Manalyze report for e9db7c7970119aaa0df60ff2a8d39721d5154f7e34268640a14e986435892214

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2017-Nov-16 22:26:31
Detected languages	English - United States
CompanyName	Sysinternals - www.sysinternals.com
FileDescription	Reports effective permissions for securable objects
FileVersion	`6.12`
InternalName	Accesschk
LegalCopyright	Copyright (C) 2006-2017 Mark Russinovich
OriginalFilename	accesschk.exe
ProductName	Sysinternals AccessChk
ProductVersion	`6.12`
SpecialBuild

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig1(h)` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Suspicious	PEiD Signature:	`MoleBox v2.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` `Miscellaneous malware strings: cmd.exe` Contains domain names: Systinternals.com crl.microsoft.com http://crl.microsoft.com http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T http://www.microsoft.com http://www.microsoft.com/PKI/docs/CPS/default.htm0 http://www.microsoft.com/exporting http://www.microsoft.com/pki/CRL/products/Microsoft%20Windows%20Hardware%20Compatibility%20PCA http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0 http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0 http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0 http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0 http://www.microsoft.com/pki/certs/Microsoft%20Windows%20Hardware%20Compatibility%20PCA http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0 http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202012.crt0 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202012.crl0 http://www.microsoft.com/pkiops/docs/primarycps.htm0 http://www.sysinternals.com microsoft.com sysinternals.com technet.microsoft.com www.microsoft.com www.sysinternals.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA1` `Uses constants related to SHA256`
Suspicious	The PE is possibly packed.	`Unusual section name found: 0\x00ext` `Section 0\x00ext is both writable and executable.` `Unusual section name found: 1\x00data` `Section 1\x00data is both writable and executable.` `Unusual section name found: 2\x00ata` `Section 2\x00ata is both writable and executable.` `Unusual section name found: 3\x00src` `Section 3\x00src is both writable and executable.` `Unusual section name found: 4\x00eloc` `Section 4\x00eloc is both writable and executable.` `Unusual section name found: 5\x00ext` `Section 5\x00ext is both writable and executable.` `Unusual section name found: 6\x00data` `Section 6\x00data is both writable and executable.` `Unusual section name found: 7\x00ata` `Section 7\x00ata is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Manipulates other processes: WriteProcessMemory`
Malicious	The PE is possibly a dropper.	`Resource RCACCESSCHK64 detected as a PE Executable.` `Resource 101 detected as a PE Executable.`
Malicious	VirusTotal score: 31/69 (Scanned on 2026-02-01 15:18:19)	`ALYac: Gen:Variant.Application.Fragtor.1110` `APEX: Malicious` `Arcabit: Trojan.Application.Fragtor.D456` `BitDefender: Gen:Variant.Application.Fragtor.1110` `CAT-QuickHeal: Trojan.Ghanarava.1767966591648653` `CTX: exe.trojan.fragtor` `CrowdStrike: win/malicious_confidence_70% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Emsisoft: Gen:Variant.Application.Fragtor.1110 (B)` `Fortinet: W32/PossibleThreat` `GData: Gen:Variant.Application.Fragtor.1110` `Google: Detected` `Gridinsoft: Pack.Win32.Gen.bot!ep-45894` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Generic.Malware/Suspicious` `McAfeeD: ti!E9DB7C797011` `MicroWorld-eScan: Gen:Variant.Application.Fragtor.1110` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: BehavesLike.Win32.Infected.hm` `Sophos: Generic ML PUA (PUA)` `Trapmine: malicious.high.ml.score` `TrellixENS: GenericRXWR-SB!1CD491C1BD46` `VIPRE: Gen:Variant.Application.Fragtor.1110` `Varist: W32/ABApplication.DLKV-3405` `Yandex: Packed/MoleBox` `tehtris: Generic.Malware`

Hashes

MD5	`1cd491c1bd466358376979f11e648653`
SHA1	`9ba87fa311871ab5aef57e011963556140b65f7f`
SHA256	`e9db7c7970119aaa0df60ff2a8d39721d5154f7e34268640a14e986435892214`
SHA3	`206f9183e9b9775d637404025c992638afdbbbc6a3e1d5e4d09966a2079d99a6`
SSDeep	`6144:fDOcACS4eEIy3rvjs23EYkHB9+2in1TnwFJe0I05w3i0Y1DWbcY:LVRPIy3rvjs2PmYnr25b0QagY`
Imports Hash	`4f3eb218f5117152444b5a7a0671d89d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	2017-Nov-16 22:26:31
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0`
SizeOfInitializedData	`0x8ea00`
SizeOfUninitializedData	`0x2000`
AddressOfEntryPoint	`0x000C3B23 (Section: 5\x00ext)`
BaseOfCode	`0xc2000`
BaseOfData	`0x1e000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0xdd000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

0\x00ext

MD5	`afb0c44b3ff9ca4c5d8bc8dc21d1dd1f`
SHA1	`86b8b6929e8d516846210eb222228f703539e105`
SHA256	`04c7d146b2d3310553f354289265e5e50c82ff605dbf0631cd731f7d5a0c331b`
SHA3	`10b4e304407e5910ee37a65dcec47ae83e7df9b402b503b4c8d398d8e406cf62`
VirtualSize	`0x1c426`
VirtualAddress	`0x1000`
SizeOfRawData	`0xfe00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99541`

1\x00data

MD5	`0894f292b74b9593cd0595b1989de9d8`
SHA1	`15af0c12c343aa1e5c0ca1cd14690cf44770314f`
SHA256	`0c921a820a9aebd4e5f04201b3f6080fb00443af91ec7b456cadbe11c958c365`
SHA3	`78ee3e9c1105dffb6602cecb5aaa8b141ce79c721433944e3dca8fbce4c64b28`
VirtualSize	`0x11a94`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x10200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99161`

2\x00ata

MD5	`60f328e5d2b30438b4b99b5ae51bdd1e`
SHA1	`973c610df6024a863e7e441b54a8c69c28458be0`
SHA256	`92d23c157046c7ecc782256e392805d759ceec434bd6620ab1f06609c85e87a0`
SHA3	`8ef6724d79cca215097abfc91c5272a6b98647dca2ff4baca9a39fa555dec758`
VirtualSize	`0x2527c`
VirtualAddress	`0x30000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x16200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.94948`

3\x00src

MD5	`5d8b8bfad50699a6d35fc91bd7f02c78`
SHA1	`79f96355c686b6eb9c1637ebcc0e8c3fe44fea0c`
SHA256	`8e6f2f19d520e826bd8b1ec6cb3f5f7c13ad8b9856ba3de314ad4e8d94041df1`
SHA3	`ecdc00efe81ea74f237a0745a102f88f35769f0d08b9ab78e9f5ea80bd421b5d`
VirtualSize	`0x69c48`
VirtualAddress	`0x56000`
SizeOfRawData	`0x69e00`
PointerToRawData	`0x17600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.77962`

4\x00eloc

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1e7c`
VirtualAddress	`0xc0000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

5\x00ext

MD5	`5b91b4fc3b1313daf565e022ffb4c370`
SHA1	`226850a2533404cd6e7fa6cfe8808d8afbdae49c`
SHA256	`4b842f9b1c9fde366bbc729b4d30c64f5ae56d593fa908b4c61041d23dbcf641`
SHA3	`ca3a3b40dc912ada5777f313dbdae8907a500f258ec36d32dce0eaa309442743`
VirtualSize	`0x1103f`
VirtualAddress	`0xc2000`
SizeOfRawData	`0xb000`
PointerToRawData	`0x81400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.89356`

6\x00data

MD5	`16ff585dbf946cc10acf55f4a2ecb353`
SHA1	`955746e4a52e6db9f323e401cd851a1b2cb5059d`
SHA256	`b6f064f38328d1baa4127bd8864f34315b3a36e5f647f21d12c8c131c68aca0d`
SHA3	`961b2dc2570062dd1ec1f31dac82e2737fe9a923e711ee95835c885fec53c644`
VirtualSize	`0xcf6`
VirtualAddress	`0xd4000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x8c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.31104`

7\x00ata

MD5	`bdfa943c910d81c42b63406363299fba`
SHA1	`80acb885874eb93228147f075336ab5fda88cc8c`
SHA256	`d6aa3ee826ca9a2a386960900489a9c955f50f3f6b2cd0c08e38b20c99af303b`
SHA3	`60d5faa7bd6f4c3f26fdc850c62dcfcc606c2d030d750ed28dd5be1c52c540ae`
VirtualSize	`0x7110`
VirtualAddress	`0xd5000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0x8d200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.97368`

Imports

KERNEL32.dll	`lstrcatA` `InitializeCriticalSection` `GetProcAddress` `LocalFree` `RaiseException` `LocalAlloc` `GetModuleHandleA` `LeaveCriticalSection` `EnterCriticalSection` `ResumeThread` `WriteProcessMemory` `GetPrivateProfileSectionA` `GetStringTypeA` `LCMapStringW` `LCMapStringA` `RtlUnwind` `WideCharToMultiByte` `MultiByteToWideChar` `GetStringTypeW`
USER32.dll	`DefWindowProcA` `AdjustWindowRectEx`

Delayed Imports

RCACCESSCHK64

Type	`BINRES`
Language	English - United States
Codepage	UNKNOWN
Size	`0x640a0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.63527`
Detected Filetype	PE Executable
MD5	`dbdce12349b96f4c9747a4cd23312205`
SHA1	`166bf5eb67ef473f8b90a5785f159babed6cbfd1`
SHA256	`938273bc3b905c1385ce5a16ae1a7ae148b0ee10d115735d261078e4bceb69d4`
SHA3	`59b489b672f307e72dccdbbaba0259c2b1609f00415ff036539b92072bd9946d`

101

Type	`BINRES`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5340`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.89826`
Detected Filetype	PE Executable
MD5	`74da76c36e625c7b20edeea321d97999`
SHA1	`d16c24ff675b2049fb847cc23d15a17a341f3fc9`
SHA256	`d2875fc25d5e16423de4f8cd16185ca1b1436787d0a651c32f360fb42d75132d`
SHA3	`b4e6fd83e8d1e000be7a7e1507c3516879003b190fa85618702f0132fbd8e1e1`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x394`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.44316`
MD5	`a4afa184ceb88ca157505f729efe2403`
SHA1	`161a567f301be006605116fbc5af3172d4d1bccc`
SHA256	`30e8e6a04828d84b07e9e5062839d412a5bf9260e166fbd889be4e0fd9309dbe`
SHA3	`660fb8e6732ab85d14871953e7f02bbbae1aea215091a3c9dfcb0ee90d871dcc`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x37b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89381`
MD5	`2987ae885596b267fa4a7d452ab5a0de`
SHA1	`1b6daa2d861ffad8dd84fd8a5c7b7c6dc36416a4`
SHA256	`102040b3655484164dcce6dab30f349829787e443f5b963d26b28e25679be33b`
SHA3	`f3194108ab982bb6e612fc9d4d4f8bd0a84b030d5a83b7de8de2a690f4456ba2`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.12.0.0
ProductVersion	6.12.0.0
FileFlags	`VS_FF_SPECIALBUILD`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Sysinternals - www.sysinternals.com
FileDescription	Reports effective permissions for securable objects
FileVersion (#2)	6.12
InternalName	Accesschk
LegalCopyright	Copyright (C) 2006-2017 Mark Russinovich
OriginalFilename	accesschk.exe
ProductName	Sysinternals AccessChk
ProductVersion (#2)	6.12
SpecialBuild

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x8806005c`
Unmarked objects	`0`
C++ objects (VS2013 build 21005)	`51`
ASM objects (VS2013 build 21005)	`21`
C objects (VS2013 build 21005)	`148`
Imports (VS2008 SP1 build 30729)	`17`
Total imports	`190`
C objects (VS2013 UPD4 build 31101)	`1`
C++ objects (VS2013 UPD4 build 31101)	`12`
Resource objects (VS2013 build 21005)	`1`
Linker (VS2013 UPD4 build 31101)	`1`

Errors

[*] Warning: Section 4\x00eloc has a size of 0!

Leave a comment

No comments yet.