Manalyze report for a9b030e00d85782aa4b16ac0ec764af403cf8da785be2ce6ff6d118714207495

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Sep-25 07:01:11
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
Debug artifacts	I:\AIR\code\build\win\results\Release\info\CaptiveAppEntry.vc2015.pdb

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Suspicious	PEiD Signature:	`PolyEnE 0.01+ by Lennart Hedlund`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: control.exe regsvr32.exe` `Tries to detect virtualized environments: Hardware\Description\System b3 eb 36 e4 4f 52 ce 11 9f 53 00 20 af 0b a7 70` `Looks for VMWare presence: vmDebug` `Accesses the WMI: root\cimv2` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: .adobe.com .macromedia.com adobe.com adobefpl.com airsdk.harman.com apple.com auth.adobefpl.com cacerts.digicert.com crl3.digicert.com crl4.digicert.com digicert.com exslt.org flash.net fpdownload.macromedia.com fpdownload2.macromedia.com get.adobe.com getResultInner-flash.net google.com harman.com http://adobe.com http://cacerts.digicert.com http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0 http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0 http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 http://crl3.digicert.com http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07 http://crl3.digicert.com/sha2-assured-ts.crl02 http://crl4.digicert.com http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0 http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K http://crl4.digicert.com/sha2-assured-ts.crl0 http://exslt.org http://fpdownload2.macromedia.com http://fpdownload2.macromedia.com/get/ http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_ http://icl.com http://images.apple.com http://images.apple.com/safari/welcome/styles/safari.css http://ns.adobe.com http://ns.adobe.com/air/application/1.0 http://ns.adobe.com/air/application/1.1 http://ns.adobe.com/air/application/1.5 http://ns.adobe.com/air/application/1.5.1 http://ns.adobe.com/air/application/1.5.2 http://ns.adobe.com/air/application/1.5.3 http://ns.adobe.com/air/application/13.0 http://ns.adobe.com/air/application/14.0 http://ns.adobe.com/air/application/15.0 http://ns.adobe.com/air/application/16.0 http://ns.adobe.com/air/application/17.0 http://ns.adobe.com/air/application/18.0 http://ns.adobe.com/air/application/19.0 http://ns.adobe.com/air/application/2.0 http://ns.adobe.com/air/application/2.5 http://ns.adobe.com/air/application/2.6 http://ns.adobe.com/air/application/2.7 http://ns.adobe.com/air/application/20.0 http://ns.adobe.com/air/application/21.0 http://ns.adobe.com/air/application/22.0 http://ns.adobe.com/air/application/23.0 http://ns.adobe.com/air/application/24.0 http://ns.adobe.com/air/application/25.0 http://ns.adobe.com/air/application/26.0 http://ns.adobe.com/air/application/27.0 http://ns.adobe.com/air/application/28.0 http://ns.adobe.com/air/application/29.0 http://ns.adobe.com/air/application/3.0 http://ns.adobe.com/air/application/3.1 http://ns.adobe.com/air/application/3.2 http://ns.adobe.com/air/application/3.3 http://ns.adobe.com/air/application/3.4 http://ns.adobe.com/air/application/3.5 http://ns.adobe.com/air/application/3.6 http://ns.adobe.com/air/application/3.7 http://ns.adobe.com/air/application/3.8 http://ns.adobe.com/air/application/3.9 http://ns.adobe.com/air/application/30.0 http://ns.adobe.com/air/application/31.0 http://ns.adobe.com/air/application/32.0 http://ns.adobe.com/air/application/33.1 http://ns.adobe.com/air/application/4.0 http://ns.adobe.com/air/extension/13.0 http://ns.adobe.com/air/extension/13.0&http http://ns.adobe.com/air/extension/14.0 http://ns.adobe.com/air/extension/14.0&http http://ns.adobe.com/air/extension/15.0 http://ns.adobe.com/air/extension/15.0&http http://ns.adobe.com/air/extension/16.0 http://ns.adobe.com/air/extension/16.0&http http://ns.adobe.com/air/extension/17.0 http://ns.adobe.com/air/extension/17.0&http http://ns.adobe.com/air/extension/18.0 http://ns.adobe.com/air/extension/18.0&http http://ns.adobe.com/air/extension/19.0 http://ns.adobe.com/air/extension/19.0&http http://ns.adobe.com/air/extension/2.5 http://ns.adobe.com/air/extension/2.5%http http://ns.adobe.com/air/extension/20.0 http://ns.adobe.com/air/extension/20.0&http http://ns.adobe.com/air/extension/21.0 http://ns.adobe.com/air/extension/21.0&http http://ns.adobe.com/air/extension/22.0 http://ns.adobe.com/air/extension/22.0&http http://ns.adobe.com/air/extension/23.0 http://ns.adobe.com/air/extension/23.0&http http://ns.adobe.com/air/extension/24.0 http://ns.adobe.com/air/extension/24.0&http http://ns.adobe.com/air/extension/25.0 http://ns.adobe.com/air/extension/25.0&http http://ns.adobe.com/air/extension/26.0 http://ns.adobe.com/air/extension/26.0&http http://ns.adobe.com/air/extension/27.0 http://ns.adobe.com/air/extension/27.0&http http://ns.adobe.com/air/extension/28.0 http://ns.adobe.com/air/extension/28.0&http http://ns.adobe.com/air/extension/29.0 http://ns.adobe.com/air/extension/29.0&http http://ns.adobe.com/air/extension/3.1 http://ns.adobe.com/air/extension/3.1%http http://ns.adobe.com/air/extension/3.2 http://ns.adobe.com/air/extension/3.2%http http://ns.adobe.com/air/extension/3.3 http://ns.adobe.com/air/extension/3.3%http http://ns.adobe.com/air/extension/3.4 http://ns.adobe.com/air/extension/3.4%http http://ns.adobe.com/air/extension/3.5 http://ns.adobe.com/air/extension/3.5%http http://ns.adobe.com/air/extension/3.6 http://ns.adobe.com/air/extension/3.6%http http://ns.adobe.com/air/extension/3.7 http://ns.adobe.com/air/extension/3.7%http http://ns.adobe.com/air/extension/3.8 http://ns.adobe.com/air/extension/3.8%http http://ns.adobe.com/air/extension/3.9 http://ns.adobe.com/air/extension/3.9%http http://ns.adobe.com/air/extension/30.0 http://ns.adobe.com/air/extension/30.0&http http://ns.adobe.com/air/extension/31.0 http://ns.adobe.com/air/extension/31.0&http http://ns.adobe.com/air/extension/32.0 http://ns.adobe.com/air/extension/32.0&http http://ns.adobe.com/air/extension/33.1 http://ns.adobe.com/air/extension/4.0 http://ns.adobe.com/air/extension/4.0&http http://ns.adobe.com/asf http://ns.adobe.com/asf/asf_1_0.dtd http://ocsp.digicert.com0C http://ocsp.digicert.com0H http://ocsp.digicert.com0I http://ocsp.digicert.com0O http://uri.etsi.org http://uri.etsi.org/01903/v1.1.1# http://uri.etsi.org/01903/v1.1.1#'Unexpected http://www.adobe.com http://www.adobe.com/2006/actionscript/flash/proxy http://www.adobe.com/go/allowscriptaccess http://www.adobe.com/go/getair http://www.adobe.com/go/getair, http://www.adobe.com/go/getair. http://www.adobe.com/go/getair_br http://www.adobe.com/go/getair_cn http://www.adobe.com/go/getair_cz http://www.adobe.com/go/getair_de http://www.adobe.com/go/getair_es, http://www.adobe.com/go/getair_fr http://www.adobe.com/go/getair_it http://www.adobe.com/go/getair_jp http://www.adobe.com/go/getair_kr http://www.adobe.com/go/getair_nl http://www.adobe.com/go/getair_pl http://www.adobe.com/go/getair_ru http://www.adobe.com/go/getair_se http://www.adobe.com/go/getair_tr http://www.adobe.com/go/strict_policy_files http://www.digicert.com http://www.digicert.com/CPS0 http://www.digicert.com/ssl-cps-repository.htm0 http://www.ibm.com http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd http://www.jclark.com http://www.jclark.com/xt http://www.macromedia.com http://www.macromedia.com/go/ac2e1eab http://www.mozilla.org http://www.mozilla.org/MPL/ http://www.w3.org http://www.w3.org/1999/XSL/Transform http://www.w3.org/1999/xhtml http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2000/09/xmldsig#enveloped-signature http://www.w3.org/2000/xmlns/ http://www.w3.org/2001/04/xmlenc#sha256 http://www.w3.org/2002/08/xquery-functions http://www.w3.org/Graphics/SVG http://www.w3.org/TR/1999/REC-html401-19991224/frameset.dtd http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd http://www.w3.org/TR/2001/REC-xml-c14n-20010315 http://www.w3.org/TR/REC-html40/loose.dtd http://www.w3.org/TR/html4/frameset.dtd http://www.w3.org/TR/html4/loose.dtd http://www.w3.org/TR/html4/strict.dtd http://www.w3.org/TR/xhtml http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd http://www.w3.org/TR/xmldsig-core#rsa-sha1 http://www.w3.org/XML/1998/namespace http://xmlsoft.org https://airsdk.harman.com https://airsdk.harman.com/airdownloads/3 https://airsdk.harman.com/airdownloads/air.updates.req?t https://auth.adobefpl.com https://auth.adobefpl.com/1/ https://fpdownload.macromedia.com https://fpdownload.macromedia.com/get/ https://get.adobe.com https://get.adobe.com/flashplayer/npapi/ https://www.adobe.com https://www.adobe.com/go/about_flash_player https://www.adobe.com/go/fp-spectre https://www.digicert.com https://www.digicert.com/CPS0 https://www.macromedia.com https://www.macromedia.com/bin/flashdownload.cgi https://www.macromedia.com/support/flashplayer/sys/ images.apple.com jclark.com macromedia.com mail.google.com mozilla.org ns.adobe.com uri.etsi.org www.adobe.com www.digicert.com www.ibm.com www.jclark.com www.macromedia.com www.mozilla.org www.w3.org xmlsoft.org
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses known Diffie-Helman primes`
Suspicious	The PE is packed with Enigma Protector	`Unusual section name found: .enigma1` `Section .enigma1 is both writable and executable.` `Unusual section name found: .enigma2` `Section .enigma2 is both writable and executable.` `The number of imports reported in the RICH header is inconsistent.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LdrLoadDll LoadLibraryA GetProcAddress LoadLibraryW` `Code injection capabilities: VirtualAlloc VirtualAllocEx CreateRemoteThread WriteProcessMemory` `Code injection capabilities (process hollowing): ResumeThread WriteProcessMemory SetThreadContext` `Can access the registry: RegOpenKeyA` `Can create temporary files: CreateFileW GetTempPathW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect VirtualAllocEx VirtualProtectEx` `Enumerates local disk drives: GetLogicalDriveStringsW` `Manipulates other processes: ReadProcessMemory WriteProcessMemory`
Malicious	VirusTotal score: 3/65 (Scanned on 2021-10-16 09:54:28)	`APEX: Malicious` `NANO-Antivirus: Virus.Win64.Virut-Gen.bwpxnc` `SentinelOne: Static AI - Malicious PE`

Hashes

MD5	`07c4d8ff8aaa0d04402682624307be39`
SHA1	`4cca924cd0baf0bcb93f79fc49f314a79d0f6081`
SHA256	`a9b030e00d85782aa4b16ac0ec764af403cf8da785be2ce6ff6d118714207495`
SHA3	`36aec8c7bbc9dc52b264683a6ec6a5ecf360a42254900c1aa0f70cafa36f700a`
SSDeep	`393216:SZIPuww8Vw2b1NGheyBXorwQQGRLlbpHnII0MikeCXPEdrcE6vo:/buBtWRdVnII0MikXPKrcE6v`
Imports Hash	`5d335d2ab676c830ef67845d853f4eea`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2021-Sep-25 07:01:11
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xa000`
SizeOfInitializedData	`0x21200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000001660 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xcc000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x200000`
SizeofHeapCommit	`0x2000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ca7248b2a9d0785c7c703f7f96061a8e`
SHA1	`fbf7c48d17c30b15b774f95351433750cdb239e5`
SHA256	`cff13a670c07a8bd6802d131bc7926dac24ec4bfe07ed03f4d276145d36f9a21`
SHA3	`ed45ed346e7b493841db6307d9e8f02be7fc6a8913514a4ac01b10d84b0b2813`
VirtualSize	`0x9f7e`
VirtualAddress	`0x1000`
SizeOfRawData	`0xa000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.37851`

.rdata

MD5	`f802351f5d1754f8fec3a725f0ddfddd`
SHA1	`c26b0d7847bfcededc0e28d003151ad7753327b9`
SHA256	`e9e110aee60443e3d8a71a937df96e746c6bf0330b2c4a3fbfcf5a1ce5a64245`
SHA3	`f4e8aa59aaf627acd188467f483565746b9cc6e6f799ab93c0c5882c2022dfdd`
VirtualSize	`0xa70a`
VirtualAddress	`0xb000`
SizeOfRawData	`0xa800`
PointerToRawData	`0xa400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.72174`

.data

MD5	`84624c9262c1062544130e0399a1f80b`
SHA1	`33d2259f6b516dea5d408111037377eb24723791`
SHA256	`8de290c71eb17fe6b83408002ab86b17f270bf7e93462f82f92874a83eaa5cbb`
SHA3	`378d1318267a2defc588c2679fff361381fa257b4673b13a029e5bd9e58836f0`
VirtualSize	`0x1d20`
VirtualAddress	`0x16000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x14c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.24695`

.pdata

MD5	`b4202f7fe985b9648b4676e6f70832bd`
SHA1	`d37c2b3927946ed617455b3c5913fcab0bc1af52`
SHA256	`6cf1b57d59e7111bc218dfb01dda93ac0f776715599a1c69f89035bd20c16a10`
SHA3	`a51cde69090452f3e45491306e2e536dabdde61d5bde0a832f35ab4a6afc5552`
VirtualSize	`0xc0c`
VirtualAddress	`0x18000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x15800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0`

.rsrc

MD5	`6f5c6302a41f9cb79443b10a6687b17d`
SHA1	`81738d5b8b2bae35054b0d90fee96386d66b512e`
SHA256	`a1aa93738cee1145d1972d12e8a6cac5b7746cce44ee520d188d8e37b5e8c291`
SHA3	`a2cf84bf8a742ab6735b5ee5538db9e9e984faca97cd75a493f72200f234b0dc`
VirtualSize	`0x147d0`
VirtualAddress	`0x19000`
SizeOfRawData	`0x14800`
PointerToRawData	`0x16600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.36727`

.reloc

MD5	`00fba9071132e899e8655c9528b757a8`
SHA1	`f67f1ff68cac481bd4a01cb1901044f06d57798c`
SHA256	`99a0f91035aba466805000cc44b0eeb8373bc5e9cab5d5160676d1119c17a445`
SHA3	`b14b0e59e59d70075d3ca74fe1290b3b2b26fb01696cceb241e24dae94dfc71d`
VirtualSize	`0x688`
VirtualAddress	`0x2e000`
SizeOfRawData	`0x800`
PointerToRawData	`0x2ae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.90206`

.enigma1

MD5	`bf99ddcd703e6d920f9470390e3cad3c`
SHA1	`2961c5b26603bbaf6a3a580340cf9c7a48877402`
SHA256	`7848e98bf90758dd67581686f80ef226f4ead2d501739b6788f5e16fe66c633b`
SHA3	`bb969f9e27968d3d7fdcdcf3ff26c6cfcfdf4e79f9cbdaa5457b08acfbf87391`
VirtualSize	`0x1000`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x1bf8000`
PointerToRawData	`0x2b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.69018`

.enigma2

MD5	`b007af2db9c9e4ecf68e1635b4316a5c`
SHA1	`2f562d1b64a79e5e77e15ee792cd81169303ec4b`
SHA256	`075c6768bdf53a295d125d0070185a5e9131c0fb19892e4865b8c61d2f20b39f`
SHA3	`59691d189551088bec74fbad4de9b4cedde0cf9190d3795f6235ab046ef3fc7f`
VirtualSize	`0x9c000`
VirtualAddress	`0x30000`
SizeOfRawData	`0x9c000`
PointerToRawData	`0x1c23600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.39165`

Imports

ntdll.dll	`LdrLoadDll` `RtlAnsiStringToUnicodeString` `RtlInitAnsiString` `RtlFreeUnicodeString` `LdrGetProcedureAddress` `ZwProtectVirtualMemory` `RtlFormatCurrentUserKeyPath` `RtlDosPathNameToNtPathName_U` `RtlInitUnicodeString`
kernel32.dll	`GetLastError` `SetLastError` `GetTickCount` `ExitProcess` `GetStartupInfoA` `GetStdHandle` `GetCommandLineA` `GetCurrentProcessId` `GetCurrentThreadId` `GetCurrentProcess` `ReadProcessMemory` `GetModuleFileNameA` `GetModuleHandleA` `WriteFile` `ReadFile` `CloseHandle` `SetFilePointer` `GetFileSize` `SetEndOfFile` `FreeLibrary` `GetSystemInfo` `LoadLibraryA` `GetProcAddress` `DeleteFileW` `CreateFileW` `GetFileAttributesW` `CreateDirectoryW` `RemoveDirectoryW` `SetCurrentDirectoryW` `GetCurrentDirectoryW` `GetFullPathNameW` `SetEnvironmentVariableW` `GetConsoleMode` `GetConsoleOutputCP` `GetOEMCP` `GetProcessHeap` `HeapAlloc` `HeapFree` `TlsAlloc` `TlsFree` `TlsGetValue` `TlsSetValue` `CreateThread` `ExitThread` `LocalAlloc` `LocalFree` `Sleep` `SuspendThread` `ResumeThread` `TerminateThread` `WaitForSingleObject` `SetThreadPriority` `GetThreadPriority` `CreateEventA` `ResetEvent` `SetEvent` `InitializeCriticalSection` `DeleteCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `TryEnterCriticalSection` `RaiseException` `MultiByteToWideChar` `WideCharToMultiByte` `GetACP` `GetConsoleCP` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `RtlUnwindEx` `EnumResourceTypesA` `EnumResourceNamesA` `EnumResourceLanguagesA` `FindResourceA` `FindResourceExA` `LoadResource` `SizeofResource` `LockResource` `FreeResource` `GetVersion` `FlushInstructionCache` `VirtualAlloc` `VirtualFree` `VirtualProtect` `VirtualAllocEx` `VirtualProtectEx` `CreateRemoteThread` `PostQueuedCompletionStatus` `SetErrorMode` `WriteProcessMemory` `GetThreadContext` `SetThreadContext` `FlushFileBuffers` `FindClose` `SetFileTime` `GetLocalTime` `SystemTimeToFileTime` `FileTimeToLocalFileTime` `FileTimeToDosDateTime` `FormatMessageW` `GetLogicalDriveStringsW` `LoadLibraryW` `GetModuleFileNameW` `GetSystemDirectoryW` `GetTempPathW` `GetTempFileNameW` `GetWindowsDirectoryA` `GetWindowsDirectoryW` `QueryDosDeviceW` `SetFileAttributesW` `FindFirstFileW` `FindNextFileW` `IsBadReadPtr` `IsBadWritePtr` `GetVersionExA` `CreateActCtxW` `ActivateActCtx` `CompareStringA` `GetLocaleInfoA` `GetDateFormatA` `EnumCalendarInfoA` `CompareStringW` `GetThreadLocale` `SetThreadLocale` `GetUserDefaultLCID`
oleaut32.dll	`SysAllocStringLen` `SysFreeString` `SysReAllocStringLen` `SafeArrayCreate` `SafeArrayRedim` `SafeArrayGetUBound` `SafeArrayGetLBound` `SafeArrayAccessData` `SafeArrayUnaccessData` `SafeArrayGetElement` `SafeArrayPutElement` `SafeArrayPtrOfIndex` `VariantChangeTypeEx` `VariantClear` `VariantCopy` `VariantInit`
user32.dll	`MessageBoxA` `CharUpperBuffW` `CharLowerBuffW` `CharUpperA` `CharUpperBuffA` `CharLowerA` `CharLowerBuffA` `GetSystemMetrics` `MessageBeep`
advapi32.dll	`RegOpenKeyA`
ole32.dll	`CoUninitialize` `CoInitialize`
shlwapi.dll	`PathMatchSpecW`

Delayed Imports

AmdPowerXpressRequestBetterBatteryLife

Ordinal	`1`
Address	`0x16900`

NvOptimusDisablement

Ordinal	`2`
Address	`0x16904`

101

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.20425`
MD5	`8853261a77783cd67c3c79b405ed0875`
SHA1	`ea9dd8a9d975f9207ed834bb39ac84155eb3359a`
SHA256	`03f5c8ad554d3f3d3c8df869b8622d0b69f62d7dbfcf47a7eda5d8d231e799b6`
SHA3	`66d13c520510c75f6391ec0e215ec0ad602dee943cd6b4cfb1ec7868e82e3e3a`

102

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.75595`
MD5	`c157db3f08e8964ade0db7f842706cdc`
SHA1	`0cf40a083a9927543e2453f942db1d40f457f8f4`
SHA256	`e52647a188b43e71156536c49083ef0bdc64fcbc8fbfd0aae18a0a5e69da9d99`
SHA3	`d218cb7700fe11db716185af566f99bedeac9cffc81112b08fe9ed84294bbcd4`

103

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.48631`
MD5	`e00de5dd816bcd112b64dcb5cc886c50`
SHA1	`465e8690e67c0a1b85b280b9d758a6dae8f30cdf`
SHA256	`1a34807aae622f1407580d47d48333f8080b59745609fa6872281f72168c9c10`
SHA3	`b341603b14af5f9159a65e810b0074f6e0ff8017ee6df477c142870b71ab4e31`

104

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.31481`
MD5	`1f719921e7120525d95d5e447c3b0220`
SHA1	`51523ea2f18e7387d50e0c304632608e997e3444`
SHA256	`016f05e2b13ab104a08077c0b7a85876a7499474f1c746a9f40111d13cde8041`
SHA3	`2ad14f4d124da2f28d19fbaa4db7fd99fbbbed6b80208ae18c2b0e4e6df1fd6e`

100

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.7388`
Detected Filetype	Icon file
MD5	`d2a02ebd8a2b9a534ef3dd9f5bad34fc`
SHA1	`650081bee209dab4aed9ab7b23acef2937cd1999`
SHA256	`91d3e0d15949b546365e9f0bb8bab6b3ec0bffdfacbb65a1bbbfb2cfdeece945`
SHA3	`e7125c3adcf9323d2831921ef23a5f55cb444b2a0b7947beb5a1afcc7d0a178f`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x336`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.3298`
MD5	`73faacbcdc7822a038c4e3786814611d`
SHA1	`287208b33c407a0b361d0ce2767111875e20a9f3`
SHA256	`411d4b3df3807e19bca735fd7415be9bbbfa9a87293a2d16bc53dda75845e50f`
SHA3	`0b3da7eac75b1a2f67eeda09933c30f1ff2415251fcfab020566826e9a344c08`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2021-Sep-25 07:01:11
Version	`0.0`
SizeofData	`94`
AddressOfRawData	`0x140c8`
PointerToRawData	`0x134c8`
Referenced File	I:\AIR\code\build\win\results\Release\info\CaptiveAppEntry.vc2015.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2021-Sep-25 07:01:11
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x14128`
PointerToRawData	`0x13528`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Sep-25 07:01:11
Version	`0.0`
SizeofData	`776`
AddressOfRawData	`0x1413c`
PointerToRawData	`0x1353c`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2021-Sep-25 07:01:11
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x14002f028`
EndAddressOfRawData	`0x14002f050`
AddressOfIndex	`0x14002f050`
AddressOfCallbacks	`0x14002f058`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140044450`

Load Configuration

Size	`0x94`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140016018`
GuardCFCheckFunctionPointer	`5368754792`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x84b4a556`
Unmarked objects	`0`
241 (40116)	`5`
243 (40116)	`125`
242 (40116)	`14`
C++ objects (VS2015 UPD3.1 build 24215)	`2`
ASM objects (VS2015 UPD3 build 24123)	`7`
C++ objects (VS2015 UPD3 build 24123)	`28`
C objects (VS2015 UPD3 build 24123)	`18`
Imports (65501)	`15`
Total imports	`133`
265 (VS2015 UPD3.1 build 24215)	`1`
Exports (VS2015 UPD3.1 build 24215)	`1`
Resource objects (VS2015 UPD3 build 24210)	`1`
Linker (VS2015 UPD3.1 build 24215)	`1`

Errors

Leave a comment

No comments yet.