paladin316

Exes_6b191ac6e5b5a9c3982cbb7855355523_jpg_json.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg"
  7. [*] File Size: 266240
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  9. [*] SHA256: "e61baf5aaf6a75cfa8da252e8790e3a66b12a97885cbd455a0f1b7bd2b8f1e6a"
  10. [*] MD5: "6b191ac6e5b5a9c3982cbb7855355523"
  11. [*] SHA1: "3bfa45fbd03c1fb9339ed6c2b011f84d5a152573"
  12. [*] SHA512: "08858381e5c9db085fc8b1660291205d157b8e3499fed55d90a665a79f1f322e88d12c955c46fa5a36ddd138052d44e5661181ed4804876d32457d1ffd90ae1b"
  13. [*] CRC32: "522E8E8C"
  14. [*] SSDEEP: "6144:mCSBNNhsOBN7HvBTWkQufYAP0RqJaQ2lHjBSsIbYWl7bBPNTpy8W41rSIesqAkeK:5ONhsOBNrvApcaQik9J"
  15.  
  16. [*] Process Execution: [
  17. "Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg",
  18. "akbkdabad.exe",
  19. "akbkdabad.exe",
  20. "akbkdabad.exe",
  21. "services.exe",
  22. "lsass.exe",
  23. "GoogleUpdate.exe"
  24. ]
  25.  
  26. [*] Signatures Detected: [
  27. {
"Description": "Attempts to connect to a dead IP:Port (1 unique time)",
  29. "Details": [
  30. {
  31. "IP": "172.217.0.35:443"
  32. }
  33. ]
  34. },
  35. {
  36. "Description": "Creates RWX memory",
  37. "Details": []
  38. },
  39. {
  40. "Description": "A process attempted to delay the analysis task.",
  41. "Details": [
  42. {
  43. "Process": "akbkdabad.exe tried to sleep 1414 seconds, actually delayed analysis time by 0 seconds"
  44. }
  45. ]
  46. },
  47. {
  48. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  49. "Details": [
  50. {
  51. "ioc": "http://crl.globalsign.net/root-r2.crl0"
  52. }
  53. ]
  54. },
  55. {
  56. "Description": "Performs some HTTP requests",
  57. "Details": [
  58. {
  59. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  60. },
  61. {
  62. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  63. },
  64. {
  65. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  66. }
  67. ]
  68. },
  69. {
  70. "Description": "The binary likely contains encrypted or compressed data.",
  71. "Details": [
  72. {
  73. "section": "name: UPX1, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0003fa00, virtual_size: 0x00040000"
  74. }
  75. ]
  76. },
  77. {
  78. "Description": "The executable is compressed using UPX",
  79. "Details": [
  80. {
  81. "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00059000"
  82. }
  83. ]
  84. },
  85. {
  86. "Description": "Deletes its original binary from disk",
  87. "Details": []
  88. },
  89. {
  90. "Description": "Executed a process and injected code into it, probably while unpacking",
  91. "Details": [
  92. {
  93. "Injection": "akbkdabad.exe(312) -> akbkdabad.exe(2224)"
  94. }
  95. ]
  96. },
  97. {
  98. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  99. "Details": [
  100. {
  101. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11962623 times"
  102. }
  103. ]
  104. },
  105. {
  106. "Description": "Steals private information from local Internet browsers",
  107. "Details": [
  108. {
  109. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  110. }
  111. ]
  112. },
  113. {
  114. "Description": "Installs itself for autorun at Windows startup",
  115. "Details": [
  116. {
  117. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs"
  118. },
  119. {
  120. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs"
  121. }
  122. ]
  123. },
  124. {
  125. "Description": "Creates a hidden or system file",
  126. "Details": [
  127. {
  128. "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
  129. },
  130. {
  131. "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
  132. }
  133. ]
  134. },
  135. {
  136. "Description": "Creates a copy of itself",
  137. "Details": [
  138. {
  139. "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
  140. }
  141. ]
  142. },
  143. {
"Description": "Harvests credentials from local FTP client software",
  145. "Details": [
  146. {
  147. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
  148. },
  149. {
  150. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  151. },
  152. {
  153. "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
  154. },
  155. {
  156. "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
  157. },
  158. {
  159. "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
  160. },
  161. {
  162. "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
  163. },
  164. {
  165. "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
  166. },
  167. {
  168. "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
  169. },
  170. {
  171. "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
  172. },
  173. {
  174. "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
  175. }
  176. ]
  177. },
  178. {
  179. "Description": "Harvests information related to installed instant messenger clients",
  180. "Details": [
  181. {
  182. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  183. }
  184. ]
  185. },
  186. {
  187. "Description": "Harvests information related to installed mail clients",
  188. "Details": [
  189. {
  190. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  191. },
  192. {
  193. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
  194. },
  195. {
  196. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  197. },
  198. {
  199. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  200. },
  201. {
  202. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
  203. },
  204. {
  205. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
  206. },
  207. {
  208. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  209. },
  210. {
  211. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  212. },
  213. {
  214. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  215. },
  216. {
  217. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
  218. },
  219. {
  220. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
  221. },
  222. {
  223. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  224. },
  225. {
  226. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  227. },
  228. {
  229. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  230. },
  231. {
  232. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
  233. },
  234. {
  235. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  236. },
  237. {
  238. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
  239. },
  240. {
  241. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
  242. },
  243. {
  244. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
  245. },
  246. {
  247. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
  248. },
  249. {
  250. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  251. },
  252. {
  253. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  254. },
  255. {
  256. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  257. },
  258. {
  259. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  260. },
  261. {
  262. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
  263. },
  264. {
  265. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  266. },
  267. {
  268. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  269. },
  270. {
  271. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
  272. },
  273. {
  274. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
  275. },
  276. {
  277. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  278. },
  279. {
  280. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  281. },
  282. {
  283. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  284. },
  285. {
  286. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  287. },
  288. {
  289. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  290. },
  291. {
  292. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
  293. }
  294. ]
  295. },
  296. {
  297. "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
  298. "Details": [
  299. {
  300. "file": "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe:ZoneIdentifier"
  301. }
  302. ]
  303. },
  304. {
  305. "Description": "Collects information to fingerprint the system",
  306. "Details": []
  307. },
  308. {
  309. "Description": "Anomalous binary characteristics",
  310. "Details": [
  311. {
  312. "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
  313. }
  314. ]
  315. }
  316. ]
  317.  
  318. [*] Started Service: [
  319. "VaultSvc"
  320. ]
  321.  
  322. [*] Executed Commands: [
  323. "\"C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe\" 1 \"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg\" 1F59C1C",
  324. "\"C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe\"",
  325. "C:\\Windows\\system32\\lsass.exe",
  326. "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc"
  327. ]
  328.  
  329. [*] Mutexes: [
  330. "1F59C1C",
  331. "6EFA73A4746045B65DEE781E",
  332. "Global\\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
  333. "Global\\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
  334. "Global\\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
  335. "Global\\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
  336. ]
  337.  
  338. [*] Modified Files: [
  339. "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe",
  340. "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe:ZoneIdentifier",
  341. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs",
  342. "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
  343. "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
  344. "\\??\\PIPE\\wkssvc",
  345. "\\??\\pipe\\GoogleCrashServices\\S-1-5-18"
  346. ]
  347.  
  348. [*] Deleted Files: [
  349. "C:\\Users\\user\\AppData\\Roaming\\dnlsknlsiii\\akbkdabad.exe",
  350. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_6b191ac6e5b5a9c3982cbb7855355523.jpg",
  351. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dnlsknlsiii.vbs",
  352. "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
  353. "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}\\74.0.3729.169_73.0.3683.86_chrome_updater.exe",
  354. "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}"
  355. ]
  356.  
  357. [*] Modified Registry Keys: [
  358. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
  359. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}",
  360. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}\\PersistedPingString",
  361. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{EDC4B9FC-9CBF-4757-A75A-7160D2D83929}\\PersistedPingTime",
  362. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
  363. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\pv",
  364. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState",
  365. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue",
  366. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000_CLASSES\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  367. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\proxy\\source",
  368. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\RollCallDayStartSec",
  369. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
  370. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\ping_freshness",
  371. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\(Default)",
  372. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\hint",
  373. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\name",
  374. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\LastCheckSuccess",
  375. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  376. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ActivePingDayStartSec",
  377. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\RollCallDayStartSec",
  378. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastActivity",
  379. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastRollCall",
  380. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ping_freshness",
  381. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\(Default)",
  382. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\hint",
  383. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\name",
  384. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\LastCheckSuccess",
  385. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\LastChecked",
  386. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState",
  387. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\StateValue"
  388. ]
  389.  
  390. [*] Deleted Registry Keys: [
  391. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\uid",
  392. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\old-uid",
  393. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\tttoken",
  394. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
  395. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
  396. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  397. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\tttoken",
  398. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableCount",
  399. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableSince"
  400. ]
  401.  
  402. [*] DNS Communications: [
  403. {
  404. "type": "A",
  405. "request": "www.effyqroup.com",
  406. "answers": [
  407. {
  408. "data": "",
  409. "type": "NXDOMAIN"
  410. }
  411. ]
  412. }
  413. ]
  414.  
  415. [*] Domains: [
  416. {
  417. "ip": "",
  418. "domain": "www.effyqroup.com"
  419. }
  420. ]
  421.  
  422. [*] Network Communication - ICMP: []
  423.  
  424. [*] Network Communication - HTTP: [
  425. {
  426. "count": 1,
  427. "body": "",
  428. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  429. "user-agent": "Microsoft-CryptoAPI/6.1",
  430. "method": "GET",
  431. "host": "ocsp.digicert.com",
  432. "version": "1.1",
  433. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  434. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  435. "port": 80
  436. },
  437. {
  438. "count": 1,
  439. "body": "",
  440. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  441. "user-agent": "Microsoft-CryptoAPI/6.1",
  442. "method": "GET",
  443. "host": "ocsp.digicert.com",
  444. "version": "1.1",
  445. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  446. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  447. "port": 80
  448. },
  449. {
  450. "count": 1,
  451. "body": "",
  452. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  453. "user-agent": "Microsoft-CryptoAPI/6.1",
  454. "method": "GET",
  455. "host": "ocsp.digicert.com",
  456. "version": "1.1",
  457. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  458. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  459. "port": 80
  460. }
  461. ]
  462.  
  463. [*] Network Communication - SMTP: []
  464.  
  465. [*] Network Communication - Hosts: []
  466.  
  467. [*] Network Communication - IRC: []
  468.  
  469. [*] Static Analysis: {
  470. "pe": {
  471. "peid_signatures": null,
  472. "imports": [
  473. {
  474. "imports": [
  475. {
  476. "name": "LoadLibraryA",
  477. "address": "0x49b050"
  478. },
  479. {
  480. "name": "GetProcAddress",
  481. "address": "0x49b054"
  482. },
  483. {
  484. "name": "VirtualProtect",
  485. "address": "0x49b058"
  486. },
  487. {
  488. "name": "VirtualAlloc",
  489. "address": "0x49b05c"
  490. },
  491. {
  492. "name": "VirtualFree",
  493. "address": "0x49b060"
  494. },
  495. {
  496. "name": "ExitProcess",
  497. "address": "0x49b064"
  498. }
  499. ],
  500. "dll": "KERNEL32.DLL"
  501. },
  502. {
  503. "imports": [
  504. {
  505. "name": "RegCloseKey",
  506. "address": "0x49b06c"
  507. }
  508. ],
  509. "dll": "advapi32.dll"
  510. },
  511. {
  512. "imports": [
  513. {
  514. "name": "ImageList_Add",
  515. "address": "0x49b074"
  516. }
  517. ],
  518. "dll": "comctl32.dll"
  519. },
  520. {
  521. "imports": [
  522. {
  523. "name": "GetOpenFileNameA",
  524. "address": "0x49b07c"
  525. }
  526. ],
  527. "dll": "comdlg32.dll"
  528. },
  529. {
  530. "imports": [
  531. {
  532. "name": "SaveDC",
  533. "address": "0x49b084"
  534. }
  535. ],
  536. "dll": "gdi32.dll"
  537. },
  538. {
  539. "imports": [
  540. {
  541. "name": "VariantCopy",
  542. "address": "0x49b08c"
  543. }
  544. ],
  545. "dll": "oleaut32.dll"
  546. },
  547. {
  548. "imports": [
  549. {
  550. "name": "GetDC",
  551. "address": "0x49b094"
  552. }
  553. ],
  554. "dll": "user32.dll"
  555. },
  556. {
  557. "imports": [
  558. {
  559. "name": "VerQueryValueA",
  560. "address": "0x49b09c"
  561. }
  562. ],
  563. "dll": "version.dll"
  564. }
  565. ],
  566. "digital_signers": null,
  567. "exported_dll_name": null,
  568. "actual_checksum": "0x00050625",
  569. "overlay": null,
  570. "imagebase": "0x00400000",
  571. "reported_checksum": "0x00000000",
  572. "icon_hash": null,
  573. "entrypoint": "0x00499640",
  574. "timestamp": "1992-06-17 20:49:04",
  575. "osversion": "4.0",
  576. "sections": [
  577. {
  578. "name": "UPX0",
  579. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  580. "virtual_address": "0x00001000",
  581. "size_of_data": "0x00000000",
  582. "entropy": "0.00",
  583. "raw_address": "0x00000400",
  584. "virtual_size": "0x00059000",
  585. "characteristics_raw": "0xe0000080"
  586. },
  587. {
  588. "name": "UPX1",
  589. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  590. "virtual_address": "0x0005a000",
  591. "size_of_data": "0x0003fa00",
  592. "entropy": "7.95",
  593. "raw_address": "0x00000400",
  594. "virtual_size": "0x00040000",
  595. "characteristics_raw": "0xe0000040"
  596. },
  597. {
  598. "name": ".rsrc",
  599. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  600. "virtual_address": "0x0009a000",
  601. "size_of_data": "0x00001200",
  602. "entropy": "3.33",
  603. "raw_address": "0x0003fe00",
  604. "virtual_size": "0x00002000",
  605. "characteristics_raw": "0xc0000040"
  606. }
  607. ],
  608. "resources": [],
  609. "dirents": [
  610. {
  611. "virtual_address": "0x00000000",
  612. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  613. "size": "0x00000000"
  614. },
  615. {
  616. "virtual_address": "0x0009af9c",
  617. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  618. "size": "0x00000224"
  619. },
  620. {
  621. "virtual_address": "0x0009a000",
  622. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  623. "size": "0x00000f9c"
  624. },
  625. {
  626. "virtual_address": "0x00000000",
  627. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  628. "size": "0x00000000"
  629. },
  630. {
  631. "virtual_address": "0x00000000",
  632. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  633. "size": "0x00000000"
  634. },
  635. {
  636. "virtual_address": "0x00000000",
  637. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  638. "size": "0x00000000"
  639. },
  640. {
  641. "virtual_address": "0x00000000",
  642. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  643. "size": "0x00000000"
  644. },
  645. {
  646. "virtual_address": "0x00000000",
  647. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  648. "size": "0x00000000"
  649. },
  650. {
  651. "virtual_address": "0x00000000",
  652. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  653. "size": "0x00000000"
  654. },
  655. {
  656. "virtual_address": "0x000997f8",
  657. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  658. "size": "0x00000018"
  659. },
  660. {
  661. "virtual_address": "0x00000000",
  662. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  663. "size": "0x00000000"
  664. },
  665. {
  666. "virtual_address": "0x00000000",
  667. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  668. "size": "0x00000000"
  669. },
  670. {
  671. "virtual_address": "0x00000000",
  672. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  673. "size": "0x00000000"
  674. },
  675. {
  676. "virtual_address": "0x00000000",
  677. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  678. "size": "0x00000000"
  679. },
  680. {
  681. "virtual_address": "0x00000000",
  682. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  683. "size": "0x00000000"
  684. },
  685. {
  686. "virtual_address": "0x00000000",
  687. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  688. "size": "0x00000000"
  689. }
  690. ],
  691. "exports": [],
  692. "guest_signers": {},
  693. "imphash": "c458ff2d515beb8f44158cd3636a7400",
  694. "icon_fuzzy": null,
  695. "icon": null,
  696. "pdbpath": null,
  697. "imported_dll_count": 8,
  698. "versioninfo": []
  699. }
  700. }
  701.  
  702. [*] Resolved APIs: [
  703. "kernel32.dll.lstrcpyA",
  704. "kernel32.dll.WriteFile",
  705. "kernel32.dll.WaitForSingleObject",
  706. "kernel32.dll.VirtualQuery",
  707. "kernel32.dll.VirtualAlloc",
  708. "kernel32.dll.Sleep",
  709. "kernel32.dll.SizeofResource",
  710. "kernel32.dll.SetThreadLocale",
  711. "kernel32.dll.SetFilePointer",
  712. "kernel32.dll.SetEvent",
  713. "kernel32.dll.SetErrorMode",
  714. "kernel32.dll.SetEndOfFile",
  715. "kernel32.dll.ResetEvent",
  716. "kernel32.dll.ReadFile",
  717. "kernel32.dll.MulDiv",
  718. "kernel32.dll.LockResource",
  719. "kernel32.dll.LoadResource",
  720. "kernel32.dll.LoadLibraryA",
  721. "kernel32.dll.LeaveCriticalSection",
  722. "kernel32.dll.InitializeCriticalSection",
  723. "kernel32.dll.GlobalUnlock",
  724. "kernel32.dll.GlobalReAlloc",
  725. "kernel32.dll.GlobalHandle",
  726. "kernel32.dll.GlobalLock",
  727. "kernel32.dll.GlobalFree",
  728. "kernel32.dll.GlobalFindAtomA",
  729. "kernel32.dll.GlobalDeleteAtom",
  730. "kernel32.dll.GlobalAlloc",
  731. "kernel32.dll.GlobalAddAtomA",
  732. "kernel32.dll.GetVersionExA",
  733. "kernel32.dll.GetVersion",
  734. "kernel32.dll.GetTickCount",
  735. "kernel32.dll.GetThreadLocale",
  736. "kernel32.dll.GetSystemInfo",
  737. "kernel32.dll.GetStringTypeExA",
  738. "kernel32.dll.GetStdHandle",
  739. "kernel32.dll.GetProcAddress",
  740. "kernel32.dll.GetModuleHandleA",
  741. "kernel32.dll.GetModuleFileNameA",
  742. "kernel32.dll.GetLocaleInfoA",
  743. "kernel32.dll.GetLocalTime",
  744. "kernel32.dll.GetLastError",
  745. "kernel32.dll.GetFullPathNameA",
  746. "kernel32.dll.GetFileAttributesA",
  747. "kernel32.dll.GetDiskFreeSpaceA",
  748. "kernel32.dll.GetDateFormatA",
  749. "kernel32.dll.GetCurrentThreadId",
  750. "kernel32.dll.GetCurrentProcessId",
  751. "kernel32.dll.GetCPInfo",
  752. "kernel32.dll.GetACP",
  753. "kernel32.dll.FreeResource",
  754. "kernel32.dll.InterlockedExchange",
  755. "kernel32.dll.FreeLibrary",
  756. "kernel32.dll.FormatMessageA",
  757. "kernel32.dll.FindResourceA",
  758. "kernel32.dll.FindFirstFileA",
  759. "kernel32.dll.FindClose",
  760. "kernel32.dll.FileTimeToLocalFileTime",
  761. "kernel32.dll.FileTimeToDosDateTime",
  762. "kernel32.dll.EnumCalendarInfoA",
  763. "kernel32.dll.EnterCriticalSection",
  764. "kernel32.dll.DeleteCriticalSection",
  765. "kernel32.dll.CreateThread",
  766. "kernel32.dll.CreateFileA",
  767. "kernel32.dll.CreateEventA",
  768. "kernel32.dll.CompareStringA",
  769. "kernel32.dll.CloseHandle",
  770. "kernel32.dll.TlsSetValue",
  771. "kernel32.dll.TlsGetValue",
  772. "kernel32.dll.LocalAlloc",
  773. "kernel32.dll.VirtualFree",
  774. "kernel32.dll.LocalFree",
  775. "kernel32.dll.InterlockedDecrement",
  776. "kernel32.dll.InterlockedIncrement",
  777. "kernel32.dll.WideCharToMultiByte",
  778. "kernel32.dll.MultiByteToWideChar",
  779. "kernel32.dll.lstrlenA",
  780. "kernel32.dll.lstrcpynA",
  781. "kernel32.dll.LoadLibraryExA",
  782. "kernel32.dll.GetStartupInfoA",
  783. "kernel32.dll.GetCommandLineA",
  784. "kernel32.dll.ExitProcess",
  785. "kernel32.dll.UnhandledExceptionFilter",
  786. "kernel32.dll.RtlUnwind",
  787. "kernel32.dll.RaiseException",
  788. "advapi32.dll.RegQueryValueExA",
  789. "advapi32.dll.RegOpenKeyExA",
  790. "advapi32.dll.RegCloseKey",
  791. "comctl32.dll.ImageList_SetIconSize",
  792. "comctl32.dll.ImageList_GetIconSize",
  793. "comctl32.dll.ImageList_Write",
  794. "comctl32.dll.ImageList_Read",
  795. "comctl32.dll.ImageList_GetDragImage",
  796. "comctl32.dll.ImageList_DragShowNolock",
  797. "comctl32.dll.ImageList_SetDragCursorImage",
  798. "comctl32.dll.ImageList_DragMove",
  799. "comctl32.dll.ImageList_DragLeave",
  800. "comctl32.dll.ImageList_DragEnter",
  801. "comctl32.dll.ImageList_EndDrag",
  802. "comctl32.dll.ImageList_BeginDrag",
  803. "comctl32.dll.ImageList_Remove",
  804. "comctl32.dll.ImageList_DrawEx",
  805. "comctl32.dll.ImageList_Replace",
  806. "comctl32.dll.ImageList_Draw",
  807. "comctl32.dll.ImageList_GetBkColor",
  808. "comctl32.dll.ImageList_SetBkColor",
  809. "comctl32.dll.ImageList_ReplaceIcon",
  810. "comctl32.dll.ImageList_Add",
  811. "comctl32.dll.ImageList_GetImageCount",
  812. "comctl32.dll.ImageList_Destroy",
  813. "comctl32.dll.ImageList_Create",
  814. "comdlg32.dll.GetOpenFileNameA",
  815. "gdi32.dll.UnrealizeObject",
  816. "gdi32.dll.StretchBlt",
  817. "gdi32.dll.SetWindowOrgEx",
  818. "gdi32.dll.SetWinMetaFileBits",
  819. "gdi32.dll.SetViewportOrgEx",
  820. "gdi32.dll.SetTextColor",
  821. "gdi32.dll.SetStretchBltMode",
  822. "gdi32.dll.SetROP2",
  823. "gdi32.dll.SetPixel",
  824. "gdi32.dll.SetEnhMetaFileBits",
  825. "gdi32.dll.SetDIBColorTable",
  826. "gdi32.dll.SetBrushOrgEx",
  827. "gdi32.dll.SetBkMode",
  828. "gdi32.dll.SetBkColor",
  829. "gdi32.dll.SelectPalette",
  830. "gdi32.dll.SelectObject",
  831. "gdi32.dll.SelectClipRgn",
  832. "gdi32.dll.ScaleWindowExtEx",
  833. "gdi32.dll.SaveDC",
  834. "gdi32.dll.RestoreDC",
  835. "gdi32.dll.Rectangle",
  836. "gdi32.dll.RectVisible",
  837. "gdi32.dll.RealizePalette",
  838. "gdi32.dll.Polyline",
  839. "gdi32.dll.PlayEnhMetaFile",
  840. "gdi32.dll.PathToRegion",
  841. "gdi32.dll.PatBlt",
  842. "gdi32.dll.MoveToEx",
  843. "gdi32.dll.MaskBlt",
  844. "gdi32.dll.LineTo",
  845. "gdi32.dll.IntersectClipRect",
  846. "gdi32.dll.GetWindowOrgEx",
  847. "gdi32.dll.GetWinMetaFileBits",
  848. "gdi32.dll.GetTextMetricsA",
  849. "gdi32.dll.GetTextExtentPoint32A",
  850. "gdi32.dll.GetSystemPaletteEntries",
  851. "gdi32.dll.GetStockObject",
  852. "gdi32.dll.GetPixel",
  853. "gdi32.dll.GetPaletteEntries",
  854. "gdi32.dll.GetObjectA",
  855. "gdi32.dll.GetEnhMetaFilePaletteEntries",
  856. "gdi32.dll.GetEnhMetaFileHeader",
  857. "gdi32.dll.GetEnhMetaFileBits",
  858. "gdi32.dll.GetDeviceCaps",
  859. "gdi32.dll.GetDIBits",
  860. "gdi32.dll.GetDIBColorTable",
  861. "gdi32.dll.GetDCOrgEx",
  862. "gdi32.dll.GetCurrentPositionEx",
  863. "gdi32.dll.GetClipRgn",
  864. "gdi32.dll.GetClipBox",
  865. "gdi32.dll.GetBrushOrgEx",
  866. "gdi32.dll.GetBitmapBits",
  867. "gdi32.dll.ExcludeClipRect",
  868. "gdi32.dll.DeleteObject",
  869. "gdi32.dll.DeleteEnhMetaFile",
  870. "gdi32.dll.DeleteDC",
  871. "gdi32.dll.CreateSolidBrush",
  872. "gdi32.dll.CreateRectRgn",
  873. "gdi32.dll.CreatePenIndirect",
  874. "gdi32.dll.CreatePalette",
  875. "gdi32.dll.CreateHalftonePalette",
  876. "gdi32.dll.CreateFontIndirectA",
  877. "gdi32.dll.CreateDIBitmap",
  878. "gdi32.dll.CreateDIBSection",
  879. "gdi32.dll.CreateCompatibleDC",
  880. "gdi32.dll.CreateCompatibleBitmap",
  881. "gdi32.dll.CreateBrushIndirect",
  882. "gdi32.dll.CreateBitmap",
  883. "gdi32.dll.CopyEnhMetaFileA",
  884. "gdi32.dll.BitBlt",
  885. "oleaut32.dll.SafeArrayPtrOfIndex",
  886. "oleaut32.dll.SafeArrayGetUBound",
  887. "oleaut32.dll.SafeArrayGetLBound",
  888. "oleaut32.dll.SafeArrayCreate",
  889. "oleaut32.dll.VariantChangeType",
  890. "oleaut32.dll.VariantCopy",
  891. "oleaut32.dll.VariantClear",
  892. "oleaut32.dll.VariantInit",
  893. "oleaut32.dll.SysFreeString",
  894. "oleaut32.dll.SysReAllocStringLen",
  895. "oleaut32.dll.SysAllocStringLen",
  896. "user32.dll.CreateWindowExA",
  897. "user32.dll.WindowFromPoint",
  898. "user32.dll.WinHelpA",
  899. "user32.dll.WaitMessage",
  900. "user32.dll.UpdateWindow",
  901. "user32.dll.UnregisterClassA",
  902. "user32.dll.UnhookWindowsHookEx",
  903. "user32.dll.TranslateMessage",
  904. "user32.dll.TranslateMDISysAccel",
  905. "user32.dll.TrackPopupMenu",
  906. "user32.dll.SystemParametersInfoA",
  907. "user32.dll.ShowWindow",
  908. "user32.dll.ShowScrollBar",
  909. "user32.dll.ShowOwnedPopups",
  910. "user32.dll.ShowCursor",
  911. "user32.dll.SetWindowsHookExA",
  912. "user32.dll.SetWindowPos",
  913. "user32.dll.SetWindowPlacement",
  914. "user32.dll.SetWindowLongA",
  915. "user32.dll.SetTimer",
  916. "user32.dll.SetScrollRange",
  917. "user32.dll.SetScrollPos",
  918. "user32.dll.SetScrollInfo",
  919. "user32.dll.SetRect",
  920. "user32.dll.SetPropA",
  921. "user32.dll.SetParent",
  922. "user32.dll.SetMenuItemInfoA",
  923. "user32.dll.SetMenu",
  924. "user32.dll.SetForegroundWindow",
  925. "user32.dll.SetFocus",
  926. "user32.dll.SetCursor",
  927. "user32.dll.SetClassLongA",
  928. "user32.dll.SetCapture",
  929. "user32.dll.SetActiveWindow",
  930. "user32.dll.SendMessageA",
  931. "user32.dll.ScrollWindow",
  932. "user32.dll.ScreenToClient",
  933. "user32.dll.RemovePropA",
  934. "user32.dll.RemoveMenu",
  935. "user32.dll.ReleaseDC",
  936. "user32.dll.ReleaseCapture",
  937. "user32.dll.RegisterWindowMessageA",
  938. "user32.dll.RegisterClipboardFormatA",
  939. "user32.dll.RegisterClassA",
  940. "user32.dll.RedrawWindow",
  941. "user32.dll.PtInRect",
  942. "user32.dll.PostQuitMessage",
  943. "user32.dll.PostMessageA",
  944. "user32.dll.PeekMessageA",
  945. "user32.dll.OffsetRect",
  946. "user32.dll.OemToCharA",
  947. "user32.dll.MessageBoxA",
  948. "user32.dll.MapWindowPoints",
  949. "user32.dll.MapVirtualKeyA",
  950. "user32.dll.LoadStringA",
  951. "user32.dll.LoadKeyboardLayoutA",
  952. "user32.dll.LoadIconA",
  953. "user32.dll.LoadCursorA",
  954. "user32.dll.LoadBitmapA",
  955. "user32.dll.KillTimer",
  956. "user32.dll.IsZoomed",
  957. "user32.dll.IsWindowVisible",
  958. "user32.dll.IsWindowEnabled",
  959. "user32.dll.IsWindow",
  960. "user32.dll.IsRectEmpty",
  961. "user32.dll.IsIconic",
  962. "user32.dll.IsDialogMessageA",
  963. "user32.dll.IsChild",
  964. "user32.dll.InvalidateRect",
  965. "user32.dll.IntersectRect",
  966. "user32.dll.InsertMenuItemA",
  967. "user32.dll.InsertMenuA",
  968. "user32.dll.InflateRect",
  969. "user32.dll.GetWindowThreadProcessId",
  970. "user32.dll.GetWindowTextA",
  971. "user32.dll.GetWindowRect",
  972. "user32.dll.GetWindowPlacement",
  973. "user32.dll.GetWindowLongA",
  974. "user32.dll.GetWindowDC",
  975. "user32.dll.GetTopWindow",
  976. "user32.dll.GetSystemMetrics",
  977. "user32.dll.GetSystemMenu",
  978. "user32.dll.GetSysColorBrush",
  979. "user32.dll.GetSysColor",
  980. "user32.dll.GetSubMenu",
  981. "user32.dll.GetScrollRange",
  982. "user32.dll.GetScrollPos",
  983. "user32.dll.GetScrollInfo",
  984. "user32.dll.GetPropA",
  985. "user32.dll.GetParent",
  986. "user32.dll.GetWindow",
  987. "user32.dll.GetMenuStringA",
  988. "user32.dll.GetMenuState",
  989. "user32.dll.GetMenuItemInfoA",
  990. "user32.dll.GetMenuItemID",
  991. "user32.dll.GetMenuItemCount",
  992. "user32.dll.GetMenu",
  993. "user32.dll.GetLastActivePopup",
  994. "user32.dll.GetKeyboardState",
  995. "user32.dll.GetKeyboardLayoutList",
  996. "user32.dll.GetKeyboardLayout",
  997. "user32.dll.GetKeyState",
  998. "user32.dll.GetKeyNameTextA",
  999. "user32.dll.GetIconInfo",
  1000. "user32.dll.GetForegroundWindow",
  1001. "user32.dll.GetFocus",
  1002. "user32.dll.GetDlgItem",
  1003. "user32.dll.GetDesktopWindow",
  1004. "user32.dll.GetDCEx",
  1005. "user32.dll.GetDC",
  1006. "user32.dll.GetCursorPos",
  1007. "user32.dll.GetCursor",
  1008. "user32.dll.GetClipboardData",
  1009. "user32.dll.GetClientRect",
  1010. "user32.dll.GetClassNameA",
  1011. "user32.dll.GetClassInfoA",
  1012. "user32.dll.GetCapture",
  1013. "user32.dll.GetActiveWindow",
  1014. "user32.dll.FrameRect",
  1015. "user32.dll.FindWindowA",
  1016. "user32.dll.FillRect",
  1017. "user32.dll.EqualRect",
  1018. "user32.dll.EnumWindows",
  1019. "user32.dll.EnumThreadWindows",
  1020. "user32.dll.EndPaint",
  1021. "user32.dll.EnableWindow",
  1022. "user32.dll.EnableScrollBar",
  1023. "user32.dll.EnableMenuItem",
  1024. "user32.dll.DrawTextA",
  1025. "user32.dll.DrawMenuBar",
  1026. "user32.dll.DrawIconEx",
  1027. "user32.dll.DrawIcon",
  1028. "user32.dll.DrawFrameControl",
  1029. "user32.dll.DrawFocusRect",
  1030. "user32.dll.DrawEdge",
  1031. "user32.dll.DispatchMessageA",
  1032. "user32.dll.DestroyWindow",
  1033. "user32.dll.DestroyMenu",
  1034. "user32.dll.DestroyIcon",
  1035. "user32.dll.DestroyCursor",
  1036. "user32.dll.DeleteMenu",
  1037. "user32.dll.DefWindowProcA",
  1038. "user32.dll.DefMDIChildProcA",
  1039. "user32.dll.DefFrameProcA",
  1040. "user32.dll.CreatePopupMenu",
  1041. "user32.dll.CreateMenu",
  1042. "user32.dll.CreateIcon",
  1043. "user32.dll.ClientToScreen",
  1044. "user32.dll.CheckMenuItem",
  1045. "user32.dll.CallWindowProcA",
  1046. "user32.dll.CallNextHookEx",
  1047. "user32.dll.BeginPaint",
  1048. "user32.dll.CharNextA",
  1049. "user32.dll.CharLowerBuffA",
  1050. "user32.dll.CharLowerA",
  1051. "user32.dll.CharToOemA",
  1052. "user32.dll.AdjustWindowRectEx",
  1053. "user32.dll.ActivateKeyboardLayout",
  1054. "user32.dll.GetKeyboardType",
  1055. "version.dll.VerQueryValueA",
  1056. "version.dll.GetFileVersionInfoSizeA",
  1057. "version.dll.GetFileVersionInfoA",
  1058. "kernel32.dll.GetDiskFreeSpaceExA",
  1059. "oleaut32.dll.VariantChangeTypeEx",
  1060. "oleaut32.dll.VarNeg",
  1061. "oleaut32.dll.VarNot",
  1062. "oleaut32.dll.VarAdd",
  1063. "oleaut32.dll.VarSub",
  1064. "oleaut32.dll.VarMul",
  1065. "oleaut32.dll.VarDiv",
  1066. "oleaut32.dll.VarIdiv",
  1067. "oleaut32.dll.VarMod",
  1068. "oleaut32.dll.VarAnd",
  1069. "oleaut32.dll.VarOr",
  1070. "oleaut32.dll.VarXor",
  1071. "oleaut32.dll.VarCmp",
  1072. "oleaut32.dll.VarI4FromStr",
  1073. "oleaut32.dll.VarR4FromStr",
  1074. "oleaut32.dll.VarR8FromStr",
  1075. "oleaut32.dll.VarDateFromStr",
  1076. "oleaut32.dll.VarCyFromStr",
  1077. "oleaut32.dll.VarBoolFromStr",
  1078. "oleaut32.dll.VarBstrFromCy",
  1079. "oleaut32.dll.VarBstrFromDate",
  1080. "oleaut32.dll.VarBstrFromBool",
  1081. "user32.dll.GetMonitorInfoA",
  1082. "user32.dll.EnumDisplayMonitors",
  1083. "dwmapi.dll.DwmIsCompositionEnabled",
  1084. "gdi32.dll.GetLayout",
  1085. "gdi32.dll.GdiRealizationInfo",
  1086. "gdi32.dll.FontIsLinked",
  1087. "advapi32.dll.RegOpenKeyExW",
  1088. "advapi32.dll.RegQueryInfoKeyW",
  1089. "gdi32.dll.GetTextFaceAliasW",
  1090. "advapi32.dll.RegEnumValueW",
  1091. "advapi32.dll.RegQueryValueExW",
  1092. "gdi32.dll.GetFontAssocStatus",
  1093. "advapi32.dll.RegEnumKeyExW",
  1094. "gdi32.dll.GdiIsMetaPrintDC",
  1095. "user32.dll.AnimateWindow",
  1096. "comctl32.dll.InitializeFlatSB",
  1097. "comctl32.dll.UninitializeFlatSB",
  1098. "comctl32.dll.FlatSB_GetScrollProp",
  1099. "comctl32.dll.FlatSB_SetScrollProp",
  1100. "comctl32.dll.FlatSB_EnableScrollBar",
  1101. "comctl32.dll.FlatSB_ShowScrollBar",
  1102. "comctl32.dll.FlatSB_GetScrollRange",
  1103. "comctl32.dll.FlatSB_GetScrollInfo",
  1104. "comctl32.dll.FlatSB_GetScrollPos",
  1105. "comctl32.dll.FlatSB_SetScrollPos",
  1106. "comctl32.dll.FlatSB_SetScrollInfo",
  1107. "comctl32.dll.FlatSB_SetScrollRange",
  1108. "user32.dll.SetLayeredWindowAttributes",
  1109. "cryptsp.dll.CryptAcquireContextW",
  1110. "cryptsp.dll.CryptCreateHash",
  1111. "cryptsp.dll.CryptHashData",
  1112. "cryptsp.dll.CryptGetHashParam",
  1113. "cryptsp.dll.CryptDestroyHash",
  1114. "cryptsp.dll.CryptReleaseContext",
  1115. "vaultcli.dll.VaultEnumerateItems",
  1116. "vaultcli.dll.VaultEnumerateVaults",
  1117. "vaultcli.dll.VaultFree",
  1118. "vaultcli.dll.VaultGetItem",
  1119. "vaultcli.dll.VaultOpenVault",
  1120. "vaultcli.dll.VaultCloseVault",
  1121. "sechost.dll.LookupAccountSidLocalW",
  1122. "netapi32.dll.NetUserGetInfo",
  1123. "cryptsp.dll.CryptImportKey",
  1124. "cryptsp.dll.CryptSetKeyParam",
  1125. "cryptsp.dll.CryptDecrypt",
  1126. "cryptsp.dll.CryptDestroyKey",
  1127. "kernel32.dll.FlsAlloc",
  1128. "kernel32.dll.FlsSetValue",
  1129. "kernel32.dll.FlsGetValue",
  1130. "kernel32.dll.LCMapStringEx",
  1131. "kernel32.dll.InitializeCriticalSectionEx",
  1132. "kernel32.dll.FlsFree",
  1133. "kernel32.dll.InitOnceExecuteOnce",
  1134. "kernel32.dll.CreateEventExW",
  1135. "kernel32.dll.CreateSemaphoreW",
  1136. "kernel32.dll.CreateSemaphoreExW",
  1137. "kernel32.dll.CreateThreadpoolTimer",
  1138. "kernel32.dll.SetThreadpoolTimer",
  1139. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1140. "kernel32.dll.CloseThreadpoolTimer",
  1141. "kernel32.dll.CreateThreadpoolWait",
  1142. "kernel32.dll.SetThreadpoolWait",
  1143. "kernel32.dll.CloseThreadpoolWait",
  1144. "kernel32.dll.FlushProcessWriteBuffers",
  1145. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1146. "kernel32.dll.GetCurrentProcessorNumber",
  1147. "kernel32.dll.CreateSymbolicLinkW",
  1148. "kernel32.dll.GetTickCount64",
  1149. "kernel32.dll.GetFileInformationByHandleEx",
  1150. "kernel32.dll.SetFileInformationByHandle",
  1151. "kernel32.dll.InitializeConditionVariable",
  1152. "kernel32.dll.WakeConditionVariable",
  1153. "kernel32.dll.WakeAllConditionVariable",
  1154. "kernel32.dll.SleepConditionVariableCS",
  1155. "kernel32.dll.InitializeSRWLock",
  1156. "kernel32.dll.AcquireSRWLockExclusive",
  1157. "kernel32.dll.TryAcquireSRWLockExclusive",
  1158. "kernel32.dll.ReleaseSRWLockExclusive",
  1159. "kernel32.dll.SleepConditionVariableSRW",
  1160. "kernel32.dll.CreateThreadpoolWork",
  1161. "kernel32.dll.SubmitThreadpoolWork",
  1162. "kernel32.dll.CloseThreadpoolWork",
  1163. "kernel32.dll.CompareStringEx",
  1164. "kernel32.dll.GetLocaleInfoEx",
  1165. "kernel32.dll.SortGetHandle",
  1166. "kernel32.dll.SortCloseHandle",
  1167. "goopdate.dll.DllEntry",
  1168. "kernel32.dll.RtlCaptureStackBackTrace",
  1169. "wkscli.dll.NetWkstaGetInfo",
  1170. "cscapi.dll.CscNetApiGetInterface",
  1171. "ntmarta.dll.GetMartaExtensionInterface",
  1172. "kernel32.dll.CreateMutexExW",
  1173. "dbghelp.dll.MiniDumpWriteDump",
  1174. "rpcrt4.dll.UuidCreate",
  1175. "cryptbase.dll.SystemFunction036",
  1176. "sechost.dll.LookupAccountNameLocalW",
  1177. "advapi32.dll.LookupAccountSidW",
  1178. "cryptsp.dll.CryptGenRandom",
  1179. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  1180. "ole32.dll.CoGetClassObject",
  1181. "ole32.dll.CoGetMarshalSizeMax",
  1182. "ole32.dll.CoMarshalInterface",
  1183. "ole32.dll.CoUnmarshalInterface",
  1184. "ole32.dll.StringFromIID",
  1185. "ole32.dll.CoGetPSClsid",
  1186. "ole32.dll.CoTaskMemAlloc",
  1187. "ole32.dll.CoTaskMemFree",
  1188. "ole32.dll.CoCreateInstance",
  1189. "ole32.dll.CoReleaseMarshalData",
  1190. "ole32.dll.DcomChannelSetHResult",
  1191. "psmachine.dll.DllGetClassObject",
  1192. "psmachine.dll.DllCanUnloadNow",
  1193. "advapi32.dll.RegOpenKeyW",
  1194. "ntdll.dll.RtlGetVersion",
  1195. "kernel32.dll.GetNativeSystemInfo",
  1196. "winhttp.dll.WinHttpAddRequestHeaders",
  1197. "winhttp.dll.WinHttpCheckPlatform",
  1198. "winhttp.dll.WinHttpCloseHandle",
  1199. "winhttp.dll.WinHttpConnect",
  1200. "winhttp.dll.WinHttpCrackUrl",
  1201. "winhttp.dll.WinHttpCreateUrl",
  1202. "winhttp.dll.WinHttpDetectAutoProxyConfigUrl",
  1203. "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
  1204. "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
  1205. "winhttp.dll.WinHttpGetProxyForUrl",
  1206. "winhttp.dll.WinHttpOpen",
  1207. "winhttp.dll.WinHttpOpenRequest",
  1208. "winhttp.dll.WinHttpQueryAuthSchemes",
  1209. "winhttp.dll.WinHttpQueryDataAvailable",
  1210. "winhttp.dll.WinHttpQueryHeaders",
  1211. "winhttp.dll.WinHttpQueryOption",
  1212. "winhttp.dll.WinHttpReadData",
  1213. "winhttp.dll.WinHttpReceiveResponse",
  1214. "winhttp.dll.WinHttpSendRequest",
  1215. "winhttp.dll.WinHttpSetDefaultProxyConfiguration",
  1216. "winhttp.dll.WinHttpSetCredentials",
  1217. "winhttp.dll.WinHttpSetOption",
  1218. "winhttp.dll.WinHttpSetStatusCallback",
  1219. "winhttp.dll.WinHttpSetTimeouts",
  1220. "winhttp.dll.WinHttpWriteData",
  1221. "shlwapi.dll.StrCmpNW",
  1222. "shlwapi.dll.#153",
  1223. "ws2_32.dll.GetAddrInfoW",
  1224. "ws2_32.dll.WSASocketW",
  1225. "ws2_32.dll.#2",
  1226. "ws2_32.dll.#21",
  1227. "ws2_32.dll.#9",
  1228. "ws2_32.dll.WSAIoctl",
  1229. "ws2_32.dll.FreeAddrInfoW",
  1230. "ws2_32.dll.#6",
  1231. "ws2_32.dll.#5",
  1232. "schannel.dll.SpUserModeInitialize",
  1233. "advapi32.dll.RegCreateKeyExW",
  1234. "ws2_32.dll.WSASend",
  1235. "ws2_32.dll.WSARecv",
  1236. "advapi32.dll.RevertToSelf",
  1237. "secur32.dll.FreeContextBuffer",
  1238. "ncrypt.dll.SslOpenProvider",
  1239. "ncrypt.dll.GetSChannelInterface",
  1240. "bcryptprimitives.dll.GetHashInterface",
  1241. "ncrypt.dll.SslIncrementProviderReferenceCount",
  1242. "ncrypt.dll.SslImportKey",
  1243. "bcryptprimitives.dll.GetCipherInterface",
  1244. "ncrypt.dll.SslLookupCipherSuiteInfo",
  1245. "user32.dll.LoadStringW",
  1246. "ncrypt.dll.BCryptOpenAlgorithmProvider",
  1247. "ncrypt.dll.BCryptGetProperty",
  1248. "ncrypt.dll.BCryptCreateHash",
  1249. "ncrypt.dll.BCryptHashData",
  1250. "ncrypt.dll.BCryptFinishHash",
  1251. "ncrypt.dll.BCryptDestroyHash",
  1252. "crypt32.dll.CertGetCertificateChain",
  1253. "userenv.dll.GetUserProfileDirectoryW",
  1254. "sechost.dll.ConvertSidToStringSidW",
  1255. "sechost.dll.ConvertStringSidToSidW",
  1256. "userenv.dll.RegisterGPNotification",
  1257. "gpapi.dll.RegisterGPNotificationInternal",
  1258. "sechost.dll.OpenSCManagerW",
  1259. "sechost.dll.OpenServiceW",
  1260. "sechost.dll.CloseServiceHandle",
  1261. "sechost.dll.QueryServiceConfigW",
  1262. "winsta.dll.WinStationRegisterNotificationEvent",
  1263. "advapi32.dll.CreateWellKnownSid",
  1264. "rpcrt4.dll.RpcStringBindingComposeW",
  1265. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1266. "rpcrt4.dll.RpcStringFreeW",
  1267. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1268. "rpcrt4.dll.RpcAsyncInitializeHandle",
  1269. "rpcrt4.dll.NdrClientCall2",
  1270. "rpcrt4.dll.NdrAsyncClientCall",
  1271. "cryptsp.dll.CryptAcquireContextA",
  1272. "cryptsp.dll.CryptVerifySignatureA",
  1273. "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
  1274. "ncrypt.dll.BCryptImportKeyPair",
  1275. "ncrypt.dll.BCryptVerifySignature",
  1276. "ncrypt.dll.BCryptDestroyKey",
  1277. "crypt32.dll.CertVerifyCertificateChainPolicy",
  1278. "crypt32.dll.CertFreeCertificateChain",
  1279. "crypt32.dll.CertDuplicateCertificateContext",
  1280. "ncrypt.dll.SslEncryptPacket",
  1281. "ncrypt.dll.SslDecryptPacket",
  1282. "kernel32.dll.WTSGetActiveConsoleSessionId",
  1283. "winsta.dll.WinStationQueryInformationW",
  1284. "rpcrt4.dll.I_RpcExceptionFilter",
  1285. "rpcrt4.dll.RpcBindingFree",
  1286. "kernel32.dll.IsWow64Process",
  1287. "psapi.dll.GetProcessImageFileNameW",
  1288. "oleaut32.dll.#500",
  1289. "crypt32.dll.CertFreeCertificateContext",
  1290. "ncrypt.dll.SslFreeObject"
  1291. ]
  1292.  
  1293. [*] Static Analysis: {
  1294. "pe": {
  1295. "peid_signatures": null,
  1296. "imports": [
  1297. {
  1298. "imports": [
  1299. {
  1300. "name": "LoadLibraryA",
  1301. "address": "0x49b050"
  1302. },
  1303. {
  1304. "name": "GetProcAddress",
  1305. "address": "0x49b054"
  1306. },
  1307. {
  1308. "name": "VirtualProtect",
  1309. "address": "0x49b058"
  1310. },
  1311. {
  1312. "name": "VirtualAlloc",
  1313. "address": "0x49b05c"
  1314. },
  1315. {
  1316. "name": "VirtualFree",
  1317. "address": "0x49b060"
  1318. },
  1319. {
  1320. "name": "ExitProcess",
  1321. "address": "0x49b064"
  1322. }
  1323. ],
  1324. "dll": "KERNEL32.DLL"
  1325. },
  1326. {
  1327. "imports": [
  1328. {
  1329. "name": "RegCloseKey",
  1330. "address": "0x49b06c"
  1331. }
  1332. ],
  1333. "dll": "advapi32.dll"
  1334. },
  1335. {
  1336. "imports": [
  1337. {
  1338. "name": "ImageList_Add",
  1339. "address": "0x49b074"
  1340. }
  1341. ],
  1342. "dll": "comctl32.dll"
  1343. },
  1344. {
  1345. "imports": [
  1346. {
  1347. "name": "GetOpenFileNameA",
  1348. "address": "0x49b07c"
  1349. }
  1350. ],
  1351. "dll": "comdlg32.dll"
  1352. },
  1353. {
  1354. "imports": [
  1355. {
  1356. "name": "SaveDC",
  1357. "address": "0x49b084"
  1358. }
  1359. ],
  1360. "dll": "gdi32.dll"
  1361. },
  1362. {
  1363. "imports": [
  1364. {
  1365. "name": "VariantCopy",
  1366. "address": "0x49b08c"
  1367. }
  1368. ],
  1369. "dll": "oleaut32.dll"
  1370. },
  1371. {
  1372. "imports": [
  1373. {
  1374. "name": "GetDC",
  1375. "address": "0x49b094"
  1376. }
  1377. ],
  1378. "dll": "user32.dll"
  1379. },
  1380. {
  1381. "imports": [
  1382. {
  1383. "name": "VerQueryValueA",
  1384. "address": "0x49b09c"
  1385. }
  1386. ],
  1387. "dll": "version.dll"
  1388. }
  1389. ],
  1390. "digital_signers": null,
  1391. "exported_dll_name": null,
  1392. "actual_checksum": "0x00050625",
  1393. "overlay": null,
  1394. "imagebase": "0x00400000",
  1395. "reported_checksum": "0x00000000",
  1396. "icon_hash": null,
  1397. "entrypoint": "0x00499640",
  1398. "timestamp": "1992-06-17 20:49:04",
  1399. "osversion": "4.0",
  1400. "sections": [
  1401. {
  1402. "name": "UPX0",
  1403. "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1404. "virtual_address": "0x00001000",
  1405. "size_of_data": "0x00000000",
  1406. "entropy": "0.00",
  1407. "raw_address": "0x00000400",
  1408. "virtual_size": "0x00059000",
  1409. "characteristics_raw": "0xe0000080"
  1410. },
  1411. {
  1412. "name": "UPX1",
  1413. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1414. "virtual_address": "0x0005a000",
  1415. "size_of_data": "0x0003fa00",
  1416. "entropy": "7.95",
  1417. "raw_address": "0x00000400",
  1418. "virtual_size": "0x00040000",
  1419. "characteristics_raw": "0xe0000040"
  1420. },
  1421. {
  1422. "name": ".rsrc",
  1423. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1424. "virtual_address": "0x0009a000",
  1425. "size_of_data": "0x00001200",
  1426. "entropy": "3.33",
  1427. "raw_address": "0x0003fe00",
  1428. "virtual_size": "0x00002000",
  1429. "characteristics_raw": "0xc0000040"
  1430. }
  1431. ],
  1432. "resources": [],
  1433. "dirents": [
  1434. {
  1435. "virtual_address": "0x00000000",
  1436. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1437. "size": "0x00000000"
  1438. },
  1439. {
  1440. "virtual_address": "0x0009af9c",
  1441. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1442. "size": "0x00000224"
  1443. },
  1444. {
  1445. "virtual_address": "0x0009a000",
  1446. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1447. "size": "0x00000f9c"
  1448. },
  1449. {
  1450. "virtual_address": "0x00000000",
  1451. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1452. "size": "0x00000000"
  1453. },
  1454. {
  1455. "virtual_address": "0x00000000",
  1456. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1457. "size": "0x00000000"
  1458. },
  1459. {
  1460. "virtual_address": "0x00000000",
  1461. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1462. "size": "0x00000000"
  1463. },
  1464. {
  1465. "virtual_address": "0x00000000",
  1466. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1467. "size": "0x00000000"
  1468. },
  1469. {
  1470. "virtual_address": "0x00000000",
  1471. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1472. "size": "0x00000000"
  1473. },
  1474. {
  1475. "virtual_address": "0x00000000",
  1476. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1477. "size": "0x00000000"
  1478. },
  1479. {
  1480. "virtual_address": "0x000997f8",
  1481. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1482. "size": "0x00000018"
  1483. },
  1484. {
  1485. "virtual_address": "0x00000000",
  1486. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1487. "size": "0x00000000"
  1488. },
  1489. {
  1490. "virtual_address": "0x00000000",
  1491. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1492. "size": "0x00000000"
  1493. },
  1494. {
  1495. "virtual_address": "0x00000000",
  1496. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1497. "size": "0x00000000"
  1498. },
  1499. {
  1500. "virtual_address": "0x00000000",
  1501. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1502. "size": "0x00000000"
  1503. },
  1504. {
  1505. "virtual_address": "0x00000000",
  1506. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1507. "size": "0x00000000"
  1508. },
  1509. {
  1510. "virtual_address": "0x00000000",
  1511. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1512. "size": "0x00000000"
  1513. }
  1514. ],
  1515. "exports": [],
  1516. "guest_signers": {},
  1517. "imphash": "c458ff2d515beb8f44158cd3636a7400",
  1518. "icon_fuzzy": null,
  1519. "icon": null,
  1520. "pdbpath": null,
  1521. "imported_dll_count": 8,
  1522. "versioninfo": []
  1523. }
  1524. }