4e55cd8b5066f581cdc61e5b599766d2

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2020-Aug-01 02:45:20
Detected languages English - United States
CompanyName Bernd Schuster
FileDescription W10Privacy Setup
FileVersion 3.6.1.1
LegalCopyright Copyright (C) 2020 Bernd Schuster
ProductName W10Privacy.exe
ProductVersion 3.6.1.1

Plugin Output

Info Interesting strings found in the binary.
Contains domain names:
  • http://nsis.sf.net
  • http://nsis.sf.net/NSIS_Error
  • inkscape.org
  • nsis.sf.net
  • www.inkscape.org
Suspicious The PE is an NSIS installer.
Unusual section name found: .ndata
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegCreateKeyExW
  • RegEnumKeyW
  • RegQueryValueExW
  • RegSetValueExW
  • RegCloseKey
  • RegDeleteValueW
  • RegDeleteKeyW
  • RegOpenKeyExW
  • RegEnumValueW
Possibly launches other programs:
  • CreateProcessW
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Changes object ACLs:
  • SetFileSecurityW
Can shut the system down or lock the screen:
  • ExitWindowsEx
Suspicious The file contains overlay data. 2326850 bytes of data starting at offset 0x39400.
The overlay data has an entropy of 7.99968 and is possibly compressed or encrypted.
Overlay data accounts for 90.8448% of the executable.
Suspicious VirusTotal score: 2/72 (Scanned on 2020-11-21 03:59:35)
  • APEX: Malicious
  • eGambit: Unsafe.AI_Score_94%
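The overlay finding above is the one worth checking by hand, because every other indicator in this block (GetProcAddress/LoadLibraryExW, registry writes, CreateProcessW, ExitWindowsEx, a high-entropy blob after the last section) is exactly what a stock NSIS installer stub looks like: the stub is small and the real payload sits compressed in the overlay. The report's numbers are self-consistent: the overlay starts where the last section's raw data ends (.rsrc PointerToRawData 0x8800 + SizeOfRawData 0x30c00 = 0x39400), and 2326850 / (2326850 + 0x39400) = 90.84%. The script below reproduces that calculation on a constructed miniature PE that mirrors this file's layout (a .ndata section with no raw data, then the overlay). It is an added example, not part of this report or of any tool that produced it; the NSIS first-header marker check (0xDEADBEEF followed by "NullsoftInst") is a known NSIS on-disk signature, and the sample bytes are constructed, not taken from the W10Privacy binary.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "VirtualSize": vsize, "VirtualAddress": vaddr,
            "SizeOfRawData": raw_size, "PointerToRawData": raw_ptr,
        })
    return sections


# NSIS 'firstheader' layout: flags, then 0xDEADBEEF (little-endian) and "NullsoftInst".
NSIS_FIRSTHEADER_MAGIC = b"\xEF\xBE\xAD\xDENullsoftInst"


def overlay_info(pe: bytes) -> dict:
    """Overlay = everything past the highest PointerToRawData + SizeOfRawData.
    Sections without raw data (.ndata here: SizeOfRawData == 0) contribute nothing."""
    end = max(s["PointerToRawData"] + s["SizeOfRawData"] for s in parse_sections(pe))
    overlay = pe[end:]
    return {
        "offset": end,
        "size": len(overlay),
        "percent": 100.0 * len(overlay) / len(pe),
        "entropy": shannon_entropy(overlay),
        "nsis_marker": NSIS_FIRSTHEADER_MAGIC in overlay[:64],
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 (not the W10Privacy file): headers up to 0x400,
    .text at 0x400, a .ndata section with no raw data, .rsrc at 0x600, then the overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),
        (b".ndata", 0x32000, 0x2000, 0, 0, 0xC0000080),       # uninitialised: no bytes on disk
        (b".rsrc", 0x200, 0x34000, 0x200, 0x600, 0x40000040),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    img = bytearray(0x800)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    img[:len(hdr)] = hdr
    img[0x400:0x600] = b"\x90" * 0x200                        # .text filler (constructed)
    img[0x600:0x800] = bytes(range(256)) * 2                  # .rsrc filler (constructed)
    return bytes(img) + overlay


def constructed_overlay() -> bytes:
    """Stand-in for an NSIS data block: firstheader followed by deterministic
    pseudo-random bytes, which is what a compressed payload looks like to an entropy scan."""
    body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    return struct.pack("<I", 0) + NSIS_FIRSTHEADER_MAGIC + struct.pack("<II", 0, len(body)) + body


if __name__ == "__main__":
    info = overlay_info(build_sample_pe(constructed_overlay()))
    print(f"overlay at 0x{info['offset']:x}, {info['size']} bytes ({info['percent']:.2f}%), "
          f"entropy {info['entropy']:.4f}, NSIS marker: {info['nsis_marker']}")
```

Pointing `overlay_info` at a real file (`overlay_info(open(path, "rb").read())`) gives the same three numbers the report shows; an entropy near 8.0 alone does not separate a compressed installer from an encrypted dropper, but a positive NSIS marker at the overlay start says the blob is an NSIS data block that 7-Zip or an NSIS extractor can unpack for inspection.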

Hashes

MD5 4e55cd8b5066f581cdc61e5b599766d2
SHA1 249a34eea68eb025fe8820d76e67630455c90f50
SHA256 4426f3ffba878b8f388a789d6dd0357e01f04908d1ab1c3c4e93eed334859c32
SHA3 413218a5e9137aa7f436acd588cb30bba05b0282c3eb668f88d53940208642fc
SSDeep 49152:VTgyZtLFBlvXbZLDNppJvD220uuad8fAdE/KjU4djbZ4mESLOQYrbA:19ZtLFTPbhN9DHtrdEr4djbZbLOQcbA
Imports Hash 32e718b988ed414154ac679b26716a01
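The imports hash (imphash) is the MD5 of the normalised import list in import-directory order: each entry becomes `dll.function`, lower-cased, with the `.dll`/`.ocx`/`.sys` extension dropped and ordinal-only imports written as `ordN`. Because the NSIS stub's import table is fixed for a given stub build, every installer produced from that stub shares this imphash, so a match identifies the packaging toolchain rather than the payload in the overlay. The block below is an added illustration of the algorithm, not code from this report or from pefile; it runs on a constructed four-entry subset of the Imports section further down and does not reproduce the report's value, which needs the full 165-entry table in on-disk order. pefile additionally resolves ordinals to names for ws2_32/wsock32/oleaut32 through a built-in table, which is left out here.

```python
import hashlib
from typing import Iterable, Tuple, Union

# (DLL as named in the import directory, function name or bare ordinal)
ImportEntry = Tuple[str, Union[str, int]]


def normalize_import(dll: str, func: Union[str, int]) -> str:
    """One 'dll.function' token: lower-case, module extension stripped only for
    .dll/.ocx/.sys, ordinal imports rendered as 'ordN'."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        lib = base
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """Comma-joined tokens in import-directory order; this string is what gets hashed,
    so the same imports in a different order yield a different imphash."""
    return ",".join(normalize_import(dll, func) for dll, func in imports)


def imphash(imports: Iterable[ImportEntry]) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed subset of this file's import table (first ADVAPI32 entry, the COMCTL32
# ordinal import, two KERNEL32 entries); not the full table the report hashed.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", "RegCreateKeyExW"),
    ("COMCTL32.dll", 17),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryExW"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

When hunting with an imphash, pair it with something that covers the overlay (the overlay's own hash, or a hash of the extracted NSIS script), since the stub hash is the same for benign and malicious NSIS packages alike.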

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2020-Aug-01 02:45:20
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x6800
SizeOfInitializedData 0x2da00
SizeOfUninitializedData 0x800
AddressOfEntryPoint 0x000034C5 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 6.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x99000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c25464d6f87775ef687d2492f92ddf9a
SHA1 a677494d25d0faa3f930f79fe685b6774b6feaf0
SHA256 7cd9eab4e0c35d904dd9fdca813e73bba62713fc55086eac92f6c56b6c13e212
SHA3 2ce9c6eb931ca624729d77e94366d66496816debbb223f27496435073a2b8212
VirtualSize 0x6793
VirtualAddress 0x1000
SizeOfRawData 0x6800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.49526

.rdata

MD5 e36c6ad0568cd039e0c7810069438d6d
SHA1 0ca0cae5907009d274e5ca8d2b8eefd8e643ff2d
SHA256 8b7d535a3db9a53d02e8cba28e222eeaae8a5aac62d11f51854101e1c4cc1c61
SHA3 8009d1268b62023d44fd330df8b3ea1d0ec327a91b7e4c228754428b81a385fd
VirtualSize 0x14a4
VirtualAddress 0x8000
SizeOfRawData 0x1600
PointerToRawData 0x6c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.01371

.data

MD5 33b1d611a00420c98fa82231feaa907b
SHA1 559f9ae22605a5313910c57a5f60f3475281844c
SHA256 21ecd588acec5d27e9de9512929025603efc3aa4b79d0dd3825c5b1f01a78221
SHA3 3f9f6ebfa6ebf3214776578445f381ff49b9462a51230c13d5ad110559b43f7f
VirtualSize 0x2b018
VirtualAddress 0xa000
SizeOfRawData 0x600
PointerToRawData 0x8200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.15558

.ndata

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x32000
VirtualAddress 0x36000
SizeOfRawData 0
PointerToRawData 0
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 cab75bd22e3399627f289cd8f5b40e1d
SHA1 39c073e53ac10a743541f924f4c93075e5a76747
SHA256 5c008de807372a15965f2c0d622c4529490b33cef046e25cc35c346cdbd0ceae
SHA3 a8d4b5d3209b9259b16172ced9fa25ffb06e68d0c704e2cdf6fb74ef167d5a8e
VirtualSize 0x30b70
VirtualAddress 0x68000
SizeOfRawData 0x30c00
PointerToRawData 0x8800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.06843

Imports

ADVAPI32.dll RegCreateKeyExW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
RegOpenKeyExW
RegEnumValueW
SHELL32.dll SHGetSpecialFolderLocation
SHFileOperationW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
SHGetFileInfoW
ole32.dll OleInitialize
OleUninitialize
CoCreateInstance
IIDFromString
CoTaskMemFree
COMCTL32.dll #17
ImageList_Create
ImageList_Destroy
ImageList_AddMasked
USER32.dll GetClientRect
EndPaint
DrawTextW
IsWindowEnabled
DispatchMessageW
wsprintfA
CharNextA
CharPrevW
MessageBoxIndirectW
GetDlgItemTextW
SetDlgItemTextW
GetSystemMetrics
FillRect
AppendMenuW
TrackPopupMenu
OpenClipboard
SetClipboardData
CloseClipboard
IsWindowVisible
CallWindowProcW
GetMessagePos
CheckDlgButton
LoadCursorW
SetCursor
GetWindowLongW
GetSysColor
SetWindowPos
PeekMessageW
SetClassLongW
GetSystemMenu
EnableMenuItem
GetWindowRect
ScreenToClient
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
FindWindowExW
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
EmptyClipboard
CreatePopupMenu
GDI32.dll SetBkMode
SetBkColor
GetDeviceCaps
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
SetTextColor
SelectObject
KERNEL32.dll GetExitCodeProcess
WaitForSingleObject
GetModuleHandleA
GetProcAddress
GetSystemDirectoryW
lstrcatW
Sleep
lstrcpyA
WriteFile
GetTempFileNameW
CreateFileW
lstrcmpiA
RemoveDirectoryW
CreateProcessW
CreateDirectoryW
GetLastError
CreateThread
GlobalLock
GlobalUnlock
GetDiskFreeSpaceW
WideCharToMultiByte
lstrcpynW
lstrlenW
SetErrorMode
GetVersion
GetCommandLineW
GetTempPathW
GetWindowsDirectoryW
SetEnvironmentVariableW
ExitProcess
CopyFileW
GetCurrentProcess
GetModuleFileNameW
GetFileSize
GetTickCount
MulDiv
SetFileAttributesW
GetFileAttributesW
SetCurrentDirectoryW
MoveFileW
GetFullPathNameW
GetShortPathNameW
SearchPathW
CompareFileTime
SetFileTime
CloseHandle
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalFree
GlobalAlloc
GetModuleHandleW
LoadLibraryExW
MoveFileExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
lstrlenA
MultiByteToWideChar
ReadFile
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW

Delayed Imports

110

Type RT_BITMAP
Language English - United States
Codepage UNKNOWN
Size 0x666
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.82633
MD5 b6bf70baab40fe438feff063bfb9ff6f
SHA1 7d4659d43e08d368ddacd31945872461c0b06253
SHA256 0e90a9e4b8f3a5bf990e8aadfd8096ad7aeaf1a4e032ac7b6395ce191d61c142
SHA3 cab98fabaf20118d9a8a4d2bcff4383a7291a0e04ff11a8690e71eed619c75e7

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.41892
MD5 8ce23dc5c8bfbdce92e551efa9cb1873
SHA1 8200e5347221372b204d1dda49e9333e7d81ff7a
SHA256 dc170a305cc0ccfa2bb1cadc595eeb7b7ccf41b5dc61318c5417f6130d00e32c
SHA3 042aaa36b915a687ecce26b613b09157a5459c22d3e1fb45a7fa132864ac0ad6

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x94a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.55833
MD5 6e5fead4906ce11feda86376d0adc15b
SHA1 14bca2e836ea136ee2c0ec3f27280595a3ef5bfd
SHA256 97984abc98a0cd05a931bff89d157bba11f84040a2846a153cc77dae4a72b066
SHA3 4863f83cd81ce265288ebf6c81d1ecf213c9616a79715875994a27175133aa9b

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x7974
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.96781
Detected Filetype PNG graphic file
MD5 32a6e28f8a6e614537bc2305f6076e48
SHA1 9387515acf0a71eed1d21218dfc454362ea6d2d6
SHA256 768225a9ffdbe0c02b9324846252f0c4fa91a955ddd00c4036f2c067211198f3
SHA3 7402dd4c56995ba049576088b8605fa19d818a8e18fa0168f8900e4428a9ed46

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x5488
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.50199
MD5 973eb01e8966580a355047377ed9f7a3
SHA1 b65defea771cf9ae91b4d5ea16b25bece7b58766
SHA256 1e30fc0754f256573df535c52edb8c082eba02a49629f7ea88f0929c5233fe27
SHA3 c200db6bb50a7915bfd8fcf7a69df3e1e7cf06da1a9b41b41f6ad687bcb09a4d

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x4228
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.44634
MD5 101c4c1db53e301e8a36c633395dfc56
SHA1 8c5c5c32a4cd701462e64206cfddd19adcb4a784
SHA256 9619bd754375201841e928c241f7d73defb75f1941b0467bc56c19b2fa8a29d6
SHA3 77f42bd9ee2c9a659dda2c818b383fe684fba6b315e1416735976bdcb0f8887b

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.54554
MD5 0e442652e746bfee2503a03b386cde0c
SHA1 3d171ff5f6c4161409454da0cc7f71d10c1c8157
SHA256 e7e775fedc4119541a40ad075d46f8b4c6597405c566ddf25608763070421af2
SHA3 4054f0bde0103d2b7950853f09e1a0f5c6095622cdd685d02f532f6b3bdc60ca

7

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.54921
MD5 600cbca1dd381a6f2c55a9c83ec17b93
SHA1 4d28238560f351fc7e31da27e7af2d9b83ea26a8
SHA256 b82d88b8d83a2d5b0617fb25488bf8bb916586fc983cf6a14201c47eddc1eac2
SHA3 b48885dc67ffd4c16286be08d6e5146a317821bcb33ee0fa707dc06eff938d50

8

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.72011
MD5 764b093756b975dbd689206079f79dd9
SHA1 9baff9651c5a3bd4c7ddc768fa208bbefe112be5
SHA256 86154eecbdf03f6e00b5e6a09d5c27fb29716a9e1cbf7cf6765a1a915c7ae59c
SHA3 dba99cac18c16517edcb3d48f30ed8dd44d33e2734daed237a7e3371b6206c48

9

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.70462
MD5 b51daa436b1e19d4c974aba1c226077a
SHA1 bfd9d688ee8a8ac6ecf188b32721475998cc08fc
SHA256 208ff28f950333d1bbc7d54163ffc59cd4645fdbfb1d0038fe9d640ea24f03f1
SHA3 75b399c3a46b011e998c39f17f3a9c993f6ad2a4c66c14e7b4308cb59bd59715

102

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xb4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.71813
MD5 a69caf66f3f899403f8b25b02dc61908
SHA1 3e5db9186cf0f75be24676462d88170e5950d9c8
SHA256 7854e8d67a11148566ad37c5d23e1534e0990fe31a160e0e7da3ca751830bb50
SHA3 1eea945e3712b317143e07560f54b0b9a13b1fd6c2b57cab9176181a9aaf4f79

103

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x120
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.56193
MD5 db6dd0434da4d7cac564518725167e09
SHA1 a65a1367d7cd96450f089a8f8108239bbcea9f5b
SHA256 c50631fc1f8425a95fd1edcc8e730d339e193a38f18d42372c32847a5ad2c016
SHA3 4e3be5455c51e1cb04836e318cb69ecdffd2deadd0f338d4bc985d8f5ca653ff

104

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x118
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.65946
MD5 2000509765223fff4a8221925db89b0b
SHA1 a45e28aa820f8673bb42b668a32dcebe5378249d
SHA256 9dbe7e3450b80b2c3727d80f42af8c4066623f6320b74ce0efbc81c618c9a0b4
SHA3 45470481ab29e521fc06e9e3f41674bd9e62f11181ef475a6e46efee741a3351

105

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x202
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.73893
MD5 386770584473e271f23dced36427f4ff
SHA1 d14ce95f784b35e4e3ebee535476ebcd3e380c19
SHA256 425b8270f7ca42a927eae6bea468acf414a3e4b58b5ba2c56aaae4d1b2c11014
SHA3 db13e5969376b27e8443eebff685230e2b74685aeb2fba73973f06e5cddc8662

106

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xf8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.91148
MD5 fa83652660409e90e0db9731ad2adb17
SHA1 0a8f0af67723c87fe26ccf676b8e19ec6357b4dc
SHA256 4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4
SHA3 5b3e1cb25be7a2dbae4f08f0d4794ed23dbd6ea37a3f9702be12dba588f42a7b

107

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xa0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.52183
MD5 6ffba239dcfcab2080195f23947b70aa
SHA1 bcda1ca8ee9bb9878bde83aa06c670bb5a4d5843
SHA256 a7e5ea849cb343e9b58de221aeb25c9dd4a3748070bfba879a30c4265fc39023
SHA3 a75544b4c3fcbcb32fe4e02d1a631e045b2e58516aa1065bb96cce681aea7030

111

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xee
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.89887
MD5 663040d6315b1d6ce8c0334d182ed8fc
SHA1 ebcfff801a12fb8ad1200a4526fca8bd2c3e96cf
SHA256 cb3c86cbcb579244a6f819f9c1807a7e89b6e600982ec6ea0841fcdcb16a9efd
SHA3 6a25a2cb16aeb17693f10e8aaa0245c701701db571b458fde7830291a4a01cfc

103 (#2)

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x84
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.03466
Detected Filetype Icon file
MD5 000424e8c717f8cd4326b5c78bd7fad9
SHA1 8ebe687d8ec7837b727695f44331d5d8654da115
SHA256 83591c52f0fa8fc7ec218236fcefbec94770708d62e8316ed437210fb67032b8
SHA3 77afe9c9585df2a2bcc4e8b08dac8e706fffdf9c88b997431eb329142bcc8a05

1 (#2)

Type RT_VERSION
Language UNKNOWN
Codepage UNKNOWN
Size 0x274
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.3442
MD5 78ef8f1674f6c6ba6ba2572eb5beb960
SHA1 a141c3d06fe3ec741beb12c4397c870bcc45361a
SHA256 42ebc35a3daadfbad28e8c60e395f20aa0ce57d0cbd1b0ddfbc995113c874887
SHA3 9e38896a57e0f96fd9e64af9adf48ca88cb8850e309edcfce1004c555c876422

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x4ee
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.28077
MD5 699bf8d7e811b21dde1faf0946b55ec1
SHA1 16beb27e45a7109854124b2c505e7644ec53e9a2
SHA256 e585b7e8cebd2f86590a456a66ac8d911b4aec05cb6bed118f9498d502a92eb6
SHA3 7f3fa5b80dc9a04d0e328c2b7ecab54e5ee9365c0c47f9fe6053afaadba7e10b

Version Info

Signature 0xfeef04bd
StructVersion 0
FileVersion 3.6.1.1
ProductVersion 3.6.1.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
CompanyName Bernd Schuster
FileDescription W10Privacy Setup
FileVersion (#2) 3.6.1.1
LegalCopyright Copyright (C) 2020 Bernd Schuster
ProductName W10Privacy.exe
ProductVersion (#2) 3.6.1.1
Resource LangID UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xd26650e9
Unmarked objects 0
C objects (VS2003 (.NET) build 4035) 2
Total imports 165
Imports (VS2003 (.NET) build 4035) 15
48 (9044) 10
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Section .ndata has a size of 0! (Expected for an NSIS installer: .ndata is flagged IMAGE_SCN_CNT_UNINITIALIZED_DATA with SizeOfRawData 0, so it occupies 0x32000 bytes in memory but nothing on disk.)