bf53b34e49bc583870e1b0d45aac6c63

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2012-Mar-08 15:59:48
Detected languages English - United States
French - France
Debug artifacts C:\Projets\vbsedit_source\script2exe\Release\mywscript.pdb
FileVersion 1, 0, 0, 0
ProductVersion 1, 0, 0, 0
LegalCopyright Copyright (C) 2018
FileDescription
ProductName NisWatchII

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • LoadLibraryW
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegSetValueExW
  • RegEnumKeyW
  • RegDeleteKeyW
  • RegQueryValueW
  • RegOpenKeyW
  • RegCreateKeyExW
  • RegCloseKey
  • RegQueryValueExW
  • RegEnumKeyExW
  • RegOpenKeyExW
Uses functions commonly found in keyloggers:
  • CallNextHookEx
  • GetForegroundWindow
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Enumerates local disk drives:
  • GetVolumeInformationW
Info The PE's resources present abnormal characteristics. Resource 129 is possibly compressed or encrypted.
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 bf53b34e49bc583870e1b0d45aac6c63
SHA1 c7be62768960b67431b8dd9daa5372830bff6767
SHA256 6b3d027137799b22093c435f18434f1c1be4068b9607edf39b87a1ecbcc89cd6
SHA3 11fc36fd0cd0d2c8a7e94be1f7717eba129906cf7e4fecaf3ffa1fb413ef0291
SSDeep 6144:mhRNNKQWSlsjJWQAEvcMPVoZgNLskQInt+qoAU9ObQ:mhqJnvhPVoZgNtQInMqoADbQ
Imports Hash 2691b9b51544cc45c4175204fe1d1626

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2012-Mar-08 15:59:48
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x29400
SizeOfInitializedData 0x1fa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00017C69 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x2b000
ImageBase 0xd10000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x507e6
SizeOfHeaders 0x400
Checksum 0x44a01
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 55dd71bef22e0f478e6cd1df381f4ca1
SHA1 6a5c863df8674bd24f82b8aba2f6407144701549
SHA256 90b8a9ffeb97daefcd2f97632f36b9ec667c12ffe653bdbcd1eb27d5bec5cff5
SHA3 179d35ad794830e779e36f4ade26cd3add375ceb43b03435425eadf977972854
VirtualSize 0x2a000
VirtualAddress 0x1000
SizeOfRawData 0x29400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.60608

.rdata

MD5 90c00cdd7ae6202f801c2150ac15cdb8
SHA1 35e045c7db7b8312a48b68ebeff80db0518429f8
SHA256 e3e560175acbe52aca82dbb34f13b728295d07579ebcded3a95d30389941f549
SHA3 5cc5cee7663aedb2682a09bf64cb9c8b0e2fa2072ef138380dc56851f93e8577
VirtualSize 0xb000
VirtualAddress 0x2b000
SizeOfRawData 0xaa00
PointerToRawData 0x29800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.83773

.data

MD5 3df4705b8ffed406f7ee62ef227f4b2a
SHA1 67ed0d439be3323fb0bee3d0833e1c2d6a5e3a94
SHA256 90a473b922cde7a4b5adc9f2a2c686aeb7ec403cad31f3e2272ee45cb3e92262
SHA3 259188d0c459cb6fc38bd4ba455f672fd44b47ba478317dd8562ccd12793aec2
VirtualSize 0x7000
VirtualAddress 0x36000
SizeOfRawData 0x6200
PointerToRawData 0x34200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.05334

.rsrc

MD5 a6b48347bf996191cca62e8ce67ecb9f
SHA1 7090dafb3181c007baed11a8e978c8e04d491dce
SHA256 ceafceea6c7b42366be9420acb0be4004ba9e649f3c623b47c58109c0f971619
SHA3 a2ddc6ee9ea4e90c1ad3d84a32f1bd8a991d95e5a7e7a40414f58fab7493d3ef
VirtualSize 0xc000
VirtualAddress 0x3d000
SizeOfRawData 0xb400
PointerToRawData 0x3a400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.03009

.reloc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x77e6
VirtualAddress 0x49000
SizeOfRawData 0
PointerToRawData 0x45800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Imports

KERNEL32.dll GetFileAttributesW
GetFileSizeEx
GetFileTime
GetStartupInfoW
HeapAlloc
HeapFree
RtlUnwind
HeapReAlloc
RaiseException
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
HeapSize
SetUnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
HeapCreate
VirtualFree
QueryPerformanceCounter
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
GetTimeZoneInformation
GetConsoleCP
GetConsoleMode
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
CreateFileA
SetEnvironmentVariableA
FileTimeToLocalFileTime
CreateFileW
GetFullPathNameW
GetVolumeInformationW
FindFirstFileW
FindClose
GetCurrentProcess
DuplicateHandle
GetFileSize
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
WritePrivateProfileStringW
GetModuleHandleA
GlobalFlags
TlsFree
DeleteCriticalSection
LocalReAlloc
TlsSetValue
TlsAlloc
InitializeCriticalSection
GlobalHandle
GlobalReAlloc
EnterCriticalSection
TlsGetValue
LeaveCriticalSection
LocalAlloc
FileTimeToSystemTime
GetCurrentProcessId
SetErrorMode
GetCurrentThread
ConvertDefaultLocale
EnumResourceLanguagesW
GetLocaleInfoW
LoadLibraryExW
CompareStringA
InterlockedExchange
InterlockedIncrement
lstrlenA
lstrcmpA
CloseHandle
GetCurrentThreadId
GlobalAddAtomW
GlobalFindAtomW
GlobalDeleteAtom
LoadLibraryW
CompareStringW
LoadLibraryA
lstrcmpW
GetVersionExA
FreeLibrary
InterlockedDecrement
GetProcAddress
GetLastError
SetLastError
GlobalFree
GlobalAlloc
GlobalLock
GlobalUnlock
FormatMessageW
LocalFree
lstrlenW
WideCharToMultiByte
WriteConsoleW
ExitProcess
GetModuleFileNameW
ExpandEnvironmentStringsW
GetStdHandle
Sleep
GetModuleHandleW
GetCommandLineW
MultiByteToWideChar
FindResourceW
LoadResource
LockResource
GetTickCount
SizeofResource
USER32.dll CharUpperW
SetCursor
GrayStringW
DrawTextExW
DrawTextW
TabbedTextOutW
ClientToScreen
DestroyMenu
ShowWindow
SetWindowTextW
LoadCursorW
GetDC
ReleaseDC
GetSysColorBrush
GetWindowThreadProcessId
IsWindowEnabled
PostQuitMessage
SetMenuItemBitmaps
LoadBitmapW
ModifyMenuW
CheckMenuItem
GetMessageW
TranslateMessage
GetCursorPos
ValidateRect
RegisterWindowMessageW
LoadIconW
WinHelpW
GetCapture
SetWindowsHookExW
CallNextHookEx
GetClassLongW
GetClassNameW
SetPropW
GetPropW
RemovePropW
GetFocus
IsWindow
GetWindowTextW
GetForegroundWindow
GetLastActivePopup
DispatchMessageW
GetDlgItem
GetTopWindow
DestroyWindow
GetMessageTime
GetMessagePos
PeekMessageW
MapWindowPoints
MessageBoxW
GetActiveWindow
GetSubMenu
GetKeyState
SetMenu
EnableWindow
SetForegroundWindow
IsWindowVisible
GetClientRect
PostMessageW
GetMenuCheckMarkDimensions
GetMenuItemCount
GetMenuItemID
GetMenuState
UnhookWindowsHookEx
GetWindow
GetSystemMetrics
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
SetWindowPos
SetWindowLongW
GetWindowLongW
GetMenu
PtInRect
CopyRect
CallWindowProcW
DefWindowProcW
SendMessageW
CreateWindowExW
GetClassInfoExW
GetClassInfoW
RegisterClassW
GetSysColor
AdjustWindowRectEx
GetParent
GetDlgCtrlID
EnableMenuItem
GDI32.dll DeleteDC
GetStockObject
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SelectObject
Escape
TextOutW
RectVisible
GetDeviceCaps
SetMapMode
RestoreDC
SaveDC
DeleteObject
ExtTextOutW
CreateBitmap
SetBkColor
SetTextColor
GetClipBox
PtVisible
COMDLG32.dll GetFileTitleW
WINSPOOL.DRV DocumentPropertiesW
OpenPrinterW
ClosePrinter
ADVAPI32.dll RegSetValueExW
RegEnumKeyW
RegDeleteKeyW
RegQueryValueW
RegOpenKeyW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegEnumKeyExW
RegOpenKeyExW
SHLWAPI.dll PathStripToRootW
PathIsUNCW
PathFindFileNameW
PathFindExtensionW
ole32.dll CoDisconnectObject
StringFromGUID2
CoGetObject
CoCreateInstance
CLSIDFromProgID
CoInitialize
OLEAUT32.dll #6
#8
#10
#9
#4
#12
#183
#162
#2
#7
#161
OLEACC.dll (delay-loaded) LresultFromObject
CreateStdAccessibleObject

Delayed Imports

Attributes 0x1
Name OLEACC.dll
ModuleHandle 0x3aef0
DelayImportAddressTable 0x383f8
DelayImportNameTable 0x34238
BoundDelayImportTable 0x34274
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

129

Type RT_BITMAP
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x3a4c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.90949
MD5 ae3bd35726e256961b0b7b9e143eda58
SHA1 97fdf228382aa25bfce97f2684f5a4dd98d1bc6d
SHA256 0eb0d9d00f8be714f834bbe9ac386ab75fd67e74009a706cff35addf565a38b3
SHA3 20ba49009ffcf1fe78ab3e74b915e5d93c3d4005eff71718204019f970acad0d

1

Type RT_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x70a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.67318
MD5 1bf4584dc12fe62b9786c55870f4d2a0
SHA1 90f4ddddb79d2f320b48f6d0fed52744613504e5
SHA256 ba2f75718961d4174874e655fc4055d34dddc6e477be7ad48315b7ac79ca44cf
SHA3 6f25cd77fb1343bfbb226f4cdca8d634aafd6d3bd32ab1ed35a3edf0dc09b845

7

Type RT_STRING
Language French - France
Codepage Latin 1 / Western European
Size 0x48
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.19502
MD5 10d022e533e73f962adaaea84d9d2341
SHA1 481e712df2258121f09da4acaaa7999fd25a1f23
SHA256 21933103638153262fc04241620439d017bfd09e4bdee5c696367de46a7d1a91
SHA3 5793e868a42430bd434b149a7848daf8da84f6294f6432baaf35f426a40023cc

131

Type RT_GROUP_ICON
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.91924
Detected Filetype Icon file
MD5 5a181c8e195049d74c15cd450c32b67b
SHA1 4a8e54de71bcbc2fe94255397fd5ea0c38a7ce23
SHA256 beca8ec591fb662213cad9a95fd978021158938a283178e5d01600004d238ef3
SHA3 39d4387198bd7e3b67f20d985a0262e9c961fdadbb80595389db6a917154d210

1 (#2)

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1fc
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.59208
MD5 c9b7b544a9ddb7849b802905c4ff657a
SHA1 e2d2f2044f20e23dd9af63cd171cd70b377955d9
SHA256 3f6069c080316b866b2aa1bd15ec3eac22e651d3534959e84235c6535e823918
SHA3 059bc74433001d95a3cd7f0f02f94a5430052601f1973b032fe07aeea887ab79

1 (#3)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x12a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.76335
MD5 aaf3ee7fa1852fab25ddef0cd42b66f8
SHA1 c4a0d6105c3ae5103ff54b5a59e40aee3771e082
SHA256 a8cb18d3a79d9cc323fde18a0dc9d9fdad4c55e3998a76772546fc70aeef3e21
SHA3 39f95ba32add6c64595f7271a6174cddf6ef045ba0316eac1683990d7ed5042c

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x15a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79597
MD5 24d3b502e1846356b0263f945ddd5529
SHA1 bac45b86a9c48fc3756a46809c101570d349737d
SHA256 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
SHA3 1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e

String Table contents

mywscript2
MYWSCRIPT2

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags VS_FF_DEBUG
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
FileVersion (#2) 1, 0, 0, 0
ProductVersion (#2) 1, 0, 0, 0
LegalCopyright Copyright (C) 2018
FileDescription
ProductName NisWatchII
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2012-Mar-08 15:59:48
Version 0.0
SizeofData 83
AddressOfRawData 0x306c0
PointerToRawData 0x2eec0
Referenced File C:\Projets\vbsedit_source\script2exe\Release\mywscript.pdb

TLS Callbacks

Load Configuration

RICH Header

Errors

[!] Error: Could not read an IMAGE_BASE_RELOCATION!
[*] Warning: Section .reloc has a size of 0!