Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2015-Feb-09 21:57:00 |
Detected languages | English - United States |
Comments | 1KEY GHOST HD 2017.02.17 |
CompanyName | DOS之家 |
FileDescription | 一键GHOST硬盘版安装程序 |
FileVersion | 11.2.2017.1217 |
InternalName | 1KG |
LegalCopyright | DOS之家 doshome.com 葛明阳 |
LegalTrademarks | 1KEY GHOST |
OriginalFilename | 一键GHOST硬盘版.exe |
PrivateBuild | |
ProductName | 一键GHOST硬盘版 2017.02.17 正式版 |
ProductVersion | 11.2.2017.1217 |
SpecialBuild | |
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
Suspicious | PEiD Signature: | UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser; UPX -> www.upx.sourceforge.net |
Suspicious | Strings found in the binary may indicate undesirable behavior: | Contains a XORed PE executable: |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to MD5; Uses constants related to SHA1 |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Suspicious | The file contains overlay data. | 17726326 bytes of data starting at offset 0x11a00. The overlay data has an entropy of 7.99561 and is possibly compressed or encrypted. Overlay data accounts for 99.5944% of the executable. |
Malicious | VirusTotal score: 26/62 (Scanned on 2020-01-16 10:37:14) | Bkav: W32.AIDetectVM.malware; CAT-QuickHeal: Trojan.Agent; Cylance: Unsafe; Sangfor: Malware; K7AntiVirus: Adware ( 0050718d1 ); K7GW: Adware ( 0050718d1 ); Symantec: ML.Attribute.HighConfidence; ESET-NOD32: a variant of Win32/Packed.FlyStudio.AA potentially unwanted; APEX: Malicious; Paloalto: generic.ml; NANO-Antivirus: Trojan.Win32.BlackHole.extfvb; Rising: Trojan.Win32.Generic.19E96E02 (CLOUD); Comodo: Malware@#32wugss7v1hkv; DrWeb: BackDoor.BlackHole.50075; VIPRE: Trojan.Win32.Generic!BT; Sophos: Generic PUA AE (PUA); Avira: TR/Agent.ojmdo; Antiy-AVL: Trojan[Packed]/Win32.FlyStudio; Endgame: malicious (high confidence); GData: Win32.Trojan.Agent.2I38JX; TrendMicro-HouseCall: TROJ_GEN.R066H0CIN19; MAX: malware (ai score=100); eGambit: Unsafe.AI_Score_56%; Fortinet: PossibleThreat; AVG: Win32:PUP-gen [PUP]; Avast: Win32:PUP-gen [PUP] |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xd8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 5 |
TimeDateStamp | 2015-Feb-09 21:57:00 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 10.0 |
SizeOfCode | 0x5800 |
SizeOfInitializedData | 0xbe00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000029E1 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x7000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x15000 |
SizeOfHeaders | 0x400 |
Checksum | 0x10fc05d |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | _lclose GetModuleFileNameA _lread _llseek _lopen _lwrite _lcreat CreateDirectoryA SetCurrentDirectoryA lstrcatA FreeLibrary GetProcAddress LoadLibraryA GetDiskFreeSpaceA GetFileAttributesA RemoveDirectoryA DeleteFileA lstrlenA GetCurrentDirectoryA CloseHandle GetExitCodeProcess GetLastError LocalFree GetCurrentProcess MoveFileExA Sleep GetStringTypeW MultiByteToWideChar LCMapStringW HeapReAlloc RtlUnwind HeapSize lstrcpyA GetTempPathA CompareStringA IsValidCodePage GetOEMCP GetModuleHandleW ExitProcess DecodePointer HeapFree HeapAlloc GetCommandLineA HeapSetInformation GetStartupInfoW InitializeCriticalSectionAndSpinCount DeleteCriticalSection LeaveCriticalSection EnterCriticalSection EncodePointer LoadLibraryW UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent TerminateProcess TlsAlloc TlsGetValue TlsSetValue TlsFree InterlockedIncrement SetLastError GetCurrentThreadId InterlockedDecrement WriteFile GetStdHandle GetModuleFileNameW IsProcessorFeaturePresent HeapCreate FreeEnvironmentStringsW WideCharToMultiByte GetEnvironmentStringsW SetHandleCount GetFileType QueryPerformanceCounter GetTickCount GetCurrentProcessId GetSystemTimeAsFileTime GetCPInfo GetACP |
---|---|
USER32.dll | TranslateMessage DispatchMessageA PeekMessageA wsprintfA LoadCursorA SetCursor MessageBoxA MsgWaitForMultipleObjects |
ADVAPI32.dll | GetTokenInformation OpenProcessToken |
SHELL32.dll | ShellExecuteExA |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 11.2.2017.1217 |
ProductVersion | 11.2.2017.1217 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
Resource LangID | English - United States |
---|---|
Size | 0x48 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x40a020 |
SEHandlerTable | 0x409470 |
SEHandlerCount | 3 |
XOR Key | 0x945cbac7 |
---|---|
Unmarked objects | 0 |
ASM objects (VS2010 SP1 build 40219) | 14 |
C objects (VS2010 SP1 build 40219) | 67 |
Imports (VS2008 SP1 build 30729) | 9 |
Total imports | 100 |
C++ objects (VS2010 SP1 build 40219) | 25 |
Resource objects (VS2010 SP1 build 40219) | 1 |
Linker (VS2010 SP1 build 40219) | 1 |