Manalyze report for 4e154314e60c6b717ad777c67fead2dc9cf6a9965cd0dfee18adaa5f3dd17068

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Jul-20 15:22:22
Detected languages	English - United States
Debug artifacts	C:\Users\user\Desktop\patches\ExitLag\x64\Release\ExitLoader.pdb

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities: OpenProcess VirtualAllocEx CreateRemoteThread WriteProcessMemory` `Possibly launches other programs: CreateProcessW ShellExecuteW` `Functions related to the privilege level: OpenProcessToken` `Manipulates other processes: Process32Next OpenProcess WriteProcessMemory Process32First`
Malicious	VirusTotal score: 50/72 (Scanned on 2026-03-09 11:29:05)	`ALYac: Adware.GenericKD.61029450` `APEX: Malicious` `AVG: Win64:MalwareX-gen [Misc]` `AhnLab-V3: Trojan/Win.Generic.C5675809` `Alibaba: RiskWare:Win32/MalwareX.e6bdb232` `Antiy-AVL: Trojan/Win32.Wacatac` `Arcabit: Adware.Generic.D3A33C4A` `Avast: Win64:MalwareX-gen [Misc]` `BitDefender: Adware.GenericKD.61029450` `Bkav: W32.Common.68F3EB34` `CAT-QuickHeal: Trojan.Ghanarava.17351417820703f7` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_90% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win32/RiskWare.GameHack.GL application` `Elastic: malicious (high confidence)` `Emsisoft: Adware.GenericKD.61029450 (B)` `Fortinet: PossibleThreat.PALLAS.H` `GData: Adware.GenericKD.61029450` `Google: Detected` `Gridinsoft: Trojan.Win64.Wacatac.cl` `Ikarus: Trojan-Dropper.Win64.Agent` `K7AntiVirus: Riskware ( 00584baa1 )` `K7GW: Riskware ( 00584baa1 )` `Lionic: Trojan.Win32.GameHack.4!c` `Malwarebytes: Malware.AI.205370312` `MaxSecure: Trojan.Malware.281275190.susgen` `McAfeeD: ti!4E154314E60C` `MicroWorld-eScan: Adware.GenericKD.61029450` `Microsoft: Adware:Win32/Agent` `Paloalto: generic.ml` `Panda: Trj/Chgt.AD` `Rising: Hacktool.GameHack!8.59E (CLOUD)` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Dropper.dh` `Sophos: Generic Reputation PUA (PUA)` `Symantec: ML.Attribute.HighConfidence` `Tencent: Malware.Win32.Gencirc.14621066` `Trapmine: malicious.high.ml.score` `TrellixENS: Artemis!2F223E6DCDD1` `TrendMicro: TROJ_FRS.VSNTI524` `TrendMicro-HouseCall: TROJ_FRS.VSNTI524` `VIPRE: Adware.GenericKD.61029450` `Varist: W64/ABTrojan.SCHY-5056` `ViRobot: Trojan.Win.Z.Mikey.269312` `Webroot: Win.Trojan.Gen` `Zillya: Tool.GameHack.Win32.27874`

Hashes

MD5	`2f223e6dcdd155ecdc91630d2a0703f7`
SHA1	`3e631b0c3c2d5440abb266f9ba063b3e05adceb6`
SHA256	`4e154314e60c6b717ad777c67fead2dc9cf6a9965cd0dfee18adaa5f3dd17068`
SHA3	`77f92978cedc309b288431bde0e74d51880355987ece71e4f1433434642cf9d1`
SSDeep	`6144:ZC212AVc8pA27dryrvlVuk0mY8gZ8waH:k2148pA2dryrqk5bO8w`
Imports Hash	`115d8650fad19c4e59d8440b8dabeafe`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x110`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2024-Jul-20 15:22:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2c200`
SizeOfInitializedData	`0x16e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000009BE8 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x47000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`de6b95d8c9d7805b2d6c6f6a1e3f6281`
SHA1	`623047577c8cf0eb64e48792ae8a476240369348`
SHA256	`fc9b85e82fdc831f167e8a41a239c9aa86847650ebfe6d3741685d384542cdaf`
SHA3	`361558f0a324f404d3d838c2362156597208ede741dd5dbf4133dcff82c6f79c`
VirtualSize	`0x2c200`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2c200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.47424`

.rdata

MD5	`57001f073fc815158b247a44a639d3fe`
SHA1	`0cc6cd32d25412fbc1b6156bb9a165c83ef6e01a`
SHA256	`e784c2e3f46654f7952c3a8ee4a268a4735ac10732726bea5c100c4d83030350`
SHA3	`882991cd9f8b7f372a40fce320f554a9ffa8df59e878f156e6f2716b98d92a99`
VirtualSize	`0x10c82`
VirtualAddress	`0x2e000`
SizeOfRawData	`0x10e00`
PointerToRawData	`0x2c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.87863`

.data

MD5	`91193b32d6197f9c867c55bb8031149c`
SHA1	`d1b45c0b3f65de0ed785532c7dbd1ba97f8d53bd`
SHA256	`f6ed8ce122353e8abdb1b63d1b5c6fe386305dadd62852fff32d04255c26cb22`
SHA3	`eaa938f8206e944e33f19a35cec1bcaea1197617ae6f788f7ffb34b6b2d167aa`
VirtualSize	`0x2bc0`
VirtualAddress	`0x3f000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x3d400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.94608`

.pdata

MD5	`f86b5f76786d4eff947706c8812b1087`
SHA1	`adda42829567cd9b8ef10354af7749026cc71481`
SHA256	`0931c583034cc3e469f20cf2c889f6e09644f795d943274edaca9a818eb11f70`
SHA3	`af600711f5bc24eb4fdbdbd8c20db3525a4858488c8655b2bed6a1d6e41b090c`
VirtualSize	`0x2724`
VirtualAddress	`0x42000`
SizeOfRawData	`0x2800`
PointerToRawData	`0x3e800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.35947`

.rsrc

MD5	`e9766094845606e834393c31bb811486`
SHA1	`fefd797dfa27b5766c240a4071e5e9866e0e79cc`
SHA256	`2f414463f64f87405302cba6f5a0faae43e08ee4142afef91eba26e364cb3abe`
SHA3	`e08346c9d98d543dc8d4f5921b984355fa9de5a0c726199110e8c5f0ae533fc7`
VirtualSize	`0x1e0`
VirtualAddress	`0x45000`
SizeOfRawData	`0x200`
PointerToRawData	`0x41000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.70839`

.reloc

MD5	`39f2fb9a8c8fdb77e1f6e6b506eea255`
SHA1	`b8211732d6c4c1e6712c4fdb04beecc720907b54`
SHA256	`789a68087d2977876a5cb927d28ee2da069d59c905d49af5975646dbf90afa13`
SHA3	`676771886745b221d9a3822f57531724f7e73674e1a66f96c3c7411cfd13c15a`
VirtualSize	`0x994`
VirtualAddress	`0x46000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x41200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.36288`

Imports

KERNEL32.dll	`CreateToolhelp32Snapshot` `Sleep` `LoadLibraryA` `Process32Next` `OpenProcess` `VirtualAllocEx` `CreateRemoteThread` `VirtualFreeEx` `SetEndOfFile` `GetCurrentProcess` `GetFullPathNameA` `WriteProcessMemory` `CloseHandle` `Process32First` `WriteConsoleW` `HeapSize` `GetProcessHeap` `SetStdHandle` `SetEnvironmentVariableW` `LocalFree` `FormatMessageA` `GetLocaleInfoEx` `CreateDirectoryW` `CreateFileW` `FindClose` `FindFirstFileW` `FindFirstFileExW` `FindNextFileW` `GetFileAttributesExW` `AreFileApisANSI` `GetLastError` `GetModuleHandleW` `GetProcAddress` `GetFileInformationByHandleEx` `MultiByteToWideChar` `WideCharToMultiByte` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `DeleteCriticalSection` `EncodePointer` `DecodePointer` `LCMapStringEx` `GetStringTypeW` `GetCPInfo` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `RtlUnwindEx` `RtlPcToFileHeader` `RaiseException` `SetLastError` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `GetFileSizeEx` `SetFilePointerEx` `GetFileType` `HeapAlloc` `HeapFree` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `FlushFileBuffers` `GetConsoleOutputCP` `GetConsoleMode` `WaitForSingleObject` `GetExitCodeProcess` `CreateProcessW` `ReadFile` `ReadConsoleW` `HeapReAlloc` `IsValidCodePage` `GetACP` `GetOEMCP` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `RtlUnwind`
COMDLG32.dll	`GetOpenFileNameA`
ADVAPI32.dll	`GetTokenInformation` `OpenProcessToken`
SHELL32.dll	`SHGetKnownFolderPath` `ShellExecuteW`
ole32.dll	`CoTaskMemFree`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-Jul-20 15:22:22
Version	`0.0`
SizeofData	`89`
AddressOfRawData	`0x3aae4`
PointerToRawData	`0x390e4`
Referenced File	C:\Users\user\Desktop\patches\ExitLag\x64\Release\ExitLoader.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2024-Jul-20 15:22:22
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x3ab40`
PointerToRawData	`0x39140`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Jul-20 15:22:22
Version	`0.0`
SizeofData	`900`
AddressOfRawData	`0x3ab54`
PointerToRawData	`0x39154`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2024-Jul-20 15:22:22
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003f080`

RICH Header

XOR Key	`0x1801c60e`
Unmarked objects	`0`
ASM objects (30795)	`6`
C++ objects (30795)	`185`
C objects (30795)	`16`
ASM objects (33731)	`10`
C objects (33731)	`17`
C++ objects (33731)	`82`
C objects (CVTCIL) (30795)	`1`
Imports (30795)	`11`
Total imports	`139`
C++ objects (LTCG) (33812)	`1`
Resource objects (33812)	`1`
Linker (33812)	`1`

Errors

Leave a comment

No comments yet.