| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
| Compilation Date |
2020-Jan-05 12:15:27
|
| Info |
Cryptographic algorithms detected in the binary: |
Uses constants related to CRC32
|
| Suspicious |
The PE contains functions most legitimate programs don't use. |
[!] The program may be hiding some of its imports:
- GetProcAddress
- LoadLibraryExW
- LoadLibraryA
Possibly launches other programs:
Can create temporary files:
Leverages the raw socket API to access the Internet:
Enumerates local disk drives:
|
| Suspicious |
The file contains overlay data. |
1890658 bytes of data starting at offset 0x61400.
The overlay data has an entropy of 7.99913 and is possibly compressed or encrypted.
Overlay data amounts for 82.5978% of the executable.
|
| Suspicious |
No VirusTotal score. |
This file has never been scanned on VirusTotal.
|
| MD5 |
972c1038b1955288c7c3cff8a3a33da1
|
| SHA1 |
b017187ac2931460a55f32d91306486ea2852393
|
| SHA256 |
f12bba19049c650b6768e7f0f91b3ccd3910293b5faa580d2eea3dbb17702260
|
| SHA3 |
61b8d8392e955a431e9667d9eea2a80bd149c4d5c7b0276386b7dd32eec80e21
|
| SSDeep |
49152:7aTv4tL2h7wDvj7NCeSyNueVht8qYxyHWN+bdxJZ6GBD:7U4tL2SDvMjouer2UTh
|
| Imports Hash |
7aa1951517b3b8d38b12f874b66196c9
|
| e_magic |
MZ
|
| e_cblp |
0x90
|
| e_cp |
0x3
|
| e_crlc |
0
|
| e_cparhdr |
0x4
|
| e_minalloc |
0
|
| e_maxalloc |
0xffff
|
| e_ss |
0
|
| e_sp |
0xb8
|
| e_csum |
0
|
| e_ip |
0
|
| e_cs |
0
|
| e_ovno |
0
|
| e_oemid |
0
|
| e_oeminfo |
0
|
| e_lfanew |
0x108
|
| Signature |
PE
|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections |
7
|
| TimeDateStamp |
2020-Jan-05 12:15:27
|
| PointerToSymbolTable |
0
|
| NumberOfSymbols |
0
|
| SizeOfOptionalHeader |
0xf0
|
| Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
| Magic |
PE32+
|
| LinkerVersion |
14.0
|
| SizeOfCode |
0x21600
|
| SizeOfInitializedData |
0x3fa00
|
| SizeOfUninitializedData |
0
|
| AddressOfEntryPoint |
0x0000000000008B14 (Section: .text)
|
| BaseOfCode |
0x1000
|
| ImageBase |
0x140000000
|
| SectionAlignment |
0x1000
|
| FileAlignment |
0x200
|
| OperatingSystemVersion |
5.2
|
| ImageVersion |
0.0
|
| SubsystemVersion |
5.2
|
| Win32VersionValue |
0
|
| SizeOfImage |
0x74000
|
| SizeOfHeaders |
0x400
|
| Checksum |
0
|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve |
0x100000
|
| SizeofStackCommit |
0x1000
|
| SizeofHeapReserve |
0x100000
|
| SizeofHeapCommit |
0x1000
|
| LoaderFlags |
0
|
| NumberOfRvaAndSizes |
16
|
| MD5 |
bc76aa9332c27788b891bf46421d2261
|
| SHA1 |
686c80d3a8c6ec573a5c6ffec549cad4bb0a678a
|
| SHA256 |
cb7cce6853729802c59d8b2371573b1d807180eb07dc52cabe8bdce46d6bbccb
|
| SHA3 |
65a7d369a5d960b36a306c893e459eb1db6966cef5ace4dcf57206437e94db47
|
| VirtualSize |
0x214d0
|
| VirtualAddress |
0x1000
|
| SizeOfRawData |
0x21600
|
| PointerToRawData |
0x400
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
|
| Entropy |
6.45785
|
| MD5 |
ffb1fcb4e358028e22b7048afa07095b
|
| SHA1 |
02ddad3a50d506a6c99e5b3dc6a07c74f19c58d7
|
| SHA256 |
15a56cb31592fb28a104e40d74875614919201e4df622e9498f4eae25f55f3c0
|
| SHA3 |
8785d12699279c3006f73dd1c859f98ec357ce28002baab673d347c3b47a9480
|
| VirtualSize |
0xf49e
|
| VirtualAddress |
0x23000
|
| SizeOfRawData |
0xf600
|
| PointerToRawData |
0x21a00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
| Entropy |
5.83487
|
| MD5 |
e001c48c58a83fc36b1ec29411188fa4
|
| SHA1 |
5203faefd2291bfaffc2738d35c00d2fb6da126b
|
| SHA256 |
9882f044a326f172e5819392d47e875664b0b6e27fa8e727491b11610869260d
|
| SHA3 |
7830e8f91b5192569c0285f2617b20c96c86f56e8e04d49bdc2b822a59b35fda
|
| VirtualSize |
0xf108
|
| VirtualAddress |
0x33000
|
| SizeOfRawData |
0xc00
|
| PointerToRawData |
0x31000
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
| Entropy |
1.84757
|
| MD5 |
2d86c7785fa4cdbeee10fa69a2e2d271
|
| SHA1 |
625726f93f714083cc036be0032c9831c09a5e0a
|
| SHA256 |
af4c7f89891ee7a467a0e3667c1d65a994cfa9e381481107a0a73df865adbf81
|
| SHA3 |
77171c94d107898995ee3fd39d2b5a3cd1bc847f86a549d6c81c7be9b652a37f
|
| VirtualSize |
0x1d10
|
| VirtualAddress |
0x43000
|
| SizeOfRawData |
0x1e00
|
| PointerToRawData |
0x31c00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
| Entropy |
5.22925
|
| MD5 |
4ca521d659f21e53989de742d2577e62
|
| SHA1 |
ab0eeab214975ac81307258033a40b34f277929e
|
| SHA256 |
b2325b63a1da49ed3306a132e879fb2ad3dd3ca7bc3d024b361f322287b3679c
|
| SHA3 |
929ef5c35d504b513bee15816bd5069061ea9de82e77270018884c2a36b03f68
|
| VirtualSize |
0xac
|
| VirtualAddress |
0x45000
|
| SizeOfRawData |
0x200
|
| PointerToRawData |
0x33a00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
| Entropy |
1.72035
|
| MD5 |
3292c5376aeff7d18c4673a8427886c3
|
| SHA1 |
9490fa6fc2bf5b9b7d13ba32da594bb15eadafaf
|
| SHA256 |
2494e2d0e6740a45e9e9af12a4f88c49c104cc4b7f43cc8468ea55ff209408b6
|
| SHA3 |
32fd8ecc372290929b60d73e72e8a209f07d32954806fd48c468337712e8a7bb
|
| VirtualSize |
0x2ce08
|
| VirtualAddress |
0x46000
|
| SizeOfRawData |
0x2d000
|
| PointerToRawData |
0x33c00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
| Entropy |
4.7813
|
| MD5 |
7df6f38c84844da9738fba2d2a443f7f
|
| SHA1 |
09b4da2d7f37b424aeb8df0b7632a1c8594c96b7
|
| SHA256 |
cb41bb86c2112e09afbc8136608737abb0546f4114d4afc43569cbab15e1a7e9
|
| SHA3 |
1c398c095d035089b5c1ddc3d8c79ae6690ea575e50ec72207e8f7dd97a8c21e
|
| VirtualSize |
0x690
|
| VirtualAddress |
0x73000
|
| SizeOfRawData |
0x800
|
| PointerToRawData |
0x60c00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
|
| Entropy |
4.9923
|
| KERNEL32.dll |
GetModuleFileNameW
GetProcAddress
GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
WaitForSingleObject
Sleep
SetDllDirectoryW
CreateProcessW
GetStartupInfoW
LoadLibraryExW
CreateDirectoryW
GetShortPathNameW
FormatMessageW
LoadLibraryA
MultiByteToWideChar
WideCharToMultiByte
GetExitCodeProcess
GetLastError
SetEndOfFile
HeapReAlloc
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetCommandLineA
ReadFile
CreateFileW
GetDriveTypeW
GetFileType
CloseHandle
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
GetFullPathNameA
RemoveDirectoryW
FindClose
FindFirstFileExW
FindNextFileW
SetStdHandle
SetConsoleCtrlHandler
DeleteFileW
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
GetACP
HeapFree
HeapAlloc
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleCP
CompareStringW
LCMapStringW
GetCurrentDirectoryW
FlushFileBuffers
SetEnvironmentVariableA
GetFileAttributesExW
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStringTypeW
GetProcessHeap
WriteConsoleW
GetTimeZoneInformation
HeapSize
RaiseException
|
| ADVAPI32.dll |
ConvertStringSecurityDescriptorToSecurityDescriptorW
|
| WS2_32.dll |
ntohl
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x5309
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
7.97359
|
| Detected Filetype |
PNG graphic file
|
| MD5 |
e30fc66585b424856c0f983e4d16cdd2
|
| SHA1 |
c336b95f3685d608bd19d4d02f97efe81384fa19
|
| SHA256 |
61681f423e185014ed6e3048b1b33d6e53870b3fd15a326c4788a5457e60123a
|
| SHA3 |
c875aec755ff17da26b6ce4b908fa9632d2ac57d874ae593c1b8a03716a3048d
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x10828
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
3.55939
|
| MD5 |
0162e37e58e3e58668bed3b7c363c183
|
| SHA1 |
3db7861c5841d47579020db2fcaf43141a4fec3f
|
| SHA256 |
1c1941ab3b2ac63fc62f6565d7432dfdf03eb0beb18705c0870278426ab77ccf
|
| SHA3 |
c9f981dccb1b1f37060fde0c5f24e5706505d6dfaf99b23c8a0c342fe65f4e32
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x94a8
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
4.03706
|
| MD5 |
ef688cd769ddabc7b6565889ee191183
|
| SHA1 |
c80c746d04b3dea776493153bf49f5c164f68a6f
|
| SHA256 |
d07a75a41d383d23e76d40ddace95df6a5998f5135397a2a4e09b641d9a4a79e
|
| SHA3 |
626b5fed77dcfe8d0bac99cf53ba28ea42b2ee0956a496de69da69be74be0cd7
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x5488
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
4.01515
|
| MD5 |
974aa97fabae886288f4f0d821fd906e
|
| SHA1 |
e9af9230b1f2d6865db465a5290881203a953070
|
| SHA256 |
be42efe6095473f9ca3d66e035935288b1687706c83932408b09ffce54809d84
|
| SHA3 |
af07492ac894755a2f1c14fe4852c01787cc07814f4afc91deec2f5478567af0
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x4228
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
3.86551
|
| MD5 |
db07cabcb0dad5f23d81a4d11541ecab
|
| SHA1 |
c6c9a0a563167bb3c51c0c7b562233c88d6342b6
|
| SHA256 |
3fefeabcb63f9faec84330ffde7dfda064c3b32024a53262f0aa9abbd9ebee66
|
| SHA3 |
b0dd018c125511c27cca0ece5f261682913c538520885be355208421aff5c6d1
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x25a8
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
4.31237
|
| MD5 |
0c8b5fa2cfdbbf3e2ad942584c79413c
|
| SHA1 |
4a95e7344fb812199d7652649542ad6de207f216
|
| SHA256 |
5523014479ae5f32c754f4c49a0f73f73aa55ca5ecfb68a0856c74b7084a319f
|
| SHA3 |
df0c9091bf0b09c05ba1c81a8a44dfad255d2cc0d39e91f8175d14bc60ae60f5
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x10a8
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
4.35232
|
| MD5 |
86d87c5e70df355488dfd68e0c822904
|
| SHA1 |
3cd080b99ed23c2b0a9c8a132f75366d7dcded67
|
| SHA256 |
7c661751745054a30bb556fe0b4d52979b7f9361e2479b935034a5ae0ac2493f
|
| SHA3 |
ba1e07f42cb065909386ea7f5ecef48b97af469fcb63eecd73bc4068b11d69fd
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x988
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
4.73845
|
| MD5 |
3b354458d0977be0e2f73a10a0a46442
|
| SHA1 |
880c0df2bf98a5a9761b1545d6bb7656b2ff18ac
|
| SHA256 |
679aacf923de2a104d2b2fa00fed18026c65014e2c14cf6e9b61f7c80e0d34d1
|
| SHA3 |
c2f1ebaca9d205638ea1047a40ebd566f3713626152f313c660a616657d609d4
|
| Type |
RT_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x468
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
4.88163
|
| MD5 |
ea0343502d5d078ed2016c7fa3e8c5fa
|
| SHA1 |
a72c3a27f690ae7f82ea2b02bb737c4cc26a8ab1
|
| SHA256 |
e208a213d43066d3f8d55338b8d8ce54516b3ec50fa7a2e4a6052624740e21ee
|
| SHA3 |
7df8d7839dded0f8857580522c47f07198e17d7d7fe5575324cefb88450a10b3
|
| Type |
RT_GROUP_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x84
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
3.01007
|
| Detected Filetype |
Icon file
|
| MD5 |
36bb4d8746f7a121836c488a3f08d726
|
| SHA1 |
0a889d8c669659ce2ea953e9e234c3a991893925
|
| SHA256 |
41aab68cebe6095e37f0b4131b91c1c957ea121f3a29813448f5458fc9b32183
|
| SHA3 |
ec27d42be42c92375194411ca13c392735bc82aabc7fdcbcc2df75ff7b82c906
|
| Type |
RT_GROUP_ICON
|
| Language |
UNKNOWN
|
| Codepage |
Latin 1 / Western European
|
| Size |
0x68
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
2.71858
|
| Detected Filetype |
Icon file
|
| MD5 |
d06bb5f499a7e63fdebdde478b53af68
|
| SHA1 |
f4b46ca808dc838d436be1d2c13a40d51bdd8f4f
|
| SHA256 |
038506ab04814afcdce660ffc0de198ebe40a5b0d8e090799549e208c689fed5
|
| SHA3 |
af3d6a80a0ad9e117953a9e1466a44d29b3d32a19a456a9297995e94ead2efd7
|
| Characteristics |
0
|
| TimeDateStamp |
2020-Jan-05 12:15:27
|
| Version |
0.0
|
| SizeofData |
720
|
| AddressOfRawData |
0x2fab8
|
| PointerToRawData |
0x2e4b8
|
| Size |
0x94
|
| TimeDateStamp |
1970-Jan-01 00:00:00
|
| Version |
0.0
|
| GlobalFlagsClear |
(EMPTY)
|
| GlobalFlagsSet |
(EMPTY)
|
| CriticalSectionDefaultTimeout |
0
|
| DeCommitFreeBlockThreshold |
0
|
| DeCommitTotalFreeThreshold |
0
|
| LockPrefixTable |
0
|
| MaximumAllocationSize |
0
|
| VirtualMemoryThreshold |
0
|
| ProcessAffinityMask |
0
|
| ProcessHeapFlags |
(EMPTY)
|
| CSDVersion |
0
|
| Reserved1 |
0
|
| EditList |
0
|
| SecurityCookie |
0x140033010
|
| XOR Key |
0x86ac5c9d
|
| Unmarked objects |
0
|
| 241 (40116) |
7
|
| 243 (40116) |
169
|
| 242 (40116) |
13
|
| ASM objects (VS2015 UPD3 build 24123) |
7
|
| C++ objects (VS2015 UPD3 build 24123) |
28
|
| C objects (VS2015 UPD3 build 24123) |
19
|
| Imports (65501) |
7
|
| Total imports |
115
|
| C objects (VS2015 UPD3 build 24210) |
17
|
| Resource objects (VS2015 UPD3 build 24210) |
1
|
| Linker (VS2015 UPD3 build 24210) |
1
|
[*] Warning: Raw bytes from section .rsrc could not be obtained.