Manalyze report for 10032259800cec8a23a636595579eb95

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1999-Mar-15 21:58:19
Detected languages	English - United States
ProductName	z 3 r 0 _ x
FileVersion	`8.01.0008`
ProductVersion	`8.01.0008`
InternalName	Dosya Klasörü
OriginalFilename	Dosya Klasörü.exe

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentVersion\Run`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.` `Section .rsrc is both writable and executable.` `Section .text is both writable and executable.` `The PE only has 7 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Suspicious	The PE header may have been manually modified.	`The resource timestamps differ from the PE header: 2018-Sep-03 04:42:56`
Suspicious	The file contains overlay data.	`140 bytes of data starting at offset 0x7d574.`
Malicious	VirusTotal score: 44/69 (Scanned on 2019-09-16 10:38:40)	`MicroWorld-eScan: Gen:Trojan.Heur.Fq1@rHmIwkfib` `CAT-QuickHeal: W32.Virut.Cur1` `Cylance: Unsafe` `SUPERAntiSpyware: Trojan.Agent/Gen-Malent` `Cybereason: malicious.9800ce` `Arcabit: Trojan.Heur.E010DC` `Invincea: heuristic` `Baidu: Win32.Trojan.Agent.bf` `F-Prot: W32/Ramnit.B!Generic` `ESET-NOD32: a variant of Win32/Chir.C` `APEX: Malicious` `ClamAV: Win.Worm.Brontok-88` `BitDefender: Gen:Trojan.Heur.Fq1@rHmIwkfib` `Avast: Win32:Agent-BARL [Trj]` `Tencent: Virus.Win32.Virut.ua` `Ad-Aware: Gen:Trojan.Heur.Fq1@rHmIwkfib` `Comodo: Heur.Corrupt.PE@1z141z3` `F-Secure: Malware.W32/Chir.B` `DrWeb: Trojan.KillFiles.8725` `VIPRE: Virus.Win32.Ramnit.a!dam (v)` `TrendMicro: Mal_OtorunN` `McAfee-GW-Edition: BehavesLike.Win32.Ramnit.hh` `Trapmine: malicious.high.ml.score` `FireEye: Generic.mg.10032259800cec8a` `Emsisoft: Gen:Trojan.Heur.Fq1@rHmIwkfib (B)` `SentinelOne: DFI - Malicious PE` `Jiangmin: Win32/Virut.bv` `Avira: W32/Chir.B` `Antiy-AVL: Worm[NET]/Win32.Nimda.gic` `Endgame: malicious (moderate confidence)` `Microsoft: Virus:Win32/Chir.gen!dam` `GData: Gen:Trojan.Heur.Fq1@rHmIwkfib` `AhnLab-V3: HEUR/Fakon.mwf` `Acronis: suspicious` `MAX: malware (ai score=83)` `Malwarebytes: Worm.AutoRun` `TrendMicro-HouseCall: Mal_OtorunN` `Rising: Worm.VobfusEx!1.99DF (CLASSIC)` `Yandex: Win32.Ramnit.Gen.2` `Ikarus: Net-Worm.Win32.Cynic` `eGambit: Unsafe.AI_Score_100%` `Fortinet: W32/Chir.C!tr` `AVG: Win32:Agent-BARL [Trj]` `CrowdStrike: win/malicious_confidence_100% (D)`

Hashes

MD5	`10032259800cec8a23a636595579eb95`
SHA1	`ecce7f870242ab2dabdda672bb79c2c7ab439dbc`
SHA256	`e96cba3c8be59c86445f68de1981799f138853a60a95c0846a0faf74c927d6e8`
SHA3	`85a8669b50d0d2274ae8dda3435e546ef30088fc82414610f425f314cdaddab8`
SSDeep	`6144:Z2AsnAnUJoSkfV7w1772IHesodAbmPoMkcc7mn0wN/hMhgRx:lsnAsoSaV7wZ27djP5kcc7Haq2R`
Imports Hash	`2511c8c7d84924eb85e4ed4b9b156385`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xa0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	1999-Mar-15 21:58:19
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.1`
SizeOfCode	`0xd000`
SizeOfInitializedData	`0x14000`
SizeOfUninitializedData	`0x6a000`
AddressOfEntryPoint	`0x41EC0C7A (Section: ?)`
BaseOfCode	`0x6b000`
BaseOfData	`0x78000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`8.1`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xec000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x6a000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`7c3d25e873264d3b796666707dd18970`
SHA1	`08ffa6656169e4142c708e81c93cc47801cd5771`
SHA256	`44e76a66d3fe216bad3025e630fcbbcdba4330b09bea942b411f13eecf0fb8ce`
SHA3	`588ba25c3217ae854c6f7a2e369ba64d38709f5a91dd4db4aeee47e48cbf976e`
VirtualSize	`0xd000`
VirtualAddress	`0x6b000`
SizeOfRawData	`0xc200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.97316`

.rsrc

MD5	`f21ebf5f71b6e28cde3251ccd4fed068`
SHA1	`3ed1d62fc371a567e3418e46402565b67b3719d2`
SHA256	`f4d7970e2278dcbbf26405552caea1f62933b2120bed310d4563739a9c4f512a`
SHA3	`42e64a7432f8593e3dc4d9a0d50b4a648b634e945ea45f1bcc581484aa997e8f`
VirtualSize	`0x423f8`
VirtualAddress	`0x78000`
SizeOfRawData	`0x42400`
PointerToRawData	`0xc600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`76`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.56471`

.text

MD5	`5e67874ed295eecaaf453295d9780219`
SHA1	`aa3846ba586ebcc2d37be6f394a0b94e7116911f`
SHA256	`47625b39c3e2ade48be46c7c850490690a8efa5173b382009fc4fb5dfd799ff7`
SHA3	`112489c1d7684151d3de1bdb3cba112a76db056444fac0077828ba91dd30ac0b`
VirtualSize	`0x30770`
VirtualAddress	`0xbb000`
SizeOfRawData	`0x2eb7c`
PointerToRawData	`0x4e9f8`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.66416`

Imports

KERNEL32.DLL	`LoadLibraryA` `GetProcAddress` `VirtualProtect` `VirtualAlloc` `VirtualFree` `ExitProcess`
MSVBVM60.DLL	`#581`

Delayed Imports

30001

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x668`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`2.7552`
MD5	`b40f3850d65c294635fb7659231e235d`
SHA1	`2c495a9e77228f19fef41746c85370b16d416ab0`
SHA256	`0f943fabdeb1c8cd7f7baef1e4d829ce14c0dda554f9bd2ddab37bc49fc24b4b`
SHA3	`81cfac9eac6e4f2a6f2bfa13b8f5866f05efd4de93dbd3cb59a49f3ea048a9a2`

30002

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x2e8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.07781`
MD5	`1e738f21047a83a0aae9d911914f6343`
SHA1	`c8df9cbfb9e34fb1503178f3f6351b75b6bca56d`
SHA256	`b26f4cf1284200f1f93ee013b84e619d5681b24465ae234dcc2bf7d40200d655`
SHA3	`e14a17c9adebfd8912731859035f292ba42c6adc402d86c3a5c73f0df57702f9`

30003

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x128`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.31077`
MD5	`bdade9c9e6e62a205a185c86a3bcf424`
SHA1	`661ea52b96bda10bfe23636e8f8f7841d8b9638b`
SHA256	`858121b7bfeb21243476b839ea53b35a2c52fa9700851bc8ebe59ed526a712a9`
SHA3	`c36aa77db59dde87deff46160efffea7d459ca4a12dd9c028ba330df0c18b133`

30004

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0xea8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.84352`
MD5	`d8ce71b0f9a7e4d452cd57672dc37bb7`
SHA1	`9b613f0cd5368b76d11f44d0e4f58a4769822d11`
SHA256	`77629cc5a79bc3f879d535e1d20f36af063eb2b862fdfd3a5fb6572d6ffa19c8`
SHA3	`df1c645b41370a9c66ee29637afd28e2447840bca958e8a856425c6ccd49b366`

30005

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x8a8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.91649`
MD5	`e275e8778d820c47ab4276fb9153b509`
SHA1	`7403f7065e951d89b8cc718702382c06337891cb`
SHA256	`9c9c0f95384ae4f05f21c8cbaf6c39dd1093c771b0b756aa21db4d9acc619f62`
SHA3	`b0b39327c38f74938c7e731c959303aaf3ec0154ba3f690bd7009d86f4d25041`

30006

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x6c8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.98653`
MD5	`361c9c3e652ec0903dad02d6edbab19f`
SHA1	`7dbcefa59aee67bf919da26cb07b7970540dd4f0`
SHA256	`d8af52fa15c2a2b07debaacccadcdbf3b457897ed8b60d07069341f045db79eb`
SHA3	`75c0756898de5542fa011699a03616e3647d08170784b214142392aa55ce78b4`

30007

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x568`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.84672`
MD5	`0807988d247c0de82fd74143c75df657`
SHA1	`23dd177890094ff88cb1847ef33d0409e5a70922`
SHA256	`62f901fe1e07ea44ba5aaf102116061ab8c206828dffd2e2d33a4bfa86656a1c`
SHA3	`5a8d2cf3e125aa7ca7a78b5a410995c7da6da482595dccc5bb448332c2665708`

30008

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x25a8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.313`
MD5	`ab44cba7fc88c86cae78d18616ba83e6`
SHA1	`0f7bf25373043eb8f4529a223f68a939c6885ad9`
SHA256	`b37db3fcf779b568b2d44edac50af9b7d1e8aa5d32e82e38283a002894d1b705`
SHA3	`727a9f9c53e066d127696dae3ddd3b2db3a106042854afcc13825c369865bcdf`

30009

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x10a8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.78865`
MD5	`7e8ed20b06ec05773b6a9b43860375f4`
SHA1	`f7af8fab0f3b6fededbaf234e79fd3197e6719ae`
SHA256	`a85b9e2eae5f2475ad4c2a23e83f91390f8053bdc56c83cd6b621908f6e8e738`
SHA3	`a1de10f4f4e6f4281ce9abc27a33b60e79140886fa5820d2cf9c2d54b86ceece`

30010

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x988`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.9998`
MD5	`ab18205aa448ea37f42d29fd693bb1ae`
SHA1	`eb5c5e48372d6a06ff4dad4e991a7acde6d60663`
SHA256	`6763e2219bb9efbc5ae8b775d27edd35e59b96a54ceee096ecc4ae79a0abeff2`
SHA3	`b2d4b7736740b03080e5d66cb81608206c22d82fcca54d0a6318210d2c2180b2`

30011

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x468`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.93119`
MD5	`e8f7620c5428108ed857933621be0178`
SHA1	`5b57998560f7c559211db7f317d7dfa658630668`
SHA256	`3b4cb11b67b625810f82506b2623c4b6f353937b9ecc8bed86d67b399521e942`
SHA3	`97f638c947db1e8b0aa8f54c5bc03f4625c46d54e8da24b33137559b7778f68c`

30012

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x2ca8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`6.29182`
MD5	`8bb85c191887b9af25ea3396d84e209b`
SHA1	`9734cc27fc97d55f2134e935a3613cb006e99802`
SHA256	`7595599a03bc5c1a45f8ef8c8c704e7569ca5ed67a9f6ec220010da24941aac8`
SHA3	`e91b2651749e24156cedd905c24ed9879cc6c54b982e17262f45e737d2279e08`

30013

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x94a8`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`4.23532`
MD5	`593b7f1e40ed9816a2f3eda589e662ae`
SHA1	`7d33590c1dbc9877a8a05ed45ec5fdcef7c3dd9f`
SHA256	`205e17734054a729c869d7758632dd40e37a7384e927b0f809da59152d056772`
SHA3	`976eae0bfa436b250fd9b78294f02b7004dd1e5676b79ac8abfa60b3a4ef87f6`

1

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0xbc`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.54786`
Detected Filetype	Icon file
MD5	`64d4d55b3c547c60e63ae096c6833dcb`
SHA1	`0c5ecce741f1eeb2c2ef70dd85721d11cbb760e0`
SHA256	`d33be46c729b68af9dd7f0438425d8a12015e6cf0516bfcd50d0acc3558a8c75`
SHA3	`76dce5d41409af3729839225f9e85cb2e46803ef12db5b97e092019f84a46f32`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Unicode (UTF 16LE)
Size	`0x208`
TimeDateStamp	2018-Sep-03 04:42:56
Entropy	`3.30813`
MD5	`e034b63c57d64cd2dff409532814957a`
SHA1	`9e5a4a4325765208363d529967a49702cff66fa7`
SHA256	`f130097db3f6ac2bdc79c0c9de5adb441eb3f0f24e46a1e88855d65c43a05401`
SHA3	`8672938befd01c0f5f0ebe198e78b514c5b3a589a670db3a207e7197592f613a`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	8.1.0.8
ProductVersion	8.1.0.8
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
ProductName	z 3 r 0 _ x
FileVersion (#2)	8.01.0008
ProductVersion (#2)	8.01.0008
InternalName	Dosya Klasörü
OriginalFilename	Dosya Klasörü.exe

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!