Manalyze report for cfb2adccdd6998111a27264f5729e5521dd2bad87da6c22cc1b31d3859f1e267

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-Feb-28 02:56:33
Detected languages	English - United States
TLS Callbacks	2 callback(s) detected.

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .xdata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CheckRemoteDebuggerPresent CreateToolhelp32Snapshot` `Can access the registry: RegCloseKey RegOpenKeyExA RegQueryValueExA` `Possibly launches other programs: ShellExecuteA` `Uses Microsoft's cryptographic API: CryptCATAdminEnumCatalogFromHash CryptCATAdminReleaseCatalogContext CryptCATAdminReleaseContext CryptCATCatalogInfoFromContext` `Can create temporary files: CreateFileA GetTempPathA` `Has Internet access capabilities: WinHttpCloseHandle WinHttpConnect WinHttpOpen WinHttpOpenRequest WinHttpQueryHeaders WinHttpReadData WinHttpReceiveResponse WinHttpSendRequest WinHttpSetOption WinHttpWebSocketClose WinHttpWebSocketCompleteUpgrade WinHttpWebSocketReceive WinHttpWebSocketSend` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Enumerates local disk drives: GetVolumeInformationA` `Manipulates other processes: OpenProcess Process32FirstW Process32NextW` `Changes object ACLs: SetSecurityInfo` `Can take screenshots: BitBlt CreateCompatibleDC GetDC`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`68469ac1f2f05d81440bc975c6dc651f`
SHA1	`3ff7b59378fa8f2a3b5578be857f47d0c49ba697`
SHA256	`cfb2adccdd6998111a27264f5729e5521dd2bad87da6c22cc1b31d3859f1e267`
SHA3	`7a2c870f86895d9da01736633115509cfbb34a49ce0a8ef05ed1ddf8b8acd0d8`
SSDeep	`3072:jS+WeB3WYf6cZRIwZ5ZJJ99SDC1GcoEooLwMerqzHHHHHHHbHCwoks2:jS+dBjKw5oODzHHHHHHHbHFT/`
Imports Hash	`0ae496155761529a96779e2646554fde`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`11`
TimeDateStamp	2026-Feb-28 02:56:33
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`2.0`
SizeOfCode	`0x1b200`
SizeOfInitializedData	`0x23600`
SizeOfUninitializedData	`0x110e00`
AddressOfEntryPoint	`0x00000000000014D0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x13b000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`5696bf82c82d44324ff4c4a32cfec891`
SHA1	`4e0e3adabf90d0095a4c8f5492cd5a8eb0fc556c`
SHA256	`435ed5c07057c72ed1f9fdafb93af67e753580cce01aa6219bb9ede68791aaf9`
SHA3	`7f89baf7a65da305908d1fa2048f71a18393bf4de92f3832c0b611b98a4af3ab`
VirtualSize	`0x1b138`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1b200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.07459`

.data

MD5	`d6fa2eb2ac5990702bcdc17ff6ea4c63`
SHA1	`65c57a5f88384304e06e177bda8c82a7aff3a6ef`
SHA256	`e46f4a1222ac13c014aa1a65c2e936e5c2d088d1775dbff3399587d3190943c1`
SHA3	`24a64c1381b33bb1f83e677271ce0074b4568807943f3eff679cf840c900c2f5`
VirtualSize	`0x170`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.52104`

.rdata

MD5	`126615a3e000fe079ea050ebda57436d`
SHA1	`ce5400626b26ef22ea3e3d49e890397fc3b94fbc`
SHA256	`2072179f933ce1bb35fb52c3b51b4b40508aacdfb0f9fc96fc83034c4938dece`
SHA3	`f3666f38af0190d1ce496a05a5d86bde766ee68027c5537897831ee5f423d721`
VirtualSize	`0x3c10`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x3e00`
PointerToRawData	`0x1b800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.02485`

.pdata

MD5	`4d223bf8816ef57084da549cf500bbca`
SHA1	`01e54366d9c4eea2bb1b4699e366b426ba375f80`
SHA256	`198ec832cf4bf605025845e1738670711153867c28c37b5b65ef18d15aeec776`
SHA3	`e21a4321af0cd95f711eaa38949f4353e62bb53803db302685a0e05b2adabd6f`
VirtualSize	`0xc78`
VirtualAddress	`0x22000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x1f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.75577`

.xdata

MD5	`fa40c1e8b79489b6a83832408cc29d4b`
SHA1	`0515fb5997c3958cad7cff6b63a8c0cf232fc733`
SHA256	`9843286adeaf9624e1626ea783b8c36e2f61672ec11e80c2e1725f3f45fadf9b`
SHA3	`11dbb2981288ecd9272e031ea54e19a7c2194d215b9717f9559c9001da99922f`
VirtualSize	`0xc5c`
VirtualAddress	`0x23000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x20400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.09412`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x110c40`
VirtualAddress	`0x24000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`d0effae29ede86f67e87dcfec390b51b`
SHA1	`e84b564223a3f57f0524b945ac0c30ca444e721f`
SHA256	`84a9f25b785d01cf3f36cfd81bf4732b70e7461e4a58211e55432f01dcd7d082`
SHA3	`ae9d8b01988148771d4d4476fc4879385ab936bd21ab064da42936e41b79abbd`
VirtualSize	`0x1ccc`
VirtualAddress	`0x135000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x21200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.01968`

.CRT

MD5	`a7f0ea8fa9476b0cd0c63f497711c9a9`
SHA1	`7a9f36781800925e550dfea079951c120c791484`
SHA256	`4326176127f852992b63bfb83a7a1d2500cfe9889b53a9c68763fb6980b9a95e`
SHA3	`781bae6d075d652219d3a8f272dcddf2cc30560822676c43ddf3eafa6dfd5219`
VirtualSize	`0x60`
VirtualAddress	`0x137000`
SizeOfRawData	`0x200`
PointerToRawData	`0x23000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.28656`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x138000`
SizeOfRawData	`0x200`
PointerToRawData	`0x23200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`68586396dc02ddb404ebe180800118ab`
SHA1	`0148f9121eedef069ea1821733d8575846e50229`
SHA256	`52f7c5a9855852c5b87a6dff96c21ace808f68b2e4410395787c69ab30cdc611`
SHA3	`62ef9e952063336f7ef368ec30b99bbd1db902e9ea8f247f9c688b671ebe2d8e`
VirtualSize	`0x320`
VirtualAddress	`0x139000`
SizeOfRawData	`0x400`
PointerToRawData	`0x23400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.47348`

.reloc

MD5	`629fb1137c17bbb4960a3b136d061d53`
SHA1	`7b168a00f6c2f0244f3d00b0fdb1b342b6f56542`
SHA256	`d52ec23940694a239c616e908954a200b0eafb2d52548cf0edf3a76e591eb470`
SHA3	`93779937b1017e7d817ee38fa400967d89cb38fa73d1baa1e058b4d408b86d22`
VirtualSize	`0xa4`
VirtualAddress	`0x13a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x23800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.98239`

Imports

KERNEL32.DLL	`AllocConsole` `CheckRemoteDebuggerPresent` `CloseHandle` `CreateFileA` `CreateMutexA` `CreateThread` `CreateToolhelp32Snapshot` `DeleteCriticalSection` `DeleteFileA` `DuplicateHandle` `EnterCriticalSection` `FindClose` `FindFirstFileA` `FindNextFileA` `FreeConsole` `FreeLibrary` `GetCurrentProcess` `GetCurrentProcessId` `GetEnvironmentVariableA` `GetFileAttributesA` `GetFileAttributesExA` `GetFileSize` `GetFileSizeEx` `GetFullPathNameA` `GetLastError` `GetLocalTime` `GetModuleFileNameA` `GetModuleHandleA` `GetProcAddress` `GetProcessId` `GetStartupInfoA` `GetTempPathA` `GetVersionExA` `GetVolumeInformationA` `InitializeCriticalSection` `IsDBCSLeadByteEx` `IsDebuggerPresent` `K32GetModuleFileNameExW` `LeaveCriticalSection` `LoadLibraryA` `LocalFree` `Module32FirstW` `Module32NextW` `MoveFileA` `MultiByteToWideChar` `OpenProcess` `Process32FirstW` `Process32NextW` `QueryFullProcessImageNameW` `ReadFile` `ReleaseMutex` `SetConsoleCtrlHandler` `SetUnhandledExceptionFilter` `Sleep` `TlsGetValue` `VirtualProtect` `VirtualQuery` `VirtualQueryEx` `WaitForSingleObject` `WideCharToMultiByte` `__C_specific_handler`
ADVAPI32.dll	`AdjustTokenPrivileges` `AllocateAndInitializeSid` `FreeSid` `GetSecurityInfo` `LookupPrivilegeValueA` `OpenProcessToken` `RegCloseKey` `RegOpenKeyExA` `RegQueryValueExA` `SetEntriesInAclA` `SetSecurityInfo`
bcrypt.dll	`BCryptCloseAlgorithmProvider` `BCryptCreateHash` `BCryptDestroyHash` `BCryptFinishHash` `BCryptHashData` `BCryptOpenAlgorithmProvider`
CRYPT32.dll	`CertGetNameStringA`
GDI32.dll	`BitBlt` `CreateCompatibleBitmap` `CreateCompatibleDC` `DeleteDC` `DeleteObject` `GetDIBits` `SelectObject`
IPHLPAPI.DLL	`GetAdaptersInfo`
msvcrt.dll	`___lc_codepage_func` `___mb_cur_max_func` `__getmainargs` `__initenv` `__iob_func` `__set_app_type` `__setusermatherr` `_acmdln` `_amsg_exit` `_cexit` `_commode` `_errno` `_fmode` `_initterm` `_localtime64` `_lock` `_onexit` `_stricmp` `_strnicmp` `_time64` `_unlock` `abort` `atoi` `calloc` `exit` `fclose` `fflush` `fopen` `fprintf` `fputc` `free` `freopen` `fwrite` `getc` `islower` `isspace` `isupper` `isxdigit` `localeconv` `malloc` `memcpy` `memset` `realloc` `signal` `strchr` `strcmp` `strerror` `strftime` `strlen` `strncmp` `strncpy` `strrchr` `strstr` `strtol` `strtoul` `tolower` `ungetc` `vfprintf` `wcslen` `wcsrchr`
ole32.dll	`CoCreateInstance` `CoInitializeEx` `CoUninitialize` `CreateStreamOnHGlobal`
SHELL32.dll	`ShellExecuteA`
USER32.dll	`EnumWindows` `GetClassNameW` `GetDC` `GetSystemMetrics` `GetWindowTextW` `GetWindowThreadProcessId` `IsWindowVisible` `ReleaseDC` `wsprintfW`
WINHTTP.dll	`WinHttpCloseHandle` `WinHttpConnect` `WinHttpOpen` `WinHttpOpenRequest` `WinHttpQueryHeaders` `WinHttpReadData` `WinHttpReceiveResponse` `WinHttpSendRequest` `WinHttpSetOption` `WinHttpWebSocketClose` `WinHttpWebSocketCompleteUpgrade` `WinHttpWebSocketReceive` `WinHttpWebSocketSend`
WINTRUST.dll	`CryptCATAdminEnumCatalogFromHash` `CryptCATAdminReleaseCatalogContext` `CryptCATAdminReleaseContext` `CryptCATCatalogInfoFromContext` `WTHelperGetProvCertFromChain` `WTHelperGetProvSignerFromChain` `WTHelperProvDataFromStateData` `WinVerifyTrust`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2c3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.97531`
MD5	`1b16f47a080f2c9e0392649fcc797dfc`
SHA1	`6bc40ae7adbac97f183b1c1a4c844e85fbf0565c`
SHA256	`93105385e01db5e12d9b502de55f435e38c826c8c980c8d84b56a93b930cc130`
SHA3	`92dc25d0fe89db11a033833707e8c0d1404f3889e73e1c5ec8cd54b520dc9867`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x140138000`
EndAddressOfRawData	`0x140138008`
AddressOfIndex	`0x14013402c`
AddressOfCallbacks	`0x140137038`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x000000014000D5F0` `0x000000014000D5C0`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!

Leave a comment

No comments yet.