paladin316

atpbtqwlcs_exe.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 1.6
  5.  
  6. [*] File Name: "atpbtqwlcs.exe"
  7. [*] File Size: 1105975
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "7b9747384f7f5732e6fb3bc12c3f96bcab53ed8d066d064e465bf9f51bb88618"
  10. [*] MD5: "a1efbe65547fd9a8a533eb788eadf155"
  11. [*] SHA1: "8aa18ff2560f212e2e1f776673aa1c1c86a75bae"
  12. [*] SHA512: "5292b87e3f239a96499e74bfb301e6446773ea0390c9564e9781fd1afcd78a1c993f951e58908668fef1505749d2dd7ae3e695d003e7e3b10557e294a17433b7"
  13. [*] CRC32: "4B914204"
  14. [*] SSDEEP: "24576:7yKzMHUZ7Ng4RvFjEvTaVSFCf1+K4gaHWtRwrho61/u:eiZu4RvFjg7gfgKNk8RwNT1/u"
  15.  
  16. [*] Process Execution: [
  17. "atpbtqwlcs.exe",
  18. "atpbtqwlcs.tmp"
  19. ]
  20.  
  21. [*] Signatures Detected: [
  22. {
  23. "Description": "Creates RWX memory",
  24. "Details": []
  25. },
  26. {
  27. "Description": "Reads data out of its own binary image",
  28. "Details": [
  29. {
  30. "self_read": "process: atpbtqwlcs.exe, pid: 748, offset: 0x000c32f3, length: 0x0000187e"
  31. },
  32. {
  33. "self_read": "process: atpbtqwlcs.exe, pid: 748, offset: 0x000c4c4b, length: 0x000493ec"
  34. }
  35. ]
  36. },
  37. {
  38. "Description": "Drops a binary and executes it",
  39. "Details": [
  40. {
  41. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\is-C7HDA.tmp\\atpbtqwlcs.tmp"
  42. }
  43. ]
  44. },
  45. {
  46. "Description": "Performs some HTTP requests",
  47. "Details": [
  48. {
  49. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  50. },
  51. {
  52. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  53. },
  54. {
  55. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  56. },
  57. {
  58. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
  59. },
  60. {
  61. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
  62. },
  63. {
  64. "url": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
  65. },
  66. {
  67. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
  68. },
  69. {
  70. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
  71. },
  72. {
  73. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  74. },
  75. {
  76. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
  77. },
  78. {
  79. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
  80. },
  81. {
  82. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
  83. },
  84. {
  85. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
  86. },
  87. {
  88. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
  89. },
  90. {
  91. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
  92. },
  93. {
  94. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
  95. },
  96. {
  97. "url": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
  98. },
  99. {
  100. "url": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
  101. },
  102. {
  103. "url": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  104. },
  105. {
  106. "url": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
  107. },
  108. {
  109. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
  110. },
  111. {
  112. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
  113. },
  114. {
  115. "url": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
  116. }
  117. ]
  118. }
  119. ]
  120.  
  121. [*] Started Service: []
  122.  
  123. [*] Executed Commands: [
  124. "\"C:\\Users\\user\\AppData\\Local\\Temp\\is-C7HDA.tmp\\atpbtqwlcs.tmp\" /SL5=\"$130166,799475,54272,C:\\Users\\user\\AppData\\Local\\Temp\\atpbtqwlcs.exe\""
  125. ]
  126.  
  127. [*] Mutexes: [
  128. "CicLoadWinStaWinSta0",
  129. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  130. "Local\\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511",
  131. "Local\\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000",
  132. "DefaultTabtip-MainUI"
  133. ]
  134.  
  135. [*] Modified Files: [
  136. "C:\\Users\\user\\AppData\\Local\\Temp\\is-C7HDA.tmp\\atpbtqwlcs.tmp",
  137. "C:\\Users\\user\\AppData\\Local\\Temp\\is-OUDOH.tmp\\_isetup\\_RegDLL.tmp",
  138. "C:\\Users\\user\\AppData\\Local\\Temp\\is-OUDOH.tmp\\_isetup\\_setup64.tmp",
  139. "C:\\Users\\user\\AppData\\Local\\Temp\\is-OUDOH.tmp\\_isetup\\_shfoldr.dll"
  140. ]
  141.  
  142. [*] Deleted Files: []
  143.  
  144. [*] Modified Registry Keys: [
  145. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000",
  146. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
  147. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
  148. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence"
  149. ]
  150.  
  151. [*] Deleted Registry Keys: []
  152.  
  153. [*] DNS Communications: []
  154.  
  155. [*] Domains: []
  156.  
  157. [*] Network Communication - ICMP: []
  158.  
  159. [*] Network Communication - HTTP: [
  160. {
  161. "count": 1,
  162. "body": "",
  163. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  164. "user-agent": "Microsoft-CryptoAPI/6.1",
  165. "method": "GET",
  166. "host": "ocsp.digicert.com",
  167. "version": "1.1",
  168. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  169. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 128165\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:02:13 GMT\r\nIf-None-Match: \"5c961235-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  170. "port": 80
  171. },
  172. {
  173. "count": 1,
  174. "body": "",
  175. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  176. "user-agent": "Microsoft-CryptoAPI/6.1",
  177. "method": "GET",
  178. "host": "ocsp.digicert.com",
  179. "version": "1.1",
  180. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  181. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  182. "port": 80
  183. },
  184. {
  185. "count": 1,
  186. "body": "",
  187. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  188. "user-agent": "Microsoft-CryptoAPI/6.1",
  189. "method": "GET",
  190. "host": "ocsp.digicert.com",
  191. "version": "1.1",
  192. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  193. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 143038\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 15:00:07 GMT\r\nIf-None-Match: \"5c9649f7-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  194. "port": 80
  195. },
  196. {
  197. "count": 1,
  198. "body": "",
  199. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
  200. "user-agent": "Microsoft-CryptoAPI/6.1",
  201. "method": "GET",
  202. "host": "ocsp.pki.goog",
  203. "version": "1.1",
  204. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
  205. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  206. "port": 80
  207. },
  208. {
  209. "count": 1,
  210. "body": "",
  211. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
  212. "user-agent": "Microsoft-CryptoAPI/6.1",
  213. "method": "GET",
  214. "host": "ocsp.digicert.com",
  215. "version": "1.1",
  216. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
  217. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D HTTP/1.1\r\nCache-Control: max-age = 89056\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 18:30:24 GMT\r\nIf-None-Match: \"5c9529c0-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  218. "port": 80
  219. },
  220. {
  221. "count": 1,
  222. "body": "",
  223. "uri": "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
  224. "user-agent": "Microsoft-CryptoAPI/6.1",
  225. "method": "GET",
  226. "host": "crl.microsoft.com",
  227. "version": "1.1",
  228. "path": "/pki/crl/products/MicrosoftTimeStampPCA.crl",
  229. "data": "GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Feb 2019 02:02:49 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  230. "port": 80
  231. },
  232. {
  233. "count": 1,
  234. "body": "",
  235. "uri": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
  236. "user-agent": "Microsoft-CryptoAPI/6.1",
  237. "method": "GET",
  238. "host": "ocsp.comodoca.com",
  239. "version": "1.1",
  240. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
  241. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D HTTP/1.1\r\nCache-Control: max-age = 94804\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca.com\r\n\r\n",
  242. "port": 80
  243. },
  244. {
  245. "count": 1,
  246. "body": "",
  247. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
  248. "user-agent": "Microsoft-CryptoAPI/6.1",
  249. "method": "GET",
  250. "host": "ocsp.pki.goog",
  251. "version": "1.1",
  252. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
  253. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  254. "port": 80
  255. },
  256. {
  257. "count": 1,
  258. "body": "",
  259. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
  260. "user-agent": "Microsoft-CryptoAPI/6.1",
  261. "method": "GET",
  262. "host": "ocsp.digicert.com",
  263. "version": "1.1",
  264. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
  265. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D HTTP/1.1\r\nCache-Control: max-age = 108232\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 23:50:01 GMT\r\nIf-None-Match: \"5c9574a9-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  266. "port": 80
  267. },
  268. {
  269. "count": 1,
  270. "body": "",
  271. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  272. "user-agent": "Microsoft-CryptoAPI/6.1",
  273. "method": "GET",
  274. "host": "www.download.windowsupdate.com",
  275. "version": "1.1",
  276. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  277. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
  278. "port": 80
  279. },
  280. {
  281. "count": 1,
  282. "body": "",
  283. "uri": "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
  284. "user-agent": "Microsoft-CryptoAPI/6.1",
  285. "method": "GET",
  286. "host": "crl.microsoft.com",
  287. "version": "1.1",
  288. "path": "/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
  289. "data": "GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 14 Feb 2019 06:01:18 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  290. "port": 80
  291. },
  292. {
  293. "count": 1,
  294. "body": "",
  295. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
  296. "user-agent": "Microsoft-CryptoAPI/6.1",
  297. "method": "GET",
  298. "host": "ocsp.digicert.com",
  299. "version": "1.1",
  300. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
  301. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D HTTP/1.1\r\nCache-Control: max-age = 93156\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 04:40:45 GMT\r\nIf-None-Match: \"5c8c7e4d-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  302. "port": 80
  303. },
  304. {
  305. "count": 1,
  306. "body": "",
  307. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
  308. "user-agent": "Microsoft-CryptoAPI/6.1",
  309. "method": "GET",
  310. "host": "ocsp.digicert.com",
  311. "version": "1.1",
  312. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
  313. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1\r\nCache-Control: max-age = 149079\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:10:47 GMT\r\nIf-None-Match: \"5c961437-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  314. "port": 80
  315. },
  316. {
  317. "count": 1,
  318. "body": "",
  319. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
  320. "user-agent": "Microsoft-CryptoAPI/6.1",
  321. "method": "GET",
  322. "host": "ocsp.digicert.com",
  323. "version": "1.1",
  324. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
  325. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D HTTP/1.1\r\nCache-Control: max-age = 148251\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 18:10:24 GMT\r\nIf-None-Match: \"5c8d3c10-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  326. "port": 80
  327. },
  328. {
  329. "count": 1,
  330. "body": "",
  331. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
  332. "user-agent": "Microsoft-CryptoAPI/6.1",
  333. "method": "GET",
  334. "host": "ocsp.pki.goog",
  335. "version": "1.1",
  336. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
  337. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  338. "port": 80
  339. },
  340. {
  341. "count": 1,
  342. "body": "",
  343. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
  344. "user-agent": "Microsoft-CryptoAPI/6.1",
  345. "method": "GET",
  346. "host": "ocsp.pki.goog",
  347. "version": "1.1",
  348. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
  349. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  350. "port": 80
  351. },
  352. {
  353. "count": 1,
  354. "body": "",
  355. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
  356. "user-agent": "Microsoft-CryptoAPI/6.1",
  357. "method": "GET",
  358. "host": "ocsp.digicert.com",
  359. "version": "1.1",
  360. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
  361. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D HTTP/1.1\r\nCache-Control: max-age = 126990\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 10:41:16 GMT\r\nIf-None-Match: \"5c960d4c-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  362. "port": 80
  363. },
  364. {
  365. "count": 1,
  366. "body": "",
  367. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
  368. "user-agent": "Microsoft-CryptoAPI/6.1",
  369. "method": "GET",
  370. "host": "ocsp.pki.goog",
  371. "version": "1.1",
  372. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
  373. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  374. "port": 80
  375. },
  376. {
  377. "count": 1,
  378. "body": "",
  379. "uri": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
  380. "user-agent": "Microsoft-CryptoAPI/6.1",
  381. "method": "GET",
  382. "host": "ocsp.msocsp.com",
  383. "version": "1.1",
  384. "path": "/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
  385. "data": "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 17:46:18 GMT\r\nIf-None-Match: \"dd54d75d4688b8dc62b087df4e04af258704c48b\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.msocsp.com\r\n\r\n",
  386. "port": 80
  387. },
  388. {
  389. "count": 1,
  390. "body": "",
  391. "uri": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
  392. "user-agent": "Microsoft-CryptoAPI/6.1",
  393. "method": "GET",
  394. "host": "ocsp.thawte.com",
  395. "version": "1.1",
  396. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
  397. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1\r\nCache-Control: max-age = 320712\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Wed, 20 Mar 2019 11:42:01 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.thawte.com\r\n\r\n",
  398. "port": 80
  399. },
  400. {
  401. "count": 1,
  402. "body": "",
  403. "uri": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  404. "user-agent": "Microsoft-CryptoAPI/6.1",
  405. "method": "GET",
  406. "host": "ocsp.usertrust.com",
  407. "version": "1.1",
  408. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  409. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1\r\nCache-Control: max-age = 94765\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.usertrust.com\r\n\r\n",
  410. "port": 80
  411. },
  412. {
  413. "count": 1,
  414. "body": "",
  415. "uri": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
  416. "user-agent": "Microsoft-CryptoAPI/6.1",
  417. "method": "GET",
  418. "host": "th.symcd.com",
  419. "version": "1.1",
  420. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
  421. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D HTTP/1.1\r\nCache-Control: max-age = 386377\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 21 Mar 2019 05:58:32 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: th.symcd.com\r\n\r\n",
  422. "port": 80
  423. },
  424. {
  425. "count": 1,
  426. "body": "",
  427. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
  428. "user-agent": "Microsoft-CryptoAPI/6.1",
  429. "method": "GET",
  430. "host": "ocsp.digicert.com",
  431. "version": "1.1",
  432. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
  433. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D HTTP/1.1\r\nCache-Control: max-age = 142986\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 07:40:28 GMT\r\nIf-None-Match: \"5cece5ec-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  434. "port": 80
  435. },
  436. {
  437. "count": 1,
  438. "body": "",
  439. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
  440. "user-agent": "Microsoft-CryptoAPI/6.1",
  441. "method": "GET",
  442. "host": "ocsp.digicert.com",
  443. "version": "1.1",
  444. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
  445. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D HTTP/1.1\r\nCache-Control: max-age = 161796\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 13:00:33 GMT\r\nIf-None-Match: \"5ced30f1-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  446. "port": 80
  447. },
  448. {
  449. "count": 1,
  450. "body": "",
  451. "uri": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
  452. "user-agent": "Microsoft-CryptoAPI/6.1",
  453. "method": "GET",
  454. "host": "ocsp.pki.goog",
  455. "version": "1.1",
  456. "path": "/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
  457. "data": "GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  458. "port": 80
  459. },
  460. {
  461. "count": 1,
  462. "body": "",
  463. "uri": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
  464. "user-agent": "Microsoft-CryptoAPI/6.1",
  465. "method": "GET",
  466. "host": "crl.microsoft.com",
  467. "version": "1.1",
  468. "path": "/pki/crl/products/microsoftrootcert.crl",
  469. "data": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 07 Mar 2019 06:00:16 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  470. "port": 80
  471. }
  472. ]
  473.  
  474. [*] Network Communication - SMTP: []
  475.  
  476. [*] Network Communication - Hosts: []
  477.  
  478. [*] Network Communication - IRC: []
  479.  
  480. [*] Static Analysis: {
  481. "pe": {
  482. "peid_signatures": null,
  483. "imports": [
  484. {
  485. "imports": [
  486. {
  487. "name": "DeleteCriticalSection",
  488. "address": "0x40d0b4"
  489. },
  490. {
  491. "name": "LeaveCriticalSection",
  492. "address": "0x40d0b8"
  493. },
  494. {
  495. "name": "EnterCriticalSection",
  496. "address": "0x40d0bc"
  497. },
  498. {
  499. "name": "InitializeCriticalSection",
  500. "address": "0x40d0c0"
  501. },
  502. {
  503. "name": "VirtualFree",
  504. "address": "0x40d0c4"
  505. },
  506. {
  507. "name": "VirtualAlloc",
  508. "address": "0x40d0c8"
  509. },
  510. {
  511. "name": "LocalFree",
  512. "address": "0x40d0cc"
  513. },
  514. {
  515. "name": "LocalAlloc",
  516. "address": "0x40d0d0"
  517. },
  518. {
  519. "name": "WideCharToMultiByte",
  520. "address": "0x40d0d4"
  521. },
  522. {
  523. "name": "TlsSetValue",
  524. "address": "0x40d0d8"
  525. },
  526. {
  527. "name": "TlsGetValue",
  528. "address": "0x40d0dc"
  529. },
  530. {
  531. "name": "MultiByteToWideChar",
  532. "address": "0x40d0e0"
  533. },
  534. {
  535. "name": "GetModuleHandleA",
  536. "address": "0x40d0e4"
  537. },
  538. {
  539. "name": "GetLastError",
  540. "address": "0x40d0e8"
  541. },
  542. {
  543. "name": "GetCommandLineA",
  544. "address": "0x40d0ec"
  545. },
  546. {
  547. "name": "WriteFile",
  548. "address": "0x40d0f0"
  549. },
  550. {
  551. "name": "SetFilePointer",
  552. "address": "0x40d0f4"
  553. },
  554. {
  555. "name": "SetEndOfFile",
  556. "address": "0x40d0f8"
  557. },
  558. {
  559. "name": "RtlUnwind",
  560. "address": "0x40d0fc"
  561. },
  562. {
  563. "name": "ReadFile",
  564. "address": "0x40d100"
  565. },
  566. {
  567. "name": "RaiseException",
  568. "address": "0x40d104"
  569. },
  570. {
  571. "name": "GetStdHandle",
  572. "address": "0x40d108"
  573. },
  574. {
  575. "name": "GetFileSize",
  576. "address": "0x40d10c"
  577. },
  578. {
  579. "name": "GetSystemTime",
  580. "address": "0x40d110"
  581. },
  582. {
  583. "name": "GetFileType",
  584. "address": "0x40d114"
  585. },
  586. {
  587. "name": "ExitProcess",
  588. "address": "0x40d118"
  589. },
  590. {
  591. "name": "CreateFileA",
  592. "address": "0x40d11c"
  593. },
  594. {
  595. "name": "CloseHandle",
  596. "address": "0x40d120"
  597. }
  598. ],
  599. "dll": "kernel32.dll"
  600. },
  601. {
  602. "imports": [
  603. {
  604. "name": "MessageBoxA",
  605. "address": "0x40d128"
  606. }
  607. ],
  608. "dll": "user32.dll"
  609. },
  610. {
  611. "imports": [
  612. {
  613. "name": "VariantChangeTypeEx",
  614. "address": "0x40d130"
  615. },
  616. {
  617. "name": "VariantCopyInd",
  618. "address": "0x40d134"
  619. },
  620. {
  621. "name": "VariantClear",
  622. "address": "0x40d138"
  623. },
  624. {
  625. "name": "SysStringLen",
  626. "address": "0x40d13c"
  627. },
  628. {
  629. "name": "SysAllocStringLen",
  630. "address": "0x40d140"
  631. }
  632. ],
  633. "dll": "oleaut32.dll"
  634. },
  635. {
  636. "imports": [
  637. {
  638. "name": "RegQueryValueExA",
  639. "address": "0x40d148"
  640. },
  641. {
  642. "name": "RegOpenKeyExA",
  643. "address": "0x40d14c"
  644. },
  645. {
  646. "name": "RegCloseKey",
  647. "address": "0x40d150"
  648. },
  649. {
  650. "name": "OpenProcessToken",
  651. "address": "0x40d154"
  652. },
  653. {
  654. "name": "LookupPrivilegeValueA",
  655. "address": "0x40d158"
  656. }
  657. ],
  658. "dll": "advapi32.dll"
  659. },
  660. {
  661. "imports": [
  662. {
  663. "name": "WriteFile",
  664. "address": "0x40d160"
  665. },
  666. {
  667. "name": "VirtualQuery",
  668. "address": "0x40d164"
  669. },
  670. {
  671. "name": "VirtualProtect",
  672. "address": "0x40d168"
  673. },
  674. {
  675. "name": "VirtualFree",
  676. "address": "0x40d16c"
  677. },
  678. {
  679. "name": "VirtualAlloc",
  680. "address": "0x40d170"
  681. },
  682. {
  683. "name": "Sleep",
  684. "address": "0x40d174"
  685. },
  686. {
  687. "name": "SizeofResource",
  688. "address": "0x40d178"
  689. },
  690. {
  691. "name": "SetLastError",
  692. "address": "0x40d17c"
  693. },
  694. {
  695. "name": "SetFilePointer",
  696. "address": "0x40d180"
  697. },
  698. {
  699. "name": "SetErrorMode",
  700. "address": "0x40d184"
  701. },
  702. {
  703. "name": "SetEndOfFile",
  704. "address": "0x40d188"
  705. },
  706. {
  707. "name": "RemoveDirectoryA",
  708. "address": "0x40d18c"
  709. },
  710. {
  711. "name": "ReadFile",
  712. "address": "0x40d190"
  713. },
  714. {
  715. "name": "LockResource",
  716. "address": "0x40d194"
  717. },
  718. {
  719. "name": "LoadResource",
  720. "address": "0x40d198"
  721. },
  722. {
  723. "name": "LoadLibraryA",
  724. "address": "0x40d19c"
  725. },
  726. {
  727. "name": "IsDBCSLeadByte",
  728. "address": "0x40d1a0"
  729. },
  730. {
  731. "name": "GetWindowsDirectoryA",
  732. "address": "0x40d1a4"
  733. },
  734. {
  735. "name": "GetVersionExA",
  736. "address": "0x40d1a8"
  737. },
  738. {
  739. "name": "GetUserDefaultLangID",
  740. "address": "0x40d1ac"
  741. },
  742. {
  743. "name": "GetSystemInfo",
  744. "address": "0x40d1b0"
  745. },
  746. {
  747. "name": "GetSystemDefaultLCID",
  748. "address": "0x40d1b4"
  749. },
  750. {
  751. "name": "GetProcAddress",
  752. "address": "0x40d1b8"
  753. },
  754. {
  755. "name": "GetModuleHandleA",
  756. "address": "0x40d1bc"
  757. },
  758. {
  759. "name": "GetModuleFileNameA",
  760. "address": "0x40d1c0"
  761. },
  762. {
  763. "name": "GetLocaleInfoA",
  764. "address": "0x40d1c4"
  765. },
  766. {
  767. "name": "GetLastError",
  768. "address": "0x40d1c8"
  769. },
  770. {
  771. "name": "GetFullPathNameA",
  772. "address": "0x40d1cc"
  773. },
  774. {
  775. "name": "GetFileSize",
  776. "address": "0x40d1d0"
  777. },
  778. {
  779. "name": "GetFileAttributesA",
  780. "address": "0x40d1d4"
  781. },
  782. {
  783. "name": "GetExitCodeProcess",
  784. "address": "0x40d1d8"
  785. },
  786. {
  787. "name": "GetEnvironmentVariableA",
  788. "address": "0x40d1dc"
  789. },
  790. {
  791. "name": "GetCurrentProcess",
  792. "address": "0x40d1e0"
  793. },
  794. {
  795. "name": "GetCommandLineA",
  796. "address": "0x40d1e4"
  797. },
  798. {
  799. "name": "GetACP",
  800. "address": "0x40d1e8"
  801. },
  802. {
  803. "name": "InterlockedExchange",
  804. "address": "0x40d1ec"
  805. },
  806. {
  807. "name": "FormatMessageA",
  808. "address": "0x40d1f0"
  809. },
  810. {
  811. "name": "FindResourceA",
  812. "address": "0x40d1f4"
  813. },
  814. {
  815. "name": "DeleteFileA",
  816. "address": "0x40d1f8"
  817. },
  818. {
  819. "name": "CreateProcessA",
  820. "address": "0x40d1fc"
  821. },
  822. {
  823. "name": "CreateFileA",
  824. "address": "0x40d200"
  825. },
  826. {
  827. "name": "CreateDirectoryA",
  828. "address": "0x40d204"
  829. },
  830. {
  831. "name": "CloseHandle",
  832. "address": "0x40d208"
  833. }
  834. ],
  835. "dll": "kernel32.dll"
  836. },
  837. {
  838. "imports": [
  839. {
  840. "name": "TranslateMessage",
  841. "address": "0x40d210"
  842. },
  843. {
  844. "name": "SetWindowLongA",
  845. "address": "0x40d214"
  846. },
  847. {
  848. "name": "PeekMessageA",
  849. "address": "0x40d218"
  850. },
  851. {
  852. "name": "MsgWaitForMultipleObjects",
  853. "address": "0x40d21c"
  854. },
  855. {
  856. "name": "MessageBoxA",
  857. "address": "0x40d220"
  858. },
  859. {
  860. "name": "LoadStringA",
  861. "address": "0x40d224"
  862. },
  863. {
  864. "name": "ExitWindowsEx",
  865. "address": "0x40d228"
  866. },
  867. {
  868. "name": "DispatchMessageA",
  869. "address": "0x40d22c"
  870. },
  871. {
  872. "name": "DestroyWindow",
  873. "address": "0x40d230"
  874. },
  875. {
  876. "name": "CreateWindowExA",
  877. "address": "0x40d234"
  878. },
  879. {
  880. "name": "CallWindowProcA",
  881. "address": "0x40d238"
  882. },
  883. {
  884. "name": "CharPrevA",
  885. "address": "0x40d23c"
  886. }
  887. ],
  888. "dll": "user32.dll"
  889. },
  890. {
  891. "imports": [
  892. {
  893. "name": "InitCommonControls",
  894. "address": "0x40d244"
  895. }
  896. ],
  897. "dll": "comctl32.dll"
  898. },
  899. {
  900. "imports": [
  901. {
  902. "name": "AdjustTokenPrivileges",
  903. "address": "0x40d24c"
  904. }
  905. ],
  906. "dll": "advapi32.dll"
  907. }
  908. ],
  909. "digital_signers": null,
  910. "exported_dll_name": null,
  911. "actual_checksum": "0x00119d21",
  912. "overlay": {
  913. "size": "0x00100c37",
  914. "offset": "0x0000d400"
  915. },
  916. "imagebase": "0x00400000",
  917. "reported_checksum": "0x00000000",
  918. "icon_hash": null,
  919. "entrypoint": "0x00409c14",
  920. "timestamp": "1992-06-19 22:22:17",
  921. "osversion": "1.0",
  922. "sections": [
  923. {
  924. "name": "CODE",
  925. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  926. "virtual_address": "0x00001000",
  927. "size_of_data": "0x00009400",
  928. "entropy": "6.56",
  929. "raw_address": "0x00000400",
  930. "virtual_size": "0x00009338",
  931. "characteristics_raw": "0x60000020"
  932. },
  933. {
  934. "name": "DATA",
  935. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  936. "virtual_address": "0x0000b000",
  937. "size_of_data": "0x00000400",
  938. "entropy": "2.74",
  939. "raw_address": "0x00009800",
  940. "virtual_size": "0x0000024c",
  941. "characteristics_raw": "0xc0000040"
  942. },
  943. {
  944. "name": "BSS",
  945. "characteristics": "IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  946. "virtual_address": "0x0000c000",
  947. "size_of_data": "0x00000000",
  948. "entropy": "0.00",
  949. "raw_address": "0x00009c00",
  950. "virtual_size": "0x00000e8c",
  951. "characteristics_raw": "0xc0000000"
  952. },
  953. {
  954. "name": ".idata",
  955. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  956. "virtual_address": "0x0000d000",
  957. "size_of_data": "0x00000a00",
  958. "entropy": "4.43",
  959. "raw_address": "0x00009c00",
  960. "virtual_size": "0x00000950",
  961. "characteristics_raw": "0xc0000040"
  962. },
  963. {
  964. "name": ".tls",
  965. "characteristics": "IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  966. "virtual_address": "0x0000e000",
  967. "size_of_data": "0x00000000",
  968. "entropy": "0.00",
  969. "raw_address": "0x0000a600",
  970. "virtual_size": "0x00000008",
  971. "characteristics_raw": "0xc0000000"
  972. },
  973. {
  974. "name": ".rdata",
  975. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ",
  976. "virtual_address": "0x0000f000",
  977. "size_of_data": "0x00000200",
  978. "entropy": "0.20",
  979. "raw_address": "0x0000a600",
  980. "virtual_size": "0x00000018",
  981. "characteristics_raw": "0x50000040"
  982. },
  983. {
  984. "name": ".reloc",
  985. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ",
  986. "virtual_address": "0x00010000",
  987. "size_of_data": "0x00000000",
  988. "entropy": "0.00",
  989. "raw_address": "0x0000a800",
  990. "virtual_size": "0x000008b0",
  991. "characteristics_raw": "0x50000040"
  992. },
  993. {
  994. "name": ".rsrc",
  995. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ",
  996. "virtual_address": "0x00011000",
  997. "size_of_data": "0x00002c00",
  998. "entropy": "4.47",
  999. "raw_address": "0x0000a800",
  1000. "virtual_size": "0x00002c00",
  1001. "characteristics_raw": "0x50000040"
  1002. }
  1003. ],
  1004. "resources": [],
  1005. "dirents": [
  1006. {
  1007. "virtual_address": "0x00000000",
  1008. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1009. "size": "0x00000000"
  1010. },
  1011. {
  1012. "virtual_address": "0x0000d000",
  1013. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1014. "size": "0x00000950"
  1015. },
  1016. {
  1017. "virtual_address": "0x00011000",
  1018. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1019. "size": "0x00002c00"
  1020. },
  1021. {
  1022. "virtual_address": "0x00000000",
  1023. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1024. "size": "0x00000000"
  1025. },
  1026. {
  1027. "virtual_address": "0x00000000",
  1028. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1029. "size": "0x00000000"
  1030. },
  1031. {
  1032. "virtual_address": "0x00000000",
  1033. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1034. "size": "0x00000000"
  1035. },
  1036. {
  1037. "virtual_address": "0x00000000",
  1038. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1039. "size": "0x00000000"
  1040. },
  1041. {
  1042. "virtual_address": "0x00000000",
  1043. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1044. "size": "0x00000000"
  1045. },
  1046. {
  1047. "virtual_address": "0x00000000",
  1048. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1049. "size": "0x00000000"
  1050. },
  1051. {
  1052. "virtual_address": "0x0000f000",
  1053. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1054. "size": "0x00000018"
  1055. },
  1056. {
  1057. "virtual_address": "0x00000000",
  1058. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1059. "size": "0x00000000"
  1060. },
  1061. {
  1062. "virtual_address": "0x00000000",
  1063. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1064. "size": "0x00000000"
  1065. },
  1066. {
  1067. "virtual_address": "0x00000000",
  1068. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1069. "size": "0x00000000"
  1070. },
  1071. {
  1072. "virtual_address": "0x00000000",
  1073. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1074. "size": "0x00000000"
  1075. },
  1076. {
  1077. "virtual_address": "0x00000000",
  1078. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1079. "size": "0x00000000"
  1080. },
  1081. {
  1082. "virtual_address": "0x00000000",
  1083. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1084. "size": "0x00000000"
  1085. }
  1086. ],
  1087. "exports": [],
  1088. "guest_signers": {},
  1089. "imphash": "884310b1928934402ea6fec1dbd3cf5e",
  1090. "icon_fuzzy": null,
  1091. "icon": null,
  1092. "pdbpath": null,
  1093. "imported_dll_count": 8,
  1094. "versioninfo": []
  1095. }
  1096. }
  1097.  
  1098. [*] Resolved APIs: [
  1099. "kernel32.dll.SetDllDirectoryW",
  1100. "kernel32.dll.SetSearchPathMode",
  1101. "kernel32.dll.SetProcessDEPPolicy",
  1102. "kernel32.dll.Wow64DisableWow64FsRedirection",
  1103. "kernel32.dll.Wow64RevertWow64FsRedirection",
  1104. "kernel32.dll.GetUserDefaultUILanguage",
  1105. "comctl32.dll.RegisterClassNameW",
  1106. "kernel32.dll.SortGetHandle",
  1107. "kernel32.dll.SortCloseHandle",
  1108. "uxtheme.dll.ThemeInitApiHook",
  1109. "user32.dll.IsProcessDPIAware",
  1110. "dwmapi.dll.DwmIsCompositionEnabled",
  1111. "uxtheme.dll.EnableThemeDialogTexture",
  1112. "uxtheme.dll.OpenThemeData",
  1113. "uxtheme.dll.CloseThemeData",
  1114. "uxtheme.dll.DrawThemeBackground",
  1115. "uxtheme.dll.DrawThemeText",
  1116. "uxtheme.dll.GetThemeBackgroundContentRect",
  1117. "uxtheme.dll.GetThemePartSize",
  1118. "uxtheme.dll.GetThemeTextExtent",
  1119. "uxtheme.dll.GetThemeTextMetrics",
  1120. "uxtheme.dll.GetThemeBackgroundRegion",
  1121. "uxtheme.dll.HitTestThemeBackground",
  1122. "uxtheme.dll.DrawThemeEdge",
  1123. "uxtheme.dll.DrawThemeIcon",
  1124. "uxtheme.dll.IsThemePartDefined",
  1125. "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
  1126. "uxtheme.dll.GetThemeColor",
  1127. "uxtheme.dll.GetThemeMetric",
  1128. "uxtheme.dll.GetThemeString",
  1129. "uxtheme.dll.GetThemeBool",
  1130. "uxtheme.dll.GetThemeInt",
  1131. "uxtheme.dll.GetThemeEnumValue",
  1132. "uxtheme.dll.GetThemePosition",
  1133. "uxtheme.dll.GetThemeFont",
  1134. "uxtheme.dll.GetThemeRect",
  1135. "uxtheme.dll.GetThemeMargins",
  1136. "uxtheme.dll.GetThemeIntList",
  1137. "uxtheme.dll.GetThemePropertyOrigin",
  1138. "uxtheme.dll.SetWindowTheme",
  1139. "uxtheme.dll.GetThemeFilename",
  1140. "uxtheme.dll.GetThemeSysColor",
  1141. "uxtheme.dll.GetThemeSysColorBrush",
  1142. "uxtheme.dll.GetThemeSysBool",
  1143. "uxtheme.dll.GetThemeSysSize",
  1144. "uxtheme.dll.GetThemeSysFont",
  1145. "uxtheme.dll.GetThemeSysString",
  1146. "uxtheme.dll.GetThemeSysInt",
  1147. "uxtheme.dll.IsThemeActive",
  1148. "uxtheme.dll.IsAppThemed",
  1149. "uxtheme.dll.GetWindowTheme",
  1150. "uxtheme.dll.IsThemeDialogTextureEnabled",
  1151. "uxtheme.dll.GetThemeAppProperties",
  1152. "uxtheme.dll.SetThemeAppProperties",
  1153. "uxtheme.dll.GetCurrentThemeName",
  1154. "uxtheme.dll.GetThemeDocumentationProperty",
  1155. "uxtheme.dll.DrawThemeParentBackground",
  1156. "uxtheme.dll.EnableTheming",
  1157. "user32.dll.NotifyWinEvent",
  1158. "cryptbase.dll.SystemFunction036",
  1159. "shell32.dll.SHCreateItemFromParsingName",
  1160. "shell32.dll.SHPathPrepareForWriteA",
  1161. "kernel32.dll.VerSetConditionMask",
  1162. "kernel32.dll.VerifyVersionInfoW",
  1163. "kernel32.dll.GetNativeSystemInfo",
  1164. "kernel32.dll.IsWow64Process",
  1165. "kernel32.dll.GetSystemWow64DirectoryA",
  1166. "advapi32.dll.RegDeleteKeyExA",
  1167. "user32.dll.AnimateWindow",
  1168. "gdi32.dll.GetLayout",
  1169. "gdi32.dll.GdiRealizationInfo",
  1170. "gdi32.dll.FontIsLinked",
  1171. "advapi32.dll.RegOpenKeyExW",
  1172. "advapi32.dll.RegQueryInfoKeyW",
  1173. "gdi32.dll.GetTextFaceAliasW",
  1174. "advapi32.dll.RegEnumValueW",
  1175. "advapi32.dll.RegCloseKey",
  1176. "advapi32.dll.RegQueryValueExW",
  1177. "gdi32.dll.GetFontAssocStatus",
  1178. "advapi32.dll.RegQueryValueExA",
  1179. "advapi32.dll.RegEnumKeyExW",
  1180. "gdi32.dll.GdiIsMetaPrintDC",
  1181. "ole32.dll.CoInitializeEx",
  1182. "ole32.dll.CoUninitialize",
  1183. "ole32.dll.CoRegisterInitializeSpy",
  1184. "ole32.dll.CoRevokeInitializeSpy",
  1185. "comctl32.dll._TrackMouseEvent",
  1186. "msimg32.dll.TransparentBlt",
  1187. "user32.dll.DisableProcessWindowsGhosting",
  1188. "advapi32.dll.CheckTokenMembership",
  1189. "user32.dll.ShutdownBlockReasonDestroy",
  1190. "user32.dll.ShutdownBlockReasonCreate",
  1191. "shfolder.dll.SHGetFolderPathA",
  1192. "rstrtmgr.dll.RmStartSession",
  1193. "rstrtmgr.dll.RmRegisterResources",
  1194. "rstrtmgr.dll.RmGetList",
  1195. "rstrtmgr.dll.RmShutdown",
  1196. "rstrtmgr.dll.RmRestart",
  1197. "rstrtmgr.dll.RmEndSession",
  1198. "bcryptprimitives.dll.GetHashInterface",
  1199. "comctl32.dll.HIMAGELIST_QueryInterface",
  1200. "comctl32.dll.DrawShadowText",
  1201. "comctl32.dll.DrawSizeBox",
  1202. "comctl32.dll.DrawScrollBar",
  1203. "comctl32.dll.SizeBoxHwnd",
  1204. "comctl32.dll.ScrollBar_MouseMove",
  1205. "comctl32.dll.ScrollBar_Menu",
  1206. "comctl32.dll.HandleScrollCmd",
  1207. "comctl32.dll.DetachScrollBars",
  1208. "comctl32.dll.AttachScrollBars",
  1209. "comctl32.dll.CCSetScrollInfo",
  1210. "comctl32.dll.CCGetScrollInfo",
  1211. "comctl32.dll.CCEnableScrollBar",
  1212. "comctl32.dll.QuerySystemGestureStatus",
  1213. "uxtheme.dll.#49",
  1214. "user32.dll.ChangeWindowMessageFilterEx",
  1215. "gdi32.dll.GetTextExtentExPointWPri",
  1216. "imm32.dll.ImmIsIME",
  1217. "imm32.dll.ImmGetContext",
  1218. "imm32.dll.ImmReleaseContext",
  1219. "imm32.dll.ImmAssociateContext",
  1220. "user32.dll.MonitorFromRect",
  1221. "user32.dll.GetMonitorInfoA",
  1222. "shlwapi.dll.SHAutoComplete",
  1223. "ole32.dll.CoCreateInstance",
  1224. "comctl32.dll.#411",
  1225. "comctl32.dll.#410",
  1226. "ole32.dll.CLSIDFromString",
  1227. "comctl32.dll.#413",
  1228. "uxtheme.dll.BufferedPaintInit",
  1229. "uxtheme.dll.BufferedPaintRenderAnimation",
  1230. "uxtheme.dll.GetThemeTransitionDuration",
  1231. "uxtheme.dll.BeginBufferedAnimation",
  1232. "uxtheme.dll.EndBufferedAnimation"
  1233. ]
  1234.  
  1235. [*] Static Analysis: {
  1236. "pe": {
  1237. "peid_signatures": null,
  1238. "imports": [
  1239. {
  1240. "imports": [
  1241. {
  1242. "name": "DeleteCriticalSection",
  1243. "address": "0x40d0b4"
  1244. },
  1245. {
  1246. "name": "LeaveCriticalSection",
  1247. "address": "0x40d0b8"
  1248. },
  1249. {
  1250. "name": "EnterCriticalSection",
  1251. "address": "0x40d0bc"
  1252. },
  1253. {
  1254. "name": "InitializeCriticalSection",
  1255. "address": "0x40d0c0"
  1256. },
  1257. {
  1258. "name": "VirtualFree",
  1259. "address": "0x40d0c4"
  1260. },
  1261. {
  1262. "name": "VirtualAlloc",
  1263. "address": "0x40d0c8"
  1264. },
  1265. {
  1266. "name": "LocalFree",
  1267. "address": "0x40d0cc"
  1268. },
  1269. {
  1270. "name": "LocalAlloc",
  1271. "address": "0x40d0d0"
  1272. },
  1273. {
  1274. "name": "WideCharToMultiByte",
  1275. "address": "0x40d0d4"
  1276. },
  1277. {
  1278. "name": "TlsSetValue",
  1279. "address": "0x40d0d8"
  1280. },
  1281. {
  1282. "name": "TlsGetValue",
  1283. "address": "0x40d0dc"
  1284. },
  1285. {
  1286. "name": "MultiByteToWideChar",
  1287. "address": "0x40d0e0"
  1288. },
  1289. {
  1290. "name": "GetModuleHandleA",
  1291. "address": "0x40d0e4"
  1292. },
  1293. {
  1294. "name": "GetLastError",
  1295. "address": "0x40d0e8"
  1296. },
  1297. {
  1298. "name": "GetCommandLineA",
  1299. "address": "0x40d0ec"
  1300. },
  1301. {
  1302. "name": "WriteFile",
  1303. "address": "0x40d0f0"
  1304. },
  1305. {
  1306. "name": "SetFilePointer",
  1307. "address": "0x40d0f4"
  1308. },
  1309. {
  1310. "name": "SetEndOfFile",
  1311. "address": "0x40d0f8"
  1312. },
  1313. {
  1314. "name": "RtlUnwind",
  1315. "address": "0x40d0fc"
  1316. },
  1317. {
  1318. "name": "ReadFile",
  1319. "address": "0x40d100"
  1320. },
  1321. {
  1322. "name": "RaiseException",
  1323. "address": "0x40d104"
  1324. },
  1325. {
  1326. "name": "GetStdHandle",
  1327. "address": "0x40d108"
  1328. },
  1329. {
  1330. "name": "GetFileSize",
  1331. "address": "0x40d10c"
  1332. },
  1333. {
  1334. "name": "GetSystemTime",
  1335. "address": "0x40d110"
  1336. },
  1337. {
  1338. "name": "GetFileType",
  1339. "address": "0x40d114"
  1340. },
  1341. {
  1342. "name": "ExitProcess",
  1343. "address": "0x40d118"
  1344. },
  1345. {
  1346. "name": "CreateFileA",
  1347. "address": "0x40d11c"
  1348. },
  1349. {
  1350. "name": "CloseHandle",
  1351. "address": "0x40d120"
  1352. }
  1353. ],
  1354. "dll": "kernel32.dll"
  1355. },
  1356. {
  1357. "imports": [
  1358. {
  1359. "name": "MessageBoxA",
  1360. "address": "0x40d128"
  1361. }
  1362. ],
  1363. "dll": "user32.dll"
  1364. },
  1365. {
  1366. "imports": [
  1367. {
  1368. "name": "VariantChangeTypeEx",
  1369. "address": "0x40d130"
  1370. },
  1371. {
  1372. "name": "VariantCopyInd",
  1373. "address": "0x40d134"
  1374. },
  1375. {
  1376. "name": "VariantClear",
  1377. "address": "0x40d138"
  1378. },
  1379. {
  1380. "name": "SysStringLen",
  1381. "address": "0x40d13c"
  1382. },
  1383. {
  1384. "name": "SysAllocStringLen",
  1385. "address": "0x40d140"
  1386. }
  1387. ],
  1388. "dll": "oleaut32.dll"
  1389. },
  1390. {
  1391. "imports": [
  1392. {
  1393. "name": "RegQueryValueExA",
  1394. "address": "0x40d148"
  1395. },
  1396. {
  1397. "name": "RegOpenKeyExA",
  1398. "address": "0x40d14c"
  1399. },
  1400. {
  1401. "name": "RegCloseKey",
  1402. "address": "0x40d150"
  1403. },
  1404. {
  1405. "name": "OpenProcessToken",
  1406. "address": "0x40d154"
  1407. },
  1408. {
  1409. "name": "LookupPrivilegeValueA",
  1410. "address": "0x40d158"
  1411. }
  1412. ],
  1413. "dll": "advapi32.dll"
  1414. },
  1415. {
  1416. "imports": [
  1417. {
  1418. "name": "WriteFile",
  1419. "address": "0x40d160"
  1420. },
  1421. {
  1422. "name": "VirtualQuery",
  1423. "address": "0x40d164"
  1424. },
  1425. {
  1426. "name": "VirtualProtect",
  1427. "address": "0x40d168"
  1428. },
  1429. {
  1430. "name": "VirtualFree",
  1431. "address": "0x40d16c"
  1432. },
  1433. {
  1434. "name": "VirtualAlloc",
  1435. "address": "0x40d170"
  1436. },
  1437. {
  1438. "name": "Sleep",
  1439. "address": "0x40d174"
  1440. },
  1441. {
  1442. "name": "SizeofResource",
  1443. "address": "0x40d178"
  1444. },
  1445. {
  1446. "name": "SetLastError",
  1447. "address": "0x40d17c"
  1448. },
  1449. {
  1450. "name": "SetFilePointer",
  1451. "address": "0x40d180"
  1452. },
  1453. {
  1454. "name": "SetErrorMode",
  1455. "address": "0x40d184"
  1456. },
  1457. {
  1458. "name": "SetEndOfFile",
  1459. "address": "0x40d188"
  1460. },
  1461. {
  1462. "name": "RemoveDirectoryA",
  1463. "address": "0x40d18c"
  1464. },
  1465. {
  1466. "name": "ReadFile",
  1467. "address": "0x40d190"
  1468. },
  1469. {
  1470. "name": "LockResource",
  1471. "address": "0x40d194"
  1472. },
  1473. {
  1474. "name": "LoadResource",
  1475. "address": "0x40d198"
  1476. },
  1477. {
  1478. "name": "LoadLibraryA",
  1479. "address": "0x40d19c"
  1480. },
  1481. {
  1482. "name": "IsDBCSLeadByte",
  1483. "address": "0x40d1a0"
  1484. },
  1485. {
  1486. "name": "GetWindowsDirectoryA",
  1487. "address": "0x40d1a4"
  1488. },
  1489. {
  1490. "name": "GetVersionExA",
  1491. "address": "0x40d1a8"
  1492. },
  1493. {
  1494. "name": "GetUserDefaultLangID",
  1495. "address": "0x40d1ac"
  1496. },
  1497. {
  1498. "name": "GetSystemInfo",
  1499. "address": "0x40d1b0"
  1500. },
  1501. {
  1502. "name": "GetSystemDefaultLCID",
  1503. "address": "0x40d1b4"
  1504. },
  1505. {
  1506. "name": "GetProcAddress",
  1507. "address": "0x40d1b8"
  1508. },
  1509. {
  1510. "name": "GetModuleHandleA",
  1511. "address": "0x40d1bc"
  1512. },
  1513. {
  1514. "name": "GetModuleFileNameA",
  1515. "address": "0x40d1c0"
  1516. },
  1517. {
  1518. "name": "GetLocaleInfoA",
  1519. "address": "0x40d1c4"
  1520. },
  1521. {
  1522. "name": "GetLastError",
  1523. "address": "0x40d1c8"
  1524. },
  1525. {
  1526. "name": "GetFullPathNameA",
  1527. "address": "0x40d1cc"
  1528. },
  1529. {
  1530. "name": "GetFileSize",
  1531. "address": "0x40d1d0"
  1532. },
  1533. {
  1534. "name": "GetFileAttributesA",
  1535. "address": "0x40d1d4"
  1536. },
  1537. {
  1538. "name": "GetExitCodeProcess",
  1539. "address": "0x40d1d8"
  1540. },
  1541. {
  1542. "name": "GetEnvironmentVariableA",
  1543. "address": "0x40d1dc"
  1544. },
  1545. {
  1546. "name": "GetCurrentProcess",
  1547. "address": "0x40d1e0"
  1548. },
  1549. {
  1550. "name": "GetCommandLineA",
  1551. "address": "0x40d1e4"
  1552. },
  1553. {
  1554. "name": "GetACP",
  1555. "address": "0x40d1e8"
  1556. },
  1557. {
  1558. "name": "InterlockedExchange",
  1559. "address": "0x40d1ec"
  1560. },
  1561. {
  1562. "name": "FormatMessageA",
  1563. "address": "0x40d1f0"
  1564. },
  1565. {
  1566. "name": "FindResourceA",
  1567. "address": "0x40d1f4"
  1568. },
  1569. {
  1570. "name": "DeleteFileA",
  1571. "address": "0x40d1f8"
  1572. },
  1573. {
  1574. "name": "CreateProcessA",
  1575. "address": "0x40d1fc"
  1576. },
  1577. {
  1578. "name": "CreateFileA",
  1579. "address": "0x40d200"
  1580. },
  1581. {
  1582. "name": "CreateDirectoryA",
  1583. "address": "0x40d204"
  1584. },
  1585. {
  1586. "name": "CloseHandle",
  1587. "address": "0x40d208"
  1588. }
  1589. ],
  1590. "dll": "kernel32.dll"
  1591. },
  1592. {
  1593. "imports": [
  1594. {
  1595. "name": "TranslateMessage",
  1596. "address": "0x40d210"
  1597. },
  1598. {
  1599. "name": "SetWindowLongA",
  1600. "address": "0x40d214"
  1601. },
  1602. {
  1603. "name": "PeekMessageA",
  1604. "address": "0x40d218"
  1605. },
  1606. {
  1607. "name": "MsgWaitForMultipleObjects",
  1608. "address": "0x40d21c"
  1609. },
  1610. {
  1611. "name": "MessageBoxA",
  1612. "address": "0x40d220"
  1613. },
  1614. {
  1615. "name": "LoadStringA",
  1616. "address": "0x40d224"
  1617. },
  1618. {
  1619. "name": "ExitWindowsEx",
  1620. "address": "0x40d228"
  1621. },
  1622. {
  1623. "name": "DispatchMessageA",
  1624. "address": "0x40d22c"
  1625. },
  1626. {
  1627. "name": "DestroyWindow",
  1628. "address": "0x40d230"
  1629. },
  1630. {
  1631. "name": "CreateWindowExA",
  1632. "address": "0x40d234"
  1633. },
  1634. {
  1635. "name": "CallWindowProcA",
  1636. "address": "0x40d238"
  1637. },
  1638. {
  1639. "name": "CharPrevA",
  1640. "address": "0x40d23c"
  1641. }
  1642. ],
  1643. "dll": "user32.dll"
  1644. },
  1645. {
  1646. "imports": [
  1647. {
  1648. "name": "InitCommonControls",
  1649. "address": "0x40d244"
  1650. }
  1651. ],
  1652. "dll": "comctl32.dll"
  1653. },
  1654. {
  1655. "imports": [
  1656. {
  1657. "name": "AdjustTokenPrivileges",
  1658. "address": "0x40d24c"
  1659. }
  1660. ],
  1661. "dll": "advapi32.dll"
  1662. }
  1663. ],
  1664. "digital_signers": null,
  1665. "exported_dll_name": null,
  1666. "actual_checksum": "0x00119d21",
  1667. "overlay": {
  1668. "size": "0x00100c37",
  1669. "offset": "0x0000d400"
  1670. },
  1671. "imagebase": "0x00400000",
  1672. "reported_checksum": "0x00000000",
  1673. "icon_hash": null,
  1674. "entrypoint": "0x00409c14",
  1675. "timestamp": "1992-06-19 22:22:17",
  1676. "osversion": "1.0",
  1677. "sections": [
  1678. {
  1679. "name": "CODE",
  1680. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1681. "virtual_address": "0x00001000",
  1682. "size_of_data": "0x00009400",
  1683. "entropy": "6.56",
  1684. "raw_address": "0x00000400",
  1685. "virtual_size": "0x00009338",
  1686. "characteristics_raw": "0x60000020"
  1687. },
  1688. {
  1689. "name": "DATA",
  1690. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1691. "virtual_address": "0x0000b000",
  1692. "size_of_data": "0x00000400",
  1693. "entropy": "2.74",
  1694. "raw_address": "0x00009800",
  1695. "virtual_size": "0x0000024c",
  1696. "characteristics_raw": "0xc0000040"
  1697. },
  1698. {
  1699. "name": "BSS",
  1700. "characteristics": "IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1701. "virtual_address": "0x0000c000",
  1702. "size_of_data": "0x00000000",
  1703. "entropy": "0.00",
  1704. "raw_address": "0x00009c00",
  1705. "virtual_size": "0x00000e8c",
  1706. "characteristics_raw": "0xc0000000"
  1707. },
  1708. {
  1709. "name": ".idata",
  1710. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1711. "virtual_address": "0x0000d000",
  1712. "size_of_data": "0x00000a00",
  1713. "entropy": "4.43",
  1714. "raw_address": "0x00009c00",
  1715. "virtual_size": "0x00000950",
  1716. "characteristics_raw": "0xc0000040"
  1717. },
  1718. {
  1719. "name": ".tls",
  1720. "characteristics": "IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1721. "virtual_address": "0x0000e000",
  1722. "size_of_data": "0x00000000",
  1723. "entropy": "0.00",
  1724. "raw_address": "0x0000a600",
  1725. "virtual_size": "0x00000008",
  1726. "characteristics_raw": "0xc0000000"
  1727. },
  1728. {
  1729. "name": ".rdata",
  1730. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ",
  1731. "virtual_address": "0x0000f000",
  1732. "size_of_data": "0x00000200",
  1733. "entropy": "0.20",
  1734. "raw_address": "0x0000a600",
  1735. "virtual_size": "0x00000018",
  1736. "characteristics_raw": "0x50000040"
  1737. },
  1738. {
  1739. "name": ".reloc",
  1740. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ",
  1741. "virtual_address": "0x00010000",
  1742. "size_of_data": "0x00000000",
  1743. "entropy": "0.00",
  1744. "raw_address": "0x0000a800",
  1745. "virtual_size": "0x000008b0",
  1746. "characteristics_raw": "0x50000040"
  1747. },
  1748. {
  1749. "name": ".rsrc",
  1750. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ",
  1751. "virtual_address": "0x00011000",
  1752. "size_of_data": "0x00002c00",
  1753. "entropy": "4.47",
  1754. "raw_address": "0x0000a800",
  1755. "virtual_size": "0x00002c00",
  1756. "characteristics_raw": "0x50000040"
  1757. }
  1758. ],
  1759. "resources": [],
  1760. "dirents": [
  1761. {
  1762. "virtual_address": "0x00000000",
  1763. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1764. "size": "0x00000000"
  1765. },
  1766. {
  1767. "virtual_address": "0x0000d000",
  1768. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1769. "size": "0x00000950"
  1770. },
  1771. {
  1772. "virtual_address": "0x00011000",
  1773. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1774. "size": "0x00002c00"
  1775. },
  1776. {
  1777. "virtual_address": "0x00000000",
  1778. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1779. "size": "0x00000000"
  1780. },
  1781. {
  1782. "virtual_address": "0x00000000",
  1783. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1784. "size": "0x00000000"
  1785. },
  1786. {
  1787. "virtual_address": "0x00000000",
  1788. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1789. "size": "0x00000000"
  1790. },
  1791. {
  1792. "virtual_address": "0x00000000",
  1793. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1794. "size": "0x00000000"
  1795. },
  1796. {
  1797. "virtual_address": "0x00000000",
  1798. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1799. "size": "0x00000000"
  1800. },
  1801. {
  1802. "virtual_address": "0x00000000",
  1803. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1804. "size": "0x00000000"
  1805. },
  1806. {
  1807. "virtual_address": "0x0000f000",
  1808. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1809. "size": "0x00000018"
  1810. },
  1811. {
  1812. "virtual_address": "0x00000000",
  1813. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1814. "size": "0x00000000"
  1815. },
  1816. {
  1817. "virtual_address": "0x00000000",
  1818. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1819. "size": "0x00000000"
  1820. },
  1821. {
  1822. "virtual_address": "0x00000000",
  1823. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1824. "size": "0x00000000"
  1825. },
  1826. {
  1827. "virtual_address": "0x00000000",
  1828. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1829. "size": "0x00000000"
  1830. },
  1831. {
  1832. "virtual_address": "0x00000000",
  1833. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1834. "size": "0x00000000"
  1835. },
  1836. {
  1837. "virtual_address": "0x00000000",
  1838. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1839. "size": "0x00000000"
  1840. }
  1841. ],
  1842. "exports": [],
  1843. "guest_signers": {},
  1844. "imphash": "884310b1928934402ea6fec1dbd3cf5e",
  1845. "icon_fuzzy": null,
  1846. "icon": null,
  1847. "pdbpath": null,
  1848. "imported_dll_count": 8,
  1849. "versioninfo": []
  1850. }
  1851. }