Manalyze report for 0ac1fd602f5ec2d2231fe311777791e8

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Sep-17 02:57:05
Detected languages	Chinese - PRC English - United States
Debug artifacts	D:\Devops\agent\workspace\p-111758179e0043a5b011650a32a71ea0\src\TGBDownloader\Output\TGBDownloader\Release\TGBDownloader.pdb
CompanyName	Tencent
FileDescription	Tencent Game Downloader
FileVersion	`1, 0, 0, 1`
InternalName	TGBDownloader.exe
LegalCopyright	Copyright ? 2020 Tencent. All Rights Reserved.
OriginalFilename	TGBDownloader.exe
ProductName	Tencent Game Downloader
ProductVersion	`1, 0, 0, 1`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 6.0 DLL` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: qqpctray.exe` `May have dropper capabilities: %ALLUSERSPROFILE%` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: 2010-aia.verisign.com 2010-crl.verisign.com 3g.qq.com aia.verisign.com aia.ws.symantec.com crl.thawte.com crl.verisign.com crl.ws.symantec.com csc3-2010-aia.verisign.com csc3-2010-crl.verisign.com desktop.qq.com etl.desktop.qq.com eve.mdt.qq.com gameloop.com http://crl.thawte.com http://crl.thawte.com/ThawteTimestampingCA.crl0 http://crl.verisign.com http://crl.verisign.com/pca3-g5.crl04 http://csc3-2010-aia.verisign.com http://csc3-2010-aia.verisign.com/CSC3-2010.cer0 http://csc3-2010-crl.verisign.com http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D http://logo.verisign.com http://logo.verisign.com/vslogo.gif04 http://ocsp.thawte.com0 http://ocsp.verisign.com0 http://ts-aia.ws.symantec.com http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 http://ts-crl.ws.symantec.com http://ts-crl.ws.symantec.com/tss-ca-g2.crl0 http://ts-ocsp.ws.symantec.com07 http://www.openssl.org http://www.openssl.org/support/faq.html https://sy.gameloop.fun https://sy.gameloop.fun/report/clientreport?retflag https://syzs.qq.com https://syzs.qq.com/ https://unifiedaccess.gameloop.com https://unifiedaccess.gameloop.com/syzsclient/update/clientupdate https://unifiedaccess.gameloop.com/v2/gameloopoperate_trpc https://www.verisign.com https://www.verisign.com/cps0 https://www.verisign.com/rpa https://www.verisign.com/rpa0 https://yybadaccess.3g.qq.com https://yybadaccess.3g.qq.com/syzsclient/update/clientupdate https://yybadaccess.3g.qq.com/v2/syzsoperate_trpc logo.verisign.com master.etl.desktop.qq.com mdt.qq.com openssl.org oth.eve.mdt.qq.com symantec.com syzs.qq.com thawte.com ts-aia.ws.symantec.com ts-crl.ws.symantec.com unifiedaccess.gameloop.com verisign.com ws.symantec.com www.openssl.org www.verisign.com yybadaccess.3g.qq.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .QMGuid`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryExW LoadLibraryW GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegOpenKeyExA RegDeleteKeyW RegCreateKeyExW RegEnumKeyExW RegSetValueExW RegQueryValueExW RegOpenKeyExW RegCloseKey RegQueryValueExA` `Uses Microsoft's cryptographic API: CryptAcquireContextW CryptReleaseContext CryptGenRandom` `Can create temporary files: GetTempPathW CreateFileA GetTempPathA CreateFileW` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Has Internet access capabilities: WinHttpReceiveResponse WinHttpWriteData WinHttpSetOption WinHttpSendRequest WinHttpQueryHeaders WinHttpGetIEProxyConfigForCurrentUser WinHttpAddRequestHeaders WinHttpOpenRequest WinHttpConnect WinHttpCrackUrl WinHttpQueryDataAvailable WinHttpReadData WinHttpGetProxyForUrl WinHttpSetTimeouts WinHttpCloseHandle WinHttpOpen` `Leverages the raw socket API to access the Internet: htons WSAStartup WSAGetLastError WSACleanup gethostbyname closesocket setsockopt ioctlsocket __WSAFDIsSet select shutdown connect recv send htonl ntohl socket` `Enumerates local disk drives: GetDriveTypeW` `Manipulates other processes: OpenProcess` `Can take screenshots: GetDC BitBlt CreateCompatibleDC`
Malicious	The PE is possibly a dropper.	`Resource 136 detected as a PE Executable.`
Malicious	VirusTotal score: 6/71 (Scanned on 2024-04-07 15:08:22)	`Bkav: W32.AIDetectMalware` `DeepInstinct: MALICIOUS` `ESET-NOD32: a variant of Win32/Tencent.X potentially unwanted` `Gridinsoft: PUP.Win32.Tencent.cl` `VBA32: Riskware.Tencent` `Xcitium: ApplicUnwnt@#24mn2cl07bo9k`

Hashes

MD5	`0ac1fd602f5ec2d2231fe311777791e8`
SHA1	`52ca6ccd121faf4f3aad9e7760ee1a519b323d83`
SHA256	`bb68113cfaba1def162b8a0df4b1d41b83ea34ce4fd5b23e0a0b75b259b62bfc`
SHA3	`a640a486f2b8e74715f29535e0774cc9cb72bb0a33d9ee0586fe689044dc2610`
SSDeep	`49152:808OhxtUg9OUi82w6aQp9dgS1GUL38XhCOYc3iJXe9emEPGKOPkQThMYRMnm7LBg:808vdsGaQNgS1C6e6ngKpqM`
Imports Hash	`0e2b0c48d5c7e0af756a1d45ad1efe66`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x130`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	2021-Sep-17 02:57:05
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x27be00`
SizeOfInitializedData	`0x127c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00220BE4 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x27d000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x3a9000`
SizeOfHeaders	`0x400`
Checksum	`0x3a7263`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`2bd24d366544b5191c8d3852ea95a081`
SHA1	`aa5633afe4d48e052502652fb0548ea02245f7f4`
SHA256	`11fbed91def287b08718a2afb4f8870bb6dd07600ef22483f95a9496f362d55a`
SHA3	`0f118a24b3d70718ee48e55ff8346db7a3d98ab9a2044b53dfb87f9683ccf593`
VirtualSize	`0x27bc4a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x27be00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.70671`

.rdata

MD5	`d927738a1adb744e5a2944b0b2ea4b18`
SHA1	`79be49fdc296e335974f5b58c7553f0be14586fa`
SHA256	`0b86a384fee9ec7b5294eb075e4f98cf62b50f5dc247b1efcd7187ebc49f5e98`
SHA3	`9e16176e3c5eb0a3bdc7ab523accb8bf8f5577152a469f539d7a56da9be8ae3c`
VirtualSize	`0x84486`
VirtualAddress	`0x27d000`
SizeOfRawData	`0x84600`
PointerToRawData	`0x27c200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.4355`

.data

MD5	`0330018292c674234c21b81a173aa699`
SHA1	`9507f889bee63ee2f1a49a1064c8d3361dee3c4e`
SHA256	`692497137c4b767405b7cc53b19a1c2ac290bb1f673fffa37c7b319d0ff0c94a`
SHA3	`0f0cae806224895651a06297f3da1f9c6d8f71ff9f4cb18ccf3b8ffc9fac1fdc`
VirtualSize	`0x149d4`
VirtualAddress	`0x302000`
SizeOfRawData	`0x10200`
PointerToRawData	`0x300800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.13707`

.gfids

MD5	`a0ed665c78bf78565665339dbadff427`
SHA1	`4e24ea772747663603cd34211283cabd67b403ab`
SHA256	`da016bd71c2b1089276ed7f748e8c4d29d3b705a24cda09deb8eb0cf780b11f1`
SHA3	`1327ff36d0a6fd1ae46c6798484529f721dd1a82efa34e9d6da8a085746852e6`
VirtualSize	`0x1108`
VirtualAddress	`0x317000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x310a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.98895`

.tls

MD5	`1f354d76203061bfdd5a53dae48d5435`
SHA1	`aa0d33a0c854e073439067876e932688b65cb6a9`
SHA256	`4c6474903705cb450bb6434c29e8854f17d8324efca1fdb9ee9008599060883a`
SHA3	`991fbbd46bbd69198269fe6c247d440e0f8a7d38259b7a1e04b74790301d1d2b`
VirtualSize	`0x9`
VirtualAddress	`0x319000`
SizeOfRawData	`0x200`
PointerToRawData	`0x311c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.QMGuid

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x14`
VirtualAddress	`0x31a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x311e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_SHARED` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`491e51d60f59c3a97d4821955c4f2e50`
SHA1	`6ed2d21f9d6174085d3bbfb47f4978b03099fbed`
SHA256	`e3b903499fe5f330f240578cc09834ab1ae7189fef1ae985f320e0b3746f99e1`
SHA3	`38c7dc61dc7933df4864179e84451cb69c1feadd16e04f2e07922757184e3cb2`
VirtualSize	`0x6ffc8`
VirtualAddress	`0x31b000`
SizeOfRawData	`0x70000`
PointerToRawData	`0x312000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.79013`

.reloc

MD5	`6b73cec0e79cf9dc9f83d95989159a57`
SHA1	`58b2b613141ddfd44bf7faa9e2a6cb62f585cf78`
SHA256	`83faf1c7c204bc85846f4dd9df6af89676c3a470f37ddd998648a9462a05b93d`
SHA3	`bcccbebe5b59f1dd50565acdfac1fee2157e7d5094b3e103c21be0f0101e26fb`
VirtualSize	`0x1d480`
VirtualAddress	`0x38b000`
SizeOfRawData	`0x1d600`
PointerToRawData	`0x382000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.59191`

Imports

PSAPI.DLL	`GetModuleFileNameExA`
WS2_32.dll	`htons` `WSAStartup` `WSAGetLastError` `WSACleanup` `gethostbyname` `closesocket` `setsockopt` `ioctlsocket` `__WSAFDIsSet` `select` `shutdown` `connect` `recv` `send` `htonl` `ntohl` `socket`
KERNEL32.dll	`UnmapViewOfFile` `EnterCriticalSection` `LeaveCriticalSection` `DuplicateHandle` `SetErrorMode` `TerminateProcess` `RaiseException` `GetFileTime` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `GetTempPathW` `GetFileAttributesW` `GetFileSizeEx` `TerminateThread` `FreeResource` `GetUserDefaultUILanguage` `DecodePointer` `ProcessIdToSessionId` `OpenMutexW` `CreateMutexW` `GetLogicalDrives` `GetDriveTypeW` `DeviceIoControl` `FindFirstFileW` `RemoveDirectoryW` `MoveFileExW` `FindNextFileW` `FindClose` `GetExitCodeProcess` `IsDBCSLeadByte` `GetFullPathNameW` `SetEndOfFile` `SetFilePointerEx` `CopyFileW` `CreateFileA` `SwitchToThread` `CreateDirectoryA` `GetPrivateProfileIntA` `GetPrivateProfileStringA` `GetVersionExW` `LoadLibraryA` `GetSystemDefaultLangID` `OpenProcess` `SleepEx` `CreateMutexA` `AreFileApisANSI` `TryEnterCriticalSection` `HeapCreate` `GetDiskFreeSpaceW` `OutputDebugStringA` `LockFile` `GetFullPathNameA` `UnlockFileEx` `HeapValidate` `GetTempPathA` `FormatMessageW` `GetDiskFreeSpaceA` `GetFileAttributesA` `FlushViewOfFile` `WaitForSingleObjectEx` `GetVersionExA` `DeleteFileA` `HeapCompact` `UnlockFile` `CreateFileMappingA` `LocalFree` `LockFileEx` `SystemTimeToFileTime` `GetSystemTimeAsFileTime` `GetSystemTime` `FormatMessageA` `QueryPerformanceCounter` `FlushFileBuffers` `GetStdHandle` `GetFileType` `GetModuleHandleA` `GlobalMemoryStatus` `FlushConsoleInputBuffer` `MulDiv` `GetACP` `lstrlenW` `GlobalUnlock` `ExitProcess` `VerifyVersionInfoW` `VerSetConditionMask` `CreateDirectoryW` `MapViewOfFile` `LocalFileTimeToFileTime` `GlobalAlloc` `lstrcpyW` `lstrcmpiW` `IsValidCodePage` `SetStdHandle` `GetTimeZoneInformation` `EnumSystemLocalesW` `GetUserDefaultLCID` `IsValidLocale` `GetTimeFormatW` `GetDateFormatW` `GetConsoleCP` `ReadConsoleW` `SetEnvironmentVariableA` `SetConsoleMode` `ReadConsoleInputA` `GetConsoleMode` `SetConsoleCtrlHandler` `GetModuleHandleExW` `ExitThread` `FileTimeToSystemTime` `SystemTimeToTzSpecificLocalTime` `PeekNamedPipe` `RtlUnwind` `UnregisterWaitEx` `QueryDepthSList` `InterlockedFlushSList` `InterlockedPushEntrySList` `InterlockedPopEntrySList` `ReleaseSemaphore` `VirtualProtect` `VirtualFree` `VirtualAlloc` `LoadLibraryExW` `FreeLibraryAndExitThread` `GetThreadTimes` `UnregisterWait` `RegisterWaitForSingleObject` `SetThreadAffinityMask` `GetProcessAffinityMask` `GetNumaHighestNodeNumber` `DeleteTimerQueueTimer` `ChangeTimerQueueTimer` `CreateTimerQueueTimer` `GetLogicalProcessorInformation` `GetThreadPriority` `SetThreadPriority` `CreateThread` `SignalObjectAndWait` `CreateTimerQueue` `InitializeSListHead` `GetStartupInfoW` `IsProcessorFeaturePresent` `UnhandledExceptionFilter` `ResetEvent` `IsDebuggerPresent` `LCMapStringW` `CompareStringW` `GetCPInfo` `TlsFree` `TlsSetValue` `TlsGetValue` `TlsAlloc` `SetLastError` `QueryPerformanceFrequency` `FindFirstFileExW` `GetNativeSystemInfo` `GetExitCodeThread` `GetCurrentThread` `GetStringTypeW` `EncodePointer` `SetUnhandledExceptionFilter` `InitializeCriticalSection` `GetCurrentProcessId` `GetModuleFileNameA` `GetSystemDirectoryW` `CreateFileMappingW` `GetEnvironmentVariableW` `GetLocaleInfoW` `GetPrivateProfileSectionW` `GetPrivateProfileIntW` `GetPrivateProfileStringW` `GetCommandLineW` `GetSystemInfo` `GetDiskFreeSpaceExW` `GlobalMemoryStatusEx` `OutputDebugStringW` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `LoadLibraryW` `FreeLibrary` `InterlockedExchangeAdd` `GetTickCount` `GetFileAttributesExW` `GetLocalTime` `GetModuleFileNameW` `InterlockedDecrement` `InterlockedIncrement` `MoveFileW` `DeleteFileW` `SetFilePointer` `SetEvent` `WaitForSingleObject` `CreateEventW` `FindResourceExW` `FindResourceW` `LoadResource` `LockResource` `SizeofResource` `WideCharToMultiByte` `Sleep` `InterlockedExchange` `InterlockedCompareExchange` `GetProcessHeap` `HeapAlloc` `HeapFree` `HeapReAlloc` `HeapSize` `HeapDestroy` `GetCurrentThreadId` `GlobalFree` `MultiByteToWideChar` `GetCurrentProcess` `GetFileSize` `WriteFile` `ReadFile` `GetLastError` `GetModuleHandleW` `GetProcAddress` `CreateFileW` `CloseHandle` `GetOEMCP` `GetCommandLineA` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `WriteConsoleW` `GlobalLock`
USER32.dll	`wsprintfW` `EnumDisplayDevicesW` `GetDC` `MonitorFromWindow` `GetMonitorInfoW` `ReleaseDC` `DestroyWindow` `DefWindowProcW` `GetSystemMetrics` `MessageBoxW` `InvalidateRgn` `GetWindowTextW` `GetWindowTextLengthW` `SetWindowTextW` `IsWindowEnabled` `InvalidateRect` `IsWindow` `GetProcessWindowStation` `GetUserObjectInformationW` `MessageBoxA` `IsRectEmpty` `IntersectRect` `PtInRect` `SetCursor` `LoadCursorW` `CharNextW` `CreateAcceleratorTableW` `InflateRect` `UnionRect` `SendMessageW` `GetWindowRect` `ScreenToClient` `GetKeyState` `GetClientRect` `SetWindowPos` `GetWindowLongW` `SetWindowLongW` `IsIconic` `GetActiveWindow` `GetWindow` `SetFocus` `BeginPaint` `EndPaint` `GetUpdateRect` `IsWindowVisible` `MapWindowPoints` `CreateWindowExW` `GetCursorPos` `ReleaseCapture` `GetSysColor` `GetMessageW` `DestroyMenu` `TrackPopupMenu` `EnableMenuItem` `AppendMenuW` `TranslateMessage` `DispatchMessageW` `IsZoomed` `PostMessageW` `GetFocus` `SetTimer` `KillTimer` `SetCapture` `GetParent` `LoadImageW` `SetWindowRgn` `ShowWindow` `EnableWindow` `PostQuitMessage` `RegisterClassW` `GetClassInfoExW` `RegisterClassExW` `GetGUIThreadInfo` `SetForegroundWindow` `MapVirtualKeyExW` `GetKeyboardLayout` `OffsetRect` `CallWindowProcW` `SetPropW` `CreatePopupMenu` `GetCaretBlinkTime` `ClientToScreen` `SetCaretPos` `GetCaretPos` `GetKeyNameTextW` `GetPropW` `HideCaret` `ShowCaret` `CreateCaret` `GetWindowRgn` `UpdateLayeredWindow` `EqualRect` `FillRect` `DrawTextW` `SetRect` `CharPrevW` `MoveWindow`
GDI32.dll	`CreateRectRgnIndirect` `GetClipBox` `SelectClipRgn` `CreateRoundRectRgn` `PlayEnhMetaFile` `GetEnhMetaFileHeader` `CreateDIBitmap` `AddFontMemResourceEx` `GetTextMetricsW` `CloseEnhMetaFile` `CreateEnhMetaFileW` `SetWindowOrgEx` `Rectangle` `RestoreDC` `BitBlt` `SaveDC` `StretchBlt` `CreateCompatibleDC` `DeleteDC` `ExtSelectClipRgn` `CreatePen` `CreateFontIndirectW` `GetStockObject` `GetObjectW` `GetObjectA` `DeleteObject` `CreateCompatibleBitmap` `GetDeviceCaps` `SetStretchBltMode` `CreatePatternBrush` `CreateSolidBrush` `CreatePenIndirect` `MoveToEx` `LineTo` `RoundRect` `GetBitmapBits` `SetBitmapBits` `CombineRgn` `RemoveFontMemResourceEx` `CreateDIBSection` `SetBkMode` `SetTextColor` `SetBkColor` `GetCharABCWidthsW` `GetTextExtentPoint32W` `TextOutW` `GdiFlush` `CreateRectRgn` `SelectObject` `PtInRegion`
ADVAPI32.dll	`CryptAcquireContextW` `RegOpenKeyExA` `RegDeleteKeyW` `RegCreateKeyExW` `RegEnumKeyExW` `RegSetValueExW` `RegQueryValueExW` `RegOpenKeyExW` `RegCloseKey` `ReportEventA` `RegisterEventSourceA` `DeregisterEventSource` `CryptReleaseContext` `CryptGenRandom` `RegQueryValueExA`
SHELL32.dll	`SHBrowseForFolderW` `DragQueryFileW` `SHGetFolderPathA` `#165` `ShellExecuteExW` `SHGetSpecialFolderPathW` `SHCreateDirectoryExW` `CommandLineToArgvW` `SHGetPathFromIDListW` `SHChangeNotify`
ole32.dll	`RegisterDragDrop` `DoDragDrop` `OleDuplicateData` `CoInitialize` `CoCreateInstance` `CoUninitialize` `CoInitializeEx` `CoTaskMemFree` `CoCreateGuid` `ReleaseStgMedium` `OleLockRunning` `CLSIDFromString` `CLSIDFromProgID` `CreateStreamOnHGlobal`
COMCTL32.dll	`#17` `_TrackMouseEvent`
gdiplus.dll	`GdipSetStringFormatLineAlign` `GdipSetStringFormatAlign` `GdipSetStringFormatFlags` `GdipSetStringFormatTrimming` `GdipDeleteStringFormat` `GdipTranslateWorldTransform` `GdipCloneStringFormat` `GdipSetInterpolationMode` `GdipSetSmoothingMode` `GdipSetTextRenderingHint` `GdipDeleteFont` `GdipCreateFontFromLogfontA` `GdipCreateFontFromDC` `GdipDrawRectangleI` `GdipSetPenMode` `GdipMeasureString` `GdipCreatePen1` `GdipFillRectangleI` `GdipDeleteBrush` `GdipCreateSolidFill` `GdipDeleteGraphics` `GdipCreateFromHDC` `GdipDisposeImage` `GdipCloneImage` `GdipAlloc` `GdipFree` `GdipLoadImageFromStream` `GdiplusShutdown` `GdiplusStartup` `GdipDeletePen` `GdipDrawString` `GdipDrawImageRectI` `GdipRotateWorldTransform` `GdipStringFormatGetGenericTypographic`
IMM32.dll	`ImmGetContext` `ImmReleaseContext` `ImmSetCompositionWindow`
WINHTTP.dll	`WinHttpReceiveResponse` `WinHttpWriteData` `WinHttpSetOption` `WinHttpSendRequest` `WinHttpQueryHeaders` `WinHttpGetIEProxyConfigForCurrentUser` `WinHttpAddRequestHeaders` `WinHttpOpenRequest` `WinHttpConnect` `WinHttpCrackUrl` `WinHttpQueryDataAvailable` `WinHttpReadData` `WinHttpGetProxyForUrl` `WinHttpSetTimeouts` `WinHttpCloseHandle` `WinHttpOpen`
SHLWAPI.dll	`PathFileExistsW` `PathRemoveFileSpecW` `PathAddBackslashW` `PathRemoveFileSpecA` `PathIsDirectoryW`
d3d9.dll	`Direct3DCreate9`
VERSION.dll	`GetFileVersionInfoSizeW` `VerQueryValueW` `GetFileVersionInfoW`
NETAPI32.dll	`Netbios`

Delayed Imports

135

Type	`CUSTOM`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x25be`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.642`
Detected Filetype	Icon file
MD5	`82a912296f732ac6b39d1efa3d5ff8ba`
SHA1	`0d3cbe0d2dbc7e514c145fb937e72f844bf3af1d`
SHA256	`acd8b47de7e51f1fccda489d9615290a18b083736c9dd4a7bbd00a14dd998ce0`
SHA3	`527ba14f2a1ae24f909ecd98ecd96bd71ba837aa4f0f8d38da5607567a7b4def`

136

Type	`CUSTOM`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x12988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.81636`
Detected Filetype	PE Executable
MD5	`2814acbd607ba47bdbcdf6ac3076ee95`
SHA1	`50ab892071bed2bb2365ca1d4bf5594e71c6b13b`
SHA256	`5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67`
SHA3	`26df29fea3fd9b53c4f7da049e993e915aeff5e78a7dcb91eac6d6382d4edd57`

133

Type	`ZIPRES`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x581a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99533`
Detected Filetype	Zip Compressed Archive
MD5	`f7d93da7377ac108c692d7d1f37280bf`
SHA1	`11a639a509555a5f00d9014a60ca7eee95a2d854`
SHA256	`61c6e24ff9b3473efaad0c380c319280e8696574abbfc65695824d35db269d30`
SHA3	`b2b182e93f40184599352b60378bdb9fc7b750dc9243067181d3655c0308d7dd`

1

Type	`RT_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.64298`
MD5	`3ccce0bfad1f21645d8f369bce651803`
SHA1	`a1ba4d5577d3b040efb3e9b5e17ae943e5b7e465`
SHA256	`4020373595980f804ccc0f57642141c2abe6e03c3af8f5a6cc5e880f038ad835`
SHA3	`fc895b337f7d4ee9e8cb8231ca62224c0a6813e378e9782213c5a0d06e2e50d7`

109

Type	`RT_MENU`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x50`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.24529`
MD5	`3768d661f1606dafe0bbd6dbcbb1aa50`
SHA1	`250a2f56a3becde33eceeb3ef69a502fc3bdfcca`
SHA256	`8f0d417b64215ec2f33379d29e91fbdcd15cd710652ef28e0478c7f4be0a030c`
SHA3	`e3cf07897350f1c39ad0376f00125782ae1786e1592554044d93e4f679f73935`

7

Type	`RT_STRING`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x54`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.32128`
MD5	`4d190c39e520b0dbd1fc5af1025ecc8a`
SHA1	`755ad01b0b2e62a133f7f38b64101d9fb827300c`
SHA256	`d2be6d518e0d0a48cdf2e2371338a253f89612a6afecbb2a78278bcfa8f590c5`
SHA3	`9f61c2bad2b204373c7bc2c5293329cd7a75f18361edecd276cac32cfce73fc9`

107

Type	`RT_GROUP_ICON`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`6da8e7d5ae1d5d15e0230a67a7c16c6d`
SHA1	`678db52cbe5d617c33c6269bfd4b6d8d1a17f956`
SHA256	`6eb54801f91b6d8effccbfaefe6b2d7705a274a75940e6226e24e0d4ec58c396`
SHA3	`994fc217c7b8bc8008ac262ff58044403206de6eceafd424d4640ecad395eb2f`

1 (#2)

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x33c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.38023`
MD5	`6a21618faec96a671464b503c98cbb0c`
SHA1	`0c21b684459144b1c7ee32a643549d6ac93b1113`
SHA256	`76e2c6ebb04c5ad98b33a726554b98d79911dd9123f2562ad8fc4fb97fa764c0`
SHA3	`9c1035d841f76d19d8c9e40c062166a96a4a0435d9fbc91fc14e392d68a42c38`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x28b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.06216`
MD5	`70a8f12fee2c81f7a33abe763f22ce98`
SHA1	`b6c0be4e48344607571d311e30a3a343bd5eb7fb`
SHA256	`8ca168710ef6c65f4c63fbe77ba7a3b863b8779306ea4e64087259925750a62a`
SHA3	`e121811540c8946d89962695b6e83e5d49aa95fed60a72e657f5e72b73f349c8`

String Table contents

TGBDownloader
TGBDOWNLOADER

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.1
ProductVersion	1.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Tencent
FileDescription	Tencent Game Downloader
FileVersion (#2)	1, 0, 0, 1
InternalName	TGBDownloader.exe
LegalCopyright	Copyright ? 2020 Tencent. All Rights Reserved.
OriginalFilename	TGBDownloader.exe
ProductName	Tencent Game Downloader
ProductVersion (#2)	1, 0, 0, 1

Resource LangID	Chinese - PRC

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2021-Sep-17 02:57:05
Version	`0.0`
SizeofData	`150`
AddressOfRawData	`0x2e6608`
PointerToRawData	`0x2e5808`
Referenced File	D:\Devops\agent\workspace\p-111758179e0043a5b011650a32a71ea0\src\TGBDownloader\Output\TGBDownloader\Release\TGBDownloader.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2021-Sep-17 02:57:05
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x2e66a0`
PointerToRawData	`0x2e58a0`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Sep-17 02:57:05
Version	`0.0`
SizeofData	`1012`
AddressOfRawData	`0x2e66b4`
PointerToRawData	`0x2e58b4`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2021-Sep-17 02:57:05
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x719000`
EndAddressOfRawData	`0x719008`
AddressOfIndex	`0x714afc`
AddressOfCallbacks	`0x67d90c`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x5c`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x703034`
SEHandlerTable	`0x6e5000`
SEHandlerCount	`1410`

RICH Header

XOR Key	`0x4ebe987d`
Unmarked objects	`0`
241 (40116)	`24`
243 (40116)	`199`
242 (40116)	`32`
199 (41118)	`3`
ASM objects (VS2015 UPD3 build 24123)	`26`
C++ objects (23013)	`2`
C++ objects (VS2015 UPD3 build 24123)	`126`
C objects (VS2015 UPD3 build 24123)	`39`
C objects (VS2008 SP1 build 30729)	`8`
Unmarked objects (#2)	`14`
C objects (VS2015 UPD3.1 build 24215)	`329`
C++ objects (VS2015 UPD3.1 build 24215)	`28`
Imports (VS2008 SP1 build 30729)	`37`
Total imports	`553`
C++ objects (LTCG) (VS2015 UPD3 build 24210)	`119`
Resource objects (VS2015 UPD3 build 24210)	`1`
151	`1`
Linker (VS2015 UPD3 build 24210)	`1`

Errors

[!] Error: Could not read a WIN_CERTIFICATE's data.