Manalyze report for 16c5b5ea385bb9633de600e26ba4e23f

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Mar-11 07:32:41

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Info	The PE is digitally signed.	`Signer: \xD0\x9A\xD1\x80\xD1\x83\xD1\x82\xD1\x96\xD0\xB9 \xD0\x9E\xD0\xBB\xD0\xB5\xD0\xBA\xD1\x81\xD0\xB0\xD0\xBD\xD0\xB4\xD1\x80 \xD0\x86\xD0\xB3\xD0\xBE\xD1\x80\xD0\xBE\xD0\xB2\xD0\xB8\xD1\x87` `Issuer: mg-ALPHA-CA`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`16c5b5ea385bb9633de600e26ba4e23f`
SHA1	`a47c739133d449655bc48a22836a119037e7a40d`
SHA256	`356e3caf177f43d9b276d9d01ff9baea417400a0f6f3a93b13ff7b27ff0f187e`
SHA3	`f835d17cc44edf78370235d81fc80cd8e904f6754b69fc217d62b87f803073c9`
SSDeep	`98304:X0NaMM3C7l9zZgxaMDUwHUYB94RQ85mJq:X0FyWlsxaMDH0msTz`
Imports Hash	`965e162fe6366ee377aa9bc80bdd5c65`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2025-Mar-11 07:32:41
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2a600`
SizeOfInitializedData	`0x1f400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000CE20 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x53000`
SizeOfHeaders	`0x400`
Checksum	`0x32c5da`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7f9d412c28e642c8e84be872e83b4f9f`
SHA1	`32f0e5310a01ecb56f0557137f3717af90615281`
SHA256	`ae3e78d3929b939eae442031ce4ffe697b9be8afa3937ca2d998074693d0d9a5`
SHA3	`b88bfb0925021a9fe6d73ac5032577afcf567404b472737d5705f1375ebab3ad`
VirtualSize	`0x2a4d0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2a600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48572`

.rdata

MD5	`4f62e569a5a0ea0ce4c425ed60404014`
SHA1	`cea1678d7bb29f3bc33a7121c0be1c7709795869`
SHA256	`a0e9dc70d60c77e4d81e626bc975a64ac6cc4592298ebb0e5e348e60868cc5b1`
SHA3	`facf1db480809da730740129ec2a33c9cb5889fde6e536da7de88ca65b38c3c9`
VirtualSize	`0x12d38`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x12e00`
PointerToRawData	`0x2aa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.76072`

.data

MD5	`2b048c55a32efa293a19bc62cce0e4b8`
SHA1	`a350ca3e48678cffb9a5c94045d0b6eef8901ce6`
SHA256	`578fde989f2664fd7eb864e0537ef2cfeecf43f750d546094f16fbda761279db`
SHA3	`ab99a19696fcfbb26bb95dfe52986827235916ef1039d985bf56d4c81bf9af9a`
VirtualSize	`0x5350`
VirtualAddress	`0x3f000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x3d800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.83203`

.pdata

MD5	`ff7327f24043dee11db09e993f85caab`
SHA1	`9a1c029f60033deab1ec4bd2dbbc6a2b38661e74`
SHA256	`51e87151675e845609afae55fb482b9db04b69e8234e34340c8fa6408ca44502`
SHA3	`28caf41f44823bce4a6888e2a9b5f4ecf5818bb7becd66546a3e968b6a57db93`
VirtualSize	`0x228c`
VirtualAddress	`0x45000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x3e600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.31839`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x48000`
SizeOfRawData	`0x200`
PointerToRawData	`0x40a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`f237a319d18ac063200e712e4e49fb01`
SHA1	`122fae8bc1035ef977c7d3847f0509673cc36f7f`
SHA256	`cba88485891459bc035601d56cf6f0bbad417f5668a87782212b6d4db38a9aee`
SHA3	`16ef216c26f4670d7d26653c7ac76c119f274df35b5e8c6bfb0a2acab9089524`
VirtualSize	`0x88fc`
VirtualAddress	`0x49000`
SizeOfRawData	`0x8a00`
PointerToRawData	`0x40c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.03227`

.reloc

MD5	`f390b176355c1ae2e1386b761add6032`
SHA1	`cb25d48441da5c52b65e59e9cba0f5b74e0aba6b`
SHA256	`fcda47318ecd3ae461089ed4cec21a66dd8bcecabc58482872ee02a2044bdcfc`
SHA3	`3c6dc1c1a0f26044627ec27eded0e3ba503a236bbaa6e71099660c79011c1a91`
VirtualSize	`0x764`
VirtualAddress	`0x52000`
SizeOfRawData	`0x800`
PointerToRawData	`0x49600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.26396`

Imports

USER32.dll	`CreateWindowExW` `ShutdownBlockReasonCreate` `MsgWaitForMultipleObjects` `ShowWindow` `DestroyWindow` `RegisterClassW` `DefWindowProcW` `PeekMessageW` `DispatchMessageW` `TranslateMessage` `PostMessageW` `GetMessageW` `MessageBoxW` `MessageBoxA` `SystemParametersInfoW` `DestroyIcon` `SetWindowLongPtrW` `GetWindowLongPtrW` `GetClientRect` `InvalidateRect` `ReleaseDC` `GetDC` `DrawTextW` `GetDialogBaseUnits` `EndDialog` `DialogBoxIndirectParamW` `MoveWindow` `SendMessageW`
COMCTL32.dll	`#380`
KERNEL32.dll	`GetACP` `IsValidCodePage` `GetStringTypeW` `GetFileAttributesExW` `SetEnvironmentVariableW` `FlushFileBuffers` `GetCurrentDirectoryW` `LCMapStringW` `CompareStringW` `VirtualProtect` `GetOEMCP` `GetCPInfo` `GetModuleHandleW` `MulDiv` `FormatMessageW` `GetLastError` `GetModuleFileNameW` `LoadLibraryExW` `SetDllDirectoryW` `CreateSymbolicLinkW` `GetProcAddress` `GetEnvironmentStringsW` `GetCommandLineW` `GetEnvironmentVariableW` `ExpandEnvironmentStringsW` `DeleteFileW` `FindClose` `FindFirstFileW` `FindNextFileW` `GetDriveTypeW` `RemoveDirectoryW` `GetTempPathW` `CloseHandle` `QueryPerformanceCounter` `QueryPerformanceFrequency` `WaitForSingleObject` `Sleep` `GetCurrentProcess` `TerminateProcess` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `FreeLibrary` `LocalFree` `SetConsoleCtrlHandler` `K32EnumProcessModules` `K32GetModuleFileNameExW` `CreateFileW` `FindFirstFileExW` `GetFinalPathNameByHandleW` `MultiByteToWideChar` `WideCharToMultiByte` `InitializeCriticalSectionEx` `FreeEnvironmentStringsW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize` `HeapReAlloc` `WriteConsoleW` `SetEndOfFile` `CreateDirectoryW` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetCommandLineA` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `ReadFile` `GetFullPathNameW` `SetStdHandle` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree`
ADVAPI32.dll	`OpenProcessToken` `GetTokenInformation` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `ConvertSidToStringSidW`
GDI32.dll	`SelectObject` `DeleteObject` `CreateFontIndirectW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x82f0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.61856`
MD5	`14ae65848ba01265034aa5e67ba41dd0`
SHA1	`5f998eb45575d36c2b68c036c9059d8cec46f44c`
SHA256	`56d4b5487e6122869249d3a42700710f8ba420f77b7d48f9e6426b259085a94e`
SHA3	`5c91414f032b23d1ef08436dc1ace4d2ba09996b8e599551dc18cc79d8362adc`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`fab306194c1a828319341fd6b871eee0`
SHA1	`6b3fd066ce777baea14cac8ae03b645d89e88a75`
SHA256	`45f96013b296e8c6ff9018d80d4133251cbea700a110e6404d385cfb4a9d1557`
SHA3	`d85b46ec34dbb974e4c192ad09aaa78d681c6760ed6186452e1fa7ae6e2ce22e`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Mar-11 07:32:41
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x3b600`
PointerToRawData	`0x3a000`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003f040`
GuardCFCheckFunctionPointer	`5368890544`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xc39b94a3`
Unmarked objects	`0`
C++ objects (33138)	`183`
C objects (33138)	`12`
ASM objects (33138)	`8`
253 (34321)	`3`
ASM objects (34321)	`9`
C objects (34321)	`17`
C++ objects (34321)	`40`
Imports (33138)	`11`
Total imports	`158`
C objects (34436)	`25`
Linker (34436)	`1`

16c5b5ea385bb9633de600e26ba4e23f

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.fptable

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors