Manalyze report for f76cf8ddcb1038ea56f7ef8cfd80a542

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-May-18 16:07:24
Detected languages	English - United States
Debug artifacts	C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExW` `Uses Microsoft's cryptographic API: CryptMsgClose CryptQueryObject CryptMsgGetParam` `Interacts with the certificate store: CertOpenSystemStoreA CertAddCertificateContextToStore`
Info	The PE is digitally signed.	`Signer: ScreenConnect Software` `Issuer: COMODO RSA Code Signing CA`
Malicious	VirusTotal score: 3/67 (Scanned on 2018-06-13 14:23:52)	`TrendMicro-HouseCall: Suspicious_GEN.F47V0516` `Jiangmin: Trojan.Generic.bqwbr` `ViRobot: Trojan.Win32.Agent.86672`

Hashes

MD5	`f76cf8ddcb1038ea56f7ef8cfd80a542`
SHA1	`94d559e42106ce5aee5539327395bf9a9ddf77be`
SHA256	`75212a1c7b18d900cdaf7e23d10b3d379d825825bbb030f1886f4e7420bd351c`
SHA3	`929a2cd7285fc8049628223fe58c5e58af0ae54b256f7f256eb9eec361b00a15`
SSDeep	`1536:6Xn1JYSnExFkcgKKjxfmqshiKW5Xs/iYQqQJtsWFcdfRMvb+xWeuHilE:QE3x5KBDYiKWm/iSw0fRMvygeM`
Imports Hash	`1273eaec87da7c0a308253f29e7857eb`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2016-May-18 16:07:24
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xac00`
SizeOfInitializedData	`0x8200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000016E7 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xc000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x17000`
SizeOfHeaders	`0x400`
Checksum	`0x1c280`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d848ee0b99f8b09b2eb3404bd599f204`
SHA1	`353a50d5fdee90584d509ea3ddf7f1245bd2b698`
SHA256	`6d566f6857b40178a9bab37b775c01d16d7fe478a885c476d2dbf4f590733799`
SHA3	`602705d83f627ba24823d5d4a09886592b618603a67b755e3f7b9bd084fddc33`
VirtualSize	`0xaa97`
VirtualAddress	`0x1000`
SizeOfRawData	`0xac00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.6143`

.rdata

MD5	`3682f04d1dfb637ffc6d6744c60942e6`
SHA1	`9d36fc3dcf63fc9cfc2b13bc5696d77d9dff3d50`
SHA256	`c08440bc7823b7f36d010299597442ad0b4d94961b5e95a0c9bdc0ef49997bf0`
SHA3	`6221f4d0fe18bef7f8b7c18bef5c8ecdb3fa25da4d4b21147136a6efceae1936`
VirtualSize	`0x5ae8`
VirtualAddress	`0xc000`
SizeOfRawData	`0x5c00`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.90769`

.data

MD5	`e43936ff24211648aa39f5558d648c0d`
SHA1	`36df2ac63899f27db6f11655ecacbce578d8b5ff`
SHA256	`dbd0da08b6d132cb523a30374c9df378a6c9b1091e27d8703dc29bcf02885505`
SHA3	`e93255760aebb1eadbc98f557f32bdec9c59843f629a47ffe15d5e4ba51e842c`
VirtualSize	`0x11e0`
VirtualAddress	`0x12000`
SizeOfRawData	`0x800`
PointerToRawData	`0x10c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.12918`

.gfids

MD5	`e4273988acc191fcb3d5336b25341398`
SHA1	`075903444fbe8fcd7a924ee499a541f64a5e03c4`
SHA256	`6c5e30f670d14497889d5b3b99d970927ae006644e513f2426ae434e4bb3c958`
SHA3	`e1e5284929a79cc1430c403ee3b55fb156b50f199a0c25f105172d30590c5846`
VirtualSize	`0xb4`
VirtualAddress	`0x14000`
SizeOfRawData	`0x200`
PointerToRawData	`0x11400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.4773`

.rsrc

MD5	`d1b97645795a058db19c32388b97fab2`
SHA1	`6e3cea57e7df02fd5858d49a5ae746e0e5df135d`
SHA256	`cd4abd0addbb0c48d55bc536cadf9857f791e999faefbc5e751542cf31061847`
SHA3	`54b8c62b48ac029ee68b93f88da2a6a09490b1dcc4e026540af6553ae475f374`
VirtualSize	`0x1e0`
VirtualAddress	`0x15000`
SizeOfRawData	`0x200`
PointerToRawData	`0x11600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.70468`

.reloc

MD5	`90a429778b66415560f11e9c987b5e59`
SHA1	`48137269f4dca9c3de01f89d1cfbf20fed3844c9`
SHA256	`276c67be8513f44084b624cad319b2191f26bd9760d5af05241ae152d70f2fc2`
SHA3	`475963dee9f2f421bbc36507913214f1188e9a94cd150beb4dd4c72825a07995`
VirtualSize	`0xe10`
VirtualAddress	`0x16000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x11800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.16675`

Imports

CRYPT32.dll	`CertOpenSystemStoreA` `CryptMsgClose` `CertFreeCertificateContext` `CertDeleteCertificateFromStore` `CryptQueryObject` `CertCloseStore` `CryptMsgGetParam` `CertAddCertificateContextToStore` `CertCreateCertificateContext`
KERNEL32.dll	`SetFilePointer` `LocalAlloc` `CreateFileW` `Sleep` `LoadLibraryA` `CloseHandle` `GetProcAddress` `LocalFree` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `GetLastError` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `RtlUnwind` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `MultiByteToWideChar` `WideCharToMultiByte` `ExitProcess` `GetModuleHandleExW` `GetACP` `HeapFree` `HeapAlloc` `FindClose` `FindFirstFileExA` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `LCMapStringW` `SetStdHandle` `GetFileType` `GetStringTypeW` `GetProcessHeap` `HeapSize` `HeapReAlloc` `FlushFileBuffers` `GetConsoleCP` `GetConsoleMode` `SetFilePointerEx` `WriteConsoleW` `DecodePointer` `RaiseException` `ReadFile` `GetModuleFileNameA`
ADVAPI32.dll	`SystemFunction036`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2016-May-18 16:07:24
Version	`0.0`
SizeofData	`112`
AddressOfRawData	`0x10c14`
PointerToRawData	`0xfc14`
Referenced File	C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2016-May-18 16:07:24
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x10c84`
PointerToRawData	`0xfc84`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2016-May-18 16:07:24
Version	`0.0`
SizeofData	`808`
AddressOfRawData	`0x10c98`
PointerToRawData	`0xfc98`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2016-May-18 16:07:24
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x412004`
SEHandlerTable	`0x410b50`
SEHandlerCount	`3`

RICH Header

XOR Key	`0x51435d41`
Unmarked objects	`0`
241 (40116)	`9`
243 (40116)	`120`
242 (40116)	`24`
ASM objects (23406)	`17`
C++ objects (23406)	`29`
C objects (23406)	`17`
Imports (VS2008 SP1 build 30729)	`7`
Total imports	`100`
264 (VS2015 UPD1 build 23506)	`1`
Resource objects (VS2015 UPD1 build 23506)	`1`
Linker (VS2015 UPD1 build 23506)	`1`

f76cf8ddcb1038ea56f7ef8cfd80a542

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.gfids

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors