f734dcd6647ad2b136d40229906719ea
Summary
| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
| Compilation Date | 2024-May-04 04:55:38 |
Plugin Output
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
| Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
| Suspicious | The file contains overlay data. |
9087920 bytes of data starting at offset 0x60600.
The overlay data has an entropy of 7.9981 and is possibly compressed or encrypted. Overlay data amounts for 95.8371% of the executable. |
| Suspicious | No VirusTotal score. | This file has never been scanned on VirusTotal. |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x100 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections | 7 |
| TimeDateStamp | 2024-May-04 04:55:38 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
Image Optional Header
| Magic | PE32+ |
|---|---|
| LinkerVersion | 14.0 |
| SizeOfCode | 0x2b200 |
| SizeOfInitializedData | 0x35000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x000000000000B9E0 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x140000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.2 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.2 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x68000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x90cb8f |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_CUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x1e8480 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Imports
| USER32.dll |
GetWindowThreadProcessId
ShowWindow |
|---|---|
| KERNEL32.dll |
CreateFileW
GetFinalPathNameByHandleW CloseHandle GetModuleFileNameW CreateSymbolicLinkW GetProcAddress GetCommandLineW GetEnvironmentVariableW SetEnvironmentVariableW ExpandEnvironmentStringsW CreateDirectoryW GetTempPathW WaitForSingleObject Sleep SetDllDirectoryW CreateProcessW GetStartupInfoW FreeLibrary LoadLibraryExW SetConsoleCtrlHandler FindClose FindFirstFileExW GetCurrentProcess GetCurrentProcessId LocalFree FormatMessageW MultiByteToWideChar WideCharToMultiByte GetConsoleWindow HeapSize GetLastError WriteConsoleW SetEndOfFile GetExitCodeProcess TlsGetValue RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind UnhandledExceptionFilter SetUnhandledExceptionFilter TerminateProcess IsProcessorFeaturePresent QueryPerformanceCounter GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent GetModuleHandleW RtlUnwindEx SetLastError EnterCriticalSection LeaveCriticalSection DeleteCriticalSection InitializeCriticalSectionAndSpinCount TlsAlloc TlsSetValue TlsFree EncodePointer RaiseException RtlPcToFileHeader GetCommandLineA GetDriveTypeW GetFileInformationByHandle GetFileType PeekNamedPipe SystemTimeToTzSpecificLocalTime FileTimeToSystemTime GetFullPathNameW RemoveDirectoryW FindNextFileW SetStdHandle DeleteFileW ReadFile GetStdHandle WriteFile ExitProcess GetModuleHandleExW HeapFree GetConsoleMode ReadConsoleW SetFilePointerEx GetConsoleOutputCP GetFileSizeEx HeapAlloc FlsAlloc FlsGetValue FlsSetValue FlsFree CompareStringW LCMapStringW GetCurrentDirectoryW FlushFileBuffers HeapReAlloc GetFileAttributesExW GetStringTypeW IsValidCodePage GetACP GetOEMCP GetCPInfo GetEnvironmentStringsW FreeEnvironmentStringsW GetProcessHeap GetTimeZoneInformation |
| ADVAPI32.dll |
ConvertSidToStringSidW
GetTokenInformation OpenProcessToken ConvertStringSecurityDescriptorToSecurityDescriptorW |
Delayed Imports
1
2
3
4
5
1 (#2)
1 (#3)
Version Info
IMAGE_DEBUG_TYPE_POGO
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2024-May-04 04:55:38 |
| Version | 0.0 |
| SizeofData | 812 |
| AddressOfRawData | 0x3ca0c |
| PointerToRawData | 0x3b00c |
TLS Callbacks
Load Configuration
| Size | 0x140 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x140040040 |
| GuardCFCheckFunctionPointer | 5368894336 |
| GuardCFDispatchFunctionPointer | 0 |
| GuardCFFunctionTable | 0 |
| GuardCFFunctionCount | 0 |
| GuardFlags | (EMPTY) |
| CodeIntegrity.Flags | 0 |
| CodeIntegrity.Catalog | 0 |
| CodeIntegrity.CatalogOffset | 0 |
| CodeIntegrity.Reserved | 0 |
| GuardAddressTakenIatEntryTable | 0 |
| GuardAddressTakenIatEntryCount | 0 |
| GuardLongJumpTargetTable | 0 |
| GuardLongJumpTargetCount | 0 |
RICH Header
| XOR Key | 0xbfc33c47 |
|---|---|
| Unmarked objects | 0 |
| ASM objects (30795) | 8 |
| C++ objects (30795) | 187 |
| C objects (30795) | 10 |
| Unmarked objects (#2) | 1 |
| 253 (VS 2015-2022 runtime 33030) | 4 |
| C++ objects (VS 2015-2022 runtime 33030) | 40 |
| C objects (VS 2015-2022 runtime 33030) | 17 |
| ASM objects (VS 2015-2022 runtime 33030) | 17 |
| Imports (30795) | 7 |
| Total imports | 121 |
| C objects (33135) | 21 |
| Linker (33135) | 1 |