Manalyze report for bb6d6292a843a1692fb928ea401e04d8

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-Mar-12 09:17:22
Detected languages	English - United States
CompanyName	Igor Pavlov
FileDescription	7z Setup SFX
FileVersion	`4.57`
InternalName	7zS.sfx
LegalCopyright	Copyright (c) 1999-2007 Igor Pavlov
OriginalFilename	7zS.sfx.exe
ProductName	7-Zip
ProductVersion	`4.57`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Interesting strings found in the binary:	`Contains domain names: clio.rice.edu`
Malicious	The file headers were tampered with.	`The RICH header checksum is invalid.`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Possibly launches other programs: CreateProcessA` `Can create temporary files: CreateFileW GetTempPathA CreateFileA`
Suspicious	The file contains overlay data.	`8119957 bytes of data starting at offset 0x7d200.` `The overlay data has an entropy of 7.99781 and is possibly compressed or encrypted.` `Overlay data amounts for 94.063% of the executable.`
Safe	VirusTotal score: 0/63 (Scanned on 2022-05-08 05:34:41)	`All the AVs think this file is safe.`

Hashes

MD5	`bb6d6292a843a1692fb928ea401e04d8`
SHA1	`df64150ece3c9c9cc8192ed03a24c3b1b10d16aa`
SHA256	`d448e57cdd8719d6e91f1ab7378a93d71ad51ef76d29d8a2260fee4a063e698d`
SHA3	`69f50dcca7c1a7e9e41839246e00304a8439c1012fe8ac4b343ad644ed4ca878`
SSDeep	`196608:Vb1lZZ7YkzEa3fAAinSo+wYYEu+jJkcLgY0uFzkwaJE:VbtZDzEefin1DYYEjdT8zu1kJJE`
Imports Hash	`8495975063ac354d66cfcb5c2c194d39`

DOS Header

e_magic	`MZ`
e_cblp	`0`
e_cp	`0x28`
e_crlc	`0x19`
e_cparhdr	`0x20`
e_minalloc	`0x4b7`
e_maxalloc	`0x5b7`
e_ss	`0x87d`
e_sp	`0x180`
e_csum	`0`
e_ip	`0x54`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x58c68`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2019-Mar-12 09:17:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x19c00`
SizeOfInitializedData	`0xa800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0006B50A (Section: .text)`
BaseOfCode	`0x59000`
BaseOfData	`0x73000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x80000`
SizeOfHeaders	`0x58e00`
Checksum	`0x80a80`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d1580bf2588cbac1f804d8384e252df8`
SHA1	`95d32a32dc7e3d2b9893907e22212ca90839e977`
SHA256	`09332ebfe469a9a0b56a2e9d2034959fb9b6a85256cb70738d8b8f8b33842c52`
SHA3	`988ff1257c575a074d656e7f239bc79618b67c590905b4009f5f29af54a8f599`
VirtualSize	`0x19ab8`
VirtualAddress	`0x59000`
SizeOfRawData	`0x19c00`
PointerToRawData	`0x58e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.58314`

.rdata

MD5	`28ebba4f896af6e91b8264abece4c215`
SHA1	`b49946a5f5663355bd69b32a25a74b03959266a6`
SHA256	`8f16aa4c57aa67ff007335fce8300c06670822123502722795eb60246ec7c350`
SHA3	`1f081d75be178632c119af731c46cdbb9c045863a6bb03392be4b76cb2dbdc8e`
VirtualSize	`0x73fa`
VirtualAddress	`0x73000`
SizeOfRawData	`0x7400`
PointerToRawData	`0x72a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.66573`

.data

MD5	`41dbde7a2a4d1ac76065190caefdc612`
SHA1	`8e36ad4019081e39cf303cb2a8661c05401a4c6f`
SHA256	`31f021c1964221bdfdbc70d434b072c285f8b837baf53d48a6c12fdc6d08f130`
SHA3	`4d6b9bc3c6ae321a629bb90c743ba0d40c33b3ccdb07936dbd7e734bec3335a8`
VirtualSize	`0x2d84`
VirtualAddress	`0x7b000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0x79e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.23345`

.rsrc

MD5	`72f7f6fa26bf08d3e1534f2b3a0d1954`
SHA1	`b004d7c4c08491e7100d2ea73b1c010e090f956a`
SHA256	`1bc2cb73767d5f6f3782a45059108cf2c6ec5caa08917390bd5bd29c46ae5994`
SHA3	`975c3f878ed7f1a53152f1e998d843035de5717dced794908ae65a1565982ae9`
VirtualSize	`0x1650`
VirtualAddress	`0x7e000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x7ba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.08425`

Imports

COMCTL32.dll	`#17`
KERNEL32.dll	`DeleteCriticalSection` `MultiByteToWideChar` `WideCharToMultiByte` `GetLastError` `LoadLibraryA` `AreFileApisANSI` `GetModuleFileNameA` `GetModuleFileNameW` `LocalFree` `FormatMessageA` `FormatMessageW` `SetCurrentDirectoryA` `CloseHandle` `SetFileTime` `CreateFileW` `SetLastError` `SetFileAttributesA` `RemoveDirectoryA` `CreateDirectoryA` `DeleteFileA` `GetWindowsDirectoryA` `SetFileAttributesW` `RemoveDirectoryW` `CreateDirectoryW` `DeleteFileW` `lstrlenA` `GetFullPathNameA` `GetCurrentDirectoryA` `GetTempPathA` `GetTempFileNameA` `GetFullPathNameW` `FindClose` `FindFirstFileA` `FindFirstFileW` `FindNextFileA` `GetFileSize` `SetFilePointer` `ReadFile` `WriteFile` `SetEndOfFile` `CreateFileA` `GetStdHandle` `EnterCriticalSection` `LeaveCriticalSection` `WaitForMultipleObjects` `VirtualAlloc` `VirtualFree` `WaitForSingleObject` `CreateEventA` `SetEvent` `ResetEvent` `InitializeCriticalSection` `Sleep` `GetVersionExA` `GetExitCodeProcess` `CreateProcessA` `GetCommandLineW` `LCMapStringW` `LCMapStringA` `GetStringTypeW` `GetStringTypeA` `GetLocaleInfoA` `IsValidCodePage` `GetOEMCP` `GetACP` `GetCPInfo` `GetSystemTimeAsFileTime` `GetCurrentProcessId` `GetTickCount` `QueryPerformanceCounter` `GetFileType` `SetHandleCount` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetEnvironmentStrings` `FreeEnvironmentStringsA` `InitializeCriticalSectionAndSpinCount` `HeapSize` `HeapCreate` `HeapReAlloc` `IsDebuggerPresent` `GetCurrentProcess` `TerminateProcess` `InterlockedDecrement` `RaiseException` `RtlUnwind` `HeapAlloc` `HeapFree` `ExitThread` `GetCurrentThreadId` `CreateThread` `GetModuleHandleW` `GetProcAddress` `ExitProcess` `GetCommandLineA` `GetStartupInfoA` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement`
USER32.dll	`DestroyWindow` `PostMessageA` `ShowWindow` `EndDialog` `GetDlgItem` `KillTimer` `SetTimer` `SendMessageA` `MessageBoxW` `DialogBoxParamW` `DialogBoxParamA` `GetWindowLongA` `SetWindowLongA` `SetWindowTextW` `SetWindowTextA` `LoadStringW` `CharUpperW` `CharUpperA` `LoadStringA`
SHELL32.dll	`ShellExecuteExA`
OLEAUT32.dll	`SysAllocString` `VariantClear`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.69671`
MD5	`82b89e152d167d47c738593dfdbec33d`
SHA1	`3d36c353ab494e0e9bc240ee938b1d2db9d6cf7f`
SHA256	`7aa7a09660708e2e302c5b075f28188555c91b01cba928964c201b7967d816bc`
SHA3	`dd6a7f3766c1088fc47515421255bdadd8178f5e87d5691c37ec83a0211e01b4`

500

Type	`RT_DIALOG`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xb8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.07919`
MD5	`240f92705e4da5f99196987de172e58c`
SHA1	`17e40c87730f29a693f7c9cfcba686bb2e2c1734`
SHA256	`3f75f19b7ac829b456afa56f9b4e1a8f244d36ed7b6fa66f7708ac47b4ae3aa3`
SHA3	`d6337dcdba8a03c21ba1f4b6966af666eb4451954844cb4671bc3eb5d7404aaf`

1 (#2)

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x94`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.78284`
MD5	`f10a79138329e5d18b25d47f648946b3`
SHA1	`05d88947da644a07509a64dc081b8b7d498d8648`
SHA256	`5f298d1dfce9f41bd500e89e57e1da7481713c7b2a37b01825a5e6badf940b14`
SHA3	`bd8d1803273589e9ec27a29accbd6a0e63dc51f4dcbbfaaaeee0cc7ee0cdd552`

5

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x34`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.43775`
MD5	`de24c92d0a67718187168052499199cb`
SHA1	`006654de0b450d1f31c7c370a2104558dfe5b9ad`
SHA256	`7bab4b9a6b82cb5e5561b48d0136a492aee4ce78242a5c28e4baa925de511575`
SHA3	`d1e8842da978e4258bf80b8126d03c02506b26d064db7999f6b103b5afb5b50f`

159

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`58ebb87a86317b6d24927da35043510c`
SHA1	`0b9f73c9e0df4ce471f81a69c9d55b09e4326899`
SHA256	`c04493b5cb4e400e784578fb8c753741c693ea4e58bfba318b4cffb66ef163eb`
SHA3	`013f63e9b53b05ce3a2dce811658c3adf591f08394b799d8945d1befa03b2be8`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2bc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.43105`
MD5	`3c8a51ba361a47bef2d5f1e5aa8c0a44`
SHA1	`987f372b8758f1f5f8835f303ae5b2a2585b498e`
SHA256	`45f5d8f45c9d4eb972bd90ddc950da47c1d55ed6f3c0db75628e0216d81224b4`
SHA3	`8946e38bebc2e857867136b1a2379bab8a3424962ea4d4253000f82f12948619`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x165`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.77792`
MD5	`b9b507d6297b2d514477db4ae0d55ea6`
SHA1	`e8c4b4e815c1788b3bab96fc44560d7282282fe1`
SHA256	`ec5d04c8ef3fe0e571c8e604bf146b393108cee11f1ad3d665b7501ec20d37d0`
SHA3	`85e8c59b71094f3ffe0990fe28a56df78d58756dc3a423284dff50f92ed7fa6f`

String Table contents

Extraction Failed
File is corrupt
Cannot create folder '{0}'
Extracting

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	4.57.0.0
ProductVersion	4.57.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Igor Pavlov
FileDescription	7z Setup SFX
FileVersion (#2)	4.57
InternalName	7zS.sfx
LegalCopyright	Copyright (c) 1999-2007 Igor Pavlov
OriginalFilename	7zS.sfx.exe
ProductName	7-Zip
ProductVersion (#2)	4.57

Resource LangID	English - United States

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x47bf20`
SEHandlerTable	`0x477760`
SEHandlerCount	`107`

RICH Header

XOR Key	`0x8006d030`
Unmarked objects	`0`
ASM objects (VS2008 SP1 build 30729)	`20`
C objects (VS2012 build 50727 / VS2005 build 50727)	`1`
Imports (VS2012 build 50727 / VS2005 build 50727)	`11`
Total imports	`184`
C objects (VS2008 SP1 build 30729)	`80`
C++ objects (VS2008 SP1 build 30729)	`103`
Linker (VS2008 build 21022)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

bb6d6292a843a1692fb928ea401e04d8

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

500

1 (#2)

5

159

1 (#3)

1 (#4)

String Table contents

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors