| Architecture | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2014-May-06 12:07:12 |
| Detected languages | English - United States; Process Default Language |
| Debug artifacts | d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb |
| Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 |
| Info | Cryptographic algorithms detected in the binary: Uses constants related to SHA1; Uses constants related to SHA256 |
| Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
| Malicious | The file contains overlay data. 203119 bytes of data starting at offset 0x33400. The file contains a WinRAR compressed archive file after the PE data. |
| Malicious | VirusTotal score: 11/52 (Scanned on 2016-08-09 12:48:56). K7GW: EmailWorm ( 004df05b1 ); K7AntiVirus: EmailWorm ( 004df05b1 ); Baidu: Win32.Trojan.WisdomEyes.151026.9950.9999; Symantec: Infostealer.Limitail; ESET-NOD32: a variant of MSIL/Injector.PWE; TrendMicro-HouseCall: TROJ_MOSERAN.BME; Sophos: Mal/RarMal-K; McAfee-GW-Edition: BehavesLike.Win32.Backdoor.gc; Avira: TR/Dropper.Gen; McAfee: Artemis!9A6B5F6C9C69; Qihoo-360: HEUR/QVM41.1.0000.Malware.Gen |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe8 |
| Signature | PE |
|---|---|
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 4 |
| TimeDateStamp | 2014-May-06 12:07:12 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE; IMAGE_FILE_EXECUTABLE_IMAGE; IMAGE_FILE_RELOCS_STRIPPED |
| Magic | PE32 |
|---|---|
| LinkerVersion | 9.0 |
| SizeOfCode | 0x28600 |
| SizeOfInitializedData | 0xaa00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0001D41B (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x2a000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x56000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_NX_COMPAT; IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| COMCTL32.dll | InitCommonControlsEx |
|---|---|
| SHLWAPI.dll | SHAutoComplete |
| KERNEL32.dll | ReadFile FlushFileBuffers GetFileAttributesW SetFileAttributesW FindClose FindNextFileW FindFirstFileW GetCurrentDirectoryW GetFullPathNameW GetModuleFileNameW FindResourceW GetModuleHandleW FreeLibrary GetProcAddress LoadLibraryW GetCurrentProcessId GetLocaleInfoW GetNumberFormatW ExpandEnvironmentStringsW WaitForSingleObject GetDateFormatW GetTimeFormatW FileTimeToSystemTime FileTimeToLocalFileTime GetExitCodeProcess GetTempPathW MoveFileExW Sleep UnmapViewOfFile MapViewOfFile GetCommandLineW CreateFileMappingW GetTickCount SetEnvironmentVariableW OpenFileMappingW InitializeCriticalSection DeleteCriticalSection EnterCriticalSection LeaveCriticalSection CreateThread GetProcessAffinityMask CreateEventW CreateSemaphoreW ReleaseSemaphore ResetEvent SetEvent SetThreadPriority SystemTimeToFileTime GetSystemTime SystemTimeToTzSpecificLocalTime TzSpecificLocalTimeToSystemTime WideCharToMultiByte SetFileTime GetFileType IsDBCSLeadByte GetCPInfo GlobalAlloc SetCurrentDirectoryW WriteConsoleW GetConsoleOutputCP WriteConsoleA SetStdHandle GetLocaleInfoA GetStringTypeW GetStringTypeA LoadLibraryA GetConsoleMode GetConsoleCP InitializeCriticalSectionAndSpinCount QueryPerformanceCounter SetHandleCount GetEnvironmentStringsW FreeEnvironmentStringsW GetEnvironmentStrings FreeEnvironmentStringsA GetModuleHandleA LCMapStringW LCMapStringA IsValidCodePage GetOEMCP GetACP GetModuleFileNameA ExitProcess HeapSize IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter TerminateProcess VirtualAlloc VirtualFree HeapCreate InterlockedDecrement GetCurrentThreadId InterlockedIncrement TlsFree TlsSetValue TlsAlloc TlsGetValue GetStartupInfoA SetEndOfFile SetFilePointer WriteFile GetStdHandle GetLongPathNameW GetShortPathNameW CompareStringW MoveFileW CreateFileW CreateDirectoryW DeviceIoControl RemoveDirectoryW DeleteFileW CreateHardLinkW GetCurrentProcess CloseHandle SetLastError GetLastError CreateFileA MultiByteToWideChar GetCommandLineA RaiseException GetSystemTimeAsFileTime HeapAlloc HeapReAlloc HeapFree RtlUnwind |
| USER32.dll | EnableWindow GetDlgItem ShowWindow SetWindowLongW FindWindowExW GetParent MapWindowPoints CreateWindowExW UpdateWindow LoadCursorW RegisterClassExW DefWindowProcW DestroyWindow CopyRect IsWindow OemToCharBuffA LoadIconW LoadBitmapW PostMessageW SetForegroundWindow MessageBoxW WaitForInputIdle IsWindowVisible DialogBoxParamW DestroyIcon SetFocus GetClassNameW SendDlgItemMessageW EndDialog GetDlgItemTextW SetDlgItemTextW wvsprintfW SendMessageW GetDC ReleaseDC PeekMessageW GetMessageW TranslateMessage DispatchMessageW LoadStringW GetWindowRect GetClientRect SetWindowPos GetWindowTextW SetWindowTextW GetSystemMetrics GetWindow GetWindowLongW GetSysColor |
| GDI32.dll | GetObjectW DeleteObject GetDeviceCaps CreateDIBSection |
| COMDLG32.dll | GetSaveFileNameW CommDlgExtendedError GetOpenFileNameW |
| ADVAPI32.dll | RegOpenKeyExW RegQueryValueExW RegCreateKeyExW RegSetValueExW RegCloseKey SetFileSecurityW OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges |
| SHELL32.dll | SHGetMalloc SHGetSpecialFolderLocation SHGetFileInfoW ShellExecuteExW SHChangeNotify SHFileOperationW SHBrowseForFolderW SHGetPathFromIDListW |
| ole32.dll | CLSIDFromString CoCreateInstance OleInitialize OleUninitialize CreateStreamOnHGlobal |
| OLEAUT32.dll | #8 |
| Select destination folder |
| Extracting %s |
| Skipping %s |
| Unexpected end of archive |
| The file "%s" header is corrupt |
| Corrupt header is found |
| Main archive header is corrupt |
| The archive comment header is corrupt |
| The archive comment is corrupt |
| Not enough memory |
| Unknown method in %s |
| Cannot open %s |
| Cannot create %s |
| Cannot create folder %s |
| Checksum error in the encrypted file %s. Corrupt file or wrong password. |
| Checksum error in %s |
| Packed data checksum error in %s |
| Write error in the file %s. Probably the disk is full |
| Read error in the file %s |
| File close error |
| The required volume is absent |
| The archive is either in unknown format or damaged |
| Extracting from %s |
| Next volume |
| The archive header is corrupt |
| Close |
| Error |
| Errors encountered while performing the operation |
| Look at the information window for more details |
| bytes |
| modified on |
| folder is not accessible |
| Some files could not be created. |
| Please close all applications, reboot Windows and restart this installation |
| Some installation files are corrupt. |
| Please download a fresh copy and retry the installation |
| All files |
| <ul><li>Press <b>Install</b> button to start extraction.</li><br><br> |
| <ul><li>Press <b>Extract</b> button to start extraction.</li><br><br> |
| <li>Use <b>Browse</b> button to select the destination |
| folder from the folders tree. It can be also entered |
| manually.</li><br><br> |
| <li>If the destination folder does not exist, it will be |
| created automatically before extraction.</li></ul> |
| The archive is corrupt |
| Extracting files to %s folder |
| Extracting files to temporary folder |
| Extract |
| Extraction progress |
| Total path and file name length must not exceed %d characters |
| Unknown encryption method in %s |
| The specified password is incorrect. |
| Cannot copy %s to %s. |
| Cannot create symbolic link %s |
| Cannot create hard link %s |
| You may need to run this self-extracting archive as administrator |
| Characteristics | 0 |
|---|---|
| TimeDateStamp | 2014-May-06 12:07:12 |
| Version | 0.0 |
| SizeofData | 81 |
| AddressOfRawData | 0x2cc28 |
| PointerToRawData | 0x2b628 |
| Referenced File | d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb |
| Size | 0x48 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x42f298 |
| SEHandlerTable | 0x42cdb0 |
| SEHandlerCount | 38 |
| XOR Key | 0x16614bc7 |
|---|---|
| Unmarked objects | 0 |
| ASM objects (VS2008 SP1 build 30729) | 27 |
| C objects (VS2008 SP1 build 30729) | 143 |
| Imports (VS2008 SP1 build 30729) | 21 |
| Total imports | 232 |
| C++ objects (VS2008 SP1 build 30729) | 104 |
| Exports (VS2008 SP1 build 30729) | 1 |
| Linker (VS2008 SP1 build 30729) | 1 |
| Resource objects (VS2008 SP1 build 30729) | 1 |