Manalyze report for b4b728225f8f0a70614be5b4a5094b9f

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2005-Oct-02 11:01:22
Detected languages	Chinese - PRC English - United States
Debug artifacts	Embedded COFF debugging symbols
Comments	http://www.whitetown.com
CompanyName	WhiteTown Software
FileDescription	DBF2XLS
FileVersion	`1, 4, 0, 0`
InternalName	DBF2XLS
LegalCopyright	Copyright ? 2005
LegalTrademarks	DBF to XLS
OriginalFilename	DBF2XLS.exe
ProductName	DBF to XLS
ProductVersion	`1, 4, 0, 0`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig1(h)` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Suspicious	The PE is possibly packed.	`Section .text is both writable and executable.` `Section .rdata is both writable and executable.` `Section .data is both writable and executable.` `Section .rsrc is both writable and executable.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can access the registry: RegCloseKey RegCreateKeyA RegSetValueExA RegOpenKeyA RegQueryValueExA` `Possibly launches other programs: ShellExecuteA` `Uses functions commonly found in keyloggers: GetForegroundWindow CallNextHookEx`
Info	The PE's resources present abnormal characteristics.	`Resource 102 is possibly compressed or encrypted.`
Suspicious	VirusTotal score: 1/57 (Scanned on 2016-12-02 10:13:37)	`CrowdStrike: malicious_confidence_67% (W)`

Hashes

MD5	`b4b728225f8f0a70614be5b4a5094b9f`
SHA1	`852bfbb9e8bc266f055dc660eaab067abc18e714`
SHA256	`eb71dfa22803213e32777de1f8e63291fc5f4278d55ab8729570f6faf5759cc6`
SHA3	`bdca774bf88320c9ebdda63975d81a97184a8f71200fc2505eeb05b4e6b8e865`
SSDeep	`3072:GYmwOT41vXtHy1zdtxJSpDl2wE2YG4YR7BoBFWdKl20iaEzEEAP3598Jz4Q5z6k:xmwOT41vXxy1fvStl2wsGjp90uMYn5`
Imports Hash	`ee9dbfd227d9167b75f5880cd3338687`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2005-Oct-02 11:01:22
PointerToSymbolTable	`0x726f4c5b`
NumberOfSymbols	`1564823652`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x1d000`
SizeOfInitializedData	`0x8a000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000B2FA (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1e000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0xa9000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`e0ee1efab9a5f3440ca5f51fb69e508d`
SHA1	`7fb26adfb0a8e0f5c96fca23ed25255a2097c3c0`
SHA256	`205ccb6e091cc7978fd7845602eea289e55ab02e0b0a09da76f5d826bebf4218`
SHA3	`fb1b4dc930773ac80a69cf5f1d45368bc51e03f1f26cfd1bd906961bcc68b73c`
VirtualSize	`0x1d000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1d000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.59732`

.rdata

MD5	`0b86df29b9962435917be81305cbb2e4`
SHA1	`a11b94d7fd8ae16a210db12f9c6a3806cc940758`
SHA256	`7d9e6d8d5b6b1321a42c87e6e9c763d0aa050e0c78f4fc9867b309c0c6d594cb`
SHA3	`8adfa0016b4898ea0afd76363e39e313b8cb7c993e2aee5b791c099755e7d44a`
VirtualSize	`0x5000`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x1e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.08402`

.data

MD5	`0241067eaed5380b2b59d1e55a600058`
SHA1	`0d51e4cf294f1336079afede4bf38c2d385fe178`
SHA256	`e58d1c03a5695bd76439304260075ba320061b304b5b67326eff9138eb5eeb98`
SHA3	`d41525f8d25e2961a6c6dc9e4a6ddd47fa04ac0a6f0fd547b7275e09f890a26a`
VirtualSize	`0x8000`
VirtualAddress	`0x23000`
SizeOfRawData	`0x8000`
PointerToRawData	`0x23000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.43465`

.rsrc

MD5	`890e94b5bb8d4cdcca178117c4546820`
SHA1	`c4653ffdad633da1f7698601f096c7e1f1aa2bc1`
SHA256	`09100cf2f4153971c795f40157b1b9eaceacc82d509d3f3c0a42e10e06ca195e`
SHA3	`ae1b9a8f5d1a1dc8f15f6bb05b304149612ac3337761f605fb67a82050fe6163`
VirtualSize	`0x7d26c`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x7e000`
PointerToRawData	`0x2b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.54457`

Imports

advapi32.dll	`RegCloseKey` `RegCreateKeyA` `RegSetValueExA` `RegOpenKeyA` `RegQueryValueExA`
comctl32.dll	`PropertySheet` `CreatePropertySheetPage` `InitCommonControls`
gdi32.dll	`SetMapMode` `SetViewportOrgEx` `GetStockObject` `SelectObject` `RestoreDC` `SaveDC` `Escape` `ExtTextOutA` `TextOutA` `RectVisible` `PtVisible` `DeleteDC` `DeleteObject` `CreateFontIndirectA` `GetDeviceCaps` `GetTextMetricsA` `CreateBitmap` `GetObjectA` `SetBkColor` `SetTextColor` `GetClipBox` `ScaleWindowExtEx` `SetWindowExtEx` `ScaleViewportExtEx` `SetViewportExtEx` `OffsetViewportOrgEx`
kernel32.dll	`CreateThread` `DeleteFileA` `FindFirstFileA` `FindNextFileA` `FindClose` `GetPrivateProfileIntA` `GetPrivateProfileStringA` `GetModuleFileNameA` `WritePrivateProfileStringA` `SetEndOfFile` `GetSystemTime` `lstrlen` `lstrcat` `CreateFileA` `SetFilePointer` `ReadFile` `WriteFile` `CloseHandle` `lstrcpy` `HeapAlloc` `HeapFree` `GetLastError` `InterlockedDecrement` `InterlockedIncrement` `ExitProcess` `TerminateProcess` `GetCurrentProcess` `GetTimeZoneInformation` `GetLocalTime` `RtlUnwind` `GetModuleHandleA` `GetStartupInfoA` `GetCommandLineA` `GetVersion` `HeapDestroy` `HeapCreate` `VirtualFree` `InitializeCriticalSection` `DeleteCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `VirtualAlloc` `HeapReAlloc` `IsBadWritePtr` `GetProcAddress` `GetCPInfo` `GetACP` `GetOEMCP` `WideCharToMultiByte` `MultiByteToWideChar` `LCMapStringA` `LCMapStringW` `GetStringTypeA` `GetStringTypeW` `GetCurrentThreadId` `TlsSetValue` `TlsAlloc` `SetLastError` `TlsGetValue` `UnhandledExceptionFilter` `FreeEnvironmentStringsA` `FreeEnvironmentStringsW` `GetEnvironmentStrings` `GetEnvironmentStringsW` `LockResource` `GetStdHandle` `GetFileType` `SetStdHandle` `FlushFileBuffers` `SetUnhandledExceptionFilter` `IsBadReadPtr` `IsBadCodePtr` `LoadLibraryA` `RaiseException` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA` `lstrcmp` `lstrcpyn` `GlobalUnlock` `GlobalLock` `GlobalAlloc` `GlobalReAlloc` `LocalFree` `LocalAlloc` `GlobalFree` `GlobalHandle` `LocalReAlloc` `GlobalDeleteAtom` `GlobalFindAtomA` `GlobalAddAtomA` `lstrcmpi` `GlobalGetAtomNameA` `FreeLibrary` `GetProcessVersion` `GlobalFlags` `HeapSize`
odbc32.dll	`SQLCancel` `SQLFreeStmt` `SQLMoreResults` `SQLFetch` `SQLNumResultCols` `SQLExecDirect` `SQLAllocStmt` `SQLDriverConnect` `SQLAllocEnv` `SQLAllocConnect` `SQLSetConnectOption` `SQLGetInfo` `SQLSetStmtOption` `SQLFreeEnv` `SQLDisconnect` `SQLFreeConnect` `SQLError`
shell32.dll	`ShellExecuteA` `SHGetPathFromIDList` `SHGetSpecialFolderLocation`
user32.dll	`CopyRect` `GetClientRect` `AdjustWindowRectEx` `SetFocus` `GetSysColor` `MapWindowPoints` `LoadIconA` `SetWindowTextA` `GetSysColorBrush` `GetClassNameA` `PtInRect` `ClientToScreen` `PostQuitMessage` `DestroyMenu` `TabbedTextOutA` `DrawTextA` `GrayStringA` `GetClassInfoA` `RegisterClassA` `GetMenu` `GetMenuItemCount` `GetSubMenu` `GetMenuItemID` `GetDlgCtrlID` `DefWindowProcA` `DestroyWindow` `CreateWindowExA` `GetClassLongA` `GetPropA` `CallWindowProcA` `RemovePropA` `GetMessageTime` `GetMessagePos` `GetForegroundWindow` `SetForegroundWindow` `GetWindow` `SetWindowPos` `RegisterClipboardFormatA` `CharUpperA` `wsprintfA` `GetDesktopWindow` `LoadStringA` `IsWindowEnabled` `GetLastActivePopup` `UnhookWindowsHookEx` `SetWindowsHookExA` `PeekMessageA` `CallNextHookEx` `GetKeyState` `GetTopWindow` `GetCapture` `DispatchMessageA` `CharToOemA` `UpdateWindow` `CheckDlgButton` `EnableWindow` `CheckRadioButton` `InvalidateRect` `IsDlgButtonChecked` `LoadCursorA` `SetCursor` `OemToCharA` `GetWindowLongA` `SetWindowLongA` `SendMessageA` `GetParent` `PostMessageA` `GetDlgItemTextA` `SetDlgItemTextA` `GetDlgItem` `ShowWindow` `GetWindowTextA` `GetNextDlgTabItem` `GetFocus` `EnableMenuItem` `SystemParametersInfoA` `GetDC` `ReleaseDC` `MessageBoxA` `OemToCharBuffA` `SetPropA` `WinHelpA` `IsIconic` `GetWindowPlacement` `GetWindowRect` `GetSystemMetrics` `GetMenuCheckMarkDimensions` `LoadBitmapA` `GetMenuState` `ModifyMenuA` `SetMenuItemBitmaps` `CheckMenuItem`
winspool.drv	`OpenPrinterA` `DocumentPropertiesA` `ClosePrinter`
comdlg32.dll	`GetOpenFileNameA` `GetSaveFileNameA`

Delayed Imports

102

Type	`RT_BITMAP`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x7958`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.15656`
MD5	`5cf8d55a3747e0076264e2a1665523fe`
SHA1	`11854a83e736ef16fba5aa175d12a640271d821e`
SHA256	`125d3f9b1e8596ac00ce2e19e62e34e4739a9c429d216215052c0489b97b363e`
SHA3	`6f8664802a0a072d5b5b329fb123e413a9d04b5efa8c873e77cfc8a4df709069`
Preview

103

Type	`RT_BITMAP`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x73000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.02701`
MD5	`7582f533a676ce339ce62dd3c46aa6bd`
SHA1	`bdf4612043e4618dc5ecfca76be7d9174530d2a9`
SHA256	`8e42a965754eb6cdee023123a84edba114a43a533696065384eac63288ef555c`
SHA3	`50510e370a99a351bd025415a983602d653f6821478d9e83bd68eac94f0b7a96`
Preview

1

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0xca8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.76886`
MD5	`40efc0f2b9e40e1bef2dc2fb8d482996`
SHA1	`330666dab49845adc9fd55adc174bffe348b64ba`
SHA256	`5c650da248d80714568aae8ba209716ddead3911533a3a1b01c38d1b5b3d7f2a`
SHA3	`e426d313c5039e0736d9ad9ba40df5a21175e6fc975277a26ecbd854624b3c3d`

107

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x2f8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.43305`
MD5	`ca4df10ae29594dc21d15a38b6f6450b`
SHA1	`72b69bd485b13cde8c56ca8e73faa083233d2dde`
SHA256	`cbb6363c7e5bd8b90b5c8b73fcf80dedc6f856f4ffc01da6d69bb0bf5b474536`
SHA3	`1413e40df489364518392db75e6724b4de06d06f319c9681adb680a3dd67252d`

108

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x24e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.16265`
MD5	`0e4c99812e65fe6fd1ecc5b4b47d0830`
SHA1	`9b9db84fa4a829b00adb06e15180ad2d398a709c`
SHA256	`5adcf0bb886596802a2b9af8f4c7ba46a288847f709db29970f32f7a0f5c256b`
SHA3	`b244117afdc7ba732265545adef51b916b7d87a7aa6cf7ba4ec3d05e37e4a428`

109

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x35c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.15423`
MD5	`f3543500254aa889135dbed52963d248`
SHA1	`ec8bd4f0fa630275447afe26aa4487a25fcce766`
SHA256	`2474006eb8ecbd0f7345b11bd7e8c27917768a76970f2ed910e291dbf2c120d7`
SHA3	`47e9e4b277c92fe2e94334b705d37c7548e8b4accba28d8ad4fee75af94c35a2`

110

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x20c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.89141`
MD5	`cc1d13d4b90295449959834366b3d599`
SHA1	`e331ff68eaab34e7c28be273f06c93a6759d068a`
SHA256	`50059f9f3ab1bfbb6cfd38056cff0d7d75dd7f161bf286aa0fb42a21aa288d59`
SHA3	`9557b536bda1d85324aee3dd0b0a553a0480a6103b3af78d221983fe61517c3b`

111

Type	`RT_DIALOG`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x154`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.70811`
MD5	`eb5245780ae929a779db5549c8f4a378`
SHA1	`d2993b9df3b99cef3d995d9f3d37dc418ccf8e58`
SHA256	`7d946995c8da11ba99bdd594ac922c4992c4d41fdb658e19462206611db1010b`
SHA3	`f829c2b42770a7cfbd7ef0ad5180385bf51417bd469baf4acc3800e5e74a3345`

1 (#2)

Type	`RT_STRING`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x38e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.981722`
MD5	`3624ca42cc5a205362dfcc10a122779e`
SHA1	`5dfe155f61188fbaeb6a662fc5f35155bafba4d2`
SHA256	`53dded3c812cb930abd5ad28e718c54d2ee72adbf3b5c89eb7c2b14a000f3b4b`
SHA3	`0a4f193a9e74d24c2026a16cfa7f2424bfb1c93be6514d7cf87b157bdd75f48d`

104

Type	`RT_GROUP_ICON`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`6f191f45d2ea96b2d22e9eafa1a55bd7`
SHA1	`aa9a0930cb6ae38dd9645dbd2e85cf3796ed2977`
SHA256	`f01c223e6cf0e0f5c1d990ad720488af398180adb1b92e61c2144cf11d3130f8`
SHA3	`ab7f66f51b1cb5a30df00c2674a3a04e8323578947f36708e2e82dd5d04f0416`

1 (#3)

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	Chinese (simplified)
Size	`0x38c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23862`
MD5	`fd591853ed708295b203350e80178d3b`
SHA1	`c501fa8b96c362a50e57b0170a76016e782c92ca`
SHA256	`f94c81d373eccf44c6ce24d7eb4ebe6294c67568987ce928d2381f39d82b16e6`
SHA3	`f34b00d790e58f07687227804aa4ecdfc2a222a8182e4f5ae0ff7d0f25d13c2a`

String Table contents

打开 DBF 文件
单击“浏览”按钮
选择输出的文件
单击“浏览”按钮
转换进度
这需要花几分钟……

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.3.0.0
ProductVersion	1.3.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	http://www.whitetown.com
CompanyName	WhiteTown Software
FileDescription	DBF2XLS
FileVersion (#2)	1, 4, 0, 0
InternalName	DBF2XLS
LegalCopyright	Copyright ? 2005
LegalTrademarks	DBF to XLS
OriginalFilename	DBF2XLS.exe
ProductName	DBF to XLS
ProductVersion (#2)	1, 4, 0, 0

Resource LangID	Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd06050da`
Unmarked objects	`0`
19 (8022)	`32`
12 (7291)	`4`
14 (7299)	`39`
Imports (VS97 SP3 link 5.10.7303)	`34`
Unmarked objects (#2)	`15`
19 (8034)	`17`
Total imports	`385`
C objects (VS98 build 8168)	`157`
C objects (VC++ 6.0 SP5 build 8804)	`5`
C++ objects (VS98 build 8168)	`63`
Resource objects (VS98 cvtres build 1720)	`1`
Linker (VS98 build 8168)	`1`

Errors

[!] Error: Could not read a COFF symbol.