Manalyze report for 0e69b6bd18e064c83a11b48495c1b01e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2019-Aug-01 17:53:32
Detected languages	English - United States Hebrew - Israel
CompanyName	NirSoft
FileDescription	NirCmd
FileVersion	`2.86`
InternalName	NirCmd
LegalCopyright	Copyright © 2003 - 2019 Nir Sofer
OriginalFilename	NirCmd.exe
ProductName	NirCmd
ProductVersion	`2.86`

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: Cmd.exe`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegCloseKey` `Possibly launches other programs: ShellExecuteA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Can take screenshots: BitBlt GetDC`
Info	The PE's resources present abnormal characteristics.	`Resource 1 is possibly compressed or encrypted.` `Resource 102 is possibly compressed or encrypted.` `Resource 112 is possibly compressed or encrypted.`
Malicious	VirusTotal score: 3/72 (Scanned on 2025-04-22 18:59:51)	`Bkav: W32.AIDetectMalware` `SentinelOne: Static AI - Suspicious PE` `Sophos: NirCmd (PUA)`

Hashes

MD5	`0e69b6bd18e064c83a11b48495c1b01e`
SHA1	`21c4cc08d3600c564bd0d04c8553e59f564bfff4`
SHA256	`67e0d635825cbf7cc213670f671544da9ff18047742dd4a0696a508b79eef607`
SHA3	`afcf30315158fdee4cb0c42ef4ee6a73a5acafd95dff751d96811b88f64c6ca3`
SSDeep	`768:UF24SNifq4YWc5uEvW7KrQaFzs4C9B18sEufqnYIG0y8XmEsYR2fWIrKiSU:UMNG9c5jfQ8XoB18FufVIG092lWAKiS`
Imports Hash	`2f9a0154d6a293d856bfb68d9a5042ea`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2019-Aug-01 17:53:32
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0xa000`
SizeOfInitializedData	`0x1000`
SizeOfUninitializedData	`0xf000`
AddressOfEntryPoint	`0x00019CD0 (Section: UPX1)`
BaseOfCode	`0x10000`
BaseOfData	`0x1a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x1b000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xf000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`b728c61d088f6aaf66130e32663848d4`
SHA1	`be4ef762ea30c39cd7033adbaf06de3ef72023eb`
SHA256	`38d34f95278347a923e65160f0867ccb26432a3d76a532917989a5abb0f24beb`
SHA3	`56b34d7100b65a929d1b190526d33c578bbb5026575ea200a8ed92830cb74417`
VirtualSize	`0xa000`
VirtualAddress	`0x10000`
SizeOfRawData	`0xa000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.89273`

.rsrc

MD5	`f62499aaa1c19a5911d2766e4c839876`
SHA1	`1ec86d2bf7f9a8a4388b3b92989a0d4a0a130524`
SHA256	`2d9a137f06f8fc91aac27e7099e8cbd88fdb541eafbde96675d6d4ff4cc0d128`
SHA3	`cb336db5f5b4939f17cd9d771d6e7ffee91e386ee4efbb151e4479a135bb253f`
VirtualSize	`0x1000`
VirtualAddress	`0x1a000`
SizeOfRawData	`0xa00`
PointerToRawData	`0xa400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.65713`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
ADVAPI32.dll	`RegCloseKey`
GDI32.dll	`BitBlt`
msvcrt.dll	`exit`
ole32.dll	`CoInitialize`
SHELL32.dll	`ShellExecuteA`
USER32.dll	`GetDC`
WINMM.dll	`mixerOpen`

Delayed Imports

1

Type	`RT_CURSOR`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x134`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.02441`
MD5	`da6150c74732f8544889d0bf214d9d39`
SHA1	`a3c29e8ed079e7c83b3c1da9af5ae1e2adfa5486`
SHA256	`567a78b17a0f1cb0d8ae2b1f9fddec10274b1e71408beee0e870aeb2b12a03ec`
SHA3	`75bdaee15a99326c2aacf311a4643c9e9f69afffa864031f718ffe2f409e6690`

102

Type	`RT_DIALOG`
Language	Hebrew - Israel
Codepage	Latin 1 / Western European
Size	`0x140`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.13444`
MD5	`05f8b4466be5623d21300d93afcc5c07`
SHA1	`ec66493c17a78bb3ac98bfda2216dfac219a47ce`
SHA256	`1b0d78747990b4785f3474aae2dbca90ec93f1188519115b97c39f7f0214aab5`
SHA3	`bcf4ac5282f4689f38d6049a24fed8ee1b368d4bceaace12050b24ea62774969`

112

Type	`RT_DIALOG`
Language	Hebrew - Israel
Codepage	Latin 1 / Western European
Size	`0x114`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.08076`
MD5	`4913dd8e911758da8790cfc9f831f862`
SHA1	`7a1350bc5d11dcf5211da57184a0629bc5f7b7d9`
SHA256	`2d2dc6d361ec4a2ccda929d34ef57c5bd2b5aab3d73d1ead5599ca5d9f8c2999`
SHA3	`787c20a7864a50bab6e31e4cc0a56989e335f7e071ef7d849506c05dcc49745d`

103

Type	`RT_GROUP_CURSOR`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.32193`
MD5	`d30c5b4cd0d3ca0a71f55c0768576478`
SHA1	`ec66f442d815c9ec426a418bb092821ea19e59d8`
SHA256	`71f5f11cac075eac92084869575447268ea9a058429e018feea9da17999c8a3d`
SHA3	`7dbdb39216ec3f7ce685424b6283a834bfb4b90aaa1aaf0e57c6b187e9fd9f7a`

1 (#2)

Type	`RT_VERSION`
Language	Hebrew - Israel
Codepage	Latin 1 / Western European
Size	`0x2a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.37016`
MD5	`b866ae690fdd5e571c37ffec0ac75918`
SHA1	`5896d77f385906e0689a7bfc864adc31f0b33cfa`
SHA256	`6237be97e5721039b68d80aa105d83b4f64d50ed0a86093a102b4d54629c4e39`
SHA3	`45d22ea6abc8ce96d03a9db02ea34bac1cfa9a71f200ee577ab48df3c2ab95ea`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x358`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.38164`
MD5	`004d136841202e13d5a6c74fa647976d`
SHA1	`0f1169d49bbfc5ad6dd882d92ad6470784815c6c`
SHA256	`e03b89a877d5f56b92dca22469dd240c439700b839c0344f910bdbcad1c02329`
SHA3	`ade16ca580f2bc782e23287867b1555fa20299381736ea66dc80aea1239e39e9`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.8.6.231
ProductVersion	2.8.6.231
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	NirSoft
FileDescription	NirCmd
FileVersion (#2)	2.86
InternalName	NirCmd
LegalCopyright	Copyright © 2003 - 2019 Nir Sofer
OriginalFilename	NirCmd.exe
ProductName	NirCmd
ProductVersion (#2)	2.86

Resource LangID	Hebrew - Israel

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xb08157fe`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
ASM objects (9210)	`4`
C objects (9178)	`12`
Imports (9210)	`2`
Imports (VS2003 (.NET) build 4035)	`19`
Total imports	`280`
114 (VS2012 build 50727 / VS2005 build 50727)	`29`
Resource objects (VS2012 build 50727 / VS2005 build 50727)	`1`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!
[*] Warning: Resource 103 is empty!