Manalyze report for 11fb524c3210918ff98de8ac2aa788bd65442fafa81703a5ac102a40c1ef66a6

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Apr-02 03:20:09
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA` `Can access the registry: RegDeleteValueA RegOpenKeyExA RegDeleteKeyA RegEnumValueA RegCloseKey RegCreateKeyExA RegSetValueExA RegQueryValueExA RegEnumKeyA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Can create temporary files: CreateFileA GetTempPathA` `Changes object ACLs: SetFileSecurityA` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The file contains overlay data.	`806043 bytes of data starting at offset 0x2a400.` `The overlay data has an entropy of 7.99976 and is possibly compressed or encrypted.` `Overlay data amounts for 82.325% of the executable.`
Malicious	VirusTotal score: 39/72 (Scanned on 2025-12-23 04:35:04)	`APEX: Malicious` `Antiy-AVL: Trojan/Win32.Agent` `Bkav: W32.AIDetectMalware` `CAT-QuickHeal: Trojan.Agent` `CTX: exe.trojan.keygen` `CrowdStrike: win/grayware_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: Trojan.Siggen8.9905` `ESET-NOD32: Win32/Keygen.ACE potentially unsafe application` `Elastic: malicious (high confidence)` `Fortinet: Malicious_Behavior.SB` `GData: Win32.Trojan.Agent.TAD4D0` `Google: Detected` `Gridinsoft: Malware.Win32.GenericMC.cc` `Ikarus: not-a-virus:Keygen.R2R` `K7AntiVirus: Unwanted-Program ( 005cde151 )` `K7GW: Unwanted-Program ( 005cde151 )` `Kingsoft: Win32.Riskware.Keygen.fn` `Lionic: Trojan.Win32.Keygen.4!c` `Malwarebytes: Generic.Malware.Gen.DDS` `McAfeeD: ti!11FB524C3210` `Microsoft: HackTool:Win32/Keygen` `Paloalto: generic.ml` `Panda: PUP/Keygen` `Rising: Malware.Undefined!8.C (CLOUD)` `SUPERAntiSpyware: Hack.Tool/Gen-Keygen` `Sangfor: Trojan.Win32.Keygen.Veyd` `Skyhigh: BehavesLike.Win32.Trojan.dc` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `TrellixENS: Artemis!C2C0A08CB1C6` `TrendMicro: PUA.Win32.KeyGen.CRRM` `TrendMicro-HouseCall: PUA.Win32.KeyGen.CRRM` `VBA32: Adware.Keygen` `Varist: W32/Trojan.BKQV-4754` `Xcitium: ApplicUnwnt@#2f8yyd5w443r6` `Yandex: Trojan.Igent.bUBfCn.1`

Hashes

MD5	`c2c0a08cb1c65a99486140c9866f8730`
SHA1	`161dfdec73612c86ed3ec2de17446cf1adbdc389`
SHA256	`11fb524c3210918ff98de8ac2aa788bd65442fafa81703a5ac102a40c1ef66a6`
SHA3	`be5738b7746a2918e6856a7cb4257c216e47031453c3943183960a41a43e57e9`
SSDeep	`24576:UcLjJp/iH5jDcA43IKfTEY9BLhQltGMxFZs+kNmb:UAvM5jaIaT1X0HxTVt`
Imports Hash	`b1a57b635b23ffd553b3fd1e0960b2bd`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2016-Apr-02 03:20:09
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x5e00`
SizeOfInitializedData	`0x1d600`
SizeOfUninitializedData	`0x400`
AddressOfEntryPoint	`0x0000326C (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x50000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`51e2544a6971f687f7a1241f613014c1`
SHA1	`1dc9b7d6bb158fee5b9f3b28181b389987a1c350`
SHA256	`3f5f7b309092988af8c9e92567926a5e523cad3af0051c20bdf29aad00a33510`
SHA3	`ead501114661f03aac31abc76b71034653f300508cc4ce3d8a5490f65fbe4151`
VirtualSize	`0x5c74`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.41039`

.rdata

MD5	`4c84e530bf8db37146334e6c487170bf`
SHA1	`076dcc532f1c101e21550e104a20a7f8e4c30781`
SHA256	`3575075347d3cfff06e9f5c296d8c71c30f2fbcc62228eef437e236010397471`
SHA3	`0eec1a1d948468a2f710745acc56943954e864ce6901ed769f2e04c3dbddd8ea`
VirtualSize	`0x1196`
VirtualAddress	`0x7000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x6200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.20374`

.data

MD5	`75d996f724e5e900c022f56b3df3ae1b`
SHA1	`7b247661a46a3527556a9637ece6c600bf6777ec`
SHA256	`4a63c7ca63538039a0213c12377fc6b0d36530bb0eecc9d4d24728c851334352`
SHA3	`9e187facab9fe47c274f1195debae1114b0f20015ddbfe91134d735bc745713a`
VirtualSize	`0x1b058`
VirtualAddress	`0x9000`
SizeOfRawData	`0x600`
PointerToRawData	`0x7400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.13053`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x8000`
VirtualAddress	`0x25000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`2bac896c655fb3eb2face23552adb6f8`
SHA1	`679ef909a0e7496b5f4beea5ee231e3bb3c00077`
SHA256	`e24673ef21554dc19125b1a04948dbeb34f4a0d0339fbdc7b3334ac1f8192945`
SHA3	`0165261e3f1013fd593518dcf30dc32ad7b13f7b2472d46a18f429d45593149a`
VirtualSize	`0x22898`
VirtualAddress	`0x2d000`
SizeOfRawData	`0x22a00`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.05877`

Imports

KERNEL32.dll	`GetTickCount` `GetShortPathNameA` `GetFullPathNameA` `MoveFileA` `SetCurrentDirectoryA` `GetFileAttributesA` `SetFileAttributesA` `CompareFileTime` `SearchPathA` `CreateFileA` `GetFileSize` `GetModuleFileNameA` `GetCurrentProcess` `CopyFileA` `ExitProcess` `GetWindowsDirectoryA` `Sleep` `lstrcmpiA` `lstrlenA` `GetVersion` `SetErrorMode` `lstrcpynA` `GetDiskFreeSpaceA` `GlobalUnlock` `GlobalLock` `CreateThread` `GetLastError` `CreateDirectoryA` `CreateProcessA` `RemoveDirectoryA` `GetTempFileNameA` `lstrcatA` `GetSystemDirectoryA` `WaitForSingleObject` `SetFileTime` `CloseHandle` `GlobalFree` `lstrcmpA` `ExpandEnvironmentStringsA` `GetExitCodeProcess` `GlobalAlloc` `GetCommandLineA` `GetTempPathA` `GetProcAddress` `FindFirstFileA` `FindNextFileA` `DeleteFileA` `SetFilePointer` `ReadFile` `FindClose` `GetPrivateProfileStringA` `WritePrivateProfileStringA` `WriteFile` `MulDiv` `MultiByteToWideChar` `LoadLibraryExA` `GetModuleHandleA` `FreeLibrary`
USER32.dll	`SetCursor` `GetWindowRect` `EnableMenuItem` `GetSystemMenu` `SetClassLongA` `IsWindowEnabled` `SetWindowPos` `GetSysColor` `EndDialog` `ScreenToClient` `LoadCursorA` `CheckDlgButton` `GetMessagePos` `LoadBitmapA` `CallWindowProcA` `IsWindowVisible` `CloseClipboard` `SetForegroundWindow` `GetWindowLongA` `RegisterClassA` `TrackPopupMenu` `AppendMenuA` `CreatePopupMenu` `GetSystemMetrics` `SetDlgItemTextA` `GetDlgItemTextA` `MessageBoxIndirectA` `CharPrevA` `DispatchMessageA` `PeekMessageA` `GetDC` `EnableWindow` `InvalidateRect` `SendMessageA` `DefWindowProcA` `BeginPaint` `GetClientRect` `FillRect` `DrawTextA` `SystemParametersInfoA` `CreateWindowExA` `GetClassInfoA` `DialogBoxParamA` `CharNextA` `ExitWindowsEx` `SetTimer` `PostQuitMessage` `SetWindowLongA` `SendMessageTimeoutA` `LoadImageA` `wsprintfA` `GetDlgItem` `FindWindowExA` `IsWindow` `SetClipboardData` `EmptyClipboard` `OpenClipboard` `EndPaint` `CreateDialogParamA` `DestroyWindow` `ShowWindow` `SetWindowTextA`
GDI32.dll	`SelectObject` `SetBkMode` `CreateFontIndirectA` `SetTextColor` `DeleteObject` `GetDeviceCaps` `CreateBrushIndirect` `SetBkColor`
SHELL32.dll	`SHGetSpecialFolderLocation` `SHGetPathFromIDListA` `SHBrowseForFolderA` `SHGetFileInfoA` `SHFileOperationA` `ShellExecuteA`
ADVAPI32.dll	`RegDeleteValueA` `SetFileSecurityA` `RegOpenKeyExA` `RegDeleteKeyA` `RegEnumValueA` `RegCloseKey` `RegCreateKeyExA` `RegSetValueExA` `RegQueryValueExA` `RegEnumKeyA`
COMCTL32.dll	`ImageList_AddMasked` `ImageList_Destroy` `ImageList_Create` `#17`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.24511`
MD5	`5b5022130f1d1dbdc6cde71771a5d5a0`
SHA1	`40ed7aa2fd0ab46670369b4cc723c09ac09fc8e9`
SHA256	`6b5fdefe6dd2d528c9945b7278a00145a0ac1bd84e8add4e3e32fca419f25200`
SHA3	`58843017377f6ce0844f0901fc966ee454231422843696c71cbfd89d2a724ed0`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xd3f8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.92764`
Detected Filetype	PNG graphic file
MD5	`8e234213412bb448337cfb1e05dec880`
SHA1	`69ecdabb73f87016394c1248606bf4e300573343`
SHA256	`47fffaf216469bbbefc3ae26d70990b9892d38f70571cc9179ae48708d63346a`
SHA3	`88a6ee33d21749f4effc806de7844244ec14335679eadb696b1e0e28f991c543`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.51849`
MD5	`be2b1e09de93e06a7fabe277f19fb858`
SHA1	`aac92694a24b2eb88ffefaed4b9a64aa85a38a60`
SHA256	`a41f6bb9977acd547d930b242992726149a0c1be828f2e8738c7086a8ba32c6d`
SHA3	`5038bc717043bd86c27084c5fcd5bd9b136ebdfd3ebb0475d49253ee752c40a6`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.75617`
MD5	`b6c1f5f4eaebd8a47b1e6cde0071bed0`
SHA1	`1674ed40858aae69c1d6dcfcf5cf3edfc88951a8`
SHA256	`82c21bdf67b5d1541a332b95f4d608e53f62b082ddccd7ddce131a7031d0c32f`
SHA3	`d9b8121d1743d57722ef3df47c54a1cfe0c730cb74192464a26f11af428ffb06`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.93004`
MD5	`bcc59368d45b5579e7800956bb51a186`
SHA1	`72b5b91b63245e85893efc630a91d67833bc4710`
SHA256	`61896d486a77df6beb5a61574023efe090d84e4d42466943ff1ea70c609b8050`
SHA3	`7448332a65762b449e00b9934a108b01e7cea71b7c66009f37659727ae5d7357`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.08765`
MD5	`f6692c2cdee7c8ac30439647d13abbd5`
SHA1	`a5e21684a8975d88fd875976f1d303bfda80848b`
SHA256	`f3601da020c40d12ebd27f044fae5aef42a1516358fd6a134395428d0de07759`
SHA3	`d81b1a790f5e8ce789cc5f8b3546e145a5a99d940f11e51bd0259232a9958cb8`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x100`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.66174`
MD5	`3409f314895161597f3c395cc5f65525`
SHA1	`1a99d016d65e567f24449d9362afb6ac44006d0b`
SHA256	`fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96`
SHA3	`b3b19241cc6454389e45833e50b742ae1927a5f161017350a99f2cbc66914f26`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88094`
MD5	`2d12c45dc2c029044aaff357141cb900`
SHA1	`083db861ab3c7db23c6257878296e73a89a74b8b`
SHA256	`69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729`
SHA3	`349b5d605c9c3efe5e0c4e2faa12dd21022fc5f9b053f2cbf4e2a6b8bc656442`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x60`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.48825`
MD5	`6be4e1387d369cf86e68eacbdd0e81dd`
SHA1	`351970fe2681b9b35b5d59ad052011ed96a96e17`
SHA256	`85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0`
SHA3	`45e552e173141e06d113209b6cc915042ad0b4d5531464b8dbe5637029f489cb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.8213`
Detected Filetype	Icon file
MD5	`269365d3bff809f0db865085c4757030`
SHA1	`fb8c074fa6ff8256aaab66a5a628a1114cb83b37`
SHA256	`dda68c1f5ebefcff8004d6425dfd295e6759d5095021abe2f07a687bf2dae53d`
SHA3	`8d1ff02155cc70269b42799bd7fcd3f692cb2d5439df5ab7ac4e655c6c484258`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2d7`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.19285`
MD5	`7ab03de55522fe34219efc4791f40b36`
SHA1	`3298f3512c51e53d772a608fca1c3fb432d0e6b8`
SHA256	`ba8567985d6c9178aa220c91ccb969cf31d37670562d0641b10d4e3a1e9fd4e2`
SHA3	`99def2fdcb504323fb0551231044ee00165aa07bf28f0804e136a7925ba7ce43`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd24651e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`152`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!

Leave a comment

No comments yet.