Manalyze report for a1fb54a3aa6e79916b63a40d190d3f31

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2018-Mar-03 07:27:35
Detected languages	English - United States
Debug artifacts	l:\projects\clamwin\src\clamav-win32\msvc\release\win32\clamscan.pdb
FileDescription	ClamWin Antivirus
FileVersion	`0, 99, 4, 0`
InternalName	clamscan.exe
LegalCopyright	Copyright (C) 2005-2018 Cisco Systems, Inc. / ClamWin Pty Ltd
OriginalFilename	clamscan.exe
ProductName	ClamWin Antivirus
ProductVersion	`0, 99, 4, 0`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8` `MSVC++ v.8 (procedure 1 recognized - h)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: virus`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can create temporary files: CreateFileA GetTempPathA` `Manipulates other processes: OpenProcess ReadProcessMemory`
Suspicious	VirusTotal score: 1/71 (Scanned on 2019-10-18 16:19:17)	`Trapmine: malicious.moderate.ml.score`

Hashes

MD5	`a1fb54a3aa6e79916b63a40d190d3f31`
SHA1	`594c32f627e5d7992f66e3f7e72b244c9ba4ecf9`
SHA256	`fac2d6b4834a691260cebaae021ce13f21ef68b7fa5be846af3f2c206c051667`
SHA3	`2360500b0783e29e06be02de1c5fdfd7916dcb66a59d60edcf0c44a19c5c58ed`
SSDeep	`1536:m4X4LzDoC6USy/APm1ybDtJzauAMSU/Fl+l3WMsU5n66FO1jFjw+iykbLM8uQSwp:mH/Do9USy/ImkbDtJmuAVUb+l3l5nRF/`
Imports Hash	`3baa2dc84eb9fdb58de91fa07dd6fcca`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2018-Mar-03 07:27:35
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0x7000`
SizeOfInitializedData	`0x10000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000787A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x18000`
SizeOfHeaders	`0x1000`
Checksum	`0x25e09`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c07c51b3114f457dec6663f58d57f7b4`
SHA1	`6a4446466080dabe0e4fa7f256e981e2d49d0225`
SHA256	`10a8305f24274cad45708a6de8f3dbbc9d4f2526050a85f7755680ec69d8161a`
SHA3	`6b5ae98b208591121199e1baf38c147fde961a810c003160ea603df2f9537423`
VirtualSize	`0x6f58`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.2985`

.rdata

MD5	`702587b0421e7a4847116a111402a2b6`
SHA1	`c9d3d11e6b83095002f11555e4e2a42c8ca4dbf7`
SHA256	`6c1c28b8388a63798d552c7a2da1432cd68a343ce3b308533ec4e6377da22132`
SHA3	`91e276cfd3e4cf99b2251332bb18371b69f2fb4b905d24d73a1d653947be3458`
VirtualSize	`0x77e2`
VirtualAddress	`0x8000`
SizeOfRawData	`0x8000`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.8579`

.data

MD5	`5064e51de3d29df7efcd42170de852ca`
SHA1	`2effc83b5fbe4157bcc87506a32b62a7965b1a0e`
SHA256	`e683a23ef870b1a040568396f13d722fad73913560bdde2534e50b8239c9f7de`
SHA3	`60d97fda84ddcd7d9ff752b7af99c056b6563a9b514c6dbde53663d1401e5be9`
VirtualSize	`0xe5c`
VirtualAddress	`0x10000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.12183`

.rsrc

MD5	`f80e1fac8c8afdc1e49a9788579f8072`
SHA1	`6e92744e5ed1d16343389def5209381819f11f88`
SHA256	`e91048510eb25f0f982811e6ff180cc98efed5eed72d0bf9569ca82eab00a301`
SHA3	`e558e9e7b9cad8088236ff1ca5c3004c9c4c5cdbe51e82b537c985e3aac545b7`
VirtualSize	`0x6c94`
VirtualAddress	`0x11000`
SizeOfRawData	`0x7000`
PointerToRawData	`0x11000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.86833`

Imports

KERNEL32.dll	`SetUnhandledExceptionFilter` `Sleep` `InterlockedCompareExchange` `SetConsoleCtrlHandler` `SetConsoleCursorPosition` `FillConsoleOutputCharacterA` `GetStdHandle` `GetConsoleScreenBufferInfo` `GetFileType` `UnmapViewOfFile` `CreateThread` `FreeLibrary` `GetLastError` `GetProcAddress` `GetCurrentProcess` `LoadLibraryA` `CreateFileMappingA` `GetExitCodeThread` `WaitForSingleObject` `FlushViewOfFile` `GetModuleFileNameA` `GetCurrentThreadId` `CloseHandle` `CreateFileA` `GetCurrentProcessId` `GetFileInformationByHandle` `GetTempPathA` `MapViewOfFile` `SetErrorMode` `InterlockedExchange` `IsBadReadPtr` `FindFirstFileW` `IsBadWritePtr` `TerminateProcess` `DeleteFileA` `FindClose` `ExpandEnvironmentStringsA` `WriteFile` `OpenProcess` `WideCharToMultiByte` `ReadProcessMemory` `CopyFileA` `UnhandledExceptionFilter` `IsDebuggerPresent` `QueryPerformanceCounter` `GetTickCount` `GetSystemTimeAsFileTime`
libclamav.dll	`#104` `cw_rename` `#91` `#215` `#214` `cl_retflevel` `cl_cvdfree` `#129` `cl_retdbdir` `#131` `#177` `cl_cvdhead` `#130` `cw_movefile` `cw_revertfsredir` `#60` `#122` `#61` `cw_disablefsredir` `#53` `#107` `#54` `cl_scandesc_callback` `cw_normalizepath` `cl_engine_set_clcb_meta` `cl_engine_set_clcb_post_scan` `cw_strerror` `#138` `#126` `cl_engine_set_clcb_stats_get_hostid` `cl_init` `#71` `cl_load` `cl_engine_set_clcb_virus_found` `cl_engine_set_num` `cl_engine_set_clcb_progress` `#110` `#137` `cl_engine_stats_enable` `#112` `cl_strerror` `cl_engine_free` `#165` `cl_engine_new` `cw_unlink` `cl_scanfile_callback` `cl_engine_set_str` `#70` `#90` `cl_engine_set_clcb_sigload` `cw_perror` `cl_engine_compile` `#125` `cw_stat` `#72` `cl_engine_set_clcb_stats_submit` `cl_engine_set_clcb_pre_cache` `cl_debug` `#172` `cl_always_gen_section_hash` `cl_cleanup_crypto` `#170` `cl_retver` `#171` `cl_initialize_crypto` `cl_scandesc`
MSVCR80.dll	`_lseek` `_strdup` `_getcwd` `_access` `_close` `_umask` `_CIlog` `memset` `realloc` `_stricmp` `memcpy` `_controlfp_s` `_invoke_watson` `_except_handler4_common` `_decode_pointer` `_onexit` `_lock` `__dllonexit` `_unlock` `?terminate@@YAXXZ` `_crt_debugger_hook` `__set_app_type` `_encode_pointer` `__p__fmode` `__p__commode` `_adjust_fdiv` `__setusermatherr` `_configthreadlocale` `_initterm_e` `_initterm` `__initenv` `_XcptFilter` `_exit` `_cexit` `__getmainargs` `_amsg_exit` `strftime` `calloc` `_time64` `fflush` `_localtime64` `_ctime64` `fgets` `fread` `_open_osfhandle` `wcsrchr` `_wcsdup` `strncpy` `_setmode` `_fileno` `strncat` `abort` `strrchr` `fwrite` `free` `strncmp` `_errno` `fclose` `sprintf` `fprintf` `printf` `exit` `_ftime64` `_open` `malloc` `fopen` `__iob_func`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.35688`
MD5	`af894620285e7978a4b197866dd85cd6`
SHA1	`9c292927e64d53d1232fd1aa884145e1615f387f`
SHA256	`b2643dfd78a1fae84809aa1794baa0ab6e6c1023ae75b8b56ce564625440600b`
SHA3	`ba2d35caad1ee22ecf8c7ee88d8055490bcf6fa1c8a07327741ab26d4082b164`

2

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.67718`
MD5	`9058ef77f687b9656e135b52c0c15a84`
SHA1	`0d838cfcebadf07ba97bd4a93ae5daf62562e6bf`
SHA256	`dd2bbed0a7f8cc7591c4238879d3d84666c504a736ab7869faea7dbcf963d520`
SHA3	`d7848eb9dbc3e70efa77b5274ee71e915bd4cdb9245c4b44a47b49f8f993a174`

3

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.42674`
MD5	`f64674442aff7108a7d085a3aeacdc00`
SHA1	`a37edbbfe7b6bfd550a2b243a6d8a49a13b797db`
SHA256	`2b2778284b5ff61ea2051dea06f738c5fa74fb02182e4ea38eef08b8498a8917`
SHA3	`e4b449dfb5ae21416e17f9c2b56e30275f50378629cfd3624ed55de0c5843114`

4

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.45585`
MD5	`0a31946a537eefce914f1e6ffae837e4`
SHA1	`a21e550f315da81d4434d198275b66aa820330f7`
SHA256	`e817f6bdd1d34e768ff851fd7d02acbdd6e9bc66b2b02516de4cb6832a1b5b9d`
SHA3	`4c72b21e6e9bc9ead97edec6228d6e94a6c8515e5ed632c365007c30731e4c41`

5

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.10645`
MD5	`ca9953916b8f0c32f7d9bbd818cda43a`
SHA1	`9e55785d2650f09e45ac167beb9032b974c3ae5d`
SHA256	`381a49f826ef673360eed55832c78374bacacadb3fb15dc1aee1b4d4dcf777fd`
SHA3	`411b4f67e48b6c9f6fc6fd951c383953ec261330a096de4972dfde13d9b2f8d8`

6

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.44717`
MD5	`a4f23e215e22b1ee2737ec1eb4c077f7`
SHA1	`cca549d9606600b141e035fcc71e03a4c161b5fb`
SHA256	`d0ef2aa8f2daf25212276b365dfd90b3f0f3e71989c9cb501865363b48c74de3`
SHA3	`f15a74017a879b38c021e68973968a56e5a3f8acdecb30bd56ce934ee2a936e7`

7

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.65633`
MD5	`e49d449ddfa7d6bcee0a22e434e1a006`
SHA1	`386f8721cc3306105155b43d45450cdd108d2054`
SHA256	`79fe12351f25e672bf6626c07375e3e5fe88cd9370c24f02cf9b85640eff36dc`
SHA3	`90a92303f300b6088cd190f8b6af101128f3694f49114dd5e53b4badf0b89d37`

8

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.78185`
MD5	`3227d16ff577129c80b8deda3ac4bf15`
SHA1	`283db7a56fce51d2a4913c60c91355fa5b942e75`
SHA256	`73f3902a8cea48e9267f4a246ff87949bff69ab357199b174c2b03d731e90bbc`
SHA3	`fcc0bdc7d4e2db49ded9513ab19fd7fc4c113b833d358af660c10428207329e2`

9

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.87391`
MD5	`29684b213f50ed6ead0612a4caf0b606`
SHA1	`61ac1bddc3ee55455c40b8eb973e8055bb7fcac9`
SHA256	`39c42491226aab9ebe40e7815ed88e36fa1adec55138c4b29dc0d19957f10671`
SHA3	`1248c26daeded1b801ecb006d2ff5bfd981da80850edbc4056e8e5cc478e20fd`

100

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.91874`
Detected Filetype	Icon file
MD5	`19361f4bc063553ed93001187ff0d38f`
SHA1	`fb031954f420b4ac2fedf74cbbca09cd7f90c0a8`
SHA256	`405faedb755d5a18c5736ff0feb1a10fe46622b5f8ec43b7c3e47c8db7124332`
SHA3	`52f783860bbd84de4a69da443b43c153422d9b4d442ecbe61591fa098fa1e961`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x300`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.39826`
MD5	`96c75b00f5463091736e264fe6d8b91e`
SHA1	`9315f3cb7f3e425524d7db1a6480300b23ef6498`
SHA256	`af6c82bfef0c1e1a753771effd1bf17cd98639314f8e1f6a920c123f49f931d3`
SHA3	`6f47df4342c1cbf2c48e3922a6017716d28b1f5efc3830a2c79612d3fe5dd8b3`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x155`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.09264`
MD5	`5a000145fa5794ca1d45e479ab47b127`
SHA1	`a4a9c58152c765b3e31d4ab2f8d18ee5d926ed68`
SHA256	`051076e9d573943752a14858930365e0763f7f2920d824951787f199ddbc7859`
SHA3	`ac169575d584ac2f6061470b0926c8dd4c1184cc21509240e738016f0b5bb64f`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	0.99.4.0
ProductVersion	0.99.4.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	UNKNOWN
FileDescription	ClamWin Antivirus
FileVersion (#2)	0, 99, 4, 0
InternalName	clamscan.exe
LegalCopyright	Copyright (C) 2005-2018 Cisco Systems, Inc. / ClamWin Pty Ltd
OriginalFilename	clamscan.exe
ProductName	ClamWin Antivirus
ProductVersion (#2)	0, 99, 4, 0

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2018-Mar-03 07:27:35
Version	`0.0`
SizeofData	`93`
AddressOfRawData	`0xe9c8`
PointerToRawData	`0xe9c8`
Referenced File	l:\projects\clamwin\src\clamav-win32\msvc\release\win32\clamscan.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x410000`
SEHandlerTable	`0x40ea30`
SEHandlerCount	`1`

RICH Header

XOR Key	`0x376b278b`
Unmarked objects	`0`
126 (50327)	`7`
C++ objects (VS2012 build 50727 / VS2005 build 50727)	`2`
ASM objects (VS2012 build 50727 / VS2005 build 50727)	`4`
C objects (VS2012 build 50727 / VS2005 build 50727)	`22`
Imports (VS2012 build 50727 / VS2005 build 50727)	`4`
Total imports	`185`
Imports (VS2003 (.NET) build 4035)	`5`
113 (VS2012 build 50727 / VS2005 build 50727)	`10`
Resource objects (VS2012 build 50727 / VS2005 build 50727)	`1`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

a1fb54a3aa6e79916b63a40d190d3f31

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

2

3

4

5

6

7

8

9

100

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors