| Field | Value | Details |
| --- | --- | --- |
| Architecture | IMAGE_FILE_MACHINE_AMD64 | |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI | |
| Compilation Date | 2025-Sep-08 20:03:33 | |
| Detected languages | English - United States | |
| TLS Callbacks | 1 callback(s) detected. | |
| Suspicious | The PE is possibly packed. | Unusual section name found: .orion0<br>Section .orion0 is both writable and executable.<br>Unusual section name found: .orion1<br>Section .orion1 is both writable and executable. |
| Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports:<br>- LoadLibraryA<br>- GetProcAddress<br>Can access the registry:<br>Leverages the raw socket API to access the Internet:<br>Can take screenshots: |
| Suspicious | No VirusTotal score. | This file has never been scanned on VirusTotal. |

| Field | Value |
| --- | --- |
| MD5 | 3554097493ed077d969ce0889a6ff607 |
| SHA1 | 3369f17afb578b080eb0d267cc1b60d66b361bec |
| SHA256 | 4407b664a630312341b9a724135864b163e13723b7b4584f350f2183e12e062f |
| SHA3 | 9e15890c3339a0de2a4f82f021eef90c623765f1efaab3e833edb6ca40c2b7d1 |
| SSDeep | 49152:ybhC1DrJvIMrKVhd7W4C+s4HqVmCJUBjnCO+329mFjsEMNgWSEWDtl3Jw0zJd:ybhCBFv1sj7W4nHrCqG329WslNgXz3y |
| Imports Hash | 7a7818dde10aa96a1073b7a2277ff16a |

| Field | Value |
| --- | --- |
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf8 |

| Field | Value |
| --- | --- |
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberofSections | 3 |
| TimeDateStamp | 2025-Sep-08 20:03:33 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE<br>IMAGE_FILE_LARGE_ADDRESS_AWARE |

| Field | Value |
| --- | --- |
| Magic | PE32+ |
| LinkerVersion | 14.0 |
| SizeOfCode | 0x28a000 |
| SizeOfInitializedData | 0x5000 |
| SizeOfUninitializedData | 0x619000 |
| AddressOfEntryPoint | 0x00000000008A0C30 (Section: .orion1) |
| BaseOfCode | 0x61a000 |
| ImageBase | 0x140000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x8a9000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE<br>IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA<br>IMAGE_DLLCHARACTERISTICS_NX_COMPAT<br>IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| Field | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA3 | a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a |
| VirtualSize | 0x619000 |
| VirtualAddress | 0x1000 |
| SizeOfRawData | 0 |
| PointerToRawData | 0x400 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_UNINITIALIZED_DATA<br>IMAGE_SCN_MEM_EXECUTE<br>IMAGE_SCN_MEM_READ<br>IMAGE_SCN_MEM_WRITE |

| Field | Value |
| --- | --- |
| MD5 | e8ac2e105a94e01542fda32a5903a3e1 |
| SHA1 | 74bbdb59bc977fb3a6ab6711e51ec6223eaf82b5 |
| SHA256 | e75a3d4e32ee60710f64a1e4240b7eb52821eeecb2923b67005882840081da9a |
| SHA3 | 53b1f20526b77c29d35fedc15bd22f24010a905c65e8f2dd3eeefa3352b7e29d |
| VirtualSize | 0x28a000 |
| VirtualAddress | 0x61a000 |
| SizeOfRawData | 0x289200 |
| PointerToRawData | 0x400 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA<br>IMAGE_SCN_MEM_EXECUTE<br>IMAGE_SCN_MEM_READ<br>IMAGE_SCN_MEM_WRITE |
| Entropy | 7.99891 |

| Field | Value |
| --- | --- |
| MD5 | eb24fa3b803486c8f38bbc50574d3d08 |
| SHA1 | 312e71c582d039e773678a0c7146e57571d0d1d2 |
| SHA256 | dff57c9ad593762f5ba9ac322cb57ee549d2e229d1fd202e051cd94b5b7c9feb |
| SHA3 | b25044b3efeb38327ff3dbef05487f17974f6958983c417ff92a066c38d286d5 |
| VirtualSize | 0x5000 |
| VirtualAddress | 0x8a4000 |
| SizeOfRawData | 0x4c00 |
| PointerToRawData | 0x289600 |
| PointerToRelocations | 0 |
| PointerToLineNumbers | 0 |
| NumberOfLineNumbers | 0 |
| NumberOfRelocations | 0 |
| Characteristics | IMAGE_SCN_CNT_INITIALIZED_DATA<br>IMAGE_SCN_MEM_READ<br>IMAGE_SCN_MEM_WRITE |
| Entropy | 7.48839 |

| DLL | Imported functions |
| --- | --- |
| advapi32.dll | RegCloseKey |
| api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress |
| api-ms-win-crt-convert-l1-1-0.dll | atoi |
| api-ms-win-crt-environment-l1-1-0.dll | getenv |
| api-ms-win-crt-filesystem-l1-1-0.dll | _stat64i32 |
| api-ms-win-crt-heap-l1-1-0.dll | free |
| api-ms-win-crt-locale-l1-1-0.dll | setlocale |
| api-ms-win-crt-math-l1-1-0.dll | pow |
| api-ms-win-crt-runtime-l1-1-0.dll | exit |
| api-ms-win-crt-stdio-l1-1-0.dll | feof |
| api-ms-win-crt-string-l1-1-0.dll | wcscmp |
| api-ms-win-crt-time-l1-1-0.dll | _time64 |
| api-ms-win-crt-utility-l1-1-0.dll | qsort |
| bcrypt.dll | BCryptGenRandom |
| bcryptprimitives.dll | ProcessPrng |
| comctl32.dll | DefSubclassProc |
| crypt32.dll | CertCloseStore |
| dwmapi.dll | DwmSetWindowAttribute |
| gdi32.dll | BitBlt |
| KERNEL32.DLL | LoadLibraryA<br>ExitProcess<br>GetProcAddress<br>VirtualProtect |
| ntdll.dll | NtWriteFile |
| ole32.dll | CoTaskMemFree |
| oleaut32.dll | SysStringLen |
| shell32.dll | DragFinish |
| shlwapi.dll | SHCreateMemStream |
| user32.dll | GetDC |
| ws2_32.dll | recv |

| Field | Value |
| --- | --- |
| Type | RT_ICON |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x5c8 |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 7.41965 |
| Detected Filetype | PNG graphic file |
| MD5 | 4d0c145e68fef8f7a1b800d36ea76dbf |
| SHA1 | 4cd717d7b8e23453bcd5c49567f7075fe5fc22c6 |
| SHA256 | 72168181ccc6daba2790c7e9c7bce0900587e83dc25333939556572ab5edb305 |
| SHA3 | 9deaefc5770831f9b523125fad1229c73b839535468169d1218048759c20488d |

| Field | Value |
| --- | --- |
| Type | RT_ICON |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x256 |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 7.14273 |
| Detected Filetype | PNG graphic file |
| MD5 | c8e73a2d07b136c904aadb91d85117c7 |
| SHA1 | bce4c93438e6f5d3529d709baa384fe52eb18e91 |
| SHA256 | 790bbf31c90832ef26e82e618f287ac98f323a66ebb43db00cadcd9dd08c8b20 |
| SHA3 | c64085ed950024187cb1138f3cee21fa9657bf8c735348037c44c87c9ecb9029 |

| Field | Value |
| --- | --- |
| Type | RT_ICON |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x3fb |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 7.3683 |
| Detected Filetype | PNG graphic file |
| MD5 | 5f969c01100f2d2f62facbe398567690 |
| SHA1 | 45758ec9a4bf27c41044c4d70d12389a2c81aa17 |
| SHA256 | f58484fecac1f944f3e1004418096306bf0050341b7a0c928e739d4f51728ac4 |
| SHA3 | 08b9610fc7cbaac33e80e91fd5ba611320739a6168e5b76bfd660335958fd53f |

| Field | Value |
| --- | --- |
| Type | RT_ICON |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x9d9 |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 7.55604 |
| Detected Filetype | PNG graphic file |
| MD5 | 111db5a02085d85998a8a3f1c6d3ea03 |
| SHA1 | 4d3d9fe80fb2bf0060eda926b04021a1fbaabffd |
| SHA256 | deb5bfd7900db2d36c3ed215c3ac051f41b7e2fddcb2c9a1b19f65285067fea0 |
| SHA3 | 34144ca7545828099892b64c5555c308318ae0f4f1462d5a3ea16cdd30c54454 |

| Field | Value |
| --- | --- |
| Type | RT_ICON |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0xe56 |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 7.55121 |
| Detected Filetype | PNG graphic file |
| MD5 | 024ffc9eaefe37e78e9bf1cbe7590604 |
| SHA1 | 5d9122c4a115299302a760b6f2495d234c01b773 |
| SHA256 | 94eb9f03018fa06447cc6e076180a8fa7eeb033099fe2ed9f656ebd7a0ebf990 |
| SHA3 | deca8cf856f5e0a83114763d3d306ca0ca7360cd37e6f48a8ac12a5dbbed534c |

| Field | Value |
| --- | --- |
| Type | RT_ICON |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x1a61 |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 7.89595 |
| Detected Filetype | PNG graphic file |
| MD5 | 30550cc5c6462aafa046c051ee3da730 |
| SHA1 | 4ae9970e1e52a1e5ee3c3eaec61782932a71513f |
| SHA256 | 06d732d8f611dce68dfc67ed439ba607d193f4dabfb34c6c04fd0e56218e211f |
| SHA3 | 6e58219230aaed2c3272916c81ad83fc5206612d9db81a87f4e980e20cb59e64 |

| Field | Value |
| --- | --- |
| Type | RT_GROUP_ICON |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x5a |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 2.77987 |
| Detected Filetype | Icon file |
| MD5 | d1ff573d50e9fe446785e15f466899cd |
| SHA1 | 5f022a467743038ec801390c3a3f037294474f50 |
| SHA256 | d238cf3bee134e6d6ec652dc69b0cec44ea59742caf3703be7f4393a3ad86e82 |
| SHA3 | 4e6e8c6421ae7c3aa1e5023c33cd30ef60addb9301bba3c5f474006994da8147 |

| Field | Value |
| --- | --- |
| Type | RT_MANIFEST |
| Language | English - United States |
| Codepage | UNKNOWN |
| Size | 0x229 |
| TimeDateStamp | 1980-Jan-01 00:00:00 |
| Entropy | 4.93891 |
| MD5 | 63304a117e931399f8aff8cd74ea9d4b |
| SHA1 | 12c49e2bc316e87e91f4427d192d3a5026bbe791 |
| SHA256 | 0713d16701f77ca3b1061a77335f2546784259656147440f25b39a780561e629 |
| SHA3 | 4ebf32f409aef170c01e2b00ca0e7acd2a5180deb89a89eacb27bcb8949c9c80 |

| Field | Value |
| --- | --- |
| StartAddressOfRawData | 0x1408a1838 |
| EndAddressOfRawData | 0x1408a2f2c |
| AddressOfIndex | 0x140853a54 |
| AddressOfCallbacks | 0x1408a2f30 |
| SizeOfZeroFill | 0 |
| Characteristics | IMAGE_SCN_ALIGN_16BYTES |
| Callbacks | 0x00000001408A17E7 |

| Field | Value |
| --- | --- |
| Size | 0x140 |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x14084e8c0 |

[*] Warning: Section .orion0 has a size of 0!