6a483012eff29af246ec93ccfa07f9c0f343547e28fab097457f61ba0f07300f

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2026-Mar-20 15:11:49
Detected languages English - United States
TLS Callbacks 1 callback(s) detected.

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • 2Flogin.live.com
  • 3Auser.auth.xboxlive.com
  • account.live.com
  • auth.xboxlive.com
  • bgp.tyserve.net
  • github.com
  • https://github.com
  • login.live.com
  • tyserve.net
  • xboxlive.com
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Uses constants related to SHA256
Uses constants related to SHA512
Uses constants related to AES
Uses constants related to Blowfish
Uses known Diffie-Hellman primes
Uses known Mersenne Twister constants
Microsoft's Cryptography API
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
  • LoadLibraryW
  • LoadLibraryExW
Uses Windows's Native API:
  • ntohs
  • ntohl
Uses Microsoft's cryptographic API:
  • CryptEnumProvidersW
  • CryptSignHashW
  • CryptDestroyHash
  • CryptCreateHash
  • CryptDecrypt
  • CryptExportKey
  • CryptGetUserKey
  • CryptGetProvParam
  • CryptSetHashParam
  • CryptDestroyKey
  • CryptGenRandom
  • CryptReleaseContext
  • CryptAcquireContextW
Leverages the raw socket API to access the Internet:
  • accept
  • shutdown
  • socket
  • getservbyname
  • getservbyport
  • gethostbyname
  • gethostbyaddr
  • ntohs
  • inet_ntoa
  • inet_addr
  • sendto
  • recvfrom
  • getpeername
  • WSASocketA
  • send
  • recv
  • freeaddrinfo
  • getaddrinfo
  • WSAStringToAddressW
  • WSASocketW
  • WSASend
  • WSARecv
  • WSAIoctl
  • WSAGetLastError
  • WSASetLastError
  • WSACleanup
  • WSAStartup
  • setsockopt
  • select
  • ntohl
  • listen
  • htons
  • htonl
  • getsockopt
  • getsockname
  • ioctlsocket
  • connect
  • closesocket
  • bind
  • __WSAFDIsSet
Enumerates local disk drives:
  • GetDriveTypeW
Interacts with the certificate store:
  • CertOpenStore
  • CertOpenSystemStoreW
Safe VirusTotal score: 0/47 (Scanned on 2026-03-27 00:14:47) All the AVs think this file is safe.

Hashes

MD5 9f5f5f107e10f9e5c312b1fa19aabc4a
SHA1 9141d6685f32daf6c07d4d46adee1c3a0bf31f8d
SHA256 6a483012eff29af246ec93ccfa07f9c0f343547e28fab097457f61ba0f07300f
SHA3 e02dd03bf96c01017aa20c960bcf05e9e1a6ee0b9cb7ebe619ca9ce4ec0b3faa
SSDeep 49152:4mGtlqmVwASOltQAgxNrnuiCD+UlB39baqj1gebHvHF2eTC4LiVBmbiVQcZ+5yX:7xRnGhxVvVin1+5ycLrtXjU+Tu06
Imports Hash 35ba87436cd8b6cd04f72ef60f2cd238

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x120

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2026-Mar-20 15:11:49
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x4ec200
SizeOfInitializedData 0x244800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000004AA65C (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x735000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 45dabd146bbb38973d537330fa9e1361
SHA1 744c8f9b9b128adf8304cb7317ab9daf362e1837
SHA256 25a3335c4d9b1fe451e710deb0bddb42ce2e4d3e678507423ec50bf1604aac15
SHA3 a2b8b8d578ceffb4b3cc544612a04ae8b561485e6ccfdb56baf120fd76e6fadc
VirtualSize 0x4ec1c8
VirtualAddress 0x1000
SizeOfRawData 0x4ec200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.63486

.rdata

MD5 1e99c1753b08660d48b1b47637e3c302
SHA1 a3fb8ea7dbcb5e4c94a0564129d86889c148ce15
SHA256 e0d9498ed5f2da7505e1c2e540183b2d560ad4ad884f02e50c864356b1a0b34e
SHA3 9aea3f6e94f79a6fa8e925e56e51950f19f79414965ae68dd9304ac07a5b3129
VirtualSize 0x1bdd60
VirtualAddress 0x4ee000
SizeOfRawData 0x1bde00
PointerToRawData 0x4ec600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.74198

.data

MD5 22735a59362a55f89a9cf0d4bdf9ee9a
SHA1 0ba61be81751bc740e491954d211830f35e2356a
SHA256 3cd6f6bad4528e288132f8a30f46ce9127cc5df59433d46f8ecf17b32b675969
SHA3 b765a4866579c9c89d7232376af899f46b85a781ce90150ad1081904aeb3ba1c
VirtualSize 0x426f4
VirtualAddress 0x6ac000
SizeOfRawData 0x3ce00
PointerToRawData 0x6aa400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.86299

.pdata

MD5 66c1b0d7493f5fc09d7c3a56f2daf435
SHA1 8e3a9890444d5cd7674cf014f301e68343225a1a
SHA256 6a53334211eaedac9e38113b6c12c94fcbd6bc3236af1e57ee7467a4efff0990
SHA3 3159551263a1daa42b8f36609dc0a88719ee5a023904c1717e508d63c3a5fa3d
VirtualSize 0x34608
VirtualAddress 0x6ef000
SizeOfRawData 0x34800
PointerToRawData 0x6e7200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.34588

.rsrc

MD5 8e347e0d755fbab3a75e82fbea3eaf57
SHA1 44950f01784297d4f65aeab637d822a24728b2a4
SHA256 5ff3d27cd413346a7817f161d8c4b41c58974199ed33911448becb7a1e5fcdf4
SHA3 f9a61a41e9c6476efaab0c0edefb3a9da9de1a51da36de59305913909cffca73
VirtualSize 0x1e0
VirtualAddress 0x724000
SizeOfRawData 0x200
PointerToRawData 0x71ba00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.70696

.reloc

MD5 9ec7a390a5d821bbd4ebd555eb52822a
SHA1 7f3669b00a61f1297009081ca9485abeae073841
SHA256 b038f0c642fe3b6460ce7ace8cd0aa7c73c63d77a3816b5709d7f77d3125dba6
SHA3 0685b60d30378f04439552dda3df69ea8ebc7b15f998c1cda56e3443beebbafc
VirtualSize 0xf668
VirtualAddress 0x725000
SizeOfRawData 0xf800
PointerToRawData 0x71bc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.45336

Imports

WS2_32.dll
accept
shutdown
socket
getservbyname
getservbyport
gethostbyname
gethostbyaddr
ntohs
inet_ntoa
inet_addr
sendto
recvfrom
getpeername
WSASocketA
send
recv
freeaddrinfo
getaddrinfo
WSAStringToAddressW
WSASocketW
WSASend
WSARecv
WSAIoctl
WSAGetLastError
WSASetLastError
WSACleanup
WSAStartup
setsockopt
select
ntohl
listen
htons
htonl
getsockopt
getsockname
ioctlsocket
connect
closesocket
bind
__WSAFDIsSet
CRYPT32.dll
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertOpenSystemStoreW
KERNEL32.dll
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetCommandLineW
GetCommandLineA
GetConsoleOutputCP
SetFilePointerEx
ReadFile
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetDriveTypeW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
GetModuleFileNameW
LCMapStringW
GetStdHandle
CreateFileA
GetFileSizeEx
CloseHandle
GetLastError
SetLastError
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CancelIoEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ReleaseMutex
WaitForSingleObject
SleepEx
CreateMutexW
CreateEventW
SetWaitableTimer
Sleep
WaitForMultipleObjects
QueueUserAPC
GetCurrentProcessId
TerminateThread
MapViewOfFile
UnmapViewOfFile
GetLocaleInfoW
FormatMessageA
FormatMessageW
CreateWaitableTimerA
CreateFileMappingA
MultiByteToWideChar
WideCharToMultiByte
GetConsoleMode
SetConsoleMode
SetConsoleCP
SetConsoleOutputCP
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
VirtualFree
SwitchToFiber
DeleteFiber
CreateFiberEx
GetSystemTime
SystemTimeToFileTime
FindClose
FindFirstFileW
FindNextFileW
GetModuleHandleExW
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
InitializeCriticalSection
ReleaseSemaphore
GetExitCodeThread
CreateSemaphoreA
GetEnvironmentVariableW
GetACP
GetFileType
WriteFile
GetModuleHandleW
ConvertFiberToThread
ConvertThreadToFiberEx
GetSystemTimeAsFileTime
RtlVirtualUnwind
LoadLibraryW
ReadConsoleA
ReadConsoleW
GetConsoleScreenBufferInfo
ExitThread
CreateThread
ExitProcess
SetConsoleCtrlHandler
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
GetTimeZoneInformation
SetStdHandle
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
WriteConsoleW
SetEndOfFile
LocalFree
RtlUnwind
RtlPcToFileHeader
RaiseException
GetLocaleInfoEx
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObjectEx
GetNativeSystemInfo
TryAcquireSRWLockExclusive
SleepConditionVariableSRW
WakeAllConditionVariable
GetCurrentDirectoryW
CreateDirectoryW
CreateFileW
FindFirstFileExW
GetFileAttributesExW
GetFileInformationByHandle
GetFullPathNameW
AreFileApisANSI
GetFileInformationByHandleEx
InitializeCriticalSectionEx
EncodePointer
DecodePointer
LCMapStringEx
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
LoadLibraryExW
FreeLibraryAndExitThread
USER32.dll
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
ADVAPI32.dll
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource

Delayed Imports

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2026-Mar-20 15:11:49
Version 0.0
SizeofData 1108
AddressOfRawData 0x66e1a0
PointerToRawData 0x66c7a0

TLS Callbacks

StartAddressOfRawData 0x14066e640
EndAddressOfRawData 0x140670df0
AddressOfIndex 0x1406ed078
AddressOfCallbacks 0x1404ee950
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_16BYTES
Callbacks 0x00000001404AA010

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1406b38c0

RICH Header

XOR Key 0xc9265d20
Unmarked objects 0
ASM objects (30795) 11
C++ objects (30795) 194
C objects (30795) 19
ASM objects (35207) 10
C objects (35207) 19
C++ objects (35207) 102
Total imports 270
Imports (30795) 11
C++ objects (35225) 19
Unmarked objects (#2) 42
C objects (35225) 939
C++ objects (35222) 1
Resource objects (35222) 1
Linker (35222) 1

Errors
