Manalyze report for af442fcdcf8d2967ec463d92a25f7ac8

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Aug-20 09:03:09
Detected languages	English - United States
Debug artifacts	c:\tone\ask\note\dependPress.pdb
CompanyName	Allwind Four Winds Interactive
FileDescription	Likefine
FileVersion	`15.2.31.75`
InternalName	Likefine
LegalCopyright	Copyright © 2008-2019 Experiencechance
LegalTrademarks	Likefine Allwind Four Winds Interactive
OriginalFilename	Likefine
ProductVersion	`15.2.31.75`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegOpenKeyExA RegCreateKeyA RegQueryValueExA RegCloseKey` `Can create temporary files: GetTempPathA CreateFileA` `Memory manipulation functions often used by packers: VirtualProtectEx VirtualAlloc`
Malicious	VirusTotal score: 43/60 (Scanned on 2019-09-02 18:17:50)	`MicroWorld-eScan: Trojan.Agent.ECJZ` `CMC: Trojan.Win32.Swizzor.3!O` `CAT-QuickHeal: Trojan.Gozi` `McAfee: GenericRXIK-LC!AF442FCDCF8D` `AegisLab: Trojan.Win32.Gozi.7!c` `K7AntiVirus: Trojan ( 0055664b1 )` `Alibaba: TrojanBanker:Win32/Gozi.8267f6c1` `K7GW: Trojan ( 0055664b1 )` `Invincea: heuristic` `Symantec: Trojan.Gen.MBT` `ESET-NOD32: a variant of Win32/Kryptik.GVSG` `APEX: Malicious` `Paloalto: generic.ml` `Kaspersky: Trojan-Banker.Win32.Gozi.eku` `BitDefender: Trojan.Agent.ECJZ` `Avast: Win32:Trojan-gen` `Rising: Trojan.Kryptik!8.8 (TFE:5:3Vv2qPqE3JH)` `Ad-Aware: Trojan.Agent.ECJZ` `Comodo: Malware@#18ysfpbdkolwl` `TrendMicro: TROJ_GEN.R002C0WHN19` `FireEye: Generic.mg.af442fcdcf8d2967` `Sophos: Mal/Generic-S` `SentinelOne: DFI - Malicious PE` `Jiangmin: Trojan.Banker.Gozi.up` `Webroot: W32.Trojan.Gen` `Avira: TR/Crypt.Agent.ppuea` `Microsoft: Trojan:Win32/Occamy.C` `Arcabit: Trojan.Agent.ECJZ` `ZoneAlarm: Trojan-Banker.Win32.Gozi.eku` `GData: Trojan.Agent.ECJZ` `AhnLab-V3: Trojan/Win32.Ursnif.C3445746` `Acronis: suspicious` `VBA32: TrojanBanker.Gozi` `ALYac: Trojan.Agent.ECJZ` `MAX: malware (ai score=83)` `TrendMicro-HouseCall: TROJ_GEN.R002C0WHN19` `Tencent: Win32.Trojan-banker.Gozi.Lork` `TACHYON: Banker/W32.Gozi.551936` `Fortinet: W32/Kryptik.DQJS!tr` `AVG: Win32:Trojan-gen` `Cybereason: malicious.dcf8d2` `Panda: Trj/GdSda.A` `Qihoo-360: Win32/Trojan.c8f`

Hashes

MD5	`af442fcdcf8d2967ec463d92a25f7ac8`
SHA1	`db910469f6cd5a6b1d08f681b1559005929ae30d`
SHA256	`4d929f61b964a7683ff3f2cea3a79f3f240c199a3593660620a331d8d8e80afc`
SHA3	`8e2372956d1f44fa696dca99448f7cb8ad4823a62d12486407bfa90df005672e`
SSDeep	`6144:fKKiLrE0iO3wJCZ31Jxni3mkJCkQeOo0D/5Dr:8/E0iO3w2JlcmkkpeOo0Dh3`
Imports Hash	`aa210b458ecc5661c3b758ec9425a7fd`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2010-Aug-20 09:03:09
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x26a00`
SizeOfInitializedData	`0x72e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001B99 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x28000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x9d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`3ff3042382fd15599287bd4027a0b1fe`
SHA1	`4c003d63a9e8cd9c2fcaeac6bb3cbb0ea3d79509`
SHA256	`7b8c640315113e120bb522d0846c7962856fce731a500db2c27267da050968ef`
SHA3	`0c0fc1a5719699235fe10fa3cf87a50fd01245f33a2fad6ebd60e3dd022b60f6`
VirtualSize	`0x26860`
VirtualAddress	`0x1000`
SizeOfRawData	`0x26a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.67762`

.rdata

MD5	`19665382b57db6f2adf1d186afb3a504`
SHA1	`88b19efe6826cc3c0eb63ce8010593fa348c35be`
SHA256	`af8e9e62e5ada04d083f3da5b474545ce85331605a7269c140f6377a0907e87a`
SHA3	`07e29fa6e4168b898116181c802e24df5dc71fc05593ff4a6dc3ff5159313892`
VirtualSize	`0x447a`
VirtualAddress	`0x28000`
SizeOfRawData	`0x4600`
PointerToRawData	`0x26e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.81069`

.data

MD5	`14aa452b6fda74a59a1080dd1233f385`
SHA1	`3490083a9639a54a44b45e4a2c2bd5e2792b8298`
SHA256	`52fbcfce6ee654c0ada8d52f887e5839d3732df3a9e32354bdb62288266d4d14`
SHA3	`6d7964f333187523448bfd81e1d39d6eb3b6c564fa839b7dacf308d0d2c6029b`
VirtualSize	`0x15848`
VirtualAddress	`0x2d000`
SizeOfRawData	`0x2a00`
PointerToRawData	`0x2b400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.70668`

.rsrc

MD5	`2ed8db42c2199ad9ea8cf49d6ec918f8`
SHA1	`63fd687e74573202fbdf7992e77c1a43937dc755`
SHA256	`1b4d686e1bdd68bffbf8055b1fd78f9137cb546ebba222dfdc5b6bff4f32d26d`
SHA3	`30efd1bfc956060ffbf510b9f7cc56f5cb4ed07676811f5e78e7860e79126d7b`
VirtualSize	`0x573d8`
VirtualAddress	`0x43000`
SizeOfRawData	`0x57400`
PointerToRawData	`0x2de00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.97602`

.reloc

MD5	`36ce508f6eaf87aea4a51dc3a3cf6882`
SHA1	`ab22fbb33a5917155e47f5e968a298fd12c28807`
SHA256	`2eb85fbe8b9b30398cb46f016fcadcd07287dd0f31ee4e3d18ca945def1be132`
SHA3	`5efc3afaebb4340e4f3d8a3150085ff75ce55f3c53ace7c89f28ae73899a1cc7`
VirtualSize	`0x18d6`
VirtualAddress	`0x9b000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x85200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.35516`

Imports

KERNEL32.dll	`GetTempPathA` `HeapSize` `WriteConsoleW` `GetConsoleOutputCP` `WriteConsoleA` `GetProcessHeap` `SetEndOfFile` `SetFilePointer` `GetCurrentProcessId` `GetFileTime` `FindFirstChangeNotificationA` `GetModuleFileNameA` `VirtualProtectEx` `LoadLibraryA` `Sleep` `WideCharToMultiByte` `MoveFileExA` `ExitProcess` `GetStartupInfoW` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `EnterCriticalSection` `LeaveCriticalSection` `SetHandleCount` `GetStdHandle` `GetFileType` `GetStartupInfoA` `DeleteCriticalSection` `RtlUnwind` `GetLastError` `HeapFree` `CloseHandle` `GetModuleHandleW` `GetProcAddress` `WriteFile` `GetModuleFileNameW` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCommandLineW` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `InterlockedDecrement` `HeapCreate` `VirtualFree` `QueryPerformanceCounter` `GetTickCount` `GetSystemTimeAsFileTime` `InitializeCriticalSectionAndSpinCount` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `MultiByteToWideChar` `ReadFile` `CreateFileA` `HeapAlloc` `VirtualAlloc` `HeapReAlloc` `SetStdHandle` `GetConsoleCP` `GetConsoleMode` `FlushFileBuffers` `LCMapStringA` `LCMapStringW` `GetStringTypeA` `GetStringTypeW` `GetLocaleInfoA`
GDI32.dll	`CreateCompatibleBitmap` `SetPixel` `StretchBlt` `GetTextExtentPoint32A` `PatBlt`
USER32.dll	`SetCursor` `GetClassNameA` `GetDlgItemInt` `InsertMenuItemA` `IsWindowEnabled` `DrawIcon` `SetDlgItemInt` `CheckMenuRadioItem` `ShowScrollBar` `DispatchMessageA` `LoadImageA`
COMCTL32.dll	`ImageList_GetIcon` `ImageList_Create` `ImageList_EndDrag` `ImageList_GetDragImage` `ImageList_GetImageCount`
ADVAPI32.dll	`RegOpenKeyExA` `RegCreateKeyA` `RegQueryValueExA` `RegCloseKey`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.92551`
MD5	`212e3fc597e8bb98ddb5460110390c91`
SHA1	`1190945b15ef80ba1a1c060ed3789cafed5d3770`
SHA256	`f1f6af7435975c59e3d054afb118bcdf18a39acc58199189a9aa8df9f2b650e2`
SHA3	`98bad0179a763a24c34daa2ff90f602efb29c36b9426fc12e360bbd37323e027`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.00409`
MD5	`b13d51138c236ae586e3773ed2892ed4`
SHA1	`316c4c44ca61f1d6611c2376ef4b7b9a3ebb5c65`
SHA256	`5f1531657c3f0719f322339c50f1b8f0d42f09911348401e5abeabad81d906fd`
SHA3	`a9eef6d0039169e18131f588854df1ed46a455b01d7935b18e8a539afaa9d2ba`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.93114`
MD5	`2db85ce167168ff179ffd278eefdda2b`
SHA1	`6e60a89396518587aef8710137c29c26a44b89cf`
SHA256	`ee34e21ed361e821c767fd518198bd60d03f06e8cb97cf26798f2b458ef77306`
SHA3	`755236c4df129213ddf14b1d067d539b9346a5286b810f32e05aaf4d08b488af`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.00577`
MD5	`0e2cb8db05820430922184622763a4e7`
SHA1	`73b49e424542a5a903af5cd88b3795819773843d`
SHA256	`c687961f0a35ab02190d1472dc88d4cd35f75ecfedd8c0144d2708a79c485389`
SHA3	`efefe4b523df305f28acb6dcf9b8590bffd0094ff1ec8ce01b836bfe9c9ecf9e`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.91678`
MD5	`4ecc2034205f9cf53fa5543916c119e6`
SHA1	`e655852e1b11507d9887d276d720ec65f6223ed6`
SHA256	`8a85c24dacfc310429aea0e7be6bf5aaf7b63a00bb444d000ab030cbb91e94ce`
SHA3	`9c6bfa9c57dbf0a2358e5d13352f19f5264342e8fb609385ea682b592088553a`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.01504`
MD5	`2f7910653cc96fce0c41cfbe54b6cae3`
SHA1	`f97f0986c33ff82ec374fbcf85a05ee7985d34d7`
SHA256	`038d97c572eb7aca6c6c85472000d834c0910ba127c4f8730b726e436f13c4a6`
SHA3	`571cae7254604e7cc480986284863e0eab9eba2eecac32e33bf9cb488ccdcc1a`

IDI_ICON1

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.79572`
Detected Filetype	Icon file
MD5	`8e7a5fe210ff59c9a8f2e9f21280341f`
SHA1	`c0aae6b28beb028df93e35add7de72653f0f26d2`
SHA256	`8681ff5a8c6b139001b5c666293c3fc6f5d83ae8eba816db17ae66e1e61434f6`
SHA3	`6866c8dadfff5877332d7cf0b85aa8e65c797221d642267788755411d9d656e8`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x348`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.43815`
MD5	`8760973709d44addf93bd85f8a9e69de`
SHA1	`3062827e073d0eba61af4592c6c90db1c10ec65b`
SHA256	`e75dbea24236a250d366d2cf86ccc52e262e28c68883a279dcb0b3f27708f267`
SHA3	`1fe7c167cebe87a97728b4f4d4ccc1961b56f09e045b02dccb51c8332d5f0418`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	15.2.31.75
ProductVersion	15.2.31.75
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Allwind Four Winds Interactive
FileDescription	Likefine
FileVersion (#2)	15.2.31.75
InternalName	Likefine
LegalCopyright	Copyright © 2008-2019 Experiencechance
LegalTrademarks	Likefine Allwind Four Winds Interactive
OriginalFilename	Likefine
ProductVersion (#2)	15.2.31.75

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2010-Aug-20 09:03:09
Version	`0.0`
SizeofData	`57`
AddressOfRawData	`0x2b610`
PointerToRawData	`0x2a410`
Referenced File	c:\tone\ask\note\dependPress.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x42d004`
SEHandlerTable	`0x42b650`
SEHandlerCount	`3`

RICH Header

XOR Key	`0xe5e35588`
Unmarked objects	`0`
C++ objects (VS2008 build 21022)	`34`
ASM objects (VS2008 build 21022)	`16`
C objects (VS2008 build 21022)	`109`
Imports (VS2008 SP1 build 30729)	`11`
Total imports	`116`
138 (VS2008 SP1 build 30729)	`1`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

af442fcdcf8d2967ec463d92a25f7ac8

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

IDI_ICON1

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors