Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2017-May-23 11:58:52
Detected languages | English - United States
Process Default Language |
Debug artifacts | D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb

Level | Finding | Details
---|---|---
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0
Info | Cryptographic algorithms detected in the binary: | Uses constants related to SHA1
Info | The PE contains common functions which appear in legitimate applications. | [!] The program may be hiding some of its imports:
Malicious | The file contains overlay data. | 5140 bytes of data starting at offset 0x8d000. The file contains a Zip Compressed Archive after the PE data.
Malicious | VirusTotal score: 50/71 (Scanned on 2019-12-30 02:38:49) | Engine detections listed below

- Bkav: W32.AdCoinMiner.Trojan
- MicroWorld-eScan: Trojan.Generic.22597142
- FireEye: Generic.mg.a09f22bd3627bae5
- McAfee: RDN/Generic Downloader.x
- Cylance: Unsafe
- Sangfor: Malware
- K7AntiVirus: Trojan-Downloader ( 00543bab1 )
- Alibaba: TrojanDownloader:VBS/CoinMiner.ee0865b2
- K7GW: Trojan-Downloader ( 00543bab1 )
- Cybereason: malicious.d3627b
- Invincea: heuristic
- Symantec: Trojan.Gen.2
- TrendMicro-HouseCall: TROJ_DLOADR.AUSUHZ
- Paloalto: generic.ml
- ClamAV: Win.Malware.Snojan-6596600-0
- Kaspersky: HEUR:Trojan.Script.Agent.gen
- BitDefender: Trojan.Generic.22597142
- NANO-Antivirus: Trojan.Win32.Mlw.euvekb
- Avast: Win32:Malware-gen
- Ad-Aware: Trojan.Generic.22597142
- Sophos: Mal/Generic-S
- F-Secure: Heuristic.HEUR/AGEN.1011440
- VIPRE: Trojan.Win32.Generic!BT
- TrendMicro: TROJ_DLOADR.AUSUHZ
- McAfee-GW-Edition: BehavesLike.Win32.Backdoor.hm
- Trapmine: malicious.high.ml.score
- Emsisoft: Trojan.Generic.22597142 (B)
- Ikarus: Trojan-Downloader.VBS.Small
- Webroot: W32.Trojan.Genkd
- Avira: HEUR/AGEN.1011440
- Microsoft: Trojan:Win32/Tiggre!rfn
- Endgame: malicious (high confidence)
- Arcabit: Trojan.Generic.D158CE16
- AegisLab: Trojan.Script.Agent.4!c
- ZoneAlarm: HEUR:Trojan.Script.Agent.gen
- GData: Trojan.Generic.22597142
- AhnLab-V3: Malware/Win32.Generic.C2357178
- Acronis: suspicious
- ALYac: Trojan.Script.Agent
- VBA32: Trojan.Script
- APEX: Malicious
- ESET-NOD32: VBS/TrojanDownloader.Small.NGK
- Rising: Trojan.Sminager!8.EB3C (TOPIS:E0:zQJ6nxfdgJI)
- Yandex: Trojan.DL.Alien!
- SentinelOne: DFI - Suspicious PE
- Fortinet: VBS/Small.NGK!tr.dldr
- AVG: Win32:Malware-gen
- Panda: Trj/CI.A
- CrowdStrike: win/malicious_confidence_100% (W)
- Qihoo-360: Win32/Trojan.Script.af7
DOS header field | Value
---|---
e_magic | MZ
e_cblp | 0x90
e_cp | 0x3
e_crlc | 0
e_cparhdr | 0x4
e_minalloc | 0
e_maxalloc | 0xffff
e_ss | 0
e_sp | 0xb8
e_csum | 0
e_ip | 0
e_cs | 0
e_ovno | 0
e_oemid | 0
e_oeminfo | 0
e_lfanew | 0x108
File header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberOfSections | 6
TimeDateStamp | 2017-May-23 11:58:52
PointerToSymbolTable | 0
NumberOfSymbols | 0
SizeOfOptionalHeader | 0xe0
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE
Optional header field | Value
---|---
Magic | PE32
LinkerVersion | 14.0
SizeOfCode | 0x22e00
SizeOfInitializedData | 0x69e00
SizeOfUninitializedData | 0
AddressOfEntryPoint | 0x00011CA9 (Section: .text)
BaseOfCode | 0x1000
BaseOfData | 0x24000
ImageBase | 0x400000
SectionAlignment | 0x1000
FileAlignment | 0x200
OperatingSystemVersion | 5.1
ImageVersion | 0.0
SubsystemVersion | 5.1
Win32VersionValue | 0
SizeOfImage | 0xc0000
SizeOfHeaders | 0x400
Checksum | 0
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeOfStackReserve | 0x100000
SizeOfStackCommit | 0x1000
SizeOfHeapReserve | 0x100000
SizeOfHeapCommit | 0x1000
LoaderFlags | 0
NumberOfRvaAndSizes | 16
Imported library | Functions
---|---
KERNEL32.dll | GetLastError, SetLastError, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, SetCurrentDirectoryW, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer
USER32.dll (delay-loaded) | GetDC, ReleaseDC, MessageBoxW, FindWindowExW, GetClassNameW, wvsprintfW, PostMessageW, WaitForInputIdle, IsWindowVisible, DialogBoxParamW, SendMessageW, SetDlgItemTextW, GetDlgItemTextW, SendDlgItemMessageW, SetFocus, SetForegroundWindow, GetSysColor, LoadBitmapW, LoadIconW, DestroyIcon, IsDialogMessageW, LoadCursorW, CopyRect, MapWindowPoints, UpdateWindow, DestroyWindow, IsWindow, CreateWindowExW, RegisterClassExW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, GetMessageW, CharUpperW, OemToCharBuffA, LoadStringW, GetWindow, SetProcessDefaultLayout, SetWindowLongW, GetWindowLongW, GetWindowRect, GetClientRect, GetWindowTextW, GetSystemMetrics, SetWindowPos, GetParent, SetWindowTextW, EnableWindow, GetDlgItem, EndDialog, ShowWindow
Delay-load import descriptor field | Value
---|---
Attributes | 0x1
Name | USER32.dll
ModuleHandle | 0x5ce2c
DelayImportAddressTable | 0x2d934
DelayImportNameTable | 0x2bbc0
BoundDelayImportTable | 0x2c20c
UnloadDelayImportTable | 0
TimeStamp | 1970-Jan-01 00:00:00
String resource |
---|
Select destination folder |
Extracting %s |
Skipping %s |
Unexpected end of archive |
The file "%s" header is corrupt |
Corrupt header is found |
Main archive header is corrupt |
The archive comment header is corrupt |
The archive comment is corrupt |
Not enough memory |
Unknown method in %s |
Cannot open %s |
Cannot create %s |
Cannot create folder %s |
Checksum error in the encrypted file %s. Corrupt file or wrong password. |
Checksum error in %s |
Packed data checksum error in %s |
Write error in the file %s. Probably the disk is full |
Read error in the file %s |
File close error |
The required volume is absent |
The archive is either in unknown format or damaged |
Extracting from %s |
Next volume |
The archive header is corrupt |
Close |
Error |
Errors encountered while performing the operation |
Look at the information window for more details |
bytes |
modified on |
folder is not accessible |
Some files could not be created. |
Please close all applications, reboot Windows and restart this installation |
Some installation files are corrupt. |
Please download a fresh copy and retry the installation |
All files |
`<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>` |
`<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>` |
`<li>Use <b>Browse</b> button to select the destination` |
`folder from the folders tree. It can be also entered` |
`manually.</li><br><br>` |
`<li>If the destination folder does not exist, it will be` |
`created automatically before extraction.</li></ul>` |
The archive is corrupt |
Extracting files to %s folder |
Extracting files to temporary folder |
Extract |
Extraction progress |
Total path and file name length must not exceed %d characters |
Unknown encryption method in %s |
The specified password is incorrect. |
Cannot copy %s to %s. |
Cannot create symbolic link %s |
Cannot create hard link %s |
You may need to run this self-extracting archive as administrator |
Pause |
Continue |
Security warning |
Please remove %s from folder %s. It is unsecure to run %s until it is done. |
Debug directory entry: Characteristics | TimeDateStamp | Version | SizeOfData | AddressOfRawData | PointerToRawData | Referenced File
---|---|---|---|---|---|---
0 | 2017-May-23 11:58:52 | 0.0 | 81 | 0x2add8 | 0x29fd8 | D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
0 | 2017-May-23 11:58:52 | 0.0 | 20 | 0x2ae2c | 0x2a02c |
0 | 2017-May-23 11:58:52 | 0.0 | 944 | 0x2ae40 | 0x2a040 |
Load configuration field | Value
---|---
Size | 0x5c
TimeDateStamp | 1970-Jan-01 00:00:00
Version | 0.0
GlobalFlagsClear | (EMPTY)
GlobalFlagsSet | (EMPTY)
CriticalSectionDefaultTimeout | 0
DeCommitFreeBlockThreshold | 0
DeCommitTotalFreeThreshold | 0
LockPrefixTable | 0
MaximumAllocationSize | 0
VirtualMemoryThreshold | 0
ProcessAffinityMask | 0
ProcessHeapFlags | (EMPTY)
CSDVersion | 0
Reserved1 | 0
EditList | 0
SecurityCookie | 0x42d0a8
SEHandlerTable | 0x42ad90
SEHandlerCount | 18
Rich header entry | Value
---|---
XOR Key | 0x91da655b
Unmarked objects | 0
241 (40116) | 13
243 (40116) | 138
242 (40116) | 24
ASM objects (VS2015 UPD3 build 24123) | 23
C objects (VS2015 UPD3 build 24123) | 19
C++ objects (VS2015 UPD3 build 24123) | 41
C objects (VS2008 SP1 build 30729) | 10
Imports (VS2008 SP1 build 30729) | 3
Total imports | 230
C++ objects (VS2015 UPD3.1 build 24215) | 37
Exports (VS2015 UPD3.1 build 24215) | 1
Resource objects (VS2015 UPD3 build 24210) | 1
Linker (VS2015 UPD3.1 build 24215) | 1