Architecture |
IMAGE_FILE_MACHINE_I386
|
---|---|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
Compilation Date | 2013-Feb-22 03:49:16 |
Detected languages |
English - United States
|
CompanyName | |
FileDescription | When run with SYSTEM credentials, this can start a program as the logged-on user |
FileVersion | 1.3.0.0 |
InternalName | |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | |
ProductName | |
ProductVersion | 1.3.0.0 |
Comments |
Suspicious | The PE is possibly packed. | Unusual section name found: .itext |
Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
Info | The PE's resources present abnormal characteristics. | The binary may have been compiled on a machine in the UTC-6 timezone. |
Suspicious | VirusTotal score: 2/67 (Scanned on 2017-12-30 21:23:35) |
Cylance:
Unsafe
Comodo: Heur.Packed.Unknown |
e_magic | MZ |
---|---|
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
Signature | PE |
---|---|
Machine |
IMAGE_FILE_MACHINE_I386
|
NumberofSections | 9 |
TimeDateStamp | 2013-Feb-22 03:49:16 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
|
Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0x9a00 |
SizeOfInitializedData | 0x4800 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000B134 (Section: .itext) |
BaseOfCode | 0x1000 |
BaseOfData | 0xc000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x19000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x4000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
oleaut32.dll |
SysFreeString
|
---|---|
advapi32.dll |
RegQueryValueExA
RegOpenKeyExA RegCloseKey |
user32.dll |
GetKeyboardType
DestroyWindow LoadStringA MessageBoxA CharNextA |
kernel32.dll |
GetACP
Sleep VirtualFree VirtualAlloc GetCurrentThreadId VirtualQuery WideCharToMultiByte lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
kernel32.dll (#2) |
GetACP
Sleep VirtualFree VirtualAlloc GetCurrentThreadId VirtualQuery WideCharToMultiByte lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
user32.dll (#2) |
GetKeyboardType
DestroyWindow LoadStringA MessageBoxA CharNextA |
kernel32.dll (#3) |
GetACP
Sleep VirtualFree VirtualAlloc GetCurrentThreadId VirtualQuery WideCharToMultiByte lstrlenA lstrcpynA LoadLibraryExA GetThreadLocale GetStartupInfoA GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetCommandLineA FreeLibrary FindFirstFileA FindClose ExitProcess WriteFile UnhandledExceptionFilter SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetFileType CreateFileA CloseHandle |
advapi32.dll (#2) |
RegQueryValueExA
RegOpenKeyExA RegCloseKey |
November |
December |
Sun |
Mon |
Tue |
Wed |
Thu |
Fri |
Sat |
Sunday |
Monday |
Tuesday |
Wednesday |
Thursday |
Friday |
Saturday |
Jul |
Aug |
Sep |
Oct |
Nov |
Dec |
January |
February |
March |
April |
May |
June |
July |
August |
September |
October |
Invalid variant type conversion |
Invalid variant operation |
Invalid argument |
External exception %x |
Assertion failed |
Interface not supported |
Exception in safecall method |
%s (%s, line %d) |
Abstract Error |
Access violation at address %p in module '%s'. %s of address %p |
Jan |
Feb |
Mar |
Apr |
May |
Jun |
Invalid pointer operation |
Invalid class typecast |
Access violation at address %p. %s of address %p |
Access violation |
Stack overflow |
Control-C hit |
Privileged instruction |
Exception %s in module %s at %p. |
%s%s |
Application Error |
Format '%s' invalid or incompatible with argument |
No argument for format '%s' |
Variant method calls not supported |
Read |
Write |
Error creating variant or safe array |
Variant or safe array index out of bounds |
Out of memory |
I/O error %d |
File not found |
Invalid filename |
Too many open files |
File access denied |
Read beyond end of file |
Disk full |
Invalid numeric input |
Division by zero |
Range check error |
Integer overflow |
Invalid floating point operation |
Floating point division by zero |
Floating point overflow |
Floating point underflow |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 1.3.0.0 |
ProductVersion | 1.3.0.0 |
FileFlags | (EMPTY) |
FileOs |
VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
|
FileType |
VFT_APP
|
Language | English - United States |
CompanyName | |
FileDescription | When run with SYSTEM credentials, this can start a program as the logged-on user |
FileVersion (#2) | 1.3.0.0 |
InternalName | |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | |
ProductName | |
ProductVersion (#2) | 1.3.0.0 |
Comments |
Resource LangID | English - United States |
---|
StartAddressOfRawData | 0x413000 |
---|---|
EndAddressOfRawData | 0x413008 |
AddressOfIndex | 0x40c780 |
AddressOfCallbacks | 0x414010 |
SizeOfZeroFill | 0 |
Characteristics |
IMAGE_SCN_TYPE_REG
|
Callbacks | (EMPTY) |