[*] MalFamily: "Meretam" [*] MalScore: 10.0 [*] File Name: "log_install.tmp" [*] File Size: 663552 [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows" [*] SHA256: "3704bf7feb848e9e83db0e70d4a84a74cefc2a72da36aaa747e91986668c24a0" [*] MD5: "b212e24c37596cab9338cfdd78566395" [*] SHA1: "d33659cdd8a4f50e2d5227c47502852940f3c0d5" [*] SHA512: "aba60b089c858b914071cced3f7b7211478921d195c471f7e7baca0e4adb0962c8c03cdf8530863ae5e62c562316baf2d7e9b5769a7cbfa0009e6d224d1508a2" [*] CRC32: "DFAAE54E" [*] SSDEEP: "12288:2/TrrruOOW1BRCncwMqvVYhDpPd6JXyDTyC3Cnzi4ywPbmopfTM43fTOSDcMk4YI:eeOVonMyVQDpPdoXiTTye9wjp3i5x" [*] Process Execution: [ "log_install.tmp", "cmd.exe", "powershell.exe", "cmd.exe", "sc.exe", "cmd.exe", "sc.exe", "cmd.exe", "sc.exe", "cmd.exe", "sc.exe", "cmd.exe", "powershell.exe", "nqg_iputann.exe", "cmd.exe", "powershell.exe", "cmd.exe", "sc.exe", "cmd.exe", "sc.exe", "svchost.exe", "svchost.exe", "WMIADAP.exe", "svchost.exe", "WmiPrvSE.exe", "svchost.exe" ] [*] Signatures Detected: [ { "Description": "Creates RWX memory", "Details": [] }, { "Description": "Possible date expiration check, exits too soon after checking local time", "Details": [ { "process": "cmd.exe, PID 2492" } ] }, { "Description": "Reads data out of its own binary image", "Details": [ { "self_read": "process: log_install.tmp, pid: 1812, offset: 0x00000000, length: 0x000a2000" } ] }, { "Description": "A process created a hidden window", "Details": [ { "Process": "log_install.tmp -> cmd" }, { "Process": "log_install.tmp -> cmd" }, { "Process": "log_install.tmp -> cmd" }, { "Process": "nqg_iputann.exe -> cmd" }, { "Process": "nqg_iputann.exe -> cmd" }, { "Process": "nqg_iputann.exe -> cmd" }, { "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE" } ] }, { "Description": "File has been identified by 8 Antiviruses on VirusTotal as malicious", "Details": [ { "McAfee": "Artemis!B212E24C3759" }, { "Kaspersky": "UDS:DangerousObject.Multi.Generic" }, { "McAfee-GW-Edition": "Artemis" }, { "Webroot": "W32.Adware.Gen" }, { "ZoneAlarm": "UDS:DangerousObject.Multi.Generic" }, { "Microsoft": "Trojan:Win32/MereTam.A" }, { "Ikarus": "Trojan.Win32.Trickbot" }, { "Paloalto": "generic.ml" } ] }, { "Description": "Drops a binary and executes it", "Details": [ { "binary": "C:\\Users\\user\\AppData\\Roaming\\diskram\\nqg_iputann.exe" } ] }, { "Description": "Attempts to stop active services", "Details": [ { "servicename": "WinDefend" } ] }, { "Description": "Spoofs its process name and/or associated pathname to appear as a legitimate process", "Details": [ { "modified_name": "svchost.exe", "modified_path": "C:\\Users\\user\\AppData\\Roaming\\diskram\\nqg_iputann.exe", "original_name": "svchost.exe", "original_path": "C:\\Windows\\system32\\svchost.exe" } ] }, { "Description": "Creates a hidden or system file", "Details": [ { "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFcc8329.TMP" }, { "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFcc3279.TMP" } ] }, { "Description": "Creates a copy of itself", "Details": [ { "copy": "C:\\Users\\user\\AppData\\Roaming\\diskram\\nqg_iputann.exe" } ] }, { "Description": "Attempts to disable Windows Defender", "Details": [] } ] [*] Started Service: [] [*] Executed Commands: [ "\"C:\\Windows\\System32\\cmd.exe\" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true", "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true", "\"C:\\Windows\\System32\\cmd.exe\" /c sc stop WinDefend", "cmd /c sc stop WinDefend", "\"C:\\Windows\\System32\\cmd.exe\" /c sc delete WinDefend", "cmd /c sc delete WinDefend", "C:\\Windows\\system32\\cmd.exe /c sc stop WinDefend", "C:\\Windows\\system32\\cmd.exe /c sc delete WinDefend", "C:\\Windows\\system32\\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true", "C:\\Users\\user\\AppData\\Roaming\\diskram\\nqg_iputann.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true", "sc stop WinDefend", "sc delete WinDefend", "C:\\Windows\\system32\\svchost.exe", "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R", "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" ] [*] Mutexes: [ "Local\\ZoneAttributeCacheCounterMutex", "Local\\ZonesCacheCounterMutex", "Local\\ZonesLockedCacheCounterMutex", "Global\\CLR_CASOFF_MUTEX", "Global\\838B6C9EB27932960", "Global\\ADAP_WMI_ENTRY", "Global\\RefreshRA_Mutex", "Global\\RefreshRA_Mutex_Lib", "Global\\RefreshRA_Mutex_Flag" ] [*] Modified Files: [ "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-0000000000-0000000000-0000000000-1000\\00000000-0000-0000-0000-000000000000b_00000000-0000-0000-0000-000000000000", "C:\\Users\\user\\AppData\\Roaming\\diskram\\nqg_iputann.exe", "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk", "\\??\\PIPE\\srvsvc", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\Y7U9MWEWETCC7N6VFREO.temp", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFcc8329.TMP", "C:\\Windows\\SysWOW64\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5ROSX7Z4TVYIA5B4EY57.temp", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms", "C:\\Users\\user\\AppData\\Roaming\\diskram\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\6U38Z89V234RIAS798EG.temp", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFcc3279.TMP", "C:\\Windows\\sysnative\\Tasks\\BrowserDatStorage", "\\Device\\LanmanDatagramReceiver", "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h", "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h", "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.ini", "\\??\\PIPE\\samr", "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP", "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA", "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR", "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER", "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM", "\\??\\WMIDataDevice" ] [*] Deleted Files: [ "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFcc8329.TMP", "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1824.13402968", "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1824.13402984", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1824.13402984", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\5ROSX7Z4TVYIA5B4EY57.temp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2960.13404265", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2960.13404265", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2960.13404265", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RFcc3279.TMP", "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1732.13385312", "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1732.13385312", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1732.13385312", "C:\\Windows\\Tasks\\BrowserDatStorage.job", "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h", "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h" ] [*] Modified Registry Keys: [ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnRealtimeEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection", "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{7BDBAE40-CCF3-48B5-81E2-9A3E20D79899}\\Path", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{7BDBAE40-CCF3-48B5-81E2-9A3E20D79899}\\Hash", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\BrowserDatStorage\\Id", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\BrowserDatStorage\\Index", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{7BDBAE40-CCF3-48B5-81E2-9A3E20D79899}\\Triggers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{7BDBAE40-CCF3-48B5-81E2-9A3E20D79899}\\DynamicInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-{00000000-0000-0000-0000-000000000000}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dll[MofResourceName]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.mui[MofResourceName]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sys[ACPIMOFResource]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sys[MofResourceName]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sys[MofResource]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.mui[MofResource]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYS[PortclsMof]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]" ] [*] Deleted Registry Keys: [ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\BrowserDatStorage.job", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\BrowserDatStorage.job.fp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]" ] [*] DNS Communications: [] [*] Domains: [] [*] Network Communication - ICMP: [] [*] Network Communication - HTTP: [] [*] Network Communication - SMTP: [] [*] Network Communication - Hosts: [] [*] Network Communication - IRC: [] [*] Static Analysis: { "pe": { "peid_signatures": null, "imports": [ { "imports": [ { "name": "GetCommandLineA", "address": "0x448130" }, { "name": "TerminateProcess", "address": "0x448134" }, { "name": "HeapReAlloc", "address": "0x448138" }, { "name": "HeapSize", "address": "0x44813c" }, { "name": "HeapDestroy", "address": "0x448140" }, { "name": "HeapCreate", "address": "0x448144" }, { "name": "VirtualFree", "address": "0x448148" }, { "name": "IsBadWritePtr", "address": "0x44814c" }, { "name": "QueryPerformanceCounter", "address": "0x448150" }, { "name": "GetCurrentProcessId", "address": "0x448154" }, { "name": "SetUnhandledExceptionFilter", "address": "0x448158" }, { "name": "GetTimeZoneInformation", "address": "0x44815c" }, { "name": "GetStdHandle", "address": "0x448160" }, { "name": "UnhandledExceptionFilter", "address": "0x448164" }, { "name": "FreeEnvironmentStringsA", "address": "0x448168" }, { "name": "GetEnvironmentStrings", "address": "0x44816c" }, { "name": "GetStartupInfoA", "address": "0x448170" }, { "name": "GetEnvironmentStringsW", "address": "0x448174" }, { "name": "SetHandleCount", "address": "0x448178" }, { "name": "GetFileType", "address": "0x44817c" }, { "name": "LCMapStringA", "address": "0x448180" }, { "name": "LCMapStringW", "address": "0x448184" }, { "name": "GetStringTypeA", "address": "0x448188" }, { "name": "GetStringTypeW", "address": "0x44818c" }, { "name": "IsBadReadPtr", "address": "0x448190" }, { "name": "IsBadCodePtr", "address": "0x448194" }, { "name": "GetUserDefaultLCID", "address": "0x448198" }, { "name": "EnumSystemLocalesA", "address": "0x44819c" }, { "name": "IsValidLocale", "address": "0x4481a0" }, { "name": "IsValidCodePage", "address": "0x4481a4" }, { "name": "SetStdHandle", "address": "0x4481a8" }, { "name": "SetEnvironmentVariableA", "address": "0x4481ac" }, { "name": "GetLocaleInfoW", "address": "0x4481b0" }, { "name": "HeapFree", "address": "0x4481b4" }, { "name": "VirtualQuery", "address": "0x4481b8" }, { "name": "GetSystemInfo", "address": "0x4481bc" }, { "name": "VirtualAlloc", "address": "0x4481c0" }, { "name": "VirtualProtect", "address": "0x4481c4" }, { "name": "GetSystemTimeAsFileTime", "address": "0x4481c8" }, { "name": "ExitProcess", "address": "0x4481cc" }, { "name": "RtlUnwind", "address": "0x4481d0" }, { "name": "HeapAlloc", "address": "0x4481d4" }, { "name": "SetErrorMode", "address": "0x4481d8" }, { "name": "LocalFileTimeToFileTime", "address": "0x4481dc" }, { "name": "FileTimeToLocalFileTime", "address": "0x4481e0" }, { "name": "GetOEMCP", "address": "0x4481e4" }, { "name": "GetCPInfo", "address": "0x4481e8" }, { "name": "GetShortPathNameA", "address": "0x4481ec" }, { "name": "CreateFileA", "address": "0x4481f0" }, { "name": "GetVolumeInformationA", "address": "0x4481f4" }, { "name": "FindFirstFileA", "address": "0x4481f8" }, { "name": "FindClose", "address": "0x4481fc" }, { "name": "GetCurrentProcess", "address": "0x448200" }, { "name": "DuplicateHandle", "address": "0x448204" }, { "name": "GetFileSize", "address": "0x448208" }, { "name": "SetEndOfFile", "address": "0x44820c" }, { "name": "UnlockFile", "address": "0x448210" }, { "name": "LockFile", "address": "0x448214" }, { "name": "FlushFileBuffers", "address": "0x448218" }, { "name": "SetFilePointer", "address": "0x44821c" }, { "name": "WriteFile", "address": "0x448220" }, { "name": "ReadFile", "address": "0x448224" }, { "name": "DeleteFileA", "address": "0x448228" }, { "name": "MoveFileA", "address": "0x44822c" }, { "name": "TlsFree", "address": "0x448230" }, { "name": "LocalReAlloc", "address": "0x448234" }, { "name": "TlsSetValue", "address": "0x448238" }, { "name": "TlsAlloc", "address": "0x44823c" }, { "name": "TlsGetValue", "address": "0x448240" }, { "name": "EnterCriticalSection", "address": "0x448244" }, { "name": "GlobalHandle", "address": "0x448248" }, { "name": "GlobalReAlloc", "address": "0x44824c" }, { "name": "LeaveCriticalSection", "address": "0x448250" }, { "name": "LocalAlloc", "address": "0x448254" }, { "name": "InterlockedIncrement", "address": "0x448258" }, { "name": "GetCurrentDirectoryA", "address": "0x44825c" }, { "name": "GlobalFlags", "address": "0x448260" }, { "name": "InterlockedDecrement", "address": "0x448264" }, { "name": "SystemTimeToFileTime", "address": "0x448268" }, { "name": "FileTimeToSystemTime", "address": "0x44826c" }, { "name": "SetLastError", "address": "0x448270" }, { "name": "MulDiv", "address": "0x448274" }, { "name": "FormatMessageA", "address": "0x448278" }, { "name": "LocalFree", "address": "0x44827c" }, { "name": "GetDiskFreeSpaceA", "address": "0x448280" }, { "name": "GetFullPathNameA", "address": "0x448284" }, { "name": "GetTempFileNameA", "address": "0x448288" }, { "name": "GetFileTime", "address": "0x44828c" }, { "name": "SetFileTime", "address": "0x448290" }, { "name": "GetFileAttributesA", "address": "0x448294" }, { "name": "GlobalGetAtomNameA", "address": "0x448298" }, { "name": "GlobalFindAtomA", "address": "0x44829c" }, { "name": "lstrcatA", "address": "0x4482a0" }, { "name": "lstrcmpW", "address": "0x4482a4" }, { "name": "GetTickCount", "address": "0x4482a8" }, { "name": "GetPrivateProfileStringA", "address": "0x4482ac" }, { "name": "WritePrivateProfileStringA", "address": "0x4482b0" }, { "name": "GetPrivateProfileIntA", "address": "0x4482b4" }, { "name": "lstrcpynA", "address": "0x4482b8" }, { "name": "CloseHandle", "address": "0x4482bc" }, { "name": "GlobalAddAtomA", "address": "0x4482c0" }, { "name": "GetCurrentThread", "address": "0x4482c4" }, { "name": "GetCurrentThreadId", "address": "0x4482c8" }, { "name": "GlobalAlloc", "address": "0x4482cc" }, { "name": "FreeLibrary", "address": "0x4482d0" }, { "name": "GlobalDeleteAtom", "address": "0x4482d4" }, { "name": "lstrcmpA", "address": "0x4482d8" }, { "name": "GetModuleFileNameA", "address": "0x4482dc" }, { "name": "GetModuleHandleA", "address": "0x4482e0" }, { "name": "ConvertDefaultLocale", "address": "0x4482e4" }, { "name": "EnumResourceLanguagesA", "address": "0x4482e8" }, { "name": "lstrcpyA", "address": "0x4482ec" }, { "name": "GlobalLock", "address": "0x4482f0" }, { "name": "GlobalUnlock", "address": "0x4482f4" }, { "name": "GlobalFree", "address": "0x4482f8" }, { "name": "FreeResource", "address": "0x4482fc" }, { "name": "RaiseException", "address": "0x448300" }, { "name": "DeleteCriticalSection", "address": "0x448304" }, { "name": "InitializeCriticalSection", "address": "0x448308" }, { "name": "GetLastError", "address": "0x44830c" }, { "name": "lstrlenA", "address": "0x448310" }, { "name": "lstrcmpiA", "address": "0x448314" }, { "name": "GetStringTypeExA", "address": "0x448318" }, { "name": "CompareStringA", "address": "0x44831c" }, { "name": "CompareStringW", "address": "0x448320" }, { "name": "MultiByteToWideChar", "address": "0x448324" }, { "name": "GetVersion", "address": "0x448328" }, { "name": "WideCharToMultiByte", "address": "0x44832c" }, { "name": "LoadResource", "address": "0x448330" }, { "name": "LockResource", "address": "0x448334" }, { "name": "SizeofResource", "address": "0x448338" }, { "name": "FindResourceA", "address": "0x44833c" }, { "name": "GetThreadLocale", "address": "0x448340" }, { "name": "GetLocaleInfoA", "address": "0x448344" }, { "name": "GetACP", "address": "0x448348" }, { "name": "InterlockedExchange", "address": "0x44834c" }, { "name": "GetVersionExA", "address": "0x448350" }, { "name": "LoadLibraryA", "address": "0x448354" }, { "name": "FreeEnvironmentStringsW", "address": "0x448358" }, { "name": "GetProcAddress", "address": "0x44835c" } ], "dll": "KERNEL32.dll" }, { "imports": [ { "name": "LockWindowUpdate", "address": "0x4483cc" }, { "name": "RegisterWindowMessageA", "address": "0x4483d0" }, { "name": "WinHelpA", "address": "0x4483d4" }, { "name": "GetCapture", "address": "0x4483d8" }, { "name": "CreateWindowExA", "address": "0x4483dc" }, { "name": "GetClassLongA", "address": "0x4483e0" }, { "name": "GetClassInfoExA", "address": "0x4483e4" }, { "name": "GetClassNameA", "address": "0x4483e8" }, { "name": "SetPropA", "address": "0x4483ec" }, { "name": "GetPropA", "address": "0x4483f0" }, { "name": "RemovePropA", "address": "0x4483f4" }, { "name": "IsChild", "address": "0x4483f8" }, { "name": "GetForegroundWindow", "address": "0x4483fc" }, { "name": "BeginDeferWindowPos", "address": "0x448400" }, { "name": "EndDeferWindowPos", "address": "0x448404" }, { "name": "GetTopWindow", "address": "0x448408" }, { "name": "UnhookWindowsHookEx", "address": "0x44840c" }, { "name": "GetMessageTime", "address": "0x448410" }, { "name": "GetMessagePos", "address": "0x448414" }, { "name": "LoadIconA", "address": "0x448418" }, { "name": "MapWindowPoints", "address": "0x44841c" }, { "name": "ScrollWindow", "address": "0x448420" }, { "name": "TrackPopupMenu", "address": "0x448424" }, { "name": "SetScrollRange", "address": "0x448428" }, { "name": "GetScrollRange", "address": "0x44842c" }, { "name": "SetScrollPos", "address": "0x448430" }, { "name": "GetScrollPos", "address": "0x448434" }, { "name": "SetForegroundWindow", "address": "0x448438" }, { "name": "ShowScrollBar", "address": "0x44843c" }, { "name": "GetClientRect", "address": "0x448440" }, { "name": "GetMenu", "address": "0x448444" }, { "name": "GetSubMenu", "address": "0x448448" }, { "name": "GetMenuItemID", "address": "0x44844c" }, { "name": "GetMenuItemCount", "address": "0x448450" }, { "name": "GetSysColor", "address": "0x448454" }, { "name": "AdjustWindowRectEx", "address": "0x448458" }, { "name": "ScreenToClient", "address": "0x44845c" }, { "name": "EqualRect", "address": "0x448460" }, { "name": "DeferWindowPos", "address": "0x448464" }, { "name": "GetScrollInfo", "address": "0x448468" }, { "name": "SetScrollInfo", "address": "0x44846c" }, { "name": "GetClassInfoA", "address": "0x448470" }, { "name": "RegisterClassA", "address": "0x448474" }, { "name": "DefWindowProcA", "address": "0x448478" }, { "name": "CallWindowProcA", "address": "0x44847c" }, { "name": "OffsetRect", "address": "0x448480" }, { "name": "IntersectRect", "address": "0x448484" }, { "name": "SystemParametersInfoA", "address": "0x448488" }, { "name": "IsIconic", "address": "0x44848c" }, { "name": "GetWindowPlacement", "address": "0x448490" }, { "name": "GetWindowRect", "address": "0x448494" }, { "name": "CopyRect", "address": "0x448498" }, { "name": "PtInRect", "address": "0x44849c" }, { "name": "RegisterClipboardFormatA", "address": "0x4484a0" }, { "name": "GetWindow", "address": "0x4484a4" }, { "name": "SetWindowContextHelpId", "address": "0x4484a8" }, { "name": "MapDialogRect", "address": "0x4484ac" }, { "name": "wsprintfA", "address": "0x4484b0" }, { "name": "SetRect", "address": "0x4484b4" }, { "name": "GetWindowTextA", "address": "0x4484b8" }, { "name": "SetWindowPos", "address": "0x4484bc" }, { "name": "SetFocus", "address": "0x4484c0" }, { "name": "ShowWindow", "address": "0x4484c4" }, { "name": "MoveWindow", "address": "0x4484c8" }, { "name": "GetDCEx", "address": "0x4484cc" }, { "name": "GetDlgCtrlID", "address": "0x4484d0" }, { "name": "SetWindowTextA", "address": "0x4484d4" }, { "name": "IsDialogMessageA", "address": "0x4484d8" }, { "name": "IsDlgButtonChecked", "address": "0x4484dc" }, { "name": "SendDlgItemMessageA", "address": "0x4484e0" }, { "name": "SetMenuItemBitmaps", "address": "0x4484e4" }, { "name": "GetFocus", "address": "0x4484e8" }, { "name": "ModifyMenuA", "address": "0x4484ec" }, { "name": "GetMenuState", "address": "0x4484f0" }, { "name": "EnableMenuItem", "address": "0x4484f4" }, { "name": "CheckMenuItem", "address": "0x4484f8" }, { "name": "GetMenuCheckMarkDimensions", "address": "0x4484fc" }, { "name": "LoadBitmapA", "address": "0x448500" }, { "name": "SetWindowsHookExA", "address": "0x448504" }, { "name": "CallNextHookEx", "address": "0x448508" }, { "name": "GetMessageA", "address": "0x44850c" }, { "name": "TranslateMessage", "address": "0x448510" }, { "name": "DispatchMessageA", "address": "0x448514" }, { "name": "IsWindowVisible", "address": "0x448518" }, { "name": "GetKeyState", "address": "0x44851c" }, { "name": "PeekMessageA", "address": "0x448520" }, { "name": "GetCursorPos", "address": "0x448524" }, { "name": "ValidateRect", "address": "0x448528" }, { "name": "CharNextA", "address": "0x44852c" }, { "name": "DestroyIcon", "address": "0x448530" }, { "name": "GetSysColorBrush", "address": "0x448534" }, { "name": "EndPaint", "address": "0x448538" }, { "name": "BeginPaint", "address": "0x44853c" }, { "name": "GetWindowDC", "address": "0x448540" }, { "name": "GrayStringA", "address": "0x448544" }, { "name": "DrawTextExA", "address": "0x448548" }, { "name": "DrawTextA", "address": "0x44854c" }, { "name": "TabbedTextOutA", "address": "0x448550" }, { "name": "SetParent", "address": "0x448554" }, { "name": "GetSystemMenu", "address": "0x448558" }, { "name": "DeleteMenu", "address": "0x44855c" }, { "name": "MessageBoxA", "address": "0x448560" }, { "name": "GetLastActivePopup", "address": "0x448564" }, { "name": "ShowOwnedPopups", "address": "0x448568" }, { "name": "SetCursor", "address": "0x44856c" }, { "name": "PostMessageA", "address": "0x448570" }, { "name": "PostQuitMessage", "address": "0x448574" }, { "name": "GetDesktopWindow", "address": "0x448578" }, { "name": "GetActiveWindow", "address": "0x44857c" }, { "name": "SetActiveWindow", "address": "0x448580" }, { "name": "GetSystemMetrics", "address": "0x448584" }, { "name": "CreateDialogIndirectParamA", "address": "0x448588" }, { "name": "DestroyWindow", "address": "0x44858c" }, { "name": "IsWindow", "address": "0x448590" }, { "name": "GetWindowLongA", "address": "0x448594" }, { "name": "GetDlgItem", "address": "0x448598" }, { "name": "WindowFromPoint", "address": "0x44859c" }, { "name": "GetMenuItemInfoA", "address": "0x4485a0" }, { "name": "InflateRect", "address": "0x4485a4" }, { "name": "IsWindowEnabled", "address": "0x4485a8" }, { "name": "GetParent", "address": "0x4485ac" }, { "name": "GetNextDlgTabItem", "address": "0x4485b0" }, { "name": "EndDialog", "address": "0x4485b4" }, { "name": "UnregisterClassA", "address": "0x4485b8" }, { "name": "CharUpperA", "address": "0x4485bc" }, { "name": "SendMessageA", "address": "0x4485c0" }, { "name": "EnableWindow", "address": "0x4485c4" }, { "name": "UpdateWindow", "address": "0x4485c8" }, { "name": "PostThreadMessageA", "address": "0x4485cc" }, { "name": "MessageBeep", "address": "0x4485d0" }, { "name": "GetNextDlgGroupItem", "address": "0x4485d4" }, { "name": "InvalidateRgn", "address": "0x4485d8" }, { "name": "SetWindowLongA", "address": "0x4485dc" }, { "name": "CopyAcceleratorTableA", "address": "0x4485e0" }, { "name": "GetDC", "address": "0x4485e4" }, { "name": "ReleaseDC", "address": "0x4485e8" }, { "name": "IsZoomed", "address": "0x4485ec" }, { "name": "LoadMenuA", "address": "0x4485f0" }, { "name": "DestroyMenu", "address": "0x4485f4" }, { "name": "UnpackDDElParam", "address": "0x4485f8" }, { "name": "ReuseDDElParam", "address": "0x4485fc" }, { "name": "LoadAcceleratorsA", "address": "0x448600" }, { "name": "InsertMenuItemA", "address": "0x448604" }, { "name": "CreatePopupMenu", "address": "0x448608" }, { "name": "SetRectEmpty", "address": "0x44860c" }, { "name": "BringWindowToTop", "address": "0x448610" }, { "name": "SetMenu", "address": "0x448614" }, { "name": "TranslateAcceleratorA", "address": "0x448618" }, { "name": "ReleaseCapture", "address": "0x44861c" }, { "name": "LoadCursorA", "address": "0x448620" }, { "name": "SetCapture", "address": "0x448624" }, { "name": "KillTimer", "address": "0x448628" }, { "name": "SetTimer", "address": "0x44862c" }, { "name": "InvalidateRect", "address": "0x448630" }, { "name": "ClientToScreen", "address": "0x448634" }, { "name": "SetWindowRgn", "address": "0x448638" }, { "name": "DrawIcon", "address": "0x44863c" }, { "name": "FillRect", "address": "0x448640" }, { "name": "IsRectEmpty", "address": "0x448644" }, { "name": "FindWindowA", "address": "0x448648" }, { "name": "GetMenuStringA", "address": "0x44864c" }, { "name": "GetWindowTextLengthA", "address": "0x448650" }, { "name": "InsertMenuA", "address": "0x448654" }, { "name": "AppendMenuA", "address": "0x448658" } ], "dll": "USER32.dll" }, { "imports": [ { "name": "SetMapMode", "address": "0x448050" }, { "name": "ExcludeClipRect", "address": "0x448054" }, { "name": "IntersectClipRect", "address": "0x448058" }, { "name": "SelectClipRgn", "address": "0x44805c" }, { "name": "CreateRectRgn", "address": "0x448060" }, { "name": "GetViewportExtEx", "address": "0x448064" }, { "name": "GetWindowExtEx", "address": "0x448068" }, { "name": "BitBlt", "address": "0x44806c" }, { "name": "GetPixel", "address": "0x448070" }, { "name": "PtVisible", "address": "0x448074" }, { "name": "RectVisible", "address": "0x448078" }, { "name": "TextOutA", "address": "0x44807c" }, { "name": "ExtTextOutA", "address": "0x448080" }, { "name": "Escape", "address": "0x448084" }, { "name": "SetViewportOrgEx", "address": "0x448088" }, { "name": "OffsetViewportOrgEx", "address": "0x44808c" }, { "name": "SetViewportExtEx", "address": "0x448090" }, { "name": "ScaleViewportExtEx", "address": "0x448094" }, { "name": "ScaleWindowExtEx", "address": "0x448098" }, { "name": "ExtSelectClipRgn", "address": "0x44809c" }, { "name": "CreatePatternBrush", "address": "0x4480a0" }, { "name": "GetStockObject", "address": "0x4480a4" }, { "name": "CreateSolidBrush", "address": "0x4480a8" }, { "name": "CreateFontIndirectA", "address": "0x4480ac" }, { "name": "GetBkColor", "address": "0x4480b0" }, { "name": "GetTextColor", "address": "0x4480b4" }, { "name": "CreateRectRgnIndirect", "address": "0x4480b8" }, { "name": "GetRgnBox", "address": "0x4480bc" }, { "name": "PatBlt", "address": "0x4480c0" }, { "name": "SetRectRgn", "address": "0x4480c4" }, { "name": "CombineRgn", "address": "0x4480c8" }, { "name": "GetMapMode", "address": "0x4480cc" }, { "name": "SetBkMode", "address": "0x4480d0" }, { "name": "RestoreDC", "address": "0x4480d4" }, { "name": "SaveDC", "address": "0x4480d8" }, { "name": "CreateFontA", "address": "0x4480dc" }, { "name": "GetCharWidthA", "address": "0x4480e0" }, { "name": "DeleteObject", "address": "0x4480e4" }, { "name": "StretchDIBits", "address": "0x4480e8" }, { "name": "DeleteDC", "address": "0x4480ec" }, { "name": "GetTextExtentPoint32A", "address": "0x4480f0" }, { "name": "GetTextMetricsA", "address": "0x4480f4" }, { "name": "SelectObject", "address": "0x4480f8" }, { "name": "CreateCompatibleDC", "address": "0x4480fc" }, { "name": "CreateCompatibleBitmap", "address": "0x448100" }, { "name": "Ellipse", "address": "0x448104" }, { "name": "LPtoDP", "address": "0x448108" }, { "name": "CreateEllipticRgn", "address": "0x44810c" }, { "name": "GetDeviceCaps", "address": "0x448110" }, { "name": "GetObjectA", "address": "0x448114" }, { "name": "SetBkColor", "address": "0x448118" }, { "name": "SetTextColor", "address": "0x44811c" }, { "name": "GetClipBox", "address": "0x448120" }, { "name": "SetWindowExtEx", "address": "0x448124" }, { "name": "CreateBitmap", "address": "0x448128" } ], "dll": "GDI32.dll" }, { "imports": [ { "name": "GetSaveFileNameA", "address": "0x448670" }, { "name": "GetFileTitleA", "address": "0x448674" }, { "name": "GetOpenFileNameA", "address": "0x448678" } ], "dll": "comdlg32.dll" }, { "imports": [ { "name": "OpenPrinterA", "address": "0x448660" }, { "name": "DocumentPropertiesA", "address": "0x448664" }, { "name": "ClosePrinter", "address": "0x448668" } ], "dll": "WINSPOOL.DRV" }, { "imports": [ { "name": "RegSetValueA", "address": "0x448000" }, { "name": "RegQueryValueExA", "address": "0x448004" }, { "name": "RegOpenKeyExA", "address": "0x448008" }, { "name": "RegDeleteKeyA", "address": "0x44800c" }, { "name": "RegEnumKeyA", "address": "0x448010" }, { "name": "RegOpenKeyA", "address": "0x448014" }, { "name": "RegQueryValueA", "address": "0x448018" }, { "name": "RegCreateKeyExA", "address": "0x44801c" }, { "name": "RegSetValueExA", "address": "0x448020" }, { "name": "RegDeleteValueA", "address": "0x448024" }, { "name": "SetFileSecurityA", "address": "0x448028" }, { "name": "RegCreateKeyA", "address": "0x44802c" }, { "name": "RegCloseKey", "address": "0x448030" }, { "name": "GetFileSecurityA", "address": "0x448034" } ], "dll": "ADVAPI32.dll" }, { "imports": [ { "name": "DragFinish", "address": "0x44839c" }, { "name": "DragQueryFileA", "address": "0x4483a0" }, { "name": "ExtractIconA", "address": "0x4483a4" }, { "name": "SHGetFileInfoA", "address": "0x4483a8" }, { "name": "DragAcceptFiles", "address": "0x4483ac" } ], "dll": "SHELL32.dll" }, { "imports": [ { "name": null, "address": "0x44803c" }, { "name": "ImageList_Draw", "address": "0x448040" }, { "name": "ImageList_GetImageInfo", "address": "0x448044" }, { "name": "ImageList_Destroy", "address": "0x448048" } ], "dll": "COMCTL32.dll" }, { "imports": [ { "name": "PathRemoveExtensionA", "address": "0x4483b4" }, { "name": "PathFindFileNameA", "address": "0x4483b8" }, { "name": "PathStripToRootA", "address": "0x4483bc" }, { "name": "PathFindExtensionA", "address": "0x4483c0" }, { "name": "PathIsUNCA", "address": "0x4483c4" } ], "dll": "SHLWAPI.dll" }, { "imports": [ { "name": null, "address": "0x4486c0" } ], "dll": "oledlg.dll" }, { "imports": [ { "name": "CoGetClassObject", "address": "0x448680" }, { "name": "CoTaskMemAlloc", "address": "0x448684" }, { "name": "StgOpenStorageOnILockBytes", "address": "0x448688" }, { "name": "CoTaskMemFree", "address": "0x44868c" }, { "name": "OleInitialize", "address": "0x448690" }, { "name": "CoFreeUnusedLibraries", "address": "0x448694" }, { "name": "OleUninitialize", "address": "0x448698" }, { "name": "CLSIDFromString", "address": "0x44869c" }, { "name": "CLSIDFromProgID", "address": "0x4486a0" }, { "name": "StgCreateDocfileOnILockBytes", "address": "0x4486a4" }, { "name": "CreateILockBytesOnHGlobal", "address": "0x4486a8" }, { "name": "CoRevokeClassObject", "address": "0x4486ac" }, { "name": "OleIsCurrentClipboard", "address": "0x4486b0" }, { "name": "OleFlushClipboard", "address": "0x4486b4" }, { "name": "CoRegisterMessageFilter", "address": "0x4486b8" } ], "dll": "ole32.dll" }, { "imports": [ { "name": "VariantTimeToSystemTime", "address": "0x448364" }, { "name": "SysFreeString", "address": "0x448368" }, { "name": "SysAllocStringLen", "address": "0x44836c" }, { "name": "VariantClear", "address": "0x448370" }, { "name": "VariantChangeType", "address": "0x448374" }, { "name": "VariantInit", "address": "0x448378" }, { "name": "SysStringLen", "address": "0x44837c" }, { "name": "SysAllocStringByteLen", "address": "0x448380" }, { "name": "VariantCopy", "address": "0x448384" }, { "name": "SysAllocString", "address": "0x448388" }, { "name": "OleCreateFontIndirect", "address": "0x44838c" }, { "name": "SafeArrayDestroy", "address": "0x448390" }, { "name": "SystemTimeToVariantTime", "address": "0x448394" } ], "dll": "OLEAUT32.dll" } ], "digital_signers": null, "exported_dll_name": null, "actual_checksum": "0x000a30bc", "overlay": null, "imagebase": "0x00400000", "reported_checksum": "0x00000000", "icon_hash": null, "entrypoint": "0x00418c57", "timestamp": "2019-06-26 12:52:25", "osversion": "4.0", "sections": [ { "name": ".text", "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", "virtual_address": "0x00001000", "size_of_data": "0x00047000", "entropy": "6.52", "raw_address": "0x00001000", "virtual_size": "0x000468fb", "characteristics_raw": "0x60000020" }, { "name": ".rdata", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00048000", "size_of_data": "0x0004b000", "entropy": "6.24", "raw_address": "0x00048000", "virtual_size": "0x0004ae26", "characteristics_raw": "0x40000040" }, { "name": ".data", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "virtual_address": "0x00093000", "size_of_data": "0x00003000", "entropy": "3.96", "raw_address": "0x00093000", "virtual_size": "0x00006094", "characteristics_raw": "0xc0000040" }, { "name": ".rsrc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x0009a000", "size_of_data": "0x0000c000", "entropy": "4.94", "raw_address": "0x00096000", "virtual_size": "0x0000b578", "characteristics_raw": "0x40000040" } ], "resources": [], "dirents": [ { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXPORT", "size": "0x00000000" }, { "virtual_address": "0x00090a48", "name": "IMAGE_DIRECTORY_ENTRY_IMPORT", "size": "0x00000104" }, { "virtual_address": "0x0009a000", "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE", "size": "0x0000b578" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_SECURITY", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_DEBUG", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_TLS", "size": "0x00000000" }, { "virtual_address": "0x0008abe0", "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "size": "0x00000048" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00048000", "name": "IMAGE_DIRECTORY_ENTRY_IAT", "size": "0x000006c8" }, { "virtual_address": "0x00090998", "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", "size": "0x00000040" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_RESERVED", "size": "0x00000000" } ], "exports": [], "guest_signers": {}, "imphash": "7a377bb2d9e9a9d3215f8897afdc67d6", "icon_fuzzy": null, "icon": null, "pdbpath": null, "imported_dll_count": 12, "versioninfo": [] } } [*] Resolved APIs: [ "kernel32.dll.InitializeCriticalSectionAndSpinCount", "kernel32.dll.FlsAlloc", "kernel32.dll.FlsGetValue", "kernel32.dll.FlsSetValue", "kernel32.dll.FlsFree", "kernel32.dll.IsProcessorFeaturePresent", "user32.dll.NotifyWinEvent", "advapi32.dll.CryptAcquireContextA", "cryptsp.dll.CryptAcquireContextA", "kernel32.dll.CreateFileMappingA", "kernel32.dll.MapViewOfFile", "kernel32.dll.VirtualAlloc", "ntdll.dll.memcpy", "kernel32.dll.GetCurrentProcess", "kernel32.dll.CloseHandle", "advapi32.dll.OpenProcessToken", "advapi32.dll.GetTokenInformation", "kernel32.dll.Wow64EnableWow64FsRedirection", "advapi32.dll.RegCloseKey", "advapi32.dll.RegCreateKeyW", "advapi32.dll.RegOpenKeyExW", "advapi32.dll.RegSetValueExW", "shell32.dll.ShellExecuteA", "ole32.dll.OleInitialize", "cryptbase.dll.SystemFunction036", "ole32.dll.CreateBindCtx", "ole32.dll.CoTaskMemAlloc", "propsys.dll.PSCreateMemoryPropertyStore", "propsys.dll.PSPropertyBag_WriteDWORD", "ole32.dll.CoGetApartmentType", "ole32.dll.CoRegisterInitializeSpy", "ole32.dll.CoTaskMemFree", "comctl32.dll.#236", "oleaut32.dll.#6", "ole32.dll.CoGetMalloc", "propsys.dll.PSPropertyBag_ReadDWORD", "propsys.dll.PSPropertyBag_ReadGUID", "comctl32.dll.#320", "comctl32.dll.#324", "comctl32.dll.#323", "advapi32.dll.RegEnumKeyW", "advapi32.dll.OpenThreadToken", "ole32.dll.StringFromGUID2", "apphelp.dll.ApphelpCheckShellObject", "ole32.dll.CoCreateInstance", "urlmon.dll.CreateUri", "kernel32.dll.InitializeSRWLock", "kernel32.dll.AcquireSRWLockExclusive", "kernel32.dll.AcquireSRWLockShared", "kernel32.dll.ReleaseSRWLockExclusive", "kernel32.dll.ReleaseSRWLockShared", "comctl32.dll.#328", "comctl32.dll.#334", "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW", "oleaut32.dll.#2", "setupapi.dll.CM_Get_Device_Interface_List_ExW", "shell32.dll.#102", "comctl32.dll.#332", "propsys.dll.PSPropertyBag_ReadStrAlloc", "comctl32.dll.#386", "ole32.dll.CoInitializeEx", "advapi32.dll.InitializeSecurityDescriptor", "advapi32.dll.SetEntriesInAclW", "ntmarta.dll.GetMartaExtensionInterface", "advapi32.dll.SetSecurityDescriptorDacl", "advapi32.dll.IsTextUnicode", "comctl32.dll.#338", "comctl32.dll.#339", "ole32.dll.CoUninitialize", "sechost.dll.ConvertSidToStringSidW", "profapi.dll.#104", "propsys.dll.#430", "advapi32.dll.RegGetValueW", "ole32.dll.CoTaskMemRealloc", "propsys.dll.InitPropVariantFromStringAsVector", "propsys.dll.PSCoerceToCanonicalValue", "propsys.dll.PropVariantToStringAlloc", "ole32.dll.PropVariantClear", "ole32.dll.CoAllowSetForegroundWindow", "shell32.dll.SHGetFolderPathW", "advapi32.dll.SaferGetPolicyInformation", "ntdll.dll.RtlDllShutdownInProgress", "comctl32.dll.#329", "ole32.dll.OleUninitialize", "ole32.dll.CoRevokeInitializeSpy", "comctl32.dll.#388", "oleaut32.dll.#500", "advapi32.dll.CryptImportKey", "advapi32.dll.CryptEncrypt", "cryptsp.dll.CryptImportKey", "cryptbase.dll.SystemFunction040", "cryptbase.dll.SystemFunction041", "cryptsp.dll.CryptEncrypt", "advapi32.dll.UnregisterTraceGuids", "comctl32.dll.#321", "kernel32.dll.SetThreadUILanguage", "kernel32.dll.CopyFileExW", "kernel32.dll.IsDebuggerPresent", "kernel32.dll.SetConsoleInputExeNameW", "kernel32.dll.SortGetHandle", "kernel32.dll.SortCloseHandle", "uxtheme.dll.ThemeInitApiHook", "user32.dll.IsProcessDPIAware", "shell32.dll.#66", "comctl32.dll.#385", "comctl32.dll.#336", "comctl32.dll.#333", "linkinfo.dll.IsValidLinkInfo", "propsys.dll.#417", "propsys.dll.PSGetNameFromPropertyKey", "propsys.dll.PSStringFromPropertyKey", "propsys.dll.InitVariantFromBuffer", "oleaut32.dll.#9", "propsys.dll.PropVariantToGUID", "linkinfo.dll.CreateLinkInfoW", "user32.dll.IsCharAlphaW", "user32.dll.CharPrevW", "ntshrui.dll.GetNetResourceFromLocalPathW", "srvcli.dll.NetShareEnum", "cscapi.dll.CscNetApiGetInterface", "slc.dll.SLGetWindowsInformationDWORD", "shlwapi.dll.PathRemoveFileSpecW", "linkinfo.dll.DestroyLinkInfo", "propsys.dll.PropVariantToBoolean", "cryptsp.dll.CryptAcquireContextW", "cryptsp.dll.CryptGenRandom", "cryptsp.dll.CryptReleaseContext", "advapi32.dll.GetSecurityInfo", "advapi32.dll.SetSecurityInfo", "advapi32.dll.GetSecurityDescriptorControl", "advapi32.dll.RegQueryInfoKeyW", "advapi32.dll.RegEnumKeyExW", "advapi32.dll.RegEnumValueW", "advapi32.dll.RegQueryValueExW", "shlwapi.dll.UrlIsW", "msvcrt.dll._set_error_mode", "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z", "kernel32.dll.FindActCtxSectionStringW", "kernel32.dll.GetSystemWindowsDirectoryW", "mscoree.dll.GetProcessExecutableHeap", "mscorwks.dll.DllGetClassObjectInternal", "mscorwks.dll.GetCLRFunction", "advapi32.dll.RegisterTraceGuidsW", "advapi32.dll.GetTraceLoggerHandle", "advapi32.dll.GetTraceEnableLevel", "advapi32.dll.GetTraceEnableFlags", "advapi32.dll.TraceEvent", "mscoree.dll.IEE", "mscorwks.dll.IEE", "mscoree.dll.GetStartupFlags", "mscoree.dll.GetHostConfigurationFile", "mscoree.dll.GetCORSystemDirectory", "ntdll.dll.RtlVirtualUnwind", "kernel32.dll.IsWow64Process", "advapi32.dll.AllocateAndInitializeSid", "advapi32.dll.InitializeAcl", "advapi32.dll.AddAccessAllowedAce", "advapi32.dll.FreeSid", "kernel32.dll.SetThreadStackGuarantee", "kernel32.dll.AddVectoredContinueHandler", "kernel32.dll.RemoveVectoredContinueHandler", "advapi32.dll.ConvertSidToStringSidW", "kernel32.dll.FlushProcessWriteBuffers", "kernel32.dll.GetWriteWatch", "kernel32.dll.ResetWriteWatch", "kernel32.dll.CreateMemoryResourceNotification", "kernel32.dll.QueryMemoryResourceNotification", "kernel32.dll.GlobalMemoryStatusEx", "ole32.dll.CoGetContextToken", "oleaut32.dll.#149", "kernel32.dll.GetUserDefaultUILanguage", "kernel32.dll.GetVersionExW", "kernel32.dll.GetFullPathNameW", "kernel32.dll.SetErrorMode", "kernel32.dll.GetFileAttributesExW", "version.dll.GetFileVersionInfoSizeW", "version.dll.GetFileVersionInfoW", "version.dll.VerQueryValueW", "kernel32.dll.lstrlen", "kernel32.dll.lstrlenW", "mscoree.dll.ND_RI2", "kernel32.dll.lstrcpy", "kernel32.dll.lstrcpyW", "version.dll.VerLanguageNameW", "kernel32.dll.GetCurrentProcessId", "advapi32.dll.LookupPrivilegeValueW", "advapi32.dll.AdjustTokenPrivileges", "kernel32.dll.OpenProcess", "psapi.dll.EnumProcessModules", "psapi.dll.GetModuleInformation", "psapi.dll.GetModuleBaseNameW", "psapi.dll.GetModuleFileNameExW", "kernel32.dll.GetExitCodeProcess", "ntdll.dll.NtQuerySystemInformation", "user32.dll.EnumWindows", "user32.dll.GetWindowThreadProcessId", "kernel32.dll.WerSetFlags", "kernel32.dll.SetThreadPreferredUILanguages", "kernel32.dll.GetThreadPreferredUILanguages", "kernel32.dll.GetUserDefaultLocaleName", "kernel32.dll.GetEnvironmentVariableW", "advapi32.dll.CryptReleaseContext", "advapi32.dll.CryptCreateHash", "advapi32.dll.CryptDestroyHash", "advapi32.dll.CryptHashData", "advapi32.dll.CryptGetHashParam", "advapi32.dll.CryptExportKey", "advapi32.dll.CryptGenKey", "advapi32.dll.CryptGetKeyParam", "advapi32.dll.CryptDestroyKey", "advapi32.dll.CryptVerifySignatureA", "advapi32.dll.CryptSignHashA", "advapi32.dll.CryptGetProvParam", "advapi32.dll.CryptGetUserKey", "advapi32.dll.CryptEnumProvidersA", "cryptsp.dll.CryptHashData", "cryptsp.dll.CryptGetHashParam", "cryptsp.dll.CryptDestroyHash", "cryptsp.dll.CryptDestroyKey", "mscoree.dll.GetTokenForVTableEntry", "mscoree.dll.SetTargetForVTableEntry", "mscoree.dll.GetTargetForVTableEntry", "culture.dll.ConvertLangIdToCultureName", "ole32.dll.CoCreateGuid", "kernel32.dll.CreateFileW", "kernel32.dll.GetConsoleScreenBufferInfo", "kernel32.dll.LocalFree", "kernel32.dll.LocalAlloc", "mscoree.dll.ND_RI4", "advapi32.dll.DuplicateTokenEx", "advapi32.dll.CheckTokenMembership", "kernel32.dll.GetConsoleTitleW", "mscorjit.dll.getJit", "kernel32.dll.SetConsoleTitleW", "kernel32.dll.SetConsoleCtrlHandler", "kernel32.dll.CreateEventW", "ntdll.dll.WinSqmIsOptedIn", "kernel32.dll.ExpandEnvironmentStringsW", "shfolder.dll.SHGetFolderPathW", "kernel32.dll.SetEnvironmentVariableW", "kernel32.dll.GetACP", "kernel32.dll.UnmapViewOfFile", "kernel32.dll.GetFileType", "kernel32.dll.ReadFile", "kernel32.dll.GetSystemInfo", "kernel32.dll.VirtualQuery", "secur32.dll.GetUserNameExW", "advapi32.dll.GetUserNameW", "kernel32.dll.ReleaseMutex", "advapi32.dll.RegisterEventSourceW", "advapi32.dll.DeregisterEventSource", "advapi32.dll.ReportEventW", "kernel32.dll.GetLogicalDrives", "kernel32.dll.GetDriveTypeW", "kernel32.dll.GetVolumeInformationW", "kernel32.dll.GetCurrentDirectoryW", "kernel32.dll.GetLastError", "kernel32.dll.GetStdHandle", "kernel32.dll.GetConsoleMode", "kernel32.dll.SetEvent", "kernel32.dll.FindFirstFileW", "kernel32.dll.FindClose", "mscoree.dll.DllGetClassObject", "diasymreader.dll.DllGetClassObjectInternal", "kernel32.dll.GetConsoleOutputCP", "gdi32.dll.TranslateCharsetInfo", "kernel32.dll.SetConsoleTextAttribute", "kernel32.dll.WriteConsoleW", "mscoree.dll.CorExitProcess", "mscorwks.dll.CorExitProcess", "mscorwks.dll._CorDllMain", "kernel32.dll.CreateActCtxW", "kernel32.dll.AddRefActCtx", "kernel32.dll.ReleaseActCtx", "kernel32.dll.ActivateActCtx", "kernel32.dll.DeactivateActCtx", "kernel32.dll.GetCurrentActCtx", "kernel32.dll.QueryActCtxW", "netutils.dll.NetApiBufferFree", "crypt32.dll.CryptProtectData", "ntdll.dll.RtlUnwind", "mscoree.dll._CorExeMain", "mscoree.dll._CorImageUnloading", "mscoree.dll._CorValidateImage", "cryptsp.dll.CryptExportKey", "cryptsp.dll.CryptCreateHash", "kernel32.dll.SwitchToThread", "sechost.dll.LookupAccountNameLocalW", "advapi32.dll.LookupAccountSidW", "sechost.dll.LookupAccountSidLocalW", "sspicli.dll.GetUserNameExW", "shlwapi.dll.PathFindFileNameW", "wevtapi.dll.EvtIntAssertConfig", "kernel32.dll.NlsGetCacheUpdateCount", "advapi32.dll.WmiMofEnumerateResourcesW", "advapi32.dll.WmiFreeBuffer", "advapi32.dll.WmiCloseBlock", "propsys.dll.PropVariantToVariant", "ole32.dll.CoDisconnectObject", "wbemcore.dll.Shutdown", "ole32.dll.CoReleaseMarshalData", "advapi32.dll.RegDeleteKeyExW", "kernel32.dll.RegDeleteValueW", "kernel32.dll.LocaleNameToLCID", "kernel32.dll.GetLocaleInfoEx", "kernel32.dll.LCIDToLocaleName", "kernel32.dll.GetSystemDefaultLocaleName", "fastprox.dll.DllGetClassObject", "fastprox.dll.DllCanUnloadNow", "oleaut32.dll.#283", "oleaut32.dll.#284", "kernel32.dll.RegOpenKeyExW", "psapi.dll.EnumProcesses", "ole32.dll.CoGetClassObject", "ole32.dll.CoGetMarshalSizeMax", "ole32.dll.CoMarshalInterface", "ole32.dll.CoUnmarshalInterface", "ole32.dll.StringFromIID", "ole32.dll.CoGetPSClsid", "ole32.dll.DcomChannelSetHResult", "vssapi.dll.CreateWriter", "advapi32.dll.LookupAccountNameW", "samcli.dll.NetLocalGroupGetMembers", "samlib.dll.SamConnect", "rpcrt4.dll.NdrClientCall3", "rpcrt4.dll.RpcStringBindingComposeW", "rpcrt4.dll.RpcBindingFromStringBindingW", "rpcrt4.dll.RpcStringFreeW", "rpcrt4.dll.RpcBindingFree", "samlib.dll.SamOpenDomain", "samlib.dll.SamLookupNamesInDomain", "samlib.dll.SamOpenAlias", "samlib.dll.SamFreeMemory", "samlib.dll.SamCloseHandle", "samlib.dll.SamGetMembersInAlias", "ole32.dll.StringFromCLSID", "oleaut32.dll.#4", "oleaut32.dll.#7", "propsys.dll.VariantToPropVariant", "wbemcore.dll.Reinitialize", "wbemsvc.dll.DllGetClassObject", "wbemsvc.dll.DllCanUnloadNow", "authz.dll.AuthzInitializeContextFromToken", "authz.dll.AuthzInitializeObjectAccessAuditEvent2", "authz.dll.AuthzAccessCheck", "authz.dll.AuthzFreeAuditEvent", "authz.dll.AuthzFreeContext", "authz.dll.AuthzInitializeResourceManager", "authz.dll.AuthzFreeResourceManager", "rpcrt4.dll.RpcBindingCreateW", "rpcrt4.dll.RpcBindingBind", "rpcrt4.dll.I_RpcMapWin32Status", "advapi32.dll.EventRegister", "advapi32.dll.EventUnregister", "advapi32.dll.EventWrite", "kernel32.dll.RegCloseKey", "kernel32.dll.RegSetValueExW", "kernel32.dll.RegQueryValueExW", "wmisvc.dll.IsImproperShutdownDetected", "wevtapi.dll.EvtRender", "wevtapi.dll.EvtNext", "wevtapi.dll.EvtClose", "wevtapi.dll.EvtQuery", "wevtapi.dll.EvtCreateRenderContext", "rpcrt4.dll.RpcBindingSetAuthInfoExW", "rpcrt4.dll.RpcBindingSetOption", "ole32.dll.CoCreateFreeThreadedMarshaler", "ole32.dll.CreateStreamOnHGlobal", "advapi32.dll.RegCreateKeyExW", "kernelbase.dll.InitializeAcl", "kernelbase.dll.AddAce", "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW", "kernel32.dll.IsThreadAFiber", "kernel32.dll.OpenProcessToken", "kernelbase.dll.GetTokenInformation", "kernelbase.dll.DuplicateTokenEx", "kernelbase.dll.AdjustTokenPrivileges", "kernelbase.dll.AllocateAndInitializeSid", "kernelbase.dll.CheckTokenMembership", "kernel32.dll.SetThreadToken", "oleaut32.dll.#285", "advapi32.dll.RegOpenKeyW", "ole32.dll.CLSIDFromString", "oleaut32.dll.#17", "oleaut32.dll.#20", "oleaut32.dll.#19", "oleaut32.dll.#25", "oleaut32.dll.#286", "authz.dll.AuthzInitializeContextFromSid", "ole32.dll.CoGetCallContext", "ole32.dll.CoImpersonateClient", "ole32.dll.CoRevertToSelf", "oleaut32.dll.#8", "ole32.dll.CoSwitchCallContext" ] [*] Static Analysis: { "pe": { "peid_signatures": null, "imports": [ { "imports": [ { "name": "GetCommandLineA", "address": "0x448130" }, { "name": "TerminateProcess", "address": "0x448134" }, { "name": "HeapReAlloc", "address": "0x448138" }, { "name": "HeapSize", "address": "0x44813c" }, { "name": "HeapDestroy", "address": "0x448140" }, { "name": "HeapCreate", "address": "0x448144" }, { "name": "VirtualFree", "address": "0x448148" }, { "name": "IsBadWritePtr", "address": "0x44814c" }, { "name": "QueryPerformanceCounter", "address": "0x448150" }, { "name": "GetCurrentProcessId", "address": "0x448154" }, { "name": "SetUnhandledExceptionFilter", "address": "0x448158" }, { "name": "GetTimeZoneInformation", "address": "0x44815c" }, { "name": "GetStdHandle", "address": "0x448160" }, { "name": "UnhandledExceptionFilter", "address": "0x448164" }, { "name": "FreeEnvironmentStringsA", "address": "0x448168" }, { "name": "GetEnvironmentStrings", "address": "0x44816c" }, { "name": "GetStartupInfoA", "address": "0x448170" }, { "name": "GetEnvironmentStringsW", "address": "0x448174" }, { "name": "SetHandleCount", "address": "0x448178" }, { "name": "GetFileType", "address": "0x44817c" }, { "name": "LCMapStringA", "address": "0x448180" }, { "name": "LCMapStringW", "address": "0x448184" }, { "name": "GetStringTypeA", "address": "0x448188" }, { "name": "GetStringTypeW", "address": "0x44818c" }, { "name": "IsBadReadPtr", "address": "0x448190" }, { "name": "IsBadCodePtr", "address": "0x448194" }, { "name": "GetUserDefaultLCID", "address": "0x448198" }, { "name": "EnumSystemLocalesA", "address": "0x44819c" }, { "name": "IsValidLocale", "address": "0x4481a0" }, { "name": "IsValidCodePage", "address": "0x4481a4" }, { "name": "SetStdHandle", "address": "0x4481a8" }, { "name": "SetEnvironmentVariableA", "address": "0x4481ac" }, { "name": "GetLocaleInfoW", "address": "0x4481b0" }, { "name": "HeapFree", "address": "0x4481b4" }, { "name": "VirtualQuery", "address": "0x4481b8" }, { "name": "GetSystemInfo", "address": "0x4481bc" }, { "name": "VirtualAlloc", "address": "0x4481c0" }, { "name": "VirtualProtect", "address": "0x4481c4" }, { "name": "GetSystemTimeAsFileTime", "address": "0x4481c8" }, { "name": "ExitProcess", "address": "0x4481cc" }, { "name": "RtlUnwind", "address": "0x4481d0" }, { "name": "HeapAlloc", "address": "0x4481d4" }, { "name": "SetErrorMode", "address": "0x4481d8" }, { "name": "LocalFileTimeToFileTime", "address": "0x4481dc" }, { "name": "FileTimeToLocalFileTime", "address": "0x4481e0" }, { "name": "GetOEMCP", "address": "0x4481e4" }, { "name": "GetCPInfo", "address": "0x4481e8" }, { "name": "GetShortPathNameA", "address": "0x4481ec" }, { "name": "CreateFileA", "address": "0x4481f0" }, { "name": "GetVolumeInformationA", "address": "0x4481f4" }, { "name": "FindFirstFileA", "address": "0x4481f8" }, { "name": "FindClose", "address": "0x4481fc" }, { "name": "GetCurrentProcess", "address": "0x448200" }, { "name": "DuplicateHandle", "address": "0x448204" }, { "name": "GetFileSize", "address": "0x448208" }, { "name": "SetEndOfFile", "address": "0x44820c" }, { "name": "UnlockFile", "address": "0x448210" }, { "name": "LockFile", "address": "0x448214" }, { "name": "FlushFileBuffers", "address": "0x448218" }, { "name": "SetFilePointer", "address": "0x44821c" }, { "name": "WriteFile", "address": "0x448220" }, { "name": "ReadFile", "address": "0x448224" }, { "name": "DeleteFileA", "address": "0x448228" }, { "name": "MoveFileA", "address": "0x44822c" }, { "name": "TlsFree", "address": "0x448230" }, { "name": "LocalReAlloc", "address": "0x448234" }, { "name": "TlsSetValue", "address": "0x448238" }, { "name": "TlsAlloc", "address": "0x44823c" }, { "name": "TlsGetValue", "address": "0x448240" }, { "name": "EnterCriticalSection", "address": "0x448244" }, { "name": "GlobalHandle", "address": "0x448248" }, { "name": "GlobalReAlloc", "address": "0x44824c" }, { "name": "LeaveCriticalSection", "address": "0x448250" }, { "name": "LocalAlloc", "address": "0x448254" }, { "name": "InterlockedIncrement", "address": "0x448258" }, { "name": "GetCurrentDirectoryA", "address": "0x44825c" }, { "name": "GlobalFlags", "address": "0x448260" }, { "name": "InterlockedDecrement", "address": "0x448264" }, { "name": "SystemTimeToFileTime", "address": "0x448268" }, { "name": "FileTimeToSystemTime", "address": "0x44826c" }, { "name": "SetLastError", "address": "0x448270" }, { "name": "MulDiv", "address": "0x448274" }, { "name": "FormatMessageA", "address": "0x448278" }, { "name": "LocalFree", "address": "0x44827c" }, { "name": "GetDiskFreeSpaceA", "address": "0x448280" }, { "name": "GetFullPathNameA", "address": "0x448284" }, { "name": "GetTempFileNameA", "address": "0x448288" }, { "name": "GetFileTime", "address": "0x44828c" }, { "name": "SetFileTime", "address": "0x448290" }, { "name": "GetFileAttributesA", "address": "0x448294" }, { "name": "GlobalGetAtomNameA", "address": "0x448298" }, { "name": "GlobalFindAtomA", "address": "0x44829c" }, { "name": "lstrcatA", "address": "0x4482a0" }, { "name": "lstrcmpW", "address": "0x4482a4" }, { "name": "GetTickCount", "address": "0x4482a8" }, { "name": "GetPrivateProfileStringA", "address": "0x4482ac" }, { "name": "WritePrivateProfileStringA", "address": "0x4482b0" }, { "name": "GetPrivateProfileIntA", "address": "0x4482b4" }, { "name": "lstrcpynA", "address": "0x4482b8" }, { "name": "CloseHandle", "address": "0x4482bc" }, { "name": "GlobalAddAtomA", "address": "0x4482c0" }, { "name": "GetCurrentThread", "address": "0x4482c4" }, { "name": "GetCurrentThreadId", "address": "0x4482c8" }, { "name": "GlobalAlloc", "address": "0x4482cc" }, { "name": "FreeLibrary", "address": "0x4482d0" }, { "name": "GlobalDeleteAtom", "address": "0x4482d4" }, { "name": "lstrcmpA", "address": "0x4482d8" }, { "name": "GetModuleFileNameA", "address": "0x4482dc" }, { "name": "GetModuleHandleA", "address": "0x4482e0" }, { "name": "ConvertDefaultLocale", "address": "0x4482e4" }, { "name": "EnumResourceLanguagesA", "address": "0x4482e8" }, { "name": "lstrcpyA", "address": "0x4482ec" }, { "name": "GlobalLock", "address": "0x4482f0" }, { "name": "GlobalUnlock", "address": "0x4482f4" }, { "name": "GlobalFree", "address": "0x4482f8" }, { "name": "FreeResource", "address": "0x4482fc" }, { "name": "RaiseException", "address": "0x448300" }, { "name": "DeleteCriticalSection", "address": "0x448304" }, { "name": "InitializeCriticalSection", "address": "0x448308" }, { "name": "GetLastError", "address": "0x44830c" }, { "name": "lstrlenA", "address": "0x448310" }, { "name": "lstrcmpiA", "address": "0x448314" }, { "name": "GetStringTypeExA", "address": "0x448318" }, { "name": "CompareStringA", "address": "0x44831c" }, { "name": "CompareStringW", "address": "0x448320" }, { "name": "MultiByteToWideChar", "address": "0x448324" }, { "name": "GetVersion", "address": "0x448328" }, { "name": "WideCharToMultiByte", "address": "0x44832c" }, { "name": "LoadResource", "address": "0x448330" }, { "name": "LockResource", "address": "0x448334" }, { "name": "SizeofResource", "address": "0x448338" }, { "name": "FindResourceA", "address": "0x44833c" }, { "name": "GetThreadLocale", "address": "0x448340" }, { "name": "GetLocaleInfoA", "address": "0x448344" }, { "name": "GetACP", "address": "0x448348" }, { "name": "InterlockedExchange", "address": "0x44834c" }, { "name": "GetVersionExA", "address": "0x448350" }, { "name": "LoadLibraryA", "address": "0x448354" }, { "name": "FreeEnvironmentStringsW", "address": "0x448358" }, { "name": "GetProcAddress", "address": "0x44835c" } ], "dll": "KERNEL32.dll" }, { "imports": [ { "name": "LockWindowUpdate", "address": "0x4483cc" }, { "name": "RegisterWindowMessageA", "address": "0x4483d0" }, { "name": "WinHelpA", "address": "0x4483d4" }, { "name": "GetCapture", "address": "0x4483d8" }, { "name": "CreateWindowExA", "address": "0x4483dc" }, { "name": "GetClassLongA", "address": "0x4483e0" }, { "name": "GetClassInfoExA", "address": "0x4483e4" }, { "name": "GetClassNameA", "address": "0x4483e8" }, { "name": "SetPropA", "address": "0x4483ec" }, { "name": "GetPropA", "address": "0x4483f0" }, { "name": "RemovePropA", "address": "0x4483f4" }, { "name": "IsChild", "address": "0x4483f8" }, { "name": "GetForegroundWindow", "address": "0x4483fc" }, { "name": "BeginDeferWindowPos", "address": "0x448400" }, { "name": "EndDeferWindowPos", "address": "0x448404" }, { "name": "GetTopWindow", "address": "0x448408" }, { "name": "UnhookWindowsHookEx", "address": "0x44840c" }, { "name": "GetMessageTime", "address": "0x448410" }, { "name": "GetMessagePos", "address": "0x448414" }, { "name": "LoadIconA", "address": "0x448418" }, { "name": "MapWindowPoints", "address": "0x44841c" }, { "name": "ScrollWindow", "address": "0x448420" }, { "name": "TrackPopupMenu", "address": "0x448424" }, { "name": "SetScrollRange", "address": "0x448428" }, { "name": "GetScrollRange", "address": "0x44842c" }, { "name": "SetScrollPos", "address": "0x448430" }, { "name": "GetScrollPos", "address": "0x448434" }, { "name": "SetForegroundWindow", "address": "0x448438" }, { "name": "ShowScrollBar", "address": "0x44843c" }, { "name": "GetClientRect", "address": "0x448440" }, { "name": "GetMenu", "address": "0x448444" }, { "name": "GetSubMenu", "address": "0x448448" }, { "name": "GetMenuItemID", "address": "0x44844c" }, { "name": "GetMenuItemCount", "address": "0x448450" }, { "name": "GetSysColor", "address": "0x448454" }, { "name": "AdjustWindowRectEx", "address": "0x448458" }, { "name": "ScreenToClient", "address": "0x44845c" }, { "name": "EqualRect", "address": "0x448460" }, { "name": "DeferWindowPos", "address": "0x448464" }, { "name": "GetScrollInfo", "address": "0x448468" }, { "name": "SetScrollInfo", "address": "0x44846c" }, { "name": "GetClassInfoA", "address": "0x448470" }, { "name": "RegisterClassA", "address": "0x448474" }, { "name": "DefWindowProcA", "address": "0x448478" }, { "name": "CallWindowProcA", "address": "0x44847c" }, { "name": "OffsetRect", "address": "0x448480" }, { "name": "IntersectRect", "address": "0x448484" }, { "name": "SystemParametersInfoA", "address": "0x448488" }, { "name": "IsIconic", "address": "0x44848c" }, { "name": "GetWindowPlacement", "address": "0x448490" }, { "name": "GetWindowRect", "address": "0x448494" }, { "name": "CopyRect", "address": "0x448498" }, { "name": "PtInRect", "address": "0x44849c" }, { "name": "RegisterClipboardFormatA", "address": "0x4484a0" }, { "name": "GetWindow", "address": "0x4484a4" }, { "name": "SetWindowContextHelpId", "address": "0x4484a8" }, { "name": "MapDialogRect", "address": "0x4484ac" }, { "name": "wsprintfA", "address": "0x4484b0" }, { "name": "SetRect", "address": "0x4484b4" }, { "name": "GetWindowTextA", "address": "0x4484b8" }, { "name": "SetWindowPos", "address": "0x4484bc" }, { "name": "SetFocus", "address": "0x4484c0" }, { "name": "ShowWindow", "address": "0x4484c4" }, { "name": "MoveWindow", "address": "0x4484c8" }, { "name": "GetDCEx", "address": "0x4484cc" }, { "name": "GetDlgCtrlID", "address": "0x4484d0" }, { "name": "SetWindowTextA", "address": "0x4484d4" }, { "name": "IsDialogMessageA", "address": "0x4484d8" }, { "name": "IsDlgButtonChecked", "address": "0x4484dc" }, { "name": "SendDlgItemMessageA", "address": "0x4484e0" }, { "name": "SetMenuItemBitmaps", "address": "0x4484e4" }, { "name": "GetFocus", "address": "0x4484e8" }, { "name": "ModifyMenuA", "address": "0x4484ec" }, { "name": "GetMenuState", "address": "0x4484f0" }, { "name": "EnableMenuItem", "address": "0x4484f4" }, { "name": "CheckMenuItem", "address": "0x4484f8" }, { "name": "GetMenuCheckMarkDimensions", "address": "0x4484fc" }, { "name": "LoadBitmapA", "address": "0x448500" }, { "name": "SetWindowsHookExA", "address": "0x448504" }, { "name": "CallNextHookEx", "address": "0x448508" }, { "name": "GetMessageA", "address": "0x44850c" }, { "name": "TranslateMessage", "address": "0x448510" }, { "name": "DispatchMessageA", "address": "0x448514" }, { "name": "IsWindowVisible", "address": "0x448518" }, { "name": "GetKeyState", "address": "0x44851c" }, { "name": "PeekMessageA", "address": "0x448520" }, { "name": "GetCursorPos", "address": "0x448524" }, { "name": "ValidateRect", "address": "0x448528" }, { "name": "CharNextA", "address": "0x44852c" }, { "name": "DestroyIcon", "address": "0x448530" }, { "name": "GetSysColorBrush", "address": "0x448534" }, { "name": "EndPaint", "address": "0x448538" }, { "name": "BeginPaint", "address": "0x44853c" }, { "name": "GetWindowDC", "address": "0x448540" }, { "name": "GrayStringA", "address": "0x448544" }, { "name": "DrawTextExA", "address": "0x448548" }, { "name": "DrawTextA", "address": "0x44854c" }, { "name": "TabbedTextOutA", "address": "0x448550" }, { "name": "SetParent", "address": "0x448554" }, { "name": "GetSystemMenu", "address": "0x448558" }, { "name": "DeleteMenu", "address": "0x44855c" }, { "name": "MessageBoxA", "address": "0x448560" }, { "name": "GetLastActivePopup", "address": "0x448564" }, { "name": "ShowOwnedPopups", "address": "0x448568" }, { "name": "SetCursor", "address": "0x44856c" }, { "name": "PostMessageA", "address": "0x448570" }, { "name": "PostQuitMessage", "address": "0x448574" }, { "name": "GetDesktopWindow", "address": "0x448578" }, { "name": "GetActiveWindow", "address": "0x44857c" }, { "name": "SetActiveWindow", "address": "0x448580" }, { "name": "GetSystemMetrics", "address": "0x448584" }, { "name": "CreateDialogIndirectParamA", "address": "0x448588" }, { "name": "DestroyWindow", "address": "0x44858c" }, { "name": "IsWindow", "address": "0x448590" }, { "name": "GetWindowLongA", "address": "0x448594" }, { "name": "GetDlgItem", "address": "0x448598" }, { "name": "WindowFromPoint", "address": "0x44859c" }, { "name": "GetMenuItemInfoA", "address": "0x4485a0" }, { "name": "InflateRect", "address": "0x4485a4" }, { "name": "IsWindowEnabled", "address": "0x4485a8" }, { "name": "GetParent", "address": "0x4485ac" }, { "name": "GetNextDlgTabItem", "address": "0x4485b0" }, { "name": "EndDialog", "address": "0x4485b4" }, { "name": "UnregisterClassA", "address": "0x4485b8" }, { "name": "CharUpperA", "address": "0x4485bc" }, { "name": "SendMessageA", "address": "0x4485c0" }, { "name": "EnableWindow", "address": "0x4485c4" }, { "name": "UpdateWindow", "address": "0x4485c8" }, { "name": "PostThreadMessageA", "address": "0x4485cc" }, { "name": "MessageBeep", "address": "0x4485d0" }, { "name": "GetNextDlgGroupItem", "address": "0x4485d4" }, { "name": "InvalidateRgn", "address": "0x4485d8" }, { "name": "SetWindowLongA", "address": "0x4485dc" }, { "name": "CopyAcceleratorTableA", "address": "0x4485e0" }, { "name": "GetDC", "address": "0x4485e4" }, { "name": "ReleaseDC", "address": "0x4485e8" }, { "name": "IsZoomed", "address": "0x4485ec" }, { "name": "LoadMenuA", "address": "0x4485f0" }, { "name": "DestroyMenu", "address": "0x4485f4" }, { "name": "UnpackDDElParam", "address": "0x4485f8" }, { "name": "ReuseDDElParam", "address": "0x4485fc" }, { "name": "LoadAcceleratorsA", "address": "0x448600" }, { "name": "InsertMenuItemA", "address": "0x448604" }, { "name": "CreatePopupMenu", "address": "0x448608" }, { "name": "SetRectEmpty", "address": "0x44860c" }, { "name": "BringWindowToTop", "address": "0x448610" }, { "name": "SetMenu", "address": "0x448614" }, { "name": "TranslateAcceleratorA", "address": "0x448618" }, { "name": "ReleaseCapture", "address": "0x44861c" }, { "name": "LoadCursorA", "address": "0x448620" }, { "name": "SetCapture", "address": "0x448624" }, { "name": "KillTimer", "address": "0x448628" }, { "name": "SetTimer", "address": "0x44862c" }, { "name": "InvalidateRect", "address": "0x448630" }, { "name": "ClientToScreen", "address": "0x448634" }, { "name": "SetWindowRgn", "address": "0x448638" }, { "name": "DrawIcon", "address": "0x44863c" }, { "name": "FillRect", "address": "0x448640" }, { "name": "IsRectEmpty", "address": "0x448644" }, { "name": "FindWindowA", "address": "0x448648" }, { "name": "GetMenuStringA", "address": "0x44864c" }, { "name": "GetWindowTextLengthA", "address": "0x448650" }, { "name": "InsertMenuA", "address": "0x448654" }, { "name": "AppendMenuA", "address": "0x448658" } ], "dll": "USER32.dll" }, { "imports": [ { "name": "SetMapMode", "address": "0x448050" }, { "name": "ExcludeClipRect", "address": "0x448054" }, { "name": "IntersectClipRect", "address": "0x448058" }, { "name": "SelectClipRgn", "address": "0x44805c" }, { "name": "CreateRectRgn", "address": "0x448060" }, { "name": "GetViewportExtEx", "address": "0x448064" }, { "name": "GetWindowExtEx", "address": "0x448068" }, { "name": "BitBlt", "address": "0x44806c" }, { "name": "GetPixel", "address": "0x448070" }, { "name": "PtVisible", "address": "0x448074" }, { "name": "RectVisible", "address": "0x448078" }, { "name": "TextOutA", "address": "0x44807c" }, { "name": "ExtTextOutA", "address": "0x448080" }, { "name": "Escape", "address": "0x448084" }, { "name": "SetViewportOrgEx", "address": "0x448088" }, { "name": "OffsetViewportOrgEx", "address": "0x44808c" }, { "name": "SetViewportExtEx", "address": "0x448090" }, { "name": "ScaleViewportExtEx", "address": "0x448094" }, { "name": "ScaleWindowExtEx", "address": "0x448098" }, { "name": "ExtSelectClipRgn", "address": "0x44809c" }, { "name": "CreatePatternBrush", "address": "0x4480a0" }, { "name": "GetStockObject", "address": "0x4480a4" }, { "name": "CreateSolidBrush", "address": "0x4480a8" }, { "name": "CreateFontIndirectA", "address": "0x4480ac" }, { "name": "GetBkColor", "address": "0x4480b0" }, { "name": "GetTextColor", "address": "0x4480b4" }, { "name": "CreateRectRgnIndirect", "address": "0x4480b8" }, { "name": "GetRgnBox", "address": "0x4480bc" }, { "name": "PatBlt", "address": "0x4480c0" }, { "name": "SetRectRgn", "address": "0x4480c4" }, { "name": "CombineRgn", "address": "0x4480c8" }, { "name": "GetMapMode", "address": "0x4480cc" }, { "name": "SetBkMode", "address": "0x4480d0" }, { "name": "RestoreDC", "address": "0x4480d4" }, { "name": "SaveDC", "address": "0x4480d8" }, { "name": "CreateFontA", "address": "0x4480dc" }, { "name": "GetCharWidthA", "address": "0x4480e0" }, { "name": "DeleteObject", "address": "0x4480e4" }, { "name": "StretchDIBits", "address": "0x4480e8" }, { "name": "DeleteDC", "address": "0x4480ec" }, { "name": "GetTextExtentPoint32A", "address": "0x4480f0" }, { "name": "GetTextMetricsA", "address": "0x4480f4" }, { "name": "SelectObject", "address": "0x4480f8" }, { "name": "CreateCompatibleDC", "address": "0x4480fc" }, { "name": "CreateCompatibleBitmap", "address": "0x448100" }, { "name": "Ellipse", "address": "0x448104" }, { "name": "LPtoDP", "address": "0x448108" }, { "name": "CreateEllipticRgn", "address": "0x44810c" }, { "name": "GetDeviceCaps", "address": "0x448110" }, { "name": "GetObjectA", "address": "0x448114" }, { "name": "SetBkColor", "address": "0x448118" }, { "name": "SetTextColor", "address": "0x44811c" }, { "name": "GetClipBox", "address": "0x448120" }, { "name": "SetWindowExtEx", "address": "0x448124" }, { "name": "CreateBitmap", "address": "0x448128" } ], "dll": "GDI32.dll" }, { "imports": [ { "name": "GetSaveFileNameA", "address": "0x448670" }, { "name": "GetFileTitleA", "address": "0x448674" }, { "name": "GetOpenFileNameA", "address": "0x448678" } ], "dll": "comdlg32.dll" }, { "imports": [ { "name": "OpenPrinterA", "address": "0x448660" }, { "name": "DocumentPropertiesA", "address": "0x448664" }, { "name": "ClosePrinter", "address": "0x448668" } ], "dll": "WINSPOOL.DRV" }, { "imports": [ { "name": "RegSetValueA", "address": "0x448000" }, { "name": "RegQueryValueExA", "address": "0x448004" }, { "name": "RegOpenKeyExA", "address": "0x448008" }, { "name": "RegDeleteKeyA", "address": "0x44800c" }, { "name": "RegEnumKeyA", "address": "0x448010" }, { "name": "RegOpenKeyA", "address": "0x448014" }, { "name": "RegQueryValueA", "address": "0x448018" }, { "name": "RegCreateKeyExA", "address": "0x44801c" }, { "name": "RegSetValueExA", "address": "0x448020" }, { "name": "RegDeleteValueA", "address": "0x448024" }, { "name": "SetFileSecurityA", "address": "0x448028" }, { "name": "RegCreateKeyA", "address": "0x44802c" }, { "name": "RegCloseKey", "address": "0x448030" }, { "name": "GetFileSecurityA", "address": "0x448034" } ], "dll": "ADVAPI32.dll" }, { "imports": [ { "name": "DragFinish", "address": "0x44839c" }, { "name": "DragQueryFileA", "address": "0x4483a0" }, { "name": "ExtractIconA", "address": "0x4483a4" }, { "name": "SHGetFileInfoA", "address": "0x4483a8" }, { "name": "DragAcceptFiles", "address": "0x4483ac" } ], "dll": "SHELL32.dll" }, { "imports": [ { "name": null, "address": "0x44803c" }, { "name": "ImageList_Draw", "address": "0x448040" }, { "name": "ImageList_GetImageInfo", "address": "0x448044" }, { "name": "ImageList_Destroy", "address": "0x448048" } ], "dll": "COMCTL32.dll" }, { "imports": [ { "name": "PathRemoveExtensionA", "address": "0x4483b4" }, { "name": "PathFindFileNameA", "address": "0x4483b8" }, { "name": "PathStripToRootA", "address": "0x4483bc" }, { "name": "PathFindExtensionA", "address": "0x4483c0" }, { "name": "PathIsUNCA", "address": "0x4483c4" } ], "dll": "SHLWAPI.dll" }, { "imports": [ { "name": null, "address": "0x4486c0" } ], "dll": "oledlg.dll" }, { "imports": [ { "name": "CoGetClassObject", "address": "0x448680" }, { "name": "CoTaskMemAlloc", "address": "0x448684" }, { "name": "StgOpenStorageOnILockBytes", "address": "0x448688" }, { "name": "CoTaskMemFree", "address": "0x44868c" }, { "name": "OleInitialize", "address": "0x448690" }, { "name": "CoFreeUnusedLibraries", "address": "0x448694" }, { "name": "OleUninitialize", "address": "0x448698" }, { "name": "CLSIDFromString", "address": "0x44869c" }, { "name": "CLSIDFromProgID", "address": "0x4486a0" }, { "name": "StgCreateDocfileOnILockBytes", "address": "0x4486a4" }, { "name": "CreateILockBytesOnHGlobal", "address": "0x4486a8" }, { "name": "CoRevokeClassObject", "address": "0x4486ac" }, { "name": "OleIsCurrentClipboard", "address": "0x4486b0" }, { "name": "OleFlushClipboard", "address": "0x4486b4" }, { "name": "CoRegisterMessageFilter", "address": "0x4486b8" } ], "dll": "ole32.dll" }, { "imports": [ { "name": "VariantTimeToSystemTime", "address": "0x448364" }, { "name": "SysFreeString", "address": "0x448368" }, { "name": "SysAllocStringLen", "address": "0x44836c" }, { "name": "VariantClear", "address": "0x448370" }, { "name": "VariantChangeType", "address": "0x448374" }, { "name": "VariantInit", "address": "0x448378" }, { "name": "SysStringLen", "address": "0x44837c" }, { "name": "SysAllocStringByteLen", "address": "0x448380" }, { "name": "VariantCopy", "address": "0x448384" }, { "name": "SysAllocString", "address": "0x448388" }, { "name": "OleCreateFontIndirect", "address": "0x44838c" }, { "name": "SafeArrayDestroy", "address": "0x448390" }, { "name": "SystemTimeToVariantTime", "address": "0x448394" } ], "dll": "OLEAUT32.dll" } ], "digital_signers": null, "exported_dll_name": null, "actual_checksum": "0x000a30bc", "overlay": null, "imagebase": "0x00400000", "reported_checksum": "0x00000000", "icon_hash": null, "entrypoint": "0x00418c57", "timestamp": "2019-06-26 12:52:25", "osversion": "4.0", "sections": [ { "name": ".text", "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", "virtual_address": "0x00001000", "size_of_data": "0x00047000", "entropy": "6.52", "raw_address": "0x00001000", "virtual_size": "0x000468fb", "characteristics_raw": "0x60000020" }, { "name": ".rdata", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x00048000", "size_of_data": "0x0004b000", "entropy": "6.24", "raw_address": "0x00048000", "virtual_size": "0x0004ae26", "characteristics_raw": "0x40000040" }, { "name": ".data", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "virtual_address": "0x00093000", "size_of_data": "0x00003000", "entropy": "3.96", "raw_address": "0x00093000", "virtual_size": "0x00006094", "characteristics_raw": "0xc0000040" }, { "name": ".rsrc", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "virtual_address": "0x0009a000", "size_of_data": "0x0000c000", "entropy": "4.94", "raw_address": "0x00096000", "virtual_size": "0x0000b578", "characteristics_raw": "0x40000040" } ], "resources": [], "dirents": [ { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXPORT", "size": "0x00000000" }, { "virtual_address": "0x00090a48", "name": "IMAGE_DIRECTORY_ENTRY_IMPORT", "size": "0x00000104" }, { "virtual_address": "0x0009a000", "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE", "size": "0x0000b578" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_SECURITY", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_DEBUG", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_TLS", "size": "0x00000000" }, { "virtual_address": "0x0008abe0", "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "size": "0x00000048" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", "size": "0x00000000" }, { "virtual_address": "0x00048000", "name": "IMAGE_DIRECTORY_ENTRY_IAT", "size": "0x000006c8" }, { "virtual_address": "0x00090998", "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", "size": "0x00000040" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "size": "0x00000000" }, { "virtual_address": "0x00000000", "name": "IMAGE_DIRECTORY_ENTRY_RESERVED", "size": "0x00000000" } ], "exports": [], "guest_signers": {}, "imphash": "7a377bb2d9e9a9d3215f8897afdc67d6", "icon_fuzzy": null, "icon": null, "pdbpath": null, "imported_dll_count": 12, "versioninfo": [] } }