Manalyze report for a215edd9d9788492b561858e44184bca

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2023-Sep-23 14:39:06
Detected languages	English - United States
CompanyName	Microsoft Corporation
FileDescription	DiskPart
FileVersion	`10.0.19041.964 (WinBuild.160101.0800)`
InternalName	diskpart.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	diskpart.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.19041.964`

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Possibly launches other programs: CreateProcessW` `Can create temporary files: GetTempPathW CreateFileW` `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW`
Malicious	The PE's digital signature is invalid.	`Signer: Akeo Consulting` `Issuer: Sectigo Public Code Signing CA EV R36` `The file was modified after it was signed.`
Malicious	VirusTotal score: 53/70 (Scanned on 2025-03-11 05:13:04)	`ALYac: Gen:Variant.Tedy.600889` `APEX: Malicious` `AVG: Win32:Agent-BDOJ [Trj]` `AhnLab-V3: Trojan/Win.Evo-gen.R609691` `Alibaba: Packed:Win64/PyInstaller.1df4b6f9` `Arcabit: Trojan.Tedy.D92B39` `Avast: Win32:Agent-BDOJ [Trj]` `Avira: TR/Crypt.FKM.Gen` `BitDefender: Gen:Variant.Tedy.600889` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.1738663137184bca` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `DrWeb: Python.Muldrop.18` `ESET-NOD32: a variant of Win64/Packed.PyInstaller.L` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Tedy.600889 (B)` `F-Secure: Trojan.TR/Crypt.FKM.Gen` `FireEye: Gen:Variant.Tedy.600889` `Fortinet: W64/PackedPyInstaller.L!tr` `GData: Gen:Variant.Tedy.600889` `Google: Detected` `Gridinsoft: Ransom.Win64.Sabsik.sa` `Ikarus: Trojan.Python.SLoader` `Jiangmin: Trojan.PSW.Python.kf` `K7AntiVirus: Trojan ( 005aadfa1 )` `K7GW: Trojan ( 005aadfa1 )` `Kaspersky: Trojan-Spy.Win32.Agent.dffz` `Kingsoft: Win32.Trojan-Spy.Agent.dffz` `Lionic: Trojan.Win32.Agent.tssE` `Malwarebytes: Generic.Malware.Agent.DDS` `MaxSecure: Trojan.Malware.209835899.susgen` `McAfeeD: ti!7FBBEFDAE9AD` `MicroWorld-eScan: Gen:Variant.Tedy.600889` `Microsoft: Trojan:Win64/Lazy.AME!MTB` `NANO-Antivirus: Trojan.Win64.Mlw.kbmlvw` `Paloalto: generic.ml` `Panda: Trj/Chgt.AD` `Rising: Spyware.Agent/PYC!1.EA8F (CLASSIC)` `SentinelOne: Static AI - Malicious PE` `Sophos: Mal/Generic-S` `Symantec: Scr.Malcode!gen129` `Tencent: Win32.Trojan.FalseSign.Cujl` `VIPRE: Gen:Variant.Tedy.600889` `Varist: W64/S-a298a06b!Eldorado` `Xcitium: Malware@#16wgxr17czoxu` `Yandex: Trojan.PyInstaller!RhlJs00MQ5A` `Zillya: Trojan.Agent.Script.1739068` `alibabacloud: Trojan[spy]:Win/Lazy.AZM2XJC` `huorong: TrojanSpy/Python.Stealer.d`

Hashes

MD5	`a215edd9d9788492b561858e44184bca`
SHA1	`77d8816ecce79f525c118687149e2f3b68dcb984`
SHA256	`7fbbefdae9adf0f81808b9decf48c08ba4a47293e80cd4855c083ab1f392c184`
SHA3	`165f03b5bb8b036edc4e18ba70eefb03e6ead18ae76270aa4b7759a90c7fc68a`
SSDeep	`196608:uuWYS6uOshoKMuIkhVastRL5Di3uq1D7mW:IYShOshouIkPftRL54DRX`
Imports Hash	`20d446c1cb128febd23deb17efb67cf6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2023-Sep-23 14:39:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x29c00`
SizeOfInitializedData	`0x17200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000C260 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x48000`
SizeOfHeaders	`0x400`
Checksum	`0x752560`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x1e8480`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0853944fcdf9f6252c04b56f736ad3db`
SHA1	`63d584d0ee23e27cc8b151cf07d91349c53c93ce`
SHA256	`168b79d096bad3ee1927821cf27f2ce8f13930a0086ddb313ca617fbd3687340`
SHA3	`ae25a5e94dd293f22b248a206988c4411d8f61ff53906d0b8de8430ee4d7c3e0`
VirtualSize	`0x29c00`
VirtualAddress	`0x1000`
SizeOfRawData	`0x29c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48723`

.rdata

MD5	`cee77f506df3c8383a6ac95884e6f958`
SHA1	`fb66f88d056613219202973e58fedb937ca3cd1d`
SHA256	`ad99e8ed38ce70963f7fe5780e0c49beb2eebe9bff514a8eca1602ca01b65b10`
SHA3	`710e1d5bb9978f0875196fd9c673f3bd20f2be8192751febf22814f1f6185075`
VirtualSize	`0x12b8c`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x12c00`
PointerToRawData	`0x2a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.83103`

.data

MD5	`f30d0fb4a2c8df89443c7e932db4ab2e`
SHA1	`42bf9a35b684b1c7487267534efb21138ae4a4c8`
SHA256	`1661d6c0541e78bee4c7d813065bc36ce6222bdb05df4bfcaa7a6153e4bc6017`
SHA3	`eb9840e370d24bbeba30632fd1c67e336c124facf29c7bfdcd07d8977725e170`
VirtualSize	`0x3338`
VirtualAddress	`0x3e000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x3cc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.82905`

.pdata

MD5	`09d055e9b29567f082a2a41fbfeb3fe1`
SHA1	`5563887349415e03623d8a577c0c2995437b86f7`
SHA256	`d976385b3a9a0bbc2f8c6d9bb199caa7b6c3418bf54ebdcd9973f8042f4e094c`
SHA3	`b1411d202860370a6ec16f5534799bd289596ea061efc5393143c77ad18444a0`
VirtualSize	`0x22a4`
VirtualAddress	`0x42000`
SizeOfRawData	`0x2400`
PointerToRawData	`0x3da00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.31909`

_RDATA

MD5	`2a9dbda52bda894b78b941018aa9866d`
SHA1	`6fafa6ec15aebb275829597e2c16699dbbe6d98e`
SHA256	`0b2e17f54dfa135c4efedb59920e934cf3a8db1e6de746ce7fd43acc4d93c654`
SHA3	`e3e1ac91210db9bae71dc65d5b8603635bf2e6b8b5a2aa07bf4fb3e831f51bff`
VirtualSize	`0x15c`
VirtualAddress	`0x45000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3fe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.72677`

.rsrc

MD5	`e97bd0c7684d23d7699ff19ede74cade`
SHA1	`859108e0a36a08961ea686b46e7064acc1a78225`
SHA256	`f977acdff6849b4ac7dca42c0eb820820ea8354edd588383ac22d22a038ee1f0`
SHA3	`ab58b0a653b6891820054ebcb3363cb7e71e85d32a128a43702db7a1de30eb59`
VirtualSize	`0x930`
VirtualAddress	`0x46000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x40000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.13222`

.reloc

MD5	`6134964e304be7b5f920fbcc133988dd`
SHA1	`a213218582ab50a7639b2b09f5398bb2b7be9034`
SHA256	`74c1e520c6bdfa30246c93cd5fe0e8f4e5ffbd188fae660cd8f4a178f015385e`
SHA3	`8e89f788d3480b3992335d06bfe803150999786a25b958baf71592cb6e8b2a09`
VirtualSize	`0x75c`
VirtualAddress	`0x47000`
SizeOfRawData	`0x800`
PointerToRawData	`0x40a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.23547`

Imports

USER32.dll	`CreateWindowExW` `MessageBoxW` `MessageBoxA` `SystemParametersInfoW` `DestroyIcon` `SetWindowLongPtrW` `GetWindowLongPtrW` `GetClientRect` `InvalidateRect` `ReleaseDC` `GetDC` `DrawTextW` `GetDialogBaseUnits` `EndDialog` `DialogBoxIndirectParamW` `MoveWindow` `SendMessageW`
COMCTL32.dll	`#380`
KERNEL32.dll	`GetStringTypeW` `GetFileAttributesExW` `HeapReAlloc` `FlushFileBuffers` `GetCurrentDirectoryW` `IsValidCodePage` `GetACP` `GetModuleHandleW` `MulDiv` `GetLastError` `SetDllDirectoryW` `GetModuleFileNameW` `CreateSymbolicLinkW` `GetProcAddress` `GetCommandLineW` `GetEnvironmentVariableW` `GetOEMCP` `ExpandEnvironmentStringsW` `CreateDirectoryW` `GetTempPathW` `WaitForSingleObject` `Sleep` `GetExitCodeProcess` `CreateProcessW` `GetStartupInfoW` `FreeLibrary` `LoadLibraryExW` `SetConsoleCtrlHandler` `FindClose` `FindFirstFileExW` `CloseHandle` `GetCurrentProcess` `LocalFree` `FormatMessageW` `MultiByteToWideChar` `WideCharToMultiByte` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetProcessHeap` `GetTimeZoneInformation` `HeapSize` `WriteConsoleW` `SetEnvironmentVariableW` `RtlUnwindEx` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `SetEndOfFile` `SetLastError` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `RaiseException` `RtlPcToFileHeader` `GetCommandLineA` `CreateFileW` `GetDriveTypeW` `GetFileInformationByHandle` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `GetFullPathNameW` `RemoveDirectoryW` `FindNextFileW` `SetStdHandle` `DeleteFileW` `ReadFile` `GetStdHandle` `WriteFile` `ExitProcess` `GetModuleHandleExW` `HeapFree` `GetConsoleMode` `ReadConsoleW` `SetFilePointerEx` `GetConsoleOutputCP` `GetFileSizeEx` `HeapAlloc` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW`
ADVAPI32.dll	`OpenProcessToken` `GetTokenInformation` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `ConvertSidToStringSidW`
GDI32.dll	`SelectObject` `DeleteObject` `CreateFontIndirectW`

Delayed Imports

1

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x380`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.4969`
MD5	`ed9413eb7854aa4a7ec95178bb2d3d2a`
SHA1	`72be838c7b1483401d3a02a3b80ce99eff3ed418`
SHA256	`e9e853eb94d24ebc869cec4875fe893926fec675549d44f17d3e3f95ab169907`
SHA3	`b736a0c0cfdfbe30663973f66f7ad1e2d91f32ba3044332152d513172ea8245c`

1 (#2)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x50d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.25791`
MD5	`84da8dee6b319ea0b10b6de5489c6aae`
SHA1	`5f8991f3e065fd95614859a293f88b9c70e4bb23`
SHA256	`abf8f2022f12f350789d961aceaf9ccfd53e7ec58d8c9934cfce77779b4eac11`
SHA3	`08f0562915b54bedce5a84e9d32cb2efcc538268785103b1852338e20a3b4606`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.19041.964
ProductVersion	10.0.19041.964
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	DiskPart
FileVersion (#2)	10.0.19041.964 (WinBuild.160101.0800)
InternalName	diskpart.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	diskpart.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.19041.964

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2023-Sep-23 14:39:06
Version	`0.0`
SizeofData	`772`
AddressOfRawData	`0x3a7e0`
PointerToRawData	`0x397e0`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003e018`
GuardCFCheckFunctionPointer	`5368886304`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xdc64562c`
Unmarked objects	`0`
ASM objects (30795)	`8`
C++ objects (30795)	`187`
C objects (30795)	`10`
253 (VS2022 Update 4 (17.4.2) compiler 31935)	`4`
C++ objects (VS2022 Update 4 (17.4.2) compiler 31935)	`40`
C objects (VS2022 Update 4 (17.4.2) compiler 31935)	`17`
ASM objects (VS2022 Update 4 (17.4.2) compiler 31935)	`9`
Imports (30795)	`11`
Total imports	`139`
C objects (VS2022 Update 5 (17.5.4) compiler 32217)	`21`
Linker (VS2022 Update 5 (17.5.4) compiler 32217)	`1`

a215edd9d9788492b561858e44184bca

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

_RDATA

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors