Manalyze report for c47ee9eb720e5ac17fdf8443ebb96b5e

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2026-Jan-30 06:30:06
Detected languages	Chinese - PRC
CompanyName	PerfectWorld Ltd.
FileDescription	Protection Kernel Driver
FileVersion	`1.0.0.2`
InternalName	MessageTransfer.sys
LegalCopyright	Copyright (C) 2022
OriginalFilename	MessageTransfer.sys
ProductName	MessageTransfer
ProductVersion	`1.0.0.2`

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5`
Suspicious	The PE is possibly packed.	`Unusual section name found: PAGE` `Unusual section name found: .pac0`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: ZwQuerySystemInformation` `Uses Windows's Native API: ZwQuerySystemInformation ZwClose ZwCreateFile ZwOpenFile ZwReadFile ZwWriteFile ZwOpenKey ZwQueryValueKey ZwQueryVirtualMemory ZwQueryInformationProcess ZwSetInformationFile NtClose ZwOpenDirectoryObject ZwFreeVirtualMemory ZwQueryInformationThread ZwOpenThread ZwQueryDirectoryObject ZwCreateKey ZwFlushKey ZwSetValueKey`
Info	The PE is digitally signed.	`Signer: \xE5\xAE\x8C\xE7\xBE\x8E\xE4\xB8\x96\xE7\x95\x8C\xE5\xBE\x81\xE5\xA5\x87\xEF\xBC\x88\xE4\xB8\x8A\xE6\xB5\xB7\xEF\xBC\x89\xE5\xA4\x9A\xE5\xAA\x92\xE4\xBD\x93\xE7\xA7\x91\xE6\x8A\x80\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8` `Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`c47ee9eb720e5ac17fdf8443ebb96b5e`
SHA1	`6bb15e82e22f7f40fd66a3ca87d795ed8094e31a`
SHA256	`17b333f042581ed1ffd948f25e3ba2ed900a2cc341a4afcb1c1c5eac902e5f2f`
SHA3	`a8f1d29378c1ed117d5f3f1ff2be3fba80caf7945339889b3d196f26f9ff3044`
SSDeep	`98304:h5l5d2BYHW17LkA+PqxyDMZeKbpAPTSZAHnoDRLu:jd2BY21LX+PqQDOKUAH`
Imports Hash	`e30fa0ff08792e264676bd525011934d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2026-Jan-30 06:30:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x1ce00`
SizeOfInitializedData	`0x219a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000239250 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x646000`
SizeOfHeaders	`0x400`
Checksum	`0x43b70d`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`983bb6ea65f14a1caef95133172b6d9d`
SHA1	`86f038639adaf27c2598c28c977a16157f63e68c`
SHA256	`f90a5d65cced4de743926ae51688bc6046cbcc8cdf188be53eecc8816da31f5b`
SHA3	`6517299020f3eb9c6670cbe99619e801cc8578ae72ca105d3f02de56ca9227df`
VirtualSize	`0x1b42b`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1b600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`6.98085`

.rdata

MD5	`41dcd4507eb0d11b2b7da735441e40af`
SHA1	`4517b10feeec38d78567451b1e2b9fba980c562d`
SHA256	`e583aca39a33de03a91aa32ad2cae0ce7b47b054def24e847e00f35bacd58be4`
SHA3	`60bde4e0391213f5dfaba7d66b1b0be7ec058dd75ff0e143dbf3d4ba8c4c3cc8`
VirtualSize	`0x2560`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x2600`
PointerToRawData	`0x1ba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.23992`

.data

MD5	`fe482459a99eb7d1d368f47c4d01cef4`
SHA1	`c8eee35666e8d07a6219f321cd1fe8a0c9e83d33`
SHA256	`6e9f58ff6560040d00df95fae49ffe57e00f12ca5562e88cfce6680e4651343a`
SHA3	`45ad97ecdd70210b3ab86652798783ba9cb85dce68db3f01f35e3f68533c6518`
VirtualSize	`0x215b10`
VirtualAddress	`0x20000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.939585`

.pdata

MD5	`ae6fab96bf28ac997de824dd4f85c94c`
SHA1	`437294f10a66cf061ac86e4e3eaa8c3d92641008`
SHA256	`b21163fd261b7fc39ec9ff3854c981740a763573409e96cd50cd7d00a3f4b9a2`
SHA3	`5d62ab76f6990e3e3407cdcab9070c0e09cf1ba0599537cdc3f702aa9b9170a1`
VirtualSize	`0x1074`
VirtualAddress	`0x236000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x1e200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.49847`

PAGE

MD5	`586b0d3bd314ede610fe5b57b380a479`
SHA1	`fd54d9d516809c17e981ef05a924430b7feb2b11`
SHA256	`744d4c2260f95f0c738223b18588f029ab95f77df7dd9a2cffc53693ace03773`
SHA3	`ecc1b39a8aa0688f8e1cf66a7885ab0eb4bb0dd4c4bcc38f87edb98103da8ec6`
VirtualSize	`0xcb`
VirtualAddress	`0x238000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1f400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`3.09791`

INIT

MD5	`7995d8af30ac6a7aa08743e48aa5a2a1`
SHA1	`cafacf468bbb8c025f8732ce3a893b212a074d53`
SHA256	`0c2e384e5c8dd3f5e1a0b364b83542362b8484af10577b3f92a999fb442d800a`
SHA3	`72c4d5840d5a533b2651346880f79a10c00de1a2a729c2bdfa180e66924c54e6`
VirtualSize	`0x143a`
VirtualAddress	`0x239000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x1f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.53181`

.pac0

MD5	`f88549bebf21d4a8dc95c0c13bde4f06`
SHA1	`44f7b263ff51f46f4eec347ae2b006f3c2344b0f`
SHA256	`f2adbd0b69d81e74f6e384d8f0bff149e79480485d6df0f5cebb6c9f22b91b6c`
SHA3	`bc76836befaec44af9e21dc7de57cf3f7f4f39311d1665e109012fecc3a0683d`
VirtualSize	`0x408aec`
VirtualAddress	`0x23b000`
SizeOfRawData	`0x408c00`
PointerToRawData	`0x20c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`7.41405`

.rsrc

MD5	`8466b045629cb650c8addfe0d19dcff4`
SHA1	`8db8c68794779413941320d46e3a90fc644f0179`
SHA256	`37fd9d2c60f94d5e0cefa6257644fc781cf1c2313f7c3274b58b480059c857cd`
SHA3	`f1c0f24245b257e7846e561178edd7cb6bad8a529a6d71c5619b83cbae661b9a`
VirtualSize	`0x35c`
VirtualAddress	`0x644000`
SizeOfRawData	`0x400`
PointerToRawData	`0x429800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.83232`

.reloc

MD5	`7633b03d7e5698f5c1e269e55fe0169e`
SHA1	`10f929ed3771d0440a65516cc53c7ea9697710ba`
SHA256	`dca57cb13cc290c28416e313d69f450b410c22c7ebc49519e598f66053cd0e2b`
SHA3	`a5599c73c849942e78298393b6ba51f668759f88eb76d9d75e22553e6bcdfd08`
VirtualSize	`0x9c`
VirtualAddress	`0x645000`
SizeOfRawData	`0x200`
PointerToRawData	`0x429c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.66895`

Imports

FLTMGR.SYS	`FltRegisterFilter` `FltUnregisterFilter` `FltStartFiltering` `FltGetFileNameInformation` `FltReleaseFileNameInformation` `FltParseFileNameInformation` `FltCreateCommunicationPort` `FltCloseCommunicationPort` `FltCloseClientPort` `FltBuildDefaultSecurityDescriptor` `FltFreeSecurityDescriptor`
ntoskrnl.exe	`vDbgPrintEx` `KeQueryActiveProcessorCountEx` `ExAllocatePoolWithTag` `ExFreePoolWithTag` `MmAllocateContiguousMemory` `MmFreeContiguousMemory` `MmGetPhysicalAddress` `RtlCaptureContext` `KeInitializeDpc` `KeInsertQueueDpc` `RtlWalkFrameChain` `MmIsAddressValid` `PsGetCurrentProcessId` `PsGetCurrentThreadId` `KeInitializeApc` `KeInsertQueueApc` `ZwQuerySystemInformation` `RtlInitAnsiString` `RtlInitUnicodeString` `RtlAnsiStringToUnicodeString` `RtlUnicodeStringToAnsiString` `RtlFreeUnicodeString` `RtlFreeAnsiString` `MmMapIoSpace` `MmUnmapIoSpace` `HalDispatchTable` `KeSetEvent` `MmGetSystemRoutineAddress` `KeInitializeEvent` `KeDelayExecutionThread` `KeWaitForSingleObject` `PsCreateSystemThread` `PsTerminateSystemThread` `ObReferenceObjectByHandle` `ObfDereferenceObject` `ZwClose` `swprintf_s` `PsThreadType` `RtlCompareUnicodeString` `RtlCopyUnicodeString` `KeInitializeGuardedMutex` `KeAcquireGuardedMutex` `KeReleaseGuardedMutex` `RtlStringFromGUID` `ZwCreateFile` `ZwOpenFile` `ZwReadFile` `ZwWriteFile` `ZwOpenKey` `ZwQueryValueKey` `ExUuidCreate` `KeSetSystemGroupAffinityThread` `KeRevertToUserGroupAffinityThread` `KeGetProcessorNumberFromIndex` `KeResetEvent` `MmProbeAndLockPages` `MmUnlockPages` `MmBuildMdlForNonPagedPool` `IoAllocateMdl` `__C_specific_handler` `IoFreeMdl` `IoReuseIrp` `strcat_s` `_stricmp` `_strlwr` `wcscat_s` `MmGetVirtualForPhysical` `RtlAppendUnicodeToString` `ProbeForRead` `MmMapLockedPagesSpecifyCache` `MmUnmapLockedPages` `IoGetCurrentProcess` `ObRegisterCallbacks` `ObUnRegisterCallbacks` `PsSetCreateProcessNotifyRoutine` `PsSetCreateThreadNotifyRoutine` `PsRemoveCreateThreadNotifyRoutine` `PsSetLoadImageNotifyRoutine` `PsRemoveLoadImageNotifyRoutine` `PsGetProcessId` `KeStackAttachProcess` `KeUnstackDetachProcess` `PsLookupProcessByProcessId` `ObOpenObjectByPointer` `ObQueryNameString` `ZwQueryVirtualMemory` `ZwQueryInformationProcess` `PsGetProcessImageFileName` `PsGetProcessSectionBaseAddress` `PsProcessType` `RtlInitializeGenericTableAvl` `RtlInsertElementGenericTableAvl` `RtlDeleteElementGenericTableAvl` `RtlLookupElementGenericTableAvl` `RtlEnumerateGenericTableAvl` `_strnicmp` `strstr` `_wcslwr` `RtlGetVersion` `ExAllocatePool` `MmAllocateContiguousMemorySpecifyCacheNode` `ZwSetInformationFile` `RtlEnumerateGenericTableWithoutSplayingAvl` `PsGetProcessExitStatus` `PsGetThreadId` `PsGetThreadProcessId` `NtClose` `PsLookupThreadByThreadId` `PsGetThreadProcess` `IoQueryFileDosDeviceName` `ZwOpenDirectoryObject` `ZwFreeVirtualMemory` `ZwQueryInformationThread` `ZwOpenThread` `_vsnwprintf` `ObReferenceObjectByName` `RtlFindExportedRoutineByName` `ZwQueryDirectoryObject` `IoFileObjectType` `IoDriverObjectType` `KeClearEvent` `wcscpy_s` `ZwCreateKey` `ZwFlushKey` `ZwSetValueKey` `KeIpiGenericCall` `KeBugCheckEx` `wcsstr` `IoFreeIrp`

Delayed Imports

1

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	UNKNOWN
Size	`0x304`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.35866`
MD5	`e6941699456ec76e4d0806f924fc9ec2`
SHA1	`a4ce59e234b3afcd7cdad8e582b0c7c2c012a763`
SHA256	`d2ad0301df6e0efd982ea3b9773800090705aa78ff25076d118a141a75ba572a`
SHA3	`6af0e4ac14e4f1b69354e12f9cc3bd5324c4f66a2ff505b399153757e1b198f1`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.2
ProductVersion	1.0.0.2
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Chinese - PRC
CompanyName	PerfectWorld Ltd.
FileDescription	Protection Kernel Driver
FileVersion (#2)	1.0.0.2
InternalName	MessageTransfer.sys
LegalCopyright	Copyright (C) 2022
OriginalFilename	MessageTransfer.sys
ProductName	MessageTransfer
ProductVersion (#2)	1.0.0.2

Resource LangID	Chinese - PRC

TLS Callbacks

Load Configuration

Size	`0x118`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140020098`
GuardCFCheckFunctionPointer	`5368829040`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

c47ee9eb720e5ac17fdf8443ebb96b5e

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

PAGE

INIT

.pac0

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors