571ca9768d7b7a96678cf75a24024977f16b2031d263f07a9ad34661c4dee615

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2026-Apr-14 09:43:49
Detected languages English - United States
Debug artifacts C:\test\mssip32\x64\Release\mssip32.pdb

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to security software:
  • bundle.exe
Miscellaneous malware strings:
  • cmd.exe
Contains domain names:
Malicious The PE contains functions mostly used by malware.
Can access the registry:
  • RegSetValueExW
  • RegCreateKeyExW
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessW
Functions related to the privilege level:
  • OpenProcessToken
Suspicious The file contains overlay data. 12288 bytes of data starting at offset 0x4200.
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 7e4ee8d6755541748745b88b9dd5b499
SHA1 3bf45cd5d797cd121d2d4f17bfeba133647cd6fd
SHA256 571ca9768d7b7a96678cf75a24024977f16b2031d263f07a9ad34661c4dee615
SHA3 119c7dd85e2f1b1e25d36c55db264ce0984c93078317c7142289a06e05983cc2
SSDeep 384:phZZrCh4wPDJGtB4rV0mnY4MgUM9JWeHHC9sYSLknpLjdg:LZ0lbr+L4gMDNHFL4Z
Imports Hash 59e404eb82dcd25f68ffe732d191c751

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2026-Apr-14 09:43:49
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x1600
SizeOfInitializedData 0x2800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000001AF4 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x180000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x9000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 db3a1ec4dadb90dbcb789f12b2740c66
SHA1 be6a2d90dedb08371fd5ffb2f6bc714ddb3ee41d
SHA256 2b0273cf5377869a93534ac4577d7c7d75d352a039261dc17688c8dbe886b0a6
SHA3 a0679b471df1dcb854976965d3d31f5193e2f39ed9afb4fc237ae42fdcd08da1
VirtualSize 0x1488
VirtualAddress 0x1000
SizeOfRawData 0x1600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.89765

.rdata

MD5 79303dfb9d5bf72a948657d6a2a4be07
SHA1 e43bc6cb559b44e993d2574c1905d783b03dfdd5
SHA256 49785e755b31924a05b94b6abe37abfab1b56a96047dc2f577064f98cd2e1e7d
SHA3 3554a47bcb969c5b0f12235c9f2fb21aaa4577589ce889bc82f35949f1cd06b8
VirtualSize 0x1de0
VirtualAddress 0x3000
SizeOfRawData 0x1e00
PointerToRawData 0x1a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.1296

.data

MD5 21fe78f3192d0eb150dee52038fd836d
SHA1 a8afd532719371b17b9e1f59448ca66f9a5bda59
SHA256 a14dd027485630ab7db105f24fafc06fe665b8b5a1c1b4e987f026812e4d2c91
SHA3 4d8e1ce520a477eb128dd77df44594ba4a2d3418f8b1fb9ccbaed8443839693c
VirtualSize 0x118
VirtualAddress 0x5000
SizeOfRawData 0x200
PointerToRawData 0x3800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.517653

.pdata

MD5 931da36d460292757c69ccb3ca1d89ce
SHA1 fd1795234fe55204bc7032ae447f3bff49825f37
SHA256 367f5d6b629ba1d5d8f3fec5e491d03ad43ee1c4abf4cf4b21a56d18ff5e34c0
SHA3 3be0d7f9043f0e243ef381f1015d8cb77ca148df4fd24da02285b3e236378c93
VirtualSize 0x210
VirtualAddress 0x6000
SizeOfRawData 0x400
PointerToRawData 0x3a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.29845

.rsrc

MD5 74421ade29ae659aa6b7217dd935979e
SHA1 dced4cc99cbea0a5455dffd54e2e246a0fc2ca18
SHA256 719c24aac5529e19e2b4dee43bc11eb1d8d10b081ba3f35b0eeb9df2e2eaea83
SHA3 bb11f1600ba2a5afe88f7cd664cb4583363d840867f5e40962d9aed2872ed681
VirtualSize 0xf8
VirtualAddress 0x7000
SizeOfRawData 0x200
PointerToRawData 0x3e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.51196

.reloc

MD5 8e2b2f835db3099501a0f98ebfe6d7dd
SHA1 2ca30425ec30ab6fa02b0c1a1760cc5f2f4df1d3
SHA256 5a7f536672716dc65d7f97fd22d5e336070ef1c7144d86fb13be6553ab20da20
SHA3 c3d5c49a9c9b9e6ba699e470608b093da7570c029186c127f8801c1f457b2a19
VirtualSize 0x30
VirtualAddress 0x8000
SizeOfRawData 0x200
PointerToRawData 0x4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.589084

Imports

KERNEL32.dll GetCurrentProcess
GetFileAttributesW
CopyFileW
Sleep
DisableThreadLibraryCalls
GetCurrentProcessId
GetModuleFileNameW
GetModuleHandleW
CloseHandle
WaitForSingleObject
CreateProcessW
ExitProcess
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
QueryPerformanceCounter
ADVAPI32.dll RegSetValueExW
RegCreateKeyExW
GetTokenInformation
OpenProcessToken
RegCloseKey
VCRUNTIME140.dll __std_type_info_destroy_list
__C_specific_handler
wcsrchr
memcpy
memset
api-ms-win-crt-stdio-l1-1-0.dll __stdio_common_vswprintf
api-ms-win-crt-string-l1-1-0.dll wcscpy_s
api-ms-win-crt-runtime-l1-1-0.dll _execute_onexit_table
_cexit
_initialize_onexit_table
_initterm
_seh_filter_dll
_initialize_narrow_environment
_configure_narrow_argv
_initterm_e

Delayed Imports

curl_easy_cleanup

Ordinal 1
Address 0x1750

curl_easy_init

Ordinal 2
Address 0x1720

curl_easy_perform

Ordinal 3
Address 0x1740

curl_easy_setopt

Ordinal 4
Address 0x1760

curl_global_cleanup

Ordinal 5
Address 0x1750

curl_global_init

Ordinal 6
Address 0x1750

curl_version

Ordinal 7
Address 0x1770

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x91
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.8858
MD5 f7ad1eab748bc07570a57ec87787cf90
SHA1 0b1608da9fef218386e825db575c65616826d9f4
SHA256 d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04
SHA3 6c9541b36948c19ae507d74223621875b3af4064f7cd8200bdb97e15a047e96a

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2026-Apr-14 09:43:49
Version 0.0
SizeofData 64
AddressOfRawData 0x42d0
PointerToRawData 0x2cd0
Referenced File C:\test\mssip32\x64\Release\mssip32.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2026-Apr-14 09:43:49
Version 0.0
SizeofData 20
AddressOfRawData 0x4310
PointerToRawData 0x2d10

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2026-Apr-14 09:43:49
Version 0.0
SizeofData 600
AddressOfRawData 0x4324
PointerToRawData 0x2d24

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2026-Apr-14 09:43:49
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x180005000

RICH Header

XOR Key 0x2ca449ca
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 6
Imports (35403) 2
ASM objects (35403) 4
C objects (35403) 8
C++ objects (35403) 11
Imports (33145) 5
Total imports 44
C++ objects (LTCG) (35722) 2
Exports (35722) 1
Resource objects (35722) 1
Linker (35722) 1

Errors
