Manalyze report for dcb04bad2eb62d8e258a8038e741c554

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	1970-Jan-01 00:00:00
TLS Callbacks	2 callback(s) detected.

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services` Contains domain names: 2019.www.torproject.org blog.torproject.org bridges.torproject.org bugs.torproject.org freehaven.net google.com https://2019.www.torproject.org https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s https://blog.torproject.org https://blog.torproject.org/lifecycle-of-a-new-relay https://blog.torproject.org/v2-deprecation-timeline https://bridges.torproject.org https://bridges.torproject.org/status?id https://bugs.torproject.org https://bugs.torproject.org/tpo/core/tor/14917. https://bugs.torproject.org/tpo/core/tor/21155. https://bugs.torproject.org/tpo/core/tor/8742. https://freehaven.net https://support.torproject.org https://support.torproject.org/faq/staying-anonymous/ https://www.gnu.org https://www.gnu.org/licenses/gpl-3.0.en.html https://www.torproject.org https://www.torproject.org/ https://www.torproject.org/docs/faq.html#BestOSForRelay https://www.torproject.org/documentation.html lists.torproject.org openssl.org slashdot.org support.torproject.org torproject.org www.gnu.org www.google.com www.mit.edu www.slashdot.org www.torproject.org www.yahoo.com yahoo.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses known Diffie-Helman primes` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .buildid`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW` `Can access the registry: RegCloseKey RegOpenKeyExA RegQueryValueExA` `Possibly launches other programs: CreateProcessA` `Uses Windows's Native API: ntohl ntohs` `Uses Microsoft's cryptographic API: CryptAcquireContextA CryptAcquireContextW CryptGenRandom CryptReleaseContext` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Leverages the raw socket API to access the Internet: WSACleanup WSAGetLastError WSAIoctl WSASetLastError WSAStartup accept bind closesocket connect freeaddrinfo getaddrinfo gethostbyaddr gethostbyname gethostname getprotobynumber getservbyname getservbyport getsockname getsockopt htonl htons inet_addr inet_ntoa ioctlsocket listen ntohl ntohs recv recvfrom select send sendto setsockopt shutdown socket` `Manipulates other processes: OpenProcess`
Safe	VirusTotal score: 0/71 (Scanned on 2024-04-23 12:23:49)	`All the AVs think this file is safe.`

Hashes

MD5	`dcb04bad2eb62d8e258a8038e741c554`
SHA1	`ba64b4b7134d9ccda5cdd3624cdc898e3778fb7f`
SHA256	`33049016dd8985e97e69d89cad74b59b06488310c0be86d0f83b10ee096b7875`
SHA3	`7305c69a0e3e23e3b8e50971f32f87077b22d12c9501d3f7dfde5d2da2f3023f`
SSDeep	`98304:t6cZV1QNa2cGlKTdAp1VdV/b+tAeGJwTt1BWmJwL+lTBHMjr3:nZbQ5zdtb6p1BWYH`
Imports Hash	`7159df2f64515146daa2fa421ec17aa6`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x6cc200`
SizeOfInitializedData	`0x1c3400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000001350 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x89f000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`50fa4432a863a6efa1e2f4d532f96e17`
SHA1	`d459adc67ff0045f7203443462245e0129364f35`
SHA256	`99dcac96f84bee1fb47e52972ffd4f588ef56c10a8b9df42d85d33f987a3860c`
SHA3	`e1c9fe2c4eadf74376aa94d0ed6f50ff944f6cdedae41a815ecf86fea3794ebe`
VirtualSize	`0x6cc1b6`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6cc200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.05664`

.rdata

MD5	`61709093815df0b0d28652b51df8dd67`
SHA1	`476f2b66190dc751cd1c7958796b08ca3b70a627`
SHA256	`0f693aef1b3e8d8ec4e6e66bdee8141894b53a7a767ea93793f1120db0a28b87`
SHA3	`c82f1413c3344e114d580af70177cf582e83b39d82626451cdb59a9a64fbd8ec`
VirtualSize	`0x176460`
VirtualAddress	`0x6ce000`
SizeOfRawData	`0x176600`
PointerToRawData	`0x6cc600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.67059`

.buildid

MD5	`82a86b025996e59c53a28b7e62a827f0`
SHA1	`73a63f916d8f0bc141d7bcb37c43d474d31646d3`
SHA256	`3293855f05475f95f6661fd194ed727fc7b309d16b0d4e7d51b020d5bb7823da`
SHA3	`1152516d116a19d15523f3b77e328626a4581e79151de4523b2bb14b88842e35`
VirtualSize	`0x35`
VirtualAddress	`0x845000`
SizeOfRawData	`0x200`
PointerToRawData	`0x842c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.556397`

.data

MD5	`f6e5f75e79cc5e1b88e9104876c68a31`
SHA1	`1d6919d629d9b361f998671297a3194118998996`
SHA256	`83d7c9a8c2d609175684e611cbccda3395ffcb2403f37bc23815f9142b668649`
SHA3	`fcf261e9e80a90ad6bf1d1ce4c452829d842cef6f36df9e07254f28e9f04d03b`
VirtualSize	`0x1ceec`
VirtualAddress	`0x846000`
SizeOfRawData	`0x13400`
PointerToRawData	`0x842e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.02496`

.pdata

MD5	`a11f522eab893976027bf5d6c5171718`
SHA1	`7a05f3e3650a8ddf514344333c8956bdd3d6f549`
SHA256	`b059f86ffb89f78fda29ea4325c9b79a24b1887ea58363726ad0b8cb441546b9`
SHA3	`d2c89bd5f3938e409cd4443e4cdfae06ff098e679e376c362b6596917ab089f1`
VirtualSize	`0x2e2d8`
VirtualAddress	`0x863000`
SizeOfRawData	`0x2e400`
PointerToRawData	`0x856200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.39092`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x892000`
SizeOfRawData	`0x200`
PointerToRawData	`0x884600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.reloc

MD5	`d932914771b3e112135aa7f316d2b24b`
SHA1	`68cadd45dfd27a0c2d302dbf9bbb6c11294c90de`
SHA256	`3bf2406e32d9a6125940e1a15ae4e8d8c5d9c1b4bcf49c0af4bac5982d808fae`
SHA3	`bda33a0f55d2e9226bed0bc0ac1c27c57d976afbd4d2efe1402fd8c44f2d82db`
VirtualSize	`0xb10c`
VirtualAddress	`0x893000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x884800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.46176`

Imports

api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `calloc` `free` `malloc` `realloc`
api-ms-win-crt-private-l1-1-0.dll	`__C_specific_handler` `memchr` `memcmp` `memcpy` `memmove` `strchr` `strrchr` `strstr` `wcsstr`
api-ms-win-crt-runtime-l1-1-0.dll	`__p___argc` `__p___argv` `__p___wargv` `_assert` `_beginthread` `_cexit` `_configure_narrow_argv` `_configure_wide_argv` `_crt_at_quick_exit` `_crt_atexit` `_endthread` `_errno` `_exit` `_getpid` `_initialize_narrow_environment` `_initialize_wide_environment` `_initterm` `_set_app_type` `_set_invalid_parameter_handler` `abort` `exit` `raise` `signal` `strerror`
api-ms-win-crt-stdio-l1-1-0.dll	`__acrt_iob_func` `__p__commode` `__p__fmode` `__stdio_common_vfprintf` `__stdio_common_vfwprintf` `__stdio_common_vsprintf` `__stdio_common_vsscanf` `__stdio_common_vswprintf` `_chsize` `_close` `_fileno` `_getcwd` `_locking` `_lseek` `_lseeki64` `_open` `_read` `_setmode` `_wfopen` `_write` `fclose` `feof` `ferror` `fflush` `fgetc` `fgets` `fopen` `fputc` `fputs` `fread` `fseek` `ftell` `fwrite` `getc` `puts` `setvbuf` `ungetc`
api-ms-win-crt-string-l1-1-0.dll	`_strdup` `_stricmp` `_strnicmp` `isdigit` `isspace` `isxdigit` `mbrlen` `memset` `strcat` `strcmp` `strcpy` `strcspn` `strlen` `strncmp` `strncpy` `strpbrk` `strspn` `tolower` `wcscpy` `wcslen`
KERNEL32.dll	`AcquireSRWLockExclusive` `AcquireSRWLockShared` `CloseHandle` `ConvertFiberToThread` `ConvertThreadToFiberEx` `CreateFiberEx` `CreateFileA` `CreateFileMappingA` `CreateIoCompletionPort` `CreateNamedPipeA` `CreateProcessA` `CreateSemaphoreA` `CreateWaitableTimerA` `DeleteCriticalSection` `DeleteFiber` `EnterCriticalSection` `FindClose` `FindFirstFileA` `FindFirstFileW` `FindNextFileA` `FindNextFileW` `FormatMessageA` `FormatMessageW` `FreeLibrary` `GetACP` `GetConsoleMode` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetEnvironmentVariableW` `GetExitCodeProcess` `GetFileSize` `GetFileType` `GetLastError` `GetModuleFileNameA` `GetModuleHandleA` `GetModuleHandleExW` `GetModuleHandleW` `GetProcAddress` `GetQueuedCompletionStatus` `GetStdHandle` `GetSystemDirectoryA` `GetSystemInfo` `GetSystemTime` `GetSystemTimeAsFileTime` `GetTickCount` `GetTimeZoneInformation` `GetVersion` `GetVersionExA` `GlobalMemoryStatusEx` `HeapSetInformation` `InitializeConditionVariable` `InitializeCriticalSection` `InitializeCriticalSectionAndSpinCount` `InitializeSRWLock` `IsProcessorFeaturePresent` `LeaveCriticalSection` `LoadLibraryA` `LoadLibraryW` `LocalAlloc` `LocalFree` `MapViewOfFile` `MultiByteToWideChar` `OpenProcess` `PostQueuedCompletionStatus` `QueryPerformanceCounter` `QueryPerformanceFrequency` `ReadConsoleA` `ReadConsoleW` `ReadFileEx` `ReleaseSRWLockExclusive` `ReleaseSRWLockShared` `ReleaseSemaphore` `RtlVirtualUnwind` `SetConsoleCtrlHandler` `SetConsoleMode` `SetHandleInformation` `SetLastError` `SetUnhandledExceptionFilter` `SetWaitableTimer` `Sleep` `SleepConditionVariableSRW` `SleepEx` `SwitchToFiber` `SystemTimeToFileTime` `TerminateProcess` `TlsAlloc` `TlsFree` `TlsGetValue` `TlsSetValue` `UnmapViewOfFile` `VirtualAlloc` `VirtualFree` `VirtualLock` `VirtualProtect` `VirtualQuery` `WaitForSingleObject` `WakeAllConditionVariable` `WakeConditionVariable` `WideCharToMultiByte` `WriteFile` `WriteFileEx`
WS2_32.dll	`WSACleanup` `WSAGetLastError` `WSAIoctl` `WSASetLastError` `WSAStartup` `accept` `bind` `closesocket` `connect` `freeaddrinfo` `getaddrinfo` `gethostbyaddr` `gethostbyname` `gethostname` `getprotobynumber` `getservbyname` `getservbyport` `getsockname` `getsockopt` `htonl` `htons` `inet_addr` `inet_ntoa` `ioctlsocket` `listen` `ntohl` `ntohs` `recv` `recvfrom` `select` `send` `sendto` `setsockopt` `shutdown` `socket`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr` `_fdopen` `frexp`
api-ms-win-crt-utility-l1-1-0.dll	`abs` `labs` `qsort` `rand_s`
api-ms-win-crt-environment-l1-1-0.dll	`__p__environ` `__p__wenviron` `getenv`
api-ms-win-crt-time-l1-1-0.dll	`__daylight` `__timezone` `__tzname` `_gmtime64` `_gmtime64_s` `_localtime64` `_mktime64` `_time64` `_tzset` `_utime64` `strftime`
api-ms-win-crt-convert-l1-1-0.dll	`atoi` `mbrtowc` `strtol` `strtoll` `strtoul` `strtoull` `wcrtomb` `wcstombs`
SHELL32.dll	`SHGetMalloc` `SHGetPathFromIDListA` `SHGetSpecialFolderLocation` `SHGetSpecialFolderPathA`
api-ms-win-crt-filesystem-l1-1-0.dll	`_fstat64` `_fullpath` `_lock_file` `_mkdir` `_stat64` `_unlink` `_unlock_file` `rename`
SHLWAPI.dll	`PathMatchSpecA`
ADVAPI32.dll	`CryptAcquireContextA` `CryptAcquireContextW` `CryptGenRandom` `CryptReleaseContext` `DeregisterEventSource` `RegCloseKey` `RegOpenKeyExA` `RegQueryValueExA` `RegisterEventSourceW` `ReportEventW`
IPHLPAPI.DLL	`GetAdaptersAddresses` `if_nametoindex`
api-ms-win-crt-locale-l1-1-0.dll	`localeconv`
api-ms-win-crt-conio-l1-1-0.dll	`_getwch` `_putch`
USER32.dll	`GetProcessWindowStation` `GetUserObjectInformationW` `MessageBoxW`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	1970-Jan-01 00:00:00
Version	`0.0`
SizeofData	`25`
AddressOfRawData	`0x84501c`
PointerToRawData	`0x842c1c`

TLS Callbacks

StartAddressOfRawData	`0x140892000`
EndAddressOfRawData	`0x140892008`
AddressOfIndex	`0x1408593c0`
AddressOfCallbacks	`0x140818bd0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x0000000140001B20` `0x0000000140001BA0`

Load Configuration

RICH Header

dcb04bad2eb62d8e258a8038e741c554

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.buildid

.data

.pdata

.tls

.reloc

Imports

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors