| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date |
2026-Feb-03 12:56:46
|
| Detected languages |
English - United States
|
| Suspicious |
PEiD Signature: |
PeStubOEP v1.x
|
| Suspicious |
This PE is packed with Themida |
Unusual section name found:
Unusual section name found:
Unusual section name found:
Unusual section name found:
Unusual section name found:
Unusual section name found: .themida
Section .themida is both writable and executable.
Unusual section name found: .boot
The PE only has 3 import(s).
|
| Info |
The PE contains common functions which appear in legitimate applications. |
Can access the registry:
|
| Malicious |
VirusTotal score: 19/72 (Scanned on 2026-02-06 01:21:47) |
APEX:
Malicious
AVG:
MalwareX-gen [Pws]
Avast:
MalwareX-gen [Pws]
Bkav:
W64.AIDetectMalware
CrowdStrike:
win/malicious_confidence_100% (D)
Cylance:
Unsafe
DeepInstinct:
MALICIOUS
ESET-NOD32:
Win64/Packed.Themida.L suspicious application
Elastic:
malicious (high confidence)
Malwarebytes:
Malware.Heuristic.2025
MaxSecure:
Trojan.Malware.300983.susgen
McAfeeD:
Real Protect-LS!3AB166111E0F
Microsoft:
Trojan:Win32/Wacatac.B!ml
Sangfor:
Suspicious.Win32.Save.a
SentinelOne:
Static AI - Malicious PE
Symantec:
ML.Attribute.HighConfidence
Trapmine:
malicious.high.ml.score
Zoner:
Probably Heur.ExeHeaderL
tehtris:
Generic.Malware
|
| MD5 |
3ab166111e0fff9ac4b638945767ab22
|
| SHA1 |
b7868d9056c7e6559d558643055f315b24acf193
|
| SHA256 |
ec3671b5d872eea975ed40b32024b14c175632be7b97a75d118d6b2428b55355
|
| SHA3 |
37df015f133f5d2c078398e5cc38b4bb4dfd9d0ed50a477b88a04692285fb3a3
|
| SSDeep |
98304:T/xzx3W/g43L7fqFpYW4ex1Icjcq4Zcz+u52TvXAyzOLEg:tzx3WXHqHCARjcq2c6vXAyzO
|
| Imports Hash |
c39b1d45cc64be7043952cf84e15395c
|
| e_magic |
MZ
|
| e_cblp |
0x90
|
| e_cp |
0x3
|
| e_crlc |
0
|
| e_cparhdr |
0x4
|
| e_minalloc |
0
|
| e_maxalloc |
0xffff
|
| e_ss |
0
|
| e_sp |
0xb8
|
| e_csum |
0
|
| e_ip |
0
|
| e_cs |
0
|
| e_ovno |
0
|
| e_oemid |
0
|
| e_oeminfo |
0
|
| e_lfanew |
0xc8
|
| Signature |
PE
|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections |
9
|
| TimeDateStamp |
2026-Feb-03 12:56:46
|
| PointerToSymbolTable |
0
|
| NumberOfSymbols |
0
|
| SizeOfOptionalHeader |
0xf0
|
| Characteristics |
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
| Magic |
PE32+
|
| LinkerVersion |
14.0
|
| SizeOfCode |
0x8e200
|
| SizeOfInitializedData |
0x50a00
|
| SizeOfUninitializedData |
0
|
| AddressOfEntryPoint |
0x00000000006C1058 (Section: .boot)
|
| BaseOfCode |
0x1000
|
| ImageBase |
0x140000000
|
| SectionAlignment |
0x1000
|
| FileAlignment |
0x200
|
| OperatingSystemVersion |
6.0
|
| ImageVersion |
0.0
|
| SubsystemVersion |
6.0
|
| Win32VersionValue |
0
|
| SizeOfImage |
0xa7c000
|
| SizeOfHeaders |
0x400
|
| Checksum |
0x401dcb
|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve |
0x100000
|
| SizeofStackCommit |
0x1000
|
| SizeofHeapReserve |
0x100000
|
| SizeofHeapCommit |
0x1000
|
| LoaderFlags |
0
|
| NumberOfRvaAndSizes |
16
|
| MD5 |
d117e4339e019207e7bf5ba48d2ff947
|
| SHA1 |
7c4b1b4e88551d02bace4c8990b5a6d9e13a57be
|
| SHA256 |
06b65b142d9ef865a0d401af607715e6d2a29a9e301ca36edb6a99385c04bf05
|
| SHA3 |
a2f99b893e3fbab1bafcb6569d763838dc878b5ccf4a4780bce55a8c3241252e
|
| VirtualSize |
0x8e1bf
|
| VirtualAddress |
0x1000
|
| SizeOfRawData |
0x39a00
|
| PointerToRawData |
0x400
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
|
| Entropy |
7.98199
|
| MD5 |
3af039a4bf121b674e4cd384f5cd2c4f
|
| SHA1 |
ff48aa21b95eb66a34e9366b06e01a4714b72a72
|
| SHA256 |
de8d04889c69c39045cb18b2fc45583a8fa46e6a8dab3173d4eeb1c7dec2c914
|
| SHA3 |
a391586239887434b94c876e6add8e153096cebb0566d16cf2cefc28842f083d
|
| VirtualSize |
0x4f4a0
|
| VirtualAddress |
0x90000
|
| SizeOfRawData |
0x200
|
| PointerToRawData |
0x39e00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
| Entropy |
0.823665
|
| MD5 |
5b8f03206f4028bfe20047022202561e
|
| SHA1 |
3e8a6bff4b4aa078d01da68c2754bf89b48d1ccb
|
| SHA256 |
cc6155ba4e77841bca1e4ec7d55da45cf4d1384e3aa5294102dabfb45a1797fd
|
| SHA3 |
0921744d44cdb757cf6ec5a8ef638569115d240922a691a9483e21f9f19e47d1
|
| VirtualSize |
0xe1a
|
| VirtualAddress |
0xe0000
|
| SizeOfRawData |
0x200
|
| PointerToRawData |
0x3a000
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
| Entropy |
4.37443
|
| MD5 |
2a21624646236a1c244baa7320d9668c
|
| SHA1 |
0fd7fefcb9b1f7936c35b96d97a158ce7c24a5bb
|
| SHA256 |
a780a8b65e1f39310c9aad3b72e3bf7311cac566221fa74d67cac5f9bce91084
|
| SHA3 |
5805904519e6e04235d3c0f3659e15110b689140483bc2d1cf2df52879519674
|
| VirtualSize |
0x1e0
|
| VirtualAddress |
0xe1000
|
| SizeOfRawData |
0x200
|
| PointerToRawData |
0x3a200
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
| Entropy |
4.65507
|
| MD5 |
8d6fdac33e120af39aa07e413f3c954f
|
| SHA1 |
6ccf0505c9c37f96b1ebbe89303bebb784861bac
|
| SHA256 |
0b450289004ecb27a44b30b76bd84a59c8e295f946c8d1ae2ce217e3c5ebd845
|
| SHA3 |
e035446099573fdc454e7025be8196ebff239717956235efe4ff3c553be92ab8
|
| VirtualSize |
0x14
|
| VirtualAddress |
0xe2000
|
| SizeOfRawData |
0x200
|
| PointerToRawData |
0x3a400
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
|
| Entropy |
0.406802
|
| MD5 |
1a7da0180350fc859f1efce9bc0ae3ea
|
| SHA1 |
ffcb208805498102107a8d4c07a6f4a82d7c77ab
|
| SHA256 |
0bbb4a92dac6d801f11abbe0329d4175b9308a54f2c3213aee2d51188f4b42b8
|
| SHA3 |
aa7cde6d501e34a8261879b2112439ea58781ecd563da019df9aad23ba9b7f00
|
| VirtualSize |
0x1000
|
| VirtualAddress |
0xe3000
|
| SizeOfRawData |
0x200
|
| PointerToRawData |
0x3a600
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
| Entropy |
1.76005
|
| MD5 |
e642cffdbdf163ef4a98d0c1fdcd0fcd
|
| SHA1 |
e125b7edeefcc371b033fbfa7f4e3a98321f5dcb
|
| SHA256 |
1b558fe35db26313caed367dcda940b53f1f80c5dd2da75c1970bb7d865f2c86
|
| SHA3 |
89cf06e2e880c5eb5da1e0638b7f486beb0d3991776ef16fc10f3fc5b9c83a57
|
| VirtualSize |
0x1000
|
| VirtualAddress |
0xe4000
|
| SizeOfRawData |
0x200
|
| PointerToRawData |
0x3a800
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
|
| Entropy |
4.71768
|
| MD5 |
d41d8cd98f00b204e9800998ecf8427e
|
| SHA1 |
da39a3ee5e6b4b0d3255bfef95601890afd80709
|
| SHA256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
| SHA3 |
a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
|
| VirtualSize |
0x5dc000
|
| VirtualAddress |
0xe5000
|
| SizeOfRawData |
0
|
| PointerToRawData |
0x3aa00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
|
| MD5 |
94a27b346e97720b54911f417dfebc6b
|
| SHA1 |
f083464bbf55155ca7c0fb5fb6a54965fb41c997
|
| SHA256 |
55969e3763bec9c4a5e1702899c90a19dec72fa7955f7cd43cae77c85beb602b
|
| SHA3 |
5af9d29684f2a0a733a71b6cbb872d9053cee34f47fc60074f01209b691801b6
|
| VirtualSize |
0x3ba400
|
| VirtualAddress |
0x6c1000
|
| SizeOfRawData |
0x3ba400
|
| PointerToRawData |
0x3aa00
|
| PointerToRelocations |
0
|
| PointerToLineNumbers |
0
|
| NumberOfLineNumbers |
0
|
| NumberOfRelocations |
0
|
| Characteristics |
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
|
| Entropy |
7.95019
|
| kernel32.dll |
GetModuleHandleA
|
| USER32.dll |
EnumDisplayDevicesA
|
| ADVAPI32.dll |
RegGetValueW
|
| Type |
RT_MANIFEST
|
| Language |
English - United States
|
| Codepage |
UNKNOWN
|
| Size |
0x17d
|
| TimeDateStamp |
1980-Jan-01 00:00:00
|
| Entropy |
4.91161
|
| MD5 |
1e4a89b11eae0fcf8bb5fdd5ec3b6f61
|
| SHA1 |
4260284ce14278c397aaf6f389c1609b0ab0ce51
|
| SHA256 |
4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
|
| SHA3 |
4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353
|
| XOR Key |
0xd9416cd
|
| Unmarked objects |
0
|
| Imports (33145) |
7
|
| Total imports |
103
|
| Unmarked objects (#2) |
98
|
| Resource objects (35211) |
1
|
| Linker (35211) |
1
|
[*] Warning: Section .themida has a size of 0!