eeb4582837b61879e05ecb5050a84c1d
Summary
| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2022-Mar-03 13:15:57 |
| Detected languages |
English - United States
|
| Debug artifacts |
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
|
Plugin Output
| Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
| Suspicious | Strings found in the binary may indicate undesirable behavior: |
Accesses the WMI:
|
| Info | Cryptographic algorithms detected in the binary: |
Uses constants related to SHA1
Uses constants related to SHA256 Uses constants related to AES |
| Info | The PE contains common functions which appear in legitimate applications. |
[!] The program may be hiding some of its imports:
|
| Suspicious | The file contains overlay data. |
29383752 bytes of data starting at offset 0x4e600.
The overlay data has an entropy of 7.99927 and is possibly compressed or encrypted. Overlay data amounts for 98.9193% of the executable. |
| Malicious | VirusTotal score: 5/71 (Scanned on 2024-10-01 19:31:00) |
Bkav:
W32.AIDetectMalware
ClamAV: Win.Packed.Nanocore-9942160-0 Google: Detected Malwarebytes: Malware.AI.3811833045 VirIT: Trojan.Win32.MSIL_Heur.A |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x110 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 6 |
| TimeDateStamp | 2022-Mar-03 13:15:57 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
|
Image Optional Header
| Magic | PE32 |
|---|---|
| LinkerVersion | 14.0 |
| SizeOfCode | 0x31c00 |
| SizeOfInitializedData | 0x3fe00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0001F530 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x33000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.1 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x75000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.rdata
.data
.didat
.rsrc
.reloc
Imports
| KERNEL32.dll |
GetLastError
SetLastError FormatMessageW GetCurrentProcess DeviceIoControl SetFileTime CloseHandle CreateDirectoryW RemoveDirectoryW CreateFileW DeleteFileW CreateHardLinkW GetShortPathNameW GetLongPathNameW MoveFileW GetFileType GetStdHandle WriteFile ReadFile FlushFileBuffers SetEndOfFile SetFilePointer SetFileAttributesW GetFileAttributesW FindClose FindFirstFileW FindNextFileW InterlockedDecrement GetVersionExW GetCurrentDirectoryW GetFullPathNameW FoldStringW GetModuleFileNameW GetModuleHandleW FindResourceW FreeLibrary GetProcAddress GetCurrentProcessId ExitProcess SetThreadExecutionState Sleep LoadLibraryW GetSystemDirectoryW CompareStringW AllocConsole FreeConsole AttachConsole WriteConsoleW GetProcessAffinityMask CreateThread SetThreadPriority InitializeCriticalSection EnterCriticalSection LeaveCriticalSection DeleteCriticalSection SetEvent ResetEvent ReleaseSemaphore WaitForSingleObject CreateEventW CreateSemaphoreW GetSystemTime SystemTimeToTzSpecificLocalTime TzSpecificLocalTimeToSystemTime SystemTimeToFileTime FileTimeToLocalFileTime LocalFileTimeToFileTime FileTimeToSystemTime GetCPInfo IsDBCSLeadByte MultiByteToWideChar WideCharToMultiByte GlobalAlloc LockResource GlobalLock GlobalUnlock GlobalFree LoadResource SizeofResource SetCurrentDirectoryW GetExitCodeProcess GetLocalTime GetTickCount MapViewOfFile UnmapViewOfFile CreateFileMappingW OpenFileMappingW GetCommandLineW SetEnvironmentVariableW ExpandEnvironmentStringsW GetTempPathW MoveFileExW GetLocaleInfoW GetTimeFormatW GetDateFormatW GetNumberFormatW DecodePointer SetFilePointerEx GetConsoleMode GetConsoleCP HeapSize SetStdHandle GetProcessHeap FreeEnvironmentStringsW GetEnvironmentStringsW GetCommandLineA GetOEMCP RaiseException GetSystemInfo VirtualProtect VirtualQuery LoadLibraryExA IsProcessorFeaturePresent IsDebuggerPresent UnhandledExceptionFilter SetUnhandledExceptionFilter GetStartupInfoW QueryPerformanceCounter GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead TerminateProcess LocalFree RtlUnwind EncodePointer InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue TlsSetValue TlsFree LoadLibraryExW QueryPerformanceFrequency GetModuleHandleExW GetModuleFileNameA GetACP HeapFree HeapAlloc HeapReAlloc GetStringTypeW LCMapStringW FindFirstFileExA FindNextFileA IsValidCodePage |
|---|---|
| OLEAUT32.dll |
SysAllocString
SysFreeString VariantClear |
| gdiplus.dll |
GdipAlloc
GdipDisposeImage GdipCloneImage GdipCreateBitmapFromStream GdipCreateBitmapFromStreamICM GdipCreateHBITMAPFromBitmap GdiplusStartup GdiplusShutdown GdipFree |
| USER32.dll (delay-loaded) |
PostMessageW
WaitForInputIdle IsWindowVisible DialogBoxParamW EndDialog GetDlgItemTextW DispatchMessageW SetFocus SetForegroundWindow GetSysColor LoadBitmapW LoadIconW DestroyIcon IsDialogMessageW TranslateMessage GetMessageW wvsprintfW CopyImage GetClassNameW FindWindowExW MessageBoxW ReleaseDC GetDC SendMessageW LoadCursorW CopyRect MapWindowPoints UpdateWindow DestroyWindow IsWindow CreateWindowExW RegisterClassExW DefWindowProcW CharUpperW OemToCharBuffA LoadStringW GetWindow SetProcessDefaultLayout SetWindowLongW GetWindowLongW GetWindowRect GetClientRect GetSystemMetrics SetDlgItemTextW SetWindowPos GetParent SetWindowTextW EnableWindow GetDlgItem PeekMessageW SendDlgItemMessageW ShowWindow |
Delayed Imports
| Attributes | 0x1 |
|---|---|
| Name | USER32.dll |
| ModuleHandle | 0x61cc0 |
| DelayImportAddressTable | 0x630a0 |
| DelayImportNameTable | 0x3c7ac |
| BoundDelayImportTable | 0x3cee0 |
| UnloadDelayImportTable | 0 |
| TimeStamp | 1970-Jan-01 00:00:00 |
101
102
1
2
3
4
5
6
7
ASKNEXTVOL
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
7 (#2)
8
9
10
11
12
13
14
15
16
100
1 (#2)
String Table contents
| Select destination folder |
| Extracting %s |
| Skipping %s |
| Unexpected end of archive |
| The file "%s" header is corrupt |
| Corrupt header is found |
| Main archive header is corrupt |
| The archive comment header is corrupt |
| The archive comment is corrupt |
| Not enough memory |
| Unknown method in %s |
| Cannot open %s |
| Cannot create %s |
| Cannot create folder %s |
| Checksum error in the encrypted file %s. Corrupt file or wrong password. |
| Checksum error in %s |
| Packed data checksum error in %s |
| Write error in the file %s |
| Read error in the file %s |
| File close error |
| The required volume is absent |
| The archive is either in unknown format or damaged |
| Extracting from %s |
| Next volume |
| The archive header is corrupt |
| Close |
| Error |
| Errors encountered while performing the operation |
| Look at the information window for more details |
| bytes |
| modified on |
| folder is not accessible |
| Some files could not be created. |
| You can try to repeat the installation after closing other applications and restarting Windows. |
| Some installation files are corrupt. |
| Please download a fresh copy and retry the installation |
| All files |
| <ul><li>Press <b>Install</b> button to start extraction.</li><br><br> |
| <ul><li>Press <b>Extract</b> button to start extraction.</li><br><br> |
| <li>Use <b>Browse</b> button to select the destination |
| folder from the folders tree. It can be also entered |
| manually.</li><br><br> |
| <li>If the destination folder does not exist, it will be |
| created automatically before extraction.</li></ul> |
| The archive is corrupt |
| Extracting files to %s folder |
| Extracting files to temporary folder |
| Extract |
| Extraction progress |
| Total path and file name length must not exceed %d characters |
| Unknown encryption method in %s |
| The specified password is incorrect. |
| Incorrect password for %s |
| Cannot copy %s to %s. |
| Cannot create symbolic link %s |
| Cannot create hard link %s |
| You need to unpack the link target first |
| You may need to run this self-extracting archive as administrator |
| Pause |
| Continue |
| Security warning |
| Please remove %s from folder %s. It is unsecure to run %s until it is done. |
Version Info
IMAGE_DEBUG_TYPE_CODEVIEW
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2022-Mar-03 13:15:57 |
| Version | 0.0 |
| SizeofData | 81 |
| AddressOfRawData | 0x3b3dc |
| PointerToRawData | 0x3a3dc |
| Referenced File | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |
IMAGE_DEBUG_TYPE_VC_FEATURE
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2022-Mar-03 13:15:57 |
| Version | 0.0 |
| SizeofData | 20 |
| AddressOfRawData | 0x3b430 |
| PointerToRawData | 0x3a430 |
IMAGE_DEBUG_TYPE_POGO
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2022-Mar-03 13:15:57 |
| Version | 0.0 |
| SizeofData | 964 |
| AddressOfRawData | 0x3b444 |
| PointerToRawData | 0x3a444 |
TLS Callbacks
Load Configuration
| Size | 0xbc |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x43e7ac |
| SEHandlerTable | 0x43b2f8 |
| SEHandlerCount | 40 |
| GuardCFCheckFunctionPointer | 4403832 |
| GuardCFDispatchFunctionPointer | 0 |
| GuardCFFunctionTable | 0 |
| GuardCFFunctionCount | 0 |
| GuardFlags | (EMPTY) |
| CodeIntegrity.Flags | 0 |
| CodeIntegrity.Catalog | 0 |
| CodeIntegrity.CatalogOffset | 0 |
| CodeIntegrity.Reserved | 0 |
| GuardAddressTakenIatEntryTable | 0 |
| GuardAddressTakenIatEntryCount | 0 |
| GuardLongJumpTargetTable | 0 |
| GuardLongJumpTargetCount | 0 |
RICH Header
| XOR Key | 0xbe0d3e3c |
|---|---|
| Unmarked objects | 0 |
| 241 (40116) | 13 |
| 243 (40116) | 142 |
| 242 (40116) | 24 |
| 253 (30625) | 2 |
| C objects (30625) | 19 |
| ASM objects (30625) | 23 |
| C++ objects (30625) | 52 |
| C objects (VS2008 SP1 build 30729) | 11 |
| Imports (VS2008 SP1 build 30729) | 7 |
| Total imports | 277 |
| C++ objects (VS2022 (17.0.5) compiler 30709) | 49 |
| Exports (VS2022 (17.0.5) compiler 30709) | 1 |
| Resource objects (VS2022 (17.0.5) compiler 30709) | 1 |
| Linker (VS2022 (17.0.5) compiler 30709) | 1 |