Manalyze report for 788b45e103f6e91ab7a26fb5e7403827

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Dec-05 22:50:52
Detected languages	English - United States

Plugin Output

Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryExA GetProcAddress` `Can access the registry: RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`3819796 bytes of data starting at offset 0x12000.` `The overlay data has an entropy of 7.99338 and is possibly compressed or encrypted.` `Overlay data amounts for 98.1064% of the executable.`
Safe	VirusTotal score: 0/65 (Scanned on 2019-02-21 21:06:12)	`All the AVs think this file is safe.`

Hashes

MD5	`788b45e103f6e91ab7a26fb5e7403827`
SHA1	`fe8f98f62bd9ee9db896bc56ffa15aa4d4f75e31`
SHA256	`881528c2793282fc88772576247683a26ebbdd032555b50081e55ee5427aec0f`
SHA3	`a5a85bfd4822cde3fff8891461361beaf9cb5c02bfccc73360644c0cbb4be1dc`
SSDeep	`98304:aIL+yVKjJsI9F4EW89SdcCoZAC0/sZbLHcnlv:avJCLEW0kcC4AP/gct`
Imports Hash	`f2eb8d789695eff25c68c44db80d0898`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2009-Dec-05 22:50:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5e00`
SizeOfInitializedData	`0x28400`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x000030FA (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x42000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`856b32eb77dfd6fb67f21d6543272da5`
SHA1	`6597c511c2ee72f68f5246460f0683dae16dcade`
SHA256	`c6c2b4f41d6598b94106de36b422dd84534fd9a11d84b2b6a47b3be49524c750`
SHA3	`649e621f7eb7edb175d8285b7c35de1209efc88af5abb31f95bab19076fff3b4`
VirtualSize	`0x5c4c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.44011`

.rdata

MD5	`dc77f8a1e6985a4361c55642680ddb4f`
SHA1	`3d397ee25b2dd83ab741c67375880151cae94ed8`
SHA256	`576cdd5bc72421d008c86f056d0727c54cc8b3ec0961e5d0462af48278543d51`
SHA3	`d419a2c597e2f7a8a19b7c5c2090a93c78625e69629ff7d66a5359bfd614a8f4`
VirtualSize	`0x129c`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.04684`

.data

MD5	`7922d4ce117d7d5b3ac2cffe4b0b5e4f`
SHA1	`4e56bb1994226ae0285c7adee470777262de2c99`
SHA256	`97773fd68ac3aebb9795c59dc00c5dbc0c992ce0c3c2ef90bfff27eb1cd72b3d`
SHA3	`2a1aceed5a92a7ab4f568335758aa6da79df1e2fe50997652ea0f52f0813bead`
VirtualSize	`0x25c58`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.801`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x2f000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`c1ddc1888b753070a85c6d5f17ff39b1`
SHA1	`da0fd48a312b9250799d441b6bc574887a42629f`
SHA256	`731d0bf40239d44721df34234f96b7a7fbacf5f8afee27322b3edc94dd7e1032`
SHA3	`63ea8f851b7da3f83d13dc7901a4e16431ee5c2fc80d0d5d2489aaab69401e92`
VirtualSize	`0xa508`
VirtualAddress	`0x37000`
SizeOfRawData	`0xa600`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.72405`

Imports

KERNEL32.dll	`CompareFileTime` `SearchPathA` `GetShortPathNameA` `GetFullPathNameA` `MoveFileA` `SetCurrentDirectoryA` `GetFileAttributesA` `GetLastError` `CreateDirectoryA` `SetFileAttributesA` `Sleep` `GetTickCount` `GetFileSize` `GetModuleFileNameA` `GetCurrentProcess` `CopyFileA` `ExitProcess` `GetWindowsDirectoryA` `SetFileTime` `GetCommandLineA` `SetErrorMode` `LoadLibraryA` `lstrcpynA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `CreateProcessA` `RemoveDirectoryA` `CreateFileA` `GetTempFileNameA` `lstrlenA` `lstrcatA` `GetSystemDirectoryA` `GetVersion` `CloseHandle` `lstrcmpiA` `lstrcmpA` `ExpandEnvironmentStringsA` `GlobalFree` `GlobalAlloc` `WaitForSingleObject` `GetExitCodeProcess` `GetModuleHandleA` `LoadLibraryExA` `GetProcAddress` `FreeLibrary` `MultiByteToWideChar` `WritePrivateProfileStringA` `GetPrivateProfileStringA` `WriteFile` `ReadFile` `MulDiv` `SetFilePointer` `FindClose` `FindNextFileA` `FindFirstFileA` `DeleteFileA` `GetTempPathA`
USER32.dll	`EndDialog` `ScreenToClient` `GetWindowRect` `EnableMenuItem` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `RegisterClassA` `TrackPopupMenu` `AppendMenuA` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `DestroyWindow` `CreateDialogParamA` `SetTimer` `SetWindowTextA` `PostQuitMessage` `SetForegroundWindow` `wsprintfA` `SendMessageTimeoutA` `FindWindowExA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `OpenClipboard` `ExitWindowsEx` `IsWindow` `GetDlgItem` `SetWindowLongA` `LoadImageA` `GetDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndPaint` `ShowWindow`
GDI32.dll	`SetBkColor` `GetDeviceCaps` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectA` `SetBkMode` `SetTextColor` `SelectObject`
SHELL32.dll	`SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA` `SHGetSpecialFolderLocation`
ADVAPI32.dll	`RegQueryValueExA` `RegSetValueExA` `RegEnumKeyA` `RegEnumValueA` `RegOpenKeyExA` `RegDeleteKeyA` `RegDeleteValueA` `RegCloseKey` `RegCreateKeyExA`
COMCTL32.dll	`ImageList_AddMasked` `ImageList_Destroy` `#17` `ImageList_Create`
ole32.dll	`CoTaskMemFree` `OleInitialize` `OleUninitialize` `CoCreateInstance`
VERSION.dll	`GetFileVersionInfoSizeA` `GetFileVersionInfoA` `VerQueryValueA`

Delayed Imports

110

Type	`RT_BITMAP`
Language	English - United States
Codepage	UNKNOWN
Size	`0x368`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.22336`
MD5	`3811c1e0a9153b958f1da69a3f801f3c`
SHA1	`4044512d457358973fc8f9180edca0486227e1fe`
SHA256	`a875f9b3c1f31835b3f70c23a8a1daa06404b82d61887d035731eb13f649c0db`
SHA3	`a1ff563ee071b39f785871bba806b49079d9b91b72bc90853b26e663f150d722`
Preview

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.42098`
MD5	`65f1e03456821587ffbb15161266d894`
SHA1	`b3c6bb6241a2c3d93c92a200dbc4f347106be6b8`
SHA256	`d03874b4b20ac03010d8c4b907c818cfc787f6137aa268b0e91930a0b0b18254`
SHA3	`6faddf31356b191c2808ffe434b2e7bb48a6d44e2fd5600db8290c84a02e528c`

102

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xb8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.74309`
MD5	`d0ee637c1ddc14e8b5a034d6dc534959`
SHA1	`102b4e10fa92a0bb636892075fb2aa9f94e874eb`
SHA256	`5cd3c60f603555dc7aaa160339f3315de1f606c7b69680a1a0f5f0fd7f318dc3`
SHA3	`6a883bf1303cb23f76f3f339b37ea617658ee5162a8b8fd74166ae73ceefc86b`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x144`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.61782`
MD5	`46e58d12697ed2f2a218e47ae5bcfa3c`
SHA1	`1b5cde960720d5c1a9c26ded031e89d9e9ec2ecb`
SHA256	`18cfaba468cd4b07a8909fc3273f06302319b7963f75c4dda78b688c576511f0`
SHA3	`b08f048407ff29a6cadc4ed351fb591beeb4ccb1a0be22148fc38832807cb1b3`

104

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x13c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.6935`
MD5	`f710f3209a382e2a0e846cba6190f7d7`
SHA1	`357127cda13b5efb04d3dbde8bff3c4e17633447`
SHA256	`0a8e57a753806a4051f65d26f2da369cc30a0820b2d275bb3ad4ec43127afc25`
SHA3	`33f283ae26c36baeca1b65a18d658bc4c43e7095fd7fe682dd5ebec5f055755b`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

107

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.62276`
MD5	`b3b970ba2a434ca224efafe05aad1d06`
SHA1	`d972e50cdb3e17d9b8d22b160b65c2d6c8b66c52`
SHA256	`2d986f26ff752607366192a903078cdd7d6da06ab97309c85cd5c8cf05f823b6`
SHA3	`7b712c22d11a139c02d0f53916c725b62010452bca8c6fa37dad7542e322d0b8`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`fcf5da4bc7867f13b4025ad65c455f48`
SHA1	`b2d8d91f2a4a2c3c504f8b87d417c382838e0f2f`
SHA256	`8b10bf294e8d3fe252a5488ea8ae69fe8f06837079a5c6a4e84312a5ec334dee`
SHA3	`6f3bc5d6f0ea376c2c039a4e19233fe2a6f6731b870dac96b33a0768bc563742`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3be`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.21482`
MD5	`18a65b0356650472e36d75deef2173b5`
SHA1	`ad8ae2a67c7258efa638901ff609cc6561b96b4f`
SHA256	`cb24fe30879e7b0870fb61f7c16bdb8c4fa9a2a8c2d945bd3ea8dd889e93c0ff`
SHA3	`55079671a0ec8905dde3e77ac6ab2a0ab33bc1d621f43b49f67d3539c1fd0723`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x69ead975`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`155`
Imports (VS2003 (.NET) build 4035)	`17`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!