d75cec907b742a8d4fb396738f0cbad0

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1992-Jun-19 22:22:17
Detected languages Russian - Russia

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • http://schemas.microsoft.com
  • http://schemas.microsoft.com/SMI/2005/WindowsSettings
  • microsoft.com
  • schemas.microsoft.com
Suspicious The PE contains functions most legitimate programs don't use. Can access the registry:
  • RegQueryValueExA
  • RegOpenKeyExA
  • RegCloseKey
  • RegSetValueExA
Possibly launches other programs:
  • WinExec
  • ShellExecuteA
Can create temporary files:
  • GetTempPathA
  • CreateFileA
Enumerates local disk drives:
  • GetLogicalDriveStringsA
  • GetDriveTypeA
Can take screenshots:
  • CreateCompatibleDC
  • BitBlt
  • GetDC
Suspicious The PE header may have been manually modified. The resource timestamps differ from the PE header:
  • 2005-Nov-17 17:09:42
Suspicious The file contains overlay data. 4940402 bytes of data starting at offset 0xa200.
The overlay data has an entropy of 7.92642 and is possibly compressed or encrypted.
Overlay data accounts for 99.1675% of the executable.
Info No VirusTotal score. A scan of the file is currently queued.

Hashes

MD5 d75cec907b742a8d4fb396738f0cbad0
SHA1 31095e1b9235de534b51319bae0da4f614f6033b
SHA256 fe0ee13db44ea69994a2c0c4aa3df288a8ea0ac94ebf715b6f007dccbbb87887
SHA3 b3144f3659b993cf72f0c20143d9e9227b54b40b02e32f88ca71dca4346b19b2
SSDeep 98304:C3t1ikgTfI6Kt2kMHeBb8zWKpLYemirSDpxrTK7OqS/Fzc+:wt1irDI6Ktqe52WeYemiEpxrIOqSNzB
Imports Hash b7664abad11f7001f4504cb044cb4c11

DOS Header

e_magic MZ
e_cblp 0x50
e_cp 0x2
e_crlc 0
e_cparhdr 0x4
e_minalloc 0xf
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0x1a
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 8
TimeDateStamp 1992-Jun-19 22:22:17
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x7400
SizeOfInitializedData 0x2a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000080E4 (Section: CODE)
BaseOfCode 0x1000
BaseOfData 0x9000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x1b000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x4000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

CODE

MD5 ca3464d4f08c9010e7ffa2fe3e890344
SHA1 d8e5632fdd666820b7dabaa20495c25a6389f778
SHA256 cd79518b7af1303faf53f83deb9483e18bd37edec38bc090d9cadc2b8ae5981a
SHA3 7f7d1beefbd635253eb4b8cb19b84ac9aa79a85fbae1056ba0ec4d3ab2ef3d84
VirtualSize 0x722c
VirtualAddress 0x1000
SizeOfRawData 0x7400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.51167

DATA

MD5 7ffc3168a7f3103634abdf3a768ed128
SHA1 a47fe8a4fd97fa97a36e545b5f135e580fb0f57a
SHA256 9a034863e58f6fc6a23b8f8cd8732641dcacf70ba8dc7316e1b6664a883cfaa6
SHA3 18e4b75887aa1e0a4a947b88ecbdf218e71ca0c2208a19a3f80897a05ca5b3d8
VirtualSize 0x218
VirtualAddress 0x9000
SizeOfRawData 0x400
PointerToRawData 0x7800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.1517

BSS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0xa899
VirtualAddress 0xa000
SizeOfRawData 0
PointerToRawData 0x7c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata

MD5 6e7a45521bfca94f1e506361f70e7261
SHA1 3f7c121baf4a9bd57538b97806920cc8a1d1ba24
SHA256 986a821ac30aec6cb19741d0232ff2b7138505eb39fc2a4046738afec41c5672
SHA3 f2be6900b72e66853accc440aa203890b997355b1376a796d9d09b9844fa6eea
VirtualSize 0x864
VirtualAddress 0x15000
SizeOfRawData 0xa00
PointerToRawData 0x7c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.17386

.tls

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x8
VirtualAddress 0x16000
SizeOfRawData 0
PointerToRawData 0x8600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata

MD5 7e6c0f4f4435abc870eb550d5072bad6
SHA1 5fc2d532c93cc509a9e75941fc9cfed27be87979
SHA256 093d78850946c78a94ddcd867ff22c69249be3dfd6fbe7e05fbb6ecfdf93a10f
SHA3 14e0f2c1d53235f005ec549b6f6aa625c0d41aa053b569471123e90eaf2a2e7b
VirtualSize 0x18
VirtualAddress 0x17000
SizeOfRawData 0x200
PointerToRawData 0x8600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
Entropy 0.20692

.reloc

MD5 16968c66d220638496d6b095f21de777
SHA1 fd6e0154406bd02a1b8596ca6fe904c176f2372b
SHA256 5aedee862e267d21a90e3ff52da441ea272f434f232f3ccbd586de6ce887cfc8
SHA3 c82a8235a519ecf83ca640f6cb23df97287654683cbe9f3bdd11d9ae20ed2744
VirtualSize 0x5cc
VirtualAddress 0x18000
SizeOfRawData 0x600
PointerToRawData 0x8800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
Entropy 6.44309

.rsrc

MD5 ddf3153082518dac91d52a0d0a455282
SHA1 061629633eda68212eac3d0b3e41112a1115bd50
SHA256 68e52111b072e2a1c30364fd4c02f87b845bd2a5f6d17ac791a64f879c7047cc
SHA3 71fcca7f2bee056142ac6924e5f3304d49bd0c8370954ba3ed39a40bd7943575
VirtualSize 0x1400
VirtualAddress 0x19000
SizeOfRawData 0x1400
PointerToRawData 0x8e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_SHARED
Entropy 2.8132

Imports

kernel32.dll DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
GetThreadLocale
GetStartupInfoA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll GetKeyboardType
MessageBoxA
advapi32.dll RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll SysFreeString
SysReAllocStringLen
kernel32.dll (#2) DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
GetThreadLocale
GetStartupInfoA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
advapi32.dll (#2) RegQueryValueExA
RegOpenKeyExA
RegCloseKey
kernel32.dll (#3) DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
GetThreadLocale
GetStartupInfoA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
gdi32.dll StretchDIBits
SetDIBits
SelectObject
GetObjectA
GetDIBits
DeleteObject
DeleteDC
CreateSolidBrush
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
user32.dll (#2) GetKeyboardType
MessageBoxA
shell32.dll ShellExecuteA
ExtractIconA

Delayed Imports

1

Type RT_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 2005-Nov-17 17:09:42
Entropy 1.75622
MD5 931b9bed5060100319cc46c148b2d301
SHA1 92dbe8d5b9d49bc743f521038416700a4394af2f
SHA256 44e6f79ff0ea390c343e74620c58e98246d0682cef87d7a2415a944d7cad4f7c
SHA3 5f20e2b3d021a45429311688407c8bfc55e27b74f7c55df263705a92c6efa2f5

DVCLAL

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x10
TimeDateStamp 2005-Nov-17 17:09:42
Entropy 4
MD5 d8090aba7197fbf9c7e2631c750965a8
SHA1 04f73efb0801b18f6984b14cd057fb56519cd31b
SHA256 88d14cc6638af8a0836f6d868dfab60df92907a2d7becaefbbd7e007acb75610
SHA3 a5a67ad8166061d38fc75cfb2c227911de631166c6531a6664cd49cfb207e8bb

PACKAGEINFO

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0xac
TimeDateStamp 2005-Nov-17 17:09:42
Entropy 6.90278
MD5 11aae92e51bd22430c8b146fb95bf3cb
SHA1 d688ffd94d2d58a51105f37c8e8dd2d5590990ad
SHA256 fb176a7d735dd977472c70a0fcb12715d652a46701d6f7d7c0a6e378a4327c83
SHA3 0d004d0968e343a0c8c942038f4bc0a6212c90b8961478f133f997d3a64ffb74

MAINICON

Type RT_GROUP_ICON
Language Russian - Russia
Codepage UNKNOWN
Size 0x14
TimeDateStamp 2005-Nov-17 17:09:42
Entropy 1.7815
Detected Filetype Icon file
MD5 3c68f77c35c26ff079a1c410ee44fa62
SHA1 0b40150c95fc2c6414c90d44ee78b8d8814b3393
SHA256 a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0
SHA3 590dcbf2ec3f485a6c24e3e627f383ee7588eb49978321f12c07d8190a6c1396

Version Info

TLS Callbacks

StartAddressOfRawData 0x416000
EndAddressOfRawData 0x416008
AddressOfIndex 0x409090
AddressOfCallbacks 0x417010
SizeOfZeroFill 0
Characteristics IMAGE_SCN_TYPE_REG
Callbacks (EMPTY)

Load Configuration

RICH Header

Errors

[*] Warning: Section BSS has a size of 0!
[*] Warning: Section .tls has a size of 0!