Manalyze report for 0991065b2191e7715d96983983e3207d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2022-Mar-18 03:04:42
Detected languages	Chinese - PRC English - United States

Plugin Output

Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW`
Suspicious	VirusTotal score: 2/72 (Scanned on 2025-01-24 16:03:28)	`APEX: Malicious` `CrowdStrike: win/malicious_confidence_70% (W)`

Hashes

MD5	`0991065b2191e7715d96983983e3207d`
SHA1	`827093e196b9c3081002f17cee192e590bb96657`
SHA256	`0078f3f5cea79e68ff7eb526ad8a2151ef1a2e88904ff5038c5cdd82d1ca8b6c`
SHA3	`eaa50c11199550ceee6f72e17538127799f1c95d53bd1063d30925c9678513f0`
SSDeep	`3072:+J5fEmNK1AvXpr9+pWnReBs10a9qQQr0ngg2/:+J2mNK1AfL+pWL1Z+r8R2/`
Imports Hash	`22fb3dca347bf85f9603d221f94faa33`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x110`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2022-Mar-18 03:04:42
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x11400`
SizeOfInitializedData	`0x2f800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000002940 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x45000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`e22ea9f50c231a30608591e26f0889a8`
SHA1	`867b320740fb539198ac78cd76b8997474441383`
SHA256	`02e5e5c4064c7d563ed37681908227bc36ce3b1aefb6bb4912abce30227c51ab`
SHA3	`d2ef1eaa1662309977ac58e60de46e110958652538dd3abbfdd60b475dd2020b`
VirtualSize	`0x113b0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x11400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45237`

.rdata

MD5	`14dcc0f3dd27cc8b9a72d8b690ee4f75`
SHA1	`886ac7a1fc3fd177e42f079ec43dcc84b847199c`
SHA256	`66c51c802b60a2b1b174ebf3f564d503f612078fa7a311fe382159ad1da27992`
SHA3	`8a9d2ef27f697174f047c9ebbef836b33d1f8d5f8c079f7f582ba5265743720c`
VirtualSize	`0x9e74`
VirtualAddress	`0x13000`
SizeOfRawData	`0xa000`
PointerToRawData	`0x11800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.6345`

.data

MD5	`4516d53475a220e68e35a98685ecdd90`
SHA1	`57eca52b10fe178499fc09fc332d58a65637bbaf`
SHA256	`ea19e891fa8eec26c3f674f2f88086fa4e54d4518d0a8cb9eec8f7c1f4ba2eb5`
SHA3	`49b6183ebf97ef4f8fe1b455809992c6a92333cec0e591627414f4a9f6c844a9`
VirtualSize	`0x1cf0`
VirtualAddress	`0x1d000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x1b800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.23279`

.pdata

MD5	`dac6cf3388692f6761e85ab103a169a4`
SHA1	`9937c7ba6b5b9549c65eea223d815d94a8b2d737`
SHA256	`b425d137070134a98bc8ecbd2f3c23892e4f87d0d35e556480674cb9d386ab56`
SHA3	`2529ea938d5c3a0966dac7dffbf5337c98c2fd45447cff8eeeeeb3e82dc40bae`
VirtualSize	`0x1248`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x1c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.66596`

_RDATA

MD5	`6c2142a6a321a1d6227e28e1245aec2c`
SHA1	`18cdf4393043e59f361db539e5fdcc7d4945fc04`
SHA256	`d1f2e0a16b2cd16493dc3c151f14af18497ce5179cc9b5cac2fb4f01be65bc61`
SHA3	`e8e0797f3b23bb33ff5185d86714ff7ddf68ed4b5e23517e106dbdbffd1062fa`
VirtualSize	`0xfc`
VirtualAddress	`0x21000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1d800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.98717`

.rsrc

MD5	`6961a6c966f69342282084f4458c2aa7`
SHA1	`ad4fdd5ddc98c5e985dd7db4ff309be11af985df`
SHA256	`ae4f8b75550a7a580dacf3c13321115a472053b91724baba990f77c7170ffe0e`
SHA3	`8e3d5ed6d7e23c69d4a65a9a2c4b1fe53c863b3cfa2f1b67ec21b3757162121f`
VirtualSize	`0x21b18`
VirtualAddress	`0x22000`
SizeOfRawData	`0x21c00`
PointerToRawData	`0x1da00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.66526`

.reloc

MD5	`c4c2a6e3fac80136e90c4fe88d07d7ed`
SHA1	`9d3d6a425afa32b8651bd149d69a8c7b036c7920`
SHA256	`bfc5f451352203a8ec99d3b8636922c5830008b111e27575fb133e6a2d0a0b35`
SHA3	`233d45336bc94ba44480a3f3bb8fb74f00b962dface81e4b76ef8036d27f3150`
VirtualSize	`0x678`
VirtualAddress	`0x44000`
SizeOfRawData	`0x800`
PointerToRawData	`0x3f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.92408`

Imports

KERNEL32.dll	`GetModuleFileNameW` `FormatMessageW` `GetLastError` `CloseHandle` `CreateProcessW` `GetModuleHandleW` `WriteConsoleW` `CreateFileW` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `RtlUnwindEx` `RtlPcToFileHeader` `RaiseException` `SetLastError` `EncodePointer` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapAlloc` `HeapFree` `FindClose` `FindFirstFileExW` `FindNextFileW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `MultiByteToWideChar` `WideCharToMultiByte` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetStdHandle` `GetFileType` `GetStringTypeW` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `LCMapStringW` `GetProcessHeap` `HeapSize` `HeapReAlloc` `FlushFileBuffers` `GetConsoleOutputCP` `GetConsoleMode` `SetFilePointerEx`
USER32.dll	`MessageBoxW`

Delayed Imports

1

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x3510`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.96015`
Detected Filetype	PNG graphic file
MD5	`e57766d522c3d8c76db969c6917a86f9`
SHA1	`f1e4f32fb8dff285d0ec4a556b602e8c4ac24484`
SHA256	`c1967dabee33f094935e3d68156a35084a1ff1641bcffd9904d16edb9a901510`
SHA3	`2b55e2c49cdabf30d4c1ced830117ef41c22d3305bdd61f0744c470cc5100ca1`

2

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.75423`
MD5	`08948752c96c1a5f45dea823615400b9`
SHA1	`51f402fcad8d33ca2eb99db2747b30a7feff91c1`
SHA256	`0aed71f0d654c821fa3b724844624d517da8af2c6cf655c274d5fa83d42939c0`
SHA3	`d0928334ddee5383941936e71662770d728507043d064b7e119e8abf3f5ff32a`

3

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.93908`
MD5	`15808cf45596ccd6133abdd0ec5b612c`
SHA1	`9bd7a3f2a0bb7c8f865f494bcdd089962d6a11d9`
SHA256	`342b9c18f4291ed9f251f650f24917acb82fe8ab54f82976c503cd9fe1dd899c`
SHA3	`7f3b8d6e28caadcbefe1c7c9c32a97c75ba0b4c81ef62a7f5eb86dcc8d61ba55`

4

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.60187`
MD5	`537fc148f04f9e21d83162b51e5cb47a`
SHA1	`181211551b2f8b1a36c9fac6b1786f16981b4c56`
SHA256	`15f74a6b587e3a334695d107e1c22043a82bc27b8e2d66255c896b817d4332c1`
SHA3	`2e83ea869ad5dbee05462360dde4953b04c61d74d79843aa3523c35d793f5c3a`

5

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.07282`
MD5	`768656e4fdb5e2aa2b24edd69d88b3bd`
SHA1	`69d1b9d258ad85a1acd034277f088855d5dd1ac4`
SHA256	`0a4b31f694688cd2d3ec1c988a3ad7045a9cfa437c177fa5baf3b3f135353fb8`
SHA3	`e9272bc5c8cf32ccf5de06efa42f58ddb608182d5c40808e065df27ccd54ee8d`

6

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.44048`
MD5	`0fed35d36e61a60e7e21910aefedf13d`
SHA1	`d6499d58649331acb114833afed69ff55c21cc46`
SHA256	`af92db18f5f03521395ec0c7d59a478a1f99f21b908755c59b98ba1649dc6907`
SHA3	`517ae3c9422157d88122aa1f32765b63d0d970264a9b63e23cfbe969c096f174`

7

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.94554`
MD5	`baf6be44a734c85ddee3a91e3c208286`
SHA1	`a741371f4bdb75e76bd5819b437d909696f767f1`
SHA256	`4b21a359b4e73c4fe5256e6f621d1643afa9936995cd77fbdb8955ee2f6f4914`
SHA3	`901f2329f2592c4e4eba4db8d40b43bd41aa99145cd30c167de62a7f78619022`

101

Type	`RT_GROUP_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88056`
Detected Filetype	Icon file
MD5	`3ffb5158e5b1b248f903a4f149310795`
SHA1	`5884cdc9bee7c5ce1f5cad5662b4b3dbcd597eeb`
SHA256	`85a263cd025f0c72210202a6865d0b04cac29610598c45884452ea468d69d026`
SHA3	`43189f44b1386a2bb1886e5381e2130ad9c6eaf8f067a9f141829b78d808fec8`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x27e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.06467`
MD5	`d875a3e09bd74a8f760449a19a351827`
SHA1	`870df3cd183e92816fb4f92427cafa686f946a33`
SHA256	`a148bb733a7a6233501d6e615bcd37bedb995c29670798088e6c9c325b4429c8`
SHA3	`782f36c3fdf8521b0f1ebd9c721ce82161d3bd77c965734f3fd2714a3113db23`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2022-Mar-18 03:04:42
Version	`0.0`
SizeofData	`796`
AddressOfRawData	`0x1b01c`
PointerToRawData	`0x1981c`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2022-Mar-18 03:04:42
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14001d008`

RICH Header

XOR Key	`0x229e3ca5`
Unmarked objects	`0`
ASM objects (28900)	`5`
C++ objects (28900)	`138`
C objects (28900)	`10`
C objects (30034)	`16`
ASM objects (30034)	`9`
C++ objects (30034)	`45`
Imports (28900)	`5`
Total imports	`91`
C++ objects (LTCG) (VS2019 Update 11 (16.11.6-7) compiler 30137)	`1`
Resource objects (VS2019 Update 11 (16.11.6-7) compiler 30137)	`1`
151	`1`
Linker (VS2019 Update 11 (16.11.6-7) compiler 30137)	`1`

0991065b2191e7715d96983983e3207d

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

_RDATA

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

7

101

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors