Manalyze report for b37c708b21a3f330b74fe94ad098182c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Jun-11 14:28:26
Detected languages	English - United States
CompanyName	MSFree Inc., Ratiborus

Plugin Output

Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Has Internet access capabilities: URLDownloadToFileW InternetOpenW` `Can take screenshots: BitBlt GetDC`
Info	The PE is digitally signed.	`Signer: WZTeam` `Issuer: WZTeam`
Malicious	VirusTotal score: 28/68 (Scanned on 2018-12-10 06:51:09)	`CAT-QuickHeal: Trojan.AutoKMS` `McAfee: Crack-KMS` `Cylance: Unsafe` `K7GW: Unwanted-Program ( 0051c2031 )` `K7AntiVirus: Unwanted-Program ( 0051c2031 )` `TrendMicro: TROJ_GEN.R011C0OFG18` `Cyren: W64/Trojan.LQUP-6751` `Symantec: Trojan.Smoaler` `ESET-NOD32: a variant of Win64/HackTool.WinActivator.B potentially unsafe` `TrendMicro-HouseCall: TROJ_GEN.R011C0OFG18` `Paloalto: generic.ml` `Comodo: Malware@#3c177631opm3m` `Invincea: heuristic` `McAfee-GW-Edition: Crack-KMS` `Ikarus: PUA.HackTool.Winactivator` `Webroot: W32.Hacktool.Kms` `Endgame: malicious (moderate confidence)` `Microsoft: PUA:Win32/AutoKMS` `GData: Win64.Trojan.Agent.UNIHK5` `AhnLab-V3: Unwanted/Win64.KMSActivator.C2645177` `MAX: malware (ai score=98)` `Panda: Trj/CI.A` `Rising: PUA.AutoKMS!8.F60B (CLOUD)` `eGambit: Unsafe.AI_Score_69%` `Fortinet: Riskware/WinActivator` `AVG: FileRepMetagen [PUP]` `Avast: FileRepMetagen [PUP]` `CrowdStrike: malicious_confidence_80% (D)`

Hashes

MD5	`b37c708b21a3f330b74fe94ad098182c`
SHA1	`d5dabc52343a88bb4744e8848c8a8a517ba7c006`
SHA256	`989366bbcfe7d0b58496072630d9b733718e7d90d613f2f3c34cae2cf8266ebd`
SHA3	`713ce275a0a65ecba68eab172fbf53b63e4019fd0a577ef7865848fdfbb01275`
SSDeep	`12288:Rdj8/KCpoBlzOe91MLs5+pFDlZlB+fPkv/yrB2HGo6Uz:Xj8/KCSBFR1+pFRTBFyUeUz`
Imports Hash	`b3c351e5a28d1a69a947c93b4c4e6c3b`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	2018-Jun-11 14:28:26
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x96000`
SizeOfInitializedData	`0x12000`
SizeOfUninitializedData	`0xed000`
AddressOfEntryPoint	`0x0000000000182BC0 (Section: UPX1)`
BaseOfCode	`0xee000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x196000`
SizeOfHeaders	`0x1000`
Checksum	`0xa9aa8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xed000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`7562bbf0646564f5f49c85ed02001ea7`
SHA1	`5c8d0c9360d79ff16695891dddbc4bc2df358889`
SHA256	`53caa385989bc47efe00c74df242f96c10a68690bec7cd02ae321b5f04bb18b9`
SHA3	`b00dc2ca2325af6dcab5fbcec5d5873d9da66f3a05ee23c11aa18b32f5fb00a0`
VirtualSize	`0x96000`
VirtualAddress	`0xee000`
SizeOfRawData	`0x95800`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99954`

.rsrc

MD5	`37833fd48576cbd10b41aa41beb2c643`
SHA1	`5db0604e4fbcd75411497e37b57c9527b803002a`
SHA256	`760ede7c1cc555ac326da07184bfbc95c7272084f014ad88b78202d8504f88d2`
SHA3	`44a0ee04e29487ca62eadc3dfb5e59edc17ceddce654017d317a34eb9b65d5d7`
VirtualSize	`0x12000`
VirtualAddress	`0x184000`
SizeOfRawData	`0x11400`
PointerToRawData	`0x95a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.50566`

Imports

ADVAPI32.DLL	`IsValidSid`
COMCTL32.DLL	`InitCommonControlsEx`
GDI32.DLL	`BitBlt`
gdiplus.dll	`GdipFree`
ICMP.DLL	`IcmpSendEcho`
IMAGEHLP.DLL	`MakeSureDirectoryPathExists`
IPHLPAPI.DLL	`GetAdaptersInfo`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
MSI.DLL	`MsiEnumProductsW`
msvcrt.dll	`pow`
NETAPI32.DLL	`NetUserDel`
OLE32.DLL	`CoCreateGuid`
OLEAUT32.DLL	`SafeArrayGetDim`
SETUPAPI.DLL	`SetupIterateCabinetW`
SHELL32.DLL	`IsNetDrive`
URLMON.DLL	`URLDownloadToFileW`
USER32.DLL	`GetDC`
USERENV.DLL	`GetDefaultUserProfileDirectoryW`
WININET.DLL	`InternetOpenW`
WINMM.DLL	`timeBeginPeriod`
WINSPOOL.DRV	`SetPrinterW`
WSOCK32.DLL	`bind`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	2018-Jun-11 14:28:26
Entropy	`3.27326`
MD5	`3faba206e17a7739fde9395af30429d6`
SHA1	`f246a0ee4150bf9a374c037530357107799220a0`
SHA256	`176a25d21a29ffb94a85722207cc61168910639558e8e3151943202ebe87b4f7`
SHA3	`1c141d80cd3f48ebe43b7aef7d5f86a83e69a86dd7bb5653c6151fad184a6eda`

1 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	2018-Jun-11 14:28:26
Entropy	`1.98048`
Detected Filetype	Icon file
MD5	`38388dda6548693f4d42f2241a4218d7`
SHA1	`78bedd12a20f97e31e58742381f3d0ca1edb4715`
SHA256	`cd0991dd595a1392452a8c7ccf089e73626bc6eed1fd3f54ee4c6aa7ffbaedba`
SHA3	`9ace1e9f008d60580379cdfdcd4119706c82d52d2e5fdb9e5745fa00864cc1a8`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x12c`
TimeDateStamp	2018-Jun-11 14:28:26
Entropy	`2.97593`
MD5	`c40015cb5d0d6adcacac9f8f760731cc`
SHA1	`83771c067291221e4baee5bf0b4fb1e3f778e68d`
SHA256	`db9245cc0a724b3a7d845398b4da64b80293a53de1384a46304d9901b977f3ca`
SHA3	`9f6c3bcaf562ae990e4e0ab215c695c9fe4a6205c204eda385a35e76a03b02f7`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x36e`
TimeDateStamp	2018-Jun-11 14:28:26
Entropy	`4.85537`
MD5	`f79ed437c9423e418f66e7da6248b512`
SHA1	`176297b6e431174bf60662fe0420df9e6554d2b5`
SHA256	`069c47ac953a88e1e4e9107c43876733b197733bb0e83e4d33c17fff6e3d6927`
SHA3	`f6ec26a821ed7528038f8e8ba1cdc9bb005d771bdded7b6ec03543075c373957`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.2.0.0
ProductVersion	1.2.0.0
FileFlags	`(EMPTY)`
FileOs	`(EMPTY)`
FileType	`VFT_UNKNOWN`
Language	UNKNOWN
CompanyName	MSFree Inc., Ratiborus

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!