Architecture | IMAGE_FILE_MACHINE_AMD64 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2018-Feb-12 20:06:28 |
Detected languages | English - United States, Korean - Korea |
CompanyName | Microsoft Corporation |
FileDescription | NetBT Unattend Generic Command |
FileVersion | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | netbtugc.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | netbtugc.exe.mui |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 10.0.10586.0 |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
---|---|---|
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Suspicious | The file contains overlay data. | 2478175 bytes of data starting at offset 0x1fc00. The overlay data has an entropy of 7.99992 and is possibly compressed or encrypted. Overlay data amounts for 95.0139% of the executable. |
Malicious | VirusTotal score: 16/69 (Scanned on 2019-09-09 02:06:54) | Qihoo-360: HEUR/QVM202.0.C0D1.Malware.Gen; McAfee: Trojan-HidCobra.a; Cylance: Unsafe; CrowdStrike: win/malicious_confidence_100% (W); Symantec: Trojan.Gen.MBT; ESET-NOD32: a variant of Win64/NukeSped.AH; Avast: FileRepMalware; Sophos: Mal/Generic-S; Invincea: heuristic; McAfee-GW-Edition: Trojan-HidCobra.a; Trapmine: malicious.high.ml.score; Fortinet: W64/HidCobra.A!tr; Microsoft: Trojan:Win32/Casdet!rfn; MAX: malware (ai score=57); GData: Win64.Trojan.Agent.8S3OV5; AVG: FileRepMalware |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf0 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 6 |
TimeDateStamp | 2018-Feb-12 20:06:28 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
Magic | PE32+ |
---|---|
LinkerVersion | 10.0 |
SizeOfCode | 0x15c00 |
SizeOfInitializedData | 0x9c00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000000000000D200 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.2 |
ImageVersion | 0.0 |
SubsystemVersion | 5.2 |
Win32VersionValue | 0 |
SizeOfImage | 0x26000 |
SizeOfHeaders | 0x400 |
Checksum | 0x2f7c4 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | GetCurrentProcess, WriteFile, WideCharToMultiByte, ReadFile, CreateFileW, MultiByteToWideChar, GetCurrentDirectoryW, GetFileType, CloseHandle, MapViewOfFile, SystemTimeToFileTime, GetLastError, GetLocalTime, CreateFileMappingW, GetCommandLineW, MoveFileExW, lstrlenW, LocalAlloc, DeleteFileW, SetFilePointer, DosDateTimeToFileTime, LoadLibraryA, UnmapViewOfFile, GetProcAddress, EncodePointer, DecodePointer, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, Sleep, HeapSize, GetModuleHandleW, ExitProcess, RtlUnwindEx, HeapSetInformation, GetVersion, HeapCreate, GetStdHandle, GetModuleFileNameW, RaiseException, RtlPcToFileHeader, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetConsoleCP, GetConsoleMode, SetStdHandle, FlushFileBuffers, LCMapStringW, GetStringTypeW, SetEndOfFile, GetProcessHeap, WriteConsoleW |
---|---|
ADVAPI32.dll | ChangeServiceConfig2A, OpenServiceW, CloseServiceHandle, StartServiceA |
SHELL32.dll | CommandLineToArgvW |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 10.0.10586.0 |
ProductVersion | 10.0.10586.0 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | NetBT Unattend Generic Command |
FileVersion (#2) | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | netbtugc.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | netbtugc.exe.mui |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 10.0.10586.0 |
Resource LangID | Korean - Korea |
---|---|
XOR Key | 0x4c74ba8b |
---|---|
Unmarked objects | 0 |
152 (20115) | 2 |
C++ objects (VS2010 build 30319) | 41 |
C objects (VS2010 build 30319) | 118 |
ASM objects (VS2010 build 30319) | 10 |
Imports (VS2008 SP1 build 30729) | 9 |
Total imports | 112 |
175 (VS2010 build 30319) | 6 |
Resource objects (VS2010 build 30319) | 1 |
Linker (VS2010 build 30319) | 1 |