2163042ebbd98ef14cce16aa8b6e42cf

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2013-Feb-22 03:49:16
Detected languages English - United States
CompanyName
FileDescription When run with SYSTEM credentials, this can start a program as the logged-on user
FileVersion 1.3.0.0
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion 1.3.0.0
Comments

Plugin Output

Suspicious: The PE is possibly packed. Unusual section name found: .itext
(Caveat: .itext is the standard name the Borland/Delphi linker gives its initialization-code section, and this binary carries the other Delphi markers seen below: linker version 2.0, the DVCLAL and PACKAGEINFO resources, and Delphi RTL messages in the string table. Its entropy of 4.74 is also far below what a packer stub shows, so this finding is consistent with an ordinary Delphi build rather than a packer.)
Malicious: The PE contains functions commonly used by malware.
[!] The program may be hiding some of its imports (resolving them at run time through LoadLibrary/GetProcAddress instead of listing them in the import table):
  • LoadLibraryExA
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessAsUserA
Functions related to the privilege level:
  • OpenProcessToken
  • DuplicateTokenEx
Manipulates other processes:
  • OpenProcess
(None of CreateProcessAsUserA, OpenProcessToken, DuplicateTokenEx or OpenProcess appears in the Imports section below; they were found as strings, which matches the dynamic-resolution finding above and the FileDescription "start a program as the logged-on user".)
Suspicious: VirusTotal score 2/67 (scanned 2017-12-30 21:23:35):
  • Cylance: Unsafe
  • Comodo: Heur.Packed.Unknown
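The two verdicts above rest on heuristics a practitioner can reproduce. The following is an added example, not the analyser's own code: it flags watch-listed API names that occur as strings in a file but are absent from the declared imports (the "hidden imports" check), computes section entropy, and keeps an allow-list of compiler-specific section names so that a Delphi .itext section is not reported as a packer stub. The watch list and the sample byte buffer are constructed for the example; the declared-import set is taken from the Imports section of this page.

```python
"""Hidden-import and packing heuristics (added example, not the analyser's code)."""
import math
import re

# Assumption: a small watch list of sensitive APIs; the plugin's real list
# is not shown on this page.
WATCHLIST = {
    "CreateProcessAsUserA": "launches other programs",
    "CreateProcessAsUserW": "launches other programs",
    "OpenProcessToken": "privilege level",
    "DuplicateTokenEx": "privilege level",
    "AdjustTokenPrivileges": "privilege level",
    "OpenProcess": "manipulates other processes",
    "WriteProcessMemory": "manipulates other processes",
    "CreateRemoteThread": "manipulates other processes",
}

# Section names legitimate toolchains emit; matched exactly.
KNOWN_SECTIONS = {
    ".itext": "Borland/Delphi initialization code",
    ".text": "code", ".data": "initialized data", ".bss": "uninitialized data",
    ".idata": "import directory", ".tls": "thread-local storage",
    ".rdata": "read-only data", ".reloc": "relocations", ".rsrc": "resources",
}

# Whole identifiers only: a substring search would report OpenProcess as
# present merely because OpenProcessToken is.
_IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{2,63}")


def find_hidden_imports(data: bytes, declared: set) -> dict:
    """Watch-listed API names present as strings but not in the import table."""
    seen = {m.group(0).decode("ascii") for m in _IDENT.finditer(data)}
    return {name: why for name, why in WATCHLIST.items()
            if name in seen and name not in declared}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_section(name: str, entropy: float, executable: bool) -> str:
    """Packer heuristic: high-entropy executable code is the real signal,
    an unusual name alone is not."""
    if entropy > 7.0 and executable:
        return "suspicious: high-entropy executable section (possible packer)"
    if name in KNOWN_SECTIONS:
        return f"benign: {KNOWN_SECTIONS[name]}"
    return "unknown section name; inspect manually"


# Constructed sample: a subset of the import names listed on this page, and
# a byte buffer carrying the four API names the plugin found only as strings.
DECLARED_IMPORTS = {
    "SysFreeString", "RegQueryValueExA", "RegOpenKeyExA", "RegCloseKey",
    "GetKeyboardType", "DestroyWindow", "LoadStringA", "MessageBoxA",
    "CharNextA", "LoadLibraryExA", "GetProcAddress", "GetModuleHandleA",
    "CreateFileA", "WriteFile", "ReadFile", "CloseHandle", "ExitProcess",
}
SAMPLE_FILE = (
    b"\x00" * 16
    + b"advapi32.dll\x00OpenProcessToken\x00DuplicateTokenEx\x00"
    + b"kernel32.dll\x00OpenProcess\x00CreateProcessAsUserA\x00"
    + b"GetProcAddress\x00LoadLibraryExA\x00WriteFile\x00"
    + b"\xff" * 16
)


if __name__ == "__main__":
    for api, why in sorted(find_hidden_imports(SAMPLE_FILE, DECLARED_IMPORTS).items()):
        print(f"hidden import {api}: {why}")
    # The .itext figures are the ones reported on this page.
    print(".itext ->", assess_section(".itext", 4.73958, executable=True))
    print("sample entropy:", round(shannon_entropy(SAMPLE_FILE), 3))
```

Run against a real file, `find_hidden_imports(open(path, "rb").read(), declared)` with `declared` taken from the import directory reproduces the plugin's list; a name in the watch list that is also declared is not "hidden" and is left out.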

Hashes

MD5 2163042ebbd98ef14cce16aa8b6e42cf
SHA1 9ba3f013bb6b355f043f2020bd48fd6d81efc01d
SHA256 eeb03cd198f1f09170d7552d023fb59f2de2cd651d43ef08497095204a012bc2
SHA3 ba61f1ff9bca5839e07d2b1335765d077f170c90a4999cd2f55b59fe2b0b97a3
SSDeep 768:F4cxvplZ/ija+1IOt5M0ag68m2wEW0qM6371mg49YdwDjeKU1OcdzBvObXY4cor:RxvpC5tag68m06375dw3ur2bXY/kxs
Imports Hash 82aa4e6257275b038cbdc65769710c4d

DOS Header

e_magic MZ
e_cblp 0x50
e_cp 0x2
e_crlc 0
e_cparhdr 0x4
e_minalloc 0xf
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0x1a
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 9
TimeDateStamp 2013-Feb-22 03:49:16
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x9a00
SizeOfInitializedData 0x4800
SizeOfUninitializedData 0
AddressOfEntryPoint 0xb134 (Section: .itext)
BaseOfCode 0x1000
BaseOfData 0xc000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x19000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics (EMPTY)
SizeofStackReserve 0x100000
SizeofStackCommit 0x4000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c16e1effe7bf3509619075b13427dbe1
SHA1 2f6e1655a80413e9b9b1d7a595ddf6758658e530
SHA256 a550f7507495bbd3f1efe2c58aebd65778ad3eb4f5f9544ed4b06eb207003980
SHA3 82b8e84d8f72d5dacaf8f769d62588b82c92b02c6873abbc46e4d75092feed78
VirtualSize 0x92a8
VirtualAddress 0x1000
SizeOfRawData 0x9400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.50102

.itext

MD5 c3524fce19b8cea3e9af9824afad91d1
SHA1 9c450d2b0aeb109ef272a88b1ae5d47121dba5cc
SHA256 7568bad4c63c56de23f295354fc77c5423715b79905e4e4192c31d0fcfedcf7e
SHA3 4094f86afcd8a3473bee53aabbadce19645de159ee10e241a23e7447a4a85a95
VirtualSize 0x430
VirtualAddress 0xb000
SizeOfRawData 0x600
PointerToRawData 0x9800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.73958

.data

MD5 e05338476ea19624e6809149019c3ebf
SHA1 279eacbddb8b76be196ccd7e88a9e161893c7793
SHA256 2b731c4434d51e76202ee4a26f521c9ad2d7a8de15b911fd757706712e9b5482
SHA3 63e648544b4de5e39a879117de80112455477c814110f60105abcd0f17c392df
VirtualSize 0xb1c
VirtualAddress 0xc000
SizeOfRawData 0xc00
PointerToRawData 0x9e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.03797

.bss

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470
VirtualSize 0x4950
VirtualAddress 0xd000
SizeOfRawData 0
PointerToRawData 0xaa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.idata

MD5 ea5c158a0c7c985ba480c3dedd09eaa9
SHA1 b61d09abba680d1c69c6ca8d60b89f8477b914d2
SHA256 a359b2952378f66215010c64c15b14b5b1e8b279084afcc5c5b5d795a1a63922
SHA3 c911c869783d3eeef17c3a2f0576dbc8f0984e9f04428dbb70785a9be737c409
VirtualSize 0x8d2
VirtualAddress 0x12000
SizeOfRawData 0xa00
PointerToRawData 0xaa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.48349

.tls

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470
VirtualSize 0x8
VirtualAddress 0x13000
SizeOfRawData 0
PointerToRawData 0xb400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rdata

MD5 e9700fa58542f400c1d837e6b14a9b2e
SHA1 f77f0d8acd7a7d21c997ad35edc3b2337ef8c327
SHA256 dc86d0248e90838f9b947f9b8f9fa11f90bcdf47d01bf5d1ef982f66463dfd34
SHA3 aa971a61862be42d81c4036de64021ef7a9d5de8de242f3c587f63700754cf37
VirtualSize 0x18
VirtualAddress 0x14000
SizeOfRawData 0x200
PointerToRawData 0xb400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.20692

.reloc

MD5 12861ade2b133b46bf7ae29037ab38c9
SHA1 a17e4b047b47a4d4986bb2b86621936f18cd6f0f
SHA256 e750fd79d7d590356c8641a3249fbffe0757942c07f4b45b10e7fb1e744323a8
SHA3 e5c8cccad162f5b313cc82c7ef5cf8bd38640117f7070564ecd50b90b3dced01
VirtualSize 0xce0
VirtualAddress 0x15000
SizeOfRawData 0xe00
PointerToRawData 0xb600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.37189

.rsrc

MD5 1adeb6ee086bc66d1a3648a60675f1d1
SHA1 0a93de49bfe56e09d7efe5faa9c252dc4175e57e
SHA256 504db5c38e97d255ae454aadf0abd8b9327566766f396c2b0a234023ec91d8e2
SHA3 f928c21af83de111a05bec12e8b496a0c45701967ea523e4244c638aa0859437
VirtualSize 0x2200
VirtualAddress 0x16000
SizeOfRawData 0x2200
PointerToRawData 0xc400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.80657

Imports

oleaut32.dll SysFreeString
advapi32.dll RegQueryValueExA
RegOpenKeyExA
RegCloseKey
user32.dll GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
kernel32.dll GetACP
Sleep
VirtualFree
VirtualAlloc
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetFileType
CreateFileA
CloseHandle
kernel32.dll (#2) GetACP
Sleep
VirtualFree
VirtualAlloc
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetFileType
CreateFileA
CloseHandle
user32.dll (#2) GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
kernel32.dll (#3) GetACP
Sleep
VirtualFree
VirtualAlloc
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetFileType
CreateFileA
CloseHandle
advapi32.dll (#2) RegQueryValueExA
RegOpenKeyExA
RegCloseKey

Delayed Imports

Resources

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
Entropy 3.18073
MD5 d0de9e612f3a4443d9c5cbf087cf99ec
SHA1 ae1172f113e055fcb241c0c3dcf1dd2365c192e0
SHA256 72d1858e2477a69e326666fcbfb0fea0e415bbf3eaf40ceb740b7be68dbaaff9
SHA3 63df0ee002ccbabe5400cc1f7237cad961dae454172a4ccd727b10ed2b9a23ad

4092

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0xd0
Entropy 3.2023
MD5 2c445e7460778069a108bfa6e5838bf4
SHA1 ada7c52ba585077d914fb80b269ec8a841801795
SHA256 67fa84ed1924419c10197924c66863e6a229a1e590b17e32bde70bb75a809f82
SHA3 af234cd13c86687a19221e955108bf1d7805ddb1b1b9b940c2c61ceea804364f

4093

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0xb8
Entropy 3.34911
MD5 4a1e6314536c88cfa0467bf5b0cc0dd1
SHA1 34d0696c00ac0a6e0171d94cdb9cb2b3bc662afb
SHA256 dbd0defe0cb0baca38eba086f1db49f41b260ac4f9cd2d6cdaed54074f04e2f9
SHA3 abb1ced3fa8c257783db3836da66e78e0289850f43c206a95e2868c417e0c666

4094

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x240
Entropy 3.33001
MD5 b1ddb51fa6f37ba6c368cefa2f2758c4
SHA1 cbd129a306495b470ff9635b5f469846853aef78
SHA256 f6c922f8922e4b5d921f80eae02005303529c711e152dd862e51acbb658d7254
SHA3 ad99f5d004dd760f86cbf96e29adbd2cf418eb8188e6f5e1ac8624e5d59b6a5f

4095

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x35c
Entropy 3.33933
MD5 3959de07687076819e595c726efe714f
SHA1 607464112d8c08052ce60fa48ab176430abede27
SHA256 5de3ab0e6ffdee43cf7921ca4d399bfe27e67fa00ab2d657012e9157fc5c3d3a
SHA3 c6dd0f74a5789ee36c7596d1355b3a63ded042bccd7528f38ee7d72bd64dc258

4096

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x280
Entropy 3.29535
MD5 dbb1639cae4f97cb2a198d7320249054
SHA1 1b511b62f1478abba0b447ef2658172611af4de0
SHA256 1893a4eed0a8c996ee87a4a73bfa06c6fb9a147117e1925983caff227c147943
SHA3 dcbe26fa0af22e9a679a74d29dfc05868c8438ec7aad13b17ad8e097307b41c9

DVCLAL

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x10
Entropy 4
MD5 d8090aba7197fbf9c7e2631c750965a8
SHA1 04f73efb0801b18f6984b14cd057fb56519cd31b
SHA256 88d14cc6638af8a0836f6d868dfab60df92907a2d7becaefbbd7e007acb75610
SHA3 c6c76d2cc1f3d53733b805a2d82178b366a8a5e3867bc0e99134cb004cde57a0

PACKAGEINFO

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x74
Entropy 4.72367
MD5 de1c269564b735bcff3da40d92e8e140
SHA1 e798c37f59f89b3a78524efef2e8e6937d9e58b4
SHA256 7e0196de8c842f55ce3437279406508942867fface7c13a212d5e55a6b028213
SHA3 532a609bec77ae76c74f18aa738b8efc835d9b6a90cbd25429cb76399fc996ec

MAINICON

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x14
Entropy 1.86096
Detected Filetype Icon file
MD5 f267c11c83be33a53b3258d32d01c71f
SHA1 de354818d3ec2ba25abbfde1e7325de4a5223124
SHA256 af4ffa8e39ac2f72dc0efe9e0bb90413bb45d92209fd2279900b4628f5cf6aba
SHA3 694f1d69341c1c522efcf8709df55aecabefbca18952e4eedbc8198a0a453655

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x314
Entropy 3.246
MD5 ba9090bd1d403c5f09f33c9ba4171bd6
SHA1 ad68baa6a8b18173661864ffc69a1bb0691ae32d
SHA256 c4797301ea290149d8412c4d40af8547a3d78bf2aeed5f0a088b14275f8ad33c
SHA3 5d19710be78b118f7364a027be9a596f753ed2c976c6b6dc95e0173ce387830e

String Table contents

November
December
Sun
Mon
Tue
Wed
Thu
Fri
Sat
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Jul
Aug
Sep
Oct
Nov
Dec
January
February
March
April
May
June
July
August
September
October
Invalid variant type conversion
Invalid variant operation
Invalid argument
External exception %x
Assertion failed
Interface not supported
Exception in safecall method
%s (%s, line %d)
Abstract Error
Access violation at address %p in module '%s'. %s of address %p
Jan
Feb
Mar
Apr
May
Jun
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Access violation
Stack overflow
Control-C hit
Privileged instruction
Exception %s in module %s at %p.
%s%s
Application Error
Format '%s' invalid or incompatible with argument
No argument for format '%s'
Variant method calls not supported
Read
Write
Error creating variant or safe array
Variant or safe array index out of bounds
Out of memory
I/O error %d
File not found
Invalid filename
Too many open files
File access denied
Read beyond end of file
Disk full
Invalid numeric input
Division by zero
Range check error
Integer overflow
Invalid floating point operation
Floating point division by zero
Floating point overflow
Floating point underflow

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.3.0.0
ProductVersion 1.3.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName
FileDescription When run with SYSTEM credentials, this can start a program as the logged-on user
FileVersion (#2) 1.3.0.0
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion (#2) 1.3.0.0
Comments
Resource LangID English - United States

TLS Callbacks

StartAddressOfRawData 0x413000
EndAddressOfRawData 0x413008
AddressOfIndex 0x40c780
AddressOfCallbacks 0x414010
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks (EMPTY)

Load Configuration

Errors

[*] Warning: Section .bss has a size of 0!
[*] Warning: Section .tls has a size of 0!
(Both warnings refer to SizeOfRawData. .bss has VirtualSize 0x4950 and .tls has VirtualSize 0x8, so the sections are zero-filled at load time rather than missing; that is the normal layout for uninitialized data and TLS.)
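The section arithmetic behind two facts on this page, the entry point at RVA 0xb134 landing in .itext and the "size of 0" warnings for .bss and .tls, worked through as an added example (not the analyser's own code). The section table is transcribed from the headers above with the characteristics reduced to the bits used here; the classification rules for zero-size sections are this example's own.

```python
"""RVA-to-section mapping and zero-raw-size checks (added example)."""
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


# Transcribed from the section headers on this page.
SECTIONS = [
    Section(".text",  0x92a8, 0x1000,  0x9400, 0x400,  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    Section(".itext", 0x430,  0xb000,  0x600,  0x9800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    Section(".data",  0xb1c,  0xc000,  0xc00,  0x9e00, IMAGE_SCN_CNT_INITIALIZED_DATA),
    Section(".bss",   0x4950, 0xd000,  0,      0xaa00, 0),
    Section(".idata", 0x8d2,  0x12000, 0xa00,  0xaa00, IMAGE_SCN_CNT_INITIALIZED_DATA),
    Section(".tls",   0x8,    0x13000, 0,      0xb400, 0),
    Section(".rdata", 0x18,   0x14000, 0x200,  0xb400, IMAGE_SCN_CNT_INITIALIZED_DATA),
    Section(".reloc", 0xce0,  0x15000, 0xe00,  0xb600, IMAGE_SCN_CNT_INITIALIZED_DATA),
    Section(".rsrc",  0x2200, 0x16000, 0x2200, 0xc400, IMAGE_SCN_CNT_INITIALIZED_DATA),
]
SECTION_ALIGNMENT = 0x1000   # from the Image Optional Header above
SIZE_OF_IMAGE = 0x19000
ENTRY_POINT_RVA = 0xb134


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def section_for_rva(rva: int, sections=SECTIONS):
    """Section whose in-memory range (VirtualSize rounded up to
    SectionAlignment) contains rva, or None."""
    for s in sections:
        end = s.virtual_address + align_up(s.virtual_size, SECTION_ALIGNMENT)
        if s.virtual_address <= rva < end:
            return s
    return None


def rva_to_file_offset(rva: int, sections=SECTIONS):
    """File offset backing rva, or None when nothing on disk backs it."""
    s = section_for_rva(rva, sections)
    if s is None:
        return None
    delta = rva - s.virtual_address
    if delta >= s.raw_size:
        return None          # e.g. .bss: mapped, but zero-filled by the loader
    return s.raw_pointer + delta


def classify_zero_raw_size(s: Section) -> str:
    """Interpret a SizeOfRawData == 0 warning for one section."""
    if s.raw_size != 0:
        return "has raw data"
    if s.virtual_size == 0:
        return "empty section: suspicious"
    if s.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        return "executable section with no bytes on disk: suspicious"
    return "uninitialized data only (zero-filled at load): normal"


def layout_is_consistent(sections=SECTIONS, size_of_image=SIZE_OF_IMAGE) -> bool:
    """Raw data is contiguous on disk and the image ends where SizeOfImage says."""
    raw = [s for s in sections if s.raw_size]
    for a, b in zip(raw, raw[1:]):
        if a.raw_pointer + a.raw_size != b.raw_pointer:
            return False
    last = sections[-1]
    return align_up(last.virtual_address + last.virtual_size, SECTION_ALIGNMENT) == size_of_image


if __name__ == "__main__":
    s = section_for_rva(ENTRY_POINT_RVA)
    print(f"entry point 0x{ENTRY_POINT_RVA:x} -> {s.name} at file offset 0x{rva_to_file_offset(ENTRY_POINT_RVA):x}")
    for sec in SECTIONS:
        if sec.raw_size == 0:
            print(f"{sec.name}: {classify_zero_raw_size(sec)}")
    print("layout consistent:", layout_is_consistent())
```

For this file the entry point resolves to .itext at file offset 0x9934, both zero-size sections classify as normal uninitialized data, and the raw sections are contiguous with the last one rounding up to SizeOfImage, so the section table itself shows no tampering.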