The files Midterm1.7z and Midterm2.7z are protected by the password "malware", without the quotes.

The exam is to be emailed to Alison and me no later than 5:30pm Monday 
Midterm1.exe

(2pts) What is the sha256 for the file?


(4pts) What Windows API functions does this program use?


(4pts) Are there any Host-Based or Network-Based Indicators in the program? What are they?


(4pts) What is the function at 0x401040 doing?


(6pts) What function from the C Library is being used at 0x4012B5?


(6pts) What C language construct best resembles the set of instructions located at 0x401150?


(4pts) How long does the program sleep for when the function is called?


(8pts) What does this program do?



(2pts Extra Credit) There is a popular movie quote located somewhere
in the executable. What movie is it from and who said it?




Midterm2.exe
(2pts) What is the sha256 for the file?


(2pts) Is the file packed, and if so, how?


(4pts) What Windows API functions does this program use?


(4pts) Are there any Host-Based or Network-Based Indicators in the program? What are they?


(4pts) How many functions, if any, write to a file? Where are those functions?


(6pts) If there is network activity, what protocol(s) are used? Describe the network activity.


(6pts) How does this program attain persistence, if it does?


(10pts) What does this program do?