

rdata
Extensive use of GetProcAddress (often used to hide API calls)
Code function: 0_2_00147997 GetModuleHandleW, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress,
Disables application error messages (SetErrorMode)
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in.

PE file contains a valid data directory to section mapping
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary string: C:\Users\paulb\code\Squirrel\squirrel.windows\src\StubExecutable\bin\Release\StubExecutable.pdb source: SourceTree.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
PE file contains a mix of data directories often seen in goodware
Static PE information: certificate valid
Process created: C:\Users\user\Desktop\SourceTree.exe 'C:\Users\user\Desktop\SourceTree.
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
File read: C:\Windows\System32\drivers\etc\hosts
text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
text section and no other executable section
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5816
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4F0. Source: C:\Windows\SysWOW64\WerFault.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 224 Source: C:\Users\user\Desktop\SourceTree.exe
Found potential string decryption / allocating functions
Code function: String function: 00148C30 appears 35 times
String found in binary or memory: w.digicert.
String found in binary or memory: p.digicert.
String found in binary or memory: 4.digicert.

String found in binary or memory: 3.digicert.
String found in binary or memory: erts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
String found in binary or memory: erts.digicert.com/DigiCertAssuredIDRootCA.crt0
