Manalyze report for da77979eaaf8859b3ab2436d262241b6b8343183058b039fd749e655e2a485bd

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-May-23 10:44:09
Detected languages	English - United States

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains another PE executable: This program cannot be run in DOS mode.` `Contains domain names: api.virginclient.xyz github.com groov-api.virginclient.xyz https://github.com https://groov-api.virginclient.xyz https://indiantypefoundry.comNinad https://scripts.sil.org https://scripts.sil.org/OFLThis https://scripts.sil.org/OFLhttps scripts.sil.org virginclient.xyz`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Code injection capabilities: OpenProcess CreateRemoteThread VirtualAllocEx WriteProcessMemory` `Code injection capabilities (mapping injection): MapViewOfFile CreateFileMappingA CreateRemoteThread` `Possibly launches other programs: ShellExecuteW` `Has Internet access capabilities: InternetOpenA InternetReadFile InternetConnectA InternetSetOptionA InternetOpenUrlA InternetCloseHandle` `Manipulates other processes: Process32FirstW Process32NextW OpenProcess ReadProcessMemory WriteProcessMemory` `Reads the contents of the clipboard: GetClipboardData`
Malicious	The PE is possibly a dropper.	`Resource 101 detected as a PE Executable.`
Malicious	VirusTotal score: 24/68 (Scanned on 2026-05-30 02:32:53)	`APEX: Malicious` `Antiy-AVL: RiskWare/Win64.Gamehack` `Bkav: W32.Malware.616478BC` `CTX: exe.trojan.agen` `CrowdStrike: win/malicious_confidence_90% (W)` `Cylance: Unsafe` `DeepInstinct: MALICIOUS` `ESET-NOD32: Win64/GameHack_AGen.BHR potentially unsafe application` `Elastic: malicious (high confidence)` `Fortinet: Adware/GameHack_AGen` `Google: Detected` `Lionic: Trojan.Win32.GameHack.4!c` `MaxSecure: Trojan.Malware.300983.susgen` `McAfeeD: Real Protect-LS!BE89B934FE9B` `Microsoft: Trojan:Win32/Wacatac.B!ml` `Paloalto: generic.ml` `Sangfor: Trojan.Win32.Save.a` `SentinelOne: Static AI - Malicious PE` `Sophos: Mal/Generic-S` `Symantec: ML.Attribute.HighConfidence` `TrellixENS: Artemis!BE89B934FE9B` `TrendMicro: Trojan.Win32.ZYX.USBLEQ26` `TrendMicro-HouseCall: Trojan.Win32.ZYX.USBLEQ26` `Varist: W64/ABApplication.QDLZ-8003`

Hashes

MD5	`be89b934fe9bddcfcf3437e92b21f37a`
SHA1	`59f0f380708dc4c796044b9255798ea4331dee1a`
SHA256	`da77979eaaf8859b3ab2436d262241b6b8343183058b039fd749e655e2a485bd`
SHA3	`a05b7e0c1cedec60d8f8b1dbdb6b02901e8377454417a33be021debcb7caf9b3`
SSDeep	`12288:6CldmvSHHQRHEopYX4JVuzZUGiJDrzFxvwiC+ngU1ruJX1Q:5ldmfRHEopfJMuGiJLFOiRngU4`
Imports Hash	`bcdf70e3d91a293b3bea2cad66bc8f36`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2026-May-23 10:44:09
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x5a000`
SizeOfInitializedData	`0x91e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000596FC (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xf0000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`cb3875152fdd2ae317bafeaa4e061908`
SHA1	`c5a4d59973f745f6c370075598abdddb9c96f98e`
SHA256	`ddbe19917fcb079dac316e6a5001360507f0a92d9af1466e361facb3a870bbb9`
SHA3	`1c3a516516549f5f98b23508ebea5c9737e1f799b22eb239e617bf9e0b538ae0`
VirtualSize	`0x59e6c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5a000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.49627`

.rdata

MD5	`43e11e8eed22fda007e78dbeb400206b`
SHA1	`3be8cf5d8523a358be53bfb0ca70a1cefb89488e`
SHA256	`232f0e67c173f09529781a5d248353d82c12977b24a61eeba08d0c9713d20ed3`
SHA3	`1a635c7b0fad8bf67a69a32ae2a82be743181c563eba90a578dd81e5f596e641`
VirtualSize	`0x62a40`
VirtualAddress	`0x5b000`
SizeOfRawData	`0x62c00`
PointerToRawData	`0x5a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.76718`

.data

MD5	`7832a92d480f85083fa856cc03a2c1dd`
SHA1	`d573d35d749e4b248fbcd00f1e3a929f5f1d9e82`
SHA256	`458672a85ba1a86a46db90090af6986fb5da912ab98f16da71b5bd2da00d00a9`
SHA3	`e120137c811db3f5fc61345fe46f9d8dfa516aa67e0d8a5ce44c9164e7e89f20`
VirtualSize	`0x1210`
VirtualAddress	`0xbe000`
SizeOfRawData	`0x600`
PointerToRawData	`0xbd000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.0869`

.pdata

MD5	`e3854ce635332bcad77ece4bef93910e`
SHA1	`802a2e49bab6bb8460ede2ea7d3793cc5bf8bc35`
SHA256	`be4c7e02528e84897225e96f4c7fc34b20076804b406cdcc15d03ca69d4cff07`
SHA3	`0289f8e57af146bbece5c79cf2267fa16d476358fefe92d4ddd729779415725c`
VirtualSize	`0x44e8`
VirtualAddress	`0xc0000`
SizeOfRawData	`0x4600`
PointerToRawData	`0xbd600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.80028`

.rsrc

MD5	`057a941e352a166695e3e0e2d4c50752`
SHA1	`81d2fd0f3299d9779df59c01ec7654fe9bafd15c`
SHA256	`246acb88383800966434d52d6bc06dd862653704e33f09b728760e07ab10c57a`
SHA3	`d74725e0588a51fa2ece81fd0ea5398c9be7449062415268e0164c881978b98c`
VirtualSize	`0x29230`
VirtualAddress	`0xc5000`
SizeOfRawData	`0x29400`
PointerToRawData	`0xc1c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.13394`

.reloc

MD5	`c5e018a81a8c25127d20d53b5a9e0dda`
SHA1	`c534c167844fb257da6e9498a335845cc7bdb1c6`
SHA256	`90058a18c1b69bcc39f9b8f89924d6b163c232cda83af67f73ed8c62473fd5ad`
SHA3	`041c6881422fee33d52fa4e3c874da26c132c8b8c7b3d0b6d3c2a42764a1434c`
VirtualSize	`0x2ac`
VirtualAddress	`0xef000`
SizeOfRawData	`0x400`
PointerToRawData	`0xeb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.21514`

Imports

SHELL32.dll	`ShellExecuteW` `Shell_NotifyIconW`
WININET.dll	`InternetOpenA` `InternetReadFile` `InternetConnectA` `InternetSetOptionA` `InternetOpenUrlA` `InternetCloseHandle` `HttpOpenRequestA` `HttpSendRequestA` `HttpQueryInfoA`
d3d11.dll	`D3D11CreateDeviceAndSwapChain`
KERNEL32.dll	`RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `CloseHandle` `Sleep` `MapViewOfFile` `UnmapViewOfFile` `CreateFileMappingA` `CreateToolhelp32Snapshot` `Process32FirstW` `Process32NextW` `OpenProcess` `ReadProcessMemory` `GetModuleHandleW` `GetProcAddress` `WaitForSingleObject` `CreateRemoteThread` `VirtualAllocEx` `WriteProcessMemory` `VirtualFreeEx` `GetModuleHandleA` `LoadResource` `UnhandledExceptionFilter` `SizeofResource` `FindResourceW` `K32EnumProcessModulesEx` `K32GetModuleBaseNameA` `GetLastError` `GetTickCount64` `WideCharToMultiByte` `OutputDebugStringA` `GlobalAlloc` `GlobalUnlock` `GlobalLock` `GlobalFree` `MultiByteToWideChar` `QueryPerformanceCounter` `QueryPerformanceFrequency` `FreeLibrary` `LoadLibraryA` `GetLocaleInfoA` `IsDBCSLeadByte` `SetUnhandledExceptionFilter` `GetStartupInfoW` `IsDebuggerPresent` `IsProcessorFeaturePresent` `GetCurrentProcess` `InitializeSListHead` `TerminateProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `LockResource`
USER32.dll	`SetClipboardData` `GetClipboardData` `EmptyClipboard` `GetKeyboardLayout` `TrackMouseEvent` `GetMessageExtraInfo` `GetKeyState` `GetCapture` `SetCapture` `ReleaseCapture` `IsWindowUnicode` `GetForegroundWindow` `OpenClipboard` `SetCursorPos` `SetCursor` `ClientToScreen` `LoadIconW` `GetSystemMetrics` `IsWindowVisible` `SetLayeredWindowAttributes` `ShowWindow` `LoadCursorW` `SetWindowLongPtrW` `GetWindowLongPtrW` `ScreenToClient` `GetCursorPos` `ValidateRect` `SetForegroundWindow` `UpdateWindow` `TrackPopupMenu` `AppendMenuW` `DestroyMenu` `DestroyWindow` `CreateWindowExW` `RegisterClassExW` `PostQuitMessage` `DefWindowProcW` `CloseClipboard` `GetClientRect` `MessageBoxW` `TranslateMessage` `PeekMessageW` `DispatchMessageW` `CreatePopupMenu`
MSVCP140.dll	`_Thrd_detach` `?_Xout_of_range@std@@YAXPEBD@Z` `_Thrd_id` `_Thrd_join` `?_Xbad_function_call@std@@YAXXZ` `?_Throw_Cpp_error@std@@YAXH@Z` `_Cnd_do_broadcast_at_thread_exit` `_Mtx_unlock` `_Mtx_lock` `?_Xlength_error@std@@YAXPEBD@Z`
IMM32.dll	`ImmSetCandidateWindow` `ImmGetContext` `ImmSetCompositionWindow` `ImmReleaseContext`
D3DCOMPILER_47.dll	`D3DCompile`
VCRUNTIME140.dll	`_CxxThrowException` `__std_exception_copy` `memcpy` `memmove` `memset` `strchr` `memchr` `memcmp` `__std_terminate` `__C_specific_handler` `__current_exception` `__current_exception_context` `__std_exception_destroy`
VCRUNTIME140_1.dll	`__CxxFrameHandler4`
api-ms-win-crt-runtime-l1-1-0.dll	`_invoke_watson` `_beginthreadex` `_register_thread_local_exe_atexit_callback` `terminate` `_c_exit` `_exit` `exit` `_initialize_onexit_table` `_register_onexit_function` `_crt_atexit` `_cexit` `_seh_filter_exe` `_set_app_type` `_initterm_e` `_configure_wide_argv` `_initialize_wide_environment` `_get_wide_winmain_command_line` `_initterm`
api-ms-win-crt-string-l1-1-0.dll	`strncpy` `strlen` `wcslen` `towlower` `strncpy_s` `strncmp` `wcscmp` `wcscpy_s` `strcmp` `_stricmp`
api-ms-win-crt-stdio-l1-1-0.dll	`fseek` `ftell` `_set_fmode` `fwrite` `__acrt_iob_func` `fflush` `fclose` `__p__commode` `fread` `__stdio_common_vfprintf` `__stdio_common_vsprintf` `__stdio_common_vsscanf` `_wfopen`
api-ms-win-crt-math-l1-1-0.dll	`cosf` `sinf` `__setusermatherr` `expf` `powf` `fmodf` `roundf` `ceilf` `sqrtf` `acosf`
api-ms-win-crt-heap-l1-1-0.dll	`_callnewh` `free` `_set_new_mode` `malloc`
api-ms-win-crt-utility-l1-1-0.dll	`qsort`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`

Delayed Imports

101

Type	`PAYLOAD`
Language	English - United States
Codepage	UNKNOWN
Size	`0x29000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.14509`
Detected Filetype	PE Executable
MD5	`8e3f6683d20932ddb41fcee57035b1aa`
SHA1	`6da7169837d1aed537ef7c6529a89aac2a2fa515`
SHA256	`ec12791bff3bf68bc4d7dc63a50f779bfc62b8dc41123068deda9a9c99e3f2bd`
SHA3	`837b83c629199357f18cd2d54773125ee56a195cb05580787cc408906a742c2d`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-May-23 10:44:09
Version	`0.0`
SizeofData	`892`
AddressOfRawData	`0xb5268`
PointerToRawData	`0xb4668`

TLS Callbacks

StartAddressOfRawData	`0x1400b5608`
EndAddressOfRawData	`0x1400b5610`
AddressOfIndex	`0x1400bec70`
AddressOfCallbacks	`0x14005b740`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400be1c0`

RICH Header

XOR Key	`0x4d31be27`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`16`
ASM objects (35207)	`4`
C objects (35207)	`10`
C++ objects (35207)	`31`
Imports (35207)	`6`
Imports (33145)	`19`
Total imports	`225`
C++ objects (35224)	`12`
Resource objects (35224)	`1`
151	`1`
Linker (35224)	`1`

Errors

Leave a comment

No comments yet.