Manalyze report for 1e27184759cc4099c0da73b152408281

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-May-10 05:33:06
Detected languages	English - United States
Comments	Does Mercury ever fail in the Cure of Lues Venerea
CompanyName	fLASH This is a question of the highest importance, and therefore merits our attention
FileDescription	Collection of Voyages and Travels, Volume VI
ProductName	Georg
FileVersion	`1.00.0729`
ProductVersion	`1.00.0729`
InternalName	7nWHc
OriginalFilename	7nWHc.exe

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual Basic v5.0/v6.0` `Microsoft Visual Basic v5.0 - v6.0`
Suspicious	The file contains overlay data.	`809330 bytes of data starting at offset 0x10000.` `The overlay data has an entropy of 7.99899 and is possibly compressed or encrypted.` `Overlay data amounts for 92.509% of the executable.`
Malicious	VirusTotal score: 42/55 (Scanned on 2016-07-14 19:46:57)	`Bkav: HW32.Packed.EF55` `MicroWorld-eScan: Trojan.GenericKD.3219041` `nProtect: Trojan.GenericKD.3219041` `CAT-QuickHeal: Ransomware.Generic.WR3` `ALYac: Trojan.GenericKD.3219041` `VIPRE: Trojan.Win32.Generic!BT` `K7GW: Trojan ( 004eeacd1 )` `K7AntiVirus: Trojan ( 004eeacd1 )` `Arcabit: Trojan.Generic.D311E61` `Baidu: Win32.Trojan.WisdomEyes.151026.9950.9999` `NANO-Antivirus: Trojan.Win32.Encoder.ecixgz` `Symantec: Trojan.Gen` `ESET-NOD32: a variant of Win32/Injector.CYGW` `Avast: Win32:Malware-gen` `Kaspersky: Trojan-Ransom.Win32.Shade.kpk` `BitDefender: Trojan.GenericKD.3219041` `Agnitum: Trojan.Shade!` `ViRobot: Trojan.Win32.Z.Injector.874866[h]` `Ad-Aware: Trojan.GenericKD.3219041` `Emsisoft: Trojan.GenericKD.3219041 (B)` `F-Secure: Trojan.GenericKD.3219041` `DrWeb: Trojan.Encoder.4509` `TrendMicro: TROJ_GEN.R00XC0DED16` `McAfee-GW-Edition: BehavesLike.Win32.Autorun.cc` `Sophos: Mal/Generic-S` `Cyren: W32/Trojan.MDAP-2837` `Jiangmin: Backdoor.Androm.hlx` `Avira: TR/Dropper.VB.yufn` `Microsoft: Ransom:Win32/Troldesh.A` `AegisLab: Troj.Ransom.W32.Shade!c` `GData: Trojan.GenericKD.3219041` `AhnLab-V3: Malware/Win32.Generic.N1997427770` `McAfee: RDN/Ransom` `AVware: Trojan.Win32.Generic!BT` `VBA32: Hoax.Shade` `Tencent: Win32.Trojan.Shade.Dzal` `Yandex: Trojan.Shade!` `Ikarus: Trojan.Win32.SelfDel` `Fortinet: W32/Injector.CYDM!tr` `AVG: Generic_vb.LJF` `Panda: Trj/CI.A` `Qihoo-360: HEUR/QVM03.0.Malware.Gen`

Hashes

MD5	`1e27184759cc4099c0da73b152408281`
SHA1	`cf71196d88354a8324fdaa12013a4d80aa3b7c55`
SHA256	`9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec`
SHA3	`d08cd29cfc3a194d3e7903207379f0747345a3dbc15f0656adae2529c9c7527d`
SSDeep	`24576:nggg3ggg9KDv9MvJhNAeWRuyKgVeKSBpfPjw97:hKDGhhWR5d+BpTw97`
Imports Hash	`605505787a959c93faa2868a847607e9`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2016-May-10 05:33:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0xa000`
SizeOfInitializedData	`0x5000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000013F4 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xb000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x10000`
SizeOfHeaders	`0x1000`
Checksum	`0x10ea7`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`26008a90b1d5a4647ff11383530662d3`
SHA1	`37244a24100498cb32b7cc5ea0ab7fe04ada5cf5`
SHA256	`f8e275e16fd49464fb415947b9e99f48fa9ef2e7895f40f1c726ac697fc40376`
SHA3	`d00a7ca8b2e2477f958cbd25a411672119fdcdc5499230e2428d985e45a6bcdf`
VirtualSize	`0x9ed0`
VirtualAddress	`0x1000`
SizeOfRawData	`0xa000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.86468`

.data

MD5	`620f0b67a91f7f74151bc5be745b7110`
SHA1	`1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d`
SHA256	`ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7`
SHA3	`a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563`
VirtualSize	`0xb4c`
VirtualAddress	`0xb000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`5a51fd61cb8ee0b6ecb9f5598d745c3e`
SHA1	`c496bab8297770e0c86f2f09c6270a8e82e14c87`
SHA256	`480ff9a6650b9467385528b0bd2fae91558c408e7c9eaae1e5c94312f565ccd3`
SHA3	`bba77c5b40c4241ca8f974b90f5df77be387eb58d95b1c80a4a97222b206866c`
VirtualSize	`0x3610`
VirtualAddress	`0xc000`
SizeOfRawData	`0x4000`
PointerToRawData	`0xc000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.58447`

Imports

MSVBVM60.DLL	`__vbaVarSub` `_CIcos` `_adj_fptan` `__vbaVarMove` `__vbaAryMove` `__vbaFreeVar` `__vbaLenBstr` `__vbaStrVarMove` `#696` `__vbaFreeVarList` `_adj_fdiv_m64` `_adj_fprem1` `__vbaStrCat` `#660` `__vbaSetSystemError` `__vbaHresultCheckObj` `_adj_fdiv_m32` `__vbaVarCmpGe` `__vbaAryDestruct` `__vbaExitProc` `__vbaOnError` `__vbaObjSet` `_adj_fdiv_m16i` `__vbaObjSetAddref` `_adj_fdivr_m16i` `__vbaVarIndexLoad` `__vbaBoolVarNull` `_CIsin` `#631` `#525` `__vbaChkstk` `__vbaCyVar` `__vbaFileClose` `EVENT_SINK_AddRef` `__vbaGenerateBoundsError` `__vbaStrCmp` `__vbaGet3` `__vbaVarTstEq` `__vbaAryConstruct2` `DllFunctionCall` `__vbaVarOr` `__vbaLbound` `_adj_fpatan` `EVENT_SINK_Release` `__vbaUI1I2` `_CIsqrt` `__vbaVarAnd` `EVENT_SINK_QueryInterface` `__vbaUI1I4` `__vbaExceptHandler` `#711` `_adj_fprem` `_adj_fdivr_m64` `__vbaVarCmpLe` `__vbaFPException` `#717` `__vbaUbound` `__vbaVarCat` `__vbaI2Var` `#537` `_CIlog` `__vbaErrorOverflow` `__vbaFileOpen` `__vbaNew2` `#570` `__vbaVar2Vec` `_adj_fdiv_m32i` `_adj_fdivr_m32i` `__vbaStrCopy` `__vbaVarNot` `__vbaFreeStrList` `_adj_fdivr_m32` `_adj_fdiv_r` `#685` `#100` `__vbaI4Var` `__vbaVarCmpEq` `__vbaAryLock` `__vbaVarDup` `__vbaVarLateMemCallLd` `_CIatan` `__vbaStrMove` `__vbaStrVarCopy` `#542` `_allmul` `_CItan` `__vbaUI1Var` `__vbaAryUnlock` `_CIexp` `__vbaFreeObj` `__vbaFreeStr`

Delayed Imports

30001

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0xea8`
TimeDateStamp	2016-May-10 05:33:06
Entropy	`4.23919`
MD5	`6607c1d16757752320935febd3c4807c`
SHA1	`05b316f0fe681753b96c49b1e363e5c44f1642c9`
SHA256	`5701ed92b126da1f69f8d16899effee54381c956d3ce007f7cb461c448a4a123`
SHA3	`6d953f116a7953a2a858757e1d11290f6b37ed2a15a2cd55f025f17e60f2dd23`

30002

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x8a8`
TimeDateStamp	2016-May-10 05:33:06
Entropy	`4.39557`
MD5	`0506542e0b471089f10ac4a27c74b407`
SHA1	`dd45ec601e4b6f7e2dc77279e794d51b5edbd17b`
SHA256	`36a5572adf10f963e3f9efb90523a104ef4cd96f14fbc37e4e4e2bc5891bbfc1`
SHA3	`4b1cc686595dfc844f6f202e4632cef814f7aafe4c5e6d2fd463da6ee96e36c8`

30003

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x10a8`
TimeDateStamp	2016-May-10 05:33:06
Entropy	`4.2635`
MD5	`19a055710af1effeed0db023eaed32cb`
SHA1	`0a414d0fca58e27031f5a27ea2cd11f2d4f64ee9`
SHA256	`bca00353b9cde1e8630f704b39c34f7e97da134820d213c0c2731fbb96695418`
SHA3	`d27f2171e80f63c71cc4ae69c321c791eb8afd9785fe99b527971613bc132840`

30004

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x8a8`
TimeDateStamp	2016-May-10 05:33:06
Entropy	`4.39557`
MD5	`0506542e0b471089f10ac4a27c74b407`
SHA1	`dd45ec601e4b6f7e2dc77279e794d51b5edbd17b`
SHA256	`36a5572adf10f963e3f9efb90523a104ef4cd96f14fbc37e4e4e2bc5891bbfc1`
SHA3	`4b1cc686595dfc844f6f202e4632cef814f7aafe4c5e6d2fd463da6ee96e36c8`

1

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Unicode (UTF 16LE)
Size	`0x40`
TimeDateStamp	2016-May-10 05:33:06
Entropy	`2.74879`
Detected Filetype	Icon file
MD5	`1f98d0d413465ae361b22984b2ce4859`
SHA1	`30ad52ae64da8cc205cd87e08f800d4ef34dbc0d`
SHA256	`4bfe6b784517114ae4f0cab0546018accc0ccee52e93cb88868b3a343ba05757`
SHA3	`02a325c7a5765d5c1f7389f371c83529e55a3a79fc9c5d89d2aeff1442ffb26e`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Unicode (UTF 16LE)
Size	`0x3b0`
TimeDateStamp	2016-May-10 05:33:06
Entropy	`3.39712`
MD5	`edbb455e1f90877adf8aa2d1778321f2`
SHA1	`d1715f5f8b060a7eab98a29d7cdcd3890fa4ec94`
SHA256	`a81eefd6eba27dd872052e00c0b31af82ed9d7d1eb9fe5c0f2a7656d944ceab1`
SHA3	`be3b94dc78a42886ac5a3053a059135964dcc8d4081770cde3e761ddb4e8118a`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.729
ProductVersion	1.0.0.729
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	Does Mercury ever fail in the Cure of Lues Venerea
CompanyName	fLASH This is a question of the highest importance, and therefore merits our attention
FileDescription	Collection of Voyages and Travels, Volume VI
ProductName	Georg
FileVersion (#2)	1.00.0729
ProductVersion (#2)	1.00.0729
InternalName	7nWHc
OriginalFilename	7nWHc.exe

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x8917a389`
Unmarked objects	`0`
14 (7299)	`1`
9 (8041)	`4`
13 (8169)	`1`

1e27184759cc4099c0da73b152408281

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.rsrc

Imports

Delayed Imports

30001

30002

30003

30004

1

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors