Manalyze report for 47ff74fecc716c714a74ee8f446535c1

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Jun-18 21:33:27
Detected languages	English - United States

Plugin Output

Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryExA GetProcAddress` `Can access the registry: RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`47ff74fecc716c714a74ee8f446535c1`
SHA1	`5d1eec90cc5901374286789d39a0f9cc86fdc63a`
SHA256	`a069c952491cd69d60ee655eac188cd896834b1c7d219cd500e087c63006c4e0`
SHA3	`5296af267f86aa2deed62fbe7988c23407933bc349b80d966bd29b7b14c6c8fa`
SSDeep	`12288:otale6ih4CsQrfY2kf0ZDzj8uhcX36zyLbR:otaALh4CrDYel3tA3tbR`
Imports Hash	`d9e6a5e6bae798e211941a3a501049ea`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2009-Jun-18 21:33:27
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5c00`
SizeOfInitializedData	`0x1b200`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x00003291 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x30000`
SizeOfHeaders	`0x400`
Checksum	`0xe1c40`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7ebfade271f75cb4c180603ab653af42`
SHA1	`45720e3559680fe044efceba32f55e60ed85f918`
SHA256	`a6ab680140aecaadf23ef0aa656b87d44f738731567466f4e7140d78766bc039`
SHA3	`d05038f2d5637acf6d026dd4976d9aef60c159f5a6c529942a9367a40f59389e`
VirtualSize	`0x5bc0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.47639`

.rdata

MD5	`9d6e96915262c9d1129a16fa0b02a19a`
SHA1	`e46950b3424baeebebe8ab21b9f9674839c38bd6`
SHA256	`596b7a12a2debc3020218588a771f9bfed17ecf4fa105132e5a5a81ea395dcbc`
SHA3	`6aa051a51353ad192795522de21ac4f7d58d52fa251d464b6ce4efcd14669f85`
VirtualSize	`0x1190`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.18129`

.data

MD5	`dbf10679c897d0edeee280fffdad552f`
SHA1	`f257e37a5d8648d6123cef40868059ee78a136b9`
SHA256	`fa886ca8ff5e90e3b059a98202b163a66be4dca53641d0cb5e0e0702e9ac7fde`
SHA3	`427034ded21fc36e883ea850a581d755ed52ca6cf6e1140edefb705c3ca57a67`
VirtualSize	`0x1af78`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.72275`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xa000`
VirtualAddress	`0x24000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`638d6bdb04c7ac795db39307182642b9`
SHA1	`56b3a807251cc40dea7fdf7ba5b5b2f7152ca488`
SHA256	`105d26041ad3b238c8f35bcd542890e2fcb0f72ae62189f81c7de6b72d966627`
SHA3	`2e2ef18576d1843d29f7ca528c722d0b704cce9333550791be8fb5d18fcc99c7`
VirtualSize	`0x1ff3`
VirtualAddress	`0x2e000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x7600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.72282`

Imports

KERNEL32.dll	`CompareFileTime` `SearchPathA` `GetShortPathNameA` `GetFullPathNameA` `MoveFileA` `SetCurrentDirectoryA` `GetFileAttributesA` `GetLastError` `CreateDirectoryA` `SetFileAttributesA` `Sleep` `GetTickCount` `CreateFileA` `GetFileSize` `GetModuleFileNameA` `GetCurrentProcess` `CopyFileA` `ExitProcess` `SetFileTime` `GetTempPathA` `GetCommandLineA` `SetErrorMode` `LoadLibraryA` `lstrcpynA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `CreateProcessA` `RemoveDirectoryA` `GetTempFileNameA` `lstrlenA` `lstrcatA` `GetSystemDirectoryA` `GetVersion` `CloseHandle` `lstrcmpiA` `lstrcmpA` `ExpandEnvironmentStringsA` `GlobalFree` `GlobalAlloc` `WaitForSingleObject` `GetExitCodeProcess` `GetModuleHandleA` `LoadLibraryExA` `GetProcAddress` `FreeLibrary` `MultiByteToWideChar` `WritePrivateProfileStringA` `GetPrivateProfileStringA` `WriteFile` `ReadFile` `MulDiv` `SetFilePointer` `FindClose` `FindNextFileA` `FindFirstFileA` `DeleteFileA` `GetWindowsDirectoryA`
USER32.dll	`EndDialog` `ScreenToClient` `GetWindowRect` `EnableMenuItem` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `RegisterClassA` `TrackPopupMenu` `AppendMenuA` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `DestroyWindow` `CreateDialogParamA` `SetTimer` `SetWindowTextA` `PostQuitMessage` `SetForegroundWindow` `wsprintfA` `SendMessageTimeoutA` `FindWindowExA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `OpenClipboard` `ExitWindowsEx` `IsWindow` `GetDlgItem` `SetWindowLongA` `LoadImageA` `GetDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndPaint` `ShowWindow`
GDI32.dll	`SetBkColor` `GetDeviceCaps` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectA` `SetBkMode` `SetTextColor` `SelectObject`
SHELL32.dll	`SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA` `SHGetSpecialFolderLocation`
ADVAPI32.dll	`RegQueryValueExA` `RegSetValueExA` `RegEnumKeyA` `RegEnumValueA` `RegOpenKeyExA` `RegDeleteKeyA` `RegDeleteValueA` `RegCloseKey` `RegCreateKeyExA`
COMCTL32.dll	`ImageList_AddMasked` `ImageList_Destroy` `#17` `ImageList_Create`
ole32.dll	`CoTaskMemFree` `OleInitialize` `OleUninitialize` `CoCreateInstance`
VERSION.dll	`GetFileVersionInfoSizeA` `GetFileVersionInfoA` `VerQueryValueA`

Delayed Imports

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`28f8d082df931688124f25f23c688904`
SHA1	`2f057655ecdd3ab25cfe985714e270786ce16cae`
SHA256	`4e7a8c59942ff527ff680aa88cc66bb8c8e7b6c02a018bc85ba36794e278670f`
SHA3	`99f004163a598b6df87372bd9b7d5e7704dbfdf7cfb3ec96da9e31c0275f7465`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`a42b23f1c58701e073db2e9de0b27333`
SHA1	`f22232cbadff165ceb212527a6d77124312d0688`
SHA256	`e253c6a87bdd62e771c0ef1b9850dbc9523c51408ca282f994d3530dbbad9b11`
SHA3	`bc93a26ac3218cac12b89fa3242b509e44b087d2c22a54d9a47c63692dc8dc57`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`7e1b34650fb04bc15a494a1d712cffee`
SHA1	`43e1808e4308baf093556946552f4fabc05278d8`
SHA256	`3731b0a75ab19d96b774da62d37eccacd517c6593af20aa66525dc0b951cdba9`
SHA3	`79a9c096a1a56ae4f98f1e8ad4c44fa5c08e5d98e745898df9031e3b3a13c46c`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`809457c05fe696f5d34ac5ac8768cdd4`
SHA1	`a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9`
SHA256	`1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be`
SHA3	`002d1b10f28d74c7572fc7c5b403eb32f2a0540c4958d7878ef67edfd17c8109`

7

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`982079681d7ad12766abc44f06946f3e`
SHA1	`50f73ed0787bf5911bb907e487efbc84a9714e48`
SHA256	`250f52cb2d6f1966a29f6ac771fa1cd185b8f8531396c8a4026c0fe635617e0c`
SHA3	`b8805d45012d79cfa8bb45e23c9b4a4421cd91538d569e58437efa0f545cf4d4`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1ee`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.68733`
MD5	`c0c4f9be63c9d286b8d1265977ac9d86`
SHA1	`f9c0d915ded3ea188f342d0e5341e67701eed813`
SHA256	`349420ba5b5de0b0081e96a686c826e0f409f2f3413f2e9fb7e6f71cb544c325`
SHA3	`dce55e6d53e014b0786bba9e4f6c7d81ed0c04fde8279c3b54f7c2f5a9fe121a`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xe4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.86626`
MD5	`8c69d2c81dd2d9050d0fa94df90ff16b`
SHA1	`cd71d904da747d7141e5abdde9363f7e240b26bd`
SHA256	`1a39a3aabdee2aa68c507c55ff37c38722b05b7f8bde66185a2462792381d8cd`
SHA3	`b80b33ab6bf40b07bc32c7a6a11831084f7c97a27dff86d576769d0aab14b979`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xda`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.9304`
MD5	`2497a44fff8b76b5129662b60a617c85`
SHA1	`f73bd7c9caa4c1f7a0e4840d69b0accdc6d167a0`
SHA256	`a10617b39293152a65ad5c91ca4f35135845c7b785e3a582e58f6c8229045b85`
SHA3	`aaf1dc708c305944a11a7180ef5ee2c8f722c3dd6d4bf91e0ae0f6c2b1a331ca`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3b3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.22401`
MD5	`e1933884e2394394b45eced1f68b46c7`
SHA1	`06b576318cc534d2ad15e0911f2f00355fc40f2f`
SHA256	`2ad2f5b517dbf833f26777d6524686c94317530ba2b1b5034806eafe319731a9`
SHA3	`6671129f1e4d58a6c5331df9f823e6d3170bd555917b9b0e1fb6f5f3444a1dcd`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd1dd2975`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`155`
Imports (VS2003 (.NET) build 4035)	`17`
C objects (VS98 build 8168)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Could not read a WIN_CERTIFICATE's header.
[*] Warning: Section .ndata has a size of 0!