Manalyze report for 44aee97a98d5b7db5326bb734ff246c4

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Aug-04 08:30:15

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegCloseKey`
Suspicious	VirusTotal score: 2/66 (Scanned on 2018-08-19 08:53:43)	`Cylance: Unsafe` `Paloalto: generic.ml`

Hashes

MD5	`44aee97a98d5b7db5326bb734ff246c4`
SHA1	`0125548e3d4e445f57d3a6ead4f59df326e83325`
SHA256	`d9ef6fa3fab8fa4753a7b94fb78e126d23b8be804b75c60db06950dd1e6a5f4c`
SHA3	`9b4e080ecebc803f71df150829030b8069e197930dbd967d0e6134ccfc2c7fe7`
SSDeep	`12288:zKbEYJHQ1FJl0milUQo+D4bgsXlS92390jp5BhNYZ9bksXGi7:zyEoQ1FJmmil/o+Ow0+dzIbkC7`
Imports Hash	`b9479a3ecbe4498cd7b4466de7a7a89b`

DOS Header

e_magic	`MZ`
e_cblp	`0x50`
e_cp	`0x2`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0xf`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0x1a`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2017-Aug-04 08:30:15
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_BYTES_REVERSED_HI` `IMAGE_FILE_BYTES_REVERSED_LO` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0xa7000`
SizeOfInitializedData	`0x6000`
SizeOfUninitializedData	`0x282000`
AddressOfEntryPoint	`0x00329C30 (Section: UPX1)`
BaseOfCode	`0x283000`
BaseOfData	`0x32a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x330000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x282000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`9244d27fbb49e0ff48457174b582ff01`
SHA1	`5345de1105b2010d37a35ab32e2b00108cf89c45`
SHA256	`24ec3342a1766de1ae9e70456372fe2f1a093f390544780d7af8a6376fbb5c40`
SHA3	`624b36eef4d50a3b86d39be03f3a7b8eb5ab35625ff2d3285f7caecc33cf4f03`
VirtualSize	`0xa7000`
VirtualAddress	`0x283000`
SizeOfRawData	`0xa7000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.92427`

.rsrc

MD5	`2d33ad81a2d42b78250e1ba4ef70fd37`
SHA1	`73679b38f3d61d628179032f0660b6cc1e8430df`
SHA256	`b4b40922c3016f40af3796539733132f4a12d15dcf484887bc5c34350a0f2efc`
SHA3	`676419c073d0995fc119b42db4fb103037416cbecc1aa4ceeeb89ff7ac74f84f`
VirtualSize	`0x6000`
VirtualAddress	`0x32a000`
SizeOfRawData	`0x5600`
PointerToRawData	`0xa7400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.15923`

Imports

advapi32.dll	`RegCloseKey`
comctl32.dll	`ImageList_Add`
gdi32.dll	`Pie`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
ole32.dll	`OleDraw`
oleaut32.dll	`VariantCopy`
shell32.dll	`SHFileOperationW`
user32.dll	`GetDC`
version.dll	`VerQueryValueW`
winspool.drv	`OpenPrinterW`

Delayed Imports

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Could not read the Delay-Load Directory Table!
[!] Error: Could not read the IMAGE_EXPORT_DIRECTORY.
[*] Warning: Section UPX0 has a size of 0!