Manalyze report for 6f0d9b1c05af29b517183882f0993cb9

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2024-Nov-20 22:37:22
TLS Callbacks	1 callback(s) detected.
Debug artifacts	hooks.pdb

Plugin Output

Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities (process hollowing): WriteProcessMemory SetThreadContext ResumeThread` `Memory manipulation functions often used by packers: VirtualAllocEx VirtualProtect VirtualAlloc` `Manipulates other processes: ReadProcessMemory WriteProcessMemory`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`6f0d9b1c05af29b517183882f0993cb9`
SHA1	`5c3b8da73f45900caeb759483792b64628e1f081`
SHA256	`3c00ca9fb121dbae30a60fc30999416e3ad94c9b4fce82fc158b49d16cf47b46`
SHA3	`184e45bc475dc3647104d52d138a4fcb8d46c7ee2499974feeadb6b5f49aeaf0`
SSDeep	`6144:6ckC7kKO+NPlHzccxIyIX7hoMH8DwyoqZpI9tA5U6YTMzgrIBw:rkokh+NNTnwLhoMHl4I9p5Rsw`
Imports Hash	`58cbdd9794e63eeb15e0673c8526acbe`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2024-Nov-20 22:37:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x3a000`
SizeOfInitializedData	`0x1e200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000383EC (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x5b000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`05713ee72bd39605db4fc2a44efb2856`
SHA1	`84c9e17ba297d00c1d358c9bb400f8a6b555bb25`
SHA256	`b6b036247b7def8a0df65fdf8ef491a00117b091e7358bbf584e702688a214e4`
SHA3	`58f52eeabcf65f41c788891009a55455700344dd60f730ed848342ac9f894b7c`
VirtualSize	`0x39f5b`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3a000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.33381`

.rdata

MD5	`f21eb45615aa0cb4bad6847f3910a94c`
SHA1	`043bf11ef6b2b3501fbfa056ab60dcd89798b730`
SHA256	`b7e54cb69103fd54965f9a0a338a29661802d546731da7eddcd9265a31622275`
SHA3	`7ab1bac057e3dfe7fd5e75794ee825551cfed88fbbaca694e64a0552a8e1cc98`
VirtualSize	`0x19376`
VirtualAddress	`0x3b000`
SizeOfRawData	`0x19400`
PointerToRawData	`0x3a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.21885`

.data

MD5	`89bef36e3a14435a46519d6af1e9d729`
SHA1	`0720854e726b7e46254151b16c65d4f06f24e524`
SHA256	`4ca20fe6bdd5e77c7e43fada4cb7025589b7dd8545130123e89c4344fa5df82a`
SHA3	`b59fbd2178a5ab11e6d3ff96bf7401b92d4bcbf05ca36df12e54473b323078fc`
VirtualSize	`0x10e8`
VirtualAddress	`0x55000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x53800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.78195`

.pdata

MD5	`1e0029eaec8cd0d0bb29aed429babe87`
SHA1	`0a3858e01bee1a8bf967c5ca2161f01930e1e8e1`
SHA256	`48465841dd4363e97fee9bd925b293b8fbff7a6f7b4cefb457674434f88200a3`
SHA3	`54058b5d9f3a947d49a6c5a0277ff70dedd78a60bc7dfe34bca7099c2ea2e6b2`
VirtualSize	`0x2eb0`
VirtualAddress	`0x57000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x54200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.52668`

.reloc

MD5	`1cc69d6409acd6aaaa4b7fcee5efaead`
SHA1	`7a524cf9cbff6ec936f858a883a359ccfa0af2da`
SHA256	`a526d8ae3a6de79419d7b8fd5e3f8bc95902da41d338f8dcd5f2fb019afcb491`
SHA3	`43a64bfd5c00148bdc050c3e5cd6c2e32c9a3407ad2ca7f7726b12bc05471e90`
VirtualSize	`0xa98`
VirtualAddress	`0x5a000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x57200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.19187`

Imports

api-ms-win-core-synch-l1-2-0.dll	`WaitOnAddress` `WakeByAddressAll` `WakeByAddressSingle`
ntdll.dll	`RtlCaptureContext` `RtlNtStatusToDosError` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `NtWriteFile`
KERNEL32.dll	`SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `IsDebuggerPresent` `InitializeSListHead` `DisableThreadLibraryCalls` `CreateMutexA` `LoadLibraryA` `WaitForSingleObjectEx` `ReadProcessMemory` `GetTickCount` `GetSystemTimeAsFileTime` `CreateWaitableTimerExA` `CreateWaitableTimerExW` `GetCurrentThreadId` `CloseHandle` `GetCurrentProcess` `GetProcessId` `CreateToolhelp32Snapshot` `VirtualAllocEx` `Thread32Next` `Thread32First` `Module32Next` `Module32First` `VirtualFreeEx` `WriteProcessMemory` `DuplicateHandle` `RegisterWaitForSingleObject` `UnregisterWait` `CreateEventA` `WaitForSingleObject` `SetEvent` `ResetEvent` `WriteFile` `PeekNamedPipe` `ReadFile` `GetThreadContext` `SetThreadContext` `OpenThread` `SuspendThread` `ResumeThread` `GetLastError` `HeapCreate` `HeapAlloc` `HeapReAlloc` `HeapFree` `Sleep` `GetCurrentProcessId` `FlushInstructionCache` `VirtualProtect` `GetModuleHandleW` `GetProcAddress` `GetSystemInfo` `VirtualAlloc` `VirtualFree` `VirtualQuery` `QueryPerformanceCounter` `SetLastError` `GetCurrentDirectoryW` `GetEnvironmentVariableW` `GetStdHandle` `TerminateProcess` `lstrlenW` `ReleaseMutex` `GetProcessHeap` `IsProcessorFeaturePresent` `GetConsoleMode` `FormatMessageW` `MultiByteToWideChar` `WriteConsoleW` `WideCharToMultiByte`
USER32.dll	`PeekMessageW` `PeekMessageA` `IsWindowVisible` `EnumThreadWindows` `GetKeyState`
VCRUNTIME140.dll	`memcpy` `memset` `_CxxThrowException` `__CxxFrameHandler3` `__std_type_info_destroy_list` `__C_specific_handler` `memcmp` `memmove`
api-ms-win-crt-string-l1-1-0.dll	`strlen`
api-ms-win-crt-math-l1-1-0.dll	`round`
api-ms-win-crt-runtime-l1-1-0.dll	`_initterm` `_initterm_e` `_seh_filter_dll` `_configure_narrow_argv` `_initialize_narrow_environment` `_initialize_onexit_table` `_execute_onexit_table` `_cexit`
api-ms-win-crt-heap-l1-1-0.dll	`free`

Delayed Imports

initialize

Ordinal	`1`
Address	`0x91c0`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-Nov-20 22:37:22
Version	`0.0`
SizeofData	`34`
AddressOfRawData	`0x4b0b4`
PointerToRawData	`0x4a4b4`
Referenced File	hooks.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2024-Nov-20 22:37:22
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x4b0d8`
PointerToRawData	`0x4a4d8`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Nov-20 22:37:22
Version	`0.0`
SizeofData	`772`
AddressOfRawData	`0x4b0ec`
PointerToRawData	`0x4a4ec`

TLS Callbacks

StartAddressOfRawData	`0x18004b410`
EndAddressOfRawData	`0x18004b4b8`
AddressOfIndex	`0x180055ad4`
AddressOfCallbacks	`0x18003b3d8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x0000000180025290`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x180055880`

RICH Header

XOR Key	`0x56d93619`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`8`
Imports (33808)	`2`
ASM objects (33808)	`4`
C objects (33808)	`8`
C++ objects (33808)	`17`
Imports (30795)	`10`
Total imports	`211`
C objects (34120)	`4`
Unmarked objects (#2)	`52`
Exports (34120)	`1`
Linker (34120)	`1`

6f0d9b1c05af29b517183882f0993cb9

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.reloc

Imports

Delayed Imports

initialize

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors