Manalyze report for 554de671eceb3721276497a7a03e7303261d0efabe855021b231092d84bc5dfb

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Dec-12 11:44:00
Debug artifacts	D:\a\_work\1\s\src\runtime\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb
CompanyName	Anvil_Installer
FileDescription	Anvil_Installer
FileVersion	`1.0.0.0`
InternalName	Anvil_Installer.dll
LegalCopyright
OriginalFilename	Anvil_Installer.dll
ProductName	Anvil_Installer
ProductVersion	`1.0.0`
Assembly Version	1.0.0.0

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentVersion\Run` `Contains another PE executable: This program cannot be run in DOS mode.` `Contains domain names: https://aka.ms`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegCloseKey RegOpenKeyExW RegGetValueW` `Possibly launches other programs: ShellExecuteW`
Suspicious	The file contains overlay data.	`27857 bytes of data starting at offset 0x27a00.`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`ec05da3204ac7aa69f0448f2925b166e`
SHA1	`8d595261324172a56ab2568eb477f2aed5d2a4f2`
SHA256	`554de671eceb3721276497a7a03e7303261d0efabe855021b231092d84bc5dfb`
SHA3	`775ac737f1120d8a9b962d22e90c274f0f24335de6f74ea7ae4d1c2aef774a79`
SSDeep	`3072:FXwANETcQt1Onb5RHrfqDQXFn4dPPYseJwmZ82jT6Pbdy6Mtaz:9lxnlRLfyQXN42D7iy6`
Imports Hash	`53e4e12437621212a425d294842d0a96`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2025-Dec-12 11:44:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x18400`
SizeOfInitializedData	`0x10200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000013B80 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x2d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x180000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`542bbb6189c731190df7d68ac07232c5`
SHA1	`a534ee9585f711d3268a09598c23402954d58f33`
SHA256	`4620f2521a9f2a779dfcd034db28db6c17a01e72aa10d41330eb910000472773`
SHA3	`b3b350f38831c1834a54887174a675e6ccd1d7fe6029328950e31bbcf48f59b1`
VirtualSize	`0x1839c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x18400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.36301`

.rdata

MD5	`067891b0dcafcc999ed454b8a7a443fc`
SHA1	`871ed85304705ae11abef6ae0d7bcb51f963695a`
SHA256	`0c7397c2a4a19ab8684b09c22c68cfdc50a747a2e2bd2806338efa85748d7174`
SHA3	`11a41d23ef9fb4fab8e051ae5319b9f3903a6422c50f082a8657f3a0bacc51ac`
VirtualSize	`0xc5fe`
VirtualAddress	`0x1a000`
SizeOfRawData	`0xc600`
PointerToRawData	`0x18800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.84695`

.data

MD5	`2e57c48d157bfaad7560e9cbb68c9572`
SHA1	`55a9d235682df62e239b7479e327c97543a9846a`
SHA256	`37886c20618cacdde68102ba3f876b9fb17631f0e398f6e836491c7b1e4f7168`
SHA3	`3410001bfec8c586f7b50654e05ea2905f53d7ca27436bedf8cf7c43a8a908d0`
VirtualSize	`0x1a40`
VirtualAddress	`0x27000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x24e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.25021`

.pdata

MD5	`145209890bbc2ecbc84762fcd08efd0b`
SHA1	`b977d1f04a2d16147d86562124dde273386113bc`
SHA256	`5fd25e8acfaad5694cf25ea9676bd7e8569b1d9689e1c363afbba3e2f5180860`
SHA3	`8f915a320403176e49869b53edef17d54c34f98d1f3d35ed9e055ac17e6cfd7b`
VirtualSize	`0x14c4`
VirtualAddress	`0x29000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x25a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.92549`

.reloc

MD5	`013117ac819f8cbe20d402f784ee2731`
SHA1	`2f089ff04f134328ae06b14119155796239226aa`
SHA256	`f6bfd84f8de960552694e3ba178d8b40ea4a0ea893f4dfe14706415288487e4a`
SHA3	`a31b80535fd6738c1909a024a81da7b26e3dcca70b1f62a8a3c9ef72b219e1c9`
VirtualSize	`0x33c`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x400`
PointerToRawData	`0x27000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.80647`

.rsrc

MD5	`aeab8437a50b1a87c6026d7acdd9e9b5`
SHA1	`d01b1a8487592d2ff51139e5156cc649831ee4c5`
SHA256	`56cac425bbc54faf3ef215cc95f1cb1a87e243176c70fe50d3fe7d0754652511`
SHA3	`597f5a502dda2ee9b5f84117f5ced688bf8bf710d00026bac46bb3a4768ba75c`
VirtualSize	`0x588`
VirtualAddress	`0x2c000`
SizeOfRawData	`0x600`
PointerToRawData	`0x27400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.07313`

Imports

SHELL32.dll	`ShellExecuteW`
ADVAPI32.dll	`RegCloseKey` `ReportEventW` `RegisterEventSourceW` `RegOpenKeyExW` `RegGetValueW` `DeregisterEventSource`
KERNEL32.dll	`TlsFree` `CreateActCtxW` `ActivateActCtx` `GetLastError` `FindResourceW` `GetWindowsDirectoryW` `GetProcAddress` `GetModuleHandleW` `FreeLibrary` `LoadLibraryExW` `FindFirstFileExW` `EnterCriticalSection` `GetFullPathNameW` `FindNextFileW` `GetCurrentProcess` `GetStdHandle` `GetModuleHandleExW` `GetModuleFileNameW` `LeaveCriticalSection` `GetEnvironmentVariableW` `FindClose` `GetFileAttributesW` `MultiByteToWideChar` `GetConsoleMode` `GetFileAttributesExW` `LoadLibraryA` `WriteConsoleW` `DeleteCriticalSection` `WideCharToMultiByte` `IsWow64Process` `OutputDebugStringW` `GetCurrentProcessId` `TlsSetValue` `TlsGetValue` `TlsAlloc` `InitializeCriticalSectionAndSpinCount` `SetLastError` `RaiseException` `RtlPcToFileHeader` `RtlUnwindEx` `InitializeSListHead` `IsDebuggerPresent` `IsProcessorFeaturePresent` `TerminateProcess` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `GetStringTypeW` `SwitchToThread` `GetCurrentThreadId` `InitializeCriticalSectionEx` `EncodePointer` `DecodePointer` `LCMapStringEx` `QueryPerformanceCounter` `GetSystemTimeAsFileTime`
USER32.dll	`MessageBoxW`
api-ms-win-crt-runtime-l1-1-0.dll	`terminate` `_register_thread_local_exe_atexit_callback` `_c_exit` `__p___wargv` `__p___argc` `_exit` `exit` `_initterm_e` `_errno` `_initterm` `_get_initial_wide_environment` `_initialize_wide_environment` `_configure_wide_argv` `_set_app_type` `_seh_filter_exe` `_cexit` `_crt_atexit` `_register_onexit_function` `_initialize_onexit_table` `abort` `_invoke_watson`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `calloc` `malloc` `_callnewh` `free`
api-ms-win-crt-time-l1-1-0.dll	`_time64` `_gmtime64_s` `wcsftime`
api-ms-win-crt-stdio-l1-1-0.dll	`__stdio_common_vfwprintf` `__p__commode` `fputwc` `__acrt_iob_func` `__stdio_common_vswprintf` `_set_fmode` `_wfsopen` `fflush` `setvbuf` `__stdio_common_vsnwprintf_s`
api-ms-win-crt-locale-l1-1-0.dll	`_create_locale` `___mb_cur_max_func` `___lc_codepage_func` `___lc_locale_name_func` `__pctype_func` `_configthreadlocale` `setlocale` `_lock_locales` `_free_locale` `_unlock_locales`
api-ms-win-crt-string-l1-1-0.dll	`strlen` `strcmp` `wcsncmp` `toupper` `strcpy_s` `_wcsdup` `wcsnlen`
api-ms-win-crt-convert-l1-1-0.dll	`_wtoi` `wcstoul`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2fc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23936`
MD5	`8cb9c32e2e927a689f842352f3a735e6`
SHA1	`3d0abe1ed8b2fae68595942c8cca714779a53d94`
SHA256	`8d7d883b62446220a5e4d8f872dd712970646a3ad7d70054eb8c5eea6e0d4320`
SHA3	`bcc698cae81b3dda5d1644c1baf5e616a9b58cf0187968c7aea2e4366da19600`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1ea`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.00112`
MD5	`b7db84991f23a680df8e95af8946f9c9`
SHA1	`cac699787884fb993ced8d7dc47b7c522c7bc734`
SHA256	`539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a`
SHA3	`4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	Anvil_Installer
FileDescription	Anvil_Installer
FileVersion (#2)	1.0.0.0
InternalName	Anvil_Installer.dll
LegalCopyright
OriginalFilename	Anvil_Installer.dll
ProductName	Anvil_Installer
ProductVersion (#2)	1.0.0
Assembly Version	1.0.0.0

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2025-Dec-12 16:42:09
Version	`0.0`
SizeofData	`121`
AddressOfRawData	`0x22e2c`
PointerToRawData	`0x2162c`
Referenced File	D:\a\_work\1\s\src\runtime\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2025-Dec-12 16:42:09
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x22ea8`
PointerToRawData	`0x216a8`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Dec-12 16:42:09
Version	`0.0`
SizeofData	`988`
AddressOfRawData	`0x22ebc`
PointerToRawData	`0x216bc`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2025-Dec-12 16:42:09
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0x232c0`
PointerToRawData	`0x21ac0`

TLS Callbacks

StartAddressOfRawData	`0x1400232e8`
EndAddressOfRawData	`0x1400232f8`
AddressOfIndex	`0x140028a28`
AddressOfCallbacks	`0x14001a518`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0x800`
EditList	`0`
SecurityCookie	`0x1400270c0`
GuardCFCheckFunctionPointer	`5368816712`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x2c9db172`
Unmarked objects	`0`
ASM objects (35207)	`10`
C objects (35207)	`13`
C++ objects (35207)	`86`
Imports (VS2008 SP1 build 30729)	`16`
Imports (33140)	`9`
Total imports	`212`
C++ objects (LTCG) (35217)	`10`
Linker (35217)	`1`

Errors

Leave a comment

No comments yet.