| _id | Summary | DOS Header | PE Header | Image Optional Header | Sections | Imports | Exports | Resources | Debug Info | Load Configuration | RICH Header | file_path | md5 | Version Info | sha256 | analysis_data | timestamp |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
69184e000999409cf96ec559
|
{
"Architecture": "IMAGE_FILE_MACHINE_I386",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"Compilation_Date": "2025-Nov-08 09:48:44",
"Detected_Languages": {
"Language": "English",
"Country": "United States"
},
"Debug_Artifacts": "C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb"
}
|
{
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x00000110"
}
|
{
"Signature": "PE",
"Machine": "IMAGE_FILE_MACHINE_I386",
"NumberofSections": 5,
"TimeDateStamp": "2025-Nov-08 09:48:44",
"PointerToSymbolTable": 0,
"NumberOfSymbols": 0,
"SizeOfOptionalHeader": 224,
"Characteristics": [
"IMAGE_FILE_32BIT_MACHINE",
"IMAGE_FILE_DLL",
"IMAGE_FILE_EXECUTABLE_IMAGE"
]
}
|
{
"Magic": "PE32",
"LinkerVersion": "14.0",
"SizeOfCode": "0x00006E00",
"SizeOfInitializedData": "0x00005E00",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x00006EAF (Section: .text)",
"BaseOfCode": "0x00001000",
"BaseOfData": "0x00008000",
"ImageBase": "0x10000000",
"SectionAlignment": "0x00001000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "6.0",
"ImageVersion": "0.0",
"SubsystemVersion": "6.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x00010000",
"SizeOfHeaders": "0x00000400",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"SizeofStackReserve": "0x00100000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00100000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": "16"
}
|
{
"Sections": {
"Section1": {
"Name": ".text",
"VirtualSize": "0x00006C92",
"VirtualAddress": "0x00001000",
"SizeOfRawData": "0x00006E00",
"PointerToRawData": "0x00000400",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 6.38822
},
"Section2": {
"Name": ".rdata",
"VirtualSize": "0x00004B34",
"VirtualAddress": "0x00008000",
"SizeOfRawData": "0x00004C00",
"PointerToRawData": "0x00007200",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 5.27572
},
"Section3": {
"Name": ".data",
"VirtualSize": "0x00000730",
"VirtualAddress": "0x0000D000",
"SizeOfRawData": "0x00000400",
"PointerToRawData": "0x0000BE00",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ",
"IMAGE_SCN_MEM_WRITE"
],
"Entropy": 4.04237
},
"Section4": {
"Name": ".rsrc",
"VirtualSize": "0x000000F8",
"VirtualAddress": "0x0000E000",
"SizeOfRawData": "0x00000200",
"PointerToRawData": "0x0000C200",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 2.51196
},
"Section5": {
"Name": ".reloc",
"VirtualSize": "0x0000060C",
"VirtualAddress": "0x0000F000",
"SizeOfRawData": "0x00000800",
"PointerToRawData": "0x0000C400",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 5.58572
}
}
}
|
{
"KERNEL32.dll": [
"CreateDirectoryW",
"WriteFile",
"TerminateProcess",
"GetModuleFileNameW",
"WaitForSingleObject",
"CreateFileW",
"GetFileAttributesW",
"Sleep",
"CloseHandle",
"CreateProcessW",
"GetExitCodeProcess",
"UnhandledExceptionFilter",
"IsDebuggerPresent",
"InitializeSListHead",
"GetSystemTimeAsFileTime",
"GetCurrentThreadId",
"GetCurrentProcessId",
"QueryPerformanceCounter",
"GetCurrentProcess",
"SetUnhandledExceptionFilter",
"IsProcessorFeaturePresent"
],
"SHELL32.dll": [
"SHFileOperationW",
"ShellExecuteExW"
],
"ole32.dll": [
"CoCreateInstance",
"CoInitialize",
"CoUninitialize"
],
"OLEAUT32.dll": [
"VariantInit",
"SysFreeString",
"SysAllocString",
"VariantClear"
],
"MSVCP140.dll": [
"??1_Lockit@std@@QAE@XZ",
"??0_Lockit@std@@QAE@H@Z",
"?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ",
"?_Id_cnt@id@locale@std@@0HA",
"?_Xout_of_range@std@@YAXPBD@Z",
"?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z",
"?_Xlength_error@std@@YAXPBD@Z",
"?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ",
"??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ",
"?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ",
"?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z",
"??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z",
"unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z",
"?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z",
"?_Setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z",
"??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ",
"??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z",
"in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z",
"out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z",
"??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ",
"??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ",
"?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ",
"?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ",
"?_Showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ",
"?_Uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ",
"?_Xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z",
"?_Xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z",
"?_Setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z",
"?_Sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ",
"?_Imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z",
"??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ",
"??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z",
"??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ",
"?_Always_noconv@codecvt_base@std@@QBE_NXZ",
"?_Xbad_alloc@std@@YAXXZ"
],
"VCRUNTIME140.dll": [
"memmove",
"__CxxFrameHandler3",
"__std_exception_destroy",
"__std_exception_copy",
"__std_terminate",
"memcpy",
"memset",
"_CxxThrowException",
"__std_type_info_destroy_list",
"_except_handler4_common"
],
"api-ms-win-crt-stdio-l1-1-0.dll": [
"fputc",
"_fseeki64",
"_get_stream_buffer_pointers",
"fread",
"fflush",
"fclose",
"ungetc",
"fgetc",
"setvbuf",
"fgetpos",
"fwrite",
"fsetpos"
],
"api-ms-win-crt-runtime-l1-1-0.dll": [
"_cexit",
"_invoke_watson",
"_initterm",
"_initterm_e",
"_seh_filter_dll",
"_configure_narrow_argv",
"_initialize_narrow_environment",
"_initialize_onexit_table",
"_register_onexit_function",
"_execute_onexit_table",
"_crt_atexit"
],
"api-ms-win-crt-filesystem-l1-1-0.dll": [
"_lock_file",
"_wstat64i32",
"_unlock_file"
],
"api-ms-win-crt-convert-l1-1-0.dll": [
"strtol"
],
"api-ms-win-crt-string-l1-1-0.dll": [
"isspace",
"_stricmp"
],
"api-ms-win-crt-heap-l1-1-0.dll": [
"_callnewh",
"malloc",
"free"
]
}
|
{
"ax": {
"Ordinal": 1,
"Address": "0x00002580"
}
}
|
{
"Type": "RT_MANIFEST",
"Language": "English - United States",
"Codepage": "UNKNOWN",
"Size": 145,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 4.8858
}
|
{
"IMAGE_DEBUG_TYPE_CODEVIEW": {
"Characteristics": 0,
"TimeDateStamp": "2025-Nov-08 09:48:44",
"Version": 0,
"SizeofData": 108,
"AddressOfRawData": 45628,
"PointerToRawData": 42044,
"ReferencedFile": "C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb"
},
"IMAGE_DEBUG_TYPE_VC_FEATURE": {
"Characteristics": 0,
"TimeDateStamp": "2025-Nov-08 09:48:44",
"Version": 0,
"SizeofData": 20,
"AddressOfRawData": 45736,
"PointerToRawData": 42152
},
"IMAGE_DEBUG_TYPE_POGO": {
"Characteristics": 0,
"TimeDateStamp": "2025-Nov-08 09:48:44",
"Version": 0,
"SizeofData": 708,
"AddressOfRawData": 45756,
"PointerToRawData": 42172
},
"IMAGE_DEBUG_TYPE_ILTCG": {
"Characteristics": 0,
"TimeDateStamp": "2025-Nov-08 09:48:44",
"Version": 0,
"SizeofData": 0,
"AddressOfRawData": 0,
"PointerToRawData": 0
}
}
|
{
"Size": 192,
"TimeDateStamp": "1970-Jan-01 00:00:00",
"Version": "0.0",
"GlobalFlagsClear": "(EMPTY)",
"GlobalFlagsSet": "(EMPTY)",
"CriticalSectionDefaultTimeout": 0,
"DeCommitFreeBlockThreshold": 0,
"DeCommitTotalFreeThreshold": 0,
"LockPrefixTable": 0,
"MaximumAllocationSize": 0,
"VirtualMemoryThreshold": 0,
"ProcessAffinityMask": 0,
"ProcessHeapFlags": "(EMPTY)",
"CSDVersion": 0,
"Reserved1": 0,
"EditList": 0,
"SecurityCookie": 268488768,
"SEHandlerTable": 268480912,
"SEHandlerCount": 10
}
|
{
"xor_key": "0x3271BA7A",
"unmarked_objects": 0,
"imports_vs2008_sp1": 12,
"asm_objects": 1,
"c_objects": 10,
"c_plus_plus_objects": 18,
"imports_general": 4,
"c_objects_ltcg": 1,
"exports": 1,
"resource_objects": 1,
"linker": 1,
"total_imports": 140,
"interesting_strings": [
"g550.onrender.com",
"githostaduviep-g550.onrender.com",
"https://githostaduviep-g550.onrender.com",
"onrender.com"
],
"common_functions": [
"CreateProcessW",
"WinHttpQueryDataAvailable",
"WinHttpReceiveResponse",
"WinHttpConnect",
"WinHttpSendRequest",
"WinHttpOpen",
"WinHttpCloseHandle",
"WinHttpReadData",
"WinHttpOpenRequest"
],
"internet_access_capabilities": [
"WinHttpQueryDataAvailable",
"WinHttpReceiveResponse",
"WinHttpConnect",
"WinHttpSendRequest",
"WinHttpOpen",
"WinHttpCloseHandle",
"WinHttpReadData",
"WinHttpOpenRequest"
],
"exploit_mitigation_techniques": {
"stack_canary": "enabled",
"safe_seh": "enabled (10 registered handlers)",
"aslr": "enabled",
"dep": "enabled",
"cfg": "disabled"
},
"virus_total_score": {
"total_scanned": "21/71",
"scanned_date": "2025-11-11 16:31:18",
"antivirus_detections": [
"AhnLab-V3: Malware/Win.Generic.C5813078",
"CrowdStrike: win/malicious_confidence_100% (W)",
"Cynet: Malicious (score: 100)",
"DeepInstinct: MALICIOUS",
"ESET-NOD32: Win32/TrojanDownloader.Agent.IKA trojan",
"Google: Detected",
"Ikarus: Trojan-Downloader.Win32.Agent",
"K7AntiVirus: Trojan-Downloader ( 005d8a0f1 )",
"K7GW: Trojan-Downloader ( 005d8a0f1 )",
"Kaspersky: Trojan.Win32.Agentb.tmwb",
"Lionic: Trojan.Win32.Agentb.X!c",
"McAfeeD: ti!CF9CDD5D2628",
"Microsoft: Trojan:Win32/Egairtigado!rfn",
"Rising: Trojan.Agent!8.B1E (LESS:bWQ1OsuPiB2h+9kL)",
"Sophos: Mal/Generic-S",
"Symantec: Trojan.Gen.MBT",
"Tencent: Win32.Trojan-Downloader.Oader.Ocnw",
"TrellixENS: Artemis!40784DCA35FA",
"TrendMicro: Backdoor.Win32.ASYNCRAT.YXFKJZ",
"TrendMicro-HouseCall: Backdoor.Win32.ASYNCRAT.YXFKJZ",
"alibabacloud: Trojan[downloader]:Win/Agentb.ttxe"
]
}
}
|
/home/apogean/projects/malware/windows/samples/dll_sample.dll
|
40784dca35fa06d4c4cb932e101e56ab
|
||||
693190fba91f83988d51bb0f
|
{
"Architecture": "IMAGE_FILE_MACHINE_I386",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"Compilation Date": "2088-Mar-06 18:36:34",
"Debug Artifacts": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb",
"Comments": "RMM Client",
"CompanyName": "",
"FileDescription": "Client",
"FileVersion": "1.0.0.0",
"InternalName": "Client.exe",
"LegalCopyright": "",
"LegalTrademarks": "",
"OriginalFilename": "Client.exe",
"ProductName": "Client",
"ProductVersion": "1.0.0.0",
"Assembly Version": "1.0.0.0"
}
|
{
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x00000080"
}
|
{
"raw_response": "{\n \"Signature\": \"PE\",\n \"Machine\": \"IMAGE_FILE_MACHINE_I386\",\n \"NumberofSections\": 3,\n \"TimeDateStamp\": \"2088-Mar-06 18:36:34\",\n \"PointerToSymbolTable\": 0,\n \"NumberOfSymbols\": 0,\n \"SizeOfOptionalHeader\": 0x00E0,\n \"Characteristics\": [\n \"IMAGE_FILE_EXECUTABLE_IMAGE\",\n \"IMAGE_FILE_LARGE_ADDRESS_AWARE\"\n ]\n}"
}
|
{
"Magic": "PE32",
"LinkerVersion": "48.0",
"SizeOfCode": "0x00037000",
"SizeOfInitializedData": "0x00000A00",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x00038F5E",
"BaseOfCode": "0x00002000",
"BaseOfData": "0x0003A000",
"ImageBase": "0x00400000",
"SectionAlignment": "0x00002000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "4.0",
"ImageVersion": "0.0",
"SubsystemVersion": "6.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x0003E000",
"SizeOfHeaders": "0x00000200",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA | IMAGE_DLLCHARACTERISTICS_NO_SEH | IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
"SizeofStackReserve": "0x00100000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00100000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": 16
}
|
{
".text": {
"VirtualSize": "0x00036FD0",
"VirtualAddress": "0x00002000",
"SizeOfRawData": "0x00037000",
"PointerToRawData": "0x00000200",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": "0",
"NumberOfRelocations": "0",
"Characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": "5.55645"
},
".rsrc": {
"VirtualSize": "0x000006AC",
"VirtualAddress": "0x0003A000",
"SizeOfRawData": "0x00000800",
"PointerToRawData": "0x00037200",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": "0",
"NumberOfRelocations": "0",
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"Entropy": "4.50595"
},
".reloc": {
"VirtualSize": "0x0000000C",
"VirtualAddress": "0x0003C000",
"SizeOfRawData": "0x00000200",
"PointerToRawData": "0x00037A00",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": "0",
"NumberOfRelocations": "0",
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": "0.10191"
}
}
|
{
"entity1": "mscoree.dll",
"entity2": "_CorExeMain"
}
|
[
{
"Type": "RT_RCDATA",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 30,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 2.48173
},
{
"Type": "RT_RCDATA",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 10,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 1.37095
},
{
"Type": "RT_RCDATA",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 76,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 2.87727
},
{
"Type": "RT_VERSION",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 768,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 3.16411
},
{
"Type": "RT_MANIFEST",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 490,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 5.00112
}
]
|
{
"raw_response": "{\n \"IMAGE_DEBUG_TYPE_CODEVIEW\": {\n \"Characteristics\": 0,\n \"TimeDateStamp\": \"2068-May-04 18:04:16\",\n \"Version\": 0.0,\n \"SizeofData\": 101,\n \"AddressOfRawData\": 0x00038EA4,\n \"PointerToRawData\": 0x000370A4,\n \"ReferencedFile\": \"C:\\\\Users\\\\sulum\\\\OneDrive\\\\Desktop\\\\datacenter\\\\stubCsharp\\\\obj\\\\Release\\\\Client.pdb\"\n },\n \"UNKNOWN\": {\n \"Characteristics\": 0,\n \"TimeDateStamp\": \"1970-Jan-01 00:00:00\",\n \"Version\": 0.0,\n \"SizeofData\": 0,\n \"AddressOfRawData\": 0x00000000,\n \"PointerToRawData\": 0x00000000\n },\n \"SUSPICIOUS_STRINGS\": [\n {\n \"Type\": \"System_or_Monitoring_Tool\",\n \"Strings\": [\n \"rundll32.exe\",\n \"schtask\"\n ]\n },\n {\n \"Type\": \"Security_Software\",\n \"Strings\": [\n \"rshell.exe\"\n ]\n },\n {\n \"Type\": \"Dropper_Capabilities\",\n \"Strings\": [\n \"CurrentVersion\\\\Run\"\n ]\n },\n {\n \"Type\": \"Miscellaneous_Malware_Strings\",\n \"Strings\": [\n \"cmd.Exe\"\n ]\n },\n {\n \"Type\": \"Domain_Names\",\n \"Strings\": [\n \"ftp://server09.mentality.cloud\",\n \"ftp://server09.mentality.cloud/public_html/sqlite3.dll\",\n \"http://ip-api.com\",\n \"ip-api.com\"\n ]\n }\n ],\n \"EXPLOIT_MITIGATION_TECHNIQUES\": {\n \"Stack_Canary\": \"disabled\",\n \"SafeSEH\": \"disabled\",\n \"ASLR\": \"enabled\",\n \"DEP\": \"enabled\",\n \"CFG\": \"disabled\"\n }\n}"
}
|
{
"raw_response": "{\n \"Resource\": {\n \"LangID\": \"UNKNOWN\",\n \"VS_VERSION_INFO\": {\n \"Signature\": 0xFEEF04BD,\n \"StructVersion\": 0x00010000,\n \"FileVersion\": {\n \"Major\": 1,\n \"Minor\": 0,\n \"Build\": 0,\n \"Revision\": 0\n },\n \"ProductVersion\": {\n \"Major\": 1,\n \"Minor\": 0,\n \"Build\": 0,\n \"Revision\": 0\n },\n \"FileFlags\": 0,\n \"FileOs\": [\n \"VOS_DOS_WINDOWS32\",\n \"VOS_NT_WINDOWS32\",\n \"VOS__WINDOWS32\"\n ],\n \"FileType\": \"VFT_APP\",\n \"Language\": \"UNKNOWN\",\n \"Comments\": \"\",\n \"CompanyName\": \"\",\n \"FileDescription\": \"Client\",\n \"FileVersion_2\": \"1.0.0.0\",\n \"InternalName\": \"Client.exe\",\n \"LegalCopyright\": \"\",\n \"LegalTrademarks\": \"\",\n \"OriginalFilename\": \"Client.exe\",\n \"ProductName\": \"Client\",\n \"ProductVersion_2\": \"1.0.0.0\",\n \"Assembly_Version\": \"1.0.0.0\"\n }\n }\n}"
}
|
||||||||
697df9f5c45b753179b2cedc
|
{
"Architecture": "IMAGE_FILE_MACHINE_I386",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"Compilation Date": "2088-Mar-06 18:36:34",
"Debug Artifacts": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb",
"Comments": "RMM Client",
"CompanyName": "",
"FileDescription": "Client",
"FileVersion": "1.0.0.0",
"InternalName": "Client.exe",
"LegalCopyright": "",
"LegalTrademarks": "",
"OriginalFilename": "Client.exe",
"ProductName": "Client",
"ProductVersion": "1.0.0.0",
"Assembly Version": "1.0.0.0"
}
|
{
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x00000080"
}
|
{
"raw_response": "{\n \"Signature\": \"PE\",\n \"Machine\": \"IMAGE_FILE_MACHINE_I386\",\n \"NumberofSections\": 3,\n \"TimeDateStamp\": \"2088-Mar-06 18:36:34\",\n \"PointerToSymbolTable\": 0,\n \"NumberOfSymbols\": 0,\n \"SizeOfOptionalHeader\": 0x00E0,\n \"Characteristics\": [\n \"IMAGE_FILE_EXECUTABLE_IMAGE\",\n \"IMAGE_FILE_LARGE_ADDRESS_AWARE\"\n ]\n}"
}
|
{
"Magic": "PE32",
"LinkerVersion": "48.0",
"SizeOfCode": "0x00037000",
"SizeOfInitializedData": "0x00000A00",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x00038F5E",
"BaseOfCode": "0x00002000",
"BaseOfData": "0x0003A000",
"ImageBase": "0x00400000",
"SectionAlignment": "0x00002000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "4.0",
"ImageVersion": "0.0",
"SubsystemVersion": "6.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x0003E000",
"SizeOfHeaders": "0x00000200",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA | IMAGE_DLLCHARACTERISTICS_NO_SEH | IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
"SizeofStackReserve": "0x00100000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00100000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": 16
}
|
{
".text": {
"VirtualSize": "0x00036FD0",
"VirtualAddress": "0x00002000",
"SizeOfRawData": "0x00037000",
"PointerToRawData": "0x00000200",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": "0",
"NumberOfRelocations": "0",
"Characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": "5.55645"
},
".rsrc": {
"VirtualSize": "0x000006AC",
"VirtualAddress": "0x0003A000",
"SizeOfRawData": "0x00000800",
"PointerToRawData": "0x00037200",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": "0",
"NumberOfRelocations": "0",
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"Entropy": "4.50595"
},
".reloc": {
"VirtualSize": "0x0000000C",
"VirtualAddress": "0x0003C000",
"SizeOfRawData": "0x00000200",
"PointerToRawData": "0x00037A00",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": "0",
"NumberOfRelocations": "0",
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": "0.10191"
}
}
|
{
"entity1": "mscoree.dll",
"entity2": "_CorExeMain"
}
|
[
{
"Type": "RT_RCDATA",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 30,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 2.48173
},
{
"Type": "RT_RCDATA",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 10,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 1.37095
},
{
"Type": "RT_RCDATA",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 76,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 2.87727
},
{
"Type": "RT_VERSION",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 768,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 3.16411
},
{
"Type": "RT_MANIFEST",
"Language": "UNKNOWN",
"Codepage": "Latin 1 / Western European",
"Size": 490,
"TimeDateStamp": "1980-Jan-01 00:00:00",
"Entropy": 5.00112
}
]
|
{
"raw_response": "Here is the valid JSON output extracted from the input:\n\n```json\n{\n \"IMAGE_DEBUG_TYPE_CODEVIEW\": {\n \"Characteristics\": 0,\n \"TimeDateStamp\": \"2068-May-04 18:04:16\",\n \"Version\": 0.0,\n \"SizeofData\": 101,\n \"AddressOfRawData\": 0x00038EA4,\n \"PointerToRawData\": 0x000370A4,\n \"Referenced File\": \"C:\\\\Users\\\\sulum\\\\OneDrive\\\\Desktop\\\\datacenter\\\\stubCsharp\\\\obj\\\\Release\\\\Client.pdb\"\n },\n \"UNKNOWN\": {\n \"Characteristics\": 0,\n \"TimeDateStamp\": \"1970-Jan-01 00:00:00\",\n \"Version\": 0.0,\n \"SizeofData\": 0,\n \"AddressOfRawData\": 0x00000000,\n \"PointerToRawData\": 0x00000000\n },\n \"SUSPICIOUS\": {\n \"SystemOrMonitoringTools\": [\n \"rundll32.exe\",\n \"schtask\"\n ],\n \"SecuritySoftware\": [\n \"rshell.exe\"\n ],\n \"DropperCapabilities\": [\n \"CurrentVersion\\\\Run\"\n ],\n \"MiscellaneousMalwareStrings\": [\n \"cmd.Exe\"\n ],\n \"DomainNames\": [\n \"ftp://server09.mentality.cloud\",\n \"ftp://server09.mentality.cloud/public_html/sqlite3.dll\",\n \"http://ip-api.com\",\n \"ip-api.com\"\n ]\n },\n \"ExploitMitigationTechniques\": {\n \"StackCanary\": \"disabled\",\n \"SafeSEH\": \"disabled\",\n \"ASLR\": \"enabled\",\n \"DEP\": \"enabled\",\n \"CFG\": \"disabled\"\n }\n}\n```"
}
|
{
"raw_response": "{\n \"Resource\": {\n \"LangID\": \"UNKNOWN\",\n \"VS_VERSION_INFO\": {\n \"Signature\": 0xFEEF04BD,\n \"StructVersion\": 0x00010000,\n \"FileVersion\": {\n \"Major\": 1,\n \"Minor\": 0,\n \"Build\": 0,\n \"Revision\": 0\n },\n \"ProductVersion\": {\n \"Major\": 1,\n \"Minor\": 0,\n \"Build\": 0,\n \"Revision\": 0\n },\n \"FileFlags\": 0,\n \"FileOs\": [\n \"VOS_DOS_WINDOWS32\",\n \"VOS_NT_WINDOWS32\",\n \"VOS__WINDOWS32\"\n ],\n \"FileType\": \"VFT_APP\",\n \"Language\": \"UNKNOWN\",\n \"Comments\": \"\",\n \"CompanyName\": \"\",\n \"FileDescription\": \"Client\",\n \"FileVersion_2\": \"1.0.0.0\",\n \"InternalName\": \"Client.exe\",\n \"LegalCopyright\": \"\",\n \"LegalTrademarks\": \"\",\n \"OriginalFilename\": \"Client.exe\",\n \"ProductName\": \"Client\",\n \"ProductVersion_2\": \"1.0.0.0\",\n \"Assembly_Version\": \"1.0.0.0\"\n }\n }\n}"
}
|
||||||||
69e716f959a6632dae07ddfc
|
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b…
|
{
"success": true,
"output": "\n================================================================================\nMANALYZE ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/2\nDate: 2026-04-26 23:28:59\nExit Code: 0\n================================================================================\n\n* Manalyze 0.9 *\n\n-------------------------------------------------------------------------------\n/home/apogean/projects/malware/windows/all_runs/2\n-------------------------------------------------------------------------------\n\nSummary:\n--------\nArchitecture: IMAGE_FILE_MACHINE_I386\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nCompilation Date: 2026-Feb-13 01:35:27\nDebug artifacts: kZZhV.pdb\nComments: Zihin Sarayi - Hafiza Sarayi Olusturucu\nCompanyName: \nFileDescription: MindPalace\nFileVersion: 1.0.0.0\nInternalName: kZZhV.exe\nLegalCopyright: Copyright 2026\nLegalTrademarks: \nOriginalFilename: kZZhV.exe\nProductName: MindPalace\nProductVersion: 1.0.0.0\nAssembly Version: 1.0.0.0\n\nDOS Header:\n-----------\ne_magic: MZ\ne_cblp: 0x0090\ne_cp: 0x0003\ne_crlc: 0x0000\ne_cparhdr: 0x0004\ne_minalloc: 0x0000\ne_maxalloc: 0xFFFF\ne_ss: 0x0000\ne_sp: 0x00B8\ne_csum: 0x0000\ne_ip: 0x0000\ne_cs: 0x0000\ne_ovno: 0x0000\ne_oemid: 0x0000\ne_oeminfo: 0x0000\ne_lfanew: 0x00000080\n\nPE Header:\n----------\nSignature: PE\nMachine: IMAGE_FILE_MACHINE_I386\nNumberofSections: 3\nTimeDateStamp: 2026-Feb-13 01:35:27\nPointerToSymbolTable: 0x00000000\nNumberOfSymbols: 0\nSizeOfOptionalHeader: 0x00E0\nCharacteristics: IMAGE_FILE_32BIT_MACHINE\n IMAGE_FILE_EXECUTABLE_IMAGE\n IMAGE_FILE_LINE_NUMS_STRIPPED\n IMAGE_FILE_LOCAL_SYMS_STRIPPED\n\nImage Optional Header:\n----------------------\nMagic: PE32\nLinkerVersion: 48.0\nSizeOfCode: 0x00182A00\nSizeOfInitializedData: 0x00000800\nSizeOfUninitializedData: 0x00000000\nAddressOfEntryPoint: 0x0018490E (Section: .text)\nBaseOfCode: 0x00002000\nBaseOfData: 
0x00186000\nImageBase: 0x00400000\nSectionAlignment: 0x00002000\nFileAlignment: 0x00000200\nOperatingSystemVersion: 4.0\nImageVersion: 0.0\nSubsystemVersion: 4.0\nWin32VersionValue: 0\nSizeOfImage: 0x0018A000\nSizeOfHeaders: 0x00000200\nChecksum: 0x00000000\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nDllCharacteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_NO_SEH\n IMAGE_DLLCHARACTERISTICS_NX_COMPAT\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\nSizeofStackReserve: 0x00100000\nSizeofStackCommit: 0x00001000\nSizeofHeapReserve: 0x00100000\nSizeofHeapCommit: 0x00001000\nLoaderFlags: 0x00000000\nNumberOfRvaAndSizes: 15\n\nSections:\n---------\n.text:\n VirtualSize: 0x00182914\n VirtualAddress: 0x00002000\n SizeOfRawData: 0x00182A00\n PointerToRawData: 0x00000200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_CODE\n IMAGE_SCN_MEM_EXECUTE\n IMAGE_SCN_MEM_READ\n Entropy: 7.89677\n\n.rsrc:\n VirtualSize: 0x000005E8\n VirtualAddress: 0x00186000\n SizeOfRawData: 0x00000600\n PointerToRawData: 0x00182C00\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 4.19379\n\n.reloc:\n VirtualSize: 0x0000000C\n VirtualAddress: 0x00188000\n SizeOfRawData: 0x00000200\n PointerToRawData: 0x00183200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_DISCARDABLE\n IMAGE_SCN_MEM_READ\n Entropy: 0.10191\n\n\nImports:\n--------\nmscoree.dll: _CorExeMain\n\nResources:\n----------\n1:\n Type: RT_VERSION\n Language: UNKNOWN\n Codepage: UNKNOWN\n Size: 860\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.33583\n\n1 (#2):\n Type: RT_MANIFEST\n Language: UNKNOWN\n Codepage: UNKNOWN\n 
Size: 490\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 5.00112\n\n\nVersion Info:\n-------------\nResource LangID: UNKNOWN\nVS_VERSION_INFO:\n Signature: 0xFEEF04BD\n StructVersion: 0x00010000\n FileVersion: 1.0.0.0\n ProductVersion: 1.0.0.0\n FileFlags: (EMPTY)\n FileOs: VOS_DOS_WINDOWS32\n VOS_NT_WINDOWS32\n VOS__WINDOWS32\n FileType: VFT_APP\n Language: UNKNOWN\n Comments: Zihin Sarayi - Hafiza Sarayi Olusturucu\n CompanyName: \n FileDescription: MindPalace\n FileVersion (#2): 1.0.0.0\n InternalName: kZZhV.exe\n LegalCopyright: Copyright 2026\n LegalTrademarks: \n OriginalFilename: kZZhV.exe\n ProductName: MindPalace\n ProductVersion (#2): 1.0.0.0\n Assembly Version: 1.0.0.0\n\n\nDebug Info:\n-----------\nIMAGE_DEBUG_TYPE_CODEVIEW:\n Characteristics: 0\n TimeDateStamp: 1970-Jan-01 00:00:00\n Version: 0.0\n SizeofData: 34\n AddressOfRawData: 0x00184897\n PointerToRawData: 0x00182A97\n Referenced File: kZZhV.pdb\n\n\nMatching compiler(s):\n Microsoft Visual C# v7.0 / Basic .NET\n\nCryptographic algorithms detected in the binary:\n Uses constants related to MD5\n\nThe following exploit mitigation techniques have been detected\n Stack Canary: disabled\n SafeSEH: disabled\n ASLR: enabled\n DEP: enabled\n CFG: disabled\n\n\n\n[!] Error: [plugin_virustotal] VirusTotal API access denied. Please verify that your API key is valid.\n[!] Error: [Yara compiler] yara_rules/clamav.yara (999960) : syntax error, unexpected '{', expecting text string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (1089890) : syntax error, unexpected string identifier, expecting '}'\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2064551) : unreferenced string \"$a7\"\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2510733) : invalid hex string \"$a0\": uneven number of digits in hex string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2597376) : invalid hex string \"$a5\": syntax error\n[!] 
Error: [Yara compiler] yara_rules/clamav.yara (2983072) : invalid hex string \"$a0\": invalid character in hex string\n[!] Error: Could not compile yara rules (6 error(s)).\n[!] Error: ClamAV rules haven't been generated yet!\n[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.\n",
"json_output": {
"Summary": {
"architecture": "IMAGE_FILE_MACHINE_I386",
"subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"compilation_date": "2026-Feb-13 01:35:27",
"debug_artifacts": "kZZhV.pdb",
"comments": "Zihin Sarayi - Hafiza Sarayi Olusturucu",
"company_name": "",
"file_description": "MindPalace",
"file_version": "1.0.0.0",
"internal_name": "kZZhV.exe",
"legal_copyright": "Copyright 2026",
"legal_trademarks": "",
"original_filename": "kZZhV.exe",
"product_name": "MindPalace",
"product_version": "1.0.0.0",
"assembly_version": "1.0.0.0"
},
"DOS Header": {
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x00000080"
},
"PE Header": {
"Signature": "PE",
"Machine": "IMAGE_FILE_MACHINE_I386",
"NumberofSections": 3,
"TimeDateStamp": "2026-Feb-13 01:35:27",
"PointerToSymbolTable": "0x00000000",
"NumberOfSymbols": 0,
"SizeOfOptionalHeader": "0x00E0",
"Characteristics": [
"IMAGE_FILE_32BIT_MACHINE",
"IMAGE_FILE_EXECUTABLE_IMAGE",
"IMAGE_FILE_LINE_NUMS_STRIPPED",
"IMAGE_FILE_LOCAL_SYMS_STRIPPED"
]
},
"Image Optional Header": {
"Magic": "PE32",
"LinkerVersion": "48.0",
"SizeOfCode": "0x00182A00",
"SizeOfInitializedData": "0x00000800",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x0018490E",
"Section": ".text",
"BaseOfCode": "0x00002000",
"BaseOfData": "0x00186000",
"ImageBase": "0x00400000",
"SectionAlignment": "0x00002000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "4.0",
"ImageVersion": "0.0",
"SubsystemVersion": "4.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x0018A000",
"SizeOfHeaders": "0x00000200",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": [
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_NO_SEH",
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"SizeofStackReserve": "0x00100000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00100000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": "15"
},
"Sections": {
"sections": [
{
"name": ".text",
"virtual_size": "0x00182914",
"virtual_address": "0x00002000",
"size_of_raw_data": "0x00182A00",
"pointer_to_raw_data": "0x00000200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 7.89677
},
{
"name": ".rsrc",
"virtual_size": "0x000005E8",
"virtual_address": "0x00186000",
"size_of_raw_data": "0x00000600",
"pointer_to_raw_data": "0x00182C00",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"entropy": 4.19379
},
{
"name": ".reloc",
"virtual_size": "0x0000000C",
"virtual_address": "0x00188000",
"size_of_raw_data": "0x00000200",
"pointer_to_raw_data": "0x00183200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 0.10191
}
]
},
"Imports": {
"file_info": {
"internal_name": "kZZhV.exe",
"file_description": "MindPalace",
"original_filename": "kZZhV.exe",
"product_name": "MindPalace",
"company_name": "",
"legal_copyright": "Copyright 2026",
"legal_trademarks": "",
"file_version": "1.0.0.0",
"product_version": "1.0.0.0",
"assembly_version": "1.0.0.0",
"comments": "Zihin Sarayi - Hafiza Sarayi Olusturucu"
},
"resources": [
{
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "UNKNOWN",
"size": 860,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 3.33583
},
{
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "UNKNOWN",
"size": 490,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 5.00112
}
],
"debug_info": {
"type": "IMAGE_DEBUG_TYPE_CODEVIEW",
"characteristics": 0,
"timedatestamp": "1970-Jan-01 00:00:00",
"version": "0.0",
"sizeofdata": 34,
"addressofrawdata": "0x00184897",
"pointertorawdata": "0x00182A97",
"referenced_file": "kZZhV.pdb"
},
"compiler": "Microsoft Visual C# v7.0 / Basic .NET",
"crypto": [
"MD5"
],
"mitigations": {
"stack_canary": false,
"safe_seh": false,
"aslr": true,
"dep": true,
"cfg": false
}
},
"Exports": {},
"Resources": {
"entities": [
{
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "UNKNOWN",
"size": 860,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 3.33583
},
{
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "UNKNOWN",
"size": 490,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 5.00112
}
],
"version_info": {
"resource_lang_id": "UNKNOWN",
"signature": "0xFEEF04BD",
"struct_version": "0x00010000",
"file_version": "1.0.0.0",
"product_version": "1.0.0.0",
"file_flags": "(EMPTY)",
"file_os": [
"VOS_DOS_WINDOWS32",
"VOS_NT_WINDOWS32",
"VOS__WINDOWS32"
],
"file_type": "VFT_APP",
"language": "UNKNOWN",
"comments": "Zihin Sarayi - Hafiza Sarayi Olusturucu",
"company_name": "",
"file_description": "MindPalace",
"internal_name": "kZZhV.exe",
"legal_copyright": "Copyright 2026",
"legal_trademarks": "",
"original_filename": "kZZhV.exe",
"product_name": "MindPalace",
"assembly_version": "1.0.0.0"
}
},
"Debug Info": {
"IMAGE_DEBUG_TYPE_CODEVIEW": {
"Characteristics": 0,
"TimeDateStamp": "1970-Jan-01 00:00:00",
"Version": "0.0",
"SizeofData": 34,
"AddressOfRawData": "0x00184897",
"PointerToRawData": "0x00182A97",
"ReferencedFile": "kZZhV.pdb"
},
"MatchingCompilers": [
"Microsoft Visual C# v7.0 / Basic .NET"
],
"CryptographicAlgorithms": [
"MD5"
],
"ExploitMitigationTechniques": {
"StackCanary": false,
"SafeSEH": false,
"ASLR": true,
"DEP": true,
"CFG": false
}
},
"Load Configuration": {},
"RICH Header": {},
"Interesting strings found in the binary": {},
"file_path": "/home/apogean/projects/malware/windows/all_runs/2"
},
"exit_code": 0,
"output_file": "/tmp/sdm_manalyze_uk15fdqw/output.txt"
}
|
2026-04-26 23:29:18
|
||||||||||||||
69e917a859a6632dae07de0f
|
9a5ff998dbf0f6923d0b454d89800fb4
|
{
"success": true,
"output": "\n================================================================================\nMANALYZE ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe\nDate: 2026-04-23 00:49:03\nExit Code: 0\n================================================================================\n\n* Manalyze 0.9 *\n\n-------------------------------------------------------------------------------\n/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe\n-------------------------------------------------------------------------------\n\nSummary:\n--------\nArchitecture: IMAGE_FILE_MACHINE_I386\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nCompilation Date: 2088-Mar-06 18:36:34\nDebug artifacts: C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb\nComments: RMM Client\nCompanyName: \nFileDescription: Client\nFileVersion: 1.0.0.0\nInternalName: Client.exe\nLegalCopyright: \nLegalTrademarks: \nOriginalFilename: Client.exe\nProductName: Client\nProductVersion: 1.0.0.0\nAssembly Version: 1.0.0.0\n\nDOS Header:\n-----------\ne_magic: MZ\ne_cblp: 0x0090\ne_cp: 0x0003\ne_crlc: 0x0000\ne_cparhdr: 0x0004\ne_minalloc: 0x0000\ne_maxalloc: 0xFFFF\ne_ss: 0x0000\ne_sp: 0x00B8\ne_csum: 0x0000\ne_ip: 0x0000\ne_cs: 0x0000\ne_ovno: 0x0000\ne_oemid: 0x0000\ne_oeminfo: 0x0000\ne_lfanew: 0x00000080\n\nPE Header:\n----------\nSignature: PE\nMachine: IMAGE_FILE_MACHINE_I386\nNumberofSections: 3\nTimeDateStamp: 2088-Mar-06 18:36:34\nPointerToSymbolTable: 0x00000000\nNumberOfSymbols: 0\nSizeOfOptionalHeader: 0x00E0\nCharacteristics: IMAGE_FILE_EXECUTABLE_IMAGE\n IMAGE_FILE_LARGE_ADDRESS_AWARE\n\nImage Optional Header:\n----------------------\nMagic: PE32\nLinkerVersion: 48.0\nSizeOfCode: 0x00037000\nSizeOfInitializedData: 
0x00000A00\nSizeOfUninitializedData: 0x00000000\nAddressOfEntryPoint: 0x00038F5E (Section: .text)\nBaseOfCode: 0x00002000\nBaseOfData: 0x0003A000\nImageBase: 0x00400000\nSectionAlignment: 0x00002000\nFileAlignment: 0x00000200\nOperatingSystemVersion: 4.0\nImageVersion: 0.0\nSubsystemVersion: 6.0\nWin32VersionValue: 0\nSizeOfImage: 0x0003E000\nSizeOfHeaders: 0x00000200\nChecksum: 0x00000000\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nDllCharacteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA\n IMAGE_DLLCHARACTERISTICS_NO_SEH\n IMAGE_DLLCHARACTERISTICS_NX_COMPAT\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\nSizeofStackReserve: 0x00100000\nSizeofStackCommit: 0x00001000\nSizeofHeapReserve: 0x00100000\nSizeofHeapCommit: 0x00001000\nLoaderFlags: 0x00000000\nNumberOfRvaAndSizes: 16\n\nSections:\n---------\n.text:\n VirtualSize: 0x00036FD0\n VirtualAddress: 0x00002000\n SizeOfRawData: 0x00037000\n PointerToRawData: 0x00000200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_CODE\n IMAGE_SCN_MEM_EXECUTE\n IMAGE_SCN_MEM_READ\n Entropy: 5.55645\n\n.rsrc:\n VirtualSize: 0x000006AC\n VirtualAddress: 0x0003A000\n SizeOfRawData: 0x00000800\n PointerToRawData: 0x00037200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 4.50595\n\n.reloc:\n VirtualSize: 0x0000000C\n VirtualAddress: 0x0003C000\n SizeOfRawData: 0x00000200\n PointerToRawData: 0x00037A00\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_DISCARDABLE\n IMAGE_SCN_MEM_READ\n Entropy: 0.10191\n\n\nImports:\n--------\nmscoree.dll: _CorExeMain\n\nResources:\n----------\n1:\n Type: RT_RCDATA\n 
Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 30\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.48173\n\n2:\n Type: RT_RCDATA\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 10\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 1.37095\n\n3:\n Type: RT_RCDATA\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 76\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.87727\n\n1 (#2):\n Type: RT_VERSION\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 768\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.16411\n\n1 (#3):\n Type: RT_MANIFEST\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 490\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 5.00112\n\n\nVersion Info:\n-------------\nResource LangID: UNKNOWN\nVS_VERSION_INFO:\n Signature: 0xFEEF04BD\n StructVersion: 0x00010000\n FileVersion: 1.0.0.0\n ProductVersion: 1.0.0.0\n FileFlags: (EMPTY)\n FileOs: VOS_DOS_WINDOWS32\n VOS_NT_WINDOWS32\n VOS__WINDOWS32\n FileType: VFT_APP\n Language: UNKNOWN\n Comments: RMM Client\n CompanyName: \n FileDescription: Client\n FileVersion (#2): 1.0.0.0\n InternalName: Client.exe\n LegalCopyright: \n LegalTrademarks: \n OriginalFilename: Client.exe\n ProductName: Client\n ProductVersion (#2): 1.0.0.0\n Assembly Version: 1.0.0.0\n\n\nDebug Info:\n-----------\nIMAGE_DEBUG_TYPE_CODEVIEW:\n Characteristics: 0\n TimeDateStamp: 2068-May-04 18:04:16\n Version: 0.0\n SizeofData: 101\n AddressOfRawData: 0x00038EA4\n PointerToRawData: 0x000370A4\n Referenced File: C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb\n\nUNKNOWN:\n Characteristics: 0\n TimeDateStamp: 1970-Jan-01 00:00:00\n Version: 0.0\n SizeofData: 0\n AddressOfRawData: 0x00000000\n PointerToRawData: 0x00000000\n\n\n[ SUSPICIOUS ] Strings found in the binary may indicate undesirable behavior:\n Contains references to system / monitoring tools:\n rundll32.exe\n schtask\n Contains references to security 
software:\n rshell.exe\n May have dropper capabilities:\n CurrentVersion\\Run\n Miscellaneous malware strings:\n cmd.Exe\n Contains domain names:\n ftp://server09.mentality.cloud\n ftp://server09.mentality.cloud/public_html/sqlite3.dll\n http://ip-api.com\n ip-api.com\n\nThe following exploit mitigation techniques have been detected\n Stack Canary: disabled\n SafeSEH: disabled\n ASLR: enabled\n DEP: enabled\n CFG: disabled\n\n\n\n[!] Error: [plugin_virustotal] VirusTotal API access denied. Please verify that your API key is valid.\n[!] Error: [Yara compiler] yara_rules/clamav.yara (999960) : syntax error, unexpected '{', expecting text string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (1089890) : syntax error, unexpected string identifier, expecting '}'\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2064551) : unreferenced string \"$a7\"\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2510733) : invalid hex string \"$a0\": uneven number of digits in hex string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2597376) : invalid hex string \"$a5\": syntax error\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2983072) : invalid hex string \"$a0\": invalid character in hex string\n[!] Error: Could not compile yara rules (6 error(s)).\n[!] Error: ClamAV rules haven't been generated yet!\n[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.\n",
"json_output": {
"Summary": {
"architecture": "IMAGE_FILE_MACHINE_I386",
"subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"compilation_date": "2088-Mar-06 18:36:34",
"debug_artifacts": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb",
"comments": "RMM Client",
"company_name": "",
"file_description": "Client",
"file_version": "1.0.0.0",
"internal_name": "Client.exe",
"legal_copyright": "",
"legal_trademarks": "",
"original_filename": "Client.exe",
"product_name": "Client",
"product_version": "1.0.0.0",
"assembly_version": "1.0.0.0"
},
"DOS Header": {
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x00000080"
},
"PE Header": {
"Signature": "PE",
"Machine": "IMAGE_FILE_MACHINE_I386",
"NumberofSections": 3,
"TimeDateStamp": "2088-Mar-06 18:36:34",
"PointerToSymbolTable": "0x00000000",
"NumberOfSymbols": 0,
"SizeOfOptionalHeader": "0x00E0",
"Characteristics": [
"IMAGE_FILE_EXECUTABLE_IMAGE",
"IMAGE_FILE_LARGE_ADDRESS_AWARE"
]
},
"Image Optional Header": {
"Magic": "PE32",
"LinkerVersion": "48.0",
"SizeOfCode": "0x00037000",
"SizeOfInitializedData": "0x00000A00",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x00038F5E",
"EntryPointSection": ".text",
"BaseOfCode": "0x00002000",
"BaseOfData": "0x0003A000",
"ImageBase": "0x00400000",
"SectionAlignment": "0x00002000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "4.0",
"ImageVersion": "0.0",
"SubsystemVersion": "6.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x0003E000",
"SizeOfHeaders": "0x00000200",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": [
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
"IMAGE_DLLCHARACTERISTICS_NO_SEH",
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"SizeofStackReserve": "0x00100000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00100000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": "16"
},
"Sections": {
"sections": [
{
"name": ".text",
"virtual_size": "0x00036FD0",
"virtual_address": "0x00002000",
"size_of_raw_data": "0x00037000",
"pointer_to_raw_data": "0x00000200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 5.55645
},
{
"name": ".rsrc",
"virtual_size": "0x000006AC",
"virtual_address": "0x0003A000",
"size_of_raw_data": "0x00000800",
"pointer_to_raw_data": "0x00037200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"entropy": 4.50595
},
{
"name": ".reloc",
"virtual_size": "0x0000000C",
"virtual_address": "0x0003C000",
"size_of_raw_data": "0x00000200",
"pointer_to_raw_data": "0x00037A00",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 0.10191
}
]
},
"Imports": {
"final_response": {
"mscoree.dll": "_CorExeMain"
},
"resources": [
{
"id": 1,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 30,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 2.48173
},
{
"id": 2,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 10,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 1.37095
},
{
"id": 3,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 76,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 2.87727
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 768,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 3.16411
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 490,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 5.00112
}
],
"version_info": {
"resource_langid": "UNKNOWN",
"vs_version_info": {
"signature": "0xFEEF04BD",
"structversion": "0x00010000",
"fileversion": "1.0.0.0",
"productversion": "1.0.0.0",
"fileflags": "(EMPTY)",
"fileos": [
"VOS_DOS_WINDOWS32",
"VOS_NT_WINDOWS32",
"VOS__WINDOWS32"
],
"filetype": "VFT_APP",
"language": "UNKNOWN",
"comments": "RMM Client",
"companyname": "",
"filedescription": "Client",
"fileversion_2": "1.0.0.0",
"internalname": "Client.exe",
"legalcopyright": "",
"legaltrademarks": "",
"originalfilename": "Client.exe",
"productname": "Client",
"productversion_2": "1.0.0.0",
"assembly_version": "1.0.0.0"
}
},
"debug_info": [
{
"type": "IMAGE_DEBUG_TYPE_CODEVIEW",
"characteristics": 0,
"timedatestamp": "2068-May-04 18:04:16",
"version": "0.0",
"sizeofdata": 101,
"addressofrawdata": "0x00038EA4",
"pointertorawdata": "0x000370A4",
"referenced_file": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb"
},
{
"type": "UNKNOWN",
"characteristics": 0,
"timedatestamp": "1970-Jan-01 00:00:00",
"version": "0.0",
"sizeofdata": 0,
"addressofrawdata": "0x00000000",
"pointertorawdata": "0x00000000"
}
],
"suspicious_strings": {
"system_monitoring_tools": [
"rundll32.exe",
"schtask"
],
"security_software": [
"rshell.exe"
],
"dropper_capabilities": [
"CurrentVersion\\Run"
],
"miscellaneous_malware_strings": [
"cmd.Exe"
],
"domain_names": [
"ftp://server09.mentality.cloud",
"ftp://server09.mentality.cloud/public_html/sqlite3.dll",
"http://ip-api.com",
"ip-api.com"
]
},
"exploit_mitigation_techniques": {
"stack_canary": "disabled",
"safe_seh": "disabled",
"aslr": "enabled",
"dep": "enabled",
"cfg": "disabled"
}
},
"Exports": {},
"Resources": {
"entities": [
{
"id": 1,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 30,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 2.48173
},
{
"id": 2,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 10,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 1.37095
},
{
"id": 3,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 76,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 2.87727
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 768,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 3.16411
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 490,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 5.00112
}
],
"version_info": {
"resource_lang_id": "UNKNOWN",
"vs_version_info": {
"signature": "0xFEEF04BD",
"struct_version": "0x00010000",
"file_version": "1.0.0.0",
"product_version": "1.0.0.0",
"file_flags": "(EMPTY)",
"file_os": [
"VOS_DOS_WINDOWS32",
"VOS_NT_WINDOWS32",
"VOS__WINDOWS32"
],
"file_type": "VFT_APP",
"language": "UNKNOWN",
"comments": "RMM Client",
"company_name": "",
"file_description": "Client",
"file_version_2": "1.0.0.0",
"internal_name": "Client.exe",
"legal_copyright": "",
"legal_trademarks": "",
"original_filename": "Client.exe",
"product_name": "Client",
"product_version_2": "1.0.0.0",
"assembly_version": "1.0.0.0"
}
}
},
"Debug Info": {
"debug_info": [
{
"type": "IMAGE_DEBUG_TYPE_CODEVIEW",
"characteristics": 0,
"time_date_stamp": "2068-May-04 18:04:16",
"version": "0.0",
"size_of_data": 101,
"address_of_raw_data": "0x00038EA4",
"pointer_to_raw_data": "0x000370A4",
"referenced_file": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb"
},
{
"type": "UNKNOWN",
"characteristics": 0,
"time_date_stamp": "1970-Jan-01 00:00:00",
"version": "0.0",
"size_of_data": 0,
"address_of_raw_data": "0x00000000",
"pointer_to_raw_data": "0x00000000"
}
],
"suspicious_strings": {
"system_monitoring_tools": [
"rundll32.exe",
"schtask"
],
"security_software_references": [
"rshell.exe"
],
"dropper_capabilities": [
"CurrentVersion\\Run"
],
"malware_strings": [
"cmd.Exe"
],
"domain_names": [
"ftp://server09.mentality.cloud",
"ftp://server09.mentality.cloud/public_html/sqlite3.dll",
"http://ip-api.com",
"ip-api.com"
]
},
"exploit_mitigations": {
"stack_canary": "disabled",
"safe_seh": "disabled",
"aslr": "enabled",
"dep": "enabled",
"cfg": "disabled"
}
},
"Load Configuration": {},
"RICH Header": {},
"Interesting strings found in the binary": {},
"file_path": "/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe"
},
"exit_code": 0,
"output_file": "/tmp/sdm_manalyze_rs4a4k_u/output.txt"
}
|
2026-04-23 00:49:24
|
||||||||||||||
69e9bbc859a6632dae07de21
|
360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f
|
{
"success": true,
"output": "\n================================================================================\nMANALYZE ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/now_you_see_me_again.exe\nDate: 2026-04-29 20:29:21\nExit Code: 0\n================================================================================\n\n* Manalyze 0.9 *\n\n-------------------------------------------------------------------------------\n/home/apogean/projects/malware/windows/all_runs/now_you_see_me_again.exe\n-------------------------------------------------------------------------------\n\nSummary:\n--------\nArchitecture: IMAGE_FILE_MACHINE_I386\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nCompilation Date: 2088-Mar-06 18:36:34\nDebug artifacts: C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb\nComments: RMM Client\nCompanyName: \nFileDescription: Client\nFileVersion: 1.0.0.0\nInternalName: Client.exe\nLegalCopyright: \nLegalTrademarks: \nOriginalFilename: Client.exe\nProductName: Client\nProductVersion: 1.0.0.0\nAssembly Version: 1.0.0.0\n\nDOS Header:\n-----------\ne_magic: MZ\ne_cblp: 0x0090\ne_cp: 0x0003\ne_crlc: 0x0000\ne_cparhdr: 0x0004\ne_minalloc: 0x0000\ne_maxalloc: 0xFFFF\ne_ss: 0x0000\ne_sp: 0x00B8\ne_csum: 0x0000\ne_ip: 0x0000\ne_cs: 0x0000\ne_ovno: 0x0000\ne_oemid: 0x0000\ne_oeminfo: 0x0000\ne_lfanew: 0x00000080\n\nPE Header:\n----------\nSignature: PE\nMachine: IMAGE_FILE_MACHINE_I386\nNumberofSections: 3\nTimeDateStamp: 2088-Mar-06 18:36:34\nPointerToSymbolTable: 0x00000000\nNumberOfSymbols: 0\nSizeOfOptionalHeader: 0x00E0\nCharacteristics: IMAGE_FILE_EXECUTABLE_IMAGE\n IMAGE_FILE_LARGE_ADDRESS_AWARE\n\nImage Optional Header:\n----------------------\nMagic: PE32\nLinkerVersion: 48.0\nSizeOfCode: 0x00037000\nSizeOfInitializedData: 0x00000A00\nSizeOfUninitializedData: 0x00000000\nAddressOfEntryPoint: 0x00038F5E (Section: .text)\nBaseOfCode: 
0x00002000\nBaseOfData: 0x0003A000\nImageBase: 0x00400000\nSectionAlignment: 0x00002000\nFileAlignment: 0x00000200\nOperatingSystemVersion: 4.0\nImageVersion: 0.0\nSubsystemVersion: 6.0\nWin32VersionValue: 0\nSizeOfImage: 0x0003E000\nSizeOfHeaders: 0x00000200\nChecksum: 0x00000000\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nDllCharacteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA\n IMAGE_DLLCHARACTERISTICS_NO_SEH\n IMAGE_DLLCHARACTERISTICS_NX_COMPAT\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\nSizeofStackReserve: 0x00100000\nSizeofStackCommit: 0x00001000\nSizeofHeapReserve: 0x00100000\nSizeofHeapCommit: 0x00001000\nLoaderFlags: 0x00000000\nNumberOfRvaAndSizes: 16\n\nSections:\n---------\n.text:\n VirtualSize: 0x00036FD0\n VirtualAddress: 0x00002000\n SizeOfRawData: 0x00037000\n PointerToRawData: 0x00000200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_CODE\n IMAGE_SCN_MEM_EXECUTE\n IMAGE_SCN_MEM_READ\n Entropy: 5.55645\n\n.rsrc:\n VirtualSize: 0x000006AC\n VirtualAddress: 0x0003A000\n SizeOfRawData: 0x00000800\n PointerToRawData: 0x00037200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 4.50595\n\n.reloc:\n VirtualSize: 0x0000000C\n VirtualAddress: 0x0003C000\n SizeOfRawData: 0x00000200\n PointerToRawData: 0x00037A00\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_DISCARDABLE\n IMAGE_SCN_MEM_READ\n Entropy: 0.10191\n\n\nImports:\n--------\nmscoree.dll: _CorExeMain\n\nResources:\n----------\n1:\n Type: RT_RCDATA\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 30\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 
2.48173\n\n2:\n Type: RT_RCDATA\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 10\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 1.37095\n\n3:\n Type: RT_RCDATA\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 76\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.87727\n\n1 (#2):\n Type: RT_VERSION\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 768\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.16411\n\n1 (#3):\n Type: RT_MANIFEST\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 490\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 5.00112\n\n\nVersion Info:\n-------------\nResource LangID: UNKNOWN\nVS_VERSION_INFO:\n Signature: 0xFEEF04BD\n StructVersion: 0x00010000\n FileVersion: 1.0.0.0\n ProductVersion: 1.0.0.0\n FileFlags: (EMPTY)\n FileOs: VOS_DOS_WINDOWS32\n VOS_NT_WINDOWS32\n VOS__WINDOWS32\n FileType: VFT_APP\n Language: UNKNOWN\n Comments: RMM Client\n CompanyName: \n FileDescription: Client\n FileVersion (#2): 1.0.0.0\n InternalName: Client.exe\n LegalCopyright: \n LegalTrademarks: \n OriginalFilename: Client.exe\n ProductName: Client\n ProductVersion (#2): 1.0.0.0\n Assembly Version: 1.0.0.0\n\n\nDebug Info:\n-----------\nIMAGE_DEBUG_TYPE_CODEVIEW:\n Characteristics: 0\n TimeDateStamp: 2068-May-04 18:04:16\n Version: 0.0\n SizeofData: 101\n AddressOfRawData: 0x00038EA4\n PointerToRawData: 0x000370A4\n Referenced File: C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb\n\nUNKNOWN:\n Characteristics: 0\n TimeDateStamp: 1970-Jan-01 00:00:00\n Version: 0.0\n SizeofData: 0\n AddressOfRawData: 0x00000000\n PointerToRawData: 0x00000000\n\n\n[ SUSPICIOUS ] Strings found in the binary may indicate undesirable behavior:\n Contains references to system / monitoring tools:\n rundll32.exe\n schtask\n Contains references to security software:\n rshell.exe\n May have dropper capabilities:\n CurrentVersion\\Run\n Miscellaneous malware strings:\n cmd.Exe\n 
Contains domain names:\n ftp://server09.mentality.cloud\n ftp://server09.mentality.cloud/public_html/sqlite3.dll\n http://ip-api.com\n ip-api.com\n\nThe following exploit mitigation techniques have been detected\n Stack Canary: disabled\n SafeSEH: disabled\n ASLR: enabled\n DEP: enabled\n CFG: disabled\n\n\n\n[!] Error: [plugin_virustotal] VirusTotal API access denied. Please verify that your API key is valid.\n[!] Error: [Yara compiler] yara_rules/clamav.yara (999960) : syntax error, unexpected '{', expecting text string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (1089890) : syntax error, unexpected string identifier, expecting '}'\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2064551) : unreferenced string \"$a7\"\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2510733) : invalid hex string \"$a0\": uneven number of digits in hex string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2597376) : invalid hex string \"$a5\": syntax error\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2983072) : invalid hex string \"$a0\": invalid character in hex string\n[!] Error: Could not compile yara rules (6 error(s)).\n[!] Error: ClamAV rules haven't been generated yet!\n[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.\n",
"json_output": {
"Summary": {
"architecture": "IMAGE_FILE_MACHINE_I386",
"subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"compilation_date": "2088-Mar-06 18:36:34",
"debug_artifacts": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb",
"comments": "RMM Client",
"company_name": "",
"file_description": "Client",
"file_version": "1.0.0.0",
"internal_name": "Client.exe",
"legal_copyright": "",
"legal_trademarks": "",
"original_filename": "Client.exe",
"product_name": "Client",
"product_version": "1.0.0.0",
"assembly_version": "1.0.0.0"
},
"DOS Header": {
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x00000080"
},
"PE Header": {
"signature": "PE",
"machine": "IMAGE_FILE_MACHINE_I386",
"numberOfSections": 3,
"timeDateStamp": "2088-Mar-06 18:36:34",
"pointerToSymbolTable": "0x00000000",
"numberOfSymbols": 0,
"sizeOfOptionalHeader": "0x00E0",
"characteristics": [
"IMAGE_FILE_EXECUTABLE_IMAGE",
"IMAGE_FILE_LARGE_ADDRESS_AWARE"
]
},
"Image Optional Header": {
"Magic": "PE32",
"LinkerVersion": "48.0",
"SizeOfCode": "0x00037000",
"SizeOfInitializedData": "0x00000A00",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x00038F5E",
"EntryPointSection": ".text",
"BaseOfCode": "0x00002000",
"BaseOfData": "0x0003A000",
"ImageBase": "0x00400000",
"SectionAlignment": "0x00002000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "4.0",
"ImageVersion": "0.0",
"SubsystemVersion": "6.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x0003E000",
"SizeOfHeaders": "0x00000200",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": [
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
"IMAGE_DLLCHARACTERISTICS_NO_SEH",
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"SizeofStackReserve": "0x00100000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00100000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": "16"
},
"Sections": {
"sections": [
{
"name": ".text",
"virtual_size": "0x00036FD0",
"virtual_address": "0x00002000",
"size_of_raw_data": "0x00037000",
"pointer_to_raw_data": "0x00000200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 5.55645
},
{
"name": ".rsrc",
"virtual_size": "0x000006AC",
"virtual_address": "0x0003A000",
"size_of_raw_data": "0x00000800",
"pointer_to_raw_data": "0x00037200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"entropy": 4.50595
},
{
"name": ".reloc",
"virtual_size": "0x0000000C",
"virtual_address": "0x0003C000",
"size_of_raw_data": "0x00000200",
"pointer_to_raw_data": "0x00037A00",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 0.10191
}
]
},
"Imports": {
"entities": {
"file_info": {
"entry_point": "mscoree.dll: _CorExeMain",
"resources": [
{
"id": 1,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 30,
"timestamp": "1980-01-01T00:00:00",
"entropy": 2.48173
},
{
"id": 2,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 10,
"timestamp": "1980-01-01T00:00:00",
"entropy": 1.37095
},
{
"id": 3,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 76,
"timestamp": "1980-01-01T00:00:00",
"entropy": 2.87727
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 768,
"timestamp": "1980-01-01T00:00:00",
"entropy": 3.16411
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 490,
"timestamp": "1980-01-01T00:00:00",
"entropy": 5.00112
}
],
"version_info": {
"lang_id": "UNKNOWN",
"signature": "0xFEEF04BD",
"struct_version": "0x00010000",
"file_version": "1.0.0.0",
"product_version": "1.0.0.0",
"file_flags": "(EMPTY)",
"file_os": [
"VOS_DOS_WINDOWS32",
"VOS_NT_WINDOWS32",
"VOS__WINDOWS32"
],
"file_type": "VFT_APP",
"language": "UNKNOWN",
"comments": "RMM Client",
"company_name": "",
"file_description": "Client",
"internal_name": "Client.exe",
"legal_copyright": "",
"legal_trademarks": "",
"original_filename": "Client.exe",
"product_name": "Client",
"assembly_version": "1.0.0.0"
},
"debug_info": [
{
"type": "IMAGE_DEBUG_TYPE_CODEVIEW",
"characteristics": 0,
"timestamp": "2068-05-04T18:04:16",
"version": "0.0",
"sizeof_data": 101,
"address_of_raw_data": "0x00038EA4",
"pointer_to_raw_data": "0x000370A4",
"referenced_file": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb"
},
{
"type": "UNKNOWN",
"characteristics": 0,
"timestamp": "1970-01-01T00:00:00",
"version": "0.0",
"sizeof_data": 0,
"address_of_raw_data": "0x00000000",
"pointer_to_raw_data": "0x00000000"
}
]
},
"suspicious_strings": {
"system_monitoring_tools": [
"rundll32.exe",
"schtask"
],
"security_software": [
"rshell.exe"
],
"dropper_capabilities": [
"CurrentVersion\\Run"
],
"malware_strings": [
"cmd.Exe"
],
"domain_names": [
"ftp://server09.mentality.cloud",
"ftp://server09.mentality.cloud/public_html/sqlite3.dll",
"http://ip-api.com",
"ip-api.com"
]
},
"exploit_mitigations": {
"stack_canary": "disabled",
"safe_seh": "disabled",
"aslr": "enabled",
"dep": "enabled",
"cfg": "disabled"
}
}
},
"Exports": {},
"Resources": {
"entities": [
{
"id": 1,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 30,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 2.48173
},
{
"id": 2,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 10,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 1.37095
},
{
"id": 3,
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 76,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 2.87727
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 768,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 3.16411
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 490,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 5.00112
}
],
"version_info": {
"resource_lang_id": "UNKNOWN",
"vs_version_info": {
"signature": "0xFEEF04BD",
"struct_version": "0x00010000",
"file_version": "1.0.0.0",
"product_version": "1.0.0.0",
"file_flags": "(EMPTY)",
"file_os": [
"VOS_DOS_WINDOWS32",
"VOS_NT_WINDOWS32",
"VOS__WINDOWS32"
],
"file_type": "VFT_APP",
"language": "UNKNOWN",
"comments": "RMM Client",
"company_name": "",
"file_description": "Client",
"file_version_2": "1.0.0.0",
"internal_name": "Client.exe",
"legal_copyright": "",
"legal_trademarks": "",
"original_filename": "Client.exe",
"product_name": "Client",
"product_version_2": "1.0.0.0",
"assembly_version": "1.0.0.0"
}
}
},
"Debug Info": {
"debug_info": [
{
"type": "IMAGE_DEBUG_TYPE_CODEVIEW",
"characteristics": 0,
"time_date_stamp": "2068-May-04 18:04:16",
"version": "0.0",
"size_of_data": 101,
"address_of_raw_data": "0x00038EA4",
"pointer_to_raw_data": "0x000370A4",
"referenced_file": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb"
},
{
"type": "UNKNOWN",
"characteristics": 0,
"time_date_stamp": "1970-Jan-01 00:00:00",
"version": "0.0",
"size_of_data": 0,
"address_of_raw_data": "0x00000000",
"pointer_to_raw_data": "0x00000000"
}
],
"suspicious_strings": {
"system_monitoring_tools": [
"rundll32.exe",
"schtask"
],
"security_software_references": [
"rshell.exe"
],
"dropper_capabilities": [
"CurrentVersion\\Run"
],
"malware_strings": [
"cmd.Exe"
],
"domain_names": [
"ftp://server09.mentality.cloud",
"ftp://server09.mentality.cloud/public_html/sqlite3.dll",
"http://ip-api.com",
"ip-api.com"
]
},
"exploit_mitigations": {
"stack_canary": "disabled",
"safe_seh": "disabled",
"aslr": "enabled",
"dep": "enabled",
"cfg": "disabled"
}
},
"Load Configuration": {},
"RICH Header": {},
"Interesting strings found in the binary": {},
"file_path": "/home/apogean/projects/malware/windows/all_runs/now_you_see_me_again.exe"
},
"exit_code": 0,
"output_file": "/tmp/sdm_manalyze_xey_u5_3/output.txt"
}
|
2026-04-29 20:29:55
|
||||||||||||||
69edc3cf59a6632dae07de33
|
2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009…
|
{
"success": true,
"output": "\n================================================================================\nMANALYZE ANALYSIS REPORT\n================================================================================\nFile: /tmp/sdm_unpack_12ohn_ul/2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130_2aa5ce3561dc/001_upx_unpacked.exe\nDate: 2026-05-15 14:31:39\nExit Code: 0\n================================================================================\n\n* Manalyze 0.9 *\n\n-------------------------------------------------------------------------------\n/tmp/sdm_unpack_12ohn_ul/2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130_2aa5ce3561dc/001_upx_unpacked.exe\n-------------------------------------------------------------------------------\n\nSummary:\n--------\nArchitecture: IMAGE_FILE_MACHINE_I386\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nCompilation Date: 2025-Nov-28 09:36:05\nDetected languages: English - United Kingdom\n\nDOS Header:\n-----------\ne_magic: MZ\ne_cblp: 0x0090\ne_cp: 0x0003\ne_crlc: 0x0000\ne_cparhdr: 0x0004\ne_minalloc: 0x0000\ne_maxalloc: 0xFFFF\ne_ss: 0x0000\ne_sp: 0x00B8\ne_csum: 0x0000\ne_ip: 0x0000\ne_cs: 0x0000\ne_ovno: 0x0000\ne_oemid: 0x0000\ne_oeminfo: 0x0000\ne_lfanew: 0x00000120\n\nPE Header:\n----------\nSignature: PE\nMachine: IMAGE_FILE_MACHINE_I386\nNumberofSections: 5\nTimeDateStamp: 2025-Nov-28 09:36:05\nPointerToSymbolTable: 0x00000000\nNumberOfSymbols: 0\nSizeOfOptionalHeader: 0x00E0\nCharacteristics: IMAGE_FILE_32BIT_MACHINE\n IMAGE_FILE_EXECUTABLE_IMAGE\n IMAGE_FILE_LARGE_ADDRESS_AWARE\n\nImage Optional Header:\n----------------------\nMagic: PE32\nLinkerVersion: 14.0\nSizeOfCode: 0x0009AC00\nSizeOfInitializedData: 0x00090000\nSizeOfUninitializedData: 0x00000000\nAddressOfEntryPoint: 0x000204F7 (Section: .text)\nBaseOfCode: 0x00001000\nBaseOfData: 0x0009C000\nImageBase: 0x00400000\nSectionAlignment: 0x00001000\nFileAlignment: 0x00000200\nOperatingSystemVersion: 5.1\nImageVersion: 0.0\nSubsystemVersion: 
5.1\nWin32VersionValue: 0\nSizeOfImage: 0x00131000\nSizeOfHeaders: 0x00000400\nChecksum: 0x00000000\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nDllCharacteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\nSizeofStackReserve: 0x00400000\nSizeofStackCommit: 0x00001000\nSizeofHeapReserve: 0x00400000\nSizeofHeapCommit: 0x00001000\nLoaderFlags: 0x00000000\nNumberOfRvaAndSizes: 16\n\nSections:\n---------\n.text:\n VirtualSize: 0x0009AA37\n VirtualAddress: 0x00001000\n SizeOfRawData: 0x0009AC00\n PointerToRawData: 0x00000400\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_CODE\n IMAGE_SCN_MEM_EXECUTE\n IMAGE_SCN_MEM_READ\n Entropy: 6.66568\n\n.rdata:\n VirtualSize: 0x0002FB92\n VirtualAddress: 0x0009C000\n SizeOfRawData: 0x0002FC00\n PointerToRawData: 0x0009B000\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 5.61024\n\n.data:\n VirtualSize: 0x0000705C\n VirtualAddress: 0x000CC000\n SizeOfRawData: 0x00004800\n PointerToRawData: 0x000CAC00\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n IMAGE_SCN_MEM_WRITE\n Entropy: 0.584577\n\n.rsrc:\n VirtualSize: 0x000545C4\n VirtualAddress: 0x000D4000\n SizeOfRawData: 0x00054600\n PointerToRawData: 0x000CF400\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 7.8804\n\n.reloc:\n VirtualSize: 0x000075CC\n VirtualAddress: 0x00129000\n SizeOfRawData: 0x00007600\n PointerToRawData: 0x00123A00\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 
0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_DISCARDABLE\n IMAGE_SCN_MEM_READ\n Entropy: 6.7982\n\n\nImports:\n--------\nKERNEL32.DLL: DuplicateHandle\n CreateThread\n WaitForSingleObject\n HeapAlloc\n GetProcessHeap\n HeapFree\n Sleep\n GetCurrentThreadId\n MultiByteToWideChar\n MulDiv\n GetVersionExW\n IsWow64Process\n GetSystemInfo\n FreeLibrary\n LoadLibraryA\n GetProcAddress\n SetErrorMode\n GetModuleFileNameW\n WideCharToMultiByte\n lstrcpyW\n lstrlenW\n GetModuleHandleW\n QueryPerformanceCounter\n VirtualFreeEx\n OpenProcess\n VirtualAllocEx\n WriteProcessMemory\n ReadProcessMemory\n CreateFileW\n SetFilePointerEx\n SetEndOfFile\n ReadFile\n WriteFile\n FlushFileBuffers\n TerminateProcess\n CreateToolhelp32Snapshot\n Process32FirstW\n Process32NextW\n SetFileTime\n GetFileAttributesW\n FindFirstFileW\n FindClose\n GetLongPathNameW\n GetShortPathNameW\n DeleteFileW\n IsDebuggerPresent\n CopyFileExW\n MoveFileW\n CreateDirectoryW\n RemoveDirectoryW\n SetSystemPowerState\n QueryPerformanceFrequency\n LoadResource\n LockResource\n SizeofResource\n OutputDebugStringW\n GetTempPathW\n GetTempFileNameW\n DeviceIoControl\n GetLocalTime\n CompareStringW\n GetCurrentThread\n LeaveCriticalSection\n GetStdHandle\n CreatePipe\n InterlockedExchange\n TerminateThread\n LoadLibraryExW\n FindResourceExW\n CopyFileW\n VirtualFree\n FormatMessageW\n GetExitCodeProcess\n GetPrivateProfileStringW\n WritePrivateProfileStringW\n GetPrivateProfileSectionW\n WritePrivateProfileSectionW\n GetPrivateProfileSectionNamesW\n FileTimeToLocalFileTime\n FileTimeToSystemTime\n SystemTimeToFileTime\n LocalFileTimeToFileTime\n GetDriveTypeW\n GetDiskFreeSpaceExW\n GetDiskFreeSpaceW\n GetVolumeInformationW\n SetVolumeLabelW\n CreateHardLinkW\n SetFileAttributesW\n CreateEventW\n SetEvent\n GetEnvironmentVariableW\n SetEnvironmentVariableW\n GlobalLock\n GlobalUnlock\n GlobalAlloc\n GetFileSize\n GlobalFree\n 
GlobalMemoryStatusEx\n Beep\n GetSystemDirectoryW\n HeapReAlloc\n HeapSize\n GetComputerNameW\n GetWindowsDirectoryW\n GetCurrentProcessId\n GetProcessIoCounters\n CreateProcessW\n GetProcessId\n SetPriorityClass\n LoadLibraryW\n VirtualAlloc\n GetCurrentDirectoryW\n lstrcmpiW\n DecodePointer\n GetLastError\n RaiseException\n InitializeCriticalSectionAndSpinCount\n DeleteCriticalSection\n InterlockedDecrement\n InterlockedIncrement\n ResetEvent\n WaitForSingleObjectEx\n IsProcessorFeaturePresent\n UnhandledExceptionFilter\n SetUnhandledExceptionFilter\n GetCurrentProcess\n CloseHandle\n GetFullPathNameW\n EnterCriticalSection\n GetStartupInfoW\n GetSystemTimeAsFileTime\n InitializeSListHead\n RtlUnwind\n SetLastError\n TlsAlloc\n TlsGetValue\n TlsSetValue\n TlsFree\n EncodePointer\n ExitProcess\n GetModuleHandleExW\n ExitThread\n ResumeThread\n FreeLibraryAndExitThread\n GetACP\n GetDateFormatW\n GetTimeFormatW\n LCMapStringW\n GetStringTypeW\n GetFileType\n SetStdHandle\n GetConsoleCP\n GetConsoleMode\n ReadConsoleW\n GetTimeZoneInformation\n FindFirstFileExW\n IsValidCodePage\n GetOEMCP\n GetCPInfo\n GetCommandLineA\n GetCommandLineW\n GetEnvironmentStringsW\n FreeEnvironmentStringsW\n SetEnvironmentVariableA\n SetCurrentDirectoryW\n FindNextFileW\n WriteConsoleW\nADVAPI32.dll: GetAce\n RegEnumValueW\n RegDeleteValueW\n RegDeleteKeyW\n RegEnumKeyExW\n RegSetValueExW\n RegOpenKeyExW\n RegCloseKey\n RegQueryValueExW\n RegConnectRegistryW\n InitializeSecurityDescriptor\n InitializeAcl\n AdjustTokenPrivileges\n OpenThreadToken\n OpenProcessToken\n LookupPrivilegeValueW\n DuplicateTokenEx\n CreateProcessAsUserW\n CreateProcessWithLogonW\n GetLengthSid\n CopySid\n LogonUserW\n AllocateAndInitializeSid\n CheckTokenMembership\n FreeSid\n GetTokenInformation\n RegCreateKeyExW\n GetSecurityDescriptorDacl\n GetAclInformation\n GetUserNameW\n AddAce\n SetSecurityDescriptorDacl\n InitiateSystemShutdownExW\nCOMCTL32.dll: ImageList_ReplaceIcon\n ImageList_Destroy\n 
ImageList_Remove\n ImageList_SetDragCursorImage\n ImageList_BeginDrag\n ImageList_DragEnter\n ImageList_DragLeave\n ImageList_EndDrag\n ImageList_DragMove\n InitCommonControlsEx\n ImageList_Create\nCOMDLG32.dll: GetSaveFileNameW\n GetOpenFileNameW\nGDI32.dll: EndPath\n DeleteObject\n GetTextExtentPoint32W\n ExtCreatePen\n StrokeAndFillPath\n GetDeviceCaps\n SetPixel\n CloseFigure\n LineTo\n AngleArc\n MoveToEx\n Ellipse\n CreateCompatibleBitmap\n CreateCompatibleDC\n PolyDraw\n BeginPath\n Rectangle\n SetViewportOrgEx\n GetObjectW\n SetBkMode\n RoundRect\n SetBkColor\n CreatePen\n SelectObject\n StretchBlt\n CreateSolidBrush\n SetTextColor\n CreateFontW\n GetTextFaceW\n GetStockObject\n CreateDCW\n GetPixel\n DeleteDC\n GetDIBits\n StrokePath\nIPHLPAPI.DLL: IcmpSendEcho\n IcmpCloseHandle\n IcmpCreateFile\nMPR.dll: WNetGetConnectionW\n WNetCancelConnection2W\n WNetUseConnectionW\n WNetAddConnection2W\nole32.dll: CoTaskMemAlloc\n CoTaskMemFree\n CLSIDFromString\n ProgIDFromCLSID\n CLSIDFromProgID\n OleSetMenuDescriptor\n MkParseDisplayName\n OleSetContainedObject\n CoCreateInstance\n IIDFromString\n StringFromGUID2\n CreateStreamOnHGlobal\n OleInitialize\n OleUninitialize\n CoInitialize\n CoUninitialize\n GetRunningObjectTable\n CoGetInstanceFromFile\n CoGetObject\n CoInitializeSecurity\n CoCreateInstanceEx\n CoSetProxyBlanket\nOLEAUT32.dll: CreateStdDispatch\n CreateDispTypeInfo\n UnRegisterTypeLib\n UnRegisterTypeLibForUser\n RegisterTypeLibForUser\n RegisterTypeLib\n LoadTypeLibEx\n VariantCopyInd\n SysReAllocString\n SysFreeString\n VariantChangeType\n SafeArrayDestroyData\n SafeArrayUnaccessData\n SafeArrayAccessData\n SafeArrayAllocData\n SafeArrayAllocDescriptorEx\n SafeArrayCreateVector\n SysStringLen\n QueryPathOfRegTypeLib\n SysAllocString\n VariantInit\n VariantClear\n DispCallFunc\n VariantTimeToSystemTime\n VarR8FromDec\n SafeArrayGetVartype\n SafeArrayDestroyDescriptor\n VariantCopy\n OleLoadPicture\nPSAPI.DLL: GetProcessMemoryInfo\nSHELL32.dll: 
DragFinish\n DragQueryPoint\n ShellExecuteExW\n DragQueryFileW\n SHEmptyRecycleBinW\n SHGetPathFromIDListW\n SHBrowseForFolderW\n SHCreateShellItem\n SHGetDesktopFolder\n SHGetSpecialFolderLocation\n SHGetFolderPathW\n SHFileOperationW\n ExtractIconExW\n Shell_NotifyIconW\n ShellExecuteW\nUSER32.dll: IsCharAlphaW\n IsCharAlphaNumericW\n IsCharLowerW\n IsCharUpperW\n GetMenuStringW\n GetSubMenu\n GetCaretPos\n IsZoomed\n MonitorFromPoint\n GetMonitorInfoW\n SetWindowLongW\n SetLayeredWindowAttributes\n FlashWindow\n GetClassLongW\n TranslateAcceleratorW\n IsDialogMessageW\n GetSysColor\n InflateRect\n DrawFocusRect\n DrawTextW\n FrameRect\n DrawFrameControl\n FillRect\n PtInRect\n DestroyAcceleratorTable\n CreateAcceleratorTableW\n SetCursor\n GetWindowDC\n GetSystemMetrics\n GetActiveWindow\n CharNextW\n wsprintfW\n RedrawWindow\n DrawMenuBar\n DestroyMenu\n SetMenu\n GetWindowTextLengthW\n CreateMenu\n IsDlgButtonChecked\n DefDlgProcW\n CallWindowProcW\n ReleaseCapture\n SetCapture\n TranslateMessage\n PeekMessageW\n GetInputState\n UnregisterHotKey\n CharLowerBuffW\n MonitorFromRect\n LoadImageW\n mouse_event\n ExitWindowsEx\n SetActiveWindow\n FindWindowExW\n EnumThreadWindows\n SetMenuDefaultItem\n InsertMenuItemW\n IsMenu\n GetKeyboardLayoutNameW\n GetCursorPos\n DeleteMenu\n CheckMenuRadioItem\n GetMenuItemID\n GetMenuItemCount\n SetMenuItemInfoW\n GetMenuItemInfoW\n SetForegroundWindow\n IsIconic\n FindWindowW\n SystemParametersInfoW\n GetMessageW\n SendInput\n GetAsyncKeyState\n SetKeyboardState\n GetKeyboardState\n GetKeyState\n VkKeyScanW\n LoadStringW\n DialogBoxParamW\n MessageBeep\n EndDialog\n SendDlgItemMessageW\n GetDlgItem\n SetWindowTextW\n CopyRect\n EndPaint\n BeginPaint\n GetClientRect\n GetMenu\n DestroyWindow\n EnumWindows\n GetDesktopWindow\n IsWindow\n IsWindowEnabled\n IsWindowVisible\n EnableWindow\n InvalidateRect\n GetWindowLongW\n ReleaseDC\n GetDC\n GetWindowThreadProcessId\n AttachThreadInput\n GetFocus\n GetWindowTextW\n 
SendMessageTimeoutW\n EnumChildWindows\n CharUpperBuffW\n GetClassNameW\n GetParent\n GetDlgCtrlID\n SendMessageW\n MapVirtualKeyW\n PostMessageW\n GetWindowRect\n SetUserObjectSecurity\n CloseDesktop\n CloseWindowStation\n OpenDesktopW\n ClientToScreen\n RegisterHotKey\n GetCursorInfo\n SetWindowPos\n CopyImage\n AdjustWindowRectEx\n SetRect\n SetClipboardData\n EmptyClipboard\n CountClipboardFormats\n CloseClipboard\n GetClipboardData\n IsClipboardFormatAvailable\n OpenClipboard\n TrackPopupMenuEx\n BlockInput\n SetProcessWindowStation\n GetProcessWindowStation\n OpenWindowStationW\n GetUserObjectSecurity\n MessageBoxW\n DefWindowProcW\n MoveWindow\n SetFocus\n PostQuitMessage\n KillTimer\n CreatePopupMenu\n RegisterWindowMessageW\n SetTimer\n ShowWindow\n CreateWindowExW\n RegisterClassExW\n LoadIconW\n LoadCursorW\n GetSysColorBrush\n GetForegroundWindow\n MessageBoxA\n DestroyIcon\n LockWindowUpdate\n keybd_event\n DispatchMessageW\n ScreenToClient\nUSERENV.dll: DestroyEnvironmentBlock\n LoadUserProfileW\n CreateEnvironmentBlock\n UnloadUserProfile\nUxTheme.dll: IsThemeActive\nVERSION.dll: GetFileVersionInfoW\n VerQueryValueW\n GetFileVersionInfoSizeW\nWININET.dll: HttpOpenRequestW\n InternetCloseHandle\n InternetOpenW\n InternetSetOptionW\n InternetCrackUrlW\n HttpQueryInfoW\n InternetQueryOptionW\n InternetConnectW\n HttpSendRequestW\n FtpOpenFileW\n FtpGetFileSize\n InternetOpenUrlW\n InternetReadFile\n InternetQueryDataAvailable\nWINMM.dll: timeGetTime\n waveOutSetVolume\n mciSendStringW\nWSOCK32.dll: gethostbyname\n recv\n send\n socket\n inet_ntoa\n setsockopt\n ntohs\n WSACleanup\n WSAStartup\n sendto\n htons\n __WSAFDIsSet\n select\n accept\n listen\n bind\n inet_addr\n ioctlsocket\n recvfrom\n WSAGetLastError\n closesocket\n gethostname\n connect\n\nResources:\n----------\n1:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 296\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.66371\n\n2:\n Type: 
RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 296\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.05883\n\n3:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 296\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.25499\n\n4:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 744\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.65355\n\n5:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 296\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.43704\n\n6:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 3752\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 4.16139\n\n7:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 2216\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 4.07494\n\n8:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1384\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.18302\n\n9:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 9640\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 4.52312\n\n10:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 4264\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 4.65168\n\n11:\n Type: RT_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1128\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 4.39178\n\n166:\n Type: RT_MENU\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 80\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.68292\n\n7 (#2):\n Type: RT_STRING\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1428\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 
3.34702\n\n8 (#2):\n Type: RT_STRING\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1674\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.2804\n\n9 (#2):\n Type: RT_STRING\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1168\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.28849\n\n10 (#2):\n Type: RT_STRING\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1532\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.28373\n\n11 (#2):\n Type: RT_STRING\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1628\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.26322\n\n12:\n Type: RT_STRING\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1126\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.25812\n\n313:\n Type: RT_STRING\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 344\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.08572\n\nSCRIPT:\n Type: RT_RCDATA\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 309386\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 7.99935\n\n99:\n Type: RT_GROUP_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 118\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.8695\n Detected Filetype: Icon file\n\n162:\n Type: RT_GROUP_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 20\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.02322\n Detected Filetype: Icon file\n\n164:\n Type: RT_GROUP_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 20\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 1.84274\n Detected Filetype: Icon file\n\n169:\n Type: RT_GROUP_ICON\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 20\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 
2.02322\n Detected Filetype: Icon file\n\n1 (#2):\n Type: RT_VERSION\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 220\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 2.77862\n\n1 (#3):\n Type: RT_MANIFEST\n Language: English - United Kingdom\n Codepage: Latin 1 / Western European\n Size: 1007\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 5.40026\n\n\nVersion Info:\n-------------\nResource LangID: English - United Kingdom\nVS_VERSION_INFO:\n Signature: 0xFEEF04BD\n StructVersion: 0x00010000\n FileVersion: 0.0.0.0\n ProductVersion: 0.0.0.0\n FileFlags: (EMPTY)\n FileOs: VOS_DOS_WINDOWS32\n VOS_NT_WINDOWS32\n VOS__WINDOWS32\n FileType: VFT_APP\n Language: English - United Kingdom\n\n\nTLS Callbacks:\n--------------\nStartAddressOfRawData: 0x004C868C\nEndAddressOfRawData: 0x004C8694\nAddressOfIndex: 0x004D0740\nAddressOfCallbacks: 0x0049C8F8\nSizeOfZeroFill: 0x00000000\nCharacteristics: IMAGE_SCN_ALIGN_4BYTES\nCallbacks: (EMPTY)\n\nLoad Configuration:\n-------------------\nSize: 160\nTimeDateStamp: 1970-Jan-01 00:00:00\nVersion: 0.0\nGlobalFlagsClear: (EMPTY)\nGlobalFlagsSet: (EMPTY)\nCriticalSectionDefaultTimeout: 0\nDeCommitFreeBlockThreshold: 0x00000000\nDeCommitTotalFreeThreshold: 0x00000000\nLockPrefixTable: 0x00000000\nMaximumAllocationSize: 0x00000000\nVirtualMemoryThreshold: 0x00000000\nProcessAffinityMask: 0x00000000\nProcessHeapFlags: (EMPTY)\nCSDVersion: 0\nReserved1: 0x0000\nEditList: 0x00000000\nSecurityCookie: 0x004CC014\nSEHandlerTable: 0x00000000\nSEHandlerCount: 0\n\nRICH Header:\n------------\nXOR Key: 0xFDEDA6DE\nUnmarked objects: 0\n241 (40116): 35\n243 (40116): 157\n242 (40116): 35\n199 (41118): 1\nC++ objects (VS 2015/2017 runtime 26706): 45\nC objects (VS 2015/2017 runtime 26706): 18\nASM objects (VS 2015/2017 runtime 26706): 21\nC objects (VS2008 SP1 build 30729): 9\nImports (VS2008 SP1 build 30729): 37\nTotal imports: 553\nC++ objects (POGO O) (27045): 80\nASM objects (27045): 1\nResource objects 
(27045): 1\n151: 1\nLinker (27045): 1\n\nMatching compiler(s):\n Microsoft Visual C++ 6.0 - 8.0\n\n[ SUSPICIOUS ] Strings found in the binary may indicate undesirable behavior:\n Is an AutoIT compiled script:\n AutoIt Error\n reserved for AutoIt internal use\n\nCryptographic algorithms detected in the binary:\n Uses constants related to CRC32\n Uses known Mersenne Twister constants\n\n[ MALICIOUS ] The PE contains functions mostly used by malware.\n [!] The program may be hiding some of its imports:\n LoadLibraryA\n GetProcAddress\n LoadLibraryExW\n LoadLibraryW\n Functions which can be used for anti-debugging purposes:\n CreateToolhelp32Snapshot\n FindWindowW\n Code injection capabilities:\n OpenProcess\n VirtualAllocEx\n WriteProcessMemory\n VirtualAlloc\n Code injection capabilities (PowerLoader):\n FindWindowW\n GetWindowLongW\n Can access the registry:\n RegEnumValueW\n RegDeleteValueW\n RegDeleteKeyW\n RegEnumKeyExW\n RegSetValueExW\n RegOpenKeyExW\n RegCloseKey\n RegQueryValueExW\n RegCreateKeyExW\n RegisterHotKey\n Possibly launches other programs:\n CreateProcessW\n CreateProcessAsUserW\n CreateProcessWithLogonW\n ShellExecuteW\n Can create temporary files:\n CreateFileW\n GetTempPathW\n Uses functions commonly found in keyloggers:\n GetAsyncKeyState\n AttachThreadInput\n MapVirtualKeyW\n GetForegroundWindow\n Has Internet access capabilities:\n InternetCloseHandle\n InternetOpenW\n InternetSetOptionW\n InternetCrackUrlW\n InternetQueryOptionW\n InternetConnectW\n InternetOpenUrlW\n InternetReadFile\n InternetQueryDataAvailable\n Functions related to the privilege level:\n AdjustTokenPrivileges\n OpenProcessToken\n DuplicateTokenEx\n CheckTokenMembership\n Enumerates local disk drives:\n GetDriveTypeW\n GetVolumeInformationW\n Manipulates other processes:\n OpenProcess\n WriteProcessMemory\n ReadProcessMemory\n Process32FirstW\n Process32NextW\n Can take screenshots:\n CreateCompatibleDC\n FindWindowW\n GetDC\n Reads the contents of the clipboard:\n 
GetClipboardData\n Can shut the system down or lock the screen:\n InitiateSystemShutdownExW\n ExitWindowsEx\n\nThe PE's resources present abnormal characteristics.\n Resource SCRIPT is possibly compressed or encrypted.\n\nThe following exploit mitigation techniques have been detected\n Stack Canary: enabled\n SafeSEH: enabled (0 registered handlers)\n ASLR: enabled\n DEP: disabled\n CFG: disabled\n\n\n\n[!] Error: [plugin_virustotal] VirusTotal API access denied. Please verify that your API key is valid.\n[!] Error: [Yara compiler] yara_rules/clamav.yara (999960) : syntax error, unexpected '{', expecting text string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (1089890) : syntax error, unexpected string identifier, expecting '}'\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2064551) : unreferenced string \"$a7\"\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2510733) : invalid hex string \"$a0\": uneven number of digits in hex string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2597376) : invalid hex string \"$a5\": syntax error\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2983072) : invalid hex string \"$a0\": invalid character in hex string\n[!] Error: Could not compile yara rules (6 error(s)).\n[!] Error: ClamAV rules haven't been generated yet!\n[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.\n",
"json_output": {
"Summary": {
"architecture": "IMAGE_FILE_MACHINE_I386",
"subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"compilation_date": "2025-11-28T09:36:05",
"detected_languages": [
"English - United Kingdom"
]
},
"DOS Header": {
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x00000120"
},
"PE Header": {
"Signature": "PE",
"Machine": "IMAGE_FILE_MACHINE_I386",
"NumberofSections": 5,
"TimeDateStamp": "2025-Nov-28 09:36:05",
"PointerToSymbolTable": "0x00000000",
"NumberOfSymbols": 0,
"SizeOfOptionalHeader": "0x00E0",
"Characteristics": [
"IMAGE_FILE_32BIT_MACHINE",
"IMAGE_FILE_EXECUTABLE_IMAGE",
"IMAGE_FILE_LARGE_ADDRESS_AWARE"
]
},
"Image Optional Header": {
"Magic": "PE32",
"LinkerVersion": "14.0",
"SizeOfCode": "0x0009AC00",
"SizeOfInitializedData": "0x00090000",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x000204F7",
"EntryPointSection": ".text",
"BaseOfCode": "0x00001000",
"BaseOfData": "0x0009C000",
"ImageBase": "0x00400000",
"SectionAlignment": "0x00001000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "5.1",
"ImageVersion": "0.0",
"SubsystemVersion": "5.1",
"Win32VersionValue": "0",
"SizeOfImage": "0x00131000",
"SizeOfHeaders": "0x00000400",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": [
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"SizeofStackReserve": "0x00400000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00400000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": "16"
},
"Sections": {
"sections": [
{
"name": ".text",
"virtual_size": "0x0009AA37",
"virtual_address": "0x00001000",
"size_of_raw_data": "0x0009AC00",
"pointer_to_raw_data": "0x00000400",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 6.66568
},
{
"name": ".rdata",
"virtual_size": "0x0002FB92",
"virtual_address": "0x0009C000",
"size_of_raw_data": "0x0002FC00",
"pointer_to_raw_data": "0x0009B000",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"entropy": 5.61024
},
{
"name": ".data",
"virtual_size": "0x0000705C",
"virtual_address": "0x000CC000",
"size_of_raw_data": "0x00004800",
"pointer_to_raw_data": "0x000CAC00",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ",
"IMAGE_SCN_MEM_WRITE"
],
"entropy": 0.584577
},
{
"name": ".rsrc",
"virtual_size": "0x000545C4",
"virtual_address": "0x000D4000",
"size_of_raw_data": "0x00054600",
"pointer_to_raw_data": "0x000CF400",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"entropy": 7.8804
},
{
"name": ".reloc",
"virtual_size": "0x000075CC",
"virtual_address": "0x00129000",
"size_of_raw_data": "0x00007600",
"pointer_to_raw_data": "0x00123A00",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 6.7982
}
]
},
"Imports": {
"entities": {
"dlls": [
"KERNEL32.DLL",
"ADVAPI32.dll",
"COMCTL32.dll",
"COMDLG32.dll",
"GDI32.dll",
"IPHLPAPI.DLL",
"MPR.dll",
"ole32.dll",
"OLEAUT32.dll",
"PSAPI.DLL",
"SHELL32.dll",
"USER32.dll",
"USERENV.dll",
"UxTheme.dll",
"VERSION.dll",
"WININET.dll",
"WINMM.dll",
"WSOCK32.dll"
],
"resources": [
{
"id": 1,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"entropy": 3.66371
},
{
"id": 2,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"entropy": 2.05883
},
{
"id": 3,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"entropy": 2.25499
},
{
"id": 4,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 744,
"entropy": 3.65355
},
{
"id": 5,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"entropy": 3.43704
},
{
"id": 6,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 3752,
"entropy": 4.16139
},
{
"id": 7,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 2216,
"entropy": 4.07494
},
{
"id": 8,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1384,
"entropy": 2.18302
},
{
"id": 9,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 9640,
"entropy": 4.52312
},
{
"id": 10,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 4264,
"entropy": 4.65168
},
{
"id": 11,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1128,
"entropy": 4.39178
},
{
"id": 166,
"type": "RT_MENU",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 80,
"entropy": 2.68292
},
{
"id": "7 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1428,
"entropy": 3.34702
},
{
"id": "8 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1674,
"entropy": 3.2804
},
{
"id": "9 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1168,
"entropy": 3.28849
},
{
"id": "10 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1532,
"entropy": 3.28373
},
{
"id": "11 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1628,
"entropy": 3.26322
},
{
"id": 12,
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1126,
"entropy": 3.25812
},
{
"id": 313,
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 344,
"entropy": 3.08572
},
{
"id": "SCRIPT",
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 309386,
"entropy": 7.99935
},
{
"id": 99,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 118,
"entropy": 2.8695,
"detected_filetype": "Icon file"
},
{
"id": 162,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 20,
"entropy": 2.02322,
"detected_filetype": "Icon file"
},
{
"id": 164,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 20,
"entropy": 1.84274,
"detected_filetype": "Icon file"
},
{
"id": 169,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 20,
"entropy": 2.02322,
"detected_filetype": "Icon file"
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 220,
"entropy": 2.77862
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1007,
"entropy": 5.40026
}
],
"version_info": {
"resource_langid": "English - United Kingdom",
"signature": "0xFEEF04BD",
"struct_version": "0x00010000",
"file_version": "0.0.0.0",
"product_version": "0.0.0.0",
"file_flags": "(EMPTY)",
"file_os": [
"VOS_DOS_WINDOWS32",
"VOS_NT_WINDOWS32",
"VOS__WINDOWS32"
],
"file_type": "VFT_APP",
"language": "English - United Kingdom"
},
"tls_callbacks": {
"start_address_of_raw_data": "0x004C868C",
"end_address_of_raw_data": "0x004C8694",
"address_of_index": "0x004D0740",
"address_of_callbacks": "0x0049C8F8",
"size_of_zero_fill": "0x00000000",
"characteristics": "IMAGE_SCN_ALIGN_4BYTES",
"callbacks": "(EMPTY)"
},
"load_configuration": {
"size": 160,
"time_date_stamp": "1970-Jan-01 00:00:00",
"version": "0.0",
"global_flags_clear": "(EMPTY)",
"global_flags_set": "(EMPTY)",
"critical_section_default_timeout": 0,
"de_commit_free_block_threshold": "0x00000000",
"de_commit_total_free_threshold": "0x00000000",
"lock_prefix_table": "0x00000000",
"maximum_allocation_size": "0x00000000",
"virtual_memory_threshold": "0x00000000",
"process_affinity_mask": "0x00000000",
"process_heap_flags": "(EMPTY)",
"csd_version": 0,
"reserved1": "0x0000",
"edit_list": "0x00000000",
"security_cookie": "0x004CC014",
"se_handler_table": "0x00000000",
"se_handler_count": 0
},
"rich_header": {
"xor_key": "0xFDEDA6DE",
"unmarked_objects": 0,
"objects": {
"151": 1,
"241 (40116)": 35,
"243 (40116)": 157,
"242 (40116)": 35,
"199 (41118)": 1,
"C++ objects (VS 2015/2017 runtime 26706)": 45,
"C objects (VS 2015/2017 runtime 26706)": 18,
"ASM objects (VS 2015/2017 runtime 26706)": 21,
"C objects (VS2008 SP1 build 30729)": 9,
"Imports (VS2008 SP1 build 30729)": 37,
"Total imports": 553,
"C++ objects (POGO O) (27045)": 80,
"ASM objects (27045)": 1,
"Resource objects (27045)": 1,
"Linker (27045)": 1
},
"matching_compilers": [
"Microsoft Visual C++ 6.0 - 8.0"
]
},
"strings": [
"AutoIt Error",
"reserved for AutoIt internal use"
],
"cryptographic_algorithms": [
"Uses constants related to CRC32",
"Uses known Mersenne Twister constants"
],
"malicious_indicators": [
"LoadLibraryA",
"GetProcAddress",
"LoadLibraryExW",
"LoadLibraryW",
"CreateToolhelp32Snapshot",
"FindWindowW",
"OpenProcess",
"VirtualAllocEx",
"WriteProcessMemory",
"VirtualAlloc",
"RegEnumValueW",
"RegDeleteValueW",
"RegDeleteKeyW",
"RegEnumKeyExW",
"RegSetValueExW",
"RegOpenKeyExW",
"RegCloseKey",
"RegQueryValueExW",
"RegCreateKeyExW",
"RegisterHotKey",
"CreateProcessW",
"CreateProcessAsUserW",
"CreateProcessWithLogonW",
"ShellExecuteW",
"CreateFileW",
"GetTempPathW",
"GetAsyncKeyState",
"AttachThreadInput",
"MapVirtualKeyW",
"GetForegroundWindow",
"InternetCloseHandle",
"InternetOpenW",
"InternetSetOptionW",
"InternetCrackUrlW",
"InternetQueryOptionW",
"InternetConnectW",
"InternetOpenUrlW",
"InternetReadFile",
"InternetQueryDataAvailable",
"AdjustTokenPrivileges",
"OpenProcessToken",
"DuplicateTokenEx",
"CheckTokenMembership",
"GetDriveTypeW",
"GetVolumeInformationW",
"ReadProcessMemory",
"Process32FirstW",
"Process32NextW",
"CreateCompatibleDC",
"GetDC",
"GetClipboardData",
"InitiateSystemShutdownExW",
"ExitWindowsEx"
],
"exploit_mitigation_techniques": {
"stack_canary": "enabled",
"safe_seh": "enabled (0 registered handlers)",
"aslr": "enabled",
"dep": "disabled",
"cfg": "disabled"
}
}
},
"Exports": {},
"Resources": {
"entities": [
{
"id": 1,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.66371
},
{
"id": 2,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.05883
},
{
"id": 3,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.25499
},
{
"id": 4,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 744,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.65355
},
{
"id": 5,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 296,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.43704
},
{
"id": 6,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 3752,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 4.16139
},
{
"id": 7,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 2216,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 4.07494
},
{
"id": 8,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1384,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.18302
},
{
"id": 9,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 9640,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 4.52312
},
{
"id": 10,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 4264,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 4.65168
},
{
"id": 11,
"type": "RT_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1128,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 4.39178
},
{
"id": 166,
"type": "RT_MENU",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 80,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.68292
},
{
"id": "7 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1428,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.34702
},
{
"id": "8 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1674,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.2804
},
{
"id": "9 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1168,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.28849
},
{
"id": "10 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1532,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.28373
},
{
"id": "11 (#2)",
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1628,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.26322
},
{
"id": 12,
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1126,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.25812
},
{
"id": 313,
"type": "RT_STRING",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 344,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.08572
},
{
"id": "SCRIPT",
"type": "RT_RCDATA",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 309386,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 7.99935
},
{
"id": 99,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 118,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.8695,
"detected_filetype": "Icon file"
},
{
"id": 162,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 20,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.02322,
"detected_filetype": "Icon file"
},
{
"id": 164,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 20,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 1.84274,
"detected_filetype": "Icon file"
},
{
"id": 169,
"type": "RT_GROUP_ICON",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 20,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.02322,
"detected_filetype": "Icon file"
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 220,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 2.77862
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "English - United Kingdom",
"codepage": "Latin 1 / Western European",
"size": 1007,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 5.40026
}
]
},
"Debug Info": {},
"Load Configuration": {
"Size": 160,
"TimeDateStamp": "1970-Jan-01 00:00:00",
"Version": "0.0",
"GlobalFlagsClear": "",
"GlobalFlagsSet": "",
"CriticalSectionDefaultTimeout": 0,
"DeCommitFreeBlockThreshold": 0,
"DeCommitTotalFreeThreshold": 0,
"LockPrefixTable": 0,
"MaximumAllocationSize": 0,
"VirtualMemoryThreshold": 0,
"ProcessAffinityMask": 0,
"ProcessHeapFlags": "",
"CSDVersion": 0,
"Reserved1": 0,
"EditList": 0,
"SecurityCookie": 5038100,
"SEHandlerTable": 0,
"SEHandlerCount": 0
},
"RICH Header": {
"xor_key": "0xFDEDA6DE",
"unmarked_objects": 0,
"object_counts": {
"151": 1,
"241_40116": 35,
"243_40116": 157,
"242_40116": 35,
"199_41118": 1,
"cpp_objects_vs_2015_2017_runtime_26706": 45,
"c_objects_vs_2015_2017_runtime_26706": 18,
"asm_objects_vs_2015_2017_runtime_26706": 21,
"c_objects_vs2008_sp1_build_30729": 9,
"imports_vs2008_sp1_build_30729": 37,
"total_imports": 553,
"cpp_objects_pogo_o_27045": 80,
"asm_objects_27045": 1,
"resource_objects_27045": 1,
"linker_27045": 1
},
"matching_compilers": [
"Microsoft Visual C++ 6.0 - 8.0"
],
"suspicious_strings": {
"autoit_compiled_script": [
"AutoIt Error",
"reserved for AutoIt internal use"
]
},
"cryptographic_algorithms": [
"Uses constants related to CRC32",
"Uses known Mersenne Twister constants"
],
"malicious_indicators": {
"hidden_imports": [
"LoadLibraryA",
"GetProcAddress",
"LoadLibraryExW",
"LoadLibraryW"
],
"anti_debugging_functions": [
"CreateToolhelp32Snapshot",
"FindWindowW"
],
"code_injection_capabilities": [
"OpenProcess",
"VirtualAllocEx",
"WriteProcessMemory",
"VirtualAlloc"
],
"powerloader_code_injection": [
"FindWindowW",
"GetWindowLongW"
],
"registry_access_functions": [
"RegEnumValueW",
"RegDeleteValueW",
"RegDeleteKeyW",
"RegEnumKeyExW",
"RegSetValueExW",
"RegOpenKeyExW",
"RegCloseKey",
"RegQueryValueExW",
"RegCreateKeyExW",
"RegisterHotKey"
],
"program_launching_functions": [
"CreateProcessW",
"CreateProcessAsUserW",
"CreateProcessWithLogonW",
"ShellExecuteW"
],
"temporary_file_creation": [
"CreateFileW",
"GetTempPathW"
],
"keylogger_functions": [
"GetAsyncKeyState",
"AttachThreadInput",
"MapVirtualKeyW",
"GetForegroundWindow"
],
"internet_access_capabilities": [
"InternetCloseHandle",
"InternetOpenW",
"InternetSetOptionW",
"InternetCrackUrlW",
"InternetQueryOptionW",
"InternetConnectW",
"InternetOpenUrlW",
"InternetReadFile",
"InternetQueryDataAvailable"
],
"privilege_level_functions": [
"AdjustTokenPrivileges",
"OpenProcessToken",
"DuplicateTokenEx",
"CheckTokenMembership"
],
"disk_drive_enumeration": [
"GetDriveTypeW",
"GetVolumeInformationW"
],
"process_manipulation": [
"OpenProcess",
"WriteProcessMemory",
"ReadProcessMemory",
"Process32FirstW",
"Process32NextW"
],
"screenshot_capabilities": [
"CreateCompatibleDC",
"FindWindowW",
"GetDC"
],
"clipboard_reading": [
"GetClipboardData"
],
"system_shutdown_lock": [
"InitiateSystemShutdownExW",
"ExitWindowsEx"
]
},
"abnormal_resource_characteristics": [
"Resource SCRIPT is possibly compressed or encrypted"
],
"exploit_mitigation_techniques": {
"stack_canary": "enabled",
"safe_seh": "enabled (0 registered handlers)",
"aslr": "enabled",
"dep": "disabled",
"cfg": "disabled"
}
},
"Interesting strings found in the binary": {},
"file_path": "/tmp/sdm_unpack_12ohn_ul/2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130_2aa5ce3561dc/001_upx_unpacked.exe"
},
"exit_code": 0,
"output_file": "/tmp/sdm_manalyze_j57fwxw4/output.txt"
}
|
2026-05-15 14:33:42
|
||||||||||||||
69edf0bc59a6632dae07de45
|
02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19…
|
{
"success": true,
"output": "\n================================================================================\nMANALYZE ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/secondary_sample_try\nDate: 2026-04-29 18:18:53\nExit Code: 0\n================================================================================\n\n* Manalyze 0.9 *\n\n-------------------------------------------------------------------------------\n/home/apogean/projects/malware/windows/all_runs/secondary_sample_try\n-------------------------------------------------------------------------------\n\nSummary:\n--------\nArchitecture: IMAGE_FILE_MACHINE_I386\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nCompilation Date: 2023-Oct-16 21:40:53\nComments: \nCompanyName: Google LLC\nFileDescription: Note-taking and task management application\nFileVersion: 5.9.1.204\nInternalName: GoogleKeep.exe\nLegalCopyright: © Google LLC\nLegalTrademarks: Google, Keep\nOriginalFilename: GoogleKeep.exe\nProductName: Google Keep\nProductVersion: 5.9.1.204\nAssembly Version: 5.9.1.204\n\nDOS Header:\n-----------\ne_magic: MZ\ne_cblp: 0x0090\ne_cp: 0x0003\ne_crlc: 0x0000\ne_cparhdr: 0x0004\ne_minalloc: 0x0000\ne_maxalloc: 0xFFFF\ne_ss: 0x0000\ne_sp: 0x00B8\ne_csum: 0x0000\ne_ip: 0x0000\ne_cs: 0x0000\ne_ovno: 0x0000\ne_oemid: 0x0000\ne_oeminfo: 0x0000\ne_lfanew: 0x00000080\n\nPE Header:\n----------\nSignature: PE\nMachine: IMAGE_FILE_MACHINE_I386\nNumberofSections: 3\nTimeDateStamp: 2023-Oct-16 21:40:53\nPointerToSymbolTable: 0x00000000\nNumberOfSymbols: 0\nSizeOfOptionalHeader: 0x00E0\nCharacteristics: IMAGE_FILE_32BIT_MACHINE\n IMAGE_FILE_EXECUTABLE_IMAGE\n\nImage Optional Header:\n----------------------\nMagic: PE32\nLinkerVersion: 8.0\nSizeOfCode: 0x0000A800\nSizeOfInitializedData: 0x00001A00\nSizeOfUninitializedData: 0x00000000\nAddressOfEntryPoint: 0x0000C72E (Section: .text)\nBaseOfCode: 0x00002000\nBaseOfData: 0x0000E000\nImageBase: 
0x00400000\nSectionAlignment: 0x00002000\nFileAlignment: 0x00000200\nOperatingSystemVersion: 4.0\nImageVersion: 0.0\nSubsystemVersion: 4.0\nWin32VersionValue: 0\nSizeOfImage: 0x00012000\nSizeOfHeaders: 0x00000200\nChecksum: 0x00000000\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nDllCharacteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_NO_SEH\n IMAGE_DLLCHARACTERISTICS_NX_COMPAT\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\nSizeofStackReserve: 0x00100000\nSizeofStackCommit: 0x00001000\nSizeofHeapReserve: 0x00100000\nSizeofHeapCommit: 0x00001000\nLoaderFlags: 0x00000000\nNumberOfRvaAndSizes: 16\n\nSections:\n---------\n.text:\n VirtualSize: 0x0000A734\n VirtualAddress: 0x00002000\n SizeOfRawData: 0x0000A800\n PointerToRawData: 0x00000200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_CODE\n IMAGE_SCN_MEM_EXECUTE\n IMAGE_SCN_MEM_READ\n Entropy: 5.50576\n\n.rsrc:\n VirtualSize: 0x00001708\n VirtualAddress: 0x0000E000\n SizeOfRawData: 0x00001800\n PointerToRawData: 0x0000AA00\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 6.55153\n\n.reloc:\n VirtualSize: 0x0000000C\n VirtualAddress: 0x00010000\n SizeOfRawData: 0x00000200\n PointerToRawData: 0x0000C200\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_DISCARDABLE\n IMAGE_SCN_MEM_READ\n Entropy: 0.0815394\n\n\nImports:\n--------\nmscoree.dll: _CorExeMain\n\nResources:\n----------\n1:\n Type: RT_ICON\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 3476\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 7.05814\n Detected Filetype: PNG graphic file\n\n1 (#2):\n Type: RT_GROUP_ICON\n 
Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 20\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 1.15402\n Detected Filetype: Icon file\n\n1 (#3):\n Type: RT_VERSION\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 924\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 3.39908\n\n1 (#4):\n Type: RT_MANIFEST\n Language: UNKNOWN\n Codepage: Latin 1 / Western European\n Size: 1171\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 5.22615\n\n\nVersion Info:\n-------------\nResource LangID: UNKNOWN\nVS_VERSION_INFO:\n Signature: 0xFEEF04BD\n StructVersion: 0x00010000\n FileVersion: 5.9.1.204\n ProductVersion: 5.9.1.204\n FileFlags: (EMPTY)\n FileOs: VOS_DOS_WINDOWS32\n VOS_NT_WINDOWS32\n VOS__WINDOWS32\n FileType: VFT_APP\n Language: UNKNOWN\n Comments: \n CompanyName: Google LLC\n FileDescription: Note-taking and task management application\n FileVersion (#2): 5.9.1.204\n InternalName: GoogleKeep.exe\n LegalCopyright: © Google LLC\n LegalTrademarks: Google, Keep\n OriginalFilename: GoogleKeep.exe\n ProductName: Google Keep\n ProductVersion (#2): 5.9.1.204\n Assembly Version: 5.9.1.204\n\n\nMatching compiler(s):\n Microsoft Visual C# v7.0 / Basic .NET\n .NET executable -> Microsoft\n\n[ SUSPICIOUS ] Strings found in the binary may indicate undesirable behavior:\n Contains references to system / monitoring tools:\n schtask\n Looks for VMWare presence:\n vmware\n Looks for Sandboxie presence:\n SbieDll.dll\n Accesses the WMI:\n root\\Security\n\nThe following exploit mitigation techniques have been detected\n Stack Canary: disabled\n SafeSEH: disabled\n ASLR: enabled\n DEP: enabled\n CFG: disabled\n\n[ MALICIOUS ] The program tries to mislead users about its origins.\n The PE pretends to be from Google but is not signed!\n\n\n\n[!] Error: [plugin_virustotal] VirusTotal API access denied. Please verify that your API key is valid.\n[!] 
Error: [Yara compiler] yara_rules/clamav.yara (999960) : syntax error, unexpected '{', expecting text string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (1089890) : syntax error, unexpected string identifier, expecting '}'\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2064551) : unreferenced string \"$a7\"\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2510733) : invalid hex string \"$a0\": uneven number of digits in hex string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2597376) : invalid hex string \"$a5\": syntax error\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2983072) : invalid hex string \"$a0\": invalid character in hex string\n[!] Error: Could not compile yara rules (6 error(s)).\n[!] Error: ClamAV rules haven't been generated yet!\n[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.\n",
"json_output": {
"Summary": {
"architecture": "IMAGE_FILE_MACHINE_I386",
"subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"compilation_date": "2023-Oct-16 21:40:53",
"company_name": "Google LLC",
"file_description": "Note-taking and task management application",
"file_version": "5.9.1.204",
"internal_name": "GoogleKeep.exe",
"legal_copyright": "© Google LLC",
"legal_trademarks": "Google, Keep",
"original_filename": "GoogleKeep.exe",
"product_name": "Google Keep",
"product_version": "5.9.1.204",
"assembly_version": "5.9.1.204"
},
"DOS Header": {
"e_magic": "MZ",
"e_cblp": 144,
"e_cp": 3,
"e_crlc": 0,
"e_cparhdr": 4,
"e_minalloc": 0,
"e_maxalloc": 65535,
"e_ss": 0,
"e_sp": 184,
"e_csum": 0,
"e_ip": 0,
"e_cs": 0,
"e_ovno": 0,
"e_oemid": 0,
"e_oeminfo": 0,
"e_lfanew": 128
},
"PE Header": {
"Signature": "PE",
"Machine": "IMAGE_FILE_MACHINE_I386",
"NumberofSections": 3,
"TimeDateStamp": "2023-Oct-16 21:40:53",
"PointerToSymbolTable": "0x00000000",
"NumberOfSymbols": 0,
"SizeOfOptionalHeader": "0x00E0",
"Characteristics": [
"IMAGE_FILE_32BIT_MACHINE",
"IMAGE_FILE_EXECUTABLE_IMAGE"
]
},
"Image Optional Header": {
"Magic": "PE32",
"LinkerVersion": "8.0",
"SizeOfCode": "0x0000A800",
"SizeOfInitializedData": "0x00001A00",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x0000C72E",
"BaseOfCode": "0x00002000",
"BaseOfData": "0x0000E000",
"ImageBase": "0x00400000",
"SectionAlignment": "0x00002000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "4.0",
"ImageVersion": "0.0",
"SubsystemVersion": "4.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x00012000",
"SizeOfHeaders": "0x00000200",
"Checksum": "0x00000000",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": [
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_NO_SEH",
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"SizeofStackReserve": "0x00100000",
"SizeofStackCommit": "0x00001000",
"SizeofHeapReserve": "0x00100000",
"SizeofHeapCommit": "0x00001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": "16"
},
"Sections": {
"sections": [
{
"name": ".text",
"virtual_size": "0x0000A734",
"virtual_address": "0x00002000",
"size_of_raw_data": "0x0000A800",
"pointer_to_raw_data": "0x00000200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 5.50576
},
{
"name": ".rsrc",
"virtual_size": "0x00001708",
"virtual_address": "0x0000E000",
"size_of_raw_data": "0x00001800",
"pointer_to_raw_data": "0x0000AA00",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"entropy": 6.55153
},
{
"name": ".reloc",
"virtual_size": "0x0000000C",
"virtual_address": "0x00010000",
"size_of_raw_data": "0x00000200",
"pointer_to_raw_data": "0x0000C200",
"pointer_to_relocations": "0x00000000",
"pointer_to_line_numbers": "0x00000000",
"number_of_line_numbers": 0,
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"entropy": 0.0815394
}
]
},
"Imports": {
"entities": {
"file": {
"name": "GoogleKeep.exe",
"version": "5.9.1.204",
"description": "Note-taking and task management application",
"company": "Google LLC",
"copyright": "© Google LLC",
"trademarks": "Google, Keep",
"internal_name": "GoogleKeep.exe",
"original_filename": "GoogleKeep.exe",
"product_name": "Google Keep",
"assembly_version": "5.9.1.204"
},
"resources": [
{
"type": "RT_ICON",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 3476,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 7.05814,
"filetype": "PNG graphic file"
},
{
"type": "RT_GROUP_ICON",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 20,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 1.15402,
"filetype": "Icon file"
},
{
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 924,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 3.39908
},
{
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 1171,
"timestamp": "1980-Jan-01 00:00:00",
"entropy": 5.22615
}
],
"compiler": [
"Microsoft Visual C# v7.0 / Basic .NET",
".NET executable -> Microsoft"
],
"suspicious_strings": [
"schtask",
"vmware",
"SbieDll.dll",
"root\\Security"
],
"mitigations": {
"stack_canary": false,
"safe_seh": false,
"aslr": true,
"dep": true,
"cfg": false
},
"malicious_indicators": [
"The PE pretends to be from Google but is not signed!"
]
}
},
"Exports": {},
"Resources": {
"entities": [
{
"type": "RT_ICON",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 3476,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 7.05814,
"detected_filetype": "PNG graphic file"
},
{
"type": "RT_GROUP_ICON",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 20,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 1.15402,
"detected_filetype": "Icon file"
},
{
"type": "RT_VERSION",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 924,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 3.39908
},
{
"type": "RT_MANIFEST",
"language": "UNKNOWN",
"codepage": "Latin 1 / Western European",
"size": 1171,
"time_date_stamp": "1980-Jan-01 00:00:00",
"entropy": 5.22615
}
],
"version_info": {
"resource_lang_id": "UNKNOWN",
"signature": "0xFEEF04BD",
"struct_version": "0x00010000",
"file_version": "5.9.1.204",
"product_version": "5.9.1.204",
"file_flags": "(EMPTY)",
"file_os": [
"VOS_DOS_WINDOWS32",
"VOS_NT_WINDOWS32",
"VOS__WINDOWS32"
],
"file_type": "VFT_APP",
"language": "UNKNOWN",
"comments": "",
"company_name": "Google LLC",
"file_description": "Note-taking and task management application",
"internal_name": "GoogleKeep.exe",
"legal_copyright": "© Google LLC",
"legal_trademarks": "Google, Keep",
"original_filename": "GoogleKeep.exe",
"product_name": "Google Keep",
"assembly_version": "5.9.1.204"
},
"compiler_info": [
"Microsoft Visual C# v7.0 / Basic .NET",
".NET executable -> Microsoft"
],
"suspicious_strings": [
"schtask",
"vmware",
"SbieDll.dll",
"root\\Security"
],
"exploit_mitigation": {
"stack_canary": false,
"safe_seh": false,
"aslr": true,
"dep": true,
"cfg": false
},
"malicious_indicators": [
"The PE pretends to be from Google but is not signed!"
]
},
"Debug Info": {},
"Load Configuration": {},
"RICH Header": {},
"Interesting strings found in the binary": {},
"file_path": "/home/apogean/projects/malware/windows/all_runs/secondary_sample_try"
},
"exit_code": 0,
"output_file": "/tmp/sdm_manalyze_wf9fp3on/output.txt"
}
|
2026-04-29 18:19:08
|
||||||||||||||
69edf1ce59a6632dae07de55
|
6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc7…
|
{
"success": true,
"output": "\n================================================================================\nMANALYZE ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/3\nDate: 2026-04-27 00:20:32\nExit Code: 0\n================================================================================\n\n* Manalyze 0.9 *\n\n-------------------------------------------------------------------------------\n/home/apogean/projects/malware/windows/all_runs/3\n-------------------------------------------------------------------------------\n\nSummary:\n--------\nArchitecture: IMAGE_FILE_MACHINE_AMD64\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nCompilation Date: 2016-Aug-20 04:34:21\nDetected languages: English - United States\nDebug artifacts: wextract.pdb\nCompanyName: Microsoft Corporation\nFileDescription: Win32 Cabinet Self-Extractor \nFileVersion: 11.00.22688.1 (WinBuild.160101.0800)\nInternalName: Wextract \nLegalCopyright: © Microsoft Corporation. 
All rights reserved.\nOriginalFilename: WEXTRACT.EXE .MUI\nProductName: Internet Explorer\nProductVersion: 11.00.22688.1\n\nDOS Header:\n-----------\ne_magic: MZ\ne_cblp: 0x0090\ne_cp: 0x0003\ne_crlc: 0x0000\ne_cparhdr: 0x0004\ne_minalloc: 0x0000\ne_maxalloc: 0xFFFF\ne_ss: 0x0000\ne_sp: 0x00B8\ne_csum: 0x0000\ne_ip: 0x0000\ne_cs: 0x0000\ne_ovno: 0x0000\ne_oemid: 0x0000\ne_oeminfo: 0x0000\ne_lfanew: 0x000000E8\n\nPE Header:\n----------\nSignature: PE\nMachine: IMAGE_FILE_MACHINE_AMD64\nNumberofSections: 6\nTimeDateStamp: 2016-Aug-20 04:34:21\nPointerToSymbolTable: 0x00000000\nNumberOfSymbols: 0\nSizeOfOptionalHeader: 0x00F0\nCharacteristics: IMAGE_FILE_EXECUTABLE_IMAGE\n IMAGE_FILE_LARGE_ADDRESS_AWARE\n\nImage Optional Header:\n----------------------\nMagic: PE32+\nLinkerVersion: 14.0\nSizeOfCode: 0x00007C00\nSizeOfInitializedData: 0x0026D800\nSizeOfUninitializedData: 0x00000000\nAddressOfEntryPoint: 0x0000000000008200 (Section: .text)\nBaseOfCode: 0x00001000\nImageBase: 0x0000000140000000\nSectionAlignment: 0x00001000\nFileAlignment: 0x00000200\nOperatingSystemVersion: A.0\nImageVersion: A.0\nSubsystemVersion: 6.0\nWin32VersionValue: 0\nSizeOfImage: 0x0027B000\nSizeOfHeaders: 0x00000400\nChecksum: 0x0027F3E6\nSubsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI\nDllCharacteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_GUARD_CF\n IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA\n IMAGE_DLLCHARACTERISTICS_NX_COMPAT\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\nSizeofStackReserve: 0x0000000000080000\nSizeofStackCommit: 0x0000000000002000\nSizeofHeapReserve: 0x0000000000100000\nSizeofHeapCommit: 0x0000000000001000\nLoaderFlags: 0x00000000\nNumberOfRvaAndSizes: 16\n\nSections:\n---------\n.text:\n VirtualSize: 0x00007B80\n VirtualAddress: 0x00001000\n SizeOfRawData: 0x00007C00\n PointerToRawData: 0x00000400\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: 
IMAGE_SCN_CNT_CODE\n IMAGE_SCN_MEM_EXECUTE\n IMAGE_SCN_MEM_READ\n Entropy: 6.09647\n\n.rdata:\n VirtualSize: 0x000022C8\n VirtualAddress: 0x00009000\n SizeOfRawData: 0x00002400\n PointerToRawData: 0x00008000\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 4.72784\n\n.data:\n VirtualSize: 0x00001F00\n VirtualAddress: 0x0000C000\n SizeOfRawData: 0x00000400\n PointerToRawData: 0x0000A400\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n IMAGE_SCN_MEM_WRITE\n Entropy: 3.18898\n\n.pdata:\n VirtualSize: 0x00000408\n VirtualAddress: 0x0000E000\n SizeOfRawData: 0x00000600\n PointerToRawData: 0x0000A800\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 3.15637\n\n.rsrc:\n VirtualSize: 0x0026A616\n VirtualAddress: 0x0000F000\n SizeOfRawData: 0x0026A800\n PointerToRawData: 0x0000AE00\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_READ\n Entropy: 7.74936\n\n.reloc:\n VirtualSize: 0x00000020\n VirtualAddress: 0x0027A000\n SizeOfRawData: 0x00000200\n PointerToRawData: 0x00275600\n PointerToRelocations: 0x00000000\n PointerToLineNumbers: 0x00000000\n NumberOfLineNumbers: 0\n NumberOfRelocations: 0\n Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA\n IMAGE_SCN_MEM_DISCARDABLE\n IMAGE_SCN_MEM_READ\n Entropy: 0.406847\n\n\nImports:\n--------\nADVAPI32.dll: GetTokenInformation\n RegDeleteValueA\n RegOpenKeyExA\n RegQueryInfoKeyA\n FreeSid\n OpenProcessToken\n RegSetValueExA\n RegCreateKeyExA\n 
LookupPrivilegeValueA\n AllocateAndInitializeSid\n RegQueryValueExA\n EqualSid\n RegCloseKey\n AdjustTokenPrivileges\nKERNEL32.dll: _lopen\n _llseek\n CompareStringA\n GetLastError\n GetFileAttributesA\n GetSystemDirectoryA\n LoadLibraryA\n DeleteFileA\n GlobalAlloc\n GlobalFree\n CloseHandle\n WritePrivateProfileStringA\n IsDBCSLeadByte\n GetWindowsDirectoryA\n SetFileAttributesA\n GetProcAddress\n GlobalLock\n LocalFree\n RemoveDirectoryA\n FreeLibrary\n _lclose\n CreateDirectoryA\n GetPrivateProfileIntA\n GetPrivateProfileStringA\n GlobalUnlock\n ReadFile\n SizeofResource\n WriteFile\n GetDriveTypeA\n LoadLibraryExA\n SetFileTime\n SetFilePointer\n FindResourceA\n CreateMutexA\n GetVolumeInformationA\n WaitForSingleObject\n GetCurrentDirectoryA\n FreeResource\n GetVersion\n SetCurrentDirectoryA\n GetTempPathA\n LocalFileTimeToFileTime\n CreateFileA\n SetEvent\n TerminateThread\n GetVersionExA\n LockResource\n GetSystemInfo\n CreateThread\n ResetEvent\n LoadResource\n ExitProcess\n GetModuleHandleW\n CreateProcessA\n FormatMessageA\n GetTempFileNameA\n DosDateTimeToFileTime\n CreateEventA\n GetExitCodeProcess\n ExpandEnvironmentStringsA\n LocalAlloc\n lstrcmpA\n FindNextFileA\n GetCurrentProcess\n FindFirstFileA\n GetModuleFileNameA\n GetShortPathNameA\n Sleep\n GetStartupInfoW\n RtlCaptureContext\n RtlLookupFunctionEntry\n RtlVirtualUnwind\n UnhandledExceptionFilter\n SetUnhandledExceptionFilter\n TerminateProcess\n QueryPerformanceCounter\n GetCurrentProcessId\n GetCurrentThreadId\n GetSystemTimeAsFileTime\n GetTickCount\n EnumResourceLanguagesA\n GetDiskFreeSpaceA\n MulDiv\n FindClose\nGDI32.dll: GetDeviceCaps\nUSER32.dll: ShowWindow\n MsgWaitForMultipleObjects\n SetWindowPos\n GetDC\n GetWindowRect\n DispatchMessageA\n GetSystemMetrics\n CallWindowProcA\n SetWindowTextA\n MessageBoxA\n SendDlgItemMessageA\n SendMessageA\n GetDlgItem\n DialogBoxIndirectParamA\n GetWindowLongPtrA\n SetWindowLongPtrA\n SetForegroundWindow\n ReleaseDC\n EnableWindow\n CharNextA\n 
LoadStringA\n CharPrevA\n EndDialog\n MessageBeep\n ExitWindowsEx\n SetDlgItemTextA\n CharUpperA\n GetDesktopWindow\n PeekMessageA\n GetDlgItemTextA\nmsvcrt.dll: ?terminate@@YAXXZ\n _commode\n _fmode\n _acmdln\n __C_specific_handler\n memset\n __setusermatherr\n _ismbblead\n _cexit\n _exit\n exit\n __set_app_type\n __getmainargs\n _amsg_exit\n _XcptFilter\n memcpy_s\n _vsnprintf\n _initterm\n memcpy\nCOMCTL32.dll: #17\nCabinet.dll: #20\n #21\n #23\n #22\nVERSION.dll: VerQueryValueA\n GetFileVersionInfoSizeA\n GetFileVersionInfoA\n\nResources:\n----------\n3001:\n Type: AVI\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 11802\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.52241\n Detected Filetype: AVI Resource Interchange File Format\n Detected Filetype (#2): Windows animated cursor\n\n1:\n Type: RT_ICON\n Language: English - United States\n Codepage: UNKNOWN\n Size: 278568\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 6.16766\n\n2:\n Type: RT_ICON\n Language: English - United States\n Codepage: UNKNOWN\n Size: 278568\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 6.16766\n\n3:\n Type: RT_ICON\n Language: English - United States\n Codepage: UNKNOWN\n Size: 17448\n TimeDateStamp: 1980-Jan-01 00:00:00\n Entropy: 6.135\n\n2001:\n Type: RT_DIALOG\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 754\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.25575\n\n2002:\n Type: RT_DIALOG\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 432\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.16025\n\n2003:\n Type: RT_DIALOG\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 358\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.99713\n\n2004:\n Type: RT_DIALOG\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 448\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.11992\n\n2005:\n Type: RT_DIALOG\n 
Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 304\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.97326\n\n2006:\n Type: RT_DIALOG\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 288\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.97672\n\n63:\n Type: RT_STRING\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 140\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.48958\n\n76:\n Type: RT_STRING\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 1312\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.2674\n\n77:\n Type: RT_STRING\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 1484\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.29977\n\n80:\n Type: RT_STRING\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 1200\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.27174\n\n83:\n Type: RT_STRING\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 1098\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.2912\n\n85:\n Type: RT_STRING\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 974\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.13591\n\nADMQCMD:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 7\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.80735\n\nCABINET:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 1932347\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 7.99986\n Detected Filetype: CAB Installer file\n\nEXTRACTOPT:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 4\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 0.811278\n\nFILESIZES:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western 
European\n Size: 36\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.6383\n\nFINISHMSG:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 7\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.80735\n\nLICENSE:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 7\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.80735\n\nPACKINSTSPACE:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 4\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 0\n\nPOSTRUNPROGRAM:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 45\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 4.37171\n\nREBOOT:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 4\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 0\n\nRUNPROGRAM:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 24\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.26789\n\nSHOWWINDOW:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 4\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 0.811278\n\nTITLE:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 10\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.84644\n\nUPROMPT:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 7\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.80735\n\nUSRQCMD:\n Type: RT_RCDATA\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 7\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.80735\n\n3000:\n Type: RT_GROUP_ICON\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 48\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 2.22035\n Detected 
Filetype: Icon file\n\n1 (#2):\n Type: RT_VERSION\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 1032\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 3.38987\n\n1 (#3):\n Type: RT_MANIFEST\n Language: English - United States\n Codepage: Latin 1 / Western European\n Size: 2022\n TimeDateStamp: 2059-Dec-25 05:41:58\n Entropy: 5.00142\n\n\nVersion Info:\n-------------\nResource LangID: English - United States\nVS_VERSION_INFO:\n Signature: 0xFEEF04BD\n StructVersion: 0x00010000\n FileVersion: 11.0.22688.1\n ProductVersion: 11.0.22688.1\n FileFlags: (EMPTY)\n FileOs: VOS_DOS_WINDOWS32\n VOS_NT\n VOS_NT_WINDOWS32\n VOS_WINCE\n VOS__WINDOWS32\n FileType: VFT_APP\n Language: English - United States\n CompanyName: Microsoft Corporation\n FileDescription: Win32 Cabinet Self-Extractor \n FileVersion (#2): 11.00.22688.1 (WinBuild.160101.0800)\n InternalName: Wextract \n LegalCopyright: © Microsoft Corporation. All rights reserved.\n OriginalFilename: WEXTRACT.EXE .MUI\n ProductName: Internet Explorer\n ProductVersion (#2): 11.00.22688.1\n\n\nDebug Info:\n-----------\nIMAGE_DEBUG_TYPE_CODEVIEW:\n Characteristics: 0\n TimeDateStamp: 2062-Jul-25 12:18:00\n Version: 0.0\n SizeofData: 37\n AddressOfRawData: 0x00009A64\n PointerToRawData: 0x00008A64\n Referenced File: wextract.pdb\n\nIMAGE_DEBUG_TYPE_POGO:\n Characteristics: 0\n TimeDateStamp: 2062-Jul-25 12:18:00\n Version: 0.0\n SizeofData: 496\n AddressOfRawData: 0x00009A8C\n PointerToRawData: 0x00008A8C\n\nUNKNOWN:\n Characteristics: 0\n TimeDateStamp: 2062-Jul-25 12:18:00\n Version: 0.0\n SizeofData: 36\n AddressOfRawData: 0x00009C7C\n PointerToRawData: 0x00008C7C\n\n\nLoad Configuration:\n-------------------\nSize: 280\nTimeDateStamp: 1970-Jan-01 00:00:00\nVersion: 0.0\nGlobalFlagsClear: (EMPTY)\nGlobalFlagsSet: (EMPTY)\nCriticalSectionDefaultTimeout: 0\nDeCommitFreeBlockThreshold: 0x0000000000000000\nDeCommitTotalFreeThreshold: 0x0000000000000000\nLockPrefixTable: 
0x0000000000000000\nMaximumAllocationSize: 0x0000000000000000\nVirtualMemoryThreshold: 0x0000000000000000\nProcessAffinityMask: 0x0000000000000000\nProcessHeapFlags: (EMPTY)\nCSDVersion: 0\nReserved1: 0x0000\nEditList: 0x0000000000000000\nSecurityCookie: 0x000000014000C008\nGuardCFCheckFunctionPointer: 0x0000000140009648\nGuardCFDispatchFunctionPointer: 0x0000000000000000\nGuardCFFunctionTable: 0x0000000000000000\nGuardCFFunctionCount: 0x0000000000000000\nGuardFlags: (EMPTY)\nCodeIntegrity.Flags: 0x0000\nCodeIntegrity.Catalog: 0x0000\nCodeIntegrity.CatalogOffset: 0x00000000\nCodeIntegrity.Reserved: 0x00000000\nGuardAddressTakenIatEntryTable: 0x0000000000000000\nGuardAddressTakenIatEntryCount: 0\nGuardLongJumpTargetTable: 0x0000000000000000\nGuardLongJumpTargetCount: 0\n\nRICH Header:\n------------\nXOR Key: 0x3690B900\nUnmarked objects: 0\nC++ objects (27412): 1\nASM objects (27412): 2\nC objects (27412): 18\nImports (27412): 17\nTotal imports: 160\nC objects (LTCG) (27412): 10\nResource objects (27412): 1\nLinker (27412): 1\n\n[ SUSPICIOUS ] Strings found in the binary may indicate undesirable behavior:\n Contains references to system / monitoring tools:\n rundll32.exe\n May have dropper capabilities:\n CurrentVersion\\Run\n Contains domain names:\n Command.com\n\n[ MALICIOUS ] The PE contains functions mostly used by malware.\n [!] 
The program may be hiding some of its imports:\n LoadLibraryA\n GetProcAddress\n LoadLibraryExA\n Can access the registry:\n RegDeleteValueA\n RegOpenKeyExA\n RegQueryInfoKeyA\n RegSetValueExA\n RegCreateKeyExA\n RegQueryValueExA\n RegCloseKey\n Possibly launches other programs:\n CreateProcessA\n Can create temporary files:\n GetTempPathA\n CreateFileA\n Functions related to the privilege level:\n OpenProcessToken\n AdjustTokenPrivileges\n Enumerates local disk drives:\n GetDriveTypeA\n GetVolumeInformationA\n Can shut the system down or lock the screen:\n ExitWindowsEx\n\n[ MALICIOUS ] The PE header may have been manually modified.\n Resource CABINET detected as a CAB Installer file.\n The resource timestamps differ from the PE header:\n 2059-Dec-25 05:41:58\n Resources amount for 98.1524% of the executable.\n\nThe following exploit mitigation techniques have been detected\n Stack Canary: enabled\n SafeSEH: enabled (0 registered handlers)\n ASLR: enabled\n DEP: enabled\n CFG: enabled\n\n\n\n[!] Error: [plugin_virustotal] VirusTotal API access denied. Please verify that your API key is valid.\n[!] Error: [Yara compiler] yara_rules/clamav.yara (999960) : syntax error, unexpected '{', expecting text string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (1089890) : syntax error, unexpected string identifier, expecting '}'\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2064551) : unreferenced string \"$a7\"\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2510733) : invalid hex string \"$a0\": uneven number of digits in hex string\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2597376) : invalid hex string \"$a5\": syntax error\n[!] Error: [Yara compiler] yara_rules/clamav.yara (2983072) : invalid hex string \"$a0\": invalid character in hex string\n[!] Error: Could not compile yara rules (6 error(s)).\n[!] Error: ClamAV rules haven't been generated yet!\n[!] 
Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.\n",
"json_output": {
"Summary": {
"architecture": "IMAGE_FILE_MACHINE_AMD64",
"subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"compilation_date": "2016-Aug-20 04:34:21",
"detected_languages": [
"English - United States"
],
"debug_artifacts": [
"wextract.pdb"
],
"company_name": "Microsoft Corporation",
"file_description": "Win32 Cabinet Self-Extractor",
"file_version": "11.00.22688.1 (WinBuild.160101.0800)",
"internal_name": "Wextract",
"legal_copyright": "© Microsoft Corporation. All rights reserved.",
"original_filename": "WEXTRACT.EXE.MUI",
"product_name": "Internet Explorer",
"product_version": "11.00.22688.1"
},
"DOS Header": {
"e_magic": "MZ",
"e_cblp": "0x0090",
"e_cp": "0x0003",
"e_crlc": "0x0000",
"e_cparhdr": "0x0004",
"e_minalloc": "0x0000",
"e_maxalloc": "0xFFFF",
"e_ss": "0x0000",
"e_sp": "0x00B8",
"e_csum": "0x0000",
"e_ip": "0x0000",
"e_cs": "0x0000",
"e_ovno": "0x0000",
"e_oemid": "0x0000",
"e_oeminfo": "0x0000",
"e_lfanew": "0x000000E8"
},
"PE Header": {
"Signature": "PE",
"Machine": "IMAGE_FILE_MACHINE_AMD64",
"NumberofSections": 6,
"TimeDateStamp": "2016-Aug-20 04:34:21",
"PointerToSymbolTable": "0x00000000",
"NumberOfSymbols": 0,
"SizeOfOptionalHeader": "0x00F0",
"Characteristics": [
"IMAGE_FILE_EXECUTABLE_IMAGE",
"IMAGE_FILE_LARGE_ADDRESS_AWARE"
]
},
"Image Optional Header": {
"Magic": "PE32+",
"LinkerVersion": "14.0",
"SizeOfCode": "0x00007C00",
"SizeOfInitializedData": "0x0026D800",
"SizeOfUninitializedData": "0x00000000",
"AddressOfEntryPoint": "0x0000000000008200",
"BaseOfCode": "0x00001000",
"ImageBase": "0x0000000140000000",
"SectionAlignment": "0x00001000",
"FileAlignment": "0x00000200",
"OperatingSystemVersion": "A.0",
"ImageVersion": "A.0",
"SubsystemVersion": "6.0",
"Win32VersionValue": "0",
"SizeOfImage": "0x0027B000",
"SizeOfHeaders": "0x00000400",
"Checksum": "0x0027F3E6",
"Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"DllCharacteristics": [
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_GUARD_CF",
"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
],
"SizeofStackReserve": "0x0000000000080000",
"SizeofStackCommit": "0x0000000000002000",
"SizeofHeapReserve": "0x0000000000100000",
"SizeofHeapCommit": "0x0000000000001000",
"LoaderFlags": "0x00000000",
"NumberOfRvaAndSizes": "16"
},
"Sections": {
"sections": [
{
"name": ".text",
"VirtualSize": "0x00007B80",
"VirtualAddress": "0x00001000",
"SizeOfRawData": "0x00007C00",
"PointerToRawData": "0x00000400",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 6.09647
},
{
"name": ".rdata",
"VirtualSize": "0x000022C8",
"VirtualAddress": "0x00009000",
"SizeOfRawData": "0x00002400",
"PointerToRawData": "0x00008000",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 4.72784
},
{
"name": ".data",
"VirtualSize": "0x00001F00",
"VirtualAddress": "0x0000C000",
"SizeOfRawData": "0x00000400",
"PointerToRawData": "0x0000A400",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ",
"IMAGE_SCN_MEM_WRITE"
],
"Entropy": 3.18898
},
{
"name": ".pdata",
"VirtualSize": "0x00000408",
"VirtualAddress": "0x0000E000",
"SizeOfRawData": "0x00000600",
"PointerToRawData": "0x0000A800",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 3.15637
},
{
"name": ".rsrc",
"VirtualSize": "0x0026A616",
"VirtualAddress": "0x0000F000",
"SizeOfRawData": "0x0026A800",
"PointerToRawData": "0x0000AE00",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 7.74936
},
{
"name": ".reloc",
"VirtualSize": "0x00000020",
"VirtualAddress": "0x0027A000",
"SizeOfRawData": "0x00000200",
"PointerToRawData": "0x00275600",
"PointerToRelocations": "0x00000000",
"PointerToLineNumbers": "0x00000000",
"NumberOfLineNumbers": 0,
"NumberOfRelocations": 0,
"Characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"Entropy": 0.406847
}
]
},
"Imports": {
"entities": {
"dlls": [
"ADVAPI32.dll",
"KERNEL32.dll",
"GDI32.dll",
"USER32.dll",
"msvcrt.dll",
"COMCTL32.dll",
"Cabinet.dll",
"VERSION.dll"
],
"functions": {
"ADVAPI32.dll": [
"GetTokenInformation",
"RegDeleteValueA",
"RegOpenKeyExA",
"RegQueryInfoKeyA",
"FreeSid",
"OpenProcessToken",
"RegSetValueExA",
"RegCreateKeyExA",
"LookupPrivilegeValueA",
"AllocateAndInitializeSid",
"RegQueryValueExA",
"EqualSid",
"RegCloseKey",
"AdjustTokenPrivileges"
],
"KERNEL32.dll": [
"_lopen",
"_llseek",
"CompareStringA",
"GetLastError",
"GetFileAttributesA",
"GetSystemDirectoryA",
"LoadLibraryA",
"DeleteFileA",
"GlobalAlloc",
"GlobalFree",
"CloseHandle",
"WritePrivateProfileStringA",
"IsDBCSLeadByte",
"GetWindowsDirectoryA",
"SetFileAttributesA",
"GetProcAddress",
"GlobalLock",
"LocalFree",
"RemoveDirectoryA",
"FreeLibrary",
"_lclose",
"CreateDirectoryA",
"GetPrivateProfileIntA",
"GetPrivateProfileStringA",
"GlobalUnlock",
"ReadFile",
"SizeofResource",
"WriteFile",
"GetDriveTypeA",
"LoadLibraryExA",
"SetFileTime",
"SetFilePointer",
"FindResourceA",
"CreateMutexA",
"GetVolumeInformationA",
"WaitForSingleObject",
"GetCurrentDirectoryA",
"FreeResource",
"GetVersion",
"SetCurrentDirectoryA",
"GetTempPathA",
"LocalFileTimeToFileTime",
"CreateFileA",
"SetEvent",
"TerminateThread",
"GetVersionExA",
"LockResource",
"GetSystemInfo",
"CreateThread",
"ResetEvent",
"LoadResource",
"ExitProcess",
"GetModuleHandleW",
"CreateProcessA",
"FormatMessageA",
"GetTempFileNameA",
"DosDateTimeToFileTime",
"CreateEventA",
"GetExitCodeProcess",
"ExpandEnvironmentStringsA",
"LocalAlloc",
"lstrcmpA",
"FindNextFileA",
"GetCurrentProcess",
"FindFirstFileA",
"GetModuleFileNameA",
"GetShortPathNameA",
"Sleep",
"GetStartupInfoW",
"RtlCaptureContext",
"RtlLookupFunctionEntry",
"RtlVirtualUnwind",
"UnhandledExceptionFilter",
"SetUnhandledExceptionFilter",
"TerminateProcess",
"QueryPerformanceCounter",
"GetCurrentProcessId",
"GetCurrentThreadId",
"GetSystemTimeAsFileTime",
"GetTickCount",
"EnumResourceLanguagesA",
"GetDiskFreeSpaceA",
"MulDiv",
"FindClose"
],
"GDI32.dll": [
"GetDeviceCaps"
],
"USER32.dll": [
"ShowWindow",
"MsgWaitForMultipleObjects",
"SetWindowPos",
"GetDC",
"GetWindowRect",
"DispatchMessageA",
"GetSystemMetrics",
"CallWindowProcA",
"SetWindowTextA",
"MessageBoxA",
"SendDlgItemMessageA",
"SendMessageA",
"GetDlgItem",
"DialogBoxIndirectParamA",
"GetWindowLongPtrA",
"SetWindowLongPtrA",
"SetForegroundWindow",
"ReleaseDC",
"EnableWindow",
"CharNextA",
"LoadStringA",
"CharPrevA",
"EndDialog",
"MessageBeep",
"ExitWindowsEx",
"SetDlgItemTextA",
"CharUpperA",
"GetDesktopWindow",
"PeekMessageA",
"GetDlgItemTextA"
],
"msvcrt.dll": [
"?terminate@@YAXXZ",
"_commode",
"_fmode",
"_acmdln",
"__C_specific_handler",
"memset",
"__setusermatherr",
"_ismbblead",
"_cexit",
"_exit",
"exit",
"__set_app_type",
"__getmainargs",
"_amsg_exit",
"_XcptFilter",
"memcpy_s",
"_vsnprintf",
"_initterm",
"memcpy"
],
"COMCTL32.dll": [
"#17"
],
"Cabinet.dll": [
"#20",
"#21",
"#23",
"#22"
],
"VERSION.dll": [
"VerQueryValueA",
"GetFileVersionInfoSizeA",
"GetFileVersionInfoA"
]
},
"resources": [
{
"id": "3001",
"type": "AVI",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 11802,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.52241,
"detected_filetype": "AVI Resource Interchange File Format",
"detected_filetype_2": "Windows animated cursor"
},
{
"id": "1",
"type": "RT_ICON",
"language": "English - United States",
"codepage": "UNKNOWN",
"size": 278568,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 6.16766
},
{
"id": "2",
"type": "RT_ICON",
"language": "English - United States",
"codepage": "UNKNOWN",
"size": 278568,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 6.16766
},
{
"id": "3",
"type": "RT_ICON",
"language": "English - United States",
"codepage": "UNKNOWN",
"size": 17448,
"timedatestamp": "1980-Jan-01 00:00:00",
"entropy": 6.135
},
{
"id": "2001",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 754,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.25575
},
{
"id": "2002",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 432,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.16025
},
{
"id": "2003",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 358,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.99713
},
{
"id": "2004",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 448,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.11992
},
{
"id": "2005",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 304,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.97326
},
{
"id": "2006",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 288,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.97672
},
{
"id": "63",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 140,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.48958
},
{
"id": "76",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1312,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.2674
},
{
"id": "77",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1484,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.29977
},
{
"id": "80",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1200,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.27174
},
{
"id": "83",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1098,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.2912
},
{
"id": "85",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 974,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.13591
},
{
"id": "ADMQCMD",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.80735
},
{
"id": "CABINET",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1932347,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 7.99986,
"detected_filetype": "CAB Installer file"
},
{
"id": "EXTRACTOPT",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 0.811278
},
{
"id": "FILESIZES",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 36,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.6383
},
{
"id": "FINISHMSG",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.80735
},
{
"id": "LICENSE",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.80735
},
{
"id": "PACKINSTSPACE",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 0
},
{
"id": "POSTRUNPROGRAM",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 45,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 4.37171
},
{
"id": "REBOOT",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 0
},
{
"id": "RUNPROGRAM",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 24,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.26789
},
{
"id": "SHOWWINDOW",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 0.811278
},
{
"id": "TITLE",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 10,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.84644
},
{
"id": "UPROMPT",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.80735
},
{
"id": "USRQCMD",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.80735
},
{
"id": "3000",
"type": "RT_GROUP_ICON",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 48,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 2.22035,
"detected_filetype": "Icon file"
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1032,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 3.38987
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 2022,
"timedatestamp": "2059-Dec-25 05:41:58",
"entropy": 5.00142
}
],
"version_info": {
"resource_langid": "English - United States",
"vs_version_info": {
"signature": "0xFEEF04BD",
"structversion": "0x00010000",
"fileversion": "11.0.22688.1",
"productversion": "11.0.22688.1",
"fileflags": "(EMPTY)",
"fileos": [
"VOS_DOS_WINDOWS32",
"VOS_NT",
"VOS_NT_WINDOWS32",
"VOS_WINCE",
"VOS__WINDOWS32"
],
"filetype": "VFT_APP",
"language": "English - United States",
"companyname": "Microsoft Corporation",
"filedescription": "Win32 Cabinet Self-Extractor",
"fileversion_2": "11.00.22688.1 (WinBuild.160101.0800)",
"internalname": "Wextract",
"legalcopyright": "© Microsoft Corporation. All rights reserved.",
"originalfilename": "WEXTRACT.EXE .MUI",
"productname": "Internet Explorer",
"productversion_2": "11.00.22688.1"
}
},
"debug_info": [
{
"type": "IMAGE_DEBUG_TYPE_CODEVIEW",
"characteristics": 0,
"timedatestamp": "2062-Jul-25 12:18:00",
"version": "0.0",
"sizeofdata": 37,
"addressofrawdata": "0x00009A64",
"pointertorawdata": "0x00008A64",
"referenced_file": "wextract.pdb"
},
{
"type": "IMAGE_DEBUG_TYPE_POGO",
"characteristics": 0,
"timedatestamp": "2062-Jul-25 12:18:00",
"version": "0.0",
"sizeofdata": 496,
"addressofrawdata": "0x00009A8C",
"pointertorawdata": "0x00008A8C"
},
{
"type": "UNKNOWN",
"characteristics": 0,
"timedatestamp": "2062-Jul-25 12:18:00",
"version": "0.0",
"sizeofdata": 36,
"addressofrawdata": "0x00009C7C",
"pointertorawdata": "0x00008C7C"
}
],
"load_configuration": {
"size": 280,
"timedatestamp": "1970-Jan-01 00:00:00",
"version": "0.0",
"globalflagsclear": "(EMPTY)",
"globalflagsset": "(EMPTY)",
"criticalsectiondefaulttimeout": 0,
"decommitfreeblockthreshold": "0x0000000000000000",
"decommittotalfreethreshold": "0x0000000000000000",
"lockprefixtable": "0x0000000000000000",
"maximumallocationsize": "0x0000000000000000",
"virtualmemorythreshold": "0x0000000000000000",
"processaffinitymask": "0x0000000000000000",
"processheapflags": "(EMPTY)",
"csdversion": 0,
"reserved1": "0x0000",
"editlist": "0x0000000000000000",
"securitycookie": "0x000000014000C008",
"guardcfcheckfunctionpointer": "0x0000000140009648",
"guardcfdispatchfunctionpointer": "0x0000000000000000",
"guardcffunctiontable": "0x0000000000000000",
"guardcffunctioncount": "0x0000000000000000",
"guardflags": "(EMPTY)",
"codeintegrity_flags": "0x0000",
"codeintegrity_catalog": "0x0000",
"codeintegrity_catalogoffset": "0x00000000",
"codeintegrity_reserved": "0x00000000",
"guardaddresstakeniatentrytable": "0x0000000000000000",
"guardaddresstakeniatentrycount": 0,
"guardlongjumptargettable": "0x0000000000000000",
"guardlongjumptargetcount": 0
},
"rich_header": {
"xor_key": "0x3690B900",
"unmarked_objects": 0,
"cpp_objects": 1,
"asm_objects": 2,
"c_objects": 18,
"imports": 17,
"total_imports": 160,
"c_objects_ltcg": 10,
"resource_objects": 1,
"linker": 1
},
"suspicious_strings": [
"rundll32.exe",
"CurrentVersion\\Run",
"Command.com"
],
"malicious_indicators": [
"LoadLibraryA",
"GetProcAddress",
"LoadLibraryExA",
"RegDeleteValueA",
"RegOpenKeyExA",
"RegQueryInfoKeyA",
"RegSetValueExA",
"RegCreateKeyExA",
"RegQueryValueExA",
"RegCloseKey",
"CreateProcessA",
"GetTempPathA",
"CreateFileA",
"OpenProcessToken",
"AdjustTokenPrivileges",
"GetDriveTypeA",
"GetVolumeInformationA",
"ExitWindowsEx"
],
"exploit_mitigation_techniques": [
"Stack Canary: enabled",
"SafeSEH: enabled (0 registered handlers)",
"ASLR: enabled",
"DEP: enabled",
"CFG: enabled"
]
}
},
"Exports": {},
"Resources": {
"entities": [
{
"id": "3001",
"type": "AVI",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 11802,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.52241,
"detected_filetype": "AVI Resource Interchange File Format",
"detected_filetype_2": "Windows animated cursor"
},
{
"id": "1",
"type": "RT_ICON",
"language": "English - United States",
"codepage": "UNKNOWN",
"size": 278568,
"time_date_stamp": "1980-01-01T00:00:00",
"entropy": 6.16766
},
{
"id": "2",
"type": "RT_ICON",
"language": "English - United States",
"codepage": "UNKNOWN",
"size": 278568,
"time_date_stamp": "1980-01-01T00:00:00",
"entropy": 6.16766
},
{
"id": "3",
"type": "RT_ICON",
"language": "English - United States",
"codepage": "UNKNOWN",
"size": 17448,
"time_date_stamp": "1980-01-01T00:00:00",
"entropy": 6.135
},
{
"id": "2001",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 754,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.25575
},
{
"id": "2002",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 432,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.16025
},
{
"id": "2003",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 358,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.99713
},
{
"id": "2004",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 448,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.11992
},
{
"id": "2005",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 304,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.97326
},
{
"id": "2006",
"type": "RT_DIALOG",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 288,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.97672
},
{
"id": "63",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 140,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.48958
},
{
"id": "76",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1312,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.2674
},
{
"id": "77",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1484,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.29977
},
{
"id": "80",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1200,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.27174
},
{
"id": "83",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1098,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.2912
},
{
"id": "85",
"type": "RT_STRING",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 974,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.13591
},
{
"id": "ADMQCMD",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.80735
},
{
"id": "CABINET",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1932347,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 7.99986,
"detected_filetype": "CAB Installer file"
},
{
"id": "EXTRACTOPT",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 0.811278
},
{
"id": "FILESIZES",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 36,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.6383
},
{
"id": "FINISHMSG",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.80735
},
{
"id": "LICENSE",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.80735
},
{
"id": "PACKINSTSPACE",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 0
},
{
"id": "POSTRUNPROGRAM",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 45,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 4.37171
},
{
"id": "REBOOT",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 0
},
{
"id": "RUNPROGRAM",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 24,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.26789
},
{
"id": "SHOWWINDOW",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 4,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 0.811278
},
{
"id": "TITLE",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 10,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.84644
},
{
"id": "UPROMPT",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.80735
},
{
"id": "USRQCMD",
"type": "RT_RCDATA",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 7,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.80735
},
{
"id": "3000",
"type": "RT_GROUP_ICON",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 48,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 2.22035,
"detected_filetype": "Icon file"
},
{
"id": "1 (#2)",
"type": "RT_VERSION",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 1032,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 3.38987
},
{
"id": "1 (#3)",
"type": "RT_MANIFEST",
"language": "English - United States",
"codepage": "Latin 1 / Western European",
"size": 2022,
"time_date_stamp": "2059-12-25T05:41:58",
"entropy": 5.00142
}
],
"version_info": {
"resource_lang_id": "English - United States",
"vs_version_info": {
"signature": "0xFEEF04BD",
"struct_version": "0x00010000",
"file_version": "11.0.22688.1",
"product_version": "11.0.22688.1",
"file_flags": "(EMPTY)",
"file_os": [
"VOS_DOS_WINDOWS32",
"VOS_NT",
"VOS_NT_WINDOWS32",
"VOS_WINCE",
"VOS__WINDOWS32"
],
"file_type": "VFT_APP",
"language": "English - United States",
"company_name": "Microsoft Corporation",
"file_description": "Win32 Cabinet Self-Extractor",
"file_version_2": "11.00.22688.1 (WinBuild.160101.0800)",
"internal_name": "Wextract",
"legal_copyright": "© Microsoft Corporation. All rights reserved.",
"original_filename": "WEXTRACT.EXE .MUI",
"product_name": "Internet Explorer",
"product_version_2": "11.00.22688.1"
}
}
},
"Debug Info": {
"debug_entries": [
{
"type": "IMAGE_DEBUG_TYPE_CODEVIEW",
"characteristics": 0,
"time_date_stamp": "2062-Jul-25 12:18:00",
"version": "0.0",
"size_of_data": 37,
"address_of_raw_data": "0x00009A64",
"pointer_to_raw_data": "0x00008A64",
"referenced_file": "wextract.pdb"
},
{
"type": "IMAGE_DEBUG_TYPE_POGO",
"characteristics": 0,
"time_date_stamp": "2062-Jul-25 12:18:00",
"version": "0.0",
"size_of_data": 496,
"address_of_raw_data": "0x00009A8C",
"pointer_to_raw_data": "0x00008A8C"
},
{
"type": "UNKNOWN",
"characteristics": 0,
"time_date_stamp": "2062-Jul-25 12:18:00",
"version": "0.0",
"size_of_data": 36,
"address_of_raw_data": "0x00009C7C",
"pointer_to_raw_data": "0x00008C7C"
}
]
},
"Load Configuration": {
"Size": 280,
"TimeDateStamp": "1970-Jan-01 00:00:00",
"Version": "0.0",
"GlobalFlagsClear": "",
"GlobalFlagsSet": "",
"CriticalSectionDefaultTimeout": 0,
"DeCommitFreeBlockThreshold": 0,
"DeCommitTotalFreeThreshold": 0,
"LockPrefixTable": 0,
"MaximumAllocationSize": 0,
"VirtualMemoryThreshold": 0,
"ProcessAffinityMask": 0,
"ProcessHeapFlags": "",
"CSDVersion": 0,
"Reserved1": 0,
"EditList": 0,
"SecurityCookie": "0x000000014000C008",
"GuardCFCheckFunctionPointer": "0x0000000140009648",
"GuardCFDispatchFunctionPointer": 0,
"GuardCFFunctionTable": 0,
"GuardCFFunctionCount": 0,
"GuardFlags": "",
"CodeIntegrity": {
"Flags": 0,
"Catalog": 0,
"CatalogOffset": 0,
"Reserved": 0
},
"GuardAddressTakenIatEntryTable": 0,
"GuardAddressTakenIatEntryCount": 0,
"GuardLongJumpTargetTable": 0,
"GuardLongJumpTargetCount": 0
},
"RICH Header": {
"xor_key": "0x3690B900",
"unmarked_objects": 0,
"cpp_objects": 1,
"asm_objects": 2,
"c_objects": 18,
"imports": 17,
"total_imports": 160,
"ltcg_c_objects": 10,
"resource_objects": 1,
"linker": 1,
"suspicious_strings": {
"system_tools": [
"rundll32.exe"
],
"dropper_capabilities": [
"CurrentVersion\\Run"
],
"domain_names": [
"Command.com"
]
},
"malicious_functions": {
"hidden_imports": [
"LoadLibraryA",
"GetProcAddress",
"LoadLibraryExA"
],
"registry_access": [
"RegDeleteValueA",
"RegOpenKeyExA",
"RegQueryInfoKeyA",
"RegSetValueExA",
"RegCreateKeyExA",
"RegQueryValueExA",
"RegCloseKey"
],
"process_creation": [
"CreateProcessA"
],
"temp_files": [
"GetTempPathA",
"CreateFileA"
],
"privilege_functions": [
"OpenProcessToken",
"AdjustTokenPrivileges"
],
"disk_enumeration": [
"GetDriveTypeA",
"GetVolumeInformationA"
],
"system_shutdown": [
"ExitWindowsEx"
]
},
"pe_modifications": {
"resource_cabinet": true,
"timestamp_mismatch": "2059-Dec-25 05:41:58",
"resource_percentage": 98.1524
},
"exploit_mitigations": {
"stack_canary": true,
"safe_seh": {
"enabled": true,
"handlers": 0
},
"aslr": true,
"dep": true,
"cfg": true
}
},
"Interesting strings found in the binary": {},
"file_path": "/home/apogean/projects/malware/windows/all_runs/3"
},
"exit_code": 0,
"output_file": "/tmp/sdm_manalyze_re990g1q/output.txt"
}
|
2026-04-27 00:24:29
|
||||||||||||||
69f0fbd759a6632dae07de67
|
c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227…
|
2026-04-28 23:56:31
|