Manalyze report for 52af7649ae5fa8101d7a0f010f54443b

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2012-Mar-08 15:59:48
Detected languages	English - United States French - France
Debug artifacts	C:\Projets\vbsedit_source\script2exe\Release\mywscript.pdb
FileVersion	`1, 0, 0, 0`
ProductVersion	`1, 0, 0, 0`
LegalCopyright	Copyright (C) 2018
FileDescription
ProductName	NisWatchII

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW LoadLibraryW LoadLibraryA GetProcAddress` `Can access the registry: RegSetValueExW RegEnumKeyW RegDeleteKeyW RegQueryValueW RegOpenKeyW RegCreateKeyExW RegCloseKey RegQueryValueExW RegEnumKeyExW RegOpenKeyExW` `Uses functions commonly found in keyloggers: CallNextHookEx GetForegroundWindow` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Enumerates local disk drives: GetVolumeInformationW`
Info	The PE's resources present abnormal characteristics.	`Resource 129 is possibly compressed or encrypted.`
Malicious	VirusTotal score: 25/71 (Scanned on 2019-11-01 18:33:35)	`VBA32: TrojanDropper.MSIL.Agent` `CrowdStrike: win/malicious_confidence_60% (W)` `Invincea: heuristic` `ClamAV: Win.Malware.Dexel-6910198-0` `Kaspersky: Trojan.Win32.Agent.xaaimm` `NANO-Antivirus: Trojan.Win32.Dapato.cqtyqs` `Paloalto: generic.ml` `Sophos: Mal/Generic-S` `Comodo: TrojWare.Win32.TrojanDropper.Dexel.A@6k1yft` `Zillya: Dropper.Agent.Win32.104010` `CMC: Trojan-Downloader.Win32.Gamarue.2!O` `SentinelOne: DFI - Suspicious PE` `Cyren: W32/Trojan.ORZX-4617` `eGambit: Trojan.Generic` `Microsoft: Trojan:Win32/Zpevdo.B` `AegisLab: Trojan.Win32.Generic.4!c` `ZoneAlarm: Trojan.Win32.Agent.xaaimm` `AhnLab-V3: Malware/Win32.Generic.C3278571` `Zoner: Trojan.Win32.34274` `Rising: Trojan.Generic@ML.100 (RDML:mkkSB5BIiRBNb801CO6/ew)` `Yandex: Trojan.Agent!4xFGLKGgIf4` `BitDefenderTheta: Gen:NN.ZexaE.31176.su0@aWohjOom` `AVG: FileRepMalware` `Cybereason: malicious.15259f` `Qihoo-360: Win32/Trojan.IM.3d2`

Hashes

MD5	`52af7649ae5fa8101d7a0f010f54443b`
SHA1	`ce879ab15259fb1a40e36b4231a9ed28c4194fa6`
SHA256	`eed79e2a580045d1be557b4bfdd91d7ee118ce1d8596184ca7ee978a6cc552f4`
SHA3	`cd16daf8f960088850b05613bf73d9c3c66ad532ff978ba216d966e2a693e539`
SSDeep	`6144:17v2qpIYih+xyrQrVmdzBlZlKLcmPm93nskQEX+VabQX4K:173yWmdzBlZlK/PmdskVRbQX4K`
Imports Hash	`2691b9b51544cc45c4175204fe1d1626`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2012-Mar-08 15:59:48
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x29400`
SizeOfInitializedData	`0x1fa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00017C69 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x2b000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x51000`
SizeOfHeaders	`0x400`
Checksum	`0x44a01`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`55b1a4672609887b96340471a7d12198`
SHA1	`f1ef30142b52535d53ac00bce16b164d6e5eea73`
SHA256	`3d1787e49598b5b2069f85a0622a47ce220b525c2defc3f274cabbac4a8fd617`
SHA3	`083342f4e3c9cef45e4fd8bd19d4f8f6adcffd3a4ff700676ab72ca989a42e7d`
VirtualSize	`0x2923b`
VirtualAddress	`0x1000`
SizeOfRawData	`0x29400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.60251`

.rdata

MD5	`f34756becee4ac0c36195689a1ad7ae2`
SHA1	`5e8b668bf2b30f90680f6a909a4a835d258f6dfd`
SHA256	`75691e05bb8e9a2e535b3c28e310167b0a61b9133f7aa627c1a9379b8efac689`
SHA3	`f4f63c6b9f63bc6019c52b7385a780d7d0360eaf9797ed0bc5d86e6d6269537d`
VirtualSize	`0xa9b8`
VirtualAddress	`0x2b000`
SizeOfRawData	`0xaa00`
PointerToRawData	`0x29800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.75546`

.data

MD5	`1122c2c1568e7169abcafad6930a6768`
SHA1	`9c5e3fb4f7ed5765a36a84d93989ed71763ada53`
SHA256	`d96651b5eb7ef9397459a1a2cc11e28fb872c9c3e081a2ce4b576d05bfaf6fab`
SHA3	`4db25e078a8f4a26a6cc43e61d58f64792111bcba5a1e141c73df1701614363f`
VirtualSize	`0x6118`
VirtualAddress	`0x36000`
SizeOfRawData	`0x2600`
PointerToRawData	`0x34200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.86216`

.rsrc

MD5	`57499fff25399d79672162bc6a4e16b6`
SHA1	`e1df59c1a4eefda16c1dbf21f8abcf8113582aa4`
SHA256	`87aea98c3ffa23a4b8ad6715ce640cfc3a47ad0b5e905e738ff6231adaf720d0`
SHA3	`e5d69b6671a8bd2e32bc604ec1a944953291463e74a2735e4c09d604d88f5c31`
VirtualSize	`0xb1ac`
VirtualAddress	`0x3d000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x36800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.0662`

.reloc

MD5	`0fd26a531b938bc58f0942d138627ef7`
SHA1	`a767ced845007d312d5b44a5556f08439c6fc495`
SHA256	`80df48faa36134cbce30a9c33781f5eeb1b7959e8df17453a587c1b56f4bbf14`
SHA3	`0667be0419fb745266087a35957d5a5457f490614998fa84cd29b1c93239671b`
VirtualSize	`0x77e6`
VirtualAddress	`0x49000`
SizeOfRawData	`0x7800`
PointerToRawData	`0x41a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.31586`

Imports

KERNEL32.dll	`GetFileAttributesW` `GetFileSizeEx` `GetFileTime` `GetStartupInfoW` `HeapAlloc` `HeapFree` `RtlUnwind` `HeapReAlloc` `RaiseException` `VirtualProtect` `VirtualAlloc` `GetSystemInfo` `VirtualQuery` `HeapSize` `SetUnhandledExceptionFilter` `GetModuleFileNameA` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetHandleCount` `GetFileType` `GetStartupInfoA` `HeapCreate` `VirtualFree` `QueryPerformanceCounter` `GetSystemTimeAsFileTime` `TerminateProcess` `UnhandledExceptionFilter` `IsDebuggerPresent` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `InitializeCriticalSectionAndSpinCount` `GetTimeZoneInformation` `GetConsoleCP` `GetConsoleMode` `LCMapStringA` `LCMapStringW` `GetStringTypeA` `GetStringTypeW` `GetLocaleInfoA` `SetStdHandle` `WriteConsoleA` `GetConsoleOutputCP` `CreateFileA` `SetEnvironmentVariableA` `FileTimeToLocalFileTime` `CreateFileW` `GetFullPathNameW` `GetVolumeInformationW` `FindFirstFileW` `FindClose` `GetCurrentProcess` `DuplicateHandle` `GetFileSize` `SetEndOfFile` `UnlockFile` `LockFile` `FlushFileBuffers` `SetFilePointer` `WriteFile` `ReadFile` `WritePrivateProfileStringW` `GetModuleHandleA` `GlobalFlags` `TlsFree` `DeleteCriticalSection` `LocalReAlloc` `TlsSetValue` `TlsAlloc` `InitializeCriticalSection` `GlobalHandle` `GlobalReAlloc` `EnterCriticalSection` `TlsGetValue` `LeaveCriticalSection` `LocalAlloc` `FileTimeToSystemTime` `GetCurrentProcessId` `SetErrorMode` `GetCurrentThread` `ConvertDefaultLocale` `EnumResourceLanguagesW` `GetLocaleInfoW` `LoadLibraryExW` `CompareStringA` `InterlockedExchange` `InterlockedIncrement` `lstrlenA` `lstrcmpA` `CloseHandle` `GetCurrentThreadId` `GlobalAddAtomW` `GlobalFindAtomW` `GlobalDeleteAtom` `LoadLibraryW` `CompareStringW` `LoadLibraryA` `lstrcmpW` `GetVersionExA` `FreeLibrary` `InterlockedDecrement` `GetProcAddress` `GetLastError` `SetLastError` `GlobalFree` `GlobalAlloc` `GlobalLock` `GlobalUnlock` `FormatMessageW` `LocalFree` `lstrlenW` `WideCharToMultiByte` `WriteConsoleW` `ExitProcess` `GetModuleFileNameW` `ExpandEnvironmentStringsW` `GetStdHandle` `Sleep` `GetModuleHandleW` `GetCommandLineW` `MultiByteToWideChar` `FindResourceW` `LoadResource` `LockResource` `GetTickCount` `SizeofResource`
USER32.dll	`CharUpperW` `SetCursor` `GrayStringW` `DrawTextExW` `DrawTextW` `TabbedTextOutW` `ClientToScreen` `DestroyMenu` `ShowWindow` `SetWindowTextW` `LoadCursorW` `GetDC` `ReleaseDC` `GetSysColorBrush` `GetWindowThreadProcessId` `IsWindowEnabled` `PostQuitMessage` `SetMenuItemBitmaps` `LoadBitmapW` `ModifyMenuW` `CheckMenuItem` `GetMessageW` `TranslateMessage` `GetCursorPos` `ValidateRect` `RegisterWindowMessageW` `LoadIconW` `WinHelpW` `GetCapture` `SetWindowsHookExW` `CallNextHookEx` `GetClassLongW` `GetClassNameW` `SetPropW` `GetPropW` `RemovePropW` `GetFocus` `IsWindow` `GetWindowTextW` `GetForegroundWindow` `GetLastActivePopup` `DispatchMessageW` `GetDlgItem` `GetTopWindow` `DestroyWindow` `GetMessageTime` `GetMessagePos` `PeekMessageW` `MapWindowPoints` `MessageBoxW` `GetActiveWindow` `GetSubMenu` `GetKeyState` `SetMenu` `EnableWindow` `SetForegroundWindow` `IsWindowVisible` `GetClientRect` `PostMessageW` `GetMenuCheckMarkDimensions` `GetMenuItemCount` `GetMenuItemID` `GetMenuState` `UnhookWindowsHookEx` `GetWindow` `GetSystemMetrics` `GetWindowRect` `GetWindowPlacement` `IsIconic` `SystemParametersInfoA` `SetWindowPos` `SetWindowLongW` `GetWindowLongW` `GetMenu` `PtInRect` `CopyRect` `CallWindowProcW` `DefWindowProcW` `SendMessageW` `CreateWindowExW` `GetClassInfoExW` `GetClassInfoW` `RegisterClassW` `GetSysColor` `AdjustWindowRectEx` `GetParent` `GetDlgCtrlID` `EnableMenuItem`
GDI32.dll	`DeleteDC` `GetStockObject` `ScaleWindowExtEx` `SetWindowExtEx` `ScaleViewportExtEx` `SetViewportExtEx` `OffsetViewportOrgEx` `SetViewportOrgEx` `SelectObject` `Escape` `TextOutW` `RectVisible` `GetDeviceCaps` `SetMapMode` `RestoreDC` `SaveDC` `DeleteObject` `ExtTextOutW` `CreateBitmap` `SetBkColor` `SetTextColor` `GetClipBox` `PtVisible`
COMDLG32.dll	`GetFileTitleW`
WINSPOOL.DRV	`DocumentPropertiesW` `OpenPrinterW` `ClosePrinter`
ADVAPI32.dll	`RegSetValueExW` `RegEnumKeyW` `RegDeleteKeyW` `RegQueryValueW` `RegOpenKeyW` `RegCreateKeyExW` `RegCloseKey` `RegQueryValueExW` `RegEnumKeyExW` `RegOpenKeyExW`
SHLWAPI.dll	`PathStripToRootW` `PathIsUNCW` `PathFindFileNameW` `PathFindExtensionW`
ole32.dll	`CoDisconnectObject` `StringFromGUID2` `CoGetObject` `CoCreateInstance` `CLSIDFromProgID` `CoInitialize`
OLEAUT32.dll	`#6` `#8` `#10` `#9` `#4` `#12` `#183` `#162` `#2` `#7` `#161`
OLEACC.dll (delay-loaded)	`LresultFromObject` `CreateStdAccessibleObject`

Delayed Imports

Attributes	`0x1`
Name	`OLEACC.dll`
ModuleHandle	`0x3aef0`
DelayImportAddressTable	`0x383f8`
DelayImportNameTable	`0x34238`
BoundDelayImportTable	`0x34274`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

129

Type	`RT_BITMAP`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x3a4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.90949`
MD5	`ae3bd35726e256961b0b7b9e143eda58`
SHA1	`97fdf228382aa25bfce97f2684f5a4dd98d1bc6d`
SHA256	`0eb0d9d00f8be714f834bbe9ac386ab75fd67e74009a706cff35addf565a38b3`
SHA3	`20ba49009ffcf1fe78ab3e74b915e5d93c3d4005eff71718204019f970acad0d`
Preview

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x70a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67318`
MD5	`1bf4584dc12fe62b9786c55870f4d2a0`
SHA1	`90f4ddddb79d2f320b48f6d0fed52744613504e5`
SHA256	`ba2f75718961d4174874e655fc4055d34dddc6e477be7ad48315b7ac79ca44cf`
SHA3	`6f25cd77fb1343bfbb226f4cdca8d634aafd6d3bd32ab1ed35a3edf0dc09b845`

7

Type	`RT_STRING`
Language	French - France
Codepage	Latin 1 / Western European
Size	`0x48`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.19502`
MD5	`10d022e533e73f962adaaea84d9d2341`
SHA1	`481e712df2258121f09da4acaaa7999fd25a1f23`
SHA256	`21933103638153262fc04241620439d017bfd09e4bdee5c696367de46a7d1a91`
SHA3	`5793e868a42430bd434b149a7848daf8da84f6294f6432baaf35f426a40023cc`

131

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`5a181c8e195049d74c15cd450c32b67b`
SHA1	`4a8e54de71bcbc2fe94255397fd5ea0c38a7ce23`
SHA256	`beca8ec591fb662213cad9a95fd978021158938a283178e5d01600004d238ef3`
SHA3	`39d4387198bd7e3b67f20d985a0262e9c961fdadbb80595389db6a917154d210`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1fc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.59208`
MD5	`c9b7b544a9ddb7849b802905c4ff657a`
SHA1	`e2d2f2044f20e23dd9af63cd171cd70b377955d9`
SHA256	`3f6069c080316b866b2aa1bd15ec3eac22e651d3534959e84235c6535e823918`
SHA3	`059bc74433001d95a3cd7f0f02f94a5430052601f1973b032fe07aeea887ab79`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x12a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.76335`
MD5	`aaf3ee7fa1852fab25ddef0cd42b66f8`
SHA1	`c4a0d6105c3ae5103ff54b5a59e40aee3771e082`
SHA256	`a8cb18d3a79d9cc323fde18a0dc9d9fdad4c55e3998a76772546fc70aeef3e21`
SHA3	`39f95ba32add6c64595f7271a6174cddf6ef045ba0316eac1683990d7ed5042c`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

String Table contents

mywscript2
MYWSCRIPT2

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`VS_FF_DEBUG`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
FileVersion (#2)	1, 0, 0, 0
ProductVersion (#2)	1, 0, 0, 0
LegalCopyright	Copyright (C) 2018
FileDescription
ProductName	NisWatchII

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2012-Mar-08 15:59:48
Version	`0.0`
SizeofData	`83`
AddressOfRawData	`0x306c0`
PointerToRawData	`0x2eec0`
Referenced File	C:\Projets\vbsedit_source\script2exe\Release\mywscript.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x436ddc`
SEHandlerTable	`0x431e80`
SEHandlerCount	`106`

RICH Header

XOR Key	`0x647ee5a7`
Unmarked objects	`0`
C objects (VS2012 build 50727 / VS2005 build 50727)	`8`
Imports (VS2012 build 50727 / VS2005 build 50727)	`21`
Total imports	`516`
ASM objects (VS2008 SP1 build 30729)	`25`
C objects (VS2008 SP1 build 30729)	`151`
C++ objects (VS2008 SP1 build 30729)	`130`
C++ objects (VS2008 build 21022)	`3`
138 (VS2008 SP1 build 30729)	`8`
Linker (VS2008 build 21022)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

52af7649ae5fa8101d7a0f010f54443b

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

129

1

7

131

1 (#2)

1 (#3)

1 (#4)

String Table contents

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors