Manalyze report for 7f130e1dea535487a61105c3c6da6383

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2012-Dec-21 20:59:46

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can create temporary files: GetTempPathA CreateFileA`
Suspicious	The PE is possibly a dropper.	`Resource DLL is possibly compressed or encrypted.` `Resources amount for 95.1294% of the executable.`
Malicious	VirusTotal score: 47/72 (Scanned on 2025-03-04 14:09:58)	`AVG: FileRepMalware [Misc]` `Antiy-AVL: HackTool/Win32.Patcher.ad` `Arcabit: Application.Heur.FU.E7A811` `Avast: FileRepMalware [Misc]` `Baidu: Win32.Trojan.Generic.f` `BitDefender: Gen:Application.Heur.FU.fuW@aWdfvXk` `CAT-QuickHeal: Riskware.Dupatcher.A4` `CTX: exe.hacktool.patcher` `CrowdStrike: win/grayware_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win32/HackTool.Patcher.AD potentially unsafe` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Application.Heur.FU.fuW@aWdfvXk (B)` `FireEye: Generic.mg.7f130e1dea535487` `Fortinet: Riskware/GamePatcher` `GData: Win32.Riskware.Patcher.E` `Google: Detected` `Gridinsoft: Hack.Win32.Patcher.sa` `Ikarus: possible-Threat.Hacktool.Patcher` `K7AntiVirus: Trojan ( 0040f3a51 )` `K7GW: Trojan ( 0040f3a51 )` `Kingsoft: Win32.Troj.Unknown.a` `Lionic: Hacktool.Win32.Agent.tpR4` `Malwarebytes: HackTool.FilePatch` `MaxSecure: Trojan.Malware.121218.susgen` `McAfee: FilePatcher` `McAfeeD: Real Protect-LS!7F130E1DEA53` `MicroWorld-eScan: Gen:Application.Heur.FU.fuW@aWdfvXk` `Microsoft: HackTool:Win32/Keygen` `Paloalto: generic.ml` `Panda: Trj/CI.A` `Rising: HackTool.Patcher!1.B3BB (CLASSIC)` `SUPERAntiSpyware: Hack.Tool/Gen-Patcher` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.FilePatcher.mc` `Sophos: Generic Patcher (PUA)` `Symantec: ML.Attribute.HighConfidence` `VIPRE: Gen:Application.Heur.FU.fuW@aWdfvXk` `Varist: W32/Agent.EWQQ-1275` `ViRobot: Trojan.Win32.Agent.754688.B` `Webroot: W32.Hacktool.Gen` `Xcitium: Application.Win32.HackTool.Patcher.T@8rlo7s` `Zillya: Tool.Patcher.Win32.48299` `alibabacloud: HackTool:Win/Patcher.AF`

Hashes

MD5	`7f130e1dea535487a61105c3c6da6383`
SHA1	`3cd57ec62edcf195a781a11b7557ce76bf1a72af`
SHA256	`deb3f96848bc216373c641b45dc66b0f4cce8ace06737c549a63c605852626b6`
SHA3	`2952b1675b6d5982fcfdab1932558e6b920e405ac42fa446516f03d89b0d806b`
SSDeep	`1536:WhN0rbd6++Vy4UX51BW/iAEbHRRx8tYmTKOXNdSeXe4gik6G0Lz/cYMf4u9I:Who6BV+X5m/EL9ai8e4gf0HcYz`
Imports Hash	`dc73a9bd8de0fd640549c85ac4089b87`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2012-Dec-21 20:59:46
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x200`
SizeOfInitializedData	`0x13a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000102B (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x2000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x19000`
SizeOfHeaders	`0x400`
Checksum	`0xecdd`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4c584307e5aa70f515ee8c3d942e5f6c`
SHA1	`05668764efd56b4a53d8574ff9dec26b851ca07b`
SHA256	`9c0c821fe1c66ad45a044fec0be845fa08b96ea7b7c24e852b132a92fe08a90c`
SHA3	`a56964eb90adb7bd0f5c92dbd62425658cbd2b396621386f34ca3397e2a0465f`
VirtualSize	`0x1f6`
VirtualAddress	`0x1000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.06408`

.rdata

MD5	`e5aa65265e17d8a1b524adbc10c0a1ad`
SHA1	`0e0eb11d610df253f860f9b46790f28f7477d12a`
SHA256	`b8af2ef3ea5c0fb35d0c846a94425f028f8cdba30eefbb401377749e0266640b`
SHA3	`7c0d77a4d031c3944bb719376c53cf53fc047471e027fa4f69aacd44c986f6a8`
VirtualSize	`0x1d8`
VirtualAddress	`0x2000`
SizeOfRawData	`0x200`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.27064`

.data

MD5	`f8fedf1be1122ff5cd0e5b4716311cc5`
SHA1	`c41831c104ced77633be9d2b09364c22a9392a73`
SHA256	`b23a9af37c2bfeb0bcb17555a8038d0403b12616851e58513e9135a77c84363b`
SHA3	`eed0f7054aa182d7497331ee77969143efb3a63e8fee1ed02e44e82494404132`
VirtualSize	`0x34`
VirtualAddress	`0x3000`
SizeOfRawData	`0x200`
PointerToRawData	`0x800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.568988`

.rsrc

MD5	`fefe8696c219aabefdc7ab714d877512`
SHA1	`168a0a017d02ff9dfeead598d1ab54a4960f899d`
SHA256	`7f4bae8f4c04ceba1ab84c9d83985b86dc529ecfbc87efb021313c49a8b5f463`
SHA3	`50ebc889e6999125e86099685f6777b019f1762c6b9debb491b4bd4a881647fb`
VirtualSize	`0x13204`
VirtualAddress	`0x4000`
SizeOfRawData	`0x13400`
PointerToRawData	`0xa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.75611`

.reloc

MD5	`2e6554ffc943448b686d85ad68f9ec9a`
SHA1	`2983937fa0491ffb874e3d5084ddc909f7b417ba`
SHA256	`4bb6e032bb8a0cc87b345564204b1e74d8eb2ed7665c2a1d82dcd3b3096bf885`
SHA3	`1037aac5df319410ca7ed864e945ccb384d66f6e8ac2a1f9c2cfcdc03c63f497`
VirtualSize	`0x52`
VirtualAddress	`0x18000`
SizeOfRawData	`0x200`
PointerToRawData	`0x13e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.736046`

Imports

kernel32.dll	`DeleteFileA` `ExitProcess` `FindResourceA` `FreeLibrary` `GetModuleHandleA` `GetProcAddress` `GetTempPathA` `LoadLibraryA` `LoadResource` `RtlMoveMemory` `SizeofResource` `VirtualAlloc` `lstrcatA` `CloseHandle` `CreateFileA` `FlushFileBuffers` `WriteFile`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.90216`
MD5	`a2ded54d4a9b210175173d0e71ef1128`
SHA1	`f6411fda0329620e6593812d5f3b1bb29f86102d`
SHA256	`00b5ab981f34a54793c5e6205533bda7b0f682dffc52b60290ba77da3ad20517`
SHA3	`23158337147bf9bb053348da0518ad3f5432ee16fd1e5ba25f39e81ff5057067`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.75642`
MD5	`69566855f476b68068751dd428e73e0c`
SHA1	`78f9fd60320bd63541c5a31c39653042e7058fb7`
SHA256	`e7007400eb9146edf1b7a80adb0ade51edd25af8bd3aa257e73d734d10a13645`
SHA3	`bc47cbdd563be0f9fb8e2a280462d7d6791d411ab1dc97841fd6e2d38fd1100c`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.50765`
MD5	`b1fc2db4a531570c4b49d8bebccf9af6`
SHA1	`04d8c04a679bff205d51ad480c34c147380727a1`
SHA256	`543502263e5445b4a66e1b2cf2499053d7c8d9afed992303a0dba7c8ccfc1b53`
SHA3	`692649d7c4854bc0a4ee5285aa81c6219456fc80aa419d2e85c0ed3eb333d343`

DLL

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xf200`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99715`
MD5	`5e9e5d7bdfa6e3b0f31bab11e227639c`
SHA1	`66b32f529957e3408ee2a3b00128bdb150a9f04d`
SHA256	`d0de32a68adb692e9da47a85e355f852ac008b66d2731a6713f16e51fab71aac`
SHA3	`96b58af26105b5743e722e5c4a0dc8f94e1e1a2a4e4a074935c4276be18d8eee`

500

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`409e1724611e0bc39356e2f58888db55`
SHA1	`c06c0e66cc2f7956256e2f018aa0294bfa914960`
SHA256	`6ab18c3b81a5d30c5a190a4504cae807d73b1a4d02d56ffddf641abbb62b7210`
SHA3	`315b2ad40793f4ef885ff4c878169b02c62f619b57780a98a76c8538cd0ee5c9`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x382`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.85663`
MD5	`3d015c7d35d5e650f594c23c7368cd6f`
SHA1	`b5fdca6e0c5847a306b43553ce96c7c37a40c680`
SHA256	`3e11f55df49746534018ddcb81f928559124029992dfaa0adb67318b2d41df15`
SHA3	`94d9e3898971601d603eb374856eca2677a11d61314d956b1f82e18cd60c9b4c`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x9103f02d`
Unmarked objects	`0`
18 (8444)	`1`
Imports (VS2010 build 30319)	`3`
Total imports	`17`
ASM objects (VS2010 build 30319)	`1`
Resource objects (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

7f130e1dea535487a61105c3c6da6383

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

DLL

500

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors