paladin316

autorunsc_exe.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 3.0
  5.  
  6. [*] File Name: "autorunsc.exe"
  7. [*] File Size: 645680
  8. [*] File Type: "PE32 executable (console) Intel 80386, for MS Windows"
  9. [*] SHA256: "fdf3979a74bd65ffcb603a01247dfb5a45557853c0f8ea561d7f5625b5067791"
  10. [*] MD5: "590e711a1923bd80e44a926e6db3cb6b"
  11. [*] SHA1: "f20f404f153036c113e3881da099e20f24a5a28e"
  12. [*] SHA512: "e96f1a4418d37283992be89fcb3c35b563957a50e54bd2ed84508be8aa3b2f82901ce30c44c63395cee33d2639c62a5d129f44c0c1b3320acc39c60c20b50f0d"
  13. [*] CRC32: "42407478"
  14. [*] SSDEEP: "12288:pJduItlvuMW05hBJF1/un7bn+iw9weF0LaY8X16z:pLmulF1/W7C4eKLv8Fs"
  15.  
  16. [*] Process Execution: [
  17. "autorunsc.exe"
  18. ]
  19.  
  20. [*] Signatures Detected: [
  21. {
  22. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  23. "Details": [
  24. {
  25. "IP": "66.210.41.16:80"
  26. }
  27. ]
  28. },
  29. {
  30. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  31. "Details": [
  32. {
  33. "ioc": "https://www.microsoft.com/pki/ssl/cps/WindowsPCA.htm0f"
  34. }
  35. ]
  36. },
  37. {
  38. "Description": "Expresses interest in specific running processes",
  39. "Details": [
  40. {
  41. "process": "winlogon.exe"
  42. }
  43. ]
  44. },
  45. {
  46. "Description": "Detects VirtualBox through the presence of a file",
  47. "Details": [
  48. {
  49. "file": "C:\\Windows\\sysnative\\VBoxTray.exe"
  50. }
  51. ]
  52. }
  53. ]
  54.  
  55. [*] Started Service: []
  56.  
  57. [*] Executed Commands: []
  58.  
  59. [*] Mutexes: [
  60. "CicLoadWinStaWinSta0",
  61. "Local\\MSCTF.CtfMonitorInstMutexDefault1"
  62. ]
  63.  
  64. [*] Modified Files: [
  65. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD",
  66. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD",
  67. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B8CC409ACDBF2A2FE04C56F2875B1FD6",
  68. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B8CC409ACDBF2A2FE04C56F2875B1FD6",
  69. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab29B6.tmp",
  70. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar29B7.tmp",
  71. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76",
  72. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76"
  73. ]
  74.  
  75. [*] Deleted Files: [
  76. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab29B6.tmp",
  77. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar29B7.tmp"
  78. ]
  79.  
  80. [*] Modified Registry Keys: [
  81. "HKEY_CURRENT_USER\\Software\\Sysinternals\\AutoRuns",
  82. "HKEY_CURRENT_USER\\Software\\Sysinternals\\AutoRuns\\EulaAccepted",
  83. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  84. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\qagentrt.dll,-10"
  85. ]
  86.  
  87. [*] Deleted Registry Keys: []
  88.  
  89. [*] DNS Communications: []
  90.  
  91. [*] Domains: []
  92.  
  93. [*] Network Communication - ICMP: []
  94.  
  95. [*] Network Communication - HTTP: [
  96. {
  97. "count": 1,
  98. "body": "",
  99. "uri": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
  100. "user-agent": "Microsoft-CryptoAPI/6.1",
  101. "method": "GET",
  102. "host": "crl.microsoft.com",
  103. "version": "1.1",
  104. "path": "/pki/crl/products/microsoftrootcert.crl",
  105. "data": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 07 Mar 2019 06:00:16 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  106. "port": 80
  107. },
  108. {
  109. "count": 1,
  110. "body": "",
  111. "uri": "http://crl.microsoft.com/pki/crl/products/WinPCA.crl",
  112. "user-agent": "Microsoft-CryptoAPI/6.1",
  113. "method": "GET",
  114. "host": "crl.microsoft.com",
  115. "version": "1.1",
  116. "path": "/pki/crl/products/WinPCA.crl",
  117. "data": "GET /pki/crl/products/WinPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  118. "port": 80
  119. },
  120. {
  121. "count": 1,
  122. "body": "",
  123. "uri": "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
  124. "user-agent": "Microsoft-CryptoAPI/6.1",
  125. "method": "GET",
  126. "host": "crl.microsoft.com",
  127. "version": "1.1",
  128. "path": "/pki/crl/products/MicrosoftTimeStampPCA.crl",
  129. "data": "GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Feb 2019 02:02:49 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  130. "port": 80
  131. }
  132. ]
  133.  
  134. [*] Network Communication - SMTP: []
  135.  
  136. [*] Network Communication - Hosts: []
  137.  
  138. [*] Network Communication - IRC: []
  139.  
  140. [*] Static Analysis: {
  141. "pe": {
  142. "peid_signatures": null,
  143. "imports": [
  144. {
  145. "imports": [
  146. {
  147. "name": "VerQueryValueW",
  148. "address": "0x458340"
  149. },
  150. {
  151. "name": "GetFileVersionInfoW",
  152. "address": "0x458344"
  153. },
  154. {
  155. "name": "GetFileVersionInfoSizeW",
  156. "address": "0x458348"
  157. }
  158. ],
  159. "dll": "VERSION.dll"
  160. },
  161. {
  162. "imports": [
  163. {
  164. "name": "ImageList_ReplaceIcon",
  165. "address": "0x45809c"
  166. },
  167. {
  168. "name": "ImageList_Add",
  169. "address": "0x4580a0"
  170. }
  171. ],
  172. "dll": "COMCTL32.dll"
  173. },
  174. {
  175. "imports": [
  176. {
  177. "name": "CryptSIPLoad",
  178. "address": "0x4580b0"
  179. },
  180. {
  181. "name": "CryptSIPRetrieveSubjectGuidForCatalogFile",
  182. "address": "0x4580b4"
  183. },
  184. {
  185. "name": "CertDuplicateCertificateContext",
  186. "address": "0x4580b8"
  187. },
  188. {
  189. "name": "CertGetNameStringW",
  190. "address": "0x4580bc"
  191. }
  192. ],
  193. "dll": "CRYPT32.dll"
  194. },
  195. {
  196. "imports": [
  197. {
  198. "name": "CryptCATAdminCalcHashFromFileHandle",
  199. "address": "0x458384"
  200. }
  201. ],
  202. "dll": "WINTRUST.dll"
  203. },
  204. {
  205. "imports": [
  206. {
  207. "name": "RtlUnwind",
  208. "address": "0x45838c"
  209. },
  210. {
  211. "name": "NtOpenKey",
  212. "address": "0x458390"
  213. },
  214. {
  215. "name": "NtCreateKey",
  216. "address": "0x458394"
  217. }
  218. ],
  219. "dll": "ntdll.dll"
  220. },
  221. {
  222. "imports": [
  223. {
  224. "name": "GetFullPathNameW",
  225. "address": "0x4580ec"
  226. },
  227. {
  228. "name": "IsWow64Process",
  229. "address": "0x4580f0"
  230. },
  231. {
  232. "name": "CreateToolhelp32Snapshot",
  233. "address": "0x4580f4"
  234. },
  235. {
  236. "name": "Process32FirstW",
  237. "address": "0x4580f8"
  238. },
  239. {
  240. "name": "Process32NextW",
  241. "address": "0x4580fc"
  242. },
  243. {
  244. "name": "GetPrivateProfileStringW",
  245. "address": "0x458100"
  246. },
  247. {
  248. "name": "FreeLibrary",
  249. "address": "0x458104"
  250. },
  251. {
  252. "name": "LoadLibraryExW",
  253. "address": "0x458108"
  254. },
  255. {
  256. "name": "MultiByteToWideChar",
  257. "address": "0x45810c"
  258. },
  259. {
  260. "name": "DecodePointer",
  261. "address": "0x458110"
  262. },
  263. {
  264. "name": "HeapAlloc",
  265. "address": "0x458114"
  266. },
  267. {
  268. "name": "HeapReAlloc",
  269. "address": "0x458118"
  270. },
  271. {
  272. "name": "HeapFree",
  273. "address": "0x45811c"
  274. },
  275. {
  276. "name": "HeapSize",
  277. "address": "0x458120"
  278. },
  279. {
  280. "name": "GetProcessHeap",
  281. "address": "0x458124"
  282. },
  283. {
  284. "name": "RaiseException",
  285. "address": "0x458128"
  286. },
  287. {
  288. "name": "InitializeCriticalSectionAndSpinCount",
  289. "address": "0x45812c"
  290. },
  291. {
  292. "name": "DeleteCriticalSection",
  293. "address": "0x458130"
  294. },
  295. {
  296. "name": "LeaveCriticalSection",
  297. "address": "0x458134"
  298. },
  299. {
  300. "name": "GetCurrentThread",
  301. "address": "0x458138"
  302. },
  303. {
  304. "name": "SetThreadPriority",
  305. "address": "0x45813c"
  306. },
  307. {
  308. "name": "EnterCriticalSection",
  309. "address": "0x458140"
  310. },
  311. {
  312. "name": "SetEvent",
  313. "address": "0x458144"
  314. },
  315. {
  316. "name": "GetSystemWow64DirectoryW",
  317. "address": "0x458148"
  318. },
  319. {
  320. "name": "WaitForMultipleObjects",
  321. "address": "0x45814c"
  322. },
  323. {
  324. "name": "CreateEventW",
  325. "address": "0x458150"
  326. },
  327. {
  328. "name": "CreateThread",
  329. "address": "0x458154"
  330. },
  331. {
  332. "name": "GetExitCodeThread",
  333. "address": "0x458158"
  334. },
  335. {
  336. "name": "LCMapStringW",
  337. "address": "0x45815c"
  338. },
  339. {
  340. "name": "FreeEnvironmentStringsW",
  341. "address": "0x458160"
  342. },
  343. {
  344. "name": "GetEnvironmentStringsW",
  345. "address": "0x458164"
  346. },
  347. {
  348. "name": "GetSystemTimeAsFileTime",
  349. "address": "0x458168"
  350. },
  351. {
  352. "name": "GetCurrentProcessId",
  353. "address": "0x45816c"
  354. },
  355. {
  356. "name": "QueryPerformanceCounter",
  357. "address": "0x458170"
  358. },
  359. {
  360. "name": "GetStringTypeW",
  361. "address": "0x458174"
  362. },
  363. {
  364. "name": "GetConsoleCP",
  365. "address": "0x458178"
  366. },
  367. {
  368. "name": "FlushFileBuffers",
  369. "address": "0x45817c"
  370. },
  371. {
  372. "name": "GetStartupInfoW",
  373. "address": "0x458180"
  374. },
  375. {
  376. "name": "TlsFree",
  377. "address": "0x458184"
  378. },
  379. {
  380. "name": "TerminateProcess",
  381. "address": "0x458188"
  382. },
  383. {
  384. "name": "SetUnhandledExceptionFilter",
  385. "address": "0x45818c"
  386. },
  387. {
  388. "name": "UnhandledExceptionFilter",
  389. "address": "0x458190"
  390. },
  391. {
  392. "name": "SetLastError",
  393. "address": "0x458194"
  394. },
  395. {
  396. "name": "GetCPInfo",
  397. "address": "0x458198"
  398. },
  399. {
  400. "name": "GetOEMCP",
  401. "address": "0x45819c"
  402. },
  403. {
  404. "name": "GetACP",
  405. "address": "0x4581a0"
  406. },
  407. {
  408. "name": "IsValidCodePage",
  409. "address": "0x4581a4"
  410. },
  411. {
  412. "name": "GetCurrentThreadId",
  413. "address": "0x4581a8"
  414. },
  415. {
  416. "name": "SetStdHandle",
  417. "address": "0x4581ac"
  418. },
  419. {
  420. "name": "SetConsoleMode",
  421. "address": "0x4581b0"
  422. },
  423. {
  424. "name": "ReadConsoleInputA",
  425. "address": "0x4581b4"
  426. },
  427. {
  428. "name": "GetSystemWindowsDirectoryW",
  429. "address": "0x4581b8"
  430. },
  431. {
  432. "name": "ExpandEnvironmentStringsW",
  433. "address": "0x4581bc"
  434. },
  435. {
  436. "name": "SetEnvironmentVariableW",
  437. "address": "0x4581c0"
  438. },
  439. {
  440. "name": "TlsSetValue",
  441. "address": "0x4581c4"
  442. },
  443. {
  444. "name": "ExitProcess",
  445. "address": "0x4581c8"
  446. },
  447. {
  448. "name": "TlsAlloc",
  449. "address": "0x4581cc"
  450. },
  451. {
  452. "name": "lstrlenW",
  453. "address": "0x4581d0"
  454. },
  455. {
  456. "name": "FormatMessageA",
  457. "address": "0x4581d4"
  458. },
  459. {
  460. "name": "GetFileTime",
  461. "address": "0x4581d8"
  462. },
  463. {
  464. "name": "WriteFile",
  465. "address": "0x4581dc"
  466. },
  467. {
  468. "name": "GetFileSize",
  469. "address": "0x4581e0"
  470. },
  471. {
  472. "name": "InitializeCriticalSection",
  473. "address": "0x4581e4"
  474. },
  475. {
  476. "name": "SetErrorMode",
  477. "address": "0x4581e8"
  478. },
  479. {
  480. "name": "ExitThread",
  481. "address": "0x4581ec"
  482. },
  483. {
  484. "name": "GetCurrentProcess",
  485. "address": "0x4581f0"
  486. },
  487. {
  488. "name": "OpenProcess",
  489. "address": "0x4581f4"
  490. },
  491. {
  492. "name": "GetLongPathNameW",
  493. "address": "0x4581f8"
  494. },
  495. {
  496. "name": "GetVersion",
  497. "address": "0x4581fc"
  498. },
  499. {
  500. "name": "TlsGetValue",
  501. "address": "0x458200"
  502. },
  503. {
  504. "name": "GetModuleFileNameW",
  505. "address": "0x458204"
  506. },
  507. {
  508. "name": "GetCommandLineW",
  509. "address": "0x458208"
  510. },
  511. {
  512. "name": "GetStdHandle",
  513. "address": "0x45820c"
  514. },
  515. {
  516. "name": "GetFileType",
  517. "address": "0x458210"
  518. },
  519. {
  520. "name": "LocalFree",
  521. "address": "0x458214"
  522. },
  523. {
  524. "name": "LocalAlloc",
  525. "address": "0x458218"
  526. },
  527. {
  528. "name": "GetDateFormatW",
  529. "address": "0x45821c"
  530. },
  531. {
  532. "name": "GetTimeFormatW",
  533. "address": "0x458220"
  534. },
  535. {
  536. "name": "GetModuleHandleW",
  537. "address": "0x458224"
  538. },
  539. {
  540. "name": "FormatMessageW",
  541. "address": "0x458228"
  542. },
  543. {
  544. "name": "FileTimeToSystemTime",
  545. "address": "0x45822c"
  546. },
  547. {
  548. "name": "FileTimeToLocalFileTime",
  549. "address": "0x458230"
  550. },
  551. {
  552. "name": "MulDiv",
  553. "address": "0x458234"
  554. },
  555. {
  556. "name": "ReadFile",
  557. "address": "0x458238"
  558. },
  559. {
  560. "name": "InterlockedIncrement",
  561. "address": "0x45823c"
  562. },
  563. {
  564. "name": "FindNextFileW",
  565. "address": "0x458240"
  566. },
  567. {
  568. "name": "FindFirstFileW",
  569. "address": "0x458244"
  570. },
  571. {
  572. "name": "GetFileAttributesW",
  573. "address": "0x458248"
  574. },
  575. {
  576. "name": "CreateFileW",
  577. "address": "0x45824c"
  578. },
  579. {
  580. "name": "LoadLibraryW",
  581. "address": "0x458250"
  582. },
  583. {
  584. "name": "FindClose",
  585. "address": "0x458254"
  586. },
  587. {
  588. "name": "Sleep",
  589. "address": "0x458258"
  590. },
  591. {
  592. "name": "GetLastError",
  593. "address": "0x45825c"
  594. },
  595. {
  596. "name": "GetProcAddress",
  597. "address": "0x458260"
  598. },
  599. {
  600. "name": "InterlockedDecrement",
  601. "address": "0x458264"
  602. },
  603. {
  604. "name": "CreateFileMappingW",
  605. "address": "0x458268"
  606. },
  607. {
  608. "name": "UnmapViewOfFile",
  609. "address": "0x45826c"
  610. },
  611. {
  612. "name": "MapViewOfFile",
  613. "address": "0x458270"
  614. },
  615. {
  616. "name": "CloseHandle",
  617. "address": "0x458274"
  618. },
  619. {
  620. "name": "GetFileSizeEx",
  621. "address": "0x458278"
  622. },
  623. {
  624. "name": "SetFilePointerEx",
  625. "address": "0x45827c"
  626. },
  627. {
  628. "name": "OutputDebugStringW",
  629. "address": "0x458280"
  630. },
  631. {
  632. "name": "WriteConsoleW",
  633. "address": "0x458284"
  634. },
  635. {
  636. "name": "ReadConsoleW",
  637. "address": "0x458288"
  638. },
  639. {
  640. "name": "SetEndOfFile",
  641. "address": "0x45828c"
  642. },
  643. {
  644. "name": "lstrlenA",
  645. "address": "0x458290"
  646. },
  647. {
  648. "name": "EncodePointer",
  649. "address": "0x458294"
  650. },
  651. {
  652. "name": "IsProcessorFeaturePresent",
  653. "address": "0x458298"
  654. },
  655. {
  656. "name": "WaitForSingleObject",
  657. "address": "0x45829c"
  658. },
  659. {
  660. "name": "GetConsoleMode",
  661. "address": "0x4582a0"
  662. },
  663. {
  664. "name": "WideCharToMultiByte",
  665. "address": "0x4582a4"
  666. },
  667. {
  668. "name": "GetModuleHandleExW",
  669. "address": "0x4582a8"
  670. },
  671. {
  672. "name": "IsDebuggerPresent",
  673. "address": "0x4582ac"
  674. }
  675. ],
  676. "dll": "KERNEL32.dll"
  677. },
  678. {
  679. "imports": [
  680. {
  681. "name": "DialogBoxIndirectParamW",
  682. "address": "0x4582f0"
  683. },
  684. {
  685. "name": "MessageBoxW",
  686. "address": "0x4582f4"
  687. },
  688. {
  689. "name": "GetDlgItem",
  690. "address": "0x4582f8"
  691. },
  692. {
  693. "name": "SetWindowTextW",
  694. "address": "0x4582fc"
  695. },
  696. {
  697. "name": "SetCursor",
  698. "address": "0x458300"
  699. },
  700. {
  701. "name": "EndDialog",
  702. "address": "0x458304"
  703. },
  704. {
  705. "name": "SendMessageW",
  706. "address": "0x458308"
  707. },
  708. {
  709. "name": "InflateRect",
  710. "address": "0x45830c"
  711. },
  712. {
  713. "name": "LoadCursorW",
  714. "address": "0x458310"
  715. },
  716. {
  717. "name": "GetMenu",
  718. "address": "0x458314"
  719. },
  720. {
  721. "name": "CheckMenuItem",
  722. "address": "0x458318"
  723. },
  724. {
  725. "name": "GetSubMenu",
  726. "address": "0x45831c"
  727. },
  728. {
  729. "name": "DeleteMenu",
  730. "address": "0x458320"
  731. },
  732. {
  733. "name": "GetSysColorBrush",
  734. "address": "0x458324"
  735. },
  736. {
  737. "name": "PostMessageW",
  738. "address": "0x458328"
  739. },
  740. {
  741. "name": "LoadStringW",
  742. "address": "0x45832c"
  743. },
  744. {
  745. "name": "DestroyIcon",
  746. "address": "0x458330"
  747. },
  748. {
  749. "name": "LoadIconW",
  750. "address": "0x458334"
  751. },
  752. {
  753. "name": "InsertMenuW",
  754. "address": "0x458338"
  755. }
  756. ],
  757. "dll": "USER32.dll"
  758. },
  759. {
  760. "imports": [
  761. {
  762. "name": "DeleteObject",
  763. "address": "0x4580c4"
  764. },
  765. {
  766. "name": "EndPage",
  767. "address": "0x4580c8"
  768. },
  769. {
  770. "name": "StartPage",
  771. "address": "0x4580cc"
  772. },
  773. {
  774. "name": "StartDocW",
  775. "address": "0x4580d0"
  776. },
  777. {
  778. "name": "SetMapMode",
  779. "address": "0x4580d4"
  780. },
  781. {
  782. "name": "GetDeviceCaps",
  783. "address": "0x4580d8"
  784. },
  785. {
  786. "name": "DeleteDC",
  787. "address": "0x4580dc"
  788. },
  789. {
  790. "name": "CreateCompatibleDC",
  791. "address": "0x4580e0"
  792. },
  793. {
  794. "name": "EndDoc",
  795. "address": "0x4580e4"
  796. }
  797. ],
  798. "dll": "GDI32.dll"
  799. },
  800. {
  801. "imports": [
  802. {
  803. "name": "PrintDlgW",
  804. "address": "0x4580a8"
  805. }
  806. ],
  807. "dll": "COMDLG32.dll"
  808. },
  809. {
  810. "imports": [
  811. {
  812. "name": "QueryServiceConfig2W",
  813. "address": "0x458000"
  814. },
  815. {
  816. "name": "GetServiceDisplayNameW",
  817. "address": "0x458004"
  818. },
  819. {
  820. "name": "RegQueryValueW",
  821. "address": "0x458008"
  822. },
  823. {
  824. "name": "CryptAcquireContextW",
  825. "address": "0x45800c"
  826. },
  827. {
  828. "name": "CryptReleaseContext",
  829. "address": "0x458010"
  830. },
  831. {
  832. "name": "CryptGetHashParam",
  833. "address": "0x458014"
  834. },
  835. {
  836. "name": "CryptCreateHash",
  837. "address": "0x458018"
  838. },
  839. {
  840. "name": "CryptHashData",
  841. "address": "0x45801c"
  842. },
  843. {
  844. "name": "CryptDestroyHash",
  845. "address": "0x458020"
  846. },
  847. {
  848. "name": "RegCloseKey",
  849. "address": "0x458024"
  850. },
  851. {
  852. "name": "RegOpenKeyExW",
  853. "address": "0x458028"
  854. },
  855. {
  856. "name": "RegQueryValueExW",
  857. "address": "0x45802c"
  858. },
  859. {
  860. "name": "CloseServiceHandle",
  861. "address": "0x458030"
  862. },
  863. {
  864. "name": "RegUnLoadKeyW",
  865. "address": "0x458034"
  866. },
  867. {
  868. "name": "RegQueryInfoKeyW",
  869. "address": "0x458038"
  870. },
  871. {
  872. "name": "RegLoadKeyW",
  873. "address": "0x45803c"
  874. },
  875. {
  876. "name": "RegEnumValueW",
  877. "address": "0x458040"
  878. },
  879. {
  880. "name": "RegEnumKeyW",
  881. "address": "0x458044"
  882. },
  883. {
  884. "name": "RegDeleteKeyW",
  885. "address": "0x458048"
  886. },
  887. {
  888. "name": "DuplicateTokenEx",
  889. "address": "0x45804c"
  890. },
  891. {
  892. "name": "ImpersonateLoggedOnUser",
  893. "address": "0x458050"
  894. },
  895. {
  896. "name": "LookupPrivilegeValueW",
  897. "address": "0x458054"
  898. },
  899. {
  900. "name": "LookupAccountNameW",
  901. "address": "0x458058"
  902. },
  903. {
  904. "name": "LookupAccountSidW",
  905. "address": "0x45805c"
  906. },
  907. {
  908. "name": "FreeSid",
  909. "address": "0x458060"
  910. },
  911. {
  912. "name": "AllocateAndInitializeSid",
  913. "address": "0x458064"
  914. },
  915. {
  916. "name": "EqualSid",
  917. "address": "0x458068"
  918. },
  919. {
  920. "name": "AdjustTokenPrivileges",
  921. "address": "0x45806c"
  922. },
  923. {
  924. "name": "GetTokenInformation",
  925. "address": "0x458070"
  926. },
  927. {
  928. "name": "OpenProcessToken",
  929. "address": "0x458074"
  930. },
  931. {
  932. "name": "RevertToSelf",
  933. "address": "0x458078"
  934. },
  935. {
  936. "name": "RegOpenKeyW",
  937. "address": "0x45807c"
  938. },
  939. {
  940. "name": "RegCreateKeyW",
  941. "address": "0x458080"
  942. },
  943. {
  944. "name": "RegSetValueExW",
  945. "address": "0x458084"
  946. },
  947. {
  948. "name": "RegDeleteValueW",
  949. "address": "0x458088"
  950. },
  951. {
  952. "name": "RegCreateKeyExW",
  953. "address": "0x45808c"
  954. },
  955. {
  956. "name": "OpenServiceW",
  957. "address": "0x458090"
  958. },
  959. {
  960. "name": "OpenSCManagerW",
  961. "address": "0x458094"
  962. }
  963. ],
  964. "dll": "ADVAPI32.dll"
  965. },
  966. {
  967. "imports": [
  968. {
  969. "name": "ShellExecuteW",
  970. "address": "0x4582d4"
  971. },
  972. {
  973. "name": "SHGetFileInfoW",
  974. "address": "0x4582d8"
  975. },
  976. {
  977. "name": "SHGetFolderPathW",
  978. "address": "0x4582dc"
  979. }
  980. ],
  981. "dll": "SHELL32.dll"
  982. },
  983. {
  984. "imports": [
  985. {
  986. "name": "CoUninitialize",
  987. "address": "0x45839c"
  988. },
  989. {
  990. "name": "CoCreateInstance",
  991. "address": "0x4583a0"
  992. },
  993. {
  994. "name": "CoInitializeEx",
  995. "address": "0x4583a4"
  996. },
  997. {
  998. "name": "CoTaskMemFree",
  999. "address": "0x4583a8"
  1000. },
  1001. {
  1002. "name": "CoMarshalInterThreadInterfaceInStream",
  1003. "address": "0x4583ac"
  1004. },
  1005. {
  1006. "name": "CoGetInterfaceAndReleaseStream",
  1007. "address": "0x4583b0"
  1008. }
  1009. ],
  1010. "dll": "ole32.dll"
  1011. },
  1012. {
  1013. "imports": [
  1014. {
  1015. "name": "VariantChangeType",
  1016. "address": "0x4582b4"
  1017. },
  1018. {
  1019. "name": "VariantInit",
  1020. "address": "0x4582b8"
  1021. },
  1022. {
  1023. "name": "SysAllocString",
  1024. "address": "0x4582bc"
  1025. },
  1026. {
  1027. "name": "SysFreeString",
  1028. "address": "0x4582c0"
  1029. },
  1030. {
  1031. "name": "VariantClear",
  1032. "address": "0x4582c4"
  1033. },
  1034. {
  1035. "name": "SysStringLen",
  1036. "address": "0x4582c8"
  1037. },
  1038. {
  1039. "name": "SysAllocStringByteLen",
  1040. "address": "0x4582cc"
  1041. }
  1042. ],
  1043. "dll": "OLEAUT32.dll"
  1044. },
  1045. {
  1046. "imports": [
  1047. {
  1048. "name": "UrlUnescapeW",
  1049. "address": "0x4582e4"
  1050. },
  1051. {
  1052. "name": null,
  1053. "address": "0x4582e8"
  1054. }
  1055. ],
  1056. "dll": "SHLWAPI.dll"
  1057. },
  1058. {
  1059. "imports": [
  1060. {
  1061. "name": "WinHttpReadData",
  1062. "address": "0x458350"
  1063. },
  1064. {
  1065. "name": "WinHttpOpen",
  1066. "address": "0x458354"
  1067. },
  1068. {
  1069. "name": "WinHttpCloseHandle",
  1070. "address": "0x458358"
  1071. },
  1072. {
  1073. "name": "WinHttpConnect",
  1074. "address": "0x45835c"
  1075. },
  1076. {
  1077. "name": "WinHttpGetProxyForUrl",
  1078. "address": "0x458360"
  1079. },
  1080. {
  1081. "name": "WinHttpQueryHeaders",
  1082. "address": "0x458364"
  1083. },
  1084. {
  1085. "name": "WinHttpReceiveResponse",
  1086. "address": "0x458368"
  1087. },
  1088. {
  1089. "name": "WinHttpSendRequest",
  1090. "address": "0x45836c"
  1091. },
  1092. {
  1093. "name": "WinHttpOpenRequest",
  1094. "address": "0x458370"
  1095. },
  1096. {
  1097. "name": "WinHttpSetOption",
  1098. "address": "0x458374"
  1099. },
  1100. {
  1101. "name": "WinHttpQueryDataAvailable",
  1102. "address": "0x458378"
  1103. },
  1104. {
  1105. "name": "WinHttpWriteData",
  1106. "address": "0x45837c"
  1107. }
  1108. ],
  1109. "dll": "WINHTTP.dll"
  1110. }
  1111. ],
  1112. "digital_signers": null,
  1113. "exported_dll_name": null,
  1114. "actual_checksum": "0x000a76d3",
  1115. "overlay": {
  1116. "size": "0x00003e30",
  1117. "offset": "0x00099c00"
  1118. },
  1119. "imagebase": "0x00400000",
  1120. "reported_checksum": "0x000a76d3",
  1121. "icon_hash": null,
  1122. "entrypoint": "0x004408dd",
  1123. "timestamp": "2019-02-18 21:14:31",
  1124. "osversion": "5.1",
  1125. "sections": [
  1126. {
  1127. "name": ".text",
  1128. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1129. "virtual_address": "0x00001000",
  1130. "size_of_data": "0x00056200",
  1131. "entropy": "6.41",
  1132. "raw_address": "0x00000400",
  1133. "virtual_size": "0x00056116",
  1134. "characteristics_raw": "0x60000020"
  1135. },
  1136. {
  1137. "name": ".rdata",
  1138. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1139. "virtual_address": "0x00058000",
  1140. "size_of_data": "0x0001fc00",
  1141. "entropy": "4.62",
  1142. "raw_address": "0x00056600",
  1143. "virtual_size": "0x0001fa98",
  1144. "characteristics_raw": "0x40000040"
  1145. },
  1146. {
  1147. "name": ".data",
  1148. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1149. "virtual_address": "0x00078000",
  1150. "size_of_data": "0x00003c00",
  1151. "entropy": "2.44",
  1152. "raw_address": "0x00076200",
  1153. "virtual_size": "0x00007668",
  1154. "characteristics_raw": "0xc0000040"
  1155. },
  1156. {
  1157. "name": ".rsrc",
  1158. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1159. "virtual_address": "0x00080000",
  1160. "size_of_data": "0x0001a400",
  1161. "entropy": "4.82",
  1162. "raw_address": "0x00079e00",
  1163. "virtual_size": "0x0001a3a8",
  1164. "characteristics_raw": "0x40000040"
  1165. },
  1166. {
  1167. "name": ".reloc",
  1168. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1169. "virtual_address": "0x0009b000",
  1170. "size_of_data": "0x00005a00",
  1171. "entropy": "6.70",
  1172. "raw_address": "0x00094200",
  1173. "virtual_size": "0x000059f8",
  1174. "characteristics_raw": "0x42000040"
  1175. }
  1176. ],
  1177. "resources": [],
  1178. "dirents": [
  1179. {
  1180. "virtual_address": "0x00000000",
  1181. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1182. "size": "0x00000000"
  1183. },
  1184. {
  1185. "virtual_address": "0x0007653c",
  1186. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1187. "size": "0x00000140"
  1188. },
  1189. {
  1190. "virtual_address": "0x00080000",
  1191. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1192. "size": "0x0001a3a8"
  1193. },
  1194. {
  1195. "virtual_address": "0x00000000",
  1196. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1197. "size": "0x00000000"
  1198. },
  1199. {
  1200. "virtual_address": "0x00099c00",
  1201. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1202. "size": "0x00003e30"
  1203. },
  1204. {
  1205. "virtual_address": "0x0009b000",
  1206. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1207. "size": "0x000059f8"
  1208. },
  1209. {
  1210. "virtual_address": "0x00058480",
  1211. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1212. "size": "0x00000038"
  1213. },
  1214. {
  1215. "virtual_address": "0x00000000",
  1216. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1217. "size": "0x00000000"
  1218. },
  1219. {
  1220. "virtual_address": "0x00000000",
  1221. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1222. "size": "0x00000000"
  1223. },
  1224. {
  1225. "virtual_address": "0x00000000",
  1226. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1227. "size": "0x00000000"
  1228. },
  1229. {
  1230. "virtual_address": "0x000707a0",
  1231. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1232. "size": "0x00000040"
  1233. },
  1234. {
  1235. "virtual_address": "0x00000000",
  1236. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1237. "size": "0x00000000"
  1238. },
  1239. {
  1240. "virtual_address": "0x00058000",
  1241. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1242. "size": "0x000003b8"
  1243. },
  1244. {
  1245. "virtual_address": "0x00000000",
  1246. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1247. "size": "0x00000000"
  1248. },
  1249. {
  1250. "virtual_address": "0x00000000",
  1251. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1252. "size": "0x00000000"
  1253. },
  1254. {
  1255. "virtual_address": "0x00000000",
  1256. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1257. "size": "0x00000000"
  1258. }
  1259. ],
  1260. "exports": [],
  1261. "guest_signers": {},
  1262. "imphash": "3beeae58675be450ff0da1b20500c997",
  1263. "icon_fuzzy": null,
  1264. "icon": null,
  1265. "pdbpath": "C:\\agent\\_work\\3\\s\\Win32\\Release Console\\autorunsc.pdb",
  1266. "imported_dll_count": 15,
  1267. "versioninfo": []
  1268. }
  1269. }
  1270.  
  1271. [*] Resolved APIs: [
  1272. "kernel32.dll.FlsAlloc",
  1273. "kernel32.dll.FlsFree",
  1274. "kernel32.dll.FlsGetValue",
  1275. "kernel32.dll.FlsSetValue",
  1276. "kernel32.dll.InitializeCriticalSectionEx",
  1277. "kernel32.dll.CreateEventExW",
  1278. "kernel32.dll.CreateSemaphoreExW",
  1279. "kernel32.dll.SetThreadStackGuarantee",
  1280. "kernel32.dll.CreateThreadpoolTimer",
  1281. "kernel32.dll.SetThreadpoolTimer",
  1282. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1283. "kernel32.dll.CloseThreadpoolTimer",
  1284. "kernel32.dll.CreateThreadpoolWait",
  1285. "kernel32.dll.SetThreadpoolWait",
  1286. "kernel32.dll.CloseThreadpoolWait",
  1287. "kernel32.dll.FlushProcessWriteBuffers",
  1288. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1289. "kernel32.dll.GetCurrentProcessorNumber",
  1290. "kernel32.dll.GetLogicalProcessorInformation",
  1291. "kernel32.dll.CreateSymbolicLinkW",
  1292. "kernel32.dll.EnumSystemLocalesEx",
  1293. "kernel32.dll.CompareStringEx",
  1294. "kernel32.dll.GetDateFormatEx",
  1295. "kernel32.dll.GetLocaleInfoEx",
  1296. "kernel32.dll.GetTimeFormatEx",
  1297. "kernel32.dll.GetUserDefaultLocaleName",
  1298. "kernel32.dll.IsValidLocaleName",
  1299. "kernel32.dll.LCMapStringEx",
  1300. "kernel32.dll.GetTickCount64",
  1301. "kernel32.dll.SortGetHandle",
  1302. "kernel32.dll.SortCloseHandle",
  1303. "uxtheme.dll.ThemeInitApiHook",
  1304. "user32.dll.IsProcessDPIAware",
  1305. "dwmapi.dll.DwmIsCompositionEnabled",
  1306. "comctl32.dll.RegisterClassNameW",
  1307. "uxtheme.dll.EnableThemeDialogTexture",
  1308. "uxtheme.dll.OpenThemeData",
  1309. "uxtheme.dll.GetThemeBool",
  1310. "comctl32.dll.HIMAGELIST_QueryInterface",
  1311. "comctl32.dll.DrawShadowText",
  1312. "comctl32.dll.DrawSizeBox",
  1313. "comctl32.dll.DrawScrollBar",
  1314. "comctl32.dll.SizeBoxHwnd",
  1315. "comctl32.dll.ScrollBar_MouseMove",
  1316. "comctl32.dll.ScrollBar_Menu",
  1317. "comctl32.dll.HandleScrollCmd",
  1318. "comctl32.dll.DetachScrollBars",
  1319. "comctl32.dll.AttachScrollBars",
  1320. "comctl32.dll.CCSetScrollInfo",
  1321. "comctl32.dll.CCGetScrollInfo",
  1322. "comctl32.dll.CCEnableScrollBar",
  1323. "comctl32.dll.QuerySystemGestureStatus",
  1324. "uxtheme.dll.#49",
  1325. "uxtheme.dll.CloseThemeData",
  1326. "gdi32.dll.GetLayout",
  1327. "gdi32.dll.GdiRealizationInfo",
  1328. "gdi32.dll.FontIsLinked",
  1329. "advapi32.dll.RegOpenKeyExW",
  1330. "advapi32.dll.RegQueryInfoKeyW",
  1331. "gdi32.dll.GetTextFaceAliasW",
  1332. "advapi32.dll.RegEnumValueW",
  1333. "advapi32.dll.RegCloseKey",
  1334. "advapi32.dll.RegQueryValueExW",
  1335. "gdi32.dll.GetFontAssocStatus",
  1336. "advapi32.dll.RegQueryValueExA",
  1337. "advapi32.dll.RegEnumKeyExW",
  1338. "gdi32.dll.GdiIsMetaPrintDC",
  1339. "ole32.dll.CoInitializeEx",
  1340. "ole32.dll.CoUninitialize",
  1341. "cryptbase.dll.SystemFunction036",
  1342. "ole32.dll.CoRegisterInitializeSpy",
  1343. "ole32.dll.CoRevokeInitializeSpy",
  1344. "uxtheme.dll.BufferedPaintInit",
  1345. "uxtheme.dll.BufferedPaintRenderAnimation",
  1346. "uxtheme.dll.GetThemeTransitionDuration",
  1347. "uxtheme.dll.BeginBufferedAnimation",
  1348. "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
  1349. "uxtheme.dll.DrawThemeParentBackground",
  1350. "uxtheme.dll.DrawThemeBackground",
  1351. "uxtheme.dll.GetThemeBackgroundContentRect",
  1352. "uxtheme.dll.DrawThemeText",
  1353. "uxtheme.dll.EndBufferedAnimation",
  1354. "uxtheme.dll.GetThemePartSize",
  1355. "oleaut32.dll.#500",
  1356. "uxtheme.dll.BufferedPaintStopAllAnimations",
  1357. "uxtheme.dll.BufferedPaintUnInit",
  1358. "wintrust.dll.WinVerifyTrust",
  1359. "wintrust.dll.WTHelperGetProvSignerFromChain",
  1360. "wintrust.dll.WTHelperProvDataFromStateData",
  1361. "wintrust.dll.CryptCATAdminReleaseContext",
  1362. "wintrust.dll.CryptCATAdminReleaseCatalogContext",
  1363. "wintrust.dll.CryptCATCatalogInfoFromContext",
  1364. "wintrust.dll.CryptCATAdminEnumCatalogFromHash",
  1365. "wintrust.dll.CryptCATAdminCalcHashFromFileHandle",
  1366. "wintrust.dll.CryptCATAdminAcquireContext",
  1367. "wintrust.dll.CryptCATAdminAddCatalog",
  1368. "wintrust.dll.CryptCATAdminRemoveCatalog",
  1369. "wintrust.dll.IsCatalogFile",
  1370. "crypt32.dll.CertNameToStrW",
  1371. "kernel32.dll.Wow64EnableWow64FsRedirection",
  1372. "kernel32.dll.Wow64DisableWow64FsRedirection",
  1373. "kernel32.dll.Wow64RevertWow64FsRedirection",
  1374. "advapi32.dll.RegDeleteKeyExW",
  1375. "sechost.dll.LookupAccountNameLocalW",
  1376. "ntdll.dll.RtlNtStatusToDosError",
  1377. "sechost.dll.LookupAccountSidLocalW",
  1378. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1379. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1380. "comctl32.dll.#332",
  1381. "comctl32.dll.#386",
  1382. "wintrust.dll.WintrustCertificateTrust",
  1383. "wintrust.dll.SoftpubAuthenticode",
  1384. "wintrust.dll.SoftpubInitialize",
  1385. "wintrust.dll.SoftpubLoadMessage",
  1386. "wintrust.dll.SoftpubLoadSignature",
  1387. "wintrust.dll.SoftpubCheckCert",
  1388. "wintrust.dll.SoftpubCleanup",
  1389. "cryptsp.dll.CryptAcquireContextA",
  1390. "wintrust.dll.CryptSIPPutSignedDataMsg",
  1391. "wintrust.dll.CryptSIPGetSignedDataMsg",
  1392. "imagehlp.dll.ImageGetCertificateData",
  1393. "user32.dll.LoadStringW",
  1394. "wintrust.dll.CryptSIPCreateIndirectData",
  1395. "wintrust.dll.WVTAsn1SpcPeImageDataEncode",
  1396. "bcrypt.dll.BCryptOpenAlgorithmProvider",
  1397. "bcryptprimitives.dll.GetHashInterface",
  1398. "bcrypt.dll.BCryptGetProperty",
  1399. "bcrypt.dll.BCryptCreateHash",
  1400. "bcrypt.dll.BCryptHashData",
  1401. "bcrypt.dll.BCryptFinishHash",
  1402. "bcrypt.dll.BCryptDestroyHash",
  1403. "bcrypt.dll.BCryptCloseAlgorithmProvider",
  1404. "sechost.dll.ConvertStringSidToSidW",
  1405. "sechost.dll.OpenSCManagerW",
  1406. "sechost.dll.OpenServiceW",
  1407. "sechost.dll.QueryServiceConfigA",
  1408. "sechost.dll.QueryServiceStatus",
  1409. "sechost.dll.CloseServiceHandle",
  1410. "advapi32.dll.LookupAccountSidW",
  1411. "ncrypt.dll.BCryptOpenAlgorithmProvider",
  1412. "ncrypt.dll.BCryptGetProperty",
  1413. "ncrypt.dll.BCryptCreateHash",
  1414. "ncrypt.dll.BCryptHashData",
  1415. "ncrypt.dll.BCryptFinishHash",
  1416. "cryptsp.dll.CryptCreateHash",
  1417. "cryptsp.dll.CryptSetHashParam",
  1418. "cryptsp.dll.CryptVerifySignatureA",
  1419. "cryptsp.dll.CryptDestroyKey",
  1420. "cryptsp.dll.CryptDestroyHash",
  1421. "ncrypt.dll.BCryptDestroyHash",
  1422. "userenv.dll.GetUserProfileDirectoryW",
  1423. "sechost.dll.ConvertSidToStringSidW",
  1424. "userenv.dll.RegisterGPNotification",
  1425. "gpapi.dll.RegisterGPNotificationInternal",
  1426. "sechost.dll.QueryServiceConfigW",
  1427. "cryptsp.dll.CryptHashData",
  1428. "cryptnet.dll.CertDllVerifyRevocation",
  1429. "sensapi.dll.IsNetworkAlive",
  1430. "rpcrt4.dll.RpcBindingFromStringBindingW",
  1431. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  1432. "rpcrt4.dll.NdrClientCall2",
  1433. "winhttp.dll.WinHttpOpen",
  1434. "winhttp.dll.WinHttpSetTimeouts",
  1435. "winhttp.dll.WinHttpSetOption",
  1436. "winhttp.dll.WinHttpCrackUrl",
  1437. "shlwapi.dll.StrCmpNW",
  1438. "winhttp.dll.WinHttpConnect",
  1439. "winhttp.dll.WinHttpOpenRequest",
  1440. "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
  1441. "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
  1442. "winhttp.dll.WinHttpTimeFromSystemTime",
  1443. "winhttp.dll.WinHttpSendRequest",
  1444. "ws2_32.dll.GetAddrInfoW",
  1445. "ws2_32.dll.WSASocketW",
  1446. "ws2_32.dll.#2",
  1447. "ws2_32.dll.#21",
  1448. "ws2_32.dll.#9",
  1449. "ws2_32.dll.WSAIoctl",
  1450. "ws2_32.dll.FreeAddrInfoW",
  1451. "ws2_32.dll.#6",
  1452. "ws2_32.dll.#5",
  1453. "ws2_32.dll.WSARecv",
  1454. "ws2_32.dll.WSASend",
  1455. "winhttp.dll.WinHttpReceiveResponse",
  1456. "winhttp.dll.WinHttpQueryHeaders",
  1457. "winhttp.dll.WinHttpQueryDataAvailable",
  1458. "winhttp.dll.WinHttpReadData",
  1459. "winhttp.dll.WinHttpCloseHandle",
  1460. "rpcrt4.dll.RpcBindingFree",
  1461. "cryptnet.dll.I_CryptNetGetConnectivity",
  1462. "cryptnet.dll.CryptRetrieveObjectByUrlW",
  1463. "setupapi.dll.SetupIterateCabinetW",
  1464. "kernel32.dll.RegOpenKeyExW",
  1465. "kernel32.dll.RegCloseKey",
  1466. "cabinet.dll.#20",
  1467. "cabinet.dll.#22",
  1468. "devrtl.dll.DevRtlGetThreadLogToken",
  1469. "rpcrt4.dll.RpcStringBindingComposeA",
  1470. "rpcrt4.dll.RpcBindingFromStringBindingA",
  1471. "rpcrt4.dll.RpcEpResolveBinding",
  1472. "rpcrt4.dll.RpcStringFreeA",
  1473. "advapi32.dll.SaferiSearchMatchingHashRules",
  1474. "cryptsp.dll.CryptReleaseContext",
  1475. "advapi32.dll.UnregisterTraceGuids"
  1476. ]
  1477.  
  1478. [*] Static Analysis: {
  1479. "pe": {
  1480. "peid_signatures": null,
  1481. "imports": [
  1482. {
  1483. "imports": [
  1484. {
  1485. "name": "VerQueryValueW",
  1486. "address": "0x458340"
  1487. },
  1488. {
  1489. "name": "GetFileVersionInfoW",
  1490. "address": "0x458344"
  1491. },
  1492. {
  1493. "name": "GetFileVersionInfoSizeW",
  1494. "address": "0x458348"
  1495. }
  1496. ],
  1497. "dll": "VERSION.dll"
  1498. },
  1499. {
  1500. "imports": [
  1501. {
  1502. "name": "ImageList_ReplaceIcon",
  1503. "address": "0x45809c"
  1504. },
  1505. {
  1506. "name": "ImageList_Add",
  1507. "address": "0x4580a0"
  1508. }
  1509. ],
  1510. "dll": "COMCTL32.dll"
  1511. },
  1512. {
  1513. "imports": [
  1514. {
  1515. "name": "CryptSIPLoad",
  1516. "address": "0x4580b0"
  1517. },
  1518. {
  1519. "name": "CryptSIPRetrieveSubjectGuidForCatalogFile",
  1520. "address": "0x4580b4"
  1521. },
  1522. {
  1523. "name": "CertDuplicateCertificateContext",
  1524. "address": "0x4580b8"
  1525. },
  1526. {
  1527. "name": "CertGetNameStringW",
  1528. "address": "0x4580bc"
  1529. }
  1530. ],
  1531. "dll": "CRYPT32.dll"
  1532. },
  1533. {
  1534. "imports": [
  1535. {
  1536. "name": "CryptCATAdminCalcHashFromFileHandle",
  1537. "address": "0x458384"
  1538. }
  1539. ],
  1540. "dll": "WINTRUST.dll"
  1541. },
  1542. {
  1543. "imports": [
  1544. {
  1545. "name": "RtlUnwind",
  1546. "address": "0x45838c"
  1547. },
  1548. {
  1549. "name": "NtOpenKey",
  1550. "address": "0x458390"
  1551. },
  1552. {
  1553. "name": "NtCreateKey",
  1554. "address": "0x458394"
  1555. }
  1556. ],
  1557. "dll": "ntdll.dll"
  1558. },
  1559. {
  1560. "imports": [
  1561. {
  1562. "name": "GetFullPathNameW",
  1563. "address": "0x4580ec"
  1564. },
  1565. {
  1566. "name": "IsWow64Process",
  1567. "address": "0x4580f0"
  1568. },
  1569. {
  1570. "name": "CreateToolhelp32Snapshot",
  1571. "address": "0x4580f4"
  1572. },
  1573. {
  1574. "name": "Process32FirstW",
  1575. "address": "0x4580f8"
  1576. },
  1577. {
  1578. "name": "Process32NextW",
  1579. "address": "0x4580fc"
  1580. },
  1581. {
  1582. "name": "GetPrivateProfileStringW",
  1583. "address": "0x458100"
  1584. },
  1585. {
  1586. "name": "FreeLibrary",
  1587. "address": "0x458104"
  1588. },
  1589. {
  1590. "name": "LoadLibraryExW",
  1591. "address": "0x458108"
  1592. },
  1593. {
  1594. "name": "MultiByteToWideChar",
  1595. "address": "0x45810c"
  1596. },
  1597. {
  1598. "name": "DecodePointer",
  1599. "address": "0x458110"
  1600. },
  1601. {
  1602. "name": "HeapAlloc",
  1603. "address": "0x458114"
  1604. },
  1605. {
  1606. "name": "HeapReAlloc",
  1607. "address": "0x458118"
  1608. },
  1609. {
  1610. "name": "HeapFree",
  1611. "address": "0x45811c"
  1612. },
  1613. {
  1614. "name": "HeapSize",
  1615. "address": "0x458120"
  1616. },
  1617. {
  1618. "name": "GetProcessHeap",
  1619. "address": "0x458124"
  1620. },
  1621. {
  1622. "name": "RaiseException",
  1623. "address": "0x458128"
  1624. },
  1625. {
  1626. "name": "InitializeCriticalSectionAndSpinCount",
  1627. "address": "0x45812c"
  1628. },
  1629. {
  1630. "name": "DeleteCriticalSection",
  1631. "address": "0x458130"
  1632. },
  1633. {
  1634. "name": "LeaveCriticalSection",
  1635. "address": "0x458134"
  1636. },
  1637. {
  1638. "name": "GetCurrentThread",
  1639. "address": "0x458138"
  1640. },
  1641. {
  1642. "name": "SetThreadPriority",
  1643. "address": "0x45813c"
  1644. },
  1645. {
  1646. "name": "EnterCriticalSection",
  1647. "address": "0x458140"
  1648. },
  1649. {
  1650. "name": "SetEvent",
  1651. "address": "0x458144"
  1652. },
  1653. {
  1654. "name": "GetSystemWow64DirectoryW",
  1655. "address": "0x458148"
  1656. },
  1657. {
  1658. "name": "WaitForMultipleObjects",
  1659. "address": "0x45814c"
  1660. },
  1661. {
  1662. "name": "CreateEventW",
  1663. "address": "0x458150"
  1664. },
  1665. {
  1666. "name": "CreateThread",
  1667. "address": "0x458154"
  1668. },
  1669. {
  1670. "name": "GetExitCodeThread",
  1671. "address": "0x458158"
  1672. },
  1673. {
  1674. "name": "LCMapStringW",
  1675. "address": "0x45815c"
  1676. },
  1677. {
  1678. "name": "FreeEnvironmentStringsW",
  1679. "address": "0x458160"
  1680. },
  1681. {
  1682. "name": "GetEnvironmentStringsW",
  1683. "address": "0x458164"
  1684. },
  1685. {
  1686. "name": "GetSystemTimeAsFileTime",
  1687. "address": "0x458168"
  1688. },
  1689. {
  1690. "name": "GetCurrentProcessId",
  1691. "address": "0x45816c"
  1692. },
  1693. {
  1694. "name": "QueryPerformanceCounter",
  1695. "address": "0x458170"
  1696. },
  1697. {
  1698. "name": "GetStringTypeW",
  1699. "address": "0x458174"
  1700. },
  1701. {
  1702. "name": "GetConsoleCP",
  1703. "address": "0x458178"
  1704. },
  1705. {
  1706. "name": "FlushFileBuffers",
  1707. "address": "0x45817c"
  1708. },
  1709. {
  1710. "name": "GetStartupInfoW",
  1711. "address": "0x458180"
  1712. },
  1713. {
  1714. "name": "TlsFree",
  1715. "address": "0x458184"
  1716. },
  1717. {
  1718. "name": "TerminateProcess",
  1719. "address": "0x458188"
  1720. },
  1721. {
  1722. "name": "SetUnhandledExceptionFilter",
  1723. "address": "0x45818c"
  1724. },
  1725. {
  1726. "name": "UnhandledExceptionFilter",
  1727. "address": "0x458190"
  1728. },
  1729. {
  1730. "name": "SetLastError",
  1731. "address": "0x458194"
  1732. },
  1733. {
  1734. "name": "GetCPInfo",
  1735. "address": "0x458198"
  1736. },
  1737. {
  1738. "name": "GetOEMCP",
  1739. "address": "0x45819c"
  1740. },
  1741. {
  1742. "name": "GetACP",
  1743. "address": "0x4581a0"
  1744. },
  1745. {
  1746. "name": "IsValidCodePage",
  1747. "address": "0x4581a4"
  1748. },
  1749. {
  1750. "name": "GetCurrentThreadId",
  1751. "address": "0x4581a8"
  1752. },
  1753. {
  1754. "name": "SetStdHandle",
  1755. "address": "0x4581ac"
  1756. },
  1757. {
  1758. "name": "SetConsoleMode",
  1759. "address": "0x4581b0"
  1760. },
  1761. {
  1762. "name": "ReadConsoleInputA",
  1763. "address": "0x4581b4"
  1764. },
  1765. {
  1766. "name": "GetSystemWindowsDirectoryW",
  1767. "address": "0x4581b8"
  1768. },
  1769. {
  1770. "name": "ExpandEnvironmentStringsW",
  1771. "address": "0x4581bc"
  1772. },
  1773. {
  1774. "name": "SetEnvironmentVariableW",
  1775. "address": "0x4581c0"
  1776. },
  1777. {
  1778. "name": "TlsSetValue",
  1779. "address": "0x4581c4"
  1780. },
  1781. {
  1782. "name": "ExitProcess",
  1783. "address": "0x4581c8"
  1784. },
  1785. {
  1786. "name": "TlsAlloc",
  1787. "address": "0x4581cc"
  1788. },
  1789. {
  1790. "name": "lstrlenW",
  1791. "address": "0x4581d0"
  1792. },
  1793. {
  1794. "name": "FormatMessageA",
  1795. "address": "0x4581d4"
  1796. },
  1797. {
  1798. "name": "GetFileTime",
  1799. "address": "0x4581d8"
  1800. },
  1801. {
  1802. "name": "WriteFile",
  1803. "address": "0x4581dc"
  1804. },
  1805. {
  1806. "name": "GetFileSize",
  1807. "address": "0x4581e0"
  1808. },
  1809. {
  1810. "name": "InitializeCriticalSection",
  1811. "address": "0x4581e4"
  1812. },
  1813. {
  1814. "name": "SetErrorMode",
  1815. "address": "0x4581e8"
  1816. },
  1817. {
  1818. "name": "ExitThread",
  1819. "address": "0x4581ec"
  1820. },
  1821. {
  1822. "name": "GetCurrentProcess",
  1823. "address": "0x4581f0"
  1824. },
  1825. {
  1826. "name": "OpenProcess",
  1827. "address": "0x4581f4"
  1828. },
  1829. {
  1830. "name": "GetLongPathNameW",
  1831. "address": "0x4581f8"
  1832. },
  1833. {
  1834. "name": "GetVersion",
  1835. "address": "0x4581fc"
  1836. },
  1837. {
  1838. "name": "TlsGetValue",
  1839. "address": "0x458200"
  1840. },
  1841. {
  1842. "name": "GetModuleFileNameW",
  1843. "address": "0x458204"
  1844. },
  1845. {
  1846. "name": "GetCommandLineW",
  1847. "address": "0x458208"
  1848. },
  1849. {
  1850. "name": "GetStdHandle",
  1851. "address": "0x45820c"
  1852. },
  1853. {
  1854. "name": "GetFileType",
  1855. "address": "0x458210"
  1856. },
  1857. {
  1858. "name": "LocalFree",
  1859. "address": "0x458214"
  1860. },
  1861. {
  1862. "name": "LocalAlloc",
  1863. "address": "0x458218"
  1864. },
  1865. {
  1866. "name": "GetDateFormatW",
  1867. "address": "0x45821c"
  1868. },
  1869. {
  1870. "name": "GetTimeFormatW",
  1871. "address": "0x458220"
  1872. },
  1873. {
  1874. "name": "GetModuleHandleW",
  1875. "address": "0x458224"
  1876. },
  1877. {
  1878. "name": "FormatMessageW",
  1879. "address": "0x458228"
  1880. },
  1881. {
  1882. "name": "FileTimeToSystemTime",
  1883. "address": "0x45822c"
  1884. },
  1885. {
  1886. "name": "FileTimeToLocalFileTime",
  1887. "address": "0x458230"
  1888. },
  1889. {
  1890. "name": "MulDiv",
  1891. "address": "0x458234"
  1892. },
  1893. {
  1894. "name": "ReadFile",
  1895. "address": "0x458238"
  1896. },
  1897. {
  1898. "name": "InterlockedIncrement",
  1899. "address": "0x45823c"
  1900. },
  1901. {
  1902. "name": "FindNextFileW",
  1903. "address": "0x458240"
  1904. },
  1905. {
  1906. "name": "FindFirstFileW",
  1907. "address": "0x458244"
  1908. },
  1909. {
  1910. "name": "GetFileAttributesW",
  1911. "address": "0x458248"
  1912. },
  1913. {
  1914. "name": "CreateFileW",
  1915. "address": "0x45824c"
  1916. },
  1917. {
  1918. "name": "LoadLibraryW",
  1919. "address": "0x458250"
  1920. },
  1921. {
  1922. "name": "FindClose",
  1923. "address": "0x458254"
  1924. },
  1925. {
  1926. "name": "Sleep",
  1927. "address": "0x458258"
  1928. },
  1929. {
  1930. "name": "GetLastError",
  1931. "address": "0x45825c"
  1932. },
  1933. {
  1934. "name": "GetProcAddress",
  1935. "address": "0x458260"
  1936. },
  1937. {
  1938. "name": "InterlockedDecrement",
  1939. "address": "0x458264"
  1940. },
  1941. {
  1942. "name": "CreateFileMappingW",
  1943. "address": "0x458268"
  1944. },
  1945. {
  1946. "name": "UnmapViewOfFile",
  1947. "address": "0x45826c"
  1948. },
  1949. {
  1950. "name": "MapViewOfFile",
  1951. "address": "0x458270"
  1952. },
  1953. {
  1954. "name": "CloseHandle",
  1955. "address": "0x458274"
  1956. },
  1957. {
  1958. "name": "GetFileSizeEx",
  1959. "address": "0x458278"
  1960. },
  1961. {
  1962. "name": "SetFilePointerEx",
  1963. "address": "0x45827c"
  1964. },
  1965. {
  1966. "name": "OutputDebugStringW",
  1967. "address": "0x458280"
  1968. },
  1969. {
  1970. "name": "WriteConsoleW",
  1971. "address": "0x458284"
  1972. },
  1973. {
  1974. "name": "ReadConsoleW",
  1975. "address": "0x458288"
  1976. },
  1977. {
  1978. "name": "SetEndOfFile",
  1979. "address": "0x45828c"
  1980. },
  1981. {
  1982. "name": "lstrlenA",
  1983. "address": "0x458290"
  1984. },
  1985. {
  1986. "name": "EncodePointer",
  1987. "address": "0x458294"
  1988. },
  1989. {
  1990. "name": "IsProcessorFeaturePresent",
  1991. "address": "0x458298"
  1992. },
  1993. {
  1994. "name": "WaitForSingleObject",
  1995. "address": "0x45829c"
  1996. },
  1997. {
  1998. "name": "GetConsoleMode",
  1999. "address": "0x4582a0"
  2000. },
  2001. {
  2002. "name": "WideCharToMultiByte",
  2003. "address": "0x4582a4"
  2004. },
  2005. {
  2006. "name": "GetModuleHandleExW",
  2007. "address": "0x4582a8"
  2008. },
  2009. {
  2010. "name": "IsDebuggerPresent",
  2011. "address": "0x4582ac"
  2012. }
  2013. ],
  2014. "dll": "KERNEL32.dll"
  2015. },
  2016. {
  2017. "imports": [
  2018. {
  2019. "name": "DialogBoxIndirectParamW",
  2020. "address": "0x4582f0"
  2021. },
  2022. {
  2023. "name": "MessageBoxW",
  2024. "address": "0x4582f4"
  2025. },
  2026. {
  2027. "name": "GetDlgItem",
  2028. "address": "0x4582f8"
  2029. },
  2030. {
  2031. "name": "SetWindowTextW",
  2032. "address": "0x4582fc"
  2033. },
  2034. {
  2035. "name": "SetCursor",
  2036. "address": "0x458300"
  2037. },
  2038. {
  2039. "name": "EndDialog",
  2040. "address": "0x458304"
  2041. },
  2042. {
  2043. "name": "SendMessageW",
  2044. "address": "0x458308"
  2045. },
  2046. {
  2047. "name": "InflateRect",
  2048. "address": "0x45830c"
  2049. },
  2050. {
  2051. "name": "LoadCursorW",
  2052. "address": "0x458310"
  2053. },
  2054. {
  2055. "name": "GetMenu",
  2056. "address": "0x458314"
  2057. },
  2058. {
  2059. "name": "CheckMenuItem",
  2060. "address": "0x458318"
  2061. },
  2062. {
  2063. "name": "GetSubMenu",
  2064. "address": "0x45831c"
  2065. },
  2066. {
  2067. "name": "DeleteMenu",
  2068. "address": "0x458320"
  2069. },
  2070. {
  2071. "name": "GetSysColorBrush",
  2072. "address": "0x458324"
  2073. },
  2074. {
  2075. "name": "PostMessageW",
  2076. "address": "0x458328"
  2077. },
  2078. {
  2079. "name": "LoadStringW",
  2080. "address": "0x45832c"
  2081. },
  2082. {
  2083. "name": "DestroyIcon",
  2084. "address": "0x458330"
  2085. },
  2086. {
  2087. "name": "LoadIconW",
  2088. "address": "0x458334"
  2089. },
  2090. {
  2091. "name": "InsertMenuW",
  2092. "address": "0x458338"
  2093. }
  2094. ],
  2095. "dll": "USER32.dll"
  2096. },
  2097. {
  2098. "imports": [
  2099. {
  2100. "name": "DeleteObject",
  2101. "address": "0x4580c4"
  2102. },
  2103. {
  2104. "name": "EndPage",
  2105. "address": "0x4580c8"
  2106. },
  2107. {
  2108. "name": "StartPage",
  2109. "address": "0x4580cc"
  2110. },
  2111. {
  2112. "name": "StartDocW",
  2113. "address": "0x4580d0"
  2114. },
  2115. {
  2116. "name": "SetMapMode",
  2117. "address": "0x4580d4"
  2118. },
  2119. {
  2120. "name": "GetDeviceCaps",
  2121. "address": "0x4580d8"
  2122. },
  2123. {
  2124. "name": "DeleteDC",
  2125. "address": "0x4580dc"
  2126. },
  2127. {
  2128. "name": "CreateCompatibleDC",
  2129. "address": "0x4580e0"
  2130. },
  2131. {
  2132. "name": "EndDoc",
  2133. "address": "0x4580e4"
  2134. }
  2135. ],
  2136. "dll": "GDI32.dll"
  2137. },
  2138. {
  2139. "imports": [
  2140. {
  2141. "name": "PrintDlgW",
  2142. "address": "0x4580a8"
  2143. }
  2144. ],
  2145. "dll": "COMDLG32.dll"
  2146. },
  2147. {
  2148. "imports": [
  2149. {
  2150. "name": "QueryServiceConfig2W",
  2151. "address": "0x458000"
  2152. },
  2153. {
  2154. "name": "GetServiceDisplayNameW",
  2155. "address": "0x458004"
  2156. },
  2157. {
  2158. "name": "RegQueryValueW",
  2159. "address": "0x458008"
  2160. },
  2161. {
  2162. "name": "CryptAcquireContextW",
  2163. "address": "0x45800c"
  2164. },
  2165. {
  2166. "name": "CryptReleaseContext",
  2167. "address": "0x458010"
  2168. },
  2169. {
  2170. "name": "CryptGetHashParam",
  2171. "address": "0x458014"
  2172. },
  2173. {
  2174. "name": "CryptCreateHash",
  2175. "address": "0x458018"
  2176. },
  2177. {
  2178. "name": "CryptHashData",
  2179. "address": "0x45801c"
  2180. },
  2181. {
  2182. "name": "CryptDestroyHash",
  2183. "address": "0x458020"
  2184. },
  2185. {
  2186. "name": "RegCloseKey",
  2187. "address": "0x458024"
  2188. },
  2189. {
  2190. "name": "RegOpenKeyExW",
  2191. "address": "0x458028"
  2192. },
  2193. {
  2194. "name": "RegQueryValueExW",
  2195. "address": "0x45802c"
  2196. },
  2197. {
  2198. "name": "CloseServiceHandle",
  2199. "address": "0x458030"
  2200. },
  2201. {
  2202. "name": "RegUnLoadKeyW",
  2203. "address": "0x458034"
  2204. },
  2205. {
  2206. "name": "RegQueryInfoKeyW",
  2207. "address": "0x458038"
  2208. },
  2209. {
  2210. "name": "RegLoadKeyW",
  2211. "address": "0x45803c"
  2212. },
  2213. {
  2214. "name": "RegEnumValueW",
  2215. "address": "0x458040"
  2216. },
  2217. {
  2218. "name": "RegEnumKeyW",
  2219. "address": "0x458044"
  2220. },
  2221. {
  2222. "name": "RegDeleteKeyW",
  2223. "address": "0x458048"
  2224. },
  2225. {
  2226. "name": "DuplicateTokenEx",
  2227. "address": "0x45804c"
  2228. },
  2229. {
  2230. "name": "ImpersonateLoggedOnUser",
  2231. "address": "0x458050"
  2232. },
  2233. {
  2234. "name": "LookupPrivilegeValueW",
  2235. "address": "0x458054"
  2236. },
  2237. {
  2238. "name": "LookupAccountNameW",
  2239. "address": "0x458058"
  2240. },
  2241. {
  2242. "name": "LookupAccountSidW",
  2243. "address": "0x45805c"
  2244. },
  2245. {
  2246. "name": "FreeSid",
  2247. "address": "0x458060"
  2248. },
  2249. {
  2250. "name": "AllocateAndInitializeSid",
  2251. "address": "0x458064"
  2252. },
  2253. {
  2254. "name": "EqualSid",
  2255. "address": "0x458068"
  2256. },
  2257. {
  2258. "name": "AdjustTokenPrivileges",
  2259. "address": "0x45806c"
  2260. },
  2261. {
  2262. "name": "GetTokenInformation",
  2263. "address": "0x458070"
  2264. },
  2265. {
  2266. "name": "OpenProcessToken",
  2267. "address": "0x458074"
  2268. },
  2269. {
  2270. "name": "RevertToSelf",
  2271. "address": "0x458078"
  2272. },
  2273. {
  2274. "name": "RegOpenKeyW",
  2275. "address": "0x45807c"
  2276. },
  2277. {
  2278. "name": "RegCreateKeyW",
  2279. "address": "0x458080"
  2280. },
  2281. {
  2282. "name": "RegSetValueExW",
  2283. "address": "0x458084"
  2284. },
  2285. {
  2286. "name": "RegDeleteValueW",
  2287. "address": "0x458088"
  2288. },
  2289. {
  2290. "name": "RegCreateKeyExW",
  2291. "address": "0x45808c"
  2292. },
  2293. {
  2294. "name": "OpenServiceW",
  2295. "address": "0x458090"
  2296. },
  2297. {
  2298. "name": "OpenSCManagerW",
  2299. "address": "0x458094"
  2300. }
  2301. ],
  2302. "dll": "ADVAPI32.dll"
  2303. },
  2304. {
  2305. "imports": [
  2306. {
  2307. "name": "ShellExecuteW",
  2308. "address": "0x4582d4"
  2309. },
  2310. {
  2311. "name": "SHGetFileInfoW",
  2312. "address": "0x4582d8"
  2313. },
  2314. {
  2315. "name": "SHGetFolderPathW",
  2316. "address": "0x4582dc"
  2317. }
  2318. ],
  2319. "dll": "SHELL32.dll"
  2320. },
  2321. {
  2322. "imports": [
  2323. {
  2324. "name": "CoUninitialize",
  2325. "address": "0x45839c"
  2326. },
  2327. {
  2328. "name": "CoCreateInstance",
  2329. "address": "0x4583a0"
  2330. },
  2331. {
  2332. "name": "CoInitializeEx",
  2333. "address": "0x4583a4"
  2334. },
  2335. {
  2336. "name": "CoTaskMemFree",
  2337. "address": "0x4583a8"
  2338. },
  2339. {
  2340. "name": "CoMarshalInterThreadInterfaceInStream",
  2341. "address": "0x4583ac"
  2342. },
  2343. {
  2344. "name": "CoGetInterfaceAndReleaseStream",
  2345. "address": "0x4583b0"
  2346. }
  2347. ],
  2348. "dll": "ole32.dll"
  2349. },
  2350. {
  2351. "imports": [
  2352. {
  2353. "name": "VariantChangeType",
  2354. "address": "0x4582b4"
  2355. },
  2356. {
  2357. "name": "VariantInit",
  2358. "address": "0x4582b8"
  2359. },
  2360. {
  2361. "name": "SysAllocString",
  2362. "address": "0x4582bc"
  2363. },
  2364. {
  2365. "name": "SysFreeString",
  2366. "address": "0x4582c0"
  2367. },
  2368. {
  2369. "name": "VariantClear",
  2370. "address": "0x4582c4"
  2371. },
  2372. {
  2373. "name": "SysStringLen",
  2374. "address": "0x4582c8"
  2375. },
  2376. {
  2377. "name": "SysAllocStringByteLen",
  2378. "address": "0x4582cc"
  2379. }
  2380. ],
  2381. "dll": "OLEAUT32.dll"
  2382. },
  2383. {
  2384. "imports": [
  2385. {
  2386. "name": "UrlUnescapeW",
  2387. "address": "0x4582e4"
  2388. },
  2389. {
  2390. "name": null,
  2391. "address": "0x4582e8"
  2392. }
  2393. ],
  2394. "dll": "SHLWAPI.dll"
  2395. },
  2396. {
  2397. "imports": [
  2398. {
  2399. "name": "WinHttpReadData",
  2400. "address": "0x458350"
  2401. },
  2402. {
  2403. "name": "WinHttpOpen",
  2404. "address": "0x458354"
  2405. },
  2406. {
  2407. "name": "WinHttpCloseHandle",
  2408. "address": "0x458358"
  2409. },
  2410. {
  2411. "name": "WinHttpConnect",
  2412. "address": "0x45835c"
  2413. },
  2414. {
  2415. "name": "WinHttpGetProxyForUrl",
  2416. "address": "0x458360"
  2417. },
  2418. {
  2419. "name": "WinHttpQueryHeaders",
  2420. "address": "0x458364"
  2421. },
  2422. {
  2423. "name": "WinHttpReceiveResponse",
  2424. "address": "0x458368"
  2425. },
  2426. {
  2427. "name": "WinHttpSendRequest",
  2428. "address": "0x45836c"
  2429. },
  2430. {
  2431. "name": "WinHttpOpenRequest",
  2432. "address": "0x458370"
  2433. },
  2434. {
  2435. "name": "WinHttpSetOption",
  2436. "address": "0x458374"
  2437. },
  2438. {
  2439. "name": "WinHttpQueryDataAvailable",
  2440. "address": "0x458378"
  2441. },
  2442. {
  2443. "name": "WinHttpWriteData",
  2444. "address": "0x45837c"
  2445. }
  2446. ],
  2447. "dll": "WINHTTP.dll"
  2448. }
  2449. ],
  2450. "digital_signers": null,
  2451. "exported_dll_name": null,
  2452. "actual_checksum": "0x000a76d3",
  2453. "overlay": {
  2454. "size": "0x00003e30",
  2455. "offset": "0x00099c00"
  2456. },
  2457. "imagebase": "0x00400000",
  2458. "reported_checksum": "0x000a76d3",
  2459. "icon_hash": null,
  2460. "entrypoint": "0x004408dd",
  2461. "timestamp": "2019-02-18 21:14:31",
  2462. "osversion": "5.1",
  2463. "sections": [
  2464. {
  2465. "name": ".text",
  2466. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2467. "virtual_address": "0x00001000",
  2468. "size_of_data": "0x00056200",
  2469. "entropy": "6.41",
  2470. "raw_address": "0x00000400",
  2471. "virtual_size": "0x00056116",
  2472. "characteristics_raw": "0x60000020"
  2473. },
  2474. {
  2475. "name": ".rdata",
  2476. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2477. "virtual_address": "0x00058000",
  2478. "size_of_data": "0x0001fc00",
  2479. "entropy": "4.62",
  2480. "raw_address": "0x00056600",
  2481. "virtual_size": "0x0001fa98",
  2482. "characteristics_raw": "0x40000040"
  2483. },
  2484. {
  2485. "name": ".data",
  2486. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2487. "virtual_address": "0x00078000",
  2488. "size_of_data": "0x00003c00",
  2489. "entropy": "2.44",
  2490. "raw_address": "0x00076200",
  2491. "virtual_size": "0x00007668",
  2492. "characteristics_raw": "0xc0000040"
  2493. },
  2494. {
  2495. "name": ".rsrc",
  2496. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2497. "virtual_address": "0x00080000",
  2498. "size_of_data": "0x0001a400",
  2499. "entropy": "4.82",
  2500. "raw_address": "0x00079e00",
  2501. "virtual_size": "0x0001a3a8",
  2502. "characteristics_raw": "0x40000040"
  2503. },
  2504. {
  2505. "name": ".reloc",
  2506. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  2507. "virtual_address": "0x0009b000",
  2508. "size_of_data": "0x00005a00",
  2509. "entropy": "6.70",
  2510. "raw_address": "0x00094200",
  2511. "virtual_size": "0x000059f8",
  2512. "characteristics_raw": "0x42000040"
  2513. }
  2514. ],
  2515. "resources": [],
  2516. "dirents": [
  2517. {
  2518. "virtual_address": "0x00000000",
  2519. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2520. "size": "0x00000000"
  2521. },
  2522. {
  2523. "virtual_address": "0x0007653c",
  2524. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2525. "size": "0x00000140"
  2526. },
  2527. {
  2528. "virtual_address": "0x00080000",
  2529. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2530. "size": "0x0001a3a8"
  2531. },
  2532. {
  2533. "virtual_address": "0x00000000",
  2534. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2535. "size": "0x00000000"
  2536. },
  2537. {
  2538. "virtual_address": "0x00099c00",
  2539. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2540. "size": "0x00003e30"
  2541. },
  2542. {
  2543. "virtual_address": "0x0009b000",
  2544. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2545. "size": "0x000059f8"
  2546. },
  2547. {
  2548. "virtual_address": "0x00058480",
  2549. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2550. "size": "0x00000038"
  2551. },
  2552. {
  2553. "virtual_address": "0x00000000",
  2554. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2555. "size": "0x00000000"
  2556. },
  2557. {
  2558. "virtual_address": "0x00000000",
  2559. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2560. "size": "0x00000000"
  2561. },
  2562. {
  2563. "virtual_address": "0x00000000",
  2564. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2565. "size": "0x00000000"
  2566. },
  2567. {
  2568. "virtual_address": "0x000707a0",
  2569. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2570. "size": "0x00000040"
  2571. },
  2572. {
  2573. "virtual_address": "0x00000000",
  2574. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2575. "size": "0x00000000"
  2576. },
  2577. {
  2578. "virtual_address": "0x00058000",
  2579. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2580. "size": "0x000003b8"
  2581. },
  2582. {
  2583. "virtual_address": "0x00000000",
  2584. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2585. "size": "0x00000000"
  2586. },
  2587. {
  2588. "virtual_address": "0x00000000",
  2589. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2590. "size": "0x00000000"
  2591. },
  2592. {
  2593. "virtual_address": "0x00000000",
  2594. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2595. "size": "0x00000000"
  2596. }
  2597. ],
  2598. "exports": [],
  2599. "guest_signers": {},
  2600. "imphash": "3beeae58675be450ff0da1b20500c997",
  2601. "icon_fuzzy": null,
  2602. "icon": null,
  2603. "pdbpath": "C:\\agent\\_work\\3\\s\\Win32\\Release Console\\autorunsc.pdb",
  2604. "imported_dll_count": 15,
  2605. "versioninfo": []
  2606. }
  2607. }