Manalyze report for 230eca9e861f2075149034a11c0f1792

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Dec-05 22:50:46
Detected languages	English - United States
CompanyName	bomgar
FileDescription	Bomgar
FileVersion	`15.1.4.58408`
LegalCopyright	Copyright (C) 2002-2015 Bomgar Corporation. Redistribution Prohibited. All Rights Reserved.
ProductName	Bomgar

Plugin Output

Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryExA GetProcAddress` `Can access the registry: RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Can shut the system down or lock the screen: ExitWindowsEx`
Info	The PE is digitally signed.	`Signer: Bomgar Corporation` `Issuer: Symantec Class 3 SHA256 Code Signing CA`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`230eca9e861f2075149034a11c0f1792`
SHA1	`edebaea909b2174611572e2b2581b5843b83deaa`
SHA256	`ca015004e2283924d707a39aac4d0e94944dcfcd65e748379fb60830c0a84068`
SHA3	`4b68496ee287dfaf96aea92bd7f85c890163d8575f8a8cdc9a09fbbf9b983302`
SSDeep	`24576:nNKTpKf9q3PditjYCUjxhUyGApxKDZMV/ShGH3OaILdLHaxN4Z2suqyy6PdjnMtB:N+p93PdwU16yqyV/SYTqLe+2TjfKn`
Imports Hash	`d9e6a5e6bae798e211941a3a501049ea`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2009-Dec-05 22:50:46
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5c00`
SizeOfInitializedData	`0x1d400`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x0000323C (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x34000`
SizeOfHeaders	`0x400`
Checksum	`0x1b2db8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0bc2ffd32265a08d72b795b18265828d`
SHA1	`dd2a446014a37556f39173b802c63a4e46e09366`
SHA256	`c5ee0a2892a4f9c317f9b33bfc3531e0235faa9a2a3b4c41bd71d39e4fd87d6f`
SHA3	`11ea595bc9adc98eea7c16af8a6b74aa6435a680e4c4d3de0baa4e919d3f2e25`
VirtualSize	`0x5a5a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.4177`

.rdata

MD5	`f179218a059068529bdb4637ef5fa28e`
SHA1	`6035d27db526131eb0f29aee60cfcdbb5072ed7d`
SHA256	`f80bf00310bd25e46e26c4b2042fa8215c3e5ce759947fe081d25b454dfc0fbe`
SHA3	`1a90c2506162a31f6264cafaafb479568941dc807c95a93babd7ebe526f2181f`
VirtualSize	`0x1190`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.18163`

.data

MD5	`975304d6dd6c4a4f076b15511e2bbbc0`
SHA1	`1f65340672c91ffd0f2583ff104beaece43c7855`
SHA256	`1e9a47766ca6c6ff180369d74d6db2eea7fd80b802eb3c8f1c1da79cfcafebc7`
SHA3	`bfd0fac532943cab215e411ffa4d4dd8a8a1063e6169fbe8f202a02192a9acae`
VirtualSize	`0x1af98`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.70903`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xb000`
VirtualAddress	`0x24000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`944a29ab1ab077d94679ded8321cefdd`
SHA1	`fd3bed809ce7d99d717cdd49bc4dfc305d83f2c3`
SHA256	`c81512edf7f3cd1e3874f6417b0c5ab7790d7d105e8de1ddea9435766d5460a4`
SHA3	`5911469ad0f4316d2bab181e9899e763ecd5214a8213936a3c0af935ae863aca`
VirtualSize	`0x4068`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x4200`
PointerToRawData	`0x7600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.73104`

Imports

KERNEL32.dll	`CompareFileTime` `SearchPathA` `GetShortPathNameA` `GetFullPathNameA` `MoveFileA` `SetCurrentDirectoryA` `GetFileAttributesA` `GetLastError` `CreateDirectoryA` `SetFileAttributesA` `Sleep` `GetTickCount` `CreateFileA` `GetFileSize` `GetModuleFileNameA` `GetCurrentProcess` `CopyFileA` `ExitProcess` `SetFileTime` `GetTempPathA` `GetCommandLineA` `SetErrorMode` `LoadLibraryA` `lstrcpynA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `CreateProcessA` `RemoveDirectoryA` `GetTempFileNameA` `lstrlenA` `lstrcatA` `GetSystemDirectoryA` `GetVersion` `CloseHandle` `lstrcmpiA` `lstrcmpA` `ExpandEnvironmentStringsA` `GlobalFree` `GlobalAlloc` `WaitForSingleObject` `GetExitCodeProcess` `GetModuleHandleA` `LoadLibraryExA` `GetProcAddress` `FreeLibrary` `MultiByteToWideChar` `WritePrivateProfileStringA` `GetPrivateProfileStringA` `WriteFile` `ReadFile` `MulDiv` `SetFilePointer` `FindClose` `FindNextFileA` `FindFirstFileA` `DeleteFileA` `GetWindowsDirectoryA`
USER32.dll	`EndDialog` `ScreenToClient` `GetWindowRect` `EnableMenuItem` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `RegisterClassA` `TrackPopupMenu` `AppendMenuA` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `DestroyWindow` `CreateDialogParamA` `SetTimer` `SetWindowTextA` `PostQuitMessage` `SetForegroundWindow` `wsprintfA` `SendMessageTimeoutA` `FindWindowExA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `OpenClipboard` `ExitWindowsEx` `IsWindow` `GetDlgItem` `SetWindowLongA` `LoadImageA` `GetDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndPaint` `ShowWindow`
GDI32.dll	`SetBkColor` `GetDeviceCaps` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectA` `SetBkMode` `SetTextColor` `SelectObject`
SHELL32.dll	`SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA` `SHGetSpecialFolderLocation`
ADVAPI32.dll	`RegQueryValueExA` `RegSetValueExA` `RegEnumKeyA` `RegEnumValueA` `RegOpenKeyExA` `RegDeleteKeyA` `RegDeleteValueA` `RegCloseKey` `RegCreateKeyExA`
COMCTL32.dll	`ImageList_AddMasked` `ImageList_Destroy` `#17` `ImageList_Create`
ole32.dll	`CoTaskMemFree` `OleInitialize` `OleUninitialize` `CoCreateInstance`
VERSION.dll	`GetFileVersionInfoSizeA` `GetFileVersionInfoA` `VerQueryValueA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.07477`
MD5	`7e904f569acf34d8d15303070ef0d534`
SHA1	`da24e5382235a3bdfdbad07265a426d805c93e53`
SHA256	`6de09000d661103e4ebb98bae1727ff8fc5ae48a7a12f25384c9941b841de865`
SHA3	`56003a843063b51c3a46f410f7ded9f5c040f1ce148b338bf3191ab4eb35c47b`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.0512`
MD5	`2618cdad0a26c3e1039b88577766d91a`
SHA1	`e301d26ce00765a2f7ad9fa1ba41b25419bc7081`
SHA256	`26ff850a1c74834094afbade30f6de7aabe66ab160fdecfde1bfce3db3e230cf`
SHA3	`2cb4ab13efaaa309d5e3d23dcbc976125fffcd708aaa78329b46302e13d95984`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.2328`
Detected Filetype	Icon file
MD5	`00029bd7de304953843167ae5136d247`
SHA1	`82027d4f3b2c09ec2dab4f1167ed647ec9588a0b`
SHA256	`50ae094d6a18de9b0a7767a1a824f5857846640bdc030e9ba9fec0cf4fb44418`
SHA3	`d65e0f920f3743d6c76384f4283051edf379aab91597607bb5e1c29889e76c9c`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x28c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.37224`
MD5	`b24b303e5421e1249640a362ee620a1d`
SHA1	`3414cbba1033d9c610c57dbb9f20ccaa7db9eccd`
SHA256	`94c76603c905df00ba68589ffe95192a5856ece2a3e7546969fca6625061b0d0`
SHA3	`460a299593f589f209d632e25ad362f19fee85cb69f11caed65c6df833e9f49d`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2d7`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.21857`
MD5	`3a8916be4b221fe94eba63af607d5a15`
SHA1	`904f6a7edb2f587ae950e757a71a0a1eb905cc19`
SHA256	`ffa6b3a3bd8f94ab1f93b39e14f8a1f26b0cd7533c74f9a43e9aa426f18f32a8`
SHA3	`b57ca1b5110703360c4189216dcb1830a91d075dfd0f359ce9738cfaf8b9ea2a`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	15.1.4.58408
ProductVersion	15.1.4.58408
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	bomgar
FileDescription	Bomgar
FileVersion (#2)	15.1.4.58408
LegalCopyright	Copyright (C) 2002-2015 Bomgar Corporation. Redistribution Prohibited. All Rights Reserved.
ProductName	Bomgar

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x69ead975`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`155`
Imports (VS2003 (.NET) build 4035)	`17`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!