ed1a289648df0ccad28a323097ca8db4

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2013-Dec-07 21:16:01
Detected languages German - Germany
Debug artifacts ParkdaleCmd.dbg
Comments http://j.mp/the_sz
CompanyName CompSoft
FileDescription ParkdaleCmd
FileVersion 1.01
InternalName ParkdaleCmd
LegalCopyright Copyright © 2013
LegalTrademarks
OriginalFilename ParkdaleCmd.exe
PrivateBuild
ProductName CompSoft ParkdaleCmd
ProductVersion 1.01
SpecialBuild The SZ

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ 6.0 - 8.0
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
  • Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior:
Tries to detect virtualized environments:
  • HARDWARE\DESCRIPTION\System
May have dropper capabilities:
  • CurrentControlSet\Services
Accesses the WMI:
  • ROOT\CIMV2
Miscellaneous malware strings:
  • Cmd.exe
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to AES
  • Microsoft's Cryptography API
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegCloseKey
  • RegQueryValueExA
  • RegOpenKeyExA
Uses Microsoft's cryptographic API:
  • CryptAcquireContextA
  • CryptReleaseContext
  • CryptGenRandom
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Enumerates local disk drives:
  • GetVolumeInformationA
Can take screenshots:
  • GetDC
  • BitBlt
  • CreateCompatibleDC
Suspicious The file contains overlay data. 272 bytes of data starting at offset 0x41000.
Safe VirusTotal score: 0/62 (Scanned on 2017-05-15 09:59:40) All the AVs think this file is safe.

Hashes

MD5 ed1a289648df0ccad28a323097ca8db4
SHA1 2ced1c8509e77e9fa00f79ea1bef44bd48fe6c25
SHA256 1d615e28d8f31451adafa7ee1b532ac3fd064dfba1d4bbf0db81177412053e73
SHA3 11b5d3648683db19dab33e574440ab62956a41056091afeec2b73aae1c124b40
SSDeep 6144:3VYXVozdPNBeOp6D5EIyOR/v44hkiLRfG:3Vz9p6DmIL/vvzF
Imports Hash 2e9b31e647dc80c3321db464a199e719

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2013-Dec-07 21:16:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x1b000
SizeOfInitializedData 0x27000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00010514 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1c000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x43000
SizeOfHeaders 0x1000
Checksum 0x411e4
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 02e459d89a8b65901f9cc8cfa6fe6310
SHA1 c333bca39b68dd26388f294e2554a63ed0abdc36
SHA256 f894f9b2169925b853559f782a38116181d7a1013d4780dc00d8ecca459789d2
SHA3 6cab31434b60b0e7b1ed6440587bbe5b60f7921f4b81f09e780c9fb3d85a795d
VirtualSize 0x1ab45
VirtualAddress 0x1000
SizeOfRawData 0x1b000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.47225

.rdata

MD5 d4c556116bcf8b0bd1f9e21aac6b4bf1
SHA1 6fd1e514d90fec7e2f8c4dfea2a89d387d9d30ed
SHA256 3df09466501e3886cab5256a5f7cabe827fe257c73e12ea16c83e2840bd6aab3
SHA3 bfbfa94456359b0e6b63748fe006f4cb12534ee0c02bb825806a8d4a503baefb
VirtualSize 0x6f48
VirtualAddress 0x1c000
SizeOfRawData 0x7000
PointerToRawData 0x1c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.67391

.data

MD5 4bf5673cbeb931f8ae5f5e1623c4fcef
SHA1 74a8e1f57285660dfa52c20d538c3e121aed8fd7
SHA256 1f2afb735f045fa0c3014863c79c3ec7e642dc8ec0e709009306ee464f6f5c6a
SHA3 4c107361e3c4ef8a83d98b012e1fe6e2e77952a0d8dc2270a87f0b7fc44129eb
VirtualSize 0x72d8
VirtualAddress 0x23000
SizeOfRawData 0x6000
PointerToRawData 0x23000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.58044

.rsrc

MD5 5f302b30b6402c38ac16521376b5a484
SHA1 a4b0ba86a1dec39ffd17bc3a98d7a2f6235ea5e2
SHA256 f3d196d40b821f13e7e183f4de7648ccbb774c2c4094dd760b3bf3c053ac1e7a
SHA3 8f788d1ecd7c31d2fbd08a6658558a9958a6b4241a1844d9ef3832262e81fdc7
VirtualSize 0x17658
VirtualAddress 0x2b000
SizeOfRawData 0x18000
PointerToRawData 0x29000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.39346

Imports

KERNEL32.dll:
  • LocalFree
  • GetCommandLineA
  • GetSystemTime
  • GetLocalTime
  • FileTimeToSystemTime
  • FileTimeToLocalFileTime
  • GetDateFormatA
  • GetTimeFormatA
  • GetTickCount
  • GetModuleFileNameA
  • LocalAlloc
  • MulDiv
  • SetUnhandledExceptionFilter
  • GetThreadSelectorEntry
  • GetCurrentProcessId
  • GetVersionExA
  • GetCurrentThreadId
  • LoadLibraryA
  • FreeLibrary
  • GetProcAddress
  • Sleep
  • CreateThread
  • TerminateThread
  • GetEnvironmentVariableA
  • GetVolumeInformationA
  • CreateEventA
  • SetEvent
  • WaitForMultipleObjectsEx
  • InitializeCriticalSection
  • DeleteCriticalSection
  • EnterCriticalSection
  • QueryPerformanceCounter
  • TerminateProcess
  • RtlUnwind
  • HeapFree
  • HeapAlloc
  • GetVersion
  • ExitProcess
  • HeapReAlloc
  • RaiseException
  • HeapSize
  • TlsSetValue
  • TlsAlloc
  • SetLastError
  • TlsGetValue
  • HeapDestroy
  • HeapCreate
  • VirtualFree
  • VirtualAlloc
  • IsBadWritePtr
  • UnhandledExceptionFilter
  • FreeEnvironmentStringsA
  • FreeEnvironmentStringsW
  • GetEnvironmentStrings
  • GetEnvironmentStringsW
  • SetHandleCount
  • GetStdHandle
  • GetFileType
  • GetStartupInfoA
  • GetCPInfo
  • GetACP
  • GetOEMCP
  • LCMapStringA
  • LCMapStringW
  • IsBadReadPtr
  • IsBadCodePtr
  • GetStringTypeA
  • GetStringTypeW
  • SetStdHandle
  • OpenFileMappingA
  • CreateFileMappingA
  • MapViewOfFile
  • SetEndOfFile
  • SetFilePointer
  • UnmapViewOfFile
  • FlushFileBuffers
  • WriteFile
  • ReadFile
  • DeleteFileA
  • CreateDirectoryA
  • SetFileAttributesA
  • GetWindowsDirectoryA
  • GetCurrentProcess
  • GetTempPathA
  • GetFileSize
  • SetErrorMode
  • GetFileAttributesA
  • CreateFileA
  • CloseHandle
  • InterlockedIncrement
  • InterlockedDecrement
  • MultiByteToWideChar
  • GetThreadLocale
  • GetStringTypeExA
  • WideCharToMultiByte
  • lstrlenA
  • FormatMessageA
  • GetModuleHandleA
  • RemoveDirectoryA
  • LeaveCriticalSection
  • GetLastError
WINMM.dll:
  • timeGetTime
VERSION.dll:
  • VerQueryValueA
  • GetFileVersionInfoA
  • GetFileVersionInfoSizeA
USER32.dll:
  • GetKeyState
  • GetDlgCtrlID
  • InflateRect
  • GetSysColor
  • GetWindowTextA
  • GetWindowTextLengthA
  • PtInRect
  • GetCursorPos
  • PostMessageA
  • WindowFromPoint
  • FrameRect
  • FillRect
  • GetDC
  • DrawTextA
  • ReleaseDC
  • TranslateMessage
  • DispatchMessageA
  • MsgWaitForMultipleObjects
  • MapDialogRect
  • SetTimer
  • KillTimer
  • PeekMessageA
  • PostQuitMessage
  • DestroyWindow
  • GetParent
  • ScreenToClient
  • CharNextA
  • ShowWindow
  • InvalidateRect
  • GetClientRect
  • MapWindowPoints
  • LoadCursorA
  • SetCursor
  • SetWindowPos
  • GetForegroundWindow
  • DialogBoxIndirectParamA
  • RemovePropA
  • GetWindowLongA
  • SetWindowLongA
  • SetWindowTextA
  • GetSystemMetrics
  • LoadImageA
  • LoadIconA
  • GetDlgItem
  • SetDlgItemTextA
  • GetDlgItemTextA
  • EndDialog
  • SystemParametersInfoA
  • SendMessageA
  • CreateWindowExW
  • CallWindowProcA
  • GetPropA
  • SetPropA
  • BeginPaint
  • DrawEdge
  • EndPaint
  • GetWindowRect
  • DrawFocusRect
  • SendDlgItemMessageA
GDI32.dll:
  • GetTextExtentPoint32A
  • SetBkMode
  • SetBkColor
  • CreateSolidBrush
  • SetStretchBltMode
  • StretchBlt
  • BitBlt
  • CreateFontA
  • EnumFontFamiliesExA
  • DeleteObject
  • RestoreDC
  • GetStockObject
  • SetTextColor
  • CreateCompatibleDC
  • GetDeviceCaps
  • GetObjectA
  • CreateFontIndirectA
  • SaveDC
  • SelectObject
  • GetTextMetricsA
  • DeleteDC
ADVAPI32.dll:
  • CryptAcquireContextA
  • RegCloseKey
  • RegQueryValueExA
  • RegOpenKeyExA
  • CryptReleaseContext
  • CryptGenRandom
SHELL32.dll:
  • ShellExecuteExA
ole32.dll:
  • CoSetProxyBlanket
  • OleRun
  • CoInitializeSecurity
  • CoUninitialize
  • CoCreateInstance
  • CoInitialize
OLEAUT32.dll:
  • #6
  • #2
  • #9
  • #148
  • #8

Delayed Imports

Resources

1

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.48757
MD5 71902721501990942f00d302d0de1617
SHA1 60ff515a543857d45908ab346db5afd9caa0af7d
SHA256 325fa00f6f60505d7a2a051ded9037c096d6eac326fbf412ae61e860087f314b
SHA3 eb4a4a6d8aa2bb6817bb6a9f6082b717ebb0957c42d5c0daec5bebef374ee26b

2

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.42531
MD5 1c7f3f7e2644efc65b99ace458358590
SHA1 156f5c8fb68f04051e2ccca5ccd2cc40f642363a
SHA256 9ad8ff55b594b6ef3b95b34075dd876244a498fd69714d01334534a3f2d8a1a8
SHA3 9bf745b8ec0caa3f833523dd088c6e2f74ce5d1a7c3bc90dc1cafa09d563f70c

3

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x6c8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.02211
MD5 2e87e31eab4e3167ee3af5a4b56b4c07
SHA1 6c37d6b513a4f050f3e410cc32f52217a9ebfc87
SHA256 9cc5e709ecb6bd3f8bad1720cf6aee8a6a2a45de2c1fa1df72cbfea3d3a0ce2e
SHA3 30076f8e77c0a1643aa0d25476fba5bf738b1973f6bdad44a95ad8aca04505c3

4

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.64015
MD5 c75983b6c0e580570cabaa3fc1138691
SHA1 ac05b81c599302ae6698fdd662a2ad62ce4704ec
SHA256 f25a61130b94b1cfd7cf23570440f2090ee21290e623d6371f25a0f454dfe770
SHA3 7223bc4ff3bf6eea6e4c3e85185f61e3568595bbcad3190f9f35c9fb4ee63d87

5

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.31395
MD5 08a96361fe009f941ff433a1027ee9a4
SHA1 f3170af0f0d0ce107e53cce70531ed64e895bf16
SHA256 eff0a222768dd73c74741564815e28150c5f6024d3d17cea9ae66fb6f173920f
SHA3 8ef3d4a692da3bcc525e05d39e1e38c551c34453d6e76d5297baa23fcd53e4df

6

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.79267
MD5 6877aecb156c6969bbcefc9d962a6514
SHA1 90a8a4e75b4f4faff5fd56c2700f4652de8e4bcd
SHA256 7d2d445f4fdfa8809334af9593a2b6b513fb5ba5d993029e76ebcf59fc633c20
SHA3 9fafd587a869049618fb6eef4e925649a0bb190cec6161cd7eb4fd59f638c282

7

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.78895
MD5 4aa17b0c37aae62165d1330009fba4e6
SHA1 2564e8143637bb77821c0ab0c885fcd69f4c02f1
SHA256 b71cbdc133860fa270877ac7a61382f6e3668800003077287736c8035dabcee4
SHA3 d612182c26b22d117f954a669448b96d0ad0a544446cb2401e4f249accef2035

8

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.07381
MD5 0fecb745ebc2d224cf95a79d6cf8ef24
SHA1 5fa680f38909fd560defb981426c41c755bd3474
SHA256 7e8cf38a796f9be85a167ec80ef040d5958f8d9f415a0057f827bed6aae9cf97
SHA3 18275f028232c80f9469ae80edcf7cd586391a90e3fe1f607718669649701b14

9

Type RT_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.91141
MD5 a6e378dcec52e07f968cddd9fb7bf98f
SHA1 eb7ea8633dbfdb046254c798608b9778a6861ffe
SHA256 32657bb11e47544af7f321d2582047a0afb6d624471c69483b405d707c83b2e7
SHA3 af5054d2587d794f3c70d9f80b174d9aa6f7ab2bece0984b477ce9f5d52d5aa7

101

Type RT_GROUP_ICON
Language German - Germany
Codepage UNKNOWN
Size 0x84
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.94974
Detected Filetype Icon file
MD5 df49b31f6f0a931e70ddb830643c0849
SHA1 3871b86ca4281ec22579f1060270265603ab7625
SHA256 ce36984c0ade5ad688447c713d3a0301504ffcd81f5ace0784cebfa00d50f2fc
SHA3 ac339b84f326429e2c6dd5ec01077f85c5172dddc3e685cd6a0c7538abb3ae78

1 (#2)

Type RT_VERSION
Language German - Germany
Codepage UNKNOWN
Size 0x378
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.39768
MD5 daa1e0e0516f51f0236cedf8a7041030
SHA1 49c2245d8db13507c87fbce4b0746c1ccc17f8f6
SHA256 63519cef80f3594956a2599de6ce54da109228cf7cc5327ebdb31992d860182a
SHA3 9a78fb63e3cd4a3f19e2d5f4875282ebb2660a44eb5b078b4f5f2dc976b7d00e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.1.1
ProductVersion 1.0.1.1
FileFlags VS_FF_SPECIALBUILD
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language German - Germany
Comments http://j.mp/the_sz
CompanyName CompSoft
FileDescription ParkdaleCmd
FileVersion (#2) 1.01
InternalName ParkdaleCmd
LegalCopyright Copyright © 2013
LegalTrademarks
OriginalFilename ParkdaleCmd.exe
PrivateBuild
ProductName CompSoft ParkdaleCmd
ProductVersion (#2) 1.01
SpecialBuild The SZ
Resource LangID German - Germany

IMAGE_DEBUG_TYPE_MISC

Characteristics 0
TimeDateStamp 2013-Dec-07 21:16:01
Version 0.0
SizeofData 272
AddressOfRawData 0
PointerToRawData 0x41000
Referenced File ParkdaleCmd.dbg

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xac55e266
Unmarked objects 0
C objects (VS98 build 8168) 1
14 (7299) 28
C objects (VS98 SP6 build 8804) 141
C++ objects (8798) 3
37 (8755) 2
C objects (9178) 3
Imports (9210) 19
Total imports 344
C++ objects (VS98 SP6 build 8804) 54
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors
