Manalyze report for 2e5a8590cf6848968fc23de3fa1e25f1

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2096-Mar-14 04:00:21
Detected languages	English - United States
Debug artifacts	powershell.pdb
CompanyName	Microsoft Corporation
FileDescription	Windows PowerShell
FileVersion	`10.0.19041.3996 (WinBuild.160101.0800)`
InternalName	POWERSHELL
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	PowerShell.EXE
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.19041.3996`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: rShell.EXE rshell.exe`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegEnumKeyExW RegOpenKeyExW RegGetValueW RegCloseKey RegQueryValueExW` `Manipulates other processes: OpenProcess Process32FirstW Process32NextW`
Suspicious	The PE is possibly a dropper.	`Resources amount for 78.6427% of the executable.`
Safe	VirusTotal score: 0/73 (Scanned on 2025-03-31 14:45:47)	`All the AVs think this file is safe.`

Hashes

MD5	`2e5a8590cf6848968fc23de3fa1e25f1`
SHA1	`801262e122db6a2e758962896f260b55bbd0136a`
SHA256	`9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3`
SHA3	`797e36b40dcde5ae7e6570f071af2ea4ee1f782e7d4eb911d5631c9623908bc5`
SSDeep	`6144:67/KD0aTTyWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:9D0aTWW2KXzJ4pdd3klnnWosPhnzq`
Imports Hash	`3d08f4848535206d772de145804ff4b6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2096-Mar-14 04:00:21
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x9600`
SizeOfInitializedData	`0x66200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000042A0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x72000`
SizeOfHeaders	`0x400`
Checksum	`0x798b4`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8dd55513a09d5579a0c60284bc372ba4`
SHA1	`34ecb690e924dcc2f9b3f4d18b811e2785d23643`
SHA256	`79cd2144b2fb1d04f2e6dae812c4504a115334a2bcf7a79df465cbe84bceedd5`
SHA3	`0a971e3848b023a0e9c60434e47740031d3ae5caa60a768b0d1e64470e91eb82`
VirtualSize	`0x94b5`
VirtualAddress	`0x1000`
SizeOfRawData	`0x9600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.07459`

.rdata

MD5	`dcad3c8ff986ed5d92798ff2015b576e`
SHA1	`033feda7e6d08e5240eb67824b34031b9aaaea30`
SHA256	`962808672769cbda90af1a1ab155e7bed940c45752847927fdfc7cb1317d428d`
SHA3	`278680294c39e24c8a673812338226f4366aad0a1185a169d008ded4ea1dcad8`
VirtualSize	`0xbcf2`
VirtualAddress	`0xb000`
SizeOfRawData	`0xbe00`
PointerToRawData	`0x9a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.08623`

.data

MD5	`1c705b45ca3b31440ac87b643973a708`
SHA1	`2e1b83463bb9bb394e0009d3848d6dc84a68d043`
SHA256	`dde2ab23f7a7e7eef3f6eb888bed3be99811666ffa7765cd0e74a3030fcbdb59`
SHA3	`9edbdff4716807c5a5cfc1fe4f371bfcb1241466867be68ec52fc6c942f11973`
VirtualSize	`0xf6c`
VirtualAddress	`0x17000`
SizeOfRawData	`0x800`
PointerToRawData	`0x15800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.15554`

.pdata

MD5	`d8d708ed8bb0fbe2a01fd63fb86838b4`
SHA1	`f64b1f2f52472a87da956af8c6a2a2dcae5bc5b3`
SHA256	`3fdee72456480a1b08678b2452aedf58895cca8a063ac479ed271ece56a5c39d`
SHA3	`d4d7265a768ff10e1ababeb10f541defac965aad264a74801e7e1e265272ed33`
VirtualSize	`0x918`
VirtualAddress	`0x18000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x16000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.45674`

.rsrc

MD5	`2f15dba186d692e028ba96225d76d836`
SHA1	`77774e35fb0b15da0ba02d5cf01d85dafc4398ea`
SHA256	`ecdfac391fe4cf9a685b46c811b9ae83002ac7ecebd0d534f7cdc66da146837b`
SHA3	`a02f0e7ac8331d76f995b26017d90f84a17d5438a21a89bc258a51256342bda1`
VirtualSize	`0x57d88`
VirtualAddress	`0x19000`
SizeOfRawData	`0x57e00`
PointerToRawData	`0x16a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.3057`

.reloc

MD5	`10395268fff53224dcc2a4454004ff48`
SHA1	`13d67cf29b1fdad45e7ce8f9a96bcc784411afb8`
SHA256	`7bb8678e58b20dfa3511a8388c780d9779a9ba0c4ec5539f2e187d940ac8fcf4`
SHA3	`c745b5fe4a965f157f04e3974cc0c549f10d34eac356b5c72986fc875f287b66`
VirtualSize	`0xa8c`
VirtualAddress	`0x71000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x6e800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.17085`

Imports

msvcrt.dll	`_unlock` `_lock` `_commode` `_fmode` `_initterm` `__setusermatherr` `_cexit` `__dllonexit` `exit` `__set_app_type` `__wgetmainargs` `_amsg_exit` `_XcptFilter` `?terminate@@YAXXZ` `??1type_info@@UEAA@XZ` `memmove` `_exit` `_onexit` `_vsnwprintf` `_wcsicmp` `_wcsnicmp` `bsearch` `fclose` `_wfopen` `_itow_s` `wcstoul` `wcschr` `__uncaught_exception` `memcpy` `_CxxThrowException` `?what@exception@@UEBAPEBDXZ` `??1exception@@UEAA@XZ` `??0exception@@QEAA@AEBV0@@Z` `??0exception@@QEAA@AEBQEBDH@Z` `??0exception@@QEAA@AEBQEBD@Z` `_callnewh` `malloc` `wcsncmp` `wcsrchr` `free` `_purecall` `??3@YAXPEAX@Z` `memcpy_s` `??_V@YAXPEAX@Z` `__C_specific_handler` `__CxxFrameHandler3` `memset`
ATL.DLL	`#30`
KERNEL32.dll	`UnmapViewOfFile` `GetVersionExW` `GetLocaleInfoW` `GetUserDefaultUILanguage` `GetSystemDefaultUILanguage` `SearchPathW` `FindResourceExW` `GetTickCount` `GetSystemTimeAsFileTime` `GetCurrentThreadId` `QueryPerformanceCounter` `LoadResource` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `SleepConditionVariableSRW` `WakeAllConditionVariable` `AcquireSRWLockExclusive` `ReleaseSRWLockExclusive` `CreateFileMappingW` `IsWow64Process` `SetConsoleTitleW` `GetFileType` `FreeLibrary` `TerminateProcess` `GetStartupInfoW` `VerifyVersionInfoW` `FindFirstFileW` `MapViewOfFile` `LoadLibraryExW` `CompareStringW` `GetModuleHandleW` `SetLastError` `GetModuleHandleExW` `GetCurrentProcess` `GetStdHandle` `WriteFile` `GetCurrentProcessId` `ExpandEnvironmentStringsW` `VerSetConditionMask` `LocalFree` `WriteConsoleW` `GetModuleFileNameW` `SetThreadUILanguage` `K32GetModuleFileNameExW` `GetProcAddress` `SetErrorMode` `FindClose` `CreateFileW` `GetFileAttributesW` `OpenProcess` `CreateToolhelp32Snapshot` `Sleep` `FormatMessageW` `Process32FirstW` `CloseHandle` `GetLastError` `Process32NextW`
OLEAUT32.dll	`SysFreeString` `SafeArrayPutElement` `SysAllocString` `VariantClear` `SafeArrayCreate` `SysStringLen`
ADVAPI32.dll	`EventRegister` `RegEnumKeyExW` `RegOpenKeyExW` `RegGetValueW` `EventUnregister` `EventWriteTransfer` `RegCloseKey` `RegQueryValueExW` `EventSetInformation`
OLE32.dll	`CoInitialize` `PropVariantClear` `CoTaskMemAlloc` `CoUninitialize` `CoCreateInstance` `CoInitializeEx`
USER32.dll	`LoadStringW`
mscoree.dll	`CorBindToRuntimeEx`

Delayed Imports

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xd8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.64596`
MD5	`384ee455d497f326d51d154b074aaf2e`
SHA1	`ad45ed96ef7ce71a7fee19e05cf31b2ae3e14f9f`
SHA256	`4f5fe6829e022189fba9840744209445dd82d0b325c2c89cd2e22c3ea2f9b95d`
SHA3	`1b77c3e04c83ea044ae452fa08047c70c35f51fab195a5907bd831e829f14758`

1 (#2)

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2fbe`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.89964`
Detected Filetype	PNG graphic file
MD5	`8245fbd99fa64e5e5cb0da8a9d77b345`
SHA1	`16e9b848dc0ac17ca441a851d7186d3e6c1b1de2`
SHA256	`272a4147f0953b4a350915379b324db309d27b318d718ab12a56629b7687270c`
SHA3	`c8838947b19faf7e3d519e481e6f6ea93854ca8fb3332be227a65d9ad6eea145`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.23875`
MD5	`46904fc761ebe20dfd5f272a5c564046`
SHA1	`e2ebb195dd658a64776b6edd013606caff9f751d`
SHA256	`c300e62c324f12642c7a498d15adef62a5ebe2427475429abc2c94e55ee84610`
SHA3	`5b9279fe15f27557a7d06d32c148e8ee072506ea968098177cf022b1687ed659`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.34413`
MD5	`e804a8097a8d1d9646884009d5d7aeed`
SHA1	`c9506fb638f5ea01da935ad28d00fba9ac7d8dad`
SHA256	`36dc635c6edf17baae779bf5660c28e941819b6956117b8541667b660c90c8f4`
SHA3	`ee3400de45d6c44d9dfc7b219403bf4af7dd4518e5b099ab1ab3d2ace421aece`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1a68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.17191`
MD5	`4a6ba8e8b5a10a01219ddbba55b0dda4`
SHA1	`ba609647797f89d8b6daf84306a7d4c4c8134158`
SHA256	`4ac05dca288d58f7871091f728454138f20abd980f3eb34a348223f3ea74802a`
SHA3	`48fb07364d5819f3c24728a4ad676d3ec7d9ad409af461335349ca7b14a5cf87`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.5843`
MD5	`39d8daca5f97859234d462b48fd0ddba`
SHA1	`5cbf0996b0c34278f79a49f85463c0b377d755bd`
SHA256	`a3db470951a796b89940371604380fc1c22be7fe4451ced5a98a37094ef7cb66`
SHA3	`2f610e6e7f81dedc6a3e586e4cf353c69de76bdd9745f76eefbbd8bc7e49c8b7`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.70385`
MD5	`46ce09473e3345c147eb1b89ad496e8d`
SHA1	`4fd470a49c9703cbe14bcded7e3f9895e816c627`
SHA256	`a05bfb03905e1bfd87441f0c9575fe339464e46c430960329ec8c4bbec45f9a2`
SHA3	`ff8267c70a7220bb5953aba488a693a02b8c97664e808d9c4d8a7746b3215673`

7

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6b8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.76217`
MD5	`3b748b67e7206ececf13c6bc97683bdd`
SHA1	`d0b2ae7cbffc7c3450391deb70d01fcd211552f8`
SHA256	`a2c3b775c6ec5f4a9b8c4575690550c0f0dba0c2c8e4e27b3484bb29f53116bb`
SHA3	`bfb6c50772be6027a934f3528f75a4e30866cf5c3d41a8aa2c84d821e2d2c5e8`

8

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91337`
MD5	`b70cafc39b47fc69114c1d48e416ca15`
SHA1	`874a484610e77cb3df27418ea842ff41fc7b33aa`
SHA256	`1843ca87de0016e80e6e9210a84bd6ebb93a37867e4c863b6ee27d39e096ed56`
SHA3	`0e0b9491d97a49c484537804aaa4c991f5dee71c6b5c98966c7211a1dd854f9d`

9

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x668`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.46247`
MD5	`83ad6ea7a27416d22da3d9653d423d19`
SHA1	`cdd8bc279616276f1d6dfe3504737fa5015173bf`
SHA256	`6798e67cf1ade45b404bb6b738bf66a344d05e220f317f6b98f16a3091ccb03e`
SHA3	`82470370636739a2b5d3f8cca7bfd45ad0805aac683e3735d2e36821cb630d3b`

10

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.02666`
MD5	`6505a4195d1b31d18d56a947f94c867a`
SHA1	`73950ceacfbb2f068027de1d6a47a59da4abdf4f`
SHA256	`ab3488b3e80bd91281ead07ca41c24ea8990a530a491b9fa45ba1a6188558d9c`
SHA3	`5840b84a27b3e02088d962dfdf2f6a9c74b0f7c01869560df9551ce0468a1b77`

11

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.98563`
MD5	`e110db3490d8f96d9dbd939c33d5cc39`
SHA1	`2743b7ce6a0dea4c5a48148c7fb5c963becfbc47`
SHA256	`90cfb7abb585ead8f89db2d1a95ce2469758bcb7eb7f94bf49150e469cae811c`
SHA3	`102b3035f5683ba3770af838bf2eb2f0b23e333d82a58127d90033ee92bbad11`

12

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.72674`
MD5	`fb6051a04ba1a6bc6cc5efec00d2321c`
SHA1	`9d0236343e7972a74021a948dd02522ded9f5a8e`
SHA256	`60fb497ad9d6721ac946276460272386dd728a041276ef924eecc55c7fec7a4b`
SHA3	`51b50e0a88c3d19209abf29f2501e22583c8cd679143c165154aba6d5f9cc7dd`

13

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25686`
MD5	`64165187bdb5bb53e865ced2cd3dcd6d`
SHA1	`db709760992aaeb003bc2a7e8147dd689d12de86`
SHA256	`dd4ffb866e4cd7231a730f8e93d01949b6f31118887d69c2bcade264d9e21657`
SHA3	`95e34eb2f6b3b92dd9ddd4b8f45409e70a1ba5ed538d0bd2de4530c727544773`

14

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.01703`
MD5	`eedadce1ad81c4dab29d7db42d90e6d5`
SHA1	`66880b7d8682f6bfe3266f32bb37b40e0e17562e`
SHA256	`9b41accbe3aa7a9c55af03c3972fefe881614bb206356304d3a197e15027f710`
SHA3	`551a77d4380bbca4c106dd902c344008aa05754b62215281fafeb695b434479f`

15

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6c8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.23929`
MD5	`3643d129f2bc96763abe270648d38e8c`
SHA1	`657cf43baa55a7da9bd5c01ad9736baea4dcf14a`
SHA256	`d9a02d00a12ed977d25a662ee0a8aaa39bbb8786751d956789e6ab459ff4b087`
SHA3	`385f34a2b468e40bf08cdd8d6f5a58f1ee544729fa6a5e0b3de38192e2131584`

16

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.67792`
MD5	`c4b81ead0342a65d333deda43e2afecb`
SHA1	`c8843a3b791b8cbe28ef6325322dcbaea78ae8ce`
SHA256	`c32caf9e218f1f8c7b46735508249b8f7a71320b2c474b4e0d86b5a90926dd9b`
SHA3	`fbb9f4727c428aa7d84d92e0b4a59fd98a46459b4102287f1d2d0b0d2a8d8251`

17

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.15796`
MD5	`543e0cebdc4452be9fc5f02cf0f49f61`
SHA1	`49dfd61c1298490a1d6e2f32e51b0bfee271e15c`
SHA256	`165e1e29e5dd01af1a0794387f3262cb9d54cd6dd0b08738af348c4ee62da52e`
SHA3	`d9540950fbe2609e2a22a68578aff6f4995d687d8972afea0735f50651ad2b6a`

18

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.38513`
MD5	`707964b80dfd680d56335a5046bca8e7`
SHA1	`24c77c3e936d07fbfde666cc7b64b218fa28b011`
SHA256	`1fb26c499b1983c86205679d983f3f227ed007efa3eeafb314915daa41ee4541`
SHA3	`b1981ed6d780d4f40f3874bb941c4643b26ce35f1db305430b6afcde3f75e542`

19

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.75984`
MD5	`830f337bcb07d3375177131dac3f64a2`
SHA1	`d02492fbce8f5ea57c3dd8af93037af9a097a115`
SHA256	`8fe043e3d5b0241e179010c73f4c00083250dc0f0f0a5f20114ba452a7483284`
SHA3	`8c237cc3faf33a5e351e16e40bc7fbff5bc572e19893b1b8766c3c4830338918`

20

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.88579`
MD5	`fabbcc7d1cc996c7070b9917043ed19a`
SHA1	`6bb496a69dbdead90f716da5bab845560ed4750d`
SHA256	`b2533b141bb5a284f7ba5da0ff82af5b7bc47cda9e6eb04775da139c10b43952`
SHA3	`0222f48ad3782f9fe9f31c6c4241e9f09ae1b76df78977387c3dc2224a057903`

21

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.58762`
MD5	`2170f60038cfb7b61ef307bdf990e683`
SHA1	`8d64b7058e7ed75c867f30c853d840a1bb61d60c`
SHA256	`381aa9842cb77786dd2bc252c72a4176f4286fa398f964d3e893e98bad3c3a98`
SHA3	`aa7a7b64dc1a98e3d8f2907a64d3f1e14e3928b5505327e004311be259ae88c8`

MSH_MAIN

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x76`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.95799`
Detected Filetype	Icon file
MD5	`e8211c4a324eeac5317aa49f392f7534`
SHA1	`44f31c84081ce757d21087e182318bd8fb3fd4aa`
SHA256	`7f0f4b2fa24ae22ad3a0f7d6e4053a51af3d590c39530a5178a30479f3702ec5`
SHA3	`57364a3b9b3a31f396ff89eaa526636438e1b4040aea290096662a3beb9857d8`

MSH_SECURITY

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xbc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.1232`
Detected Filetype	Icon file
MD5	`237321df738bbd3e4f28d466f1373e2d`
SHA1	`f556140fbd7e26a098652228976c4ab20f0d8f24`
SHA256	`ac86dab55aac4069bb30fb3c0af4f5ec80a384b3ef24300b67af6fdd76f065f5`
SHA3	`197282d449732803dbe09e523d766316c7f497d8731183c7fdb6950b3a5c2d2a`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x39c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.52288`
MD5	`0a8000cdb47ff829fde03d4a2f5c7c9a`
SHA1	`0cd11147cc06680b9a14a4f9e0394d43fb8a6ac0`
SHA256	`e4f9aeb22bbc5fbba36822c633c814b5943e7783409812a7ea782f137e16b414`
SHA3	`077262edfd0697eebc21b3afe8dfd274a08a6f0fb78de61086c67402b85d92b9`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6a3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.09576`
MD5	`866de8e3ef941d3cfc4b390448c5d9a8`
SHA1	`4b4c56a92eda4089b8944b7f676e5d836545e417`
SHA256	`e9c90370d42bbbc667e06a41ad0c37e452b7fff648a360ffb2d3239d0629dd92`
SHA3	`b9447d6e2f12e62dd78dd147e79e02f64bee5babdc544ad12588f9bfd161d6cd`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.19041.3996
ProductVersion	10.0.19041.3996
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Windows PowerShell
FileVersion (#2)	10.0.19041.3996 (WinBuild.160101.0800)
InternalName	POWERSHELL
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	PowerShell.EXE
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.19041.3996

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2096-Mar-14 04:00:21
Version	`0.0`
SizeofData	`39`
AddressOfRawData	`0x14934`
PointerToRawData	`0x13334`
Referenced File	powershell.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2096-Mar-14 04:00:21
Version	`0.0`
SizeofData	`1120`
AddressOfRawData	`0x1495c`
PointerToRawData	`0x1335c`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2096-Mar-14 04:00:21
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x14dbc`
PointerToRawData	`0x137bc`

TLS Callbacks

StartAddressOfRawData	`0x140014de0`
EndAddressOfRawData	`0x140014de8`
AddressOfIndex	`0x140017c40`
AddressOfCallbacks	`0x14000ee30`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x118`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140017648`
GuardCFCheckFunctionPointer	`5368769976`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xce6fcf17`
Unmarked objects	`0`
Imports (VS2008 build 21022)	`2`
Imports (VS2008 SP1 build 30729)	`10`
ASM objects (27412)	`2`
C objects (27412)	`27`
Total imports	`139`
Imports (27412)	`5`
C++ objects (27412)	`9`
C objects (POGO O) (27412)	`9`
Resource objects (27412)	`1`
Linker (27412)	`1`

2e5a8590cf6848968fc23de3fa1e25f1

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

MSH_MAIN

MSH_SECURITY

1 (#3)

1 (#4)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors