Architecture |
IMAGE_FILE_MACHINE_AMD64
|
---|---|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
Compilation Date | 2010-Apr-21 08:10:25 |
Detected languages |
English - United States
|
Debug artifacts |
GatherOsState.pdb
|
CompanyName | Microsoft Corporation |
FileDescription | Gather Downlevel OS Activation State |
FileVersion | 10.0.17134.1 (WinBuild.160101.0800) |
InternalName | GatherOsState |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | GatherOsState.EXE |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 10.0.17134.1 |
Suspicious | Strings found in the binary may indicate undesirable behavior: |
Accesses the WMI:
|
Info | Cryptographic algorithms detected in the binary: |
Uses constants related to SHA256
Microsoft's Cryptography API |
Suspicious | The PE is possibly packed. | Unusual section name found: .didat |
Suspicious | The PE contains functions most legitimate programs don't use. |
[!] The program may be hiding some of its imports:
|
Info | The PE is digitally signed. |
Signer: Microsoft Windows
Issuer: Microsoft Windows Verification PCA |
Safe | VirusTotal score: 0/69 (Scanned on 2020-02-21 23:26:21) | All the AVs think this file is safe. |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
Signature | PE |
---|---|
Machine |
IMAGE_FILE_MACHINE_AMD64
|
NumberofSections | 7 |
TimeDateStamp | 2010-Apr-21 08:10:25 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
Magic | PE32+ |
---|---|
LinkerVersion | 14.20512 |
SizeOfCode | 0x7a400 |
SizeOfInitializedData | 0xf2800 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000000000017090 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | A.0 |
ImageVersion | 5343.5020 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x172000 |
SizeOfHeaders | 0x400 |
Checksum | 0x178925 |
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
SizeofStackReserve | 0x80000 |
SizeofStackCommit | 0x2000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
msvcrt.dll |
?terminate@@YAXXZ
_onexit memcpy memcmp __dllonexit _unlock _lock _commode _fmode _initterm __setusermatherr _cexit _exit exit __set_app_type __wgetmainargs memchr wcschr _wcsnicmp memcpy_s _amsg_exit _XcptFilter _purecall __C_specific_handler malloc free wcsstr _wcsicmp memmove _vsnwprintf wprintf memset |
---|---|
ntdll.dll |
RtlDeleteFunctionTable
RtlAddFunctionTable RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind |
KERNEL32.dll |
FreeLibrary
GetSystemDirectoryW GlobalMemoryStatusEx DeviceIoControl MultiByteToWideChar VirtualAlloc GetTickCount GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter DelayLoadFailureHook LoadLibraryExA GetSystemDefaultUILanguage LCMapStringW HeapFree WriteFile GetModuleHandleExW ExpandEnvironmentStringsW GetModuleFileNameW SetErrorMode LocalAlloc CreateFileW GetFileAttributesW GetVersionExW GetLastError FileTimeToSystemTime CloseHandle HeapAlloc GetProcAddress LocalFree GetProcessHeap WideCharToMultiByte GetSystemTimeAsFileTime GetSystemTime VirtualProtect SetLastError EnterCriticalSection VirtualFree GetCurrentProcess TerminateProcess LeaveCriticalSection InitializeCriticalSection GetCurrentThread DeleteCriticalSection UnhandledExceptionFilter GetModuleHandleW LoadLibraryExW SetUnhandledExceptionFilter Sleep GetVersionExA |
ADVAPI32.dll |
CryptReleaseContext
CryptGetHashParam CryptDestroyHash CryptHashData CryptCreateHash CryptAcquireContextW GetCurrentHwProfileW RegCloseKey RegQueryValueExW RegOpenKeyExW |
SLC.dll (delay-loaded) |
SLGetWindowsInformationDWORD
SLGetSLIDList SLGetServiceInformation SLClose SLGetPKeyInformation SLOpen SLGetGenuineInformation |
Attributes | 0x1 |
---|---|
Name | SLC.dll |
ModuleHandle | 0x166988 |
DelayImportAddressTable | 0x16c0b8 |
DelayImportNameTable | 0x164490 |
BoundDelayImportTable | 0x164718 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 10.0.17134.1 |
ProductVersion | 10.0.17134.1 |
FileFlags | (EMPTY) |
FileOs |
VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
|
FileType |
VFT_APP
|
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Gather Downlevel OS Activation State |
FileVersion (#2) | 10.0.17134.1 (WinBuild.160101.0800) |
InternalName | GatherOsState |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | GatherOsState.EXE |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 10.0.17134.1 |
Resource LangID | English - United States |
---|
Characteristics |
0
|
---|---|
TimeDateStamp | 2010-Apr-21 08:10:25 |
Version | 0.0 |
SizeofData | 42 |
AddressOfRawData | 0x163588 |
PointerToRawData | 0x161d88 |
Referenced File | GatherOsState.pdb |
Characteristics |
0
|
---|---|
TimeDateStamp | 2010-Apr-21 08:10:25 |
Version | 0.0 |
SizeofData | 828 |
AddressOfRawData | 0x1635b4 |
PointerToRawData | 0x161db4 |
Characteristics |
0
|
---|---|
TimeDateStamp | 2010-Apr-21 08:10:25 |
Version | 0.0 |
SizeofData | 0 |
AddressOfRawData | 0 |
PointerToRawData | 0 |
StartAddressOfRawData | 0x1401638f0 |
---|---|
EndAddressOfRawData | 0x1401638f8 |
AddressOfIndex | 0x140166980 |
AddressOfCallbacks | 0x14008b828 |
SizeOfZeroFill | 0 |
Characteristics |
IMAGE_SCN_ALIGN_4BYTES
|
Callbacks | (EMPTY) |
Size | 0x100 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x1401662a8 |
GuardCFCheckFunctionPointer | 5369280432 |
GuardCFDispatchFunctionPointer | 0 |
GuardCFFunctionTable | 0 |
GuardCFFunctionCount | 0 |
GuardFlags | (EMPTY) |
CodeIntegrity.Flags | 0 |
CodeIntegrity.Catalog | 0 |
CodeIntegrity.CatalogOffset | 0 |
CodeIntegrity.Reserved | 0 |
GuardAddressTakenIatEntryTable | 0 |
GuardAddressTakenIatEntryCount | 0 |
GuardLongJumpTargetTable | 0 |
GuardLongJumpTargetCount | 0 |
XOR Key | 0xe14fa83b |
---|---|
Unmarked objects | 0 |
ASM objects (24325) | 1 |
C objects (VS2015/2017 runtime 25711) | 22 |
Total imports | 142 |
Imports (VS2015/2017 runtime 25711) | 9 |
C++ objects (VS2015/2017 runtime 25711) | 2 |
265 (VS2015/2017 runtime 25711) | 29 |
ASM objects (VS2015/2017 runtime 25711) | 4 |
Resource objects (VS2015/2017 runtime 25711) | 1 |
Linker (VS2015/2017 runtime 25711) | 1 |