Manalyze report for 3a5f082971ee67165580459e9d505ed2

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Dec-06 10:05:52
Debug artifacts	D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb
CompanyName	Deminimis
FileDescription	MinimalFirewall-NET8
FileVersion	`2.6.7.0`
InternalName	MinimalFirewall-NET8.dll
LegalCopyright
OriginalFilename	MinimalFirewall-NET8.dll
ProductName	Minimal Firewall
ProductVersion	`1.0.0+80631ca7fce8943d3fb4098645aac3151936026a`
Assembly Version	2.6.7.0

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C# v7.0 / Basic .NET` `.NET DLL -> Microsoft`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: sc.exe schtask` `May have dropper capabilities: %Temp% CurrentVersion\Run` `Accesses the WMI: root\StandardCimv2` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: buymeacoffee.com crl.microsoft.com github.com go.microsoft.com http://crl.microsoft.com http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z http://schemas.microsoft.com http://schemas.microsoft.com/SMI/2005/WindowsSettings http://schemas.microsoft.com/SMI/2016/WindowsSettings http://www.microsoft.com http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0 http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0 http://www.microsoft.com/pkiops/Docs/Repository.htm0 http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0 http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/docs/primarycps.htm0 http://www.microsoft.com0 https://aka.ms https://github.com https://go.microsoft.com https://go.microsoft.com/fwlink/?linkid https://www.buymeacoffee.com https://www.buymeacoffee.com/deminimis microsoft.com microsoft.net schemas.microsoft.com www.buymeacoffee.com www.microsoft.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryExW LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegOpenKeyExW RegGetValueW RegCloseKey` `Possibly launches other programs: ShellExecuteW`
Suspicious	The file contains overlay data.	`1950219 bytes of data starting at offset 0x34800.` `Overlay data amounts for 90.0686% of the executable.`
Suspicious	VirusTotal score: 1/72 (Scanned on 2026-02-11 02:47:47)	`APEX: Malicious`

Hashes

MD5	`3a5f082971ee67165580459e9d505ed2`
SHA1	`cca06d7f655db537ea8653f41c35f62a096a7ae4`
SHA256	`402ee8668fda6cbd4785735c2da7c133b5190d13bf7d31fa2f2f629efc297bf7`
SHA3	`3b6c2ba6bd636afed91c7674b05a8ea41c97ad33a57e48c982e21f20b18fae51`
SSDeep	`24576:If6jyHAVO1SUUCxgFYAZ4vy8hP5hbiyYX+PHI08v9Rq0igNxp0:IWySUgFYlliFC`
Imports Hash	`bb3ac2c21e02c68abcad237dc3fa6d00`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2025-Dec-06 10:05:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x16400`
SizeOfInitializedData	`0x1f000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000011AB0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x39000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x180000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`3ed5512b293aa5ccb14a2730a5a29785`
SHA1	`df85598271374ab44b618dd3406484df92cd74ce`
SHA256	`b55ea7f36007bb04f989c752a29e245bead9bdfc3913702e9f05cc1b26272d3e`
SHA3	`eac0d6142726512bc274619ea3ba58da9a701cbd4d73d4a2d5ed47b15533630a`
VirtualSize	`0x1627c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x16400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.34417`

.rdata

MD5	`87c2f5897217e01976ff658e70cc68ef`
SHA1	`a45b803c5189e6a37cd5dce4c0cd427ed5bc7053`
SHA256	`8e066d0edb091c2c8948cd09703c967848a619c75dde73bf842cd5468b8d64a7`
SHA3	`91c00399ab832c2aea6d294fab3598725a755c00a7b601fc4de240b69d44a74a`
VirtualSize	`0xbd1e`
VirtualAddress	`0x18000`
SizeOfRawData	`0xbe00`
PointerToRawData	`0x16800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.8319`

.data

MD5	`a482d927c1f6f3548f5533f10c2a544b`
SHA1	`17d505f8dfd30cb47e229d60f6ba758a2f38bce8`
SHA256	`7c5ea44c2fda4afbfcc55287dcd5cd035d9927a16c82263459306e25fbd24abd`
SHA3	`3f2b3ba03ebafbb33398332aa5dd47b9d0f175cd006e3f09a90aaf17070f3355`
VirtualSize	`0x1838`
VirtualAddress	`0x24000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x22600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.43069`

.pdata

MD5	`c20628de244b4ad26d738fc5023ef5c1`
SHA1	`c4b6e73956dda9cc2bfc4b9f53d3cc6e8b6181be`
SHA256	`26d28ab08308ebbe19dea4673b4bd8cd46120a4826971710fa82c36ef53f389e`
SHA3	`d76843777bf9942d2219f35c7159ac599bcae19ec5b1fe5d9dc464b35914811a`
VirtualSize	`0x141c`
VirtualAddress	`0x26000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x23000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.84522`

.reloc

MD5	`37812f81534460a128d06d0d29b2cb00`
SHA1	`8dcae4bb04c6e5e5d5a68d9e1d0bdc85c923ad95`
SHA256	`7d1932eae9901ec74760eb2c44a2df4a20f3a8bfb1a595db5dd20e43af7c73cf`
SHA3	`fa934fd7324404a9d4dd0c78dee6a4cbae71cf80f9cf2820ab6a74fe3716a019`
VirtualSize	`0x338`
VirtualAddress	`0x28000`
SizeOfRawData	`0x400`
PointerToRawData	`0x24600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.80573`

.rsrc

MD5	`1df19703bbfb23d416905cb83814816b`
SHA1	`515ed626caa8e3d630125d996999a94927f63e8e`
SHA256	`498b2d893736a8615d86536c9248a2fc2e12f451b753f79791eab0daccfc4198`
SHA3	`6183b1d434b09768fea4f07b9e1a92cb84a79a13343165831a08bc2069202245`
VirtualSize	`0xfdc0`
VirtualAddress	`0x29000`
SizeOfRawData	`0xfe00`
PointerToRawData	`0x24a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.94525`

Imports

KERNEL32.dll	`FreeLibrary` `LoadLibraryExW` `OutputDebugStringW` `FindFirstFileExW` `EnterCriticalSection` `GetFullPathNameW` `FindNextFileW` `GetCurrentProcess` `GetModuleHandleExW` `GetModuleFileNameW` `LeaveCriticalSection` `GetEnvironmentVariableW` `GetModuleHandleW` `MultiByteToWideChar` `GetFileAttributesExW` `LoadLibraryA` `DeleteCriticalSection` `WideCharToMultiByte` `IsWow64Process` `TlsFree` `TlsSetValue` `TlsGetValue` `TlsAlloc` `InitializeCriticalSectionAndSpinCount` `GetProcAddress` `GetWindowsDirectoryW` `FindResourceW` `GetLastError` `ActivateActCtx` `FindClose` `CreateActCtxW` `SetLastError` `RaiseException` `RtlPcToFileHeader` `RtlUnwindEx` `InitializeSListHead` `GetCurrentProcessId` `IsDebuggerPresent` `IsProcessorFeaturePresent` `TerminateProcess` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `GetStringTypeW` `SwitchToThread` `GetCurrentThreadId` `InitializeCriticalSectionEx` `EncodePointer` `DecodePointer` `LCMapStringEx` `QueryPerformanceCounter` `GetSystemTimeAsFileTime`
USER32.dll	`MessageBoxW`
SHELL32.dll	`ShellExecuteW`
ADVAPI32.dll	`RegOpenKeyExW` `RegGetValueW` `DeregisterEventSource` `RegisterEventSourceW` `ReportEventW` `RegCloseKey`
api-ms-win-crt-runtime-l1-1-0.dll	`_invoke_watson` `__p___argc` `_exit` `exit` `_initterm_e` `_initterm` `_get_initial_wide_environment` `_initialize_wide_environment` `_configure_wide_argv` `_set_app_type` `_seh_filter_exe` `_cexit` `_crt_atexit` `_register_onexit_function` `_errno` `_initialize_onexit_table` `abort` `_c_exit` `_register_thread_local_exe_atexit_callback` `terminate` `__p___wargv`
api-ms-win-crt-stdio-l1-1-0.dll	`__acrt_iob_func` `_set_fmode` `fputwc` `__p__commode` `fputws` `_wfsopen` `fflush` `__stdio_common_vfwprintf` `__stdio_common_vsnwprintf_s` `__stdio_common_vswprintf` `setvbuf`
api-ms-win-crt-heap-l1-1-0.dll	`calloc` `_set_new_mode` `free` `_callnewh` `malloc`
api-ms-win-crt-string-l1-1-0.dll	`wcsncmp` `toupper` `strcmp` `strlen` `_wcsdup` `wcsnlen` `strcpy_s`
api-ms-win-crt-convert-l1-1-0.dll	`wcstoul` `_wtoi`
api-ms-win-crt-time-l1-1-0.dll	`wcsftime` `_gmtime64_s` `_time64`
api-ms-win-crt-locale-l1-1-0.dll	`___mb_cur_max_func` `_configthreadlocale` `___lc_codepage_func` `___lc_locale_name_func` `__pctype_func` `_lock_locales` `setlocale` `_unlock_locales`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2ca`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.61535`
Detected Filetype	PNG graphic file
MD5	`e817b052aa7663258cc9a302bf88860f`
SHA1	`dbc48391538d11d37ae9b5c65457118eefd96a56`
SHA256	`c66e5212f1eac2e6affc35c3dd059712569aa9ec25b4f636938d43a1ad27b032`
SHA3	`49f3ca555cfb11b14b59ab5e1e99df8cd9c98ae5ed695009d3a8a701620be3e3`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4f8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.7981`
Detected Filetype	PNG graphic file
MD5	`e473524215e4f8f51c780d2ea2209b40`
SHA1	`45cabcc898883100837fc6541bd5a0f84255fa04`
SHA256	`06a975da18101101c6b5f9501d79951836907122959337bf71c3d0cf17fd8311`
SHA3	`958d849ccea25397a4c4b9c8e6791ccc61f5e07887b9676a91ede7c665c172ab`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x7c2`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.90213`
Detected Filetype	PNG graphic file
MD5	`5a5ac7fb485641606bd1a672b6c4e168`
SHA1	`7fbabcf4dba880b85dfbc01647d8a76a8550c0f6`
SHA256	`338dbc7ea75dfb93d16e1f2bab597b97f6f718cdca9b4722760ef792947ee61a`
SHA3	`d64c9c96edd893699ced57a0767b3e4f66e2fff7bdf62742f9ea7a22b6ea7ca9`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xf6e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.93689`
Detected Filetype	PNG graphic file
MD5	`d0984be0013a8197df263617886ec1e9`
SHA1	`92686482d98ce2107a372a4dd8f6e303968bb408`
SHA256	`3ec1b8a853fe9f0922dbd82152aaaa781de9021d8000f8fe2359acdecf70c8ce`
SHA3	`81bb02aee1152c42fbf4edc831cb8d5efcbdd6b6d46833bd9b08e86cd8021d49`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xd43f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98169`
Detected Filetype	PNG graphic file
MD5	`0fa38a6104a503772e943bdc5e97bc9c`
SHA1	`d4828a7bf4cdecafafceb861c66dbda15f0e001a`
SHA256	`b9d8c69fbdb8cfb641e63d7a1eef59776d3b8568675683d22a310cbdc2e62924`
SHA3	`aabab177bf54d31153f5df2a07e44e2e18c858bc8e71b702552327f957c2171e`

32512

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.68263`
Detected Filetype	Icon file
MD5	`5a7ff705ee3c712e67061278bb484ae3`
SHA1	`c57914b5d96398d665f42ff9d412d3b49fc527e9`
SHA256	`dfaac5a5429568920e079f87e8abf46223126478d279329c28d8c091f8361603`
SHA3	`2ef01b7ce25d8769286eeed91abf84f9a5b8d4ca709561ee25ab18031ddf1cd8`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x36c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.40758`
MD5	`4dda61e3cd471023227ee9c980d9b723`
SHA1	`c325749768c496ffeafbf08573a4b0d2aa6e36d8`
SHA256	`34c365d10a85b65c5db9069621877fce212261566186227bae94e906ccfe5e20`
SHA3	`297e0703a2eafb567cfe919af31c10ba351eec8814594ef950dafba7f5315713`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4df`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.41452`
MD5	`fe6f4d4c26fc2c434b8de62b3d019d4b`
SHA1	`3e517baa982bfeb1e67b737fb78ee42feb0e5f52`
SHA256	`10063f628bd2005d7b326f585a1c2614bb331432cbcf2ec7e4a427e62e206d9c`
SHA3	`95a0146017ac95fbab721c2eb261f122f3963c05ea688f8b6c8c9af8e366d056`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.6.7.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	Deminimis
FileDescription	MinimalFirewall-NET8
FileVersion (#2)	2.6.7.0
InternalName	MinimalFirewall-NET8.dll
LegalCopyright
OriginalFilename	MinimalFirewall-NET8.dll
ProductName	Minimal Firewall
ProductVersion (#2)	1.0.0+80631ca7fce8943d3fb4098645aac3151936026a
Assembly Version	2.6.7.0

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2025-Dec-06 22:42:45
Version	`0.0`
SizeofData	`109`
AddressOfRawData	`0x2079c`
PointerToRawData	`0x1ef9c`
Referenced File	D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2025-Dec-06 22:42:45
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x2080c`
PointerToRawData	`0x1f00c`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Dec-06 22:42:45
Version	`0.0`
SizeofData	`988`
AddressOfRawData	`0x20820`
PointerToRawData	`0x1f020`

TLS Callbacks

StartAddressOfRawData	`0x140020c48`
EndAddressOfRawData	`0x140020c58`
AddressOfIndex	`0x140025820`
AddressOfCallbacks	`0x1400184f0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140024080`
GuardCFCheckFunctionPointer	`5368808480`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x55c582b4`
Unmarked objects	`0`
ASM objects (35207)	`10`
C objects (35207)	`12`
C++ objects (35207)	`87`
Imports (VS2008 SP1 build 30729)	`16`
Imports (33140)	`9`
Total imports	`204`
C++ objects (LTCG) (35217)	`10`
Linker (35217)	`1`

3a5f082971ee67165580459e9d505ed2

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.reloc

.rsrc

Imports

Delayed Imports

1

2

3

4

5

32512

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors