Manalyze report for a65618f8715e88ed2715fb9143eb5bd2

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2015-Dec-27 05:38:55
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExA` `Can access the registry: RegDeleteValueA RegOpenKeyExA RegDeleteKeyA RegEnumValueA RegCloseKey RegCreateKeyExA RegSetValueExA RegQueryValueExA RegEnumKeyA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Changes object ACLs: SetFileSecurityA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`391950 bytes of data starting at offset 0xd200.` `The overlay data has an entropy of 7.99536 and is possibly compressed or encrypted.` `Overlay data amounts for 87.9383% of the executable.`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`a65618f8715e88ed2715fb9143eb5bd2`
SHA1	`5daac34bf732cdf88faebfa3db3208d0d666a784`
SHA256	`d4825b0ada4661e855c75b1c3203596fac2976c7cff803219cf37a411ffa61ff`
SHA3	`dd3081c5c6aea9691b6dd8ef09e2221d140910f620c129c0f8d37fc80d34f5e2`
SSDeep	`6144:mnx1HouiesEqrT9zij5CY7p2iKNLCGYjhvjpGxWZI2l3/xQhs2VagUdgV:8otE49ud21NLnIaWZSdLV`
Imports Hash	`1d2227e8043278a982bc5e8030dda2be`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2015-Dec-27 05:38:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6000`
SizeOfInitializedData	`0x28400`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x0000310D (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x3d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1a13b408c917b27c9106545148d3b8d3`
SHA1	`d494d42bc062a34311fd4e6f9441ae7bf7502670`
SHA256	`7206b7b4ab5aa313ef32e399ea7ed0c3f3dc8c55aa866b0d95471be4823f7e8b`
SHA3	`68596317fab1feb228cc4946a06712c16d94df2487d493882005413b0631c8ec`
VirtualSize	`0x5e3c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.4323`

.rdata

MD5	`921acf8cb0aea87c0603fa899765fcc2`
SHA1	`0a66f5418e1c6e20f4feb1ec5897aa6b9c9333e5`
SHA256	`157708d4af219948b94d3413ba17b236098ee3607c8fc67ac218e089fd125b93`
SHA3	`7586bef4a9d961b9c7f0eed803ab2a4a4d750af4402bccbb789eb51739283a30`
VirtualSize	`0x126a`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.00589`

.data

MD5	`797517c6ef57aa95d53df2cf07568953`
SHA1	`71208b818075cd0b8f4254c32f34807b75678ed2`
SHA256	`398b6347bfdceef6e85d5e833fd273c31c7fe638773a913991371e22456ab9a9`
SHA3	`f324164251e427d9c53850217e68fb992f90f5cfb02f2bebd9e24986a23c18f3`
VirtualSize	`0x25d38`
VirtualAddress	`0x9000`
SizeOfRawData	`0x600`
PointerToRawData	`0x7800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.29176`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x2f000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`a4fe9fe6ff855b63ae0c78eb103a03f8`
SHA1	`2639e49cbb2ce51382e7f3537364ad28b18c2e56`
SHA256	`6431db75e7f7822b5251462d660d1109accccf7846b2be49f55047b3065a7194`
SHA3	`b2e38928cd54b53aff9827b52429e8785d82f777b19446f40a4f56f220296d54`
VirtualSize	`0x52e0`
VirtualAddress	`0x37000`
SizeOfRawData	`0x5400`
PointerToRawData	`0x7e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.82661`

Imports

KERNEL32.dll	`SetFileAttributesA` `GetShortPathNameA` `GetFullPathNameA` `MoveFileA` `SetCurrentDirectoryA` `GetFileAttributesA` `GetLastError` `CompareFileTime` `SearchPathA` `Sleep` `GetTickCount` `GetFileSize` `GetModuleFileNameA` `GetCurrentProcess` `CopyFileA` `ExitProcess` `CreateDirectoryA` `lstrcmpiA` `GetCommandLineA` `GetVersion` `SetErrorMode` `lstrcpynA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `CreateProcessA` `RemoveDirectoryA` `CreateFileA` `GetTempFileNameA` `lstrlenA` `lstrcatA` `GetSystemDirectoryA` `LoadLibraryA` `SetFileTime` `CloseHandle` `GlobalFree` `lstrcmpA` `ExpandEnvironmentStringsA` `GetExitCodeProcess` `GlobalAlloc` `WaitForSingleObject` `GetWindowsDirectoryA` `GetTempPathA` `GetProcAddress` `FindFirstFileA` `FindNextFileA` `DeleteFileA` `SetFilePointer` `ReadFile` `FindClose` `GetPrivateProfileStringA` `WritePrivateProfileStringA` `WriteFile` `MulDiv` `LoadLibraryExA` `GetModuleHandleA` `MultiByteToWideChar` `FreeLibrary`
USER32.dll	`GetWindowRect` `EnableMenuItem` `GetSystemMenu` `ScreenToClient` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetForegroundWindow` `PostQuitMessage` `RegisterClassA` `EndDialog` `AppendMenuA` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndPaint` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `ExitWindowsEx` `DestroyWindow` `OpenClipboard` `TrackPopupMenu` `SendMessageTimeoutA` `GetDC` `LoadImageA` `GetDlgItem` `FindWindowExA` `IsWindow` `SetClipboardData` `SetWindowLongA` `EmptyClipboard` `SetTimer` `CreateDialogParamA` `wsprintfA` `ShowWindow` `SetWindowTextA`
GDI32.dll	`SelectObject` `SetBkMode` `CreateFontIndirectA` `SetTextColor` `DeleteObject` `GetDeviceCaps` `CreateBrushIndirect` `SetBkColor`
SHELL32.dll	`SHGetSpecialFolderLocation` `SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA`
ADVAPI32.dll	`RegDeleteValueA` `SetFileSecurityA` `RegOpenKeyExA` `RegDeleteKeyA` `RegEnumValueA` `RegCloseKey` `RegCreateKeyExA` `RegSetValueExA` `RegQueryValueExA` `RegEnumKeyA`
COMCTL32.dll	`ImageList_Create` `ImageList_Destroy` `#17` `ImageList_AddMasked`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

110

Type	`RT_BITMAP`
Language	English - United States
Codepage	UNKNOWN
Size	`0x368`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.22336`
MD5	`3811c1e0a9153b958f1da69a3f801f3c`
SHA1	`4044512d457358973fc8f9180edca0486227e1fe`
SHA256	`a875f9b3c1f31835b3f70c23a8a1daa06404b82d61887d035731eb13f649c0db`
SHA3	`a1ff563ee071b39f785871bba806b49079d9b91b72bc90853b26e663f150d722`
Preview

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.60804`
MD5	`2023440d384d2e9b97e7bc9d0eba7e1d`
SHA1	`046d83a28ea54b66a92e240b4d0df2a312f86fcf`
SHA256	`02347a51ee36d0e777cd09f8c392fa0e130aa7bf37559e6a76e793478a555038`
SHA3	`692526efe6c802a38da8e50104dfeb216dd442c71d060c45c55678878ed0f0cc`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.94301`
MD5	`db47f4281a21cb8f12eee3f5879a0ea3`
SHA1	`b9e9d67b20020665283ebcae8c60c6d32dfe78fd`
SHA256	`35394be3d4dac8259440def38256453793418f0d50af23322917fb469ccc9cef`
SHA3	`f38d00c9c75500aca2eaa8faf41aacf16e7a5358236c23885c2227ee5e8c7242`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.04165`
MD5	`3f5dca9d8e69e105fc278ac672cac4d8`
SHA1	`c7735cbf924238e4a16c448e7abc7cb9ffb9ee56`
SHA256	`849b85eb3c4b5a77f4cf8d5559bfe4a4dccc99040dc01cc55053bb0e19ad1e02`
SHA3	`07f52df5aefa8d4eb7093c0d35cc4e19b91147b580c20b8a9f616b3f34410a21`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.50217`
MD5	`771834ba30f2b11ef76e31c0ae9e54de`
SHA1	`91bb0f62229c570db5de5c50d5bb566218a18ba7`
SHA256	`9f8a8c0de6b5e6c8f654be71898c853c0c031175f26f655bc06d47f69a87e79d`
SHA3	`7ab7a98907fcb5f14b9315d591e55d5a2df72c0cf21a667f724831d5172b0791`

102

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x94`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.74989`
MD5	`acc366a6605c1c751b916d2b2b867bfa`
SHA1	`8b3bbdd80a49f9f959695c3f7ee729127c66cd39`
SHA256	`8d27ebc708e351813e62dfd63aa3169251a403677ccd3a8d3c0ad2d3452965f5`
SHA3	`378a49b1678572c58a0903f7afa69a4a9893e2ce2c19c1a0d1ac2b59b2128287`

103

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x120`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.61463`
MD5	`56789488dae0586e6403360564aaaa5e`
SHA1	`08cd1f15e40c7593ae0cff4216e216ca6fe20264`
SHA256	`1e188e0bc15242a09a4b52b264bf62fa9683fd5f43c2759183c399ae58cbb60d`
SHA3	`f5617293d5abd6ca1c6b11835fe0922c897fd37b32ad465beb8d050d0ccbb5b8`

104

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x118`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.70756`
MD5	`aeccab6ff9cf6056f570f2a909d99ff7`
SHA1	`93fef5731398938665cbac048a47495576f14ed6`
SHA256	`806ed3eabed50b717ef299e8b74274a821e1bda85872e6ff0051e1289716f1da`
SHA3	`1fe80961cd78ea15b4649c993e95e4cea251778bd67463cd4200df0bc4b37380`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.87228`
MD5	`342ad3fc8890c3e322fa5c9cea16b6fc`
SHA1	`b9f3b3e8f818601b3887ce5d611d511f4663613a`
SHA256	`a8d9dbff8670eb6b79b028eb3242433e9e9da289d816f86e7d2d5b661e74cc5e`
SHA3	`c783f4139d925ff3c102b8a8292dcd6af12cc809d76b1d7f3f1e354c39901220`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.62308`
Detected Filetype	Icon file
MD5	`5c84b5099ac46312565be1aa2e21eff0`
SHA1	`25f00759b0e6641f9b423e6a52556c2e4e2796c3`
SHA256	`816cc8c77a0adb35a7432b2bac047e9834bfd21b0ef96c612e5f8bc4f0986620`
SHA3	`17e6deff600599725f4cf3c95b7472cf6ca993cdc40907ae04b6209f5619547f`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2d7`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.19265`
MD5	`53092a1009eb47fa82c363771f16a5a1`
SHA1	`f71c2d5aefb0dd4275850b1eb1a2869aec43468d`
SHA256	`bbed26dc3b9eca44c2dccffc1c644a5fc9cd50e828ccc2db366cb389beb35b50`
SHA3	`d36a4a213fe3368b672a37891b82bde7861a4795c85d75a887c142e3e40303d7`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd24652e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`153`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!