| Architecture | IMAGE_FILE_MACHINE_AMD64 | |
|---|---|---|
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI | |
| Compilation Date | 2017-May-26 09:23:01 | |
| Detected languages | English - United States | |
| Info | Matching compiler(s): | MASM/TASM - sig1(h) |
| Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
| Suspicious | VirusTotal score: 1/62 (Scanned on 2017-07-06 16:21:57) | VIPRE: RiskTool.Win32.ProcessPatcher.Nor!cobra (v) (not malicious) |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf0 |
| Signature | PE |
|---|---|
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberofSections | 6 |
| TimeDateStamp | 2017-May-26 09:23:01 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
| Magic | PE32+ |
|---|---|
| LinkerVersion | 14.0 |
| SizeOfCode | 0x5e00 |
| SizeOfInitializedData | 0x5200 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000000000005C74 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x140000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0xf000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| KERNEL32.dll | WriteProcessMemory GetFullPathNameW Thread32Next Thread32First WaitForSingleObject SuspendThread ResumeThread OpenProcess CreateToolhelp32Snapshot Process32NextW Process32FirstW CloseHandle LoadLibraryW QueueUserAPC GetThreadContext GetProcAddress VirtualAllocEx ReadProcessMemory CreateProcessW GetModuleHandleW CreateRemoteThread VirtualFreeEx SetThreadContext OpenThread MultiByteToWideChar IsDebuggerPresent InitializeSListHead RtlLookupFunctionEntry RtlVirtualUnwind UnhandledExceptionFilter SetUnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId GetSystemTimeAsFileTime RtlCaptureContext |
|---|---|
| USER32.dll | UnhookWindowsHookEx SetWindowsHookExW |
| MSVCP140.dll | ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ ?always_noconv@codecvt_base@std@@QEBA_NXZ ??Bid@locale@std@@QEAA_KXZ ?_Xlength_error@std@@YAXPEBD@Z ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A ?_BADOFF@std@@3_JB ?_Xout_of_range@std@@YAXPEBD@Z ?_Xbad_alloc@std@@YAXXZ ?uncaught_exception@std@@YA_NXZ ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A ??0_Lockit@std@@QEAA@H@Z ??1_Lockit@std@@QEAA@XZ ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ |
| VCRUNTIME140.dll | memcmp memcpy memset _CxxThrowException __CxxFrameHandler3 __C_specific_handler __std_exception_destroy memmove __std_exception_copy __std_type_info_compare _purecall __std_terminate |
| api-ms-win-crt-stdio-l1-1-0.dll | setvbuf __p__commode _set_fmode _get_stream_buffer_pointers _fseeki64 fsetpos ungetc fputc fgetpos fwrite fgetc fclose fflush |
| api-ms-win-crt-string-l1-1-0.dll | _wcsicmp |
| api-ms-win-crt-runtime-l1-1-0.dll | _exit _errno __p___argc __p___argv _cexit _c_exit _initterm _get_initial_narrow_environment exit _configure_narrow_argv _initialize_onexit_table _register_onexit_function _crt_atexit terminate _initialize_narrow_environment _invalid_parameter_noinfo _set_app_type _seh_filter_exe _invalid_parameter_noinfo_noreturn _register_thread_local_exe_atexit_callback _initterm_e |
| api-ms-win-crt-filesystem-l1-1-0.dll | _unlock_file _lock_file |
| api-ms-win-crt-heap-l1-1-0.dll | free malloc _set_new_mode _callnewh |
| api-ms-win-crt-math-l1-1-0.dll | __setusermatherr |
| api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
| Characteristics | 0 |
|---|---|
| TimeDateStamp | 2017-May-26 09:23:01 |
| Version | 0.0 |
| SizeofData | 736 |
| AddressOfRawData | 0x84e4 |
| PointerToRawData | 0x76e4 |
| Characteristics | 0 |
|---|---|
| TimeDateStamp | 2017-May-26 09:23:01 |
| Version | 0.0 |
| SizeofData | 0 |
| AddressOfRawData | 0 |
| PointerToRawData | 0 |
| Size | 0xa0 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x14000b010 |
---|---|
Unmarked objects | 0 |
Imports (VS2008 SP1 build 30729) | 14 |
ASM objects (24723) | 3 |
C objects (24723) | 13 |
Imports (24723) | 4 |
C++ objects (24723) | 25 |
Imports (24610) | 5 |
Total imports | 156 |
265 (VS2017 v15.2 compiler 25019) | 2 |
Resource objects (VS2017 v15.2 compiler 25019) | 1 |
Linker (VS2017 v15.2 compiler 25019) | 1 |