9641dd61967ff63f4c03b525693df3cb060a91ace3b8446aa31742a7297c282c

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2026-Apr-19 12:40:11
Detected languages English - United States

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: Tries to detect virtualized environments:
  • HARDWARE\DESCRIPTION\System
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Contains another PE executable:
  • This program cannot be run in DOS mode.
Contains domain names:
  • 2010-aia.verisign.com
  • 2010-crl.verisign.com
  • aia.verisign.com
  • aia.ws.symantec.com
  • crl.microsoft.com
  • crl.thawte.com
  • crl.verisign.com
  • crl.ws.symantec.com
  • csc3-2010-aia.verisign.com
  • csc3-2010-crl.verisign.com
  • google.com
  • http://crl.microsoft.com
  • http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
  • http://crl.thawte.com
  • http://crl.thawte.com/ThawteTimestampingCA.crl0
  • http://crl.verisign.com
  • http://crl.verisign.com/pca3-g5.crl04
  • http://csc3-2010-aia.verisign.com
  • http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
  • http://csc3-2010-crl.verisign.com
  • http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
  • http://logo.verisign.com
  • http://logo.verisign.com/vslogo.gif04
  • http://ocsp.thawte.com0
  • http://ocsp.verisign.com0
  • http://scripts.sil.org
  • http://scripts.sil.org/OFL
  • http://scripts.sil.org/OFLhttp
  • http://ts-aia.ws.symantec.com
  • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
  • http://ts-crl.ws.symantec.com
  • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
  • http://ts-ocsp.ws.symantec.com07
  • http://www.google.com
  • http://www.google.com/fontshttp
  • http://www.hubertfischer.comThis
  • https://www.verisign.com
  • https://www.verisign.com/cps0
  • https://www.verisign.com/rpa
  • https://www.verisign.com/rpa0
  • logo.verisign.com
  • microsoft.com
  • scripts.sil.org
  • symantec.com
  • thawte.com
  • ts-aia.ws.symantec.com
  • ts-crl.ws.symantec.com
  • verisign.com
  • ws.symantec.com
  • www.google.com
  • www.verisign.com
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to CRC32
  • Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • NtQuerySystemInformation
Can access the registry:
  • RegCloseKey
  • RegEnumKeyExA
  • RegQueryValueExA
  • RegSetValueExA
  • RegOpenKeyExA
Possibly launches other programs:
  • system
Can create temporary files:
  • CreateFileW
  • GetTempPathA
Has Internet access capabilities:
  • URLDownloadToFileA
Interacts with services:
  • EnumServicesStatusA
  • CreateServiceA
  • QueryServiceConfigA
  • OpenSCManagerA
  • DeleteService
  • ControlService
  • OpenServiceA
Reads the contents of the clipboard:
  • GetClipboardData
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 bf50ac70f7b4544f5a18ea55b04e02a4
SHA1 6a7f376a844d33eecef313fb4f5e4f5706d75812
SHA256 9641dd61967ff63f4c03b525693df3cb060a91ace3b8446aa31742a7297c282c
SHA3 2140f18b59ac6f605929871241ae4081b1fc10fcc111d8c9f4c7a5d8bb5f0a4e
SSDeep 24576:+69pzSnMF09AspQ+QkYafIRvnJ7k/j9CtWBlsSuGKFzFTSpkPb6n:ytp7QzafmnBkgWBeFTFOn
Imports Hash 7b44c77d297eedf9ff17092f75e546d1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2026-Apr-19 12:40:11
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x100400
SizeOfInitializedData 0x5da00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000000FEA40 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x162000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 3a7e8999a8886d49716a139bfb2d95c4
SHA1 22ebabb45847e9c2206ef2e73d7303ece94b209b
SHA256 055b39c2d3cd650d76390994dbb4f06a20a408fbf81163440e4277ee286638ea
SHA3 c544152d4c5f8572a42cadfa62c7c64c066e917ac1c7ac3b83d7d2a7b4a791e7
VirtualSize 0x1002e8
VirtualAddress 0x1000
SizeOfRawData 0x100400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.63248

.rdata

MD5 56ee53cb0cd27941caf91a801bc02919
SHA1 88004f309f9dfa48e8c942a5933812abe21a4012
SHA256 85b0abc66346378cfd0899343935773b9b3075a41fe89a0dc51f6c2559b31e6e
SHA3 225bc82d4f1a067ab6ffa58a28436934a5c608025da16bfe39f425c078f8c2e2
VirtualSize 0x59cf0
VirtualAddress 0x102000
SizeOfRawData 0x59e00
PointerToRawData 0x100800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.74645

.data

MD5 1265c44b70665ad68a207bdff545b704
SHA1 cc6d20ec0be83f52ca3d51c1d438687d6386b2d3
SHA256 e16a059103a69d2c4e1155cf1f46bd89267db85c2f2223db31de066ba2a942de
SHA3 94934ee37f73227c3523d095ceee20a12763acda2da80b8509c090cfda3ff114
VirtualSize 0xfc8
VirtualAddress 0x15c000
SizeOfRawData 0x800
PointerToRawData 0x15a600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.66972

.pdata

MD5 f9d3cc80931f98eef08f5ff46efd1bce
SHA1 f38db8960d3ed391e6f4b28149f0dd9655609566
SHA256 14024e98f947eabb4821ef220dec60b6efb56ce742038b054a7a0b047d31675b
SHA3 ea14727c998a1369987bf7ef62b64e2c2766cd0b908d847a27bdcc997f03902b
VirtualSize 0x2724
VirtualAddress 0x15d000
SizeOfRawData 0x2800
PointerToRawData 0x15ae00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.78811

.rsrc

MD5 3018f6d08e67be04b39557f53a033aa1
SHA1 282769409f6cdb657adb312c880e727953108a09
SHA256 ff6bd031307067990ee9d46d1e8018c403ff4467c7b3c6aeea96e6cef6a3d1e0
SHA3 bd2d14be6e70e95331945a73e22c4b5293034c8448f5a43a16b8db7979d4154d
VirtualSize 0x1e0
VirtualAddress 0x160000
SizeOfRawData 0x200
PointerToRawData 0x15d600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.7015

.reloc

MD5 d5eb7ed98cab661014ac1b2e9b4aaa47
SHA1 fa71ff4406dcb5ffdd5d6b5672c9e4c2442b8196
SHA256 1c97f245573987d071a544a7c570b10c24a38c77b7b8cf97729813584f8cd566
SHA3 81104538ac80167dab54711e9d7f00f7f2e11159e69ba3f30e303b5595186c86
VirtualSize 0x188
VirtualAddress 0x161000
SizeOfRawData 0x200
PointerToRawData 0x15d800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.24962
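
Every value in the DOS Header, PE Header, Image Optional Header and section blocks above is a fixed-offset struct read, and the "Section: .text" annotation on AddressOfEntryPoint is just an RVA-to-section lookup. The following stdlib-only Python is an added example, not code from the tool that produced this report: it parses a PE32+ image, reproduces those fields, and runs the structural checks worth doing before trusting them (entry point inside an executable section, no section both writable and executable, no section whose entropy approaches 8 bits/byte). build_sample() fabricates a file whose headers and section table copy the report's values (e_lfanew 0x100, AMD64, entry 0xFEA40, ImageBase 0x140000000, the six sections' RVAs, sizes and flags); the section payloads are made up so the example runs offline, so the entropies it computes belong to those synthetic bytes, not to the real file.

```python
# Added example, not part of the report: stdlib-only PE32+ parser with a few structural checks.
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DLL_FLAGS = {0x20: "HIGH_ENTROPY_VA", 0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
TIMESTAMP = 1776602411  # 2026-Apr-19 12:40:11 UTC, the TimeDateStamp in the report

# Constructed section table: (name, VirtualSize, VirtualAddress, Characteristics, raw payload).
# RVAs, sizes and flags copy the report; the payloads are made up so their entropy is predictable.
SECTIONS = [
    (b".text",  0x1002E8, 0x001000, 0x60000020, bytes(range(64)) * 16),        # 6.0 bits/byte
    (b".rdata", 0x059CF0, 0x102000, 0x40000040, b"ABCD" * 128),                # 2.0
    (b".data",  0x000FC8, 0x15C000, 0xC0000040, bytes(512)),                   # 0.0
    (b".pdata", 0x002724, 0x15D000, 0x40000040, bytes(range(128)) * 4),        # 7.0
    (b".rsrc",  0x0001E0, 0x160000, 0x40000040, bytes(256) + b"\xff" * 256),   # 1.0
    (b".reloc", 0x000188, 0x161000, 0x42000040, bytes(range(0, 256, 2)) * 4),  # 7.0
]


def build_sample() -> bytes:
    """Assemble a synthetic PE32+ file whose headers copy the report's values."""
    hdr = bytearray(0x400)                    # SizeOfHeaders
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x100)  # e_lfanew
    struct.pack_into("<4sHHIIIHH", hdr, 0x100, b"PE\0\0", 0x8664, len(SECTIONS), TIMESTAMP,
                     0, 0, 0xF0, 0x0022)      # AMD64; EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x100400, 0x5DA00, 0, 0xFEA40, 0x1000, 0x140000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x162000, 0x400, 0, 2, 0x8160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)  # 16 empty data dirs
    hdr[0x118:0x118 + len(opt)] = opt         # optional header follows the 20-byte COFF header
    body, ptr = bytearray(), 0x400
    for i, (name, vsize, va, flags, payload) in enumerate(SECTIONS):
        raw = payload.ljust(-(-len(payload) // 0x200) * 0x200, b"\0")  # pad to FileAlignment
        struct.pack_into("<8sIIIIIIHHI", hdr, 0x208 + 40 * i,
                         name, vsize, va, len(raw), ptr, 0, 0, 0, 0, flags)
        body += raw
        ptr += len(raw)
    return bytes(hdr + body)


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (Magic 0x20b) is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):                     # section table starts right after the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": flags,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 5)})
    return {"e_lfanew": e_lfanew, "machine": machine, "timestamp": tstamp, "entry": entry,
            "image_base": image_base, "subsystem": subsystem, "sections": sections,
            "dll_characteristics": [n for bit, n in DLL_FLAGS.items() if dllchars & bit]}


def compile_time(info: dict) -> str:
    """TimeDateStamp rendered like the report (UTC); it is linker-written and trivially forgeable."""
    return datetime.fromtimestamp(info["timestamp"], timezone.utc).strftime("%Y-%b-%d %H:%M:%S")


def section_for_rva(info: dict, rva: int):
    """Section containing an RVA (what the report prints as 'Section: .text'), or None."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(info: dict) -> list:
    """Structural red flags; an empty list means the layout looks like ordinary linker output."""
    findings = []
    ep = section_for_rva(info, info["entry"])
    if ep is None:
        findings.append("entry point outside every section")
    elif not ep["flags"] & SCN_EXECUTE:
        findings.append(f"entry point in non-executable section {ep['name']}")
    for s in info["sections"]:
        if s["flags"] & SCN_WRITE and s["flags"] & SCN_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["entropy"] > 7.2:
            findings.append(f"section {s['name']} entropy {s['entropy']} suggests packed or encrypted content")
    return findings
```

Run parse_pe() over the real file's bytes instead of build_sample() to reproduce the table above. The entropy threshold (7.2) and the assumption that the whole optional header is PE32+ are choices made for this example; on this binary the only sections above 6.5 are .text and .rdata, which is consistent with compiled code plus embedded font and certificate data rather than a packed image, and the entry point resolves to an executable .text with no writable+executable section, so the checks return nothing to flag.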

Imports

KERNEL32.dll HeapAlloc
DeleteCriticalSection
GetProcessHeap
DeleteFileW
Beep
ExitProcess
DeviceIoControl
CreateFileW
GetTempPathA
CloseHandle
GetCurrentProcessId
GetLastError
OutputDebugStringW
AreFileApisANSI
GetLocaleInfoEx
FormatMessageA
LocalFree
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
Sleep
GetVersionExA
InitializeCriticalSectionEx
VirtualAlloc
GetStdHandle
VirtualFree
SetConsoleTextAttribute
HeapFree
QueryPerformanceCounter
VerifyVersionInfoW
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
USER32.dll GetCapture
SetWindowLongA
ClientToScreen
IsChild
GetMonitorInfoA
WindowFromPoint
SetWindowTextW
LoadCursorA
GetKeyState
AdjustWindowRectEx
GetWindowLongW
BlockInput
UpdateWindow
PostQuitMessage
SetClipboardData
DispatchMessageA
TranslateMessage
GetClipboardData
EmptyClipboard
GetForegroundWindow
DefWindowProcA
CreateWindowExA
SetLayeredWindowAttributes
SetFocus
BringWindowToTop
SetCapture
ScreenToClient
EnumDisplayMonitors
MonitorFromWindow
SetWindowPos
GetDC
DestroyWindow
SetCursor
SetWindowLongW
PeekMessageA
GetClientRect
ShowWindow
CloseClipboard
OpenClipboard
GetCursorPos
ReleaseDC
SetCursorPos
IsIconic
SetForegroundWindow
ReleaseCapture
RegisterClassExA
UnregisterClassA
GDI32.dll GetDeviceCaps
ADVAPI32.dll RegCloseKey
RegEnumKeyExA
EnumServicesStatusA
CreateServiceA
CloseServiceHandle
QueryServiceConfigA
OpenSCManagerA
DeleteService
ControlService
StartServiceA
OpenServiceA
GetUserNameW
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
VERSION.dll GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW
XINPUT1_4.dll #4
#2
IMM32.dll ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
MSVCP140.dll ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??7ios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?good@ios_base@std@@QEBA_NXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Id_cnt@id@locale@std@@0HA
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
ntdll.dll NtQuerySystemInformation
RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry
d3d9.dll Direct3DCreate9
IPHLPAPI.DLL GetAdaptersInfo
urlmon.dll URLDownloadToFileA
VCRUNTIME140_1.dll __CxxFrameHandler4
VCRUNTIME140.dll memmove
memcpy
memcmp
memchr
_CxxThrowException
memset
__C_specific_handler
__current_exception_context
__current_exception
__std_exception_copy
__std_exception_destroy
__std_terminate
strstr
api-ms-win-crt-stdio-l1-1-0.dll fread
ftell
fwrite
_wfopen
__p__commode
_set_fmode
_get_stream_buffer_pointers
_fseeki64
fsetpos
ungetc
__stdio_common_vsprintf
setvbuf
fgetpos
fgetc
fputc
__acrt_iob_func
fflush
fclose
__stdio_common_vsscanf
fseek
api-ms-win-crt-string-l1-1-0.dll toupper
strncmp
strncpy
_stricmp
strcmp
api-ms-win-crt-utility-l1-1-0.dll rand
srand
qsort
api-ms-win-crt-heap-l1-1-0.dll malloc
free
_callnewh
_set_new_mode
api-ms-win-crt-runtime-l1-1-0.dll _c_exit
_exit
exit
_invoke_watson
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_register_thread_local_exe_atexit_callback
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
terminate
system
api-ms-win-crt-multibyte-l1-1-0.dll _mbscmp
api-ms-win-crt-time-l1-1-0.dll _time64
api-ms-win-crt-filesystem-l1-1-0.dll _unlock_file
remove
_lock_file
api-ms-win-crt-math-l1-1-0.dll ceilf
floorf
sinf
sqrtf
cosf
__setusermatherr
acosf
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale
___lc_codepage_func
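
The "Imports Hash" in the Hashes block is an imphash: an MD5 over the normalised import table, useful for pivoting between builds that share the same linker output. The following Python is an added example, not the tool's own code: it reproduces the normalisation rule (lowercase, module extension stripped, ordinals written as ordN, import-table order preserved) and includes a parser for the flattened "MODULE.dll Symbol / Symbol / #ordinal" listing format used above, so the table can be fed in as pasted. The excerpt embedded below is a constructed subset of that listing. One assumption to note: pefile, whose imphash is the de facto reference, also maps well-known ordinals of a few modules (ws2_32, oleaut32) back to names; that table is omitted here, so for binaries importing those by ordinal the value would differ.

```python
# Added example, not the tool's own code: recompute an imphash from an import table,
# including one parsed straight from the flattened listing format used in this report.
import hashlib

STRIP_EXT = (".dll", ".ocx", ".sys")


def parse_report_imports(text: str) -> list:
    """Turn 'MODULE.dll Symbol' / 'Symbol' / '#ordinal' lines into (module, symbol) pairs."""
    pairs, module = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head, _, rest = line.partition(" ")
        if rest and head.lower().endswith(STRIP_EXT):   # a line that starts a new module
            module, line = head, rest
        if module is None:
            raise ValueError(f"symbol before any module name: {line!r}")
        pairs.append((module, int(line[1:]) if line.startswith("#") else line))
    return pairs


def imphash_string(pairs) -> str:
    """Normalise as pefile does: lowercase, drop .dll/.ocx/.sys, ordinals become ordN,
    keep import-table order, join with commas. (pefile's ws2_32/oleaut32 ordinal-to-name
    table is deliberately not reproduced here.)"""
    parts = []
    for module, symbol in pairs:
        mod = module.lower()
        for ext in STRIP_EXT:
            if mod.endswith(ext):
                mod = mod[:-len(ext)]
                break
        parts.append(f"{mod}.ord{symbol}" if isinstance(symbol, int) else f"{mod}.{symbol.lower()}")
    return ",".join(parts)


def imphash(pairs) -> str:
    return hashlib.md5(imphash_string(pairs).encode()).hexdigest()


# Constructed excerpt in the report's listing format (a few entries from the table above).
REPORT_EXCERPT = """\
KERNEL32.dll HeapAlloc
DeleteCriticalSection
ADVAPI32.dll CreateServiceA
XINPUT1_4.dll #4
#2
IPHLPAPI.DLL GetAdaptersInfo
urlmon.dll URLDownloadToFileA
"""

if __name__ == "__main__":
    table = parse_report_imports(REPORT_EXCERPT)
    print(imphash_string(table))
    print("imphash:", imphash(table))
```

Because the hash covers order as well as names, two binaries with the same functions imported in a different order get different imphashes, and a build that resolves most of its API through GetProcAddress/LoadLibraryA (flagged in the plugin output above) carries a correspondingly small and less distinctive import table.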

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2026-Apr-19 12:40:11
Version 0.0
SizeofData 912
AddressOfRawData 0x155298
PointerToRawData 0x153a98

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2026-Apr-19 12:40:11
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x140155648
EndAddressOfRawData 0x140155650
AddressOfIndex 0x14015cd68
AddressOfCallbacks 0x140102998
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14015c040

RICH Header

XOR Key 0x206a983c
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 22
Imports (35207) 6
ASM objects (35207) 4
C objects (35207) 10
C++ objects (35207) 38
Imports (33145) 23
Total imports 338
C++ objects (LTCG) (35225) 13
Resource objects (35225) 1
Linker (35225) 1
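
The Rich header values above (XOR key, per-tool object counts, build numbers) come from a block the MSVC linker writes between the DOS stub and the PE signature: a "DanS" marker, three padding dwords and (comp.id, count) pairs, all XORed with a key, then the literal "Rich" and the key in clear. The key is also a checksum over the DOS stub and the entries, which is what makes it worth recomputing: a stored key that does not match means the stub or the entries were edited after linking. The following Python is an added example, not the tool's own code; it encodes a constructed Rich header, decodes it back, and verifies the key using the checksum rule as described in published analyses of the format (DanS offset, plus each stub byte before DanS rotated left by its offset with e_lfanew skipped, plus each comp.id rotated left by its count). The build numbers in the sample copy the report; the prod.id values are placeholders, since the prod.id-to-product-name table the report uses for labels such as "Imports (VS2008 SP1 build 30729)" is not reproduced here.

```python
# Added example, not output of the tool: decode a Rich header, recover its XOR key and
# check the key against the checksum the linker derives from the DOS stub and the entries.
import struct

DANS = 0x536E6144  # b"DanS" read as a little-endian dword


def rol32(v: int, n: int) -> int:
    n %= 32
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(data: bytes, dans_offset: int, entries) -> int:
    """The XOR key: DanS offset + every DOS header/stub byte before DanS rotated by its offset
    (e_lfanew at 0x3C..0x3F is skipped, so patching it does not invalidate the key)
    + every comp.id rotated by its use count. A stored key that differs was tampered with."""
    c = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        c = (c + rol32(data[i], i)) & 0xFFFFFFFF
    for compid, count in entries:
        c = (c + rol32(compid, count)) & 0xFFFFFFFF
    return c


def build_rich(dos_stub: bytes, entries) -> bytes:
    """Append an encoded Rich header (DanS, three pads, entries, 'Rich', key) to a DOS stub."""
    key = rich_checksum(dos_stub, len(dos_stub), entries)
    words = [DANS ^ key, key, key, key]           # the three pad dwords are zero before XOR
    for compid, count in entries:
        words += [compid ^ key, count ^ key]
    return dos_stub + struct.pack(f"<{len(words)}I", *words) + b"Rich" + struct.pack("<I", key)


def parse_rich(data: bytes) -> dict:
    """Locate 'Rich' before e_lfanew, walk back to DanS, decode the entries, verify the key."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.find(b"Rich", 0x40, e_lfanew)
    if end < 0:
        raise ValueError("no Rich header")
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 4
    while start >= 0x40 and struct.unpack_from("<I", data, start)[0] ^ key != DANS:
        start -= 4
    if start < 0x40:
        raise ValueError("DanS marker not found")
    words = [w ^ key for w in struct.unpack_from(f"<{(end - start) // 4}I", data, start)]
    raw = [(words[i], words[i + 1]) for i in range(4, len(words), 2)]   # (comp.id, count)
    entries = [(cid >> 16, cid & 0xFFFF, n) for cid, n in raw]          # (prod.id, build, count)
    return {"offset": start, "key": key, "entries": entries,
            "valid": rich_checksum(data, start, raw) == key}


# Constructed sample: a 0x80-byte DOS header/stub with e_lfanew = 0x100, followed by three
# entries. Build numbers copy the report; the prod.id values (0x93, 0x104, 0x105) are arbitrary.
_stub = bytearray(0x80)
_stub[0:2] = b"MZ"
struct.pack_into("<I", _stub, 0x3C, 0x100)
_msg = b"This program cannot be run in DOS mode.\r\n$"
_stub[0x40:0x40 + len(_msg)] = _msg
ENTRIES = [((0x93 << 16) | 30729, 22), ((0x104 << 16) | 35207, 6), ((0x105 << 16) | 35225, 1)]
SAMPLE = build_rich(bytes(_stub), ENTRIES).ljust(0x100, b"\0") + b"PE\0\0"


def tamper_stub(data: bytes) -> bytes:
    """Flip one DOS-stub byte the checksum covers; the stored key no longer matches."""
    out = bytearray(data)
    out[0x50] ^= 0xFF
    return bytes(out)
```

Run parse_rich() over the real file to check the reported key 0x206a983c the same way; "valid" false on a sample that otherwise parses cleanly is the signal that the Rich block was patched or copied in from another binary, which is why the header is treated as a linking fingerprint only when its checksum holds.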

Errors
