{ "8b54bf9e38afe5f0123f513b450f4ef9b773f93ed24d30e0f559df4ae067e40a": { "DOS Header": { "e_magic": "MZ", "e_cblp": 144, "e_cp": 3, "e_crlc": 0, "e_cparhdr": 4, "e_minalloc": 0, "e_maxalloc": 65535, "e_ss": 0, "e_sp": 184, "e_csum": 0, "e_ip": 0, "e_cs": 0, "e_ovno": 0, "e_oemid": 0, "e_oeminfo": 0, "e_lfanew": 264 }, "Errors": "", "Hashes": { "MD5": "ab35c68e263bb4dca6c11e16cd7fb9d8", "SHA1": "ceaee2c6a2305d454aea111eb882ef8070c54548", "SHA256": "8b54bf9e38afe5f0123f513b450f4ef9b773f93ed24d30e0f559df4ae067e40a", "SHA3": "54dfcd9b7616c50299c98afbd4b2e855402b476914fb7c1d29c472151520c0d6", "SSDeep": "3072:QmujLlgroMBAWKhsaMHHkGlEFDYpjz2Q1W/s0R7pNZUF6WbBS8H2wAm5FaVO+cOe:Q3vlTaNKuuOjCQCsS7pYmezTkQclSLPr", "Imports Hash": "aca83f34338ca401d3552e12821af6a5" }, "Image Optional Header": { "Magic": "PE32", "LinkerVersion": "12.0", "SizeOfCode": 209920, "SizeOfInitializedData": 158208, "SizeOfUninitializedData": 0, "AddressOfEntryPoint": "0x0001A4AB (Section: .text)", "BaseOfCode": 4096, "BaseOfData": 217088, "ImageBase": 4194304, "SectionAlignment": 4096, "FileAlignment": 512, "OperatingSystemVersion": "5.1", "ImageVersion": "0.0", "SubsystemVersion": "5.1", "Win32VersionValue": 0, "SizeOfImage": 380928, "SizeOfHeaders": 1024, "Checksum": 388678, "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_CUI", "DllCharacteristics": [ "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE", "IMAGE_DLLCHARACTERISTICS_NX_COMPAT", "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE" ], "SizeofStackReserve": 1048576, "SizeofStackCommit": 4096, "SizeofHeapReserve": 1048576, "SizeofHeapCommit": 4096, "LoaderFlags": 0, "NumberOfRvaAndSizes": 16 }, "Imports": { "WINTRUST.dll": [ "CryptCATEnumerateMember", "CryptCATEnumerateCatAttr", "CryptCATOpen", "CryptCATClose", "CryptCATEnumerateAttr" ], "VERSION.dll": [ "GetFileVersionInfoSizeW", "VerQueryValueW", "GetFileVersionInfoW" ], "CRYPT32.dll": [ "CryptSIPRetrieveSubjectGuidForCatalogFile", "CertGetValidUsages", "CertAddCertificateContextToStore", "CertFreeCertificateContext", "CertFreeCertificateChain", "CertGetStoreProperty", "CertCreateCTLContext", "CertGetCertificateContextProperty", "CertEnumCertificatesInStore", "CertCloseStore", "CertOpenStore", "CertGetCertificateChain", "CertGetNameStringW", "CertDuplicateCertificateContext", "CryptFindOIDInfo", "CryptSIPLoad" ], "KERNEL32.dll": [ "FileTimeToSystemTime", "FormatMessageW", "GetTimeFormatW", "GetDateFormatW", "SetLastError", "GetFileSize", "ExpandEnvironmentStringsA", "GetCurrentDirectoryA", "DeleteFileW", "FreeResource", "LockResource", "FreeLibrary", "GetVersion", "GetCurrentProcess", "LoadResource", "GetLastError", "GetFileInformationByHandle", "FileTimeToLocalFileTime", "LoadLibraryExW", "FindResourceW", "GetCurrentDirectoryW", "GetFullPathNameW", "WriteConsoleW", "OutputDebugStringW", "FreeEnvironmentStringsW", "GetEnvironmentStringsW", "GetCurrentProcessId", "QueryPerformanceCounter", "HeapSize", "GetCPInfo", "GetOEMCP", "GetACP", "MulDiv", "InterlockedIncrement", "FindNextFileW", "FindFirstFileW", "GetFileAttributesW", "CreateFileW", "Sleep", "FindClose", "GetSystemTimeAsFileTime", "InterlockedDecrement", "CreateFileMappingW", "UnmapViewOfFile", "MapViewOfFile", "GetFileSizeEx", "GetCommandLineW", "GetModuleHandleW", "LoadLibraryW", "GetStdHandle", "LocalFree", "LocalAlloc", "GetProcAddress", "GetModuleFileNameW", "GetFileType", "SetFileInformationByHandle", "CreateFileA", "DosDateTimeToFileTime", "LocalFileTimeToFileTime", "CloseHandle", "SetFilePointer", "ReadFile", "WriteFile", "GetStringTypeW", "GetLocaleInfoW", "IsValidLocale", "GetUserDefaultLCID", "EnumSystemLocalesW", "IsValidCodePage", "TlsFree", "TlsSetValue", "TlsGetValue", "TlsAlloc", "TerminateProcess", "InitializeCriticalSectionAndSpinCount", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "GetConsoleCP", "FlushFileBuffers", "LCMapStringW", "SetEndOfFile", "SizeofResource", "GetStartupInfoW", "DeleteCriticalSection", "SetFilePointerEx", "ReadConsoleW", "GetCurrentThreadId", "GetProcessHeap", "RaiseException", "HeapReAlloc", "IsProcessorFeaturePresent", "IsDebuggerPresent", "RtlUnwind", "lstrlenA", "MultiByteToWideChar", "WideCharToMultiByte", "HeapFree", "HeapAlloc", "EnterCriticalSection", "LeaveCriticalSection", "SetStdHandle", "EncodePointer", "DecodePointer", "ExitProcess", "GetModuleHandleExW", "GetConsoleMode", "ReadConsoleInputA", "SetConsoleMode" ], "USER32.dll": [ "DialogBoxIndirectParamW", "EndDialog", "GetDlgItem", "SendMessageW", "SetCursor", "GetSysColorBrush", "InflateRect", "LoadCursorW", "MessageBoxW", "SetWindowTextW" ], "GDI32.dll": [ "CreateCompatibleDC", "DeleteDC", "EndPage", "StartPage", "EndDoc", "StartDocW", "SetMapMode", "GetDeviceCaps" ], "COMDLG32.dll": [ "PrintDlgW" ], "ADVAPI32.dll": [ "RegEnumKeyW", "RegCloseKey", "RegCreateKeyW", "FreeSid", "AllocateAndInitializeSid", "EqualSid", "GetTokenInformation", "OpenProcessToken", "RegOpenKeyW", "RegOpenKeyExW", "RegQueryValueExW", "RegSetValueExW", "CryptAcquireContextW", "CryptReleaseContext", "CryptGetHashParam", "CryptCreateHash", "CryptHashData", "CryptDestroyHash", "RegCreateKeyExW", "RegDeleteValueW" ], "SHELL32.dll": [ "ShellExecuteW" ], "ole32.dll": [ "CoCreateInstance" ], "OLEAUT32.dll": [ "#6", "#2", "#9", "#7", "#150", "#8", "#12" ], "SHLWAPI.dll": [ "#176" ], "Cabinet.dll": [ "#23", "#22", "#20" ], "WINHTTP.dll": [ "WinHttpSendRequest", "WinHttpOpenRequest", "WinHttpSetOption", "WinHttpReceiveResponse", "WinHttpWriteData", "WinHttpReadData", "WinHttpConnect", "WinHttpOpen", "WinHttpQueryHeaders", "WinHttpGetProxyForUrl", "WinHttpQueryDataAvailable", "WinHttpCloseHandle" ] }, "Load Configuration": { "Size": 72, "TimeDateStamp": "1970-Jan-01 00:00:00", "Version": "0.0", "GlobalFlagsClear": [], "GlobalFlagsSet": [], "CriticalSectionDefaultTimeout": 0, "DeCommitFreeBlockThreshold": 0, "DeCommitTotalFreeThreshold": 0, "LockPrefixTable": 0, "MaximumAllocationSize": 0, "VirtualMemoryThreshold": 0, "ProcessAffinityMask": 0, "ProcessHeapFlags": [], "CSDVersion": 0, "Reserved1": 0, "EditList": 0, "SecurityCookie": 4533344, "SEHandlerTable": 4503328, "SEHandlerCount": 57 }, "PE Header": { "Signature": "PE", "Machine": "IMAGE_FILE_MACHINE_I386", "NumberofSections": 5, "TimeDateStamp": "2017-Nov-16 22:05:22", "PointerToSymbolTable": 0, "NumberOfSymbols": 0, "SizeOfOptionalHeader": 224, "Characteristics": [ "IMAGE_FILE_32BIT_MACHINE", "IMAGE_FILE_EXECUTABLE_IMAGE" ] }, "Plugins": { "compilers": { "level": 1, "plugin_output": { "info_0": "Microsoft Visual C++ 6.0 - 8.0" }, "summary": "Matching compiler(s):" }, "strings": { "level": 2, "plugin_output": { "May have dropper capabilities": [ "%TEMP%" ], "Miscellaneous malware strings": [ "Virus" ] }, "summary": "Strings found in the binary may indicate undesirable behavior:" }, "findcrypt": { "level": 1, "plugin_output": { "info_0": "Microsoft's Cryptography API" }, "summary": "Libraries used to perform cryptographic operations:" }, "imports": { "level": 3, "plugin_output": { "[!] The program may be hiding some of its imports": [ "LoadLibraryExW", "LoadLibraryW", "GetProcAddress" ], "Can access the registry": [ "RegEnumKeyW", "RegCloseKey", "RegCreateKeyW", "RegOpenKeyW", "RegOpenKeyExW", "RegQueryValueExW", "RegSetValueExW", "RegCreateKeyExW", "RegDeleteValueW" ], "Possibly launches other programs": [ "ShellExecuteW" ], "Uses Microsoft's cryptographic API": [ "CryptCATEnumerateMember", "CryptCATEnumerateCatAttr", "CryptCATOpen", "CryptCATClose", "CryptCATEnumerateAttr", "CryptSIPRetrieveSubjectGuidForCatalogFile", "CryptFindOIDInfo", "CryptSIPLoad", "CryptAcquireContextW", "CryptReleaseContext", "CryptGetHashParam", "CryptCreateHash", "CryptHashData", "CryptDestroyHash" ], "Has Internet access capabilities": [ "WinHttpSendRequest", "WinHttpOpenRequest", "WinHttpSetOption", "WinHttpReceiveResponse", "WinHttpWriteData", "WinHttpReadData", "WinHttpConnect", "WinHttpOpen", "WinHttpQueryHeaders", "WinHttpGetProxyForUrl", "WinHttpQueryDataAvailable", "WinHttpCloseHandle" ], "Functions related to the privilege level": [ "OpenProcessToken" ], "Interacts with the certificate store": [ "CertAddCertificateContextToStore", "CertOpenStore" ] }, "summary": "The PE contains functions mostly used by malware." }, "authenticode": { "level": 1, "plugin_output": { "info_0": "Signer: Microsoft Corporation", "info_1": "Issuer: Microsoft Code Signing PCA" }, "summary": "The PE is digitally signed." }, "virustotal": { "level": 0, "plugin_output": { "info_0": "All the AVs think this file is safe." }, "summary": "VirusTotal score: 0/68 (Scanned on 2018-07-21 17:48:54)" } }, "RICH Header": { "XOR Key": 523002402, "Unmarked objects": 0, "C++ objects (VS2013 build 21005)": 77, "ASM objects (VS2013 build 21005)": 33, "C objects (VS2013 build 21005)": 228, "C++ objects (20806)": 5, "C objects (VS2008 SP1 build 30729)": 2, "Imports (VS2008 SP1 build 30729)": 29, "Total imports": 218, "C objects (VS2013 UPD4 build 31101)": 2, "C++ objects (VS2013 UPD4 build 31101)": 12, "Resource objects (VS2013 build 21005)": 1, "Linker (VS2013 UPD4 build 31101)": 1 }, "Resources": { "1": { "Type": "RT_VERSION", "Language": "English - United States", "Codepage": "UNKNOWN", "Size": 840, "TimeDateStamp": "1980-Jan-01 00:00:00", "Entropy": 3.40049, "MD5": "b00dad8cd8b2adff569267764123a4ce", "SHA1": "48cf205c2a63018aa56267f95490b0da0156aa6d", "SHA256": "afc87977984bf2405fee67d45e0e4d66f54af48ef9b1267775a4fd15ecadcf55", "SHA3": "df4b82d71c8b98b0bc2efed18bbd2a62121b8c8dc0cf922e8ad1b1a9fba7381b" }, "1 (#2)": { "Type": "RT_MANIFEST", "Language": "English - United States", "Codepage": "UNKNOWN", "Size": 1663, "TimeDateStamp": "1980-Jan-01 00:00:00", "Entropy": 4.81817, "MD5": "da5f02773c15d40b161cca54dce87c84", "SHA1": "dae15202a3b898b51fe58d4bfe5fbc06461864f1", "SHA256": "c6856898b42d40bd117b74e7300b1ea523f5ada29f90f904853df7b20a45005d", "SHA3": "0981d453c2e021cc850c7b9c090e3aaec30519399cab8e20736cc79e09a32048" } }, "Sections": { ".text": { "MD5": "c151016c0929a571e7a3882e3c292524", "SHA1": "12a0c36632d998a5ba36e052ee9fc594b2543835", "SHA256": "839068773941e32bb989293b3fc0155fb8c4367fb7956b1d4f913cff4dd35dab", "SHA3": "0104cb1f7a45bafceac72d2d02af95b34c34bcde6631f4aded118f27ace28a05", "VirtualSize": 209836, "VirtualAddress": 4096, "SizeOfRawData": 209920, "PointerToRawData": 1024, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ" ], "Entropy": 6.60464 }, ".rdata": { "MD5": "10e89ef6660ecd6a600fd4f7784c8448", "SHA1": "1b7b79bd76f27b6b6d756b8578c95d011be07039", "SHA256": "cfc3a4d4a7720568755b9f3d6533eb042de1da6960e60e54f48f7240b27891a0", "SHA3": "5dd200cde7c3043f872daea69bd72ae425766fd9cb39fe7e246718885da8bbd3", "VirtualSize": 103992, "VirtualAddress": 217088, "SizeOfRawData": 104448, "PointerToRawData": 210944, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ" ], "Entropy": 4.73598 }, ".data": { "MD5": "f440227e84f27453a73ee5596288d9db", "SHA1": "9cf906b51c7f75b669d9d67acfe6ede69bf0ad12", "SHA256": "cbfce20371fab7369b333db24a6e3bbe4443469602017117d1f2af6f4e368b8a", "SHA3": "04c3caa77e0fd52b6cf3fee0486f901bfa0480d7c651b82e3e90c6d1a9e050c2", "VirtualSize": 35496, "VirtualAddress": 323584, "SizeOfRawData": 22528, "PointerToRawData": 315392, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE" ], "Entropy": 2.30479 }, ".rsrc": { "MD5": "a7cc95b2d9592042484f97a867ac2879", "SHA1": "2e311201254f363c4243e0b084863e3a8a5433b7", "SHA256": "6ce44933f27afa0ab3189f7535b8c7afdb442be1760884933fdc56c940f0bb90", "SHA3": "abe7b6c209b842070248e23d998a07c053f2ee0c7cd7fff957cb8d67c6f32540", "VirtualSize": 2664, "VirtualAddress": 360448, "SizeOfRawData": 3072, "PointerToRawData": 337920, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ" ], "Entropy": 4.40695 }, ".reloc": { "MD5": "68fe48aed04d65fbe007486af93d523a", "SHA1": "c33468bb8ed214f53497f786cf4aed0e118fb7d5", "SHA256": "6641c4b180cb44feddbe4e4d5adc4b94120d81302dfa34588258e93ad493ba6b", "SHA3": "cea534ed59244bf935c9e2dc4ce279c55b8617449382339966e701ba7fa2aeb9", "VirtualSize": 14412, "VirtualAddress": 364544, "SizeOfRawData": 14848, "PointerToRawData": 340992, "PointerToRelocations": 0, "PointerToLineNumbers": 0, "NumberOfLineNumbers": 0, "NumberOfRelocations": 0, "Characteristics": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ" ], "Entropy": 6.63745 } }, "Summary": { "Architecture": "IMAGE_FILE_MACHINE_I386", "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_CUI", "Compilation Date": "2017-Nov-16 22:05:22", "Detected languages": [ "English - United States" ], "CompanyName": "Sysinternals - www.sysinternals.com", "FileDescription": "File version and signature viewer", "FileVersion": "2.60", "InternalName": "Sigcheck", "LegalCopyright": "Copyright (C) 2004-2017 Mark Russinovich", "OriginalFilename": "sigcheck.exe", "ProductName": "Sysinternals Sigcheck", "ProductVersion": "2.60" }, "Version Info": { "Resource LangID": "English - United States", "VS_VERSION_INFO": { "Signature": 4277077181, "StructVersion": 65536, "FileVersion": "2.60.0.0", "ProductVersion": "2.60.0.0", "FileFlags": [], "FileOs": [ "VOS_DOS_WINDOWS32", "VOS_NT", "VOS_NT_WINDOWS32", "VOS_WINCE", "VOS__WINDOWS32" ], "FileType": "VFT_APP", "Language": "English - United States", "CompanyName": "Sysinternals - www.sysinternals.com", "FileDescription": "File version and signature viewer", "FileVersion (#2)": "2.60", "InternalName": "Sigcheck", "LegalCopyright": "Copyright (C) 2004-2017 Mark Russinovich", "OriginalFilename": "sigcheck.exe", "ProductName": "Sysinternals Sigcheck", "ProductVersion (#2)": "2.60" } } } }