5.exe

info
MZ
PE
resources
strings
imports
foremost
hexdump
disasm
log
discuss
donate

filename	5.exe
size	196608 (0x30000)
md5	7637e83def3c66546bb4a6ee5e963b03

type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
mimetype	application/x-dosexec

clamav	OK
virustotal	→ scan with virustotal.com

histogram

MZ Header

signature	MZ
bytes_in_last_block	0x90
blocks_in_file	3
num_relocs	0
header_paragraphs	4
min_extra_paragraphs	0
max_extra_paragraphs	0xffff
ss	0
sp	0xb8
checksum	0
ip	0
cs	0
reloc_table_offset	0x40
overlay_number	0
reserved0	0
oem_id	0
oem_info	0
reserved2	0
reserved3	0
reserved4	0
reserved5	0
reserved6	0
lfanew	0xe8

Rich Header

lib id	version	times used
132	21022	36
149	21022	24
131	21022	121
123	50727	17
1	0	191
138	21022	1
146	21022	1
148	21022	1
145	21022	1

DOS stub

00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

PE Header

Signature	PE
Machine	0x14c
NumberOfSections	3
TimeDateStamp	0x5b41832b
PointerToSymbolTable	0
NumberOfSymbols	0
SizeOfOptionalHeader	0xe0
Characteristics	0x123
Magic	0x10b
LinkerVersion	9.0
SizeOfCode	0x2b000
SizeOfInitializedData	0x5000
SizeOfUninitializedData	0x15aa000
AddressOfEntryPoint	0x15d59a0
BaseOfCode	0x15ab000
BaseOfData	0x15d6000
ImageBase	0x400000
SectionAlignment	0x1000
FileAlignment	0x200
OperatingSystemVersion	5.0
ImageVersion	0.0
SubsystemVersion	5.0
Reserved1	0
SizeOfImage	0x15db000
SizeOfHeaders	0x1000
CheckSum	0
Subsystem	2
DllCharacteristics	0x8000
SizeOfStackReserve	0x100000
SizeOfStackCommit	0x1000
SizeOfHeapReserve	0x100000
SizeOfHeapCommit	0x1000
LoaderFlags	0
NumberOfRvaAndSizes	0x10

Packer / Compiler

UPX Modified >> *$igBy Ahmed18

This file is packed with UPX. Analysis will be incomplete without unpacking.
We can unpack it for you.

»» Analyze unpacked file

Sections

name	va	vsize	raw size	flags
UPX0	0x1000	0x15aa000	0	RWX UDATA
UPX1	0x15ab000	0x2b000	0x2ac00	RWX IDATA
.rsrc	0x15d6000	0x5000	0x5000	RW- IDATA

Data Directory

type	va	size
EXPORT	0x20880	0x47
IMPORT	0x15dacbc	0x204
RESOURCE	0x15d6000	0x4cbc
EXCEPTION	0	0
SECURITY	0	0
BASERELOC	0	0
DEBUG	0	0
ARCHITECTURE	0	0
GLOBALPTR	0	0
TLS	0	0
LOAD_CONFIG	0x15d5b48	0x48
Bound_IAT	0	0
IAT	0	0
Delay_IAT	0	0
CLR_Header	0	0

show previews

type	name	size
ICON	#1	1736
ICON	#2	1384
ICON	#3	3752
ICON	#4	2440
ICON	#5	9640
STRING	#19	294
STRING	#20	670
ACCELERATORS	#213	128
ACCELERATORS	#326	176
GROUP_ICON	#113	76

lang

string

288

12298

a0 3c 2f 00 c2 05 26 12  5b 06 0a a0 c4 66 63 93  |.|
0f 2d 30 0b 9b c8 7a de  3a 12 37 44 70 43 2f a8  |.-0...z.:.7DpC/.|
92 3c bc 07 00 11 1b d6  7d 55 93 a5 ea 56 22 8a  |.<......}U...V".|
3a 11 31 2b 1b 46 93 03  82 60 4e e2 37 41 77 98  |:.1+.F...`N.7Aw.|
53 7e 72 20 04 18 30 2a  c0 9b 76 d4 31 1f 70 38  |S~r ..0*..v.1.p8|
22 39 01 6a 0c 30 14 55  2f e0 21 28 3c 38 80 19  |"9.j.0.U/.!(<8..|
be 65 ea 32 94 e4 5a 04  96 6d d2 02 91 82 f0 03  |.e.2..Z..m......|
1b 3c 23 31 c3 48 ac 30  68 7e 34 09 d8 8c d0 22  |.<#1.H.0h~4...."|
bb 6e 04 24 18 c0 2c 28  2e 80 68 d6 dd 06 f2 15  |.n.$..,(..h.....|
1d 2b 64 31 5b b1 4a 9d  72 11 86 31 1b ec 1d 0d  |.+d1[.J.r..1....|
34 38 7e 95 08 ce 08 07  0c 17 03 13 e0 7a 11 e5  |48~..........z..|
70 46 2a 3e 28 13 11 18  06 10 07 2f 16 09 07 37  |pF*>(....../...7|
18 08 02 00 84 ef                                 |......          |

304

12298

8a b2 31 37 0e 0e 3d 09  07 45 5c 34 20 2b 16 aa  |..17..=..E\4 +..|
0d dc 21 98 22 16 34 28  0e 80 61 33 98 80 0e c2  |..!.".4(..a3....|
13 06 7e ba 01 97 12 f2  dc 1c 3e ed 4d 52 01 2c  |..~.......>.MR.,|
18 24 1f 37 37 16 ac 1d  f5 17 48 5f da 0c 2e 23  |.$.77.....H_...#|
1b 1a 1b 10 10 22 a5 5a  40 41 aa 4a 25 05 94 02  |.....".Z@A.J%...|
10 19 d8 ee 03 01 9a 40  e2 95 94 9a be 21 2d 15  |.......@.....!-.|
36 4d dc e4 da 08 12 2f  ba 20 05 06 24 45 39 09  |6M...../. ..$E9.|
c0 84 36 45 0b b0 ca 82  f0 28 07 20 13 2b 38 06  |..6E.....(. .+8.|
b7 8a cd c0 13 33 e4 12  32 d0 2b 28 2a 3a 1e 8a  |.....3..2.+(*:..|
26 80 fe 00 2d 08 2a 18  13 0f aa 2c 08 b8 25 84  |&...-.*....,..%.|
d0 84 11 c4 39 16 13 5c  00 05 06 f6 15 31 0f 54  |....9..\.....1.T|
16 4a 65 b4 6c 05 04 dc  c4 fa 63 23 0c 87 be 48  |.Je.l.....c#...H|
d8 36 3d b1 62 d1 57 5a  36 20 1e 15 3d 32 25 2b  |.6=.b.WZ6 ..=2%+|
3e 0c 29 6f 24 20 5a 2a  06 22 9c ea 14 2f 39 35  |>.)o$ Z*.".../95|
29 81 1a 1d ee 1f 92 b8  4b a4 17 a9 ec 18 10 19  |).......K.......|
2e 3c e8 d5 a4 dd ba 1e  2c 19 05 96 37 07 0e 14  |.<......,...7...|
30 50 2d 5c 50 2b 1e 0c  56 2a 51 23 24 38 ca 22  |0P-\P+..V*Q#$8."|
52 1e 3e a0 5f 55 f1 5b  18 82 18 3c 22 27 1c 37  |R.>._U.[...<"'.7|
1e 27 62 06 34 00 0c 28  43 f5 0a d3 04 08 9c 28  |.'b.4..(C......(|
08 01 3e 0a 54 04 0a 5e  04 48 31 23 18 3e 6e 1e  |..>.T..^.H1#.>n.|
61 55 b3 21 6c fc 12 52  36 17 cd 5e 40 bc 4c 13  |aU.!l..R6..^@.L.|
03 22 14 32 02 18 24 34  dc cc 1f 17 e5 00 f1 32  |.".2..$4.......2|
26 09 13 78 6a 60 93 8c  26 e8 1f ee 06 0b 4b b0  |&..xj`..&.....K.|
c9 80 8c 84 11 0a 44 32  15 a1 50 ac e6 9a 68 2a  |......D2..P...h*|
44 12 2e 5c 12 18 1c 5a  aa 32 f0 0d 05 04 34 26  |D..\...Z.2....4&|
b6 2c 1b 2d 22 36 c2 d0  21 83 be 9c 24 5e d2 fa  |.,.-"6..!...$^..|
ef b8 20 19 07 14 c8 29  0f 2a 29 0b 2a 33 25 3a  |.. ....).*).*3%:|
f1 cd 09 a1 9e 31 b2 7a  2a 09 33 0f 27 1a a6 a2  |.....1.z*.3.'...|
51 d8 13 16 6a e1 4a 11  6e 6c 9c 30 3f 0f 40 0b  |Q...j.J.nl.0?.@.|
ad 66 50 39 72 2d 11 22  c1 65 55 c4 07 f4 66 70  |.fP9r-.".eU...fp|
91 d8 f8 26 3f 16 0c 21  fa 82 37 19 18 0c d6 26  |...&?..!..7....&|
16 74 4e 15 2c 76 8b 64  74 89 fc 5a 2e b8 0b 3d  |.tN.,v.dt..Z...=|
00 9c 92 58 7a 42 00 cc  04 d4 86 f0 a5 f8 86 1d  |...XzB..........|
92 13 34 a0 13 1a 0e 31  06 68 11 28 80 de 78 27  |..4....1.h.(..x'|
2d 0b 3a 56 19 18 8b 00  bc f2 03 07 32 2d 8a 2e  |-.:V........2-..|
10 2e 03 f6 46 60 30 1a  3b 16 7a 8a 02 97 24 c0  |....F`0.;.z...$.|
09 19 82 f6 78 60 b8 8c  15 8e 18 1b 04 a0 8a c2  |....x`..........|
cd 00 ae 3e 1f 20 4c 28  94 00 1a be 18 12 04 3e  |...>. L(.......>|
3e 2a d2 06 02 27 5e 4c  89 6c 1c 18 21 04 1f 4c  |>*...'^L.l..!..L|
14 40 21 7d 24 2f 18 2e  00 46 3a 28 fd a6 9b 64  |.@!}$/...F:(...d|
c2 2f 2b 28 42 06 28 35  09 36 29 84 42 2a c0 e0  |./+(B.(5.6).B*..|
b6 04 5c 5c 55 f0 0d 26  34 31 15 09 1d 60        |..\\U..&41...`  |

module_name	hint	ord	function_name
ADVAPI32.dll			RegEnumKeyW
GDI32.dll			PolyDraw
KERNEL32.DLL			LoadLibraryA
KERNEL32.DLL			ExitProcess
KERNEL32.DLL			GetProcAddress
KERNEL32.DLL			VirtualProtect
ole32.dll			CoRevertToSelf
SHELL32.dll			DuplicateIcon
USER32.dll			ToAscii
WINHTTP.dll			WinHttpCrackUrl
WINSPOOL.DRV			DeviceCapabilitiesA

show previews

offset	size	type	comment
0	196608	EXE	07/08/2018 03:21:15	#
15c1	15	HTM		#

offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable

Please donate some bucks to keep this site up and running:
Ko-fi
Yandex.Money
Thank you!

[!] string size(31040) > stringtable size(294). truncated to 292

[!] cannot convert "/\x00\xC2\x05&\x12[\x06\n\xA0\xC4fc\x93`\xCA"... to UTF-16

[!] string size(91412) > stringtable size(670). truncated to 668

[!] cannot convert "17\x0E\x0E=\t\aE\\4 +\x16\xAA\r\xDC"... to UTF-16

[?] can't find file_offset of VA 0x20880