0bd7b65ed269e6679c51a77e63bdee89

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2013-Jun-28 14:45:44
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains another PE executable:
  • This program cannot be run in DOS mode.
Miscellaneous malware strings:
  • virus
Contains domain names:
  • crl.globalsign.com
  • globalsign.com
  • http://crl.globalsign.com
  • http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
  • http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
  • http://ocsp2.globalsign.com
  • http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
  • http://secure.globalsign.com
  • http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
  • https://www.globalsign.com
  • https://www.globalsign.com/repository/0
  • ocsp2.globalsign.com
  • secure.globalsign.com
  • www.globalsign.com
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA256
Info The PE contains common functions which appear in legitimate applications.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Malicious The PE is possibly a dropper. Resource ARCHIVE is possibly compressed or encrypted.
Resource DECOMPRESSOR detected as a PE Executable.
Resources account for 99.0524% of the executable.
Malicious VirusTotal score: 23/67 (Scanned on 2020-09-15 17:53:30)
Bkav: W32.AIDetectVM.malware2
Elastic: malicious (high confidence)
Cylance: Unsafe
K7AntiVirus: Unwanted-Program ( 004ba1a41 )
K7GW: Unwanted-Program ( 004ba1a41 )
Invincea: Generic ML PUA (PUA)
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/HackTool.CheatEngine.AF potentially unsafe
APEX: Malicious
Cynet: Malicious (score: 100)
FireEye: Generic.mg.0bd7b65ed269e667
SentinelOne: DFI - Malicious PE
GData: Win32.Riskware.Hacktool.D
Jiangmin: TrojanSpy.KeyLogger.lsz
eGambit: Unsafe.AI_Score_99%
Antiy-AVL: HackTool[Hoax]/Win32.CheatEngine.a
Microsoft: Trojan:Win32/Wacatac.DB!ml
Acronis: suspicious
Rising: Trojan.Generic@ML.100 (RDML:shrI9v1FSSZ6RbosN5iEAQ)
Yandex: HackTool.CheatEngine!h2lP7QG9eRI
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: Riskware/CheatEngine
CrowdStrike: win/malicious_confidence_70% (D)

Hashes

MD5 0bd7b65ed269e6679c51a77e63bdee89
SHA1 233e56faba1692f8acc95b42e5a1565d30c0cdb4
SHA256 b8896d8a64932eb3c896dc35b9e3e06d2bf3e3d542d12c40217dd21d1bc98b8c
SHA3 ca36dc1ff8d5a81a5e7ffb16adb12d8f3625113ac56f2b1d6100c90cf731999a
SSDeep 98304:CjxPTuXYBBTbfz7nnDx5nGXVempUN+OCUicEcn/wLFtn1ehcbUVBvXzU:6xPTuEBHz7nDxgFmNJC6Ec/wLFncVBv
Imports Hash 8d92fa1956a6a631c642190121740197

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2013-Jun-28 14:45:44
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x8e00
SizeOfInitializedData 0x581200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000015EB (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xa000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0x58e000
SizeOfHeaders 0x400
Checksum 0x11163
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 40b6c3ad804db9bc09242ade61fb6ea3
SHA1 19c269f7859f50a7ec90df4637ebd448d9256893
SHA256 bfc577c4b1e79be13461642e8f12bae2d8a8b172ec4ddc285e46c6eee2e8d14b
SHA3 b4d3ea20bb6bba895183f6ae88b849f90e8913fff3e30c0292295c72565f1e00
VirtualSize 0x8d54
VirtualAddress 0x1000
SizeOfRawData 0x8e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.56215

.rdata

MD5 33d023d2d6213e1f615883e5e3160e76
SHA1 42495099f48591f1a8efbba21c576c97f0f82aff
SHA256 36c989b74abd069ce8b310806e897d309f7040e4c58dd32d8af1b73d9ba87b2c
SHA3 38b506b37ac219d3dca849823a8de2ccd3bbaa02d179778dd6ea54937cdb8b3d
VirtualSize 0x2114
VirtualAddress 0xa000
SizeOfRawData 0x2200
PointerToRawData 0x9200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.44357

.data

MD5 3254d8738887635ac7c58c51f4e91adf
SHA1 358ba73f2f73183dc0bb1e36bcd5531cb4afb52a
SHA256 b7c82c609946c4510f84c3fc78fdb5005cb52d289aebb5cccf25d72ec0c243d9
SHA3 8a9f4a20d88b19dbc56d5a8d10c90d519831cd4e636c1c777f1d5581d44abb40
VirtualSize 0x2adc
VirtualAddress 0xd000
SizeOfRawData 0x1000
PointerToRawData 0xb400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.1026

.rsrc

MD5 db76af68f0c521e6877c586dc4b15c00
SHA1 a24041a4c7a864b22e9308d4f74f3e2cc54f21ea
SHA256 5803f7c66d2e1694ddd0f4e3b006501ea401c6014ae8448416c2a4337b564196
SHA3 7ae8f18c0f1dae3daee1e4d240b8c8a0cafe26706215e952455eae3595d4332b
VirtualSize 0x57ce88
VirtualAddress 0x10000
SizeOfRawData 0x57d000
PointerToRawData 0xc400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.98586

.reloc

MD5 65aac020a14aa9271485b36b38ac2718
SHA1 5623197bb662e9e89cfc1745ab5e5ee18b7cf2df
SHA256 1d3b7708419789a013f22609c85194943b07e823ee6a865a3f9f9ce43fe30597
SHA3 66c06a8e28937246e4054bbd03026b02fb5e70aa366a87d29dec4855bd7a27b7
VirtualSize 0xeea
VirtualAddress 0x58d000
SizeOfRawData 0x1000
PointerToRawData 0x589400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.32883

Imports

SHLWAPI.dll
PathAddBackslashA
PathStripPathA
PathRemoveFileSpecA
KERNEL32.dll
GetModuleFileNameA
FindResourceA
GetModuleHandleA
SizeofResource
LoadResource
GetTempPathA
CreateDirectoryA
DeleteFileA
CreateFileA
WriteFile
CloseHandle
CreateProcessA
WaitForSingleObject
RemoveDirectoryA
FlushFileBuffers
GetTempFileNameA
GetCurrentThreadId
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
GetProcAddress
ExitProcess
GetStdHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
GetConsoleCP
GetConsoleMode
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LoadLibraryA
InitializeCriticalSectionAndSpinCount
HeapAlloc
VirtualAlloc
HeapReAlloc
RtlUnwind
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
USER32.dll
MessageBoxA
ADVAPI32.dll
ConvertStringSecurityDescriptorToSecurityDescriptorA

Delayed Imports

Resources

1

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.97127
MD5 cd58d9740638da0f5e41199d771db859
SHA1 e101d2d3d23c2c6dbcf8b0ec2aefbb0297d6cb3a
SHA256 6c9d14c7826e41bc2797ba267268eca8174e8e1f7030676b9bf3a6332596be45
SHA3 91660c5c2552bd6c117564b8bb844d67339ee975fadfc3433f37f1a8207ca4fb

ARCHIVE

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x54c113
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.99258
MD5 4f949a73a1446df70867910919f60a36
SHA1 969b4899720c0e95f06ace9063a6456cf85b1acf
SHA256 386346632e177ed9a2e9930ff454570d3392f908b624d187738aaba99e618f6f
SHA3 6335c0e642ce9323a31d6e3618080d4a6320c1c90a10fa9d276410d6aa30e915

DECOMPRESSOR

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x2f600
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.11488
Detected Filetype PE Executable
MD5 a65c29111a4cf5a7fdd5a9d79f77bcab
SHA1 c0c59b1f792c975558c33a3b7cf0d94adc636660
SHA256 dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af
SHA3 e4e1436cfab72b94daf67a44913cfa7f114e226acae1792f1f262cf82e87e372

101

Type RT_GROUP_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x1016
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.75594
Detected Filetype Icon file
MD5 6fd3e619882ac8fdd4ba88efc2f0e73f
SHA1 4f47d67084df6664b8911fd29514aadfa7d40756
SHA256 359f0b619308baab2c0b08ff49e2b8610877ab9a4a966675c7c2d953bbdcec11
SHA3 3148643b1301a12c3f7a04e49b6fb8b1582b3829dff4d73f3753285b7c0c4d26

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x165
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.77792
MD5 b9b507d6297b2d514477db4ae0d55ea6
SHA1 e8c4b4e815c1788b3bab96fc44560d7282282fe1
SHA256 ec5d04c8ef3fe0e571c8e604bf146b393108cee11f1ad3d665b7501ec20d37d0
SHA3 85e8c59b71094f3ffe0990fe28a56df78d58756dc3a423284dff50f92ed7fa6f

Version Info

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x40db60
SEHandlerTable 0x40b550
SEHandlerCount 3

RICH Header

XOR Key 0xd73b8ed3
Unmarked objects 0
C++ objects (VS2008 build 21022) 31
ASM objects (VS2008 build 21022) 16
C objects (VS2008 build 21022) 96
Imports (VS2012 build 50727 / VS2005 build 50727) 9
Total imports 99
138 (VS2008 build 21022) 2
Linker (VS2008 build 21022) 1
Resource objects (VS2008 build 21022) 1

Errors