381adf2102b335f9c5979c295b5e2684

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2058-Oct-06 08:39:55
Detected languages English - United States
Debug artifacts bootsect.pdb
CompanyName Microsoft Corporation
FileDescription Boot Sector Manipulation Tool
FileVersion 10.0.19041.1 (WinBuild.160101.0800)
InternalName bootsect.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename bootsect.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.19041.1

Plugin Output

Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • NtQuerySystemInformation
Can access the registry:
  • RegOpenKeyExW
  • RegCloseKey
  • RegQueryValueExW
Uses Windows's Native API:
  • NtWaitForSingleObject
  • NtQueryDirectoryObject
  • NtCreateEvent
  • NtOpenDirectoryObject
  • NtDeviceIoControlFile
  • NtQuerySymbolicLinkObject
  • NtOpenSymbolicLinkObject
  • NtResetEvent
  • NtOpenFile
  • NtQueryVolumeInformationFile
  • NtFsControlFile
  • NtClose
  • NtQuerySystemInformation
  • NtQueryValueKey
  • NtQueryBootEntryOrder
  • NtQueryBootOptions
  • NtTranslateFilePath
  • NtEnumerateBootEntries
  • NtAdjustPrivilegesToken
  • NtOpenProcessTokenEx
  • NtSetInformationThread
  • NtOpenThreadTokenEx
  • NtOpenKey
Info The PE is digitally signed. Signer: Microsoft Windows
Issuer: Microsoft Windows Production PCA 2011
Safe VirusTotal score: 0/74 (Scanned on 2024-07-19 22:45:18) All the AVs think this file is safe.

Hashes

MD5 381adf2102b335f9c5979c295b5e2684
SHA1 64068391b62805bfd31180011a87b2bf7f493e96
SHA256 55a47316aab6e275758ed63c0238e61edf4283f4afe7add099b128ce56092a02
SHA3 629c160e779aa07915ac3d8b82628a58f82e00f16321cf3e209f9df2a77bc7f7
SSDeep 1536:uTB5egI78tKKc7XHui2IH5vgY83J+PWKJ:uVU/7CwiPIZvpagrJ
Imports Hash a26cb263b9dc97b5627f1e68caac6231

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2058-Oct-06 08:39:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x7400
SizeOfInitializedData 0x12e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000007D10 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x1e000
SizeOfHeaders 0x400
Checksum 0x1c674
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d960327c36c5dca4421578e7c06bf47b
SHA1 038848779eb12e6221848a02ca0345e4ffe3bc86
SHA256 f91903f1ef0c39c331791d1fd270e73e0cecbb61dfc9d447db2ff965409bf432
SHA3 29f73a220ef18bdc72e472eb4b76b0696d70f292577113c394fdb52d3e7d0ba1
VirtualSize 0x7370
VirtualAddress 0x1000
SizeOfRawData 0x7400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.13115

.rdata

MD5 77e1ab88c6276330c37e1f871222d9be
SHA1 f621fb87c28f50ce1593dd31b173e49635e5f6bf
SHA256 5e8abf803fd16729caf3a90358344091b871c1155329b247a46168a919334a72
SHA3 f3b4962c850bafc3ecee3178f44c3ca07e83fb0cef9c3c94d34ed8aadf72cbb2
VirtualSize 0x6b3a
VirtualAddress 0x9000
SizeOfRawData 0x6c00
PointerToRawData 0x7800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.02357

.data

MD5 ef5a23ce91ce434ebd035faa527d569a
SHA1 396a5476277a9cc74dd0346ec3130b77e00b72f2
SHA256 282325d9b3ad99ccf4bd15a7ac36ea5b98ef54f50d308637873a0adea92c39fe
SHA3 a5a7e4b3e9c4b6683c3ad516cd3b1ec0186086c4b92dcfda92326ec7d3e35f83
VirtualSize 0x7260
VirtualAddress 0x10000
SizeOfRawData 0x5c00
PointerToRawData 0xe400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.27008

.pdata

MD5 980c9581570bed365e7a16c9423ad94a
SHA1 ba356a6a5b51e013545541d9fbee567dba55abed
SHA256 af67730c3282c6beb2269de8343f3ff18d32fd5d30e9535a7f7a773a69fc92f8
SHA3 d2f1e5861590b21b2ac3387386f3aa4af2f4a1ab4217f61368e460eeb036bbeb
VirtualSize 0x42c
VirtualAddress 0x18000
SizeOfRawData 0x600
PointerToRawData 0x14000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.27227

.rsrc

MD5 3b3ae66ee6f9812c1c9948c79e2df85b
SHA1 86250c39cd945f3e7c8b18bcae74f9dcef46f8e4
SHA256 159a4fb5d4750b11ee41c531a235c46dd63b8518b26126aa61f101a4da08d58a
SHA3 75382b95a4e5c60cc55dfce2133ddca523b06f9581d0085ed08fc232264bc7c8
VirtualSize 0x3e20
VirtualAddress 0x19000
SizeOfRawData 0x4000
PointerToRawData 0x14600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.40267

.reloc

MD5 81195df61dff5cefafdfcde9f7116419
SHA1 d7b13467d432865a053a64adaa04601fa9a28ed7
SHA256 bb8702cf0dc6254aa5aec6422af6e04bdca5c28b16540b7b6c77c43ac2fe4aa6
SHA3 0a98b0eb92d9db6ab151647f830c4a71c907d36309c8fb5990998c91bd77f1f5
VirtualSize 0x79c
VirtualAddress 0x1d000
SizeOfRawData 0x800
PointerToRawData 0x18600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.26702

Imports

ADVAPI32.dll EventUnregister
EventRegister
EventWriteTransfer
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
KERNEL32.dll GetModuleHandleExW
SetFilePointer
GetLastError
GetProcAddress
FreeLibrary
GetConsoleOutputCP
GetStdHandle
GetModuleFileNameW
LocalAlloc
GetConsoleMode
FormatMessageW
QueryDosDeviceW
LocalFree
WideCharToMultiByte
GetFileType
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
Sleep
ReadFile
WriteFile
WriteConsoleW
SetLastError
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GetLocaleInfoW
CreateFileW
GetVersionExW
SearchPathW
UnmapViewOfFile
CloseHandle
FindResourceExW
LoadResource
CreateFileMappingW
MapViewOfFile
LoadLibraryExW
msvcrt.dll _snwscanf_s
bsearch
wcsncmp
wcsstr
wcsnlen
memcpy
?terminate@@YAXXZ
_fmode
__C_specific_handler
_initterm
memset
__setusermatherr
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
iswxdigit
_vsnwprintf
_wcsnicmp
_stricmp
swprintf_s
isalpha
wcscpy_s
_wcsicmp
_wcslwr
_commode
ntdll.dll RtlVirtualUnwind
RtlLookupFunctionEntry
NtWaitForSingleObject
RtlFreeHeap
NtQueryDirectoryObject
NtCreateEvent
NtOpenDirectoryObject
NtDeviceIoControlFile
NtQuerySymbolicLinkObject
RtlAllocateHeap
NtOpenSymbolicLinkObject
NtResetEvent
NtOpenFile
NtQueryVolumeInformationFile
RtlNtStatusToDosError
NtFsControlFile
NtClose
RtlInitUnicodeString
NtQuerySystemInformation
RtlCaptureContext
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtEnumerateBootEntries
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenKey

Delayed Imports

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xd0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.56955
MD5 ff85885ce7f6e7750a5583f5dce19c09
SHA1 bd2def36dd2d4b5b4efd0b736f5a705346db80f7
SHA256 c6a2e13fedc86c14a49a6d344b81006651df5d90fe7670f70895fefdeb5ed3fb
SHA3 f11b3a24c1d72ccfc22123713a9292b28a40a8ccf7143f487c7d39eae6c2237c

1 (#2)

Type RT_MESSAGETABLE
Language English - United States
Codepage UNKNOWN
Size 0x35b8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.2947
MD5 c3e4a3f6ffcf3471fa6a08a1fb8fa1b4
SHA1 abca48042bd73bf40248580e7beeabdf7b624301
SHA256 8dc7e53338df1c6c4dd2a860ddd850008a619be03516f791905167a2152bede4
SHA3 ed8cb2eb776b203dae317164e074589fa53441a4619615c139431db4b17bf746

1 (#3)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3b0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.40815
MD5 dc1f49d8db7f062ad2afbe31348bd9c2
SHA1 0841c4d11bc03e7d788dececac8ed147d2b51804
SHA256 382aa14af7e2de1c3d563c1b8bb6b52940b871998498a17ca336d671ae99d8d2
SHA3 e6667bd163713142889710fc6d0683fa17ab621092b3a04dd3794395e6772e36

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x2a7
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89202
MD5 ae38829cf582707ccd44107823c5f8f6
SHA1 c159831ce581e2642aa96de87e1ee4f40a57e42a
SHA256 6943d96567e85497945a97fc39c0f649e6948acbf390851b62db1b61fcde2776
SHA3 feeb11d355a25b8bc7caec95a7177db6654d3d578e4fdab8bf2072ebe79aa020

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.19041.1
ProductVersion 10.0.19041.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Boot Sector Manipulation Tool
FileVersion (#2) 10.0.19041.1 (WinBuild.160101.0800)
InternalName bootsect.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename bootsect.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.19041.1
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2058-Oct-06 08:39:55
Version 0.0
SizeofData 37
AddressOfRawData 0xe748
PointerToRawData 0xcf48
Referenced File bootsect.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2058-Oct-06 08:39:55
Version 0.0
SizeofData 628
AddressOfRawData 0xe770
PointerToRawData 0xcf70

UNKNOWN

Characteristics 0
TimeDateStamp 2058-Oct-06 08:39:55
Version 0.0
SizeofData 36
AddressOfRawData 0xe9e4
PointerToRawData 0xd1e4

TLS Callbacks

Load Configuration

Size 0x118
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140010098
GuardCFCheckFunctionPointer 5368758512
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x84eb2f04
Unmarked objects 0
C++ objects (27412) 1
ASM objects (27412) 2
C objects (27412) 18
Imports (27412) 9
Total imports 128
C objects (LTCG) (27412) 11
Resource objects (27412) 1
Linker (27412) 1

Errors
