Manalyze report for c528e0069a2b38a2842f466d599b8142

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Apr-02 22:14:51
CompanyName	Oleg N. Scherbakov
FileDescription	7z Setup SFX (x86)
FileVersion	`1.7.0.3900`
InternalName	7ZSfxMod
LegalCopyright	Copyright © 2005-2016 Oleg N. Scherbakov
OriginalFilename	7ZSfxMod_x86.exe
PrivateBuild	April 1, 2016
ProductName	7-Zip SFX
ProductVersion	`1.7.0.3900`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to AES`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Possibly launches other programs: ShellExecuteW CreateProcessW` `Can create temporary files: CreateFileW GetTempPathW` `Functions related to the privilege level: CheckTokenMembership` `Enumerates local disk drives: GetDriveTypeW` `Can take screenshots: CreateCompatibleDC GetDC`
Malicious	The PE's digital signature is invalid.	`Signer: Piriform Software Ltd` `Issuer: DigiCert SHA2 Assured ID Code Signing CA` `The file was modified after it was signed.`
Malicious	VirusTotal score: 19/69 (Scanned on 2021-05-13 18:36:25)	`Bkav: W32.AIDetect.malware1` `Sangfor: Backdoor.Win32.Agent.ky` `Symantec: Trojan.Gen.2` `ESET-NOD32: Win32/Agent.ACXU` `Avast: FileRepMalware` `Kaspersky: Backdoor.Win32.Agent.myuawa` `Emsisoft: Trojan.Dropper (A)` `McAfee-GW-Edition: Artemis` `Jiangmin: HackTool.Agent.dhf` `Kingsoft: Win32.Hack.Undef.(kcloud)` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Cynet: Malicious (score: 100)` `McAfee: Artemis!C528E0069A2B` `Malwarebytes: Malware.AI.2367053252` `eGambit: PE.Heur.InvalidSig` `Fortinet: PossibleThreat.PALLAS.H` `Webroot: Pua.Opencandy` `AVG: FileRepMalware` `CrowdStrike: win/malicious_confidence_90% (W)`

Hashes

MD5	`c528e0069a2b38a2842f466d599b8142`
SHA1	`b1f853b68173d6750d1553d1caeaebf61bbe166b`
SHA256	`c81580d1c7a0074ecc038d95f79a85e43a2a20de127bb660d65fec504b944179`
SHA3	`912d0c5062e16f9c9e44ecef0a8a80d7d06b8b3cc918ed85a388de7c4d953f9d`
SSDeep	`24576:RdW6CkSDkqK+ZXjF/bVYDfb/gkxUQRxVMnR3R0MH0w28TVdw/WQB+56nU7MR:RdW6CkSDkqT/pYLb9bfodM8hdlQhU7MR`
Imports Hash	`a1a66d588dcf1394354ebf6ec400c223`

DOS Header

e_magic	`MZ`
e_cblp	`0x60`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x60`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2016-Apr-02 22:14:51
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0x18200`
SizeOfInitializedData	`0x4ce00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001876F (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x68000`
SizeOfHeaders	`0x200`
Checksum	`0x1e0872`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`216156d27f2b0e2705346c4c451f706a`
SHA1	`5c634a337873153e507bea21c8b43db3221690d9`
SHA256	`76b021290961f384843af2a4b69735ccc4496a0b0af87dca74ec6db2a187c630`
SHA3	`54197b9b08d9a7d454d2e1c22746c78a0a9076f9aeca7d7b59b6a3e742314539`
VirtualSize	`0x1811a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x18200`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.69436`

.rdata

MD5	`f3a9a10d440b4fce2c7306ea5b8abaeb`
SHA1	`a42f951ec43e1a3e5cb6e4f42e5fbd9060cd9c5d`
SHA256	`6426c4bd124d1ad5dfb5462db2e0b833407561206bbed9d06069b1468dcc28e3`
SHA3	`b65871f1999f072fe1a7ee809c9155f643c046ebf3bb1ea4b5516a175092b847`
VirtualSize	`0x3f08`
VirtualAddress	`0x1a000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x18400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.73448`

.data

MD5	`509f17b4a1a173a5acc62e0d19f2a6cb`
SHA1	`7c6a6cd3c4f6abf889564e4a11ed6dec477723e8`
SHA256	`3653e21528c21c5f333609d96ad44fb36b004f7e3c74af2614c5981f496e072d`
SHA3	`659656b2229d13c16633266de94295941d35e347474d7e46cb4e0a820751fd57`
VirtualSize	`0x4b90`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x800`
PointerToRawData	`0x1c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.63033`

.rsrc

MD5	`da27420b66f84017cf7b608086fdd315`
SHA1	`a14bf6a012ad0b76493244a9db1b03b6464a3a34`
SHA256	`9e769ad56a8799c26ecca496b4c030f901f93d9c1ca4924c4b3759bbc6c8669b`
SHA3	`3b49ab00c84df592b5488a59f58f0c9b2fac9fb8125653caf0f32eddb2ec3f20`
VirtualSize	`0x441f5`
VirtualAddress	`0x23000`
SizeOfRawData	`0x44200`
PointerToRawData	`0x1cc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.72771`

Imports

COMCTL32.dll	`#17`
SHELL32.dll	`ShellExecuteExW` `ShellExecuteW` `SHGetMalloc` `SHGetPathFromIDListW` `SHBrowseForFolderW` `SHGetFileInfoW` `SHGetSpecialFolderPathW`
GDI32.dll	`CreateCompatibleDC` `CreateFontIndirectW` `DeleteObject` `DeleteDC` `GetCurrentObject` `StretchBlt` `GetDeviceCaps` `CreateCompatibleBitmap` `SelectObject` `SetStretchBltMode` `GetObjectW`
ADVAPI32.dll	`FreeSid` `AllocateAndInitializeSid` `CheckTokenMembership`
USER32.dll	`GetParent` `ScreenToClient` `CreateWindowExW` `GetDesktopWindow` `GetWindowTextLengthW` `SetWindowPos` `SetTimer` `GetMessageW` `CopyImage` `KillTimer` `CharUpperW` `SendMessageW` `ShowWindow` `BringWindowToTop` `wsprintfW` `MessageBoxW` `EndDialog` `ReleaseDC` `GetWindowDC` `GetMenu` `GetWindowLongW` `GetClassNameA` `wsprintfA` `DispatchMessageW` `SetWindowTextW` `GetSysColor` `DestroyWindow` `MessageBoxA` `GetKeyState` `IsWindow` `GetDlgItem` `GetClientRect` `GetSystemMetrics` `SetWindowLongW` `UnhookWindowsHookEx` `SetFocus` `SystemParametersInfoW` `DrawTextW` `GetDC` `ClientToScreen` `GetWindow` `DialogBoxIndirectParamW` `DrawIconEx` `CallWindowProcW` `DefWindowProcW` `CallNextHookEx` `PtInRect` `SetWindowsHookExW` `LoadImageW` `LoadIconW` `MessageBeep` `EnableWindow` `EnableMenuItem` `GetSystemMenu` `CreateWindowExA` `wvsprintfW` `GetWindowTextW` `GetWindowRect`
ole32.dll	`CreateStreamOnHGlobal` `CoCreateInstance` `CoInitialize`
OLEAUT32.dll	`SysAllocStringLen` `VariantClear` `SysFreeString` `OleLoadPicture` `SysAllocString`
KERNEL32.dll	`SetFileTime` `SetEndOfFile` `GetFileInformationByHandle` `VirtualFree` `GetModuleHandleA` `WaitForMultipleObjects` `VirtualAlloc` `ReadFile` `SetFilePointer` `GetFileSize` `LeaveCriticalSection` `EnterCriticalSection` `DeleteCriticalSection` `FormatMessageW` `lstrcpyW` `LocalFree` `IsBadReadPtr` `GetSystemDirectoryW` `GetCurrentThreadId` `SuspendThread` `TerminateThread` `InitializeCriticalSection` `ResetEvent` `SetEvent` `CreateEventW` `GetVersionExW` `GetModuleFileNameW` `GetCurrentProcess` `SetProcessWorkingSetSize` `SetEnvironmentVariableW` `GetDriveTypeW` `CreateFileW` `LoadLibraryA` `SetThreadLocale` `GetSystemTimeAsFileTime` `ExpandEnvironmentStringsW` `CompareFileTime` `WideCharToMultiByte` `GetTempPathW` `GetCurrentDirectoryW` `GetEnvironmentVariableW` `lstrcmpiW` `GetLocaleInfoW` `MultiByteToWideChar` `GetUserDefaultUILanguage` `GetSystemDefaultUILanguage` `GetSystemDefaultLCID` `lstrcmpiA` `GlobalAlloc` `GlobalFree` `MulDiv` `FindResourceExA` `SizeofResource` `LoadResource` `LockResource` `GetModuleHandleW` `FindFirstFileW` `lstrcmpW` `DeleteFileW` `FindNextFileW` `FindClose` `RemoveDirectoryW` `GetStdHandle` `WriteFile` `lstrlenA` `CreateDirectoryW` `GetFileAttributesW` `SetCurrentDirectoryW` `GetLocalTime` `SystemTimeToFileTime` `CreateThread` `GetExitCodeThread` `Sleep` `SetFileAttributesW` `GetDiskFreeSpaceExW` `SetLastError` `GetTickCount` `lstrlenW` `ExitProcess` `lstrcatW` `GetProcAddress` `CloseHandle` `WaitForSingleObject` `GetExitCodeProcess` `GetQueuedCompletionStatus` `ResumeThread` `SetInformationJobObject` `CreateIoCompletionPort` `AssignProcessToJobObject` `CreateJobObjectW` `GetLastError` `CreateProcessW` `GetStartupInfoW` `GetCommandLineW` `GetStartupInfoA`
MSVCRT.dll	`_purecall` `??2@YAPAXI@Z` `_wtol` `memset` `memmove` `memcpy` `_wcsnicmp` `_controlfp` `_except_handler3` `__set_app_type` `__p__fmode` `__p__commode` `_adjust_fdiv` `__setusermatherr` `_initterm` `__getmainargs` `_acmdln` `exit` `_XcptFilter` `_exit` `??1type_info@@UAE@XZ` `_onexit` `__dllonexit` `malloc` `realloc` `free` `wcsstr` `_CxxThrowException` `_beginthreadex` `_EH_prolog` `?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z` `strncmp` `wcsncmp` `wcsncpy` `strncpy` `??3@YAXPAX@Z`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x668`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.1359`
MD5	`b3e65ae20b308c584a48e30c471e8019`
SHA1	`fa5fbbce19371d210dddf28970d9e73350350793`
SHA256	`8c6f1fe099115380345b5d4cc65ecf8d8c5fdcad97abf41a7538318ca5543512`
SHA3	`b75841f55428ab967fac0943fbb104d23491cb219b1f2b077a45339ad8e8e0e2`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.60602`
MD5	`6a034f265793bbd5e677bf682c0d2742`
SHA1	`86f908fe1f2a6cc2dbaf3fc4ee371c164ee79061`
SHA256	`f124dfe6e202fe58203edbdae89af837860e9b30ebcdecfa631181c89c12eeaa`
SHA3	`aa36db07693387113a2eefbdc308376622db184cc77b5a50526cda137b9cc2e7`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.63074`
MD5	`05b53ec0b7816b0cfefacc0f5f0b1037`
SHA1	`b750d7343f4cb4cbdb227fbf0ad488af9e06891e`
SHA256	`d95f957bd2c5ad21cdda8ff0e3bc34643c433a89631a698f46c3cbadd481bef8`
SHA3	`a9805dbdf1f9250dd9a17d2fd443e664c85be6c02ba163edd0ef072c42d4309e`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.3817`
MD5	`8528f1e7df7b6d98bc54ddd9fb8d27f2`
SHA1	`6a985f2c03ef8cb14135fe46db8af9c434cc87e9`
SHA256	`019b84b7510645d6a52a703f9b6a56039efbaf3bef33709fc96aba6dfb736077`
SHA3	`356e879eaf0a682d5e8639e08d782c5e36b4c84346c9ebc5cb9aff67fd4ad863`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.71557`
MD5	`e6cf696e727db39e9c4328bd76cd5b35`
SHA1	`3a96c2c88aaa36391052d94c0ed7b6552bcd91aa`
SHA256	`7c2f333bf09d1ba1e5735a6f7959242aa5d7f8af1a490ae284d20783dfda5cbf`
SHA3	`247d6473073196f8f4206b37134a0d06e1ad5868b4cb3ad165cfcc81b0264703`

2001

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1c0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.1203`
MD5	`056f95c03ef919763fe1e1ed081bee3a`
SHA1	`4d3abc659779c5809daeabbe49e1a5347c42375a`
SHA256	`60a10176dcaefbc1a2f6b244106e40525b4fe370dc4f05a8da75b8862d63ae8e`
SHA3	`6ff4f00b3cf4cf0376d91b093765a311ae3e720b24f36e4768cf2d5dfa155a59`

2002

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x210`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.14779`
MD5	`30f5f4c000b7c018aab527138e92f418`
SHA1	`39803e92f1c679a7a02ca243fca1ea098ff08c2f`
SHA256	`253cb84eced7a5e556ed3f5719f22d38be6a09034600e258420b6efd54473d93`
SHA3	`1b2f88e538ba2bf67fc771e15e5b65546483c118c372217a95bd6461a7b3071c`

2003

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x260`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.22261`
MD5	`777abbd0c7e06efd4465146b99529874`
SHA1	`810348ff5f185d9c5eac51392d0e2829227fd0b8`
SHA256	`8e2609baa2d444a691d87cfeae6fd84d6f6cedf3130c4dd7185483afc57f255f`
SHA3	`9a1adcac494cfb565320a403387cca922458af3cdfd2e42e643b740d0ebe6fcf`

2004

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x234`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.18908`
MD5	`e30bcc962ac3e7958d73404e55873e04`
SHA1	`3e7e408d8d9588eaefe87fc8675d045d91117d99`
SHA256	`8cb58a8ddd90114a493218c5037d3d8110f0b3a77ba3f6fc760c4a2cd4f83250`
SHA3	`1e4c6767fe707fc215e439f6acf2347a307446837beca254cf5078ca5020519a`

2005

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1c8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.12072`
MD5	`d60578138e699993c9c00c363b97fd01`
SHA1	`2c1777b76ea93b0bde6f32b87dcacbd402f344ce`
SHA256	`cf8f13c52722597a2903a068c1200b95ae75bc6006afe0ad91f549920528d9d3`
SHA3	`299ded1c18b3841c0d751986498210e89dc69cd3e3c607cbe7dd29c252431cdf`

2006

Type	`RT_DIALOG`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x13c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.12056`
MD5	`69420950c76108e65ae9d4420a18de3c`
SHA1	`a3bf3a3207b338d496b41dfb0beb4ebf896b1833`
SHA256	`4e19f1101600eb5807cd581bd320b8b18e2576055498b8eeae78de25f8a4843a`
SHA3	`6c090c87acc5056d5ed3726024f8a2a49fffc4d419477890a544a018339af866`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.83321`
Detected Filetype	Icon file
MD5	`69156268e54ec6a784aca586e9597771`
SHA1	`c2c9e4a9723d89e82008a9c6604d2359358f6f6d`
SHA256	`5e606e9a3689d4d066d9700bed9cb577cc45ea281091b0f9f77cc7325ca1575f`
SHA3	`be8a82931962a3ac1f063099938b65a4a8316ab6317ac0c1a4a91708f6fa76af`

101

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.73443`
Detected Filetype	Icon file
MD5	`315a906b368711fadbca44b8b80d415f`
SHA1	`ca70f5cc29e33fbeb93b87db5ab843c3965628a1`
SHA256	`f464fe8a46a2c1472b47367e08653f41815c62d7e935aa5726fe3bbe7ff8b94c`
SHA3	`197e1ab7c832b8cb20477f7517f83ac3baccbee4809cbbe5793a5e376cce1f6f`

1 (#3)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x350`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.54276`
MD5	`2936a90e264804b2a2df4807a27f164c`
SHA1	`d0cd007c74a1ff9525ca3284dafa5c3d4a6961e8`
SHA256	`0e72dfdf939318841d4240e183b602c50aca2d1fee9c083f6f54d3fbdcf39cfa`
SHA3	`8d3d78d0933c473cce682faa15911021df76b875ede3ca25a1ed8d05ef2b3817`

1 (#4)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x309`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.2117`
MD5	`2f5809a93373a43b7ebf151732eaab47`
SHA1	`439fef5ca99a62277be30af9871111bd859be823`
SHA256	`1cbef81a3cbf8967be403cb25f824f41bf9f1bea039cb56e9c7d5e1b740c4d90`
SHA3	`1f3e15a2b9a75036e06c32ef82dec3cf29d42afb9fe8a9d2507aeb3c8d65c2ec`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.7.0.3900
ProductVersion	1.7.0.3900
FileFlags	`VS_FF_PRIVATEBUILD`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	Oleg N. Scherbakov
FileDescription	7z Setup SFX (x86)
FileVersion (#2)	1.7.0.3900
InternalName	7ZSfxMod
LegalCopyright	Copyright © 2005-2016 Oleg N. Scherbakov
OriginalFilename	7ZSfxMod_x86.exe
PrivateBuild	April 1, 2016
ProductName	7-Zip SFX
ProductVersion (#2)	1.7.0.3900

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

c528e0069a2b38a2842f466d599b8142

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

2

3

4

5

2001

2002

2003

2004

2005

2006

1 (#2)

101

1 (#3)

1 (#4)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors