edefdd9f4d3fd81aef434a28f93e8927

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2020-May-20 20:57:01
Debug artifacts F:\workspace\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\Release\apphost.pdb
CompanyName Timeless
FileDescription Timeless
FileVersion 1.0.0.0
InternalName Timeless.dll
LegalCopyright
OriginalFilename Timeless.dll
ProductName Timeless
ProductVersion 1.0.0
Assembly Version 1.0.0.0

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Microsoft Visual C++ 6.0 - 8.0
Note: the compiler match above is a byte-signature guess and is contradicted by the rest of the file: LinkerVersion is 14.0 and the RICH header's object and linker entries are VS 2015/2017 era (builds 26706 and 27039). Trust the RICH header and linker version. The PDB path (corehost\cli\apphost\Release\apphost.pdb) identifies the native part of this file as the .NET Core apphost, the launcher stub the .NET SDK copies, renames and stamps when publishing a managed application; the SDK also copies the managed assembly's version resource into it, which is why an .exe reports InternalName and OriginalFilename of Timeless.dll.
Suspicious Strings found in the binary may indicate undesirable behavior: Tries to detect virtualized environments:
  • HARDWARE\DESCRIPTION\System
Contains another PE executable:
  • This program cannot be run in DOS mode.
Miscellaneous malware strings:
  • cmd.exe
Note: string matches are taken from the whole file, and 99.4% of this file is overlay (see below), so these hits mostly describe the appended payload rather than the native host that ends at offset 0x21c00. A second DOS stub is exactly what a bundle of PE files produces. Before reading HARDWARE\DESCRIPTION\System or cmd.exe as evasion or as payload behaviour, locate each string by file offset and attribute it to the host or to a specific bundled file; the same applies to the hashing constants reported further down.
Contains domain names:
  • birthpopuptypesapplyImagebeinguppernoteseveryshowsmeansextramatchtrackknownearlybegansuperpapernorthlearngivennamedendedTermspartsGroupbrandusingwomanfalsereadyaudiotakeswhile.com
  • crl.microsoft.com
  • genretrucklooksValueFrame.net
  • github.com
  • go.microsoft.com
  • http://crl.microsoft.com
  • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
  • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0Z
  • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0
  • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
  • http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
  • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
  • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
  • http://go.microsoft.com
  • http://go.microsoft.com/fwlink/?LinkID
  • http://go.microsoft.com/fwlink/?LinkId
  • http://go.microsoft.com/fwlink/?linkid
  • http://manifests.microsoft.com
  • http://manifests.microsoft.com/win/2004/08/windows/events
  • http://microsoft.com0
  • http://schemas.microsoft.com
  • http://schemas.microsoft.com/win/2004/08/events
  • http://www.C
  • http://www.a
  • http://www.css
  • http://www.hortcut
  • http://www.icon
  • http://www.interpretation
  • http://www.language
  • http://www.microsoft.com
  • http://www.microsoft.com/PKI/docs/CPS/default.htm0
  • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
  • http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0
  • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
  • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
  • http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
  • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
  • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
  • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
  • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
  • http://www.microsoft.com/pkiops/docs/primarycps.htm0
  • http://www.microsoft.com/windows0
  • http://www.microsoft.com0
  • http://www.style
  • http://www.text-decoration
  • http://www.w3.org
  • http://www.w3.org/2001/XMLSchema
  • http://www.w3.org/2001/XMLSchema-instance
  • http://www.w3.org/shortcut
  • http://www.wencodeURIComponent
  • http://www.years
  • https://aka.ms
  • https://github.com
  • https://go.microsoft.com
  • https://go.microsoft.com/fwlink/?LinkID
  • https://go.microsoft.com/fwlink/?linkid
  • https://www.World
  • https://www.recent
  • manifests.microsoft.com
  • microsoft.com
  • schemas.microsoft.com
  • thing.org
  • www.microsoft.com
  • www.w3.org
Note: the domain list is a regex pass over the whole file, overlay included. Entries that are ordinary words glued to a TLD (the first entry, http://www.style, https://www.recent, thing.org and similar) are false positives from concatenated text. The crl.microsoft.com and www.microsoft.com/pki and /pkiops URLs are the CRL and AIA endpoints of Microsoft's Authenticode certificate chain, carried by any Microsoft-signed component embedded in the payload; the schemas.microsoft.com, manifests.microsoft.com and w3.org entries are XML namespaces. https://aka.ms is consistent with the apphost's own "install .NET Core" download link. That leaves github.com as the only entry not explained by the host, the runtime or a certificate chain, and it still needs to be traced to the file that contains it before it means anything.
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Uses constants related to SHA256
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Can access the registry:
  • RegOpenKeyExW
  • RegCloseKey
  • RegGetValueW
Possibly launches other programs:
  • ShellExecuteW
Note: the import table is consistent with the .NET Core apphost identified by the PDB path and does not need a hidden-import explanation. The apphost resolves hostfxr.dll at run time with LoadLibraryExW and GetProcAddress; the 3.x single-file host extracts its bundle to a temporary directory, which accounts for GetTempPathW, CreateDirectoryW, RemoveDirectoryW, FindFirstFileExW, _wfopen/fwrite and _wrename; RegOpenKeyExW/RegGetValueW match its lookup of the registered .NET install location; and MessageBoxW together with ShellExecuteW match the "install .NET Core" dialog that opens the https://aka.ms link seen in the strings. SwitchToThread is a scheduler yield used by the CRT and is not an anti-debugging indicator on its own, and IsDebuggerPresent is imported by the standard MSVC startup code. None of this clears the payload, which is where the application's own code lives.
Suspicious The file contains overlay data. 22938946 bytes of data starting at offset 0x21c00.
Overlay data amounts for 99.401% of the executable.
Note: 0x21c00 is exactly where .reloc ends (PointerToRawData 0x20200 + SizeOfRawData 0x1a00), so the overlay starts immediately after the last section and the whole file is 23,077,186 bytes. A .NET Core apphost whose overlay is 99% of the file is the layout of a single-file publish: the native host followed by the bundled managed assemblies and, for a self-contained publish, the runtime itself. The overlay is where the application actually is; the host's hashes, section hashes and import hash say nothing about it, and an imports-hash or section-hash match against another sample only proves both were produced by the same SDK apphost.
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.
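The overlay is the part of this file worth carving. The following Python script is added here as an example; it is not part of the report above and not code from the dotnet/runtime project. It computes the overlay boundary from the section table (the same arithmetic that yields 0x21c00 for this file) and then tests the single-file hypothesis: the apphost carries a 40-byte bundle marker, assumed from the dotnet/runtime apphost source to be an 8-byte little-endian manifest offset immediately followed by SHA-256 of the string ".net core bundle", which the SDK overwrites when it appends a bundle. The manifest layouts for versions 1 and 2, the file-type enum values, the `make_sample` stand-in, the bundle id `demo-bundle-id` and the file name `Timeless.exe` in the usage note are assumptions, not data taken from this file.

```python
"""Overlay and .NET single-file bundle check for a PE file.
Added example; not from the report or from dotnet/runtime. Assumed from the
dotnet/runtime apphost source: the bundle marker is an 8-byte little-endian
manifest offset followed by SHA-256(".net core bundle"), and manifest
versions 1 and 2 have the layout parsed in parse_bundle_manifest()."""
import hashlib
import json
import struct
import sys

BUNDLE_SIG = hashlib.sha256(b".net core bundle").digest()
FILE_TYPES = {0: "Unknown", 1: "Assembly", 2: "NativeBinary", 3: "DepsJson",
              4: "RuntimeConfigJson", 5: "Symbols"}   # assumed enum values

def overlay_offset(data: bytes) -> int:
    """End of the last section's raw data; anything past it is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    end = struct.unpack_from("<I", data, coff + 20 + 60)[0]   # SizeOfHeaders
    for i in range(nsect):
        hdr = coff + 20 + opt_size + 40 * i
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end

def overlay_share(offset: int, overlay_size: int) -> float:
    """Overlay as a percentage of the whole file, three decimals."""
    return round(100.0 * overlay_size / (offset + overlay_size), 3)

def bundle_header_offset(data: bytes):
    """None: no marker (not an apphost). 0: plain apphost. Else: manifest offset."""
    i = data.find(BUNDLE_SIG)
    return None if i < 8 else struct.unpack_from("<q", data, i - 8)[0]

def _read_string(data: bytes, pos: int):
    """BinaryWriter-style string: 7-bit encoded byte length, then UTF-8."""
    length = shift = 0
    while True:
        b, pos = data[pos], pos + 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            return data[pos:pos + length].decode("utf-8"), pos + length
        shift += 7

def parse_bundle_manifest(data: bytes, off: int) -> dict:
    major, minor, count = struct.unpack_from("<IIi", data, off)
    bundle_id, pos = _read_string(data, off + 12)
    m = {"version": f"{major}.{minor}", "file_count": count,
         "bundle_id": bundle_id, "files": []}
    if major == 2:
        pos += 40          # deps/runtimeconfig locations + flags (v2 only)
    elif major != 1:
        m["files"] = None  # entry layout of this version not handled here
        return m
    for _ in range(count):
        foff, fsize, ftype = struct.unpack_from("<qqB", data, pos)
        path, pos = _read_string(data, pos + 17)
        m["files"].append({"path": path, "offset": foff, "size": fsize,
                           "type": FILE_TYPES.get(ftype, str(ftype))})
    return m

def analyze(data: bytes) -> dict:
    ovl = overlay_offset(data)
    hdr = bundle_header_offset(data)
    return {"file_size": len(data), "overlay_offset": ovl,
            "overlay_size": len(data) - ovl,
            "overlay_pct": overlay_share(ovl, len(data) - ovl),
            "bundle_header_offset": hdr,
            "bundle": parse_bundle_manifest(data, hdr) if hdr else None}

def make_sample() -> bytes:
    """Constructed stand-in: 0x400 bytes of headers, one 0x200-byte .text
    section holding the marker, then one fake assembly plus a v1.0 manifest."""
    headers, text_raw = 0x400, 0x200
    payload = b"MZ-fake-assembly"
    entry = struct.pack("<qqB", headers + text_raw, len(payload), 1)
    entry += bytes([12]) + b"Timeless.dll"
    manifest = struct.pack("<IIi", 1, 0, 1) + bytes([14]) + b"demo-bundle-id" + entry
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 60, headers)                   # SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, text_raw, headers,
                       0, 0, 0, 0, 0x60000020)
    pe = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(headers, b"\0")
    marker = struct.pack("<q", headers + text_raw + len(payload)) + BUNDLE_SIG
    return pe + marker.ljust(text_raw, b"\xCC") + payload + manifest

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print(json.dumps(analyze(blob), indent=2))
```

Run it as `python overlay_bundle.py Timeless.exe` (file name assumed); with no argument it analyses the constructed sample. When the marker is present and nonzero, each manifest entry gives the offset and size of one bundled file, which can be carved and hashed on its own; those per-file hashes, not the container's, are what to search for. Manifest versions other than 1 and 2 (later SDKs can also store entries compressed) are reported by version only, and a file whose marker is absent is not an apphost at all.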

Hashes

MD5 edefdd9f4d3fd81aef434a28f93e8927
SHA1 cf760ce2bf4faf5d064c609ca552b9fec1dc8397
SHA256 a0aaecbcc14c402c1421bd5a4155dc495c56b24dc15f3e15e825e8890714bf43
SHA3 05124f7bce55a1b244414f122b3de98f10701adf5e569f3b9dfb5d2ef08b09df
SSDeep 196608:dCjIfF1d3334JGJyOAJmoGaSM0ZJ1KNbE20n+wKTESUMG0SO8mUMG0SO8n4llc7y:rzJyOo/s1K6Rlf0Sb0Soll19xCHtVEN
Imports Hash bf1462ce2cfa173883d7ac57d7af7b93

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2020-May-20 20:57:01
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x15000
SizeOfInitializedData 0xc800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00011690 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x16000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x25000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x180000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 5b71aba90061a34b49cf109db8625392
SHA1 2bdc0be470618224585a72fc5cf17e2f263f69b7
SHA256 7bf1aba8ded54bed29fa570c133ff7210adc68545aca48f8e523b7bc6703f468
SHA3 764a6915592f833233caa50c9ac89e8dbd194165d7401a6172535acc8cd6d6bb
VirtualSize 0x14e8a
VirtualAddress 0x1000
SizeOfRawData 0x15000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.47866

.rdata

MD5 3d27e7a6c7deb9b626318a7c08022a90
SHA1 cc18052c055f4584ad040fea7ba4fc1a2afaa459
SHA256 4f84a022080296cb72afcacca46345e1d1817cd1c6080765989de855ab84d70c
SHA3 804f8b7c49cc529d968950b364f8f4e2b1690a82591b6de34ab7a8a5ddd9a9e1
VirtualSize 0x9b90
VirtualAddress 0x16000
SizeOfRawData 0x9c00
PointerToRawData 0x15400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.45735

.data

MD5 5e47edde4a599da71b1525cede5eb3e5
SHA1 c0acdb782dc17682bdaec0d80953900b4b46803d
SHA256 e48daaec9e5a0e34cb481f82807f9b60621e262aab673ceee7bfe8f742a90bbb
SHA3 1f319c969508d7d9dbde09f49b9e3aa688ce70b2bbecf93af7fa69d107d817cc
VirtualSize 0x1220
VirtualAddress 0x20000
SizeOfRawData 0xc00
PointerToRawData 0x1f000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.27924

.rsrc

MD5 67ff45894314e8fc0457b40807e0c5e1
SHA1 af183a99525a64df3393518e1132e93a02748785
SHA256 07eecf6c205686533687ab09d3b45be9241ca9d4a2af70998f63b3b89ffa2b94
SHA3 a255deb5b22be2c183f8ce6c34daaf463100c2c5c4263508e4d709e5d6954879
VirtualSize 0x54c
VirtualAddress 0x22000
SizeOfRawData 0x600
PointerToRawData 0x1fc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.57571

.reloc

MD5 e7656132a8767fdd2b5008a9eb66fadb
SHA1 285b78013145e3fc5130be4327d976bd1845d3ec
SHA256 a2c9608d7dfc73584ef4aba3ea53574a1c1b459148549ccd4c2c1e85fa529a46
SHA3 dd59f27b28afa305a7d92f56bb5b25eefbebe82e6cc95a27511927490a067add
VirtualSize 0x1898
VirtualAddress 0x23000
SizeOfRawData 0x1a00
PointerToRawData 0x20200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.44082

Imports

KERNEL32.dll FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
GetFullPathNameW
GetTempPathW
GetLastError
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetEnvironmentVariableW
GetCurrentProcess
IsWow64Process
GetModuleFileNameW
GetModuleHandleExW
GetProcAddress
LoadLibraryExW
LoadLibraryA
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
RtlUnwind
RaiseException
OutputDebugStringW
GetModuleHandleW
GetCurrentProcessId
Sleep
RemoveDirectoryW
DeleteCriticalSection
CreateDirectoryW
InitializeSListHead
GetCurrentThreadId
QueryPerformanceCounter
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
LCMapStringW
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
SwitchToThread
InitializeCriticalSectionAndSpinCount
SetLastError
DecodePointer
EncodePointer
GetStringTypeW
USER32.dll MessageBoxW
SHELL32.dll ShellExecuteW
ADVAPI32.dll RegOpenKeyExW
RegCloseKey
ReportEventW
RegisterEventSourceW
DeregisterEventSource
RegGetValueW
api-ms-win-crt-runtime-l1-1-0.dll terminate
_controlfp_s
_register_thread_local_exe_atexit_callback
_errno
_c_exit
__p___wargv
_seh_filter_exe
__p___argc
_configure_wide_argv
_cexit
_crt_atexit
_exit
exit
_register_onexit_function
_initialize_onexit_table
_set_app_type
_initterm_e
_initterm
_get_initial_wide_environment
_invalid_parameter_noinfo_noreturn
_initialize_wide_environment
abort
api-ms-win-crt-heap-l1-1-0.dll calloc
free
_set_new_mode
_callnewh
malloc
api-ms-win-crt-math-l1-1-0.dll frexp
__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll _set_fmode
__stdio_common_vsprintf_s
__p__commode
fflush
_wfopen
__stdio_common_vfwprintf
fputws
fclose
fread
fseek
fwrite
__acrt_iob_func
fputwc
__stdio_common_vswprintf
api-ms-win-crt-string-l1-1-0.dll strcpy_s
memset
strcspn
wcsncmp
_wcsicmp
_wcsnicmp
wcsnlen
_wcsdup
api-ms-win-crt-locale-l1-1-0.dll __pctype_func
setlocale
___mb_cur_max_func
___lc_codepage_func
___lc_locale_name_func
localeconv
_unlock_locales
_lock_locales
_configthreadlocale
api-ms-win-crt-filesystem-l1-1-0.dll _wrename
_wremove
api-ms-win-crt-convert-l1-1-0.dll wcstoul
_wtoi
api-ms-win-crt-time-l1-1-0.dll _time64
wcsftime
_gmtime64

Delayed Imports

(EMPTY)

Resources

1

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x2c0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.17498
MD5 deed92f1bfa41f362110c25876ecfeed
SHA1 1a05ea0c949a4b849cc8ffd2cb8d7a55ff6a4141
SHA256 34a020f61ada8874f726fc46d2d53fd7614df86aadee5dc9b96e3c1a7ebd0c3d
SHA3 9a8e9bc098333998d8caf979df77fe76909029ab5de839306dced9e3163b12a5

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1ea
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
CompanyName Timeless
FileDescription Timeless
FileVersion (#2) 1.0.0.0
InternalName Timeless.dll
LegalCopyright
OriginalFilename Timeless.dll
ProductName Timeless
ProductVersion (#2) 1.0.0
Assembly Version 1.0.0.0
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2020-May-20 20:57:01
Version 0.0
SizeofData 118
AddressOfRawData 0x1d534
PointerToRawData 0x1c934
Referenced File F:\workspace\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\Release\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2020-May-20 20:57:01
Version 0.0
SizeofData 20
AddressOfRawData 0x1d5ac
PointerToRawData 0x1c9ac

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2020-May-20 20:57:01
Version 0.0
SizeofData 856
AddressOfRawData 0x1d5c0
PointerToRawData 0x1c9c0

TLS Callbacks

StartAddressOfRawData 0x41d928
EndAddressOfRawData 0x41d930
AddressOfIndex 0x420e34
AddressOfCallbacks 0x416280
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)
Note: a TLS directory with an empty callback list is the normal layout for static thread-local storage emitted by the CRT; no code is registered to run before the entry point through this route.

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x420534
SEHandlerTable 0x41d400
SEHandlerCount 77
GuardCFCheckFunctionPointer 0x416228
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
Note: DllCharacteristics advertises IMAGE_DLLCHARACTERISTICS_GUARD_CF and a check-function pointer is set, but no Guard CF function table and no guard flags were parsed, so there is no target list for the loader to enforce. Confirm with dumpbin /loadconfig before counting CFG as an active mitigation for this file. SafeSEH (77 handlers) and the stack security cookie are present.
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xc8c41d4a
Unmarked objects 0
ASM objects (VS 2015/2017 runtime 26706) 13
C++ objects (VS 2015/2017 runtime 26706) 61
C objects (VS 2015/2017 runtime 26706) 32
Imports (VS2008 SP1 build 30729) 18
Imports (VS2015/2017 runtime 25711) 9
Total imports 165
C++ objects (27039) 13
Linker (27039) 1

Errors

(EMPTY)