Architecture |
IMAGE_FILE_MACHINE_I386
|
---|---|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
Compilation Date | 1992-Jun-19 22:22:17 |
Detected languages |
English - Australia
|
CompanyName | Solway Software |
FileDescription | Task Scheduler |
FileVersion | 2.1.0.0 |
InternalName | Solway's Task Scheduler |
LegalCopyright | |
LegalTrademarks | |
OriginalFilename | tasksched.exe |
ProductName | Solway's Task Scheduler |
ProductVersion | 2.1.0.0 |
Comments |
Suspicious | PEiD Signature: |
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX v2.0 -> Markus, Laszlo & Reiser (h) UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser UPX -> www.upx.sourceforge.net UPX Protector v1.0x (2) UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser |
Suspicious | The PE is packed with UPX |
Unusual section name found: UPX0
Section UPX0 is both writable and executable. Unusual section name found: UPX1 Section UPX1 is both writable and executable. |
Suspicious | The PE contains functions most legitimate programs don't use. |
[!] The program may be hiding some of its imports:
|
Suspicious | The PE header may have been manually modified. |
Resource 1 is possibly compressed or encrypted.
Resource 2 is possibly compressed or encrypted. Resource 3 is possibly compressed or encrypted. Resource 4 is possibly compressed or encrypted. Resource 5 is possibly compressed or encrypted. Resource 6 is possibly compressed or encrypted. Resource 7 is possibly compressed or encrypted. Resource BBABORT is possibly compressed or encrypted. Resource BBALL is possibly compressed or encrypted. Resource BBCANCEL is possibly compressed or encrypted. Resource BBCLOSE is possibly compressed or encrypted. Resource BBHELP is possibly compressed or encrypted. Resource BBIGNORE is possibly compressed or encrypted. Resource BBNO is possibly compressed or encrypted. Resource BBOK is possibly compressed or encrypted. Resource BBRETRY is possibly compressed or encrypted. Resource BBYES is possibly compressed or encrypted. Resource PREVIEWGLYPH is possibly compressed or encrypted. Resource 4079 is possibly compressed or encrypted. Resource 4080 is possibly compressed or encrypted. Resource 4081 is possibly compressed or encrypted. Resource 4082 is possibly compressed or encrypted. Resource 4083 is possibly compressed or encrypted. Resource 4085 is possibly compressed or encrypted. Resource 4086 is possibly compressed or encrypted. Resource 4087 is possibly compressed or encrypted. Resource 4088 is possibly compressed or encrypted. Resource 4089 is possibly compressed or encrypted. Resource 4090 is possibly compressed or encrypted. Resource 4091 is possibly compressed or encrypted. Resource 4093 is possibly compressed or encrypted. Resource 4094 is possibly compressed or encrypted. Resource 4095 is possibly compressed or encrypted. Resource 4096 is possibly compressed or encrypted. Resource PACKAGEINFO is possibly compressed or encrypted. Resource TABOUTFORM is possibly compressed or encrypted. Resource THOLIDAYFORM is possibly compressed or encrypted. Resource TMAINFORM is possibly compressed or encrypted. Resource TNEWTASKFORM is possibly compressed or encrypted. Resource TREMINDERFORM is possibly compressed or encrypted. The resource timestamps differ from the PE header:
|
Malicious | VirusTotal score: 4/68 (Scanned on 2021-07-18 02:34:20) |
Bkav:
W32.AIDetect.malware2
APEX: Malicious MaxSecure: Trojan.Malware.300983.susgen Qihoo-360: Win32/Heur.Generic.HwsBT5cA |
e_magic | MZ |
---|---|
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
Signature | PE |
---|---|
Machine |
IMAGE_FILE_MACHINE_I386
|
NumberofSections | 3 |
TimeDateStamp | 1992-Jun-19 22:22:17 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
|
Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0x3c000 |
SizeOfInitializedData | 0x3000 |
SizeOfUninitializedData | 0x71000 |
AddressOfEntryPoint | 0x000AD030 (Section: UPX1) |
BaseOfCode | 0x72000 |
BaseOfData | 0xae000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0xb1000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x4000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.DLL |
LoadLibraryA
GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess |
---|---|
advapi32.dll |
RegCloseKey
|
comctl32.dll |
ImageList_Add
|
comdlg32.dll |
GetOpenFileNameA
|
gdi32.dll |
SaveDC
|
ole32.dll |
IsEqualGUID
|
oleaut32.dll |
VariantCopy
|
shell32.dll |
SHGetMalloc
|
user32.dll |
GetDC
|
version.dll |
VerQueryValueA
|
winmm.dll |
sndPlaySoundA
|
芵网䆊串⟠ሊ혓쓶↥ﰔꕶ |