Manalyze report for 945a9eaff60eb6ed9b235918d46b83c226b568e06b666690a10701c3e958e6b4

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2018-Feb-01 20:18:05

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig2(h)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress LoadLibraryW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW`
Info	The PE's resources present abnormal characteristics.	`Resource 1D990F5C717D70FB40655C54AC98B1E2 is possibly compressed or encrypted.`
Malicious	VirusTotal score: 19/63 (Scanned on 2026-05-15 03:03:15)	`CAT-QuickHeal: Trojan.GenericPMF.S15065801` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_60% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (high confidence)` `Fortinet: W32/PossibleThreat` `Google: Detected` `Kingsoft: malware.kb.a.784` `Malwarebytes: Trojan.PowerShell` `McAfeeD: Real Protect-LS!9DE9D8D76198` `Paloalto: generic.ml` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Sophos: Generic ML PUA (PUA)` `Trapmine: malicious.high.ml.score` `TrellixENS: GenericRXWU-EY!9DE9D8D76198` `Varist: W32/SchoolBoy.B.gen!Eldorado`

Hashes

MD5	`9de9d8d7619876131e81159de736e08c`
SHA1	`25ec9d4355b2b2f29eb2f2c71b6cb15261276fa7`
SHA256	`945a9eaff60eb6ed9b235918d46b83c226b568e06b666690a10701c3e958e6b4`
SHA3	`1a7c3a83f5d20b30b8ea652c5c0bebbeeae051d3ad6ce393ed9f412e73c5cdf5`
SSDeep	`1536:Ag7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf0wTjOx:AeFfHgTWmCRkGbKGLeNTBf0T`
Imports Hash	`2c5f2513605e48f2d8ea5440a870cb9e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2018-Feb-01 20:18:05
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x11200`
SizeOfInitializedData	`0x5400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00001000 (Section: .code)`
BaseOfCode	`0x1000`
BaseOfData	`0x13000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x1a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.code

MD5	`da73045b586ab1e28e607f483a0c2ce0`
SHA1	`507983a0abe672ba6203b221d333ee56d059efd9`
SHA256	`9e4a4a5a85d7f56dbe993993414ad1845cda9d3f676803a7a3bbc95cfb8dec2a`
SHA3	`2206812f5c8ca53d71da884605200869a369ab2dcf9c347f0e057f122989afd4`
VirtualSize	`0x387e`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.52797`

.text

MD5	`45a4903077d6f7155f4006b168c87dca`
SHA1	`e45017f5e1a6c39a392914fc2b62281d81e3d806`
SHA256	`2785518da47da968edd245918c6ce4b38a1f1d314c9556b36b26d14e4cb00c94`
SHA3	`29b0134b9172776f45523d8b8f87084f34819a92754a0f43c6abd57c5fe03cf5`
VirtualSize	`0xd642`
VirtualAddress	`0x5000`
SizeOfRawData	`0xd800`
PointerToRawData	`0x3e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.54615`

.rdata

MD5	`fc9dcbeb475affc5d4c8d32f8314c9b3`
SHA1	`372c95f62895d5a5c1d8b320ce5c57a1cae3d3a8`
SHA256	`be3aaad4078e702cd46b669fec9d297dfb3684b17454dbaca12b835376f9d542`
SHA3	`c63e0fefe810327ac7eea78ccbe4000fd153b28a413add8bcf628052a546845f`
VirtualSize	`0x33a8`
VirtualAddress	`0x13000`
SizeOfRawData	`0x3400`
PointerToRawData	`0x11600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.11033`

.data

MD5	`a7ce321ecc8d3b0e5a6860e693862be4`
SHA1	`5264b85530f54b6ad326917e25aa5fbb7556f971`
SHA256	`20ff3b467104fc6daa01003bdf47ed8f31fe3c0d92a57822da1dcfc47266b020`
SHA3	`74e734e90eb6b2d3c3de272d7630814717f29fab6ed4f9693c14c524c5ebe4e2`
VirtualSize	`0x178c`
VirtualAddress	`0x17000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x14a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.10122`

.rsrc

MD5	`3076b9c55c64af784f54d21b0c5490e6`
SHA1	`b9ff14ee4aca1f2900ed9a5f4915ec250410fe44`
SHA256	`9de4b8809f8ecae09db6d318bcbd7138a24145c0c2ce7d419cff360515297401`
SHA3	`abae9ff9218850a466fa70867cb894dcd2271e04feb74f070a693c0705e32b60`
VirtualSize	`0xc50`
VirtualAddress	`0x19000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x15c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.20839`

Imports

MSVCRT.dll	`memset` `wcsncmp` `memmove` `wcsncpy` `wcsstr` `_wcsnicmp` `_wcsdup` `free` `_wcsicmp` `wcslen` `wcscpy` `wcscmp` `wcscat` `memcpy` `tolower` `malloc`
KERNEL32.dll	`GetModuleHandleW` `HeapCreate` `GetStdHandle` `SetConsoleCtrlHandler` `HeapDestroy` `ExitProcess` `WriteFile` `GetTempFileNameW` `LoadLibraryExW` `EnumResourceTypesW` `FreeLibrary` `RemoveDirectoryW` `EnumResourceNamesW` `GetCommandLineW` `LoadResource` `SizeofResource` `FreeResource` `FindResourceW` `GetNativeSystemInfo` `GetShortPathNameW` `GetWindowsDirectoryW` `GetSystemDirectoryW` `EnterCriticalSection` `CloseHandle` `LeaveCriticalSection` `InitializeCriticalSection` `WaitForSingleObject` `TerminateThread` `CreateThread` `GetProcAddress` `GetVersionExW` `Sleep` `WideCharToMultiByte` `HeapAlloc` `HeapFree` `LoadLibraryW` `GetCurrentProcessId` `GetCurrentThreadId` `GetModuleFileNameW` `PeekNamedPipe` `TerminateProcess` `GetEnvironmentVariableW` `SetEnvironmentVariableW` `GetCurrentProcess` `DuplicateHandle` `CreatePipe` `CreateProcessW` `GetExitCodeProcess` `SetUnhandledExceptionFilter` `HeapSize` `MultiByteToWideChar` `CreateDirectoryW` `SetFileAttributesW` `GetTempPathW` `DeleteFileW` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `CreateFileW` `SetFilePointer` `TlsFree` `TlsGetValue` `TlsSetValue` `TlsAlloc` `HeapReAlloc` `DeleteCriticalSection` `InterlockedCompareExchange` `InterlockedExchange` `GetLastError` `SetLastError` `UnregisterWait` `GetCurrentThread` `RegisterWaitForSingleObject`
USER32.DLL	`CharUpperW` `CharLowerW` `MessageBoxW` `DefWindowProcW` `DestroyWindow` `GetWindowLongW` `GetWindowTextLengthW` `GetWindowTextW` `UnregisterClassW` `LoadIconW` `LoadCursorW` `RegisterClassExW` `IsWindowEnabled` `EnableWindow` `GetSystemMetrics` `CreateWindowExW` `SetWindowLongW` `SendMessageW` `SetFocus` `CreateAcceleratorTableW` `SetForegroundWindow` `BringWindowToTop` `GetMessageW` `TranslateAcceleratorW` `TranslateMessage` `DispatchMessageW` `DestroyAcceleratorTable` `PostMessageW` `GetForegroundWindow` `GetWindowThreadProcessId` `IsWindowVisible` `EnumWindows` `SetWindowPos`
GDI32.DLL	`GetStockObject`
COMCTL32.DLL	`InitCommonControlsEx`
SHELL32.DLL	`ShellExecuteExW` `SHGetFolderLocation` `SHGetPathFromIDListW`
WINMM.DLL	`timeBeginPeriod`
OLE32.DLL	`CoInitialize` `CoTaskMemFree`
SHLWAPI.DLL	`PathAddBackslashW` `PathRenameExtensionW` `PathQuoteSpacesW` `PathRemoveArgsW` `PathRemoveBackslashW`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x540`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.9475`
MD5	`58ec4ee26e74fa69222dca3e58c07363`
SHA1	`e99c78671e3325a5c6829b14ce5bee2f2e7de834`
SHA256	`7ca05d8ce45135deb7cd13d3fd6f46d1cdf95e2620706ba1ce84336583caa597`
SHA3	`0c11d24ac627a37bbacbc809b0496706d06aa5a24f309be65e14e5d6f9844a39`

1D990F5C717D70FB40655C54AC98B1E2

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1c6`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.51559`
MD5	`0435e44ce082f40ddd2a1c521649a188`
SHA1	`202397af813e7a22f5dfcb35dee33755de506d46`
SHA256	`c34c90377d2cd0821dee8ee9b7054350dc29e1bb6e1339e1c5efd44a60ef77db`
SHA3	`68cea39f72637918df9c6ad9b4c3ce3fea93c049617e301dd434941058ab481a`

878EC302C6D54473C58A010FBE312FF0

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xe`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23593`
MD5	`7bb55e591962edd967c9a3039407256c`
SHA1	`e84642313805d66ef70fdada202992d040a1c2cc`
SHA256	`8fcbd3ba77d0af716d0b3f342b877539512ba665a6c5ad7999a531bff05a6a91`
SHA3	`116f25e12adcabbb7a50c5223cf85536391d06d1114f226b2e5d018f6907ff91`

97FFA93DA00B41FCC4BD46294891BAE8CB9D7F9A

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xd`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.70044`
MD5	`d2114ae91dedaee913f163eac0f242f8`
SHA1	`3c27df65ea8076481709165d79c010bf9cabff66`
SHA256	`d3d3159b2abdf1434260c7586841a1762e8d92e0f24338be5b640457cf930d46`
SHA3	`5cdae477a519f672018673648272ece0e2f5d9106bf01f30bea8962ef3217543`

CEE8F31458

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`55a54008ad1ba589aa210d2629c1df41`
SHA1	`bf8b4530d8d246dd74ac53a13471bba17941dff7`
SHA256	`4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a`
SHA3	`2767f15c8af2f2c7225d5273fdd683edc714110a987d1054697c348aed4e6cc7`

1 (#2)

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.01924`
Detected Filetype	Icon file
MD5	`c1432d505caadc3846ad4d6c4c0c097d`
SHA1	`bcfd458c22d534fdfe576785afe80fd129729677`
SHA256	`48982016e370effa827d54e330478713a3231aa5c775a1b04bb5c6af744535f0`
SHA3	`e22b712da268c5ec9863da32584e81f0276b809d02f95cd35d852dda1fa9a5a7`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x263`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.92322`
MD5	`841795bb3b61ebd511249778aa26af77`
SHA1	`59f426938522ef9906b0740821e8cc270d1ca897`
SHA256	`be809cba9d14bfb52a969d766992832b10e99e133babcdd99dc6d1bba5597cf7`
SHA3	`5fa5c36711cc5c3661248b1180ce35543201ff1dc77d158129b844f03a2144c9`

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors

Leave a comment

No comments yet.