Manalyze report for 0eaac13f83786553bb11b47427f54e7b

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Dec-06 07:30:53
Detected languages	English - United States
Comments
NTS:123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890$
CompanyName	theRenamer.com
8901234567890123456789012345678901234567890123456789012345678901234567890$
FileDescription	Awesome Simple Best Renamer with Episode Titles
678901234567890123456789012345678901234567890$
LegalCopyright	theRenamer.com
5678901234567890123456789012345678901234567890123456789012345678901234567890$
LegalTrademarks	theRenamer
:12345678901234567890123456789012345678901234567890123456789012345678901234567890$
ProductName	theRenamer: Awesome Simple Renamer
89012345678901234567890123456789012345678901234567890$
FileVersion	`7.6.9.0`
333
ProductVersion	`7.6.9.0`
333 (#2)
InternalName	theRenamer
9012345678901234567890123456789012345678901234567890
OriginalFilename	theRenamer.exe
345678901234567890123456789012345678901234567890.exe

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: QeMU`
Malicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `Unusual section name found: .VS` `The PE only has 6 import(s).` `The RICH header checksum is invalid.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Suspicious	The file contains overlay data.	`3341591 bytes of data starting at offset 0xad400.` `The overlay data has an entropy of 7.99924 and is possibly compressed or encrypted.` `Overlay data amounts for 82.4835% of the executable.`
Malicious	VirusTotal score: 5/67 (Scanned on 2018-03-17 04:24:08)	`Bkav: W32.HfsAutoB.3852` `Cylance: Unsafe` `TrendMicro-HouseCall: Suspicious_GEN.F47V0222` `AegisLab: Troj.W32.Gen.lvCl` `Zillya: Trojan.Black.Win32.42054`

Hashes

MD5	`0eaac13f83786553bb11b47427f54e7b`
SHA1	`61a12614ca5fccce1c49ececa617a2fc29b2b17a`
SHA256	`7d4729d200cc2619be16068ddd3918a69897c958e7ddd4fc100383035a69c394`
SHA3	`3ff0a832b7c17e68c63dce160685323bdde99900c5c39d07c33da2329d777ea7`
SSDeep	`98304:Nqot6NVRYKNlGMpiT0FNBa6MEox28wpw9:NqotynY+lGNT05/lq`
Imports Hash	`e58ab46f2a279ded0846d81bf0fa21f7`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xb0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Dec-06 07:30:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.2222`
SizeOfCode	`0x45c00`
SizeOfInitializedData	`0x68000`
SizeOfUninitializedData	`0x1d4000`
AddressOfEntryPoint	`0x002810F0 (Section: .VS)`
BaseOfCode	`0x1d5000`
BaseOfData	`0x219000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`457.8AE`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x283000`
SizeOfHeaders	`0x1000`
Checksum	`0xb8f0d`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1d4000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`eae8387354ac734abcf31a46f85cf73e`
SHA1	`9956caab1667262637d311c6a8ab139fd73e6d0e`
SHA256	`b46331d6a55428afa2fbbfbad2cbe0f04bcd05a2b7d9546993392f35b9d6015e`
SHA3	`4db7e8c4e7d18af301dd13fe76d2e9f3417d5ad57526d36838ca30d5f933c974`
VirtualSize	`0x44000`
VirtualAddress	`0x1d5000`
SizeOfRawData	`0x43c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.89251`

.rsrc

MD5	`d4545a3d9a7d5857720e0972b521a721`
SHA1	`cc1cd7b7cddd20805d473b7665bc5c6a9e54f070`
SHA256	`af4c4fc1641111ed577a2117735e3f491c3d714863a1fb4018ac858935ba6661`
SHA3	`7255e4c5cdb6624c1ffce1e7a71c39ceb8387760164fa22a2ecc952d8fa82388`
VirtualSize	`0x68000`
VirtualAddress	`0x219000`
SizeOfRawData	`0x67800`
PointerToRawData	`0x44000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.8199`

.VS

MD5	`4579f576cb07839fed4c7856a98541f0`
SHA1	`e2306a28c7c3f0c892acc3450dac340bf3614789`
SHA256	`f2e6a4c02a6f27adb096ebb92019c2c293ea836b43cb117b9e011de3070f003a`
SHA3	`de0942ad814156a73d0bb9c80de2e757c6aa3062af3afae1766a1173d5104abe`
VirtualSize	`0x1c00`
VirtualAddress	`0x281000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0xab800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.57252`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`

Delayed Imports

30001

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0xa068`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`5.05893`
Detected Filetype	PNG graphic file
MD5	`b4cf1ac02a5d3ec053cdaacd848a73a3`
SHA1	`38415b661d213dcdf2072d9981e2f9b780cf20af`
SHA256	`e42f6cd56e5d05b73f4f7a7030b6b2c93b841f52c3c94ce18d2d910f7e770016`
SHA3	`0d3ab668dd04fcd7cf7b29b14a6a6929f6adaa85d289acbdf869f604e6322c99`

30002

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x668`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`3.72185`
MD5	`fdd2c0fe49697964800855608e48c64c`
SHA1	`0da0b37b60c58d1fb37134639310b039d55a56f3`
SHA256	`3f496b481bd004fbfda96a6dfb28efa9337b6f7a7d0ae2ae74b839af0966cabc`
SHA3	`50d3739306c793c64a4defcb20d7a2b21b5ddfb0268858c145d8df64a2abd694`

30003

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x2e8`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`3.88061`
MD5	`79adfd93be721dd7372c2add713779cd`
SHA1	`95f48c4b1aaedbb8ab9670098dc549447a758cc4`
SHA256	`897768c80002c8062405d6dd92c5bb27b2920c1ad74b70da78d7cfa83e243175`
SHA3	`58d14c8d49bda67a7f7cf2cb3a1f57cf6921fac1519f43bcd56fe9c9dac68d08`

30004

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x128`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`3.2576`
MD5	`7e47d6f89e948b3b20d4e63d20e07c6d`
SHA1	`2d3d122d0d76b67b6db034f16f78b76f43ffa7e9`
SHA256	`6cc038ec44a674e42cfba81b3655b34fc795778751d83b4c19488b9b7e188e45`
SHA3	`9ad70cbe1f258a82792d6737bc72bfd5c0d01420a149c0c22015d2a2146de114`

30005

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x12428`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`4.20701`
Detected Filetype	PNG graphic file
MD5	`168f9390f58dc6e834fb8b54da3ca9eb`
SHA1	`2b3b0b0156791923ca7d1c2ed5d714d0f98ba409`
SHA256	`3725b076e606dca93966c786e773f93786cc7a362a8ea467021cc624565e3a0e`
SHA3	`f414f15850a0dea864cb99f4e78b32c0c5c66d5c7891cb5edfe2ac8fad01d274`

30006

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0xea8`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`5.13177`
MD5	`98c92705ba5d1c649e9588e733c3fe48`
SHA1	`03e54e9a71d65aeaba8021e8386a226481fca9df`
SHA256	`cab4f03f10d8ad0313c4cbd500ec8adda029f889a7c9187b38b7e41c0b37c6e6`
SHA3	`ef62425ffa30d5f9afe32322e98b68a07ac0cca3164598ddfe8387a766a92665`

30007

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x8a8`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`5.10365`
MD5	`51791b645029976ff1086ca927843247`
SHA1	`4c74490ffb2cee4f47828feadefd400a64e66411`
SHA256	`1a80e41de69e13593041e574a8201dc96031918ac7b1b251fe559005dcb1ba7b`
SHA3	`e6d18c4b50a70678f08e8d84d323a1fb5e097b65a85ad33092239d2a908d2691`

30008

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x568`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`4.75284`
MD5	`2166cc1d3b0b78a6ee7fb6b3a86cdba3`
SHA1	`56c1c1ad0eff083195d703d3379815d72cc3c904`
SHA256	`78822310b6d0dbdc0aa5cdc96178a1d3565797b40344f7203c499b0408913676`
SHA3	`b21e1974a94ae3e5be2099e47c36127d3a286f6775ed57b7151125f7416c0d8a`

30009

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x42028`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`2.81309`
Detected Filetype	PNG graphic file
MD5	`165c936d0c364659130c677f8bb1c1d3`
SHA1	`72d02ed6e32255c711016af0126aed29f58663bb`
SHA256	`b7214fa24df52a912218b7094e2d809fbfaa1d92859deb965a01ee13745ae027`
SHA3	`fbee54c7111abf4ee86b8241665a1cdefab9326652452275ef4b378f8180bb10`

30010

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x25a8`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`5.25584`
MD5	`b7cc7e0f76a7d0a65e586505964d2182`
SHA1	`194d0d60a8c2cd1b45834f01617688f20a024af2`
SHA256	`a997dc900418b68676916e74f8d4cb33cc4656b0c412d2c116b292097226b310`
SHA3	`5ea9ab5e5822d4f5d848b6426f64f52795a0c79591994c1d037ab808c38b7c0e`

30011

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x10a8`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`5.28966`
MD5	`ac8b7d8645178d6cf54b3f51e3f59d7a`
SHA1	`ade692db9920ed611b707affae1485cfa5d39bc7`
SHA256	`21083e1b3249ea726b64270a169b5e247a61266626c2c46309138d797b287d34`
SHA3	`737a423226c30006b0ffbbe2883df400836e87ba32ec53f0c84970ffa683c532`

30012

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x468`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`5.53375`
MD5	`3562f8bfaaadea5ea4661d2f5c2a684f`
SHA1	`983f87a169bba047b4b52ea108eb7fe64e78274d`
SHA256	`bafa2ca7c7579b8ad9d503ee767ec337619f329d368b897ccd65e53d86d8c4b2`
SHA3	`711a36fa665cf25c474691ab08f6cfcee6427671a6abedcdf03cbe30c4ba8c5d`

1

Type	`RT_STRING`
Language	English - United States
Codepage	Unicode (UTF 16LE)
Size	`0xe0`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`1.93975`
MD5	`f4dce30062673c9149676351eacfebec`
SHA1	`4a9713ee051168cc0e488c6b9cd100b2fef33f8d`
SHA256	`4fd6a96ca9c001a36b34781f69daa21944faf4007b1076556d52fcd6193bf1ef`
SHA3	`0bc76dfc761306d7e45cb12a4e95c4f60c22197c84e0d6d30bc2dec227da6a2b`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0xb0`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`3.30389`
Detected Filetype	Icon file
MD5	`6f197c8069d7e9cda6ec383ee9dc38ab`
SHA1	`9ae8c721db95122fc254526104a9fa17597df621`
SHA256	`6dea198fff8ca6f0cd1774680e83cbe6108b9acd0df9039890f1cce17a94d43c`
SHA3	`9f7f1a0a146ebc76cbbcfa42bc1d2cee47310afe8ee90577ce0fce6fb987cf85`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	Unicode (UTF 16LE)
Size	`0x948`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`3.34427`
MD5	`35adbc01d0ac7c73de3272b6550a5d22`
SHA1	`164ef8502dc4c4a2b12bd6d3de3a7dbf5113a0e9`
SHA256	`6f2c8e2b07446c811b971ae84ae06e7a0c09c08fc99a3e6bc8c595c3d86d81e0`
SHA3	`f247ac79180a7aad684a7a20623e5e8fe2a76a72722e8add353eb7624f710818`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Unicode (UTF 16LE)
Size	`0x2000`
TimeDateStamp	2010-Dec-06 07:30:53
Entropy	`1.35137`
MD5	`d3924cd04d54f58b1520536a55445dfa`
SHA1	`b250a993fb210db5c9ff4e38509d8e1fca050922`
SHA256	`8624578029181aadd241dcf4e12e462c3d9875ece8b5d5d2be7ea7adec02bb65`
SHA3	`b39ab716cf52ea40bb14a999f59b8e48a40cc8710fa7d10375c01a6934cbd194`

String Table contents

theRenamer: Awesome Simple Best Renamer with Episode Titles

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	7.6.9.0
ProductVersion	7.6.9.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments
NTS:123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890$
CompanyName	theRenamer.com
8901234567890123456789012345678901234567890123456789012345678901234567890$
FileDescription	Awesome Simple Best Renamer with Episode Titles
678901234567890123456789012345678901234567890$
LegalCopyright	theRenamer.com
5678901234567890123456789012345678901234567890123456789012345678901234567890$
LegalTrademarks	theRenamer
:12345678901234567890123456789012345678901234567890123456789012345678901234567890$
ProductName	theRenamer: Awesome Simple Renamer
89012345678901234567890123456789012345678901234567890$
FileVersion (#2)	7.6.9.0
333
ProductVersion (#2)	7.6.9.0
333 (#2)
InternalName	theRenamer
9012345678901234567890123456789012345678901234567890
OriginalFilename	theRenamer.exe
345678901234567890123456789012345678901234567890.exe

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x88697a29`
Unmarked objects	`0`
13 (8964)	`1`

Errors

[*] Warning: Section UPX0 has a size of 0!