Manalyze report for 9a7a15fe0ec36da8943d60b5b2e28751

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Oct-17 12:16:00
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
CompanyName	GetCreds
FileDescription	GetCreds
FileVersion	`1.0.0.0`
InternalName	GetCreds.dll
LegalCopyright
OriginalFilename	GetCreds.dll
ProductName	GetCreds
ProductVersion	`1.0.0`
Assembly Version	1.0.0.0

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: regsvr32.exe` `May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: crl.microsoft.com github.com http://crl.microsoft.com http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z http://schemas.microsoft.com http://schemas.microsoft.com/.NetConfiguration/v2.0 http://www.microsoft.com http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0 http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0 http://www.microsoft.com/pkiops/Docs/Repository.htm0 http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0 http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/docs/primarycps.htm0 http://www.microsoft.com0 http://www.w3.org http://www.w3.org/2001/XMLSchema https://aka.ms https://github.com https://pastebin.com https://www.npgsql.org https://www.npgsql.org/doc/copy.html https://www.npgsql.org/doc/types/basic.html https://www.npgsql.org/doc/types/enums_and_composites.html https://www.npgsql.org/doc/types/json.html https://www.npgsql.org/doc/types/ranges.html microsoft.com microsoft.net npgsql.org pastebin.com schemas.microsoft.com system.net www.microsoft.com www.npgsql.org www.w3.org
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA256` `Uses known Mersenne Twister constants`
Suspicious	The PE is packed with Enigma Protector	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found: .imports` `Unusual section name found: .themida` `Section .themida is both writable and executable.` `Unusual section name found: .boot` `Unusual section name found: .enigma1` `Section .enigma1 is both writable and executable.` `Unusual section name found: .enigma2` `Section .enigma2 is both writable and executable.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryA GetProcAddress` `Code injection capabilities: VirtualAlloc VirtualAllocEx CreateRemoteThread WriteProcessMemory` `Code injection capabilities (process hollowing): ResumeThread WriteProcessMemory SetThreadContext` `Can access the registry: RegOpenKeyA` `Can create temporary files: CreateFileW GetTempPathW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect VirtualAllocEx VirtualProtectEx` `Enumerates local disk drives: GetLogicalDriveStringsW` `Manipulates other processes: ReadProcessMemory WriteProcessMemory`
Malicious	VirusTotal score: 16/72 (Scanned on 2025-05-24 20:28:48)	`APEX: Malicious` `AVG: Win64:Evo-gen [Trj]` `Avast: Win64:Evo-gen [Trj]` `Bkav: W64.AIDetectMalware` `CrowdStrike: win/malicious_confidence_90% (D)` `Cylance: Unsafe` `Elastic: malicious (high confidence)` `Gridinsoft: Trojan.Heur!.03212023` `Ikarus: PUA.Themida` `Malwarebytes: Generic.Malware.AI.DDS` `McAfeeD: ti!B7029BFBF163` `NANO-Antivirus: Virus.Win64.Virut-Gen.bwpxnc` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.high.ml.score`

Hashes

MD5	`9a7a15fe0ec36da8943d60b5b2e28751`
SHA1	`1587c181d070a5796ef1564d37f2b6130db0c1f8`
SHA256	`b7029bfbf1638d41c04c24f2409b6c78c8c8ce15fd6b7bf783bafaf78fe4a029`
SHA3	`ad7fbcaab7122a9e8d0de6513a6b951580e411332463af38fcd185f535ca5677`
SSDeep	`98304:rZhc5qzBsHf7jzSojPCv4z+VeTYD0+KeS7o4LNo/Q1GhPmaLpZ:/c6a7/H6v4zAeTy05eStcQ1uPPN`
Imports Hash	`4a69501d065aecd17da3f8f42bc46478`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`14`
TimeDateStamp	2024-Oct-17 12:16:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x15a00`
SizeOfInitializedData	`0xd000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000005A2058 (Section: .boot)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x965000`
SizeOfHeaders	`0x1000`
Checksum	`0x32ac7f`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x300000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x200000`
SizeofHeapCommit	`0x2000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

MD5	`33db556db8f79e2b3efae3f0979f78ba`
SHA1	`aee61ca5e9398b4fafcbb751b806a9bde6b45b15`
SHA256	`952441224a585424cc0920a553edab7fc879f913c39315de7bbaef2f7958cd36`
SHA3	`a0130b672a509dcd034875c5221bdf4dc83bcc8834c96ef7df8eb4e5b4b7f708`
VirtualSize	`0x1596c`
VirtualAddress	`0x1000`
SizeOfRawData	`0xa76d`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.97684`

(#2)

MD5	`f25752c7418cf2b289b802a7be4c2b39`
SHA1	`a24b846a13ede57f2990b2f07821b443cb844b4c`
SHA256	`cbd7bfe9258fb82e3d5098b8702b16b6f80f3e514cbee0b12e9401c1c68a0ab4`
SHA3	`5918645027b8995916661fc708880d78aeb4687b3e0cf07075fb39512350560e`
VirtualSize	`0x9686`
VirtualAddress	`0x17000`
SizeOfRawData	`0x30bc`
PointerToRawData	`0xae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.95586`

(#3)

MD5	`7e79c01b45ad144c7b37cb438b75f21b`
SHA1	`876fdefa7f2f46dd9e01e9636bb242b0dc780352`
SHA256	`4d7c6f6897731567e6b8fc7f2a86b8d8e7ff268227640db0805a3f62bb54322b`
SHA3	`56759e0faafd071712560de291117cd6473084a6bd2533c33c5da288cd7d05b3`
VirtualSize	`0x18a8`
VirtualAddress	`0x21000`
SizeOfRawData	`0x1c1`
PointerToRawData	`0xe000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.43535`

(#4)

MD5	`7478f2ce2c932dc608a7eba2426dd2ee`
SHA1	`46819f0df166f126691084156b932fcfd35e0fd1`
SHA256	`dece4d90b79b32ba756831f0f5fb3b1d83d599cd078bab2f8db35f88ca4a075b`
SHA3	`aba1b804b54903343853fe4396e9147ac487a969b46094a9b50d6fd7d64c1617`
VirtualSize	`0x135c`
VirtualAddress	`0x23000`
SizeOfRawData	`0xad7`
PointerToRawData	`0xe200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.5647`

(#5)

MD5	`facccdee71f95f85c4bfe90bf344882e`
SHA1	`0041ae3cfabe1cb94f924eb8ca2c38c282fc7199`
SHA256	`e21ce9b737f887b0dc4958f4b4a69614eea72714e78bf4207ad846d01b4dfe4d`
SHA3	`ac870dc13d8fd95376d706b88a34ec20036b14fa03331422b0e7d0040d590380`
VirtualSize	`0x328`
VirtualAddress	`0x25000`
SizeOfRawData	`0x2fa`
PointerToRawData	`0xee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.17834`

(#6)

MD5	`6fedf602698b71e57e362f86971006c9`
SHA1	`e1661a9ebfdd7cce1caaf58e0fe22d5eb4cc5847`
SHA256	`1e3fb174ba13a9535f85c0b1677fc25d08c2a3330a710b60d4f04b6140bb0fc2`
SHA3	`35ae08f5340df99c080422f7be7280e03de483e7925e2fd1d88d4c00d88dc676`
VirtualSize	`0x54c`
VirtualAddress	`0x26000`
SizeOfRawData	`0x270`
PointerToRawData	`0xf200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.63047`

.imports

MD5	`c51b7f4b3da12028c63ab9165e3ee8aa`
SHA1	`ebe688ad67afdb51da1039dacc8c9d527028ad7c`
SHA256	`775b46102766028d54193a24a023f07cd6fffad41b497e7ec08d74e91fc72613`
SHA3	`2b785eebc1df6a0b9910e6460c3c3248611bd69ae946f474821584556a9a7f55`
VirtualSize	`0x1000`
VirtualAddress	`0x27000`
SizeOfRawData	`0x400`
PointerToRawData	`0xf600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.77774`

.tls

MD5	`eb99eb697a5f1316f1fcbea562c6ebbe`
SHA1	`ae05e2fdeee8dce53d99b8a3b405a8f550a7e136`
SHA256	`44480937bef04fc1f4b12378c4a319d1bf3e8c44985dcff66ea4c058c9cba351`
SHA3	`732ea60a086eedc438fa720187feb0f3ad3a8ef296de049e67530c9087fb74a1`
VirtualSize	`0x1000`
VirtualAddress	`0x28000`
SizeOfRawData	`0x200`
PointerToRawData	`0xfa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.257921`

.rsrc

MD5	`207e2e6044542d02f62ba14e43988d6c`
SHA1	`60fb81b6ae5935da0199a7de5f4a99676834434a`
SHA256	`4e559ddab5e58e44f360dbb54cff3bdd7576948ed96953b209816acb29ad64c5`
SHA3	`d4611a3c416a790d37a1209cda56ac89c0c4b7543f8347bbe453e9c423256c1a`
VirtualSize	`0x1000`
VirtualAddress	`0x29000`
SizeOfRawData	`0x600`
PointerToRawData	`0xfc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.92541`

.themida

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x578000`
VirtualAddress	`0x2a000`
SizeOfRawData	`0`
PointerToRawData	`0x10200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.boot

MD5	`468b7f919c90a9a882eb3e47a3a45b8a`
SHA1	`334e52f7be689298363c349f9117bedd86ed84f3`
SHA256	`e449fb6a06987182b6e59000b573269e2d9ea3b6c6653094e03f46c9d6b7de70`
SHA3	`264f66bc8589e4603f51b2bb4773024237a60fc0b48417474595eab65eaada96`
VirtualSize	`0x30c200`
VirtualAddress	`0x5a2000`
SizeOfRawData	`0x30c200`
PointerToRawData	`0x10200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.96521`

.reloc

MD5	`2df9a5f5eafb00c7e3816942a1095bfc`
SHA1	`da35f409ca59895d3fc7c912230721070e801ccf`
SHA256	`3a977a311a185fb7e39d0a17367b8b46fb2694096dfb240eec6dadf8454561c0`
SHA3	`a949dedf4aef7edd883368189b6bbf13475e88063dea605afbe4588fde4243c5`
VirtualSize	`0x1000`
VirtualAddress	`0x8af000`
SizeOfRawData	`0x10`
PointerToRawData	`0x31c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ`
Entropy	`2.4746`

.enigma1

MD5	`ebe40e72079eb8ef526170f799c3a8ba`
SHA1	`e8c27698b9f45289a5759f852283b521da93bff8`
SHA256	`6ec857a7e7d9a43df3009088b91974fa35bb2c69acc1370010882e561df44469`
SHA3	`b16c3cadb059e5741ce06441c1815f50ab03ec7b7cc2b0957ffa61e969150b3a`
VirtualSize	`0x1000`
VirtualAddress	`0x8b0000`
SizeOfRawData	`0x3a4000`
PointerToRawData	`0x31c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.62977`

.enigma2

MD5	`a8f3b5ac9be15845519e1d8f2084b7d1`
SHA1	`383e56a9a57e5d86858eb2f031fad36b4e39f7c8`
SHA256	`a664d637d0ccc9abadb7b6883443edbba7af0bab603b9324b10e4c624c0e1f94`
SHA3	`9d22b5f3fdfb9add09257cb79454dfb9fdeda4b133455cdde408b98672969b1b`
VirtualSize	`0xb4000`
VirtualAddress	`0x8b1000`
SizeOfRawData	`0xb4000`
PointerToRawData	`0x6c0600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.46986`

Imports

kernel32.dll	`GetStdHandle` `GetConsoleMode` `TlsGetValue` `GetLastError` `SetLastError` `RaiseException` `GetTickCount` `ExitProcess` `GetStartupInfoA` `GetCommandLineA` `GetCurrentProcessId` `GetCurrentThreadId` `GetCurrentProcess` `ReadProcessMemory` `GetModuleFileNameA` `GetModuleHandleA` `WriteFile` `ReadFile` `CloseHandle` `SetFilePointer` `GetFileSize` `SetEndOfFile` `GetSystemInfo` `LoadLibraryW` `LoadLibraryA` `GetProcAddress` `FreeLibrary` `FormatMessageW` `DeleteFileW` `CreateFileW` `GetFileAttributesW` `CreateDirectoryW` `RemoveDirectoryW` `SetCurrentDirectoryW` `GetCurrentDirectoryW` `GetFullPathNameW` `SetEnvironmentVariableW` `GetConsoleOutputCP` `GetOEMCP` `GetProcessHeap` `HeapAlloc` `HeapFree` `TlsAlloc` `TlsFree` `TlsSetValue` `CreateThread` `ExitThread` `LocalAlloc` `LocalFree` `Sleep` `SuspendThread` `ResumeThread` `TerminateThread` `WaitForSingleObject` `SetThreadPriority` `GetThreadPriority` `GetCurrentThread` `OpenThread` `IsDebuggerPresent` `CreateEventA` `ResetEvent` `SetEvent` `InitializeCriticalSection` `DeleteCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `TryEnterCriticalSection` `MultiByteToWideChar` `WideCharToMultiByte` `GetACP` `GetConsoleCP` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `RtlUnwindEx` `EnumResourceTypesA` `EnumResourceNamesA` `EnumResourceLanguagesA` `FindResourceA` `FindResourceExA` `LoadResource` `SizeofResource` `LockResource` `FreeResource` `GetVersion` `FlushInstructionCache` `VirtualAlloc` `VirtualFree` `VirtualProtect` `VirtualAllocEx` `VirtualProtectEx` `CreateRemoteThread` `PostQueuedCompletionStatus` `SetErrorMode` `WriteProcessMemory` `GetThreadContext` `SetThreadContext` `FlushFileBuffers` `DeviceIoControl` `FindClose` `GetLocalTime` `SystemTimeToFileTime` `FileTimeToLocalFileTime` `FileTimeToDosDateTime` `GetLogicalDriveStringsW` `GetModuleFileNameW` `GetSystemDirectoryW` `GetTempPathW` `GetTempFileNameW` `GetWindowsDirectoryA` `GetWindowsDirectoryW` `QueryDosDeviceW` `SetFileAttributesW` `FindFirstFileExW` `FindNextFileW` `IsBadReadPtr` `IsBadWritePtr` `GetVersionExA` `CreateActCtxW` `ActivateActCtx` `CompareStringA` `GetLocaleInfoA` `GetDateFormatA` `EnumCalendarInfoA` `CompareStringW` `GetLocaleInfoW` `GetDateFormatW` `GetCPInfo` `GetThreadLocale` `SetThreadLocale` `GetUserDefaultLCID`
oleaut32.dll	`SysAllocStringLen` `SysFreeString` `SysReAllocStringLen` `SafeArrayCreate` `SafeArrayRedim` `SafeArrayGetUBound` `SafeArrayGetLBound` `SafeArrayAccessData` `SafeArrayUnaccessData` `SafeArrayGetElement` `SafeArrayPutElement` `SafeArrayPtrOfIndex` `VariantChangeTypeEx` `VariantClear` `VariantCopy` `VariantInit`
user32.dll	`MessageBoxA` `CharUpperBuffW` `CharLowerBuffW` `CharUpperA` `CharUpperBuffA` `CharLowerA` `CharLowerBuffA` `GetSystemMetrics` `MessageBeep`
advapi32.dll	`RegOpenKeyA`
ole32.dll	`CoUninitialize` `CoInitialize`
ntdll.dll	`ZwProtectVirtualMemory` `RtlFormatCurrentUserKeyPath` `RtlDosPathNameToNtPathName_U` `RtlFreeUnicodeString` `RtlInitUnicodeString`
shlwapi.dll	`PathMatchSpecW`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x2c0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.20359`
MD5	`0355cf78d0c0df3d32f2ddf638e29c25`
SHA1	`db4687122c74fe2f919ebb541e3d89a986baba15`
SHA256	`024adbede25380e800c1469fad208921d13daff1870f565c5f3a75362c877942`
SHA3	`1ef8fd58f51466963387b798b8fc20ac07fddad25f84f0e0cd79de5c2a5b9b9d`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1ea`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.00112`
MD5	`b7db84991f23a680df8e95af8946f9c9`
SHA1	`cac699787884fb993ced8d7dc47b7c522c7bc734`
SHA256	`539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a`
SHA3	`4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	GetCreds
FileDescription	GetCreds
FileVersion (#2)	1.0.0.0
InternalName	GetCreds.dll
LegalCopyright
OriginalFilename	GetCreds.dll
ProductName	GetCreds
ProductVersion (#2)	1.0.0
Assembly Version	1.0.0.0

Resource LangID	UNKNOWN

TLS Callbacks

StartAddressOfRawData	`0x140028000`
EndAddressOfRawData	`0x140028010`
AddressOfIndex	`0x140028010`
AddressOfCallbacks	`0x1408b0058`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x00000001408B2A70`

Load Configuration

RICH Header

XOR Key	`0x653c27b5`
Unmarked objects	`0`
ASM objects (33731)	`10`
C objects (33731)	`12`
C++ objects (33731)	`87`
Imports (VS2008 SP1 build 30729)	`16`
Imports (33136)	`9`
Total imports	`201`
C++ objects (LTCG) (33811)	`10`
Linker (33811)	`1`

Errors

[*] Warning: Section .themida has a size of 0!