Manalyze report for fdd6012a0277205c83958500158759bfcec0fe019d81be76b958331c0c9fdb0d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Jan-05 12:15:46

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Leverages the raw socket API to access the Internet: ntohl` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`12160364 bytes of data starting at offset 0x42a00.` `The overlay data has an entropy of 7.99804 and is possibly compressed or encrypted.` `Overlay data amounts for 97.8051% of the executable.`
Safe	VirusTotal score: 0/62 (Scanned on 2025-12-01 14:07:11)	`All the AVs think this file is safe.`

Hashes

MD5	`e5def70e1609173904c164c40dcc702d`
SHA1	`9120427bf9653473b3ac992faf1963c076b78668`
SHA256	`fdd6012a0277205c83958500158759bfcec0fe019d81be76b958331c0c9fdb0d`
SHA3	`305b70ad67282b777369ea4cc58fbae0fbec81f34d19f271e342776315686d2b`
SSDeep	`196608:GjxtQOz7nTP1Suf7q19onJ5hrZERMB2WZufOuD9L/48RmU/3ZlsPvZNTKyPK8Cb:Uxtl7nTP1hm19c5hlERo2WmfDZ/tN3Z`
Imports Hash	`809ea02d92fea89353f33279290e8c9f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2020-Jan-05 12:15:46
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x20e00`
SizeOfInitializedData	`0x21800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000008EF8 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x55000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ff2440518f03dde94ed9e5b2e377f847`
SHA1	`3feba9afeb2e82c0e260427bd887b4f70a0aa058`
SHA256	`03fed4e25f8fe8d1938a57571a1b447ff27498a13d91ca0f63dcb8b581a6846b`
SHA3	`34381bb93f5d1725e5f2085b1143e2da64752fdf25d507903c5b534407466193`
VirtualSize	`0x20d20`
VirtualAddress	`0x1000`
SizeOfRawData	`0x20e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46036`

.rdata

MD5	`2d605f3828b73c4175f7129a3eccba50`
SHA1	`cb6bdee6020fb40f991c48fced75e44a8721a7c1`
SHA256	`b6042e343161a6c745007c25ac8b134743dd5562796810c9f51f94ff590afae7`
SHA3	`2118def5d9abb5fc848e6b50e4dc5e109cfb22c2151be7b33806208808e5cead`
VirtualSize	`0xf57e`
VirtualAddress	`0x22000`
SizeOfRawData	`0xf600`
PointerToRawData	`0x21200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.84303`

.data

MD5	`c926f201a6cca2c9ef076b807b13354f`
SHA1	`b9fdf79a5551c30f6055e43dd5b14ddb2d217369`
SHA256	`7acfc4a551fa8f7e08c75d259a4bbad3b079d123a644627f98628686e512a52a`
SHA3	`c77393efa745b18d88743c82bf190aa1718630b7738c63110b05f9f1f31c6a1e`
VirtualSize	`0xf108`
VirtualAddress	`0x32000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x30800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.84695`

.pdata

MD5	`3d773adc721a0a380af6df220eda7635`
SHA1	`c0d019e315815bcc21b5772618cdcc87467964be`
SHA256	`26d4a5d65ab2c9c24db2fedede6934595b4b0734e724c2a58e599cf48703c2ee`
SHA3	`5c461e2466bd87754aec0450e13b79cadb24395bf14661a2f8c224fe9689a540`
VirtualSize	`0x1cbc`
VirtualAddress	`0x42000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x31400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.18714`

.gfids

MD5	`ecf6785a081e1b4ffbe0ae7dfca3fefb`
SHA1	`5681e0680c0e4cc8dbfe3d9e44b37a95e987bbf3`
SHA256	`2de09582994ecef258e6dd21115387c9e3d17b7c9d6ab368cfe23b5de003be81`
SHA3	`973541ef6ead8ad4002ef468cb92c2f77c57f974ae82dc20aa5b4ae2a9aa1361`
VirtualSize	`0xac`
VirtualAddress	`0x44000`
SizeOfRawData	`0x200`
PointerToRawData	`0x33200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.71804`

.rsrc

MD5	`19e87ab1889766fd554ff33a0b1159b5`
SHA1	`054ef95cb2564a65a6da1cd85530169b3ec07d2a`
SHA256	`99e881e7f1a65310c4cbfa21ee33607b76ba866cf080a34f32091eb860d16978`
SHA3	`b9afe424d67173980a3b7965e40a9f1d15f598f835f0e5b8f3e90115d14355ff`
VirtualSize	`0xed5c`
VirtualAddress	`0x45000`
SizeOfRawData	`0xee00`
PointerToRawData	`0x33400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.49025`

.reloc

MD5	`209b202cf3376b99ed5e06aa5ff871b6`
SHA1	`6839036a520a7fbb9ffd4ee6646a6d2dd5275986`
SHA256	`bb7b98ea92421d4154de90d00c822d5a9a86454c620b42bf266ce2a0ed65d9db`
SHA3	`5faa1269046b202b5152c31851da3848bb2ab511b8857c79ec524939e5448bb9`
VirtualSize	`0x690`
VirtualAddress	`0x54000`
SizeOfRawData	`0x800`
PointerToRawData	`0x42200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.98444`

Imports

USER32.dll	`MessageBoxW` `MessageBoxA`
KERNEL32.dll	`HeapReAlloc` `GetLastError` `SetDllDirectoryW` `GetModuleFileNameW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `ExpandEnvironmentStringsW` `GetTempPathW` `SetEndOfFile` `Sleep` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `LoadLibraryExW` `CreateDirectoryW` `GetShortPathNameW` `FormatMessageW` `LoadLibraryA` `MultiByteToWideChar` `WideCharToMultiByte` `WaitForSingleObject` `CreateFileW` `HeapSize` `GetTimeZoneInformation` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetCommandLineA` `ReadFile` `RaiseException` `GetDriveTypeW` `GetFileType` `CloseHandle` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `GetFullPathNameA` `RemoveDirectoryW` `FindClose` `FindFirstFileExW` `FindNextFileW` `SetStdHandle` `SetConsoleCtrlHandler` `DeleteFileW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `GetACP` `HeapFree` `HeapAlloc` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleCP` `CompareStringW` `LCMapStringW` `GetCurrentDirectoryW` `FlushFileBuffers` `SetEnvironmentVariableA` `GetFileAttributesExW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetStringTypeW` `GetProcessHeap` `WriteConsoleW`
ADVAPI32.dll	`ConvertStringSecurityDescriptorToSecurityDescriptorW`
WS2_32.dll	`ntohl`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.09003`
MD5	`4a55ae59dfe03fe18d90b337ee5601d3`
SHA1	`e37ba9125bfba0a181f229353d5734a4a6bbbcd3`
SHA256	`062c345ecae419cc21373837321f1125c04a8ef00924608d4e6b3d11d6e2bef9`
SHA3	`f505629886dac9ad1a4c5b5ca0c576428c21097625ffe1527130972f18a61348`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.44895`
MD5	`1c06420cfb94514d35c088699a04774d`
SHA1	`2c23d7df4bc8ce3fb15f33e78c042b12814aea3b`
SHA256	`d73c1848a067a0fd094423213dc1e855b5b29b0b441f0bcb315feb90d662972e`
SHA3	`a630c0bd054ccf853d3673897d2a553e10797d288b3f09898503304ecec7d7f3`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.77742`
MD5	`db1208cf5d76055be1c3a34567af9f5a`
SHA1	`c5adcd7407c8b18459e4b4ce96fb70ecf5701a97`
SHA256	`5a008270f7254f5ca861e9936f4b5b7a23c04d63165895234fd1782bc03ec0e5`
SHA3	`549076010917e74ff3fe656848779d90468b96740184b07016dbf2833e9abf99`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x952c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95095`
Detected Filetype	PNG graphic file
MD5	`f6fbada22d6a6c07ef8fdaa504f117d5`
SHA1	`591a723501eff1a4920462f8efcaf3715e829450`
SHA256	`3919b11194f130d310dfe08bdce2891c5b64f2703107f53a5a1cbc016fdb609f`
SHA3	`ceca597fff3f436773eb9e48be245ce9d24439b9527a0d3aedaa1469e49d3f5c`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.0521`
MD5	`86ce219c337119fe35646823cb56d091`
SHA1	`74d3090f01f3128bda93a3a7525f139c495bffbd`
SHA256	`7ef5a24efde1748c0eb12c5817b14cfe1397ae968489a7824a269d02c8223cee`
SHA3	`8daaa7aab035df895cb478d3b92385d12aebd96c8bbde3a05a615ff56d41aebf`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.15081`
MD5	`58b7700e8f20d0a3c77021eb7e7019dc`
SHA1	`87f7668b96ab48bd6ba5c8b9968dbb024a028407`
SHA256	`c5536b396be6dcfc96f4e4f77cc7007b2a56730ee57598a6979cc1c1c71c920a`
SHA3	`13bb36cea0c569109ddca6560016003d3ce662f8e0bc189e9750019ccdc7bc72`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.39466`
MD5	`9de69c1c4b3a06597da9c275b38bffb6`
SHA1	`a4ed3bd1bb4edc0eaa187b68929f596906e9ee87`
SHA256	`ac2e25dc4a4f7bd96a0bcf3ea63cd1bcf26a6f6a05835e32f96ef99cb4323f30`
SHA3	`6ff197b54509b5c0fa643d6bdbc756cccec2b5bc8495c770883c021e833f7509`

0

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.81924`
Detected Filetype	Icon file
MD5	`cbee427fa121aba9b9b265ff05de5383`
SHA1	`24fcae33001c8e0f5ec795c6edf076a69d59589f`
SHA256	`494e4fd717fa1ee0c5c7bb3b4e28fdab4b7f6e95b4f9865f5ab86f03f62ae62c`
SHA3	`a3fa35d56632275ba55716a4964f02031270f61f06a903fc460ac2dd6bebde85`

101

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`cd3a631eace19041876b4c4c6ec8461a`
SHA1	`d4b3f99c4d648e3446dc05e7fb6e444e42dfed01`
SHA256	`f5b94a42f1c77c9eef858a0dfd656419fea900b00318c2c0bf49c2fce345d838`
SHA3	`b6dcbb1b4c262eb5aee12773a52c29ff20fef809a4e61822700d005457944b9f`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x409`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.29587`
MD5	`ec21a44aad336195c5612300b5399b2f`
SHA1	`84b9783f2e488b676510ff25568f66530bb0fb61`
SHA256	`3cb381fe97e96ef0149af85ed649cddda2d76935e2d1757135a40d14e7f46641`
SHA3	`32e805259a9a8106a54795d441d63fdf63b61c2fbbb71044a8670d40beae5773`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Jan-05 12:15:46
Version	`0.0`
SizeofData	`720`
AddressOfRawData	`0x2eb38`
PointerToRawData	`0x2dd38`

TLS Callbacks

Load Configuration

Size	`0x94`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140032010`

RICH Header

XOR Key	`0x6e58603c`
Unmarked objects	`0`
241 (40116)	`7`
243 (40116)	`171`
242 (40116)	`13`
ASM objects (VS2015 UPD3 build 24123)	`7`
C++ objects (VS2015 UPD3 build 24123)	`28`
C objects (VS2015 UPD3 build 24123)	`19`
Imports (65501)	`9`
Total imports	`117`
C objects (VS2015 UPD3 build 24210)	`17`
Resource objects (VS2015 UPD3 build 24210)	`1`
Linker (VS2015 UPD3 build 24210)	`1`

Errors

Leave a comment

No comments yet.