e5ba2600809cdd533f25947bdbcef16d

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2011-Aug-02 17:41:58
Detected languages English - United States
CompanyName Viatech Inc. - www.elicense.com
FileDescription elicen40.dll
FileVersion 4, 0, 0, 2
InternalName elicen40.dll
LegalCopyright Copyright © 1998-2009, ViaTech Inc.
OriginalFilename elicen40.dll
ProductName Elicense System
ProductVersion 4, 0, 0, 2

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++ 8.0
MSVC++ v.8 (procedure 1 recognized - h)
Suspicious PEiD Signature: ASPack v2.12
Suspicious Strings found in the binary may indicate undesirable behavior: Contains another PE executable:
  • This program cannot be run in DOS mode.
Contains domain names:
  • elicense.com
  • www.elicense.com
Info Cryptographic algorithms detected in the binary: Uses constants related to MD5
Suspicious The PE is possibly packed. Unusual section name found: .itext
Unusual section name found: .triple
Section .triple is both writable and executable.
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
Can create temporary files:
  • CreateFileA
  • GetTempPathA
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Interacts with services:
  • OpenSCManagerA
  • OpenServiceA
  • QueryServiceStatus
  • ControlService
Enumerates local disk drives:
  • GetDriveTypeA
Manipulates other processes:
  • OpenProcess
Can shut the system down or lock the screen:
  • ExitWindowsEx
Malicious The PE is possibly a dropper. Resource 101 detected as a PE Executable.
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.
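The "possibly a dropper" verdict above rests on one check: the raw bytes of resource 101 start with a DOS header whose e_lfanew leads to a valid PE signature. The following is an added example (not code from the original report or from Manalyze) that performs the same carving by hand on a constructed resource blob; the embedded image's header fields are the ones the report prints for the host DLL, and the decoy "MZ" shows why a bare two-byte match is not enough.

```python
"""Carving an embedded PE image out of a resource blob.

Added example, not code from the original report or from Manalyze: it
reproduces the check behind "Resource 101 detected as a PE Executable" by
validating every "MZ" candidate inside a byte blob (e_lfanew must point at a
PE signature inside the blob and the COFF header behind it must be sane).
The sample resource blob is constructed here: filler bytes, a decoy "MZ" with
no PE behind it, and a minimal image whose DOS/COFF fields are the ones the
report prints for the host DLL (e_lfanew 0xF0, I386, 7 sections,
2011-Aug-02 timestamp, DLL characteristics).
"""
import datetime
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"


def format_timestamp(ts):
    """Render a PE TimeDateStamp the way the report does, e.g. 2011-Aug-02 17:41:58 (UTC)."""
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).strftime("%Y-%b-%d %H:%M:%S")


def find_embedded_pe(blob, start=0):
    """Return one dict per plausible PE image found in blob at or after 'start'."""
    hits = []
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe_off = pos + e_lfanew
            # e_lfanew must clear the DOS header and land on "PE\0\0" with a full COFF header behind it
            if 0x40 <= e_lfanew < 0x1000 and pe_off + 24 <= len(blob) and blob[pe_off:pe_off + 4] == b"PE\0\0":
                machine, nsec, ts, _symtab, _nsym, _optsize, chars = struct.unpack_from(COFF_FMT, blob, pe_off + 4)
                if machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64) and 0 < nsec <= 96:
                    hits.append({"offset": pos, "pe_offset": pe_off, "machine": machine,
                                 "sections": nsec, "timestamp": ts, "characteristics": chars,
                                 "is_dll": bool(chars & IMAGE_FILE_DLL)})
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_stub_image(machine, n_sections, timestamp, characteristics, e_lfanew=0xF0):
    """DOS header + DOS stub + PE signature + COFF header. Constructed sample, not a loadable image."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<HH", dos, 2, 0x90, 3)        # e_cblp, e_cp as printed in the report
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"  # the string the report flags
    stub = stub.ljust(e_lfanew - 0x40, b"\0")
    coff = struct.pack(COFF_FMT, machine, n_sections, timestamp, 0, 0, 0xE0, characteristics)
    return bytes(dos) + stub + b"PE\0\0" + coff


HOST_TIMESTAMP = 1312306918  # 2011-Aug-02 17:41:58 UTC, the TimeDateStamp in the report
PREFIX = b"decoy MZ text with nothing behind it" + b"\0" * 0x200   # constructed filler
EMBEDDED = build_stub_image(IMAGE_FILE_MACHINE_I386, 7, HOST_TIMESTAMP,
                            IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE)
SAMPLE_RESOURCE = PREFIX + EMBEDDED + b"\0" * 0x100


if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_RESOURCE):
        print(f"PE at 0x{hit['offset']:x}: machine 0x{hit['machine']:x}, "
              f"{hit['sections']} sections, built {format_timestamp(hit['timestamp'])}, "
              f"{'DLL' if hit['is_dll'] else 'EXE'}")
```

Run against a real resource, the offset returned is where to slice the payload out for its own hashing and scanning; the host's own header at offset 0 is excluded by passing start=1 when the whole file, rather than a single resource, is scanned.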

Hashes

MD5 e5ba2600809cdd533f25947bdbcef16d
SHA1 966649803e61b69a054c69650cb9c7a528c36751
SHA256 ed5ea0bc583ed196ee1ecd60836c3c2e4ab85614bc42093e81e9f943649aa19f
SHA3 541e8240a3b837f034394b5a156bacab317667ab1c100d7a7485f4055cf40c87
SSDeep 3072:1rNpZciifhb4PPq2vBIETW1CwAy1OKh18P0EO9yJJPtZHuLCSo7j:BNpZ0hb462J6P1t60lOH
Imports Hash 3756f3f1b593821f0131e1e5a35bcd61
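The import hash is the value an analyst pivots on to find other builds of the same loader stub, so it is worth knowing exactly what it is computed over. Added example, not Manalyze's code: it implements the normalisation that pefile's get_imphash() established, applied to the first entries of this report's own import table (the value printed above covers the complete table, so the sample produces a different hash).

```python
"""How the "Imports Hash" printed above is derived.

Added example, not Manalyze's code. It follows the convention established by
pefile's get_imphash(): lowercase each imported module name, drop a
.dll/.ocx/.sys suffix, append "." and the lowercase function name ("ordN" for
ordinal-only imports), join every entry with commas in import-table order,
and MD5 the result. pefile additionally maps ordinals of a few modules
(ws2_32.dll, oleaut32.dll) to names; this example does not carry that table.
SAMPLE_IMPORTS is the first five entries of the report's import table in the
order shown.
"""
import hashlib


def normalize_module(name):
    """Lowercase and strip the extensions that imphash ignores."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports):
    """imports: list of (module, [function name or int ordinal, ...]) in table order."""
    parts = []
    for module, functions in imports:
        mod = normalize_module(module)
        for func in functions:
            parts.append(f"{mod}.ord{func}" if isinstance(func, int) else f"{mod}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import list. pefile returns '' for a file without
    imports; this example hashes the empty string instead."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# First entries of the import table shown in this report, in table order.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", ["StartServiceA", "OpenProcessToken"]),
    ("kernel32.dll", ["CreateFileA", "GetModuleFileNameA"]),
    ("USER32.dll", ["ExitWindowsEx"]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because order matters, two builds that import the same functions in a different order hash differently, and a stub that resolves most of its API through GetProcAddress (as this one is suspected of doing) keeps its imphash small and stable across the payloads it wraps.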

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 7
TimeDateStamp 2011-Aug-02 17:41:58
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x1f000
SizeOfInitializedData 0xc000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00005F6D (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x20000
ImageBase 0x2480000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x32000
SizeOfHeaders 0x1000
Checksum 0x37827
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 7aa8d6efc41bc4df4b1ca84e7fcc192b
SHA1 6d09afc2f0bc6d6cf51f9c2b9ec0432131b466f6
SHA256 f2c18f606315d1c0cbd5948e3b13fa5a40ab3c8c7acbe26d601827cf7b664406
SHA3 5e5939a5f5fdc7ed1956b5d8df907c5f0127c5bdeb3656997520ef11dc574dba
VirtualSize 0x1f000
VirtualAddress 0x1000
SizeOfRawData 0x1f000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.64701

.rdata

MD5 995a95afaf34282ed24a572768ccc61d
SHA1 bfee6e626d401531ec7d323be53f45c602cb0628
SHA256 5a38b4628417b2adcdaf68ac09ad2c44a8920b7fbd9b00e322927dc5d53a2e3f
SHA3 16a7d3ed700990bd0c4028d37f8a828dd8a83a74e8ddd2bb45cef476110e2806
VirtualSize 0x4000
VirtualAddress 0x20000
SizeOfRawData 0x4000
PointerToRawData 0x20000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.9785

.data

MD5 4fb4730613b23d3dd8a79bdb3a0341a4
SHA1 dc88c779f52f57a35747d189efbc54323c649156
SHA256 e66a187f6b032b772a59f10a050446535652c77982363b31be01a62b6990c732
SHA3 fcff67a33a2c559fa12614214215103a36091ecf47702dcf46775b22f9d580b4
VirtualSize 0x5000
VirtualAddress 0x24000
SizeOfRawData 0x5000
PointerToRawData 0x24000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.89632

.rsrc

MD5 fb8c2b844532e7815bc0415472b1247a
SHA1 a81e3e13d0ceb0230e99568bcef928891e0f960f
SHA256 142e076902afcbd463875a26fff353b9d3ed377aafe241f692868688face1079
SHA3 ce9647f678a937046ecf59dc7663b8eafbacc5052633c643f39dfedc818d0948
VirtualSize 0x2000
VirtualAddress 0x29000
SizeOfRawData 0x2000
PointerToRawData 0x29000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.48735

.reloc

MD5 a3bbd1f233f8e4bf0d35861f15366bb0
SHA1 7085147e92e33bdc4cbda6a4160c5ba1c89eb5a3
SHA256 7e87ed71170e369a3362624a1cd54f278ea5ead6040185d4975ec0a0803068b7
SHA3 aaeb45cfd2c6ca31365b099b0ca21ef407f7298019b4a27ddc6ab3353c977733
VirtualSize 0x3000
VirtualAddress 0x2b000
SizeOfRawData 0x3000
PointerToRawData 0x2b000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.00945

.itext

MD5 bc374d4835f4cd64f565d2143080f3a5
SHA1 67d7ccdbc6ace60ba21d70b7c7fef76a92b8e754
SHA256 5ab1effa9aa204892c1eae234f30a030faa6985e9dfd3a8e97f72c265b2b922b
SHA3 b2fcfdb10a7b5ad51f3780ee0e13f0952f7a250353d191701126c3944cb85996
VirtualSize 0x3000
VirtualAddress 0x2e000
SizeOfRawData 0x2000
PointerToRawData 0x2e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.16164

.triple

MD5 17f30367ebd77290c0ec1fffffce5274
SHA1 89ff07ecf94085e3d2cbe36a5e3950911f1ded88
SHA256 84c6bd18b36d46af3b842ad41977d634f52452252ddde3e74d1dad1ec9e0bef2
SHA3 b3eddf4d90a5fefe1472baf17f456831fef83f5eeadf6cc9e233b884533075c3
VirtualSize 0x1000
VirtualAddress 0x31000
SizeOfRawData 0x1000
PointerToRawData 0x30000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.67447
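The seven section records above are what the "possibly packed" verdict in the Plugin Output is built from. The following is an added example, not code from the original report or from Manalyze, that parses raw IMAGE_SECTION_HEADER entries and reproduces those findings, plus two checks a practitioner looks at next: a virtual size larger than the raw size (room reserved for data written at run time) and which section the entry point falls in. The sample table is packed from the values printed in this report; COMMON_SECTION_NAMES is this example's own list.

```python
"""Section-table heuristics of the kind applied in the Plugin Output above.

Added example, not code from the original report or from Manalyze. The sample
table is packed from the seven section records printed in the report.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes

# Names a stock Microsoft linker emits; this list is the example's own, not Manalyze's.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}


def parse_section_headers(blob, offset, count):
    """Parse 'count' section headers starting at 'offset' into dicts."""
    sections = []
    for i in range(count):
        (name, vsize, va, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from(
            SECTION_HEADER_FMT, blob, offset + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return sections


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def check_sections(sections, entry_point_rva):
    """Return (section name, finding code) pairs."""
    findings = []
    for s in sections:
        c = s["chars"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "rwx"))            # unpacks or patches code in place
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append((s["name"], "unusual-name"))
        if s["vsize"] > s["rawsize"]:
            findings.append((s["name"], "vsize-gt-raw"))   # space filled only at run time
    ep = section_for_rva(sections, entry_point_rva)
    if ep is None:
        findings.append(("<none>", "ep-outside-sections"))
    elif not ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append((ep["name"], "ep-not-executable"))  # runs only with DEP off or after VirtualProtect
    return findings


def build_section_header(name, vsize, va, rawsize, rawptr, chars):
    """Pack one IMAGE_SECTION_HEADER; used only to construct the sample table."""
    return struct.pack(SECTION_HEADER_FMT, name.encode("ascii").ljust(8, b"\0"),
                       vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


_RW_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Values copied from the section records in this report.
SAMPLE_TABLE = b"".join([
    build_section_header(".text",   0x1F000, 0x01000, 0x1F000, 0x01000, _RW_DATA),
    build_section_header(".rdata",  0x04000, 0x20000, 0x04000, 0x20000, _RW_DATA),
    build_section_header(".data",   0x05000, 0x24000, 0x05000, 0x24000, _RW_DATA),
    build_section_header(".rsrc",   0x02000, 0x29000, 0x02000, 0x29000, _RW_DATA),
    build_section_header(".reloc",  0x03000, 0x2B000, 0x03000, 0x2B000, _RW_DATA),
    build_section_header(".itext",  0x03000, 0x2E000, 0x02000, 0x2E000, _RW_DATA),
    build_section_header(".triple", 0x01000, 0x31000, 0x01000, 0x30000,
                         _RW_DATA | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
])
NUMBER_OF_SECTIONS = 7
ENTRY_POINT_RVA = 0x5F6D  # AddressOfEntryPoint from the optional header above


if __name__ == "__main__":
    secs = parse_section_headers(SAMPLE_TABLE, 0, NUMBER_OF_SECTIONS)
    for name, code in check_sections(secs, ENTRY_POINT_RVA):
        print(f"{name:8s} {code}")
```

On this table the checks reproduce the report's two findings (.triple is W+X; .itext and .triple carry unusual names) and add two the report does not print: .itext maps 0x1000 more bytes than it has on disk, and the entry point at 0x5F6D falls in .text, which as recorded here has neither IMAGE_SCN_CNT_CODE nor IMAGE_SCN_MEM_EXECUTE. That only executes with DEP off for the host process or after the loader stub changes page protections itself, which fits the VirtualProtect import and the packer verdict.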

Imports

ADVAPI32.dll StartServiceA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenSCManagerA
OpenServiceA
QueryServiceStatus
ControlService
CloseServiceHandle
kernel32.dll CreateFileA
GetModuleFileNameA
VirtualQuery
Sleep
GetLastError
TerminateProcess
OpenProcess
lstrcmpiA
GetProcAddress
GetModuleHandleA
DisableThreadLibraryCalls
GetCurrentProcess
WriteFile
LocalFree
FormatMessageA
lstrcatA
GetWindowsDirectoryA
SizeofResource
LockResource
LoadResource
FindResourceA
FreeLibrary
SetFilePointer
MoveFileExA
ExitProcess
lstrlenA
FindClose
FindNextFileA
FindFirstFileA
MoveFileA
GetSystemDirectoryA
CreateProcessA
DeleteFileA
LoadLibraryA
lstrcpyA
GetTempPathA
GetVersionExA
RtlUnwind
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeA
HeapFree
HeapAlloc
GetCurrentThreadId
GetCommandLineA
GetProcessHeap
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
ReadFile
InterlockedDecrement
GetFullPathNameA
GetCurrentDirectoryA
GetCurrentProcessId
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetFileAttributesA
GetFileType
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
GetStdHandle
SetHandleCount
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
MultiByteToWideChar
GetConsoleCP
GetConsoleMode
GetTimeZoneInformation
LCMapStringA
LCMapStringW
InitializeCriticalSection
SetStdHandle
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
CompareStringA
CompareStringW
SetEnvironmentVariableA
CloseHandle
VirtualProtect
SetLastError
USER32.dll ExitWindowsEx
LoadStringA
MessageBoxA
version.dll GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA
wsock32.dll WSAStartup
WSACleanup

Delayed Imports

Exports

cyb

Ordinal 1
Address 0x191e0

Resources

101

Type RSERV
Language English - United States
Codepage Latin 1 / Western European
Size 0xa00
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.50902
Detected Filetype PE Executable
MD5 29fab5363138f6e322f4cd780ed9d337
SHA1 a8b494d736c665b463b71c44ca99f248fd938d6d
SHA256 39ae6e21d116aec9ea65632f3325e848ffbec6169a88adc4814639f97a290d91
SHA3 60863e55948496f5ea93ef704357fc478865b86ed9145d8f36bc0508e289d4c5

7

Type RT_STRING
Language English - United States
Codepage Latin 1 / Western European
Size 0x326
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.12392
MD5 232311c94e83521aca521e758099c405
SHA1 fe5f17ea8f1eb10f0cd03d3735355ae51221c7f7
SHA256 6d8614be9917e590d845c3be5fdee550c9d6948f228756db37dd2950eb605e6a
SHA3 5207392bb252466a3a7d1b27ca140194270546820a4a7ac417ddf8908764fce6

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x320
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.36533
MD5 913c9ad7e1a01546597394956d10fcc4
SHA1 05e0459f15a6190b0db21ec9fb67c80b78a28cc6
SHA256 71e1b35b03909f1103b64dd4f133c0c1b3166053cbe3c94e10eb8001dd3583b2
SHA3 c4427c3c7c9504da70c1193054964507feb4c3ec7c8c8c459fcd221a9bf9906f

2

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x56
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.65542
MD5 bd62b6f553a2d1d012cc53fc325221d2
SHA1 c5353cec27b30fb35e414dd5f3d0e9205aaf1c07
SHA256 388f75e900f0c15fd66249d7b2e7edf6e14eeefb859e6f766b75058e44f27af6
SHA3 b59854a353caba5e0be1002399bcb847b4dd99e37cff0c7967dd0d42c1eab089

String Table contents

In order to finish initializing, this application must
first be run by a user with administrator privileges.
Please contact your system administrator for help.
eLicense Control
It is necessary to restart your computer in order to update the eLicense Control.
Do you want to reboot now?
Unable to force a system restart.
Please reboot your system manually.
eLicense Control - Prepare Reboot

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 4.0.0.2
ProductVersion 4.0.0.2
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Viatech Inc. - www.elicense.com
FileDescription elicen40.dll
FileVersion (#2) 4, 0, 0, 2
InternalName elicen40.dll
LegalCopyright Copyright © 1998-2009, ViaTech Inc.
OriginalFilename elicen40.dll
ProductName Elicense System
ProductVersion (#2) 4, 0, 0, 2
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x796076c7
Unmarked objects 0
Unmarked objects (#2) 52
Imports (VS2003 (.NET) build 4035) 11
Total imports 137
ASM objects (VS2012 build 50727 / VS2005 build 50727) 20
C objects (VS2012 build 50727 / VS2005 build 50727) 140
C++ objects (VS2012 build 50727 / VS2005 build 50727) 53
Exports (VS2012 build 50727 / VS2005 build 50727) 1
Resource objects (VS2012 build 50727 / VS2005 build 50727) 1
Linker (VS2012 build 50727 / VS2005 build 50727) 1
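The XOR key and the per-tool object counts above come from the undocumented Rich header that the Microsoft linker writes between the DOS stub and the PE signature. The following is an added example, not code from the original report or from Manalyze, that encodes and decodes that structure; the sample header is constructed with the key the report prints and the build numbers and counts from its table, while the product ids are hypothetical because the report does not print them.

```python
"""Decoding a Rich header such as the one summarised above.

Added example, not code from the original report or from Manalyze. Layout:
"DanS" XOR key, three key-XORed zero dwords, then (compid ^ key, count ^ key)
pairs, then "Rich" and the key in clear; compid is (product id << 16) | build.
The sample below uses the key the report prints (0x796076c7), the build
numbers and object counts from the report's table, and hypothetical product
ids, so the decoded product ids are illustrative only.
"""
import struct

DANS = struct.unpack("<I", b"DanS")[0]


def encode_rich_header(entries, key):
    """entries: list of (prodid, build, count). Returns the encoded header bytes."""
    words = [DANS ^ key, key, key, key]           # "DanS" then three zero dwords, all XORed
    for prodid, build, count in entries:
        words.append(((prodid << 16) | build) ^ key)
        words.append(count ^ key)
    return struct.pack(f"<{len(words)}I", *words) + b"Rich" + struct.pack("<I", key)


def decode_rich_header(blob):
    """Return {'offset', 'key', 'entries'} or None when no Rich header is present."""
    rich = blob.find(b"Rich")
    if rich == -1 or rich + 8 > len(blob):
        return None
    (key,) = struct.unpack_from("<I", blob, rich + 4)
    start = None
    for off in range(rich - 4, -1, -4):           # walk back one dword at a time to "DanS"
        (word,) = struct.unpack_from("<I", blob, off)
        if word ^ key == DANS:
            start = off
            break
    if start is None or (rich - start - 16) % 8 != 0:
        return None
    entries = []
    for off in range(start + 16, rich, 8):
        comp, count = struct.unpack_from("<II", blob, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return {"offset": start, "key": key, "entries": entries}


REPORT_KEY = 0x796076C7
# (prodid, build, count): builds and counts are the report's; prodids are hypothetical.
SAMPLE_ENTRIES = [
    (0x0000, 0, 0),          # unmarked objects
    (0x0001, 0, 52),         # unmarked objects (#2)
    (0x0101, 4035, 11),      # imports, build 4035
    (0x0102, 50727, 20),     # ASM objects, build 50727
    (0x0103, 50727, 140),    # C objects
    (0x0104, 50727, 53),     # C++ objects
    (0x0105, 50727, 1),      # exports
    (0x0106, 50727, 1),      # resource objects
    (0x0107, 50727, 1),      # linker
]


def build_sample_image():
    """DOS header + DOS stub + Rich header + PE signature (constructed; not loadable)."""
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\0")
    rich = encode_rich_header(SAMPLE_ENTRIES, REPORT_KEY)
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(stub) + len(rich))  # e_lfanew
    return bytes(dos) + stub + rich + b"PE\0\0"


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    info = decode_rich_header(SAMPLE_IMAGE)
    print(f"Rich header at 0x{info['offset']:x}, key 0x{info['key']:08x}")
    for prodid, build, count in info["entries"]:
        print(f"  prodid 0x{prodid:04x} build {build:5d} count {count}")
```

The decoder trusts the key stored in the file and does not recompute it from the DOS header, so a header that was edited after linking decodes without complaint; treat the build numbers as a hint about the toolchain, not as proof. The same ambiguity shows in the report's own labels ("VS2012 build 50727 / VS2005 build 50727"): the build number alone does not pin the product, which is why the product id matters.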

Errors