3662bc067ce173539d9015d3b872d549

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2026-Feb-09 16:34:14
TLS Callbacks 1 callback(s) detected.

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools:
  • schtask
Accesses the WMI:
  • root\WMI
  • root\cimv2
  • root\subscription
Miscellaneous malware strings:
  • cmd.exe
Contains domain names:
  • .roblox.com
  • api.ipify.org
  • api.telegram.org
  • http://schemas.microsoft.com
  • http://schemas.microsoft.com/windows/2004/02/mit/task'
  • https://api.ipify.org
  • https://api.telegram.org
  • https://api.telegram.org/bot
  • ipify.org
  • microsoft.com
  • roblox.com
  • schemas.microsoft.com
  • telegram.org
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
  • NtQuerySystemInformation
  • NtQueryInformationProcess
Can access the registry:
  • RegCloseKey
  • RegOpenKeyExW
  • RegQueryValueExW
Possibly launches other programs:
  • CreateProcessW
Uses the Windows Native API:
  • NtReadFile
  • NtOpenFile
  • NtCreateNamedPipeFile
  • NtQuerySystemInformation
  • NtWriteFile
  • NtQueryInformationProcess
  • NtCancelIoFileEx
  • NtDeviceIoControlFile
  • NtCreateFile
Uses Microsoft's cryptographic API:
  • CryptUnprotectData
Can create temporary files:
  • CreateFileW
  • GetTempPathW
  • CreateFileA
  • GetTempPathA
Leverages the raw socket API to access the Internet:
  • setsockopt
  • getsockname
  • getpeername
  • send
  • recv
  • WSASocketW
  • shutdown
  • WSAStartup
  • WSACleanup
  • WSAGetLastError
  • WSAIoctl
  • getsockopt
  • bind
  • ioctlsocket
  • closesocket
  • connect
  • freeaddrinfo
  • WSASend
  • getaddrinfo
Functions related to the privilege level:
  • OpenProcessToken
  • LsaEnumerateLogonSessions
Enumerates local disk drives:
  • GetDriveTypeW
  • GetVolumeInformationW
Manipulates other processes:
  • OpenProcess
  • ReadProcessMemory
Interacts with the certificate store:
  • CertOpenStore
  • CertAddCertificateContextToStore
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 3662bc067ce173539d9015d3b872d549
SHA1 d200964b4761e329d97d041168e8009ab1ab9ee3
SHA256 930a28d184c776f8c3d15d0021cbe983a2883330303486f0d257f4062090518b
SHA3 f6aa6e9ceb17b0d62ff4287025f6badc026763110da40b6242cc845b020c51bc
SSDeep 49152:Ek1rjhxgRyiaOrkjDxpxsOFn+s2VaoZ5xFRKlaSKsi6Tkx4dxQbxF6P9XwQgfMm:Zca1BnsOdWRPPhDyHQgr2Ijf3p
Imports Hash 3ae8878ad949672d0625052c25537e1d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 5
TimeDateStamp 2026-Feb-09 16:34:14
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x77cc00
SizeOfInitializedData 0x224c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000077D098 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x9a5000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 1ab1a7a891225643313090f9ed3d8fc7
SHA1 e20066eca0f7f0b4847b61af2776b05ea99a82a7
SHA256 0a18f651bb4afe1ff47c64823361fe683a1169fac1ec2f9f0cfcdba0f2cf4f35
SHA3 387b6f2e35b92a651174974915242aed40f7dccf954cbb95ef810ae33c4536c3
VirtualSize 0x77caec
VirtualAddress 0x1000
SizeOfRawData 0x77cc00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.57902

.rdata

MD5 02348f9d255c9f838e0a3b16ff95b194
SHA1 3e86fec7f095608477ccb8d4d6a690d3168361c3
SHA256 c03866bc2d7a66e80f5147e5173660b056ccb0e21d579b1951046a139efd85aa
SHA3 e854b8ecd4ec85bd5051a8dd687dca9666dcf7f85a257d6b4d866dc4b396d46f
VirtualSize 0x19b720
VirtualAddress 0x77e000
SizeOfRawData 0x19b800
PointerToRawData 0x77d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.1573

.data

MD5 132e7a29d8543f21e801afb4c24288a2
SHA1 540ad6c7e930d609a31d02bdca77de10127329b8
SHA256 49039729e757b8ca0d495379815aae6aabac5f773a63e8ef88dd2a45111ee665
SHA3 63cafa2427c8574ee483f4319fd3a8471699da6075f717b1408c71dec0867674
VirtualSize 0x1b020
VirtualAddress 0x91a000
SizeOfRawData 0x1aa00
PointerToRawData 0x918800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.94287

.pdata

MD5 fb34232f3ace6247b6dfe8a2724231b5
SHA1 caeafa9f4c5ea19135a8a6be0542f6b72cd69dc4
SHA256 8e7760d6f2cdf008c68a7292add7e2dfa0ec55bdbc16b77be9a8c52ce637d4c7
SHA3 5e86f4e0bd16dddfcac84c423272941b29796813b590b0002e0ccaf8215c6118
VirtualSize 0x61e78
VirtualAddress 0x936000
SizeOfRawData 0x62000
PointerToRawData 0x933200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.42173

.reloc

MD5 31deb4e5357b26237727f880cec0091f
SHA1 e2cea1c23aaa1809392a587410411de67ca5f2f8
SHA256 54669f3363459f403ebfe151d517e508a83bc339bc961809066d7211fa15cc23
SHA3 5d3722864fc1c8a8c919899e437c4ed956e552b5e966b77509187ba74ee8f648
VirtualSize 0xc080
VirtualAddress 0x998000
SizeOfRawData 0xc200
PointerToRawData 0x995200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.46874

Imports

crypt32.dll CertEnumCertificatesInStore
CertGetCertificateChain
CertCloseStore
CertFreeCertificateContext
CertOpenStore
CertAddCertificateContextToStore
CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertDuplicateStore
CertDuplicateCertificateContext
CryptUnprotectData
CertDuplicateCertificateChain
kernel32.dll CopyFileExW
DeviceIoControl
GetModuleHandleA
WriteFileEx
ReadFileEx
GetSystemTimePreciseAsFileTime
GetSystemInfo
GetSystemDirectoryW
GetWindowsDirectoryW
GetFileAttributesW
SetFilePointerEx
FindNextFileW
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
DuplicateHandle
FlushFileBuffers
UnlockFile
VirtualQueryEx
LockFileEx
GetFileInformationByHandleEx
SetFileInformationByHandle
GetTickCount64
GlobalMemoryStatusEx
CreateFileW
FindClose
FindFirstFileExW
GetLogicalDrives
GetFinalPathNameByHandleW
GetFullPathNameW
CreateDirectoryW
HeapFree
HeapAlloc
HeapReAlloc
GetProcessHeap
WriteConsoleW
GetConsoleOutputCP
GetConsoleMode
GetStdHandle
LoadLibraryA
SetLastError
GetLastError
SetHandleInformation
GetProcAddress
GetModuleHandleW
GetCurrentThreadId
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
DeleteFileW
WaitForSingleObjectEx
GetCurrentProcessId
CreateMutexA
ReleaseMutex
GetCurrentProcess
lstrlenW
WideCharToMultiByte
WaitForSingleObject
MultiByteToWideChar
GetEnvironmentVariableW
CreateEventW
FormatMessageW
AddVectoredExceptionHandler
SetThreadStackGuarantee
GetCurrentThread
GetCommandLineW
GetEnvironmentStringsW
GetFileInformationByHandle
SwitchToThread
QueryPerformanceFrequency
CreateThread
CompareStringOrdinal
SleepEx
QueryPerformanceCounter
CreateWaitableTimerExW
SetWaitableTimer
Sleep
ExitProcess
GetExitCodeProcess
WaitForMultipleObjects
CreateProcessW
FreeEnvironmentStringsW
OpenProcess
CreateIoCompletionPort
ReadProcessMemory
SetFileCompletionNotificationModes
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
GetQueuedCompletionStatusEx
InitializeSListHead
SetUnhandledExceptionFilter
ReadFile
PostQueuedCompletionStatus
WriteFile
GetOverlappedResult
GetModuleFileNameW
DeleteCriticalSection
CloseHandle
TryEnterCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
AreFileApisANSI
HeapCreate
GetCurrentDirectoryW
GetTempPathW
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
SetFilePointer
GetFullPathNameA
SetEndOfFile
UnlockFileEx
CreateMutexW
UnmapViewOfFile
GetComputerNameExW
LocalFree
CancelIo
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
GetSystemTimeAsFileTime
FreeLibrary
SystemTimeToFileTime
GetFileSize
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
advapi32.dll RegCloseKey
IsValidSid
CopySid
LookupAccountSidW
GetTokenInformation
RegOpenKeyExW
RegQueryValueExW
OpenProcessToken
GetLengthSid
ntdll.dll NtReadFile
NtOpenFile
NtCreateNamedPipeFile
NtQuerySystemInformation
RtlGetVersion
NtWriteFile
NtQueryInformationProcess
NtCancelIoFileEx
RtlNtStatusToDosError
NtDeviceIoControlFile
NtCreateFile
ws2_32.dll setsockopt
getsockname
getpeername
send
recv
WSASocketW
shutdown
WSAStartup
WSACleanup
WSAGetLastError
WSAIoctl
getsockopt
bind
ioctlsocket
closesocket
connect
freeaddrinfo
WSASend
getaddrinfo
secur32.dll LsaFreeReturnBuffer
LsaGetLogonSessionData
LsaEnumerateLogonSessions
AcquireCredentialsHandleA
DeleteSecurityContext
FreeCredentialsHandle
EncryptMessage
InitializeSecurityContextW
AcceptSecurityContext
QueryContextAttributesW
ApplyControlToken
FreeContextBuffer
DecryptMessage
bcryptprimitives.dll ProcessPrng
oleaut32.dll VariantClear
SysAllocString
SysFreeString
api-ms-win-core-synch-l1-2-0.dll WaitOnAddress
WakeByAddressSingle
WakeByAddressAll
user32.dll MessageBoxA
psapi.dll GetPerformanceInfo
GetModuleFileNameExW
shell32.dll CommandLineToArgvW
netapi32.dll NetUserGetLocalGroups
NetUserGetInfo
NetUserEnum
NetApiBufferFree
pdh.dll PdhRemoveCounter
PdhCloseQuery
PdhAddEnglishCounterW
PdhOpenQueryA
PdhCollectQueryData
PdhGetFormattedCounterValue
ole32.dll CoSetProxyBlanket
CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoCreateInstance
powrprof.dll CallNtPowerInformation
iphlpapi.dll GetIfEntry2
FreeMibTable
GetIfTable2
GetAdaptersAddresses
VCRUNTIME140.dll __current_exception
__C_specific_handler
strrchr
__current_exception_context
memcmp
memcpy
__CxxFrameHandler3
memset
memmove
api-ms-win-crt-string-l1-1-0.dll strncmp
strcmp
strcspn
strlen
wcslen
api-ms-win-crt-heap-l1-1-0.dll _set_new_mode
calloc
_msize
free
malloc
realloc
api-ms-win-crt-utility-l1-1-0.dll _byteswap_uint64
qsort_s
qsort
_rotl64
_byteswap_ulong
api-ms-win-crt-stdio-l1-1-0.dll fflush
__p__commode
_set_fmode
__stdio_common_vfprintf
__acrt_iob_func
api-ms-win-crt-time-l1-1-0.dll clock
_localtime64_s
api-ms-win-crt-runtime-l1-1-0.dll _c_exit
terminate
_register_thread_local_exe_atexit_callback
_wassert
_beginthreadex
_endthreadex
_seh_filter_exe
_set_app_type
_crt_atexit
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
_initterm_e
exit
_exit
__p___argc
__p___argv
_register_onexit_function
_initialize_onexit_table
_cexit
api-ms-win-crt-math-l1-1-0.dll _dclass
log
__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2026-Feb-09 16:34:14
Version 0.0
SizeofData 792
AddressOfRawData 0x8cf1d0
PointerToRawData 0x8ce1d0

TLS Callbacks

StartAddressOfRawData 0x1408cf508
EndAddressOfRawData 0x1408cf650
AddressOfIndex 0x140934f90
AddressOfCallbacks 0x14077ea70
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_8BYTES
Callbacks 0x00000001404998E0

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140934840

RICH Header

XOR Key 0x2b156a41
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 16
Imports (35403) 2
ASM objects (35403) 4
C objects (35403) 10
C++ objects (35403) 24
Imports (30151) 19
C objects (35723) 41
Total imports 376
Unmarked objects (#2) 38
Linker (35723) 1

Errors