51e1a611637cb208cd53d133720cac1c

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2023-Jun-29 07:24:43
Detected languages English - United States
Debug artifacts C:\Users\q\Downloads\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentControlSet\Services
Contains another PE executable:
  • This program cannot be run in DOS mode.
Contains domain names:
  • 2010-aia.verisign.com
  • 2010-crl.verisign.com
  • aia.verisign.com
  • aia.ws.symantec.com
  • crl.microsoft.com
  • crl.thawte.com
  • crl.verisign.com
  • crl.ws.symantec.com
  • csc3-2010-aia.verisign.com
  • csc3-2010-crl.verisign.com
  • http://crl.microsoft.com
  • http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
  • http://crl.thawte.com
  • http://crl.thawte.com/ThawteTimestampingCA.crl0
  • http://crl.verisign.com
  • http://crl.verisign.com/pca3-g5.crl04
  • http://csc3-2010-aia.verisign.com
  • http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
  • http://csc3-2010-crl.verisign.com
  • http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
  • http://logo.verisign.com
  • http://logo.verisign.com/vslogo.gif04
  • http://ocsp.thawte.com0
  • http://ocsp.verisign.com0
  • http://ts-aia.ws.symantec.com
  • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
  • http://ts-crl.ws.symantec.com
  • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
  • http://ts-ocsp.ws.symantec.com07
  • https://www.verisign.com
  • https://www.verisign.com/cps0
  • https://www.verisign.com/rpa
  • https://www.verisign.com/rpa0
  • logo.verisign.com
  • microsoft.com
  • symantec.com
  • thawte.com
  • ts-aia.ws.symantec.com
  • ts-crl.ws.symantec.com
  • verisign.com
  • ws.symantec.com
  • www.verisign.com
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use. Functions which can be used for anti-debugging purposes:
  • NtQuerySystemInformation
Can access the registry:
  • RegCloseKey
  • RegCreateKeyW
  • RegOpenKeyW
  • RegSetKeyValueW
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Malicious VirusTotal score: 44/71 (Scanned on 2024-05-01 17:52:53)
ALYac: Gen:Variant.Tedy.401967
APEX: Malicious
AVG: FileRepPup [PUP]
AhnLab-V3: Trojan/Win.Generic.R584527
Antiy-AVL: HackTool/Win64.Gamehack.q
Arcabit: Trojan.Tedy.D6222F
Avast: FileRepPup [PUP]
BitDefender: Gen:Variant.Tedy.401967
Bkav: W64.AIDetectMalware
Cylance: unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
ESET-NOD32: a variant of Win64/GameHack.ES potentially unsafe
Emsisoft: Gen:Variant.Tedy.401967 (B)
FireEye: Gen:Variant.Tedy.401967
Fortinet: Riskware/GameHack
GData: Gen:Variant.Tedy.401967
Google: Detected
Ikarus: Trojan.Win64.Krypt
Jiangmin: HackTool.DriverLoader.ap
K7AntiVirus: Unwanted-Program ( 0057cb871 )
K7GW: Unwanted-Program ( 0057cb871 )
Kaspersky: HEUR:HackTool.Win32.DriverLoader.gen
Kingsoft: Win32.HackTool.DriverLoader.gen
Lionic: Hacktool.Win32.DriverLoader.3!c
MAX: malware (ai score=82)
Malwarebytes: Malware.AI.1104201651
MaxSecure: Trojan.Malware.202002184.susgen
McAfee: Artemis!51E1A611637C
MicroWorld-eScan: Gen:Variant.Tedy.401967
Microsoft: Trojan:Win32/Wacatac.A!ml
Paloalto: generic.ml
Rising: Hacktool.DriverLoader!8.1789E (CLOUD)
Sangfor: Suspicious.Win32.Save.a
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win64.Downloader.ch
Sophos: ATK/Kdmapper-A
Symantec: ML.Attribute.HighConfidence
TrendMicro-HouseCall: TROJ_GEN.R002H07B624
VIPRE: Gen:Variant.Tedy.401967
Varist: W64/Hacktool.W.gen!Eldorado
Zillya: Tool.DriverLoader.Win32.279
ZoneAlarm: HEUR:HackTool.Win32.DriverLoader.gen
alibabacloud: Trojan.Win.UnkAgent

Hashes

MD5 51e1a611637cb208cd53d133720cac1c
SHA1 13a3802db9efbc1c71a929762e2105cc6bc390fa
SHA256 8352e53e18a513a658ffb1f37a070dc3c4b7e08bbb93eb087311ee1d688f738d
SHA3 0bc55ae4535a0a05becc35d8ba006963ba25a70e55b29cfb65b1464f10203e22
SSDeep 3072:MkQjnYpEs+GnveGZ1gSKthoGr7mJTQSaMm5/6FPTva:MDYpLvel/wWlga
Imports Hash c3a4e78895d8e2183e503db5ac8a731c

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2023-Jun-29 07:24:43
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xf400
SizeOfInitializedData 0x12600
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000F15C (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x26000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 0fb8433d22241dceb5cabe4ede32f84c
SHA1 4482beca94299024dfefc97df49860d1604d7588
SHA256 82e26e59a087ad938c36f18ba4c4d8ee0e1bfed20407bb5e30c08d0c3540ff19
SHA3 8f6505133baffa9aeca049bf285575871e51174c27406f7bd18692f7ae3da385
VirtualSize 0xf2a8
VirtualAddress 0x1000
SizeOfRawData 0xf400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.22359

.rdata

MD5 4c81d36b303f31079d4bb1a1e82c2d52
SHA1 52cf1cd9fe06cd31ec6c1071fe8b826c6c1d95cb
SHA256 5fcc71368bf17239b51866d778065adbb179f8c9b2dc010f5aaac2ebddc4f106
SHA3 18ab5fcd6a10e525b048e7aeef20fd8c3bbc4adbee8168c07898d9e4b6e1944a
VirtualSize 0x104d8
VirtualAddress 0x11000
SizeOfRawData 0x10600
PointerToRawData 0xf800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.7829

.data

MD5 fc5ef45a48d551109d4768fbae8de280
SHA1 538f18187bb0c2cc71e44c51bc34f19b96edcb68
SHA256 be5ac5c32a61ce7023bfed6c2475ae22e978b8eddbb094554af5d3be2ad85bec
SHA3 a45da4aab15e089584c3a21560e781e75323c0650bebb78d62cb74c981d16e0e
VirtualSize 0xda0
VirtualAddress 0x22000
SizeOfRawData 0x600
PointerToRawData 0x1fe00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.50249

.pdata

MD5 3d9e1e2256ea6b1a5cc78190dda92a0b
SHA1 fbc33b89ef031c08498903870ce891d339559d65
SHA256 a632b2ab3d64181f6ae496f0528d164d773d27197dc47b4b8a475289c61732b4
SHA3 7e077955161958b9705930468a9498856fc921a50d83c527ec49a9b1299aad96
VirtualSize 0xce4
VirtualAddress 0x23000
SizeOfRawData 0xe00
PointerToRawData 0x20400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.61333

.rsrc

MD5 971a6bbdae0e0e43dfd18434202d1eec
SHA1 b17a99d594379a0f4206027a1d42615b539beba0
SHA256 6cc4ca7915fe959fa164b655ce0ad385a07b765ce2cf0946e26a83a151370e4c
SHA3 ab15a618c89e7acb7d798fce9025749b2ef04e36c2ff404c422519d84ff23fb3
VirtualSize 0x1e8
VirtualAddress 0x24000
SizeOfRawData 0x200
PointerToRawData 0x21200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.77204

.reloc

MD5 6dfdae0a7581fae0ed84621d18f0c3c1
SHA1 4117ec156fd76e3e4e95604747e6ed88bfd2939e
SHA256 a54921d8486dc81a683edf7f1f1a331b800134ac796234b7a1c28ab4dfbfab3a
SHA3 c7a9cc23b652ab3d11ab413ca6b61c002841271e446711e19eac59e7b9c52ed7
VirtualSize 0x104
VirtualAddress 0x25000
SizeOfRawData 0x200
PointerToRawData 0x21400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.22277

Imports

KERNEL32.dll GetCurrentThreadId
GetModuleHandleA
GetLastError
CloseHandle
CreateFileW
GetProcAddress
DeleteCriticalSection
GetCurrentProcessId
SetUnhandledExceptionFilter
GetTempPathW
FormatMessageA
GetLocaleInfoEx
InitializeCriticalSectionEx
VirtualAlloc
DeviceIoControl
VirtualFree
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetModuleHandleW
GetFileInformationByHandleEx
WideCharToMultiByte
IsDebuggerPresent
OutputDebugStringW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
LocalFree
ADVAPI32.dll RegCloseKey
RegDeleteTreeW
RegCreateKeyW
RegOpenKeyW
RegSetKeyValueW
MSVCP140.dll ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?good@ios_base@std@@QEBA_NXZ
?uncaught_exception@std@@YA_NXZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
ntdll.dll NtQuerySystemInformation
RtlInitUnicodeString
VCRUNTIME140_1.dll __CxxFrameHandler4
VCRUNTIME140.dll __current_exception
__C_specific_handler
memset
_CxxThrowException
__std_exception_copy
__std_exception_destroy
memcmp
__current_exception_context
__std_terminate
memmove
memcpy
api-ms-win-crt-stdio-l1-1-0.dll fsetpos
ungetc
_get_stream_buffer_pointers
fflush
fread
_fseeki64
setvbuf
fgetpos
fwrite
__p__commode
fclose
fgetc
fputc
_set_fmode
api-ms-win-crt-heap-l1-1-0.dll malloc
_set_new_mode
_callnewh
free
api-ms-win-crt-utility-l1-1-0.dll rand
srand
api-ms-win-crt-filesystem-l1-1-0.dll _lock_file
_wremove
_unlock_file
api-ms-win-crt-string-l1-1-0.dll _wcsicmp
_stricmp
api-ms-win-crt-time-l1-1-0.dll _time64
api-ms-win-crt-runtime-l1-1-0.dll _get_initial_wide_environment
_initialize_wide_environment
_configure_wide_argv
__p___argc
exit
_set_app_type
_seh_filter_exe
_initterm_e
_crt_atexit
_register_onexit_function
_initialize_onexit_table
__p___wargv
_c_exit
_cexit
terminate
_initterm
_exit
_register_thread_local_exe_atexit_callback
_invalid_parameter_noinfo_noreturn
api-ms-win-crt-locale-l1-1-0.dll ___lc_codepage_func
_configthreadlocale
api-ms-win-crt-math-l1-1-0.dll __setusermatherr

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x188
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89623
MD5 b8e76ddb52d0eb41e972599ff3ca431b
SHA1 fc12d7ad112ddabfcd8f82f290d84e637a4d62f8
SHA256 165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8
SHA3 37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2023-Jun-29 07:24:43
Version 0.0
SizeofData 102
AddressOfRawData 0x1d70c
PointerToRawData 0x1bf0c
Referenced File C:\Users\q\Downloads\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2023-Jun-29 07:24:43
Version 0.0
SizeofData 20
AddressOfRawData 0x1d774
PointerToRawData 0x1bf74

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2023-Jun-29 07:24:43
Version 0.0
SizeofData 912
AddressOfRawData 0x1d788
PointerToRawData 0x1bf88

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2023-Jun-29 07:24:43
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x14001db38
EndAddressOfRawData 0x14001db40
AddressOfIndex 0x140022b88
AddressOfCallbacks 0x140011658
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140022010

RICH Header

XOR Key 0x1c7ab626
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 18
C objects (32420) 10
ASM objects (32420) 4
C++ objects (32420) 35
Imports (32420) 6
Imports (29395) 9
Total imports 241
C++ objects (LTCG) (VS 2015-2022 runtime 32532) 6
Resource objects (VS 2015-2022 runtime 32532) 1
Linker (VS 2015-2022 runtime 32532) 1

Errors