130cd094b456264240007efb4a9442d3

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2018-Oct-03 14:08:25
Debug artifacts F:\Github\Arctium patcher\build\Release\launcher\netcoreapp2.1\win-x64\native\Arctium WoW Client Launcher.pdb

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Suspicious The PE is possibly packed. Unusual section name found: .managed
Unusual section name found: rdata
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Suspicious VirusTotal score: 1/71 (Scanned on 2019-06-21 20:23:18) Bkav: W64.HfsReno.

Hashes

MD5 130cd094b456264240007efb4a9442d3
SHA1 baf5922278da89822d56d4c31e73cbd324884e0f
SHA256 5b53f3f3b9152f664118d6c406cf2aaa3c22071de092e193562ebe8badc1a33b
SHA3 b1728cf8d6bf4383f6e8cf151f94670f3f738bd6220e9f0eb8143c7f9cc043ad
SSDeep 49152:f/lWSoLg2N1HJeS7OS4+Nl4a/E1BFtyUZvkUTQekZ3YCqiN9nrs//AsEtHQGFBN:CbNwSbg/Pus4
Imports Hash cf493a3bcb1d8d91cd3806a1bbf025e9

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2018-Oct-03 14:08:25
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x1f9a00
SizeOfInitializedData 0x20fa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000001E3384 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x40e000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.managed

MD5 a3b9e268d85881b64213827a74f741aa
SHA1 e71c47884eb16defb6e240162b0d6d7c9736fab4
SHA256 1654b1f173cb6b6d8cc56c277a4a75d30109fda076f65e497e447644153d446b
SHA3 dbb0f9b94a7eee6f5028557b3eb433f253e00b4e6b250720275dcbf203990f9a
VirtualSize 0x19ff59
VirtualAddress 0x1000
SizeOfRawData 0x1a0000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.43991

.text

MD5 dcc580a3e56e7da3a7be91b9625d99a7
SHA1 080e112dc907764477e2e05bd76d05e79e08cc7c
SHA256 026abb839b65f12dba81ab9fc20fd0c2f6b812222f69b86f5fc2ae2a674c3e06
SHA3 6b9ada35399c72277e70a95967f505a205af753b283f410e69548764ade8ebb8
VirtualSize 0x59908
VirtualAddress 0x1a1000
SizeOfRawData 0x59a00
PointerToRawData 0x1a0400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.51887

.rdata

MD5 6fdc1494a0201d41cd081b2f57159009
SHA1 1a316fda774b7cde7526bdc24a7f235e65bb6789
SHA256 bba4d7e52fb112f724a1925a12ef1c0611a52401cb6f7565a50d93b96bf98508
SHA3 28264fcdd928d3295e46f8b7f84a9367a9392af8ddc8ed493e4b26c2f678bf1c
VirtualSize 0x18c476
VirtualAddress 0x1fb000
SizeOfRawData 0x18c600
PointerToRawData 0x1f9e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.29589

.data

MD5 4959ff4dab7005c093a60abdefa6b0a0
SHA1 ccc71a3ff27781c9394feb21c851096a5b24062d
SHA256 4acaf7502e1e577a99802fb59992f0dc52c46441d76e654197df685d5879491d
SHA3 9c187cf5c0b2e5892d5958864b890e5ba8de2ef6938b5197382f042517ba7604
VirtualSize 0x2d090
VirtualAddress 0x388000
SizeOfRawData 0x27200
PointerToRawData 0x386400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.69809

.pdata

MD5 41905ad7b95ba9f9286f14a9657d218f
SHA1 e7cc057b03b4664873dacaeb01b02f9c42f17263
SHA256 93dcd0b943644fe693a0c1a54024f3cd5fbd40b8f3f845383dd5ee2cc0451d6c
SHA3 8f506878b60715a30c0ba5175b7f198f007b80fb98215b73f2e840e6ef26d8f2
VirtualSize 0x279f0
VirtualAddress 0x3b6000
SizeOfRawData 0x27a00
PointerToRawData 0x3ad600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.38281

rdata

MD5 ca507821519751b071c406fabfb67153
SHA1 a054d3deffacb4334f4bfb5bd548048bfa962428
SHA256 218f0a60c5a991db71ea82f11e9c2636d8b3741b1ec54d47f37e91d2b149af8f
SHA3 2dbf8104fa51eb3d5ef335d3d0434f18e7c9038fa6ed64832460b4d5bca5c236
VirtualSize 0x182a4
VirtualAddress 0x3de000
SizeOfRawData 0x18400
PointerToRawData 0x3d5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.10888

.reloc

MD5 6c64435a9af6ad73aa3bd6443c8bb8d0
SHA1 199a9322e9f5022c17354721cbd369d3dda87ffa
SHA256 d24a7028f512c8939dd65767b926b24212a5971f6db872de76a6d0a5443351b3
SHA3 cff9d070f04d609c8c9f460742cc4293b5ddc9bb134c2c5747ad676ec6738ab0
VirtualSize 0x16328
VirtualAddress 0x3f7000
SizeOfRawData 0x16400
PointerToRawData 0x3ed400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.46338

Imports

KERNEL32.dll HeapAlloc
CloseThreadpoolIo
HeapFree
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount64
CreateThreadpoolWork
CloseThreadpoolWork
SubmitThreadpoolWork
GetCurrentProcessorNumber
GetProcAddress
RaiseFailFastException
LoadLibraryExW
FreeLibrary
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
GetSystemDirectoryW
FlushProcessWriteBuffers
CloseHandle
DuplicateHandle
GetCurrentProcess
GetCurrentThread
SetEvent
WaitForSingleObjectEx
RaiseException
GetFileAttributesExW
ReadFile
GetSystemInfo
VirtualQuery
RtlVirtualUnwind
GetStdHandle
CreateFileW
WriteFile
DebugBreak
AddVectoredExceptionHandler
GetProcessHeap
FlsGetValue
FlsSetValue
QueryPerformanceCounter
QueryPerformanceFrequency
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
WaitForMultipleObjectsEx
CreateEventW
Sleep
GetCurrentProcessId
SwitchToThread
CreateThread
SetThreadPriority
SuspendThread
ResumeThread
GetThreadContext
GlobalMemoryStatusEx
GetTickCount
GetLogicalProcessorInformation
VirtualAlloc
VirtualProtect
VirtualFree
VirtualUnlock
GetWriteWatch
ResetWriteWatch
GetModuleHandleExW
InitializeCriticalSectionEx
ResetEvent
GetEnvironmentVariableW
SetFilePointerEx
GetLastError
FlsAlloc
SetLastError
HeapReAlloc
HeapSize
GetConsoleMode
GetConsoleCP
FlushFileBuffers
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlPcToFileHeader
RtlUnwindEx
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExitProcess
GetModuleFileNameW
GetCommandLineA
GetCommandLineW
CompareStringW
LCMapStringW
GetFileType
MultiByteToWideChar
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
WriteConsoleW
ole32.dll CoGetMarshalSizeMax
CoUnmarshalInterface
CoCreateInstance
CoMarshalInterface
CoWaitForMultipleHandles

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2018-Oct-03 14:08:25
Version 0.0
SizeofData 134
AddressOfRawData 0x322c74
PointerToRawData 0x321a74
Referenced File F:\Github\Arctium patcher\build\Release\launcher\netcoreapp2.1\win-x64\native\Arctium WoW Client Launcher.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2018-Oct-03 14:08:25
Version 0.0
SizeofData 20
AddressOfRawData 0x322cfc
PointerToRawData 0x321afc

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2018-Oct-03 14:08:25
Version 0.0
SizeofData 1032
AddressOfRawData 0x322d10
PointerToRawData 0x321b10

TLS Callbacks

StartAddressOfRawData 0x140323160
EndAddressOfRawData 0x140323278
AddressOfIndex 0x1403b3dbc
AddressOfCallbacks 0x1401fb490
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_16BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x100
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1403ae5f0

RICH Header

XOR Key 0xdfff7214
Unmarked objects 0
C objects (VS2015/2017 runtime 25711) 22
ASM objects (VS2015/2017 runtime 25711) 15
C++ objects (VS2015/2017 runtime 25711) 144
ASM objects (VS2017 v15.6.6 compiler 26131) 8
C objects (VS2017 v15.6.6 compiler 26131) 19
C++ objects (VS2017 v15.6.6 compiler 26131) 43
Imports (VS2015/2017 runtime 25711) 7
Total imports 139
ASM objects (VS2017 v15.7.3 compiler 26430) 13
C++ objects (VS2017 v15.7.3 compiler 26430) 49
Unmarked objects (#2) 1
Linker (VS2017 v15.7.4 compiler 26431) 1

Errors
