Manalyze report for 497bd790973f40b86e04d2ceb3488a0ce073b9dc7ada7bbc96a0da9213775088

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2025-Nov-11 14:48:37

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`15271471 bytes of data starting at offset 0x6d400.` `The overlay data has an entropy of 7.99784 and is possibly compressed or encrypted.` `Overlay data amounts for 97.1532% of the executable.`
Malicious	VirusTotal score: 13/70 (Scanned on 2026-06-10 11:27:31)	`APEX: Malicious` `Arcabit: Trojan.Clyp.14` `BitDefender: Gen:Heur.Clyp.14` `Bkav: W32.Malware.F3FF6D16` `CTX: exe.unknown.clyp` `CrowdStrike: win/malicious_confidence_70% (D)` `Emsisoft: Gen:Heur.Clyp.14 (B)` `GData: Gen:Heur.Clyp.14` `Kaspersky: HEUR:Trojan-Ransom.Python.Agent.gen` `MicroWorld-eScan: Gen:Heur.Clyp.14` `Skyhigh: BehavesLike.Win64.Dropper.vc` `Symantec: ML.Attribute.HighConfidence` `VIPRE: Gen:Heur.Clyp.14`

Hashes

MD5	`4b6b4e2be7e2570b498fe24e7555a0d4`
SHA1	`16094329937f0c6ddf4f438d861d5d25420e31c4`
SHA256	`497bd790973f40b86e04d2ceb3488a0ce073b9dc7ada7bbc96a0da9213775088`
SHA3	`3f3dc937e37cc4b41c211bd89f783de624beba4b904a23611543ed6cc1aa9178`
SSDeep	`393216:CT/GjmFDauMiCTNC07XQtW+tHjd2p6XWthBhbCxjkwO:KujmF/XkotW+NjnghB1CdkwO`
Imports Hash	`351592d5ead6df0859b0cc0056827c95`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2025-Nov-11 14:48:37
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2d200`
SizeOfInitializedData	`0x3fe00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000CF30 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x77000`
SizeOfHeaders	`0x400`
Checksum	`0xf002fc`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`194780c621c11fb10b1193849fdb2d36`
SHA1	`911239ba0be6be0737dbfa5d9f1dc02a2f9279ae`
SHA256	`fed1cb85cacdcbb2699e0500fde5dc40654025145cef01937c96a8a30a6ea489`
SHA3	`0c9a205efdcef4efed4bee0f93e578b9a002124fcb09b81e072069de6302e19e`
VirtualSize	`0x2d1b0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2d200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48387`

.rdata

MD5	`ec89d9982c4531c43054ca9997577216`
SHA1	`d1d807e2701a63f6a71aa9715953a0a62da176be`
SHA256	`8c521d944274c29caeee7c2d06c1f9b4609d9f2da170b9c37c6a6b750cb45acd`
SHA3	`d1bff97e8c5573a51f9695824ee115d0c6e9c91daae0b04a4ca160736a1279c4`
VirtualSize	`0x136da`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x13800`
PointerToRawData	`0x2d600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.75481`

.data

MD5	`03be87f74b83cf5fb04c525b81b27c53`
SHA1	`bde8180499a4b4307432d1cec6c926f7e96277d5`
SHA256	`36a1afad86ec4e5093956932cb7547da78b36977b8dff6ccde474531868cd529`
SHA3	`d68a18f5ff8225438f18063e2b461fe44c82787f1fb6a8217bc80c6819cdea69`
VirtualSize	`0x50b0`
VirtualAddress	`0x43000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x40e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.82565`

.pdata

MD5	`128caf62f437b202260da7396ddd0bf7`
SHA1	`3b0a443bb53e4f88c5464527cc0dc0e357586ae1`
SHA256	`810694d3c32fe16b8a76efee7e94a744a7fa2e1d905cd242b8abf11a926525ea`
SHA3	`05c69a2ed7a118cf448a56ceee922a7b0a0458612c04482f65370702223ce1b0`
VirtualSize	`0x2448`
VirtualAddress	`0x49000`
SizeOfRawData	`0x2600`
PointerToRawData	`0x41c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.32839`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x4c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x44200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`73a0c937ad1f756e0f2baf6836222375`
SHA1	`ea409ecb7a4594353b82641cd0afbd0e0955abba`
SHA256	`84a007e9a903826a05aeddd208fc3fb5a36371a38feae89892b9d65659e76532`
SHA3	`82ae29eaf1f8e4bc8ef98a06a759d09ad83c8fa26d5b1f1e3221911194ab1cef`
VirtualSize	`0x28638`
VirtualAddress	`0x4d000`
SizeOfRawData	`0x28800`
PointerToRawData	`0x44400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.0983`

.reloc

MD5	`ca65027011cd43e1dcb6ac16b46171a4`
SHA1	`afcea9f3a08ffaa197f0a949434d2129d063e8aa`
SHA256	`a003ab9cfcd634df1220f13d4f00203240524043b826bdf32863bc3c2ea1e14d`
SHA3	`4fec2bf198b4f88cfe0deac974ba9d7b740c12453afba0d00dc583baf1633120`
VirtualSize	`0x770`
VirtualAddress	`0x76000`
SizeOfRawData	`0x800`
PointerToRawData	`0x6cc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.27116`

Imports

USER32.dll	`TranslateMessage` `ShutdownBlockReasonCreate` `GetWindowThreadProcessId` `SetWindowLongPtrW` `GetWindowLongPtrW` `MsgWaitForMultipleObjects` `ShowWindow` `DestroyWindow` `CreateWindowExW` `RegisterClassW` `DefWindowProcW` `PeekMessageW` `DispatchMessageW` `GetMessageW`
KERNEL32.dll	`GetTimeZoneInformation` `GetProcessHeap` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCPInfo` `GetOEMCP` `GetACP` `IsValidCodePage` `GetStringTypeW` `GetLastError` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `FormatMessageW` `GetModuleFileNameW` `SetDllDirectoryW` `CreateSymbolicLinkW` `SetErrorMode` `CreateDirectoryW` `GetCommandLineW` `GetEnvironmentVariableW` `ExpandEnvironmentStringsW` `DeleteFileW` `FindClose` `HeapSize` `FindNextFileW` `GetDriveTypeW` `RemoveDirectoryW` `GetTempPathW` `CloseHandle` `QueryPerformanceCounter` `QueryPerformanceFrequency` `WaitForSingleObject` `Sleep` `GetCurrentProcess` `GetCurrentProcessId` `TerminateProcess` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `LocalFree` `SetConsoleCtrlHandler` `GetConsoleWindow` `K32EnumProcessModules` `K32GetModuleFileNameExW` `CreateFileW` `FindFirstFileExW` `GetFinalPathNameByHandleW` `MultiByteToWideChar` `WideCharToMultiByte` `GetFileAttributesExW` `HeapReAlloc` `WriteConsoleW` `SetEndOfFile` `FindFirstFileW` `GetModuleHandleW` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `ReadFile` `GetFullPathNameW` `SetStdHandle` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `GetCurrentDirectoryW` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `InitializeCriticalSectionEx` `VirtualProtect` `CompareStringW` `LCMapStringW` `FlushFileBuffers` `SetEnvironmentVariableW`
ADVAPI32.dll	`ConvertSidToStringSidW` `GetTokenInformation` `OpenProcessToken` `ConvertStringSecurityDescriptorToSecurityDescriptorW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.64014`
MD5	`6eba408b7a9b50c7d8cc4c37df3f40dc`
SHA1	`68298c782b2bb93ee72b25f6ce30bc8539539179`
SHA256	`f98a7ada2b726b79ebf86244c861dfa40f86c501a764ced701e2b22ae462568d`
SHA3	`51c0c086781a368344bbf179df9b1f340d8316102e537f8e07df2d29c1246e58`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.24561`
MD5	`76c9d8d1d1a3666fad5e136a5735d61c`
SHA1	`502a81d260bd0e9a281695d73d33fcc801499ffb`
SHA256	`23dcc25d435fae30b1d0dfd4d56af323dc702e428202185bd2b53707b357b382`
SHA3	`6f9c9edbdd84854aea281125d60ef8eb061d78ed658cab8f18a79e3a78fece14`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.83975`
MD5	`c54b98159bed4d5800a3f74f36569768`
SHA1	`bc728ae716da6e9bce49a4b20a3bb856772866f2`
SHA256	`e9c004b1555a09d721d6fb82009b053814811cd651083bbb46cbead7c14cff03`
SHA3	`5e358b5457f7fcc27a9c94249e0274597061c4594e3bfafef6c59ca60380e35d`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.31172`
MD5	`58947a381cf083174c1ce205be2e6543`
SHA1	`a58e6a0aacf54f10bfea049ef8c76ddb5c3600ca`
SHA256	`fdb21d2f9b388ce08155607bc30e10b926ca1393b9e04c648acb7f20787328ff`
SHA3	`4f99aaed44560c16c481b6a016a1c5b1782a96369bb5cfbb8737f947d3359858`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.11607`
MD5	`b93878b16a3a5f081d1e80cf2b0ccaac`
SHA1	`8d0bd598b53b3f65cb13d53a6eb8ba1d7af88b94`
SHA256	`a7a53fe86fe196905210471f0b6e7b2f5201741ec9b78bcd4c93c65a59ad5521`
SHA3	`3b98639c9b610116438c692f2818983414f1588e45c603d664d7a4b929469cd0`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5488`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.99559`
MD5	`fe0da8ad5b2b270e085313a3d7f69489`
SHA1	`9ef145ce0388d149eadc765680e90c58619cdff6`
SHA256	`b37a69561504e6258860a2a1b75b99c21cf4849e582d679a5b5149981f22bfd5`
SHA3	`5e2fe351127837b7c2c4dfe77e8670596686f67bd805cf2b8e37fc5777228aff`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.75621`
MD5	`9888afa945596d2920e5ce79a8c68c26`
SHA1	`b038c03b9610efdb71b3fda0d2d5620c01d1f94a`
SHA256	`fc0bc8f422509147336a29a79d3ea276dbe5b9f8578238d1add3be46de96feeb`
SHA3	`194f93b83929618ff641817abba6ed21b6f3a7275eb45d81dac7017619e3b9d7`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.58278`
MD5	`132d6c6ca5f1343cf784348cbf1c1ee4`
SHA1	`1690f2fcb682ff758d541e57906c826c8260274b`
SHA256	`90c1875cbaac08a98f207f981ba7366189e910751ded194b57a266c8d33a758c`
SHA3	`3e606babf41ed90e46854e5cd154f179bb0d6887a905170f513631472339633c`

9

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x67b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.90349`
Detected Filetype	PNG graphic file
MD5	`cf6e304d3cf7e73e6bd9e199d540140a`
SHA1	`630157472520b5bddedfadb841a929d3d9f31587`
SHA256	`606d2d6fd6f6f6464f092a47009a1c0712dc795549537e7fcb2cec2632516877`
SHA3	`6f046d2316f51f4df1a5a8f8299bd3b1719b55b6a3c340e619c9c2f2b6d2fefa`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.0195`
Detected Filetype	Icon file
MD5	`e9cd62c9ac004e4302dee679a2841697`
SHA1	`9b2aac9b6a50faf91450b506a77737e3f6b35e2c`
SHA256	`fe1b8f4a4c9358c66a95021404a664d73b2ab1f5762d722b6c09df13359481b6`
SHA3	`167fc1253bcfeb4c824287e911dcf17c17186125bd68c7deccdb792b534b34d2`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Nov-11 14:48:37
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x3eef8`
PointerToRawData	`0x3d4f8`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140043040`
GuardCFCheckFunctionPointer	`5368902680`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x7dd15a43`
Unmarked objects	`0`
C++ objects (33140)	`182`
C objects (33140)	`12`
ASM objects (33140)	`10`
253 (35207)	`3`
ASM objects (35207)	`9`
C objects (35207)	`17`
C++ objects (35207)	`40`
Imports (33140)	`7`
Total imports	`141`
C objects (35215)	`27`
Linker (35215)	`1`

Errors

Leave a comment

No comments yet.