Manalyze report for 614d994a6b4275506037747ec162df5e

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2018-Apr-30 12:00:00
Detected languages	English - United States
CompanyName	Igor Pavlov
FileDescription	7-Zip Console
FileVersion	`18.05`
InternalName	7z
LegalCopyright	Copyright (c) 1999-2018 Igor Pavlov
OriginalFilename	7z.exe
ProductName	7-Zip
ProductVersion	`18.05`

Plugin Output

Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW LoadLibraryW GetProcAddress` `Can access the registry: RegOpenKeyExW RegQueryValueExW RegCloseKey` `Can create temporary files: CreateFileW GetTempPathW` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Enumerates local disk drives: GetLogicalDriveStringsW` `Changes object ACLs: SetFileSecurityW`
Suspicious	VirusTotal score: 1/68 (Scanned on 2019-01-01 02:37:06)	`Trapmine: malicious.moderate.ml.score`

Hashes

MD5	`614d994a6b4275506037747ec162df5e`
SHA1	`11f7c47a7935560aa9c8c30ac1cecc974000b392`
SHA256	`47462483fe54776e01d8ceb8ff9fd5bf2c3f1f01d852a54d878914f62f98f2d3`
SHA3	`43545f1e47a8aaf1e53b990d28a7ab5681f6083ff3849476d822013d111c86de`
SSDeep	`12288:5C8TNi6LjSNacKiFzkae6N31+njiipWGc4:TNDjSNacKwNZiYJ4`
Imports Hash	`9415f65b67a8ecbcc9bc12693f3a15a0`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2018-Apr-30 12:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`8.0`
SizeOfCode	`0x4cc00`
SizeOfInitializedData	`0x26200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000004D010 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x75000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`50a0a0fdd6863a8c7d91c7989df8de2d`
SHA1	`774e474782c570968a6a0e69750291b75c975558`
SHA256	`c54a2c33f6ca028cd392be36ddc5deba13e771027a9bcce105a644b1f4efe954`
SHA3	`24068a10fb6a6c2764dcd065bf4aff57ec032061f60adebe51f1d51f21fda89c`
VirtualSize	`0x4cb0a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x4cc00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.2895`

.rdata

MD5	`db14964986d08aefbf119b5dc89ac13e`
SHA1	`361a0af74be128fb919e3b647c1d003f3780f9a4`
SHA256	`7a21107c3941e74a58ed00616634cf27c7fd03527d892d46bb3ed4850813ae00`
SHA3	`c4d2d3f55aed5e357fa106583feafe68d711a634a5fa684b593779c7e78de6b6`
VirtualSize	`0x1bd2e`
VirtualAddress	`0x4e000`
SizeOfRawData	`0x1be00`
PointerToRawData	`0x4d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.85934`

.data

MD5	`78242cdda0885ebebebbdcf0d13484dd`
SHA1	`c2e6e1deb9ec9c97e32c7fa354583114f8b9c64c`
SHA256	`7c874bb740daff69bd3486364ffc2f695e65e776f9a0f7669aa76b45f6a20fd3`
SHA3	`4b3684c5e3a7cf5a4dbef76663143199594eebfc57d66d5cc94a7861d39309cd`
VirtualSize	`0x2cb8`
VirtualAddress	`0x6a000`
SizeOfRawData	`0x800`
PointerToRawData	`0x68e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.24033`

.pdata

MD5	`019f5ccf770390a9ba0df01be95c40f0`
SHA1	`2ab9d41dc3b6ddcad6d449e7c3e2017ccf5010d0`
SHA256	`b4955f217c1867d65f75b2ab5cd9966f348e89a36cb3f80cbceb82847b5062df`
SHA3	`743efe4694de53ed40e6e64122e374a6961e9fa7d38bfa7367ac0f74676aca4e`
VirtualSize	`0x5fe8`
VirtualAddress	`0x6d000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x69600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.77845`

.rsrc

MD5	`f4f4ac30bbf4741e4bd0f34ee87042e3`
SHA1	`e047259eefc51af003b751eb67186eb1348c3b1e`
SHA256	`8f59d08a6f4e9f5fb842a1ed284b5be153851e26ba5d352a62f0f92c20ae8839`
SHA3	`6381a32bd62c7c2a9fc4f443a7daff04697f7ea521f88002ae653ab250b561c3`
VirtualSize	`0x6e0`
VirtualAddress	`0x73000`
SizeOfRawData	`0x800`
PointerToRawData	`0x6f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.44462`

.reloc

MD5	`dbceaa5f2f187a607c336fd343053087`
SHA1	`c1bb37393092d5f9d9a7bb9a0c43e5303695cbf8`
SHA256	`cb116ae4a28a73844efd96baa2c3d7c0c2daead57e35fc58dbdab3d72b300040`
SHA3	`408508e965b2dd5b124b09a9f4c9baf7a474c6c823a70ea736bb1d14c356f272`
VirtualSize	`0xde6`
VirtualAddress	`0x74000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x6fe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.58859`

Imports

OLEAUT32.dll	`#7` `#9` `#10` `#2` `#149` `#6` `#4`
USER32.dll	`CharUpperW`
ADVAPI32.dll	`OpenProcessToken` `GetFileSecurityW` `SetFileSecurityW` `RegOpenKeyExW` `RegQueryValueExW` `AdjustTokenPrivileges` `LookupPrivilegeValueW` `RegCloseKey`
msvcrt.dll	`_exit` `_c_exit` `_XcptFilter` `_onexit` `__dllonexit` `??1type_info@@UEAA@XZ` `?terminate@@YAXXZ` `__C_specific_handler` `_beginthreadex` `_isatty` `memcmp` `_purecall` `strlen` `memset` `wcsstr` `_cexit` `wcscmp` `strcmp` `memmove` `fflush` `fputc` `fputs` `_iob` `fgetc` `fclose` `free` `_CxxThrowException` `malloc` `__CxxFrameHandler` `memcpy` `__initenv` `exit` `__getmainargs` `_initterm` `__setusermatherr` `_commode` `_fmode` `__set_app_type`
KERNEL32.dll	`VirtualAlloc` `VirtualFree` `WaitForSingleObject` `SetEvent` `InitializeCriticalSection` `FormatMessageW` `GetConsoleMode` `SetConsoleMode` `SetFileApisToOEM` `GetCommandLineW` `GetConsoleScreenBufferInfo` `SetConsoleCtrlHandler` `IsProcessorFeaturePresent` `GetProcessTimes` `LeaveCriticalSection` `EnterCriticalSection` `DeleteCriticalSection` `SetProcessAffinityMask` `OpenEventW` `UnmapViewOfFile` `MapViewOfFile` `OpenFileMappingW` `GetStdHandle` `GetSystemTimeAsFileTime` `FileTimeToDosDateTime` `GlobalMemoryStatusEx` `GetSystemInfo` `GetProcessAffinityMask` `FileTimeToLocalFileTime` `FileTimeToSystemTime` `CompareFileTime` `GetCurrentProcess` `GetDiskFreeSpaceW` `GetFileInformationByHandle` `SetEndOfFile` `WriteFile` `ReadFile` `SetFilePointer` `GetFileSize` `DeviceIoControl` `GetLogicalDriveStringsW` `GetFileAttributesW` `GetModuleHandleA` `GetLastError` `MultiByteToWideChar` `WideCharToMultiByte` `FreeLibrary` `LoadLibraryExW` `LoadLibraryW` `GetModuleFileNameW` `LocalFree` `CloseHandle` `SetFileTime` `CreateFileW` `SetFileAttributesW` `RemoveDirectoryW` `MoveFileW` `GetProcAddress` `GetModuleHandleW` `CreateDirectoryW` `DeleteFileW` `SetCurrentDirectoryW` `GetCurrentDirectoryW` `GetTempPathW` `SetLastError` `GetCurrentProcessId` `GetTickCount` `GetCurrentThreadId` `FindClose` `FindFirstFileW` `FindNextFileW`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2ac`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.428`
MD5	`b7fdea6a99abcd32a8e45e09eae6ac4f`
SHA1	`08ebf3ab61e48bbeae848a14a89693bb0e7fd028`
SHA256	`14fd3e099bc2226ddd38381a7ddb2e95eb459356f1c3e5609ad8411da8558a7b`
SHA3	`656ad7267cf64a5eb5f02b3c6a9f8ca05df736a6ca26ec48a25ddfe2c64a63fd`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x38e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.36954`
MD5	`445ab0be1ebbb45eac34dd03f4204971`
SHA1	`cda51970a44a9b2ca92f1ce56607bffd3d39bf5f`
SHA256	`fd3f18e6ec417eb0f63a003d9808553b3194f6fab33a8bf618d18a476944a5e6`
SHA3	`b5552a2682a529c160d7341b7b2ed8173a8ed7082e2c10f7513dd6b3e206c045`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	18.5.0.0
ProductVersion	18.5.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Igor Pavlov
FileDescription	7-Zip Console
FileVersion (#2)	18.05
InternalName	7z
LegalCopyright	Copyright (c) 1999-2018 Igor Pavlov
OriginalFilename	7z.exe
ProductName	7-Zip
ProductVersion (#2)	18.05

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xad047f5b`
Unmarked objects	`0`
ASM objects (40310)	`1`
Imports (40310)	`11`
Total imports	`146`
C++ objects (40310)	`75`
C objects (40310)	`15`
ASM objects (VS2010 SP1 build 40219)	`1`
Resource objects (40310)	`1`
Linker (40310)	`1`

614d994a6b4275506037747ec162df5e

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors