eb6183f540e6de63af8a07dd36ff24df

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2008-Sep-16 14:17:44
Detected languages Process Default Language
Russian - Russia

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Can access the registry:
  • RegCloseKey
  • RegCreateKeyExA
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegSetValueExA
Can create temporary files:
  • CreateFileA
  • CreateFileW
  • GetTempPathA
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Changes object ACLs:
  • SetFileSecurityA
  • SetFileSecurityW
Suspicious The file contains overlay data. 1389050 bytes of data starting at offset 0x1a200.
The overlay data has an entropy of 7.99945 and is possibly compressed or encrypted.
Overlay data accounts for 92.8473% of the executable.
Suspicious VirusTotal score: 1/69 (Scanned on 2020-07-30 16:33:46) APEX: Malicious

Hashes

MD5 eb6183f540e6de63af8a07dd36ff24df
SHA1 9ea2a279d7612f54ff84809e06b8ef9e450d0dd8
SHA256 990f5fe4dda05d3aafb2babde45c30b2d0db36bcd6a4af630bc088aa9c396c5a
SHA3 3376007243b608d9a5a69f91fa91a37101a603e29924509c5fbf8012a661b1c6
SSDeep 24576:kIHsDPmgUerE03qp2LYUcw+HsNphJ6y7Gox6les/hxaXNxT/BpReRuZ4I15Oxdu6:kIMuTxUcwMsP36yHShQXNxTZpRO9IHO7
Imports Hash 66b351fddb6ff9ed55bc15f78e779b17

DOS Header

e_magic MZ
e_cblp 0x50
e_cp 0x2
e_crlc 0
e_cparhdr 0x4
e_minalloc 0xf
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0x1a
e_oemid 0
e_oeminfo 0
e_lfanew 0x200

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2008-Sep-16 14:17:44
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 5.0
SizeOfCode 0x14000
SizeOfInitializedData 0x6200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001000 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x15000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x24000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d9c3b0b82d7da6d18b0896fb360cea84
SHA1 7cb02843861bd678c359daa99806510e86cdc828
SHA256 05d071ebbf103a17113d8b70ca5ac9230ba26f405c948020fb40d3d09c4dbcb7
SHA3 d2a8a29e4b9cceac9bf5f165b48920fe523c148994ebb0ff4c2f73e534e3ff31
VirtualSize 0x14000
VirtualAddress 0x1000
SizeOfRawData 0x13a00
PointerToRawData 0x600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.48361

.data

MD5 568dd221456d807ca821813c84d65e70
SHA1 2021639acc37bc81edbc445ab882a1a9a1f522c0
SHA256 c12a790b9705e6f8192a71642fb63811b169bc415dde30da0834c6fdb8c84ca5
SHA3 e4e54daa5af1191f36cef7a8b0092e3c752c235f66415f2cd9b0642838d80be8
VirtualSize 0x8000
VirtualAddress 0x15000
SizeOfRawData 0xa00
PointerToRawData 0x14000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.93186

.idata

MD5 bc7806e1c1ce9ebfd00ad834c1f7a647
SHA1 47dc9006aadaaf721785c9a05454a0459edef44e
SHA256 26d1a6e186b6bc01e71c560cb58263e778bab048868cf8d2c038477de68610df
SHA3 5eaf1849140a12da4511f4750a93ce139697eabfc2efd6da7924e97ebd7af1f6
VirtualSize 0x2000
VirtualAddress 0x1d000
SizeOfRawData 0x1200
PointerToRawData 0x14a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.78952

.rsrc

MD5 8c0e8b1aae38600bd9eae36363cea659
SHA1 9024aaea5e9f9aa2210d1670635deb4e3648d522
SHA256 f34592c1137acd9e0a75882b3fbe370f16a81effd6ca88077b3d983ef022b12e
SHA3 c2defe69c7eeaf122ba8ddcc228f087da58c84ef12cf43cfd482cc410c249e40
VirtualSize 0x457c
VirtualAddress 0x1f000
SizeOfRawData 0x4600
PointerToRawData 0x15c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.39154

Imports

ADVAPI32.DLL AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
SetFileSecurityA
SetFileSecurityW
KERNEL32.DLL CloseHandle
CompareStringA
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
DeleteFileA
DeleteFileW
DosDateTimeToFileTime
ExitProcess
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FreeLibrary
GetCPInfo
GetCommandLineA
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetNumberFormatA
GetProcAddress
GetProcessHeap
GetStdHandle
GetSystemTime
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GlobalAlloc
HeapAlloc
HeapFree
HeapReAlloc
IsDBCSLeadByte
LoadLibraryA
LocalFileTimeToFileTime
MoveFileA
MoveFileExA
MultiByteToWideChar
ReadFile
SetCurrentDirectoryA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileTime
SetLastError
Sleep
SystemTimeToFileTime
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcmpiA
lstrlenA
COMCTL32.DLL #17
COMDLG32.DLL CommDlgExtendedError
GetOpenFileNameA
GetSaveFileNameA
GDI32.DLL DeleteObject
SHELL32.DLL SHBrowseForFolderA
SHChangeNotify
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
USER32.DLL CharToOemA
CharToOemBuffA
CharUpperA
CopyRect
CreateWindowExA
DefWindowProcA
DestroyIcon
DestroyWindow
DialogBoxParamA
DispatchMessageA
EnableWindow
EndDialog
FindWindowExA
GetClassNameA
GetClientRect
GetDlgItem
GetDlgItemTextA
GetMessageA
GetParent
GetSysColor
GetSystemMetrics
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
IsWindow
IsWindowVisible
LoadBitmapA
LoadCursorA
LoadIconA
LoadStringA
MapWindowPoints
MessageBoxA
OemToCharA
OemToCharBuffA
PeekMessageA
PostMessageA
RegisterClassExA
SendDlgItemMessageA
SendMessageA
SetDlgItemTextA
SetFocus
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
ShowWindow
TranslateMessage
UpdateWindow
WaitForInputIdle
wsprintfA
wvsprintfA
OLE32.DLL CLSIDFromString
CoCreateInstance
CreateStreamOnHGlobal
OleInitialize
OleUninitialize

Delayed Imports

101

Type RT_BITMAP
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0xbb6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.19099
MD5 5c475f4b07e1e05af29d25e1700f7279
SHA1 b139902d2f9eae34727ba4f740b4b1e99d4bc4e8
SHA256 690c938562399f89ad78e3fde2a7edaee8ddf2fafef987a7b37e577a8f6126ea
SHA3 1d3dd19fbcc656a30478c2b4ba98485853b464fe09ea2debc4cfc64271677d1e

1

Type RT_ICON
Language Process Default Language
Codepage Latin 1 / Western European
Size 0x1ca8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.19712
MD5 a14c6fd1f60ee3be0b7b2a0c32cedbfd
SHA1 b5cf4e7fe1ed7c9cf7af0a9ad99ad4c4f36a8281
SHA256 7690e02aaef7a7749983ea361af606a3052d81949cfdb3ccc86cd724c802e4f2
SHA3 4a2277a88a342d9e4266184b4f8d01d287904d6f4a681ce640787d7727f60a96

ASKNEXTVOL

Type RT_DIALOG
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x282
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.42606
MD5 7f80bdcb87b3861361d472c6af7c4f34
SHA1 70e17f378e4b87b5a170bcbec456d4abe2777c97
SHA256 25765d1fe92190f3bffcc45df9d52274bf45dabc9e7cadf93d89566531b86793
SHA3 8b5c16ade622606916bc7e268e48c73bea35439456b234c1007c06df813b097b

GETPASSWORD1

Type RT_DIALOG
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x136
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.33783
MD5 934599e025ba216cf6690465dd49474a
SHA1 4500946135b0d47a5d9bdf1cb2ae45f01478e177
SHA256 69959ccafcf9c9e8b4c582c78349be839c4f5fbcb252e44f04f6ec10105f4cab
SHA3 0ffeae6247bdf0ad0036b8d6e5bca12891130a55a0062d8ed9b5f86bf3148bc1

LICENSEDLG

Type RT_DIALOG
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0xe8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.1404
MD5 41a6896781fa8aeb2eba9eabdeea2d43
SHA1 8f690873d4df453cf06501f83f6a6ddb548b8d68
SHA256 ae75c9e24eac44860e7e2706742593107294d4e39fd7681bac8e2ec5b87e9c66
SHA3 d08759eda57af8e740d2ec2f28b93bd9b63c0b3552a4a44b99842bad566a63ce

RENAMEDLG

Type RT_DIALOG
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x12a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.08066
MD5 a0ce4a9a2df219123f493bd16cd2bba3
SHA1 afef9df42a121b8380b751de1b05b63047be474e
SHA256 2463cb6e0c4957f812984d4ed5ce917e56eb9186b26d2329e9b0fc4bbcc371eb
SHA3 f58027dde83197d46d0ea8f924318197c54961af4fdf84b60e8c5f26a3c952ed

REPLACEFILEDLG

Type RT_DIALOG
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x334
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.27209
MD5 9a5a34b841584ee0626743095e03f86e
SHA1 c43f6dc93be02ff146c808b12277607c05af4cff
SHA256 d695ae65ec746731a281cdebf43b6a7f13501a526bc72cf60459403554c776a5
SHA3 f3042186e03aa36d2aea9cbd33b72e46a24452435d37c841341ec52231f67922

STARTDLG

Type RT_DIALOG
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x21e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.46021
MD5 2ec6f7c45e3b748e0b58d8293bdc9aa9
SHA1 f8fc2d15de7e261dfd0e286fd5a1418d4a595310
SHA256 533be4efa01cd3b295755e892bb9eb37566a05c58b22d9db2337eb3997ec7f75
SHA3 333b8066953df8300f552dba2b88728a4d26416b1200ea345f5505ed79f3fa0b

7

Type RT_STRING
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x22c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.24143
MD5 fb61b3469ae245a497410d4de5b70d45
SHA1 fbc73ddd8d7c9099ab425bfb2c0776bb8251e8d9
SHA256 99dbe051efdcf261267620d163c0c2e02109d7b2207f70492b79245b7fc3219b
SHA3 ada313e02983cdccf389ba63e0ce66948cc82b05aa9a5085644923f1ea268cd2

8

Type RT_STRING
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x3b2
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.28574
MD5 40af8f5e67322567fa168093753945fc
SHA1 b162cfa156d54acd08b7d876b0dadce621ef683c
SHA256 1750fcca6d01cfba66d6d910b82f0c98779eaa29062bb411c2aa19fb9fa0e337
SHA3 cc4ef287baea3a510a31666760e52e3cde1d3f7dac86a645ade95b6fad19af14

9

Type RT_STRING
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x212
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.04375
MD5 c1d1d43f5fa2588205da7bc620ee7020
SHA1 c68a9fcf6f70b5f17ea1adcd93f48b68da9407bc
SHA256 1c02c9c1f7683c2de81796ccbfd9aa13c8a4a9147d0cf146f76f9d5df50f8ca3
SHA3 066b9e7de99aea5ed745dac0ce210e3c2387d26ecc9245592073936b5031b80d

10

Type RT_STRING
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x27e
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.15563
MD5 2e187dbd96ef2cf97d74d14d58e565fe
SHA1 1b893afcd3a9cbe96a15a218504291994116ac5e
SHA256 4f3a2ca9dca82d4b3dac64a998a07251312d9b3845b149cf5c8ce8ca54daf4c6
SHA3 6719aeb4077e168cb2e28500aa3b162f17927df8ecd48d61b287c418b8d38cb8

DVCLAL

Type RT_RCDATA
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x10
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4
MD5 a40263c75fde7440b1086b7da9c51fc2
SHA1 139a84f87110fb5cb16a386adade21f30cae98b0
SHA256 e7dbe99baa5c1045cdf7004edb037018b2e0f639a5edcf800ec4514d5c8e35b5
SHA3 d3a734fa7d36868d301f9569de92e1bfc551e4b5cf6d7c59eace8d0a554093c0

100

Type RT_GROUP_ICON
Language Process Default Language
Codepage Latin 1 / Western European
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.91924
Detected Filetype Icon file
MD5 ecb3fea9b8fba3816da208767162ebaf
SHA1 ddefd39f5270bb56f9de023bf02862982d3069ae
SHA256 1f08569caa4db78cd12752e0343cd4bfd02c5990676e45b472c5e0572a841b7c
SHA3 13025b2d842232c33f3c6cb9e7df07905c5c0c080f9706c2d98d97b4d86e085d

1 (#2)

Type RT_MANIFEST
Language Russian - Russia
Codepage Latin 1 / Western European
Size 0x33f
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.06643
MD5 b89cf5ffa42c500398cdda4e52ca5a42
SHA1 cd973da0629778687de5868636f34882d1573ed5
SHA256 0e9f6de342f3f45a47499eff46a9419759de61559bbe2cff6c3574ee75238118
SHA3 b264c429c279711c226234b7432a080f4387f396b24ce6965fa686d5ca2ae4ca

String Table contents

Select destination folder
Extracting %s
Skipping %s
Unexpected end of archive
The file "%s" header is corrupt
The archive comment header is corrupt
The archive comment is corrupt
Not enough memory
Unknown method in %s
Cannot open %s
Cannot create %s
Cannot create folder %s
CRC failed in the encrypted file %s (wrong password ?)
CRC failed in %s
Packed data CRC failed in %s
Wrong password for %s
Write error in the file %s. Probably the disk is full
Read error in the file %s
File close error
The required volume is absent
The archive is either in unknown format or damaged
Extracting from %s
Next volume
The archive header is corrupt
Close
Error
Errors encountered while performing the operation
Look at the information window for more details
bytes
modified on
folder is not accessible
Some files could not be created.
Please close all applications, reboot Windows and restart this installation
Some installation files are corrupt.
Please download a fresh copy and retry the installation
All files
<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>
<li>Use <b>Browse</b> button to select the destination
folder from the folders tree. It can be also entered
manually.</lI><br><br>
<lI>If the destination folder does not exist, it will be
created automatically before extraction.</lI></ul>

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors