{ "79b417a8e99f72cc682e89fbdbb4262270ee1a24d07c6e3c82a13446a5a683fb": { "DOS Header": { "e_magic": "MZ", "e_cblp": 144, "e_cp": 3, "e_crlc": 0, "e_cparhdr": 4, "e_minalloc": 0, "e_maxalloc": 65535, "e_ss": 0, "e_sp": 184, "e_csum": 0, "e_ip": 0, "e_cs": 0, "e_ovno": 0, "e_oemid": 0, "e_oeminfo": 0, "e_lfanew": 224 }, "Debug Info": { "IMAGE_DEBUG_TYPE_CODEVIEW": { "Characteristics": 0, "TimeDateStamp": "2000-Aug-06 07:34:58", "Version": "0.0", "SizeofData": 75, "AddressOfRawData": 0, "PointerToRawData": 20480, "Referenced File": "tup.pdb" } }, "Errors": "", "Hashes": { "MD5": "0a0ae6454e4e6ca0ee0dc5c6ebee97ba", "SHA1": "5d514a73f8240799facd425d76d2ae7d1e2cbb73", "SHA256": "79b417a8e99f72cc682e89fbdbb4262270ee1a24d07c6e3c82a13446a5a683fb", "SHA3": "c07a56ff6a486e2c7e11de89cb75735a2bff763e9f707467413566d33918b8b2", "SSDeep": "1536:IfN5K7N7e5HvCHs/4h41xG5927zlKWCNewn45W59HkzeLYPL3fVynafqvPdIOU5:IfN5KBC5CH+xF7vCww95YeoLoSqtIzp", "Imports Hash": "6baf264da3571411da6bcfd20eee1894" }, "Image Optional Header": { "Magic": "PE32", "LinkerVersion": "6.0", "SizeOfCode": 720896, "SizeOfInitializedData": 20480, "SizeOfUninitializedData": 0, "AddressOfEntryPoint": "0x00007000 (Section: \\xb9-\\x8a\\x00P\\x11)", "BaseOfCode": 4096, "BaseOfData": 8192, "ImageBase": 4194304, "SectionAlignment": 4096, "FileAlignment": 4096, "OperatingSystemVersion": "4.0", "ImageVersion": "0.0", "SubsystemVersion": "4.0", "Win32VersionValue": 0, "SizeOfImage": 122880, "SizeOfHeaders": 4096, "Checksum": 0, "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_CUI", "SizeofStackReserve": 1048576, "SizeofStackCommit": 4096, "SizeofHeapReserve": 1048576, "SizeofHeapCommit": 4096, "LoaderFlags": 0, "NumberOfRvaAndSizes": 16 }, "Imports": { "MSVCRT.dll": [ "__setusermatherr", "__p__fmode", "__set_app_type", "_except_handler3", "_adjust_fdiv", "__p__commode", "__dllonexit", "_onexit", "_controlfp", "_initterm", "__wgetmainargs", "__p___winitenv", "exit", "_XcptFilter", "_exit", "printf", "_wtoi" ], "KERNEL32.dll": [ "DeleteCriticalSection", "InitializeCriticalSection", "LoadLibraryW", "GetLastError", "GetProcAddress" ] }, "PE Header": { "Signature": "PE", "Machine": "IMAGE_FILE_MACHINE_I386", "NumberofSections": 5, "TimeDateStamp": "2000-Aug-06 07:34:58", "PointerToSymbolTable": 0, "NumberOfSymbols": 0, "SizeOfOptionalHeader": 224, "Characteristics": [ "IMAGE_FILE_32BIT_MACHINE", "IMAGE_FILE_EXECUTABLE_IMAGE", "IMAGE_FILE_LINE_NUMS_STRIPPED", "IMAGE_FILE_LOCAL_SYMS_STRIPPED", "IMAGE_FILE_RELOCS_STRIPPED" ] }, "Plugins": { "compilers": { "level": 1, "plugin_output": { "info_0": "Microsoft Visual C++", "info_1": "Microsoft Visual C++ v6.0" }, "summary": "Matching compiler(s):" }, "packer": { "level": 2, "plugin_output": { "info_0": "Unusual section name found: \\xb9-\\x8a\\x00P\\x11", "info_1": "Section \\xb9-\\x8a\\x00P\\x11 is both writable and executable." }, "summary": "The PE is possibly packed." }, "imports": { "level": 1, "plugin_output": { "[!] The program may be hiding some of its imports": [ "LoadLibraryW", "GetProcAddress" ] }, "summary": "The PE contains common functions which appear in legitimate applications." }, "authenticode": { "level": 3, "plugin_output": { "info_0": "The PE pretends to be from INTEL but is not signed!" }, "summary": "The program tries to mislead users about its origins." }, "virustotal": { "level": 3, "plugin_output": { "Bkav": "W32.StChinCharA.PE", "MicroWorld-eScan": "Win32.Jadtre.E", "nProtect": "Virus/W32.Patched.P", "CMC": "Virus.Win32.Qvod!O", "CAT-QuickHeal": "W32.Jadtre.I", "McAfee": "W32/Fujacks.be", "VIPRE": "Virus.Win32.Jadtre.b (v)", "TheHacker": "Trojan/Bototer.gen", "K7GW": "Virus ( 700000081 )", "K7AntiVirus": "Virus ( 700000081 )", "TrendMicro": "PE_PIKOR.A", "Baidu": "Win32.Virus.Otwycal.b", "F-Prot": "W32/Jadtre.A", "Symantec": "W32.Wapomi.B!inf", "ESET-NOD32": "Win32/AutoRun.NAX", "TrendMicro-HouseCall": "PE_PIKOR.A", "Avast": "Win32:AutoRun-CTB [Trj]", "ClamAV": "Win.Trojan.Wapomi-1", "Kaspersky": "Virus.Win32.Qvod.b", "BitDefender": "Win32.Jadtre.E", "NANO-Antivirus": "Virus.Win32.Qvod.bmnus", "Paloalto": "generic.ml", "ViRobot": "Win32.Qvod.C[h]", "Rising": "Win32.Fednu.e (classic)", "Ad-Aware": "Win32.Jadtre.E", "Sophos": "W32/Jadtre-B", "Comodo": "Virus.Win32.Qvod.~Gen", "F-Secure": "Win32.Jadtre.E", "DrWeb": "Win32.Dropper.5", "Zillya": "Virus.Qvod.Win32.5", "Invincea": "virus.win32.jadtre.i", "McAfee-GW-Edition": "BehavesLike.Win32.Pate.ch", "Emsisoft": "Win32.Jadtre.E (B)", "SentinelOne": "static engine - malicious", "Cyren": "W32/Jadtre.A", "Jiangmin": "Win32/Agent.q", "Webroot": "W32.Qvod.b", "Avira": "W32/Wapomi.J", "Antiy-AVL": "Virus/Win32.Qvod.b", "Kingsoft": "Win32.Agent.g.421888", "Microsoft": "Virus:Win32/Jadtre.I", "Endgame": "malicious (high confidence)", "Arcabit": "Win32.Jadtre.E", "AegisLab": "W32.Qvod.tn6a", "ZoneAlarm": "Virus.Win32.Qvod.b", "GData": "Win32.Jadtre.E", "AhnLab-V3": "Win32/Dellboy.BG", "ALYac": "Win32.Jadtre.E", "AVware": "Virus.Win32.Jadtre.b (v)", "VBA32": "Virus.Win32.Qvod.b", "Zoner": "Win32.Viking", "Tencent": "Virus.Win32.Dropper.a", "Yandex": "Win32.Jadtre.Gen", "Ikarus": "Worm.Win32.Pikorms", "Fortinet": "W32/Krypt.C!tr.bdr", "AVG": "Worm/AutoRun.JT", "Panda": "W32/Bototer.D", "CrowdStrike": "malicious_confidence_100% (W)", "Qihoo-360": "Virus.Win32.Downloader.AF" }, "summary": "VirusTotal score: 59/61 (Scanned on 2017-04-20 21:57:53)" } }, "RICH Header": { "XOR Key": 3669281871, "Unmarked objects": 0, "19 (8034)": 2, "C++ objects (8397)": 1, "C objects (8397)": 11, "14 (7299)": 1, "Total imports": 32, "Linker (8397)": 3, "C++ objects (8769)": 4, "Resource objects (VS98 SP6 cvtres build 1736)": 1 }, "Resources": { "1": { "Type": "RT_VERSION", "Language": "English - United States", "Codepage": "UNKNOWN", "Size": 1242, "TimeDateStamp": "1980-Jan-01 00:00:00", "Entropy": 3.48769, "MD5": "00110bc3bf4e12835540de39d3a7bcd7", "SHA1": "0c6145ba380bd42f551053f4052f04d1d5189df2", "SHA256": "f02abb5667529cb8cf74c86386bdfb82b06356c8709e28d7d497256b21b239cd", "SHA3": "3903a3c7473e7189ac8eb438c99afa912f3d19a16a5ae865bf665667d8fa2f46" } }, "Sections": { ".text": { "MD5": "e4bf92e65759cfc6efc5bfcd61e02dfa", "SHA1": "4bfaf3bc2961ac59a0ab528aad26dae2d1f1125c", "SHA256": "5ff6030f8797407c18421c0ed1d28df2fee3b51ea6cdf1bc8de9aea07c7c3a3d", "SHA3": "6774b5bd6e3502beff72d9679d1a39cdfef34b1f3649bf338acc70c105666f10", "VirtualSize": 722, "VirtualAddress": 4096, "SizeOfRawData": 4096, "PointerToRawData": 4096, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ" ], "Entropy": 1.46236 }, ".rdata": { "MD5": "087b4b3317ac7fed0bd699f290441e37", "SHA1": "99ef36cca5aa78dc1dc99b5bca5987f051fe04d4", "SHA256": "e347a1b843373444cdefa7b9a5a39d37a2c7dd6cebeded8d71b8a8206e3024a2", "SHA3": "2583e2d59d6672123cfec044f91b0a9780e27f122341517b6a473d7ee80c93e6", "VirtualSize": 690, "VirtualAddress": 8192, "SizeOfRawData": 4096, "PointerToRawData": 8192, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ" ], "Entropy": 1.06448 }, ".data": { "MD5": "fdffcb7b48d15875a69ca79a574dc507", "SHA1": "9741335be0804db64ff6ac5f90e23cb44e379b06", "SHA256": "986342226e81639d39f72e2b8ced48427725b605f517948c7a450f36fc21d5b9", "SHA3": "0f9572c81565edcf3ba188dfe8e9766d307aa6ec0d65f26c678c6d1ab07ddfaa", "VirtualSize": 8600, "VirtualAddress": 12288, "SizeOfRawData": 4096, "PointerToRawData": 12288, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE" ], "Entropy": 0.3742 }, ".rsrc": { "MD5": "642bcdc843141defd790b6f2a8e9a07e", "SHA1": "ea7e995ced9a7215c929a0af5a00ab97ddd3a51d", "SHA256": "989f62b3b5142be058c3241c0034a3d4559ab5a95872df752791785226f85f81", "SHA3": "bc04aeab4f6fd5423f7237e45b9551859e2a99b547481e62acfb485f0f458746", "VirtualSize": 1344, "VirtualAddress": 24576, "SizeOfRawData": 4096, "PointerToRawData": 16384, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ" ], "Entropy": 1.37704 }, "\\xb9-\\x8a\\x00P\\x11": { "MD5": "1c776f69aba1043d844ee5f337ffccba", "SHA1": "fc0196e07b66d95825ed641eb1725305b38d58a0", "SHA256": "974964575052161627a33d3d5caccd9545c43eb444cd98ec0a700cb62c1aa153", "SHA3": "0f5595b5f2d09abba1bbd4dbdf448aec44932da6ea44b4b3f56bd1b799eaf3e8", "VirtualSize": 94208, "VirtualAddress": 28672, "SizeOfRawData": 94208, "PointerToRawData": 24576, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 2017, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE" ], "Entropy": 7.68351 } }, "Summary": { "Architecture": "IMAGE_FILE_MACHINE_I386", "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_CUI", "Compilation Date": "2000-Aug-06 07:34:58", "Detected languages": [ "English - United States" ], "Debug artifacts": [ "tup.pdb" ], "Platform": "NT INTEL X86", "CompanyName": "Microsoft Corporation", "FileDescription": "SQLServer Full Text admin & query", "FileVersion": "2000.080.0194.00", "InternalName": "sqlftqry.dll", "LegalCopyright": "\u00a9 1988-2000 Microsoft Corp. All rights reserved.", "LegalTrademarks": "Microsoft\u00ae is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation", "OriginalFilename": "sqlftqry.dll", "ProductName": "Microsoft SQL Server", "ProductVersion": "8.00.194", "Comments": "NT INTEL X86" }, "Version Info": { "Resource LangID": "English - United States", "VS_VERSION_INFO": { "Signature": 4277077181, "StructVersion": 65536, "FileVersion": "2000.80.194.0", "ProductVersion": "8.0.1.94", "FileFlags": [], "FileOs": [ "VOS_NT", "VOS_NT_WINDOWS32", "VOS_WINCE" ], "FileType": "VFT_DLL", "Language": "English - United States", "Platform": "NT INTEL X86", "CompanyName": "Microsoft Corporation", "FileDescription": "SQLServer Full Text admin & query", "FileVersion (#2)": "2000.080.0194.00", "InternalName": "sqlftqry.dll", "LegalCopyright": "\u00a9 1988-2000 Microsoft Corp. All rights reserved.", "LegalTrademarks": "Microsoft\u00ae is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation", "OriginalFilename": "sqlftqry.dll", "ProductName": "Microsoft SQL Server", "ProductVersion (#2)": "8.00.194", "Comments": "NT INTEL X86" } } } }