d8121739516847d184279fab42067e14

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2018-Mar-03 07:27:35
Detected languages English - United States
FileDescription ClamWin Antivirus
FileVersion 0, 99, 4, 0
InternalName clamscan.exe
LegalCopyright Copyright (C) 2005-2018 Cisco Systems, Inc. / ClamWin Pty Ltd
OriginalFilename clamscan.exe
ProductName ClamWin Antivirus
ProductVersion 0, 99, 4, 0

Plugin Output

Suspicious The PE is possibly packed. Unusual section name found:
Section is both writable and executable.
Unusual section name found:
Section is both writable and executable.
Unusual section name found:
Section is both writable and executable.
Unusual section name found:
Section is both writable and executable.
Section .rsrc is both writable and executable.
Unusual section name found:
Section is both writable and executable.
Section .data is both writable and executable.
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
 Can access the registry:
  • RegCloseKey
 Possibly launches other programs:
  • ShellExecuteA
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 d8121739516847d184279fab42067e14
SHA1 87d0e79aa9297d2c3905d54bcc93693898f0598a
SHA256 f9332ba559917ff75bb8d773cd654c78db81fd206ecba546ee30514e5d892fbe
SHA3 c3d2837881c419bd2d413f20fbb07fcee07af0877e1a23e64ae874d93a44d940
SSDeep 24576:7Ro4tpeix8vewX/32969BdcEveuyb5fQTQSVnpKxD0UIG:NFpeix0Xf2Irfyb5fSVIxoU
Imports Hash 3af974ddd6dda6256814a39c0644e1ce

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 7
TimeDateStamp 2018-Mar-03 07:27:35
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x7000
SizeOfInitializedData 0x10000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0039B38C (Section: .data)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x39e000
SizeOfHeaders 0x1000
Checksum 0x25e09
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
SizeofStackReserve 0x200000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x200000
SizeofHeapCommit 0x2000
LoaderFlags 0
NumberOfRvaAndSizes 16

MD5 192273daca1a351afbf7dccca4d163cd
SHA1 6242e7d0d8a33a4e9952ea6cafbff60dc5ac2f5e
SHA256 546a7440d9bf95659509a91aefd5e9012e5db35f0c8300b5100fa65399c4adb0
SHA3 cf1f5f92acec26b1fece012bdc4daaa5527777a10a49fc5c3e420333eb2239c0
VirtualSize 0x7000
VirtualAddress 0x1000
SizeOfRawData 0x4000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.55978

(#2)

MD5 eaa617fb85c1721c80caf3e0a06bf731
SHA1 85acd95af1f09f11df51c0f155bd7984fd7b6569
SHA256 e076eef3229806c1d9ff092d73160e0b5149bb379bd136bba6e29a22a941fe16
SHA3 1133f0b532d2c32d72d0d2bde037a16fb12ab1b41a7736eb5b9b27baec33e845
VirtualSize 0x8000
VirtualAddress 0x8000
SizeOfRawData 0x2000
PointerToRawData 0x5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.20717

(#3)

MD5 f5c5dc34c7cbcf6d39fe202f982cd9b9
SHA1 a9cc16e4eeda4f98814f0d0f6613d4e1b0017b1e
SHA256 2ce9f6b8f3d9a7aae305383fd8d3ab71ac873975c77b8007d8071c0cb4688eae
SHA3 fba479d28185084c6338fa455bc1cf40abe70784fc505665a3963441245ed797
VirtualSize 0x1000
VirtualAddress 0x10000
SizeOfRawData 0x1000
PointerToRawData 0x7000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.51289

(#4)

MD5 fe7635f98d46d4b395602e771c16e577
SHA1 1355f7936a90f069f8562c9a160d28a984a67801
SHA256 8e34ee62c6c45a70c41a43fcc06944892c04416efa79dd20b501cf0bd9590560
SHA3 fa801ef6174997f2fe78b41309d9a9a9b1e4b384b6249128f01f12181222cfa2
VirtualSize 0x7000
VirtualAddress 0x11000
SizeOfRawData 0x1000
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.0810442

.rsrc

MD5 1af7e0395d0606ca73771ee1c68b6553
SHA1 a435fcc4d07bf8dfce4cf9dfc26f7f9b046796fa
SHA256 8fa2ec9e98de506954547713cffb0af668ac21c5363935aceeb163cb2fc16793
SHA3 ce273f60a648f2adc75519881365123a7de31ccc9680ca9970599b3b514088b7
VirtualSize 0x7000
VirtualAddress 0x18000
SizeOfRawData 0x7000
PointerToRawData 0x9000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.68132

(#5)

MD5 6f0c37b1c3f77a7986bb77021db46270
SHA1 a5859e1b86407eac4578e44e6d45b9df2509de26
SHA256 9195f861eaec978ff1246d71ccf600bf343f9b43fb7013b78c272f00e83c8a81
SHA3 67b06881d32ce222588825df9d02667fa284a680ab2db09f2a23c68e5ee4fe99
VirtualSize 0x291000
VirtualAddress 0x1f000
SizeOfRawData 0x2f000
PointerToRawData 0x10000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.98341

.data

MD5 2d1ee90cf3765e80579ff7f0139e4a9b
SHA1 7eac95363fe0de26a67b1a46212d18e9499244f2
SHA256 0a4efa9e26930e84985658272b4f3a6d15668bd74cdddc1e56a8668e8951b168
SHA3 e2feacb3b46d60a09266db268ab46f60449fd4b036fcd3631430d17394b865c7
VirtualSize 0xee000
VirtualAddress 0x2b0000
SizeOfRawData 0xee000
PointerToRawData 0x3f000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.96893

Imports

kernel32.dll GetModuleHandleA
GetProcAddress
ExitProcess
LoadLibraryA
user32.dll MessageBoxA
advapi32.dll RegCloseKey
oleaut32.dll SysFreeString
gdi32.dll CreateFontA
shell32.dll ShellExecuteA
version.dll GetFileVersionInfoA
libclamav.dll #104
MSVCR80.dll _lseek

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.35688
MD5 af894620285e7978a4b197866dd85cd6
SHA1 9c292927e64d53d1232fd1aa884145e1615f387f
SHA256 b2643dfd78a1fae84809aa1794baa0ab6e6c1023ae75b8b56ce564625440600b
SHA3 ba2d35caad1ee22ecf8c7ee88d8055490bcf6fa1c8a07327741ab26d4082b164

2

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.67718
MD5 9058ef77f687b9656e135b52c0c15a84
SHA1 0d838cfcebadf07ba97bd4a93ae5daf62562e6bf
SHA256 dd2bbed0a7f8cc7591c4238879d3d84666c504a736ab7869faea7dbcf963d520
SHA3 d7848eb9dbc3e70efa77b5274ee71e915bd4cdb9245c4b44a47b49f8f993a174

3

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0xea8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.42674
MD5 f64674442aff7108a7d085a3aeacdc00
SHA1 a37edbbfe7b6bfd550a2b243a6d8a49a13b797db
SHA256 2b2778284b5ff61ea2051dea06f738c5fa74fb02182e4ea38eef08b8498a8917
SHA3 e4b449dfb5ae21416e17f9c2b56e30275f50378629cfd3624ed55de0c5843114

4

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x8a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.45585
MD5 0a31946a537eefce914f1e6ffae837e4
SHA1 a21e550f315da81d4434d198275b66aa820330f7
SHA256 e817f6bdd1d34e768ff851fd7d02acbdd6e9bc66b2b02516de4cb6832a1b5b9d
SHA3 4c72b21e6e9bc9ead97edec6228d6e94a6c8515e5ed632c365007c30731e4c41

5

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x568
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.10645
MD5 ca9953916b8f0c32f7d9bbd818cda43a
SHA1 9e55785d2650f09e45ac167beb9032b974c3ae5d
SHA256 381a49f826ef673360eed55832c78374bacacadb3fb15dc1aee1b4d4dcf777fd
SHA3 411b4f67e48b6c9f6fc6fd951c383953ec261330a096de4972dfde13d9b2f8d8

6

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.44717
MD5 a4f23e215e22b1ee2737ec1eb4c077f7
SHA1 cca549d9606600b141e035fcc71e03a4c161b5fb
SHA256 d0ef2aa8f2daf25212276b365dfd90b3f0f3e71989c9cb501865363b48c74de3
SHA3 f15a74017a879b38c021e68973968a56e5a3f8acdecb30bd56ce934ee2a936e7

7

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.65633
MD5 e49d449ddfa7d6bcee0a22e434e1a006
SHA1 386f8721cc3306105155b43d45450cdd108d2054
SHA256 79fe12351f25e672bf6626c07375e3e5fe88cd9370c24f02cf9b85640eff36dc
SHA3 90a92303f300b6088cd190f8b6af101128f3694f49114dd5e53b4badf0b89d37

8

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.78185
MD5 3227d16ff577129c80b8deda3ac4bf15
SHA1 283db7a56fce51d2a4913c60c91355fa5b942e75
SHA256 73f3902a8cea48e9267f4a246ff87949bff69ab357199b174c2b03d731e90bbc
SHA3 fcc0bdc7d4e2db49ded9513ab19fd7fc4c113b833d358af660c10428207329e2

9

Type RT_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.87391
MD5 29684b213f50ed6ead0612a4caf0b606
SHA1 61ac1bddc3ee55455c40b8eb973e8055bb7fcac9
SHA256 39c42491226aab9ebe40e7815ed88e36fa1adec55138c4b29dc0d19957f10671
SHA3 1248c26daeded1b801ecb006d2ff5bfd981da80850edbc4056e8e5cc478e20fd

100

Type RT_GROUP_ICON
Language English - United States
Codepage Latin 1 / Western European
Size 0x84
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.91874
Detected Filetype Icon file
MD5 19361f4bc063553ed93001187ff0d38f
SHA1 fb031954f420b4ac2fedf74cbbca09cd7f90c0a8
SHA256 405faedb755d5a18c5736ff0feb1a10fe46622b5f8ec43b7c3e47c8db7124332
SHA3 52f783860bbd84de4a69da443b43c153422d9b4d442ecbe61591fa098fa1e961

1 (#2)

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x300
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.39826
MD5 96c75b00f5463091736e264fe6d8b91e
SHA1 9315f3cb7f3e425524d7db1a6480300b23ef6498
SHA256 af6c82bfef0c1e1a753771effd1bf17cd98639314f8e1f6a920c123f49f931d3
SHA3 6f47df4342c1cbf2c48e3922a6017716d28b1f5efc3830a2c79612d3fe5dd8b3

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x155
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.09264
MD5 5a000145fa5794ca1d45e479ab47b127
SHA1 a4a9c58152c765b3e31d4ab2f8d18ee5d926ed68
SHA256 051076e9d573943752a14858930365e0763f7f2920d824951787f199ddbc7859
SHA3 ac169575d584ac2f6061470b0926c8dd4c1184cc21509240e738016f0b5bb64f

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 0.99.4.0
ProductVersion 0.99.4.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_DLL
Language UNKNOWN
FileDescription ClamWin Antivirus
FileVersion (#2) 0, 99, 4, 0
InternalName clamscan.exe
LegalCopyright Copyright (C) 2005-2018 Cisco Systems, Inc. / ClamWin Pty Ltd
OriginalFilename clamscan.exe
ProductName ClamWin Antivirus
ProductVersion (#2) 0, 99, 4, 0
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x376b278b
Unmarked objects 0
126 (50327) 7
C++ objects (VS2012 build 50727 / VS2005 build 50727) 2
ASM objects (VS2012 build 50727 / VS2005 build 50727) 4
C objects (VS2012 build 50727 / VS2005 build 50727) 22
Imports (VS2012 build 50727 / VS2005 build 50727) 4
Total imports 185
Imports (VS2003 (.NET) build 4035) 5
113 (VS2012 build 50727 / VS2005 build 50727) 10
Resource objects (VS2012 build 50727 / VS2005 build 50727) 1
Linker (VS2012 build 50727 / VS2005 build 50727) 1

Errors

<-- -->