Manalyze report for 3ad4e270ad9eae6adde50c7b1e2076c81919c9dbc1d9c3d0e31f39fcadf67391

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Aug-18 11:17:09

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`10036512 bytes of data starting at offset 0x6c800.` `The overlay data has an entropy of 7.99819 and is possibly compressed or encrypted.` `Overlay data amounts for 95.7598% of the executable.`
Malicious	VirusTotal score: 5/70 (Scanned on 2026-05-02 07:26:32)	`APEX: Malicious` `Bkav: W64.AIDetectMalware` `Cylance: Unsafe` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Dropper.tc`

Hashes

MD5	`c903887249708e0164424e4ee3fed57d`
SHA1	`c8da0f1b779e4dc1f26828a612a0b5e519cc8f9d`
SHA256	`3ad4e270ad9eae6adde50c7b1e2076c81919c9dbc1d9c3d0e31f39fcadf67391`
SHA3	`5087ddc745635e85110308c18dbc5778ec61f902ed8414ff373e0a2cac2ba1b2`
SSDeep	`196608:6K0W8UAZNQ0urH3Q3qemdUSC1z4Jkz9Rwpr2Zwl6JoMi6DmB8M9qgqm9+:69W8HQ0u76mdUSCZLwqQzw3`
Imports Hash	`dcaf48c1f10b0efa0a4472200f3850ed`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2025-Aug-18 11:17:09
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2be00`
SizeOfInitializedData	`0x40600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000DA30 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x75000`
SizeOfHeaders	`0x400`
Checksum	`0xa0eaa6`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`588e5055fb224a048e508395bf048644`
SHA1	`670aa3f54dad88adb11fe4426d4ca10226c0dd91`
SHA256	`c0c87a7163d2e753cac4c4cd39a229cdab2a951fc5abf048618188dd66e31827`
SHA3	`f9bdaeb1972b3691a9afdd3c21d39105fa73d557fa4edf4d9a5c16c15b93f474`
VirtualSize	`0x2bd80`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2be00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.47261`

.rdata

MD5	`2cc91bd08c95281242ef5ded464af7bf`
SHA1	`43940e323d5ca4095b4d7d0366ee257b49c16983`
SHA256	`02ac9ac5d05bd29901632afe04e7d520f5575d3ac51f72932f3ed7d83c1c2b39`
SHA3	`b6ce2459e17f4b67d81aea3004fb89f76ae4033f13e9f3f6bc24f2bb57576034`
VirtualSize	`0x13908`
VirtualAddress	`0x2d000`
SizeOfRawData	`0x13a00`
PointerToRawData	`0x2c200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.74409`

.data

MD5	`2fc88032c47ad8e77ba50142b1d7bacb`
SHA1	`de3475f9cc4acf58d0ba321b071078462805f523`
SHA256	`86462ad94449db441ae7a2fa16c6f1543cce53a8acb0960645d4b6039ec73e9f`
SHA3	`a9fec7f0a0205409366f6982529daf9066fa193a96c17e7a1c94a029351861dd`
VirtualSize	`0x50b0`
VirtualAddress	`0x41000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x3fc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.82152`

.pdata

MD5	`f27272e31cd3260dd36a304bc13f6042`
SHA1	`294e6f201e0a2f112cf24b9ce2439a00320dba39`
SHA256	`5f962a59cd799c45ce2ef13eefde6f6268c3147ed26438c419fcb9091c1d3395`
SHA3	`cd442b465805507e665a9bac8d74060333c694fa6aed56b8ca6b3865aced2af3`
VirtualSize	`0x23f4`
VirtualAddress	`0x47000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x40a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.48773`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x4a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x42e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`ddfbc4614da14e87a38d206c2b29575c`
SHA1	`355e69d64e54c0a2f45f8bc5002a6d9302572380`
SHA256	`8a28f90336ac009a9a5c6aecfa227712fc8717703f4e2ea36e2f81b097179d69`
SHA3	`49dc784b184816d6955543278cd30ed45363e07911bb280470c212bdaa3a6d5d`
VirtualSize	`0x28ef0`
VirtualAddress	`0x4b000`
SizeOfRawData	`0x29000`
PointerToRawData	`0x43000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.06644`

.reloc

MD5	`7b4c05b51855f1fc0294ebfb2ae73776`
SHA1	`6ce048d0aa8b9ff7e9106fa37a5b6ba6928e7d4b`
SHA256	`e5a06de48e4c799b28ab7f285feb207cd42f4f4c2837f2fe23838528710a734c`
SHA3	`b97bcbe7b464730ff82f44b151a5e4e8e20c34eeff35714dfd40112cec55c829`
VirtualSize	`0x774`
VirtualAddress	`0x74000`
SizeOfRawData	`0x800`
PointerToRawData	`0x6c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.27827`

Imports

USER32.dll	`CreateWindowExW` `ShutdownBlockReasonCreate` `MsgWaitForMultipleObjects` `ShowWindow` `DestroyWindow` `RegisterClassW` `DefWindowProcW` `PeekMessageW` `DispatchMessageW` `TranslateMessage` `PostMessageW` `GetMessageW` `MessageBoxW` `MessageBoxA` `SystemParametersInfoW` `DestroyIcon` `SetWindowLongPtrW` `GetWindowLongPtrW` `GetClientRect` `InvalidateRect` `ReleaseDC` `GetDC` `DrawTextW` `GetDialogBaseUnits` `EndDialog` `DialogBoxIndirectParamW` `MoveWindow` `SendMessageW`
COMCTL32.dll	`#380`
KERNEL32.dll	`GetACP` `IsValidCodePage` `GetStringTypeW` `GetFileAttributesExW` `SetEnvironmentVariableW` `FlushFileBuffers` `LCMapStringW` `CompareStringW` `VirtualProtect` `InitializeCriticalSectionEx` `GetOEMCP` `GetCPInfo` `GetLastError` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `GetModuleHandleW` `MulDiv` `FormatMessageW` `GetModuleFileNameW` `SetDllDirectoryW` `GetEnvironmentStringsW` `SetErrorMode` `CreateDirectoryW` `GetCommandLineW` `GetEnvironmentVariableW` `ExpandEnvironmentStringsW` `DeleteFileW` `FindClose` `FindFirstFileW` `FindNextFileW` `GetDriveTypeW` `RemoveDirectoryW` `GetTempPathW` `CloseHandle` `QueryPerformanceCounter` `QueryPerformanceFrequency` `WaitForSingleObject` `Sleep` `GetCurrentProcess` `TerminateProcess` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `LocalFree` `SetConsoleCtrlHandler` `K32EnumProcessModules` `K32GetModuleFileNameExW` `CreateFileW` `FindFirstFileExW` `GetFinalPathNameByHandleW` `MultiByteToWideChar` `WideCharToMultiByte` `FlsFree` `FreeEnvironmentStringsW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize` `HeapReAlloc` `WriteConsoleW` `SetEndOfFile` `CreateSymbolicLinkW` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetCommandLineA` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `ReadFile` `GetFullPathNameW` `SetStdHandle` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `GetCurrentDirectoryW` `FlsAlloc` `FlsGetValue` `FlsSetValue`
ADVAPI32.dll	`OpenProcessToken` `GetTokenInformation` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `ConvertSidToStringSidW`
GDI32.dll	`SelectObject` `DeleteObject` `CreateFontIndirectW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.89933`
MD5	`3b4d88ae89dea274cc6db0023e2636ca`
SHA1	`283c36f24f75b1376fbc94e38a2d68f8904f0054`
SHA256	`c2851b0fa78496e83e3917764180006ef17049cf28f812cb0cf9e5202f36b027`
SHA3	`75d03fd559d18b827483862a6044e6abadd1d347f2daed3a940f9681df29991b`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.09167`
MD5	`61310b12ef243531a371c73beea5228b`
SHA1	`d5d909e6f3ae11ea94058e55fc2bd03fd0c37b00`
SHA256	`3a5467edf419afdde35ddd9cce24d28717a73322a75b0d093e96b25e58125cd2`
SHA3	`60365b4be16438e56a4f8c69073b7123cca7113c140f5894f41d6ccd7481a34f`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.44773`
MD5	`702d7558442a337ea06193c5abcbdb66`
SHA1	`acdb4f984d89b64c0ae0c40525872cc35b53ae95`
SHA256	`299c0543a9c51f1ef191045d7f698031c8077262bd26f0b86ea7bc8d458626de`
SHA3	`6a0e5f395d0301b66ec29c9863aa807790be7a057366e1e90f6a7e865cbf6577`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.96653`
MD5	`24ddcab63d1e3dc12425e4077b88bf19`
SHA1	`6920b18d04d0a6a53dd4018fc0de91a0e58c01fd`
SHA256	`5a54d34ca6216ab14fa5308a16824ece4a19c88dd8adcce883763eeac4daac0f`
SHA3	`d8fa4a86d808cab179dfaa72564281f98801f9555602137d05b333d52487f2a2`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.80576`
MD5	`27c69b003b291685e95239171f36e823`
SHA1	`00590ef0c3079c1bc678fe29f519c4be8b74b408`
SHA256	`4171dd3561299dd719a8eae4e917b44d7267970d2d9c0df367cb06ea161ca28f`
SHA3	`4445346612ec46eadf57bae68d2f001722dd2aa0aaff40e64e1873dd14b5fea8`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x5488`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.62752`
MD5	`d75d0fdea05954b8b553d96f652d5448`
SHA1	`6a386232b83f6adbf546bc3ca655e1c3a5c9274c`
SHA256	`8b60a8476f55648915fe039b8397ad2310d4ff50508083c147b956f2343405e5`
SHA3	`ad5a41e477e84e3f1ea8f604b26f239abf8d5854a7342d39ccea064d61e3827d`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.52221`
MD5	`8e1a2b312ce43eb6c8a0847f6d964418`
SHA1	`5e0299f53bf045cdf5847d4197e22edd19f10e1e`
SHA256	`811363becfcd5667ad3d643cac7dc4260fd0d6cbf07b73f74d8518213cd4c171`
SHA3	`d61bf3a805bbab3a1fb0c233409239451f8d946ced11a7b6fa44d7fb5c7b4800`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.24983`
MD5	`ae5bb3c6536074daacd7ede98d12b86d`
SHA1	`7a252f2d927fa500cdd58224c2c2192943171aeb`
SHA256	`55e56da8e2c91e0f3d6119f00682c669987e358851dd5363acc50253ed1c0ecb`
SHA3	`c5ed7b9bac31ee489fb6fa8430a5d6075fe734e0417b69315ff106da7851193a`

9

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xf33`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.6147`
Detected Filetype	PNG graphic file
MD5	`b452a33e528fb7e9ae07da7bc907ca37`
SHA1	`ba29ac6dc05f6cf4ed66fb055135ee33f436ceb1`
SHA256	`cf02ced9d71aadc6901d9fc872cd35d938ef9b71db38e6a6db85047434bc10d5`
SHA3	`1de568f849ac1f4d82da5e0552de43de78a62e49c069992f7dcfa9e9658aeba2`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.03466`
Detected Filetype	Icon file
MD5	`897c53eb8bb60382f6ccfef58e4525a4`
SHA1	`6e5b4bbe65281192cfc2c6cbbbbfe7e2f64276b9`
SHA256	`49a7e52ddb631c740f56e0f9e71b5049ea7f2c2beaf71f102797caeeeae6609b`
SHA3	`84b60f12acb2ee05e07e65f698db75b16d24a7b788fc741286b7f86b542c28a3`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Aug-18 11:17:09
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x3cf78`
PointerToRawData	`0x3c178`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140041040`
GuardCFCheckFunctionPointer	`5368894648`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x361d01a7`
Unmarked objects	`0`
C++ objects (33140)	`183`
C objects (33140)	`12`
ASM objects (33140)	`10`
253 (35207)	`3`
ASM objects (35207)	`9`
C objects (35207)	`17`
C++ objects (35207)	`40`
Imports (33140)	`11`
Total imports	`159`
C objects (35213)	`27`
Linker (35213)	`1`

Errors

Leave a comment

No comments yet.