Manalyze report for ec367a19c43ab8a12921ddc16d29c37e

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Dec-11 21:50:45
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA` `Can access the registry: RegDeleteKeyA RegOpenKeyExA RegEnumValueA RegDeleteValueA RegCloseKey RegCreateKeyExA RegSetValueExA RegQueryValueExA RegEnumKeyA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Changes object ACLs: SetFileSecurityA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`1125794 bytes of data starting at offset 0x2a600.` `The overlay data has an entropy of 7.87046 and is possibly compressed or encrypted.` `Overlay data amounts for 86.6421% of the executable.`
Malicious	VirusTotal score: 43/66 (Scanned on 2021-11-25 16:10:26)	`Bkav: W32.AIDetect.malware2` `Lionic: Riskware.Win32.Malicious.1!c` `Elastic: malicious (high confidence)` `CAT-QuickHeal: Trojan.IGENERIC` `ALYac: Misc.Riskware.MoneroMiner` `Cylance: Unsafe` `VIPRE: Trojan.Win32.Generic!BT` `Sangfor: Suspicious.Win32.Save.a` `CrowdStrike: win/malicious_confidence_90% (D)` `K7GW: Unwanted-Program ( 0052f55b1 )` `K7AntiVirus: Unwanted-Program ( 0052f55b1 )` `Symantec: Trojan Horse` `ESET-NOD32: Win32/Keygen.ACE potentially unsafe` `APEX: Malicious` `Avast: FileRepMetagen [PUP]` `ClamAV: Win.Malware.Score-6997747-0` `SUPERAntiSpyware: Hack.Tool/Gen-KeyGen` `Tencent: Win32.Trojan.Crypt.Akyo` `Sophos: Keygen (PUA)` `Comodo: Malware@#1kk76kg1bnb6e` `DrWeb: Trojan.Siggen8.9905` `Zillya: Trojan.GenericKD.Win32.243546` `TrendMicro: PUA.Win32.KeyGen.CRRM` `McAfee-GW-Edition: BehavesLike.Win32.Generic.tc` `FireEye: Generic.mg.ec367a19c43ab8a1` `SentinelOne: Static AI - Malicious PE` `GData: Win32.Trojan.Agent.QG7HK3` `Webroot: W32.Hack.Tool` `MAX: malware (ai score=99)` `Gridinsoft: Trojan.Win32.Agent.dg` `Microsoft: Trojan:Win32/Occamy.B` `Cynet: Malicious (score: 100)` `AhnLab-V3: Unwanted/Win32.KeyGen.C2198504` `McAfee: Artemis!EC367A19C43A` `VBA32: Trojan.Occamy` `Malwarebytes: Malware.AI.599658422` `TrendMicro-HouseCall: PUA.Win32.KeyGen.CRRM` `Rising: Trojan.Generic@ML.99 (RDML:IDcgyNP+R5LVq2UKQ3JI3A)` `Yandex: Trojan.Igent.bUe6Wm.11` `eGambit: Generic.Malware` `Fortinet: W32/Generic_PUA_MB.ACE!tr` `AVG: FileRepMetagen [PUP]` `Paloalto: generic.ml`

Hashes

MD5	`ec367a19c43ab8a12921ddc16d29c37e`
SHA1	`6ae78c9a5da4ad6a87ded49d7d700b43bdc28171`
SHA256	`84b315464f9786e590299675b6a01f8f7efcaa1b55d78522d86e51cd41621394`
SHA3	`9e4ebac4672a1a961373767bd4214e57af0dc43f4da80e4386b854e1b2dad70d`
SSDeep	`24576:Wo6cLUNPPqWymPLbyrsb0Y667qr/qGMOvI9+f1gBxh/EcHG:WhA4PPCmTGIJGbPMOvuOkhsCG`
Imports Hash	`4f67aeda01a0484282e8c59006b0b352`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2016-Dec-11 21:50:45
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6000`
SizeOfInitializedData	`0x1d000`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x000032BF (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x4f000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1892c55874b94ef60ac62cf77f0ecd0e`
SHA1	`95487725a8bb3a7284cb15204d9d83d8dd16a070`
SHA256	`c46db17bdcc6d27e134436026027456b8e5522cee7aa5056d4f513430c3d203c`
SHA3	`b10a21e295e30ef344b55eeb7b57bd384ed5b3ec36c475bd899a58fc47272aa8`
VirtualSize	`0x5e59`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.42419`

.rdata

MD5	`6389f916226544852e494114faf192ad`
SHA1	`5a8bd7dc51e26e238ac906646d9390d89e9de99b`
SHA256	`96fda7c3b5c92d7089fdd266fb9069a5490e2ae8ea7704c5a15f8ef53ee746ad`
SHA3	`4b0f9cf9e8c6bf0014311228d4e775d5a3ef7c286d6e4b0c9e2e4756a62b3dba`
VirtualSize	`0x1246`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.0004`

.data

MD5	`f02c8b5709d3fb8c6cc1ab777c138d8f`
SHA1	`c95896cfaab005ecd71497fdbf013ea77cf1b85a`
SHA256	`c3888e36a58e370976092a6f7d0374b84cc2465856675cb58dd9c7de3d5f009b`
SHA3	`3653898572e644df42cf75d23f90306c1157fd59276df04098ff493909f5ce50`
VirtualSize	`0x1a818`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.21193`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x24000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`8ce8b13909a57802b3e27de58a4fb858`
SHA1	`5d6e1e5980c3d63204f8b50636805eb6bcae86d2`
SHA256	`5c5bc139a73b10946303beed18fb87bbcbf810797e034e50af1df68038f16a88`
SHA3	`c8454c9f7e2aab49e03256e91bbb0c2016693e20ad965fbd0addf45b3a82a632`
VirtualSize	`0x22910`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x22a00`
PointerToRawData	`0x7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.06464`

Imports

KERNEL32.dll	`CopyFileA` `Sleep` `GetTickCount` `CreateFileA` `GetFileSize` `GetModuleFileNameA` `ReadFile` `GetFileAttributesA` `SetFileAttributesA` `ExitProcess` `SetEnvironmentVariableA` `GetWindowsDirectoryA` `GetTempPathA` `GetCommandLineA` `lstrlenA` `GetVersion` `GetCurrentProcess` `GetFullPathNameA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `GetLastError` `CreateDirectoryA` `CreateProcessA` `RemoveDirectoryA` `GetTempFileNameA` `WriteFile` `lstrcpyA` `MoveFileExA` `lstrcatA` `GetSystemDirectoryA` `GetProcAddress` `CloseHandle` `SetCurrentDirectoryA` `MoveFileA` `CompareFileTime` `GetShortPathNameA` `SearchPathA` `lstrcmpiA` `SetFileTime` `lstrcmpA` `ExpandEnvironmentStringsA` `lstrcpynA` `SetErrorMode` `GlobalFree` `FindFirstFileA` `FindNextFileA` `DeleteFileA` `SetFilePointer` `GetPrivateProfileStringA` `FindClose` `MultiByteToWideChar` `FreeLibrary` `MulDiv` `WritePrivateProfileStringA` `LoadLibraryExA` `GetModuleHandleA` `GetExitCodeProcess` `WaitForSingleObject` `GlobalAlloc`
USER32.dll	`ScreenToClient` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `GetWindowLongA` `SetCursor` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `PostQuitMessage` `GetWindowRect` `EnableMenuItem` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `EndDialog` `RegisterClassA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `ExitWindowsEx` `GetDC` `CreateDialogParamA` `SetTimer` `GetDlgItem` `SetWindowLongA` `SetForegroundWindow` `LoadImageA` `IsWindow` `SendMessageTimeoutA` `FindWindowExA` `OpenClipboard` `TrackPopupMenu` `AppendMenuA` `EndPaint` `DestroyWindow` `wsprintfA` `ShowWindow` `SetWindowTextA`
GDI32.dll	`SelectObject` `SetBkMode` `CreateFontIndirectA` `SetTextColor` `DeleteObject` `GetDeviceCaps` `CreateBrushIndirect` `SetBkColor`
SHELL32.dll	`SHGetSpecialFolderLocation` `SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `ShellExecuteA` `SHFileOperationA`
ADVAPI32.dll	`RegDeleteKeyA` `SetFileSecurityA` `OpenProcessToken` `LookupPrivilegeValueA` `AdjustTokenPrivileges` `RegOpenKeyExA` `RegEnumValueA` `RegDeleteValueA` `RegCloseKey` `RegCreateKeyExA` `RegSetValueExA` `RegQueryValueExA` `RegEnumKeyA`
COMCTL32.dll	`ImageList_Create` `ImageList_AddMasked` `ImageList_Destroy` `#17`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.24511`
MD5	`5b5022130f1d1dbdc6cde71771a5d5a0`
SHA1	`40ed7aa2fd0ab46670369b4cc723c09ac09fc8e9`
SHA256	`6b5fdefe6dd2d528c9945b7278a00145a0ac1bd84e8add4e3e32fca419f25200`
SHA3	`58843017377f6ce0844f0901fc966ee454231422843696c71cbfd89d2a724ed0`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xd3f8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.92764`
Detected Filetype	PNG graphic file
MD5	`8e234213412bb448337cfb1e05dec880`
SHA1	`69ecdabb73f87016394c1248606bf4e300573343`
SHA256	`47fffaf216469bbbefc3ae26d70990b9892d38f70571cc9179ae48708d63346a`
SHA3	`88a6ee33d21749f4effc806de7844244ec14335679eadb696b1e0e28f991c543`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.51849`
MD5	`be2b1e09de93e06a7fabe277f19fb858`
SHA1	`aac92694a24b2eb88ffefaed4b9a64aa85a38a60`
SHA256	`a41f6bb9977acd547d930b242992726149a0c1be828f2e8738c7086a8ba32c6d`
SHA3	`5038bc717043bd86c27084c5fcd5bd9b136ebdfd3ebb0475d49253ee752c40a6`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.75617`
MD5	`b6c1f5f4eaebd8a47b1e6cde0071bed0`
SHA1	`1674ed40858aae69c1d6dcfcf5cf3edfc88951a8`
SHA256	`82c21bdf67b5d1541a332b95f4d608e53f62b082ddccd7ddce131a7031d0c32f`
SHA3	`d9b8121d1743d57722ef3df47c54a1cfe0c730cb74192464a26f11af428ffb06`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.93004`
MD5	`bcc59368d45b5579e7800956bb51a186`
SHA1	`72b5b91b63245e85893efc630a91d67833bc4710`
SHA256	`61896d486a77df6beb5a61574023efe090d84e4d42466943ff1ea70c609b8050`
SHA3	`7448332a65762b449e00b9934a108b01e7cea71b7c66009f37659727ae5d7357`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.08765`
MD5	`f6692c2cdee7c8ac30439647d13abbd5`
SHA1	`a5e21684a8975d88fd875976f1d303bfda80848b`
SHA256	`f3601da020c40d12ebd27f044fae5aef42a1516358fd6a134395428d0de07759`
SHA3	`d81b1a790f5e8ce789cc5f8b3546e145a5a99d940f11e51bd0259232a9958cb8`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.8213`
Detected Filetype	Icon file
MD5	`269365d3bff809f0db865085c4757030`
SHA1	`fb8c074fa6ff8256aaab66a5a628a1114cb83b37`
SHA256	`dda68c1f5ebefcff8004d6425dfd295e6759d5095021abe2f07a687bf2dae53d`
SHA3	`8d1ff02155cc70269b42799bd7fcd3f692cb2d5439df5ab7ac4e655c6c484258`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x349`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28747`
MD5	`cb830782236a4a4916a92da089e3162b`
SHA1	`2f6ef650709a009fbb55a227678b0160e0ba8d69`
SHA256	`6a007d6ad86a712fef161854c5298190aab9486f5ebf17ef3c7f01b60366a3a8`
SHA3	`7bae18417fa2fee41931db860d0173d39e51ef2fb33439b66508b27405da4cb7`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd246d0e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`159`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!