Manalyze report for 3610c3a0b1ef7c4844c5d5765c6012f7819ed2efbfe20b886c3d791bfcab118c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Jun-01 11:03:37
TLS Callbacks	2 callback(s) detected.

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: qEMU`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to Blowfish`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: CreateFileW GetTempPathW` `Manipulates other processes: OpenProcess`
Malicious	VirusTotal score: 17/68 (Scanned on 2026-06-16 13:18:27)	`APEX: Malicious` `Bkav: W32.Malware.E0E21C80` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_70% (W)` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Generik.MKPHITE trojan` `Elastic: malicious (high confidence)` `Google: Detected` `McAfeeD: ti!3610C3A0B1EF` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Rising: Trojan.Undefined!8.1327C (CLOUD)` `SentinelOne: Static AI - Suspicious PE` `Symantec: ML.Attribute.HighConfidence` `TrendMicro-HouseCall: Trojan.Win64.Gen.TL0101FB26ZU` `Varist: W64/ABTrojan.MWZT-0574`

Hashes

MD5	`f49bd9c812136b3776ef1dd84e08e5c7`
SHA1	`97d213584189bc1518c5d723f7b40dcb8cb5eea5`
SHA256	`3610c3a0b1ef7c4844c5d5765c6012f7819ed2efbfe20b886c3d791bfcab118c`
SHA3	`1c7148c6c8efd6e6d17b8f6dcb99327c54e466d196a523ab4d2adeadc34b6074`
SSDeep	`196608:dzmrBKHcneDFZWE8G+3TrymQDnu5FPG82UV9/S7YNV:dzxH+eDFlm3yBgG83r67Yf`
Imports Hash	`f92fec1ef585a1de172413a4c9ef0956`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`11`
TimeDateStamp	2026-Jun-01 11:03:37
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x20000`
SizeOfInitializedData	`0x914e00`
SizeOfUninitializedData	`0x29600`
AddressOfEntryPoint	`0x0000000000001017 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x965000`
SizeOfHeaders	`0x400`
Checksum	`0x943b32`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`16d12ec914f2f1959a58a03e938d7247`
SHA1	`777b82a7f7b36088324a5eae7b456f24f15354b0`
SHA256	`21874c204d4aefe541dccd847787d429aaa1abf15d2b7769fde3035926426984`
SHA3	`3998e00568e0970b0ac03a1d6b011cf80ad927891f9066de7438be2aaa8b0cda`
VirtualSize	`0x1fec0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x20000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.35404`

.data

MD5	`989b40aa8ae34c430d9d47863ff6642e`
SHA1	`e8c9b3bcd2084b020093fdafd011210d71bd4929`
SHA256	`bd60b7eaea8fe359682ba6db27cb965caa741d6c2e49565997d85e4e0a5163b0`
SHA3	`a0ddf3d8234f02bc8933b37f776b5164cbde6911525e9846b3adba6d1b99c2ec`
VirtualSize	`0x180`
VirtualAddress	`0x21000`
SizeOfRawData	`0x200`
PointerToRawData	`0x20400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.65591`

.rdata

MD5	`a585dc126a7e57119344195e7c737a56`
SHA1	`a6dbe025be9b1dc9ab7e112134b632d6f340e965`
SHA256	`d4e9eb2985f00fda629a40dfc9907c14b0d92b865ea6e59bb76fb95794bb03c4`
SHA3	`8180c483000b0aa3a78aadee39de06d71db631f4a2677872ca9e5f93fb95df76`
VirtualSize	`0x9118f8`
VirtualAddress	`0x22000`
SizeOfRawData	`0x911a00`
PointerToRawData	`0x20600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99894`

.eh_fram

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x4`
VirtualAddress	`0x934000`
SizeOfRawData	`0x200`
PointerToRawData	`0x932000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.pdata

MD5	`e3b5b816589da541a74de67ce48be388`
SHA1	`c245a306a3b14697669085935b297ea3703a819e`
SHA256	`f6f36b8970f2ece035d02abd2ccbc753c5f82caba832b8475dec2e878ba94cbd`
SHA3	`3635bd3cfadd3f58c90d1e06d7acd7b8f0eb48731a5489193cc371d2c2b18de8`
VirtualSize	`0x978`
VirtualAddress	`0x935000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x932200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.17836`

.xdata

MD5	`a68ff505c5bdfff7290da5fb2c5a477b`
SHA1	`25575f3a726e763392ac3decd4c60aef9a014e66`
SHA256	`80f42c18532426a4bef10582d2f4854b854d9f1ce198743a10d107c492c40d4b`
SHA3	`41dfbd0402609d41bba3877a855b26775ba1fc603fce229d47ec97ac92615cf1`
VirtualSize	`0xb24`
VirtualAddress	`0x936000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x932c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.47581`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x294a0`
VirtualAddress	`0x937000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`0c64f7da2a94fd675794f6aedab81147`
SHA1	`95c720fb84ab8a9435c10c79ead84e3be1c473bb`
SHA256	`50918eca723c1be6817bd107661f209fe2b4d3a732ace189e8feb9a48305beda`
SHA3	`cd021e76f45ec02a3a62068c4ca7f0da69afc1e217e370214499e2758dde4554`
VirtualSize	`0xf84`
VirtualAddress	`0x961000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x933800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.43744`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x962000`
SizeOfRawData	`0x200`
PointerToRawData	`0x934800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`f8f79e2f108b2395cf70dbd1d52efe4b`
SHA1	`b7bcae3cf6d87718ed3ee2f6c909cbb080f78989`
SHA256	`3e558b46d1e9f5007d01e68465b1ceba640053ea77893152cc7fb26c4eb620f7`
SHA3	`9d920b28ebe149e6580b598e0c4ae10993f7137aaffb41cbc94858028dc770ef`
VirtualSize	`0x554`
VirtualAddress	`0x963000`
SizeOfRawData	`0x600`
PointerToRawData	`0x934a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.52784`

.reloc

MD5	`6af9238529d9b32dae21882ffcb3bb70`
SHA1	`97162387d0951c9e90ff22ffe032a84d88439eb2`
SHA256	`8f7a2083ae388bfb3022f55a6f83dd017a9407fc5246ea81aadbd1d7585ade6a`
SHA3	`04ee3f3dc0ba6323425e4e2e5bf02881d731dbf4d98aad9839c829096c7b32d1`
VirtualSize	`0xa0`
VirtualAddress	`0x964000`
SizeOfRawData	`0x200`
PointerToRawData	`0x935000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.0864`

Imports

KERNEL32.dll	`AddDllDirectory` `CloseHandle` `CopyFileW` `CreateDirectoryW` `CreateFileMappingW` `CreateFileW` `CreateProcessW` `DeleteCriticalSection` `DeleteFileW` `EnterCriticalSection` `FormatMessageA` `FreeLibrary` `GenerateConsoleCtrlEvent` `GetCommandLineW` `GetCurrentProcessId` `GetEnvironmentVariableW` `GetExitCodeProcess` `GetFileAttributesW` `GetFileSize` `GetLastError` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleExA` `GetProcAddress` `GetProcessId` `GetShortPathNameW` `GetStartupInfoW` `GetStdHandle` `GetSystemTimeAsFileTime` `GetTempPathW` `InitializeCriticalSection` `IsDBCSLeadByteEx` `K32GetModuleFileNameExW` `LeaveCriticalSection` `LoadLibraryA` `LoadLibraryExW` `MapViewOfFile` `MultiByteToWideChar` `OpenProcess` `QueryPerformanceCounter` `ReadFile` `SetConsoleCtrlHandler` `SetDllDirectoryW` `SetEnvironmentVariableW` `SetUnhandledExceptionFilter` `Sleep` `TerminateProcess` `TlsGetValue` `UnmapViewOfFile` `VirtualProtect` `VirtualQuery` `WaitForSingleObject` `WideCharToMultiByte` `WriteFile`
msvcrt.dll	`__C_specific_handler` `___lc_codepage_func` `___mb_cur_max_func` `__argc` `__iob_func` `__set_app_type` `__setusermatherr` `__wargv` `__wgetmainargs` `__winitenv` `_amsg_exit` `_cexit` `_commode` `_errno` `_fmode` `_initterm` `_lock` `_unlock` `_wcmdln` `_wcsicmp` `_wcsdup` `_wrename` `abort` `atexit` `calloc` `exit` `fprintf` `fputc` `fputwc` `free` `fwprintf` `iswctype` `localeconv` `malloc` `mbstowcs` `memcpy` `memmove` `memset` `puts` `signal` `strerror` `strlen` `strncmp` `vfprintf` `wcschr` `wcscmp` `wcslen` `wcsncmp` `wcstoul`
SHELL32.dll	`CommandLineToArgvW` `SHFileOperationW` `SHGetFolderPathW`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4fc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.27037`
MD5	`4ca7ed0b93a26e63b06e883828f8dc35`
SHA1	`0d31369d919517f6fcafb97dc92c2539b6ccb4ba`
SHA256	`4a6a1dce6b90dcdec54f805a36e6834624b5e33691d5a9c33c1d243c6e5efdc4`
SHA3	`c2f10f57c37bd3f42aae14a0a0a01f9ac16d4d8819c0d8173d3cd098ac49a1ed`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x140962000`
EndAddressOfRawData	`0x140962008`
AddressOfIndex	`0x14095f9b0`
AddressOfCallbacks	`0x1409338d0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140015FE0` `0x0000000140016099`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!

Leave a comment

No comments yet.