- [*] MalFamily: ""
- [*] MalScore: 10.0
- [*] File Name: "Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg"
- [*] File Size: 266240
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
- [*] SHA256: "e61baf5aaf6a75cfa8da252e8790e3a66b12a97885cbd455a0f1b7bd2b8f1e6a"
- [*] MD5: "6b191ac6e5b5a9c3982cbb7855355523"
- [*] SHA1: "3bfa45fbd03c1fb9339ed6c2b011f84d5a152573"
- [*] SHA512: "08858381e5c9db085fc8b1660291205d157b8e3499fed55d90a665a79f1f322e88d12c955c46fa5a36ddd138052d44e5661181ed4804876d32457d1ffd90ae1b"
- [*] CRC32: "522E8E8C"
- [*] SSDEEP: "6144:mCSBNNhsOBN7HvBTWkQufYAP0RqJaQ2lHjBSsIbYWl7bBPNTpy8W41rSIesqAkeK:5ONhsOBNrvApcaQik9J"
- [*] Process Execution: [
- "Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg",
- "akbkdabad.exe",
- "akbkdabad.exe",
- "akbkdabad.exe",
- "services.exe",
- "lsass.exe",
- "GoogleUpdate.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details": [
- {
- "IP": "172.217.0.35:443"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "A process attempted to delay the analysis task.",
- "Details": [
- {
- "Process": "akbkdabad.exe tried to sleep 1414 seconds, actually delayed analysis time by 0 seconds"
- }
- ]
- },
- {
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details": [
- {
- "ioc": "http://crl.globalsign.net/root-r2.crl0"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- }
- ]
- },
- {
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details": [
- {
- "section": "name: UPX1, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0003fa00, virtual_size: 0x00040000"
- }
- ]
- },
- {
- "Description": "The executable is compressed using UPX",
- "Details": [
- {
- "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00059000"
- }
- ]
- },
- {
- "Description": "Deletes its original binary from disk",
- "Details": []
- },
- {
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details": [
- {
- "Injection": "akbkdabad.exe(312) -> akbkdabad.exe(2224)"
- }
- ]
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11962623 times"
- }
- ]
- },
- {
- "Description": "Steals private information from local Internet browsers",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs"
- }
- ]
- },
- {
- "Description": "Creates a hidden or system file",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
- }
- ]
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
- }
- ]
- },
- {
- "Description": "Harvests credentials from local FTP client softwares",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
- },
- {
- "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
- },
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
- }
- ]
- },
- {
- "Description": "Harvests information related to installed instant messenger clients",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- }
- ]
- },
- {
- "Description": "Harvests information related to installed mail clients",
- "Details": [
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- },
- {
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
- }
- ]
- },
- {
- "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
- "Details": [
- {
- "file": "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe:ZoneIdentifier"
- }
- ]
- },
- {
- "Description": "Collects information to fingerprint the system",
- "Details": []
- },
- {
- "Description": "Anomalous binary characteristics",
- "Details": [
- {
- "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
- }
- ]
- }
- ]
- [*] Started Service: [
- "VaultSvc"
- ]
- [*] Executed Commands: [
- "\"C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe\" 1 \"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg\" 1F59C1C",
- "\"C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe\"",
- "C:\\Windows\\system32\\lsass.exe",
- "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc"
- ]
- [*] Mutexes: [
- "1F59C1C",
- "6EFA73A4746045B65DEE781E",
- "Global\\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
- "Global\\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
- "Global\\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
- "Global\\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe",
- "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe:ZoneIdentifier",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
- "\\??\\PIPE\\wkssvc",
- "\\??\\pipe\\GoogleCrashServices\\S-1-5-18"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}\\74.0.3729.169_73.0.3683.86_chrome_updater.exe",
- "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}"
- ]
- [*] Modified Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}\\PersistedPingString",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}\\PersistedPingTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\pv",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000_CLASSES\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\proxy\\source",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\RollCallDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\ping_freshness",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\(Default)",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\hint",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\LastCheckSuccess",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ActivePingDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\RollCallDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastActivity",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastRollCall",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ping_freshness",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\(Default)",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\hint",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\LastCheckSuccess",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\LastChecked",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\StateValue"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\uid",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\old-uid",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\tttoken",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\tttoken",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableCount",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableSince"
- ]
- [*] DNS Communications: [
- {
- "type": "A",
- "request": "www.effyqroup.com",
- "answers": [
- {
- "data": "",
- "type": "NXDOMAIN"
- }
- ]
- }
- ]
- [*] Domains: [
- {
- "ip": "",
- "domain": "www.effyqroup.com"
- }
- ]
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "LoadLibraryA",
- "address": "0x49b050"
- },
- {
- "name": "GetProcAddress",
- "address": "0x49b054"
- },
- {
- "name": "VirtualProtect",
- "address": "0x49b058"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x49b05c"
- },
- {
- "name": "VirtualFree",
- "address": "0x49b060"
- },
- {
- "name": "ExitProcess",
- "address": "0x49b064"
- }
- ],
- "dll": "KERNEL32.DLL"
- },
- {
- "imports": [
- {
- "name": "RegCloseKey",
- "address": "0x49b06c"
- }
- ],
- "dll": "advapi32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Add",
- "address": "0x49b074"
- }
- ],
- "dll": "comctl32.dll"
- },
- {
- "imports": [
- {
- "name": "GetOpenFileNameA",
- "address": "0x49b07c"
- }
- ],
- "dll": "comdlg32.dll"
- },
- {
- "imports": [
- {
- "name": "SaveDC",
- "address": "0x49b084"
- }
- ],
- "dll": "gdi32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantCopy",
- "address": "0x49b08c"
- }
- ],
- "dll": "oleaut32.dll"
- },
- {
- "imports": [
- {
- "name": "GetDC",
- "address": "0x49b094"
- }
- ],
- "dll": "user32.dll"
- },
- {
- "imports": [
- {
- "name": "VerQueryValueA",
- "address": "0x49b09c"
- }
- ],
- "dll": "version.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00050625",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x00499640",
- "timestamp": "1992-06-17 20:49:04",
- "osversion": "4.0",
- "sections": [
- {
- "name": "UPX0",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000400",
- "virtual_size": "0x00059000",
- "characteristics_raw": "0xe0000080"
- },
- {
- "name": "UPX1",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0005a000",
- "size_of_data": "0x0003fa00",
- "entropy": "7.95",
- "raw_address": "0x00000400",
- "virtual_size": "0x00040000",
- "characteristics_raw": "0xe0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0009a000",
- "size_of_data": "0x00001200",
- "entropy": "3.33",
- "raw_address": "0x0003fe00",
- "virtual_size": "0x00002000",
- "characteristics_raw": "0xc0000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0009af9c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000224"
- },
- {
- "virtual_address": "0x0009a000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000f9c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000997f8",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000018"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "c458ff2d515beb8f44158cd3636a7400",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 8,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.lstrcpyA",
- "kernel32.dll.WriteFile",
- "kernel32.dll.WaitForSingleObject",
- "kernel32.dll.VirtualQuery",
- "kernel32.dll.VirtualAlloc",
- "kernel32.dll.Sleep",
- "kernel32.dll.SizeofResource",
- "kernel32.dll.SetThreadLocale",
- "kernel32.dll.SetFilePointer",
- "kernel32.dll.SetEvent",
- "kernel32.dll.SetErrorMode",
- "kernel32.dll.SetEndOfFile",
- "kernel32.dll.ResetEvent",
- "kernel32.dll.ReadFile",
- "kernel32.dll.MulDiv",
- "kernel32.dll.LockResource",
- "kernel32.dll.LoadResource",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.LeaveCriticalSection",
- "kernel32.dll.InitializeCriticalSection",
- "kernel32.dll.GlobalUnlock",
- "kernel32.dll.GlobalReAlloc",
- "kernel32.dll.GlobalHandle",
- "kernel32.dll.GlobalLock",
- "kernel32.dll.GlobalFree",
- "kernel32.dll.GlobalFindAtomA",
- "kernel32.dll.GlobalDeleteAtom",
- "kernel32.dll.GlobalAlloc",
- "kernel32.dll.GlobalAddAtomA",
- "kernel32.dll.GetVersionExA",
- "kernel32.dll.GetVersion",
- "kernel32.dll.GetTickCount",
- "kernel32.dll.GetThreadLocale",
- "kernel32.dll.GetSystemInfo",
- "kernel32.dll.GetStringTypeExA",
- "kernel32.dll.GetStdHandle",
- "kernel32.dll.GetProcAddress",
- "kernel32.dll.GetModuleHandleA",
- "kernel32.dll.GetModuleFileNameA",
- "kernel32.dll.GetLocaleInfoA",
- "kernel32.dll.GetLocalTime",
- "kernel32.dll.GetLastError",
- "kernel32.dll.GetFullPathNameA",
- "kernel32.dll.GetFileAttributesA",
- "kernel32.dll.GetDiskFreeSpaceA",
- "kernel32.dll.GetDateFormatA",
- "kernel32.dll.GetCurrentThreadId",
- "kernel32.dll.GetCurrentProcessId",
- "kernel32.dll.GetCPInfo",
- "kernel32.dll.GetACP",
- "kernel32.dll.FreeResource",
- "kernel32.dll.InterlockedExchange",
- "kernel32.dll.FreeLibrary",
- "kernel32.dll.FormatMessageA",
- "kernel32.dll.FindResourceA",
- "kernel32.dll.FindFirstFileA",
- "kernel32.dll.FindClose",
- "kernel32.dll.FileTimeToLocalFileTime",
- "kernel32.dll.FileTimeToDosDateTime",
- "kernel32.dll.EnumCalendarInfoA",
- "kernel32.dll.EnterCriticalSection",
- "kernel32.dll.DeleteCriticalSection",
- "kernel32.dll.CreateThread",
- "kernel32.dll.CreateFileA",
- "kernel32.dll.CreateEventA",
- "kernel32.dll.CompareStringA",
- "kernel32.dll.CloseHandle",
- "kernel32.dll.TlsSetValue",
- "kernel32.dll.TlsGetValue",
- "kernel32.dll.LocalAlloc",
- "kernel32.dll.VirtualFree",
- "kernel32.dll.LocalFree",
- "kernel32.dll.InterlockedDecrement",
- "kernel32.dll.InterlockedIncrement",
- "kernel32.dll.WideCharToMultiByte",
- "kernel32.dll.MultiByteToWideChar",
- "kernel32.dll.lstrlenA",
- "kernel32.dll.lstrcpynA",
- "kernel32.dll.LoadLibraryExA",
- "kernel32.dll.GetStartupInfoA",
- "kernel32.dll.GetCommandLineA",
- "kernel32.dll.ExitProcess",
- "kernel32.dll.UnhandledExceptionFilter",
- "kernel32.dll.RtlUnwind",
- "kernel32.dll.RaiseException",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegOpenKeyExA",
- "advapi32.dll.RegCloseKey",
- "comctl32.dll.ImageList_SetIconSize",
- "comctl32.dll.ImageList_GetIconSize",
- "comctl32.dll.ImageList_Write",
- "comctl32.dll.ImageList_Read",
- "comctl32.dll.ImageList_GetDragImage",
- "comctl32.dll.ImageList_DragShowNolock",
- "comctl32.dll.ImageList_SetDragCursorImage",
- "comctl32.dll.ImageList_DragMove",
- "comctl32.dll.ImageList_DragLeave",
- "comctl32.dll.ImageList_DragEnter",
- "comctl32.dll.ImageList_EndDrag",
- "comctl32.dll.ImageList_BeginDrag",
- "comctl32.dll.ImageList_Remove",
- "comctl32.dll.ImageList_DrawEx",
- "comctl32.dll.ImageList_Replace",
- "comctl32.dll.ImageList_Draw",
- "comctl32.dll.ImageList_GetBkColor",
- "comctl32.dll.ImageList_SetBkColor",
- "comctl32.dll.ImageList_ReplaceIcon",
- "comctl32.dll.ImageList_Add",
- "comctl32.dll.ImageList_GetImageCount",
- "comctl32.dll.ImageList_Destroy",
- "comctl32.dll.ImageList_Create",
- "comdlg32.dll.GetOpenFileNameA",
- "gdi32.dll.UnrealizeObject",
- "gdi32.dll.StretchBlt",
- "gdi32.dll.SetWindowOrgEx",
- "gdi32.dll.SetWinMetaFileBits",
- "gdi32.dll.SetViewportOrgEx",
- "gdi32.dll.SetTextColor",
- "gdi32.dll.SetStretchBltMode",
- "gdi32.dll.SetROP2",
- "gdi32.dll.SetPixel",
- "gdi32.dll.SetEnhMetaFileBits",
- "gdi32.dll.SetDIBColorTable",
- "gdi32.dll.SetBrushOrgEx",
- "gdi32.dll.SetBkMode",
- "gdi32.dll.SetBkColor",
- "gdi32.dll.SelectPalette",
- "gdi32.dll.SelectObject",
- "gdi32.dll.SelectClipRgn",
- "gdi32.dll.ScaleWindowExtEx",
- "gdi32.dll.SaveDC",
- "gdi32.dll.RestoreDC",
- "gdi32.dll.Rectangle",
- "gdi32.dll.RectVisible",
- "gdi32.dll.RealizePalette",
- "gdi32.dll.Polyline",
- "gdi32.dll.PlayEnhMetaFile",
- "gdi32.dll.PathToRegion",
- "gdi32.dll.PatBlt",
- "gdi32.dll.MoveToEx",
- "gdi32.dll.MaskBlt",
- "gdi32.dll.LineTo",
- "gdi32.dll.IntersectClipRect",
- "gdi32.dll.GetWindowOrgEx",
- "gdi32.dll.GetWinMetaFileBits",
- "gdi32.dll.GetTextMetricsA",
- "gdi32.dll.GetTextExtentPoint32A",
- "gdi32.dll.GetSystemPaletteEntries",
- "gdi32.dll.GetStockObject",
- "gdi32.dll.GetPixel",
- "gdi32.dll.GetPaletteEntries",
- "gdi32.dll.GetObjectA",
- "gdi32.dll.GetEnhMetaFilePaletteEntries",
- "gdi32.dll.GetEnhMetaFileHeader",
- "gdi32.dll.GetEnhMetaFileBits",
- "gdi32.dll.GetDeviceCaps",
- "gdi32.dll.GetDIBits",
- "gdi32.dll.GetDIBColorTable",
- "gdi32.dll.GetDCOrgEx",
- "gdi32.dll.GetCurrentPositionEx",
- "gdi32.dll.GetClipRgn",
- "gdi32.dll.GetClipBox",
- "gdi32.dll.GetBrushOrgEx",
- "gdi32.dll.GetBitmapBits",
- "gdi32.dll.ExcludeClipRect",
- "gdi32.dll.DeleteObject",
- "gdi32.dll.DeleteEnhMetaFile",
- "gdi32.dll.DeleteDC",
- "gdi32.dll.CreateSolidBrush",
- "gdi32.dll.CreateRectRgn",
- "gdi32.dll.CreatePenIndirect",
- "gdi32.dll.CreatePalette",
- "gdi32.dll.CreateHalftonePalette",
- "gdi32.dll.CreateFontIndirectA",
- "gdi32.dll.CreateDIBitmap",
- "gdi32.dll.CreateDIBSection",
- "gdi32.dll.CreateCompatibleDC",
- "gdi32.dll.CreateCompatibleBitmap",
- "gdi32.dll.CreateBrushIndirect",
- "gdi32.dll.CreateBitmap",
- "gdi32.dll.CopyEnhMetaFileA",
- "gdi32.dll.BitBlt",
- "oleaut32.dll.SafeArrayPtrOfIndex",
- "oleaut32.dll.SafeArrayGetUBound",
- "oleaut32.dll.SafeArrayGetLBound",
- "oleaut32.dll.SafeArrayCreate",
- "oleaut32.dll.VariantChangeType",
- "oleaut32.dll.VariantCopy",
- "oleaut32.dll.VariantClear",
- "oleaut32.dll.VariantInit",
- "oleaut32.dll.SysFreeString",
- "oleaut32.dll.SysReAllocStringLen",
- "oleaut32.dll.SysAllocStringLen",
- "user32.dll.CreateWindowExA",
- "user32.dll.WindowFromPoint",
- "user32.dll.WinHelpA",
- "user32.dll.WaitMessage",
- "user32.dll.UpdateWindow",
- "user32.dll.UnregisterClassA",
- "user32.dll.UnhookWindowsHookEx",
- "user32.dll.TranslateMessage",
- "user32.dll.TranslateMDISysAccel",
- "user32.dll.TrackPopupMenu",
- "user32.dll.SystemParametersInfoA",
- "user32.dll.ShowWindow",
- "user32.dll.ShowScrollBar",
- "user32.dll.ShowOwnedPopups",
- "user32.dll.ShowCursor",
- "user32.dll.SetWindowsHookExA",
- "user32.dll.SetWindowPos",
- "user32.dll.SetWindowPlacement",
- "user32.dll.SetWindowLongA",
- "user32.dll.SetTimer",
- "user32.dll.SetScrollRange",
- "user32.dll.SetScrollPos",
- "user32.dll.SetScrollInfo",
- "user32.dll.SetRect",
- "user32.dll.SetPropA",
- "user32.dll.SetParent",
- "user32.dll.SetMenuItemInfoA",
- "user32.dll.SetMenu",
- "user32.dll.SetForegroundWindow",
- "user32.dll.SetFocus",
- "user32.dll.SetCursor",
- "user32.dll.SetClassLongA",
- "user32.dll.SetCapture",
- "user32.dll.SetActiveWindow",
- "user32.dll.SendMessageA",
- "user32.dll.ScrollWindow",
- "user32.dll.ScreenToClient",
- "user32.dll.RemovePropA",
- "user32.dll.RemoveMenu",
- "user32.dll.ReleaseDC",
- "user32.dll.ReleaseCapture",
- "user32.dll.RegisterWindowMessageA",
- "user32.dll.RegisterClipboardFormatA",
- "user32.dll.RegisterClassA",
- "user32.dll.RedrawWindow",
- "user32.dll.PtInRect",
- "user32.dll.PostQuitMessage",
- "user32.dll.PostMessageA",
- "user32.dll.PeekMessageA",
- "user32.dll.OffsetRect",
- "user32.dll.OemToCharA",
- "user32.dll.MessageBoxA",
- "user32.dll.MapWindowPoints",
- "user32.dll.MapVirtualKeyA",
- "user32.dll.LoadStringA",
- "user32.dll.LoadKeyboardLayoutA",
- "user32.dll.LoadIconA",
- "user32.dll.LoadCursorA",
- "user32.dll.LoadBitmapA",
- "user32.dll.KillTimer",
- "user32.dll.IsZoomed",
- "user32.dll.IsWindowVisible",
- "user32.dll.IsWindowEnabled",
- "user32.dll.IsWindow",
- "user32.dll.IsRectEmpty",
- "user32.dll.IsIconic",
- "user32.dll.IsDialogMessageA",
- "user32.dll.IsChild",
- "user32.dll.InvalidateRect",
- "user32.dll.IntersectRect",
- "user32.dll.InsertMenuItemA",
- "user32.dll.InsertMenuA",
- "user32.dll.InflateRect",
- "user32.dll.GetWindowThreadProcessId",
- "user32.dll.GetWindowTextA",
- "user32.dll.GetWindowRect",
- "user32.dll.GetWindowPlacement",
- "user32.dll.GetWindowLongA",
- "user32.dll.GetWindowDC",
- "user32.dll.GetTopWindow",
- "user32.dll.GetSystemMetrics",
- "user32.dll.GetSystemMenu",
- "user32.dll.GetSysColorBrush",
- "user32.dll.GetSysColor",
- "user32.dll.GetSubMenu",
- "user32.dll.GetScrollRange",
- "user32.dll.GetScrollPos",
- "user32.dll.GetScrollInfo",
- "user32.dll.GetPropA",
- "user32.dll.GetParent",
- "user32.dll.GetWindow",
- "user32.dll.GetMenuStringA",
- "user32.dll.GetMenuState",
- "user32.dll.GetMenuItemInfoA",
- "user32.dll.GetMenuItemID",
- "user32.dll.GetMenuItemCount",
- "user32.dll.GetMenu",
- "user32.dll.GetLastActivePopup",
- "user32.dll.GetKeyboardState",
- "user32.dll.GetKeyboardLayoutList",
- "user32.dll.GetKeyboardLayout",
- "user32.dll.GetKeyState",
- "user32.dll.GetKeyNameTextA",
- "user32.dll.GetIconInfo",
- "user32.dll.GetForegroundWindow",
- "user32.dll.GetFocus",
- "user32.dll.GetDlgItem",
- "user32.dll.GetDesktopWindow",
- "user32.dll.GetDCEx",
- "user32.dll.GetDC",
- "user32.dll.GetCursorPos",
- "user32.dll.GetCursor",
- "user32.dll.GetClipboardData",
- "user32.dll.GetClientRect",
- "user32.dll.GetClassNameA",
- "user32.dll.GetClassInfoA",
- "user32.dll.GetCapture",
- "user32.dll.GetActiveWindow",
- "user32.dll.FrameRect",
- "user32.dll.FindWindowA",
- "user32.dll.FillRect",
- "user32.dll.EqualRect",
- "user32.dll.EnumWindows",
- "user32.dll.EnumThreadWindows",
- "user32.dll.EndPaint",
- "user32.dll.EnableWindow",
- "user32.dll.EnableScrollBar",
- "user32.dll.EnableMenuItem",
- "user32.dll.DrawTextA",
- "user32.dll.DrawMenuBar",
- "user32.dll.DrawIconEx",
- "user32.dll.DrawIcon",
- "user32.dll.DrawFrameControl",
- "user32.dll.DrawFocusRect",
- "user32.dll.DrawEdge",
- "user32.dll.DispatchMessageA",
- "user32.dll.DestroyWindow",
- "user32.dll.DestroyMenu",
- "user32.dll.DestroyIcon",
- "user32.dll.DestroyCursor",
- "user32.dll.DeleteMenu",
- "user32.dll.DefWindowProcA",
- "user32.dll.DefMDIChildProcA",
- "user32.dll.DefFrameProcA",
- "user32.dll.CreatePopupMenu",
- "user32.dll.CreateMenu",
- "user32.dll.CreateIcon",
- "user32.dll.ClientToScreen",
- "user32.dll.CheckMenuItem",
- "user32.dll.CallWindowProcA",
- "user32.dll.CallNextHookEx",
- "user32.dll.BeginPaint",
- "user32.dll.CharNextA",
- "user32.dll.CharLowerBuffA",
- "user32.dll.CharLowerA",
- "user32.dll.CharToOemA",
- "user32.dll.AdjustWindowRectEx",
- "user32.dll.ActivateKeyboardLayout",
- "user32.dll.GetKeyboardType",
- "version.dll.VerQueryValueA",
- "version.dll.GetFileVersionInfoSizeA",
- "version.dll.GetFileVersionInfoA",
- "kernel32.dll.GetDiskFreeSpaceExA",
- "oleaut32.dll.VariantChangeTypeEx",
- "oleaut32.dll.VarNeg",
- "oleaut32.dll.VarNot",
- "oleaut32.dll.VarAdd",
- "oleaut32.dll.VarSub",
- "oleaut32.dll.VarMul",
- "oleaut32.dll.VarDiv",
- "oleaut32.dll.VarIdiv",
- "oleaut32.dll.VarMod",
- "oleaut32.dll.VarAnd",
- "oleaut32.dll.VarOr",
- "oleaut32.dll.VarXor",
- "oleaut32.dll.VarCmp",
- "oleaut32.dll.VarI4FromStr",
- "oleaut32.dll.VarR4FromStr",
- "oleaut32.dll.VarR8FromStr",
- "oleaut32.dll.VarDateFromStr",
- "oleaut32.dll.VarCyFromStr",
- "oleaut32.dll.VarBoolFromStr",
- "oleaut32.dll.VarBstrFromCy",
- "oleaut32.dll.VarBstrFromDate",
- "oleaut32.dll.VarBstrFromBool",
- "user32.dll.GetMonitorInfoA",
- "user32.dll.EnumDisplayMonitors",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "gdi32.dll.GetLayout",
- "gdi32.dll.GdiRealizationInfo",
- "gdi32.dll.FontIsLinked",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegQueryInfoKeyW",
- "gdi32.dll.GetTextFaceAliasW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegQueryValueExW",
- "gdi32.dll.GetFontAssocStatus",
- "advapi32.dll.RegEnumKeyExW",
- "gdi32.dll.GdiIsMetaPrintDC",
- "user32.dll.AnimateWindow",
- "comctl32.dll.InitializeFlatSB",
- "comctl32.dll.UninitializeFlatSB",
- "comctl32.dll.FlatSB_GetScrollProp",
- "comctl32.dll.FlatSB_SetScrollProp",
- "comctl32.dll.FlatSB_EnableScrollBar",
- "comctl32.dll.FlatSB_ShowScrollBar",
- "comctl32.dll.FlatSB_GetScrollRange",
- "comctl32.dll.FlatSB_GetScrollInfo",
- "comctl32.dll.FlatSB_GetScrollPos",
- "comctl32.dll.FlatSB_SetScrollPos",
- "comctl32.dll.FlatSB_SetScrollInfo",
- "comctl32.dll.FlatSB_SetScrollRange",
- "user32.dll.SetLayeredWindowAttributes",
- "cryptsp.dll.CryptAcquireContextW",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptGetHashParam",
- "cryptsp.dll.CryptDestroyHash",
- "cryptsp.dll.CryptReleaseContext",
- "vaultcli.dll.VaultEnumerateItems",
- "vaultcli.dll.VaultEnumerateVaults",
- "vaultcli.dll.VaultFree",
- "vaultcli.dll.VaultGetItem",
- "vaultcli.dll.VaultOpenVault",
- "vaultcli.dll.VaultCloseVault",
- "sechost.dll.LookupAccountSidLocalW",
- "netapi32.dll.NetUserGetInfo",
- "cryptsp.dll.CryptImportKey",
- "cryptsp.dll.CryptSetKeyParam",
- "cryptsp.dll.CryptDecrypt",
- "cryptsp.dll.CryptDestroyKey",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.FlsFree",
- "kernel32.dll.InitOnceExecuteOnce",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.GetFileInformationByHandleEx",
- "kernel32.dll.SetFileInformationByHandle",
- "kernel32.dll.InitializeConditionVariable",
- "kernel32.dll.WakeConditionVariable",
- "kernel32.dll.WakeAllConditionVariable",
- "kernel32.dll.SleepConditionVariableCS",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.TryAcquireSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.SleepConditionVariableSRW",
- "kernel32.dll.CreateThreadpoolWork",
- "kernel32.dll.SubmitThreadpoolWork",
- "kernel32.dll.CloseThreadpoolWork",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "goopdate.dll.DllEntry",
- "kernel32.dll.RtlCaptureStackBackTrace",
- "wkscli.dll.NetWkstaGetInfo",
- "cscapi.dll.CscNetApiGetInterface",
- "ntmarta.dll.GetMartaExtensionInterface",
- "kernel32.dll.CreateMutexExW",
- "dbghelp.dll.MiniDumpWriteDump",
- "rpcrt4.dll.UuidCreate",
- "cryptbase.dll.SystemFunction036",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LookupAccountSidW",
- "cryptsp.dll.CryptGenRandom",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoTaskMemAlloc",
- "ole32.dll.CoTaskMemFree",
- "ole32.dll.CoCreateInstance",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "psmachine.dll.DllGetClassObject",
- "psmachine.dll.DllCanUnloadNow",
- "advapi32.dll.RegOpenKeyW",
- "ntdll.dll.RtlGetVersion",
- "kernel32.dll.GetNativeSystemInfo",
- "winhttp.dll.WinHttpAddRequestHeaders",
- "winhttp.dll.WinHttpCheckPlatform",
- "winhttp.dll.WinHttpCloseHandle",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpCrackUrl",
- "winhttp.dll.WinHttpCreateUrl",
- "winhttp.dll.WinHttpDetectAutoProxyConfigUrl",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpGetProxyForUrl",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpQueryAuthSchemes",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpQueryHeaders",
- "winhttp.dll.WinHttpQueryOption",
- "winhttp.dll.WinHttpReadData",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpSendRequest",
- "winhttp.dll.WinHttpSetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpSetCredentials",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpSetStatusCallback",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpWriteData",
- "shlwapi.dll.StrCmpNW",
- "shlwapi.dll.#153",
- "ws2_32.dll.GetAddrInfoW",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#2",
- "ws2_32.dll.#21",
- "ws2_32.dll.#9",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.#6",
- "ws2_32.dll.#5",
- "schannel.dll.SpUserModeInitialize",
- "advapi32.dll.RegCreateKeyExW",
- "ws2_32.dll.WSASend",
- "ws2_32.dll.WSARecv",
- "advapi32.dll.RevertToSelf",
- "secur32.dll.FreeContextBuffer",
- "ncrypt.dll.SslOpenProvider",
- "ncrypt.dll.GetSChannelInterface",
- "bcryptprimitives.dll.GetHashInterface",
- "ncrypt.dll.SslIncrementProviderReferenceCount",
- "ncrypt.dll.SslImportKey",
- "bcryptprimitives.dll.GetCipherInterface",
- "ncrypt.dll.SslLookupCipherSuiteInfo",
- "user32.dll.LoadStringW",
- "ncrypt.dll.BCryptOpenAlgorithmProvider",
- "ncrypt.dll.BCryptGetProperty",
- "ncrypt.dll.BCryptCreateHash",
- "ncrypt.dll.BCryptHashData",
- "ncrypt.dll.BCryptFinishHash",
- "ncrypt.dll.BCryptDestroyHash",
- "crypt32.dll.CertGetCertificateChain",
- "userenv.dll.GetUserProfileDirectoryW",
- "sechost.dll.ConvertSidToStringSidW",
- "sechost.dll.ConvertStringSidToSidW",
- "userenv.dll.RegisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.CloseServiceHandle",
- "sechost.dll.QueryServiceConfigW",
- "winsta.dll.WinStationRegisterNotificationEvent",
- "advapi32.dll.CreateWellKnownSid",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.RpcAsyncInitializeHandle",
- "rpcrt4.dll.NdrClientCall2",
- "rpcrt4.dll.NdrAsyncClientCall",
- "cryptsp.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptVerifySignatureA",
- "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
- "ncrypt.dll.BCryptImportKeyPair",
- "ncrypt.dll.BCryptVerifySignature",
- "ncrypt.dll.BCryptDestroyKey",
- "crypt32.dll.CertVerifyCertificateChainPolicy",
- "crypt32.dll.CertFreeCertificateChain",
- "crypt32.dll.CertDuplicateCertificateContext",
- "ncrypt.dll.SslEncryptPacket",
- "ncrypt.dll.SslDecryptPacket",
- "kernel32.dll.WTSGetActiveConsoleSessionId",
- "winsta.dll.WinStationQueryInformationW",
- "rpcrt4.dll.I_RpcExceptionFilter",
- "rpcrt4.dll.RpcBindingFree",
- "kernel32.dll.IsWow64Process",
- "psapi.dll.GetProcessImageFileNameW",
- "oleaut32.dll.#500",
- "crypt32.dll.CertFreeCertificateContext",
- "ncrypt.dll.SslFreeObject"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "LoadLibraryA",
- "address": "0x49b050"
- },
- {
- "name": "GetProcAddress",
- "address": "0x49b054"
- },
- {
- "name": "VirtualProtect",
- "address": "0x49b058"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x49b05c"
- },
- {
- "name": "VirtualFree",
- "address": "0x49b060"
- },
- {
- "name": "ExitProcess",
- "address": "0x49b064"
- }
- ],
- "dll": "KERNEL32.DLL"
- },
- {
- "imports": [
- {
- "name": "RegCloseKey",
- "address": "0x49b06c"
- }
- ],
- "dll": "advapi32.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_Add",
- "address": "0x49b074"
- }
- ],
- "dll": "comctl32.dll"
- },
- {
- "imports": [
- {
- "name": "GetOpenFileNameA",
- "address": "0x49b07c"
- }
- ],
- "dll": "comdlg32.dll"
- },
- {
- "imports": [
- {
- "name": "SaveDC",
- "address": "0x49b084"
- }
- ],
- "dll": "gdi32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantCopy",
- "address": "0x49b08c"
- }
- ],
- "dll": "oleaut32.dll"
- },
- {
- "imports": [
- {
- "name": "GetDC",
- "address": "0x49b094"
- }
- ],
- "dll": "user32.dll"
- },
- {
- "imports": [
- {
- "name": "VerQueryValueA",
- "address": "0x49b09c"
- }
- ],
- "dll": "version.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00050625",
- "overlay": null,
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x00499640",
- "timestamp": "1992-06-17 20:49:04",
- "osversion": "4.0",
- "sections": [
- {
- "name": "UPX0",
- "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00000000",
- "entropy": "0.00",
- "raw_address": "0x00000400",
- "virtual_size": "0x00059000",
- "characteristics_raw": "0xe0000080"
- },
- {
- "name": "UPX1",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0005a000",
- "size_of_data": "0x0003fa00",
- "entropy": "7.95",
- "raw_address": "0x00000400",
- "virtual_size": "0x00040000",
- "characteristics_raw": "0xe0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0009a000",
- "size_of_data": "0x00001200",
- "entropy": "3.33",
- "raw_address": "0x0003fe00",
- "virtual_size": "0x00002000",
- "characteristics_raw": "0xc0000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0009af9c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000224"
- },
- {
- "virtual_address": "0x0009a000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x00000f9c"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000997f8",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000018"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "c458ff2d515beb8f44158cd3636a7400",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 8,
- "versioninfo": []
- }
- }