Manalyze report for 99bcde2ebdb72206af313101da41ca58506543925e2536727bb94a1110183508

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Jul-02 02:09:43
Detected languages	English - United States

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: qeMU` `Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Can access the registry: RegEnumValueW RegEnumKeyW RegQueryValueExW RegSetValueExW RegCloseKey RegDeleteValueW RegDeleteKeyW RegOpenKeyExW RegCreateKeyExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`19872465 bytes of data starting at offset 0x13800.` `The overlay data has an entropy of 7.99999 and is possibly compressed or encrypted.` `Overlay data amounts for 99.5997% of the executable.`
Suspicious	VirusTotal score: 1/70 (Scanned on 2026-04-12 19:49:14)	`Bkav: W32.AIDetectMalware`

Hashes

MD5	`38d47cd0f9477d352db3c7eb518832a4`
SHA1	`04334a4d9d8de32bb16f41ae64e9bd263d6642f4`
SHA256	`99bcde2ebdb72206af313101da41ca58506543925e2536727bb94a1110183508`
SHA3	`a677b21bbb3b285dcf3666a50913b4b33bc58b860b3051f89482bcead292b8ce`
SSDeep	`393216:6ImMXinmujdB3ob3cIVdz7Bb/NvXxRPBUEsvrdcSm+8irYJ6ufY9Q5D1I:6I7WmujdB3ob3cy5/NJ1+rmSm+M6ufYP`
Imports Hash	`9dda1a1d1f8a1d13ae0297b47046b26e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2023-Jul-02 02:09:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6800`
SizeOfInitializedData	`0x22200`
SizeOfUninitializedData	`0x800`
AddressOfEntryPoint	`0x00003645 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x5a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`e65344ac983813901119e185754ec24e`
SHA1	`2e2d9a83daa729308b7cd185e22bcb46479a56bd`
SHA256	`5f999f1ac9618f2f597e44c35dc1fa622f24345640b4b9562b34dd34e76e1d92`
SHA3	`008386b2d98786950b15956c1a6f61ba1543b6a673022b82f1c7c150f7bc1c6e`
VirtualSize	`0x66b7`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.43787`

.rdata

MD5	`bd82d08a08da8783923a22b467699302`
SHA1	`8677bad7d268e6798da158299b8cde5996219d6a`
SHA256	`3feef820a9f96f0298da3113f8636dfeceef551c295fe0170dd77befe32d3b2e`
SHA3	`5e3cb63428d5f7f464b1f262839aaff7e576fca433f99011e311469f7bcbbf55`
VirtualSize	`0x1358`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.10336`

.data

MD5	`caa377d001cfc3215a3edff6d7702132`
SHA1	`12e015a7fa2a29356d00dee7e685246788254fef`
SHA256	`f382d804344ebc29cbc21b83080c050a81379e8a478ce109aac23cf53a2dc137`
SHA3	`9f2e198dbb796b48025124534f717a0ecd4cebf3bdb758a99dab79c8a0bd9bed`
VirtualSize	`0x1fb78`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.12621`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x24000`
VirtualAddress	`0x2a000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`56558edc1c6e50456dadc29ce44f1a33`
SHA1	`17478350e71f1df76b1d949df39980e3499dd6ad`
SHA256	`2dd88155a49585e3ca85ec7793559025e696f5c18e72cbcac0f1fcc74fda2407`
SHA3	`fcd74334c1e2e75c9a93efbf2d80ee3dd1684270b35fb8595b8454cb21d48c22`
VirtualSize	`0xb0b0`
VirtualAddress	`0x4e000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x8600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.36644`

Imports

ADVAPI32.dll	`RegEnumValueW` `RegEnumKeyW` `RegQueryValueExW` `RegSetValueExW` `RegCloseKey` `RegDeleteValueW` `RegDeleteKeyW` `AdjustTokenPrivileges` `LookupPrivilegeValueW` `OpenProcessToken` `RegOpenKeyExW` `RegCreateKeyExW`
SHELL32.dll	`SHGetPathFromIDListW` `SHBrowseForFolderW` `SHGetFileInfoW` `SHFileOperationW` `ShellExecuteExW`
ole32.dll	`CoCreateInstance` `OleUninitialize` `OleInitialize` `IIDFromString` `CoTaskMemFree`
COMCTL32.dll	`ImageList_Destroy` `#17` `ImageList_AddMasked` `ImageList_Create`
USER32.dll	`MessageBoxIndirectW` `GetDlgItemTextW` `SetDlgItemTextW` `CreatePopupMenu` `AppendMenuW` `TrackPopupMenu` `OpenClipboard` `EmptyClipboard` `SetClipboardData` `CloseClipboard` `IsWindowVisible` `CallWindowProcW` `GetMessagePos` `CheckDlgButton` `LoadCursorW` `SetCursor` `GetSysColor` `SetWindowPos` `GetWindowLongW` `IsWindowEnabled` `SetClassLongW` `GetSystemMenu` `EnableMenuItem` `GetWindowRect` `ScreenToClient` `EndDialog` `RegisterClassW` `SystemParametersInfoW` `CharPrevW` `GetClassInfoW` `DialogBoxParamW` `CharNextW` `ExitWindowsEx` `DestroyWindow` `CreateDialogParamW` `SetTimer` `SetWindowTextW` `PostQuitMessage` `SetForegroundWindow` `ShowWindow` `wsprintfW` `SendMessageTimeoutW` `FindWindowExW` `IsWindow` `GetDlgItem` `SetWindowLongW` `LoadImageW` `GetDC` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageW` `DefWindowProcW` `BeginPaint` `GetClientRect` `FillRect` `DrawTextW` `EndPaint` `CharNextA` `wsprintfA` `DispatchMessageW` `CreateWindowExW` `PeekMessageW` `GetSystemMetrics`
GDI32.dll	`GetDeviceCaps` `SetBkColor` `SelectObject` `DeleteObject` `CreateBrushIndirect` `CreateFontIndirectW` `SetBkMode` `SetTextColor`
KERNEL32.dll	`RemoveDirectoryW` `lstrcmpiA` `GetTempFileNameW` `CreateProcessW` `CreateDirectoryW` `GetLastError` `CreateThread` `GlobalLock` `GlobalUnlock` `GetDiskFreeSpaceW` `WideCharToMultiByte` `lstrcpynW` `lstrlenW` `SetErrorMode` `GetVersionExW` `GetCommandLineW` `GetTempPathW` `GetWindowsDirectoryW` `SetEnvironmentVariableW` `WriteFile` `ExitProcess` `GetCurrentProcess` `GetModuleFileNameW` `GetFileSize` `CreateFileW` `GetTickCount` `Sleep` `SetFileAttributesW` `GetFileAttributesW` `SetCurrentDirectoryW` `MoveFileW` `GetFullPathNameW` `GetShortPathNameW` `SearchPathW` `CompareFileTime` `SetFileTime` `CloseHandle` `lstrcmpiW` `lstrcmpW` `ExpandEnvironmentStringsW` `GlobalFree` `GlobalAlloc` `GetModuleHandleW` `LoadLibraryExW` `FreeLibrary` `WritePrivateProfileStringW` `GetPrivateProfileStringW` `lstrlenA` `MultiByteToWideChar` `ReadFile` `SetFilePointer` `FindClose` `FindNextFileW` `FindFirstFileW` `DeleteFileW` `MulDiv` `lstrcpyA` `MoveFileExW` `lstrcatW` `GetSystemDirectoryW` `GetProcAddress` `GetModuleHandleA` `GetExitCodeProcess` `WaitForSingleObject` `CopyFileW`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.9537`
MD5	`b982abb0225c34c46afa5d4f74638467`
SHA1	`abb6338a656eba0405fad06d45b882d42e0a8a05`
SHA256	`bd8a8be264a1480004709d7ab53b822785daf451479e400558ad68beed4c7be2`
SHA3	`b1a87291743a77ac4d699e7ab55865f26538df5308cf6deaa07d38b4d2c2d46d`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.09531`
MD5	`8b6fa1fac3e30a982b3fafbb0648c0c4`
SHA1	`36c49cf1371ba9aa207d8c3c0b1e4f4e73a71815`
SHA256	`ac69a1ea38bcaffd3d5287a544436dcff11da3efe005feccf9f39981d36692b0`
SHA3	`6d3465df2f4139a37b60ec785139a0d0d8e9e288ffb969f64c5dd4e7e206fddc`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1d24`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.89066`
Detected Filetype	PNG graphic file
MD5	`cdafb24b34386a806ce6dff29296458c`
SHA1	`21701730c6c5816c4c948cbc080d8cb004f029ab`
SHA256	`90f24a535543687e392488ec0eacc8f95c9a69cb96c7211ce14edc28ce475da4`
SHA3	`8f1fe520b763d2d411be7c33711d32cd1ee21b3e3cef1f63afa43faa6a44bd33`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.25156`
MD5	`04e07a382b10b272a3bd0ac51ae7d5bc`
SHA1	`ad681726f8b6adcef5884a5f085c6666a757d9e5`
SHA256	`26a7855def687296cecc3509562bf5716c960224ae82c73d5d85ede57267d721`
SHA3	`324b935d0c8e0a71ccffe170b9a45caecf7c71bceed48ba02d5fc0e165744952`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.86312`
MD5	`994d1554165ce01ff35ee8f345c66665`
SHA1	`19a54084a988fbb85e7021b18fa7ce75df265542`
SHA256	`ec2a67b801419c936319ee488030295708f5ad580792af26afdeb37305b9d2cf`
SHA3	`b427e49517228d8fcfb3f8d35c0f55c044c7896eaefe0905cc3e1fb43e74d410`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.42655`
MD5	`659422c6b53f694ec62635e06f3d18d6`
SHA1	`a8a8a1e1befb718729ddf9656628e97a32ea0d60`
SHA256	`b037adcc09574efd6ed6f698b46cd70bff868305ddab9ed79c875c7329dd49cf`
SHA3	`266037552ad2f11bdfdc49d8ef79c5db2e4167e40910ff70df74d9d1bcbd2492`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x120`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.56193`
MD5	`db6dd0434da4d7cac564518725167e09`
SHA1	`a65a1367d7cd96450f089a8f8108239bbcea9f5b`
SHA256	`c50631fc1f8425a95fd1edcc8e730d339e193a38f18d42372c32847a5ad2c016`
SHA3	`4e3be5455c51e1cb04836e318cb69ecdffd2deadd0f338d4bc985d8f5ca653ff`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x202`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.73893`
MD5	`386770584473e271f23dced36427f4ff`
SHA1	`d14ce95f784b35e4e3ebee535476ebcd3e380c19`
SHA256	`425b8270f7ca42a927eae6bea468acf414a3e4b58b5ba2c56aaae4d1b2c11014`
SHA3	`db13e5969376b27e8443eebff685230e2b74685aeb2fba73973f06e5cddc8662`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.91148`
MD5	`fa83652660409e90e0db9731ad2adb17`
SHA1	`0a8f0af67723c87fe26ccf676b8e19ec6357b4dc`
SHA256	`4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4`
SHA3	`5b3e1cb25be7a2dbae4f08f0d4794ed23dbd6ea37a3f9702be12dba588f42a7b`

107

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xa0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.52183`
MD5	`6ffba239dcfcab2080195f23947b70aa`
SHA1	`bcda1ca8ee9bb9878bde83aa06c670bb5a4d5843`
SHA256	`a7e5ea849cb343e9b58de221aeb25c9dd4a3748070bfba879a30c4265fc39023`
SHA3	`a75544b4c3fcbcb32fe4e02d1a631e045b2e58516aa1065bb96cce681aea7030`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xee`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.92767`
MD5	`1db3e4c32b9560257ddf3506fef9dd3f`
SHA1	`6666e0c8336456cfacec71d84415c6516e9e2673`
SHA256	`587a03198c39f990e77691056bb5705e21374281862ce06de94c68172f50f763`
SHA3	`30ca0affc3f1d2ef8b37f2103db7581caaf88548823fb3ae1d308fae9738dab4`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.79371`
Detected Filetype	Icon file
MD5	`af6acfd3d1b95a6f2dd8487582dca022`
SHA1	`c13737932430b61098abc19af832f25752f48f91`
SHA256	`f71321fdbfbe163dc85459be19d4089cb7e2247c8aecd6cd0d6f52d50ed731a6`
SHA3	`a89d7c8ecc8d83a5804c928e3a27caefd372b4c5a68f1e5314eaed63ab0a67f0`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28834`
MD5	`4458230b610e2c5d12e075ad98954d85`
SHA1	`2c8bd9c11ddc2a80a8bd224d405558c6698b084d`
SHA256	`c5b9db09bbe24bf015f7c0d3f2f4da2a1296ffd20456648b389d3e1713503a86`
SHA3	`27f026eab489ff9039ba259f4be3d7ef5d9675f3394d1e470f1ac0df489462f1`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd24e50e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`163`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!

Leave a comment

No comments yet.