Manalyze report for 7c00e4f028f2f44a440ffa02e32b250b

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2063-Dec-08 19:12:01
TLS Callbacks	1 callback(s) detected.
Debug artifacts	Deep.pdb
Comments
CompanyName
FileDescription
FileVersion	`1.0.1`
InternalName	Deep.exe
LegalCopyright	Copyright © BuPyC12 2022
LegalTrademarks
OriginalFilename	Deep.exe
ProductName
ProductVersion	`1.0.1`
Assembly Version	1.0.0.1

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: regsvr32.exe` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: github.com google.com http://schemas.microsoft.com http://schemas.microsoft.com/expression/blend/2008 http://schemas.microsoft.com/winfx/2006/xaml http://schemas.microsoft.com/winfx/2006/xaml/presentation http://schemas.openxmlformats.org http://schemas.openxmlformats.org/markup-compatibility/2006 http://scripts.sil.org http://scripts.sil.org/OFLOpen http://scripts.sil.org/OFLOpenSansRomanWeightWidthNormalItalicRoman http://www.google.com http://www.google.com/get/noto/http http://www.monotype.com http://www.monotype.com/studioThis https://github.com https://scripts.sil.org https://scripts.sil.org/OFLhttp microsoft.com monotype.com openxmlformats.org schemas.microsoft.com schemas.openxmlformats.org scripts.sil.org www.google.com www.monotype.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses known Mersenne Twister constants`
Suspicious	The PE is possibly packed.	`Unusual section name found: * ~K5 \x1e\x05` `Section * ~K5 \x1e\x05 is both writable and executable.` `Unusual section name found: .ldata` `Section .ldata is both writable and executable.` `Section .textbss is both writable and executable.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryA GetProcAddress` `Code injection capabilities: VirtualAlloc VirtualAllocEx CreateRemoteThread WriteProcessMemory` `Code injection capabilities (process hollowing): ResumeThread WriteProcessMemory SetThreadContext` `Can access the registry: RegOpenKeyA` `Can create temporary files: CreateFileW GetTempPathW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect VirtualAllocEx VirtualProtectEx` `Enumerates local disk drives: GetLogicalDriveStringsW` `Manipulates other processes: ReadProcessMemory WriteProcessMemory`
Malicious	VirusTotal score: 26/72 (Scanned on 2025-01-17 22:15:38)	`ALYac: Gen:Variant.Ulise.527307` `APEX: Malicious` `Antiy-AVL: GrayWare/Win32.Wacapew` `Arcabit: Trojan.Ulise.D80BCB` `BitDefender: Gen:Variant.Ulise.527307` `Bkav: W64.AIDetectMalware` `CTX: exe.unknown.ulise` `ClamAV: Win.Malware.Lazy-10040068-0` `CrowdStrike: win/malicious_confidence_70% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Ulise.527307 (B)` `FireEye: Generic.mg.7c00e4f028f2f44a` `GData: Gen:Variant.Ulise.527307` `Gridinsoft: Trojan.Heur!.03012203` `Malwarebytes: Generic.Malware.AI.DDS` `McAfeeD: Real Protect-LS!7C00E4F028F2` `MicroWorld-eScan: Gen:Variant.Ulise.527307` `NANO-Antivirus: Virus.Win64.Virut-Gen.bwpxnc` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Generic.wc` `Symantec: ML.Attribute.HighConfidence` `Trapmine: malicious.moderate.ml.score` `VIPRE: Gen:Variant.Ulise.527307` `Zoner: Probably Heur.ExeHeaderL`

Hashes

MD5	`7c00e4f028f2f44a440ffa02e32b250b`
SHA1	`9d787339842f2e6ec2b0e33ffb59f713cb9b9b01`
SHA256	`6b0a9be2a97baa88cf88fb4fe6eafda272575afe48bd48544bf2dece2048db95`
SHA3	`88e5d27da335865d49722a35c0b0f1dfcbdd3e2e3e487007f7de3c4fc315964a`
SSDeep	`49152:LJ2ssBQNfdOWStQ0PPNlhzxxRFlEXFC7rDS6aLpxjHBXN:IsoQNfdObQ0PPr7FlEkaLp5f`
Imports Hash	`4a69501d065aecd17da3f8f42bc46478`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2063-Dec-08 19:12:01
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`48.0`
SizeOfCode	`0x141600`
SizeOfInitializedData	`0x50000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000019BB70 (Section: .textbss)`
BaseOfCode	`0x28000`
ImageBase	`0x400000`
SectionAlignment	`0x2000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x24e000`
SizeOfHeaders	`0x2000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x800000`
SizeofStackCommit	`0x8000`
SizeofHeapReserve	`0x200000`
SizeofHeapCommit	`0x4000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

* ~K5 \x1e\x05

MD5	`dbc79ec1440c1064c5a4532341f4e6f5`
SHA1	`f5f5d1bcbf939869a13496e86b6eebf44978e15e`
SHA256	`3eed9a0bda3ac7a616f4f298575461aa856c31a21d411feb0e7435420c91582c`
SHA3	`42ec2b54a0ffa76c2e42724c249f72d570a29bd786af1de3d1e6817461b498f7`
VirtualSize	`0x25954`
VirtualAddress	`0x2000`
SizeOfRawData	`0x25a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.999`

.text

MD5	`39435f9c10ac72ec079a39588528c931`
SHA1	`1a423bfdcbbf6d09f428ae5158bff34faab54b50`
SHA256	`89e87864c7a960a95450a9691e1897a6ef4772a7e058cda50714f3f4aee861d0`
SHA3	`6af878067179c29a18cc199e8bb6e1e810ffd8352a0f37b40432fe4cb216dfa1`
VirtualSize	`0x1415d0`
VirtualAddress	`0x28000`
SizeOfRawData	`0x141600`
PointerToRawData	`0x25e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.21748`

.rsrc

MD5	`d6b32abb6565553eca04785014e5f475`
SHA1	`5731d95d37ffcae02fcf26f093ac6f2c2e4e612f`
SHA256	`f3abce8b1d55d9a6da9b1abdce6d347c2b4aeebc1bfed5a6c0bcf246d6621127`
SHA3	`23d3568a756d8513742af2e05883e911cb8e216bd29f5e989efc4866b1109d0a`
VirtualSize	`0x2a4a6`
VirtualAddress	`0x16a000`
SizeOfRawData	`0x2a600`
PointerToRawData	`0x167400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.25433`

.ldata

MD5	`8572a64d883fb5c8d5cda142e224833e`
SHA1	`464e94ea7bde3d9afebf60deed15fea81e2c3092`
SHA256	`feed5b8a2b4ed4a794df6ffa0f325a62c8b75eb5755ace14ff5e8df54a9e75cf`
SHA3	`8efc9fa389564cc3e6545741237020e1bc2f0487f765f5e0b6f3d3a0076eafb8`
VirtualSize	`0x2000`
VirtualAddress	`0x196000`
SizeOfRawData	`0x11a000`
PointerToRawData	`0x191a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.97358`

.textbss

MD5	`23df9f49cb0302f71217d41f38772a47`
SHA1	`853c933335a16fb74560034badeccceeae248740`
SHA256	`ed1a56110ec46aeadf16447d089eef99815f0d40d4fefd501a1f0b391b19dc6a`
SHA3	`ac366851d60f8ab4794cd6762d926377522d8787c701a9179eccd7bf77b7f073`
VirtualSize	`0xb6000`
VirtualAddress	`0x198000`
SizeOfRawData	`0xb6000`
PointerToRawData	`0x2aba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.38993`

Imports

kernel32.dll	`GetStdHandle` `GetConsoleMode` `TlsGetValue` `GetLastError` `SetLastError` `RaiseException` `GetTickCount` `ExitProcess` `GetStartupInfoA` `GetCommandLineA` `GetCurrentProcessId` `GetCurrentThreadId` `GetCurrentProcess` `ReadProcessMemory` `GetModuleFileNameA` `GetModuleHandleA` `WriteFile` `ReadFile` `CloseHandle` `SetFilePointer` `GetFileSize` `SetEndOfFile` `GetSystemInfo` `LoadLibraryW` `LoadLibraryA` `GetProcAddress` `FreeLibrary` `FormatMessageW` `DeleteFileW` `CreateFileW` `GetFileAttributesW` `CreateDirectoryW` `RemoveDirectoryW` `SetCurrentDirectoryW` `GetCurrentDirectoryW` `GetFullPathNameW` `SetEnvironmentVariableW` `GetConsoleOutputCP` `GetOEMCP` `GetProcessHeap` `HeapAlloc` `HeapFree` `TlsAlloc` `TlsFree` `TlsSetValue` `CreateThread` `ExitThread` `LocalAlloc` `LocalFree` `Sleep` `SuspendThread` `ResumeThread` `TerminateThread` `WaitForSingleObject` `SetThreadPriority` `GetThreadPriority` `GetCurrentThread` `OpenThread` `IsDebuggerPresent` `CreateEventA` `ResetEvent` `SetEvent` `InitializeCriticalSection` `DeleteCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `TryEnterCriticalSection` `MultiByteToWideChar` `WideCharToMultiByte` `GetACP` `GetConsoleCP` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `RtlUnwindEx` `EnumResourceTypesA` `EnumResourceNamesA` `EnumResourceLanguagesA` `FindResourceA` `FindResourceExA` `LoadResource` `SizeofResource` `LockResource` `FreeResource` `GetVersion` `FlushInstructionCache` `VirtualAlloc` `VirtualFree` `VirtualProtect` `VirtualAllocEx` `VirtualProtectEx` `CreateRemoteThread` `PostQueuedCompletionStatus` `SetErrorMode` `WriteProcessMemory` `GetThreadContext` `SetThreadContext` `FlushFileBuffers` `DeviceIoControl` `FindClose` `GetLocalTime` `SystemTimeToFileTime` `FileTimeToLocalFileTime` `FileTimeToDosDateTime` `GetLogicalDriveStringsW` `GetModuleFileNameW` `GetSystemDirectoryW` `GetTempPathW` `GetTempFileNameW` `GetWindowsDirectoryA` `GetWindowsDirectoryW` `QueryDosDeviceW` `SetFileAttributesW` `FindFirstFileExW` `FindNextFileW` `IsBadReadPtr` `IsBadWritePtr` `GetVersionExA` `CreateActCtxW` `ActivateActCtx` `CompareStringA` `GetLocaleInfoA` `GetDateFormatA` `EnumCalendarInfoA` `CompareStringW` `GetLocaleInfoW` `GetDateFormatW` `GetCPInfo` `GetThreadLocale` `SetThreadLocale` `GetUserDefaultLCID`
oleaut32.dll	`SysAllocStringLen` `SysFreeString` `SysReAllocStringLen` `SafeArrayCreate` `SafeArrayRedim` `SafeArrayGetUBound` `SafeArrayGetLBound` `SafeArrayAccessData` `SafeArrayUnaccessData` `SafeArrayGetElement` `SafeArrayPutElement` `SafeArrayPtrOfIndex` `VariantChangeTypeEx` `VariantClear` `VariantCopy` `VariantInit`
user32.dll	`MessageBoxA` `CharUpperBuffW` `CharLowerBuffW` `CharUpperA` `CharUpperBuffA` `CharLowerA` `CharLowerBuffA` `GetSystemMetrics` `MessageBeep`
advapi32.dll	`RegOpenKeyA`
ole32.dll	`CoUninitialize` `CoInitialize`
ntdll.dll	`ZwProtectVirtualMemory` `RtlFormatCurrentUserKeyPath` `RtlDosPathNameToNtPathName_U` `RtlFreeUnicodeString` `RtlInitUnicodeString`
shlwapi.dll	`PathMatchSpecW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x29e84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.22562`
MD5	`8899b0ab1da7b45affc09d422695ada3`
SHA1	`1f89eb271e79675b5c0437c22efb3ec82b476172`
SHA256	`8c56936ae858bf9607323fbb8c1e1b20e4d1d08b7f6a9d7ad8f713a0c8516eb8`
SHA3	`8ababe4acbcd064f9458f84d572d60d46edddd485e30d93c8322d359913c0774`

32512

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.26096`
Detected Filetype	Icon file
MD5	`893254af00b8068b4778368366d386c7`
SHA1	`b1f66749c7f3c5858fd7e8da3940d15da0f25149`
SHA256	`d5a7d71f0de50d9e0b830187078aa65c3dc179246a045ef3d37114c61cdaefe4`
SHA3	`ee204047e09f7dd74ff55ec8faa5fababd98d7b4774dd8bc466c8419fa844efd`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x2f4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23991`
MD5	`4ff60350d45e9a0ad8b7c77a09bba752`
SHA1	`c5030a27cf4e19dccdd96f54d77076cf83e71c53`
SHA256	`2330bdec9a76877070ff154c5735a0cbb72e1085362068da4bef350b16030f0b`
SHA3	`97e6704d8791bbd64786382b00cb1afddc8a738bc88cfe852211fab414b9f7f9`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x1ea`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.00112`
MD5	`b7db84991f23a680df8e95af8946f9c9`
SHA1	`cac699787884fb993ced8d7dc47b7c522c7bc734`
SHA256	`539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a`
SHA3	`4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.1.0
ProductVersion	1.0.1.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
Comments
CompanyName
FileDescription
FileVersion (#2)	1.0.1
InternalName	Deep.exe
LegalCopyright	Copyright © BuPyC12 2022
LegalTrademarks
OriginalFilename	Deep.exe
ProductName
ProductVersion (#2)	1.0.1
Assembly Version	1.0.0.1

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2025-Jan-04 03:39:53
Version	`0.0`
SizeofData	`33`
AddressOfRawData	`0x2a0f0`
PointerToRawData	`0x27ef0`
Referenced File	Deep.pdb

TLS Callbacks

StartAddressOfRawData	`0x596028`
EndAddressOfRawData	`0x596050`
AddressOfIndex	`0x596050`
AddressOfCallbacks	`0x596058`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000000599A70`

Load Configuration

RICH Header

7c00e4f028f2f44a440ffa02e32b250b

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

* ~K5 \x1e\x05

.text

.rsrc

.ldata

.textbss

Imports

Delayed Imports

1

32512

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors