Manalyze report for 2d4bd605261d7759c56aa6865b5d5566

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-Jan-11 23:57:05
Detected languages	English - United States
FileVersion	`1.0.0.17`
ProductVersion	`1.0.0.17`
FileDescription	Kaspersky Uninstall, Teamviewer Install
CompanyName	SAR Elektronic GmbH
LegalCopyright	tw/sar
ProductName	TV_install_exe

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe` `Contains domain names: command.com`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Possibly launches other programs: CreateProcessA` `Can create temporary files: GetTempPathA CreateFileA` `Enumerates local disk drives: GetVolumeInformationA`
Suspicious	The file contains overlay data.	`15631 bytes of data starting at offset 0x13000.`
Malicious	The program tries to mislead users about its origins.	`The PE pretends to be from Kaspersky but is not signed!`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`2d4bd605261d7759c56aa6865b5d5566`
SHA1	`153452544d1a46ddd4ec35e5f42f57424359962f`
SHA256	`35c2601f88ce2076befe321b0506253d85148d8f0df68990eda7b8ba5544fb50`
SHA3	`a0148bdcbb6a4eb0bc41c4688bd2d9feb73284911a38e96f5e6fd78a0abb7f1d`
SSDeep	`1536:a5tZELzzSaA1CyR7VbgvS5aL7tqWf/oCR8zT6sPDBD:iZYzzFA1CK7VR5KQWf/oM8zT6sPDBD`
Imports Hash	`33eef13e76e92bef87ed69dad887bc43`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2017-Jan-11 23:57:05
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0xe000`
SizeOfInitializedData	`0x4000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007BE6 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xf000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xb12000`
SizeOfHeaders	`0x1000`
Checksum	`0x19a63`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`2456a56ef8531eef4b9ab47b3045fc86`
SHA1	`896a32bd772ef1ef8c34ec11d1b25a0fc019ba97`
SHA256	`0542722421efc4b624d18f641872928abacc88f927b397141fbbc1f069acc654`
SHA3	`e000d41fbc2c68182e44d197f1d1f864506ab0d2a62d6864177752c4333f3a54`
VirtualSize	`0xd776`
VirtualAddress	`0x1000`
SizeOfRawData	`0xe000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.34443`

.rdata

MD5	`08a485a24409b8d5438f1115f20b693c`
SHA1	`0359e99e79f2e893db26d7b6ccfac624ed127757`
SHA256	`df6c27507de5d554e8ab251ca65823422e089e4085f295d6d600c5829c7c3731`
SHA3	`f4f641962abeddba6eff01c531eef915d91f4b5783c2d7ca686b9302dc3177b4`
VirtualSize	`0xb84`
VirtualAddress	`0xf000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xf000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.32386`

.data

MD5	`0b814d8094fa0f06d9846307211580aa`
SHA1	`daafb3db87196524fb7812d2bb13618941526d0b`
SHA256	`20d984e65ca2b58800f4d04a957d1466498270d08e95b85cd46b1f867225e7e5`
SHA3	`862e3a48ceac5b0406af4c740c728260cff5cc71d1d0799ff3dce5b48f75be40`
VirtualSize	`0xb00ed8`
VirtualAddress	`0x10000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.52283`

.rsrc

MD5	`ce961f3beaa54cbab19576371ee55c35`
SHA1	`59d08954374c0863c6bb57159614739f852f872f`
SHA256	`f5259ced50b72edf3a3a91bd0e0042855a01dc769eadcc0d8ca84a7988f15a9c`
SHA3	`6a486770e159011adf676cb5df3ec66478df6cb11d48f8e5200af596e3eee68c`
VirtualSize	`0x634`
VirtualAddress	`0xb11000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x12000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.41043`

Imports

KERNEL32.dll	`GetTempPathA` `GetModuleFileNameA` `GetStdHandle` `Sleep` `SetConsoleCursorInfo` `SetConsoleCursorPosition` `SetConsoleTextAttribute` `GetTickCount` `GetVolumeInformationA` `GetConsoleMode` `ExitProcess` `TerminateProcess` `GetCurrentProcess` `GetCommandLineA` `GetVersion` `SetHandleCount` `GetFileType` `GetStartupInfoA` `GetLastError` `ReadFile` `SetFilePointer` `HeapFree` `CloseHandle` `GetFileAttributesA` `GetProcAddress` `GetModuleHandleA` `WriteFile` `UnhandledExceptionFilter` `FreeEnvironmentStringsA` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetEnvironmentStrings` `GetEnvironmentStringsW` `HeapDestroy` `HeapCreate` `VirtualFree` `RtlUnwind` `HeapAlloc` `SetStdHandle` `FlushFileBuffers` `VirtualAlloc` `HeapReAlloc` `CreateFileA` `GetExitCodeProcess` `WaitForSingleObject` `CreateProcessA` `MultiByteToWideChar` `GetStringTypeA` `GetStringTypeW` `GetCPInfo` `GetACP` `GetOEMCP` `LoadLibraryA` `SetEndOfFile` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA` `LCMapStringA` `LCMapStringW` `WriteConsoleA` `ReadConsoleInputA` `SetConsoleMode`
WINMM.dll	`timeGetTime`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x280`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.36195`
MD5	`718a2dc1206d13c35a852183aec2b17f`
SHA1	`5b45bc5d987199490bdad7564074686e7fae80bc`
SHA256	`b290f60c3076af7ee707b47b413ed821369272ddb1b9d3c67a3349ad30afead7`
SHA3	`57f8ee9e82fa831e299263adf9e57c424ad659e82e05ba725ebb9b5d0dfb2e07`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x312`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.99409`
MD5	`e156a19b13e1251c5d71dff35d6b8ffa`
SHA1	`55b13b71107d69d1005ffac99562c83f2861d5b0`
SHA256	`b662bae58577fa99796a324987e2544cd5f8921d912f8ff208b25e38b864200c`
SHA3	`81b91c4dcef00042153a725f9d91ad9425a1372eb7a3bbdee4d05049cb43f469`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.17
ProductVersion	1.0.0.17
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	UNKNOWN
FileVersion (#2)	1.0.0.17
ProductVersion (#2)	1.0.0.17
FileDescription	Kaspersky Uninstall, Teamviewer Install
CompanyName	SAR Elektronic GmbH
LegalCopyright	tw/sar
ProductName	TV_install_exe

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x99506f88`
Unmarked objects	`0`
12 (7291)	`2`
C++ objects (VS98 build 8168)	`1`
14 (7299)	`15`
19 (8034)	`5`
Total imports	`66`
C objects (VS98 build 8168)	`95`
Resource objects (VS98 cvtres build 1720)	`1`

2d4bd605261d7759c56aa6865b5d5566

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors