Manalyze report for 46291f662bb04daee1c5eca92b87d385ac90262fcfda9a89af8c724f3eead24e

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-Apr-30 15:18:59
TLS Callbacks	1 callback(s) detected.
Debug artifacts	injector.pdb
FileVersion	`0.0.0.1`
ProductVersion	`1.0.0.0`
OriginalFilename	xproc64.exe
InternalName	xproc64.exe
FileDescription	xproc64.exe
CompanyName
LegalCopyright	bhackariCTF{y3s_5ys7em32_1s_7h3_p3rf3c7_h1d1ng_sp07}
ProductName

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: GoDaddy.com https://docs.rs openssl.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA256` `Uses constants related to SHA512`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot NtQueryInformationProcess` `Code injection capabilities: CreateRemoteThread WriteProcessMemory VirtualAllocEx OpenProcess` `Uses Windows's Native API: NtQueryInformationProcess NtWriteFile NtReadFile` `Leverages the raw socket API to access the Internet: closesocket getaddrinfo freeaddrinfo send WSARecv recv WSADuplicateSocketW setsockopt getsockopt WSASocketW WSACleanup WSAStartup select connect ioctlsocket WSAGetLastError getsockname WSASend getpeername` `Functions related to the privilege level: OpenProcessToken` `Manipulates other processes: Process32FirstW ReadProcessMemory Process32NextW WriteProcessMemory OpenProcess`
Malicious	VirusTotal score: 3/71 (Scanned on 2026-05-30 13:33:33)	`Bkav: W32.Malware.9BB7F012` `CrowdStrike: win/malicious_confidence_60% (D)` `Malwarebytes: Malware.Heuristic.2518`

Hashes

MD5	`072c6bbe554e1dfea6ad266f5b9dbfeb`
SHA1	`4405b213b9d4e37aa15126b4f679820b075bc3e9`
SHA256	`46291f662bb04daee1c5eca92b87d385ac90262fcfda9a89af8c724f3eead24e`
SHA3	`2da3dc073cf37ef9b7dcde414195f8e5f8d98c2660059d3165e30bf689ccd752`
SSDeep	`49152:vW1w7RkrjQoDuxCBNm4nfV11O6urZMYIU6igoq:daHnntn+Zq`
Imports Hash	`8fd3426a68583d3a42b376efae774133`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2026-Apr-30 15:18:59
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x106400`
SizeOfInitializedData	`0xa5e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000010120C (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x1b1000`
SizeOfHeaders	`0x400`
Checksum	`0x1ad1c8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ea4076275c47c26948fb4313c9342cc5`
SHA1	`498aead1b8fd7196c8b2bbebd86121f61b525213`
SHA256	`3e0071d28f09fa062f0c4d8bf6e03af06a913f8e4f32e458d3e4e4b133823da4`
SHA3	`ef14a24367c32ce85c58a3a0bd78bc1556bcb6189230080cd2c1b69b950b136e`
VirtualSize	`0x106359`
VirtualAddress	`0x1000`
SizeOfRawData	`0x106400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.40161`

.rdata

MD5	`90312937451bfb3e3e3be04ae4a6d97a`
SHA1	`9f05c2c8ef5640ba55f0e885b64dd9079ddc1e61`
SHA256	`9ef6113d291d0c556dd2883b96a00c3ffad075205a44961ce91b49b527a71449`
SHA3	`8c915243790d68f6370d2d291ee527fe21de9d3f8afac25e9bb13b3513fea0e9`
VirtualSize	`0x9acd4`
VirtualAddress	`0x108000`
SizeOfRawData	`0x9ae00`
PointerToRawData	`0x106800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.72147`

.data

MD5	`808187cb785810ae9018b09c2174dbf9`
SHA1	`e6698bd91fc6b8c6616fd43a64e387799f4c3b90`
SHA256	`3270896032e7c45e3ef4c4bf20407d2adcea2a7d157a7f3713476401470103e4`
SHA3	`f0aed9aae35a2b9973ce2cd925fe50442000a6e7eb5cfdef84c03e4ce0ca8a50`
VirtualSize	`0x8a8`
VirtualAddress	`0x1a3000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1a1600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.68373`

.pdata

MD5	`34763d9b00ca56bb3ba4b802831932e2`
SHA1	`dc7826dc99cd9b6e7d138799971b7ff6efed6754`
SHA256	`bc717760e19788446f05ae7e688e68ab5a3576de98207f0a05659098c19a430d`
SHA3	`0a5174a770330903c427b821be3a6ba44fdeb5877e14547b859836f8e2012c0c`
VirtualSize	`0x97d4`
VirtualAddress	`0x1a4000`
SizeOfRawData	`0x9800`
PointerToRawData	`0x1a1800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.21299`

.rsrc

MD5	`6656ca23c0d433f85eda8ebcbf59af18`
SHA1	`14e0022c27eafe72d72a21a98eb6bdf41000b566`
SHA256	`f28d3f96b0af75781050130c72f64cd9c3af959d9b0e8dd609eae8b69b599ff7`
SHA3	`947613e27057529452f516d28ad7e62109027114d492fe6a78a46fec82934c4f`
VirtualSize	`0x328`
VirtualAddress	`0x1ae000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1ab000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.83461`

.reloc

MD5	`fa7297c69d2051f85d08eabe19b7749a`
SHA1	`c23763c46870e7d28884dd0d59a1694cf21a2713`
SHA256	`cdfdd718e1ec4de8813557298c92240f821734ba26c2991c6726976dc6315e65`
SHA3	`65ce04ff9771dd75728401f68081dad2540e00902f5a9e3ca7078c2f8f74e61f`
VirtualSize	`0x11d8`
VirtualAddress	`0x1af000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x1ab400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.43071`

Imports

kernel32.dll	`GetProcessIoCounters` `GetProcessTimes` `RtlVirtualUnwind` `FormatMessageW` `RtlLookupFunctionEntry` `Process32FirstW` `ReadProcessMemory` `CreateToolhelp32Snapshot` `VirtualQueryEx` `RtlCaptureContext` `LocalFree` `GlobalMemoryStatusEx` `Sleep` `SetWaitableTimer` `GetSystemTimes` `CreateWaitableTimerExW` `GetFullPathNameW` `FindClose` `FindFirstFileExW` `GetFileInformationByHandleEx` `QueryPerformanceFrequency` `GetFileInformationByHandle` `CreateFileW` `SetHandleInformation` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetProcAddress` `TerminateProcess` `GetSystemInfo` `Process32NextW` `QueryPerformanceCounter` `CreateMutexA` `GetCurrentThreadId` `GetSystemTimePreciseAsFileTime` `HeapAlloc` `GetCurrentProcessId` `HeapReAlloc` `GetCurrentThread` `SetThreadStackGuarantee` `AddVectoredExceptionHandler` `VirtualFreeEx` `CloseHandle` `WaitForSingleObject` `CreateRemoteThread` `WriteProcessMemory` `VirtualAllocEx` `OpenProcess` `ReleaseMutex` `IsProcessorFeaturePresent` `GetLastError` `SetLastError` `WaitForSingleObjectEx` `GetCurrentProcess` `HeapFree` `K32GetPerformanceInfo` `GetProcessHeap`
advapi32.dll	`SystemFunction036` `GetTokenInformation` `CopySid` `GetLengthSid` `IsValidSid` `OpenProcessToken`
ws2_32.dll	`closesocket` `getaddrinfo` `freeaddrinfo` `send` `WSARecv` `recv` `WSADuplicateSocketW` `setsockopt` `getsockopt` `WSASocketW` `WSACleanup` `WSAStartup` `select` `connect` `ioctlsocket` `WSAGetLastError` `getsockname` `WSASend` `getpeername`
api-ms-win-core-synch-l1-2-0.dll	`WakeByAddressAll` `WaitOnAddress` `WakeByAddressSingle`
ntdll.dll	`RtlNtStatusToDosError` `RtlGetVersion` `NtQueryInformationProcess` `NtWriteFile` `NtReadFile`
pdh.dll	`PdhCollectQueryData` `PdhCloseQuery` `PdhRemoveCounter` `PdhAddEnglishCounterW` `PdhGetFormattedCounterValue` `PdhEnumObjectsA` `PdhOpenQueryA`
psapi.dll	`GetProcessMemoryInfo` `GetModuleFileNameExW`
shell32.dll	`CommandLineToArgvW`
oleaut32.dll	`GetErrorInfo`
powrprof.dll	`CallNtPowerInformation`
bcryptprimitives.dll	`ProcessPrng`
bcrypt.dll	`BCryptGenRandom`
KERNEL32.dll	`GetEnvironmentVariableW` `GetModuleHandleA` `GetCurrentDirectoryW` `LoadLibraryA` `lstrlenW` `WideCharToMultiByte` `GetStdHandle` `GetConsoleMode` `GetConsoleOutputCP` `ReadConsoleW` `GetModuleHandleW` `GetModuleFileNameW` `WriteConsoleW` `MultiByteToWideChar`
VCRUNTIME140.dll	`__CxxFrameHandler3` `memcpy` `memset` `memcmp` `memmove` `_CxxThrowException` `__C_specific_handler` `__current_exception` `__current_exception_context`
api-ms-win-crt-string-l1-1-0.dll	`wcslen`
api-ms-win-crt-runtime-l1-1-0.dll	`_initialize_narrow_environment` `_register_thread_local_exe_atexit_callback` `_configure_narrow_argv` `_seh_filter_exe` `_cexit` `_set_app_type` `_get_initial_narrow_environment` `_initterm` `_initterm_e` `exit` `_exit` `__p___argc` `__p___argv` `_c_exit` `terminate` `_crt_atexit` `_register_onexit_function` `_initialize_onexit_table`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-stdio-l1-1-0.dll	`__p__commode` `_set_fmode`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `free`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2d0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.35898`
MD5	`92c9aed97172870828e3c4654aeba6bc`
SHA1	`9176b06ac155884f57666b09e9a4751b5bd7e752`
SHA256	`e71f194a361115ec17ae200ae9674252c20ac6f83c999a9b113406728fd58d58`
SHA3	`1fc7b91ab8894e89ff6a68de84eed8df901f256811a9fa2267f6dfc9ca207e1c`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	0.0.0.1
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
FileVersion (#2)	0.0.0.1
ProductVersion (#2)	1.0.0.0
OriginalFilename	xproc64.exe
InternalName	xproc64.exe
FileDescription	xproc64.exe
CompanyName
LegalCopyright	bhackariCTF{y3s_5ys7em32_1s_7h3_p3rf3c7_h1d1ng_sp07}
ProductName

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2026-Apr-30 15:18:59
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0x1853bc`
PointerToRawData	`0x183bbc`
Referenced File	injector.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2026-Apr-30 15:18:59
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x1853e4`
PointerToRawData	`0x183be4`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-Apr-30 15:18:59
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x1853f8`
PointerToRawData	`0x183bf8`

TLS Callbacks

StartAddressOfRawData	`0x140185748`
EndAddressOfRawData	`0x1401857a8`
AddressOfIndex	`0x1401a32a0`
AddressOfCallbacks	`0x1401085d8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x00000001400993A0`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1401a3148`

RICH Header

XOR Key	`0xf8720770`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`12`
Imports (30034)	`2`
C++ objects (30034)	`23`
C objects (30034)	`10`
ASM objects (30034)	`4`
Imports (27412)	`5`
Total imports	`159`
C objects (30152)	`12`
Unmarked objects (#2)	`46`
Linker (30152)	`1`

Errors

Leave a comment

No comments yet.