Manalyze report for 149af02ae31b64b799ac36aaf9f8c0e9

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	1970-Jan-01 00:00:00
TLS Callbacks	1 callback(s) detected.
Debug artifacts	Embedded COFF debugging symbols

Plugin Output

Suspicious	The PE contains functions most legitimate programs don't use.	`Manipulates other processes: ReadProcessMemory`
Suspicious	The file contains overlay data.	`91512 bytes of data starting at offset 0x1ea00.`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`149af02ae31b64b799ac36aaf9f8c0e9`
SHA1	`f1a437ebabbc4a2dfd8d11774a082f5d55b3a3c3`
SHA256	`c203862cc6f6365629508850db3625233c8e5c2410dbf227ffa5e52c48135598`
SHA3	`622e14b34f4a22bcb71c7ba2a4eb19c00c8af9c4a19b418d9f3231aca8b7078e`
SSDeep	`3072:UzrOEVE4YP52ysBCtNG5+TKkJ7WUEqasNkfZC5U2:UToZsBCHGfnA`
Imports Hash	`181212a4ab38683c17362236988c4c9c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	1970-Jan-01 00:00:00
PointerToSymbolTable	`0x1ea00`
NumberOfSymbols	`1717`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`3.0`
SizeOfCode	`0x135b0`
SizeOfInitializedData	`0x1ca4`
SizeOfUninitializedData	`0x2288`
AddressOfEntryPoint	`0x000000000000D6D0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x100000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x25000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x1000000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7a7554006c95674b928a33bc155d8ee2`
SHA1	`a10af931809a8c5f7a059b3665480b9b81564c20`
SHA256	`c2045a33f229847b9459ddc57d1c0556e4a0ab2cba12333524062700db356f30`
SHA3	`f439ee96cf952a7b6db3918bfc474c68b6e67ed4f2fcb4ccbb0d08d9740bb0e1`
VirtualSize	`0x135b0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x13600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.88258`

.data

MD5	`18d25cf6a1665db8ca654ef825f32c02`
SHA1	`3f6cec4386238fdb35a126488b0ec9f6e3a01251`
SHA256	`f6a7ed943968466f3e47efb9aa32890a583a346f8d6abda58840f419c67c6a4f`
SHA3	`d3783701f9bef4cf088b7685331c0546ec3406701436e25a27bcdbac9641bec5`
VirtualSize	`0x1ca4`
VirtualAddress	`0x15000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x13a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.99399`

.rdata

MD5	`9a9acd6f8e5ab6b01d2a7f7aecd5e90e`
SHA1	`e69de7dddf5078407962bb594a15f91d85e8eb3e`
SHA256	`928b675edcc271beea024eaea1a9f2c573adbd23c14612ba968cd4cc3b3f49f4`
SHA3	`11f0f7d2c5d287a7efeee7d7784564a30094747d772f139242b5fcc1d40b6d57`
VirtualSize	`0x6d18`
VirtualAddress	`0x17000`
SizeOfRawData	`0x6e00`
PointerToRawData	`0x15800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.1058`

.pdata

MD5	`7f341a505ce93f730fbd4879dd2e0f8c`
SHA1	`20ac65417e40c54335509282acbe744d10cd9b7f`
SHA256	`95be86cba434f220d78a91e8b800606e2babeaefa393b398dafa234ee7ff0027`
SHA3	`b83183244dd519cd1a86ce59c1acb6f27dc49e46bd31206d9ead36aba7e30993`
VirtualSize	`0x13ec`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x1c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.01818`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x2288`
VirtualAddress	`0x20000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.CRT

MD5	`5a34040502df287ca2158950ae89ad65`
SHA1	`82ab4e1eb2887a5c0d3eff91a747836039943a44`
SHA256	`989d0cc9b29556beab2c9cee557bebde7e6726271eca5c85ad7954bf5e021528`
SHA3	`909ff343c43eab1a3c9cfe39ffab3af78c0526a08b8c5b872544e4d116040873`
VirtualSize	`0x28`
VirtualAddress	`0x23000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1da00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0611629`

.idata

MD5	`ca71bcc60121dff62b6a608fa012c53c`
SHA1	`3ad1742c3d444c727773cf467af4e4e7d87e0873`
SHA256	`20636ee3e250385b33823075061e8e5651371d2f4f66f0ae4704a69325f01007`
SHA3	`491c60e2de209f02507cb35cc814336c9df092b108a2b6112f27a96911b376be`
VirtualSize	`0xcc9`
VirtualAddress	`0x24000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x1dc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.87303`

Imports

kernel32.dll	`GetLastError` `SetLastError` `ExitProcess` `GetStartupInfoA` `GetStdHandle` `GetCommandLineA` `GetCurrentProcessId` `GetCurrentThreadId` `GetCurrentProcess` `ReadProcessMemory` `GetModuleFileNameA` `GetModuleHandleA` `WriteFile` `ReadFile` `CloseHandle` `SetFilePointer` `FreeLibrary` `GetProcAddress` `CreateFileW` `GetConsoleMode` `GetConsoleOutputCP` `GetOEMCP` `GetProcessHeap` `HeapAlloc` `HeapFree` `TlsAlloc` `TlsGetValue` `TlsSetValue` `CreateThread` `ExitThread` `LocalAlloc` `LocalFree` `Sleep` `SuspendThread` `ResumeThread` `TerminateThread` `WaitForSingleObject` `SetThreadPriority` `GetThreadPriority` `CreateEventA` `ResetEvent` `SetEvent` `InitializeCriticalSection` `DeleteCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `TryEnterCriticalSection` `RaiseException` `MultiByteToWideChar` `WideCharToMultiByte` `GetACP` `GetConsoleCP` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `RtlUnwindEx` `EnumResourceTypesA` `EnumResourceNamesA` `EnumResourceLanguagesA` `FindResourceA` `FindResourceExA` `LoadResource` `SizeofResource` `LockResource` `FreeResource` `GetWindowsDirectoryA` `GetVersionExA` `CompareStringA` `GetLocaleInfoA` `EnumCalendarInfoA` `FormatMessageW` `FindFirstFileW` `FindNextFileW` `CompareStringW` `FindClose` `FileTimeToLocalFileTime` `FileTimeToDosDateTime` `GetThreadLocale` `SetThreadLocale` `GetUserDefaultLCID`
oleaut32.dll	`SysAllocStringLen` `SysFreeString` `SysReAllocStringLen`
user32.dll	`MessageBoxA` `CharUpperBuffW` `CharLowerBuffW` `CharUpperA` `CharUpperBuffA` `CharLowerA` `CharLowerBuffA` `GetSystemMetrics` `MessageBeep`

Delayed Imports

Version Info

TLS Callbacks

StartAddressOfRawData	`0x100000000`
EndAddressOfRawData	`0x100000000`
AddressOfIndex	`0x100016ca0`
AddressOfCallbacks	`0x100023000`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x000000010000CAA0`

Load Configuration

RICH Header

Errors

[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF symbol's section number is bigger than the number of sections!
[*] Warning: COFF String Table's reported size is bigger than the remaining bytes!
[*] Warning: Section .bss has a size of 0!