Architecture |
IMAGE_FILE_MACHINE_AMD64
|
---|---|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
Compilation Date | 1989-Jun-04 00:00:00 |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
Suspicious | The PE is possibly packed. |
Unusual section name found: No
Unusual section name found: Looking Unusual section name found: Please |
Info | The PE contains common functions which appear in legitimate applications. |
[!] The program may be hiding some of its imports:
|
Malicious | VirusTotal score: 4/72 (Scanned on 2020-05-11 14:14:30) |
APEX:
Malicious
Invincea: heuristic Trapmine: malicious.high.ml.score CrowdStrike: win/malicious_confidence_60% (W) |
e_magic | MZ |
---|---|
e_cblp | 0 |
e_cp | 0 |
e_crlc | 0 |
e_cparhdr | 0 |
e_minalloc | 0 |
e_maxalloc | 0 |
e_ss | 0 |
e_sp | 0 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x40 |
Signature | PE |
---|---|
Machine |
IMAGE_FILE_MACHINE_AMD64
|
NumberofSections | 3 |
TimeDateStamp | 1989-Jun-04 00:00:00 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_RELOCS_STRIPPED
|
Magic | PE32+ |
---|---|
LinkerVersion | 89.0 |
SizeOfCode | 0x1f1200 |
SizeOfInitializedData | 0x5ea00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00000000001D2440 (Section: No) |
BaseOfCode | 0x1000 |
ImageBase | 0x140000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x252000 |
SizeOfHeaders | 0x400 |
Checksum | 0x1f8241 |
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll |
WriteFile
WriteConsoleW CloseHandle CreateFileW RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind IsDebuggerPresent UnhandledExceptionFilter SetUnhandledExceptionFilter GetStartupInfoW IsProcessorFeaturePresent GetModuleHandleW QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead RtlPcToFileHeader RaiseException RtlUnwindEx GetLastError SetLastError EncodePointer EnterCriticalSection LeaveCriticalSection DeleteCriticalSection InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue TlsSetValue TlsFree FreeLibrary GetProcAddress LoadLibraryExW GetCurrentProcess TerminateProcess ExitProcess GetModuleHandleExW GetModuleFileNameW GetStdHandle HeapAlloc HeapFree FindClose FindFirstFileExW FindNextFileW IsValidCodePage GetACP GetOEMCP GetCPInfo GetCommandLineA GetCommandLineW MultiByteToWideChar WideCharToMultiByte GetEnvironmentStringsW FreeEnvironmentStringsW LCMapStringW GetProcessHeap GetFileType SetStdHandle GetStringTypeW HeapSize HeapReAlloc FlushFileBuffers GetConsoleCP GetConsoleMode SetFilePointerEx |
---|
Size | 0x108 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x1401f3038 |