- [*] MalFamily: ""
- [*] MalScore: 3.0
- [*] File Name: "autorunsc.exe"
- [*] File Size: 645680
- [*] File Type: "PE32 executable (console) Intel 80386, for MS Windows"
- [*] SHA256: "fdf3979a74bd65ffcb603a01247dfb5a45557853c0f8ea561d7f5625b5067791"
- [*] MD5: "590e711a1923bd80e44a926e6db3cb6b"
- [*] SHA1: "f20f404f153036c113e3881da099e20f24a5a28e"
- [*] SHA512: "e96f1a4418d37283992be89fcb3c35b563957a50e54bd2ed84508be8aa3b2f82901ce30c44c63395cee33d2639c62a5d129f44c0c1b3320acc39c60c20b50f0d"
- [*] CRC32: "42407478"
- [*] SSDEEP: "12288:pJduItlvuMW05hBJF1/un7bn+iw9weF0LaY8X16z:pLmulF1/W7C4eKLv8Fs"
- [*] Process Execution: [
- "autorunsc.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details": [
- {
- "IP": "66.210.41.16:80"
- }
- ]
- },
- {
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details": [
- {
- "ioc": "https://www.microsoft.com/pki/ssl/cps/WindowsPCA.htm0f"
- }
- ]
- },
- {
- "Description": "Expresses interest in specific running processes",
- "Details": [
- {
- "process": "winlogon.exe"
- }
- ]
- },
- {
- "Description": "Detects VirtualBox through the presence of a file",
- "Details": [
- {
- "file": "C:\\Windows\\sysnative\\VBoxTray.exe"
- }
- ]
- }
- ]
- [*] Started Service: []
- [*] Executed Commands: []
- [*] Mutexes: [
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1"
- ]
- [*] Modified Files: [
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B8CC409ACDBF2A2FE04C56F2875B1FD6",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B8CC409ACDBF2A2FE04C56F2875B1FD6",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Cab29B6.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Tar29B7.tmp",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76"
- ]
- [*] Deleted Files: [
- "C:\\Users\\user\\AppData\\Local\\Temp\\Cab29B6.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Tar29B7.tmp"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Sysinternals\\AutoRuns",
- "HKEY_CURRENT_USER\\Software\\Sysinternals\\AutoRuns\\EulaAccepted",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\qagentrt.dll,-10"
- ]
- [*] Deleted Registry Keys: []
- [*] DNS Communications: []
- [*] Domains: []
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl.microsoft.com",
- "version": "1.1",
- "path": "/pki/crl/products/microsoftrootcert.crl",
- "data": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 07 Mar 2019 06:00:16 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://crl.microsoft.com/pki/crl/products/WinPCA.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl.microsoft.com",
- "version": "1.1",
- "path": "/pki/crl/products/WinPCA.crl",
- "data": "GET /pki/crl/products/WinPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "crl.microsoft.com",
- "version": "1.1",
- "path": "/pki/crl/products/MicrosoftTimeStampPCA.crl",
- "data": "GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Feb 2019 02:02:49 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "VerQueryValueW",
- "address": "0x458340"
- },
- {
- "name": "GetFileVersionInfoW",
- "address": "0x458344"
- },
- {
- "name": "GetFileVersionInfoSizeW",
- "address": "0x458348"
- }
- ],
- "dll": "VERSION.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_ReplaceIcon",
- "address": "0x45809c"
- },
- {
- "name": "ImageList_Add",
- "address": "0x4580a0"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "CryptSIPLoad",
- "address": "0x4580b0"
- },
- {
- "name": "CryptSIPRetrieveSubjectGuidForCatalogFile",
- "address": "0x4580b4"
- },
- {
- "name": "CertDuplicateCertificateContext",
- "address": "0x4580b8"
- },
- {
- "name": "CertGetNameStringW",
- "address": "0x4580bc"
- }
- ],
- "dll": "CRYPT32.dll"
- },
- {
- "imports": [
- {
- "name": "CryptCATAdminCalcHashFromFileHandle",
- "address": "0x458384"
- }
- ],
- "dll": "WINTRUST.dll"
- },
- {
- "imports": [
- {
- "name": "RtlUnwind",
- "address": "0x45838c"
- },
- {
- "name": "NtOpenKey",
- "address": "0x458390"
- },
- {
- "name": "NtCreateKey",
- "address": "0x458394"
- }
- ],
- "dll": "ntdll.dll"
- },
- {
- "imports": [
- {
- "name": "GetFullPathNameW",
- "address": "0x4580ec"
- },
- {
- "name": "IsWow64Process",
- "address": "0x4580f0"
- },
- {
- "name": "CreateToolhelp32Snapshot",
- "address": "0x4580f4"
- },
- {
- "name": "Process32FirstW",
- "address": "0x4580f8"
- },
- {
- "name": "Process32NextW",
- "address": "0x4580fc"
- },
- {
- "name": "GetPrivateProfileStringW",
- "address": "0x458100"
- },
- {
- "name": "FreeLibrary",
- "address": "0x458104"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x458108"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x45810c"
- },
- {
- "name": "DecodePointer",
- "address": "0x458110"
- },
- {
- "name": "HeapAlloc",
- "address": "0x458114"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x458118"
- },
- {
- "name": "HeapFree",
- "address": "0x45811c"
- },
- {
- "name": "HeapSize",
- "address": "0x458120"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x458124"
- },
- {
- "name": "RaiseException",
- "address": "0x458128"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x45812c"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x458130"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x458134"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x458138"
- },
- {
- "name": "SetThreadPriority",
- "address": "0x45813c"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x458140"
- },
- {
- "name": "SetEvent",
- "address": "0x458144"
- },
- {
- "name": "GetSystemWow64DirectoryW",
- "address": "0x458148"
- },
- {
- "name": "WaitForMultipleObjects",
- "address": "0x45814c"
- },
- {
- "name": "CreateEventW",
- "address": "0x458150"
- },
- {
- "name": "CreateThread",
- "address": "0x458154"
- },
- {
- "name": "GetExitCodeThread",
- "address": "0x458158"
- },
- {
- "name": "LCMapStringW",
- "address": "0x45815c"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x458160"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x458164"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x458168"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x45816c"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x458170"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x458174"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x458178"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x45817c"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x458180"
- },
- {
- "name": "TlsFree",
- "address": "0x458184"
- },
- {
- "name": "TerminateProcess",
- "address": "0x458188"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x45818c"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x458190"
- },
- {
- "name": "SetLastError",
- "address": "0x458194"
- },
- {
- "name": "GetCPInfo",
- "address": "0x458198"
- },
- {
- "name": "GetOEMCP",
- "address": "0x45819c"
- },
- {
- "name": "GetACP",
- "address": "0x4581a0"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x4581a4"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x4581a8"
- },
- {
- "name": "SetStdHandle",
- "address": "0x4581ac"
- },
- {
- "name": "SetConsoleMode",
- "address": "0x4581b0"
- },
- {
- "name": "ReadConsoleInputA",
- "address": "0x4581b4"
- },
- {
- "name": "GetSystemWindowsDirectoryW",
- "address": "0x4581b8"
- },
- {
- "name": "ExpandEnvironmentStringsW",
- "address": "0x4581bc"
- },
- {
- "name": "SetEnvironmentVariableW",
- "address": "0x4581c0"
- },
- {
- "name": "TlsSetValue",
- "address": "0x4581c4"
- },
- {
- "name": "ExitProcess",
- "address": "0x4581c8"
- },
- {
- "name": "TlsAlloc",
- "address": "0x4581cc"
- },
- {
- "name": "lstrlenW",
- "address": "0x4581d0"
- },
- {
- "name": "FormatMessageA",
- "address": "0x4581d4"
- },
- {
- "name": "GetFileTime",
- "address": "0x4581d8"
- },
- {
- "name": "WriteFile",
- "address": "0x4581dc"
- },
- {
- "name": "GetFileSize",
- "address": "0x4581e0"
- },
- {
- "name": "InitializeCriticalSection",
- "address": "0x4581e4"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4581e8"
- },
- {
- "name": "ExitThread",
- "address": "0x4581ec"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x4581f0"
- },
- {
- "name": "OpenProcess",
- "address": "0x4581f4"
- },
- {
- "name": "GetLongPathNameW",
- "address": "0x4581f8"
- },
- {
- "name": "GetVersion",
- "address": "0x4581fc"
- },
- {
- "name": "TlsGetValue",
- "address": "0x458200"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x458204"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x458208"
- },
- {
- "name": "GetStdHandle",
- "address": "0x45820c"
- },
- {
- "name": "GetFileType",
- "address": "0x458210"
- },
- {
- "name": "LocalFree",
- "address": "0x458214"
- },
- {
- "name": "LocalAlloc",
- "address": "0x458218"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x45821c"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x458220"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x458224"
- },
- {
- "name": "FormatMessageW",
- "address": "0x458228"
- },
- {
- "name": "FileTimeToSystemTime",
- "address": "0x45822c"
- },
- {
- "name": "FileTimeToLocalFileTime",
- "address": "0x458230"
- },
- {
- "name": "MulDiv",
- "address": "0x458234"
- },
- {
- "name": "ReadFile",
- "address": "0x458238"
- },
- {
- "name": "InterlockedIncrement",
- "address": "0x45823c"
- },
- {
- "name": "FindNextFileW",
- "address": "0x458240"
- },
- {
- "name": "FindFirstFileW",
- "address": "0x458244"
- },
- {
- "name": "GetFileAttributesW",
- "address": "0x458248"
- },
- {
- "name": "CreateFileW",
- "address": "0x45824c"
- },
- {
- "name": "LoadLibraryW",
- "address": "0x458250"
- },
- {
- "name": "FindClose",
- "address": "0x458254"
- },
- {
- "name": "Sleep",
- "address": "0x458258"
- },
- {
- "name": "GetLastError",
- "address": "0x45825c"
- },
- {
- "name": "GetProcAddress",
- "address": "0x458260"
- },
- {
- "name": "InterlockedDecrement",
- "address": "0x458264"
- },
- {
- "name": "CreateFileMappingW",
- "address": "0x458268"
- },
- {
- "name": "UnmapViewOfFile",
- "address": "0x45826c"
- },
- {
- "name": "MapViewOfFile",
- "address": "0x458270"
- },
- {
- "name": "CloseHandle",
- "address": "0x458274"
- },
- {
- "name": "GetFileSizeEx",
- "address": "0x458278"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x45827c"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x458280"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x458284"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x458288"
- },
- {
- "name": "SetEndOfFile",
- "address": "0x45828c"
- },
- {
- "name": "lstrlenA",
- "address": "0x458290"
- },
- {
- "name": "EncodePointer",
- "address": "0x458294"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x458298"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x45829c"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x4582a0"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x4582a4"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x4582a8"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x4582ac"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "DialogBoxIndirectParamW",
- "address": "0x4582f0"
- },
- {
- "name": "MessageBoxW",
- "address": "0x4582f4"
- },
- {
- "name": "GetDlgItem",
- "address": "0x4582f8"
- },
- {
- "name": "SetWindowTextW",
- "address": "0x4582fc"
- },
- {
- "name": "SetCursor",
- "address": "0x458300"
- },
- {
- "name": "EndDialog",
- "address": "0x458304"
- },
- {
- "name": "SendMessageW",
- "address": "0x458308"
- },
- {
- "name": "InflateRect",
- "address": "0x45830c"
- },
- {
- "name": "LoadCursorW",
- "address": "0x458310"
- },
- {
- "name": "GetMenu",
- "address": "0x458314"
- },
- {
- "name": "CheckMenuItem",
- "address": "0x458318"
- },
- {
- "name": "GetSubMenu",
- "address": "0x45831c"
- },
- {
- "name": "DeleteMenu",
- "address": "0x458320"
- },
- {
- "name": "GetSysColorBrush",
- "address": "0x458324"
- },
- {
- "name": "PostMessageW",
- "address": "0x458328"
- },
- {
- "name": "LoadStringW",
- "address": "0x45832c"
- },
- {
- "name": "DestroyIcon",
- "address": "0x458330"
- },
- {
- "name": "LoadIconW",
- "address": "0x458334"
- },
- {
- "name": "InsertMenuW",
- "address": "0x458338"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "DeleteObject",
- "address": "0x4580c4"
- },
- {
- "name": "EndPage",
- "address": "0x4580c8"
- },
- {
- "name": "StartPage",
- "address": "0x4580cc"
- },
- {
- "name": "StartDocW",
- "address": "0x4580d0"
- },
- {
- "name": "SetMapMode",
- "address": "0x4580d4"
- },
- {
- "name": "GetDeviceCaps",
- "address": "0x4580d8"
- },
- {
- "name": "DeleteDC",
- "address": "0x4580dc"
- },
- {
- "name": "CreateCompatibleDC",
- "address": "0x4580e0"
- },
- {
- "name": "EndDoc",
- "address": "0x4580e4"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "PrintDlgW",
- "address": "0x4580a8"
- }
- ],
- "dll": "COMDLG32.dll"
- },
- {
- "imports": [
- {
- "name": "QueryServiceConfig2W",
- "address": "0x458000"
- },
- {
- "name": "GetServiceDisplayNameW",
- "address": "0x458004"
- },
- {
- "name": "RegQueryValueW",
- "address": "0x458008"
- },
- {
- "name": "CryptAcquireContextW",
- "address": "0x45800c"
- },
- {
- "name": "CryptReleaseContext",
- "address": "0x458010"
- },
- {
- "name": "CryptGetHashParam",
- "address": "0x458014"
- },
- {
- "name": "CryptCreateHash",
- "address": "0x458018"
- },
- {
- "name": "CryptHashData",
- "address": "0x45801c"
- },
- {
- "name": "CryptDestroyHash",
- "address": "0x458020"
- },
- {
- "name": "RegCloseKey",
- "address": "0x458024"
- },
- {
- "name": "RegOpenKeyExW",
- "address": "0x458028"
- },
- {
- "name": "RegQueryValueExW",
- "address": "0x45802c"
- },
- {
- "name": "CloseServiceHandle",
- "address": "0x458030"
- },
- {
- "name": "RegUnLoadKeyW",
- "address": "0x458034"
- },
- {
- "name": "RegQueryInfoKeyW",
- "address": "0x458038"
- },
- {
- "name": "RegLoadKeyW",
- "address": "0x45803c"
- },
- {
- "name": "RegEnumValueW",
- "address": "0x458040"
- },
- {
- "name": "RegEnumKeyW",
- "address": "0x458044"
- },
- {
- "name": "RegDeleteKeyW",
- "address": "0x458048"
- },
- {
- "name": "DuplicateTokenEx",
- "address": "0x45804c"
- },
- {
- "name": "ImpersonateLoggedOnUser",
- "address": "0x458050"
- },
- {
- "name": "LookupPrivilegeValueW",
- "address": "0x458054"
- },
- {
- "name": "LookupAccountNameW",
- "address": "0x458058"
- },
- {
- "name": "LookupAccountSidW",
- "address": "0x45805c"
- },
- {
- "name": "FreeSid",
- "address": "0x458060"
- },
- {
- "name": "AllocateAndInitializeSid",
- "address": "0x458064"
- },
- {
- "name": "EqualSid",
- "address": "0x458068"
- },
- {
- "name": "AdjustTokenPrivileges",
- "address": "0x45806c"
- },
- {
- "name": "GetTokenInformation",
- "address": "0x458070"
- },
- {
- "name": "OpenProcessToken",
- "address": "0x458074"
- },
- {
- "name": "RevertToSelf",
- "address": "0x458078"
- },
- {
- "name": "RegOpenKeyW",
- "address": "0x45807c"
- },
- {
- "name": "RegCreateKeyW",
- "address": "0x458080"
- },
- {
- "name": "RegSetValueExW",
- "address": "0x458084"
- },
- {
- "name": "RegDeleteValueW",
- "address": "0x458088"
- },
- {
- "name": "RegCreateKeyExW",
- "address": "0x45808c"
- },
- {
- "name": "OpenServiceW",
- "address": "0x458090"
- },
- {
- "name": "OpenSCManagerW",
- "address": "0x458094"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ShellExecuteW",
- "address": "0x4582d4"
- },
- {
- "name": "SHGetFileInfoW",
- "address": "0x4582d8"
- },
- {
- "name": "SHGetFolderPathW",
- "address": "0x4582dc"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "CoUninitialize",
- "address": "0x45839c"
- },
- {
- "name": "CoCreateInstance",
- "address": "0x4583a0"
- },
- {
- "name": "CoInitializeEx",
- "address": "0x4583a4"
- },
- {
- "name": "CoTaskMemFree",
- "address": "0x4583a8"
- },
- {
- "name": "CoMarshalInterThreadInterfaceInStream",
- "address": "0x4583ac"
- },
- {
- "name": "CoGetInterfaceAndReleaseStream",
- "address": "0x4583b0"
- }
- ],
- "dll": "ole32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantChangeType",
- "address": "0x4582b4"
- },
- {
- "name": "VariantInit",
- "address": "0x4582b8"
- },
- {
- "name": "SysAllocString",
- "address": "0x4582bc"
- },
- {
- "name": "SysFreeString",
- "address": "0x4582c0"
- },
- {
- "name": "VariantClear",
- "address": "0x4582c4"
- },
- {
- "name": "SysStringLen",
- "address": "0x4582c8"
- },
- {
- "name": "SysAllocStringByteLen",
- "address": "0x4582cc"
- }
- ],
- "dll": "OLEAUT32.dll"
- },
- {
- "imports": [
- {
- "name": "UrlUnescapeW",
- "address": "0x4582e4"
- },
- {
- "name": null,
- "address": "0x4582e8"
- }
- ],
- "dll": "SHLWAPI.dll"
- },
- {
- "imports": [
- {
- "name": "WinHttpReadData",
- "address": "0x458350"
- },
- {
- "name": "WinHttpOpen",
- "address": "0x458354"
- },
- {
- "name": "WinHttpCloseHandle",
- "address": "0x458358"
- },
- {
- "name": "WinHttpConnect",
- "address": "0x45835c"
- },
- {
- "name": "WinHttpGetProxyForUrl",
- "address": "0x458360"
- },
- {
- "name": "WinHttpQueryHeaders",
- "address": "0x458364"
- },
- {
- "name": "WinHttpReceiveResponse",
- "address": "0x458368"
- },
- {
- "name": "WinHttpSendRequest",
- "address": "0x45836c"
- },
- {
- "name": "WinHttpOpenRequest",
- "address": "0x458370"
- },
- {
- "name": "WinHttpSetOption",
- "address": "0x458374"
- },
- {
- "name": "WinHttpQueryDataAvailable",
- "address": "0x458378"
- },
- {
- "name": "WinHttpWriteData",
- "address": "0x45837c"
- }
- ],
- "dll": "WINHTTP.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000a76d3",
- "overlay": {
- "size": "0x00003e30",
- "offset": "0x00099c00"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x000a76d3",
- "icon_hash": null,
- "entrypoint": "0x004408dd",
- "timestamp": "2019-02-18 21:14:31",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00056200",
- "entropy": "6.41",
- "raw_address": "0x00000400",
- "virtual_size": "0x00056116",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00058000",
- "size_of_data": "0x0001fc00",
- "entropy": "4.62",
- "raw_address": "0x00056600",
- "virtual_size": "0x0001fa98",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00078000",
- "size_of_data": "0x00003c00",
- "entropy": "2.44",
- "raw_address": "0x00076200",
- "virtual_size": "0x00007668",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00080000",
- "size_of_data": "0x0001a400",
- "entropy": "4.82",
- "raw_address": "0x00079e00",
- "virtual_size": "0x0001a3a8",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0009b000",
- "size_of_data": "0x00005a00",
- "entropy": "6.70",
- "raw_address": "0x00094200",
- "virtual_size": "0x000059f8",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0007653c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000140"
- },
- {
- "virtual_address": "0x00080000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x0001a3a8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00099c00",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00003e30"
- },
- {
- "virtual_address": "0x0009b000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x000059f8"
- },
- {
- "virtual_address": "0x00058480",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000707a0",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00058000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000003b8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "3beeae58675be450ff0da1b20500c997",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\agent\\_work\\3\\s\\Win32\\Release Console\\autorunsc.pdb",
- "imported_dll_count": 15,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsFree",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.SetThreadStackGuarantee",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.GetLogicalProcessorInformation",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.EnumSystemLocalesEx",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetDateFormatEx",
- "kernel32.dll.GetLocaleInfoEx",
- "kernel32.dll.GetTimeFormatEx",
- "kernel32.dll.GetUserDefaultLocaleName",
- "kernel32.dll.IsValidLocaleName",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "comctl32.dll.RegisterClassNameW",
- "uxtheme.dll.EnableThemeDialogTexture",
- "uxtheme.dll.OpenThemeData",
- "uxtheme.dll.GetThemeBool",
- "comctl32.dll.HIMAGELIST_QueryInterface",
- "comctl32.dll.DrawShadowText",
- "comctl32.dll.DrawSizeBox",
- "comctl32.dll.DrawScrollBar",
- "comctl32.dll.SizeBoxHwnd",
- "comctl32.dll.ScrollBar_MouseMove",
- "comctl32.dll.ScrollBar_Menu",
- "comctl32.dll.HandleScrollCmd",
- "comctl32.dll.DetachScrollBars",
- "comctl32.dll.AttachScrollBars",
- "comctl32.dll.CCSetScrollInfo",
- "comctl32.dll.CCGetScrollInfo",
- "comctl32.dll.CCEnableScrollBar",
- "comctl32.dll.QuerySystemGestureStatus",
- "uxtheme.dll.#49",
- "uxtheme.dll.CloseThemeData",
- "gdi32.dll.GetLayout",
- "gdi32.dll.GdiRealizationInfo",
- "gdi32.dll.FontIsLinked",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegQueryInfoKeyW",
- "gdi32.dll.GetTextFaceAliasW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegCloseKey",
- "advapi32.dll.RegQueryValueExW",
- "gdi32.dll.GetFontAssocStatus",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegEnumKeyExW",
- "gdi32.dll.GdiIsMetaPrintDC",
- "ole32.dll.CoInitializeEx",
- "ole32.dll.CoUninitialize",
- "cryptbase.dll.SystemFunction036",
- "ole32.dll.CoRegisterInitializeSpy",
- "ole32.dll.CoRevokeInitializeSpy",
- "uxtheme.dll.BufferedPaintInit",
- "uxtheme.dll.BufferedPaintRenderAnimation",
- "uxtheme.dll.GetThemeTransitionDuration",
- "uxtheme.dll.BeginBufferedAnimation",
- "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
- "uxtheme.dll.DrawThemeParentBackground",
- "uxtheme.dll.DrawThemeBackground",
- "uxtheme.dll.GetThemeBackgroundContentRect",
- "uxtheme.dll.DrawThemeText",
- "uxtheme.dll.EndBufferedAnimation",
- "uxtheme.dll.GetThemePartSize",
- "oleaut32.dll.#500",
- "uxtheme.dll.BufferedPaintStopAllAnimations",
- "uxtheme.dll.BufferedPaintUnInit",
- "wintrust.dll.WinVerifyTrust",
- "wintrust.dll.WTHelperGetProvSignerFromChain",
- "wintrust.dll.WTHelperProvDataFromStateData",
- "wintrust.dll.CryptCATAdminReleaseContext",
- "wintrust.dll.CryptCATAdminReleaseCatalogContext",
- "wintrust.dll.CryptCATCatalogInfoFromContext",
- "wintrust.dll.CryptCATAdminEnumCatalogFromHash",
- "wintrust.dll.CryptCATAdminCalcHashFromFileHandle",
- "wintrust.dll.CryptCATAdminAcquireContext",
- "wintrust.dll.CryptCATAdminAddCatalog",
- "wintrust.dll.CryptCATAdminRemoveCatalog",
- "wintrust.dll.IsCatalogFile",
- "crypt32.dll.CertNameToStrW",
- "kernel32.dll.Wow64EnableWow64FsRedirection",
- "kernel32.dll.Wow64DisableWow64FsRedirection",
- "kernel32.dll.Wow64RevertWow64FsRedirection",
- "advapi32.dll.RegDeleteKeyExW",
- "sechost.dll.LookupAccountNameLocalW",
- "ntdll.dll.RtlNtStatusToDosError",
- "sechost.dll.LookupAccountSidLocalW",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "comctl32.dll.#332",
- "comctl32.dll.#386",
- "wintrust.dll.WintrustCertificateTrust",
- "wintrust.dll.SoftpubAuthenticode",
- "wintrust.dll.SoftpubInitialize",
- "wintrust.dll.SoftpubLoadMessage",
- "wintrust.dll.SoftpubLoadSignature",
- "wintrust.dll.SoftpubCheckCert",
- "wintrust.dll.SoftpubCleanup",
- "cryptsp.dll.CryptAcquireContextA",
- "wintrust.dll.CryptSIPPutSignedDataMsg",
- "wintrust.dll.CryptSIPGetSignedDataMsg",
- "imagehlp.dll.ImageGetCertificateData",
- "user32.dll.LoadStringW",
- "wintrust.dll.CryptSIPCreateIndirectData",
- "wintrust.dll.WVTAsn1SpcPeImageDataEncode",
- "bcrypt.dll.BCryptOpenAlgorithmProvider",
- "bcryptprimitives.dll.GetHashInterface",
- "bcrypt.dll.BCryptGetProperty",
- "bcrypt.dll.BCryptCreateHash",
- "bcrypt.dll.BCryptHashData",
- "bcrypt.dll.BCryptFinishHash",
- "bcrypt.dll.BCryptDestroyHash",
- "bcrypt.dll.BCryptCloseAlgorithmProvider",
- "sechost.dll.ConvertStringSidToSidW",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.QueryServiceConfigA",
- "sechost.dll.QueryServiceStatus",
- "sechost.dll.CloseServiceHandle",
- "advapi32.dll.LookupAccountSidW",
- "ncrypt.dll.BCryptOpenAlgorithmProvider",
- "ncrypt.dll.BCryptGetProperty",
- "ncrypt.dll.BCryptCreateHash",
- "ncrypt.dll.BCryptHashData",
- "ncrypt.dll.BCryptFinishHash",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptSetHashParam",
- "cryptsp.dll.CryptVerifySignatureA",
- "cryptsp.dll.CryptDestroyKey",
- "cryptsp.dll.CryptDestroyHash",
- "ncrypt.dll.BCryptDestroyHash",
- "userenv.dll.GetUserProfileDirectoryW",
- "sechost.dll.ConvertSidToStringSidW",
- "userenv.dll.RegisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "sechost.dll.QueryServiceConfigW",
- "cryptsp.dll.CryptHashData",
- "cryptnet.dll.CertDllVerifyRevocation",
- "sensapi.dll.IsNetworkAlive",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.NdrClientCall2",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpCrackUrl",
- "shlwapi.dll.StrCmpNW",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "winhttp.dll.WinHttpTimeFromSystemTime",
- "winhttp.dll.WinHttpSendRequest",
- "ws2_32.dll.GetAddrInfoW",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#2",
- "ws2_32.dll.#21",
- "ws2_32.dll.#9",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.#6",
- "ws2_32.dll.#5",
- "ws2_32.dll.WSARecv",
- "ws2_32.dll.WSASend",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpQueryHeaders",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpReadData",
- "winhttp.dll.WinHttpCloseHandle",
- "rpcrt4.dll.RpcBindingFree",
- "cryptnet.dll.I_CryptNetGetConnectivity",
- "cryptnet.dll.CryptRetrieveObjectByUrlW",
- "setupapi.dll.SetupIterateCabinetW",
- "kernel32.dll.RegOpenKeyExW",
- "kernel32.dll.RegCloseKey",
- "cabinet.dll.#20",
- "cabinet.dll.#22",
- "devrtl.dll.DevRtlGetThreadLogToken",
- "rpcrt4.dll.RpcStringBindingComposeA",
- "rpcrt4.dll.RpcBindingFromStringBindingA",
- "rpcrt4.dll.RpcEpResolveBinding",
- "rpcrt4.dll.RpcStringFreeA",
- "advapi32.dll.SaferiSearchMatchingHashRules",
- "cryptsp.dll.CryptReleaseContext",
- "advapi32.dll.UnregisterTraceGuids"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "VerQueryValueW",
- "address": "0x458340"
- },
- {
- "name": "GetFileVersionInfoW",
- "address": "0x458344"
- },
- {
- "name": "GetFileVersionInfoSizeW",
- "address": "0x458348"
- }
- ],
- "dll": "VERSION.dll"
- },
- {
- "imports": [
- {
- "name": "ImageList_ReplaceIcon",
- "address": "0x45809c"
- },
- {
- "name": "ImageList_Add",
- "address": "0x4580a0"
- }
- ],
- "dll": "COMCTL32.dll"
- },
- {
- "imports": [
- {
- "name": "CryptSIPLoad",
- "address": "0x4580b0"
- },
- {
- "name": "CryptSIPRetrieveSubjectGuidForCatalogFile",
- "address": "0x4580b4"
- },
- {
- "name": "CertDuplicateCertificateContext",
- "address": "0x4580b8"
- },
- {
- "name": "CertGetNameStringW",
- "address": "0x4580bc"
- }
- ],
- "dll": "CRYPT32.dll"
- },
- {
- "imports": [
- {
- "name": "CryptCATAdminCalcHashFromFileHandle",
- "address": "0x458384"
- }
- ],
- "dll": "WINTRUST.dll"
- },
- {
- "imports": [
- {
- "name": "RtlUnwind",
- "address": "0x45838c"
- },
- {
- "name": "NtOpenKey",
- "address": "0x458390"
- },
- {
- "name": "NtCreateKey",
- "address": "0x458394"
- }
- ],
- "dll": "ntdll.dll"
- },
- {
- "imports": [
- {
- "name": "GetFullPathNameW",
- "address": "0x4580ec"
- },
- {
- "name": "IsWow64Process",
- "address": "0x4580f0"
- },
- {
- "name": "CreateToolhelp32Snapshot",
- "address": "0x4580f4"
- },
- {
- "name": "Process32FirstW",
- "address": "0x4580f8"
- },
- {
- "name": "Process32NextW",
- "address": "0x4580fc"
- },
- {
- "name": "GetPrivateProfileStringW",
- "address": "0x458100"
- },
- {
- "name": "FreeLibrary",
- "address": "0x458104"
- },
- {
- "name": "LoadLibraryExW",
- "address": "0x458108"
- },
- {
- "name": "MultiByteToWideChar",
- "address": "0x45810c"
- },
- {
- "name": "DecodePointer",
- "address": "0x458110"
- },
- {
- "name": "HeapAlloc",
- "address": "0x458114"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x458118"
- },
- {
- "name": "HeapFree",
- "address": "0x45811c"
- },
- {
- "name": "HeapSize",
- "address": "0x458120"
- },
- {
- "name": "GetProcessHeap",
- "address": "0x458124"
- },
- {
- "name": "RaiseException",
- "address": "0x458128"
- },
- {
- "name": "InitializeCriticalSectionAndSpinCount",
- "address": "0x45812c"
- },
- {
- "name": "DeleteCriticalSection",
- "address": "0x458130"
- },
- {
- "name": "LeaveCriticalSection",
- "address": "0x458134"
- },
- {
- "name": "GetCurrentThread",
- "address": "0x458138"
- },
- {
- "name": "SetThreadPriority",
- "address": "0x45813c"
- },
- {
- "name": "EnterCriticalSection",
- "address": "0x458140"
- },
- {
- "name": "SetEvent",
- "address": "0x458144"
- },
- {
- "name": "GetSystemWow64DirectoryW",
- "address": "0x458148"
- },
- {
- "name": "WaitForMultipleObjects",
- "address": "0x45814c"
- },
- {
- "name": "CreateEventW",
- "address": "0x458150"
- },
- {
- "name": "CreateThread",
- "address": "0x458154"
- },
- {
- "name": "GetExitCodeThread",
- "address": "0x458158"
- },
- {
- "name": "LCMapStringW",
- "address": "0x45815c"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x458160"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x458164"
- },
- {
- "name": "GetSystemTimeAsFileTime",
- "address": "0x458168"
- },
- {
- "name": "GetCurrentProcessId",
- "address": "0x45816c"
- },
- {
- "name": "QueryPerformanceCounter",
- "address": "0x458170"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x458174"
- },
- {
- "name": "GetConsoleCP",
- "address": "0x458178"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x45817c"
- },
- {
- "name": "GetStartupInfoW",
- "address": "0x458180"
- },
- {
- "name": "TlsFree",
- "address": "0x458184"
- },
- {
- "name": "TerminateProcess",
- "address": "0x458188"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x45818c"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x458190"
- },
- {
- "name": "SetLastError",
- "address": "0x458194"
- },
- {
- "name": "GetCPInfo",
- "address": "0x458198"
- },
- {
- "name": "GetOEMCP",
- "address": "0x45819c"
- },
- {
- "name": "GetACP",
- "address": "0x4581a0"
- },
- {
- "name": "IsValidCodePage",
- "address": "0x4581a4"
- },
- {
- "name": "GetCurrentThreadId",
- "address": "0x4581a8"
- },
- {
- "name": "SetStdHandle",
- "address": "0x4581ac"
- },
- {
- "name": "SetConsoleMode",
- "address": "0x4581b0"
- },
- {
- "name": "ReadConsoleInputA",
- "address": "0x4581b4"
- },
- {
- "name": "GetSystemWindowsDirectoryW",
- "address": "0x4581b8"
- },
- {
- "name": "ExpandEnvironmentStringsW",
- "address": "0x4581bc"
- },
- {
- "name": "SetEnvironmentVariableW",
- "address": "0x4581c0"
- },
- {
- "name": "TlsSetValue",
- "address": "0x4581c4"
- },
- {
- "name": "ExitProcess",
- "address": "0x4581c8"
- },
- {
- "name": "TlsAlloc",
- "address": "0x4581cc"
- },
- {
- "name": "lstrlenW",
- "address": "0x4581d0"
- },
- {
- "name": "FormatMessageA",
- "address": "0x4581d4"
- },
- {
- "name": "GetFileTime",
- "address": "0x4581d8"
- },
- {
- "name": "WriteFile",
- "address": "0x4581dc"
- },
- {
- "name": "GetFileSize",
- "address": "0x4581e0"
- },
- {
- "name": "InitializeCriticalSection",
- "address": "0x4581e4"
- },
- {
- "name": "SetErrorMode",
- "address": "0x4581e8"
- },
- {
- "name": "ExitThread",
- "address": "0x4581ec"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x4581f0"
- },
- {
- "name": "OpenProcess",
- "address": "0x4581f4"
- },
- {
- "name": "GetLongPathNameW",
- "address": "0x4581f8"
- },
- {
- "name": "GetVersion",
- "address": "0x4581fc"
- },
- {
- "name": "TlsGetValue",
- "address": "0x458200"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x458204"
- },
- {
- "name": "GetCommandLineW",
- "address": "0x458208"
- },
- {
- "name": "GetStdHandle",
- "address": "0x45820c"
- },
- {
- "name": "GetFileType",
- "address": "0x458210"
- },
- {
- "name": "LocalFree",
- "address": "0x458214"
- },
- {
- "name": "LocalAlloc",
- "address": "0x458218"
- },
- {
- "name": "GetDateFormatW",
- "address": "0x45821c"
- },
- {
- "name": "GetTimeFormatW",
- "address": "0x458220"
- },
- {
- "name": "GetModuleHandleW",
- "address": "0x458224"
- },
- {
- "name": "FormatMessageW",
- "address": "0x458228"
- },
- {
- "name": "FileTimeToSystemTime",
- "address": "0x45822c"
- },
- {
- "name": "FileTimeToLocalFileTime",
- "address": "0x458230"
- },
- {
- "name": "MulDiv",
- "address": "0x458234"
- },
- {
- "name": "ReadFile",
- "address": "0x458238"
- },
- {
- "name": "InterlockedIncrement",
- "address": "0x45823c"
- },
- {
- "name": "FindNextFileW",
- "address": "0x458240"
- },
- {
- "name": "FindFirstFileW",
- "address": "0x458244"
- },
- {
- "name": "GetFileAttributesW",
- "address": "0x458248"
- },
- {
- "name": "CreateFileW",
- "address": "0x45824c"
- },
- {
- "name": "LoadLibraryW",
- "address": "0x458250"
- },
- {
- "name": "FindClose",
- "address": "0x458254"
- },
- {
- "name": "Sleep",
- "address": "0x458258"
- },
- {
- "name": "GetLastError",
- "address": "0x45825c"
- },
- {
- "name": "GetProcAddress",
- "address": "0x458260"
- },
- {
- "name": "InterlockedDecrement",
- "address": "0x458264"
- },
- {
- "name": "CreateFileMappingW",
- "address": "0x458268"
- },
- {
- "name": "UnmapViewOfFile",
- "address": "0x45826c"
- },
- {
- "name": "MapViewOfFile",
- "address": "0x458270"
- },
- {
- "name": "CloseHandle",
- "address": "0x458274"
- },
- {
- "name": "GetFileSizeEx",
- "address": "0x458278"
- },
- {
- "name": "SetFilePointerEx",
- "address": "0x45827c"
- },
- {
- "name": "OutputDebugStringW",
- "address": "0x458280"
- },
- {
- "name": "WriteConsoleW",
- "address": "0x458284"
- },
- {
- "name": "ReadConsoleW",
- "address": "0x458288"
- },
- {
- "name": "SetEndOfFile",
- "address": "0x45828c"
- },
- {
- "name": "lstrlenA",
- "address": "0x458290"
- },
- {
- "name": "EncodePointer",
- "address": "0x458294"
- },
- {
- "name": "IsProcessorFeaturePresent",
- "address": "0x458298"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x45829c"
- },
- {
- "name": "GetConsoleMode",
- "address": "0x4582a0"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x4582a4"
- },
- {
- "name": "GetModuleHandleExW",
- "address": "0x4582a8"
- },
- {
- "name": "IsDebuggerPresent",
- "address": "0x4582ac"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "DialogBoxIndirectParamW",
- "address": "0x4582f0"
- },
- {
- "name": "MessageBoxW",
- "address": "0x4582f4"
- },
- {
- "name": "GetDlgItem",
- "address": "0x4582f8"
- },
- {
- "name": "SetWindowTextW",
- "address": "0x4582fc"
- },
- {
- "name": "SetCursor",
- "address": "0x458300"
- },
- {
- "name": "EndDialog",
- "address": "0x458304"
- },
- {
- "name": "SendMessageW",
- "address": "0x458308"
- },
- {
- "name": "InflateRect",
- "address": "0x45830c"
- },
- {
- "name": "LoadCursorW",
- "address": "0x458310"
- },
- {
- "name": "GetMenu",
- "address": "0x458314"
- },
- {
- "name": "CheckMenuItem",
- "address": "0x458318"
- },
- {
- "name": "GetSubMenu",
- "address": "0x45831c"
- },
- {
- "name": "DeleteMenu",
- "address": "0x458320"
- },
- {
- "name": "GetSysColorBrush",
- "address": "0x458324"
- },
- {
- "name": "PostMessageW",
- "address": "0x458328"
- },
- {
- "name": "LoadStringW",
- "address": "0x45832c"
- },
- {
- "name": "DestroyIcon",
- "address": "0x458330"
- },
- {
- "name": "LoadIconW",
- "address": "0x458334"
- },
- {
- "name": "InsertMenuW",
- "address": "0x458338"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "DeleteObject",
- "address": "0x4580c4"
- },
- {
- "name": "EndPage",
- "address": "0x4580c8"
- },
- {
- "name": "StartPage",
- "address": "0x4580cc"
- },
- {
- "name": "StartDocW",
- "address": "0x4580d0"
- },
- {
- "name": "SetMapMode",
- "address": "0x4580d4"
- },
- {
- "name": "GetDeviceCaps",
- "address": "0x4580d8"
- },
- {
- "name": "DeleteDC",
- "address": "0x4580dc"
- },
- {
- "name": "CreateCompatibleDC",
- "address": "0x4580e0"
- },
- {
- "name": "EndDoc",
- "address": "0x4580e4"
- }
- ],
- "dll": "GDI32.dll"
- },
- {
- "imports": [
- {
- "name": "PrintDlgW",
- "address": "0x4580a8"
- }
- ],
- "dll": "COMDLG32.dll"
- },
- {
- "imports": [
- {
- "name": "QueryServiceConfig2W",
- "address": "0x458000"
- },
- {
- "name": "GetServiceDisplayNameW",
- "address": "0x458004"
- },
- {
- "name": "RegQueryValueW",
- "address": "0x458008"
- },
- {
- "name": "CryptAcquireContextW",
- "address": "0x45800c"
- },
- {
- "name": "CryptReleaseContext",
- "address": "0x458010"
- },
- {
- "name": "CryptGetHashParam",
- "address": "0x458014"
- },
- {
- "name": "CryptCreateHash",
- "address": "0x458018"
- },
- {
- "name": "CryptHashData",
- "address": "0x45801c"
- },
- {
- "name": "CryptDestroyHash",
- "address": "0x458020"
- },
- {
- "name": "RegCloseKey",
- "address": "0x458024"
- },
- {
- "name": "RegOpenKeyExW",
- "address": "0x458028"
- },
- {
- "name": "RegQueryValueExW",
- "address": "0x45802c"
- },
- {
- "name": "CloseServiceHandle",
- "address": "0x458030"
- },
- {
- "name": "RegUnLoadKeyW",
- "address": "0x458034"
- },
- {
- "name": "RegQueryInfoKeyW",
- "address": "0x458038"
- },
- {
- "name": "RegLoadKeyW",
- "address": "0x45803c"
- },
- {
- "name": "RegEnumValueW",
- "address": "0x458040"
- },
- {
- "name": "RegEnumKeyW",
- "address": "0x458044"
- },
- {
- "name": "RegDeleteKeyW",
- "address": "0x458048"
- },
- {
- "name": "DuplicateTokenEx",
- "address": "0x45804c"
- },
- {
- "name": "ImpersonateLoggedOnUser",
- "address": "0x458050"
- },
- {
- "name": "LookupPrivilegeValueW",
- "address": "0x458054"
- },
- {
- "name": "LookupAccountNameW",
- "address": "0x458058"
- },
- {
- "name": "LookupAccountSidW",
- "address": "0x45805c"
- },
- {
- "name": "FreeSid",
- "address": "0x458060"
- },
- {
- "name": "AllocateAndInitializeSid",
- "address": "0x458064"
- },
- {
- "name": "EqualSid",
- "address": "0x458068"
- },
- {
- "name": "AdjustTokenPrivileges",
- "address": "0x45806c"
- },
- {
- "name": "GetTokenInformation",
- "address": "0x458070"
- },
- {
- "name": "OpenProcessToken",
- "address": "0x458074"
- },
- {
- "name": "RevertToSelf",
- "address": "0x458078"
- },
- {
- "name": "RegOpenKeyW",
- "address": "0x45807c"
- },
- {
- "name": "RegCreateKeyW",
- "address": "0x458080"
- },
- {
- "name": "RegSetValueExW",
- "address": "0x458084"
- },
- {
- "name": "RegDeleteValueW",
- "address": "0x458088"
- },
- {
- "name": "RegCreateKeyExW",
- "address": "0x45808c"
- },
- {
- "name": "OpenServiceW",
- "address": "0x458090"
- },
- {
- "name": "OpenSCManagerW",
- "address": "0x458094"
- }
- ],
- "dll": "ADVAPI32.dll"
- },
- {
- "imports": [
- {
- "name": "ShellExecuteW",
- "address": "0x4582d4"
- },
- {
- "name": "SHGetFileInfoW",
- "address": "0x4582d8"
- },
- {
- "name": "SHGetFolderPathW",
- "address": "0x4582dc"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "CoUninitialize",
- "address": "0x45839c"
- },
- {
- "name": "CoCreateInstance",
- "address": "0x4583a0"
- },
- {
- "name": "CoInitializeEx",
- "address": "0x4583a4"
- },
- {
- "name": "CoTaskMemFree",
- "address": "0x4583a8"
- },
- {
- "name": "CoMarshalInterThreadInterfaceInStream",
- "address": "0x4583ac"
- },
- {
- "name": "CoGetInterfaceAndReleaseStream",
- "address": "0x4583b0"
- }
- ],
- "dll": "ole32.dll"
- },
- {
- "imports": [
- {
- "name": "VariantChangeType",
- "address": "0x4582b4"
- },
- {
- "name": "VariantInit",
- "address": "0x4582b8"
- },
- {
- "name": "SysAllocString",
- "address": "0x4582bc"
- },
- {
- "name": "SysFreeString",
- "address": "0x4582c0"
- },
- {
- "name": "VariantClear",
- "address": "0x4582c4"
- },
- {
- "name": "SysStringLen",
- "address": "0x4582c8"
- },
- {
- "name": "SysAllocStringByteLen",
- "address": "0x4582cc"
- }
- ],
- "dll": "OLEAUT32.dll"
- },
- {
- "imports": [
- {
- "name": "UrlUnescapeW",
- "address": "0x4582e4"
- },
- {
- "name": null,
- "address": "0x4582e8"
- }
- ],
- "dll": "SHLWAPI.dll"
- },
- {
- "imports": [
- {
- "name": "WinHttpReadData",
- "address": "0x458350"
- },
- {
- "name": "WinHttpOpen",
- "address": "0x458354"
- },
- {
- "name": "WinHttpCloseHandle",
- "address": "0x458358"
- },
- {
- "name": "WinHttpConnect",
- "address": "0x45835c"
- },
- {
- "name": "WinHttpGetProxyForUrl",
- "address": "0x458360"
- },
- {
- "name": "WinHttpQueryHeaders",
- "address": "0x458364"
- },
- {
- "name": "WinHttpReceiveResponse",
- "address": "0x458368"
- },
- {
- "name": "WinHttpSendRequest",
- "address": "0x45836c"
- },
- {
- "name": "WinHttpOpenRequest",
- "address": "0x458370"
- },
- {
- "name": "WinHttpSetOption",
- "address": "0x458374"
- },
- {
- "name": "WinHttpQueryDataAvailable",
- "address": "0x458378"
- },
- {
- "name": "WinHttpWriteData",
- "address": "0x45837c"
- }
- ],
- "dll": "WINHTTP.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x000a76d3",
- "overlay": {
- "size": "0x00003e30",
- "offset": "0x00099c00"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x000a76d3",
- "icon_hash": null,
- "entrypoint": "0x004408dd",
- "timestamp": "2019-02-18 21:14:31",
- "osversion": "5.1",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x00056200",
- "entropy": "6.41",
- "raw_address": "0x00000400",
- "virtual_size": "0x00056116",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00058000",
- "size_of_data": "0x0001fc00",
- "entropy": "4.62",
- "raw_address": "0x00056600",
- "virtual_size": "0x0001fa98",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x00078000",
- "size_of_data": "0x00003c00",
- "entropy": "2.44",
- "raw_address": "0x00076200",
- "virtual_size": "0x00007668",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00080000",
- "size_of_data": "0x0001a400",
- "entropy": "4.82",
- "raw_address": "0x00079e00",
- "virtual_size": "0x0001a3a8",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".reloc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0009b000",
- "size_of_data": "0x00005a00",
- "entropy": "6.70",
- "raw_address": "0x00094200",
- "virtual_size": "0x000059f8",
- "characteristics_raw": "0x42000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0007653c",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x00000140"
- },
- {
- "virtual_address": "0x00080000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x0001a3a8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00099c00",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00003e30"
- },
- {
- "virtual_address": "0x0009b000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x000059f8"
- },
- {
- "virtual_address": "0x00058480",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000038"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x000707a0",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000040"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00058000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000003b8"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "3beeae58675be450ff0da1b20500c997",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": "C:\\agent\\_work\\3\\s\\Win32\\Release Console\\autorunsc.pdb",
- "imported_dll_count": 15,
- "versioninfo": []
- }
- }