Manalyze report for 9326574a8e36956c2a1711833b1611d79127dc6b2aa7c531306564eab8525602

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Feb-13 15:11:00
Detected languages	English - United States

Plugin Output

Suspicious	This PE is packed with Themida	`Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found:` `Unusual section name found: .imports` `Unusual section name found: .themida` `Section .themida is both writable and executable.` `Unusual section name found: .boot`
Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: RegGetValueW` `Possibly launches other programs: ShellExecuteA`
Malicious	VirusTotal score: 25/72 (Scanned on 2026-02-18 07:18:08)	`APEX: Malicious` `AhnLab-V3: Trojan/Win.Generic.R731706` `Bkav: W64.AIDetectMalware` `CTX: exe.trojan.artemis` `CrowdStrike: win/malicious_confidence_90% (D)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/Packed.Themida.L suspicious application` `Elastic: malicious (high confidence)` `Fortinet: Riskware/Application` `GData: Win64.Application.Agent.JRFLD3` `Google: Detected` `Gridinsoft: Trojan.Heur!.03210023` `Lionic: Trojan.Win32.Generic.4!c` `Malwarebytes: Malware.Heuristic.2025` `McAfeeD: ti!9326574A8E36` `Microsoft: Trojan:Win32/Etset!rfn` `Paloalto: generic.ml` `Sangfor: Suspicious.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Skyhigh: Artemis` `Symantec: ML.Attribute.HighConfidence` `TrellixENS: Artemis!8E2CE9200DB7` `Varist: W64/Trojan.GKA.gen!Eldorado` `alibabacloud: VirTool:Win/Wacatac.B9nj`

Hashes

MD5	`8e2ce9200db7a410a2591a8193ec85b7`
SHA1	`bfba12466b009c63dfd7b969a8d305b2fbd3718e`
SHA256	`9326574a8e36956c2a1711833b1611d79127dc6b2aa7c531306564eab8525602`
SHA3	`6e8533b2c6c4e61b000005464788355791f989aa09fce7aede03d9cd86919a32`
SSDeep	`393216:hnwwFCQep6/LEeeHdkNtUzKfh4UmGEJRkMua5XgxE:hcOgj8YKZTErk3aNj`
Imports Hash	`0ba6741e7c7ce3d84a56eaaa4ac1a6bc`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x110`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`12`
TimeDateStamp	2026-Feb-13 15:11:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x5b200`
SizeOfInitializedData	`0xe47600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000016A9058 (Section: .boot)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x1ba5000`
SizeOfHeaders	`0x400`
Checksum	`0x13895a8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

MD5	`1bf95aa44fee44764fcf8bb7da45d3e4`
SHA1	`cd4e25cda4d62b229e8ab35a4873b3251f074a69`
SHA256	`bd5423a54ee1dadb19720f5d6e54e2e8e27a4592b0739488942a8634e171f490`
SHA3	`9e27a26159875a8df61fdd12202fe3e3e83bc9bd48c742130b4202d8ff7b9af0`
VirtualSize	`0x5b0af`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2f422`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.98476`

(#2)

MD5	`b14280198ce8a3f8904d6e2b97b62318`
SHA1	`5fa6c641b97f45c6ef62be793d6a161f9544693e`
SHA256	`43f8f3e094afaae4dfd26e231e1774b3c1edcf71aeec162a6efeebf16a6fe266`
SHA3	`f1b874c0409c26cb4216916c1a232e8db99666611ec1f4e8b815aa02608d9ac7`
VirtualSize	`0x33b68`
VirtualAddress	`0x5d000`
SizeOfRawData	`0x16265`
PointerToRawData	`0x2fa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.98157`

(#3)

MD5	`77ddae2173ad2c89196300069d8a66e3`
SHA1	`b49459e91b53f3fe1a3bea85852b0568b0ace122`
SHA256	`1aa2ca94bd35d268be2b68b9772344da81ffc703d503d97ed86dfc2f809a7d21`
SHA3	`56aca96c2a525f44fab8cc94dda9434a1440ef512a51236bd7c8f21d73f07336`
VirtualSize	`0xc948`
VirtualAddress	`0x91000`
SizeOfRawData	`0x91ab`
PointerToRawData	`0x45e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.95466`

(#4)

MD5	`91dc29c95a88ae15ff9557ff01bb7c92`
SHA1	`6e25236a18a555a566181680fa8b1904b56a48e4`
SHA256	`e17718a623f2a28c355817ca1308dbf4dac07be7181b9d2e630553d4b60e644d`
SHA3	`4e7d32b828a8aadad977e7b46d7ce76270e07bf2584286d43b5690bf747c3c78`
VirtualSize	`0x41e8`
VirtualAddress	`0x9e000`
SizeOfRawData	`0x26b5`
PointerToRawData	`0x4f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.55981`

(#5)

MD5	`7de3ba29cba8de43f5f741b4496eeaca`
SHA1	`586b42d66696d79bc73174260b6baed79dc18008`
SHA256	`fb0050a1bf4e0a5481896a13521eb0753907f7c08448dc5fab21b57bb9246168`
SHA3	`9f9ac3bbb37b6f498ae145c32667a2242164aed22028e2ad9f5a5e11265dee8e`
VirtualSize	`0xe02718`
VirtualAddress	`0xa3000`
SizeOfRawData	`0xe02800`
PointerToRawData	`0x51800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.9909`

(#6)

MD5	`102dbbdd62ec2dffa61a52433f65d922`
SHA1	`9ab30182bb2659cb8735a79f498c128684c18cde`
SHA256	`af43f528d4b2981e0ff75a3c8b413df05944faad76bcc536ea80c3a5e5bed3b2`
SHA3	`321ae0d5cf70779462084080aa813d1a78c0223ffe45b4b62e153c292a8d2251`
VirtualSize	`0x550`
VirtualAddress	`0xea6000`
SizeOfRawData	`0x3c6`
PointerToRawData	`0xe54000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`7.05512`

.imports

MD5	`63c9d1cd22187cc904b432eabe206692`
SHA1	`6e0709c53b28379c70d3f4ef8eb6ecaddae96812`
SHA256	`458ddfa3137bc6ebb1529d1f12a0cedf449557586a78252b22c40f3d61edff16`
SHA3	`e4120d446f7dd9163ee51adff90cf9847a1146a1151abf20af719e0047f302c0`
VirtualSize	`0x1000`
VirtualAddress	`0xea7000`
SizeOfRawData	`0x800`
PointerToRawData	`0xe54400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.36134`

.tls

MD5	`f68129f9114ef751e51283d6180412c4`
SHA1	`ae8ab9845b4b220a482fcd59f5da7028754b7738`
SHA256	`c8293488f99d11d7ad879f33d043f63bdbaf5c7fb88c1a7b316d3176d15ea55b`
SHA3	`5b58cbc217d0a79319e611783a4030354f75260ba6f29edf590840ec2f7f4e44`
VirtualSize	`0x1000`
VirtualAddress	`0xea8000`
SizeOfRawData	`0x200`
PointerToRawData	`0xe54c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.27823`

.rsrc

MD5	`cf6f730e3306cca8e462067a274040d2`
SHA1	`df6165e75945e046bd85f689a5753499bc939a50`
SHA256	`a3d0d8145cc5139211265fb758c6c226643c2e7bd72551da0c9ddb04a5db43ca`
SHA3	`588f324524813fba8c74f45cdeeaeaf989d7cbf54420490591cfd906e037f21f`
VirtualSize	`0x2f200`
VirtualAddress	`0xea9000`
SizeOfRawData	`0x2f200`
PointerToRawData	`0xe54e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.15685`

.themida

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x7d0000`
VirtualAddress	`0xed9000`
SizeOfRawData	`0`
PointerToRawData	`0xe84000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.boot

MD5	`e2dba69d422cd49da8c77e10c9b03bc0`
SHA1	`8379df7b8f490cf92f4f452d54a849b4cd5c5883`
SHA256	`25ceb44671f75518ac5a940a37f7f858a31cd7a430d873afbc0b90d3e40fc010`
SHA3	`641a70e55c0ecc29a420fc5017950690325ffad7b594b6530df69e02a3423116`
VirtualSize	`0x4faa00`
VirtualAddress	`0x16a9000`
SizeOfRawData	`0x4faa00`
PointerToRawData	`0xe84000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`7.96302`

.reloc

MD5	`d721f2634330e38b784c70c55a2b704c`
SHA1	`07938f0c026a8bcc372f6611dbfe9c53903b2d15`
SHA256	`30a7bd8ce16487941730dbac0934351f7571d9a07e32c7a2bad97dc4bafbf779`
SHA3	`3180be7fd0a2848082ea080c193dad3060910c30ccd5fc59a7ba078e24be0d64`
VirtualSize	`0x1000`
VirtualAddress	`0x1ba4000`
SizeOfRawData	`0x10`
PointerToRawData	`0x137ea00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_MEM_READ`
Entropy	`2.4746`

Imports

kernel32.dll	`GetModuleHandleA`
d3dx11_43.dll	`D3DX11CreateShaderResourceViewFromMemory`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
USER32.dll	`SetWindowLongA`
GDI32.dll	`GetDeviceCaps`
ADVAPI32.dll	`RegGetValueW`
SHELL32.dll	`ShellExecuteA`
MSVCP140.dll	`_Mtx_lock`
D3DCOMPILER_43.dll	`D3DCompile`
IMM32.dll	`ImmGetContext`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`__current_exception_context`
api-ms-win-crt-heap-l1-1-0.dll	`_callnewh`
api-ms-win-crt-runtime-l1-1-0.dll	`_set_app_type`
api-ms-win-crt-stdio-l1-1-0.dll	`_get_stream_buffer_pointers`
api-ms-win-crt-string-l1-1-0.dll	`strncmp`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-filesystem-l1-1-0.dll	`_lock_file`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-locale-l1-1-0.dll	`___lc_codepage_func`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2eee8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.14972`
MD5	`74f7f5673657fc8225920c63f6c8cd12`
SHA1	`0ed3d255d16f1294367895233800ebe596f997ae`
SHA256	`68522123358a2a523bbb1874999faa6c79dbd480084e7440146b823c5986ce61`
SHA3	`3bad3cc2471859a06f4bcf7c73233f600262a4373f22f612261a59eac806b960`

101

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.01924`
Detected Filetype	Icon file
MD5	`9a6d874a2e3c0badfcca210530cfbf87`
SHA1	`04190e4da2e940f6b71bc6bd7a0509c1000f7692`
SHA256	`92041c6756516be6e9ec7320f04c5b49dfce7afea8a5847656c4ccc39a51587a`
SHA3	`2176cf0fda18a3c75323eb6a1199d466f43584ea9c04da5ad2a0cce434ce16e7`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x91`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.8858`
MD5	`f7ad1eab748bc07570a57ec87787cf90`
SHA1	`0b1608da9fef218386e825db575c65616826d9f4`
SHA256	`d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04`
SHA3	`6c9541b36948c19ae507d74223621875b3af4064f7cd8200bdb97e15a047e96a`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x16c8d05e`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`22`
ASM objects (35207)	`4`
C objects (35207)	`10`
C++ objects (35207)	`38`
Imports (35207)	`6`
C++ objects (33134)	`5`
Imports (33145)	`14`
Imports (21202)	`7`
Total imports	`391`
C++ objects (LTCG) (35222)	`17`
Resource objects (35222)	`1`
151	`1`
Linker (35222)	`1`

Errors

[!] Error: Could not reach the TLS callback table.
[*] Warning: Section .themida has a size of 0!

Leave a comment

No comments yet.