Manalyze report for e58b3f06f81e9f454922e56f20875ab5cf5a7d0f99524e02b7603f46b1f831f7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Nov-18 16:27:35
Detected languages	English - United States
CompanyName	Gallery Inc
FileDescription	Defender Remover
FileVersion	`12.8.3`
LegalCopyright	Gallery Inc.
ProductName	Defender Remover
ProductVersion	`12.8.3`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Possibly launches other programs: CreateProcessA` `Can create temporary files: CreateFileW GetTempPathA CreateFileA`
Suspicious	The file contains overlay data.	`434133 bytes of data starting at offset 0x64000.`
Malicious	VirusTotal score: 29/72 (Scanned on 2025-06-01 09:09:03)	`APEX: Malicious` `AhnLab-V3: Malware/Win.Generic.R506848` `Alibaba: Trojan:Application/DisableDefender.2a5e6125` `Antiy-AVL: Trojan/Win32.Agent` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.174867571285524c` `CTX: exe.trojan.disabledefender` `CrowdStrike: win/malicious_confidence_60% (W)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `Elastic: malicious (moderate confidence)` `Fortinet: W32/PossibleThreat` `Google: Detected` `Ikarus: Trojan.WinREG.DisableDefender` `K7AntiVirus: Riskware ( 00584baa1 )` `K7GW: Riskware ( 00584baa1 )` `Kingsoft: malware.kb.a.761` `Lionic: Trojan.Win32.DisableDefender.4!c` `Malwarebytes: RiskWare.KillAV` `MaxSecure: Trojan.Malware.369446871.susgen` `McAfeeD: ti!E58B3F06F81E` `Microsoft: Trojan:WinREG/DisableDefender.C!dha` `Paloalto: generic.ml` `Skyhigh: BehavesLike.Win32.Synaptics.cc` `Trapmine: malicious.high.ml.score` `TrellixENS: Artemis!1A6BF240F438` `TrendMicro-HouseCall: TROJ_GEN.R002H01EP25` `ViRobot: Trojan.Win.Z.Disabledefender.843733` `Webroot: W32.Malware.gen`

Hashes

MD5	`1a6bf240f43808ff58b98bdf3b85524c`
SHA1	`d9e0b62548153f132887c39f72befcbd4b453f9c`
SHA256	`e58b3f06f81e9f454922e56f20875ab5cf5a7d0f99524e02b7603f46b1f831f7`
SHA3	`58c8462686e81b1291425f9dc3b38824d7d8395efd98b19b4b2585f50f52d3b9`
SSDeep	`12288:w1OgLdaaiAqzU7rOv/O6/NH90u9KIyburq6fAdAYmyf:w1OYda0IO6/LXEYr8dAByf`
Imports Hash	`3786a4cf8bfee8b4821db03449141df4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2010-Nov-18 16:27:35
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x19a00`
SizeOfInitializedData	`0x4cc00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00014B04 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1b000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x6a000`
SizeOfHeaders	`0x400`
Checksum	`0xda593`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8c9346b8cd91e8d7aa2e1586eb1a1b30`
SHA1	`b89caf4e5d6b26ae7c31f5883bd6f65b800c62ec`
SHA256	`99f2799afc0c62e358c674048ff12ff8ff6cfbd043fd7dbfdfa6074a4a4abb26`
SHA3	`34a56c9f0cfe149e54193c7bc84123be312fadb6c110b3064148c2c2de9d6f82`
VirtualSize	`0x199ea`
VirtualAddress	`0x1000`
SizeOfRawData	`0x19a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.60849`

.rdata

MD5	`5e256dc61db6deff01801e77de19d038`
SHA1	`8e65f609c6e46e1579e4425c2a811297bff84fce`
SHA256	`7cb94e778db30749a87f35d2f7b808a60a2af1f2a39c815ceb4eef1363c67f58`
SHA3	`2f99a585f37918495f1a8040ecd6ee7ce7cdc9eb9213fc572539239ae1a11eec`
VirtualSize	`0x4494`
VirtualAddress	`0x1b000`
SizeOfRawData	`0x4600`
PointerToRawData	`0x19e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.36802`

.data

MD5	`1d347e5500f0d4c5672ba18282b866f7`
SHA1	`3565d4fb3481e36dff2b69d356a4d6d0ad3506c5`
SHA256	`2bc590c7a6e55b782df9aa9aff9db5c6d98acb694c09376274e958a6c1902598`
SHA3	`ceb07de21c9fbb373c98fe57c1a625023eb8da81888324c75ed857a08c4dd32a`
VirtualSize	`0x5a48`
VirtualAddress	`0x20000`
SizeOfRawData	`0x3200`
PointerToRawData	`0x1e400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.37054`

.sxdata

MD5	`35925cfdc1176bd9ffc634a58b40ec17`
SHA1	`1f070e9dfbda0054d1a843e803e1a254701be02a`
SHA256	`bf34b3fc4d68c6e36efc565b159ae9a2de58b3a37034f15484e2e7f56c25972a`
SHA3	`c8f8b902b96f2da26afb84ebe3c80ce3e6045a76e47174f64032fc4e0d1fd9cc`
VirtualSize	`0x4`
VirtualAddress	`0x26000`
SizeOfRawData	`0x200`
PointerToRawData	`0x21600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_LNK_INFO` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.rsrc

MD5	`4a10dc79e61eec431d9b2516df192112`
SHA1	`632f7c45d86f71ce411c4cb7bfc4514f0cac56c6`
SHA256	`5e4f75b44c4bc3d138976c5fddd20dd7908829cfa510a60c23fa6eac8269daff`
SHA3	`ea85714af6bbd752fa283564b103c527155bf3cc68330a2a6a9f1633bc175c07`
VirtualSize	`0x4268c`
VirtualAddress	`0x27000`
SizeOfRawData	`0x42800`
PointerToRawData	`0x21800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.1026`

Imports

OLEAUT32.dll	`VariantClear` `SysAllocString`
USER32.dll	`SendMessageA` `SetTimer` `DialogBoxParamW` `DialogBoxParamA` `SetWindowLongA` `GetWindowLongA` `SetWindowTextW` `LoadIconA` `LoadStringW` `LoadStringA` `CharUpperW` `CharUpperA` `DestroyWindow` `EndDialog` `PostMessageA` `ShowWindow` `MessageBoxW` `GetDlgItem` `KillTimer` `SetWindowTextA`
SHELL32.dll	`ShellExecuteExA`
KERNEL32.dll	`GetStringTypeW` `GetStringTypeA` `LCMapStringW` `LCMapStringA` `InterlockedIncrement` `InterlockedDecrement` `GetProcAddress` `GetOEMCP` `GetACP` `GetCPInfo` `IsBadCodePtr` `IsBadReadPtr` `GetFileType` `SetHandleCount` `GetEnvironmentStringsW` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `FreeEnvironmentStringsA` `UnhandledExceptionFilter` `HeapSize` `GetCurrentProcess` `TerminateProcess` `IsBadWritePtr` `HeapCreate` `HeapDestroy` `GetEnvironmentVariableA` `SetUnhandledExceptionFilter` `TlsAlloc` `ExitProcess` `GetVersion` `GetCommandLineA` `GetStartupInfoA` `GetModuleHandleA` `WaitForSingleObject` `CloseHandle` `CreateProcessA` `SetCurrentDirectoryA` `GetCommandLineW` `GetVersionExA` `LeaveCriticalSection` `EnterCriticalSection` `DeleteCriticalSection` `MultiByteToWideChar` `WideCharToMultiByte` `GetLastError` `LoadLibraryA` `AreFileApisANSI` `GetModuleFileNameA` `GetModuleFileNameW` `LocalFree` `FormatMessageA` `FormatMessageW` `GetWindowsDirectoryA` `SetFileTime` `CreateFileW` `SetLastError` `SetFileAttributesA` `RemoveDirectoryA` `SetFileAttributesW` `RemoveDirectoryW` `CreateDirectoryA` `CreateDirectoryW` `DeleteFileA` `DeleteFileW` `lstrlenA` `GetFullPathNameA` `GetFullPathNameW` `GetCurrentDirectoryA` `GetTempPathA` `GetTempFileNameA` `FindClose` `FindFirstFileA` `FindFirstFileW` `FindNextFileA` `CreateFileA` `GetFileSize` `SetFilePointer` `ReadFile` `WriteFile` `SetEndOfFile` `GetStdHandle` `WaitForMultipleObjects` `Sleep` `VirtualAlloc` `VirtualFree` `CreateEventA` `SetEvent` `ResetEvent` `InitializeCriticalSection` `RtlUnwind` `RaiseException` `HeapAlloc` `HeapFree` `HeapReAlloc` `CreateThread` `GetCurrentThreadId` `TlsSetValue` `TlsGetValue` `ExitThread`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42108`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.11047`
MD5	`3c3176746474e7eb5ca01772db509b1d`
SHA1	`46801be166adffc26796b1080f4d8ee747ebff55`
SHA256	`9f0d587d3904d915575d16ca0af3f7ebd8c55a3643466270203a8d6d64800e68`
SHA3	`18a8981ac7eb907ba9afd7bb227844e66ff17d9832c5fd65f37cfd733ceef0de`

500

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xb8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.09294`
MD5	`8af78cd954cddc9ab418bafca9f62e0c`
SHA1	`c6ff8bd069db0ba61c844f4560cf8dfc2f0ec6b0`
SHA256	`3520c29b9987183324e6f3ed0a5ebcab2f73b6e6f3fabe17a327e0b8eb4e5ac0`
SHA3	`f2feb2f43fbe5877993c446781f0733e49a4a780833130903146da49840a4085`

1 (#2)

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x94`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.78284`
MD5	`f10a79138329e5d18b25d47f648946b3`
SHA1	`05d88947da644a07509a64dc081b8b7d498d8648`
SHA256	`5f298d1dfce9f41bd500e89e57e1da7481713c7b2a37b01825a5e6badf940b14`
SHA3	`bd8d1803273589e9ec27a29accbd6a0e63dc51f4dcbbfaaaeee0cc7ee0cdd552`

5

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x34`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.43775`
MD5	`de24c92d0a67718187168052499199cb`
SHA1	`006654de0b450d1f31c7c370a2104558dfe5b9ad`
SHA256	`7bab4b9a6b82cb5e5561b48d0136a492aee4ce78242a5c28e4baa925de511575`
SHA3	`d1e8842da978e4258bf80b8126d03c02506b26d064db7999f6b103b5afb5b50f`

1 (#3)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.77095`
Detected Filetype	Icon file
MD5	`6c493adbaf26f027e1d72e3cbb09f61f`
SHA1	`ba60811370c6529e7daf5fe1a28280bc1e8900e5`
SHA256	`c4c7969f75b3e1f78fae7e5b7d8f276b9fb5ad50a6ce9b80014818357224b876`
SHA3	`f32faf460da64ca77d96ae354190ee9e886b802743dae8bd086eab779b186d54`

1 (#4)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x248`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.31583`
MD5	`ff10dcf55d4f325649d00f1fbd76e7b7`
SHA1	`bc4513dee17259a0e1717fae2b0e494ac15c76e8`
SHA256	`b78acdd9690a8e7ab219fae85b7c1c68890e06576fcd40d6fc4e060c76f94b18`
SHA3	`2ee288a32e700778d8254ef046d7d93ea814f9132ef84a8627725d33d555f7b0`

String Table contents

Extraction Failed
File is corrupt
Cannot create folder '{0}'
Extracting

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	12.8.3.0
ProductVersion	12.8.3.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Gallery Inc
FileDescription	Defender Remover
FileVersion (#2)	12.8.3
LegalCopyright	Gallery Inc.
ProductName	Defender Remover
ProductVersion (#2)	12.8.3

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x4738099`
Unmarked objects	`0`
14 (7299)	`25`
C objects (VS98 SP6 build 8804)	`64`
C objects (2190)	`1`
Total imports	`184`
Imports (2179)	`9`
C++ objects (VS98 SP6 build 8804)	`77`
C objects (VS2010 build 30319)	`7`
ASM objects (VS2010 build 30319)	`1`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

Leave a comment

No comments yet.