Manalyze report for a7c8d7e6eb5c8661a0c2a7bc16de4c49398461baadd2f0e9b4d9b43b98897aae

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2025-Dec-23 12:47:49
Detected languages	English - United States

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to mining pools: stratum+tcp://` `Contains domain names: api.xmrig.com donate.ssl.xmrig.com donate.v2.xmrig.com https://xmrig.com nicehash.com randomx.xmrig.com ssl.xmrig.com v2.xmrig.com www.xmrig.com xmrig.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses known Diffie-Helman primes` `Uses known Mersenne Twister constants` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: _RANDOMX` `Unusual section name found: _TEXT_CN` `Unusual section name found: _TEXT_CN` `Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW LoadLibraryExW LoadLibraryExA` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Uses Microsoft's cryptographic API: CryptEnumProvidersW CryptSignHashW CryptDestroyHash CryptCreateHash CryptDecrypt CryptExportKey CryptGetUserKey CryptGetProvParam CryptSetHashParam CryptDestroyKey CryptReleaseContext CryptAcquireContextW` `Can create temporary files: CreateFileW CreateFileA GetTempPathW` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Leverages the raw socket API to access the Internet: WSASetLastError send recv ntohs htons htonl inet_addr inet_ntoa gethostbyaddr WSAGetLastError WSAIoctl gethostbyname WSARecvFrom WSASocketW WSASend WSARecv gethostname WSADuplicateSocketW getpeername FreeAddrInfoW GetAddrInfoW shutdown socket setsockopt listen connect closesocket bind WSACleanup WSAStartup select getsockopt getsockname ioctlsocket getservbyname getservbyport` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Interacts with services: CreateServiceW QueryServiceStatus OpenSCManagerW QueryServiceConfigA DeleteService ControlService OpenServiceW` `Enumerates local disk drives: GetDriveTypeW` `Interacts with the certificate store: CertOpenStore`
Malicious	VirusTotal score: 49/68 (Scanned on 2026-02-05 05:13:26)	`ALYac: Gen:Variant.Application.Miner.293` `APEX: Malicious` `AhnLab-V3: CoinMiner/Win.Generic.X2238` `Alibaba: Trojan:Win32/Coinminer.449` `Antiy-AVL: RiskWare/Win64.Agent` `Arcabit: Trojan.Application.Miner.293` `Avira: PUA/CoinMiner.Gen` `BitDefender: Gen:Variant.Application.Miner.293` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.Ghanarava.17696697178b5609` `CTX: exe.miner.generic` `ClamAV: Win.Coinminer.Generic-7151250-0` `CrowdStrike: win/malicious_confidence_100% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 99)` `DeepInstinct: MALICIOUS` `DrWeb: Tool.BtcMine.2816` `ESET-NOD32: Win64/CoinMiner.IZ potentially unwanted application` `Elastic: Multi.Cryptominer.Xmrig` `Emsisoft: Gen:Variant.Application.Miner.293 (B)` `F-Secure: PotentialRisk.PUA/CoinMiner.Gen` `Fortinet: Riskware/CoinMiner` `GData: Win64.Application.Coinminer.CP` `Google: Detected` `Gridinsoft: Trojan.Win64.CoinMiner.mz!s6` `Ikarus: PUA.CoinMiner` `K7AntiVirus: Unwanted-Program ( 005cde501 )` `K7GW: Unwanted-Program ( 005cde501 )` `Kingsoft: Win32.Troj.Undef.a` `Lionic: Riskware.Win32.BitMiner.1!c` `Malwarebytes: CoinMiner.Trojan.Miner.DDS` `McAfeeD: ti!A7C8D7E6EB5C` `MicroWorld-eScan: Gen:Variant.Application.Miner.293` `Paloalto: generic.ml` `Panda: Trj/GdSda.A` `Rising: HackTool.XMRMiner!1.C2EC (CLASSIC)` `Sangfor: Trojan.Win64.XMR.Miner` `SentinelOne: Static AI - Malicious PE` `Sophos: XMRig Miner (PUA)` `Symantec: ML.Attribute.HighConfidence` `Tencent: Riskware.Win64.Miner_l.16001723` `Trapmine: suspicious.low.ml.score` `TrellixENS: CoinMiner-FEF` `VIPRE: Gen:Variant.Application.Miner.293` `Varist: W64/Trojan3.ASMH` `Yandex: Riskware.Agent!bWkslVCn6+Y` `Zillya: Tool.BitMiner.Win32.5685` `alibabacloud: Miner:Multi/XmrigGo.SY` `huorong: HackTool/W64.CoinMiner.a!crit`

Hashes

MD5	`ab2e22e334c70bb81fff355fd08b5609`
SHA1	`b4e6fec42d3480b6aa9979867e149157072c2fc8`
SHA256	`a7c8d7e6eb5c8661a0c2a7bc16de4c49398461baadd2f0e9b4d9b43b98897aae`
SHA3	`a05a5ce9f80e5a537c747d5cb018431ced9d642c73a772070ddb915ca68c7aa8`
SSDeep	`98304:d36U0mJMOqh9s03ZMza32r4vQmI4eXUMltMQXfPJFWNNrgs4u/EKgIymvloXMPw:dL7y5h9FcJFwrgDu/nGmv6iL0QC`
Imports Hash	`3a3643ded1fedfee82a3324c3db3bf43`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x120`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`10`
TimeDateStamp	2025-Dec-23 12:47:49
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x42de00`
SizeOfInitializedData	`0x1f4c00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000003F4164 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x8c8000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4ab77b2d3b6a378bd775c12d046052e0`
SHA1	`6d1209b0793f0d40a4f97a6c6740bde04ce7891e`
SHA256	`b39f7ce195e83a06408ab428a6cc5f0b9661d2af411ef3e41ad65160276304d8`
SHA3	`af4c8657db0fb0288dc59396c14e4f79a1f28634a3032a1c2e8495ea62fc2e61`
VirtualSize	`0x42dd34`
VirtualAddress	`0x1000`
SizeOfRawData	`0x42de00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.50585`

.rdata

MD5	`ebda75867f200d931f99de78ff242355`
SHA1	`1623262c0d8c4a77a6910a3a6ae1e18504085f28`
SHA256	`7fe6eca8bf692b056eb504d163a74685f628e0cf1d072636f0e7059411d4a1bb`
SHA3	`f8c54e45eb02870f065df0d8460f60a6323fe1db4ae6865f942ada443bfce8b6`
VirtualSize	`0x1a8d8c`
VirtualAddress	`0x42f000`
SizeOfRawData	`0x1a8e00`
PointerToRawData	`0x42e200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.17141`

.data

MD5	`9fdb9dc6e73b719476dae284eafa1801`
SHA1	`8f6559a44fd7ed81d7ae6dd4a5285d7699d5d7f6`
SHA256	`899d4efdd03c249a6b5a63c80d5fe6b6c1395290fb443798d426eac0bbc7fb01`
SHA3	`cdd3eac0b404dcc7aa89f91e9dba2180b98ef158b915a117f66a3ac5ef822702`
VirtualSize	`0x2af32c`
VirtualAddress	`0x5d8000`
SizeOfRawData	`0x10600`
PointerToRawData	`0x5d7000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.93953`

.pdata

MD5	`77e3a75aaa2bddab28b61a2a6ef04345`
SHA1	`4532b5d71a65091f1a2871b812d6cf06c757f2d9`
SHA256	`ae46aeb6eb1e1f014c8016dd71e8b3421158ce0e0f50943acec0956b28c082e6`
SHA3	`b47a7515a8309037309d4891e5fc3e977da5c4571432923e01b6059c059b669d`
VirtualSize	`0x2b1dc`
VirtualAddress	`0x888000`
SizeOfRawData	`0x2b200`
PointerToRawData	`0x5e7600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.34447`

_RANDOMX

MD5	`9ee63642b94966ecb630ee0843e46b26`
SHA1	`11bd5b6446d56158259a24b938f7c4959bd56e21`
SHA256	`a0e8dcaf970131535f4e5292a291692b43dc1fe5112d3fa7540a851de29664ea`
SHA3	`3340b30c98f35504dbecd4eff4680013fe534c1f1e5df6ea50f6fe41274e85ff`
VirtualSize	`0xc56`
VirtualAddress	`0x8b4000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x612800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.68241`

_TEXT_CN

MD5	`afea7882aa31e5987db2f12b8933de56`
SHA1	`91d62ae67c7e250650c5d785cffb0a794da2f085`
SHA256	`22da176111a6792ee42e810c4381316e710e95c28567224e7c5b5d4d703400fe`
SHA3	`45f964cd6a8a2b7d2570bc7d428bc928e75fa4ee11032f599a5f7f02435d9ed3`
VirtualSize	`0x26d1`
VirtualAddress	`0x8b5000`
SizeOfRawData	`0x2800`
PointerToRawData	`0x613600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.07727`

_TEXT_CN (#2)

MD5	`409bf3f918f2402291cb56c2e9354b47`
SHA1	`4992a8b9c3e33a7f8659bd20066f907134f7c337`
SHA256	`97edf367117028c754aed0c10748bfa55d73a87af588af16d5b24610e1652b08`
SHA3	`a8379e211aa90421ff01b9567092fde1be282d339ea986b42067baed4539be96`
VirtualSize	`0x1184`
VirtualAddress	`0x8b8000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x615e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.04792`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x100`
VirtualAddress	`0x8ba000`
SizeOfRawData	`0x200`
PointerToRawData	`0x617000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`e1bea44b6fb1b0cb7332e3748ec47b09`
SHA1	`d6907c965aae59ff3767262567caac5158f66d12`
SHA256	`d4d5df970b15a0bc28b7ed6699ac70b7b16faa449617581daf0439006434227e`
SHA3	`de06decf52b2d22e8d017ded1e205fc85153243f84adfc48aa73130653bfc732`
VirtualSize	`0x500`
VirtualAddress	`0x8bb000`
SizeOfRawData	`0x600`
PointerToRawData	`0x617200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.68618`

.reloc

MD5	`11f755c0f697f015c50ea4a7d6b48d51`
SHA1	`74a3f70f53aeeeb4642cc29b2542de277c767a73`
SHA256	`9b628eb85ebb316e74f2b41f842954f56e5b7d3e91a6b282a88c6ddf22e13888`
SHA3	`d8ae5e9b59152c74bbd3510422821e64f03ba30b9246d303323a1a16244e6e31`
VirtualSize	`0xb540`
VirtualAddress	`0x8bc000`
SizeOfRawData	`0xb600`
PointerToRawData	`0x617800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.45396`

Imports

WS2_32.dll	`WSASetLastError` `send` `recv` `ntohs` `htons` `htonl` `inet_addr` `inet_ntoa` `gethostbyaddr` `WSAGetLastError` `WSAIoctl` `gethostbyname` `WSARecvFrom` `WSASocketW` `WSASend` `WSARecv` `gethostname` `WSADuplicateSocketW` `getpeername` `FreeAddrInfoW` `GetAddrInfoW` `shutdown` `socket` `setsockopt` `listen` `connect` `closesocket` `bind` `WSACleanup` `WSAStartup` `select` `getsockopt` `getsockname` `ioctlsocket` `getservbyname` `getservbyport`
IPHLPAPI.DLL	`GetAdaptersAddresses`
USERENV.dll	`GetUserProfileDirectoryW`
CRYPT32.dll	`CertFreeCertificateContext` `CertFindCertificateInStore` `CertEnumCertificatesInStore` `CertCloseStore` `CertOpenStore` `CertGetCertificateContextProperty` `CertDuplicateCertificateContext`
KERNEL32.dll	`UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `WriteConsoleW` `SetConsoleTitleA` `GetStdHandle` `SetConsoleMode` `GetConsoleMode` `QueryPerformanceFrequency` `QueryPerformanceCounter` `SizeofResource` `LockResource` `LoadResource` `FindResourceW` `ExpandEnvironmentStringsA` `GetConsoleWindow` `GetSystemFirmwareTable` `HeapFree` `HeapAlloc` `GetProcessHeap` `MultiByteToWideChar` `SetPriorityClass` `GetCurrentProcess` `SetThreadPriority` `GetSystemPowerStatus` `GetCurrentThread` `GetProcAddress` `GetModuleHandleW` `GetTickCount` `CloseHandle` `FreeConsole` `VirtualProtect` `VirtualFree` `VirtualAlloc` `GetLargePageMinimum` `LocalAlloc` `GetLastError` `LocalFree` `FlushInstructionCache` `GetCurrentThreadId` `AddVectoredExceptionHandler` `DeviceIoControl` `GetModuleFileNameW` `CreateFileW` `SetLastError` `GetSystemTime` `SystemTimeToFileTime` `GetModuleHandleExW` `Sleep` `InitializeSRWLock` `ReleaseSRWLockExclusive` `ReleaseSRWLockShared` `AcquireSRWLockExclusive` `AcquireSRWLockShared` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetSystemInfo` `SwitchToFiber` `DeleteFiber` `CreateFiberEx` `FindClose` `FindFirstFileW` `FindNextFileW` `WideCharToMultiByte` `GetSystemDirectoryA` `FreeLibrary` `LoadLibraryA` `FormatMessageA` `GetFileType` `WriteFile` `GetEnvironmentVariableW` `GetACP` `ConvertFiberToThread` `ConvertThreadToFiberEx` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `LoadLibraryW` `ReadConsoleA` `ReadConsoleW` `PostQueuedCompletionStatus` `CreateFileA` `DuplicateHandle` `SetEvent` `ResetEvent` `WaitForSingleObject` `CreateEventA` `QueueUserWorkItem` `RegisterWaitForSingleObject` `UnregisterWait` `GetNumberOfConsoleInputEvents` `ReadConsoleInputW` `FillConsoleOutputCharacterW` `FillConsoleOutputAttribute` `GetConsoleCursorInfo` `SetConsoleCursorInfo` `GetConsoleScreenBufferInfo` `SetConsoleCursorPosition` `SetConsoleTextAttribute` `WriteConsoleInputW` `CreateDirectoryW` `FlushFileBuffers` `GetDiskFreeSpaceW` `GetFileAttributesW` `GetFileInformationByHandle` `IsDebuggerPresent` `InitializeSListHead` `GetFullPathNameW` `ReadFile` `RemoveDirectoryW` `SetFilePointerEx` `SetFileTime` `MapViewOfFile` `FlushViewOfFile` `UnmapViewOfFile` `CreateFileMappingA` `ReOpenFile` `CopyFileW` `MoveFileExW` `CreateHardLinkW` `GetFileInformationByHandleEx` `CreateSymbolicLinkW` `TryAcquireSRWLockExclusive` `InitializeCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitOnceExecuteOnce` `InitializeConditionVariable` `WakeConditionVariable` `WakeAllConditionVariable` `SleepConditionVariableCS` `ReleaseSemaphore` `GetExitCodeThread` `ResumeThread` `GetNativeSystemInfo` `GetModuleHandleA` `GetProcessAffinityMask` `RtlUnwind` `CreateSemaphoreA` `SetConsoleCtrlHandler` `GetCurrentDirectoryW` `GetLongPathNameW` `GetShortPathNameW` `CreateIoCompletionPort` `ReadDirectoryChangesW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `SetCurrentDirectoryW` `GetTempPathW` `GlobalMemoryStatusEx` `FileTimeToSystemTime` `K32GetProcessMemoryInfo` `SetHandleInformation` `CancelIoEx` `CancelIo` `SwitchToThread` `SetFileCompletionNotificationModes` `LoadLibraryExW` `SetErrorMode` `GetQueuedCompletionStatusEx` `ConnectNamedPipe` `SetNamedPipeHandleState` `PeekNamedPipe` `CreateNamedPipeW` `GetOverlappedResult` `CancelSynchronousIo` `GetNamedPipeHandleStateA` `GetNamedPipeClientProcessId` `GetNamedPipeServerProcessId` `TerminateProcess` `GetExitCodeProcess` `UnregisterWaitEx` `DebugBreak` `LoadLibraryExA` `GetStartupInfoW` `GetModuleFileNameA` `GetVersionExA` `SetProcessAffinityMask` `GetComputerNameA` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `GetStringTypeW` `GetCPInfo` `CompareStringEx` `LCMapStringEx` `DecodePointer` `RtlUnwindEx` `GetFinalPathNameByHandleW` `RtlPcToFileHeader` `RaiseException` `InitializeCriticalSectionAndSpinCount` `SetStdHandle` `GetCommandLineA` `GetCommandLineW` `CreateThread` `ExitThread` `FreeLibraryAndExitThread` `GetDriveTypeW` `SystemTimeToTzSpecificLocalTime` `ExitProcess` `GetFileAttributesExW` `SetFileAttributesW` `GetConsoleOutputCP` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `HeapReAlloc` `GetTimeZoneInformation` `HeapSize` `HeapQueryInformation` `SetEndOfFile` `FindFirstFileExW` `IsValidCodePage` `GetOEMCP` `GetFileSizeEx` `SetThreadAffinityMask` `EncodePointer` `InitializeCriticalSectionEx` `WaitForSingleObjectEx` `SleepConditionVariableSRW`
USER32.dll	`GetLastInputInfo` `MessageBoxW` `GetProcessWindowStation` `TranslateMessage` `GetUserObjectInformationW` `ShowWindow` `DispatchMessageA` `GetSystemMetrics` `MapVirtualKeyW` `GetMessageA`
SHELL32.dll	`SHGetSpecialFolderPathA`
ole32.dll	`CoInitializeEx` `CoUninitialize` `CoCreateInstance`
ADVAPI32.dll	`SystemFunction036` `GetUserNameW` `ReportEventW` `RegisterEventSourceW` `DeregisterEventSource` `CryptEnumProvidersW` `CryptSignHashW` `CryptDestroyHash` `CryptCreateHash` `CryptDecrypt` `CryptExportKey` `CryptGetUserKey` `CryptGetProvParam` `CryptSetHashParam` `CryptDestroyKey` `CryptReleaseContext` `CryptAcquireContextW` `CreateServiceW` `QueryServiceStatus` `CloseServiceHandle` `OpenSCManagerW` `QueryServiceConfigA` `DeleteService` `ControlService` `StartServiceW` `OpenServiceW` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `OpenProcessToken` `LsaOpenPolicy` `LsaAddAccountRights` `LsaClose` `GetTokenInformation`
bcrypt.dll	`BCryptGenRandom`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2de`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.62317`
MD5	`189929c9805e4fa8c001fc9328244c12`
SHA1	`a7693d6f9460712c6c51b89fce9f87ce1da7ad2d`
SHA256	`2e2329375789f472636a376a1689dcec28794855acb9158215080fdeaac2e3cd`
SHA3	`f834bfb526589d9ea977a0260c26c8e41f990013750525b461df71def3088e9c`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Dec-23 12:47:49
Version	`0.0`
SizeofData	`1140`
AddressOfRawData	`0x5a3978`
PointerToRawData	`0x5a2b78`

TLS Callbacks

StartAddressOfRawData	`0x1405a3e38`
EndAddressOfRawData	`0x1405a3e68`
AddressOfIndex	`0x140874528`
AddressOfCallbacks	`0x14042fd78`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1405de1c0`

RICH Header

XOR Key	`0x89506a34`
Unmarked objects	`0`
C++ objects (33140)	`203`
ASM objects (33140)	`11`
ASM objects (35207)	`10`
C objects (35207)	`19`
C++ objects (35207)	`96`
C objects (33140)	`22`
Total imports	`386`
Imports (33140)	`23`
C objects (35208)	`818`
C++ objects (LTCG) (35208)	`265`
ASM objects (35208)	`3`
Resource objects (35208)	`1`
151	`1`
Linker (35208)	`1`

Errors

[!] Error: Could not read a VS_FIXED_FILE_INFO!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!

Leave a comment

No comments yet.