Manalyze report for 2d9faeaae576894d379c95bcdd48c4ca

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2003-May-20 18:15:00
Detected languages	English - United States
CompanyName	ScanSoft, Inc.
FileDescription	OmniForm Mailable Filler Bootstrapper
FileVersion	`5.1`
InternalName	OMNIBOOT
LegalCopyright	Copyright © ScanSoft, Inc. 1988-2003
OriginalFilename	OMNIBOOT.EXE
ProductName	OmniForm
ProductVersion	`5.1`

Plugin Output

Info	Matching compiler(s):	`Installer VISE Custom` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Info	Interesting strings found in the binary:	`Contains domain names: eomniform.com http://www.eomniform.com http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi http://www.eomniform.com/OF5/nsplugins/OFMailX.cab www.eomniform.com`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: FindWindowA` `Possibly launches other programs: CreateProcessA` `Can create temporary files: CreateFileA GetTempPathA`
Suspicious	The file contains overlay data.	`673663 bytes of data starting at offset 0xc000.` `The overlay data has an entropy of 7.91208 and is possibly compressed or encrypted.` `Overlay data amounts for 93.1999% of the executable.`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`2d9faeaae576894d379c95bcdd48c4ca`
SHA1	`e88420de642f525160875c4563bb9ccf88688e8a`
SHA256	`30a76997de293752461623e8b729614965c620add3db73a5fcfe7a2cca26ce0e`
SHA3	`5b4570b7a9927f955f83223c0330e21e93388200990cd1247a0a41ab6af8882e`
SSDeep	`12288:8+P0zj7rHErYXG2zp4MIO98soIWm3kCCSi6chICHzG+xPM/L/IQCtCLfDG2Y7BdP:Ior0G2N4zOKsoIbBSRzfZoL/I5CLbHYD`
Imports Hash	`cf33793432872ea1bdab1e2964e0a684`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2003-May-20 18:15:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6000`
SizeOfInitializedData	`0xa000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000023FC (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x11000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`89bd5ee69a75579600a1bd48aac673dd`
SHA1	`d8f7bed6b30f77385a0a1cdbed2e3f4e2009449a`
SHA256	`ea0587713c0096614ca5a11f569bc9617939fd0e6b3065591eeaf5eb57868918`
SHA3	`0b15c934383af1c817b71dfed80534af2528bc85ef39097ecfcd3300de852089`
VirtualSize	`0x5c52`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.52281`

.rdata

MD5	`acf4d3b72d11a8b4fa234713c3c2e692`
SHA1	`5a9c0f13afbad78520a43923f350fbd695fd49ee`
SHA256	`0be6f1d4a469bad8d80a19364bc28db427f76efe68ededdaafa33a2878e3ba76`
SHA3	`b46499df1f166832f520d939877669b541fa196de157813338ce153368c8f02e`
VirtualSize	`0x952`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x7000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.68257`

.data

MD5	`f4d3dde87b161dddfeff504402d3f599`
SHA1	`e6e9817b9fb186a6ea0445eff2f2111f9583fdf6`
SHA256	`8bea50f9cf6f7dd6579ebf1492ff7ff086057bc68296a21417a434e3029fe497`
SHA3	`0032beb3f133a1d7a9a8f326495139557241e40448819f0f61b0d510dc057753`
VirtualSize	`0x747c`
VirtualAddress	`0x8000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.5033`

.rsrc

MD5	`b7291230cbdaee1414d73ecc3d04b659`
SHA1	`eb4780a6994e4cf51949fbfd3fb8bec8c5eaed26`
SHA256	`128fb8eb9fd68206f5d2d4ff0f4bd1396aa9f564ddda76199eb1327d58d24ad6`
SHA3	`79d8ca6a93da61e44105d852656bb2cc8088967a2b146c2519245bd3acd91928`
VirtualSize	`0x9a8`
VirtualAddress	`0x10000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.30066`

Imports

KERNEL32.dll	`CloseHandle` `SetFilePointer` `ReadFile` `CreateFileA` `CreateProcessA` `GetTempFileNameA` `GetTempPathA` `GetModuleFileNameA` `DeleteFileA` `Sleep` `GetStringTypeA` `LCMapStringW` `LCMapStringA` `MultiByteToWideChar` `SetEndOfFile` `HeapAlloc` `GetModuleHandleA` `GetStartupInfoA` `GetCommandLineA` `GetVersion` `ExitProcess` `HeapFree` `GetLastError` `WriteFile` `TerminateProcess` `GetCurrentProcess` `SetHandleCount` `GetStdHandle` `GetFileType` `GetEnvironmentVariableA` `GetVersionExA` `HeapDestroy` `HeapCreate` `VirtualFree` `VirtualAlloc` `HeapReAlloc` `UnhandledExceptionFilter` `FreeEnvironmentStringsA` `FreeEnvironmentStringsW` `WideCharToMultiByte` `GetEnvironmentStrings` `GetEnvironmentStringsW` `RtlUnwind` `SetStdHandle` `FlushFileBuffers` `GetCPInfo` `GetACP` `GetOEMCP` `GetProcAddress` `LoadLibraryA` `GetStringTypeW`
USER32.dll	`MessageBeep` `MessageBoxA` `FindWindowA` `LoadStringA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.99482`
MD5	`b495a548e63cbd7c435dd3b289ec9501`
SHA1	`7fcd75f4c7dd2f10945205fd7f2d1654ca6031a0`
SHA256	`c86593d1615508b417cb8d47d2d566465f560884e73dde143ac2ee711bf86a33`
SHA3	`9f6d26a0a11a0661eee678fe2d764282c77957429402e6c377c6bdc851a81678`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.55476`
MD5	`5a65284757adbf13aab793cb2fd763f2`
SHA1	`ab2154bc24e20eabea95f25ba6414a1601b2327d`
SHA256	`1c10872828c879a88a141f7f307688ade22438fc356a07175f343ecb0ccd95e2`
SHA3	`0b9c9306c470c6103a0bc17761d15fc1206251afd21b19d3cc31bed38a7e1cc4`

1 (#2)

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.61267`
MD5	`866d7dc9dc87200bb63a11246090c0cb`
SHA1	`aa28487caa6ef2e1238672848bcc85c688daf079`
SHA256	`0a5c6b6a3779f3bbbd825488533f0fc5527ed86926defb67a2fa8fbba2842e94`
SHA3	`d0b9578a625e3a97c93b089feb7bf43d34c4960e1aaa0a40fbc0331b711cb7d3`

101

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.37086`
Detected Filetype	Icon file
MD5	`d59e0d372ea5fd8c1f4de744376a6af4`
SHA1	`6883ce60e71a83424db0b41d0ab6bf61080e3de2`
SHA256	`b10e28a32eddb2ab20a46ceae59d9c0786911eb20f0c8dd2a28421f226ea2b8b`
SHA3	`5e39df982879204dd9f129a37d1e1c2ff906e88de9ae01b4418db5e8455e7ae1`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x380`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.38826`
MD5	`b776298ca796cc0cfb6221a0e99f7a5f`
SHA1	`e9911049a373238e8d7b866c851b5fa61ba9dcef`
SHA256	`75d5011d38ef52fad34b1c3a5318313c4904a9d7c264eaafc0d74077c5f6b9a2`
SHA3	`d07336ae5c9ed520cd27fca91faa084345f71e6579147521e2f36564451c64cc`

String Table contents

OmniForm Mailable Filler
Failed to launch application.

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.1.0.0
ProductVersion	5.1.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	ScanSoft, Inc.
FileDescription	OmniForm Mailable Filler Bootstrapper
FileVersion (#2)	5.1
InternalName	OMNIBOOT
LegalCopyright	Copyright © ScanSoft, Inc. 1988-2003
OriginalFilename	OMNIBOOT.EXE
ProductName	OmniForm
ProductVersion (#2)	5.1

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xc9c7c9ef`
Unmarked objects	`0`
C++ objects (8047)	`1`
14 (7299)	`14`
C objects (8047)	`55`
19 (9049)	`5`
Total imports	`56`
C objects (VC++ 6.0 SP5 build 8804)	`3`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

2d9faeaae576894d379c95bcdd48c4ca

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

2

1 (#2)

101

1 (#3)

String Table contents

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors