Manalyze report for 8fa4254dab09488f3fac50debdc7e6e714bf7c6edc924cad5c35949f14889bfa

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2021-Mar-23 11:45:33
Detected languages	English - United States
CompanyName	Wargaming.net
FileDescription	Wargaming.net Error Monitor Client
FileVersion	`03.02.00.2934`
InternalName	Wargaming.net Error Monitor Client
LegalCopyright	Copyright © 2017 - 2021 Wargaming.net
ProductName	Wargaming.net Error Monitor Client
ProductVersion	`03.02.00.2934`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: Monitor.exe` `Contains domain names: Wargaming.net`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW LoadLibraryExW` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptCreateHash CryptDestroyHash CryptHashData CryptGetHashParam CryptReleaseContext CryptAcquireContextW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Leverages the raw socket API to access the Internet: WSAStartup WSACleanup` `Manipulates other processes: OpenProcess`
Safe	VirusTotal score: 0/66 (Scanned on 2021-09-24 12:43:48)	`All the AVs think this file is safe.`

Hashes

MD5	`f355ca01e4a1b8c5e4d913c807e7627e`
SHA1	`77b648fa3c59335d34fb444dd9a8a0685293ce06`
SHA256	`8fa4254dab09488f3fac50debdc7e6e714bf7c6edc924cad5c35949f14889bfa`
SHA3	`8a454fda2fbbd7e022e5424f3611791dea163ed363b7e7ca2c708656cdb19f17`
SSDeep	`24576:2npA1FWK1S77wPiA6Mf/CaqFGfDMVghm2Y59Ih:6A1UK1k7w6U/CGwVgU2`
Imports Hash	`1f25bb9161a270fb945671700b6d8be4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2021-Mar-23 11:45:33
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xfa400`
SizeOfInitializedData	`0x55e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000009D1A0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x155000`
SizeOfHeaders	`0x400`
Checksum	`0x14e655`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`763cb9e6a9f5a74c5be24620975ccdd0`
SHA1	`8479dfc1078dea0bfc6a1f1ca2ebc913b540e38d`
SHA256	`31ebea746ba51f5698f3cbab523549dc4739d558012608ebcdd85a693ad3c379`
SHA3	`afa5fe1d32f57f2d8806e5caa59bf02eb98cd420d019399047bc4862b49f0475`
VirtualSize	`0xfb000`
VirtualAddress	`0x1000`
SizeOfRawData	`0xfa400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.40046`

.rdata

MD5	`83bf0b0e77bbda9445e15a62e7fb917f`
SHA1	`bd729c2eb92a2472d75efbcd32c02cbbcc61624e`
SHA256	`bf76d268d59523b3440462e683b40fe1020ffd53db6fd52711db7ec811df0e9e`
SHA3	`51c5c0e4624227d702321471d222011cde4e7302a4a5cfdb2cf123cd5e4b14ea`
VirtualSize	`0x3e000`
VirtualAddress	`0xfc000`
SizeOfRawData	`0x3de00`
PointerToRawData	`0xfa800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.14122`

.data

MD5	`6c2cd18e9afacb33d349109dc6b2fd01`
SHA1	`1bf4675ccfb9c4b0be0b5c84eb392b14f589f750`
SHA256	`fce2a2d896f0d56ea167dbd9c282575f7487866a038642ef6834caeff7e705ad`
SHA3	`089a2aa051af9e17c81475ef23dfa29a0cf823bedbd620f38952be859794547c`
VirtualSize	`0xb000`
VirtualAddress	`0x13a000`
SizeOfRawData	`0x7a00`
PointerToRawData	`0x138600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.33575`

.pdata

MD5	`78f702fb6a033ce4de703c7fa8f72b15`
SHA1	`c177a71d5554174c3530228cd7299ad4b26e0f43`
SHA256	`d8e3e53f9fd72071ac99d20e0195d28cffc0369f8a003e2f7fc69c7b4250ab9e`
SHA3	`d0b4eea3773ec802d85578b04d340bd92368bf09d474c0f72957c860ccb5e87a`
VirtualSize	`0xc000`
VirtualAddress	`0x145000`
SizeOfRawData	`0xb600`
PointerToRawData	`0x140000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.04475`

_RDATA

MD5	`51e9fe7d35605cd1d62c23e358ba17e7`
SHA1	`cca32a57a2fd09f05fd511debc9ad1bde7a64eff`
SHA256	`c3a82bb7d8f8e07fdd64c862921ce361640c7e54fe157e3bd1a7388345f1def4`
SHA3	`b991e8dd991b151aa620f525bf9d711ce621244ccf9fc4cefb1e6d6db432488b`
VirtualSize	`0x1000`
VirtualAddress	`0x151000`
SizeOfRawData	`0x200`
PointerToRawData	`0x14b600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.43398`

.rsrc

MD5	`5275a411fdfbe91bba0af2924987ced3`
SHA1	`31d91448e3b82a5a1236ec7b93315326e330322a`
SHA256	`60c255909e4569bf2e273b8434c225c69dfc9091dab357daf1d519e6ef7e9c3c`
SHA3	`e2dd49eb148202cf24ff7f140a51143cf6aecc2c0e1f9aeb01cca4118042489d`
VirtualSize	`0x1000`
VirtualAddress	`0x152000`
SizeOfRawData	`0x600`
PointerToRawData	`0x14b800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.83867`

.reloc

MD5	`38c29958d3ceaa051458ac1586c2e14e`
SHA1	`0d998b73e7d3517b2afba026c015e1e93cf07ee1`
SHA256	`b2411801b782b9e6aff36c5168b3679f2b6b6ae4677c6c3058c9f94ecce27911`
SHA3	`80dc26aad49696ce98ab02521abe20938967cb247b230a26a862d109b73d7617`
VirtualSize	`0x1d88`
VirtualAddress	`0x153000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x14be00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.42402`

Imports

dbghelp.dll	`MiniDumpWriteDump` `ImageNtHeader`
KERNEL32.dll	`GetCommandLineW` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `CreateFileW` `GetDiskFreeSpaceExW` `CloseHandle` `GetLastError` `SetLastError` `WaitForSingleObject` `GetCurrentProcess` `GetCurrentProcessId` `TerminateProcess` `CreateProcessW` `GetProcessId` `OpenProcess` `GlobalMemoryStatusEx` `GetVersionExW` `GetModuleHandleA` `GetModuleHandleW` `GetProcAddress` `LoadLibraryW` `VerifyVersionInfoW` `K32EnumProcessModules` `K32GetProcessMemoryInfo` `DeleteFileW` `FindNextFileW` `FlushFileBuffers` `GetFileSizeEx` `RemoveDirectoryW` `WriteFile` `LocalFree` `FormatMessageA` `FormatMessageW` `WideCharToMultiByte` `K32GetModuleFileNameExW` `GetProcessTimes` `GetSystemTimeAsFileTime` `IsDebuggerPresent` `RaiseException` `SetUnhandledExceptionFilter` `RemoveVectoredExceptionHandler` `AddVectoredContinueHandler` `VerSetConditionMask` `TlsFree` `GetModuleFileNameW` `InitializeCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `SetEvent` `ResetEvent` `CreateEventW` `FreeLibrary` `WaitForMultipleObjects` `CreateDirectoryW` `GetFileAttributesW` `GetFileInformationByHandle` `SetFilePointerEx` `DeviceIoControl` `CreateDirectoryExW` `AreFileApisANSI` `MultiByteToWideChar` `CreateFileMappingA` `UnmapViewOfFile` `MapViewOfFile` `ReleaseMutex` `WaitNamedPipeW` `TransactNamedPipe` `SetNamedPipeHandleState` `WriteConsoleW` `HeapSize` `SetStdHandle` `RtlCaptureStackBackTrace` `GetTickCount` `GetLocalTime` `GetCurrentThreadId` `FindFirstFileW` `FindClose` `RtlCaptureContext` `CreateMutexA` `TlsAlloc` `GetProcessHeap` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCommandLineA` `GetOEMCP` `GetACP` `IsValidCodePage` `FindFirstFileExW` `GetStringTypeW` `TryEnterCriticalSection` `QueryPerformanceCounter` `QueryPerformanceFrequency` `WaitForSingleObjectEx` `Sleep` `SwitchToThread` `GetExitCodeThread` `RtlPcToFileHeader` `InitializeCriticalSectionAndSpinCount` `TlsGetValue` `TlsSetValue` `EncodePointer` `DecodePointer` `GetCPInfo` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `InitializeSListHead` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `GetStartupInfoW` `IsProcessorFeaturePresent` `CreateTimerQueue` `SignalObjectAndWait` `CreateThread` `SetThreadPriority` `GetThreadPriority` `GetLogicalProcessorInformation` `CreateTimerQueueTimer` `ChangeTimerQueueTimer` `DeleteTimerQueueTimer` `GetNumaHighestNodeNumber` `GetProcessAffinityMask` `SetThreadAffinityMask` `RegisterWaitForSingleObject` `UnregisterWait` `GetCurrentThread` `GetThreadTimes` `FreeLibraryAndExitThread` `LoadLibraryExW` `VirtualAlloc` `VirtualProtect` `VirtualFree` `DuplicateHandle` `ReleaseSemaphore` `InterlockedPopEntrySList` `InterlockedPushEntrySList` `InterlockedFlushSList` `QueryDepthSList` `UnregisterWaitEx` `RtlUnwindEx` `ExitThread` `GetModuleHandleExW` `ExitProcess` `SetConsoleCtrlHandler` `HeapAlloc` `HeapFree` `GetStdHandle` `GetFileType` `GetConsoleCP` `GetConsoleMode` `HeapReAlloc` `GetTimeZoneInformation` `GetDateFormatW` `GetTimeFormatW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW`
SHELL32.dll	`ShellExecuteExW`
ole32.dll	`CoInitializeEx` `CoUninitialize`
ADVAPI32.dll	`CryptCreateHash` `CryptDestroyHash` `CryptHashData` `CryptGetHashParam` `CryptReleaseContext` `CryptAcquireContextW`
WS2_32.dll	`WSAStartup` `WSACleanup`
bcrypt.dll	`BCryptOpenAlgorithmProvider` `BCryptGenRandom` `BCryptCloseAlgorithmProvider`

Delayed Imports

?$TSS0@?1??create@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@CAAEAUVersions@34@XZ@4HA

Ordinal	`1`
Address	`0x141f60`

?$TSS0@?1??lock@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@SA?AVLockGuard@234@XZ@4HA

Ordinal	`2`
Address	`0x142070`

??4?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@QEAAAEAV012@AEBV012@@Z

Ordinal	`3`
Address	`0x7d40`

?create@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@CAAEAUVersions@23@XZ

Ordinal	`4`
Address	`0x68eb0`

?getInstance@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@SAAEAUVersions@23@XZ

Ordinal	`5`
Address	`0x691a0`

?instance@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@0AEAUVersions@23@EA

Ordinal	`6`
Address	`0x141f10`

?instanceMutex@?1??lock@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@SA?AVLockGuard@234@XZ@4Vmutex@std@@A

Ordinal	`7`
Address	`0x142020`

?instantiate@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@CAXAEBUVersions@23@@Z

Ordinal	`8`
Address	`0x8c20`

?lock@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@SA?AVLockGuard@123@XZ

Ordinal	`9`
Address	`0x69390`

?t@?1??create@?$StaticObject@UVersions@detail@cereal@@@detail@cereal@@CAAEAUVersions@34@XZ@4U534@A

Ordinal	`10`
Address	`0x141f20`

GetApiVersion

Ordinal	`11`
Address	`0xb4b0`

GetStatus

Ordinal	`12`
Address	`0xb4c0`

InitLib_Dyn

Ordinal	`13`
Address	`0xb4d0`

RaiseAssert

Ordinal	`14`
Address	`0xb860`

RaiseAssertSync

Ordinal	`15`
Address	`0xb900`

RegisterOnEventBeginCallback_Dyn

Ordinal	`16`
Address	`0xb9a0`

RegisterOnEventEndCallback_Dyn

Ordinal	`17`
Address	`0xba80`

ReportException

Ordinal	`18`
Address	`0xbb60`

ReportSystemExceptionRecord

Ordinal	`19`
Address	`0xbe60`

ReportTermination

Ordinal	`20`
Address	`0xbed0`

StopOutprocessHandlingAndShutdownMonitor_Dyn

Ordinal	`21`
Address	`0xbf20`

TerminateLib

Ordinal	`22`
Address	`0xbfa0`

UnregisterCallback

Ordinal	`23`
Address	`0xbfb0`

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x344`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.37026`
MD5	`3fa2df4a61fe0b61cfc3cce72fd60fd7`
SHA1	`05ec8c0e7595ce5bbc38691aad27e3acb060b06c`
SHA256	`ba14e10a2d5aff513bf5d44c55b1f17b5e289139c628aa6dcb868cbaf710396c`
SHA3	`786b99097c410b81fbd90fd359a43b8b88ca3db14a20f6a011778f313e3d8cd1`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	3.2.0.2934
ProductVersion	3.2.0.2934
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	Wargaming.net
FileDescription	Wargaming.net Error Monitor Client
FileVersion (#2)	03.02.00.2934
InternalName	Wargaming.net Error Monitor Client
LegalCopyright	Copyright © 2017 - 2021 Wargaming.net
ProductName	Wargaming.net Error Monitor Client
ProductVersion (#2)	03.02.00.2934

Resource LangID	UNKNOWN

TLS Callbacks

StartAddressOfRawData	`0x180124770`
EndAddressOfRawData	`0x180124778`
AddressOfIndex	`0x180142d90`
AddressOfCallbacks	`0x1800fc730`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x130`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x18013ade8`

RICH Header

XOR Key	`0x747037f7`
Unmarked objects	`0`
ASM objects (26715)	`12`
C objects (26715)	`21`
C++ objects (26715)	`169`
C objects (VS 2015/2017/2019 runtime 28427)	`14`
ASM objects (VS 2015/2017/2019 runtime 28427)	`9`
C++ objects (VS 2015/2017/2019 runtime 28427)	`142`
Imports (26715)	`19`
Total imports	`239`
C++ objects (VS2019 Update 5 (16.5.2-3) compiler 28612)	`44`
Exports (VS2019 Update 5 (16.5.2-3) compiler 28612)	`1`
Resource objects (VS2019 Update 5 (16.5.2-3) compiler 28612)	`1`
151	`1`
Linker (VS2019 Update 5 (16.5.2-3) compiler 28612)	`1`

Errors

Leave a comment

No comments yet.