paladin316

Exes_ed741296_exe.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: "Zonidel"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_ed741296.exe"
  7. [*] File Size: 266752
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "77f2b84f93c3151a8b264d11a47cbf5925132ca353f62ba2d999e51ee035dd18"
  10. [*] MD5: "ffc6b2b54d3f6651278e2a42eed243c4"
  11. [*] SHA1: "00951d6fba436f895d0e389f8029b1f7f6ffc717"
  12. [*] SHA512: "66bbe1ce53ed8968f6a93c65c7ab8f956d929d714f7ceb008df2074eb3c4e9c9f95464a12c263089d3906569f3734fb889fd19095272d1f0c6050ab040c951c7"
  13. [*] CRC32: "ED741296"
  14. [*] SSDEEP: "6144:wcvLyLfIFA+1tjGkn0v/ZPzuKLJFtrj6Wsx56:wcWLfM1VGk0HZP6Kbt/6Nx56"
  15.  
  16. [*] Process Execution: [
  17. "Exes_ed741296.exe",
  18. "windxit.exe"
  19. ]
  20.  
  21. [*] Signatures Detected: [
  22. {
  23. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  24. "Details": [
  25. {
  26. "IP": "74.6.137.63:25"
  27. }
  28. ]
  29. },
  30. {
  31. "Description": "Creates RWX memory",
  32. "Details": []
  33. },
  34. {
  35. "Description": "Possible date expiration check, exits too soon after checking local time",
  36. "Details": [
  37. {
  38. "process": "windxit.exe, PID 2176"
  39. }
  40. ]
  41. },
  42. {
  43. "Description": "Drops a binary and executes it",
  44. "Details": [
  45. {
  46. "binary": "C:\\Windows\\3429179713321391\\windxit.exe"
  47. }
  48. ]
  49. },
  50. {
  51. "Description": "Performs some HTTP requests",
  52. "Details": [
  53. {
  54. "url": "http://redirector.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe"
  55. },
  56. {
  57. "url": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes"
  58. },
  59. {
  60. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  61. },
  62. {
  63. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  64. },
  65. {
  66. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  67. }
  68. ]
  69. },
  70. {
  71. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  72. "Details": [
  73. {
  74. "Spam": "Exes_ed741296.exe (1752) called API GlobalMemoryStatus 2165386 times"
  75. },
  76. {
  77. "Spam": "windxit.exe (2176) called API GlobalMemoryStatus 2165386 times"
  78. }
  79. ]
  80. },
  81. {
  82. "Description": "Installs itself for autorun at Windows startup",
  83. "Details": [
  84. {
  85. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 2462742724"
  86. },
  87. {
  88. "data": "C:\\Windows\\3429179713321391\\windxit.exe"
  89. },
  90. {
  91. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 2462742724"
  92. },
  93. {
  94. "data": "C:\\Windows\\3429179713321391\\windxit.exe"
  95. }
  96. ]
  97. },
  98. {
  99. "Description": "Creates a hidden or system file",
  100. "Details": [
  101. {
  102. "file": "C:\\Windows\\3429179713321391"
  103. },
  104. {
  105. "file": "C:\\Windows\\3429179713321391\\windxit.exe"
  106. }
  107. ]
  108. },
  109. {
  110. "Description": "File has been identified by 39 Antiviruses on VirusTotal as malicious",
  111. "Details": [
  112. {
  113. "MicroWorld-eScan": "Trojan.GenericKD.32054074"
  114. },
  115. {
  116. "McAfee": "Artemis!FFC6B2B54D3F"
  117. },
  118. {
  119. "AegisLab": "Trojan.Win32.Zonidel.4!c"
  120. },
  121. {
  122. "BitDefender": "Trojan.GenericKD.32054074"
  123. },
  124. {
  125. "K7GW": "Riskware ( 0040eff71 )"
  126. },
  127. {
  128. "ESET-NOD32": "a variant of Win32/Kryptik.GTYE"
  129. },
  130. {
  131. "APEX": "Malicious"
  132. },
  133. {
  134. "Paloalto": "generic.ml"
  135. },
  136. {
  137. "GData": "Trojan.GenericKD.32054074"
  138. },
  139. {
  140. "Kaspersky": "Trojan.Win32.Zonidel.egt"
  141. },
  142. {
  143. "Tencent": "Win32.Trojan.Zonidel.Eili"
  144. },
  145. {
  146. "Endgame": "malicious (high confidence)"
  147. },
  148. {
  149. "Emsisoft": "Trojan.GenericKD.32054074 (B)"
  150. },
  151. {
  152. "Comodo": "Malware@#xqm6zfx65n78"
  153. },
  154. {
  155. "F-Secure": "Trojan.TR/AD.Phorpiex.gwmgy"
  156. },
  157. {
  158. "VIPRE": "Trojan.Win32.Generic!BT"
  159. },
  160. {
  161. "Invincea": "heuristic"
  162. },
  163. {
  164. "McAfee-GW-Edition": "Artemis"
  165. },
  166. {
  167. "Trapmine": "malicious.high.ml.score"
  168. },
  169. {
  170. "FireEye": "Generic.mg.ffc6b2b54d3f6651"
  171. },
  172. {
  173. "Sophos": "Mal/Generic-S"
  174. },
  175. {
  176. "Ikarus": "Trojan.Win32.Krypt"
  177. },
  178. {
  179. "Avira": "TR/AD.Phorpiex.gwmgy"
  180. },
  181. {
  182. "Arcabit": "Trojan.Generic.D1E91B3A"
  183. },
  184. {
  185. "AhnLab-V3": "Trojan/Win32.Crypted.R275704"
  186. },
  187. {
  188. "ZoneAlarm": "Trojan.Win32.Zonidel.egt"
  189. },
  190. {
  191. "Microsoft": "Trojan:Win32/Gandcrab.AF"
  192. },
  193. {
  194. "Acronis": "suspicious"
  195. },
  196. {
  197. "ALYac": "Trojan.GenericKD.32054074"
  198. },
  199. {
  200. "Ad-Aware": "Trojan.GenericKD.32054074"
  201. },
  202. {
  203. "Malwarebytes": "Trojan.MalPack.GS"
  204. },
  205. {
  206. "Panda": "Trj/GdSda.A"
  207. },
  208. {
  209. "TrendMicro-HouseCall": "TROJ_GEN.R03FC0WFD19"
  210. },
  211. {
  212. "Rising": "Malware.Heuristic.MLite(94%) (AI-LITE:uEgW6/MPn1b+FDScVK5Pvg)"
  213. },
  214. {
  215. "Fortinet": "W32/GenKryptik.DKOO!tr"
  216. },
  217. {
  218. "Webroot": "W32.Trojan.Gen"
  219. },
  220. {
  221. "AVG": "FileRepMalware"
  222. },
  223. {
  224. "Avast": "FileRepMalware"
  225. },
  226. {
  227. "CrowdStrike": "win/malicious_confidence_70% (W)"
  228. }
  229. ]
  230. },
  231. {
  232. "Description": "Operates on local firewall's policies and settings",
  233. "Details": []
  234. },
  235. {
  236. "Description": "Creates a copy of itself",
  237. "Details": [
  238. {
  239. "copy": "C:\\Windows\\3429179713321391\\windxit.exe"
  240. }
  241. ]
  242. },
  243. {
  244. "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
  245. "Details": [
  246. {
  247. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_ed741296.exe:Zone.Iduentifier"
  248. },
  249. {
  250. "file": "C:\\Windows\\3429179713321391\\windxit.exe:Zone.Iduentifier"
  251. }
  252. ]
  253. }
  254. ]
  255.  
  256. [*] Started Service: []
  257.  
  258. [*] Executed Commands: [
  259. "C:\\Windows\\3429179713321391\\windxit.exe"
  260. ]
  261.  
  262. [*] Mutexes: [
  263. "2462742724"
  264. ]
  265.  
  266. [*] Modified Files: [
  267. "C:\\Windows\\3429179713321391\\windxit.exe"
  268. ]
  269.  
  270. [*] Deleted Files: [
  271. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_ed741296.exe:Zone.Iduentifier",
  272. "C:\\Windows\\3429179713321391\\windxit.exe:Zone.Iduentifier"
  273. ]
  274.  
  275. [*] Modified Registry Keys: [
  276. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 2462742724",
  277. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update 2462742724"
  278. ]
  279.  
  280. [*] Deleted Registry Keys: []
  281.  
  282. [*] DNS Communications: [
  283. {
  284. "type": "MX",
  285. "request": "yahoo.com",
  286. "answers": [
  287. {
  288. "data": "mta5.am0.yahoodns.net",
  289. "type": "MX"
  290. },
  291. {
  292. "data": "mta7.am0.yahoodns.net",
  293. "type": "MX"
  294. },
  295. {
  296. "data": "mta6.am0.yahoodns.net",
  297. "type": "MX"
  298. }
  299. ]
  300. },
  301. {
  302. "type": "A",
  303. "request": "mta6.am0.yahoodns.net",
  304. "answers": [
  305. {
  306. "data": "67.195.228.94",
  307. "type": "A"
  308. },
  309. {
  310. "data": "66.218.85.139",
  311. "type": "A"
  312. },
  313. {
  314. "data": "74.6.137.65",
  315. "type": "A"
  316. },
  317. {
  318. "data": "67.195.228.109",
  319. "type": "A"
  320. },
  321. {
  322. "data": "98.137.159.26",
  323. "type": "A"
  324. },
  325. {
  326. "data": "98.137.159.25",
  327. "type": "A"
  328. },
  329. {
  330. "data": "74.6.137.63",
  331. "type": "A"
  332. },
  333. {
  334. "data": "67.195.228.106",
  335. "type": "A"
  336. }
  337. ]
  338. }
  339. ]
  340.  
  341. [*] Domains: [
  342. {
  343. "ip": "67.195.228.106",
  344. "domain": "mta6.am0.yahoodns.net"
  345. },
  346. {
  347. "ip": "98.138.219.231",
  348. "domain": "yahoo.com"
  349. }
  350. ]
  351.  
  352. [*] Network Communication - ICMP: []
  353.  
  354. [*] Network Communication - HTTP: [
  355. {
  356. "count": 1,
  357. "body": "",
  358. "uri": "http://redirector.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe",
  359. "user-agent": "Microsoft BITS/7.5",
  360. "method": "HEAD",
  361. "host": "redirector.gvt1.com",
  362. "version": "1.1",
  363. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe",
  364. "data": "HEAD /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: redirector.gvt1.com\r\n\r\n",
  365. "port": 80
  366. },
  367. {
  368. "count": 1,
  369. "body": "",
  370. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  371. "user-agent": "Microsoft BITS/7.5",
  372. "method": "HEAD",
  373. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  374. "version": "1.1",
  375. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  376. "data": "HEAD /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  377. "port": 80
  378. },
  379. {
  380. "count": 1,
  381. "body": "",
  382. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  383. "user-agent": "Microsoft-CryptoAPI/6.1",
  384. "method": "GET",
  385. "host": "ocsp.digicert.com",
  386. "version": "1.1",
  387. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  388. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  389. "port": 80
  390. },
  391. {
  392. "count": 1,
  393. "body": "",
  394. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  395. "user-agent": "Microsoft-CryptoAPI/6.1",
  396. "method": "GET",
  397. "host": "ocsp.digicert.com",
  398. "version": "1.1",
  399. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  400. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  401. "port": 80
  402. },
  403. {
  404. "count": 1,
  405. "body": "",
  406. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  407. "user-agent": "Microsoft-CryptoAPI/6.1",
  408. "method": "GET",
  409. "host": "ocsp.digicert.com",
  410. "version": "1.1",
  411. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  412. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  413. "port": 80
  414. },
  415. {
  416. "count": 1,
  417. "body": "",
  418. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  419. "user-agent": "Microsoft BITS/7.5",
  420. "method": "GET",
  421. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  422. "version": "1.1",
  423. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  424. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=0-6913\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  425. "port": 80
  426. },
  427. {
  428. "count": 1,
  429. "body": "",
  430. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  431. "user-agent": "Microsoft BITS/7.5",
  432. "method": "GET",
  433. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  434. "version": "1.1",
  435. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  436. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=6914-17673\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  437. "port": 80
  438. },
  439. {
  440. "count": 1,
  441. "body": "",
  442. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  443. "user-agent": "Microsoft BITS/7.5",
  444. "method": "GET",
  445. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  446. "version": "1.1",
  447. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  448. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=17674-27522\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  449. "port": 80
  450. },
  451. {
  452. "count": 1,
  453. "body": "",
  454. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  455. "user-agent": "Microsoft BITS/7.5",
  456. "method": "GET",
  457. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  458. "version": "1.1",
  459. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  460. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=27523-37529\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  461. "port": 80
  462. },
  463. {
  464. "count": 1,
  465. "body": "",
  466. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  467. "user-agent": "Microsoft BITS/7.5",
  468. "method": "GET",
  469. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  470. "version": "1.1",
  471. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  472. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=37530-58426\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  473. "port": 80
  474. },
  475. {
  476. "count": 1,
  477. "body": "",
  478. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  479. "user-agent": "Microsoft BITS/7.5",
  480. "method": "GET",
  481. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  482. "version": "1.1",
  483. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  484. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=58427-101399\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  485. "port": 80
  486. },
  487. {
  488. "count": 1,
  489. "body": "",
  490. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  491. "user-agent": "Microsoft BITS/7.5",
  492. "method": "GET",
  493. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  494. "version": "1.1",
  495. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  496. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=101400-131332\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  497. "port": 80
  498. },
  499. {
  500. "count": 1,
  501. "body": "",
  502. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  503. "user-agent": "Microsoft BITS/7.5",
  504. "method": "GET",
  505. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  506. "version": "1.1",
  507. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  508. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=131333-312387\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  509. "port": 80
  510. },
  511. {
  512. "count": 1,
  513. "body": "",
  514. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  515. "user-agent": "Microsoft BITS/7.5",
  516. "method": "GET",
  517. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  518. "version": "1.1",
  519. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  520. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=312388-569715\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  521. "port": 80
  522. },
  523. {
  524. "count": 1,
  525. "body": "",
  526. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  527. "user-agent": "Microsoft BITS/7.5",
  528. "method": "GET",
  529. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  530. "version": "1.1",
  531. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  532. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=569716-1295319\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  533. "port": 80
  534. },
  535. {
  536. "count": 1,
  537. "body": "",
  538. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  539. "user-agent": "Microsoft BITS/7.5",
  540. "method": "GET",
  541. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  542. "version": "1.1",
  543. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  544. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=1295320-2732173\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  545. "port": 80
  546. },
  547. {
  548. "count": 1,
  549. "body": "",
  550. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  551. "user-agent": "Microsoft BITS/7.5",
  552. "method": "GET",
  553. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  554. "version": "1.1",
  555. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  556. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=2732174-5611124\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  557. "port": 80
  558. },
  559. {
  560. "count": 1,
  561. "body": "",
  562. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  563. "user-agent": "Microsoft BITS/7.5",
  564. "method": "GET",
  565. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  566. "version": "1.1",
  567. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  568. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=5611125-11372756\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  569. "port": 80
  570. },
  571. {
  572. "count": 1,
  573. "body": "",
  574. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  575. "user-agent": "Microsoft BITS/7.5",
  576. "method": "GET",
  577. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  578. "version": "1.1",
  579. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  580. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=11372757-21628567\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  581. "port": 80
  582. },
  583. {
  584. "count": 1,
  585. "body": "",
  586. "uri": "http://r2---sn-bvvbax-2ims.gvt1.com/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  587. "user-agent": "Microsoft BITS/7.5",
  588. "method": "GET",
  589. "host": "r2---sn-bvvbax-2ims.gvt1.com",
  590. "version": "1.1",
  591. "path": "/edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes",
  592. "data": "GET /edgedl/release2/chrome/AO3hQFiic1uW_75.0.3770.90/75.0.3770.90_74.0.3729.169_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ims&ms=nvh&mt=1560482553&mv=m&nh=EAM&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Wed, 12 Jun 2019 22:15:46 GMT\r\nRange: bytes=21628568-30355199\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r2---sn-bvvbax-2ims.gvt1.com\r\n\r\n",
  593. "port": 80
  594. }
  595. ]
  596.  
  597. [*] Network Communication - SMTP: []
  598.  
  599. [*] Network Communication - Hosts: []
  600.  
  601. [*] Network Communication - IRC: []
  602.  
  603. [*] Static Analysis: {
  604. "pe": {
  605. "peid_signatures": null,
  606. "imports": [
  607. {
  608. "imports": [
  609. {
  610. "name": "SetVolumeMountPointW",
  611. "address": "0x427018"
  612. },
  613. {
  614. "name": "UnlockFile",
  615. "address": "0x42701c"
  616. },
  617. {
  618. "name": "GetNumberFormatA",
  619. "address": "0x427020"
  620. },
  621. {
  622. "name": "GlobalAlloc",
  623. "address": "0x427024"
  624. },
  625. {
  626. "name": "LoadLibraryW",
  627. "address": "0x427028"
  628. },
  629. {
  630. "name": "DnsHostnameToComputerNameW",
  631. "address": "0x42702c"
  632. },
  633. {
  634. "name": "GetBinaryTypeA",
  635. "address": "0x427030"
  636. },
  637. {
  638. "name": "lstrlenW",
  639. "address": "0x427034"
  640. },
  641. {
  642. "name": "SetHandleInformation",
  643. "address": "0x427038"
  644. },
  645. {
  646. "name": "GetProcAddress",
  647. "address": "0x42703c"
  648. },
  649. {
  650. "name": "PeekConsoleInputW",
  651. "address": "0x427040"
  652. },
  653. {
  654. "name": "LocalLock",
  655. "address": "0x427044"
  656. },
  657. {
  658. "name": "VirtualProtect",
  659. "address": "0x427048"
  660. },
  661. {
  662. "name": "CreateToolhelp32Snapshot",
  663. "address": "0x42704c"
  664. },
  665. {
  666. "name": "DuplicateHandle",
  667. "address": "0x427050"
  668. },
  669. {
  670. "name": "CloseHandle",
  671. "address": "0x427054"
  672. },
  673. {
  674. "name": "ZombifyActCtx",
  675. "address": "0x427058"
  676. },
  677. {
  678. "name": "lstrcpynA",
  679. "address": "0x42705c"
  680. },
  681. {
  682. "name": "DebugActiveProcessStop",
  683. "address": "0x427060"
  684. },
  685. {
  686. "name": "GlobalMemoryStatus",
  687. "address": "0x427064"
  688. },
  689. {
  690. "name": "Module32First",
  691. "address": "0x427068"
  692. },
  693. {
  694. "name": "ExitProcess",
  695. "address": "0x42706c"
  696. },
  697. {
  698. "name": "GetStringTypeW",
  699. "address": "0x427070"
  700. },
  701. {
  702. "name": "OutputDebugStringW",
  703. "address": "0x427074"
  704. },
  705. {
  706. "name": "EnumSystemLocalesW",
  707. "address": "0x427078"
  708. },
  709. {
  710. "name": "GetUserDefaultLCID",
  711. "address": "0x42707c"
  712. },
  713. {
  714. "name": "IsValidLocale",
  715. "address": "0x427080"
  716. },
  717. {
  718. "name": "GetLocaleInfoW",
  719. "address": "0x427084"
  720. },
  721. {
  722. "name": "EncodePointer",
  723. "address": "0x427088"
  724. },
  725. {
  726. "name": "DecodePointer",
  727. "address": "0x42708c"
  728. },
  729. {
  730. "name": "GetCommandLineA",
  731. "address": "0x427090"
  732. },
  733. {
  734. "name": "RaiseException",
  735. "address": "0x427094"
  736. },
  737. {
  738. "name": "RtlUnwind",
  739. "address": "0x427098"
  740. },
  741. {
  742. "name": "IsDebuggerPresent",
  743. "address": "0x42709c"
  744. },
  745. {
  746. "name": "IsProcessorFeaturePresent",
  747. "address": "0x4270a0"
  748. },
  749. {
  750. "name": "EnterCriticalSection",
  751. "address": "0x4270a4"
  752. },
  753. {
  754. "name": "LeaveCriticalSection",
  755. "address": "0x4270a8"
  756. },
  757. {
  758. "name": "FlushFileBuffers",
  759. "address": "0x4270ac"
  760. },
  761. {
  762. "name": "GetLastError",
  763. "address": "0x4270b0"
  764. },
  765. {
  766. "name": "WriteFile",
  767. "address": "0x4270b4"
  768. },
  769. {
  770. "name": "WideCharToMultiByte",
  771. "address": "0x4270b8"
  772. },
  773. {
  774. "name": "GetConsoleCP",
  775. "address": "0x4270bc"
  776. },
  777. {
  778. "name": "GetConsoleMode",
  779. "address": "0x4270c0"
  780. },
  781. {
  782. "name": "DeleteCriticalSection",
  783. "address": "0x4270c4"
  784. },
  785. {
  786. "name": "FatalAppExitA",
  787. "address": "0x4270c8"
  788. },
  789. {
  790. "name": "GetModuleHandleExW",
  791. "address": "0x4270cc"
  792. },
  793. {
  794. "name": "AreFileApisANSI",
  795. "address": "0x4270d0"
  796. },
  797. {
  798. "name": "MultiByteToWideChar",
  799. "address": "0x4270d4"
  800. },
  801. {
  802. "name": "HeapSize",
  803. "address": "0x4270d8"
  804. },
  805. {
  806. "name": "HeapFree",
  807. "address": "0x4270dc"
  808. },
  809. {
  810. "name": "HeapAlloc",
  811. "address": "0x4270e0"
  812. },
  813. {
  814. "name": "SetLastError",
  815. "address": "0x4270e4"
  816. },
  817. {
  818. "name": "GetCurrentThread",
  819. "address": "0x4270e8"
  820. },
  821. {
  822. "name": "GetCurrentThreadId",
  823. "address": "0x4270ec"
  824. },
  825. {
  826. "name": "GetProcessHeap",
  827. "address": "0x4270f0"
  828. },
  829. {
  830. "name": "GetStdHandle",
  831. "address": "0x4270f4"
  832. },
  833. {
  834. "name": "GetFileType",
  835. "address": "0x4270f8"
  836. },
  837. {
  838. "name": "GetStartupInfoW",
  839. "address": "0x4270fc"
  840. },
  841. {
  842. "name": "GetModuleFileNameA",
  843. "address": "0x427100"
  844. },
  845. {
  846. "name": "GetModuleFileNameW",
  847. "address": "0x427104"
  848. },
  849. {
  850. "name": "QueryPerformanceCounter",
  851. "address": "0x427108"
  852. },
  853. {
  854. "name": "GetCurrentProcessId",
  855. "address": "0x42710c"
  856. },
  857. {
  858. "name": "GetSystemTimeAsFileTime",
  859. "address": "0x427110"
  860. },
  861. {
  862. "name": "GetEnvironmentStringsW",
  863. "address": "0x427114"
  864. },
  865. {
  866. "name": "FreeEnvironmentStringsW",
  867. "address": "0x427118"
  868. },
  869. {
  870. "name": "UnhandledExceptionFilter",
  871. "address": "0x42711c"
  872. },
  873. {
  874. "name": "SetUnhandledExceptionFilter",
  875. "address": "0x427120"
  876. },
  877. {
  878. "name": "InitializeCriticalSectionAndSpinCount",
  879. "address": "0x427124"
  880. },
  881. {
  882. "name": "CreateEventW",
  883. "address": "0x427128"
  884. },
  885. {
  886. "name": "Sleep",
  887. "address": "0x42712c"
  888. },
  889. {
  890. "name": "GetCurrentProcess",
  891. "address": "0x427130"
  892. },
  893. {
  894. "name": "TerminateProcess",
  895. "address": "0x427134"
  896. },
  897. {
  898. "name": "TlsAlloc",
  899. "address": "0x427138"
  900. },
  901. {
  902. "name": "TlsGetValue",
  903. "address": "0x42713c"
  904. },
  905. {
  906. "name": "TlsSetValue",
  907. "address": "0x427140"
  908. },
  909. {
  910. "name": "TlsFree",
  911. "address": "0x427144"
  912. },
  913. {
  914. "name": "GetTickCount",
  915. "address": "0x427148"
  916. },
  917. {
  918. "name": "GetModuleHandleW",
  919. "address": "0x42714c"
  920. },
  921. {
  922. "name": "CreateSemaphoreW",
  923. "address": "0x427150"
  924. },
  925. {
  926. "name": "SetStdHandle",
  927. "address": "0x427154"
  928. },
  929. {
  930. "name": "SetFilePointerEx",
  931. "address": "0x427158"
  932. },
  933. {
  934. "name": "WriteConsoleW",
  935. "address": "0x42715c"
  936. },
  937. {
  938. "name": "SetConsoleCtrlHandler",
  939. "address": "0x427160"
  940. },
  941. {
  942. "name": "FreeLibrary",
  943. "address": "0x427164"
  944. },
  945. {
  946. "name": "LoadLibraryExW",
  947. "address": "0x427168"
  948. },
  949. {
  950. "name": "IsValidCodePage",
  951. "address": "0x42716c"
  952. },
  953. {
  954. "name": "GetACP",
  955. "address": "0x427170"
  956. },
  957. {
  958. "name": "GetOEMCP",
  959. "address": "0x427174"
  960. },
  961. {
  962. "name": "GetCPInfo",
  963. "address": "0x427178"
  964. },
  965. {
  966. "name": "HeapReAlloc",
  967. "address": "0x42717c"
  968. },
  969. {
  970. "name": "GetDateFormatW",
  971. "address": "0x427180"
  972. },
  973. {
  974. "name": "GetTimeFormatW",
  975. "address": "0x427184"
  976. },
  977. {
  978. "name": "CompareStringW",
  979. "address": "0x427188"
  980. },
  981. {
  982. "name": "LCMapStringW",
  983. "address": "0x42718c"
  984. },
  985. {
  986. "name": "CreateFileW",
  987. "address": "0x427190"
  988. }
  989. ],
  990. "dll": "KERNEL32.dll"
  991. },
  992. {
  993. "imports": [
  994. {
  995. "name": "AbortSystemShutdownA",
  996. "address": "0x427000"
  997. },
  998. {
  999. "name": "AddAuditAccessObjectAce",
  1000. "address": "0x427004"
  1001. },
  1002. {
  1003. "name": "RegCreateKeyExW",
  1004. "address": "0x427008"
  1005. },
  1006. {
  1007. "name": "OpenProcessToken",
  1008. "address": "0x42700c"
  1009. },
  1010. {
  1011. "name": "RegEnumKeyExW",
  1012. "address": "0x427010"
  1013. }
  1014. ],
  1015. "dll": "ADVAPI32.dll"
  1016. },
  1017. {
  1018. "imports": [
  1019. {
  1020. "name": "WinHttpWriteData",
  1021. "address": "0x4271a4"
  1022. },
  1023. {
  1024. "name": "WinHttpOpen",
  1025. "address": "0x4271a8"
  1026. }
  1027. ],
  1028. "dll": "WINHTTP.dll"
  1029. },
  1030. {
  1031. "imports": [
  1032. {
  1033. "name": "GradientFill",
  1034. "address": "0x427198"
  1035. },
  1036. {
  1037. "name": "TransparentBlt",
  1038. "address": "0x42719c"
  1039. }
  1040. ],
  1041. "dll": "MSIMG32.dll"
  1042. }
  1043. ],
  1044. "digital_signers": null,
  1045. "exported_dll_name": "cubusemono.exe",
  1046. "actual_checksum": "0x0004b223",
  1047. "overlay": null,
  1048. "imagebase": "0x00400000",
  1049. "reported_checksum": "0x0004b223",
  1050. "icon_hash": null,
  1051. "entrypoint": "0x00403aa1",
  1052. "timestamp": "2017-12-19 04:28:11",
  1053. "osversion": "5.1",
  1054. "sections": [
  1055. {
  1056. "name": ".text",
  1057. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1058. "virtual_address": "0x00001000",
  1059. "size_of_data": "0x00025200",
  1060. "entropy": "6.72",
  1061. "raw_address": "0x00000400",
  1062. "virtual_size": "0x0002502d",
  1063. "characteristics_raw": "0x60000020"
  1064. },
  1065. {
  1066. "name": ".rdata",
  1067. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1068. "virtual_address": "0x00027000",
  1069. "size_of_data": "0x00010e00",
  1070. "entropy": "6.05",
  1071. "raw_address": "0x00025600",
  1072. "virtual_size": "0x00010cd6",
  1073. "characteristics_raw": "0x40000040"
  1074. },
  1075. {
  1076. "name": ".data",
  1077. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1078. "virtual_address": "0x00038000",
  1079. "size_of_data": "0x00001a00",
  1080. "entropy": "3.42",
  1081. "raw_address": "0x00036400",
  1082. "virtual_size": "0x04e5d9ec",
  1083. "characteristics_raw": "0xc0000040"
  1084. },
  1085. {
  1086. "name": ".sasa",
  1087. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1088. "virtual_address": "0x04e96000",
  1089. "size_of_data": "0x00000600",
  1090. "entropy": "0.00",
  1091. "raw_address": "0x00037e00",
  1092. "virtual_size": "0x00001400",
  1093. "characteristics_raw": "0xc0000040"
  1094. },
  1095. {
  1096. "name": ".rsrc",
  1097. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1098. "virtual_address": "0x04e98000",
  1099. "size_of_data": "0x00006c00",
  1100. "entropy": "6.33",
  1101. "raw_address": "0x00038400",
  1102. "virtual_size": "0x00006a28",
  1103. "characteristics_raw": "0x40000040"
  1104. },
  1105. {
  1106. "name": ".reloc",
  1107. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1108. "virtual_address": "0x04e9f000",
  1109. "size_of_data": "0x00002200",
  1110. "entropy": "6.47",
  1111. "raw_address": "0x0003f000",
  1112. "virtual_size": "0x00002004",
  1113. "characteristics_raw": "0x42000040"
  1114. }
  1115. ],
  1116. "resources": [],
  1117. "dirents": [
  1118. {
  1119. "virtual_address": "0x000372b0",
  1120. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1121. "size": "0x0000004e"
  1122. },
  1123. {
  1124. "virtual_address": "0x00037300",
  1125. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1126. "size": "0x00000064"
  1127. },
  1128. {
  1129. "virtual_address": "0x04e98000",
  1130. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1131. "size": "0x00006a28"
  1132. },
  1133. {
  1134. "virtual_address": "0x00000000",
  1135. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1136. "size": "0x00000000"
  1137. },
  1138. {
  1139. "virtual_address": "0x00000000",
  1140. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1141. "size": "0x00000000"
  1142. },
  1143. {
  1144. "virtual_address": "0x04e9f000",
  1145. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1146. "size": "0x00002004"
  1147. },
  1148. {
  1149. "virtual_address": "0x00027210",
  1150. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1151. "size": "0x00000038"
  1152. },
  1153. {
  1154. "virtual_address": "0x00000000",
  1155. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1156. "size": "0x00000000"
  1157. },
  1158. {
  1159. "virtual_address": "0x00000000",
  1160. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1161. "size": "0x00000000"
  1162. },
  1163. {
  1164. "virtual_address": "0x00000000",
  1165. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1166. "size": "0x00000000"
  1167. },
  1168. {
  1169. "virtual_address": "0x00000000",
  1170. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1171. "size": "0x00000000"
  1172. },
  1173. {
  1174. "virtual_address": "0x00000000",
  1175. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1176. "size": "0x00000000"
  1177. },
  1178. {
  1179. "virtual_address": "0x00027000",
  1180. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1181. "size": "0x000001b0"
  1182. },
  1183. {
  1184. "virtual_address": "0x00000000",
  1185. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1186. "size": "0x00000000"
  1187. },
  1188. {
  1189. "virtual_address": "0x00000000",
  1190. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1191. "size": "0x00000000"
  1192. },
  1193. {
  1194. "virtual_address": "0x00000000",
  1195. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1196. "size": "0x00000000"
  1197. }
  1198. ],
  1199. "exports": [
  1200. {
  1201. "ordinal": 1,
  1202. "name": "MyFunc165@@4",
  1203. "address": "0x425f20"
  1204. }
  1205. ],
  1206. "guest_signers": {},
  1207. "imphash": "42eb97f8f9223841094c685084b30abf",
  1208. "icon_fuzzy": null,
  1209. "icon": null,
  1210. "pdbpath": "C:\\walukafomow-gozonixo\\fozuje.pdb\\x00ypt\\tmp_213048127\\bin\\cubusemono.pdb\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x96C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff",
  1211. "imported_dll_count": 4,
  1212. "versioninfo": []
  1213. }
  1214. }
  1215.  
  1216. [*] Resolved APIs: [
  1217. "kernel32.dll.FlsAlloc",
  1218. "kernel32.dll.FlsFree",
  1219. "kernel32.dll.FlsGetValue",
  1220. "kernel32.dll.FlsSetValue",
  1221. "kernel32.dll.InitializeCriticalSectionEx",
  1222. "kernel32.dll.CreateEventExW",
  1223. "kernel32.dll.CreateSemaphoreExW",
  1224. "kernel32.dll.SetThreadStackGuarantee",
  1225. "kernel32.dll.CreateThreadpoolTimer",
  1226. "kernel32.dll.SetThreadpoolTimer",
  1227. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1228. "kernel32.dll.CloseThreadpoolTimer",
  1229. "kernel32.dll.CreateThreadpoolWait",
  1230. "kernel32.dll.SetThreadpoolWait",
  1231. "kernel32.dll.CloseThreadpoolWait",
  1232. "kernel32.dll.FlushProcessWriteBuffers",
  1233. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1234. "kernel32.dll.GetCurrentProcessorNumber",
  1235. "kernel32.dll.GetLogicalProcessorInformation",
  1236. "kernel32.dll.CreateSymbolicLinkW",
  1237. "kernel32.dll.EnumSystemLocalesEx",
  1238. "kernel32.dll.CompareStringEx",
  1239. "kernel32.dll.GetDateFormatEx",
  1240. "kernel32.dll.GetLocaleInfoEx",
  1241. "kernel32.dll.GetTimeFormatEx",
  1242. "kernel32.dll.GetUserDefaultLocaleName",
  1243. "kernel32.dll.IsValidLocaleName",
  1244. "kernel32.dll.LCMapStringEx",
  1245. "kernel32.dll.GetTickCount64",
  1246. "kernel32.dll.LoadLibraryA",
  1247. "kernel32.dll.VirtualAlloc",
  1248. "kernel32.dll.VirtualProtect",
  1249. "kernel32.dll.VirtualFree",
  1250. "kernel32.dll.GetVersionExA",
  1251. "kernel32.dll.TerminateProcess",
  1252. "kernel32.dll.ExitProcess",
  1253. "kernel32.dll.SetErrorMode",
  1254. "msvcrt.dll._except_handler3",
  1255. "msvcrt.dll.__set_app_type",
  1256. "msvcrt.dll.__p__fmode",
  1257. "msvcrt.dll.__p__commode",
  1258. "msvcrt.dll._adjust_fdiv",
  1259. "msvcrt.dll.__setusermatherr",
  1260. "msvcrt.dll._initterm",
  1261. "msvcrt.dll.__getmainargs",
  1262. "msvcrt.dll._acmdln",
  1263. "msvcrt.dll.exit",
  1264. "msvcrt.dll._XcptFilter",
  1265. "msvcrt.dll._exit",
  1266. "msvcrt.dll.wcsstr",
  1267. "msvcrt.dll.wcslen",
  1268. "msvcrt.dll.mbstowcs",
  1269. "msvcrt.dll.atoi",
  1270. "msvcrt.dll._snwprintf",
  1271. "msvcrt.dll._wfopen",
  1272. "msvcrt.dll.fgets",
  1273. "msvcrt.dll.fclose",
  1274. "msvcrt.dll.strtok",
  1275. "msvcrt.dll.strchr",
  1276. "msvcrt.dll.strcpy",
  1277. "msvcrt.dll.strcat",
  1278. "msvcrt.dll.strlen",
  1279. "msvcrt.dll.strstr",
  1280. "msvcrt.dll._snprintf",
  1281. "msvcrt.dll.memset",
  1282. "msvcrt.dll.malloc",
  1283. "msvcrt.dll.srand",
  1284. "msvcrt.dll.rand",
  1285. "msvcrt.dll._controlfp",
  1286. "msvcrt.dll.sprintf",
  1287. "ws2_32.dll.#9",
  1288. "ws2_32.dll.#16",
  1289. "ws2_32.dll.#115",
  1290. "ws2_32.dll.#19",
  1291. "ws2_32.dll.#23",
  1292. "ws2_32.dll.#4",
  1293. "ws2_32.dll.#11",
  1294. "ws2_32.dll.#52",
  1295. "ws2_32.dll.#3",
  1296. "wininet.dll.InternetOpenUrlW",
  1297. "wininet.dll.InternetReadFile",
  1298. "wininet.dll.InternetOpenA",
  1299. "wininet.dll.InternetOpenUrlA",
  1300. "wininet.dll.InternetOpenW",
  1301. "wininet.dll.InternetCloseHandle",
  1302. "shlwapi.dll.PathFindFileNameW",
  1303. "dnsapi.dll.DnsQuery_A",
  1304. "dnsapi.dll.DnsFree",
  1305. "kernel32.dll.GetTickCount",
  1306. "kernel32.dll.GetTimeZoneInformation",
  1307. "kernel32.dll.FileTimeToSystemTime",
  1308. "kernel32.dll.CloseHandle",
  1309. "kernel32.dll.WriteFile",
  1310. "kernel32.dll.CreateFileW",
  1311. "kernel32.dll.ExpandEnvironmentStringsW",
  1312. "kernel32.dll.FileTimeToLocalFileTime",
  1313. "kernel32.dll.CopyFileW",
  1314. "kernel32.dll.CreateDirectoryW",
  1315. "kernel32.dll.GetModuleFileNameW",
  1316. "kernel32.dll.GetLastError",
  1317. "kernel32.dll.Sleep",
  1318. "kernel32.dll.CreateMutexA",
  1319. "kernel32.dll.GetModuleHandleA",
  1320. "kernel32.dll.GetStartupInfoA",
  1321. "kernel32.dll.GetLocalTime",
  1322. "kernel32.dll.CreateProcessW",
  1323. "kernel32.dll.SetFileAttributesW",
  1324. "kernel32.dll.DeleteFileW",
  1325. "kernel32.dll.ExitThread",
  1326. "kernel32.dll.CreateThread",
  1327. "user32.dll.wsprintfA",
  1328. "advapi32.dll.RegSetValueExW",
  1329. "advapi32.dll.RegCloseKey",
  1330. "advapi32.dll.RegOpenKeyExW",
  1331. "shell32.dll.ShellExecuteW",
  1332. "msvcr100.dll.atexit"
  1333. ]
  1334.  
  1335. [*] Static Analysis: {
  1336. "pe": {
  1337. "peid_signatures": null,
  1338. "imports": [
  1339. {
  1340. "imports": [
  1341. {
  1342. "name": "SetVolumeMountPointW",
  1343. "address": "0x427018"
  1344. },
  1345. {
  1346. "name": "UnlockFile",
  1347. "address": "0x42701c"
  1348. },
  1349. {
  1350. "name": "GetNumberFormatA",
  1351. "address": "0x427020"
  1352. },
  1353. {
  1354. "name": "GlobalAlloc",
  1355. "address": "0x427024"
  1356. },
  1357. {
  1358. "name": "LoadLibraryW",
  1359. "address": "0x427028"
  1360. },
  1361. {
  1362. "name": "DnsHostnameToComputerNameW",
  1363. "address": "0x42702c"
  1364. },
  1365. {
  1366. "name": "GetBinaryTypeA",
  1367. "address": "0x427030"
  1368. },
  1369. {
  1370. "name": "lstrlenW",
  1371. "address": "0x427034"
  1372. },
  1373. {
  1374. "name": "SetHandleInformation",
  1375. "address": "0x427038"
  1376. },
  1377. {
  1378. "name": "GetProcAddress",
  1379. "address": "0x42703c"
  1380. },
  1381. {
  1382. "name": "PeekConsoleInputW",
  1383. "address": "0x427040"
  1384. },
  1385. {
  1386. "name": "LocalLock",
  1387. "address": "0x427044"
  1388. },
  1389. {
  1390. "name": "VirtualProtect",
  1391. "address": "0x427048"
  1392. },
  1393. {
  1394. "name": "CreateToolhelp32Snapshot",
  1395. "address": "0x42704c"
  1396. },
  1397. {
  1398. "name": "DuplicateHandle",
  1399. "address": "0x427050"
  1400. },
  1401. {
  1402. "name": "CloseHandle",
  1403. "address": "0x427054"
  1404. },
  1405. {
  1406. "name": "ZombifyActCtx",
  1407. "address": "0x427058"
  1408. },
  1409. {
  1410. "name": "lstrcpynA",
  1411. "address": "0x42705c"
  1412. },
  1413. {
  1414. "name": "DebugActiveProcessStop",
  1415. "address": "0x427060"
  1416. },
  1417. {
  1418. "name": "GlobalMemoryStatus",
  1419. "address": "0x427064"
  1420. },
  1421. {
  1422. "name": "Module32First",
  1423. "address": "0x427068"
  1424. },
  1425. {
  1426. "name": "ExitProcess",
  1427. "address": "0x42706c"
  1428. },
  1429. {
  1430. "name": "GetStringTypeW",
  1431. "address": "0x427070"
  1432. },
  1433. {
  1434. "name": "OutputDebugStringW",
  1435. "address": "0x427074"
  1436. },
  1437. {
  1438. "name": "EnumSystemLocalesW",
  1439. "address": "0x427078"
  1440. },
  1441. {
  1442. "name": "GetUserDefaultLCID",
  1443. "address": "0x42707c"
  1444. },
  1445. {
  1446. "name": "IsValidLocale",
  1447. "address": "0x427080"
  1448. },
  1449. {
  1450. "name": "GetLocaleInfoW",
  1451. "address": "0x427084"
  1452. },
  1453. {
  1454. "name": "EncodePointer",
  1455. "address": "0x427088"
  1456. },
  1457. {
  1458. "name": "DecodePointer",
  1459. "address": "0x42708c"
  1460. },
  1461. {
  1462. "name": "GetCommandLineA",
  1463. "address": "0x427090"
  1464. },
  1465. {
  1466. "name": "RaiseException",
  1467. "address": "0x427094"
  1468. },
  1469. {
  1470. "name": "RtlUnwind",
  1471. "address": "0x427098"
  1472. },
  1473. {
  1474. "name": "IsDebuggerPresent",
  1475. "address": "0x42709c"
  1476. },
  1477. {
  1478. "name": "IsProcessorFeaturePresent",
  1479. "address": "0x4270a0"
  1480. },
  1481. {
  1482. "name": "EnterCriticalSection",
  1483. "address": "0x4270a4"
  1484. },
  1485. {
  1486. "name": "LeaveCriticalSection",
  1487. "address": "0x4270a8"
  1488. },
  1489. {
  1490. "name": "FlushFileBuffers",
  1491. "address": "0x4270ac"
  1492. },
  1493. {
  1494. "name": "GetLastError",
  1495. "address": "0x4270b0"
  1496. },
  1497. {
  1498. "name": "WriteFile",
  1499. "address": "0x4270b4"
  1500. },
  1501. {
  1502. "name": "WideCharToMultiByte",
  1503. "address": "0x4270b8"
  1504. },
  1505. {
  1506. "name": "GetConsoleCP",
  1507. "address": "0x4270bc"
  1508. },
  1509. {
  1510. "name": "GetConsoleMode",
  1511. "address": "0x4270c0"
  1512. },
  1513. {
  1514. "name": "DeleteCriticalSection",
  1515. "address": "0x4270c4"
  1516. },
  1517. {
  1518. "name": "FatalAppExitA",
  1519. "address": "0x4270c8"
  1520. },
  1521. {
  1522. "name": "GetModuleHandleExW",
  1523. "address": "0x4270cc"
  1524. },
  1525. {
  1526. "name": "AreFileApisANSI",
  1527. "address": "0x4270d0"
  1528. },
  1529. {
  1530. "name": "MultiByteToWideChar",
  1531. "address": "0x4270d4"
  1532. },
  1533. {
  1534. "name": "HeapSize",
  1535. "address": "0x4270d8"
  1536. },
  1537. {
  1538. "name": "HeapFree",
  1539. "address": "0x4270dc"
  1540. },
  1541. {
  1542. "name": "HeapAlloc",
  1543. "address": "0x4270e0"
  1544. },
  1545. {
  1546. "name": "SetLastError",
  1547. "address": "0x4270e4"
  1548. },
  1549. {
  1550. "name": "GetCurrentThread",
  1551. "address": "0x4270e8"
  1552. },
  1553. {
  1554. "name": "GetCurrentThreadId",
  1555. "address": "0x4270ec"
  1556. },
  1557. {
  1558. "name": "GetProcessHeap",
  1559. "address": "0x4270f0"
  1560. },
  1561. {
  1562. "name": "GetStdHandle",
  1563. "address": "0x4270f4"
  1564. },
  1565. {
  1566. "name": "GetFileType",
  1567. "address": "0x4270f8"
  1568. },
  1569. {
  1570. "name": "GetStartupInfoW",
  1571. "address": "0x4270fc"
  1572. },
  1573. {
  1574. "name": "GetModuleFileNameA",
  1575. "address": "0x427100"
  1576. },
  1577. {
  1578. "name": "GetModuleFileNameW",
  1579. "address": "0x427104"
  1580. },
  1581. {
  1582. "name": "QueryPerformanceCounter",
  1583. "address": "0x427108"
  1584. },
  1585. {
  1586. "name": "GetCurrentProcessId",
  1587. "address": "0x42710c"
  1588. },
  1589. {
  1590. "name": "GetSystemTimeAsFileTime",
  1591. "address": "0x427110"
  1592. },
  1593. {
  1594. "name": "GetEnvironmentStringsW",
  1595. "address": "0x427114"
  1596. },
  1597. {
  1598. "name": "FreeEnvironmentStringsW",
  1599. "address": "0x427118"
  1600. },
  1601. {
  1602. "name": "UnhandledExceptionFilter",
  1603. "address": "0x42711c"
  1604. },
  1605. {
  1606. "name": "SetUnhandledExceptionFilter",
  1607. "address": "0x427120"
  1608. },
  1609. {
  1610. "name": "InitializeCriticalSectionAndSpinCount",
  1611. "address": "0x427124"
  1612. },
  1613. {
  1614. "name": "CreateEventW",
  1615. "address": "0x427128"
  1616. },
  1617. {
  1618. "name": "Sleep",
  1619. "address": "0x42712c"
  1620. },
  1621. {
  1622. "name": "GetCurrentProcess",
  1623. "address": "0x427130"
  1624. },
  1625. {
  1626. "name": "TerminateProcess",
  1627. "address": "0x427134"
  1628. },
  1629. {
  1630. "name": "TlsAlloc",
  1631. "address": "0x427138"
  1632. },
  1633. {
  1634. "name": "TlsGetValue",
  1635. "address": "0x42713c"
  1636. },
  1637. {
  1638. "name": "TlsSetValue",
  1639. "address": "0x427140"
  1640. },
  1641. {
  1642. "name": "TlsFree",
  1643. "address": "0x427144"
  1644. },
  1645. {
  1646. "name": "GetTickCount",
  1647. "address": "0x427148"
  1648. },
  1649. {
  1650. "name": "GetModuleHandleW",
  1651. "address": "0x42714c"
  1652. },
  1653. {
  1654. "name": "CreateSemaphoreW",
  1655. "address": "0x427150"
  1656. },
  1657. {
  1658. "name": "SetStdHandle",
  1659. "address": "0x427154"
  1660. },
  1661. {
  1662. "name": "SetFilePointerEx",
  1663. "address": "0x427158"
  1664. },
  1665. {
  1666. "name": "WriteConsoleW",
  1667. "address": "0x42715c"
  1668. },
  1669. {
  1670. "name": "SetConsoleCtrlHandler",
  1671. "address": "0x427160"
  1672. },
  1673. {
  1674. "name": "FreeLibrary",
  1675. "address": "0x427164"
  1676. },
  1677. {
  1678. "name": "LoadLibraryExW",
  1679. "address": "0x427168"
  1680. },
  1681. {
  1682. "name": "IsValidCodePage",
  1683. "address": "0x42716c"
  1684. },
  1685. {
  1686. "name": "GetACP",
  1687. "address": "0x427170"
  1688. },
  1689. {
  1690. "name": "GetOEMCP",
  1691. "address": "0x427174"
  1692. },
  1693. {
  1694. "name": "GetCPInfo",
  1695. "address": "0x427178"
  1696. },
  1697. {
  1698. "name": "HeapReAlloc",
  1699. "address": "0x42717c"
  1700. },
  1701. {
  1702. "name": "GetDateFormatW",
  1703. "address": "0x427180"
  1704. },
  1705. {
  1706. "name": "GetTimeFormatW",
  1707. "address": "0x427184"
  1708. },
  1709. {
  1710. "name": "CompareStringW",
  1711. "address": "0x427188"
  1712. },
  1713. {
  1714. "name": "LCMapStringW",
  1715. "address": "0x42718c"
  1716. },
  1717. {
  1718. "name": "CreateFileW",
  1719. "address": "0x427190"
  1720. }
  1721. ],
  1722. "dll": "KERNEL32.dll"
  1723. },
  1724. {
  1725. "imports": [
  1726. {
  1727. "name": "AbortSystemShutdownA",
  1728. "address": "0x427000"
  1729. },
  1730. {
  1731. "name": "AddAuditAccessObjectAce",
  1732. "address": "0x427004"
  1733. },
  1734. {
  1735. "name": "RegCreateKeyExW",
  1736. "address": "0x427008"
  1737. },
  1738. {
  1739. "name": "OpenProcessToken",
  1740. "address": "0x42700c"
  1741. },
  1742. {
  1743. "name": "RegEnumKeyExW",
  1744. "address": "0x427010"
  1745. }
  1746. ],
  1747. "dll": "ADVAPI32.dll"
  1748. },
  1749. {
  1750. "imports": [
  1751. {
  1752. "name": "WinHttpWriteData",
  1753. "address": "0x4271a4"
  1754. },
  1755. {
  1756. "name": "WinHttpOpen",
  1757. "address": "0x4271a8"
  1758. }
  1759. ],
  1760. "dll": "WINHTTP.dll"
  1761. },
  1762. {
  1763. "imports": [
  1764. {
  1765. "name": "GradientFill",
  1766. "address": "0x427198"
  1767. },
  1768. {
  1769. "name": "TransparentBlt",
  1770. "address": "0x42719c"
  1771. }
  1772. ],
  1773. "dll": "MSIMG32.dll"
  1774. }
  1775. ],
  1776. "digital_signers": null,
  1777. "exported_dll_name": "cubusemono.exe",
  1778. "actual_checksum": "0x0004b223",
  1779. "overlay": null,
  1780. "imagebase": "0x00400000",
  1781. "reported_checksum": "0x0004b223",
  1782. "icon_hash": null,
  1783. "entrypoint": "0x00403aa1",
  1784. "timestamp": "2017-12-19 04:28:11",
  1785. "osversion": "5.1",
  1786. "sections": [
  1787. {
  1788. "name": ".text",
  1789. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1790. "virtual_address": "0x00001000",
  1791. "size_of_data": "0x00025200",
  1792. "entropy": "6.72",
  1793. "raw_address": "0x00000400",
  1794. "virtual_size": "0x0002502d",
  1795. "characteristics_raw": "0x60000020"
  1796. },
  1797. {
  1798. "name": ".rdata",
  1799. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1800. "virtual_address": "0x00027000",
  1801. "size_of_data": "0x00010e00",
  1802. "entropy": "6.05",
  1803. "raw_address": "0x00025600",
  1804. "virtual_size": "0x00010cd6",
  1805. "characteristics_raw": "0x40000040"
  1806. },
  1807. {
  1808. "name": ".data",
  1809. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1810. "virtual_address": "0x00038000",
  1811. "size_of_data": "0x00001a00",
  1812. "entropy": "3.42",
  1813. "raw_address": "0x00036400",
  1814. "virtual_size": "0x04e5d9ec",
  1815. "characteristics_raw": "0xc0000040"
  1816. },
  1817. {
  1818. "name": ".sasa",
  1819. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1820. "virtual_address": "0x04e96000",
  1821. "size_of_data": "0x00000600",
  1822. "entropy": "0.00",
  1823. "raw_address": "0x00037e00",
  1824. "virtual_size": "0x00001400",
  1825. "characteristics_raw": "0xc0000040"
  1826. },
  1827. {
  1828. "name": ".rsrc",
  1829. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1830. "virtual_address": "0x04e98000",
  1831. "size_of_data": "0x00006c00",
  1832. "entropy": "6.33",
  1833. "raw_address": "0x00038400",
  1834. "virtual_size": "0x00006a28",
  1835. "characteristics_raw": "0x40000040"
  1836. },
  1837. {
  1838. "name": ".reloc",
  1839. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1840. "virtual_address": "0x04e9f000",
  1841. "size_of_data": "0x00002200",
  1842. "entropy": "6.47",
  1843. "raw_address": "0x0003f000",
  1844. "virtual_size": "0x00002004",
  1845. "characteristics_raw": "0x42000040"
  1846. }
  1847. ],
  1848. "resources": [],
  1849. "dirents": [
  1850. {
  1851. "virtual_address": "0x000372b0",
  1852. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1853. "size": "0x0000004e"
  1854. },
  1855. {
  1856. "virtual_address": "0x00037300",
  1857. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1858. "size": "0x00000064"
  1859. },
  1860. {
  1861. "virtual_address": "0x04e98000",
  1862. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1863. "size": "0x00006a28"
  1864. },
  1865. {
  1866. "virtual_address": "0x00000000",
  1867. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1868. "size": "0x00000000"
  1869. },
  1870. {
  1871. "virtual_address": "0x00000000",
  1872. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1873. "size": "0x00000000"
  1874. },
  1875. {
  1876. "virtual_address": "0x04e9f000",
  1877. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1878. "size": "0x00002004"
  1879. },
  1880. {
  1881. "virtual_address": "0x00027210",
  1882. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1883. "size": "0x00000038"
  1884. },
  1885. {
  1886. "virtual_address": "0x00000000",
  1887. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1888. "size": "0x00000000"
  1889. },
  1890. {
  1891. "virtual_address": "0x00000000",
  1892. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1893. "size": "0x00000000"
  1894. },
  1895. {
  1896. "virtual_address": "0x00000000",
  1897. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1898. "size": "0x00000000"
  1899. },
  1900. {
  1901. "virtual_address": "0x00000000",
  1902. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1903. "size": "0x00000000"
  1904. },
  1905. {
  1906. "virtual_address": "0x00000000",
  1907. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1908. "size": "0x00000000"
  1909. },
  1910. {
  1911. "virtual_address": "0x00027000",
  1912. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1913. "size": "0x000001b0"
  1914. },
  1915. {
  1916. "virtual_address": "0x00000000",
  1917. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1918. "size": "0x00000000"
  1919. },
  1920. {
  1921. "virtual_address": "0x00000000",
  1922. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1923. "size": "0x00000000"
  1924. },
  1925. {
  1926. "virtual_address": "0x00000000",
  1927. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1928. "size": "0x00000000"
  1929. }
  1930. ],
  1931. "exports": [
  1932. {
  1933. "ordinal": 1,
  1934. "name": "MyFunc165@@4",
  1935. "address": "0x425f20"
  1936. }
  1937. ],
  1938. "guest_signers": {},
  1939. "imphash": "42eb97f8f9223841094c685084b30abf",
  1940. "icon_fuzzy": null,
  1941. "icon": null,
  1942. "pdbpath": "C:\\walukafomow-gozonixo\\fozuje.pdb\\x00ypt\\tmp_213048127\\bin\\cubusemono.pdb\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x96C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff",
  1943. "imported_dll_count": 4,
  1944. "versioninfo": []
  1945. }
  1946. }