3bcae3ddaae6d56014fdfbec4764d173

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Apr-21 08:10:25
Detected languages English - United States
Debug artifacts GatherOsState.pdb
CompanyName Microsoft Corporation
FileDescription Gather Downlevel OS Activation State
FileVersion 10.0.17134.1 (WinBuild.160101.0800)
InternalName GatherOsState
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename GatherOsState.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17134.1

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior. Accesses the WMI:
  • root\wmi
Info: Cryptographic algorithms detected in the binary:
  • Uses constants related to SHA256
  • Microsoft's Cryptography API
Suspicious: The PE is possibly packed. Unusual section name found: .didat
Suspicious: The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryExA
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegCloseKey
  • RegQueryValueExW
  • RegOpenKeyExW
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptGetHashParam
  • CryptDestroyHash
  • CryptHashData
  • CryptCreateHash
  • CryptAcquireContextW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Info: The PE is digitally signed.
  • Signer: Microsoft Windows
  • Issuer: Microsoft Windows Verification PCA
Safe: VirusTotal score: 0/69 (scanned on 2020-02-21 23:26:21). All the AVs think this file is safe.

Hashes

MD5 3bcae3ddaae6d56014fdfbec4764d173
SHA1 8b806326d9760fa6c5ff4477dd1213a06a904a91
SHA256 5e34dc5115ee4e63b75c8e193d863106780d6cf43f3ea39f4a0f608be10b0839
SHA3 5d0d65593e5d59b43cffc20688b027faa31f7d97b91e9926786cd165836b5615
SSDeep 24576:Ih/ZbMhNt0MBoR+V3KKxlkRslh+rKZWGnhmzDO2PRducIudwBoFAS5:IhN0Su3fSRQhoNducIoF/5
Imports Hash ce5483c47266f0ef9a6bfbc2d9941eb8

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2010-Apr-21 08:10:25
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.20512
SizeOfCode 0x7a400
SizeOfInitializedData 0xf2800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000017090 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion A.0
ImageVersion 5343.5020
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x172000
SizeOfHeaders 0x400
Checksum 0x178925
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d363d8ad50c33364460d6c43a48da3c8
SHA1 a31715ea6f5d42ccabc27d3bf04a8dd7aecef9f0
SHA256 212d71735bdd88efcc7c97389c2402db45725eac7ae6b4ccbf8b7ea9903a4c56
SHA3 7007fb0c7ba1032ac0005922d34b1c85a07caa9f81fbf6294a9dac5859193861
VirtualSize 0x7a36b
VirtualAddress 0x1000
SizeOfRawData 0x7a400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 7.65281

.rdata

MD5 c10fc21106d92721adcb9672ec5ed18d
SHA1 786afc44660055f5dcc2ba62c03bf86a7ffecf89
SHA256 6dd48c497b23b783c0910338975bd75ac9db13feffb3cdb4fd055650bd8e3f1c
SHA3 65055317c40b81edd5433095964c8fbd5c235e7976bbee17cabe21c97ca51b19
VirtualSize 0xe9282
VirtualAddress 0x7c000
SizeOfRawData 0xe9400
PointerToRawData 0x7a800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.22661

.data

MD5 c35d383fbaa434882fa457da721481e7
SHA1 574f8a0a73c7de610a346c932f060d5ce46d3705
SHA256 6903a6e966f9ad9fd72bb1fec9255b0e5b65fa278e94632b1c05530e04a5776a
SHA3 dd54610389f1eb66aa97d7327f8837d49281d3c7e3866046cd8cc5146323f25d
VirtualSize 0xb18
VirtualAddress 0x166000
SizeOfRawData 0x400
PointerToRawData 0x163c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.57776

.pdata

MD5 9bf90785be152d89aca4e10a0bb583ad
SHA1 95eb1cd5a4b37d8a86b7685c9c4f0c0f97e3512e
SHA256 6989848fe8549bdb25f98e1bf39a317831542db73900989142d7f886c5eab005
SHA3 d879bdd996b134a8bd7a1ce86c39b6f9fe4a5a903308a0fe82a6dcd74c1375e0
VirtualSize 0x43d4
VirtualAddress 0x167000
SizeOfRawData 0x4400
PointerToRawData 0x164000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.42822

.didat

MD5 3ff10fa08b32e2f916b01c6d67c807e1
SHA1 26e08983f646288c931f7330dc80812e6f7efce5
SHA256 9c58e6d30c18a1751ebc275e186fec81744978a747699f3f726aa24db652f263
SHA3 b83aefaeb4d6c34b936e1f55280d122055c040948dc64196c8280fc82655026c
VirtualSize 0x120
VirtualAddress 0x16c000
SizeOfRawData 0x200
PointerToRawData 0x168400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.99064

.rsrc

MD5 604467bcf3b02eca3e5ad64d54845f75
SHA1 19e35ec1b38cc6be79d6040ea767c8cc8f3c41bb
SHA256 95bdd7f22315937beb7edf78c0fe337c7d3918d3cc1ca134b4021d99bc494e6b
SHA3 4df3aad3f79b88d7234230d8884abe1db381d7174d05b288b5ef7109d51bbd19
VirtualSize 0x428
VirtualAddress 0x16d000
SizeOfRawData 0x600
PointerToRawData 0x168600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.51102

.reloc

MD5 8e92438428981ee5e660e0a47d954852
SHA1 c21ca3f558c1503ae2951052981e7884b0e2a522
SHA256 40efa850052cdf2a79e52d5982f4efca71cd91535587b6b3100e0f503f752e01
SHA3 b0f9269e9409ffbcc2bf8917bdf5c875811a71998db55d1499ef38f3cc16746c
VirtualSize 0x3b40
VirtualAddress 0x16e000
SizeOfRawData 0x3c00
PointerToRawData 0x168c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.42621

Imports

msvcrt.dll
  • ?terminate@@YAXXZ
  • _onexit
  • memcpy
  • memcmp
  • __dllonexit
  • _unlock
  • _lock
  • _commode
  • _fmode
  • _initterm
  • __setusermatherr
  • _cexit
  • _exit
  • exit
  • __set_app_type
  • __wgetmainargs
  • memchr
  • wcschr
  • _wcsnicmp
  • memcpy_s
  • _amsg_exit
  • _XcptFilter
  • _purecall
  • __C_specific_handler
  • malloc
  • free
  • wcsstr
  • _wcsicmp
  • memmove
  • _vsnwprintf
  • wprintf
  • memset
ntdll.dll
  • RtlDeleteFunctionTable
  • RtlAddFunctionTable
  • RtlCaptureContext
  • RtlLookupFunctionEntry
  • RtlVirtualUnwind
KERNEL32.dll
  • FreeLibrary
  • GetSystemDirectoryW
  • GlobalMemoryStatusEx
  • DeviceIoControl
  • MultiByteToWideChar
  • VirtualAlloc
  • GetTickCount
  • GetCurrentThreadId
  • GetCurrentProcessId
  • QueryPerformanceCounter
  • DelayLoadFailureHook
  • LoadLibraryExA
  • GetSystemDefaultUILanguage
  • LCMapStringW
  • HeapFree
  • WriteFile
  • GetModuleHandleExW
  • ExpandEnvironmentStringsW
  • GetModuleFileNameW
  • SetErrorMode
  • LocalAlloc
  • CreateFileW
  • GetFileAttributesW
  • GetVersionExW
  • GetLastError
  • FileTimeToSystemTime
  • CloseHandle
  • HeapAlloc
  • GetProcAddress
  • LocalFree
  • GetProcessHeap
  • WideCharToMultiByte
  • GetSystemTimeAsFileTime
  • GetSystemTime
  • VirtualProtect
  • SetLastError
  • EnterCriticalSection
  • VirtualFree
  • GetCurrentProcess
  • TerminateProcess
  • LeaveCriticalSection
  • InitializeCriticalSection
  • GetCurrentThread
  • DeleteCriticalSection
  • UnhandledExceptionFilter
  • GetModuleHandleW
  • LoadLibraryExW
  • SetUnhandledExceptionFilter
  • Sleep
  • GetVersionExA
ADVAPI32.dll
  • CryptReleaseContext
  • CryptGetHashParam
  • CryptDestroyHash
  • CryptHashData
  • CryptCreateHash
  • CryptAcquireContextW
  • GetCurrentHwProfileW
  • RegCloseKey
  • RegQueryValueExW
  • RegOpenKeyExW
SLC.dll (delay-loaded)
  • SLGetWindowsInformationDWORD
  • SLGetSLIDList
  • SLGetServiceInformation
  • SLClose
  • SLGetPKeyInformation
  • SLOpen
  • SLGetGenuineInformation

Delayed Imports

Attributes 0x1
Name SLC.dll
ModuleHandle 0x166988
DelayImportAddressTable 0x16c0b8
DelayImportNameTable 0x164490
BoundDelayImportTable 0x164718
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

Resource 1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3c8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.45424
MD5 7025cd9381894d76eff7f98454d4ca15
SHA1 6efdd0e3e480f18946a5441db58a387aaef9b47c
SHA256 ae87d56f4fa044e74fe2339ad57d6b25cf4e9f5521dc63ea5320f81822bf4190
SHA3 b05ab4884aaf99ef87a2cd6edfeab847eca6a469126c2d2f11dd184a03952d0c

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.17134.1
ProductVersion 10.0.17134.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Gather Downlevel OS Activation State
FileVersion (#2) 10.0.17134.1 (WinBuild.160101.0800)
InternalName GatherOsState
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename GatherOsState.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.17134.1
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2010-Apr-21 08:10:25
Version 0.0
SizeofData 42
AddressOfRawData 0x163588
PointerToRawData 0x161d88
Referenced File GatherOsState.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2010-Apr-21 08:10:25
Version 0.0
SizeofData 828
AddressOfRawData 0x1635b4
PointerToRawData 0x161db4

UNKNOWN

Characteristics 0
TimeDateStamp 2010-Apr-21 08:10:25
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x1401638f0
EndAddressOfRawData 0x1401638f8
AddressOfIndex 0x140166980
AddressOfCallbacks 0x14008b828
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x100
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1401662a8
GuardCFCheckFunctionPointer 0x14008b7b0 (5369280432)
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xe14fa83b
Unmarked objects 0
ASM objects (24325) 1
C objects (VS2015/2017 runtime 25711) 22
Total imports 142
Imports (VS2015/2017 runtime 25711) 9
C++ objects (VS2015/2017 runtime 25711) 2
265 (VS2015/2017 runtime 25711) 29
ASM objects (VS2015/2017 runtime 25711) 4
Resource objects (VS2015/2017 runtime 25711) 1
Linker (VS2015/2017 runtime 25711) 1

Errors
