Summary | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2017-May-01 14:33:52
Detected languages | English - United States
Debug artifacts | C:\build\work\eca3d12b\wix3\build\ship\x86\burn.pdb
CompanyName | BlueParrott
FileDescription | BlueParrott Updater
FileVersion | 103.9.1
InternalName | setup
LegalCopyright | Copyright (c) BlueParrott. All rights reserved.
OriginalFilename | BlueParrott_Updater_V_103.9.1.exe
ProductName | BlueParrott Updater
ProductVersion | 103.9.1

Level | Finding | Details
---|---|---
Info | Matching compiler(s) | Microsoft Visual C++ 6.0 - 8.0 (signature match only; see the note below)
Suspicious | Strings found in the binary may indicate undesirable behavior | May have dropper capabilities (the matching strings are not listed on this page)
Info | Libraries used to perform cryptographic operations | Microsoft's Cryptography API (CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam in the ADVAPI32.dll imports)
Suspicious | The PE is possibly packed | Unusual section name found: .wixburn
Malicious | The PE contains functions mostly used by malware | The program may be hiding some of its imports (the functions that triggered this rule are not listed on this page; the import table does contain LoadLibraryW, LoadLibraryExW and GetProcAddress, the usual trigger for a dynamic-import heuristic)
Malicious | The file contains overlay data | 24225727 bytes of data starting at offset 0x78a00 (494080), immediately after the last section's raw data. The overlay is a CAB installer file and amounts to 98.0013% of the executable.
Suspicious | VirusTotal score: 1/65 (scanned on 2018-04-18 07:09:49) | Cylance: Unsafe

Reading the findings together: the PDB path (wix3\build\ship\x86\burn.pdb), the .wixburn section, the delay-loaded Cabinet.dll used for CAB extraction and the CAB overlay are all characteristic of the WiX Toolset v3 Burn bootstrapper engine, which keeps its container table in the .wixburn section and ships the bundled packages as an attached CAB container after the PE image. The "possibly packed" and "overlay data" ratings are generic heuristics that fire on every Burn bundle. The overlay offset is internally consistent with the optional header: SizeOfHeaders 0x400 + SizeOfCode 0x49c00 + SizeOfInitializedData 0x2ea00 = 0x78a00, so the overlay begins exactly where the image's raw data ends. The Microsoft Visual C++ 6.0 - 8.0 compiler match is a signature false hit: LinkerVersion 14.0 and the VS2017 v15.0 compiler 25017 entries in the Rich header show the engine was linked with Visual Studio 2017. Exploit mitigations recorded in the headers are ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT), a /GS stack cookie (SecurityCookie 0x46a008) and SafeSEH (SEHandlerTable with 3 handlers). A single VirusTotal detection (1/65, Cylance) is weak evidence on its own, and the page shows no Authenticode check, so verify the signature and compare the bundle's hash with the vendor's published release before trusting the file.
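As an added example, not code from the report or from the WiX Toolset, the following Python reimplements the overlay check above from the raw headers: it parses the DOS header, COFF header and section table, takes the overlay to begin at the end of the last section's raw data, tests for the CAB magic "MSCF" and for a .wixburn section, and reproduces the report's 98.0013% figure from the offset and size given above. build_sample_pe assembles a skeletal in-memory PE (a constructed sample, not this binary) so the script runs offline; point overlay_info at the real file with open(path, "rb").read() to check the installer itself.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def overlay_info(data: bytes) -> dict:
    """Locate the overlay the way the report does: everything after the
    highest (PointerToRawData + SizeOfRawData) in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt            # first IMAGE_SECTION_HEADER
    names, end = [], 0
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            data, table + i * SECTION_HEADER.size)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    return {
        "sections": names,
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "overlay_pct": 100.0 * len(overlay) / len(data),
        "is_cab": overlay[:4] == b"MSCF",     # CAB files start with 'MSCF'
        "has_wixburn": ".wixburn" in names,   # Burn's container-table section
    }


def overlay_pct(overlay_offset: int, overlay_size: int) -> float:
    """Percentage as the report states it: overlay bytes over the whole file."""
    return 100.0 * overlay_size / (overlay_offset + overlay_size)


def build_sample_pe() -> bytes:
    """Constructed sample (not a real binary): a skeletal PE32 with a .text
    and a .wixburn section followed by a CAB-like overlay. Only the fields
    the parser reads are meaningful; the image is not loadable."""
    headers_size = 0x400
    sections = [(b".text", 0x200), (b".wixburn", 0x200)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    raw_ptr = headers_size
    for i, (name, size) in enumerate(sections):
        image += SECTION_HEADER.pack(name.ljust(8, b"\0"), size, 0x1000 * (i + 1),
                                     size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += size
    image += b"\0" * (headers_size - len(image))          # pad to SizeOfHeaders
    for name, size in sections:
        image += name.ljust(size, b"\0")                  # filler section bodies
    image += b"MSCF" + b"\0" * (0x1000 - 4)               # attached "CAB"
    return bytes(image)


if __name__ == "__main__":
    info = overlay_info(build_sample_pe())
    print(info)
    print(f"report figure: {overlay_pct(0x78A00, 24225727):.4f}%")
```

The parser trusts the section table for the overlay boundary, exactly as the report does; a sample that lies in its section headers (a SizeOfRawData running past end of file, for instance) would shift the computed offset, so compare the result with the certificate table offset in the security directory when one is present.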
IMAGE_DOS_HEADER | Value
---|---
e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0x118
IMAGE_FILE_HEADER | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberOfSections | 7
TimeDateStamp | 2017-May-01 14:33:52
PointerToSymbolTable | 0
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_NET_RUN_FROM_SWAP, IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_OPTIONAL_HEADER | Value
---|---
Magic | PE32
LinkerVersion | 14.0
SizeOfCode | 0x49c00
SizeOfInitializedData | 0x2ea00
SizeOfUninitializedData | 0
AddressOfEntryPoint | 0x0002E1FD (Section: .text)
BaseOfCode | 0x1000
BaseOfData | 0x4b000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 5.1
ImageVersion | 0.0
SubsystemVersion | 5.1
Win32VersionValue | 0
SizeOfImage | 0x7d000
SizeOfHeaders | 0x400
Checksum | 0
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeOfStackReserve | 0x100000
SizeOfStackCommit | 0x1000
SizeOfHeapReserve | 0x100000
SizeOfHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16
Imported library | Imported functions
---|---
ADVAPI32.dll | RegCloseKey RegOpenKeyExW OpenProcessToken AdjustTokenPrivileges LookupPrivilegeValueW InitiateSystemShutdownExW GetUserNameW RegQueryValueExW RegDeleteValueW CloseEventLog OpenEventLogW ReportEventW ConvertStringSecurityDescriptorToSecurityDescriptorW DecryptFileW CreateWellKnownSid InitializeAcl SetEntriesInAclW ChangeServiceConfigW CloseServiceHandle ControlService OpenSCManagerW OpenServiceW QueryServiceStatus SetNamedSecurityInfoW CheckTokenMembership AllocateAndInitializeSid SetEntriesInAclA SetSecurityDescriptorGroup SetSecurityDescriptorOwner SetSecurityDescriptorDacl InitializeSecurityDescriptor RegSetValueExW RegQueryInfoKeyW RegEnumValueW RegEnumKeyExW RegDeleteKeyW RegCreateKeyExW GetTokenInformation CryptDestroyHash CryptHashData CryptCreateHash CryptGetHashParam CryptReleaseContext CryptAcquireContextW QueryServiceConfigW
USER32.dll | GetMessageW PostMessageW IsWindow WaitForInputIdle PostQuitMessage PeekMessageW MsgWaitForMultipleObjects PostThreadMessageW GetMonitorInfoW MonitorFromPoint IsDialogMessageW LoadCursorW LoadBitmapW SetWindowLongW GetWindowLongW GetCursorPos MessageBoxW CreateWindowExW UnregisterClassW RegisterClassW DefWindowProcW DispatchMessageW TranslateMessage
OLEAUT32.dll | #6 #2 #8 #9 (imported by ordinal)
GDI32.dll | CreateCompatibleDC DeleteObject SelectObject StretchBlt GetObjectW DeleteDC
SHELL32.dll | SHGetFolderPathW CommandLineToArgvW ShellExecuteExW
ole32.dll | CoUninitialize CoInitializeEx CoInitialize StringFromGUID2 CoCreateInstance CoTaskMemFree CoInitializeSecurity CLSIDFromProgID
KERNEL32.dll | GetCommandLineA GetCPInfo GetOEMCP CloseHandle CreateFileW GetProcAddress LocalFree HeapSetInformation GetLastError GetModuleHandleW FormatMessageW lstrlenA lstrlenW MultiByteToWideChar WideCharToMultiByte LCMapStringW Sleep GetLocalTime GetModuleFileNameW ExpandEnvironmentStringsW GetTempPathW GetTempFileNameW CreateDirectoryW GetFullPathNameW CompareStringW GetCurrentProcessId WriteFile SetFilePointer LoadLibraryW GetSystemDirectoryW CreateFileA HeapAlloc HeapReAlloc HeapFree HeapSize GetProcessHeap FindClose GetCommandLineW GetCurrentDirectoryW RemoveDirectoryW SetFileAttributesW GetFileAttributesW DeleteFileW FindFirstFileW FindNextFileW MoveFileExW GetCurrentProcess GetCurrentThreadId InitializeCriticalSection DeleteCriticalSection ReleaseMutex TlsAlloc GetEnvironmentStringsW TlsSetValue TlsFree CreateProcessW GetVersionExW VerSetConditionMask FreeLibrary EnterCriticalSection LeaveCriticalSection GetSystemTime GetNativeSystemInfo GetModuleHandleExW GetWindowsDirectoryW GetSystemWow64DirectoryW GetComputerNameW VerifyVersionInfoW GetVolumePathNameW GetDateFormatW GetUserDefaultUILanguage GetSystemDefaultLangID GetUserDefaultLangID GetStringTypeW ReadFile SetFilePointerEx DuplicateHandle InterlockedExchange InterlockedCompareExchange LoadLibraryExW CreateEventW ProcessIdToSessionId OpenProcess GetProcessId WaitForSingleObject ConnectNamedPipe SetNamedPipeHandleState CreateNamedPipeW CreateThread GetExitCodeThread SetEvent WaitForMultipleObjects InterlockedIncrement InterlockedDecrement ResetEvent SetEndOfFile SetFileTime LocalFileTimeToFileTime DosDateTimeToFileTime CompareStringA GetExitCodeProcess SetThreadExecutionState CopyFileExW MapViewOfFile UnmapViewOfFile CreateMutexW CreateFileMappingW GetThreadLocale IsValidCodePage FreeEnvironmentStringsW TlsGetValue SetStdHandle GetConsoleCP GetConsoleMode FlushFileBuffers DecodePointer WriteConsoleW GetModuleHandleA GlobalAlloc GlobalFree GetFileSizeEx CopyFileW VirtualAlloc VirtualFree SystemTimeToTzSpecificLocalTime GetTimeZoneInformation SystemTimeToFileTime GetSystemInfo VirtualProtect VirtualQuery SetCurrentDirectoryW FindFirstFileExW GetFileType GetACP ExitProcess GetStdHandle InitializeCriticalSectionAndSpinCount SetLastError UnhandledExceptionFilter SetUnhandledExceptionFilter TerminateProcess IsProcessorFeaturePresent QueryPerformanceCounter GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent GetStartupInfoW RaiseException RtlUnwind LoadLibraryExA
RPCRT4.dll | UuidCreate
Cabinet.dll (delay-loaded) | #22 #23 #20 (imported by ordinal)
Delay-load descriptor | Value
---|---
Attributes | 0x1
Name | Cabinet.dll
ModuleHandle | 0x6b5c4
DelayImportAddressTable | 0x6a944
DelayImportNameTable | 0x68240
BoundDelayImportTable | 0x684ec
UnloadDelayImportTable | 0
TimeStamp | 1970-Jan-01 00:00:00
VS_VERSIONINFO | Value
---|---
Signature | 0xfeef04bd
StructVersion | 0x10000
FileVersion | 103.9.1.0
ProductVersion | 103.9.1.0
FileFlags | (EMPTY)
FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32
FileType | VFT_APP
Language | English - United States
CompanyName | BlueParrott
FileDescription | BlueParrott Updater
FileVersion (#2) | 103.9.1
InternalName | setup
LegalCopyright | Copyright (c) BlueParrott. All rights reserved.
OriginalFilename | BlueParrott_Updater_V_103.9.1.exe
ProductName | BlueParrott Updater
ProductVersion (#2) | 103.9.1
Resource LangID | English - United States
Debug directory entry | Characteristics | TimeDateStamp | Version | SizeofData | AddressOfRawData | PointerToRawData | Referenced File
---|---|---|---|---|---|---|---
1 | 0 | 2017-May-01 14:33:52 | 0.0 | 76 | 0x678ec | 0x668ec | C:\build\work\eca3d12b\wix3\build\ship\x86\burn.pdb
2 | 0 | 2017-May-01 14:33:52 | 0.0 | 20 | 0x67938 | 0x66938 |
3 | 0 | 2017-May-01 14:33:52 | 0.0 | 984 | 0x6794c | 0x6694c |
TLS directory | Value
---|---
StartAddressOfRawData | 0x46d000
EndAddressOfRawData | 0x46d008
AddressOfIndex | 0x46aac0
AddressOfCallbacks | 0x44b43c
SizeOfZeroFill | 0
Characteristics | IMAGE_SCN_ALIGN_4BYTES
Callbacks | (EMPTY)
Load configuration directory | Value
---|---
Size | 0x68
TimeDateStamp | 1970-Jan-01 00:00:00
Version | 0.0
GlobalFlagsClear | (EMPTY)
GlobalFlagsSet | (EMPTY)
CriticalSectionDefaultTimeout | 0
DeCommitFreeBlockThreshold | 0
DeCommitTotalFreeThreshold | 0
LockPrefixTable | 0
MaximumAllocationSize | 0
VirtualMemoryThreshold | 0
ProcessAffinityMask | 0
ProcessHeapFlags | (EMPTY)
CSDVersion | 0
Reserved1 | 0
EditList | 0
SecurityCookie | 0x46a008
SEHandlerTable | 0x4678e0
SEHandlerCount | 3
---|---|
Unmarked objects | 0 |
241 (40116) | 9 |
243 (40116) | 124 |
242 (40116) | 24 |
ASM objects (24723) | 19 |
C objects (24723) | 19 |
C++ objects (24723) | 38 |
C objects (VS2008 SP1 build 30729) | 5 |
Imports (VS2008 SP1 build 30729) | 17 |
Total imports | 341 |
C++ objects (VS2017 v15.0 compiler 25017) | 75 |
Resource objects (VS2017 v15.0 compiler 25017) | 1 |
151 | 2 |
Linker (VS2017 v15.0 compiler 25017) | 1 |