Manalyze report for 2ad94b534400769dc5118c3fdfa28f5072282608adefa7db551e339486b198d5

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-Jun-07 00:45:39
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains a XORed PE executable: 2a 16 17 0d 5e 0e 0c 11 19 0c 1f 13 5e 1d 1f 10 10 11 0a 5e ...` `Miscellaneous malware strings: cmd.exe` `Contains domain names: example.com github.com https://curl.se https://github.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses constants related to RC5 or RC6` `Uses known Mersenne Twister constants` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegOpenKeyExW RegQueryValueExW RegOpenKeyExA RegQueryValueExA RegCloseKey` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptQueryObject CryptStringToBinaryW CryptDecodeObjectEx CryptEnumProvidersW CryptSignHashW CryptDecrypt CryptExportKey CryptGetUserKey CryptGetProvParam CryptSetHashParam CryptGenRandom CryptEncrypt CryptImportKey CryptDestroyKey CryptDestroyHash CryptHashData CryptCreateHash CryptGetHashParam CryptReleaseContext CryptAcquireContextW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Has Internet access capabilities: InternetReadFile InternetOpenUrlA InternetOpenA InternetCloseHandle` Leverages the raw socket API to access the Internet: getsockopt send recv setsockopt WSACloseEvent WSACreateEvent WSAEnumNetworkEvents WSAEventSelect WSAResetEvent WSAWaitForMultipleEvents WSASetLastError WSAIoctl closesocket WSAGetLastError htons socket ntohs WSAStartup WSACleanup accept bind connect getpeername ioctlsocket __WSAFDIsSet shutdown getservbyname getservbyport gethostbyaddr inet_ntoa inet_addr gethostbyname gethostname select sendto recvfrom freeaddrinfo getaddrinfo listen htonl getsockname `Functions related to the privilege level: OpenProcessToken` `Interacts with services: OpenSCManagerA EnumServicesStatusA` `Enumerates local disk drives: GetDriveTypeW GetVolumeInformationA` `Manipulates other processes: Process32FirstW Process32NextW OpenProcess` `Reads the contents of the clipboard: GetClipboardData` `Interacts with the certificate store: CertAddCertificateContextToStore CertOpenSystemStoreW CertOpenStore`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`b1556c7c62b7613c8b57f7c6347c4162`
SHA1	`7bf7d0c66aa9fad2979d7cf39a88779da5645b08`
SHA256	`2ad94b534400769dc5118c3fdfa28f5072282608adefa7db551e339486b198d5`
SHA3	`98d71a3030343d73b102cc071ce497964938d3f873c42a6ac221563038552462`
SSDeep	`196608:twsijjL107Mp6BcArsqAb3vbZQJBOynCGR:twsiD107Mp6BcArsHb3vbZQDOyCGR`
Imports Hash	`0a11fe6d7682c59d72960f1f61d9b488`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x128`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2026-Jun-07 00:45:39
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x44c600`
SizeOfInitializedData	`0x214800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000040C3A8 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x666000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`2680eee1286b16544de54089b909845e`
SHA1	`914a9ef0277e9a03cc7b9544320e10d3c885207f`
SHA256	`26d0ce2611c506218833e3e7f5efa79c3e0ac07b1644279c693186d6dc34b738`
SHA3	`80656c4b54dcd150ea08f3e587a3ddc4a71c9a40ad5a1597310097e9f4dc2e86`
VirtualSize	`0x44c5a0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x44c600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.70342`

.rdata

MD5	`1c99d5dacf7c1544ea2d2d913b2059ed`
SHA1	`e0553303983fee46fac3f2c138f1a6757468557e`
SHA256	`453acd6da7448295a6366888d05159d67e8085db9cb084be289d289fe7578f46`
SHA3	`8117e73603c60fb7a6d57e80b77de1909b1b61c6392783d3c6ccd5da685612da`
VirtualSize	`0x1769fe`
VirtualAddress	`0x44e000`
SizeOfRawData	`0x176a00`
PointerToRawData	`0x44ca00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.8075`

.data

MD5	`c5918f9a8893903841c1f7f09cac0c8d`
SHA1	`c774b93d260c33c83bc8dcee9f974021aa01b1a5`
SHA256	`2357b6ef48b86f48a133df895c5495fb42a9c5216092f8baedae8e5a3cb839db`
SHA3	`578486d191a19b5ac4551654651049d2f3515f2f58f9cb0010aea665b27ddc65`
VirtualSize	`0x5b93c`
VirtualAddress	`0x5c5000`
SizeOfRawData	`0x4b400`
PointerToRawData	`0x5c3400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.57339`

.pdata

MD5	`2582207f16caaeac5da4ded82f1743be`
SHA1	`5f67b616edc732ffbd77a1a30848d9675066cd5b`
SHA256	`977c4be31ae88ecb28f12f1a1996a97e6b60c3247ce99b09f3404ac58ca34e1e`
SHA3	`0039818e780ffb13a0c23b0572653951423f1b7c2c45c091077efbe13238e22f`
VirtualSize	`0x343c8`
VirtualAddress	`0x621000`
SizeOfRawData	`0x34400`
PointerToRawData	`0x60e800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.31343`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x656000`
SizeOfRawData	`0x200`
PointerToRawData	`0x642c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`5251cded6c44b94295b8862a81f58fbb`
SHA1	`d3d50181d829b1b7db9f819b4af421ca37cd5c6b`
SHA256	`67b3ff9db4644aaa456eb669206fd0c0306a5808314923d5354430ec04184a1a`
SHA3	`698cab06af13a4cdfa870b877dafb85b278759bc175d4a5a8a759a0d06474fc3`
VirtualSize	`0x1e8`
VirtualAddress	`0x657000`
SizeOfRawData	`0x200`
PointerToRawData	`0x642e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.75924`

.reloc

MD5	`51a0ba80ce9a7b45891b47b21e1de7c3`
SHA1	`123fc63a70a894dd066c99722f2c2f62ad86db23`
SHA256	`ffe2b75ab6b264bceab371dc4a320b16ad621e1ef7ed4de85985c3b2bf032005`
SHA3	`554f3e90d941228df0430e7c25e90a943271cec9483b9da110f7eadc86094468`
VirtualSize	`0xdbd8`
VirtualAddress	`0x658000`
SizeOfRawData	`0xdc00`
PointerToRawData	`0x643000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.43757`

Imports

d3dx9_43.dll	`D3DXCreateTextureFromFileInMemoryEx`
WS2_32.dll	`getsockopt` `send` `recv` `setsockopt` `WSACloseEvent` `WSACreateEvent` `WSAEnumNetworkEvents` `WSAEventSelect` `WSAResetEvent` `WSAWaitForMultipleEvents` `WSASetLastError` `WSAIoctl` `closesocket` `WSAGetLastError` `htons` `socket` `ntohs` `WSAStartup` `WSACleanup` `accept` `bind` `connect` `getpeername` `ioctlsocket` `__WSAFDIsSet` `shutdown` `getservbyname` `getservbyport` `gethostbyaddr` `inet_ntoa` `inet_addr` `gethostbyname` `gethostname` `select` `sendto` `recvfrom` `freeaddrinfo` `getaddrinfo` `listen` `htonl` `getsockname`
CRYPT32.dll	`CertFreeCTLContext` `CertFindExtension` `CertGetNameStringW` `CryptQueryObject` `CertGetCertificateContextProperty` `CertFreeCertificateChainEngine` `CertGetCertificateChain` `CertFreeCertificateChain` `CertDuplicateCertificateContext` `CertCreateCertificateChainEngine` `CertAddCertificateContextToStore` `CertOpenSystemStoreW` `CertOpenStore` `CertCloseStore` `CertEnumCertificatesInStore` `CertFindCertificateInStore` `CertFreeCertificateContext` `CryptStringToBinaryW` `PFXImportCertStore` `CryptDecodeObjectEx` `CertFreeCRLContext`
Secur32.dll	`InitSecurityInterfaceW`
ADVAPI32.dll	`OpenSCManagerA` `RegOpenKeyExW` `RegQueryValueExW` `OpenProcessToken` `GetTokenInformation` `GetUserNameA` `RegOpenKeyExA` `RegQueryValueExA` `CloseServiceHandle` `EnumServicesStatusA` `ConvertSidToStringSidA` `CryptEnumProvidersW` `CryptSignHashW` `CryptDecrypt` `CryptExportKey` `CryptGetUserKey` `CryptGetProvParam` `CryptSetHashParam` `CryptGenRandom` `ReportEventW` `RegisterEventSourceW` `DeregisterEventSource` `CryptEncrypt` `CryptImportKey` `CryptDestroyKey` `CryptDestroyHash` `CryptHashData` `CryptCreateHash` `CryptGetHashParam` `CryptReleaseContext` `CryptAcquireContextW` `RegCloseKey`
IPHLPAPI.DLL	`GetAdaptersInfo` `if_nametoindex`
KERNEL32.dll	`ExitProcess` `GetConsoleCP` `GetDriveTypeW` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetConsoleOutputCP` `SetFilePointerEx` `GetCommandLineA` `GetCommandLineW` `HeapFree` `HeapAlloc` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `ExitThread` `GetTimeFormatW` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `FlushFileBuffers` `GetExitCodeProcess` `CreateProcessW` `GetTimeZoneInformation` `ReadConsoleInputW` `HeapReAlloc` `SetStdHandle` `SetEndOfFile` `FreeLibraryAndExitThread` `GetDateFormatW` `CreateFileW` `CloseHandle` `DeviceIoControl` `CreateToolhelp32Snapshot` `Process32FirstW` `Process32NextW` `GlobalAlloc` `GlobalUnlock` `GlobalLock` `GlobalFree` `MultiByteToWideChar` `WideCharToMultiByte` `VerSetConditionMask` `QueryPerformanceCounter` `QueryPerformanceFrequency` `FreeLibrary` `GetModuleHandleA` `GetProcAddress` `LoadLibraryA` `IsDebuggerPresent` `GetCurrentProcessId` `GetCurrentThreadId` `VirtualAlloc` `VirtualFree` `SetUnhandledExceptionFilter` `GetLastError` `GetCurrentProcess` `GetSystemDirectoryW` `VirtualQuery` `CreateFileMappingW` `MapViewOfFile` `UnmapViewOfFile` `K32GetModuleInformation` `GetModuleFileNameW` `GetStdHandle` `GetEnvironmentVariableA` `CreateDirectoryA` `DeleteFileA` `GetFileAttributesA` `SetFileAttributesA` `GetVolumeInformationA` `CreateMutexA` `IsValidCodePage` `TerminateProcess` `CreateThread` `GetCurrentThread` `SetThreadPriority` `SetPriorityClass` `OpenProcess` `GlobalMemoryStatusEx` `GetSystemInfo` `GetSystemTime` `GetLocalTime` `GetTickCount` `GetTickCount64` `GetWindowsDirectoryA` `GetNativeSystemInfo` `VirtualProtect` `GetModuleFileNameA` `GetModuleHandleW` `GlobalSize` `LocalAlloc` `LocalFree` `QueryFullProcessImageNameA` `GetComputerNameA` `FreeConsole` `GetConsoleMode` `SetConsoleMode` `SetConsoleCtrlHandler` `SetConsoleCP` `SetConsoleOutputCP` `GetConsoleCursorInfo` `SetConsoleCursorInfo` `GetConsoleScreenBufferInfo` `SetConsoleTextAttribute` `SetConsoleTitleA` `SetCurrentConsoleFontEx` `GetConsoleWindow` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `DeleteCriticalSection` `FormatMessageW` `SleepEx` `GetFullPathNameW` `MoveFileExW` `WaitForSingleObjectEx` `GetFileType` `ReadFile` `PeekNamedPipe` `WaitForMultipleObjects` `VerifyVersionInfoW` `GetFileSizeEx` `WriteFile` `RtlVirtualUnwind` `InitializeSRWLock` `ReleaseSRWLockShared` `AcquireSRWLockShared` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetModuleHandleExW` `GetSystemTimeAsFileTime` `GetEnvironmentVariableW` `RtlUnwind` `InitializeCriticalSection` `ReleaseSemaphore` `WaitForSingleObject` `GetExitCodeThread` `CreateSemaphoreA` `GetSystemDirectoryA` `FormatMessageA` `LoadLibraryW` `SystemTimeToFileTime` `FindClose` `FindFirstFileW` `FindNextFileW` `ReadConsoleA` `ReadConsoleW` `DeleteFileW` `LoadLibraryExW` `InitializeCriticalSectionAndSpinCount` `RtlUnwindEx` `RaiseException` `RtlPcToFileHeader` `InitializeSListHead` `GetStartupInfoW` `IsProcessorFeaturePresent` `UnhandledExceptionFilter` `GetCPInfo` `GetStringTypeW` `WakeAllConditionVariable` `LCMapStringEx` `DecodePointer` `EncodePointer` `GetFileInformationByHandleEx` `AreFileApisANSI` `SetFileInformationByHandle` `GetFileInformationByHandle` `GetFileAttributesExW` `GetOEMCP` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `FindFirstFileExW` `CreateDirectoryW` `GetCurrentDirectoryW` `GetProcessHeap` `WriteConsoleW` `HeapSize` `Sleep` `GetACP` `InitOnceComplete` `InitOnceBeginInitialize` `GetLocaleInfoEx` `SleepConditionVariableSRW` `TryAcquireSRWLockExclusive`
USER32.dll	`ShowWindow` `DestroyWindow` `IsWindow` `GetSystemMetrics` `OpenClipboard` `CloseClipboard` `SetClipboardData` `GetClipboardData` `EmptyClipboard` `GetKeyState` `SetWindowPos` `GetForegroundWindow` `IsWindowVisible` `GetClientRect` `SetCursorPos` `SetCursor` `GetCursorPos` `ClientToScreen` `ScreenToClient` `LoadCursorW` `GetLastInputInfo` `MessageBoxW` `GetUserObjectInformationW` `GetProcessWindowStation` `EnumDisplayMonitors` `GetMonitorInfoA` `LoadIconW` `GetWindow` `GetWindowThreadProcessId` `EnumWindows` `GetDesktopWindow` `SetWindowLongPtrW` `GetWindowLongPtrW` `MessageBoxA` `GetWindowRect` `SendMessageW`
ole32.dll	`CreateStreamOnHGlobal` `GetHGlobalFromStream`
d3d9.dll	`Direct3DCreate9Ex`
IMM32.dll	`ImmGetContext` `ImmReleaseContext` `ImmAssociateContextEx` `ImmSetCompositionWindow` `ImmSetCandidateWindow`
ntdll.dll	`RtlLookupFunctionEntry` `RtlCaptureContext`
WININET.dll	`HttpQueryInfoA` `InternetReadFile` `InternetOpenUrlA` `InternetOpenA` `InternetCloseHandle`
gdiplus.dll	`GdipDisposeImage` `GdipSaveImageToStream` `GdipCloneImage` `GdipGetImageEncodersSize` `GdipGetImageEncoders` `GdiplusShutdown` `GdiplusStartup` `GdipFree` `GdipCreateBitmapFromHBITMAP` `GdipAlloc`
bcrypt.dll	`BCryptGenRandom`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-Jun-07 00:45:39
Version	`0.0`
SizeofData	`1068`
AddressOfRawData	`0x58e598`
PointerToRawData	`0x58cf98`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2026-Jun-07 00:45:39
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x14058ea10`
EndAddressOfRawData	`0x1405920f4`
AddressOfIndex	`0x14061f370`
AddressOfCallbacks	`0x14044ee90`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_16BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14060e7c0`

RICH Header

XOR Key	`0x36f65e4b`
Unmarked objects	`0`
C++ objects (33145)	`211`
C objects (33145)	`45`
ASM objects (33145)	`25`
253 (35207)	`3`
C objects (35207)	`19`
ASM objects (35207)	`12`
C++ objects (35207)	`100`
Imports (VS2012 build 50727 / VS2005 build 50727)	`2`
Imports (33145)	`30`
Unmarked objects (#2)	`42`
C objects (35223)	`970`
Imports (21202)	`3`
Total imports	`411`
C++ objects (35223)	`18`
Resource objects (35223)	`1`
Linker (35223)	`1`

Errors

Leave a comment

No comments yet.