Summary | Details |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2016-May-18 16:07:24 |
Detected languages | English - United States |
Debug artifacts | C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0. This signature match is contradicted by the optional header's LinkerVersion 14.0 and by the Rich header's "Linker (VS2015 UPD1 build 23506)" entry, both of which identify Visual Studio 2015. |
Info | Libraries used to perform cryptographic operations: Microsoft's Cryptography API |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Info | The PE is digitally signed. Signer: ScreenConnect Software. Issuer: COMODO RSA Code Signing CA |
Malicious | VirusTotal score: 3/67 (Scanned on 2018-06-13 14:23:52). TrendMicro-HouseCall: Suspicious_GEN.F47V0516; Jiangmin: Trojan.Generic.bqwbr; ViRobot: Trojan.Win32.Agent.86672. All three hits are generic or heuristic family names on a binary whose Authenticode signature names ScreenConnect Software, so this verdict is low-confidence on its own: verify the signature chain and compare the hash with the vendor's release before treating the file as malicious. |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 6 |
TimeDateStamp | 2016-May-18 16:07:24 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Optional header field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 14.0 |
SizeOfCode | 0xac00 |
SizeOfInitializedData | 0x8200 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000016E7 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0xc000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.0 |
ImageVersion | 0.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x17000 |
SizeOfHeaders | 0x400 |
Checksum | 0x1c280 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
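The three header tables above are a tool's rendering of a few hundred bytes at the start of the file, and when a summary line looks wrong (the "Visual C++ 6.0 - 8.0" compiler match does, against a 14.0 linker) the raw fields settle it. The following is an added example, not part of the original report and not the binary's own bytes: it builds a header blob from the values in these tables and parses it with `struct` alone, resolving the entry point to its section, decoding the Characteristics and DllCharacteristics bits (DYNAMIC_BASE and NX_COMPAT mean ASLR and DEP opt-in; the SecurityCookie and SEHandlerTable in the load configuration table further down add /GS and SafeSEH), and mapping MajorLinkerVersion to the toolset. Fields the page does not show (e_lfarlc, the DOS stub bytes, the data directories, the .text section layout and section headers 2 to 6) are standard or zero filler and are labelled as assumptions in the code.

```python
import calendar
import struct
from datetime import datetime, timezone

# Name tables for the bits that matter during triage (subset of winnt.h).
MACHINES = {0x014C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64",
            0x01C4: "IMAGE_FILE_MACHINE_ARMNT", 0xAA64: "IMAGE_FILE_MACHINE_ARM64"}
FILE_CHARS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE", 0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
              0x0100: "IMAGE_FILE_32BIT_MACHINE", 0x2000: "IMAGE_FILE_DLL"}
DLL_CHARS = {0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA", 0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
             0x0080: "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY", 0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
             0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH", 0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
             0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {1: "IMAGE_SUBSYSTEM_NATIVE", 2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
# MajorLinkerVersion -> toolset. 14 is VS2015 (14.0); VS2017/VS2019 keep major 14 with minor >= 10.
LINKERS = {6: "Visual C++ 6.0", 7: "Visual Studio .NET 2002/2003", 8: "Visual Studio 2005",
           9: "Visual Studio 2008", 10: "Visual Studio 2010", 11: "Visual Studio 2012",
           12: "Visual Studio 2013", 14: "Visual Studio 2015 (14.0) or later 14.x toolset"}

OPT32_FMT = "<HBB9I6H4IHH6I"  # PE32 optional header without the data directories (96 bytes)


def build_sample():
    """Constructed header blob carrying the values from the tables on this page.

    Assumptions (not on the page): e_lfarlc = 0x40, an all-zero DOS stub, zeroed data
    directories, a .text section header with raw data at 0x400, and five blank
    placeholder section headers so that NumberOfSections = 6 still parses.
    """
    dos = struct.pack("<2s13H4H2H10HI", b"MZ",
                      0x90, 0x3, 0, 0x4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0,  # e_cblp .. e_ovno
                      0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,            # e_res, e_oemid/info, e_res2
                      0x100)                                                     # e_lfanew
    stub = b"\0" * (0x100 - len(dos))
    ts = calendar.timegm((2016, 5, 18, 16, 7, 24, 0, 0, 0))                     # 2016-May-18 16:07:24 UTC
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x014C, 6, ts, 0, 0, 0xE0, 0x0002 | 0x0100)
    opt = struct.pack(OPT32_FMT,
                      0x10B, 14, 0,                                     # PE32 magic, linker 14.0
                      0xAC00, 0x8200, 0, 0x16E7, 0x1000, 0xC000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0,                                 # OS, image, subsystem versions
                      0, 0x17000, 0x400, 0x1C280,                       # Win32VersionValue .. CheckSum
                      2, 0x0040 | 0x0100 | 0x8000,                      # GUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                             # data directories (assumed zero)
    text = struct.pack("<8s6IHHI", b".text", 0xAC00, 0x1000, 0xAC00, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + stub + coff + opt + text + b"\0" * (40 * 5)


def flag_names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe32(data):
    """Parse DOS/COFF/optional headers and resolve the entry point to its section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    o = struct.unpack_from(OPT32_FMT, data, opt_off)
    if o[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry = o[6]
    entry_section = None
    for i in range(nsec):                      # section table follows the optional header
        name, vsize, va = struct.unpack_from("<8sII", data, opt_off + opt_size + 40 * i)
        if vsize and va <= entry < va + vsize:
            entry_section = name.rstrip(b"\0").decode("ascii")
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsec,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%b-%d %H:%M:%S"),
        "characteristics": flag_names(chars, FILE_CHARS),
        "linker": f"{o[1]}.{o[2]}",
        "toolset": LINKERS.get(o[1], "unknown"),
        "entry_point": entry,
        "entry_section": entry_section,
        "image_base": o[9],
        "size_of_image": o[19],
        "checksum": o[21],
        "subsystem": SUBSYSTEMS.get(o[22], o[22]),
        "dll_characteristics": flag_names(o[23], DLL_CHARS),
        "stub_bytes": e_lfanew - 0x40,        # gap between DOS header and PE signature (Rich header lives here)
    }


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample()).items():
        print(f"{key:20} {value}")
```

Run it to print the decoded fields; `stub_bytes` comes out as 0xc0, the room between the DOS header and the PE signature that the Rich header in the last table occupies.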
Imported DLL | Functions |
---|---|
CRYPT32.dll | CertOpenSystemStoreA, CryptMsgClose, CertFreeCertificateContext, CertDeleteCertificateFromStore, CryptQueryObject, CertCloseStore, CryptMsgGetParam, CertAddCertificateContextToStore, CertCreateCertificateContext. This is a certificate-store manipulation set: it opens a system store, extracts certificates from a signed object via CryptQueryObject/CryptMsgGetParam, and adds and deletes certificate contexts in the store. |
KERNEL32.dll | SetFilePointer, LocalAlloc, CreateFileW, Sleep, LoadLibraryA, CloseHandle, GetProcAddress, LocalFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, GetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStdHandle, WriteFile, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, DecodePointer, RaiseException, ReadFile, GetModuleFileNameA. Note that IsDebuggerPresent, UnhandledExceptionFilter, InitializeSListHead and the Tls*/Heap*/code-page functions are the standard VS2015 CRT startup imports, not application code. |
ADVAPI32.dll | SystemFunction036 (RtlGenRandom) |
Debug directory entry | Characteristics | TimeDateStamp | Version | SizeofData | AddressOfRawData | PointerToRawData | Referenced File |
---|---|---|---|---|---|---|---|
1 | 0 | 2016-May-18 16:07:24 | 0.0 | 112 | 0x10c14 | 0xfc14 | C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb |
2 | 0 | 2016-May-18 16:07:24 | 0.0 | 20 | 0x10c84 | 0xfc84 | |
3 | 0 | 2016-May-18 16:07:24 | 0.0 | 808 | 0x10c98 | 0xfc98 | |
4 | 0 | 2016-May-18 16:07:24 | 0.0 | 0 | 0 | 0 | |
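The first debug directory entry is 112 bytes and names ClickOnceRunner.pdb, which is exactly the size of an RSDS (PDB 7.0) CodeView record around that path: a 4-byte signature, a 16-byte GUID, a 4-byte age and the NUL-terminated 87-character path. This added example (not from the original report) builds such a record around the page's path with a placeholder GUID and age, which the page does not show, parses it back, and derives the symbol-server key that would fetch the matching PDB; the path itself is also a pivot for finding other builds from the same developer machine.

```python
import struct
import uuid

# Path exactly as it appears in the debug directory above.
PDB_PATH = r"C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb"
# GUID and age are not on the page: constructed placeholders so a record can be built.
SAMPLE_GUID = uuid.UUID("00000000-1111-2222-3333-444444444444")
SAMPLE_AGE = 1


def build_rsds(pdb_path, guid, age):
    """Lay out an IMAGE_DEBUG_TYPE_CODEVIEW record in PDB 7.0 ("RSDS") form."""
    # CV_INFO_PDB70: DWORD CvSignature; GUID Signature; DWORD Age; BYTE PdbFileName[]
    return struct.pack("<4s16sI", b"RSDS", guid.bytes_le, age) + pdb_path.encode("ascii") + b"\0"


def parse_rsds(record):
    """Return the PDB reference and the symbol-server key derived from it."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS (PDB 7.0) CodeView record")
    guid_le, age = struct.unpack_from("<16sI", record, 4)
    path = record[24:].split(b"\0", 1)[0].decode("ascii")
    guid = uuid.UUID(bytes_le=guid_le)          # Windows GUID byte order, not RFC 4122 order
    pdb_file = path.rsplit("\\", 1)[-1]
    return {
        "guid": str(guid),
        "age": age,
        "pdb_path": path,
        "pdb_file": pdb_file,
        # Symbol-server layout: <file>/<GUID hex, no dashes, upper case><age in hex>/<file>
        "symsrv_key": f"{pdb_file}/{guid.hex.upper()}{age:X}/{pdb_file}",
        "record_size": len(record),
    }


if __name__ == "__main__":
    info = parse_rsds(build_rsds(PDB_PATH, SAMPLE_GUID, SAMPLE_AGE))
    for key, value in info.items():
        print(f"{key:12} {value}")
```

With the page's path the record comes out at 112 bytes, matching SizeofData of the first entry; on a real sample the GUID and age read from this record are what `symchk` or a symbol server use to locate the exact PDB.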
Load configuration field | Value |
---|---|
Size | 0x5c |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x412004 |
SEHandlerTable | 0x410b50 |
SEHandlerCount | 3 |
Rich header field | Value |
---|---|
XOR Key | 0x51435d41 |
Unmarked objects | 0 |
241 (40116) | 9 |
243 (40116) | 120 |
242 (40116) | 24 |
ASM objects (23406) | 17 |
C++ objects (23406) | 29 |
C objects (23406) | 17 |
Imports (VS2008 SP1 build 30729) | 7 |
Total imports | 100 |
264 (VS2015 UPD1 build 23506) | 1 |
Resource objects (VS2015 UPD1 build 23506) | 1 |
Linker (VS2015 UPD1 build 23506) | 1 |
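The Rich header sits between the DOS stub and the PE signature (e_lfanew is 0x100 here, leaving 0xc0 bytes for both). The linker writes "DanS", three padding DWORDs and one (product id, build, count) pair per object type, all XORed with a key that is also a checksum over the DOS header bytes and the entries. As an added example (not from the original report, and not the ScreenConnect binary's actual bytes), the code below rebuilds the table above on a constructed DOS stub, decrypts it, and recomputes the checksum. Only the 241/242/243 and 264 product ids appear on the page numerically; the ids used for the ASM, C, C++, resource and linker rows are taken from the commonly published prodid table and are marked as assumptions in the code, and the "Imports (VS2008 SP1 build 30729)" row is left out because its id is not on the page. Encrypted with the page's key 0x51435d41, the entries decode but the checksum cannot verify, because the real DOS stub is not on the page; with a key computed the way link.exe computes it, verification passes. A mismatch on a real sample is what a forged or patched Rich header looks like.

```python
import struct

DANS = 0x536E6144          # "DanS" marker, stored XORed with the key
PAGE_KEY = 0x51435D41      # XOR Key from the table above
# Subset of the commonly published @comp.id product table (assumption: these ids are
# not on the page; the report printed names for them and numeric ids only for 241-243 and 264).
PRODIDS = {0x00FF: "Cvtres1400", 0x0102: "Linker1400", 0x0103: "Masm1400",
           0x0104: "Utc1400_C", 0x0105: "Utc1400_CPP"}
# Entries reconstructed from the Rich header table: (prodid, build, count).
PAGE_ENTRIES = [
    (241, 40116, 9), (243, 40116, 120), (242, 40116, 24),
    (0x0103, 23406, 17),   # "ASM objects"       (id assumed: Masm1400)
    (0x0105, 23406, 29),   # "C++ objects"       (id assumed: Utc1400_CPP)
    (0x0104, 23406, 17),   # "C objects"         (id assumed: Utc1400_C)
    (264, 23506, 1),
    (0x00FF, 23506, 1),    # "Resource objects"  (id assumed: Cvtres1400)
    (0x0102, 23506, 1),    # "Linker"            (id assumed: Linker1400)
]


def rol32(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(image, entries, dans_offset):
    """link.exe's checksum: DanS offset + each DOS header byte rotated by its offset
    (e_lfanew excluded) + each entry's (prodid<<16|build) rotated by its count."""
    csum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:       # e_lfanew is patched after the checksum is taken
            continue
        csum = (csum + rol32(image[i], i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        csum = (csum + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return csum


def make_dos_stub(e_lfanew=0x100):
    """Constructed 0x80-byte DOS header plus stub (not the sample's real stub)."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, e_lfanew)
    return bytes(stub)


def build_rich(stub, entries, key=None):
    """Append an encrypted Rich header; with key=None the genuine checksum is used as key."""
    if key is None:
        key = rich_checksum(stub, entries, len(stub))
    words = [DANS, 0, 0, 0]
    for prodid, build, count in entries:
        words += [(prodid << 16) | build, count]
    enc = b"".join(struct.pack("<I", w ^ key) for w in words)
    return stub + enc + b"Rich" + struct.pack("<I", key)


def parse_rich(image):
    """Find 'Rich', read the key, walk back to DanS, decrypt the entries, verify the checksum."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    rich_at = image.rfind(b"Rich", 0, e_lfanew)
    if rich_at < 0:
        return None
    key = struct.unpack_from("<I", image, rich_at + 4)[0]
    dans_at = next((off for off in range(rich_at - 4, 0x3C, -4)
                    if struct.unpack_from("<I", image, off)[0] ^ key == DANS), None)
    if dans_at is None:
        return None
    entries = []
    for off in range(dans_at + 16, rich_at, 8):       # skip DanS and the 3 padding dwords
        a, b = struct.unpack_from("<II", image, off)
        a ^= key
        entries.append((a >> 16, a & 0xFFFF, b ^ key))
    return {
        "key": key,
        "entries": entries,
        "names": [PRODIDS.get(p, str(p)) for p, _, _ in entries],
        "checksum_ok": rich_checksum(image, entries, dans_at) == key,
    }


def decode_page_header():
    """Page entries under the page's key on a constructed stub: decrypts, checksum fails."""
    return parse_rich(build_rich(make_dos_stub(), PAGE_ENTRIES, key=PAGE_KEY))


def decode_consistent_header():
    """Same entries with a properly computed key: checksum verifies."""
    return parse_rich(build_rich(make_dos_stub(), PAGE_ENTRIES))


if __name__ == "__main__":
    for label, result in (("page key", decode_page_header()), ("computed key", decode_consistent_header())):
        print(label, hex(result["key"]), "checksum_ok =", result["checksum_ok"])
        for (prodid, build, count), name in zip(result["entries"], result["names"]):
            print(f"  {name:12} build {build:5} x{count}")
```

Because the XOR key is the checksum, a header that decrypts to plausible entries but fails `checksum_ok` has been edited after linking or pasted from another binary; builds of the same product from the same toolchain tend to share entry sets, which makes the decrypted table a useful clustering feature independent of the key.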