paladin316

Exes_ffdc7e68_1.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_ffdc7e68.1"
  7. [*] File Size: 265216
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "4f85cd4bc4743dad3c0dffa0f90eb9359e8924a03307904949548af183caa431"
  10. [*] MD5: "29d3c08d5f9fcbbef6ea5493907f91d8"
  11. [*] SHA1: "7bd1a9c718eed2a9283deaad8cd1421436f3445a"
  12. [*] SHA512: "3b603f0cee8643b5dc50dc1a4d018f4c474ccb767e222440a54e393179e326897a512c045a61042e185ab804b344d2cf77065ba6ff224627597836ceb93f28e7"
  13. [*] CRC32: "FFDC7E68"
  14. [*] SSDEEP: "3072:MNKaFoZXyneDiIPNzApGXwAT/ModCV9Ztkkp6ioTp3l0/wJBVpKWxw0UEkwfx:coZCneu8NEKkodCpbfo1S4iWxwBKfx"
  15.  
  16. [*] Process Execution: [
  17. "Exes_ffdc7e68.1",
  18. "winpojg.exe"
  19. ]
  20.  
  21. [*] Signatures Detected: [
  22. {
  23. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  24. "Details": [
  25. {
  26. "IP": "98.137.159.25:25"
  27. }
  28. ]
  29. },
  30. {
  31. "Description": "Creates RWX memory",
  32. "Details": []
  33. },
  34. {
  35. "Description": "Possible date expiration check, exits too soon after checking local time",
  36. "Details": [
  37. {
  38. "process": "winpojg.exe, PID 2764"
  39. }
  40. ]
  41. },
  42. {
  43. "Description": "Drops a binary and executes it",
  44. "Details": [
  45. {
  46. "binary": "C:\\Windows\\3143782112822236\\winpojg.exe"
  47. }
  48. ]
  49. },
  50. {
  51. "Description": "Performs some HTTP requests",
  52. "Details": [
  53. {
  54. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  55. },
  56. {
  57. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  58. },
  59. {
  60. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  61. }
  62. ]
  63. },
  64. {
  65. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  66. "Details": [
  67. {
  68. "Spam": "winpojg.exe (2764) called API GlobalMemoryStatus 2165386 times"
  69. },
  70. {
  71. "Spam": "Exes_ffdc7e68.1 (1748) called API GlobalMemoryStatus 2165386 times"
  72. }
  73. ]
  74. },
  75. {
  76. "Description": "Installs itself for autorun at Windows startup",
  77. "Details": [
  78. {
  79. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 8970679586"
  80. },
  81. {
  82. "data": "C:\\Windows\\3143782112822236\\winpojg.exe"
  83. },
  84. {
  85. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 8970679586"
  86. },
  87. {
  88. "data": "C:\\Windows\\3143782112822236\\winpojg.exe"
  89. }
  90. ]
  91. },
  92. {
  93. "Description": "Creates a hidden or system file",
  94. "Details": [
  95. {
  96. "file": "C:\\Windows\\3143782112822236"
  97. },
  98. {
  99. "file": "C:\\Windows\\3143782112822236\\winpojg.exe"
  100. }
  101. ]
  102. },
  103. {
  104. "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
  105. "Details": [
  106. {
  107. "MicroWorld-eScan": "Trojan.GenericKD.32054066"
  108. },
  109. {
  110. "Qihoo-360": "HEUR/QVM10.2.D05B.Malware.Gen"
  111. },
  112. {
  113. "McAfee": "RDN/Generic.dx"
  114. },
  115. {
  116. "Cylance": "Unsafe"
  117. },
  118. {
  119. "K7GW": "Riskware ( 0040eff71 )"
  120. },
  121. {
  122. "Symantec": "ML.Attribute.HighConfidence"
  123. },
  124. {
  125. "APEX": "Malicious"
  126. },
  127. {
  128. "Paloalto": "generic.ml"
  129. },
  130. {
  131. "Kaspersky": "Trojan.Win32.Zonidel.egu"
  132. },
  133. {
  134. "BitDefender": "Trojan.GenericKD.32054066"
  135. },
  136. {
  137. "ViRobot": "Trojan.Win32.Z.Zonidel.265216"
  138. },
  139. {
  140. "AegisLab": "Trojan.Multi.Generic.4!c"
  141. },
  142. {
  143. "Rising": "Trojan.Kryptik!8.8 (CLOUD)"
  144. },
  145. {
  146. "Endgame": "malicious (high confidence)"
  147. },
  148. {
  149. "Sophos": "Mal/Generic-S"
  150. },
  151. {
  152. "F-Secure": "Trojan.TR/AD.Phorpiex.efijh"
  153. },
  154. {
  155. "Invincea": "heuristic"
  156. },
  157. {
  158. "McAfee-GW-Edition": "Artemis!Trojan"
  159. },
  160. {
  161. "FireEye": "Generic.mg.29d3c08d5f9fcbbe"
  162. },
  163. {
  164. "Emsisoft": "Trojan.GenericKD.32054066 (B)"
  165. },
  166. {
  167. "SentinelOne": "DFI - Suspicious PE"
  168. },
  169. {
  170. "Webroot": "W32.Trojan.Gen"
  171. },
  172. {
  173. "Avira": "TR/AD.Phorpiex.efijh"
  174. },
  175. {
  176. "Microsoft": "Trojan:Win32/Gandcrab.AF"
  177. },
  178. {
  179. "Arcabit": "Trojan.Generic.D1E91B32"
  180. },
  181. {
  182. "AhnLab-V3": "Trojan/Win32.Crypted.R275704"
  183. },
  184. {
  185. "ZoneAlarm": "Trojan.Win32.Zonidel.egu"
  186. },
  187. {
  188. "GData": "Trojan.GenericKD.32054066"
  189. },
  190. {
  191. "ESET-NOD32": "a variant of Win32/Kryptik.GTYE"
  192. },
  193. {
  194. "Acronis": "suspicious"
  195. },
  196. {
  197. "Ad-Aware": "Trojan.GenericKD.32054066"
  198. },
  199. {
  200. "Tencent": "Win32.Trojan.Zonidel.Hufz"
  201. },
  202. {
  203. "Ikarus": "Trojan.Win32.Krypt"
  204. },
  205. {
  206. "Fortinet": "W32/Kryptik.GTVG!tr"
  207. },
  208. {
  209. "AVG": "FileRepMalware"
  210. },
  211. {
  212. "Avast": "FileRepMalware"
  213. },
  214. {
  215. "CrowdStrike": "win/malicious_confidence_80% (W)"
  216. }
  217. ]
  218. },
  219. {
  220. "Description": "Operates on local firewall's policies and settings",
  221. "Details": []
  222. },
  223. {
  224. "Description": "Creates a copy of itself",
  225. "Details": [
  226. {
  227. "copy": "C:\\Windows\\3143782112822236\\winpojg.exe"
  228. }
  229. ]
  230. },
  231. {
  232. "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
  233. "Details": [
  234. {
  235. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_ffdc7e68.1:Zone.Iduentifier"
  236. },
  237. {
  238. "file": "C:\\Windows\\3143782112822236\\winpojg.exe:Zone.Iduentifier"
  239. }
  240. ]
  241. }
  242. ]
  243.  
  244. [*] Started Service: []
  245.  
  246. [*] Executed Commands: [
  247. "C:\\Windows\\3143782112822236\\winpojg.exe"
  248. ]
  249.  
  250. [*] Mutexes: [
  251. "8970679586"
  252. ]
  253.  
  254. [*] Modified Files: [
  255. "C:\\Windows\\3143782112822236\\winpojg.exe"
  256. ]
  257.  
  258. [*] Deleted Files: [
  259. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_ffdc7e68.1:Zone.Iduentifier",
  260. "C:\\Windows\\3143782112822236\\winpojg.exe:Zone.Iduentifier"
  261. ]
  262.  
  263. [*] Modified Registry Keys: [
  264. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 8970679586",
  265. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 8970679586"
  266. ]
  267.  
  268. [*] Deleted Registry Keys: []
  269.  
  270. [*] DNS Communications: [
  271. {
  272. "type": "MX",
  273. "request": "yahoo.com",
  274. "answers": [
  275. {
  276. "data": "mta5.am0.yahoodns.net",
  277. "type": "MX"
  278. },
  279. {
  280. "data": "mta7.am0.yahoodns.net",
  281. "type": "MX"
  282. },
  283. {
  284. "data": "mta6.am0.yahoodns.net",
  285. "type": "MX"
  286. }
  287. ]
  288. },
  289. {
  290. "type": "A",
  291. "request": "mta7.am0.yahoodns.net",
  292. "answers": [
  293. {
  294. "data": "74.6.137.63",
  295. "type": "A"
  296. },
  297. {
  298. "data": "74.6.137.65",
  299. "type": "A"
  300. },
  301. {
  302. "data": "66.218.85.52",
  303. "type": "A"
  304. },
  305. {
  306. "data": "98.137.159.27",
  307. "type": "A"
  308. },
  309. {
  310. "data": "98.137.159.25",
  311. "type": "A"
  312. },
  313. {
  314. "data": "98.137.159.24",
  315. "type": "A"
  316. },
  317. {
  318. "data": "98.137.159.28",
  319. "type": "A"
  320. },
  321. {
  322. "data": "67.195.228.111",
  323. "type": "A"
  324. }
  325. ]
  326. }
  327. ]
  328.  
  329. [*] Domains: [
  330. {
  331. "ip": "98.137.159.27",
  332. "domain": "mta7.am0.yahoodns.net"
  333. },
  334. {
  335. "ip": "98.137.246.8",
  336. "domain": "yahoo.com"
  337. }
  338. ]
  339.  
  340. [*] Network Communication - ICMP: []
  341.  
  342. [*] Network Communication - HTTP: [
  343. {
  344. "count": 1,
  345. "body": "",
  346. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  347. "user-agent": "Microsoft-CryptoAPI/6.1",
  348. "method": "GET",
  349. "host": "ocsp.digicert.com",
  350. "version": "1.1",
  351. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  352. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  353. "port": 80
  354. },
  355. {
  356. "count": 1,
  357. "body": "",
  358. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  359. "user-agent": "Microsoft-CryptoAPI/6.1",
  360. "method": "GET",
  361. "host": "ocsp.digicert.com",
  362. "version": "1.1",
  363. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  364. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  365. "port": 80
  366. },
  367. {
  368. "count": 1,
  369. "body": "",
  370. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  371. "user-agent": "Microsoft-CryptoAPI/6.1",
  372. "method": "GET",
  373. "host": "ocsp.digicert.com",
  374. "version": "1.1",
  375. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  376. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  377. "port": 80
  378. }
  379. ]
  380.  
  381. [*] Network Communication - SMTP: []
  382.  
  383. [*] Network Communication - Hosts: []
  384.  
  385. [*] Network Communication - IRC: []
  386.  
  387. [*] Static Analysis: {
  388. "pe": {
  389. "peid_signatures": null,
  390. "imports": [
  391. {
  392. "imports": [
  393. {
  394. "name": "UnlockFile",
  395. "address": "0x426014"
  396. },
  397. {
  398. "name": "GetNumberFormatA",
  399. "address": "0x426018"
  400. },
  401. {
  402. "name": "GlobalAlloc",
  403. "address": "0x42601c"
  404. },
  405. {
  406. "name": "LoadLibraryW",
  407. "address": "0x426020"
  408. },
  409. {
  410. "name": "GetBinaryTypeA",
  411. "address": "0x426024"
  412. },
  413. {
  414. "name": "ReplaceFileW",
  415. "address": "0x426028"
  416. },
  417. {
  418. "name": "lstrlenW",
  419. "address": "0x42602c"
  420. },
  421. {
  422. "name": "SetHandleInformation",
  423. "address": "0x426030"
  424. },
  425. {
  426. "name": "GetProcAddress",
  427. "address": "0x426034"
  428. },
  429. {
  430. "name": "PeekConsoleInputW",
  431. "address": "0x426038"
  432. },
  433. {
  434. "name": "VirtualProtect",
  435. "address": "0x42603c"
  436. },
  437. {
  438. "name": "CreateToolhelp32Snapshot",
  439. "address": "0x426040"
  440. },
  441. {
  442. "name": "DuplicateHandle",
  443. "address": "0x426044"
  444. },
  445. {
  446. "name": "CloseHandle",
  447. "address": "0x426048"
  448. },
  449. {
  450. "name": "lstrcpynA",
  451. "address": "0x42604c"
  452. },
  453. {
  454. "name": "DebugActiveProcessStop",
  455. "address": "0x426050"
  456. },
  457. {
  458. "name": "GlobalMemoryStatus",
  459. "address": "0x426054"
  460. },
  461. {
  462. "name": "Module32First",
  463. "address": "0x426058"
  464. },
  465. {
  466. "name": "ExitProcess",
  467. "address": "0x42605c"
  468. },
  469. {
  470. "name": "GetStringTypeW",
  471. "address": "0x426060"
  472. },
  473. {
  474. "name": "OutputDebugStringW",
  475. "address": "0x426064"
  476. },
  477. {
  478. "name": "EnumSystemLocalesW",
  479. "address": "0x426068"
  480. },
  481. {
  482. "name": "GetUserDefaultLCID",
  483. "address": "0x42606c"
  484. },
  485. {
  486. "name": "IsValidLocale",
  487. "address": "0x426070"
  488. },
  489. {
  490. "name": "GetLocaleInfoW",
  491. "address": "0x426074"
  492. },
  493. {
  494. "name": "EncodePointer",
  495. "address": "0x426078"
  496. },
  497. {
  498. "name": "DecodePointer",
  499. "address": "0x42607c"
  500. },
  501. {
  502. "name": "GetCommandLineA",
  503. "address": "0x426080"
  504. },
  505. {
  506. "name": "RaiseException",
  507. "address": "0x426084"
  508. },
  509. {
  510. "name": "RtlUnwind",
  511. "address": "0x426088"
  512. },
  513. {
  514. "name": "IsDebuggerPresent",
  515. "address": "0x42608c"
  516. },
  517. {
  518. "name": "IsProcessorFeaturePresent",
  519. "address": "0x426090"
  520. },
  521. {
  522. "name": "EnterCriticalSection",
  523. "address": "0x426094"
  524. },
  525. {
  526. "name": "LeaveCriticalSection",
  527. "address": "0x426098"
  528. },
  529. {
  530. "name": "FlushFileBuffers",
  531. "address": "0x42609c"
  532. },
  533. {
  534. "name": "GetLastError",
  535. "address": "0x4260a0"
  536. },
  537. {
  538. "name": "WriteFile",
  539. "address": "0x4260a4"
  540. },
  541. {
  542. "name": "WideCharToMultiByte",
  543. "address": "0x4260a8"
  544. },
  545. {
  546. "name": "GetConsoleCP",
  547. "address": "0x4260ac"
  548. },
  549. {
  550. "name": "GetConsoleMode",
  551. "address": "0x4260b0"
  552. },
  553. {
  554. "name": "DeleteCriticalSection",
  555. "address": "0x4260b4"
  556. },
  557. {
  558. "name": "FatalAppExitA",
  559. "address": "0x4260b8"
  560. },
  561. {
  562. "name": "GetModuleHandleExW",
  563. "address": "0x4260bc"
  564. },
  565. {
  566. "name": "AreFileApisANSI",
  567. "address": "0x4260c0"
  568. },
  569. {
  570. "name": "MultiByteToWideChar",
  571. "address": "0x4260c4"
  572. },
  573. {
  574. "name": "HeapSize",
  575. "address": "0x4260c8"
  576. },
  577. {
  578. "name": "HeapFree",
  579. "address": "0x4260cc"
  580. },
  581. {
  582. "name": "HeapAlloc",
  583. "address": "0x4260d0"
  584. },
  585. {
  586. "name": "SetLastError",
  587. "address": "0x4260d4"
  588. },
  589. {
  590. "name": "GetCurrentThread",
  591. "address": "0x4260d8"
  592. },
  593. {
  594. "name": "GetCurrentThreadId",
  595. "address": "0x4260dc"
  596. },
  597. {
  598. "name": "GetProcessHeap",
  599. "address": "0x4260e0"
  600. },
  601. {
  602. "name": "GetStdHandle",
  603. "address": "0x4260e4"
  604. },
  605. {
  606. "name": "GetFileType",
  607. "address": "0x4260e8"
  608. },
  609. {
  610. "name": "GetStartupInfoW",
  611. "address": "0x4260ec"
  612. },
  613. {
  614. "name": "GetModuleFileNameA",
  615. "address": "0x4260f0"
  616. },
  617. {
  618. "name": "GetModuleFileNameW",
  619. "address": "0x4260f4"
  620. },
  621. {
  622. "name": "QueryPerformanceCounter",
  623. "address": "0x4260f8"
  624. },
  625. {
  626. "name": "GetCurrentProcessId",
  627. "address": "0x4260fc"
  628. },
  629. {
  630. "name": "GetSystemTimeAsFileTime",
  631. "address": "0x426100"
  632. },
  633. {
  634. "name": "GetEnvironmentStringsW",
  635. "address": "0x426104"
  636. },
  637. {
  638. "name": "FreeEnvironmentStringsW",
  639. "address": "0x426108"
  640. },
  641. {
  642. "name": "UnhandledExceptionFilter",
  643. "address": "0x42610c"
  644. },
  645. {
  646. "name": "SetUnhandledExceptionFilter",
  647. "address": "0x426110"
  648. },
  649. {
  650. "name": "InitializeCriticalSectionAndSpinCount",
  651. "address": "0x426114"
  652. },
  653. {
  654. "name": "CreateEventW",
  655. "address": "0x426118"
  656. },
  657. {
  658. "name": "Sleep",
  659. "address": "0x42611c"
  660. },
  661. {
  662. "name": "GetCurrentProcess",
  663. "address": "0x426120"
  664. },
  665. {
  666. "name": "TerminateProcess",
  667. "address": "0x426124"
  668. },
  669. {
  670. "name": "TlsAlloc",
  671. "address": "0x426128"
  672. },
  673. {
  674. "name": "TlsGetValue",
  675. "address": "0x42612c"
  676. },
  677. {
  678. "name": "TlsSetValue",
  679. "address": "0x426130"
  680. },
  681. {
  682. "name": "TlsFree",
  683. "address": "0x426134"
  684. },
  685. {
  686. "name": "GetTickCount",
  687. "address": "0x426138"
  688. },
  689. {
  690. "name": "GetModuleHandleW",
  691. "address": "0x42613c"
  692. },
  693. {
  694. "name": "CreateSemaphoreW",
  695. "address": "0x426140"
  696. },
  697. {
  698. "name": "SetStdHandle",
  699. "address": "0x426144"
  700. },
  701. {
  702. "name": "SetFilePointerEx",
  703. "address": "0x426148"
  704. },
  705. {
  706. "name": "WriteConsoleW",
  707. "address": "0x42614c"
  708. },
  709. {
  710. "name": "SetConsoleCtrlHandler",
  711. "address": "0x426150"
  712. },
  713. {
  714. "name": "FreeLibrary",
  715. "address": "0x426154"
  716. },
  717. {
  718. "name": "LoadLibraryExW",
  719. "address": "0x426158"
  720. },
  721. {
  722. "name": "IsValidCodePage",
  723. "address": "0x42615c"
  724. },
  725. {
  726. "name": "GetACP",
  727. "address": "0x426160"
  728. },
  729. {
  730. "name": "GetOEMCP",
  731. "address": "0x426164"
  732. },
  733. {
  734. "name": "GetCPInfo",
  735. "address": "0x426168"
  736. },
  737. {
  738. "name": "HeapReAlloc",
  739. "address": "0x42616c"
  740. },
  741. {
  742. "name": "GetDateFormatW",
  743. "address": "0x426170"
  744. },
  745. {
  746. "name": "GetTimeFormatW",
  747. "address": "0x426174"
  748. },
  749. {
  750. "name": "CompareStringW",
  751. "address": "0x426178"
  752. },
  753. {
  754. "name": "LCMapStringW",
  755. "address": "0x42617c"
  756. },
  757. {
  758. "name": "CreateFileW",
  759. "address": "0x426180"
  760. }
  761. ],
  762. "dll": "KERNEL32.dll"
  763. },
  764. {
  765. "imports": [
  766. {
  767. "name": "NotifyBootConfigStatus",
  768. "address": "0x426000"
  769. },
  770. {
  771. "name": "RegQueryInfoKeyA",
  772. "address": "0x426004"
  773. },
  774. {
  775. "name": "RegCreateKeyExW",
  776. "address": "0x426008"
  777. },
  778. {
  779. "name": "SetServiceStatus",
  780. "address": "0x42600c"
  781. }
  782. ],
  783. "dll": "ADVAPI32.dll"
  784. },
  785. {
  786. "imports": [
  787. {
  788. "name": "WinHttpConnect",
  789. "address": "0x426194"
  790. },
  791. {
  792. "name": "WinHttpOpen",
  793. "address": "0x426198"
  794. }
  795. ],
  796. "dll": "WINHTTP.dll"
  797. },
  798. {
  799. "imports": [
  800. {
  801. "name": "GradientFill",
  802. "address": "0x426188"
  803. },
  804. {
  805. "name": "TransparentBlt",
  806. "address": "0x42618c"
  807. }
  808. ],
  809. "dll": "MSIMG32.dll"
  810. }
  811. ],
  812. "digital_signers": null,
  813. "exported_dll_name": "ciponoyega.exe",
  814. "actual_checksum": "0x00042ae5",
  815. "overlay": null,
  816. "imagebase": "0x00400000",
  817. "reported_checksum": "0x00042ae5",
  818. "icon_hash": null,
  819. "entrypoint": "0x00403a81",
  820. "timestamp": "2018-10-15 06:33:45",
  821. "osversion": "5.1",
  822. "sections": [
  823. {
  824. "name": ".text",
  825. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  826. "virtual_address": "0x00001000",
  827. "size_of_data": "0x00025000",
  828. "entropy": "6.73",
  829. "raw_address": "0x00000400",
  830. "virtual_size": "0x00024fcd",
  831. "characteristics_raw": "0x60000020"
  832. },
  833. {
  834. "name": ".rdata",
  835. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  836. "virtual_address": "0x00026000",
  837. "size_of_data": "0x00010c00",
  838. "entropy": "6.03",
  839. "raw_address": "0x00025400",
  840. "virtual_size": "0x00010aae",
  841. "characteristics_raw": "0x40000040"
  842. },
  843. {
  844. "name": ".data",
  845. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  846. "virtual_address": "0x00037000",
  847. "size_of_data": "0x00001a00",
  848. "entropy": "3.42",
  849. "raw_address": "0x00036000",
  850. "virtual_size": "0x04e5d9ec",
  851. "characteristics_raw": "0xc0000040"
  852. },
  853. {
  854. "name": ".lesupoj",
  855. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  856. "virtual_address": "0x04e95000",
  857. "size_of_data": "0x00000600",
  858. "entropy": "0.00",
  859. "raw_address": "0x00037a00",
  860. "virtual_size": "0x00001400",
  861. "characteristics_raw": "0xc0000040"
  862. },
  863. {
  864. "name": ".rsrc",
  865. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  866. "virtual_address": "0x04e97000",
  867. "size_of_data": "0x00006c00",
  868. "entropy": "6.13",
  869. "raw_address": "0x00038000",
  870. "virtual_size": "0x00006a28",
  871. "characteristics_raw": "0x40000040"
  872. },
  873. {
  874. "name": ".reloc",
  875. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  876. "virtual_address": "0x04e9e000",
  877. "size_of_data": "0x00002000",
  878. "entropy": "6.63",
  879. "raw_address": "0x0003ec00",
  880. "virtual_size": "0x00001ff8",
  881. "characteristics_raw": "0x42000040"
  882. }
  883. ],
  884. "resources": [],
  885. "dirents": [
  886. {
  887. "virtual_address": "0x000360f0",
  888. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  889. "size": "0x0000004e"
  890. },
  891. {
  892. "virtual_address": "0x00036140",
  893. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  894. "size": "0x00000064"
  895. },
  896. {
  897. "virtual_address": "0x04e97000",
  898. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  899. "size": "0x00006a28"
  900. },
  901. {
  902. "virtual_address": "0x00000000",
  903. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  904. "size": "0x00000000"
  905. },
  906. {
  907. "virtual_address": "0x00000000",
  908. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  909. "size": "0x00000000"
  910. },
  911. {
  912. "virtual_address": "0x04e9e000",
  913. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  914. "size": "0x00001ff8"
  915. },
  916. {
  917. "virtual_address": "0x00026200",
  918. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  919. "size": "0x00000038"
  920. },
  921. {
  922. "virtual_address": "0x00000000",
  923. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  924. "size": "0x00000000"
  925. },
  926. {
  927. "virtual_address": "0x00000000",
  928. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  929. "size": "0x00000000"
  930. },
  931. {
  932. "virtual_address": "0x00000000",
  933. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  934. "size": "0x00000000"
  935. },
  936. {
  937. "virtual_address": "0x00000000",
  938. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  939. "size": "0x00000000"
  940. },
  941. {
  942. "virtual_address": "0x00000000",
  943. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  944. "size": "0x00000000"
  945. },
  946. {
  947. "virtual_address": "0x00026000",
  948. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  949. "size": "0x000001a0"
  950. },
  951. {
  952. "virtual_address": "0x00000000",
  953. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  954. "size": "0x00000000"
  955. },
  956. {
  957. "virtual_address": "0x00000000",
  958. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  959. "size": "0x00000000"
  960. },
  961. {
  962. "virtual_address": "0x00000000",
  963. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  964. "size": "0x00000000"
  965. }
  966. ],
  967. "exports": [
  968. {
  969. "ordinal": 1,
  970. "name": "MyFunc165@@4",
  971. "address": "0x425ec0"
  972. }
  973. ],
  974. "guest_signers": {},
  975. "imphash": "044e9d5eff89a58f097d20d545b5ede9",
  976. "icon_fuzzy": null,
  977. "icon": null,
  978. "pdbpath": "C:\\liz.pdb\\x00\\crypt_server\\runtime\\crypt\\tmp_2127232380\\bin\\ciponoyega.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x86C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xfcOC\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01",
  979. "imported_dll_count": 4,
  980. "versioninfo": []
  981. }
  982. }
  983.  
  984. [*] Resolved APIs: [
  985. "kernel32.dll.FlsAlloc",
  986. "kernel32.dll.FlsFree",
  987. "kernel32.dll.FlsGetValue",
  988. "kernel32.dll.FlsSetValue",
  989. "kernel32.dll.InitializeCriticalSectionEx",
  990. "kernel32.dll.CreateEventExW",
  991. "kernel32.dll.CreateSemaphoreExW",
  992. "kernel32.dll.SetThreadStackGuarantee",
  993. "kernel32.dll.CreateThreadpoolTimer",
  994. "kernel32.dll.SetThreadpoolTimer",
  995. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  996. "kernel32.dll.CloseThreadpoolTimer",
  997. "kernel32.dll.CreateThreadpoolWait",
  998. "kernel32.dll.SetThreadpoolWait",
  999. "kernel32.dll.CloseThreadpoolWait",
  1000. "kernel32.dll.FlushProcessWriteBuffers",
  1001. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1002. "kernel32.dll.GetCurrentProcessorNumber",
  1003. "kernel32.dll.GetLogicalProcessorInformation",
  1004. "kernel32.dll.CreateSymbolicLinkW",
  1005. "kernel32.dll.EnumSystemLocalesEx",
  1006. "kernel32.dll.CompareStringEx",
  1007. "kernel32.dll.GetDateFormatEx",
  1008. "kernel32.dll.GetLocaleInfoEx",
  1009. "kernel32.dll.GetTimeFormatEx",
  1010. "kernel32.dll.GetUserDefaultLocaleName",
  1011. "kernel32.dll.IsValidLocaleName",
  1012. "kernel32.dll.LCMapStringEx",
  1013. "kernel32.dll.GetTickCount64",
  1014. "kernel32.dll.LoadLibraryA",
  1015. "kernel32.dll.VirtualAlloc",
  1016. "kernel32.dll.VirtualProtect",
  1017. "kernel32.dll.VirtualFree",
  1018. "kernel32.dll.GetVersionExA",
  1019. "kernel32.dll.TerminateProcess",
  1020. "kernel32.dll.ExitProcess",
  1021. "kernel32.dll.SetErrorMode",
  1022. "msvcrt.dll._except_handler3",
  1023. "msvcrt.dll.__set_app_type",
  1024. "msvcrt.dll.__p__fmode",
  1025. "msvcrt.dll.__p__commode",
  1026. "msvcrt.dll._adjust_fdiv",
  1027. "msvcrt.dll.__setusermatherr",
  1028. "msvcrt.dll._initterm",
  1029. "msvcrt.dll.__getmainargs",
  1030. "msvcrt.dll._acmdln",
  1031. "msvcrt.dll.exit",
  1032. "msvcrt.dll._XcptFilter",
  1033. "msvcrt.dll._exit",
  1034. "msvcrt.dll.wcsstr",
  1035. "msvcrt.dll.wcslen",
  1036. "msvcrt.dll.mbstowcs",
  1037. "msvcrt.dll.atoi",
  1038. "msvcrt.dll._snwprintf",
  1039. "msvcrt.dll._wfopen",
  1040. "msvcrt.dll.fgets",
  1041. "msvcrt.dll.fclose",
  1042. "msvcrt.dll.strtok",
  1043. "msvcrt.dll.strchr",
  1044. "msvcrt.dll.strcpy",
  1045. "msvcrt.dll.strcat",
  1046. "msvcrt.dll.strlen",
  1047. "msvcrt.dll.strstr",
  1048. "msvcrt.dll._snprintf",
  1049. "msvcrt.dll.memset",
  1050. "msvcrt.dll.malloc",
  1051. "msvcrt.dll.srand",
  1052. "msvcrt.dll.rand",
  1053. "msvcrt.dll._controlfp",
  1054. "msvcrt.dll.sprintf",
  1055. "ws2_32.dll.#9",
  1056. "ws2_32.dll.#16",
  1057. "ws2_32.dll.#115",
  1058. "ws2_32.dll.#19",
  1059. "ws2_32.dll.#23",
  1060. "ws2_32.dll.#4",
  1061. "ws2_32.dll.#11",
  1062. "ws2_32.dll.#52",
  1063. "ws2_32.dll.#3",
  1064. "wininet.dll.InternetOpenUrlW",
  1065. "wininet.dll.InternetReadFile",
  1066. "wininet.dll.InternetOpenA",
  1067. "wininet.dll.InternetOpenUrlA",
  1068. "wininet.dll.InternetOpenW",
  1069. "wininet.dll.InternetCloseHandle",
  1070. "shlwapi.dll.PathFindFileNameW",
  1071. "dnsapi.dll.DnsQuery_A",
  1072. "dnsapi.dll.DnsFree",
  1073. "kernel32.dll.GetTickCount",
  1074. "kernel32.dll.GetTimeZoneInformation",
  1075. "kernel32.dll.FileTimeToSystemTime",
  1076. "kernel32.dll.CloseHandle",
  1077. "kernel32.dll.WriteFile",
  1078. "kernel32.dll.CreateFileW",
  1079. "kernel32.dll.ExpandEnvironmentStringsW",
  1080. "kernel32.dll.FileTimeToLocalFileTime",
  1081. "kernel32.dll.CopyFileW",
  1082. "kernel32.dll.CreateDirectoryW",
  1083. "kernel32.dll.GetModuleFileNameW",
  1084. "kernel32.dll.GetLastError",
  1085. "kernel32.dll.Sleep",
  1086. "kernel32.dll.CreateMutexA",
  1087. "kernel32.dll.GetModuleHandleA",
  1088. "kernel32.dll.GetStartupInfoA",
  1089. "kernel32.dll.GetLocalTime",
  1090. "kernel32.dll.CreateProcessW",
  1091. "kernel32.dll.SetFileAttributesW",
  1092. "kernel32.dll.DeleteFileW",
  1093. "kernel32.dll.ExitThread",
  1094. "kernel32.dll.CreateThread",
  1095. "user32.dll.wsprintfA",
  1096. "advapi32.dll.RegSetValueExW",
  1097. "advapi32.dll.RegCloseKey",
  1098. "advapi32.dll.RegOpenKeyExW",
  1099. "shell32.dll.ShellExecuteW",
  1100. "msvcr100.dll.atexit"
  1101. ]
  1102.  
  1103. [*] Static Analysis: {
  1104. "pe": {
  1105. "peid_signatures": null,
  1106. "imports": [
  1107. {
  1108. "imports": [
  1109. {
  1110. "name": "UnlockFile",
  1111. "address": "0x426014"
  1112. },
  1113. {
  1114. "name": "GetNumberFormatA",
  1115. "address": "0x426018"
  1116. },
  1117. {
  1118. "name": "GlobalAlloc",
  1119. "address": "0x42601c"
  1120. },
  1121. {
  1122. "name": "LoadLibraryW",
  1123. "address": "0x426020"
  1124. },
  1125. {
  1126. "name": "GetBinaryTypeA",
  1127. "address": "0x426024"
  1128. },
  1129. {
  1130. "name": "ReplaceFileW",
  1131. "address": "0x426028"
  1132. },
  1133. {
  1134. "name": "lstrlenW",
  1135. "address": "0x42602c"
  1136. },
  1137. {
  1138. "name": "SetHandleInformation",
  1139. "address": "0x426030"
  1140. },
  1141. {
  1142. "name": "GetProcAddress",
  1143. "address": "0x426034"
  1144. },
  1145. {
  1146. "name": "PeekConsoleInputW",
  1147. "address": "0x426038"
  1148. },
  1149. {
  1150. "name": "VirtualProtect",
  1151. "address": "0x42603c"
  1152. },
  1153. {
  1154. "name": "CreateToolhelp32Snapshot",
  1155. "address": "0x426040"
  1156. },
  1157. {
  1158. "name": "DuplicateHandle",
  1159. "address": "0x426044"
  1160. },
  1161. {
  1162. "name": "CloseHandle",
  1163. "address": "0x426048"
  1164. },
  1165. {
  1166. "name": "lstrcpynA",
  1167. "address": "0x42604c"
  1168. },
  1169. {
  1170. "name": "DebugActiveProcessStop",
  1171. "address": "0x426050"
  1172. },
  1173. {
  1174. "name": "GlobalMemoryStatus",
  1175. "address": "0x426054"
  1176. },
  1177. {
  1178. "name": "Module32First",
  1179. "address": "0x426058"
  1180. },
  1181. {
  1182. "name": "ExitProcess",
  1183. "address": "0x42605c"
  1184. },
  1185. {
  1186. "name": "GetStringTypeW",
  1187. "address": "0x426060"
  1188. },
  1189. {
  1190. "name": "OutputDebugStringW",
  1191. "address": "0x426064"
  1192. },
  1193. {
  1194. "name": "EnumSystemLocalesW",
  1195. "address": "0x426068"
  1196. },
  1197. {
  1198. "name": "GetUserDefaultLCID",
  1199. "address": "0x42606c"
  1200. },
  1201. {
  1202. "name": "IsValidLocale",
  1203. "address": "0x426070"
  1204. },
  1205. {
  1206. "name": "GetLocaleInfoW",
  1207. "address": "0x426074"
  1208. },
  1209. {
  1210. "name": "EncodePointer",
  1211. "address": "0x426078"
  1212. },
  1213. {
  1214. "name": "DecodePointer",
  1215. "address": "0x42607c"
  1216. },
  1217. {
  1218. "name": "GetCommandLineA",
  1219. "address": "0x426080"
  1220. },
  1221. {
  1222. "name": "RaiseException",
  1223. "address": "0x426084"
  1224. },
  1225. {
  1226. "name": "RtlUnwind",
  1227. "address": "0x426088"
  1228. },
  1229. {
  1230. "name": "IsDebuggerPresent",
  1231. "address": "0x42608c"
  1232. },
  1233. {
  1234. "name": "IsProcessorFeaturePresent",
  1235. "address": "0x426090"
  1236. },
  1237. {
  1238. "name": "EnterCriticalSection",
  1239. "address": "0x426094"
  1240. },
  1241. {
  1242. "name": "LeaveCriticalSection",
  1243. "address": "0x426098"
  1244. },
  1245. {
  1246. "name": "FlushFileBuffers",
  1247. "address": "0x42609c"
  1248. },
  1249. {
  1250. "name": "GetLastError",
  1251. "address": "0x4260a0"
  1252. },
  1253. {
  1254. "name": "WriteFile",
  1255. "address": "0x4260a4"
  1256. },
  1257. {
  1258. "name": "WideCharToMultiByte",
  1259. "address": "0x4260a8"
  1260. },
  1261. {
  1262. "name": "GetConsoleCP",
  1263. "address": "0x4260ac"
  1264. },
  1265. {
  1266. "name": "GetConsoleMode",
  1267. "address": "0x4260b0"
  1268. },
  1269. {
  1270. "name": "DeleteCriticalSection",
  1271. "address": "0x4260b4"
  1272. },
  1273. {
  1274. "name": "FatalAppExitA",
  1275. "address": "0x4260b8"
  1276. },
  1277. {
  1278. "name": "GetModuleHandleExW",
  1279. "address": "0x4260bc"
  1280. },
  1281. {
  1282. "name": "AreFileApisANSI",
  1283. "address": "0x4260c0"
  1284. },
  1285. {
  1286. "name": "MultiByteToWideChar",
  1287. "address": "0x4260c4"
  1288. },
  1289. {
  1290. "name": "HeapSize",
  1291. "address": "0x4260c8"
  1292. },
  1293. {
  1294. "name": "HeapFree",
  1295. "address": "0x4260cc"
  1296. },
  1297. {
  1298. "name": "HeapAlloc",
  1299. "address": "0x4260d0"
  1300. },
  1301. {
  1302. "name": "SetLastError",
  1303. "address": "0x4260d4"
  1304. },
  1305. {
  1306. "name": "GetCurrentThread",
  1307. "address": "0x4260d8"
  1308. },
  1309. {
  1310. "name": "GetCurrentThreadId",
  1311. "address": "0x4260dc"
  1312. },
  1313. {
  1314. "name": "GetProcessHeap",
  1315. "address": "0x4260e0"
  1316. },
  1317. {
  1318. "name": "GetStdHandle",
  1319. "address": "0x4260e4"
  1320. },
  1321. {
  1322. "name": "GetFileType",
  1323. "address": "0x4260e8"
  1324. },
  1325. {
  1326. "name": "GetStartupInfoW",
  1327. "address": "0x4260ec"
  1328. },
  1329. {
  1330. "name": "GetModuleFileNameA",
  1331. "address": "0x4260f0"
  1332. },
  1333. {
  1334. "name": "GetModuleFileNameW",
  1335. "address": "0x4260f4"
  1336. },
  1337. {
  1338. "name": "QueryPerformanceCounter",
  1339. "address": "0x4260f8"
  1340. },
  1341. {
  1342. "name": "GetCurrentProcessId",
  1343. "address": "0x4260fc"
  1344. },
  1345. {
  1346. "name": "GetSystemTimeAsFileTime",
  1347. "address": "0x426100"
  1348. },
  1349. {
  1350. "name": "GetEnvironmentStringsW",
  1351. "address": "0x426104"
  1352. },
  1353. {
  1354. "name": "FreeEnvironmentStringsW",
  1355. "address": "0x426108"
  1356. },
  1357. {
  1358. "name": "UnhandledExceptionFilter",
  1359. "address": "0x42610c"
  1360. },
  1361. {
  1362. "name": "SetUnhandledExceptionFilter",
  1363. "address": "0x426110"
  1364. },
  1365. {
  1366. "name": "InitializeCriticalSectionAndSpinCount",
  1367. "address": "0x426114"
  1368. },
  1369. {
  1370. "name": "CreateEventW",
  1371. "address": "0x426118"
  1372. },
  1373. {
  1374. "name": "Sleep",
  1375. "address": "0x42611c"
  1376. },
  1377. {
  1378. "name": "GetCurrentProcess",
  1379. "address": "0x426120"
  1380. },
  1381. {
  1382. "name": "TerminateProcess",
  1383. "address": "0x426124"
  1384. },
  1385. {
  1386. "name": "TlsAlloc",
  1387. "address": "0x426128"
  1388. },
  1389. {
  1390. "name": "TlsGetValue",
  1391. "address": "0x42612c"
  1392. },
  1393. {
  1394. "name": "TlsSetValue",
  1395. "address": "0x426130"
  1396. },
  1397. {
  1398. "name": "TlsFree",
  1399. "address": "0x426134"
  1400. },
  1401. {
  1402. "name": "GetTickCount",
  1403. "address": "0x426138"
  1404. },
  1405. {
  1406. "name": "GetModuleHandleW",
  1407. "address": "0x42613c"
  1408. },
  1409. {
  1410. "name": "CreateSemaphoreW",
  1411. "address": "0x426140"
  1412. },
  1413. {
  1414. "name": "SetStdHandle",
  1415. "address": "0x426144"
  1416. },
  1417. {
  1418. "name": "SetFilePointerEx",
  1419. "address": "0x426148"
  1420. },
  1421. {
  1422. "name": "WriteConsoleW",
  1423. "address": "0x42614c"
  1424. },
  1425. {
  1426. "name": "SetConsoleCtrlHandler",
  1427. "address": "0x426150"
  1428. },
  1429. {
  1430. "name": "FreeLibrary",
  1431. "address": "0x426154"
  1432. },
  1433. {
  1434. "name": "LoadLibraryExW",
  1435. "address": "0x426158"
  1436. },
  1437. {
  1438. "name": "IsValidCodePage",
  1439. "address": "0x42615c"
  1440. },
  1441. {
  1442. "name": "GetACP",
  1443. "address": "0x426160"
  1444. },
  1445. {
  1446. "name": "GetOEMCP",
  1447. "address": "0x426164"
  1448. },
  1449. {
  1450. "name": "GetCPInfo",
  1451. "address": "0x426168"
  1452. },
  1453. {
  1454. "name": "HeapReAlloc",
  1455. "address": "0x42616c"
  1456. },
  1457. {
  1458. "name": "GetDateFormatW",
  1459. "address": "0x426170"
  1460. },
  1461. {
  1462. "name": "GetTimeFormatW",
  1463. "address": "0x426174"
  1464. },
  1465. {
  1466. "name": "CompareStringW",
  1467. "address": "0x426178"
  1468. },
  1469. {
  1470. "name": "LCMapStringW",
  1471. "address": "0x42617c"
  1472. },
  1473. {
  1474. "name": "CreateFileW",
  1475. "address": "0x426180"
  1476. }
  1477. ],
  1478. "dll": "KERNEL32.dll"
  1479. },
  1480. {
  1481. "imports": [
  1482. {
  1483. "name": "NotifyBootConfigStatus",
  1484. "address": "0x426000"
  1485. },
  1486. {
  1487. "name": "RegQueryInfoKeyA",
  1488. "address": "0x426004"
  1489. },
  1490. {
  1491. "name": "RegCreateKeyExW",
  1492. "address": "0x426008"
  1493. },
  1494. {
  1495. "name": "SetServiceStatus",
  1496. "address": "0x42600c"
  1497. }
  1498. ],
  1499. "dll": "ADVAPI32.dll"
  1500. },
  1501. {
  1502. "imports": [
  1503. {
  1504. "name": "WinHttpConnect",
  1505. "address": "0x426194"
  1506. },
  1507. {
  1508. "name": "WinHttpOpen",
  1509. "address": "0x426198"
  1510. }
  1511. ],
  1512. "dll": "WINHTTP.dll"
  1513. },
  1514. {
  1515. "imports": [
  1516. {
  1517. "name": "GradientFill",
  1518. "address": "0x426188"
  1519. },
  1520. {
  1521. "name": "TransparentBlt",
  1522. "address": "0x42618c"
  1523. }
  1524. ],
  1525. "dll": "MSIMG32.dll"
  1526. }
  1527. ],
  1528. "digital_signers": null,
  1529. "exported_dll_name": "ciponoyega.exe",
  1530. "actual_checksum": "0x00042ae5",
  1531. "overlay": null,
  1532. "imagebase": "0x00400000",
  1533. "reported_checksum": "0x00042ae5",
  1534. "icon_hash": null,
  1535. "entrypoint": "0x00403a81",
  1536. "timestamp": "2018-10-15 06:33:45",
  1537. "osversion": "5.1",
  1538. "sections": [
  1539. {
  1540. "name": ".text",
  1541. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1542. "virtual_address": "0x00001000",
  1543. "size_of_data": "0x00025000",
  1544. "entropy": "6.73",
  1545. "raw_address": "0x00000400",
  1546. "virtual_size": "0x00024fcd",
  1547. "characteristics_raw": "0x60000020"
  1548. },
  1549. {
  1550. "name": ".rdata",
  1551. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1552. "virtual_address": "0x00026000",
  1553. "size_of_data": "0x00010c00",
  1554. "entropy": "6.03",
  1555. "raw_address": "0x00025400",
  1556. "virtual_size": "0x00010aae",
  1557. "characteristics_raw": "0x40000040"
  1558. },
  1559. {
  1560. "name": ".data",
  1561. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1562. "virtual_address": "0x00037000",
  1563. "size_of_data": "0x00001a00",
  1564. "entropy": "3.42",
  1565. "raw_address": "0x00036000",
  1566. "virtual_size": "0x04e5d9ec",
  1567. "characteristics_raw": "0xc0000040"
  1568. },
  1569. {
  1570. "name": ".lesupoj",
  1571. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1572. "virtual_address": "0x04e95000",
  1573. "size_of_data": "0x00000600",
  1574. "entropy": "0.00",
  1575. "raw_address": "0x00037a00",
  1576. "virtual_size": "0x00001400",
  1577. "characteristics_raw": "0xc0000040"
  1578. },
  1579. {
  1580. "name": ".rsrc",
  1581. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1582. "virtual_address": "0x04e97000",
  1583. "size_of_data": "0x00006c00",
  1584. "entropy": "6.13",
  1585. "raw_address": "0x00038000",
  1586. "virtual_size": "0x00006a28",
  1587. "characteristics_raw": "0x40000040"
  1588. },
  1589. {
  1590. "name": ".reloc",
  1591. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1592. "virtual_address": "0x04e9e000",
  1593. "size_of_data": "0x00002000",
  1594. "entropy": "6.63",
  1595. "raw_address": "0x0003ec00",
  1596. "virtual_size": "0x00001ff8",
  1597. "characteristics_raw": "0x42000040"
  1598. }
  1599. ],
  1600. "resources": [],
  1601. "dirents": [
  1602. {
  1603. "virtual_address": "0x000360f0",
  1604. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1605. "size": "0x0000004e"
  1606. },
  1607. {
  1608. "virtual_address": "0x00036140",
  1609. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1610. "size": "0x00000064"
  1611. },
  1612. {
  1613. "virtual_address": "0x04e97000",
  1614. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1615. "size": "0x00006a28"
  1616. },
  1617. {
  1618. "virtual_address": "0x00000000",
  1619. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1620. "size": "0x00000000"
  1621. },
  1622. {
  1623. "virtual_address": "0x00000000",
  1624. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1625. "size": "0x00000000"
  1626. },
  1627. {
  1628. "virtual_address": "0x04e9e000",
  1629. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1630. "size": "0x00001ff8"
  1631. },
  1632. {
  1633. "virtual_address": "0x00026200",
  1634. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1635. "size": "0x00000038"
  1636. },
  1637. {
  1638. "virtual_address": "0x00000000",
  1639. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1640. "size": "0x00000000"
  1641. },
  1642. {
  1643. "virtual_address": "0x00000000",
  1644. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1645. "size": "0x00000000"
  1646. },
  1647. {
  1648. "virtual_address": "0x00000000",
  1649. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1650. "size": "0x00000000"
  1651. },
  1652. {
  1653. "virtual_address": "0x00000000",
  1654. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1655. "size": "0x00000000"
  1656. },
  1657. {
  1658. "virtual_address": "0x00000000",
  1659. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1660. "size": "0x00000000"
  1661. },
  1662. {
  1663. "virtual_address": "0x00026000",
  1664. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1665. "size": "0x000001a0"
  1666. },
  1667. {
  1668. "virtual_address": "0x00000000",
  1669. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1670. "size": "0x00000000"
  1671. },
  1672. {
  1673. "virtual_address": "0x00000000",
  1674. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1675. "size": "0x00000000"
  1676. },
  1677. {
  1678. "virtual_address": "0x00000000",
  1679. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1680. "size": "0x00000000"
  1681. }
  1682. ],
  1683. "exports": [
  1684. {
  1685. "ordinal": 1,
  1686. "name": "MyFunc165@@4",
  1687. "address": "0x425ec0"
  1688. }
  1689. ],
  1690. "guest_signers": {},
  1691. "imphash": "044e9d5eff89a58f097d20d545b5ede9",
  1692. "icon_fuzzy": null,
  1693. "icon": null,
  1694. "pdbpath": "C:\\liz.pdb\\x00\\crypt_server\\runtime\\crypt\\tmp_2127232380\\bin\\ciponoyega.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x86C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\xfcOC\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01",
  1695. "imported_dll_count": 4,
  1696. "versioninfo": []
  1697. }
  1698. }