FuckXIA_Pass_Is_1[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

FuckXIA_Pass_Is_1.rar
Size

61.7MB
MD5

bdc42403a850bb336b9aebea7aa10522
SHA1

7878b24329d88511e3d88adb87b5b6f157430f1f
SHA256

4d5ef274dd43c0bb78ca06c9ba6d31e5369cceb711444eb3e2a47644e2a708b8
SHA512

31061166b7f34709c3d628b6839c944173bb39cc2ba25214a7d1d47b58cb5adeee64e86406a842db21796427b6a5bb2e8bde1b75f4a21d109be0341868b81513
SSDEEP

1572864:B5T+DEz/FF4XmgXaw+OYDYT19mJOgg6r30:Bd+aTgmQhWr30

Score

7^/10

vmprotect themida

Malware Config

Signatures

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

resource	yara_rule
static1/unpack001/XIA MOMENT/Xia's Programs & Shit/LatteLoader.proc.exe	themida
static1/unpack001/XIA MOMENT/Xia's Programs & Shit/OrangeRemover_protected_1.exe	themida

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
static1/unpack001/XIA MOMENT/Xia's Programs & Shit/CumAuth.exe	vmprotect

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/XIA MOMENT/Xia's Programs & Shit/CumAuth.exe
unpack001/XIA MOMENT/Xia's Programs & Shit/Exodus.proc.dll
unpack001/XIA MOMENT/Xia's Programs & Shit/LatteLoader.proc.exe
unpack001/XIA MOMENT/Xia's Programs & Shit/MacchiatoPaidTempSpafer.exe
unpack001/XIA MOMENT/Xia's Programs & Shit/OrangeRemover_protected_1.exe

Files

FuckXIA_Pass_Is_1.rar
.rar

Password: 1
XIA MOMENT/Clothing & Skin configs/clothes.json
XIA MOMENT/Clothing & Skin configs/skins.json
XIA MOMENT/Fifty Logins/Account.txt
XIA MOMENT/Images of them being clowns/ExcuseAndPureExitScam.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/ExposedForBadware.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/ExposedForBadwareV2.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/ExposedForBadwareV3.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/MochaAintGettingFixedLMAO.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/SkiddedHysteriaFeaturePatched.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/SkiddyXiaInjector.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/closedhwidresetticket.png
.png

Password: 1
XIA MOMENT/Images of them being clowns/notCopingOverTato.png
.png
XIA MOMENT/Images of them being clowns/notCopingOverTatoV2.png
.png
XIA MOMENT/Images of them being clowns/notCopingOverTatoV3.PNG
.png
XIA MOMENT/Images of them being clowns/notCopingOverTatoV4.png
.png
XIA MOMENT/Images of them being clowns/spooferExitScam.png
.png
XIA MOMENT/Xia's Programs & Shit/CumAuth.exe
.exe windows:6 windows x64 arch:x64

ff2ca35e9a85fb518383276d27a39490

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LeaveCriticalSection
FlsSetValue
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

GetRawInputDeviceInfoW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

msvcp140

?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ

ws2_32

ntohl

mpr

WNetOpenEnumA

normaliz

IdnToAscii

wldap32

ord79

crypt32

CertCloseStore

rpcrt4

UuidCreate

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__C_specific_handler

api-ms-win-crt-runtime-l1-1-0

abort

api-ms-win-crt-stdio-l1-1-0

__p__commode

api-ms-win-crt-string-l1-1-0

isupper

api-ms-win-crt-heap-l1-1-0

_callnewh

api-ms-win-crt-math-l1-1-0

ceilf

api-ms-win-crt-conio-l1-1-0

_getch

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func

api-ms-win-crt-time-l1-1-0

_gmtime64

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-filesystem-l1-1-0

_stat64

advapi32

OpenProcessToken

shell32

ShellExecuteA

wtsapi32

WTSSendMessageW

Exports

Exports

q␾��/�M�{\�{�=�� \��Ao�8�%�$��&��8��z��fF�En$'�z��M,�O��8��k�`��=��D�Ur̻��P�euv}�.�wN�!�.��rJ��` ��c{7N��ߠ��Y�+��:� ?&��Y��Yw��?g�׼$�Ó��$�LS�L�r�uQ~C><L��9�VG��NL�B��ء��(��i�l�y�.�@��9\�uX��tp �I�uB��Q��N�n�@y!�(x�2`��j6�ʌM�'q��P�f,�ч�R^԰��w=��Y}F�E��4E�!��}�+8B��Pҥ@�=FJ뽚o�B�p��!�r��Sb�@Cr�٫.�햾�N��߭�YS�gu5�B�e�q%[7��_�U ��Dif��('yV1ް,&��ԋc��&SGmaNg x�= 5�� i-��bF�ĿW�b�Ӧ�E�m��F\;h.#�y��"�(Z2mG��X�rg��o瓷Wz��l��D��$d+��i��ḐoΎ�E�A ��̢nz�0�DK26�5��f��/�.n�-&uͽF(�<�kZ��J��̜E2u��'��,�U��=E��禮�s��e�~��!�h��UCUS>�F\�/�{4��v��`[z&�cN@+1�}��+ 'R�uF�/� $��%t�6%k�`Wڟp��+��1�/��[�lx�8'�j�d�s��D��+��=��-�-!:��<�e��~�b��S`��+ȳH��L�l 6��`<��2!>Fr��AH�\<�cG\�PNᙃQ�4��%� 2�G�5�.۠�@ :ɢ]�y9c�P�"��K�K|��b�Ɓ�v5��J��p�)��|![nS}�Z�"��^��#�i�~ݭC�>7B��z�/ ��Hb�:P�e�/4��$ e�F�|C�6f��3:;�� e)fi㜥6�M��jKU&<��&<(�YF��z��({��f��7�̈́�w6%e��_&��]�m|�#dQg~#@��mߓ}|*��iX�qb��];��K�H��ԑ��y��ϧc��4Z�O��&#3D�e��i˂[֎��h�0.8�l��e� {�4d��;�r U��Pp߳�G[ҦA��aE=I�Y��x��{'5{,�u^6A�7�"�5ͫ��Ɨ;�� f��]�~�atީ�� S �;�W�J�w�2X��ʅ^��b7��5��Cv��O{�c�zq��~�T�p*l�RZ:��E$�hB��Tl� ��=��7�6�u>5�O5�}�#� ol�!m��f qg3U��m zO;= ��;~��y��b��:��k��Y�2��]�_<{ ��9�r3�iI��c ��#��@��k~Ϲ�Ƨ&~��:Ƌ�jx��j��{�#�jk ��[��4�t�d(��Gj�X�w�<ߙ_�y�V��Ig��e��G~��)� H�r�Z(�ء�Ծq��!&(^�;6dZԊ��J��m�w�n$��*��2��Xnsj�@Sb��ժ̙(��;�8h��>D��]h�?P��pE�ty ��n��S��]��L��㜞޻9�n�͡\��rP�C�ֆ��R�;>�M�>(�Lw� K��Ƿ��2�ÝL�e�)i�2F�`&��x8�0��ۏh��C\-�ĻJ��6��ep�m�3jL�@gX��-��2Vr�}%�;þ��{Om �#ٔ��<�N�7-��;�乒aKί ��>,�;�G�c��1� W�9U� ��Ш��,>EfX�0L\�q��y��9|�b�֋�)�+��|��.��)q�"T)�i�m�y�!hڡS@�d��^��V�#k�1��Fn_cSɒ�5&�4x )�A�"Zd��q��_08��g�o�΁��|&Bx��y|��܂��?Y�J�n��|J��]5��;��ǽ� ը՘�釩 ~b��eM��x�e�"�6|/;T��S��N[�)�AG9D�f�x�S�j��= .%O&��N��ҭ��p��i�$��yh�Э�"��sa��- uqN<��1��]Ό`,�� 0u�<��'w�4T��H�36�� ѕk�"h�F:��n�`N��#�ZDj�(�C�0�Ӽ��m�2�N2~̮��>䫍�-��u�qn͆��˶��q��c\�R+Pi�m?�wY�6'0�~��M2!dc�H�ƍ�-k��=��as��陾:�=��q�֙�kni��K>��(�&�\�Qr�xy�EGy�,R�p��`Q-�}>EE[ر��~ڑ��e%��f �JB��*��#��eR~�ґ�s�hy�"�~"v{�� P�Z;��5��P@�7�WdZ�P��ͭ�]~�`��>��[6 Km$JW�Y�d��Y�C��N�I�pH�ݨu5��u�E��1"��G|p��N��$�xc{0F:yjOض�Wh�QQ��R�J�R�,�k*��~�UG�x��,:Hnp[��h ��3J�l�J� -��0��"�4�Sz"��U�T>Ʋ�÷��oJ��d��D�XS�� <��4a��|��}��sS��þ$!�j�r��/��R�f3$��[�V3�hr�\�Re�M��<��`�F��pn�&��uY��$6XPU<>��8��2!�HM/�ʹg6#bg��AnH��+�Ж�spq�#��Y��BU��ͦ��I ��ƤsΈ��S��.JJ�� ޓ�( �j��WNX){ȒN�eG��u_�t\��(�P�ӐM)��ˠ }�M�4��~�E�b�>Ս�� 2��u��LF�b�a��G d�B��NXc5��΄I��b�uƥ'��7t��D�mU��0 OL�<�(��@��k6N�Mn�S!��/6?�_

Sections

.text
Size: - Virtual size: 493KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 119KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 5.6MB - Virtual size: 5.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
XIA MOMENT/Xia's Programs & Shit/Exodus.proc.dll
.dll windows:6 windows x64 arch:x64

e7f4a5d23f90e4ac562d49d3950050aa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

SetThreadContext
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

GetAsyncKeyState
GetProcessWindowStation
GetUserObjectInformationW

msvcp140

??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ

imm32

ImmSetCandidateWindow

d3dcompiler_47

D3DCompile

ws2_32

freeaddrinfo

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate

api-ms-win-crt-heap-l1-1-0

calloc

api-ms-win-crt-runtime-l1-1-0

_crt_atexit

api-ms-win-crt-stdio-l1-1-0

fgetpos

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-string-l1-1-0

strncpy

api-ms-win-crt-convert-l1-1-0

strtod

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-filesystem-l1-1-0

_lock_file

api-ms-win-crt-locale-l1-1-0

localeconv

api-ms-win-crt-math-l1-1-0

sqrtf

Sections

.text
Size: - Virtual size: 383KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.proc0
Size: - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.proc1
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
XIA MOMENT/Xia's Programs & Shit/LatteLoader.proc.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 351KB - Virtual size: 708KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 89KB - Virtual size: 209KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 14KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 16KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.4MB - Virtual size: 3.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
XIA MOMENT/Xia's Programs & Shit/MacchiatoPaidTempSpafer.exe
.exe windows:6 windows x64 arch:x64

b6d09782982f9aa0bf002baa8f52a6c9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetTempPathW
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

FindWindowA

advapi32

CopySid

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z

ntdll

VerSetConditionMask

normaliz

IdnToAscii

wldap32

ord143

crypt32

CertCloseStore

ws2_32

recv

rpcrt4

UuidCreate

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy

api-ms-win-crt-runtime-l1-1-0

_crt_atexit

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func

api-ms-win-crt-heap-l1-1-0

free

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-filesystem-l1-1-0

_lock_file

api-ms-win-crt-convert-l1-1-0

strtod

api-ms-win-crt-string-l1-1-0

strspn

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-math-l1-1-0

__setusermatherr

shell32

ShellExecuteA

Exports

Exports

OPENSSL_Applink

Sections

.text
Size: - Virtual size: 548KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 153KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rAP
Size: - Virtual size: 36.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Hyn
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.[4u
Size: 55.6MB - Virtual size: 55.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
XIA MOMENT/Xia's Programs & Shit/OrangeRemover_protected_1.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 7KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 3KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 1024B - Virtual size: 948B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ