Manalyze report for 8277ef2185c4e3038e95c3a7c22ddd32dd0febf79d9ef6ef010719408745e6db

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Nov-21 05:25:48
Detected languages	Chinese - Taiwan English - United States
TLS Callbacks	2 callback(s) detected.
CompanyName	ASUSTeK COMPUTER INC.
FileDescription	CPUControlLibrary.dll
FileVersion	`6.4.1.0`
InternalName	CPUControlLibrary.dll
LegalCopyright	Â©ASUSTeK Computer Inc.All rights reserved.
OriginalFilename	CPUControlLibrary.dll
ProductName	Armoury Crate Service
ProductVersion	`6.4.1.0`

Plugin Output

Suspicious	PEiD Signature:	`HQR data file`
Info	Interesting strings found in the binary:	`Contains domain names: j7P332x.se`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryW` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect`
Info	The PE is digitally signed.	`Signer: deZLjYEGhAJXN.cloudfront.net` `Issuer: Amazon RSA 2048 M02`
Malicious	VirusTotal score: 27/71 (Scanned on 2026-04-10 18:47:20)	`ALYac: Gen:Variant.Ulise.596178` `AVG: MalwareX-gen [Misc]` `AhnLab-V3: Trojan/Win.Generic.R768257` `Arcabit: Trojan.Ulise.D918D2` `Avast: MalwareX-gen [Misc]` `Avira: TR/AVI.Agent.mouct` `BitDefender: Gen:Variant.Ulise.596178` `CTX: dll.trojan.ulise` `DeepInstinct: MALICIOUS` `ESET-NOD32: WinGo/Agent_AGen.ACA trojan` `Emsisoft: Gen:Variant.Ulise.596178 (B)` `F-Secure: Trojan.TR/AVI.Agent.mouct` `Fortinet: W32/Agent_AGen.ACA!tr` `GData: Gen:Variant.Ulise.596178` `Google: Detected` `Ikarus: Trojan-Spy.WinGo.Agent` `McAfeeD: ti!8277EF2185C4` `MicroWorld-eScan: Gen:Variant.Ulise.596178` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Rising: Trojan.Agent!8.B1E (CLOUD)` `Sangfor: Trojan.Win32.Agent.V7bz` `Sophos: Mal/Generic-S` `TrellixENS: Artemis!9D98503A0862` `TrendMicro-HouseCall: TROJ_GEN.R002H09D926` `VIPRE: Gen:Variant.Ulise.596178` `alibabacloud: Trojan:Multi/Agent_AGen.AWZ` `huorong: Trojan/W64.Loader.j!crit`

Hashes

MD5	`9d98503a0862b169906f264644860ed2`
SHA1	`62f3525095c04dfe3f23e00288d6ae00ec4db203`
SHA256	`8277ef2185c4e3038e95c3a7c22ddd32dd0febf79d9ef6ef010719408745e6db`
SHA3	`cc267b6ffc569e8d11b3b9521662e854113e219cb581559d0cd70c644e1b6267`
SSDeep	`49152:z/Y5znsx7NqioipAGjR10UXCC4eFj+QceaCQ:z1Imj/XRlw`
Imports Hash	`3271ee162568f50a6810be9b8973807f`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2024-Nov-21 05:25:48
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x1a5200`
SizeOfInitializedData	`0x1a4400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000011F0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`0.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x3a5000`
SizeOfHeaders	`0x400`
Checksum	`0x354a29`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`91db96fa10d1ac503391aea29e7e1a9c`
SHA1	`30833b3f9af1cdc2386f5705a10c2e272c3c6791`
SHA256	`1463ed5c10267116648cea0694c78fd3f9888b469191b341c97c4ee77b12ef41`
SHA3	`664faef3f7e9acd983330632c12b00fb198e9cce978a54042e2acf4680924d3c`
VirtualSize	`0x1a51c0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1a5200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.52062`

.rdata

MD5	`9f9f9fe46664326b437663fa8d4be53e`
SHA1	`121105af59cba14e0fbd2c951451c8c0ec7d1e7b`
SHA256	`1f0c2ff9ff1664cbefda0dfe1de2a6ce7f9496298d27e2c824fe7fa57d79cf9a`
SHA3	`01bb29437de529efc0f9a70f0f8d4662c894f3cb4f2e532a7571c629d3c54904`
VirtualSize	`0x179acc`
VirtualAddress	`0x1a7000`
SizeOfRawData	`0x179c00`
PointerToRawData	`0x1a5600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.46895`

.data

MD5	`6f8eb00d85fd0431fadc8ad8e2a31724`
SHA1	`8bbcfaef1eec51e14cfc4e64ba61702963215a75`
SHA256	`261f8a8442b38637830642acda5d3c3ec02b35b1b3f220bf01d92cd2cfc88e19`
SHA3	`4bc9e42aed7bfbf1d71a42296f134bddde39a7b68f0cb614499e4da22d0f927d`
VirtualSize	`0x70f70`
VirtualAddress	`0x321000`
SizeOfRawData	`0x19600`
PointerToRawData	`0x31f200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.72645`

.pdata

MD5	`9d9686beef0edeb0188c311ade29cf72`
SHA1	`9b1bef4b24e11536e192c1af9475925835c380c1`
SHA256	`62ae02737bf7ff7aa369bc5406e6d6d7ab96167fb73c41ad3310cc9a770b8c5b`
SHA3	`dded379b281a5d9326a075e887dcf237391367b252573c6b8d9352a01facffa0`
VirtualSize	`0xa7d0`
VirtualAddress	`0x392000`
SizeOfRawData	`0xa800`
PointerToRawData	`0x338800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.44107`

.gfids

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x10`
VirtualAddress	`0x39d000`
SizeOfRawData	`0x200`
PointerToRawData	`0x343000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`ec49934f2fcbe768b8502b1d6121d8cb`
SHA1	`ec9c03a5577e3965a03f42936216cc4eb261351a`
SHA256	`dec8cde91ca379d039bf3489e26c93650ab95f1939a47be60bdc8cc57fcd7ab4`
SHA3	`018417293dc8fdb6610a985d1ddba6afd2f926aa51336568f3a60ec66fc8f684`
VirtualSize	`0x600`
VirtualAddress	`0x39e000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x343200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.99271`

.reloc

MD5	`0fae58e0be9ae3c6b989e762b0320e4f`
SHA1	`a80378bf0d2d62419209178a7a1c1393a1854cb0`
SHA256	`219682f0a7c031bdc0386524b05efa17870a97a7190267f9a63cbe09a38cce49`
SHA3	`5873110338d6a9cbdaafe5adf8971479e27943123df3efadf0cb3906f7319ac3`
VirtualSize	`0x5dd0`
VirtualAddress	`0x39f000`
SizeOfRawData	`0x5e00`
PointerToRawData	`0x343c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.422`

Imports

KERNEL32.dll	`AddVectoredContinueHandler` `AddVectoredExceptionHandler` `CloseHandle` `CreateEventA` `CreateIoCompletionPort` `CreateThread` `CreateWaitableTimerExW` `DeleteCriticalSection` `DuplicateHandle` `EnterCriticalSection` `ExitProcess` `FreeEnvironmentStringsW` `GetConsoleMode` `GetCurrentThreadId` `GetEnvironmentStringsW` `GetErrorMode` `GetLastError` `GetProcAddress` `GetProcessAffinityMask` `GetQueuedCompletionStatusEx` `GetStdHandle` `GetSystemDirectoryA` `GetSystemInfo` `GetThreadContext` `InitializeCriticalSection` `LeaveCriticalSection` `LoadLibraryExW` `LoadLibraryW` `PostQueuedCompletionStatus` `RaiseFailFastException` `ResumeThread` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `SetConsoleCtrlHandler` `SetErrorMode` `SetEvent` `SetProcessPriorityBoost` `SetThreadContext` `SetWaitableTimer` `Sleep` `SuspendThread` `SwitchToThread` `TlsAlloc` `TlsGetValue` `VirtualAlloc` `VirtualFree` `VirtualProtect` `VirtualQuery` `WaitForMultipleObjects` `WaitForSingleObject` `WerGetFlags` `WerSetFlags` `WriteConsoleW` `WriteFile`
api-ms-win-crt-heap-l1-1-0.dll	`calloc` `free` `malloc`
api-ms-win-crt-private-l1-1-0.dll	`memcpy`
api-ms-win-crt-runtime-l1-1-0.dll	`_execute_onexit_table` `_exit` `_initialize_onexit_table` `_initterm` `_initterm_e` `_register_onexit_function` `abort`
api-ms-win-crt-stdio-l1-1-0.dll	`__acrt_iob_func` `__stdio_common_vfprintf` `fwrite`
api-ms-win-crt-string-l1-1-0.dll	`strlen` `strncmp`

Delayed Imports

GetDllVersion

Ordinal	`1`
Address	`0x1a4b40`

xpMOHQKLPnAUWSesI

Ordinal	`2`
Address	`0x391e50`

1

Type	`RT_VERSION`
Language	Chinese - Taiwan
Codepage	UNKNOWN
Size	`0x348`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.43656`
MD5	`66e0b88a3c2f40071995dc183831f3f9`
SHA1	`7683ba2139261eff307262d992e04e47903a9b6e`
SHA256	`fc0581a8d446a4b2330cbf78ebda1f48e31069937317a6d4db9231cba641e509`
SHA3	`2021fdc183de70c45477b84e683ab83ec802d5f4b5b55437689caa89fa5ea613`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x91`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.8858`
MD5	`f7ad1eab748bc07570a57ec87787cf90`
SHA1	`0b1608da9fef218386e825db575c65616826d9f4`
SHA256	`d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04`
SHA3	`6c9541b36948c19ae507d74223621875b3af4064f7cd8200bdb97e15a047e96a`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.4.1.0
ProductVersion	6.4.1.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	ASUSTeK COMPUTER INC.
FileDescription	CPUControlLibrary.dll
FileVersion (#2)	6.4.1.0
InternalName	CPUControlLibrary.dll
LegalCopyright	Â©ASUSTeK Computer Inc.All rights reserved.
OriginalFilename	CPUControlLibrary.dll
ProductName	Armoury Crate Service
ProductVersion (#2)	6.4.1.0

Resource LangID	Chinese - Taiwan

TLS Callbacks

StartAddressOfRawData	`0x18039d000`
EndAddressOfRawData	`0x18039d008`
AddressOfIndex	`0x180391eac`
AddressOfCallbacks	`0x18031fb98`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x00000001801A51B0` `0x00000001801A5190`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0`

RICH Header

Errors

Leave a comment

No comments yet.