c197cf1e5f8e4c6e0024d28f2c9648b9

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2015-Feb-09 21:57:00
Detected languages English - United States
Comments 1KEY GHOST HD 2017.02.17
CompanyName DOS之家
0FileDescription 一键GHOST硬盘版安装程序
^蘒^ꁄ᪟@FileVersion 11.2.2017.1217
InternalName 1KG
LegalCopyright DOS之家 doshome.com 葛明阳
LegalTrademarks 1KEY GHOST
OriginalFilename 一键GHOST硬盘版.exe
^0PrivateBuild
(#2) atꁀ
ProductName 一键GHOST硬盘版 2017.02.17 正式版
^ecs DProductVersion
2.2017.1217 0SpecialBuild
(#3) iaꁀ

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious PEiD Signature: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
UPX -> www.upx.sourceforge.net
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
Suspicious Strings found in the binary may indicate undesirable behavior: Contains a XORed PE executable:
  • 53 6f 6e 74 27 77 75 68 60 75 66 6a 27 64 66 69 69 68 73 27 ...
Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to MD5
Uses constants related to SHA1
Malicious The PE contains functions mostly used by malwares. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryW
Functions related to the privilege level:
  • OpenProcessToken
Malicious VirusTotal score: 25/67 (Scanned on 2017-12-01 01:28:58) CAT-QuickHeal: Trojan.Agent
McAfee: Artemis!C197CF1E5F8E
K7GW: Adware ( 0050718d1 )
K7AntiVirus: Adware ( 0050718d1 )
TrendMicro: TROJ_GEN.R023C0OH517
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: TROJ_GEN.R023C0OH517
Avast: Win32:Malware-gen
AegisLab: Troj.Generickd!c
DrWeb: BackDoor.BlackHole.50075
VIPRE: Trojan.Win32.Generic!BT
Invincea: heuristic
McAfee-GW-Edition: Artemis
Sophos: Mal/Generic-S
Paloalto: generic.ml
Cyren: W32/Trojan.NFHW-4393
Webroot: W32.Malware.Gen
Fortinet: PossibleThreat
Endgame: malicious (moderate confidence)
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
Cylance: Unsafe
ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted
AVG: Win32:Malware-gen
Cybereason: malicious.1b8fb7

Hashes

MD5 c197cf1e5f8e4c6e0024d28f2c9648b9
SHA1 04d28ab3df021b60932b611e3ee783f473b9039c
SHA256 f1738e42cefcc6e49e773624d1f87e354d72cc623675bd31908714ae84f981fa
SHA3 19b6f358300b84d065df25ac078383c906449d4197012ffebd655864f304e72a
SSDeep 393216:3VjSEC362cbFe9+xv7Jr9M9FjcxTr/aFS6D0sKRwrYez:NqEM9U7J98F0/aFSk0saw0ez
Imports Hash 1ff847646487d56f85778df99ff3728a

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xd8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2015-Feb-09 21:57:00
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x5800
SizeOfInitializedData 0xbe00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x29e1 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x7000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x15000
SizeOfHeaders 0x400
Checksum 0x10fc05d
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 c76b9ce587690b8a39ba7840b7dd540c
SHA1 114d7340e840ad290bdbf90e90e9848d2e1725c5
SHA256 a00ca9a863671b53f3827886406ca4967dad3c431d69e6486eec22e65020bef2
SHA3 f894603ccdf519b7fd738f8e4d5aece29ff89ca9a1346e7ad571e26d65c0542b
VirtualSize 0x5718
VirtualAddress 0x1000
SizeOfRawData 0x5800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.45945

.rdata

MD5 e96aa4f970e6f6799910a72904df3100
SHA1 80c5981f622e43d6b57fcf3642184de602555aea
SHA256 7ef2a00b505d7c6eea17396996af46b069539da535a30b838e27dcd37a8b70fe
SHA3 a1383ee5cdefae2a44f819b10e1b1bab1bbdc5c3679984268f825400f3bdb0b3
VirtualSize 0x2e82
VirtualAddress 0x7000
SizeOfRawData 0x3000
PointerToRawData 0x5c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.97533

.data

MD5 e504fdbba062ee9bbd9ac425a4f5c0f5
SHA1 43d241c5d9433f431cd187c0aff3a614130ad427
SHA256 9311d3ce61454f57fad8b8bfd0e560fa2c5c50e5adfaf08c6d84a63a4f6d71f8
SHA3 3f9477060851b8d01432f23e4708a90ae9c8f191149febd02f9316fe11428b41
VirtualSize 0x1968
VirtualAddress 0xa000
SizeOfRawData 0xc00
PointerToRawData 0x8c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.58663

.rsrc

MD5 2686b14e0c4844fb6f7389ec5a93dac3
SHA1 42aae28884f7564538652ed163cce087e8704e87
SHA256 26dd4256e636e0744c2e8474db0b59b11a44736187960e8821214f3c1de2733d
SHA3 3a11474889a7e847543d92c2a1133cff09c4c7a5def821901fb137c70f39ab7b
VirtualSize 0x6eb9
VirtualAddress 0xc000
SizeOfRawData 0x7000
PointerToRawData 0x9800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.8008

.reloc

MD5 a88bdb6f651ecf67b1b3db4a2866ea4e
SHA1 13996ad6f496c64dff1dbee17649d328463ed818
SHA256 6b4158116338cec89b82463ed9b34c860278f8a421b7e3919e8b9d6be7bddcbf
SHA3 8ebe2b9cd83ca5ab25c6d51a628fc98b9cc3a6fd578fb77bd7b5d946165f8146
VirtualSize 0x1092
VirtualAddress 0x13000
SizeOfRawData 0x1200
PointerToRawData 0x10800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.7122

Imports

KERNEL32.dll _lclose
GetModuleFileNameA
_lread
_llseek
_lopen
_lwrite
_lcreat
CreateDirectoryA
SetCurrentDirectoryA
lstrcatA
FreeLibrary
GetProcAddress
LoadLibraryA
GetDiskFreeSpaceA
GetFileAttributesA
RemoveDirectoryA
DeleteFileA
lstrlenA
GetCurrentDirectoryA
CloseHandle
GetExitCodeProcess
GetLastError
LocalFree
GetCurrentProcess
MoveFileExA
Sleep
GetStringTypeW
MultiByteToWideChar
LCMapStringW
HeapReAlloc
RtlUnwind
HeapSize
lstrcpyA
GetTempPathA
CompareStringA
IsValidCodePage
GetOEMCP
GetModuleHandleW
ExitProcess
DecodePointer
HeapFree
HeapAlloc
GetCommandLineA
HeapSetInformation
GetStartupInfoW
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
EncodePointer
LoadLibraryW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
WriteFile
GetStdHandle
GetModuleFileNameW
IsProcessorFeaturePresent
HeapCreate
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
USER32.dll TranslateMessage
DispatchMessageA
PeekMessageA
wsprintfA
LoadCursorA
SetCursor
MessageBoxA
MsgWaitForMultipleObjects
ADVAPI32.dll GetTokenInformation
OpenProcessToken
SHELL32.dll ShellExecuteExA

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x128
Entropy 3.37177
MD5 496b9dec82e136f2b5dd974f16e64bf0
SHA1 9018c14ef7230dd5ee908cd193927d44d086782c
SHA256 bb69db8fabd21337e457a739d0c541c759678d349e900d52f5dfa22828f326e5
SHA3 4be0784dae8ddf46da55068151672ab8f82d1e3dafd639f42075c4fedc03fbe3

2

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x568
Entropy 4.31421
MD5 ceea1f40f26b391da8977d0bc69ce333
SHA1 b0cc7faf384a4a9b55661c9dd00afff3bd478469
SHA256 1f8d3da0dd89dca26c6bb14ac7be9ed5a01bc929574ad46b87524f251e80e2be
SHA3 7cc0fe9b559fc274048cceb5c27c499b576dcd8b961413bdd1851eedb13ee46c

3

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x468
Entropy 5.9477
MD5 286299765e413961c577250b562a9f6d
SHA1 c11066e0b36e102c15530a0a2bcf3ff59a447e38
SHA256 06fb164c24b5774aa1cc61dee3855f98998e7d8b80e7370403da6c202f054da8
SHA3 bb7b6d7b364cc8bb0566b8803afc6112c806d1340b50948fae110d2b4f805e7e

4

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x2e8
Entropy 3.78233
MD5 2bfdea3afd1fff1a7b0289c617cfae05
SHA1 bc3d4258adec91cf01ff8d841bec5c48dd58000f
SHA256 a8af8d3e6282e1efdd38fb2787c9ec42cfbbf9cd1d473f6845590c3e31ea3c11
SHA3 4eb3e3000d5cf37679db55735eab0028777be3b63ea3ade5b51ebcd755926b6f

5

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x8a8
Entropy 6.14953
MD5 d400262b6638ac150461e04641caf542
SHA1 bff6b574a2d8b8597b021e26699da166d7520104
SHA256 31e4e1eea0a0e2e6443773d356ddca1fe28d32e74727a13638c85bdbd78281a6
SHA3 d6f95ed5ca31894bbd9d134abee83ab2a2c30489a78444b913431380846e9f53

6

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x10a8
Entropy 5.83714
MD5 b5c47d2978f629cc35ab63e89cabcb2c
SHA1 2b979114d1a0832ede92cc14a62be2fe3a5572fd
SHA256 7a7ef627be60b3f8f5b2366d513efd6b341eb942f039bfcc9399d82ebd898d0d
SHA3 a1ce8ad53af0ee9ad9573abb6f944ccbebc3f7358e33af91fde7d80b9020b6ef

7

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x668
Entropy 3.64397
MD5 6acf27cac1ed0cc79e0b5cf6bbfa35af
SHA1 ae882712f338525cbb428dbb0dc5556a858993db
SHA256 d8bbb3fb720499a58160e7956e4bd18855b384c6dbd3aa262fea0e121436c6f2
SHA3 b1869023aec53f68ac7ffebbc09130daa3ee93ade92f7f46b25dd1099d846089

8

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0xea8
Entropy 5.84115
MD5 5073c50c3a136934f16481bc0b3df044
SHA1 11df1eebfbd55cb5acf95991e7c0169475ef9b8a
SHA256 b65d018eb43b3c976a891e6677049eee014093e7c77774ffa1a4d08565891ecd
SHA3 96266ffe7e8ab6f0f6a1cc2328bfdfafb174bc0de29af818fc5e6f940e1d6f48

9

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x25a8
Entropy 5.41049
MD5 ca478133475a2622104a5405539831fe
SHA1 8f2ad79e45e19b6ad4c3dc6aa273ea53479b67fa
SHA256 9df16fabe1cfc3dc3095c7c70f5fa39be14a8ca6a4fdf4aeaa194cde7995127c
SHA3 e65115467b0261de55c9e782bdc289b875ca573be61df82717a1065896680a52

101

Type RT_GROUP_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x84
Entropy 2.89097
Detected Filetype Icon file
MD5 6e71c5b6be8e29bfdcf3d856260f17b4
SHA1 d98d52ae0f3b84f09e2579e87bacdd0987e921d7
SHA256 d5f3b5a9baad2206b061f158ddba8b9feb33508f7b1c45fbdc4167b0d749e9fe
SHA3 c39422453d77e29f616cc18302d91574479df72c182f049241fca9eb138cfd26

1 (#2)

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x40c
Entropy 3.93971
MD5 5fe54fd76d40692bd204ae520125dd79
SHA1 898080f1b717cab3cdaa0208126913a0c0574f64
SHA256 84a1163d3677e7e6af133a6ec95583809e7568787f89fe1ca144f67bd7dc3fe5
SHA3 e81f2b795b5af3f7c067ae1bbdd9190613c7eef5dcea0146a652389d219334e0

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x591
Entropy 5.36998
MD5 bc6026c1ccbec7702456103ba17d23db
SHA1 c594ee61d4a4a12d038e2743a13e2b654d06cfa1
SHA256 cdfae727923915b2bf71f5b9b6ac9976b14baa8892c5cad9173491e7368ded79
SHA3 e43d5626823d783a6165f1b729297312ec4f0603ac6ebd6b5f383d2e5157a6d1

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 11.2.2017.1217
ProductVersion 11.2.2017.1217
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
Comments 1KEY GHOST HD 2017.02.17
CompanyName DOS之家
0FileDescription 一键GHOST硬盘版安装程序
^蘒^ꁄ᪟@FileVersion 11.2.2017.1217
InternalName 1KG
LegalCopyright DOS之家 doshome.com 葛明阳
LegalTrademarks 1KEY GHOST
OriginalFilename 一键GHOST硬盘版.exe
^0PrivateBuild
(#2) atꁀ
ProductName 一键GHOST硬盘版 2017.02.17 正式版
^ecs DProductVersion
2.2017.1217 0SpecialBuild
(#3) iaꁀ
Resource LangID English - United States

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x40a020
SEHandlerTable 0x409470
SEHandlerCount 3

Errors