Manalyze report for 477e1a96ad3096c7eece381b9512afb17208d5298de179ba94a9639bbffcb2ec

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-May-08 15:34:45
Detected languages	English - United States

Plugin Output

Suspicious	The PE is possibly packed.	`Section .text is both writable and executable.` `Unusual section name found: .ddata`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: NtQuerySystemInformation` `Possibly launches other programs: ShellExecuteW` `Has Internet access capabilities: URLDownloadToFileA` `Leverages the raw socket API to access the Internet: WSASetLastError` `Interacts with services: OpenSCManagerW`
Malicious	VirusTotal score: 40/70 (Scanned on 2026-05-30 11:00:27)	`AVG: Win64:MalwareX-gen [Misc]` `Alibaba: Trojan:Win64/Themida.741a32a1` `Antiy-AVL: Trojan[Packed]/Win64.Themida` `Arcabit: QD:Application.GenericQ.CAF50FB4E0` `Avast: Win64:MalwareX-gen [Misc]` `Avira: TR/W64.Agent` `BitDefender: QD:Application.GenericKDQ.CAF50FB4E0` `Bkav: W32.Malware.16AF16A3` `CTX: exe.trojan.themida` `CrowdStrike: win/malicious_confidence_100% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/Packed.Themida.Q suspicious application` `Elastic: malicious (high confidence)` `Emsisoft: QD:Application.GenericKDQ.CAF50FB4E0 (B)` `F-Secure: Trojan.TR/W64.Agent` `Fortinet: Riskware/Application` `GData: Win64.Trojan.Agent.E0LK9X` `Google: Detected` `Gridinsoft: Trojan.Heur!.03212023` `K7AntiVirus: Unwanted-Program ( 005ce0bd1 )` `K7GW: Unwanted-Program ( 005ce0bd1 )` `Lionic: Trojan.Win32.Themida.4!c` `Malwarebytes: Trojan.MalPack` `MaxSecure: Trojan.Malware.328690006.susgen` `McAfeeD: ti!477E1A96AD30` `MicroWorld-eScan: QD:Application.GenericKDQ.CAF50FB4E0` `Microsoft: Trojan:Win32/Kepavll!rfn` `Paloalto: generic.ml` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: Artemis` `Sophos: Mal/Generic-S` `TrellixENS: Artemis!F7D9DD4747ED` `TrendMicro: Trojan.Win32.ZYX.USBLEO26` `TrendMicro-HouseCall: Trojan.Win32.ZYX.USBLEO26` `VIPRE: QD:Application.GenericKDQ.CAF50FB4E0` `Varist: W64/ABApplication.BLOT-4762` `alibabacloud: VirTool:Win/Wacatac.B9nj`

Hashes

MD5	`f7d9dd4747ed81c5615f2bfe2761acce`
SHA1	`180801898e05ef651bc771c6908d86fddc0b62bc`
SHA256	`477e1a96ad3096c7eece381b9512afb17208d5298de179ba94a9639bbffcb2ec`
SHA3	`bfdb99f17b018200e5f6df1256de2bd58da9637a1738637c17b0076d10123c55`
SSDeep	`786432:00rU0fGmTTmuGpKI3HuH02Enxps+g+kTM:00AKmuEKSOH02A7O+kTM`
Imports Hash	`0cbe797bfb15d96e9cae666fd32f15e0`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x128`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`12`
TimeDateStamp	2026-May-08 15:34:45
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x41ae00`
SizeOfInitializedData	`0x84b400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000023B5058 (Section: .ddata)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x32d8000`
SizeOfHeaders	`0x600`
Checksum	`0x183181a`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`3b9ea8d5eb55b1ba4aa2c0cd5d7a0b2e`
SHA1	`f188f710baf581987ad0f0fb600961828157a88a`
SHA256	`f30d42be37b4ecda972084e3c46b7c0185f705ff93ec8a7398c56bf9791bae10`
SHA3	`08dccf47b4fda423d5d4ade2ca85a143bb44c3c850ad7110b998dd85ebf8d816`
VirtualSize	`0x41ac60`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1a9000`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.98527`

.rdata

MD5	`2aaf4ec63e304f8b50f29fa40fe23b9d`
SHA1	`58b3748841026c82567d522ca386ea8dbcb543c0`
SHA256	`58998fcbe36ca0236d5356872e20764ad01542dbb493d3166dbf9d5c986e1422`
SHA3	`0a2d6800757abf4f5488a5d6e197b1fdfefb12e614c3596427ee3fa29c3024e0`
VirtualSize	`0x17137e`
VirtualAddress	`0x41c000`
SizeOfRawData	`0x9ae00`
PointerToRawData	`0x1a9600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.97133`

.data

MD5	`5deaa48de60ca7ff925289848683bb3f`
SHA1	`2ace27ed851f3365c896bc37d05b165829a79c60`
SHA256	`6b01fb160921b1e7e4fefb71daf0307180c9addd43c1a99d90342eed58850bc3`
SHA3	`631f038afc7846f8cc00b2d158be5a58644f66d51b1ae5b7152353a5b8656e65`
VirtualSize	`0x6a14b0`
VirtualAddress	`0x58e000`
SizeOfRawData	`0x69e200`
PointerToRawData	`0x244400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.98879`

.pdata

MD5	`15a3bf24e4e53d8153793a85ed3767f8`
SHA1	`73000c7c902afedc9dab86d12fda0b93693aba62`
SHA256	`f32a64459a2981d60257b376f7b30d1423d328dd93da22ef766ca53f086b5d44`
SHA3	`7b8d824adf507f660904f995cc5cad79812da477f291596db2ef88d87860abd4`
VirtualSize	`0x2b0c8`
VirtualAddress	`0xc30000`
SizeOfRawData	`0x18800`
PointerToRawData	`0x8e2600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.69649`

.rsrc

MD5	`10360b1ac7a322c25038285d382510a0`
SHA1	`f3dfe151524f0d951499a15009f23fb6832ae44a`
SHA256	`8d8a566cf74ac71333fb74041085072c75618fdd2184a485020b3518416617bf`
SHA3	`d64d8606347ee587a902de0ebb133c4ff2346e8d60ac4deecc08fa6bc545beea`
VirtualSize	`0x1e8`
VirtualAddress	`0xc5c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x8fae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.76554`

.reloc

MD5	`3e94c7d73043b0d53c777448f5c6f6d6`
SHA1	`b009d53ab57a55a9289110d48b14acd41497c702`
SHA256	`ab15b41b193fd18e4a8ee37c23a050e4bc75c989c85f1d93df3b0f3b8e4cbf61`
SHA3	`58a28e11c6d5a65b3d24155f671df830869357535e750e81f018a5f77ed63d6f`
VirtualSize	`0xd43c`
VirtualAddress	`0xc5d000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0x8fb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.86225`

.text (#2)

MD5	`ff792c0eb38fcd2686bbae6f552b6265`
SHA1	`da5127440b0038ebfb593d2f974809d92d7cdcaa`
SHA256	`a84cc38caaf4b338e2f98581edf7642f7637e5c8fcc3f809f55084fce811cf00`
SHA3	`5946d50750378387e729fdb2d9504e78e6910522d2483c3729ec55274ee0caa2`
VirtualSize	`0xa000`
VirtualAddress	`0xc6b000`
SizeOfRawData	`0xa000`
PointerToRawData	`0x901a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.88765`

.idata

MD5	`463b49b4cc972a031fa231efe2a31b75`
SHA1	`cc2f6a6e2b267454fbd07b4edee3c1b31e378d70`
SHA256	`5435faa8b519115459dd80a050db9b3b426d0bea1651dd31ddd6ed82c9819174`
SHA3	`a4b50c49df35173ccb4aa20f71f4c74bbd8529059edc35ecb646cfb4a35b82b6`
VirtualSize	`0x1000`
VirtualAddress	`0xc75000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x90ba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.22254`

.tls

MD5	`a693b0fabc8c1ac909e96ef1024b50a6`
SHA1	`eb6b4b24974909fd16ca0bf529884f6d7b9298c7`
SHA256	`09351d3417dbcc112b804f19fa699eb219225e6c53151d320fcee658ff6c7cbf`
SHA3	`07ccb13f10eb3f0913843634fddfe7ed16a1c35df0e06e4fae2962cae208a49d`
VirtualSize	`0x1000`
VirtualAddress	`0xc76000`
SizeOfRawData	`0x200`
PointerToRawData	`0x90c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.353627`

.text (#3)

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x173e000`
VirtualAddress	`0xc77000`
SizeOfRawData	`0`
PointerToRawData	`0x90c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.ddata

MD5	`9167374e74ee38fe989f88dd0be567e7`
SHA1	`f9e8ee8e623b1d6e666bf9e0c3e49febd196ebe4`
SHA256	`3c8321073ad298891e4805e17991790f8c443770f8dfaa32406ed65e8a6010b8`
SHA3	`5fdd93a8f576fe32d73ab88bf17092bc25f90a3e7e1cc85db43acd80fae9a346`
VirtualSize	`0xf21400`
VirtualAddress	`0x23b5000`
SizeOfRawData	`0xf21400`
PointerToRawData	`0x90c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.95517`

.reloc (#2)

MD5	`4cc5c3a7bbf2159d7e92c7fa55c0951a`
SHA1	`4afdfc0324d65dc2d8be01cd5a8bf09eaf14c24c`
SHA256	`033e9e7d283e90b66ac0adb6ee653fe8d5d7301705e17e9e7a5b80fc78ea64a6`
SHA3	`94a72cef84e6dccb129d90c66acbb1e486723280bf35eba46e1dcf38d3c0cf19`
VirtualSize	`0x1000`
VirtualAddress	`0x32d7000`
SizeOfRawData	`0x10`
PointerToRawData	`0x182da00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ`
Entropy	`2.7744`

Imports

kernel32.dll	`GetModuleHandleA`
urlmon.dll	`URLDownloadToFileA`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
D3DCOMPILER_43.dll	`D3DCompile`
dxgi.dll	`CreateDXGIFactory1`
USER32.dll	`GetForegroundWindow`
GDI32.dll	`GetStockObject`
ADVAPI32.dll	`OpenSCManagerW`
SHELL32.dll	`ShellExecuteW`
ole32.dll	`CreateStreamOnHGlobal`
OLEAUT32.dll	`SysFreeString`
MSVCP140.dll	`??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ`
d3dx11_43.dll	`D3DX11CreateShaderResourceViewFromMemory`
WS2_32.dll	`WSASetLastError`
SHLWAPI.dll	`PathFindFileNameW`
ntdll.dll	`NtQuerySystemInformation`
IPHLPAPI.DLL	`GetAdaptersAddresses`
gdiplus.dll	`GdipDisposeImage`
IMM32.dll	`ImmGetContext`
dwmapi.dll	`DwmExtendFrameIntoClientArea`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`_CxxThrowException`
api-ms-win-crt-heap-l1-1-0.dll	`_aligned_free`
api-ms-win-crt-runtime-l1-1-0.dll	`_wassert`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-math-l1-1-0.dll	`_dsign`
api-ms-win-crt-time-l1-1-0.dll	`_gmtime64_s`
api-ms-win-crt-string-l1-1-0.dll	`strspn`
api-ms-win-crt-convert-l1-1-0.dll	`strtoll`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-stdio-l1-1-0.dll	`__stdio_common_vfprintf`
api-ms-win-crt-filesystem-l1-1-0.dll	`_unlock_file`
api-ms-win-crt-environment-l1-1-0.dll	`getenv`
CRYPT32.dll	`CertDuplicateCertificateContext`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x184`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91862`
MD5	`3250787fdcd75aa2587529b89c7738b2`
SHA1	`622b5627941ecee9cfe6179c3017bbf7b43fffaa`
SHA256	`8b0de2e560d8476fb0013b44f1e10c2789ae71e0353866890dc5f9c57fb1f44a`
SHA3	`6bf4f0eaf6795c219d4d808caa895dcb53f7fe9c81e92ce03da1db7841bfcd3d`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x140c76000`
EndAddressOfRawData	`0x140c76018`
AddressOfIndex	`0x140c76018`
AddressOfCallbacks	`0x140c76020`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`(EMPTY)`

Load Configuration

RICH Header

XOR Key	`0xb25a0564`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`22`
253 (35207)	`1`
ASM objects (35207)	`4`
C objects (35207)	`10`
C++ objects (35207)	`45`
Imports (35207)	`6`
C objects (VS2022 Update 1 (17.1.6) compiler 31107)	`26`
C objects (33145)	`2`
Imports (21202)	`8`
C objects (35211)	`817`
Unmarked objects (#2)	`39`
Imports (2207)	`2`
Imports (33145)	`35`
Total imports	`681`
C++ objects (LTCG) (35211)	`38`
Resource objects (35211)	`1`
Linker (35211)	`1`

Errors

[*] Warning: Section .text has a size of 0!

Leave a comment

No comments yet.