Manalyze report for bf0fd8a28d09f040e9e38366f3011d8adf46ab9321728fd9bec8ce08bb393374

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Apr-15 06:43:12
Debug artifacts	D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdb
CompanyName	OpenMooseLogger
FileDescription	OpenMooseLogger
FileVersion	`1.0.0.0`
InternalName	OpenMooseLogger.dll
LegalCopyright
OriginalFilename	OpenMooseLogger.dll
ProductName	OpenMooseLogger
ProductVersion	`1.0.0`
Assembly Version	1.0.0.0

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C# v7.0 / Basic .NET`
Suspicious	PEiD Signature:	`HQR data file`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: sc.exe` `May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: adobe.com crl.microsoft.com github.com gmail.com go.microsoft.com http://crl.microsoft.com http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z http://michael-kelly.com http://ns.adobe.com http://ns.adobe.com/camera-raw-settings/1.0/ http://ns.adobe.com/photoshop/1.0/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/sType/ResourceEvent# http://purl.org http://schemas.microsoft.com http://schemas.microsoft.com/.NetConfiguration/v2.0 http://www.iec.ch http://www.microsoft.com http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0 http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0 http://www.microsoft.com/pkiops/Docs/Repository.htm0 http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0 http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/docs/primarycps.htm0 http://www.microsoft.com0 http://www.w3.org http://www.w3.org/1999/02/22-rdf-syntax-ns# http://www.w3.org/2001/XMLSchema-instance https://aka.ms https://github.com https://go.microsoft.com https://go.microsoft.com/fwlink/?linkid kelly.com michael-kelly.com microsoft.com microsoft.net ns.adobe.com schemas.microsoft.com system.net www.iec.ch www.microsoft.com www.w3.org
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA256`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryExW LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegOpenKeyExW RegGetValueW RegCloseKey` `Possibly launches other programs: ShellExecuteW`
Suspicious	The file contains overlay data.	`4210808 bytes of data starting at offset 0x33a00.` `Overlay data amounts for 95.2184% of the executable.`
Suspicious	VirusTotal score: 1/56 (Scanned on 2026-01-12 03:45:44)	`Cylance: Unsafe`

Hashes

MD5	`ef7141dccb596ed379266e5634178bfe`
SHA1	`9be20dcaa473adc1ab4b506b20f5c61318f89934`
SHA256	`bf0fd8a28d09f040e9e38366f3011d8adf46ab9321728fd9bec8ce08bb393374`
SHA3	`2f2ab6c86b0755e9472b31ac7d0162b43157a5f6541a251c85f3a30efd1e060d`
SSDeep	`49152:839qoA5J0tLErnBue4T9GjC49GjCy8vEf6Qw6w:a9q1QWrnp4pAFA+`
Imports Hash	`0d90721887af12fe657c83b997d03c6f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2025-Apr-15 06:43:12
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x11e00`
SizeOfInitializedData	`0x22000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000EEC0 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x13000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x37000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x180000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`bdb3eddd608319c8eb98f80083aebb38`
SHA1	`a72d3dd5046be1be65425966005e9cd6b90bdece`
SHA256	`d83ba61e622f958b9ccfda1930474ef00eb41b8c66d8456bd2a215a05b7b0447`
SHA3	`45858ffe63f2a25717697a57f3d2c00c6536a3baa269cf5e037401d6f169b6fa`
VirtualSize	`0x11d9a`
VirtualAddress	`0x1000`
SizeOfRawData	`0x11e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45512`

.rdata

MD5	`5063a80e4393e44d3737a8ae659ac27e`
SHA1	`aade105e4de17ce04de9da687b3d982a1155129b`
SHA256	`a90e8adf55971b6bf06457ce977b34971658fa30d0e7e0633e6236325e6b9734`
SHA3	`44b6f894f4b843ff3ab0bf7a25237b060587b1a5b34ce937884cfd9757baa3a2`
VirtualSize	`0x6cb6`
VirtualAddress	`0x13000`
SizeOfRawData	`0x6e00`
PointerToRawData	`0x12200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.44257`

.data

MD5	`3d8db8579b52772989ed52dc44051476`
SHA1	`9970f0da9a16066ea557668ccb26e494dbea24be`
SHA256	`0e21d838b022ddb8b9cbaced3d87950c6a5c6117e4706e24957cb9822df138b2`
SHA3	`2292e4e268e8a2f5bb5afd88894783efc4a05085954db537d24e187afeb30965`
VirtualSize	`0x1060`
VirtualAddress	`0x1a000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x19000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.28985`

.reloc

MD5	`0f6755241ba6e1488d1bf6b1aa25c839`
SHA1	`a0589dff3d27dc61c703d479be7d2ea099cc1ff5`
SHA256	`35cbd9950cf73503d4185e8401923991b7fa5e09c0a24c006e4b48e9d1b97285`
SHA3	`b9c81d4002b3f8323a39e53fadf54b9a3889ea479ea03d15a8f5f64e4a1f5b11`
VirtualSize	`0x10e8`
VirtualAddress	`0x1c000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x19a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45793`

.rsrc

MD5	`79dfafcc1137c42ef7a60df94698e5fb`
SHA1	`072537fef48f5e7663c53999bc858bcf6b7c164e`
SHA256	`7b8d44645be303f1d12f32f449b1f2fa248da649c717795087697298e47fbad8`
SHA3	`c4954ead08f1a12f9bf78886fdbf97df0212631bc062237972da1d5205ec96ee`
VirtualSize	`0x18cb4`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x18e00`
PointerToRawData	`0x1ac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.83019`

Imports

KERNEL32.dll	`FreeLibrary` `LoadLibraryExW` `OutputDebugStringW` `FindFirstFileExW` `EnterCriticalSection` `GetFullPathNameW` `FindNextFileW` `GetCurrentProcess` `GetModuleHandleExW` `GetModuleFileNameW` `LeaveCriticalSection` `GetEnvironmentVariableW` `GetModuleHandleW` `MultiByteToWideChar` `GetFileAttributesExW` `LoadLibraryA` `DeleteCriticalSection` `WideCharToMultiByte` `IsWow64Process` `TlsFree` `TlsSetValue` `TlsGetValue` `TlsAlloc` `InitializeCriticalSectionAndSpinCount` `GetProcAddress` `GetWindowsDirectoryW` `FindResourceW` `GetLastError` `ActivateActCtx` `FindClose` `CreateActCtxW` `SetLastError` `RaiseException` `RtlUnwind` `InitializeSListHead` `GetCurrentProcessId` `IsDebuggerPresent` `TerminateProcess` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `IsProcessorFeaturePresent` `GetSystemTimeAsFileTime` `GetStringTypeW` `SwitchToThread` `GetCurrentThreadId` `InitializeCriticalSectionEx` `EncodePointer` `DecodePointer` `LCMapStringEx` `QueryPerformanceCounter`
USER32.dll	`MessageBoxW`
SHELL32.dll	`ShellExecuteW`
ADVAPI32.dll	`RegOpenKeyExW` `RegGetValueW` `DeregisterEventSource` `RegisterEventSourceW` `ReportEventW` `RegCloseKey`
api-ms-win-crt-runtime-l1-1-0.dll	`_invalid_parameter_noinfo_noreturn` `__p___argc` `_exit` `exit` `_initterm_e` `_initterm` `_get_initial_wide_environment` `_initialize_wide_environment` `_configure_wide_argv` `_set_app_type` `_seh_filter_exe` `_cexit` `_crt_atexit` `_register_onexit_function` `_errno` `_initialize_onexit_table` `abort` `_c_exit` `_register_thread_local_exe_atexit_callback` `terminate` `_controlfp_s` `__p___wargv`
api-ms-win-crt-stdio-l1-1-0.dll	`_set_fmode` `fputwc` `__p__commode` `__acrt_iob_func` `fputws` `_wfsopen` `fflush` `__stdio_common_vfwprintf` `__stdio_common_vsnwprintf_s` `__stdio_common_vswprintf` `setvbuf`
api-ms-win-crt-heap-l1-1-0.dll	`calloc` `_set_new_mode` `free` `_callnewh` `malloc`
api-ms-win-crt-string-l1-1-0.dll	`toupper` `_wcsdup` `wcsncmp` `wcsnlen` `strcpy_s`
api-ms-win-crt-convert-l1-1-0.dll	`wcstoul` `_wtoi`
api-ms-win-crt-time-l1-1-0.dll	`_gmtime64_s` `_time64` `wcsftime`
api-ms-win-crt-locale-l1-1-0.dll	`___mb_cur_max_func` `_configthreadlocale` `___lc_codepage_func` `___lc_locale_name_func` `__pctype_func` `_lock_locales` `setlocale` `_unlock_locales`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.35058`
MD5	`1b2d4971482e604f1fd6dcd4c479a682`
SHA1	`45a847d9ac283f50ab55c1a7ebef6d88713de85e`
SHA256	`a755f29b2e0ea5d9aaaf0bf785795bfec9f5b777a89b3c3a384528b4d726824d`
SHA3	`9b348d8280a7b6e3b5615a367d566b760d23f7723651e85b58a5be6d8c6cc39e`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.60398`
MD5	`47980beed600898cb6bdb53513fac9a7`
SHA1	`d452d808ae6a1db7f805e8706a7593cb7cfe629c`
SHA256	`0448eb196afa8d838c9a60f13a30f520305ff1b1a68cd4ec51e90ef8adf637c4`
SHA3	`1f26ef05c9a5743fc0457b9e18052f2c4eb11fa322e447cb2dc2dabcb77bb490`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.20302`
MD5	`8bad7ca47a1a9c6bd16f6903ce10e0fb`
SHA1	`4378424dd96f8d764c149c639bcc66942a96c338`
SHA256	`42a7a35343be80264d881f67650eba13bcf3059c600d239c9472938341880c40`
SHA3	`1964034beabb694885140b96452f2a9cb1df0fb3760bfa524271f292e1ed0663`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.03483`
MD5	`bdf459b3972c1606eb2ce6c232872d1a`
SHA1	`4b20e5b277f89a08d6446ac736f8abdb0370e5a2`
SHA256	`3c6b1738a214b92d4f0305d18feac75769e7ebd8d7048444fc549643f9928d94`
SHA3	`5c98dece7a179cb5a7d448f8decf232ef0564a9a22d7442652aab81ea45af870`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.51025`
MD5	`5a0ff13e4b9ccdc5c0dfeb70c9baf953`
SHA1	`01d4b991bedf294c025bc113a675de883751fe45`
SHA256	`db4698b80181a41f3e1175f0a6e4595faf83be7c85c796932845e4ca63f8a283`
SHA3	`82809e450ab8896baeb17127cd278123f13f1e8d9a9a845ab711f4b769329f0b`

32512

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.80283`
Detected Filetype	Icon file
MD5	`da9b70665374e3394540c51191a2dfd6`
SHA1	`c91b3f6407149e322850f6a257923abb260adeb5`
SHA256	`9595be7d246f12c7356d15b8facc45ea482de63d316af484c99156170b9d7362`
SHA3	`d75e51b150e9bb574412de784a1ecf652c36717a52f920f529a2c01e2dfce6af`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2fc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.24462`
MD5	`1dfab07459ad23469e926f3febd9fb4e`
SHA1	`39bb050b3e983c16ff605b9d976e061a9568954f`
SHA256	`6b95547743a1bf56c2d922aa7f06d57e33402b4cdefdd09f2f47a8cedbaf8753`
SHA3	`d5d5364f003ec718826e92df624a42ea180df53293a3ecc97598641e61542a1f`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x273`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.11019`
MD5	`6a2b1232583e8ba1366b182602d0ac1f`
SHA1	`4d54af07d19c268e103a271005d37207255a2568`
SHA256	`b0161bbe1465e7f4752812d2934e97fc48ee072c1cb76cfe891bb93506fbf261`
SHA3	`9e96daf9e8977020f71a4dca1bfea979d06a478ce7842ea63700c0332ae0ec5c`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	OpenMooseLogger
FileDescription	OpenMooseLogger
FileVersion (#2)	1.0.0.0
InternalName	OpenMooseLogger.dll
LegalCopyright
OriginalFilename	OpenMooseLogger.dll
ProductName	OpenMooseLogger
ProductVersion (#2)	1.0.0
Assembly Version	1.0.0.0

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2025-Apr-15 17:35:35
Version	`0.0`
SizeofData	`109`
AddressOfRawData	`0x17ca0`
PointerToRawData	`0x16ea0`
Referenced File	D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2025-Apr-15 17:35:35
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x17d10`
PointerToRawData	`0x16f10`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Apr-15 17:35:35
Version	`0.0`
SizeofData	`900`
AddressOfRawData	`0x17d24`
PointerToRawData	`0x16f24`

TLS Callbacks

StartAddressOfRawData	`0x4180b8`
EndAddressOfRawData	`0x4180c0`
AddressOfIndex	`0x41b054`
AddressOfCallbacks	`0x413250`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x41a040`
SEHandlerTable	`0x417aa0`
SEHandlerCount	`55`
GuardCFCheckFunctionPointer	`4272636`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xbd04e500`
Unmarked objects	`0`
ASM objects (34321)	`15`
C objects (34321)	`17`
C++ objects (34321)	`85`
Imports (VS2008 SP1 build 30729)	`16`
Imports (33140)	`9`
Total imports	`198`
C++ objects (LTCG) (34438)	`10`
Linker (34438)	`1`

Errors

Leave a comment

No comments yet.