Manalyze report for 0d597f8e1e530289dd81278bb884d416215ac43676c39d52eb84ed746665384e

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2025-Jan-22 03:49:06
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.

Plugin Output

Malicious	The file headers were tampered with.	`Unusual section name found: .xdata1` `Unusual section name found: .rdata1` `Unusual section name found: .idata2` `Unusual section name found: .data2` `Unusual section name found: .pdata2` `Unusual section name found: .xdata1` `Unusual section name found: .tls1` `The RICH header checksum is invalid.` `The number of imports reported in the RICH header is inconsistent.`
Malicious	The PE contains functions mostly used by malware.	`Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`1403fc44d65265504497017175168692`
SHA1	`78077c07bb6461adf6b197c4ecc40dc820200d3e`
SHA256	`0d597f8e1e530289dd81278bb884d416215ac43676c39d52eb84ed746665384e`
SHA3	`8e5f117c0ff54ad5b8441f242a710a8c1ed3d99a2c7ee14103f44bea758fb5a4`
SSDeep	`3072:DdA6d1IkAMIR2gib2ohIz0uFSigUFPGQ+A2aBOk+tnr1CfypRD1Izh00lwG+gLk:DdA6d1IkAMIR2gib2ohIz0uFSigUFPG`
Imports Hash	`d8e9968534c0a6c5dbcca1d30d093f54`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`13`
TimeDateStamp	2025-Jan-22 03:49:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x1c600`
SizeOfInitializedData	`0x12e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000038000 (Section: .tls1)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x39000`
SizeOfHeaders	`0x600`
Checksum	`0x352d7`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7578812c4f8541bd62d725b26bcfb6ab`
SHA1	`6381d623959ec9340775884ca07e0defcc2e2cc8`
SHA256	`9bb6c89cd9f7773ddfb5c130b17036daf614466a700bdc20c34a9f3a27683ab9`
SHA3	`9f09872f8c6af85c694ba63c1284ce302a4923f8413331a1c2c114834a52bbcd`
VirtualSize	`0x7567`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7600`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.83388`

.rdata

MD5	`4e076b69c1d7f12124ac95b492d048ec`
SHA1	`c3d888c54b9776ce33f400fbbd6a8a6362d5c3c6`
SHA256	`1215700c77625f05acb299c776cb99664a87c34499800f818b277f4412c66364`
SHA3	`86421730b80215e4627697d86d54eb6e613f04e28dc3144fa474977bf22f7aed`
VirtualSize	`0x66a6`
VirtualAddress	`0x9000`
SizeOfRawData	`0x6800`
PointerToRawData	`0x7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.6979`

.data

MD5	`5ee413636a9f18784b26557e94a07e31`
SHA1	`3e36ecd9fdcd3c7fd6dd08d5f8ae40e8cdde3f75`
SHA256	`751082ebd8cdcac581ac3566d595709ca8ab60815c7ed7970f1dec874dd3a50a`
SHA3	`421c775667c0b73f0148c2e89e236a398ac24f55462b5b75d7d032f1956171b3`
VirtualSize	`0x3e8`
VirtualAddress	`0x10000`
SizeOfRawData	`0x400`
PointerToRawData	`0xe400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.39095`

.pdata

MD5	`ba36c1ca93a75fd8be4c6a94495f6089`
SHA1	`138d3a66b63eec9102fee4ba0d2f54aede279676`
SHA256	`1fc36d83486bde7ce705d7e0c9750175a28d5319d9bd0370089943e7196884bb`
SHA3	`3a01e1a94003890a12583c2975b119028a61851b47b3fc2347edd3e84de05b84`
VirtualSize	`0x528`
VirtualAddress	`0x11000`
SizeOfRawData	`0x600`
PointerToRawData	`0xe800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.78006`

.rsrc

MD5	`535e6c34b4922862f1fdcd161b767a6a`
SHA1	`43f7a89f92849bfa89e58c0eb22188e3c676156c`
SHA256	`7e695b97f076251694a0c44e307210e854fca43cca85eb6f75bf6ad3ac2e788c`
SHA3	`103d2c47f30944cd9474ce3ee170d826f795d60c35f4d08024e91505523818c9`
VirtualSize	`0x1e8`
VirtualAddress	`0x12000`
SizeOfRawData	`0x200`
PointerToRawData	`0xee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.7511`

.reloc

MD5	`522c093d8899a2f2a5b71894a9cfafec`
SHA1	`8068135e0a7a27670cd0fa415e80f940d4347783`
SHA256	`55ce7caafcb274a40f6beae38c4e2f31679ebe63317700b91f7e9794506a0320`
SHA3	`c852fee47a3bcf34f565fdfa8afbd38b716860e3945610797ee9fda8f46cb9db`
VirtualSize	`0xa0`
VirtualAddress	`0x13000`
SizeOfRawData	`0x200`
PointerToRawData	`0xf000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.06689`

.xdata1

MD5	`2dc2afe91bd64939630b7dd8d31ed95a`
SHA1	`dcce8a1296a3cc487fad1f7497232121065f4ee2`
SHA256	`764c49b52f15a775622c48a1ec23e3c5942f56935cf7ca8294f2214d0fbe3691`
SHA3	`3c34617a780ef66f7a3b1b85d1096b0fcd64ecedfa03134c7d28b5fd8385f1b7`
VirtualSize	`0xad90`
VirtualAddress	`0x14000`
SizeOfRawData	`0xae00`
PointerToRawData	`0xf200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.44597`

.rdata1

MD5	`05aef90f4a5fd82c470ef7a701c74167`
SHA1	`c4e12c27534f54bae52f4df1c446e3717e8e80ae`
SHA256	`7416b3747d319b3945ad666b3a8b59f92ae8cdb0529ab8bc479285f6d10af4f8`
SHA3	`c8fe52b1ace75f6e0de1cbdc082d411c5e40e61f81be15737061c7218e792af6`
VirtualSize	`0x14dd7`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x14e00`
PointerToRawData	`0x1a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.15352`

.idata2

MD5	`71901cbeb597ce8de659caecfa65dfd9`
SHA1	`feb9a729412210301daa8697b5f4808cf392dcea`
SHA256	`2576831517361e6e71845818c53ce09f9cca5bf3055b6c3601009529e0083ca7`
SHA3	`69350aaa1040f5d1cea57b861b3eb3d4af5ee49f66e554211b2d8cf94355c873`
VirtualSize	`0x268`
VirtualAddress	`0x34000`
SizeOfRawData	`0x400`
PointerToRawData	`0x2ee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.146838`

.data2

MD5	`10fe5582b8ab728645eb2d6f323fca36`
SHA1	`78751d133cc0352552fa0d08415d1baef1c2d4f9`
SHA256	`ee6e88cbcc4d34e8e828f6ebc86ab2d382bf5211bacb6e8ef78121d26ee77dd7`
SHA3	`42fd17b02102eebf272e0a6519c195edf67432a6fae0e2068289655c67c0765b`
VirtualSize	`0x118`
VirtualAddress	`0x35000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2f200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.36526`

.pdata2

MD5	`3440ecad5b5d718c48d8a367b1b042fa`
SHA1	`1e4a23cd529589b92a42bd8fc0fa81cd808d6b94`
SHA256	`6c34c490e41a0310f09eda2accafd29d810a14132cc661b9081c9938125ce72e`
SHA3	`39a2ef40f810378b84a5644b2a167c78f93a86b036c9556c1b4ce31f54fc6757`
VirtualSize	`0x134`
VirtualAddress	`0x36000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2f400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.10666`

.xdata1 (#2)

MD5	`fd741ae59298736beddf6f146be27708`
SHA1	`217f13f8ca605eebd24fd189356bc4f701483c51`
SHA256	`dc3d29b8d6674913a6d248c8bb76c168a51edf90bb1eb95ac5c6b5dca99e289d`
SHA3	`fcdb945d3ff354ad911ed4abe89071123f4661ae6f4e94bbee741a5e84020e27`
VirtualSize	`0xb0`
VirtualAddress	`0x37000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.20366`

.tls1

MD5	`c38b3080149b1792051bc92252265667`
SHA1	`f43c2ae13c89e9973f8a422552d9b2c3b39fbf6e`
SHA256	`652d486962a6766a57e9ec8f1e6d3391340e71481c8a4eca8cb6e79aa76da2fa`
SHA3	`0a086b2ecf99508438f1ce7d49ce142c519fc998a5dc5bea77b5cbbf28f3fa28`
VirtualSize	`0x18`
VirtualAddress	`0x38000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2f800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`0.460547`

Imports

KERNEL32.dll	`MultiByteToWideChar` `WideCharToMultiByte` `GetTickCount` `GetTickCount64` `QueryPerformanceCounter` `QueryPerformanceFrequency` `GetSystemTime` `CloseHandle` `GetLocalTime` `FileTimeToSystemTime` `SystemTimeToFileTime` `lstrlenA` `GetCurrentProcess` `SetConsoleTitleA` `lstrlenW` `SetConsoleTextAttribute` `lstrcpyA` `lstrcpyW` `lstrcatA` `lstrcatW` `lstrcmpA` `lstrcmpW`
ADVAPI32.dll	`AdjustTokenPrivileges` `OpenProcessToken` `LookupPrivilegeValueW`
MSVCP140.dll	`?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z`
VCRUNTIME140_1.dll	`(EMPTY)`
VCRUNTIME140.dll	`(EMPTY)`
api-ms-win-crt-stdio-l1-1-0.dll	`(EMPTY)`
api-ms-win-crt-heap-l1-1-0.dll	`(EMPTY)`
api-ms-win-crt-string-l1-1-0.dll	`(EMPTY)`
api-ms-win-crt-time-l1-1-0.dll	`(EMPTY)`
api-ms-win-crt-runtime-l1-1-0.dll	`(EMPTY)`
api-ms-win-crt-filesystem-l1-1-0.dll	`(EMPTY)`
api-ms-win-crt-math-l1-1-0.dll	`(EMPTY)`
api-ms-win-crt-locale-l1-1-0.dll	`(EMPTY)`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

TLS Callbacks

StartAddressOfRawData	`0`
EndAddressOfRawData	`0`
AddressOfIndex	`0x140034028`
AddressOfCallbacks	`0x140034030`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x00000001400314D0`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140010040`

RICH Header

XOR Key	`0xa65e45dc`
Unmarked objects	`0`
Total imports	`1`
Linker (33523)	`60`
ASM objects (33523)	`280`
ASM objects (33523) (#2)	`2`
ASM objects (33523) (#3)	`1`
Resource objects (33523)	`350`

Errors

[!] Error: Read the same import twice! This PE was almost certainly crafted manually!
[*] Warning: An error occurred while trying to read functions imported by module MSVCP140.dll.

Leave a comment

No comments yet.