Summary

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_AMD64 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 1970-Jan-01 00:00:00 |
TLS Callbacks | 3 callback(s) detected. |
Info | Interesting strings found in the binary. Contains domain names: |
Suspicious | The PE is possibly packed. Unusual section name found: .xdata |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
Malicious | The file contains overlay data: 29202483 bytes starting at offset 0x138200. The file contains a GZip compressed archive after the PE data. Overlay data accounts for 95.8057% of the executable. |
Suspicious | No VirusTotal score. This file has never been scanned on VirusTotal. |

Reading the heuristics: the "compilation date" is a TimeDateStamp of 0, a zeroed field (reproducible builds do this), not a real build time. A .xdata section is the x86-64 unwind-information section that GCC/MinGW-w64 emits next to .pdata, so on its own it is weak evidence of packing; LinkerVersion 2.0 and the msvcrt.dll imports (__getmainargs, _initterm, __set_app_type) in the tables below point at that toolchain. The "functions mostly used by malware" verdict is an import-name heuristic: the usual suspects in the import table below (OpenProcess, CreateProcessW, GetProcAddress/LoadLibraryW, the WS2_32 socket API) are also what any networked console tool needs. The overlay is the finding to follow up: the PE proper is 0x138200 (1,278,464) bytes and the gzip stream appended to it is 29,202,483 bytes, so the archive, not the code, makes up most of this 30,480,947-byte file; carve it at that offset (gzip magic 1f 8b) and examine its contents separately. The missing VirusTotal score only means the sample was never submitted there.
DOS Header

Field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x80 |
PE Header

Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberOfSections | 10 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_DEBUG_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
Image Optional Header

Field | Value |
---|---|
Magic | PE32+ |
LinkerVersion | 2.0 |
SizeOfCode | 0xbd800 |
SizeOfInitializedData | 0x7a600 |
SizeOfUninitializedData | 0xc00 |
AddressOfEntryPoint | 0x0000000000001500 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 5.2 |
Win32VersionValue | 0 |
SizeOfImage | 0x13f000 |
SizeOfHeaders | 0x400 |
Checksum | 0x1d18e90 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT |
SizeofStackReserve | 0x200000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

Note on the mitigation flags: DYNAMIC_BASE and HIGH_ENTROPY_VA are set, but the PE header carries IMAGE_FILE_RELOCS_STRIPPED, and an image without base relocations cannot be moved, so the loader maps it at ImageBase 0x400000 (a low, 32-bit-range base for a 64-bit image) and ASLR does not apply to it. NX_COMPAT needs no relocations and does take effect. The entry point is RVA 0x1500 in .text, i.e. VA 0x401500.
Imports

DLL | Imported functions |
---|---|
ADVAPI32.dll | OpenProcessToken, SystemFunction036 |
KERNEL32.dll | AddVectoredExceptionHandler, CancelIo, CloseHandle, CopyFileExW, CreateDirectoryW, CreateEventW, CreateFileW, CreateHardLinkW, CreateNamedPipeW, CreateProcessW, CreateThread, DeleteCriticalSection, DeleteFileW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileW, FindNextFileW, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileInformationByHandle, GetLastError, GetModuleFileNameW, GetModuleHandleW, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessId, GetStartupInfoA, GetStdHandle, GetSystemTimeAsFileTime, GetTempPathW, GetTimeZoneInformation, HeapAlloc, HeapFree, HeapReAlloc, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, LocalFree, MoveFileExW, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, RemoveDirectoryW, RtlCaptureContext, RtlUnwindEx, SetCurrentDirectoryW, SetEnvironmentVariableW, SetFileAttributesW, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SwitchToThread, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, TzSpecificLocalTimeToSystemTime, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrlenW |
ole32.dll | CoTaskMemFree |
SHELL32.dll | CommandLineToArgvW, SHGetKnownFolderPath |
KERNEL32.dll (#2) | Second import descriptor for KERNEL32.dll, carrying the same function list as the first. |
msvcrt.dll | __C_specific_handler, __dllonexit, __doserrno, __getmainargs, __initenv, __iob_func, __lconv_init, __pioinfo, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _errno, _exit, _filelengthi64, _fileno, _fmode, _initterm, _localtime64, _lock, _lseeki64, _mktime64, _onexit, _stat64, _time64, _unlock, _utime64, _vsnprintf, _write, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen_s, fprintf, fread, free, freopen_s, fsetpos, fwprintf, fwrite, malloc, memcmp, memcpy, memmove, memset, raise, realloc, remove, signal, strcmp, strlen, strncmp, vfprintf, wcscpy, _snwprintf, _read, _open, _lseek, _getpid, _close |
USER32.dll | MessageBoxW |
USERENV.dll | GetUserProfileDirectoryW |
WS2_32.dll | WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, getpeername, getsockname, getsockopt, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown |

SystemFunction036 is the export name of RtlGenRandom, the system CSPRNG. Taken together (socket API, named pipes, OpenProcess/OpenProcessToken, the msvcrt startup routines __getmainargs/_initterm/__set_app_type) this is the import profile of a GNU-toolchain console program with networking, and nothing here is specific to malware. The second KERNEL32.dll descriptor is a legitimate structure that the loader processes like any other; what the import table cannot show is anything resolved at run time through LoadLibraryW/GetProcAddress, which is the thing to check by hand before accepting or dismissing the "hiding some of its imports" hint.
TLS Directory

Field | Value |
---|---|
StartAddressOfRawData | 0x506000 |
EndAddressOfRawData | 0x506060 |
AddressOfIndex | 0x5027bc |
AddressOfCallbacks | 0x505040 |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_TYPE_REG |
Callbacks | 0x0000000000452F60, 0x00000000004A5C50, 0x00000000004A5C20 |

The values above are virtual addresses (ImageBase 0x400000); with SizeOfImage 0x13f000 the image spans 0x400000-0x53f000, so the directory, the callback array and all three callbacks lie inside it. The loader invokes TLS callbacks before AddressOfEntryPoint (VA 0x401500) and again on every thread attach and detach, so a debugger that breaks only on the entry point runs them blind; put breakpoints on the three callback addresses first. GNU-toolchain runtimes register TLS callbacks of their own for thread-local-storage initialisation, so three callbacks are not by themselves a sign of anti-analysis, but each deserves a look because they are the first code in this file to execute.
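Added example (not Manalyze output, and not code from the program analysed): a minimal PE32+ parser that reproduces the two findings that matter most on this page, the overlay and the TLS callbacks. It computes the overlay as everything past the last section's raw data, identifies it by the gzip magic 1f 8b 08, and walks IMAGE_TLS_DIRECTORY64 to list the callback VAs in the order the loader will run them. Because the analysed file is not reproduced here, the block builds a constructed sample PE in build_sample_pe (ImageBase 0x140000000, one .tls section, three fake callbacks, a gzip overlay); those values are assumptions for the demo, not this report's numbers. Running find_overlay on the real file should return offset 0x138200 and kind "gzip".

```python
import gzip
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9
GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM = deflate


def parse_pe(data):
    """Return (image_base, data_directories, sections) for a PE32+ image.
    Each section is (name, virtual_address, virtual_size, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):  # section table starts right after the optional header
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, dirs, sections


def va_to_offset(va, image_base, sections):
    """Map a virtual address to a file offset through the section table."""
    rva = va - image_base
    for _, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            return raw_ptr + (rva - sva)
    raise ValueError(f"VA {va:#x} is not backed by any section")


def find_overlay(data):
    """Overlay = bytes past the end of the last section's raw data; the loader never maps them."""
    _, _, sections = parse_pe(data)
    end = max(raw_ptr + raw_size for _, _, _, raw_ptr, raw_size in sections)
    if end >= len(data):
        return None
    size = len(data) - end
    kind = "gzip" if data[end:end + 3] == GZIP_MAGIC else "unknown"
    return {"offset": end, "size": size, "percent": round(100.0 * size / len(data), 4), "kind": kind}


def carve_overlay(data):
    """Return the decompressed overlay when it is a gzip stream, otherwise the raw overlay bytes."""
    ov = find_overlay(data)
    if ov is None:
        return b""
    blob = data[ov["offset"]:]
    return gzip.decompress(blob) if ov["kind"] == "gzip" else blob


def tls_callbacks(data):
    """Walk IMAGE_TLS_DIRECTORY64 and return the callback VAs the loader calls before the entry point."""
    image_base, dirs, sections = parse_pe(data)
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_TLS or dirs[IMAGE_DIRECTORY_ENTRY_TLS][0] == 0:
        return []
    tls = va_to_offset(image_base + dirs[IMAGE_DIRECTORY_ENTRY_TLS][0], image_base, sections)
    # StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill, Characteristics
    _, _, _, callbacks_va, _, _ = struct.unpack_from("<QQQQII", data, tls)
    off, found = va_to_offset(callbacks_va, image_base, sections), []
    while True:  # NULL-terminated array of 64-bit function pointers
        cb = struct.unpack_from("<Q", data, off)[0]
        if cb == 0:
            return found
        found.append(cb)
        off += 8


def build_sample_pe(callback_rvas, payload):
    """Constructed minimal PE32+ for the demo (not the file from the report): one .tls section holding
    the TLS directory and its callback array, then a gzip archive appended as overlay."""
    base, sec_rva, sec_raw = 0x140000000, 0x1000, 0x400
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 2, 0, 0, 0x400, 0, 0x1000, 0x1000,
                      base, 0x1000, 0x200, 4, 0, 0, 0, 5, 2, 0, 0x2000, 0x400, 0, 3, 0x160,
                      0x200000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (sec_rva, 40)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    sec_hdr = b".tls".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x400, sec_rva, 0x400, sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + coff + opt + sec_hdr
    section = bytearray(0x400)  # TLS directory at +0, callback array at +0x40, index slot at +0x100
    struct.pack_into("<QQQQII", section, 0, base + sec_rva + 0x200, base + sec_rva + 0x210,
                     base + sec_rva + 0x100, base + sec_rva + 0x40, 0, 0)
    struct.pack_into(f"<{len(callback_rvas) + 1}Q", section, 0x40, *[base + r for r in callback_rvas], 0)
    return headers.ljust(sec_raw, b"\0") + bytes(section) + gzip.compress(payload)


if __name__ == "__main__":
    sample = build_sample_pe([0x1500, 0x1600, 0x1700], b"payload " * 1000)
    print("overlay:", find_overlay(sample))
    print("TLS callbacks:", [f"{cb:#x}" for cb in tls_callbacks(sample)])
```

On a real sample, pass the file bytes to find_overlay and carve_overlay; the carved archive is what the remaining analysis should focus on, since the PE code is only about four percent of the file.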