Manalyze report for b8650aed8e7282bffedb0d80e8e5c0cf8810ed9e2be97acc4d45a5fb5f609b30

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Feb-09 15:56:04
Detected languages	English - United States
Debug artifacts	D:\coding\WInLoad\x64\Release\Winloader.pdb

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Suspicious	PEiD Signature:	`UPolyX V0.1 -> Delikon`
Info	Interesting strings found in the binary:	Contains domain names: acutedotcomb.cn breveacutecomb.cn brevegravecomb.cn brevetildecomb.cn circumflexacutecomb.cn circumflexgravecomb.cn circumflexhookcomb.cn circumflextildecomb.cn commaaccentright.cn commaaccentrotate.cn github.com http://scripts.sil.org http://scripts.sil.org/OFLInterMediumInterMediumOpen http://scripts.sil.org/OFLhttp https://discord.gg https://github.com https://rsms.me https://scripts.sil.org https://scripts.sil.org/OFLThis https://scripts.sil.org/OFLhttps https://www.lexend.comBonnie koronisaccentleft.cn macrondieresiscomb.cn scripts.sil.org tildecross.cn tildemacroncomb.cn tonos.top uni02E5.cn uni02E6.cn uni02E7.cn uni02E8.cn uni02E9.cn uni1DC4.cn uni1DC6.cn
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Possibly launches other programs: CreateProcessA ShellExecuteA system` `Can create temporary files: GetTempPathA CreateFileA` `Has Internet access capabilities: InternetOpenUrlA InternetCloseHandle InternetReadFile InternetOpenA` `Reads the contents of the clipboard: GetClipboardData`
Malicious	VirusTotal score: 45/72 (Scanned on 2026-04-11 11:40:23)	`ALYac: Gen:Variant.Application.Lazy.458736` `APEX: Malicious` `AVG: Win64:MalwareX-gen [Misc]` `Alibaba: Trojan:Win64/MalwareX.ebaab186` `Antiy-AVL: Trojan/Win32.Agent` `Arcabit: Trojan.Application.Lazy.D6FFF0` `Avast: Win64:MalwareX-gen [Misc]` `BitDefender: Gen:Variant.Application.Lazy.458736` `Bkav: W64.AIDetectMalware` `CAT-QuickHeal: Trojan.Kepavll` `CTX: exe.trojan.generic` `CrowdStrike: win/malicious_confidence_60% (W)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/Agent_AGen.GTT trojan` `Elastic: malicious (high confidence)` `Emsisoft: Gen:Variant.Application.Lazy.458736 (B)` `GData: Gen:Variant.Application.Lazy.458736` `Google: Detected` `Ikarus: Trojan.Win32.Generic` `K7AntiVirus: Trojan ( 005d23831 )` `K7GW: Trojan ( 005d23831 )` `Lionic: Trojan.Win32.Kepavll.4!c` `Malwarebytes: Malware.AI.4284191138` `MaxSecure: Trojan.Malware.345033516.susgen` `McAfeeD: ti!B8650AED8E72` `MicroWorld-eScan: Gen:Variant.Application.Lazy.458736` `Microsoft: Trojan:Win32/Kepavll!rfn` `Rising: Trojan.Kryptik@AI.100 (RDML:JV3mWzC3zYzi1v2AfDWdlQ)` `SentinelOne: Static AI - Suspicious PE` `Skyhigh: BehavesLike.Win64.Dropper.vc` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `Tencent: Malware.Win32.Gencirc.14a9517c` `TrellixENS: Artemis!C09846027BE8` `TrendMicro: TROJ_FRS.VSNTC326` `TrendMicro-HouseCall: TROJ_FRS.VSNTC326` `VBA32: Trojan.Kepavll` `VIPRE: Gen:Variant.Application.Lazy.458736` `Varist: W64/ABApplication.DNCT-5773` `ViRobot: Trojan.Win.Z.Lazy.6593024` `Yandex: Trojan.Igent.b52gZp.2` `Zillya: Trojan.AgentAGen.Win64.30611` `alibabacloud: Riskware:Win/Agent_AGen.GSB`

Hashes

MD5	`c09846027be8f021f7f83b068a610fec`
SHA1	`b9ee3e5268480cbd804c962ea9ac501ac0159ff0`
SHA256	`b8650aed8e7282bffedb0d80e8e5c0cf8810ed9e2be97acc4d45a5fb5f609b30`
SHA3	`937c8787cce48bf06d7e487a9cd1214a6d9e9c13e5adfd6db9c481632e82db8e`
SSDeep	`98304:Y4BUjb8tmxvWtv3D1dAq1PmHDTl5NutukESs42we0jZeVDnZdcJILS0Qdl0e5hx:Yratvz1dkHXl5PkE/mCrZdpe3rxiNM3`
Imports Hash	`dc35d69ac2e55dce2b87a3624c5af6c9`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2026-Feb-09 15:56:04
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xadc00`
SizeOfInitializedData	`0x59c400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000ACFCC (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x64d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`43ea8488340054451626e79b56efc216`
SHA1	`5b2166cdc282ee0b579a69282427175b3fc855fe`
SHA256	`7be1cec0b4eb6be2dde82064c8e1dcce8de5ba440eb1dc859a890bf25d9ad3e4`
SHA3	`4243d9cfdedc6f28fb4e9eef3400aa009085397e81b954efc6dc9ab6e2ec64aa`
VirtualSize	`0xadb53`
VirtualAddress	`0x1000`
SizeOfRawData	`0xadc00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.52567`

.rdata

MD5	`c5c506e4b85af30cc58a73061b538ae1`
SHA1	`123c71fcf3c7872eaf0092a8706445930d641858`
SHA256	`aef7783becc326518acb8f44fe83a7b3020597d03bb62532097cd81f55f2100b`
SHA3	`8f51fd836064ca70a31bcdb7d47fbff64b950f5bd26bd5addc9d89ce2a7f95dd`
VirtualSize	`0x32d66`
VirtualAddress	`0xaf000`
SizeOfRawData	`0x32e00`
PointerToRawData	`0xae000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.31546`

.data

MD5	`6da1f79e70ed0067e600d90a34ae949a`
SHA1	`f11212a14900280bf75225007c97934b1571bd42`
SHA256	`19e7d7043ddc84622786f8999f7a02da0a9cea291f139ba29dbe996d7a1eea8f`
SHA3	`99f29d0e5e8f38ca16278bc74544f200388c4d30c0080b428f0b53a7984dff70`
VirtualSize	`0x55ffe8`
VirtualAddress	`0xe2000`
SizeOfRawData	`0x55f600`
PointerToRawData	`0xe0e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.92263`

.pdata

MD5	`3bfb2361d571746996390547f1732284`
SHA1	`48dc598f6d17b540e0c8ea8ba56b5a1b879264ae`
SHA256	`5a6e3c8ea9707fda745a67e419780a261b9268684f8b7b2690bcaa9df3cd7f1c`
SHA3	`b92763ea631c511eb65df5533de51df3419c0ce8fd3f724d8eda4f8bfb904857`
VirtualSize	`0x852c`
VirtualAddress	`0x642000`
SizeOfRawData	`0x8600`
PointerToRawData	`0x640400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.00488`

.rsrc

MD5	`3d567e1253f1095787321927510033f6`
SHA1	`8a8cbce7566348c47ffc42a997918a0d1cb3aa52`
SHA256	`8d0ab5a9f4958c81adb5b473fe72d6e384c466e6c1b8a31d1a0ef11b20c18528`
SHA3	`5e8179c34b053479c9d7d79ca1104828ce5729b9b7372d006f71711ecf6c0168`
VirtualSize	`0x1e0`
VirtualAddress	`0x64b000`
SizeOfRawData	`0x200`
PointerToRawData	`0x648a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71006`

.reloc

MD5	`0b74d060c5d2942e6ff42ac9edd5cbca`
SHA1	`9891b43328d09ffbccfe14721648bb5202f2f603`
SHA256	`92c4c77fa74972deeae651612f8d5761fe761df664c248b567ed82e6875f053b`
SHA3	`9772e69c18393b78446f3f7d1b0ee173cf1250bfb86120dfa5f73d30218e7e4b`
VirtualSize	`0xd48`
VirtualAddress	`0x64c000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x648c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.35069`

Imports

d3d11.dll	`D3D11CreateDeviceAndSwapChain`
D3DCOMPILER_43.dll	`D3DCompile`
KERNEL32.dll	`GetLocaleInfoA` `LoadLibraryA` `QueryPerformanceFrequency` `GetProcAddress` `FreeLibrary` `QueryPerformanceCounter` `ReadFile` `SetHandleInformation` `WriteFile` `CreatePipe` `PeekNamedPipe` `WaitForSingleObject` `Sleep` `GetTempPathA` `GetFileAttributesA` `DeleteFileA` `CloseHandle` `CreateThread` `SetFileAttributesA` `GetCurrentProcessId` `CreateProcessA` `GetExitCodeProcess` `GlobalUnlock` `GetCurrentThreadId` `GetStartupInfoW` `IsDebuggerPresent` `IsProcessorFeaturePresent` `TerminateProcess` `GetCurrentProcess` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `SleepConditionVariableSRW` `WakeAllConditionVariable` `AcquireSRWLockExclusive` `ReleaseSRWLockExclusive` `CreateFileMappingA` `UnmapViewOfFile` `MapViewOfFile` `HeapFree` `HeapAlloc` `GetFileSizeEx` `CreateFileA` `WideCharToMultiByte` `GlobalLock` `InitializeSListHead` `GlobalFree` `GlobalAlloc` `MultiByteToWideChar` `GetSystemTimeAsFileTime` `GetModuleHandleW`
USER32.dll	`PostQuitMessage` `TranslateMessage` `SetLayeredWindowAttributes` `PeekMessageW` `GetCapture` `GetWindowLongW` `SetWindowLongA` `DefWindowProcW` `DestroyWindow` `CreateWindowExW` `GetSystemMetrics` `UnregisterClassW` `RegisterClassExW` `ShowWindow` `DispatchMessageW` `MoveWindow` `UpdateWindow` `GetKeyState` `GetMessageExtraInfo` `GetWindowRect` `SetClipboardData` `GetClipboardData` `EmptyClipboard` `CloseClipboard` `OpenClipboard` `GetCursorPos` `SetCursorPos` `ReleaseCapture` `IsWindowUnicode` `ClientToScreen` `TrackMouseEvent` `GetKeyboardLayout` `GetForegroundWindow` `LoadCursorW` `SetCapture` `SetCursor` `GetClientRect` `ScreenToClient`
SHELL32.dll	`ShellExecuteA`
d3dx11_43.dll	`D3DX11CreateShaderResourceViewFromMemory`
MSVCP140.dll	`?always_noconv@codecvt_base@std@@QEBA_NXZ` `?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z` `??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ` `?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z` `?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z` `??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ` `??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ` `?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z` `?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z` `?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ` `?_Xlength_error@std@@YAXPEBD@Z` `??1_Lockit@std@@QEAA@XZ` `??0_Lockit@std@@QEAA@H@Z` `?_Throw_Cpp_error@std@@YAXH@Z` `?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ` `?_Xbad_alloc@std@@YAXXZ` `?_Id_cnt@id@locale@std@@0HA` `?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A` `?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z` `_Cnd_do_broadcast_at_thread_exit` `_Thrd_detach` `??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ` `?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ` `??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ` `?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ` `??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z` `?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z` `?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z` `?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z`
IMM32.dll	`ImmSetCandidateWindow` `ImmReleaseContext` `ImmGetContext` `ImmSetCompositionWindow`
dwmapi.dll	`DwmExtendFrameIntoClientArea`
WININET.dll	`InternetOpenUrlA` `InternetCloseHandle` `InternetReadFile` `HttpQueryInfoA` `InternetOpenA`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`memchr` `memcmp` `__C_specific_handler` `memset` `__current_exception_context` `__intrinsic_setjmp` `_CxxThrowException` `__current_exception` `memmove` `memcpy` `longjmp` `strrchr` `strstr` `__std_terminate` `__std_exception_copy` `__std_exception_destroy`
api-ms-win-crt-runtime-l1-1-0.dll	`_initialize_onexit_table` `_register_onexit_function` `_crt_atexit` `_initialize_narrow_environment` `_cexit` `_seh_filter_exe` `_set_app_type` `_configure_narrow_argv` `_get_narrow_winmain_command_line` `_initterm` `_initterm_e` `_exit` `_c_exit` `_register_thread_local_exe_atexit_callback` `exit` `_invoke_watson` `_beginthreadex` `system` `terminate`
api-ms-win-crt-math-l1-1-0.dll	`acosf` `sinf` `roundf` `sqrtf` `ceilf` `fmodf` `powf` `cosf` `expf` `__setusermatherr`
api-ms-win-crt-string-l1-1-0.dll	`strcpy_s` `strncmp` `strncpy` `strcmp`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-stdio-l1-1-0.dll	`__stdio_common_vsprintf` `_wfopen` `_get_stream_buffer_pointers` `__p__commode` `_set_fmode` `fread` `__stdio_common_vsscanf` `__stdio_common_vfprintf` `fseek` `fclose` `fflush` `__acrt_iob_func` `ftell` `fputc` `fgetc` `fwrite` `_fseeki64` `fsetpos` `ungetc` `setvbuf` `fgetpos`
api-ms-win-crt-heap-l1-1-0.dll	`free` `_callnewh` `malloc` `_set_new_mode`
api-ms-win-crt-convert-l1-1-0.dll	`atol` `strtol`
api-ms-win-crt-filesystem-l1-1-0.dll	`_unlock_file` `_lock_file`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2026-Feb-09 15:56:04
Version	`0.0`
SizeofData	`68`
AddressOfRawData	`0xd359c`
PointerToRawData	`0xd259c`
Referenced File	D:\coding\WInLoad\x64\Release\Winloader.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2026-Feb-09 15:56:04
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0xd35e0`
PointerToRawData	`0xd25e0`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-Feb-09 15:56:04
Version	`0.0`
SizeofData	`912`
AddressOfRawData	`0xd35f4`
PointerToRawData	`0xd25f4`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2026-Feb-09 15:56:04
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x1400d39a8`
EndAddressOfRawData	`0x1400d39b0`
AddressOfIndex	`0x140641b40`
AddressOfCallbacks	`0x1400af930`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400e2040`

RICH Header

XOR Key	`0x7a7f233e`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`20`
253 (35207)	`1`
ASM objects (35207)	`4`
C objects (35207)	`10`
C++ objects (35207)	`33`
Imports (35207)	`6`
C objects (VS2022 Update 1 (17.1.6) compiler 31107)	`26`
Imports (33140)	`14`
Imports (21202)	`7`
Total imports	`257`
C++ objects (LTCG) (35209)	`19`
Resource objects (35209)	`1`
Linker (35209)	`1`

Errors

Leave a comment

No comments yet.