Manalyze report for 065d7b9160db3661a075fc5de399a8e1

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2007-Oct-29 08:14:12
Detected languages	Korean - Korea
CompanyName	WebZen
FileDescription	main
FileVersion	`1, 4, 10, 0`
InternalName	main
LegalCopyright	Copyright ⓒ 2002
OriginalFilename	main.exe
ProductName	WebZen mu main
ProductVersion	`1, 0, 0, 1`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig1(h)` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Info	Interesting strings found in the binary:	`Contains domain names: PCGameHacks.com connect.muchina.com connect.muonline.com connection.muonline.com cs.muonline.jp muchina.com muonline.com muonline.jp`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExA GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot FindWindowA` `Code injection capabilities (PowerLoader): GetWindowLongA FindWindowA` `Can access the registry: RegisterHotKey RegDeleteKeyA RegDeleteValueA RegEnumValueA RegOpenKeyExA RegSetValueExA RegCreateKeyExA RegQueryValueExA RegCloseKey` `Possibly launches other programs: WinExec CreateProcessA ShellExecuteA` `Uses Microsoft's cryptographic API: CryptGetHashParam CryptDeriveKey CryptDecrypt CryptImportKey CryptCreateHash CryptHashData CryptVerifySignatureA CryptDestroyHash CryptDestroyKey CryptReleaseContext CryptAcquireContextA` `Can create temporary files: GetTempPathA CreateFileA` `Uses functions commonly found in keyloggers: GetAsyncKeyState CallNextHookEx` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Leverages the raw socket API to access the Internet: gethostbyname WSAAsyncSelect setsockopt socket shutdown recv WSASend WSAStartup WSACleanup send WSAGetLastError inet_addr htons connect closesocket` `Manipulates other processes: Process32Next OpenProcess Process32First` `Can take screenshots: GetDC FindWindowA CreateCompatibleDC` `Reads the contents of the clipboard: GetClipboardData`
Malicious	VirusTotal score: 6/73 (Scanned on 2024-11-18 01:35:42)	`Bkav: W32.AIDetectMalware` `Cylance: Unsafe` `Gridinsoft: Trojan.Win32.Gen.vb!n` `McAfee: Artemis!065D7B9160DB` `Panda: PUP/FreeGames` `Webroot: W32.Malware.Gen`

Hashes

MD5	`065d7b9160db3661a075fc5de399a8e1`
SHA1	`d5f32bbdacfc81e27d6a97160f8c65263b7ccbb7`
SHA256	`fa6d2bce140d007326fbfb2cb83bea90f7675e6793a35e4d05cd60004edb4b96`
SHA3	`ad88b992368caf1670180fab405ceba8f32aa723fe1f8a5385af45ca6a29f61b`
SSDeep	`98304:kbCTNIrMhRhXf278g8VpW0TDw+a1meWDjDD2p/0sB+Hbo7m0r:VTNIrMhRlf27x8VpW0TDw+a1meWDjDD`
Imports Hash	`502fa097ecb49cd9b7030b7ab6135a3e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2007-Oct-29 08:14:12
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x355000`
SizeOfInitializedData	`0x36200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00355A90 (Section: .text)`
BaseOfCode	`0x400`
BaseOfData	`0x356400`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x799c000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`58618c250c55882565c12547858730c6`
SHA1	`d1b7b521ea242569ac571c769cdcd01900a49721`
SHA256	`26d7b2eefafacbf4623890cc43bd8b60c8648526d791185c42666017fdf382c1`
SHA3	`ad4720868c0d1ce24392312da2464609b16a83cebe36215017b74c9a450644aa`
VirtualSize	`0x354a6e`
VirtualAddress	`0x1000`
SizeOfRawData	`0x355000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.60375`

.rdata

MD5	`aea12e2560e37d6a872bd4ca137f3f66`
SHA1	`f85463013db1964de7de25d5b97e1b2e1c26585e`
SHA256	`28407a3213c104288256c317a2d05b9d4b760d222bc463c72f9701807074a0bd`
SHA3	`c1c486d083a13917918323901eb372852ce4ac2d3f91604ec0a9675a5e4232b8`
VirtualSize	`0x1453a`
VirtualAddress	`0x356000`
SizeOfRawData	`0x15000`
PointerToRawData	`0x355400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.97867`

.data

MD5	`6f8a923451040898eccf88b584ab798c`
SHA1	`55ce34521de3cc2c8771d38a05ebbf4172ad0d15`
SHA256	`9b0d1b2c98ab2b69f27d33bc901837454f4c5a07f4be80e4fd81d904a7a825af`
SHA3	`f898c4a6bfd1c1d8978e2bad3b0b0b767f00b67dc63e4f5f31da9312a607b1a2`
VirtualSize	`0x762de70`
VirtualAddress	`0x36b000`
SizeOfRawData	`0x1f000`
PointerToRawData	`0x36a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.53611`

.rsrc

MD5	`0807f2edbd9e0bbab50dabd0260681bb`
SHA1	`704122bea464845983a6104f63d93ff8a204cea2`
SHA256	`769896727cd02a6047caab7b218e80e83959b01765a0c7f77cd423c3b3db0a4c`
SHA3	`a0dece338700007b6838adb23f3bac18607b61c8e71ebdc250d46e402f0e008e`
VirtualSize	`0x2048`
VirtualAddress	`0x7999000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x389400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.99077`

Imports

IMM32.dll	`ImmGetIMEFileNameA` `ImmGetDefaultIMEWnd` `ImmGetCompositionStringA` `ImmGetCompositionWindow` `ImmGetDescriptionA` `ImmGetContext` `ImmGetOpenStatus` `ImmSetOpenStatus` `ImmGetConversionStatus` `ImmSetConversionStatus` `ImmReleaseContext` `ImmSetCompositionWindow`
DSOUND.dll	`#1` `#2`
OPENGL32.dll	`glColor4f` `glDisable` `glEnd` `glVertex2f` `glTexCoord2f` `glColor4ub` `glBegin` `glColor3f` `glTexImage2D` `glBindTexture` `glFlush` `glClear` `glPopMatrix` `glAlphaFunc` `glDepthFunc` `glTranslatef` `glRotatef` `glLoadIdentity` `glPushMatrix` `glMatrixMode` `glVertex3fv` `glColor3fv` `glFogf` `glFogfv` `glClearColor` `glVertex3f` `glDepthMask` `glPolygonMode` `glFrontFace` `glStencilFunc` `glColorMask` `glStencilOp` `glTexParameteri` `glTexEnvf` `glScalef` `glGetFloatv` `glReadPixels` `glBlendFunc` `glViewport` `glFogi` `wglDeleteContext` `wglMakeCurrent` `glGetString` `wglCreateContext` `glTexEnvi` `glGenTextures` `glGetIntegerv` `glDeleteTextures` `glEnable`
GLU32.dll	`gluPerspective` `gluOrtho2D`
WINMM.dll	`mmioAscend` `mmioOpenA` `mmioClose` `timeGetTime` `mmioDescend` `mmioRead` `timeGetDevCaps` `timeBeginPeriod` `mmioWrite` `timeEndPeriod`
KERNEL32.dll	`ReleaseMutex` `TerminateThread` `CreateThread` `OpenMutexA` `EnterCriticalSection` `LeaveCriticalSection` `lstrcatA` `OpenEventA` `GetComputerNameA` `lstrcmpA` `ExitProcess` `VirtualAlloc` `VirtualFree` `VirtualProtect` `LoadLibraryExA` `GetTempFileNameA` `GetTempPathA` `HeapFree` `GetProcessHeap` `HeapAlloc` `GetFileInformationByHandle` `FlushFileBuffers` `GetTickCount` `IsBadReadPtr` `lstrlenA` `GlobalUnlock` `GlobalLock` `OutputDebugStringA` `GetCurrentThreadId` `Sleep` `MoveFileA` `GetFileAttributesA` `CreateFileA` `GetCommandLineA` `CloseHandle` `ReadFile` `GetFileSize` `GetLastError` `GetPrivateProfileStringA` `GetCurrentDirectoryA` `DeleteFileA` `CopyFileA` `SetFileAttributesA` `Process32Next` `TerminateProcess` `OpenProcess` `Process32First` `CreateToolhelp32Snapshot` `WinExec` `FindClose` `FindFirstFileA` `CreateMutexA` `GetLocalTime` `GetModuleFileNameA` `DuplicateHandle` `WriteFile` `GetSystemDirectoryA` `lstrcmpiA` `GetVersionExA` `QueryPerformanceCounter` `SetProcessAffinityMask` `SetThreadPriority` `SetPriorityClass` `GetProcessAffinityMask` `GetThreadPriority` `GetPriorityClass` `GetCurrentThread` `GetCurrentProcess` `QueryPerformanceFrequency` `FreeLibrary` `GetProcAddress` `LoadLibraryA` `GlobalMemoryStatus` `SetConsoleMode` `GetStdHandle` `AllocConsole` `FreeConsole` `SetConsoleTitleA` `GetConsoleTitleA` `SetConsoleCursorPosition` `FillConsoleOutputAttribute` `FillConsoleOutputCharacterA` `GetConsoleScreenBufferInfo` `SetConsoleTextAttribute` `ReadConsoleOutputA` `GetCurrentProcessId` `WaitForSingleObject` `CreateEventA` `CreateProcessA` `WaitForMultipleObjects` `GetExitCodeProcess` `GetModuleHandleA` `ResetEvent` `ResumeThread` `SetEndOfFile` `DeleteCriticalSection` `InitializeCriticalSection` `SetEvent` `WideCharToMultiByte` `CreateFileMappingA` `UnmapViewOfFile` `MapViewOfFile` `FileTimeToLocalFileTime` `FileTimeToSystemTime` `GetFullPathNameA` `FindNextFileA` `RemoveDirectoryA` `CreateDirectoryA` `GetThreadContext` `lstrcpynA` `Module32First` `Module32Next` `SetUnhandledExceptionFilter` `GetACP` `GetOEMCP` `SetHandleCount` `GetFileType` `TlsGetValue` `GetEnvironmentVariableA` `HeapDestroy` `HeapCreate` `IsBadWritePtr` `IsValidLocale` `IsValidCodePage` `GetLocaleInfoA` `EnumSystemLocalesA` `GetUserDefaultLCID` `UnhandledExceptionFilter` `FreeEnvironmentStringsA` `FreeEnvironmentStringsW` `GetEnvironmentStrings` `GetEnvironmentStringsW` `GetStringTypeA` `GetStringTypeW` `IsBadCodePtr` `SetEnvironmentVariableA` `SetConsoleCtrlHandler` `GetLocaleInfoW` `SetStdHandle` `CreatePipe` `PeekNamedPipe` `lstrcpyA` `InterlockedExchange` `InterlockedDecrement` `InterlockedIncrement` `MultiByteToWideChar` `RtlUnwind` `RaiseException` `GetTimeZoneInformation` `GetSystemTime` `GetStartupInfoA` `GetVersion` `GetSystemTimeAsFileTime` `HeapReAlloc` `FatalAppExitA` `LCMapStringA` `LCMapStringW` `GetCPInfo` `CompareStringA` `CompareStringW` `HeapSize` `TlsSetValue` `TlsAlloc` `TlsFree` `SetLastError` `SetFilePointer`
USER32.dll	`ShowWindow` `GetDC` `SetWindowPos` `SetWindowTextA` `GetWindowTextA` `GetCaretPos` `GetWindowLongA` `SendMessageA` `CallWindowProcA` `OpenClipboard` `GetClipboardData` `IsWindowVisible` `SetWindowLongA` `DestroyWindow` `GetFocus` `SetRect` `GetActiveWindow` `GetCursorPos` `ScreenToClient` `GetDoubleClickTime` `PtInRect` `OffsetRect` `MessageBoxA` `PostMessageA` `GetAsyncKeyState` `GetScrollPos` `CreateWindowExA` `SetTimer` `IntersectRect` `GetDesktopWindow` `SetWindowsHookExA` `UnhookWindowsHookEx` `CallNextHookEx` `GetWindowRect` `RegisterHotKey` `UnregisterHotKey` `SetCursorPos` `FindWindowA` `ShowCursor` `ChangeDisplaySettingsA` `ReleaseDC` `SystemParametersInfoA` `ReleaseCapture` `SetCapture` `DefWindowProcA` `PostQuitMessage` `EndPaint` `BeginPaint` `KillTimer` `RegisterClassA` `LoadCursorA` `LoadIconA` `SetForegroundWindow` `GetSystemMetrics` `SetScrollPos` `SetFocus` `AdjustWindowRect` `IsIconic` `DispatchMessageA` `TranslateMessage` `GetMessageA` `PeekMessageA` `UpdateWindow` `EnumDisplaySettingsA` `GetKeyboardLayoutNameA` `GetKeyboardLayout` `wvsprintfA` `EnumChildWindows` `RemoveMenu` `DrawMenuBar` `GetSystemMenu` `GetClassNameA` `GetWindowThreadProcessId` `CloseClipboard` `wsprintfA`
GDI32.dll	`SwapBuffers` `GetStockObject` `SetPixelFormat` `ChoosePixelFormat` `SetBkColor` `CreateDIBSection` `SelectObject` `GetTextExtentPoint32A` `CreateFontA` `DeleteObject` `SetTextColor` `DeleteDC` `TextOutA` `CreateCompatibleDC` `GetTextExtentPointA`
ADVAPI32.dll	`SetSecurityDescriptorDacl` `CryptGetHashParam` `CryptDeriveKey` `CryptDecrypt` `CryptImportKey` `CryptCreateHash` `CryptHashData` `CryptVerifySignatureA` `CryptDestroyHash` `CryptDestroyKey` `CryptReleaseContext` `CryptAcquireContextA` `RegDeleteKeyA` `GetUserNameA` `RegDeleteValueA` `RegEnumValueA` `RegOpenKeyExA` `RegSetValueExA` `RegCreateKeyExA` `InitializeSecurityDescriptor` `RegQueryValueExA` `RegCloseKey`
SHELL32.dll	`ShellExecuteA`
ole32.dll	`CoUninitialize` `CoCreateInstance` `CoInitialize`
WS2_32.dll	`gethostbyname` `WSAAsyncSelect` `setsockopt` `socket` `shutdown` `recv` `WSASend` `WSAStartup` `WSACleanup` `send` `WSAGetLastError` `inet_addr` `htons` `connect` `closesocket`
VERSION.dll	`VerQueryValueA` `GetFileVersionInfoSizeA` `GetFileVersionInfoA`
wzAudio.dll	`wzAudioStop` `wzAudioPlay` `wzAudioGetStreamOffsetRange` `wzAudioDestroy` `wzAudioOption` `wzAudioCreate`

Delayed Imports

1

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.07176`
MD5	`46bd0e570128820855709b0ef7baedf1`
SHA1	`e3a00e970a62c66795522d5638fd07feb0ec9cee`
SHA256	`419f856569df391049fe54baa3eaba23333af684d468b3db54032b1ae99da84a`
SHA3	`273d3ff86bc30ad79810481368f1ef676f2541739920ac15a65e4afa13cde7c5`

2

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.70736`
MD5	`9326002520adbb64c0e22cfe4b56ef9f`
SHA1	`23fb80ddf56393ca578790aab88b93c089a06537`
SHA256	`e17119d66f71f8a055295d5f87c9c2cca081bbd83904fe01ab6bdc6381c6e191`
SHA3	`eb013a7517ae50bb603f8250befe6b486888245afa87edb5ce2cd7c5faf202db`

3

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.91116`
MD5	`5b3f8baf6ed52b5f2a5c88c5001736fa`
SHA1	`c9b4a610997f92be3f21c555f4b517308cac47c0`
SHA256	`ae3c6b324c9eaa11bde5b44c15c87968f088fec942f9b483b75741da8fce6813`
SHA3	`d7d179d7618467f6554a6a91a8d6c1966a8025551b1f1208fb792e72039b9bac`

4

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67625`
MD5	`8a36e0ba48ea6216c985b760e8601777`
SHA1	`79ed19e9df7265a95acdac0945fe4e887095c78e`
SHA256	`f8e4fc643d9f8874d5180c8f75795d3cdf10c5344390a42320d3a3f5bcc3e07d`
SHA3	`1bcb14873608eb156ee667c93b68e3328363931b0c9f75d27e4696081e6c14fb`

101

Type	`RT_GROUP_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.70237`
Detected Filetype	Icon file
MD5	`7a5323bc7bc1f8b5d24ac4563187979e`
SHA1	`0cf74ff14e9af6df11b035640c019fb5acd9f38f`
SHA256	`30318b36a5012a6a445f593ce7966ba1a0c19d9e74a8009c94903e019fd12a27`
SHA3	`21e12534926c86bf2785d56922f6e48dce8230252a7023bdf1f9549c5177b8ed`

1 (#2)

Type	`RT_VERSION`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x324`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.33637`
MD5	`9e66c993f37f4c7a10330cd2df533f71`
SHA1	`505058dbbbd832988cfb7497a1539c372d6bf098`
SHA256	`3c034db7fff9526b2ce5b21c9a241250e801009ca3c083f00db116be69c9dc5d`
SHA3	`60f09cced4bd4756d4aefbeffe89f71856a4769c1bc9725d88a10555af193628`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.4.10.0
ProductVersion	1.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Korean - Korea
CompanyName	WebZen
FileDescription	main
FileVersion (#2)	1, 4, 10, 0
InternalName	main
LegalCopyright	Copyright ⓒ 2002
OriginalFilename	main.exe
ProductName	WebZen mu main
ProductVersion (#2)	1, 0, 0, 1

Resource LangID	Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xc4c0f08b`
Unmarked objects	`0`
Linker (VC++ 6.0 SP5 imp/exp build 8447)	`2`
12 (7291)	`4`
14 (7299)	`44`
C++ objects (8047)	`24`
C objects (8047)	`184`
C++ objects (VS98 SP6 build 8804)	`17`
C objects (VS98 build 8168)	`44`
C++ objects (9178)	`1`
Imports (9210)	`2`
Total imports	`381`
19 (8034)	`25`
C++ objects (VC++ 6.0 SP5 build 8804)	`174`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[!] Error: Could not read PDB file information of invalid magic number.