Manalyze report for 9eabad0ffe51d7adfc7c8b7c734137cab7075dd1c78fc632ab9ec264fa1ac421

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2025-Jan-30 13:42:06
Detected languages	English - United States
Debug artifacts	E:\Adlice\Truesight\x64\Release\truesight.pdb
CompanyName	Adlice Software
FileDescription	Adlice RootLaser
FileVersion	`3.4.1`
InternalName	Adlice RootLaser
LegalCopyright	Copyright Adlice Software(C) 2025
LegalTrademarks1	Adlice Software
LegalTrademarks2	Adlice Software
OriginalFilename	Adlice RootLaser
ProductName	Adlice RootLaser
ProductVersion	`3.4.1`

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: PAGE`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: ZwQuerySystemInformation` `Uses Windows's Native API: ZwClose ZwSetSecurityObject ZwOpenKey ZwSetValueKey ZwQueryValueKey ZwCreateKey ZwOpenDirectoryObject ZwQueryDirectoryObject ZwTerminateProcess ZwOpenProcess ZwQuerySystemInformation ZwQueryInformationProcess ZwDeleteKey ZwEnumerateKey ZwQueryKey`
Info	The PE is digitally signed.	`Signer: ADLICE` `Issuer: Sectigo Public Code Signing CA EV R36`
Safe	VirusTotal score: 0/72 (Scanned on 2025-12-12 12:30:59)	`All the AVs think this file is safe.`

Hashes

MD5	`b9d60b19fe56193294cdf9866ee0808d`
SHA1	`f42790a62c2de0173d81589d5970196b66089f97`
SHA256	`9eabad0ffe51d7adfc7c8b7c734137cab7075dd1c78fc632ab9ec264fa1ac421`
SHA3	`e94affa5b2695be940aa2d62b0df86f12042091ed49dec88ce002ff5f5331355`
SSDeep	`1536:8YFg4pLhiOVq4ZD2YxndHm4cMWzqHmjVvw:8OjLhiKl2YxnNm4XWGmjVvw`
Imports Hash	`0eb51e596d61207161f28b7dbb0621c2`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2025-Jan-30 13:42:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x5a00`
SizeOfInitializedData	`0x2200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000A170 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0xd000`
SizeOfHeaders	`0x400`
Checksum	`0x1af16`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8d0926641bedc0ea016b0babbf838666`
SHA1	`9f473959c465b2ccf4481ba5cd97ccf6d545e9d7`
SHA256	`d4a7cde71cf16f5ee2d369e7b3080d464ffe0da80afc2dfd97300334aa5faf91`
SHA3	`3e903f7ae1ffe2feeaaf96ae3bc4b0a845d62da63127f066ef8807bb7ba2b02e`
VirtualSize	`0x2f54`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`6.2122`

.rdata

MD5	`b66682968ce6158281e11feb09c14cf6`
SHA1	`501a869e57c9d747d8be5bdd0dc6a0839a27b059`
SHA256	`7684655436ae8182aec369dd3fa053c589c9b9034b486e2b6f78626d0cba8758`
SHA3	`3f19faa330d7c72521db70f6ccc575174a90c92155a70124b4f25258f03288fd`
VirtualSize	`0x119c`
VirtualAddress	`0x4000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x3400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`4.60863`

.data

MD5	`12b3b2dc49abcc32a3c236f058992487`
SHA1	`2386acfd5028b7cf907a341e6581379a18279def`
SHA256	`4a72cefbaa9e117586209e5190b00eed356dd14c92b8b30b08b7afea351bcec2`
SHA3	`80a9c73ac82edb1afd286911d5b0138544e85dbf00337c27c1c09e3528792711`
VirtualSize	`0x320`
VirtualAddress	`0x6000`
SizeOfRawData	`0x400`
PointerToRawData	`0x4600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.01022`

.pdata

MD5	`a91e238fd77800d00e4fcf30f33d9670`
SHA1	`25f414d66f77057e8ef83edf61e9f56e2341655a`
SHA256	`83cbd6c134c01a1aec3ce1b0950d87a425facd9918d82ca86eeb094235f3e962`
SHA3	`494cb06405e2f68b4ab875d5dcc47131f41d229313975dd07e1c91092f233fb6`
VirtualSize	`0x450`
VirtualAddress	`0x7000`
SizeOfRawData	`0x600`
PointerToRawData	`0x4a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`3.31945`

PAGE

MD5	`e6a298a9578e2458c6461309739dd834`
SHA1	`cd1596f806ed227b3e82f816f6d815cdb22a755f`
SHA256	`bf5aac62e25960371b3b5894b3e0ee76fe53a7fa51c98ae74a7a8ab44632ffc9`
SHA3	`6cf6f3188d18ed1a8509d4b3b019563b1852d622a5c42ef1a3efa4419aae4d1d`
VirtualSize	`0x1cbc`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.12385`

INIT

MD5	`9510747a51e17b31b4f4c74b36a78347`
SHA1	`b2f9f794888e43ede31f88b7ae472fcfbc074e63`
SHA256	`b6361276f263a9c885997628f03bd2ae5650acce4ee6800aa4ab5e2f95ecf129`
SHA3	`6e2511a157ad5c2bd11dc5b89755703c8f38ff0c9dfbea1a7fb84e619180bfd6`
VirtualSize	`0xb5e`
VirtualAddress	`0xa000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x6e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.33328`

.rsrc

MD5	`e09f65b4111e284c1c5b0e3ce3aedb6e`
SHA1	`47180b8059c37b265722d5a59d4d987a71805a95`
SHA256	`10cc1836ed2804eabb4bd4d0190b6a8652109b33a9c8a342481921d363bdcd4c`
SHA3	`7e9f62fabc3b3932b005d51428b5fc499ddd64ef9796ee8c78b9286b0cdd66f1`
VirtualSize	`0x3f0`
VirtualAddress	`0xb000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.2503`

.reloc

MD5	`550a73c0e388484b60754cd313507783`
SHA1	`4cc67d92a3a197a9499c573cbb41aa1d4e78e384`
SHA256	`77288b72ab5a5d8164a1901ced6851422affae609840da8937a04b253a815c9c`
SHA3	`855e68e9b60995b57c305a7402e0095a59660126cb856fe6ebfe540cdf63a0e0`
VirtualSize	`0x6c`
VirtualAddress	`0xc000`
SizeOfRawData	`0x200`
PointerToRawData	`0x7e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.44985`

Imports

ntoskrnl.exe	`ExFreePoolWithTag` `RtlInitUnicodeString` `RtlGetVersion` `IofCompleteRequest` `IoCreateSymbolicLink` `IoDeleteDevice` `IoDeleteSymbolicLink` `__C_specific_handler` `MmGetSystemRoutineAddress` `ZwClose` `ZwSetSecurityObject` `IoDeviceObjectType` `IoCreateDevice` `ObOpenObjectByPointer` `RtlGetDaclSecurityDescriptor` `RtlGetGroupSecurityDescriptor` `RtlGetOwnerSecurityDescriptor` `RtlGetSaclSecurityDescriptor` `SeCaptureSecurityDescriptor` `_snwprintf` `RtlLengthSecurityDescriptor` `SeExports` `RtlCreateSecurityDescriptor` `_wcsnicmp` `ExAllocatePoolWithTag` `wcschr` `RtlAbsoluteToSelfRelativeSD` `RtlAddAccessAllowedAce` `RtlLengthSid` `IoIsWdmVersionAvailable` `RtlSetDaclSecurityDescriptor` `ZwOpenKey` `ZwSetValueKey` `ZwQueryValueKey` `ZwCreateKey` `RtlFreeUnicodeString` `KeInitializeEvent` `KeResetEvent` `KeSetEvent` `KeWaitForSingleObject` `ObfDereferenceObject` `PsGetCurrentThreadId` `RtlCaptureStackBackTrace` `PsLookupThreadByThreadId` `KeInitializeApc` `KeInsertQueueApc` `_wcsicmp` `IoGetDeviceObjectPointer` `ObReferenceObjectByHandle` `MmIsAddressValid` `ObQueryNameString` `ZwOpenDirectoryObject` `ZwQueryDirectoryObject` `ObOpenObjectByName` `IoDriverObjectType` `ZwTerminateProcess` `ZwOpenProcess` `PsLookupProcessByProcessId` `ZwQuerySystemInformation` `ZwQueryInformationProcess` `ZwDeleteKey` `ZwEnumerateKey` `ZwQueryKey` `IoAllocateIrp` `IofCallDriver` `IoCreateFile` `IoFreeIrp` `IoGetRelatedDeviceObject` `IoGetAttachedDevice` `IoFileObjectType` `MmProbeAndLockPages` `MmUnlockPages` `MmMapLockedPagesSpecifyCache` `IoAllocateMdl` `IoFreeMdl` `KeBugCheckEx`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x390`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.4153`
MD5	`e97912f439e3e76aab21a9a5a0e24af3`
SHA1	`9216d5e6f298ec66fb73c9e643b6911c6faeed23`
SHA256	`75dd0e2f898423dc477b8c100c82ee51612e8c73c58060474aab5cf62cd49119`
SHA3	`e74c5a1406ec78c085c51d67084560a79ff961de605cb7d4088b940b1b73e9b2`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	3.4.1.0
ProductVersion	3.4.1.0
FileFlags	`VS_FF_DEBUG`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_DRV`
FileSubtype	VFT2_DRV_SYSTEM
Language	English - United States
CompanyName	Adlice Software
FileDescription	Adlice RootLaser
FileVersion (#2)	3.4.1
InternalName	Adlice RootLaser
LegalCopyright	Copyright Adlice Software(C) 2025
LegalTrademarks1	Adlice Software
LegalTrademarks2	Adlice Software
OriginalFilename	Adlice RootLaser
ProductName	Adlice RootLaser
ProductVersion (#2)	3.4.1

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2025-Jan-30 13:42:06
Version	`0.0`
SizeofData	`70`
AddressOfRawData	`0x4a98`
PointerToRawData	`0x3e98`
Referenced File	E:\Adlice\Truesight\x64\Release\truesight.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Jan-30 13:42:06
Version	`0.0`
SizeofData	`436`
AddressOfRawData	`0x4ae0`
PointerToRawData	`0x3ee0`

TLS Callbacks

Load Configuration

Size	`0x108`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400062f0`
GuardCFCheckFunctionPointer	`5368726120`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xa3fc7132`
Unmarked objects	`0`
ASM objects (VS2017 v14.15 compiler 26715)	`4`
C objects (VS2017 v14.15 compiler 26715)	`5`
Imports (VS2017 v14.15 compiler 26715)	`3`
Total imports	`88`
C objects (CVTCIL) (VS2017 v14.15 compiler 26715)	`7`
C++ objects (VS2019 Update 4 (16.4.0-2) compiler 28314)	`14`
Resource objects (VS2019 Update 4 (16.4.0-2) compiler 28314)	`1`
Linker (VS2019 Update 4 (16.4.0-2) compiler 28314)	`1`

Errors

Leave a comment

No comments yet.