057d09ff866001fd6e232e014632e719

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Mar-10 00:04:55

Plugin Output

Suspicious PEiD Signature:
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX v2.0 -> Markus, Laszlo & Reiser (h)
  • UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX -> www.upx.sourceforge.net
  • UPX Protector v1.0x (2)
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Uses constants related to SHA1
Suspicious The PE is packed with UPX.
  • Unusual section name found: UPX0
  • Section UPX0 is both writable and executable.
  • Unusual section name found: UPX1
  • Section UPX1 is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Possibly launches other programs:
  • ShellExecuteW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Info The following exploit mitigation techniques have been detected:
  • Stack Canary: disabled
  • SafeSEH: disabled
  • ASLR: disabled
  • DEP: disabled
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 057d09ff866001fd6e232e014632e719
SHA1 88af318c2e25216a45baece0d2e2f35df66c38bf
SHA256 47fda7713721f000b48a6273d7f93e65a5a9f7ecd0c26c9b072f3381b5918976
SHA3 967da48411cc3913c0922c35804b4d8f9d174a7362cf87f3900cb9d60b210ae2
SSDeep 24576:b24gsa6Qb1kXGxFAAhQhwszIHSQYf9XK5Sddi4s09l7:a4gsvQb1k28nws0H+9XK4Pg2h
Imports Hash 19a6fe1f006cf59f0943957fa3491f92

DOS Header

e_magic MZ
e_cblp 0x50
e_cp 0x2
e_crlc 0
e_cparhdr 0x4
e_minalloc 0xf
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0x1a
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2017-Mar-10 00:04:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0xcf000
SizeOfInitializedData 0x53000
SizeOfUninitializedData 0x28c000
AddressOfEntryPoint 0x35b5b0 (Section: UPX1)
BaseOfCode 0x28d000
BaseOfData 0x35c000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x3af000
SizeOfHeaders 0x1000
Checksum 0x129877
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics (EMPTY)
SizeofStackReserve 0x100000
SizeofStackCommit 0x4000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470
VirtualSize 0x28c000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

UPX1

MD5 0d0f4c41b3c8a89fd75cfd71443ef1d5
SHA1 4f9609affd53ab8737f07cd0a02be0aa93baff00
SHA256 1544aa6ec72a0d1cd654f1efc63d0546d1ca7ae9000a85cf4dbc98e4a1bbe368
SHA3 8106927bb17206fd59243ae3fa99d983d0ee6a73ab78cdd45cf0c62f56c5f2d3
VirtualSize 0xcf000
VirtualAddress 0x28d000
SizeOfRawData 0xce800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.92321

.rsrc

MD5 f43852b3c0150b32648c28a326e50015
SHA1 b2958e3e829193e5992aa7cd1ed906888863063a
SHA256 900ff782350dcae10256a823c471297b122c0b70c7c746533a18c02aa3555af4
SHA3 129e2abba5333aef648f97795df50683e715af5fe3421bf717db31f2d1eaca4c
VirtualSize 0x53000
VirtualAddress 0x35c000
SizeOfRawData 0x52a00
PointerToRawData 0xcec00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.94487

Imports

KERNEL32.DLL
  • LoadLibraryA
  • GetProcAddress
  • VirtualProtect
  • VirtualAlloc
  • VirtualFree
  • ExitProcess
advapi32.dll
  • RegCloseKey
comctl32.dll
  • ImageList_Add
gdi32.dll
  • Pie
msvcrt.dll
  • memset
netapi32.dll
  • NetWkstaGetInfo
ole32.dll
  • IsEqualGUID
oleaut32.dll
  • VariantCopy
shell32.dll
  • ShellExecuteW
user32.dll
  • GetDC
version.dll
  • VerQueryValueW
winspool.drv
  • OpenPrinterW

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!
[*] Warning: IMAGE_EXPORT_DIRECTORY field Characteristics is reserved and should be 0!
[!] Error: Could not read the exported DLL name.
[*] Warning: Section UPX0 has a size of 0!