Manalyze report for 634ed6847c19b988eac06dc6aa4b0802

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Jul-31 08:40:02
Detected languages	Chinese - PRC English - United States
CompanyName	Microsoft Corporation
FileDescription	Runtime Handler
FileVersion	`10.0.19041.3636`
InternalName	ccSet.dll
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	reqhandler.dll
ProductName	Internet Information Services
ProductVersion	`10.0.19041.3636`

Plugin Output

Suspicious	The PE is packed with mpress	`Unusual section name found: .MPRESS1` `Section .MPRESS1 is both writable and executable.` `Unusual section name found: .MPRESS2` `Section .MPRESS2 is both writable and executable.` `The PE only has 4 import(s).`
Suspicious	The PE contains functions most legitimate programs don't use.	`Has Internet access capabilities: WinHttpOpen` `Leverages the raw socket API to access the Internet: socket`
Malicious	The PE's digital signature is invalid.	`Signer: Microsoft Corporation` `Issuer: Microsoft Code Signing PCA 2011` `The file was modified after it was signed.`

Hashes

MD5	`634ed6847c19b988eac06dc6aa4b0802`
SHA1	`caa567043d9f1cb7e362a7b99574d77a648a52b4`
SHA256	`fbfd7da9c76bc476ae8826c5db6cb5f393300f4e600a9cb28c0feace7fbf71cc`
SHA3	`1571de88d752310f994f7d5cbfa9f72f4718aa13ebbbcf08af009b19f27abde2`
SSDeep	`6144:dLSrr0qIiVgfTnZPiaEr1rvyqMlbvF2wB:FoHjufTnZqvRr9MB0s`
Imports Hash	`d0b908805bd8ba493d39d39f00e915d6`

DOS Header

e_magic	`MZ`
e_cblp	`0x40`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x2`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0xb400`
e_oeminfo	`0xcd09`
e_lfanew	`0x40`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`3`
TimeDateStamp	2025-Jul-31 08:40:02
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x49800`
SizeOfInitializedData	`0x26a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000006E13E (Section: .MPRESS2)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x70000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.MPRESS1

MD5	`9bb41cbe356db007692fbeb5f321140d`
SHA1	`13117e9e3d5f49b6fa025020de36b85f03b64efe`
SHA256	`1d1cfe4ce3347b8841921ec4b7787a049716f256c6d252ed2461af6a5513f90f`
SHA3	`c534f438eda4e0d09dc229b23cbbafb94267a76e1c4208c7de2e786b3519e353`
VirtualSize	`0x6d000`
VirtualAddress	`0x1000`
SizeOfRawData	`0x25600`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99842`

.MPRESS2

MD5	`0a09e08774c10636e95b0b241c5c4b7e`
SHA1	`13a3677a4a6274a6ffcd5704a7689abc60e0eb3a`
SHA256	`d8be06985d1cd3434e3d8994e3e6e34993716ca06ea8e2ed74b2665fdbae6c35`
SHA3	`770c1fdfa94cf73f53404af05cf3d63f99ea794a3e4c8bd0b582dfa4a3f23f9f`
VirtualSize	`0xc48`
VirtualAddress	`0x6e000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x25800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.66465`

.rsrc

MD5	`d906047bfdae63629619f5d2e858d751`
SHA1	`39e43769a448ac46cd93fce7e109880ca7fc07e8`
SHA256	`eecc5a6cd2543bff65194d4e74041135081882a7c15738ac3cedceb617c812d5`
SHA3	`f321f1db64da515ce6a98cf881b24717473e3fe054e42bf864221c3cff852d27`
VirtualSize	`0x588`
VirtualAddress	`0x6f000`
SizeOfRawData	`0x600`
PointerToRawData	`0x26600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.38764`

Imports

KERNEL32	`GetModuleHandleA` `GetProcAddress`
WINHTTP.dll	`WinHttpOpen`
WS2_32.dll	`socket`

Delayed Imports

RegisterModule

Ordinal	`1`
Address	`0xbe50`

1

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x368`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.31867`
MD5	`444a45372c5a4e251091c7ab116999d7`
SHA1	`fcf06ea5395a6193acc7d9ef9532308e2dfe04bb`
SHA256	`21d660e97f5c4e4bbd64c52745c4c983b833cd7e26893c2047955e0cfb2b46ba`
SHA3	`3693dc22c85f00ed9499767c71b8edecaac7ee54e81a81abbcc9c5dc303ee23d`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.1
ProductVersion	1.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	UNKNOWN
CompanyName	Microsoft Corporation
FileDescription	Runtime Handler
FileVersion (#2)	10.0.19041.3636
InternalName	ccSet.dll
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	reqhandler.dll
ProductName	Internet Information Services
ProductVersion (#2)	10.0.19041.3636

Resource LangID	Chinese - PRC

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Please edit the configuration file with your VirusTotal API key.
[!] Error: Could not load yara_rules/bitcoin.yara!
[!] Error: Could not load yara_rules/monero.yara!
[!] Error: Could not load yara_rules/compilers.yara!
[!] Error: Could not load yara_rules/findcrypt.yara!
[!] Error: Could not load yara_rules/suspicious_strings.yara!
[!] Error: Could not load yara_rules/domains.yara!
[!] Error: Could not load yara_rules/peid.yara!