Manalyze report for 2737455bff260fdc22216c3d1185d814

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Dec-15 22:24:32
Detected languages	English - United States
Comments
CompanyName	dxdiag
FileDescription	dxdiag Application
FileVersion	`1.0.2.1`
LegalCopyright	Copyright dxdiag company
LegalTrademarks	dxdiag company
ProductName	dxdiag

Plugin Output

Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA` `Can access the registry: RegCreateKeyExA RegOpenKeyExA RegEnumValueA RegDeleteKeyA RegDeleteValueA RegCloseKey RegSetValueExA RegQueryValueExA RegEnumKeyA` `Possibly launches other programs: CreateProcessA` `Can create temporary files: CreateFileA GetTempPathA` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Changes object ACLs: SetFileSecurityA` `Can shut the system down or lock the screen: ExitWindowsEx`
Info	The PE is digitally signed.	`Signer: law.com` `Issuer: Trusted Secure Certificate Authority 5`
Malicious	VirusTotal score: 45/71 (Scanned on 2019-07-05 07:38:08)	`Bkav: HW32.Packed.` `MicroWorld-eScan: Trojan.Agent.DZCM` `FireEye: Trojan.Agent.DZCM` `CAT-QuickHeal: Trojan.Wacatac` `McAfee: RDN/Generic.dx` `Alibaba: Trojan:Win32/Agentb.8f98eb93` `K7AntiVirus: Trojan ( 005505201 )` `TrendMicro: Trojan.Win32.DELF.AKT` `NANO-Antivirus: Trojan.Win32.Delf.frtxvo` `F-Prot: W32/Trojan3.AOCC` `Symantec: Trojan Horse` `Paloalto: generic.ml` `Kaspersky: Trojan.Win32.Agentb.jpsa` `BitDefender: Trojan.Agent.DZCM` `AegisLab: Trojan.Win32.Agentb.4!c` `Tencent: Win32.Trojan.Raasmx.Auto` `Endgame: malicious (high confidence)` `Emsisoft: Trojan.Agent.DZCM (B)` `Comodo: Malware@#3ht055kuiswb9` `F-Secure: Trojan.TR/AD.TA505.DQ` `DrWeb: Trojan.Siggen8.35088` `Zillya: Trojan.Agentb.Win32.22672` `McAfee-GW-Edition: RDN/Generic.dx` `Sophos: Troj/Mdrop-ISJ` `Cyren: W32/Trojan.XYUQ-3703` `Webroot: W32.Adware.Gen` `Avira: TR/AD.TA505.DR` `Fortinet: W32/Delf.BJF!tr` `Arcabit: Trojan.Agent.DZCM` `ViRobot: Trojan.Win32.S.Infostealer.411696` `ZoneAlarm: Trojan.Win32.Agentb.jpsa` `Microsoft: Trojan:Win32/Skeeyah.A!bit` `AhnLab-V3: Backdoor/Win32.ServHelper.R277861` `ALYac: Backdoor.Agent.ServHelper` `Ad-Aware: Trojan.Agent.DZCM` `Malwarebytes: Trojan.Injector.NSIS` `ESET-NOD32: a variant of Win32/Delf.BJF` `TrendMicro-HouseCall: Trojan.Win32.DELF.AKT` `Rising: Backdoor.Agent!1.B95C (CLOUD)` `Ikarus: Backdoor.ServHelper` `GData: Trojan.Agent.DZCM` `AVG: Win32:Trojan-gen` `Avast: Win32:Trojan-gen` `CrowdStrike: win/malicious_confidence_100% (W)` `Qihoo-360: HEUR/QVM42.3.12C3.Malware.Gen`

Hashes

MD5	`2737455bff260fdc22216c3d1185d814`
SHA1	`66003b37c538f8dee543e014fef4fa17dcbe8e62`
SHA256	`fcfaa5a008448be96b273ca3d59e28d4a0b20156909da676520dc5103d15ad77`
SHA3	`b7d7d9e385458849bae3368249029182c92bbcc5970f8409c57a43c99cb5cbbb`
SSDeep	`6144:95aXZqZGebTwsnzad06EK8LemRw5YYx10+6dckHKM2GwpSeDxHDEOh8MTE19V8Un:uQ5bKYKhWw3x1sqkHKo3eDRDubLJ2S`
Imports Hash	`252855d26259282b1bb9bda8dff01755`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2018-Dec-15 22:24:32
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6200`
SizeOfInitializedData	`0x1d000`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x00003328 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x2e000`
SizeOfHeaders	`0x400`
Checksum	`0x6acd7`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0311bcb2ead177b380555800a8e6e6ee`
SHA1	`9b8f08f9640c322dbdf471fe113c60a6cae5d583`
SHA256	`019755b0ec6a48933fafa5a67be16db81d1531dfdafca7e8462d7a57ca9a270b`
SHA3	`e4af70cbba14ed2e18bf20f694a2bc5aa9af7dabf65216cc1b20b54fcdab98c9`
VirtualSize	`0x6077`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.40386`

.rdata

MD5	`926b1e688f085d737343e22bcf628243`
SHA1	`0a25c233003472b9655cbd0bfe8d21c962c8ede8`
SHA256	`31d66573fd3f6c2f210a2e0f179ababe40b511e57fcbe7b2880b57edbef7a0fe`
SHA3	`56036c53bce9bd3f7a1ee0f0290027a9105e20c329b90dbc886e1a778ab125fc`
VirtualSize	`0x1250`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.04481`

.data

MD5	`9b72314b8d9ad5c72778b00cdf336ee2`
SHA1	`bbd203dd006ce01350a17c86143140eb14a9d94e`
SHA256	`1b8fb6198506eaef35e7f92db9770170a7ce9aa0e85c43137e7c4dc180bf3a06`
SHA3	`ff15db8aea32748882caf52ba47d30dd187512b673ec544648061cb3403e92a5`
VirtualSize	`0x1a838`
VirtualAddress	`0xa000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.22445`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x25000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`7c092d18dca9bf6e445553ef23bdaafb`
SHA1	`da32f7427ad73f941ef5b0f5f4a29165d597b366`
SHA256	`2c4e5ead96561465bb5a9a4cbe17db911143271b4a98ebb75ccee6833f96107f`
SHA3	`eb1cc0cdc9cac66d5d2fbb0467a31214f76e7b30313f5f9a8bc60ed38400ebe9`
VirtualSize	`0xd10`
VirtualAddress	`0x2d000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x7e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.2476`

Imports

KERNEL32.dll	`SetEnvironmentVariableA` `CreateFileA` `GetFileSize` `GetModuleFileNameA` `ReadFile` `GetCurrentProcess` `CopyFileA` `Sleep` `GetTickCount` `GetWindowsDirectoryA` `GetTempPathA` `GetCommandLineA` `lstrlenA` `GetVersion` `SetErrorMode` `lstrcpynA` `ExitProcess` `SetCurrentDirectoryA` `GlobalLock` `CreateThread` `GetLastError` `CreateDirectoryA` `CreateProcessA` `RemoveDirectoryA` `GetTempFileNameA` `WriteFile` `lstrcpyA` `MoveFileExA` `lstrcatA` `GetSystemDirectoryA` `GetProcAddress` `GetExitCodeProcess` `WaitForSingleObject` `CompareFileTime` `SetFileAttributesA` `GetFileAttributesA` `GetShortPathNameA` `MoveFileA` `GetFullPathNameA` `SetFileTime` `SearchPathA` `CloseHandle` `lstrcmpiA` `GlobalUnlock` `GetDiskFreeSpaceA` `lstrcmpA` `FindFirstFileA` `FindNextFileA` `DeleteFileA` `SetFilePointer` `GetPrivateProfileStringA` `FindClose` `MultiByteToWideChar` `FreeLibrary` `MulDiv` `WritePrivateProfileStringA` `LoadLibraryExA` `GetModuleHandleA` `GlobalAlloc` `GlobalFree` `ExpandEnvironmentStringsA`
USER32.dll	`ScreenToClient` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `PostQuitMessage` `GetWindowRect` `EnableMenuItem` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndDialog` `RegisterClassA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `ExitWindowsEx` `GetDC` `CreateDialogParamA` `SetTimer` `GetDlgItem` `SetWindowLongA` `SetForegroundWindow` `LoadImageA` `IsWindow` `SendMessageTimeoutA` `FindWindowExA` `OpenClipboard` `TrackPopupMenu` `AppendMenuA` `EndPaint` `DestroyWindow` `wsprintfA` `ShowWindow` `SetWindowTextA`
GDI32.dll	`SelectObject` `SetBkMode` `CreateFontIndirectA` `SetTextColor` `DeleteObject` `GetDeviceCaps` `CreateBrushIndirect` `SetBkColor`
SHELL32.dll	`SHGetSpecialFolderLocation` `ShellExecuteExA` `SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `SHFileOperationA`
ADVAPI32.dll	`AdjustTokenPrivileges` `RegCreateKeyExA` `RegOpenKeyExA` `SetFileSecurityA` `OpenProcessToken` `LookupPrivilegeValueA` `RegEnumValueA` `RegDeleteKeyA` `RegDeleteValueA` `RegCloseKey` `RegSetValueExA` `RegQueryValueExA` `RegEnumKeyA`
COMCTL32.dll	`ImageList_Create` `ImageList_AddMasked` `ImageList_Destroy` `#17`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.50665`
MD5	`f00e9d9f29bad0b3f02ccf494a4f3a1f`
SHA1	`57f9c03e30c91d3035c2b658fff178f0e154947f`
SHA256	`7b99f0e5e7a3db2de9f02622f1ac8a0c9599492dd00196b3cb3c2ed15bbde57d`
SHA3	`ac2209893371010acb09ae7f6b8b3f6cb19c857bf9a89f6cfb543f351300bd09`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.16096`
Detected Filetype	Icon file
MD5	`42cf62b780813706e75fb9f2b2e8c258`
SHA1	`a022d5c1cfdd8aace0089f3e72f2eedd41bda464`
SHA256	`a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf`
SHA3	`0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x278`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23256`
MD5	`4aeac72a80c8b874f87719f7ce811ade`
SHA1	`416d955310abff1d20ce61d0e6041b3fbf6a5a20`
SHA256	`6bd409c9fd12d7ac04c20b4b7c9e4b6e44621fc9e8c7646e387072db1ef7a3ea`
SHA3	`28c051e591854730affc26a8ed0e0ad47333117c06933c76854805779503aabf`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x33e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.2992`
MD5	`4b1844ad078c858804c5f578b2c0b3e3`
SHA1	`225c2fea69ed00409cdabfde3ec719fd437b15b8`
SHA256	`084534cc783285750dbf8c5106b55674a13ff630b08869b1cb916451e7313260`
SHA3	`c937912512960b93fc550dbe51e7296b8a574b6e2fcac35903317937aaf97a7b`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	2.3.6.0
ProductVersion	2.3.6.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments
CompanyName	dxdiag
FileDescription	dxdiag Application
FileVersion (#2)	1.0.2.1
LegalCopyright	Copyright dxdiag company
LegalTrademarks	dxdiag company
ProductName	dxdiag

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd246d0e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`159`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!