Manalyze report for c9cc657fb2e2211ad128ab72af45bb3c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2020-May-18 22:30:35
Detected languages	English - United States
Debug artifacts	https://imgur.com/a/PiWvsB0
CompanyName	Riot Games, Inc.
FileDescription	Vanguard kernel-mode driver.
FileVersion	`0.3.6.10`
InternalName	vgk.sys
LegalCopyright	Copyright (C) 2020
OriginalFilename	vgk.sys
ProductName	Vanguard Driver
ProductVersion	`0.3.6.10`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: https://imgur.com imgur.com`
Suspicious	The PE is possibly packed.	`Unusual section name found: .stub0`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: ZwQuerySystemInformation` `Uses Windows's Native API: ZwCreateFile ZwReadFile ZwWriteFile ZwClose ZwFlushBuffersFile ZwQuerySystemInformation`
Info	The PE is digitally signed.	`Signer: Riot Games` `Issuer: DigiCert EV Code Signing CA (SHA2)`
Suspicious	VirusTotal score: 1/73 (Scanned on 2020-05-19 09:25:30)	`eGambit: Unsafe.AI_Score_83%`

Hashes

MD5	`c9cc657fb2e2211ad128ab72af45bb3c`
SHA1	`26b1ae2a7700756224a69c515b677aefacff5202`
SHA256	`d4601c1663d13e37dcd53e042fc333274dd64cb458ce08b158c4daa7d04589ba`
SHA3	`a1d0d1cd4a8ef8237e1c3504bb5c26cf33222f7d8342ae552b4160671bf886cf`
SSDeep	`98304:0MUaeEzZHllDN7kN02ip4XTLPjtdus3htdectnakQULE3JF+clp4T7+8h5ysXwn5:0MUaVNFQUp4XTNdXx29kF43Kmp4TzFw5`
Imports Hash	`b8b951abef146d2f91e46b970ede47f3`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2020-May-18 22:30:35
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x35600`
SizeOfInitializedData	`0xfe00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000043000 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x5f0000`
SizeOfHeaders	`0x400`
Checksum	`0x5fb522`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`89e7ceb75ca14621a662dba92f54718e`
SHA1	`428d3a08c3d5968d2b1b2af0c2ed53acf49a3be7`
SHA256	`e62ceb94a5c1efd8cf3e10da25431db84bf3c3cd5c4b230d85d59308a4de7392`
SHA3	`30e69e008a22c8a1057c9c20100e9ea9dfe76dd6f15599aebe14e11d167109cc`
VirtualSize	`0x34e02`
VirtualAddress	`0x1000`
SizeOfRawData	`0x35000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`1.47005`

.rdata

MD5	`8bcf9c628cb0db02e7ac04b769bc6a1f`
SHA1	`1bbe9dba61d5e2fef8d74acafd7417b917105a85`
SHA256	`e1d9a0a59b683f7a04eb013531b5a7ba91c52337a1a382ba8b0dbc4ef02adea2`
SHA3	`df1e47718cf0cfd89136c86106e2390275d5c2992c732635557fe635d1b62a61`
VirtualSize	`0x52e4`
VirtualAddress	`0x36000`
SizeOfRawData	`0x5400`
PointerToRawData	`0x35400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.50585`

.data

MD5	`e96da57d6fc4c98fcab36911c94c5286`
SHA1	`2496894b3765c97343f1b024cc43f5e32df7b84a`
SHA256	`7d998a957e5aabc5916980831e0574a177871bf20b93c828f4f81f57d3f3728c`
SHA3	`e42f797c89b42a8e5a8e07f3f6701a593cbccd3bf34c360011bb8bec6da9f8d8`
VirtualSize	`0x3114`
VirtualAddress	`0x3c000`
SizeOfRawData	`0x400`
PointerToRawData	`0x3a800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.49591`

.pdata

MD5	`51a01f6e7e3ba32a970f6c7666580793`
SHA1	`71af538f1a1257ab36707f7d0d8e7bbe16250e2c`
SHA256	`db41f448509ed818922a1255f6679ceb45d75862e011781f3e7fc23b0e564d43`
SHA3	`b85b50b72643a0ad35bc8e935c4cdb3b3c5f88fc6dee6767054ded87ecb218e4`
VirtualSize	`0x1518`
VirtualAddress	`0x40000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x3ac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.70918`

.edata

MD5	`eb6c5e34c225878dceb6eb608b26f40c`
SHA1	`a01db887474abf9900555e7178d11cca499b0027`
SHA256	`3fb57ead1981129c2d5a35e9b2947de5a407289c44a7fe1ce7fc287e1927aea5`
SHA3	`fc0db0bdec019a4eb6d78510ae8b51cb0f3bdc6d9f47135624d730e8fafbccdf`
VirtualSize	`0x3e`
VirtualAddress	`0x42000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3c200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.606751`

INIT

MD5	`b9a62fc45b667e8af20418dddf52f57e`
SHA1	`d9bcba32336ef0c3aaea11f17a03136c2407337a`
SHA256	`45060331ad91aff51fa342995c989a9ef0da5af3c586bb0261f3ab81a0f42b11`
SHA3	`eaf1f884b1131c5c1f05cdf091ce512e675396786a5b8f54e1556f8df9a6e10f`
VirtualSize	`0x466`
VirtualAddress	`0x43000`
SizeOfRawData	`0x600`
PointerToRawData	`0x3c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.62272`

.stub0

MD5	`46c4c55b448dbbb162dc8d472d1e5c9d`
SHA1	`39cb5f6947314219482d9d487396c8b91e1a7ac5`
SHA256	`12bfbb8632c37ca6d7fef22bd54c928ed4067c8a8363e5425aff9b3e17ebf953`
SHA3	`1668740f736ab8bbc697bfac58b6a802a5a2a366b03e8a0385419dd66c8ad847`
VirtualSize	`0x5a44b8`
VirtualAddress	`0x44000`
SizeOfRawData	`0x5a4600`
PointerToRawData	`0x3ca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.81046`

.reloc

MD5	`6a0879e544faeb2183022d1810725a59`
SHA1	`0346e791a53decb800c4a46cbe2f04fca844f91d`
SHA256	`ed398597fe363f45bb470bbf01890e2d4b20fbb9a5776286d67e7e6782d0ed17`
SHA3	`6467eb916988d580e9014dd2a5f274e5b1a9106088dfd2759304c24fdc054939`
VirtualSize	`0x16c`
VirtualAddress	`0x5e9000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5e1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.90848`

.rsrc

MD5	`5ff56b3e20e8d43619feb710674c34e1`
SHA1	`036e38751da64f9b5421cc22ecc88f465ae817a9`
SHA256	`cfa3ec671b1cec19d7a3d58874c59ccc8447788251e08f92f7e6c2f1595da0bc`
SHA3	`4e331da2c09be02c9fa9c356aca0b31e9e7518e4e35f593f3273de2ba72256f4`
VirtualSize	`0x5d44`
VirtualAddress	`0x5ea000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0x5e1200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.31762`

Imports

cng.sys	`BCryptDestroyHash` `BCryptCloseAlgorithmProvider`
ntoskrnl.exe	`KeIpiGenericCall` `__C_specific_handler` `ExFreePoolWithTag` `_stricmp` `RtlDuplicateUnicodeString` `wcscat_s` `wcscpy_s` `RtlInitUnicodeString` `ZwCreateFile` `ZwReadFile` `ZwWriteFile` `ZwClose` `ZwFlushBuffersFile` `ZwQuerySystemInformation` `RtlTimeToTimeFields` `KeAreAllApcsDisabled` `ExSystemTimeToLocalTime` `swprintf_s` `vswprintf_s` `_vsnwprintf` `KeInitializeApc` `KeInsertQueueApc` `ExAllocatePoolWithTag` `KeBugCheckEx`

Delayed Imports

Egg

Ordinal	`1`
Address	`0xf754`

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.68286`
MD5	`98d249f68c00622606ecce20f737bfcc`
SHA1	`3e95abac4a81298f980366e63aa6beac80348521`
SHA256	`a4991e10ea39addaa30ad4e3ca180ede6f559682d956ba6ea267e9c9517d3789`
SHA3	`7e5c82e756a19d28f33e5338aed56baa92bf9ac5ff8b008134cc7d490a326582`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.39293`
MD5	`4bcf5ae34ccc3165df496e7052acb8e4`
SHA1	`b6a096f04634d6eb7a5e89eb449f5d2da37ca0df`
SHA256	`e3fd385009e65bd63d352691ad227829ee91928b9dee5975f6b808cbf9c2b186`
SHA3	`fab288eec627c04107d0a3cd586956884babeb368512fd33a3d0f0c8354e97ab`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.22667`
MD5	`d9e00fd0e98af67e00d5fea6ca6c891e`
SHA1	`f99b71d26b612d68c14bed1db1f313d23b1801e5`
SHA256	`3fffce4ebb2f22b6603f8e0a2dac2c69eb15fdf1eedf033b08584e3cd9084a95`
SHA3	`dcbdcc8115003d0bc72ac686f857a4766e4c3c23140381527e13891f94900a59`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.02845`
MD5	`0a9cebe925a641ac14300111c4970d4b`
SHA1	`905663952332321e87c3829d0ebace280848303a`
SHA256	`1ec24d21fc50edcab854d9ab4ae780ba6521e5ce01612a6a7ca75cb786584ecd`
SHA3	`8cc9cdbeed103762ec9842ec2b2d68937a1256cf2aab16a44632fc495116ab4c`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x140c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.92659`
Detected Filetype	PNG graphic file
MD5	`3ba6c81af52c0688387888cd75f30308`
SHA1	`1456615ce9fa7a6f99b8612bba5255f5dca72e20`
SHA256	`aad706a538d25ae394bd44172ea5daf34c1b38b3a14cc79fa6e649504200243a`
SHA3	`e9deb22d45b2fde9cf461cff58e246880002c8d787b8726ed8d47f2ebffe1c72`

MAINICON

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.64638`
Detected Filetype	Icon file
MD5	`b3b36a22e13ffb8b2e2eda71b705a34e`
SHA1	`82407f79fc7ed4bd6d93770d36881b1e75413876`
SHA256	`6a6c5adf6545c9eed3777fff371db8db09c39885669f1aa1c6e177036f84d029`
SHA3	`5ccca1d385dc604bcf3e63fbddd9c49cc4208548a88330430f4781bebf1cedcb`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.46551`
MD5	`84dcaa26f3bfad93d07fadd83b8439a1`
SHA1	`b58e23fc9eb49f3c904bdbebebef930dc0ca5285`
SHA256	`70e3774d1bced87a3489938767f80cee14abc29e847a9400bcf8a29fb9e0620d`
SHA3	`c613081872a1192127e6804dd334b8feadc21f2b0e7e436797e6e67fdcf34fee`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	0.3.6.10
ProductVersion	0.3.6.10
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`UNKNOWN`
Language	English - United States
CompanyName	Riot Games, Inc.
FileDescription	Vanguard kernel-mode driver.
FileVersion (#2)	0.3.6.10
InternalName	vgk.sys
LegalCopyright	Copyright (C) 2020
OriginalFilename	vgk.sys
ProductName	Vanguard Driver
ProductVersion (#2)	0.3.6.10

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2020-May-18 22:30:35
Version	`0.0`
SizeofData	`52`
AddressOfRawData	`0x39da8`
PointerToRawData	`0x391a8`
Referenced File	https://imgur.com/a/PiWvsB0

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-May-18 22:30:35
Version	`0.0`
SizeofData	`388`
AddressOfRawData	`0x39ddc`
PointerToRawData	`0x391dc`

TLS Callbacks

Load Configuration

Size	`0x108`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003c230`

RICH Header

XOR Key	`0x2e18afec`
Unmarked objects	`0`
ASM objects (26715)	`5`
C objects (26715)	`6`
Imports (VS2015 UPD3.1 build 24215)	`2`
Imports (26715)	`5`
Total imports	`30`
ASM objects (VS2019 Update 5 (16.5.4-5) compiler 28614)	`1`
C++ objects (VS2019 Update 5 (16.5.4-5) compiler 28614)	`26`
Exports (VS2019 Update 5 (16.5.4-5) compiler 28614)	`1`
Resource objects (VS2019 Update 5 (16.5.4-5) compiler 28614)	`1`
Linker (VS2019 Update 5 (16.5.4-5) compiler 28614)	`1`

c9cc657fb2e2211ad128ab72af45bb3c

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.edata

INIT

.stub0

.reloc

.rsrc

Imports

Delayed Imports

Egg

1

2

3

4

5

MAINICON

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors