Manalyze report for ec3953d5311f6fef2467faecff8eb3f4761d17076d6e96e60fcfccef1d40bb03

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-May-17 06:58:08
Debug artifacts	D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb
CompanyName	BlueCoin2
FileDescription	BlueCoin2
FileVersion	`1.0.0.0`
InternalName	BlueCoin2.dll
LegalCopyright
OriginalFilename	BlueCoin2.dll
ProductName	BlueCoin2
ProductVersion	`1.0.0`
Assembly Version	1.0.0.0

Plugin Output

Info	Matching compiler(s):	`.NET executable -> Microsoft`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: .playfabapi.com cacerts.digicert.com crl3.digicert.com crl4.digicert.com digicert.com github.com go.microsoft.com http://cacerts.digicert.com http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0 http://crl3.digicert.com http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0 http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E http://crl3.digicert.com/sha2-assured-ts.crl02 http://crl4.digicert.com http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0 http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L http://crl4.digicert.com/sha2-assured-ts.crl0 http://james.newtonking.com http://james.newtonking.com/projects/json http://nlog-project.org http://ocsp.digicert.com0C http://ocsp.digicert.com0K http://ocsp.digicert.com0N http://ocsp.digicert.com0O http://schemas.xmlsoap.org http://schemas.xmlsoap.org/soap/envelope/ http://www.digicert.com http://www.digicert.com/CPS0 http://www.w3.org http://www.w3.org/2000/xmlns/ http://www.w3.org/2003/05/soap-envelope https://aka.ms https://github.com https://go.microsoft.com https://go.microsoft.com/fwlink/?linkid https://nlog-project.org https://www.digicert.com https://www.digicert.com/CPS0 https://www.newtonsoft.com https://www.newtonsoft.com/json https://www.newtonsoft.com/jsonschema https://www.nuget.org https://www.nuget.org/packages/NLog.Web.AspNetCore https://www.nuget.org/packages/Newtonsoft.Json.Bson james.newtonking.com microsoft.com microsoft.net newtonking.com newtonsoft.com nlog-project.org nuget.org playfabapi.com project.org schemas.xmlsoap.org www.digicert.com www.newtonsoft.com www.nuget.org www.w3.org xmlsoap.org
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Can access the registry: RegOpenKeyExW RegGetValueW RegCloseKey` `Possibly launches other programs: ShellExecuteW`
Suspicious	The file contains overlay data.	`1754466 bytes of data starting at offset 0x27800.` `Overlay data amounts for 91.5569% of the executable.`
Suspicious	VirusTotal score: 1/70 (Scanned on 2026-05-06 21:33:20)	`APEX: Malicious`

Hashes

MD5	`c86a38d1702d675e9cf025b3966443b3`
SHA1	`6f5b16b79530ce5314a42f23b0b7477697ab7ffb`
SHA256	`ec3953d5311f6fef2467faecff8eb3f4761d17076d6e96e60fcfccef1d40bb03`
SHA3	`6915cc4fdf18b18552f362f2226f0f46eae2866d2aeefc8c3a514b7c2c18e997`
SSDeep	`49152:UUQoOB7joLIbALsj8b4bW767Qdddb7ddzA7W6J:uiC`
Imports Hash	`72bc4dfff8905033c11dea0c671a7919`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2024-May-17 06:58:08
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x19a00`
SizeOfInitializedData	`0xe600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000140E0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x2d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x180000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`81e655244a7161e07ad47ad730ab5579`
SHA1	`803934a1c97e6de597ea65b80763bd0a79a4c6b9`
SHA256	`e3b6087c33ac2182730dc0cb413371b9eb81a6cb1280cbfa3f0c53e45de4b1b4`
SHA3	`e02bd56e4620b4843de6954916582b00c74430a57ad23a4aa9e25cce8e57744a`
VirtualSize	`0x1996c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x19a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.3716`

.rdata

MD5	`47797c3547ba374df080f4464b372a5c`
SHA1	`b3fd75035705aa3f9e24d1537d51910b36c24e04`
SHA256	`aacd095a73b334c30c2913f4e9ea5748ac0f9e80a69f521637ea523d50a0f887`
SHA3	`15d1bf7f2eb69fe04adbba69a54fa43d6b573a1356bf40bb0cdc6698a8080d29`
VirtualSize	`0x9dda`
VirtualAddress	`0x1b000`
SizeOfRawData	`0x9e00`
PointerToRawData	`0x19e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.53817`

.data

MD5	`350512c9efc277a6e1bde709b5e616a7`
SHA1	`234dafb693d16c5d2ab1a50ca049e1ac19bcdb94`
SHA256	`23a4516c5a676880bb3513dc74cdcb17bd2038a34b6bc9c3414cd313445bd8a7`
SHA3	`b3f08e334730f2c6c6d8e1d035ecb641fcad118ef6bab5ef0588b72f74e6bf5e`
VirtualSize	`0x15c8`
VirtualAddress	`0x25000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x23c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.61896`

.pdata

MD5	`3db1cb20418d86114c0169ee0656e546`
SHA1	`49c717ce3013ecd4cc6bcb9444c430bf3debe3e0`
SHA256	`3bf69b8c66cb941ed2598af0779659968b4c9a382f5c7ac3cf1632a40d93097a`
SHA3	`5dc7ff3ddbcfea485c13391ea874144f17f28b71af779037031b875a9651c1d4`
VirtualSize	`0x15cc`
VirtualAddress	`0x27000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x24600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.17821`

_RDATA

MD5	`ec44dd57375fe515f2a9aae0488f7dcb`
SHA1	`9e9d673db9389b26fc3052a11ccbc0fb2fa06c03`
SHA256	`5a7f28fd244e52ee2987af22b4e03d2cecaaf59f5fffba814f629c6cec34f7e9`
SHA3	`dbc81e92bb588aefc152f627ee37b52925d18d25a9bf349718db7d3129f98fdb`
VirtualSize	`0x1f4`
VirtualAddress	`0x29000`
SizeOfRawData	`0x200`
PointerToRawData	`0x25c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.16046`

.reloc

MD5	`f512d13936eb390f71a1d7d1e5abb919`
SHA1	`740eead0e5944d8d01f922f1f5e031f2e1df6d24`
SHA256	`7de36d5da7f4f2480ac5a826913c7f1b0e33f32f4c939b48c749fef82b6ef702`
SHA3	`5b34ca1df88a2fc67c21ed988a7a8b619cbaae75196487fc75e3fb0855f4115f`
VirtualSize	`0x348`
VirtualAddress	`0x2a000`
SizeOfRawData	`0x400`
PointerToRawData	`0x25e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.85564`

.rsrc

MD5	`75c44ebb1b7b5d1ac2df30228df9868c`
SHA1	`ad2e051cf440fa18be2c85e3ef00f507d198f7b8`
SHA256	`53bf4c11a872799ec7bd0c60afaa9961dc6e2c015e73c1d749bca440924c32f3`
SHA3	`b17a158b1e93821847c3d7566281e0eba90abc01f8d9b7b475b01d31ef694695`
VirtualSize	`0x1424`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x26200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.83594`

Imports

KERNEL32.dll	`FindNextFileW` `GetCurrentProcess` `GetModuleHandleExW` `GetModuleFileNameW` `LeaveCriticalSection` `InitializeCriticalSection` `GetEnvironmentVariableW` `FindClose` `MultiByteToWideChar` `GetLastError` `GetFileAttributesExW` `GetFullPathNameW` `GetProcAddress` `DeleteCriticalSection` `WideCharToMultiByte` `IsWow64Process` `LoadLibraryExW` `FreeLibrary` `TlsFree` `TlsSetValue` `TlsGetValue` `TlsAlloc` `EnterCriticalSection` `FindFirstFileExW` `OutputDebugStringW` `LoadLibraryA` `GetModuleHandleW` `InitializeCriticalSectionAndSpinCount` `SetLastError` `RaiseException` `RtlPcToFileHeader` `RtlUnwindEx` `InitializeSListHead` `GetSystemTimeAsFileTime` `GetCurrentThreadId` `GetCurrentProcessId` `QueryPerformanceCounter` `IsDebuggerPresent` `IsProcessorFeaturePresent` `TerminateProcess` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `LCMapStringEx` `DecodePointer` `EncodePointer` `InitializeCriticalSectionEx` `GetStringTypeW`
USER32.dll	`MessageBoxW`
SHELL32.dll	`ShellExecuteW`
ADVAPI32.dll	`RegOpenKeyExW` `RegGetValueW` `DeregisterEventSource` `RegisterEventSourceW` `ReportEventW` `RegCloseKey`
api-ms-win-crt-runtime-l1-1-0.dll	`_register_onexit_function` `_invalid_parameter_noinfo_noreturn` `__p___argc` `__p___wargv` `exit` `_initterm_e` `_initterm` `_get_initial_wide_environment` `_initialize_wide_environment` `_configure_wide_argv` `_c_exit` `terminate` `_set_app_type` `_seh_filter_exe` `_cexit` `_register_thread_local_exe_atexit_callback` `_errno` `_exit` `abort` `_crt_atexit` `_initialize_onexit_table`
api-ms-win-crt-stdio-l1-1-0.dll	`__stdio_common_vfwprintf` `__stdio_common_vsprintf_s` `setvbuf` `__stdio_common_vswprintf` `_set_fmode` `__acrt_iob_func` `fputwc` `fputws` `__stdio_common_vsnwprintf_s` `_wfsopen` `fflush` `__p__commode`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `_callnewh` `free` `malloc` `calloc`
api-ms-win-crt-string-l1-1-0.dll	`wcsnlen` `strcpy_s` `_wcsdup` `strcspn` `wcsncmp` `toupper`
api-ms-win-crt-convert-l1-1-0.dll	`wcstoul` `_wtoi`
api-ms-win-crt-locale-l1-1-0.dll	`__pctype_func` `_unlock_locales` `_lock_locales` `___lc_locale_name_func` `___lc_codepage_func` `___mb_cur_max_func` `_configthreadlocale` `setlocale` `localeconv`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr` `frexp`
api-ms-win-crt-time-l1-1-0.dll	`_gmtime64_s` `wcsftime` `_time64`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xe33`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.63092`
Detected Filetype	PNG graphic file
MD5	`0b3cbbbbe0f91f24d84659f123d3b88f`
SHA1	`1f78a487da5bbfeaace928697cdda3c9784545ac`
SHA256	`9d8d2d0c5c9ca29e47c3a4e0bc010683e73474aaa5e6a37a1ffe351f6aa89514`
SHA3	`6aae8ed06e1ce08321e2701a1e702acdbeacb8a2d04f08d76803f6ef21442d1c`

32512

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.51664`
Detected Filetype	Icon file
MD5	`e7b5a3a3e0511a1d4b3e8f9bfcb6c73f`
SHA1	`056e1f0762d1935d8d958cf9852fc82ee212b0da`
SHA256	`ba38b806af83080d21f7e2eadf79d9fa1241ca7b1f9ba4f12cb94a5159d5cd16`
SHA3	`d112168da533d5f29fdd653fac9a578887a1155d0fb44e59e7e083ac5286b776`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2c0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.24559`
MD5	`12eb4c0353a736a02155d3ee783fdabe`
SHA1	`a3dee59b54588a13921fed400585aefb1b3335b6`
SHA256	`cdabaa94a0126aba23a31079f3956069cf58a1c81a40276acca6bde1ca904085`
SHA3	`da886f2ef0f7026c2a2d7e3104a97bfe6f417fe1486890fe76374dcff60e11fe`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1ea`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.00112`
MD5	`b7db84991f23a680df8e95af8946f9c9`
SHA1	`cac699787884fb993ced8d7dc47b7c522c7bc734`
SHA256	`539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a`
SHA3	`4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	BlueCoin2
FileDescription	BlueCoin2
FileVersion (#2)	1.0.0.0
InternalName	BlueCoin2.dll
LegalCopyright
OriginalFilename	BlueCoin2.dll
ProductName	BlueCoin2
ProductVersion (#2)	1.0.0
Assembly Version	1.0.0.0

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-May-17 18:05:40
Version	`0.0`
SizeofData	`109`
AddressOfRawData	`0x21460`
PointerToRawData	`0x20260`
Referenced File	D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2024-May-17 18:05:40
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x214d0`
PointerToRawData	`0x202d0`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-May-17 18:05:40
Version	`0.0`
SizeofData	`984`
AddressOfRawData	`0x214e4`
PointerToRawData	`0x202e4`

TLS Callbacks

StartAddressOfRawData	`0x140021908`
EndAddressOfRawData	`0x140021918`
AddressOfIndex	`0x1400265b0`
AddressOfCallbacks	`0x14001b4e8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140025040`
GuardCFCheckFunctionPointer	`5368820752`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xfc4fc1c3`
Unmarked objects	`0`
Unmarked objects (#2)	`1`
C objects (33218)	`12`
ASM objects (33218)	`18`
C++ objects (33218)	`80`
Imports (VS2008 SP1 build 30729)	`16`
Imports (30795)	`9`
Total imports	`164`
C++ objects (LTCG) (33523)	`10`
Linker (33523)	`1`

Errors

Leave a comment

No comments yet.