Manalyze report for d934cfb5439dbe9e7818745a538a8deb

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2023-Jan-28 19:36:59
Detected languages	English - United States
Debug artifacts	C:\Users\Corey\source\repos\rwxmeme\x64\Release\rwxmeme.pdb

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` Contains domain names: 2-aia.verisign.com 2-crl.verisign.com 2009-2-aia.verisign.com 2009-2-crl.verisign.com aia.verisign.com crl.microsoft.com crl.verisign.com csc3-2009-2-aia.verisign.com csc3-2009-2-crl.verisign.com http://crl.microsoft.com http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0 http://crl.verisign.com http://crl.verisign.com/ThawteTimestampingCA.crl0 http://crl.verisign.com/pca3.crl0 http://crl.verisign.com/tss-ca.crl0 http://csc3-2009-2-aia.verisign.com http://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0 http://csc3-2009-2-crl.verisign.com http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D http://logo.verisign.com http://logo.verisign.com/vslogo.gif0 http://ocsp.verisign.com0 http://ocsp.verisign.com01 http://ocsp.verisign.com0? https://www.verisign.com https://www.verisign.com/cps0 https://www.verisign.com/rpa https://www.verisign.com/rpa0 logo.verisign.com microsoft.com verisign.com www.verisign.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA1`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot FindWindowA NtQuerySystemInformation` `Code injection capabilities: WriteProcessMemory OpenProcess VirtualAlloc` `Can access the registry: RegCloseKey RegDeleteKeyW RegCreateKeyW RegOpenKeyW RegSetKeyValueW` `Uses Windows's Native API: NtQuerySystemTime NtQuerySystemInformation` `Can create temporary files: GetTempPathW CreateFileW` `Manipulates other processes: WriteProcessMemory OpenProcess Process32NextW Process32FirstW ReadProcessMemory`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`d934cfb5439dbe9e7818745a538a8deb`
SHA1	`aff2e31cff5a6a551760474e42bda102e147ae2f`
SHA256	`ffedb6a9dcd3804d2fc9dc8035fa4a735681596f489aa62a83f08353dd195aca`
SHA3	`bb4e7b9fb465c047c2fe86ac1a430d8ae7054b15ccb57746c0d3d2649c580989`
SSDeep	`3072:iDXEKSUPvjlz1+lE5rgsqPDhhTFCJjnSdXkT6OOQT:ijyUXvYE57YM80bxT`
Imports Hash	`168003f2398e62012602806525af1b06`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2023-Jan-28 19:36:59
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x13e00`
SizeOfInitializedData	`0xee00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000013250 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x26000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`e5e10396cea542ef72d3b53a86abd571`
SHA1	`92005b484801de548b5c8672fa993482d105bb54`
SHA256	`e6313d262d44f0600eac43111b53e08bd76af6dac2c4eaebd6afe5d3ffb9ddb1`
SHA3	`801b65b183d0fa776ed3af6e92bfcd9ce2b186d3fb07dd57e8416b447e872fe5`
VirtualSize	`0x13d0b`
VirtualAddress	`0x1000`
SizeOfRawData	`0x13e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45506`

.rdata

MD5	`a9724bd5ffed06d604df9d521f973c49`
SHA1	`975835d39aa61fbfc78ed92d7a92aa85ab132720`
SHA256	`149e7ff9a6ac9a79fdf92365b8f4dc8af331695c7d96294b6b9b38bc2adb3bd4`
SHA3	`0baf7912eacb413f1e0e0ece2f6062989a165408189350634172a952c1ab0cf2`
VirtualSize	`0x4dd0`
VirtualAddress	`0x15000`
SizeOfRawData	`0x4e00`
PointerToRawData	`0x14200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.85716`

.data

MD5	`969b1d5c8074c3c2971c571eb1893176`
SHA1	`cce31a11ac99e8a02d0f1e89feeeee0ff99a6b5d`
SHA256	`7db5c33d46d99036271a987835ce3775dff1e9d864a43b3132f5d2b6e80f9312`
SHA3	`774c05fa6d8b92b0186d2acefa9c5d1f5186fa8188d6a1c7e2ec2f45fa3557e7`
VirtualSize	`0x8e00`
VirtualAddress	`0x1a000`
SizeOfRawData	`0x8600`
PointerToRawData	`0x19000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.38142`

.pdata

MD5	`079e9fe3a1cffaf1de92e70ddd93bcd6`
SHA1	`dcb7d576da29bfe6e57fc9565d20b16b99f7e2cb`
SHA256	`298009d85bca20914c592f42e931b4e3cd1129aa9cf0ffdc160d57c03ed5439d`
SHA3	`757ed692e0816a72f0c6a2f4ad0b68cb478fcdb02841ad741b1bd3913873dd5b`
VirtualSize	`0xde0`
VirtualAddress	`0x23000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x21600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.98947`

.rsrc

MD5	`e8f29e6669a480a4d72efeb174b889d9`
SHA1	`ccc902ff6f429efad957feaa4d76d13e0dc9e962`
SHA256	`c66609fa6b26cacf4e17abfdeb3b0db688fce44e6432a2d3b425b6cf196de6ff`
SHA3	`0e97052ae014bdf224702f64906ef4cf718601d68ed7191748b02e4a3e5d6cd3`
VirtualSize	`0x1e0`
VirtualAddress	`0x24000`
SizeOfRawData	`0x200`
PointerToRawData	`0x22400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.71768`

.reloc

MD5	`74cf0a2da056abb6182ad4f270522532`
SHA1	`07776411e8fdb6e095cb8a22e81d3f294ac74fe2`
SHA256	`9d0b74f61f3efff835a1c0ea5587da545d2ddf4007d5dfa3ccd2b655094044bf`
SHA3	`f406ccd56c7e6caabdb6ed2ef7fe1e3be8b303e0b52a7ea240927b20cdb08a5c`
VirtualSize	`0xf0`
VirtualAddress	`0x25000`
SizeOfRawData	`0x200`
PointerToRawData	`0x22600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.25953`

Imports

KERNEL32.dll	`CloseHandle` `GetProcAddress` `GetCurrentProcessId` `Sleep` `CreateThread` `WriteProcessMemory` `OpenProcess` `CreateToolhelp32Snapshot` `Process32NextW` `Process32FirstW` `Module32FirstW` `ReadProcessMemory` `Module32NextW` `GetTempPathW` `GetModuleHandleA` `SetConsoleTextAttribute` `GetStdHandle` `LeaveCriticalSection` `InitializeCriticalSectionAndSpinCount` `DeleteCriticalSection` `SetEvent` `ResetEvent` `WaitForSingleObjectEx` `CreateEventW` `GetModuleHandleW` `IsDebuggerPresent` `GetCurrentThreadId` `CreateFileW` `VirtualAlloc` `DeviceIoControl` `LoadLibraryExA` `VirtualFree` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetSystemTimeAsFileTime` `InitializeSListHead` `LocalFree` `FormatMessageA` `GetLocaleInfoEx` `FindClose` `FindFirstFileW` `GetFileAttributesExW` `AreFileApisANSI` `GetLastError` `GetFileInformationByHandleEx` `MultiByteToWideChar` `WideCharToMultiByte` `GetCurrentProcess` `TerminateProcess` `EnterCriticalSection`
USER32.dll	`UnhookWindowsHookEx` `SetWindowsHookExA` `PostThreadMessageA` `GetWindowThreadProcessId` `FindWindowA`
ADVAPI32.dll	`RegCloseKey` `RegDeleteKeyW` `RegCreateKeyW` `RegOpenKeyW` `RegSetKeyValueW`
MSVCP140.dll	`?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z` `??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ` `??Bid@locale@std@@QEAA_KXZ` `?_Throw_C_error@std@@YAXH@Z` `_Mtx_destroy_in_situ` `_Mtx_lock` `_Mtx_init_in_situ` `_Mtx_unlock` `?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ` `?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ` `??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z` `??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ` `?_Winerror_map@std@@YAHH@Z` `?_Syserror_map@std@@YAPEBDH@Z` `??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ` `??1_Lockit@std@@QEAA@XZ` `?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z` `?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z` `?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ` `??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ` `??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z` `??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ` `??0_Lockit@std@@QEAA@H@Z` `?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ` `?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A` `?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z` `?_Xlength_error@std@@YAXPEBD@Z` `?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z` `?always_noconv@codecvt_base@std@@QEBA_NXZ` `?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z` `?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ` `?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z` `?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z` `?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ` `?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ` `??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ` `?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z`
ntdll.dll	`RtlVirtualUnwind` `RtlCaptureContext` `NtQuerySystemTime` `RtlInitUnicodeString` `NtQuerySystemInformation` `RtlLookupFunctionEntry`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
VCRUNTIME140.dll	`memcpy` `__std_exception_copy` `__std_exception_destroy` `__C_specific_handler` `__current_exception` `__current_exception_context` `memset` `_CxxThrowException` `memcmp` `memmove`
api-ms-win-crt-stdio-l1-1-0.dll	`getchar` `__stdio_common_vfprintf` `__p__commode` `_get_stream_buffer_pointers` `_set_fmode` `__acrt_iob_func` `_fseeki64` `fread` `fsetpos` `ungetc` `fputc` `fflush` `setvbuf` `fgetpos` `fwrite` `fclose` `fgetc`
api-ms-win-crt-heap-l1-1-0.dll	`_callnewh` `free` `_set_new_mode` `malloc`
api-ms-win-crt-utility-l1-1-0.dll	`srand` `rand`
api-ms-win-crt-filesystem-l1-1-0.dll	`_wremove` `_unlock_file` `_lock_file`
api-ms-win-crt-string-l1-1-0.dll	`_wcsicmp` `_stricmp`
api-ms-win-crt-time-l1-1-0.dll	`_time64` `strftime` `_localtime64`
api-ms-win-crt-runtime-l1-1-0.dll	`_exit` `exit` `_initterm_e` `_initterm` `_invalid_parameter_noinfo_noreturn` `_get_initial_narrow_environment` `terminate` `__p___argc` `_seh_filter_exe` `_cexit` `_crt_atexit` `_register_onexit_function` `_initialize_onexit_table` `_initialize_narrow_environment` `_configure_narrow_argv` `_register_thread_local_exe_atexit_callback` `_set_app_type` `_c_exit` `__p___argv`
api-ms-win-crt-convert-l1-1-0.dll	`mbstowcs`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-locale-l1-1-0.dll	`___lc_codepage_func` `_configthreadlocale`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2023-Jan-28 19:36:59
Version	`0.0`
SizeofData	`84`
AddressOfRawData	`0x16918`
PointerToRawData	`0x15b18`
Referenced File	C:\Users\Corey\source\repos\rwxmeme\x64\Release\rwxmeme.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2023-Jan-28 19:36:59
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x1696c`
PointerToRawData	`0x15b6c`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2023-Jan-28 19:36:59
Version	`0.0`
SizeofData	`932`
AddressOfRawData	`0x16980`
PointerToRawData	`0x15b80`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2023-Jan-28 19:36:59
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x140016d48`
EndAddressOfRawData	`0x140016d50`
AddressOfIndex	`0x140022644`
AddressOfCallbacks	`0x140015668`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14001a038`

RICH Header

XOR Key	`0x5d52b3b`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`20`
Imports (31823)	`6`
C++ objects (31823)	`31`
C objects (31823)	`10`
ASM objects (31823)	`4`
Imports (29395)	`9`
Total imports	`227`
C++ objects (LTCG) (31937)	`9`
Resource objects (31937)	`1`
Linker (31937)	`1`

d934cfb5439dbe9e7818745a538a8deb

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors