paladin316

word28-01-2019_doc_exe_2019-06-24_12_30.json

Jun 24th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "word28-01-2019.doc.exe"
  7. [*] File Size: 83968
  8. [*] File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
  9. [*] SHA256: "0284b1144191db3726db5c00dacb19f2a760defc740b006bca80c2e06239b37f"
  10. [*] MD5: "03364237e1b1201385dfc0f79c8c2fab"
  11. [*] SHA1: "cd2d695e63ba01f4b24c2aa9f39bf8da01a409a6"
  12. [*] SHA512: "ce178801a06cf890c1f8ab5a87efe4cae503baf78a2b8f4ec91f4c700244e56424dd16672e61aa6d935ff77e085dbee32f86fa54daf865e1f5493889b46e70a4"
  13. [*] CRC32: "21C6AA8A"
  14. [*] SSDEEP: "1536:5/NNjBJia0IazMOxBQDh+W/Rf0Sc8IRsvc8Ke2dOLEpvWNSXj8BRbG:fNtJiaQQt+m0Sgs6e2MLEpvJsG"
  15.  
  16. [*] Process Execution: [
  17. "word28-01-2019.doc.exe",
  18. "doc.exe",
  19. "netsh.exe"
  20. ]
  21.  
  22. [*] Signatures Detected: [
  23. {
  24. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  25. "Details": [
  26. {
  27. "IP": "197.2.246.95:4545"
  28. }
  29. ]
  30. },
  31. {
  32. "Description": "Creates RWX memory",
  33. "Details": []
  34. },
  35. {
  36. "Description": "A process attempted to delay the analysis task.",
  37. "Details": [
  38. {
  39. "Process": "doc.exe tried to sleep 318 seconds, actually delayed analysis time by 0 seconds"
  40. }
  41. ]
  42. },
  43. {
  44. "Description": "Reads data out of its own binary image",
  45. "Details": [
  46. {
  47. "self_read": "process: word28-01-2019.doc.exe, pid: 1116, offset: 0x00000000, length: 0x00014800"
  48. }
  49. ]
  50. },
  51. {
  52. "Description": "Drops a binary and executes it",
  53. "Details": [
  54. {
  55. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe"
  56. }
  57. ]
  58. },
  59. {
  60. "Description": "Attempts to mimic the file extension of a Word 97-2003 document by having 'doc' in the file name.",
  61. "Details": []
  62. },
  63. {
  64. "Description": "Sniffs keystrokes",
  65. "Details": [
  66. {
  67. "GetAsyncKeyState": "Process: doc.exe(1244)"
  68. }
  69. ]
  70. },
  71. {
  72. "Description": "Installs itself for autorun at Windows startup",
  73. "Details": [
  74. {
  75. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52"
  76. },
  77. {
  78. "data": "\"C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe\" .."
  79. },
  80. {
  81. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52"
  82. },
  83. {
  84. "data": "\"C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe\" .."
  85. },
  86. {
  87. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe"
  88. },
  89. {
  90. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe"
  91. }
  92. ]
  93. },
  94. {
  95. "Description": "File has been identified by 46 Antiviruses on VirusTotal as malicious",
  96. "Details": [
  97. {
  98. "MicroWorld-eScan": "Trojan.GenericKD.31594522"
  99. },
  100. {
  101. "CAT-QuickHeal": "Trojan.MSIL"
  102. },
  103. {
  104. "McAfee": "RDN/Generic.dx"
  105. },
  106. {
  107. "BitDefender": "Trojan.GenericKD.31594522"
  108. },
  109. {
  110. "K7GW": "Trojan ( 004d89911 )"
  111. },
  112. {
  113. "K7AntiVirus": "Trojan ( 004d89911 )"
  114. },
  115. {
  116. "Cyren": "W32/Trojan.ZHQO-2880"
  117. },
  118. {
  119. "ESET-NOD32": "a variant of MSIL/Kryptik.EMQ"
  120. },
  121. {
  122. "TrendMicro-HouseCall": "TROJ_GEN.R002C0WAU19"
  123. },
  124. {
  125. "Avast": "Win32:Malware-gen"
  126. },
  127. {
  128. "Kaspersky": "HEUR:Trojan.MSIL.Disfa.gen"
  129. },
  130. {
  131. "NANO-Antivirus": "Trojan.Win32.Kryptik.fmmngk"
  132. },
  133. {
  134. "AegisLab": "Trojan.MSIL.Disfa.4!c"
  135. },
  136. {
  137. "Rising": "Backdoor.Bladabindi!8.B1F (CLOUD)"
  138. },
  139. {
  140. "Endgame": "malicious (high confidence)"
  141. },
  142. {
  143. "Emsisoft": "Trojan.GenericKD.31594522 (B)"
  144. },
  145. {
  146. "Comodo": "Malware@#gvize6c4c1k0"
  147. },
  148. {
  149. "F-Secure": "Heuristic.HEUR/AGEN.1005106"
  150. },
  151. {
  152. "DrWeb": "Trojan.DownLoader17.52584"
  153. },
  154. {
  155. "Invincea": "heuristic"
  156. },
  157. {
  158. "McAfee-GW-Edition": "RDN/Generic.dx"
  159. },
  160. {
  161. "FireEye": "Generic.mg.03364237e1b12013"
  162. },
  163. {
  164. "TheHacker": "Trojan/Kryptik.emq"
  165. },
  166. {
  167. "Ikarus": "Trojan.SuspectCRC"
  168. },
  169. {
  170. "GData": "Trojan.GenericKD.31594522"
  171. },
  172. {
  173. "Avira": "HEUR/AGEN.1005106"
  174. },
  175. {
  176. "MAX": "malware (ai score=86)"
  177. },
  178. {
  179. "Antiy-AVL": "Trojan/MSIL.Disfa"
  180. },
  181. {
  182. "Microsoft": "Backdoor:MSIL/Bladabindi"
  183. },
  184. {
  185. "Arcabit": "Trojan.Generic.D1E2181A"
  186. },
  187. {
  188. "AhnLab-V3": "Malware/Win32.Generic.C674694"
  189. },
  190. {
  191. "ZoneAlarm": "HEUR:Trojan.MSIL.Disfa.gen"
  192. },
  193. {
  194. "Sophos": "Mal/Generic-S"
  195. },
  196. {
  197. "VBA32": "TScope.Trojan.MSIL"
  198. },
  199. {
  200. "ALYac": "Trojan.GenericKD.31594522"
  201. },
  202. {
  203. "Ad-Aware": "Trojan.GenericKD.31594522"
  204. },
  205. {
  206. "Panda": "Trj/GdSda.A"
  207. },
  208. {
  209. "Tencent": "Msil.Trojan.Disfa.Chi"
  210. },
  211. {
  212. "Yandex": "Trojan.Disfa!aB/UjAwPYq0"
  213. },
  214. {
  215. "SentinelOne": "DFI - Malicious PE"
  216. },
  217. {
  218. "Fortinet": "MSIL/Kryptik.EMQ!tr"
  219. },
  220. {
  221. "AVG": "Win32:Malware-gen"
  222. },
  223. {
  224. "Cybereason": "malicious.e63ba0"
  225. },
  226. {
  227. "Paloalto": "generic.ml"
  228. },
  229. {
  230. "CrowdStrike": "win/malicious_confidence_100% (W)"
  231. },
  232. {
  233. "Qihoo-360": "Win32/Trojan.593"
  234. }
  235. ]
  236. },
  237. {
  238. "Description": "Creates a copy of itself",
  239. "Details": [
  240. {
  241. "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe"
  242. },
  243. {
  244. "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe"
  245. }
  246. ]
  247. }
  248. ]
  249.  
  250. [*] Started Service: []
  251.  
  252. [*] Executed Commands: [
  253. "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe ",
  254. "netsh firewall add allowedprogram \"C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe\" \"doc.exe\" ENABLE"
  255. ]
  256.  
  257. [*] Mutexes: [
  258. "Global\\CLR_CASOFF_MUTEX",
  259. "f062a1be715f108d3fc891dc39c27c52",
  260. "Global\\.net clr networking"
  261. ]
  262.  
  263. [*] Modified Files: [
  264. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  265. "C:\\Users\\user\\AppData\\Local\\Temp\\doc.exe",
  266. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f062a1be715f108d3fc891dc39c27c52.exe",
  267. "\\Device\\Http\\Communication"
  268. ]
  269.  
  270. [*] Deleted Files: [
  271. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1116.35109765",
  272. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1116.35109765",
  273. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1116.35109781"
  274. ]
  275.  
  276. [*] Modified Registry Keys: [
  277. "HKEY_CURRENT_USER\\di",
  278. "HKEY_CURRENT_USER\\Environment\\SEE_MASK_NOZONECHECKS",
  279. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52",
  280. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\f062a1be715f108d3fc891dc39c27c52",
  281. "HKEY_CURRENT_USER\\Software\\f062a1be715f108d3fc891dc39c27c52",
  282. "HKEY_CURRENT_USER\\Software\\f062a1be715f108d3fc891dc39c27c52\\[kl]",
  283. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  284. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
  285. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
  286. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
  287. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
  288. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
  289. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
  290. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
  291. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
  292. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
  293. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
  294. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
  295. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
  296. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
  297. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
  298. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
  299. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103"
  300. ]
  301.  
  302. [*] Deleted Registry Keys: []
  303.  
  304. [*] DNS Communications: [
  305. {
  306. "type": "A",
  307. "request": "secureisrael.ddns.net",
  308. "answers": [
  309. {
  310. "data": "197.2.246.95",
  311. "type": "A"
  312. }
  313. ]
  314. }
  315. ]
  316.  
  317. [*] Domains: [
  318. {
  319. "ip": "197.2.246.95",
  320. "domain": "secureisrael.ddns.net"
  321. }
  322. ]
  323.  
  324. [*] Network Communication - ICMP: []
  325.  
  326. [*] Network Communication - HTTP: []
  327.  
  328. [*] Network Communication - SMTP: []
  329.  
  330. [*] Network Communication - Hosts: []
  331.  
  332. [*] Network Communication - IRC: []
  333.  
  334. [*] Static Analysis: {
  335. "dotnet": {
  336. "customattrs": null,
  337. "assemblyinfo": {
  338. "version": "1.0.0.0",
  339. "name": "word"
  340. },
  341. "assemblyrefs": [
  342. {
  343. "version": "2.0.0.0",
  344. "name": "mscorlib"
  345. },
  346. {
  347. "version": "8.0.0.0",
  348. "name": "Microsoft.VisualBasic"
  349. },
  350. {
  351. "version": "2.0.0.0",
  352. "name": "System.Windows.Forms"
  353. },
  354. {
  355. "version": "2.0.0.0",
  356. "name": "System"
  357. },
  358. {
  359. "version": "2.0.0.0",
  360. "name": "System.Drawing"
  361. }
  362. ],
  363. "typerefs": [
  364. {
  365. "typename": "Microsoft.VisualBasic.ApplicationServices.AuthenticationMode",
  366. "assembly": "Microsoft.VisualBasic"
  367. },
  368. {
  369. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownEventHandler",
  370. "assembly": "Microsoft.VisualBasic"
  371. },
  372. {
  373. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownMode",
  374. "assembly": "Microsoft.VisualBasic"
  375. },
  376. {
  377. "typename": "Microsoft.VisualBasic.ApplicationServices.User",
  378. "assembly": "Microsoft.VisualBasic"
  379. },
  380. {
  381. "typename": "Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase",
  382. "assembly": "Microsoft.VisualBasic"
  383. },
  384. {
  385. "typename": "Microsoft.VisualBasic.CompilerServices.Conversions",
  386. "assembly": "Microsoft.VisualBasic"
  387. },
  388. {
  389. "typename": "Microsoft.VisualBasic.CompilerServices.DesignerGeneratedAttribute",
  390. "assembly": "Microsoft.VisualBasic"
  391. },
  392. {
  393. "typename": "Microsoft.VisualBasic.CompilerServices.NewLateBinding",
  394. "assembly": "Microsoft.VisualBasic"
  395. },
  396. {
  397. "typename": "Microsoft.VisualBasic.CompilerServices.ObjectFlowControl",
  398. "assembly": "Microsoft.VisualBasic"
  399. },
  400. {
  401. "typename": "Microsoft.VisualBasic.CompilerServices.ProjectData",
  402. "assembly": "Microsoft.VisualBasic"
  403. },
  404. {
  405. "typename": "Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute",
  406. "assembly": "Microsoft.VisualBasic"
  407. },
  408. {
  409. "typename": "Microsoft.VisualBasic.CompilerServices.Utils",
  410. "assembly": "Microsoft.VisualBasic"
  411. },
  412. {
  413. "typename": "Microsoft.VisualBasic.Devices.Computer",
  414. "assembly": "Microsoft.VisualBasic"
  415. },
  416. {
  417. "typename": "Microsoft.VisualBasic.HideModuleNameAttribute",
  418. "assembly": "Microsoft.VisualBasic"
  419. },
  420. {
  421. "typename": "Microsoft.VisualBasic.MyGroupCollectionAttribute",
  422. "assembly": "Microsoft.VisualBasic"
  423. },
  424. {
  425. "typename": "Microsoft.VisualBasic.Strings",
  426. "assembly": "Microsoft.VisualBasic"
  427. },
  428. {
  429. "typename": "System.CodeDom.Compiler.GeneratedCodeAttribute",
  430. "assembly": "System"
  431. },
  432. {
  433. "typename": "System.ComponentModel.Component",
  434. "assembly": "System"
  435. },
  436. {
  437. "typename": "System.ComponentModel.Design.HelpKeywordAttribute",
  438. "assembly": "System"
  439. },
  440. {
  441. "typename": "System.ComponentModel.EditorBrowsableAttribute",
  442. "assembly": "System"
  443. },
  444. {
  445. "typename": "System.ComponentModel.EditorBrowsableState",
  446. "assembly": "System"
  447. },
  448. {
  449. "typename": "System.ComponentModel.IContainer",
  450. "assembly": "System"
  451. },
  452. {
  453. "typename": "System.Configuration.ApplicationSettingsBase",
  454. "assembly": "System"
  455. },
  456. {
  457. "typename": "System.Configuration.SettingsBase",
  458. "assembly": "System"
  459. },
  460. {
  461. "typename": "System.Drawing.Size",
  462. "assembly": "System.Drawing"
  463. },
  464. {
  465. "typename": "System.Drawing.SizeF",
  466. "assembly": "System.Drawing"
  467. },
  468. {
  469. "typename": "System.Windows.Forms.Application",
  470. "assembly": "System.Windows.Forms"
  471. },
  472. {
  473. "typename": "System.Windows.Forms.AutoScaleMode",
  474. "assembly": "System.Windows.Forms"
  475. },
  476. {
  477. "typename": "System.Windows.Forms.ContainerControl",
  478. "assembly": "System.Windows.Forms"
  479. },
  480. {
  481. "typename": "System.Windows.Forms.Control",
  482. "assembly": "System.Windows.Forms"
  483. },
  484. {
  485. "typename": "System.Windows.Forms.Form",
  486. "assembly": "System.Windows.Forms"
  487. },
  488. {
  489. "typename": "System.Activator",
  490. "assembly": "mscorlib"
  491. },
  492. {
  493. "typename": "System.AppDomain",
  494. "assembly": "mscorlib"
  495. },
  496. {
  497. "typename": "System.ArgumentException",
  498. "assembly": "mscorlib"
  499. },
  500. {
  501. "typename": "System.Boolean",
  502. "assembly": "mscorlib"
  503. },
  504. {
  505. "typename": "System.Byte",
  506. "assembly": "mscorlib"
  507. },
  508. {
  509. "typename": "System.Collections.Generic.List`1",
  510. "assembly": "mscorlib"
  511. },
  512. {
  513. "typename": "System.Collections.Hashtable",
  514. "assembly": "mscorlib"
  515. },
  516. {
  517. "typename": "System.Convert",
  518. "assembly": "mscorlib"
  519. },
  520. {
  521. "typename": "System.Diagnostics.DebuggableAttribute",
  522. "assembly": "mscorlib"
  523. },
  524. {
  525. "typename": "System.Diagnostics.DebuggableAttribute/DebuggingModes",
  526. "assembly": "mscorlib"
  527. },
  528. {
  529. "typename": "System.Diagnostics.DebuggerHiddenAttribute",
  530. "assembly": "mscorlib"
  531. },
  532. {
  533. "typename": "System.Diagnostics.DebuggerNonUserCodeAttribute",
  534. "assembly": "mscorlib"
  535. },
  536. {
  537. "typename": "System.Diagnostics.DebuggerStepThroughAttribute",
  538. "assembly": "mscorlib"
  539. },
  540. {
  541. "typename": "System.Double",
  542. "assembly": "mscorlib"
  543. },
  544. {
  545. "typename": "System.EventArgs",
  546. "assembly": "mscorlib"
  547. },
  548. {
  549. "typename": "System.EventHandler",
  550. "assembly": "mscorlib"
  551. },
  552. {
  553. "typename": "System.Exception",
  554. "assembly": "mscorlib"
  555. },
  556. {
  557. "typename": "System.Globalization.CultureInfo",
  558. "assembly": "mscorlib"
  559. },
  560. {
  561. "typename": "System.IDisposable",
  562. "assembly": "mscorlib"
  563. },
  564. {
  565. "typename": "System.Int32",
  566. "assembly": "mscorlib"
  567. },
  568. {
  569. "typename": "System.IntPtr",
  570. "assembly": "mscorlib"
  571. },
  572. {
  573. "typename": "System.InvalidOperationException",
  574. "assembly": "mscorlib"
  575. },
  576. {
  577. "typename": "System.Object",
  578. "assembly": "mscorlib"
  579. },
  580. {
  581. "typename": "System.Reflection.Assembly",
  582. "assembly": "mscorlib"
  583. },
  584. {
  585. "typename": "System.Reflection.AssemblyCompanyAttribute",
  586. "assembly": "mscorlib"
  587. },
  588. {
  589. "typename": "System.Reflection.AssemblyCopyrightAttribute",
  590. "assembly": "mscorlib"
  591. },
  592. {
  593. "typename": "System.Reflection.AssemblyDescriptionAttribute",
  594. "assembly": "mscorlib"
  595. },
  596. {
  597. "typename": "System.Reflection.AssemblyFileVersionAttribute",
  598. "assembly": "mscorlib"
  599. },
  600. {
  601. "typename": "System.Reflection.AssemblyProductAttribute",
  602. "assembly": "mscorlib"
  603. },
  604. {
  605. "typename": "System.Reflection.AssemblyTitleAttribute",
  606. "assembly": "mscorlib"
  607. },
  608. {
  609. "typename": "System.Reflection.AssemblyTrademarkAttribute",
  610. "assembly": "mscorlib"
  611. },
  612. {
  613. "typename": "System.Reflection.TargetInvocationException",
  614. "assembly": "mscorlib"
  615. },
  616. {
  617. "typename": "System.Resources.ResourceManager",
  618. "assembly": "mscorlib"
  619. },
  620. {
  621. "typename": "System.Runtime.CompilerServices.CompilationRelaxationsAttribute",
  622. "assembly": "mscorlib"
  623. },
  624. {
  625. "typename": "System.Runtime.CompilerServices.CompilerGeneratedAttribute",
  626. "assembly": "mscorlib"
  627. },
  628. {
  629. "typename": "System.Runtime.CompilerServices.RuntimeCompatibilityAttribute",
  630. "assembly": "mscorlib"
  631. },
  632. {
  633. "typename": "System.Runtime.CompilerServices.RuntimeHelpers",
  634. "assembly": "mscorlib"
  635. },
  636. {
  637. "typename": "System.Runtime.InteropServices.ComVisibleAttribute",
  638. "assembly": "mscorlib"
  639. },
  640. {
  641. "typename": "System.Runtime.InteropServices.GuidAttribute",
  642. "assembly": "mscorlib"
  643. },
  644. {
  645. "typename": "System.RuntimeTypeHandle",
  646. "assembly": "mscorlib"
  647. },
  648. {
  649. "typename": "System.STAThreadAttribute",
  650. "assembly": "mscorlib"
  651. },
  652. {
  653. "typename": "System.Security.Cryptography.CipherMode",
  654. "assembly": "mscorlib"
  655. },
  656. {
  657. "typename": "System.Security.Cryptography.HashAlgorithm",
  658. "assembly": "mscorlib"
  659. },
  660. {
  661. "typename": "System.Security.Cryptography.ICryptoTransform",
  662. "assembly": "mscorlib"
  663. },
  664. {
  665. "typename": "System.Security.Cryptography.MD5CryptoServiceProvider",
  666. "assembly": "mscorlib"
  667. },
  668. {
  669. "typename": "System.Security.Cryptography.PaddingMode",
  670. "assembly": "mscorlib"
  671. },
  672. {
  673. "typename": "System.Security.Cryptography.SymmetricAlgorithm",
  674. "assembly": "mscorlib"
  675. },
  676. {
  677. "typename": "System.Security.Cryptography.TripleDES",
  678. "assembly": "mscorlib"
  679. },
  680. {
  681. "typename": "System.Security.Cryptography.TripleDESCryptoServiceProvider",
  682. "assembly": "mscorlib"
  683. },
  684. {
  685. "typename": "System.Single",
  686. "assembly": "mscorlib"
  687. },
  688. {
  689. "typename": "System.String",
  690. "assembly": "mscorlib"
  691. },
  692. {
  693. "typename": "System.Text.Encoding",
  694. "assembly": "mscorlib"
  695. },
  696. {
  697. "typename": "System.ThreadStaticAttribute",
  698. "assembly": "mscorlib"
  699. },
  700. {
  701. "typename": "System.Threading.Monitor",
  702. "assembly": "mscorlib"
  703. },
  704. {
  705. "typename": "System.Type",
  706. "assembly": "mscorlib"
  707. },
  708. {
  709. "typename": "System.Void",
  710. "assembly": "mscorlib"
  711. },
  712. {
  713. "typename": "System.WeakReference",
  714. "assembly": "mscorlib"
  715. }
  716. ]
  717. },
  718. "pe": {
  719. "peid_signatures": null,
  720. "imports": [
  721. {
  722. "imports": [
  723. {
  724. "name": "_CorExeMain",
  725. "address": "0x402000"
  726. }
  727. ],
  728. "dll": "mscoree.dll"
  729. }
  730. ],
  731. "digital_signers": null,
  732. "exported_dll_name": null,
  733. "actual_checksum": "0x00018eac",
  734. "overlay": null,
  735. "imagebase": "0x00400000",
  736. "reported_checksum": "0x00000000",
  737. "icon_hash": null,
  738. "entrypoint": "0x004157ce",
  739. "timestamp": "2019-01-28 04:04:03",
  740. "osversion": "4.0",
  741. "sections": [
  742. {
  743. "name": ".text",
  744. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  745. "virtual_address": "0x00002000",
  746. "size_of_data": "0x00013800",
  747. "entropy": "4.61",
  748. "raw_address": "0x00000200",
  749. "virtual_size": "0x000137d4",
  750. "characteristics_raw": "0x60000020"
  751. },
  752. {
  753. "name": ".rsrc",
  754. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  755. "virtual_address": "0x00016000",
  756. "size_of_data": "0x00000c00",
  757. "entropy": "3.71",
  758. "raw_address": "0x00013a00",
  759. "virtual_size": "0x00000a90",
  760. "characteristics_raw": "0x40000040"
  761. },
  762. {
  763. "name": ".reloc",
  764. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  765. "virtual_address": "0x00018000",
  766. "size_of_data": "0x00000200",
  767. "entropy": "0.10",
  768. "raw_address": "0x00014600",
  769. "virtual_size": "0x0000000c",
  770. "characteristics_raw": "0x42000040"
  771. }
  772. ],
  773. "resources": [],
  774. "dirents": [
  775. {
  776. "virtual_address": "0x00000000",
  777. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  778. "size": "0x00000000"
  779. },
  780. {
  781. "virtual_address": "0x00015780",
  782. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  783. "size": "0x0000004b"
  784. },
  785. {
  786. "virtual_address": "0x00016000",
  787. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  788. "size": "0x00000a90"
  789. },
  790. {
  791. "virtual_address": "0x00000000",
  792. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  793. "size": "0x00000000"
  794. },
  795. {
  796. "virtual_address": "0x00000000",
  797. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  798. "size": "0x00000000"
  799. },
  800. {
  801. "virtual_address": "0x00018000",
  802. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  803. "size": "0x0000000c"
  804. },
  805. {
  806. "virtual_address": "0x00000000",
  807. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  808. "size": "0x00000000"
  809. },
  810. {
  811. "virtual_address": "0x00000000",
  812. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  813. "size": "0x00000000"
  814. },
  815. {
  816. "virtual_address": "0x00000000",
  817. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  818. "size": "0x00000000"
  819. },
  820. {
  821. "virtual_address": "0x00000000",
  822. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  823. "size": "0x00000000"
  824. },
  825. {
  826. "virtual_address": "0x00000000",
  827. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  828. "size": "0x00000000"
  829. },
  830. {
  831. "virtual_address": "0x00000000",
  832. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  833. "size": "0x00000000"
  834. },
  835. {
  836. "virtual_address": "0x00002000",
  837. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  838. "size": "0x00000008"
  839. },
  840. {
  841. "virtual_address": "0x00000000",
  842. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  843. "size": "0x00000000"
  844. },
  845. {
  846. "virtual_address": "0x00002008",
  847. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  848. "size": "0x00000048"
  849. },
  850. {
  851. "virtual_address": "0x00000000",
  852. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  853. "size": "0x00000000"
  854. }
  855. ],
  856. "exports": [],
  857. "guest_signers": {},
  858. "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
  859. "icon_fuzzy": null,
  860. "icon": null,
  861. "pdbpath": null,
  862. "imported_dll_count": 1,
  863. "versioninfo": []
  864. }
  865. }
  866.  
  867. [*] Resolved APIs: [
  868. "advapi32.dll.RegOpenKeyExW",
  869. "advapi32.dll.RegQueryInfoKeyW",
  870. "advapi32.dll.RegEnumKeyExW",
  871. "advapi32.dll.RegEnumValueW",
  872. "advapi32.dll.RegCloseKey",
  873. "advapi32.dll.RegQueryValueExW",
  874. "kernel32.dll.QueryActCtxW",
  875. "shlwapi.dll.UrlIsW",
  876. "kernel32.dll.FlsAlloc",
  877. "kernel32.dll.FlsGetValue",
  878. "kernel32.dll.FlsSetValue",
  879. "kernel32.dll.FlsFree",
  880. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  881. "kernel32.dll.IsProcessorFeaturePresent",
  882. "msvcrt.dll._set_error_mode",
  883. "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
  884. "kernel32.dll.FindActCtxSectionStringW",
  885. "kernel32.dll.GetSystemWindowsDirectoryW",
  886. "mscoree.dll.GetProcessExecutableHeap",
  887. "mscorwks.dll._CorExeMain",
  888. "mscorwks.dll.GetCLRFunction",
  889. "advapi32.dll.RegisterTraceGuidsW",
  890. "advapi32.dll.UnregisterTraceGuids",
  891. "advapi32.dll.GetTraceLoggerHandle",
  892. "advapi32.dll.GetTraceEnableLevel",
  893. "advapi32.dll.GetTraceEnableFlags",
  894. "advapi32.dll.TraceEvent",
  895. "mscoree.dll.IEE",
  896. "mscorwks.dll.IEE",
  897. "mscoree.dll.GetStartupFlags",
  898. "mscoree.dll.GetHostConfigurationFile",
  899. "mscoree.dll.GetCORSystemDirectory",
  900. "ntdll.dll.RtlUnwind",
  901. "kernel32.dll.IsWow64Process",
  902. "advapi32.dll.AllocateAndInitializeSid",
  903. "advapi32.dll.OpenProcessToken",
  904. "advapi32.dll.GetTokenInformation",
  905. "advapi32.dll.InitializeAcl",
  906. "advapi32.dll.AddAccessAllowedAce",
  907. "advapi32.dll.FreeSid",
  908. "kernel32.dll.SetThreadStackGuarantee",
  909. "kernel32.dll.AddVectoredContinueHandler",
  910. "kernel32.dll.RemoveVectoredContinueHandler",
  911. "advapi32.dll.ConvertSidToStringSidW",
  912. "shell32.dll.SHGetFolderPathW",
  913. "kernel32.dll.FlushProcessWriteBuffers",
  914. "kernel32.dll.GetWriteWatch",
  915. "kernel32.dll.ResetWriteWatch",
  916. "kernel32.dll.CreateMemoryResourceNotification",
  917. "kernel32.dll.QueryMemoryResourceNotification",
  918. "ole32.dll.CoInitializeEx",
  919. "cryptbase.dll.SystemFunction036",
  920. "uxtheme.dll.ThemeInitApiHook",
  921. "user32.dll.IsProcessDPIAware",
  922. "ole32.dll.CoGetContextToken",
  923. "kernel32.dll.GetFullPathNameW",
  924. "kernel32.dll.GetVersionExW",
  925. "advapi32.dll.CryptAcquireContextA",
  926. "advapi32.dll.CryptReleaseContext",
  927. "advapi32.dll.CryptCreateHash",
  928. "advapi32.dll.CryptDestroyHash",
  929. "advapi32.dll.CryptHashData",
  930. "advapi32.dll.CryptGetHashParam",
  931. "advapi32.dll.CryptImportKey",
  932. "advapi32.dll.CryptExportKey",
  933. "advapi32.dll.CryptGenKey",
  934. "advapi32.dll.CryptGetKeyParam",
  935. "advapi32.dll.CryptDestroyKey",
  936. "advapi32.dll.CryptVerifySignatureA",
  937. "advapi32.dll.CryptSignHashA",
  938. "advapi32.dll.CryptGetProvParam",
  939. "advapi32.dll.CryptGetUserKey",
  940. "advapi32.dll.CryptEnumProvidersA",
  941. "mscoree.dll.GetMetaDataInternalInterface",
  942. "mscorwks.dll.GetMetaDataInternalInterface",
  943. "mscorjit.dll.getJit",
  944. "user32.dll.RegisterWindowMessageW",
  945. "kernel32.dll.CloseHandle",
  946. "kernel32.dll.GetCurrentProcess",
  947. "kernel32.dll.GetCurrentThread",
  948. "kernel32.dll.DuplicateHandle",
  949. "kernel32.dll.GetCurrentThreadId",
  950. "user32.dll.GetSystemMetrics",
  951. "kernel32.dll.lstrlen",
  952. "kernel32.dll.lstrlenW",
  953. "kernel32.dll.GetModuleHandleW",
  954. "kernel32.dll.GetProcAddress",
  955. "user32.dll.DefWindowProcW",
  956. "gdi32.dll.GetStockObject",
  957. "kernel32.dll.GetUserDefaultUILanguage",
  958. "user32.dll.RegisterClassW",
  959. "ole32.dll.CoTaskMemAlloc",
  960. "ole32.dll.CoTaskMemFree",
  961. "user32.dll.CreateWindowExW",
  962. "user32.dll.SetWindowLongW",
  963. "user32.dll.GetWindowLongW",
  964. "user32.dll.CallWindowProcW",
  965. "user32.dll.GetClientRect",
  966. "user32.dll.GetWindowRect",
  967. "user32.dll.GetParent",
  968. "uxtheme.dll.IsAppThemed",
  969. "kernel32.dll.CreateActCtxA",
  970. "user32.dll.AdjustWindowRectEx",
  971. "gdi32.dll.CreateCompatibleDC",
  972. "kernel32.dll.GetSystemDefaultLCID",
  973. "gdi32.dll.GetObjectW",
  974. "user32.dll.GetDC",
  975. "kernel32.dll.GetCurrentProcessId",
  976. "kernel32.dll.FindAtomW",
  977. "kernel32.dll.AddAtomW",
  978. "mscoree.dll.LoadLibraryShim",
  979. "gdiplus.dll.GdiplusStartup",
  980. "user32.dll.GetWindowInfo",
  981. "user32.dll.GetAncestor",
  982. "user32.dll.GetMonitorInfoA",
  983. "user32.dll.EnumDisplayMonitors",
  984. "user32.dll.EnumDisplayDevicesA",
  985. "gdi32.dll.ExtTextOutW",
  986. "gdi32.dll.GdiIsMetaPrintDC",
  987. "gdiplus.dll.GdipCreateFontFromLogfontW",
  988. "kernel32.dll.RegOpenKeyExW",
  989. "kernel32.dll.RegQueryInfoKeyA",
  990. "kernel32.dll.RegCloseKey",
  991. "kernel32.dll.RegCreateKeyExW",
  992. "kernel32.dll.RegQueryValueExW",
  993. "kernel32.dll.RegEnumValueW",
  994. "kernel32.dll.RegQueryInfoKeyW",
  995. "mscoree.dll.ND_RI2",
  996. "mscoree.dll.ND_RU1",
  997. "gdiplus.dll.GdipGetFontUnit",
  998. "gdiplus.dll.GdipGetFontSize",
  999. "gdiplus.dll.GdipGetFontStyle",
  1000. "gdiplus.dll.GdipGetFamily",
  1001. "user32.dll.ReleaseDC",
  1002. "gdiplus.dll.GdipCreateFromHDC",
  1003. "gdiplus.dll.GdipGetDpiY",
  1004. "gdiplus.dll.GdipGetFontHeight",
  1005. "gdiplus.dll.GdipGetEmHeight",
  1006. "gdiplus.dll.GdipGetLineSpacing",
  1007. "gdiplus.dll.GdipDeleteGraphics",
  1008. "gdiplus.dll.GdipCreateFont",
  1009. "gdiplus.dll.GdipDeleteFont",
  1010. "gdiplus.dll.GdipGetLogFontW",
  1011. "mscoree.dll.ND_WU1",
  1012. "gdi32.dll.CreateFontIndirectW",
  1013. "gdi32.dll.SelectObject",
  1014. "gdi32.dll.GetTextMetricsW",
  1015. "gdi32.dll.GetTextExtentPoint32W",
  1016. "gdi32.dll.DeleteDC",
  1017. "kernel32.dll.GetCurrentActCtx",
  1018. "kernel32.dll.ActivateActCtx",
  1019. "dwmapi.dll.DwmIsCompositionEnabled",
  1020. "user32.dll.SetWindowTextW",
  1021. "user32.dll.GetProcessWindowStation",
  1022. "user32.dll.GetUserObjectInformationA",
  1023. "kernel32.dll.SetConsoleCtrlHandler",
  1024. "user32.dll.GetClassInfoW",
  1025. "kernel32.dll.GetStartupInfoW",
  1026. "gdi32.dll.GetDeviceCaps",
  1027. "user32.dll.CreateIconFromResourceEx",
  1028. "user32.dll.SendMessageW",
  1029. "gdi32.dll.GetLayout",
  1030. "gdi32.dll.GdiRealizationInfo",
  1031. "gdi32.dll.FontIsLinked",
  1032. "gdi32.dll.GetTextFaceAliasW",
  1033. "gdi32.dll.GetFontAssocStatus",
  1034. "advapi32.dll.RegQueryValueExA",
  1035. "user32.dll.GetSystemMenu",
  1036. "user32.dll.GetWindowPlacement",
  1037. "user32.dll.EnableMenuItem",
  1038. "user32.dll.GetWindowTextLengthW",
  1039. "user32.dll.GetWindowTextW",
  1040. "user32.dll.SetWindowPos",
  1041. "user32.dll.RedrawWindow",
  1042. "user32.dll.ShowWindow",
  1043. "user32.dll.GetFocus",
  1044. "user32.dll.EnumThreadWindows",
  1045. "user32.dll.DestroyWindow",
  1046. "user32.dll.SetLayeredWindowAttributes",
  1047. "bcrypt.dll.BCryptGetFipsAlgorithmMode",
  1048. "cryptsp.dll.CryptAcquireContextW",
  1049. "cryptsp.dll.CryptCreateHash",
  1050. "cryptsp.dll.CryptHashData",
  1051. "cryptsp.dll.CryptGetHashParam",
  1052. "cryptsp.dll.CryptDestroyHash",
  1053. "cryptsp.dll.CryptGetProvParam",
  1054. "cryptsp.dll.CryptGenRandom",
  1055. "cryptsp.dll.CryptImportKey",
  1056. "cryptsp.dll.CryptSetKeyParam",
  1057. "cryptsp.dll.CryptDecrypt",
  1058. "cryptsp.dll.CryptEncrypt",
  1059. "advapi32.dll.RegSetValueExW",
  1060. "kernel32.dll.ReleaseMutex",
  1061. "kernel32.dll.CreateMutexW",
  1062. "kernel32.dll.GetEnvironmentVariableW",
  1063. "kernel32.dll.SetErrorMode",
  1064. "kernel32.dll.GetFileAttributesExW",
  1065. "kernel32.dll.CreateFileW",
  1066. "kernel32.dll.GetFileType",
  1067. "kernel32.dll.GetFileSize",
  1068. "kernel32.dll.ReadFile",
  1069. "kernel32.dll.WriteFile",
  1070. "kernel32.dll.LocalAlloc",
  1071. "kernel32.dll.RtlMoveMemory",
  1072. "shell32.dll.ShellExecuteEx",
  1073. "shell32.dll.ShellExecuteExW",
  1074. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1075. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1076. "comctl32.dll.#386",
  1077. "kernel32.dll.LocalFree",
  1078. "ole32.dll.CoWaitForMultipleHandles",
  1079. "sechost.dll.LookupAccountNameLocalW",
  1080. "user32.dll.SetClassLongW",
  1081. "user32.dll.PostMessageW",
  1082. "user32.dll.UnregisterClassW",
  1083. "kernel32.dll.DeleteAtom",
  1084. "user32.dll.IsWindow",
  1085. "user32.dll.DestroyIcon",
  1086. "gdi32.dll.DeleteObject",
  1087. "cryptsp.dll.CryptDestroyKey",
  1088. "cryptsp.dll.CryptReleaseContext",
  1089. "advapi32.dll.LookupAccountSidW",
  1090. "sechost.dll.LookupAccountSidLocalW",
  1091. "ole32.dll.NdrOleInitializeExtension",
  1092. "ole32.dll.CoGetClassObject",
  1093. "ole32.dll.CoGetMarshalSizeMax",
  1094. "ole32.dll.CoMarshalInterface",
  1095. "ole32.dll.CoUnmarshalInterface",
  1096. "ole32.dll.StringFromIID",
  1097. "ole32.dll.CoGetPSClsid",
  1098. "ole32.dll.CoCreateInstance",
  1099. "ole32.dll.CoReleaseMarshalData",
  1100. "ole32.dll.DcomChannelSetHResult",
  1101. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1102. "comctl32.dll.#321",
  1103. "kernel32.dll.CreateActCtxW",
  1104. "kernel32.dll.AddRefActCtx",
  1105. "kernel32.dll.ReleaseActCtx",
  1106. "kernel32.dll.DeactivateActCtx",
  1107. "kernel32.dll.SwitchToThread",
  1108. "user32.dll.SendMessageTimeoutA",
  1109. "user32.dll.SystemParametersInfoW",
  1110. "kernel32.dll.lstrcpy",
  1111. "kernel32.dll.lstrcpyW",
  1112. "kernel32.dll.CreateProcessW",
  1113. "kernel32.dll.WaitForSingleObject",
  1114. "shfolder.dll.SHGetFolderPathW",
  1115. "kernel32.dll.CopyFileW",
  1116. "user32.dll.GetAsyncKeyState",
  1117. "user32.dll.GetKeyState",
  1118. "user32.dll.GetKeyboardState",
  1119. "user32.dll.MapVirtualKeyA",
  1120. "user32.dll.GetForegroundWindow",
  1121. "user32.dll.GetWindowThreadProcessId",
  1122. "user32.dll.GetKeyboardLayout",
  1123. "user32.dll.ToUnicodeEx",
  1124. "ole32.dll.OleInitialize",
  1125. "ole32.dll.CoRegisterMessageFilter",
  1126. "user32.dll.PeekMessageW",
  1127. "user32.dll.IsWindowUnicode",
  1128. "user32.dll.GetMessageW",
  1129. "user32.dll.TranslateMessage",
  1130. "user32.dll.DispatchMessageW",
  1131. "version.dll.GetFileVersionInfoSizeW",
  1132. "version.dll.GetFileVersionInfoW",
  1133. "version.dll.VerQueryValueW",
  1134. "version.dll.VerLanguageNameW",
  1135. "user32.dll.BeginPaint",
  1136. "gdiplus.dll.GdipCreateHalftonePalette",
  1137. "gdi32.dll.SelectPalette",
  1138. "user32.dll.EndPaint",
  1139. "ws2_32.dll.WSAStartup",
  1140. "ws2_32.dll.WSASocketW",
  1141. "ws2_32.dll.setsockopt",
  1142. "ws2_32.dll.WSAEventSelect",
  1143. "ws2_32.dll.ioctlsocket",
  1144. "ws2_32.dll.closesocket",
  1145. "kernel32.dll.GetComputerNameW",
  1146. "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
  1147. "kernel32.dll.CreateFileMappingW",
  1148. "kernel32.dll.MapViewOfFile",
  1149. "kernel32.dll.UnmapViewOfFile",
  1150. "kernel32.dll.VirtualQuery",
  1151. "advapi32.dll.CreateWellKnownSid",
  1152. "kernel32.dll.OpenMutexW",
  1153. "kernel32.dll.OpenProcess",
  1154. "kernel32.dll.GetProcessTimes",
  1155. "ws2_32.dll.getaddrinfo",
  1156. "ws2_32.dll.freeaddrinfo",
  1157. "ws2_32.dll.WSAConnect",
  1158. "advapi32.dll.LookupPrivilegeValueW",
  1159. "advapi32.dll.AdjustTokenPrivileges",
  1160. "kernel32.dll.GetExitCodeProcess",
  1161. "kernel32.dll.GetProcessWorkingSetSize",
  1162. "kernel32.dll.SetProcessWorkingSetSize",
  1163. "user32.dll.GetWindowTextLengthA",
  1164. "user32.dll.GetWindowTextA",
  1165. "advapi32.dll.RegCreateKeyExW",
  1166. "kernel32.dll.FormatMessageW",
  1167. "ws2_32.dll.shutdown",
  1168. "kernel32.dll.GlobalMemoryStatusEx",
  1169. "rasmontr.dll.InitHelperDll",
  1170. "nshwfp.dll.InitHelperDll",
  1171. "dhcpcmonitor.dll.InitHelperDll",
  1172. "wshelper.dll.InitHelperDll",
  1173. "nshhttp.dll.InitHelperDll",
  1174. "fwcfg.dll.InitHelperDll",
  1175. "authfwcfg.dll.InitHelperDll",
  1176. "ifmon.dll.InitHelperDll",
  1177. "netiohlp.dll.InitHelperDll",
  1178. "whhelper.dll.InitHelperDll",
  1179. "hnetmon.dll.InitHelperDll",
  1180. "rpcnsh.dll.InitHelperDll",
  1181. "dot3cfg.dll.InitHelperDll",
  1182. "napmontr.dll.InitHelperDll",
  1183. "nshipsec.dll.InitHelperDll",
  1184. "p2pnetsh.dll.InitHelperDll",
  1185. "wlancfg.dll.InitHelperDll",
  1186. "peerdistsh.dll.InitHelperDll",
  1187. "cryptsp.dll.CryptEnumProvidersW",
  1188. "user32.dll.LoadStringW",
  1189. "sechost.dll.OpenSCManagerW",
  1190. "sechost.dll.OpenServiceW",
  1191. "sechost.dll.QueryServiceConfigW",
  1192. "sechost.dll.CloseServiceHandle",
  1193. "sechost.dll.QueryServiceStatus",
  1194. "httpapi.dll.HttpInitialize",
  1195. "userenv.dll.RegisterGPNotification",
  1196. "userenv.dll.UnregisterGPNotification",
  1197. "gpapi.dll.RegisterGPNotificationInternal",
  1198. "bcryptprimitives.dll.GetHashInterface",
  1199. "bcryptprimitives.dll.GetCipherInterface",
  1200. "kernel32.dll.SetThreadUILanguage",
  1201. "oleaut32.dll.#7",
  1202. "shlwapi.dll.PathCanonicalizeW",
  1203. "ole32.dll.CoCreateGuid",
  1204. "ole32.dll.StringFromGUID2",
  1205. "ole32.dll.CoUninitialize",
  1206. "oleaut32.dll.#500",
  1207. "httpapi.dll.HttpTerminate",
  1208. "gpapi.dll.UnregisterGPNotificationInternal",
  1209. "oleaut32.dll.#9",
  1210. "comctl32.dll.#388"
  1211. ]
  1212.  
  1213. [*] Static Analysis: {
  1214. "dotnet": {
  1215. "customattrs": null,
  1216. "assemblyinfo": {
  1217. "version": "1.0.0.0",
  1218. "name": "word"
  1219. },
  1220. "assemblyrefs": [
  1221. {
  1222. "version": "2.0.0.0",
  1223. "name": "mscorlib"
  1224. },
  1225. {
  1226. "version": "8.0.0.0",
  1227. "name": "Microsoft.VisualBasic"
  1228. },
  1229. {
  1230. "version": "2.0.0.0",
  1231. "name": "System.Windows.Forms"
  1232. },
  1233. {
  1234. "version": "2.0.0.0",
  1235. "name": "System"
  1236. },
  1237. {
  1238. "version": "2.0.0.0",
  1239. "name": "System.Drawing"
  1240. }
  1241. ],
  1242. "typerefs": [
  1243. {
  1244. "typename": "Microsoft.VisualBasic.ApplicationServices.AuthenticationMode",
  1245. "assembly": "Microsoft.VisualBasic"
  1246. },
  1247. {
  1248. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownEventHandler",
  1249. "assembly": "Microsoft.VisualBasic"
  1250. },
  1251. {
  1252. "typename": "Microsoft.VisualBasic.ApplicationServices.ShutdownMode",
  1253. "assembly": "Microsoft.VisualBasic"
  1254. },
  1255. {
  1256. "typename": "Microsoft.VisualBasic.ApplicationServices.User",
  1257. "assembly": "Microsoft.VisualBasic"
  1258. },
  1259. {
  1260. "typename": "Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase",
  1261. "assembly": "Microsoft.VisualBasic"
  1262. },
  1263. {
  1264. "typename": "Microsoft.VisualBasic.CompilerServices.Conversions",
  1265. "assembly": "Microsoft.VisualBasic"
  1266. },
  1267. {
  1268. "typename": "Microsoft.VisualBasic.CompilerServices.DesignerGeneratedAttribute",
  1269. "assembly": "Microsoft.VisualBasic"
  1270. },
  1271. {
  1272. "typename": "Microsoft.VisualBasic.CompilerServices.NewLateBinding",
  1273. "assembly": "Microsoft.VisualBasic"
  1274. },
  1275. {
  1276. "typename": "Microsoft.VisualBasic.CompilerServices.ObjectFlowControl",
  1277. "assembly": "Microsoft.VisualBasic"
  1278. },
  1279. {
  1280. "typename": "Microsoft.VisualBasic.CompilerServices.ProjectData",
  1281. "assembly": "Microsoft.VisualBasic"
  1282. },
  1283. {
  1284. "typename": "Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute",
  1285. "assembly": "Microsoft.VisualBasic"
  1286. },
  1287. {
  1288. "typename": "Microsoft.VisualBasic.CompilerServices.Utils",
  1289. "assembly": "Microsoft.VisualBasic"
  1290. },
  1291. {
  1292. "typename": "Microsoft.VisualBasic.Devices.Computer",
  1293. "assembly": "Microsoft.VisualBasic"
  1294. },
  1295. {
  1296. "typename": "Microsoft.VisualBasic.HideModuleNameAttribute",
  1297. "assembly": "Microsoft.VisualBasic"
  1298. },
  1299. {
  1300. "typename": "Microsoft.VisualBasic.MyGroupCollectionAttribute",
  1301. "assembly": "Microsoft.VisualBasic"
  1302. },
  1303. {
  1304. "typename": "Microsoft.VisualBasic.Strings",
  1305. "assembly": "Microsoft.VisualBasic"
  1306. },
  1307. {
  1308. "typename": "System.CodeDom.Compiler.GeneratedCodeAttribute",
  1309. "assembly": "System"
  1310. },
  1311. {
  1312. "typename": "System.ComponentModel.Component",
  1313. "assembly": "System"
  1314. },
  1315. {
  1316. "typename": "System.ComponentModel.Design.HelpKeywordAttribute",
  1317. "assembly": "System"
  1318. },
  1319. {
  1320. "typename": "System.ComponentModel.EditorBrowsableAttribute",
  1321. "assembly": "System"
  1322. },
  1323. {
  1324. "typename": "System.ComponentModel.EditorBrowsableState",
  1325. "assembly": "System"
  1326. },
  1327. {
  1328. "typename": "System.ComponentModel.IContainer",
  1329. "assembly": "System"
  1330. },
  1331. {
  1332. "typename": "System.Configuration.ApplicationSettingsBase",
  1333. "assembly": "System"
  1334. },
  1335. {
  1336. "typename": "System.Configuration.SettingsBase",
  1337. "assembly": "System"
  1338. },
  1339. {
  1340. "typename": "System.Drawing.Size",
  1341. "assembly": "System.Drawing"
  1342. },
  1343. {
  1344. "typename": "System.Drawing.SizeF",
  1345. "assembly": "System.Drawing"
  1346. },
  1347. {
  1348. "typename": "System.Windows.Forms.Application",
  1349. "assembly": "System.Windows.Forms"
  1350. },
  1351. {
  1352. "typename": "System.Windows.Forms.AutoScaleMode",
  1353. "assembly": "System.Windows.Forms"
  1354. },
  1355. {
  1356. "typename": "System.Windows.Forms.ContainerControl",
  1357. "assembly": "System.Windows.Forms"
  1358. },
  1359. {
  1360. "typename": "System.Windows.Forms.Control",
  1361. "assembly": "System.Windows.Forms"
  1362. },
  1363. {
  1364. "typename": "System.Windows.Forms.Form",
  1365. "assembly": "System.Windows.Forms"
  1366. },
  1367. {
  1368. "typename": "System.Activator",
  1369. "assembly": "mscorlib"
  1370. },
  1371. {
  1372. "typename": "System.AppDomain",
  1373. "assembly": "mscorlib"
  1374. },
  1375. {
  1376. "typename": "System.ArgumentException",
  1377. "assembly": "mscorlib"
  1378. },
  1379. {
  1380. "typename": "System.Boolean",
  1381. "assembly": "mscorlib"
  1382. },
  1383. {
  1384. "typename": "System.Byte",
  1385. "assembly": "mscorlib"
  1386. },
  1387. {
  1388. "typename": "System.Collections.Generic.List`1",
  1389. "assembly": "mscorlib"
  1390. },
  1391. {
  1392. "typename": "System.Collections.Hashtable",
  1393. "assembly": "mscorlib"
  1394. },
  1395. {
  1396. "typename": "System.Convert",
  1397. "assembly": "mscorlib"
  1398. },
  1399. {
  1400. "typename": "System.Diagnostics.DebuggableAttribute",
  1401. "assembly": "mscorlib"
  1402. },
  1403. {
  1404. "typename": "System.Diagnostics.DebuggableAttribute/DebuggingModes",
  1405. "assembly": "mscorlib"
  1406. },
  1407. {
  1408. "typename": "System.Diagnostics.DebuggerHiddenAttribute",
  1409. "assembly": "mscorlib"
  1410. },
  1411. {
  1412. "typename": "System.Diagnostics.DebuggerNonUserCodeAttribute",
  1413. "assembly": "mscorlib"
  1414. },
  1415. {
  1416. "typename": "System.Diagnostics.DebuggerStepThroughAttribute",
  1417. "assembly": "mscorlib"
  1418. },
  1419. {
  1420. "typename": "System.Double",
  1421. "assembly": "mscorlib"
  1422. },
  1423. {
  1424. "typename": "System.EventArgs",
  1425. "assembly": "mscorlib"
  1426. },
  1427. {
  1428. "typename": "System.EventHandler",
  1429. "assembly": "mscorlib"
  1430. },
  1431. {
  1432. "typename": "System.Exception",
  1433. "assembly": "mscorlib"
  1434. },
  1435. {
  1436. "typename": "System.Globalization.CultureInfo",
  1437. "assembly": "mscorlib"
  1438. },
  1439. {
  1440. "typename": "System.IDisposable",
  1441. "assembly": "mscorlib"
  1442. },
  1443. {
  1444. "typename": "System.Int32",
  1445. "assembly": "mscorlib"
  1446. },
  1447. {
  1448. "typename": "System.IntPtr",
  1449. "assembly": "mscorlib"
  1450. },
  1451. {
  1452. "typename": "System.InvalidOperationException",
  1453. "assembly": "mscorlib"
  1454. },
  1455. {
  1456. "typename": "System.Object",
  1457. "assembly": "mscorlib"
  1458. },
  1459. {
  1460. "typename": "System.Reflection.Assembly",
  1461. "assembly": "mscorlib"
  1462. },
  1463. {
  1464. "typename": "System.Reflection.AssemblyCompanyAttribute",
  1465. "assembly": "mscorlib"
  1466. },
  1467. {
  1468. "typename": "System.Reflection.AssemblyCopyrightAttribute",
  1469. "assembly": "mscorlib"
  1470. },
  1471. {
  1472. "typename": "System.Reflection.AssemblyDescriptionAttribute",
  1473. "assembly": "mscorlib"
  1474. },
  1475. {
  1476. "typename": "System.Reflection.AssemblyFileVersionAttribute",
  1477. "assembly": "mscorlib"
  1478. },
  1479. {
  1480. "typename": "System.Reflection.AssemblyProductAttribute",
  1481. "assembly": "mscorlib"
  1482. },
  1483. {
  1484. "typename": "System.Reflection.AssemblyTitleAttribute",
  1485. "assembly": "mscorlib"
  1486. },
  1487. {
  1488. "typename": "System.Reflection.AssemblyTrademarkAttribute",
  1489. "assembly": "mscorlib"
  1490. },
  1491. {
  1492. "typename": "System.Reflection.TargetInvocationException",
  1493. "assembly": "mscorlib"
  1494. },
  1495. {
  1496. "typename": "System.Resources.ResourceManager",
  1497. "assembly": "mscorlib"
  1498. },
  1499. {
  1500. "typename": "System.Runtime.CompilerServices.CompilationRelaxationsAttribute",
  1501. "assembly": "mscorlib"
  1502. },
  1503. {
  1504. "typename": "System.Runtime.CompilerServices.CompilerGeneratedAttribute",
  1505. "assembly": "mscorlib"
  1506. },
  1507. {
  1508. "typename": "System.Runtime.CompilerServices.RuntimeCompatibilityAttribute",
  1509. "assembly": "mscorlib"
  1510. },
  1511. {
  1512. "typename": "System.Runtime.CompilerServices.RuntimeHelpers",
  1513. "assembly": "mscorlib"
  1514. },
  1515. {
  1516. "typename": "System.Runtime.InteropServices.ComVisibleAttribute",
  1517. "assembly": "mscorlib"
  1518. },
  1519. {
  1520. "typename": "System.Runtime.InteropServices.GuidAttribute",
  1521. "assembly": "mscorlib"
  1522. },
  1523. {
  1524. "typename": "System.RuntimeTypeHandle",
  1525. "assembly": "mscorlib"
  1526. },
  1527. {
  1528. "typename": "System.STAThreadAttribute",
  1529. "assembly": "mscorlib"
  1530. },
  1531. {
  1532. "typename": "System.Security.Cryptography.CipherMode",
  1533. "assembly": "mscorlib"
  1534. },
  1535. {
  1536. "typename": "System.Security.Cryptography.HashAlgorithm",
  1537. "assembly": "mscorlib"
  1538. },
  1539. {
  1540. "typename": "System.Security.Cryptography.ICryptoTransform",
  1541. "assembly": "mscorlib"
  1542. },
  1543. {
  1544. "typename": "System.Security.Cryptography.MD5CryptoServiceProvider",
  1545. "assembly": "mscorlib"
  1546. },
  1547. {
  1548. "typename": "System.Security.Cryptography.PaddingMode",
  1549. "assembly": "mscorlib"
  1550. },
  1551. {
  1552. "typename": "System.Security.Cryptography.SymmetricAlgorithm",
  1553. "assembly": "mscorlib"
  1554. },
  1555. {
  1556. "typename": "System.Security.Cryptography.TripleDES",
  1557. "assembly": "mscorlib"
  1558. },
  1559. {
  1560. "typename": "System.Security.Cryptography.TripleDESCryptoServiceProvider",
  1561. "assembly": "mscorlib"
  1562. },
  1563. {
  1564. "typename": "System.Single",
  1565. "assembly": "mscorlib"
  1566. },
  1567. {
  1568. "typename": "System.String",
  1569. "assembly": "mscorlib"
  1570. },
  1571. {
  1572. "typename": "System.Text.Encoding",
  1573. "assembly": "mscorlib"
  1574. },
  1575. {
  1576. "typename": "System.ThreadStaticAttribute",
  1577. "assembly": "mscorlib"
  1578. },
  1579. {
  1580. "typename": "System.Threading.Monitor",
  1581. "assembly": "mscorlib"
  1582. },
  1583. {
  1584. "typename": "System.Type",
  1585. "assembly": "mscorlib"
  1586. },
  1587. {
  1588. "typename": "System.Void",
  1589. "assembly": "mscorlib"
  1590. },
  1591. {
  1592. "typename": "System.WeakReference",
  1593. "assembly": "mscorlib"
  1594. }
  1595. ]
  1596. },
  1597. "pe": {
  1598. "peid_signatures": null,
  1599. "imports": [
  1600. {
  1601. "imports": [
  1602. {
  1603. "name": "_CorExeMain",
  1604. "address": "0x402000"
  1605. }
  1606. ],
  1607. "dll": "mscoree.dll"
  1608. }
  1609. ],
  1610. "digital_signers": null,
  1611. "exported_dll_name": null,
  1612. "actual_checksum": "0x00018eac",
  1613. "overlay": null,
  1614. "imagebase": "0x00400000",
  1615. "reported_checksum": "0x00000000",
  1616. "icon_hash": null,
  1617. "entrypoint": "0x004157ce",
  1618. "timestamp": "2019-01-28 04:04:03",
  1619. "osversion": "4.0",
  1620. "sections": [
  1621. {
  1622. "name": ".text",
  1623. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1624. "virtual_address": "0x00002000",
  1625. "size_of_data": "0x00013800",
  1626. "entropy": "4.61",
  1627. "raw_address": "0x00000200",
  1628. "virtual_size": "0x000137d4",
  1629. "characteristics_raw": "0x60000020"
  1630. },
  1631. {
  1632. "name": ".rsrc",
  1633. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1634. "virtual_address": "0x00016000",
  1635. "size_of_data": "0x00000c00",
  1636. "entropy": "3.71",
  1637. "raw_address": "0x00013a00",
  1638. "virtual_size": "0x00000a90",
  1639. "characteristics_raw": "0x40000040"
  1640. },
  1641. {
  1642. "name": ".reloc",
  1643. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1644. "virtual_address": "0x00018000",
  1645. "size_of_data": "0x00000200",
  1646. "entropy": "0.10",
  1647. "raw_address": "0x00014600",
  1648. "virtual_size": "0x0000000c",
  1649. "characteristics_raw": "0x42000040"
  1650. }
  1651. ],
  1652. "resources": [],
  1653. "dirents": [
  1654. {
  1655. "virtual_address": "0x00000000",
  1656. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1657. "size": "0x00000000"
  1658. },
  1659. {
  1660. "virtual_address": "0x00015780",
  1661. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1662. "size": "0x0000004b"
  1663. },
  1664. {
  1665. "virtual_address": "0x00016000",
  1666. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1667. "size": "0x00000a90"
  1668. },
  1669. {
  1670. "virtual_address": "0x00000000",
  1671. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1672. "size": "0x00000000"
  1673. },
  1674. {
  1675. "virtual_address": "0x00000000",
  1676. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1677. "size": "0x00000000"
  1678. },
  1679. {
  1680. "virtual_address": "0x00018000",
  1681. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1682. "size": "0x0000000c"
  1683. },
  1684. {
  1685. "virtual_address": "0x00000000",
  1686. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1687. "size": "0x00000000"
  1688. },
  1689. {
  1690. "virtual_address": "0x00000000",
  1691. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1692. "size": "0x00000000"
  1693. },
  1694. {
  1695. "virtual_address": "0x00000000",
  1696. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1697. "size": "0x00000000"
  1698. },
  1699. {
  1700. "virtual_address": "0x00000000",
  1701. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1702. "size": "0x00000000"
  1703. },
  1704. {
  1705. "virtual_address": "0x00000000",
  1706. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1707. "size": "0x00000000"
  1708. },
  1709. {
  1710. "virtual_address": "0x00000000",
  1711. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1712. "size": "0x00000000"
  1713. },
  1714. {
  1715. "virtual_address": "0x00002000",
  1716. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1717. "size": "0x00000008"
  1718. },
  1719. {
  1720. "virtual_address": "0x00000000",
  1721. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1722. "size": "0x00000000"
  1723. },
  1724. {
  1725. "virtual_address": "0x00002008",
  1726. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1727. "size": "0x00000048"
  1728. },
  1729. {
  1730. "virtual_address": "0x00000000",
  1731. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1732. "size": "0x00000000"
  1733. }
  1734. ],
  1735. "exports": [],
  1736. "guest_signers": {},
  1737. "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
  1738. "icon_fuzzy": null,
  1739. "icon": null,
  1740. "pdbpath": null,
  1741. "imported_dll_count": 1,
  1742. "versioninfo": []
  1743. }
  1744. }