filenamet.bender
size43872 (0xab60)
md5fcf42f407a35b1509660ab0c60e10dde
typePE32 executable (native) Intel 80386, for MS Windows
mimetypeapplication/x-dosexec
clamavOK
virustotal→ scan with virustotal.com
histogram

MZ Header

signatureMZ
bytes_in_last_block0x90
blocks_in_file3
num_relocs0
header_paragraphs4
min_extra_paragraphs0
max_extra_paragraphs0xffff
ss0
sp0xb8
checksum0
ip0
cs0
reloc_table_offset0x40
overlay_number0
reserved00
oem_id0
oem_info0
reserved20
reserved30
reserved40
reserved50
reserved60
lfanew0x260

Rich Header

lib idversiontimes used
1066
9340355
1540351
9540357
9640352
9040351

DOS stub

00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001c0:

PE Header

SignaturePE
Machine0x14c
NumberOfSections6
TimeDateStamp0x4e9c7160
PointerToSymbolTable0
NumberOfSymbols0
SizeOfOptionalHeader0xe0
Characteristics0x10e
Magic0x10b
LinkerVersion7.10
SizeOfCode0x3280
SizeOfInitializedData0x900
SizeOfUninitializedData0
AddressOfEntryPoint0x3579
BaseOfCode0x480
BaseOfData0x2c00
ImageBase0xb0aaf000
SectionAlignment0x80
FileAlignment0x80
OperatingSystemVersion5.1
ImageVersion5.1
SubsystemVersion5.1
Reserved10
SizeOfImage0x4000
SizeOfHeaders0x480
CheckSum0xe04d
Subsystem1
DllCharacteristics0
SizeOfStackReserve0x40000
SizeOfStackCommit0x1000
SizeOfHeapReserve0x100000
SizeOfHeapCommit0x1000
LoaderFlags0
NumberOfRvaAndSizes0x10

Packer / Compiler

MS Visual C++ 6.0 - 8.0

Sections

namevavsizeraw sizeflags
.text0x4800x27400x2780R-X CODE
.rdata0x2c000x2d40x300R-- IDATA
.data0x2f000x2080x280RW- IDATA
PAGE0x31800x3330x380R-X CODE
INIT0x35000x71c0x780RWX CODE DISCARDABLE
.reloc0x3c800x34c0x380R-- IDATA DISCARDABLE

Data Directory

typevasize
EXPORT00
IMPORT0x35c00x3c
RESOURCE00
EXCEPTION00
SECURITY00
BASERELOC0x3c800x2b4
DEBUG0x2d100x1c
ARCHITECTURE00
GLOBALPTR00
TLS00
LOAD_CONFIG0x2e400x40
Bound_IAT00
IAT0x2c000x110
Delay_IAT00
CLR_Header00
module_namehintordfunction_name
ntoskrnl.exe1287ZwClose
ntoskrnl.exe1372ZwSetInformationFile
ntoskrnl.exe1345ZwQueryInformationFile
ntoskrnl.exe1292ZwCreateFile
ntoskrnl.exe1391ZwWriteFile
ntoskrnl.exe1299ZwDeleteFile
ntoskrnl.exe916PsTerminateSystemThread
ntoskrnl.exe500KeCancelTimer
ntoskrnl.exe618KeWaitForSingleObject
ntoskrnl.exe607KeSetTimerEx
ntoskrnl.exe541KeInitializeTimerEx
ntoskrnl.exe78ExFreePoolWithTag
ntoskrnl.exe1461swprintf
ntoskrnl.exe840PsCreateSystemThread
ntoskrnl.exe1356ZwQuerySystemInformation
ntoskrnl.exe65ExAllocatePoolWithTag
ntoskrnl.exe1417_stricmp
ntoskrnl.exe1457strncpy
ntoskrnl.exe1451strchr
ntoskrnl.exe1359ZwReadFile
ntoskrnl.exe600KeSetPriorityThread
ntoskrnl.exe516KeGetCurrentThread
ntoskrnl.exe759NtQueryDirectoryFile
ntoskrnl.exe768NtQuerySystemInformation
ntoskrnl.exe752NtOpenFile
ntoskrnl.exe737NtCreateFile
ntoskrnl.exe832ProbeForRead
ntoskrnl.exe1409_except_handler3
ntoskrnl.exe359IoGetCurrentProcess
ntoskrnl.exe1049RtlInitUnicodeString
ntoskrnl.exe1426_wcsicmp
ntoskrnl.exe1478wcsrchr
ntoskrnl.exe1480wcsstr
ntoskrnl.exe1323ZwOpenFile
ntoskrnl.exe1474wcslen
ntoskrnl.exe953RtlCompareUnicodeString
ntoskrnl.exe812ObfDereferenceObject
ntoskrnl.exe802ObQueryNameString
ntoskrnl.exe804ObReferenceObjectByHandle
ntoskrnl.exe1325ZwOpenKey
ntoskrnl.exe1469wcscat
ntoskrnl.exe1025RtlFreeUnicodeString
ntoskrnl.exe933RtlAnsiStringToUnicodeString
ntoskrnl.exe1046RtlInitAnsiString
ntoskrnl.exe1456strncmp
ntoskrnl.exe298IoAttachDeviceToDeviceStack
ntoskrnl.exe317IoCreateDevice
ntoskrnl.exe363IoGetDeviceObjectPointer
ntoskrnl.exe334IoDeleteDevice
ntoskrnl.exe337IoDetachDevice
ntoskrnl.exe479IofCallDriver
ntoskrnl.exe480IofCompleteRequest
ntoskrnl.exe121ExReleaseFastMutexUnsafe
ntoskrnl.exe326IoCreateSymbolicLink
ntoskrnl.exe54ExAcquireFastMutexUnsafe
ntoskrnl.exe336IoDeleteSymbolicLink
ntoskrnl.exe533KeInitializeEvent
ntoskrnl.exe611KeTickCount
ntoskrnl.exe499KeBugCheckEx
ntoskrnl.exe1125RtlQueryRegistryValues
ntoskrnl.exe1198RtlWriteRegistryValue
ntoskrnl.exe48DbgPrint
ntoskrnl.exe983RtlDeleteRegistryValue
ntoskrnl.exe5234588
ntoskrnl.exe5238568
ntoskrnl.exe5237108
ntoskrnl.exe5234828
ntoskrnl.exe5239568
ntoskrnl.exe5235328
ntoskrnl.exe6066226
ntoskrnl.exe5213650
ntoskrnl.exe5217200
ntoskrnl.exe5213708
ntoskrnl.exe5213596
ntoskrnl.exe5523686
ntoskrnl.exe5470837
ntoskrnl.exe6059152
ntoskrnl.exe5237548
ntoskrnl.exe5525376
ntoskrnl.exe5464505
ntoskrnl.exe5470304
ntoskrnl.exe5469456
ntoskrnl.exe5237748
ntoskrnl.exe5225358
ntoskrnl.exe5508992
ntoskrnl.exe5697924
ntoskrnl.exe6325672
ntoskrnl.exe5698730
ntoskrnl.exe5694348
ntoskrnl.exe6344548
ntoskrnl.exe5463776
ntoskrnl.exe5170712
ntoskrnl.exe5418396
ntoskrnl.exe5464997
ntoskrnl.exe5471742
ntoskrnl.exe5471877
ntoskrnl.exe5236408
ntoskrnl.exe5471514
ntoskrnl.exe6127458
ntoskrnl.exe5385106
ntoskrnl.exe6006708
ntoskrnl.exe5966858
ntoskrnl.exe5236468
ntoskrnl.exe5471249
ntoskrnl.exe6127310
ntoskrnl.exe6129398
ntoskrnl.exe5418340
ntoskrnl.exe5470240
ntoskrnl.exe5180076
ntoskrnl.exe5680102
ntoskrnl.exe5682338
ntoskrnl.exe5179608
ntoskrnl.exe5170026
ntoskrnl.exe5169456
ntoskrnl.exe5169600
ntoskrnl.exe5514948
ntoskrnl.exe5672568
ntoskrnl.exe5514916
ntoskrnl.exe5673430
ntoskrnl.exe5214002
ntoskrnl.exe5549728
ntoskrnl.exe5213354
ntoskrnl.exe6151864
ntoskrnl.exe6153438
ntoskrnl.exe5406354
ntoskrnl.exe6153628
HAL.dll77KfLowerIrql
HAL.dll76KfAcquireSpinLock
HAL.dll78KfRaiseIrql
HAL.dll7156432
HAL.dll7157472
HAL.dll7156344
offsetsizetypecomment
016384EXE10/17/2011 18:18:08#
15c115HTM#
400027488BINoverlay data past EOF#
Scanning the drive for archives:
1 file, 43872 bytes (43 KiB)



Errors: 1
offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable











everything is OK