Manalyze report for 0c5c5259ecfdd0ec12c44ec23b38e91c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Feb-12 01:13:43
Detected languages	English - United States

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .RZX0` `Unusual section name found: .RZX1` `Unusual section name found: .RZX2`
Suspicious	The PE contains functions most legitimate programs don't use.	`Possibly launches other programs: ShellExecuteA` `Manipulates other processes: Process32FirstW`
Malicious	VirusTotal score: 23/72 (Scanned on 2026-02-13 17:00:49)	`APEX: Malicious` `Antiy-AVL: Trojan[Packed]/Win64.VMProtect` `Bkav: W64.AIDetectMalware` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/Packed.VMProtect.AC suspicious application` `Elastic: malicious (high confidence)` `Fortinet: Riskware/Application` `Gridinsoft: Trojan.Heur!.02212023` `Kaspersky: Trojan.Win32.Arkmblk.arr` `Malwarebytes: Malware.AI.4062054861` `McAfeeD: Real Protect-LS!0C5C5259ECFD` `Microsoft: Trojan:Win32/Kepavll!rfn` `Paloalto: generic.ml` `Rising: Trojan.Convagent!8.12323 (CLOUD)` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Symantec: ML.Attribute.HighConfidence` `alibabacloud: Trojan:Win/Wacatac.B9nj` `tehtris: Generic.Malware`

Hashes

MD5	`0c5c5259ecfdd0ec12c44ec23b38e91c`
SHA1	`2d1368be5c96ced2cab3a31c5fde07ebef9628c0`
SHA256	`6ff0294725916495308a5f20aef79b70bd584ccdd10b7fb9cbe8e59e50d89689`
SHA3	`9ee43aec8269ec887d42f4cac743235f9fe61cc75aeb323b2242537e2010fcd1`
SSDeep	`196608:RShsO1bTHOr1m5lIWKZrK8+XK5jtVjxIH:4mOBTuxmg5ITGj3`
Imports Hash	`abceb6c56b524cd8f8c59518c9b65a9b`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2026-Feb-12 01:13:43
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x7a800`
SizeOfInitializedData	`0x6ce00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000061BC6F (Section: .RZX2)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xb85000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x7a627`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.rdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x422f8`
VirtualAddress	`0x7c000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.data

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x2d08`
VirtualAddress	`0xbf000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.pdata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x5760`
VirtualAddress	`0xc2000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`

.RZX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x42a90a`
VirtualAddress	`0xc8000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`

.RZX1

MD5	`86d41cc5879775440acca9455dba6f36`
SHA1	`9e0765fbf801080185d246f66d489d345f4fb93f`
SHA256	`c3b70d3e968d768b34d04f6c58b806261e825b9448ec5588ed9caf86d1a21d42`
SHA3	`0c2d4ca7f75e0d31f87255ba2d9a70640f14790352ae597bd71cbf402b598c9d`
VirtualSize	`0x180`
VirtualAddress	`0x4f3000`
SizeOfRawData	`0x200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.22224`

.RZX2

MD5	`9289b2f22f3afe26ae1b843545e5e01b`
SHA1	`c32b41d6338eccaf6f73c60c3ee5de16378134d4`
SHA256	`f8c554d247e6803e7a20b76d3e611766f5208732ff686ada294f4ee7cb6853fc`
SHA3	`400dfcca975a5d5d109ff1ac542b0d4359bd491c5b04e8bcda3666c5dce3bb48`
VirtualSize	`0x68e294`
VirtualAddress	`0x4f4000`
SizeOfRawData	`0x68e400`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.89655`

.rsrc

MD5	`1ba333f344517ae40e284929a34bde9d`
SHA1	`7eeeac36b9e04b9dd2007ad2755c7be251502d11`
SHA256	`f387a4f5974af1d1e52802a0110a16866c10907a1319ac2ee111b31efd939786`
SHA3	`58b00580b119425dc5fe665f6f049aefd6c7ecb35abdd59fe420c23d181f730d`
VirtualSize	`0x1e0`
VirtualAddress	`0xb83000`
SizeOfRawData	`0x200`
PointerToRawData	`0x68ea00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7657`

.reloc

MD5	`a9f47535a7a57f5427cdca76feb5aeb5`
SHA1	`448760602cc3595a6f63b7d3721ecd9677c4ea43`
SHA256	`b5eaa5ee93acb053c27f28dfc858733cf8f82196c6fd1614e0895a7ae0f02ab3`
SHA3	`a85394dba94630a1034cd482a70f8fe966841606806d4cd8e250e5a584016626`
VirtualSize	`0x80`
VirtualAddress	`0xb84000`
SizeOfRawData	`0x200`
PointerToRawData	`0x68ec00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.28711`

Imports

dwmapi.dll	`DwmExtendFrameIntoClientArea`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
KERNEL32.dll	`Process32FirstW`
USER32.dll	`GetKeyNameTextA`
SHELL32.dll	`ShellExecuteA`
MSVCP140.dll	`?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ`
IMM32.dll	`ImmGetContext`
D3DCOMPILER_47.dll	`D3DCompile`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`__std_exception_copy`
api-ms-win-crt-runtime-l1-1-0.dll	`_initterm`
api-ms-win-crt-string-l1-1-0.dll	`strncmp`
api-ms-win-crt-stdio-l1-1-0.dll	`__p__commode`
api-ms-win-crt-time-l1-1-0.dll	`strftime`
api-ms-win-crt-convert-l1-1-0.dll	`atof`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode`
api-ms-win-crt-filesystem-l1-1-0.dll	`_unlock_file`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-math-l1-1-0.dll	`fmodf`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400bf040`

RICH Header

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .text has a size of 0!
[*] Warning: Section .rdata has a size of 0!
[*] Warning: Section .data has a size of 0!
[*] Warning: Section .pdata has a size of 0!
[*] Warning: Section .RZX0 has a size of 0!