| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| Compilation Date | 1999-Dec-02 22:54:53 |
| Detected languages | English - United States |
| Debug artifacts | Embedded COFF debugging symbols; obj\i386\whoami.exe |
| CompanyName | Microsoft Corporation |
| FileDescription | Whoami - queries user information |
| FileVersion | 5.00.2128.1 |
| InternalName | WhoAmI.exe |
| LegalCopyright | Copyright (C) Microsoft Corp. 1981-1999 |
| OriginalFilename | WHOAMI.EXE |
| ProductName | Microsoft(R) Windows (R) 2000 Operating System |
| ProductVersion | 5.00.2128.1 |

Info: Matching compiler(s):
- Microsoft Visual C++
- Microsoft Visual C++ v6.0

Info: Interesting strings found in the binary:
- Contains domain names:

Malicious: The PE contains functions mostly used by malware.
- [!] The program may be hiding some of its imports:
  - LoadLibraryExW
  - GetProcAddress
  - LoadLibraryA
- Functions related to the privilege level:

Suspicious: The file contains overlay data. 26624 bytes of data starting at offset 0x9c00.

Suspicious: VirusTotal score: 2/68 (Scanned on 2022-05-15 05:11:05)
- APEX: Malicious
- Jiangmin: Backdoor.Generic.awau

| Hash | Value |
|---|---|
| MD5 | e4f1b4e581fb998977d4c9c9080d35f6 |
| SHA1 | 8bcfd002d484fda03a0e95c66d80e0c64f65db73 |
| SHA256 | bbca0cc59934fcce83ba7bb8be334784f27e626786546f276dbe934777df32af |
| SHA3 | 4bc0a64d88ca71411ca4b6a9ffbfa4135fe1e6da8a9c8d2d02c5b6007a68dd14 |
| SSDeep | 768:gloK+uJzmK9+jvRpBq1RnvCKlMHK2kF4kU8/Vvpm3xxTB3lobeEm9U:geKrdmc+HB1KlMHKvUL3xxfobe9 |
| Imports Hash | 0e73ec669a8245790d02f257deaa91e9 |

| Field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xd8 |

| Field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 3 |
| TimeDateStamp | 1999-Dec-02 22:54:53 |
| PointerToSymbolTable | 0x9c20 |
| NumberOfSymbols | 729 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |

| Field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 5.0 |
| SizeOfCode | 0x6800 |
| SizeOfInitializedData | 0x4200 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00002C20 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x8000 |
| ImageBase | 0x1000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.0 |
| ImageVersion | 5.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0xd000 |
| SizeOfHeaders | 0x600 |
| Checksum | 0x1f5aa |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x40000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| Field | Value |
|---|---|
| MD5 | 18b4ff7bfbda47cdd983f0ca6da81673 |
| SHA1 | f5783ab96c08a23cb53c444ee02380740e0d1aa1 |
| SHA256 | fda40c00e73ec1a9fffe55c240c290963486e22640cbcd382517e122f64d027c |
| SHA3 | 252b2a9c0455ff4e71cffc82c41a2a22db91eda47144296811b1ff54f3ba09c3 |
| VirtualSize | 0x662e |
| VirtualAddress | 0x1000 |
| SizeOfRawData | 0x6800 |
| PointerToRawData | 0x600 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Entropy | 6.36115 |

| Field | Value |
|---|---|
| MD5 | 731385bae1df8fd9a1807e940c220dc6 |
| SHA1 | 65243a507b6b95287c0a4f8ecf1224750efb71a5 |
| SHA256 | 7e829063e1dc99a45c9943d06ceb3feec9b94f85cd2ad230ef85c9ee8f67f705 |
| SHA3 | 9f728ab8202c564ba2e2b43aaccc44d3ba8bc3a5a4b9bbc5def39b0b0fac97f5 |
| VirtualSize | 0x3c34 |
| VirtualAddress | 0x8000 |
| SizeOfRawData | 0x2a00 |
| PointerToRawData | 0x6e00 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Entropy | 0.477653 |

| Field | Value |
|---|---|
| MD5 | cfa02909eee6518adda4aeee3e2256ca |
| SHA1 | 22db5103af704b67f29d345a9a12206ca15b7ab0 |
| SHA256 | 481e3ac487a8ce22d04327bc96e91b016bd3b95f0909230817ecc5c82cbf76c0 |
| SHA3 | eaa9e25036e194c9be38778bacaa5f940af29457492f8e547a7ca33f49a7d500 |
| VirtualSize | 0x3d8 |
| VirtualAddress | 0xc000 |
| SizeOfRawData | 0x400 |
| PointerToRawData | 0x9800 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Entropy | 3.28306 |

| Library | Imported functions |
|---|---|
| ADVAPI32.dll | IsValidSid, LookupPrivilegeDisplayNameW, LookupAccountSidW, GetSidSubAuthority, GetSidSubAuthorityCount, GetSidIdentifierAuthority, LookupPrivilegeNameW, CopySid, GetLengthSid, GetTokenInformation, OpenProcessToken |
| KERNEL32.dll | FormatMessageW, LoadLibraryExW, GetLastError, CloseHandle, GetCurrentProcess, GetVersion, ExitProcess, TerminateProcess, HeapFree, HeapReAlloc, HeapAlloc, MultiByteToWideChar, RtlUnwind, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, WriteFile, GetModuleFileNameA, VirtualAlloc, GetProcAddress, LoadLibraryA, LCMapStringA, LCMapStringW, FlushFileBuffers, SetFilePointer, GetStringTypeA, GetStringTypeW, SetStdHandle |

| Field | Value |
|---|---|
| Type | RT_VERSION |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x374 |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 3.53412 |
| MD5 | bbe478075246eb8364697a711de9fefe |
| SHA1 | 35d601abe70b9d71b090bf856adf6eae88598667 |
| SHA256 | 7ad947c95c9dbdc0b45f56d2c9ab6f5a1032b465f98d9ab4ea92f065b8231cde |
| SHA3 | d004d9f3a857bbbde61eaed6ec122cb6251e6286a69ef7a538bf26e1b060ecbd |

| Field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 5.0.2128.1 |
| ProductVersion | 5.0.2128.1 |
| FileFlags | VS_FF_PRIVATEBUILD |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Whoami - queries user information |
| FileVersion (#2) | 5.00.2128.1 |
| InternalName | WhoAmI.exe |
| LegalCopyright | Copyright (C) Microsoft Corp. 1981-1999 |
| OriginalFilename | WHOAMI.EXE |
| ProductName | Microsoft(R) Windows (R) 2000 Operating System |
| ProductVersion (#2) | 5.00.2128.1 |
| Resource LangID | English - United States |

| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 1999-Dec-02 22:54:53 |
| Version | 0.0 |
| SizeofData | 23943 |
| AddressOfRawData | 0 |
| PointerToRawData | 0x9c00 |

| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 1999-Dec-02 22:54:53 |
| Version | 0.0 |
| SizeofData | 272 |
| AddressOfRawData | 0 |
| PointerToRawData | 0xf988 |
| Referenced File | obj\i386\whoami.exe |

| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 1999-Dec-02 22:54:53 |
| Version | 0.0 |
| SizeofData | 2000 |
| AddressOfRawData | 0 |
| PointerToRawData | 0xfa98 |

| Field | Value |
|---|---|
| XOR Key | 0x94df97a5 |
| Unmarked objects | 0 |
| Total imports | 52 |
| 19 (9049) | 5 |
| Unmarked objects (#2) | 69 |
| Resource objects (2090) | 1 |
| C objects (VS98 build 8168) | 8 |

[*] Warning: COFF symbol's section number is bigger than the number of sections!