Manalyze report for cc4b1354e518f62f8365f3cae4d60edb

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Aug-26 09:03:29
Detected languages	Chinese - PRC English - United States
Debug artifacts	E:\tk\Fun Player\Rel2.8.6\src\toolkits\FunPuppet\Release\AptSpare.pdb
CompanyName	北京风行在线技术有限公司
FileDescription	AptSpare
FileVersion	`3.0.0.4`
InternalName	AptSpare.exe
LegalCopyright	Copyright (C) 2014-2016 Funshion All Rights Reserved
OriginalFilename	AptSpare.exe
ProductName	AptSpare
ProductVersion	`3.0.0.4`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to SHA512` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW` `Code injection capabilities (process hollowing): ResumeThread WriteProcessMemory SetThreadContext` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptVerifyMessageSignature` `Can create temporary files: CreateFileW GetTempPathW` `Manipulates other processes: WriteProcessMemory ReadProcessMemory`
Info	The PE is digitally signed.	`Signer: Beijing Funshion Online Technologies Ltd.` `Issuer: thawte SHA256 Code Signing CA`
Malicious	VirusTotal score: 33/66 (Scanned on 2017-12-28 04:27:25)	`Bkav: W32.HfsAdware.E35D` `MicroWorld-eScan: Trojan.Agent.CEIY` `CAT-QuickHeal: Pua.Funshion` `McAfee: GenericRXBK-AO!CC4B1354E518` `Zillya: Adware.CrossRiderCRTD.Win32.4629` `TrendMicro-HouseCall: ADW_Funshion` `GData: Trojan.Agent.CEIY` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Trojan.Agent.CEIY` `NANO-Antivirus: Trojan.Win32.Agent.epachn` `Ad-Aware: Trojan.Agent.CEIY` `Comodo: ApplicUnwnt.UnclassifiedMalware` `F-Secure: Trojan.Agent.CEIY` `VIPRE: Trojan.Win32.Generic!BT` `Invincea: heuristic` `McAfee-GW-Edition: GenericRXBK-AO!CC4B1354E518` `Emsisoft: Application.AdBundle (A)` `Ikarus: PUA.Funshion` `Cyren: W32/Trojan.MJKV-3924` `Jiangmin: Trojan.Generic.aikna` `Webroot: Pua.Funshion` `Avira: TR/Agent.ssbfg` `Antiy-AVL: Trojan/Win32.AGeneric` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Agent.CEIY` `ViRobot: Trojan.Win32.U.Injector.121816` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `ALYac: Trojan.Agent.CEIY` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=100)` `Yandex: Trojan.Agent!qpmQYXuupuM` `Fortinet: W32/Generic.AP.E62EE!tr` `Cybereason: malicious.1b8fb7`

Hashes

MD5	`cc4b1354e518f62f8365f3cae4d60edb`
SHA1	`b95bfcf5923fa3c9a07e5625c18160d7095a1a6a`
SHA256	`2c9b3cfff81b5aed3946f5f3de76f65715a940a2a947bc43e9e14d7cec31b71f`
SHA3	`7f96f041e6df13dc83324eb3dfd34bb5d146ecc5a447a6f7dccb33662c57e498`
SSDeep	`1536:juXbkBQuIjw8MIa3iFXdDANfTkdh3nKV3+yovmhLVnZPSb5:j0bvuIjw9Ia+N8qK3c+ZnZPSb5`
Imports Hash	`f4236cbb30f0132b6d142331fbc75475`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2016-Aug-26 09:03:29
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0xfa00`
SizeOfInitializedData	`0xc600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00004021 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x11000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x22000`
SizeOfHeaders	`0x400`
Checksum	`0x27958`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`676e0f01007342719dc0094f79e399ef`
SHA1	`32e56802635626e0032427aa17c3f072fb0b2181`
SHA256	`ff7e4e4dc8f3e9ed38cef63578e6106ff41988de70960fa437a5beb4909a4bff`
SHA3	`7d0ccb3f67d53ca877d22c78ac2a5d53f2fe8ecb4684dca566680d6895bf441c`
VirtualSize	`0xf88c`
VirtualAddress	`0x1000`
SizeOfRawData	`0xfa00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.60686`

.rdata

MD5	`18f8231d32069babf2f546c9210d07bc`
SHA1	`8fe03c1d8bcebb11c1652595a41e9bc26ebf24ce`
SHA256	`4911dfa164583f82b61c31b061381d1d8147a3da16464da03482c06731fabb24`
SHA3	`b98e12776ddf37d95713a74cdcec99a55ec19372a1b32b377f12c4683b66597d`
VirtualSize	`0x5238`
VirtualAddress	`0x11000`
SizeOfRawData	`0x5400`
PointerToRawData	`0xfe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.07772`

.data

MD5	`bcf548b7e2396f197fd7165bb18173a4`
SHA1	`7e1e62b2d05817fbebf7ffcc356c747e8a6dc365`
SHA256	`1c93d5c4eb3d7ef9d587984fb589eee679bdd14de3670d3e60c66972c8905712`
SHA3	`5885f3c9912bd7466256982366bfc0687626ae4a481f098708cabac8aa265733`
VirtualSize	`0x3b8c`
VirtualAddress	`0x17000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x15200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.62982`

.rsrc

MD5	`e2480fdf55ceab6bc509b1ea63d51700`
SHA1	`575eb9d2b89adab635c1f365fd105b3c9b3eb243`
SHA256	`a31a73f5a87fa70dcf0df41d66fc2dc3cc1c98bfdeca6eb4d7178d484ce361db`
SHA3	`a97039eb05f711e5c4c827b10b3a349ae3288e254ce5f9976c9bf58aeecb6bec`
VirtualSize	`0x4f8`
VirtualAddress	`0x1b000`
SizeOfRawData	`0x600`
PointerToRawData	`0x16c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.59149`

.reloc

MD5	`7920d51bbc846596de7567dbd20977f2`
SHA1	`beb41eca10eb7f272f342dfb238b3684bb59a159`
SHA256	`e66e31c8a00ce304bf1dab2651791bd2397c5f22e1faab0718b5de1eec365168`
SHA3	`e527441bc0b1f1503693452b83192ff82b594d3f9838e674615b7df8bda6cec8`
VirtualSize	`0x51f2`
VirtualAddress	`0x1c000`
SizeOfRawData	`0x5200`
PointerToRawData	`0x17200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.93839`

Imports

KERNEL32.dll	`DeleteFileW` `GetPrivateProfileStringW` `GetPrivateProfileIntW` `CreateMutexW` `WaitForSingleObject` `WriteFile` `CreateFileW` `FlushFileBuffers` `OpenMutexW` `GetCurrentThreadId` `ReleaseMutex` `GetCurrentProcessId` `Sleep` `SetLastError` `LocalFree` `InterlockedDecrement` `SetFilePointer` `InitializeCriticalSection` `LeaveCriticalSection` `EnterCriticalSection` `DeleteCriticalSection` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `WritePrivateProfileStringW` `HeapReAlloc` `GetProcessHeap` `WriteConsoleW` `GetTempPathW` `lstrcpyW` `GetNativeSystemInfo` `LockResource` `GetLastError` `MultiByteToWideChar` `SizeofResource` `WideCharToMultiByte` `GetCurrentProcess` `LoadResource` `FindResourceW` `FindResourceExW` `lstrcatW` `ResumeThread` `WriteProcessMemory` `CloseHandle` `lstrcmpiW` `VirtualAllocEx` `GetProcAddress` `GetModuleFileNameW` `TerminateProcess` `SetStdHandle` `HeapAlloc` `GetConsoleMode` `GetConsoleCP` `GetStringTypeW` `InterlockedExchange` `HeapFree` `LCMapStringW` `IsProcessorFeaturePresent` `HeapSize` `GetTickCount` `QueryPerformanceCounter` `HeapDestroy` `HeapCreate` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `ExitProcess` `ReadProcessMemory` `LoadLibraryW` `GetModuleHandleW` `CreateProcessW` `FreeLibrary` `SetThreadContext` `GetThreadContext` `TlsFree` `TlsSetValue` `TlsGetValue` `TlsAlloc` `IsValidCodePage` `GetOEMCP` `GetACP` `InterlockedIncrement` `GetCPInfo` `RaiseException` `GetFileType` `GetStdHandle` `SetHandleCount` `RtlUnwind` `InitializeCriticalSectionAndSpinCount` `GetCommandLineW` `HeapSetInformation` `GetStartupInfoW` `EncodePointer` `DecodePointer` `GetSystemTimeAsFileTime` `IsDebuggerPresent`
SHELL32.dll	`SHGetSpecialFolderPathW`
OLEAUT32.dll	`#9`
SHLWAPI.dll	`PathRemoveFileSpecW` `PathFileExistsW`
imagehlp.dll	`ImageGetCertificateHeader` `ImageGetCertificateData`
CRYPT32.dll	`CryptVerifyMessageSignature`

Delayed Imports

1

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x2fc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.55402`
MD5	`f9da38a4b12f22788c2f4bf4c6c38a57`
SHA1	`ddc7ef9d768af33ce41201ad1477f7426955bec4`
SHA256	`81c24e5eb277241954a934a326fe6b2edde940d47c47dfce76142c5b780d1516`
SHA3	`057697cec2b3d1dac58b86fb813857d6d8ea5539673acc0ae71923b3aad71655`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	3.0.0.4
ProductVersion	3.0.0.4
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Chinese - PRC
CompanyName	北京风行在线技术有限公司
FileDescription	AptSpare
FileVersion (#2)	3.0.0.4
InternalName	AptSpare.exe
LegalCopyright	Copyright (C) 2014-2016 Funshion All Rights Reserved
OriginalFilename	AptSpare.exe
ProductName	AptSpare
ProductVersion (#2)	3.0.0.4

Resource LangID	Chinese - PRC

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2016-Aug-26 09:03:29
Version	`0.0`
SizeofData	`94`
AddressOfRawData	`0x14a40`
PointerToRawData	`0x13840`
Referenced File	E:\tk\Fun Player\Rel2.8.6\src\toolkits\FunPuppet\Release\AptSpare.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x417310`
SEHandlerTable	`0x414f50`
SEHandlerCount	`17`

RICH Header

XOR Key	`0x146fe0bd`
Unmarked objects	`0`
C++ objects (VS2010 build 30319)	`5`
152 (20115)	`1`
C++ objects (VS2010 SP1 build 40219)	`77`
ASM objects (VS2010 SP1 build 40219)	`27`
C objects (VS2010 SP1 build 40219)	`202`
C objects (VS2008 SP1 build 30729)	`1`
Imports (VS2008 SP1 build 30729)	`31`
Total imports	`235`
175 (VS2010 SP1 build 40219)	`45`
Resource objects (VS2010 SP1 build 40219)	`1`
Linker (VS2010 SP1 build 40219)	`1`

cc4b1354e518f62f8365f3cae4d60edb

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors