Manalyze report for 85d9bf29502892e6d08c60fdcd47c242

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-Feb-10 17:26:22

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Suspicious	The file contains overlay data.	`6910534 bytes of data starting at offset 0x54600.` `The overlay data has an entropy of 7.98858 and is possibly compressed or encrypted.` `Overlay data amounts for 95.2371% of the executable.`
Malicious	VirusTotal score: 6/71 (Scanned on 2026-02-11 18:18:43)	`APEX: Malicious` `Bkav: W64.AIDetectMalware` `DeepInstinct: MALICIOUS` `Microsoft: Trojan:Win32/Wacatac.B!ml` `SentinelOne: Static AI - Suspicious PE` `Zillya: Backdoor.Agent.Win32.100681`

Hashes

MD5	`85d9bf29502892e6d08c60fdcd47c242`
SHA1	`b6f43f7c36194c66a51bda066f8f4506d7289e97`
SHA256	`03adbb64540b7d26acd067c9da9a59cea3087b2240b641cfd1c9ee5948a8dd4e`
SHA3	`bc1330be3f4595aa2b9ef7444f6177f4bc3d3c6c8b5ddf9315f8e79c823cbc68`
SSDeep	`196608:lN1+1QurHeD9BKG+5fc2S/ErXKEtw+Goz8MsqfNmd:PoQuyDvV+53SM8+zzD0`
Imports Hash	`351592d5ead6df0859b0cc0056827c95`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2026-Feb-10 17:26:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2da00`
SizeOfInitializedData	`0x26800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000D4A0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x5d000`
SizeOfHeaders	`0x400`
Checksum	`0x6f1c9f`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`dcbd2286739e348cc96c3770499eac40`
SHA1	`f83fc6fd7e438603537bf1bc8138095081738bc2`
SHA256	`182fd1a0bfc99e0323be8810e9f24c01ddc2314c4ec427a52da47fb4467b188c`
SHA3	`f4ecf979f9784693ce74b15af3f47ff97f87d0e178dfebe53ddaedcfafb08338`
VirtualSize	`0x2d8a0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2da00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.47657`

.rdata

MD5	`95935875f803dd94782a28d783eeb308`
SHA1	`b5d0e9722588523210b84fcd99399875774e4e0f`
SHA256	`e7fabf2c94273520738b344592344051876179d980ec6dcb157a68a35b53cc41`
SHA3	`d40fb00f319b2fa3d08f8f6d546d04e9ebd9ef644f36f2d5ff9d80f2e3ffe37a`
VirtualSize	`0x1396a`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x13a00`
PointerToRawData	`0x2de00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.76409`

.data

MD5	`b2a2b4610e1a32ff11d5f0a359ac8f88`
SHA1	`91f72167adf232b75e63611ee7e01703dc831c07`
SHA256	`47731e6e902f1d83980a1014f89201f13e5cb820552f93427aa9185c66b24ff0`
SHA3	`7eb386ecfca935ea9cb0d2ac955598d8053a514f990e72c8e6ccfc6df7f477a0`
VirtualSize	`0x50b0`
VirtualAddress	`0x43000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x41800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.82145`

.pdata

MD5	`da49fbee77be5d7f294b9d2f32c9bcaa`
SHA1	`af31b5d72aa41cc32ac74e0c2a8397e3f6338be7`
SHA256	`be49c00ca9581ed28acb5f3e1fc8b2e9ce76e1e601079e50520d71c668dab61a`
SHA3	`a628e7493b8e60fe7366f30e83470bd1aa0b1b0702311cfac462621e4a0f5047`
VirtualSize	`0x2490`
VirtualAddress	`0x49000`
SizeOfRawData	`0x2600`
PointerToRawData	`0x42600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.38254`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x4c000`
SizeOfRawData	`0x200`
PointerToRawData	`0x44c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`f9bdbc05903747291280295478698634`
SHA1	`a5e3936b3c1408b9fcf049af35139a431fe3d7a4`
SHA256	`2e510bbd1d159834c7bb9fb44de7b03706ca426e1450dea2f54e8ab8d0b5c9bf`
SHA3	`77abcb53384be3b52d7a170b7815e8b2423ee86670586eb1d8696c02fad28e5a`
VirtualSize	`0xef8c`
VirtualAddress	`0x4d000`
SizeOfRawData	`0xf000`
PointerToRawData	`0x44e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.35015`

.reloc

MD5	`a93b3a1977afcf926ff83c8ed4ffb307`
SHA1	`23054409d91f698f202b7543a8bf9c09685290a1`
SHA256	`9f37c1c4fe7bed8ea2c05a4b314b4d89de9ee8dd8c01cd62a16fb07294b43de9`
SHA3	`579067d8558813db899ca33eccf6d65513269c1106f72ebaeb985f4637bd71a1`
VirtualSize	`0x774`
VirtualAddress	`0x5c000`
SizeOfRawData	`0x800`
PointerToRawData	`0x53e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.27138`

Imports

USER32.dll	`TranslateMessage` `ShutdownBlockReasonCreate` `GetWindowThreadProcessId` `SetWindowLongPtrW` `GetWindowLongPtrW` `MsgWaitForMultipleObjects` `ShowWindow` `DestroyWindow` `CreateWindowExW` `RegisterClassW` `DefWindowProcW` `PeekMessageW` `DispatchMessageW` `GetMessageW`
KERNEL32.dll	`GetTimeZoneInformation` `GetProcessHeap` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCPInfo` `GetOEMCP` `GetACP` `IsValidCodePage` `GetStringTypeW` `GetLastError` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `FormatMessageW` `GetModuleFileNameW` `SetDllDirectoryW` `CreateSymbolicLinkW` `SetErrorMode` `CreateDirectoryW` `GetCommandLineW` `GetEnvironmentVariableW` `ExpandEnvironmentStringsW` `DeleteFileW` `FindClose` `HeapSize` `FindNextFileW` `GetDriveTypeW` `RemoveDirectoryW` `GetTempPathW` `CloseHandle` `QueryPerformanceCounter` `QueryPerformanceFrequency` `WaitForSingleObject` `Sleep` `GetCurrentProcess` `GetCurrentProcessId` `TerminateProcess` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `LocalFree` `SetConsoleCtrlHandler` `GetConsoleWindow` `K32EnumProcessModules` `K32GetModuleFileNameExW` `CreateFileW` `FindFirstFileExW` `GetFinalPathNameByHandleW` `MultiByteToWideChar` `WideCharToMultiByte` `GetFileAttributesExW` `HeapReAlloc` `WriteConsoleW` `SetEndOfFile` `FindFirstFileW` `GetModuleHandleW` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `RtlUnwindEx` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `ReadFile` `GetFullPathNameW` `SetStdHandle` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `GetCommandLineA` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `GetCurrentDirectoryW` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `InitializeCriticalSectionEx` `VirtualProtect` `CompareStringW` `LCMapStringW` `FlushFileBuffers` `SetEnvironmentVariableW`
ADVAPI32.dll	`ConvertSidToStringSidW` `GetTokenInformation` `OpenProcessToken` `ConvertStringSecurityDescriptorToSecurityDescriptorW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.58652`
MD5	`008578f1b7acebecd90bf1f3ac6ee061`
SHA1	`a013b9ba662b5244fd84a9d09404e999dc6333ad`
SHA256	`e77bc44fd6a201637eac3e56a126a84580ab6b33761957d65207c55029764b96`
SHA3	`1538f6df4b7b6c5c7824eea77b2d381650c4cfae7bce052c6d387b2497e839c4`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.05629`
MD5	`5096923956b255386181e7c44af9b552`
SHA1	`9d3f9d245fd7721707ad0dda9d133bc9398684af`
SHA256	`46c2b0eb26f174d48398a544b85203ec233adb7e17d1ced37c888eff8fcfd4c5`
SHA3	`d03024b793e39522b3ee98a5f6e0f548a989115ac2614924a5cfa436c2070a6b`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.5741`
MD5	`5a64b725f24048ed51af35b9ee7d2fff`
SHA1	`a7bc3d4bf5cc5c36d68c78a5f5b323fcd59ee53e`
SHA256	`c46f3921297eea0c08a032e0d0e0378643892fd1e95814fe6728c944574399cc`
SHA3	`4aec1e212baa392dfd28bceb7027f12f5767f9337caea3a3f5a22c8cdcef2164`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x909b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.95079`
Detected Filetype	PNG graphic file
MD5	`20d36c0a435caad0ae75d3e5f474650c`
SHA1	`e9e536a2c9d009666e5de2b3e5823269204aabb6`
SHA256	`c3d7626d87aa28c33a054d30be26108fd09ea01ba470d41c94d7bdf6b80b83f2`
SHA3	`a842fc9423038b5b29fc431bb998e715979788e40d387431f74457de25a57fac`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.29119`
MD5	`b21a1cea6c1a6796700a0c7ee394ff2b`
SHA1	`c9b5246eddedabf11534c9c984e305a86151be9f`
SHA256	`01e270742614e92e2a2252ba46cee5b95ad5f13448ac3516f48fb3ee0af3e6c8`
SHA3	`9f392589e26f353c6962e2b9055ac344bfbfe2d82b95cce9441273a296beff95`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.43869`
MD5	`a12bdfb484bb481e1f106beb19aa4765`
SHA1	`18228c2e61981dd29f67cd938ef2a2303d75b81b`
SHA256	`b0835a0afca51295ee6e3827b5e4f79f0632f353c9d10dd78c0dcec478fab8b8`
SHA3	`01196ee531896c2f7ab6c87039bc68252b76609e8e0a26f63a0571485e3b506e`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.89356`
MD5	`3343c0fa901ae372eb7c9d1159386193`
SHA1	`16944a8dcace69148c0628b723e0fa124279a79d`
SHA256	`0cd74e1b2fd85cc9e251e8ab5aca5a303329809c6b0ab70a3e440f9df1aab2be`
SHA3	`a7f6a8159086a1eac7b0d564a6c2f3ccc302ff083602fcb01d9b09a3f45b9a22`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71858`
Detected Filetype	Icon file
MD5	`d06bb5f499a7e63fdebdde478b53af68`
SHA1	`f4b46ca808dc838d436be1d2c13a40d51bdd8f4f`
SHA256	`038506ab04814afcdce660ffc0de198ebe40a5b0d8e090799549e208c689fed5`
SHA3	`af3d6a80a0ad9e117953a9e1466a44d29b3d32a19a456a9297995e94ead2efd7`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-Feb-10 17:26:22
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x3f0f8`
PointerToRawData	`0x3def8`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140043040`
GuardCFCheckFunctionPointer	`5368902680`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xc517a4d5`
Unmarked objects	`0`
C++ objects (33145)	`182`
C objects (33145)	`12`
ASM objects (33145)	`11`
253 (35207)	`3`
ASM objects (35207)	`9`
C objects (35207)	`17`
C++ objects (35207)	`40`
Imports (33145)	`7`
Total imports	`141`
C objects (35222)	`27`
Linker (35222)	`1`

85d9bf29502892e6d08c60fdcd47c242

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.fptable

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

7

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors