e89dbba95890b1cac6e7015ef2b82052

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2025-Apr-05 18:57:07
Detected languages English - United States
CompanyName Microsoft Corporation
FileDescription Windows NT BASE API Client DLL
FileVersion 10.0.26100.3323 (WinBuild.160101.0800)
InternalName kernel32
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename kernel32
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.26100.3323

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Uses functions commonly found in keyloggers:
  • GetForegroundWindow
  • MapVirtualKeyA
  • GetAsyncKeyState
Reads the contents of the clipboard:
  • GetClipboardData
Info The PE is digitally signed. Signer: 04f5be18-91cc-40c4-9002-4eb30ffa9fc7
Issuer: 04f5be18-91cc-40c4-9002-4eb30ffa9fc7
Malicious VirusTotal score: 34/72 (Scanned on 2025-04-07 15:41:14)
ALYac: Gen:Variant.Jaik.76520
AVG: Win32:SpywareX-gen [Trj]
Antiy-AVL: GrayWare/Win32.Wacapew
Arcabit: Trojan.Jaik.D12AE8
Avast: Win32:SpywareX-gen [Trj]
BitDefender: Gen:Variant.Jaik.76520
CTX: exe.trojan.jaik
CrowdStrike: win/malicious_confidence_90% (W)
Cylance: Unsafe
DeepInstinct: MALICIOUS
Elastic: malicious (high confidence)
Emsisoft: Gen:Variant.Jaik.76520 (B)
FireEye: Gen:Variant.Jaik.76520
Fortinet: W32/PossibleThreat
GData: Gen:Variant.Jaik.76520
Google: Detected
K7AntiVirus: Spyware ( 0052ae1c1 )
K7GW: Spyware ( 0052ae1c1 )
Kaspersky: UDS:Trojan-Spy.Win32.Xegumumune.gen
Kingsoft: malware.kb.a.913
Lionic: Trojan.Win32.Xegumumune.l!c
Malwarebytes: Generic.Malware/Suspicious
McAfee: Artemis!E89DBBA95890
McAfeeD: ti!7D056B282B13
MicroWorld-eScan: Gen:Variant.Jaik.76520
Microsoft: Program:Win32/Wacapew.C!ml
Panda: Trj/Chgt.AD
Rising: Spyware.Xegumumune!8.10962 (CLOUD)
Sangfor: Trojan.Win32.Save.a
Sophos: Generic Reputation PUA (PUA)
Symantec: ML.Attribute.HighConfidence
TrendMicro-HouseCall: TROJ_GEN.R002H09D525
VIPRE: Gen:Variant.Jaik.76520
Varist: W32/ABTrojan.UXKZ-0902

Hashes

MD5 e89dbba95890b1cac6e7015ef2b82052
SHA1 e791f6b42be212b1891cbe165bfc19524449248d
SHA256 7d056b282b139d3566b7be6e6c6005cf3034f0ace17d2ecacbba220afd958da2
SHA3 e77873ad0df81464d345346d61fdb47ffe7aa0aa4a13ed637f2c4b7d205fa172
SSDeep 3072:N2d+Hnxu/rspwwbvE16hwl91sqtBTJHORncF/Z8L8SlrBMDBjSvW70DgCcN+Cc6v:3Hq5wI6hwl9iqPVHwo/Z6xmx0L9CPv
Imports Hash 9e6351e6af601f00eaab03bdeb663fa3

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2025-Apr-05 18:57:07
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x23800
SizeOfInitializedData 0xe000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00007597 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x25000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x35000
SizeOfHeaders 0x400
Checksum 0x31d87
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 8a48cf912c29540991c6ede84372913b
SHA1 ffd2d30fdf04db3a17c5f97eee87857f308ffc9e
SHA256 3ec617207406bcb93396af8c794fb30391df6d9fd15817de6adbcad4d3f0274b
SHA3 922c2b7de8f5e6f9911266256dac48d1e7772aaf33a6d42ab7b5b1e32b83ed23
VirtualSize 0x2371d
VirtualAddress 0x1000
SizeOfRawData 0x23800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.62779

.rdata

MD5 62640dc8a173be2c9c4fdd75df92b634
SHA1 939a4b6a73fa0cde26b24552ce1e9cf11577d9b0
SHA256 83308ed091eb03a1b9e1b348adbadce597ba9e4aaf175961b399182238b87c1e
SHA3 7bdf4fd8ccf94769307921885a2e49459f3d1e9134959edf4a1cce7d1218e76d
VirtualSize 0xa032
VirtualAddress 0x25000
SizeOfRawData 0xa200
PointerToRawData 0x23c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.9627

.data

MD5 9109c39c957f35be8cd0e6ada8293ca3
SHA1 8844e474e21e5f81e6ac0656024482b2abe82c28
SHA256 6e7ba51fff2d75f06667bdbdc70276686130121c8e9f60b258b368ca749c2368
SHA3 2dc27ca74a4e3a015db72afd626f8e4584d025c05d5e7d617243a0411296f7c0
VirtualSize 0x1d28
VirtualAddress 0x30000
SizeOfRawData 0x1000
PointerToRawData 0x2de00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.18061

.reloc

MD5 09b40be7a1132ced457a24f46f4298d3
SHA1 5ffedb5f0e1ba117c222327f1c37a338944fac8c
SHA256 60393209593de522385e3f99818bbc8f48d6ce8c3a782c53623dcc06b497e548
SHA3 ec13bbccea48c5d5718b37e4502afe22221decba061233a98955df2db7f782cc
VirtualSize 0x1b9c
VirtualAddress 0x32000
SizeOfRawData 0x1c00
PointerToRawData 0x2ee00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.50674

.rsrc

MD5 ab0f630ac174a2c18bab65bb909db4a3
SHA1 4d8d985664aae3bfb2ffe1401de331c8b0ee8c59
SHA256 2f663bb5db0fea0041e9cead1ed43ce8e1de1fd5648f1e45daa50c9b687b1b55
SHA3 9163ea35ae1b2282abc80c56bea03128d20b7990b1b394a5cb7e66f46f263a7d
VirtualSize 0x3fc
VirtualAddress 0x34000
SizeOfRawData 0x400
PointerToRawData 0x30a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.3975

Imports

USER32.dll
OpenClipboard
GetWindowTextW
GetForegroundWindow
MapVirtualKeyA
GetAsyncKeyState
GetKeyState
GetClipboardData
CloseClipboard
ShowWindow
KERNEL32.dll
TlsSetValue
WriteConsoleW
HeapSize
CreateFileW
GetProcessHeap
SetStdHandle
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
Sleep
GlobalUnlock
GlobalLock
GetConsoleWindow
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
MultiByteToWideChar
LCMapStringEx
GetStringTypeW
GetCPInfo
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
GetModuleHandleW
GetCurrentProcess
TerminateProcess
GetACP
RaiseException
RtlUnwind
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
SetEndOfFile
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
CloseHandle
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
ReadFile
GetFileSizeEx
SetFilePointerEx
ReadConsoleW
HeapReAlloc
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage

Delayed Imports

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3a4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.50786
MD5 4067fd505ade4c2b0d2bd024edab6c50
SHA1 c0aeb7ae5edff49740a69a0362a0fe7c81b02f65
SHA256 ef6b1deba007d4950e5034c9849d3e6bd4a3640933933e043e49332e39f3de3d
SHA3 f99f5d1a628decf187b6fc6d34e04118dda531e5106818725806166257ec148e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.26100.3323
ProductVersion 10.0.26100.3323
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription Windows NT BASE API Client DLL
FileVersion (#2) 10.0.26100.3323 (WinBuild.160101.0800)
InternalName kernel32
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename kernel32
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.26100.3323
Resource LangID English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2025-Apr-05 18:57:07
Version 0.0
SizeofData 792
AddressOfRawData 0x2d910
PointerToRawData 0x2c510

TLS Callbacks

Load Configuration

Size 0xc0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x430080
SEHandlerTable 0x42d7f8
SEHandlerCount 18

RICH Header

XOR Key 0xc3bc5006
Unmarked objects 0
ASM objects (30795) 11
C++ objects (30795) 173
C objects (30795) 21
ASM objects (33808) 21
C objects (33808) 18
Imports (30795) 5
Total imports 102
C++ objects (33808) 77
C++ objects (34123) 1
Linker (34123) 1

Errors