filename2182604_KAROSMULTI.exe
size5962752 (0x5afc00)
md59e0482245d3b7592ccee8484889a51cd
typePE32 executable (GUI) Intel 80386, for MS Windows
mimetypeapplication/x-dosexec
clamavWin.Trojan.Agent-1376694 FOUND
virustotal→ scan with virustotal.com
histogram

MZ Header

signatureMZ
bytes_in_last_block0x50
blocks_in_file2
num_relocs0
header_paragraphs4
min_extra_paragraphs0xf
max_extra_paragraphs0xffff
ss0
sp0xb8
checksum0
ip0
cs0
reloc_table_offset0x40
overlay_number0x1a
reserved00
oem_id0
oem_info0
reserved20
reserved30
reserved40
reserved50
reserved60
lfanew0x100

DOS stub

00000000: ba 10 00 0e 1f b4 09 cd  21 b8 01 4c cd 21 90 90  |........!..L.!..|
00000010: 54 68 69 73 20 70 72 6f  67 72 61 6d 20 6d 75 73  |This program mus|
00000020: 74 20 62 65 20 72 75 6e  20 75 6e 64 65 72 20 57  |t be run under W|
00000030: 69 6e 33 32 0d 0a 24 37  00 00 00 00 00 00 00 00  |in32..$7........|
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0:

PE Header

SignaturePE
Machine0x14c
NumberOfSections8
TimeDateStamp0x2a425e19
PointerToSymbolTable0
NumberOfSymbols0
SizeOfOptionalHeader0xe0
Characteristics0x818e
Magic0x10b
LinkerVersion2.25
SizeOfCode0x1400
SizeOfInitializedData0x5ae400
SizeOfUninitializedData0
AddressOfEntryPoint0x20cc
BaseOfCode0x1000
BaseOfData0x3000
ImageBase0x400000
SectionAlignment0x1000
FileAlignment0x200
OperatingSystemVersion4.0
ImageVersion0.0
SubsystemVersion4.0
Reserved10
SizeOfImage0x5b7000
SizeOfHeaders0x400
CheckSum0
Subsystem2
DllCharacteristics0
SizeOfStackReserve0x100000
SizeOfStackCommit0x4000
SizeOfHeapReserve0x100000
SizeOfHeapCommit0x1000
LoaderFlags0
NumberOfRvaAndSizes0x10

Packer / Compiler

Borland Delphi v6.0 - v7.0

Sections

namevavsizeraw sizeflags
CODE0x10000x13b80x1400R-X CODE
DATA0x30000x7c0x200RW- IDATA
BSS0x40000x6950RW-
.idata0x50000x3020x400RW- IDATA
.tls0x600040RW-
.rdata0x70000x180x200R-- IDATA SHARED
.reloc0x80000x1c80x200R-- IDATA SHARED
.rsrc0x90000x5ad8e80x5ada00R-- IDATA SHARED

Data Directory

typevasize
EXPORT00
IMPORT0x50000x302
RESOURCE0x90000x5ad8e8
EXCEPTION00
SECURITY00
BASERELOC0x80000x1c8
DEBUG00
ARCHITECTURE00
GLOBALPTR00
TLS0x70000x18
LOAD_CONFIG00
Bound_IAT00
IAT00
Delay_IAT00
CLR_Header00

TLS

raw
start		raw
end		indexcallbkszero
fill		flags
0x4060000x4060040x4030600x40701000
typenamesizecp
RCDATAA148277641252
RCDATAA25740851252
RCDATAA35509121252
RCDATAB1121252
RCDATAB241252
RCDATAB391252
RCDATAC111252
RCDATAC211252
RCDATAC311252
RCDATAD111252
RCDATAD211252
RCDATAD311252
RCDATADVCLAL161252
RCDATAE111252
RCDATAPACKAGEINFO561252
module_namehintordfunction_name
kernel32.dllGetCurrentThreadId
kernel32.dllSetCurrentDirectoryA
kernel32.dllGetCurrentDirectoryA
kernel32.dllExitProcess
kernel32.dllRtlUnwind
kernel32.dllRaiseException
kernel32.dllTlsSetValue
kernel32.dllTlsGetValue
kernel32.dllLocalAlloc
kernel32.dllGetModuleHandleA
kernel32.dllFreeLibrary
kernel32.dllHeapFree
kernel32.dllHeapReAlloc
kernel32.dllHeapAlloc
kernel32.dllGetProcessHeap
kernel32.dllWriteFile
kernel32.dllSizeofResource
kernel32.dllSetFilePointer
kernel32.dllLockResource
kernel32.dllLoadResource
kernel32.dllGetWindowsDirectoryA
kernel32.dllGetTempPathA
kernel32.dllGetSystemDirectoryA
kernel32.dllFreeResource
kernel32.dllFindResourceA
kernel32.dllCreateFileA
kernel32.dllCloseHandle
shfolder.dllSHGetFolderPathA
shell32.dllShellExecuteA
offsetsizetypecomment
15c115HTM#
256c247296EXE02/15/2015 08:00:31#
345b818444PNG(256 x 256)#
3eb6c1122RAR#
49cfe0573952EXE07/22/2012 21:16:20#
529268550912EXE06/19/1992 22:22:17#
5a18a756211JPG#
5afa68408BINoverlay data past EOF#
Scanning the drive for archives:
1 file, 5962752 bytes (5823 KiB)


--
Type = PE
Physical Size = 5962752
CPU = x86
Characteristics = Executable 32-bit NoLineNums NoLocalSyms Little-Endian Big-Endian
Created = 1992-06-19 22:22:17
Headers Size = 1024
Checksum = 0
Image Size = 5992448
Section Alignment = 4096
File Alignment = 512
Code Size = 5120
Initialized Data Size = 5956608
Uninitialized Data Size = 0
Linker Version = 2.25
OS Version = 4.0
Image Version = 0.0
Subsystem Version = 4.0
Subsystem = Windows GUI
Stack Reserve = 1048576
Stack Commit = 16384
Heap Reserve = 1048576
Heap Commit = 4096
Image Base = 4194304
----
Path = .rsrc/RCDATA/A1
Size = 4827764
Packed Size = 4827764
--
Path = .rsrc/RCDATA/A1
Type = Rar
Offset = 247296
Physical Size = 4580468
Solid = -
Blocks = 4
Multivolume = -
Volumes = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2016-03-20 18:20:36 ....A      4510228      4395095  WinMediaInstall.exe
2016-03-20 18:25:51 ....A          102          102  WinInstall.bat
2016-03-20 18:33:53 ....A       416768       182112  WinInstall.exe
2016-05-13 16:42:59 ....A        12420         2663  drv_set.reg
------------------- ----- ------------ ------------  ------------------------
2016-05-13 16:42:59            4939518      4579972  4 files
offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable







everything is OK