030bfbea61413f2af1196d957cb5dec0

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2013-Aug-22 10:19:59
Detected languages English - United States
Debug artifacts aaedge.pdb
CompanyName Microsoft Corporation
FileDescription Anywhere Access Edge
FileVersion 6.3.9600.16384 (winblue_rtm.130821-1623)
InternalName aaedge.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename aaedge.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.3.9600.16384

Plugin Output

Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malwares. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
  • CryptAcquireCertificatePrivateKey
  • CryptStringToBinaryA
  • CryptSignMessage
  • CryptVerifyMessageSignature
  • CryptDecryptMessage
  • CryptBinaryToStringW
Leverages the raw socket API to access the Internet:
  • WSASocketW
  • #8
  • #9
  • #14
  • WSAAddressToStringW
  • #116
  • #111
  • #115
  • #21
  • #2
  • #3
  • FreeAddrInfoW
  • GetAddrInfoW
  • GetNameInfoW
  • WSAStringToAddressW
  • InetNtopW
  • WSAIoctl
Functions related to the privilege level:
  • DuplicateToken
  • CheckTokenMembership
  • DuplicateTokenEx
  • OpenProcessToken
Interacts with the certificate store:
  • CertOpenStore
Safe VirusTotal score: 0/65 (Scanned on 2017-11-13 17:06:55) All the AVs think this file is safe.

Hashes

MD5 030bfbea61413f2af1196d957cb5dec0
SHA1 232787cc600ac7bec19a630d37ab76a360625dfd
SHA256 d258a1c4952d5058fe4b5c6295e6d678dee70e829f88ddc9d91c70a4fca74829
SHA3 1462544fe9dfcc865abde53d266b327ac5762092cef22b05c905f0e3d1f080e8
SSDeep 12288:hoSOExXjV5FfRJWcE4T6HWGGYFzdm4kcmbOsYBVD9MbqV0I0mq5qC:hoCx55FfjzmHWGGuzdwOsmVD9MbqV0I
Imports Hash 59c6c4c3fd09369a8c6dbfd7c2b35e02

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2013-Aug-22 10:19:59
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 11.3
SizeOfCode 0x96e00
SizeOfInitializedData 0xd400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x902f4 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x180000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.3
ImageVersion 6.3
SubsystemVersion 6.3
Win32VersionValue 0
SizeOfImage 0xa8000
SizeOfHeaders 0x400
Checksum 0xaa30b
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 71e01231c7fa4e6fde47e2eddc636c08
SHA1 43e1d0be2db0e4798293984ef1089f3bedbeb6fc
SHA256 7d13f98fe22e8fffd92683f20522175ff3d6994d7d019bf71a51d1749c705e00
SHA3 b8efd2559105efc862acc56b834686fc9cffb5d53c99f61403bcf0bb9841b0df
VirtualSize 0x96cd9
VirtualAddress 0x1000
SizeOfRawData 0x96e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.39044

.data

MD5 b5abde93433369533283d304e5a018eb
SHA1 fc5d3f9b4376f7a226e121a32274270f1c9bb172
SHA256 c8b31f5716c52b072b091f70d9b249dacda2986c2829e80c073818944d6cacd5
SHA3 238c47c78f29cf4dd314a168c8bae2ac5d7f5b804609668ac949d7f02dd4fb2d
VirtualSize 0x1470
VirtualAddress 0x98000
SizeOfRawData 0x800
PointerToRawData 0x97200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.27161

.pdata

MD5 87d2b7e0419fc3af9eeace9acbfa5c80
SHA1 df4cdf1f489fdf698b5efb6f4da2712f090ee38f
SHA256 48b07348ada78e5dcbb038f52bb2fb061ae523d253189f6eb18eeb87af003830
SHA3 e17c858240e5b21fc7417707b3a1892b6bf769d68b3d4dd057af79394a2e5d48
VirtualSize 0x3390
VirtualAddress 0x9a000
SizeOfRawData 0x3400
PointerToRawData 0x97a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.80522

.idata

MD5 746b6fa25a5fc3bebed93981f9a7b36d
SHA1 9b89470c4bca80db0b9f004269bcc1b41fc8d2fc
SHA256 9f4414cb9921f2a1a80e8089408e34c84c1ca083ad567436e7152e14e41aa60c
SHA3 6c8c1c9e87f240055e92489c7555064b80664e18eda9dd5b09c9acf13f4368bc
VirtualSize 0x358a
VirtualAddress 0x9e000
SizeOfRawData 0x3600
PointerToRawData 0x9ae00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.76871

.rsrc

MD5 0cf2844d2d7e17edf429f77a33a8a6ff
SHA1 d247f15bd4abc413b078ed526c8747120740f4f1
SHA256 45bff201f5cf90c53597d229eb034e8c2939059890f98ea5a60592ec7a8c4dcb
SHA3 d943c931ae6e867e5e5649e2bdeb436d384e23e8c3069133042ae4bbc9e5a144
VirtualSize 0x3df8
VirtualAddress 0xa2000
SizeOfRawData 0x3e00
PointerToRawData 0x9e400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.87323

.reloc

MD5 b437bcbc95670fbc8df89e3719088595
SHA1 229cd114643fed0e53594179888b646d50eea6a7
SHA256 396245f8618960930c6108b125b8c1b16e39ffe6ec79ba2c701fc6ccabe31085
SHA3 da046686280c38c0470a25ad7c6b5f19e83a4d7ddcf049de56c1d74123e8428f
VirtualSize 0x14ec
VirtualAddress 0xa6000
SizeOfRawData 0x1600
PointerToRawData 0xa2200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.00075

Imports

msvcrt.dll memcpy_s
wcstok
wcsstr
?terminate@@YAXXZ
wcschr
_itow
_ui64tow
_wtoi
wcsrchr
_stricmp
_beginthreadex
memset
memcpy
memcmp
_wcsicmp
strchr
wcstok_s
swscanf_s
_ultow
vswprintf_s
memmove_s
??0exception@@QEAA@XZ
ldiv
??0exception@@QEAA@AEBQEBD@Z
_aligned_malloc
_aligned_free
_ui64tow_s
wcsncat_s
wcsncpy_s
_purecall
memmove
wcscpy_s
strncmp
_vsnprintf
_strcmpi
_strnicmp
atoi
wcsncmp
__CxxFrameHandler3
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
__C_specific_handler
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
malloc
free
_vsnwprintf
calloc
wcscmp
WS2_32.dll WSASocketW
#8
#9
#14
WSAAddressToStringW
#116
#111
#115
#21
#2
#3
FreeAddrInfoW
GetAddrInfoW
GetNameInfoW
WSAStringToAddressW
InetNtopW
WSAIoctl
KERNEL32.dll VerSetConditionMask
LoadLibraryExW
TerminateProcess
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
ResetEvent
EnterCriticalSection
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
GetProcessHeap
GetModuleHandleExW
HeapFree
LocalReAlloc
CreateTimerQueue
DeleteTimerQueueEx
SystemTimeToTzSpecificLocalTime
CompareFileTime
GetFileAttributesExW
ReadFile
InitializeSListHead
InitializeSRWLock
InterlockedPopEntrySList
InterlockedFlushSList
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InterlockedPushEntrySList
CreateThreadpoolIo
StartThreadpoolIo
HeapAlloc
WaitForThreadpoolIoCallbacks
CloseThreadpoolIo
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
WaitForSingleObject
QueryPerformanceCounter
Sleep
UnregisterWait
SetEvent
CloseHandle
SetLastError
GetCurrentProcess
CreateEventW
GetCurrentThread
GetSystemTime
SystemTimeToFileTime
OutputDebugStringA
PostQueuedCompletionStatus
ExpandEnvironmentStringsW
CreateTimerQueueTimer
DeleteTimerQueueTimer
RegisterWaitForSingleObject
UnregisterWaitEx
CreateIoCompletionPort
GetQueuedCompletionStatus
IsBadWritePtr
SetWaitableTimer
CreateWaitableTimerW
GetVersionExW
GetComputerNameExW
DeleteFileW
ChangeTimerQueueTimer
MoveFileW
FindFirstFileW
FindNextFileW
FindClose
GetFileAttributesW
CreateDirectoryW
GetLastError
SetUnhandledExceptionFilter
GetModuleHandleExA
GetProcAddress
FreeLibrary
DisableThreadLibraryCalls
TryEnterCriticalSection
GetComputerNameW
WideCharToMultiByte
LoadLibraryW
CreateFileW
SwitchToThread
GetTickCount64
CreateThread
DeleteCriticalSection
GetSystemInfo
GetCurrentProcessId
LocalAlloc
GetModuleHandleW
lstrcmpiW
LocalFree
WaitForMultipleObjects
CancelThreadpoolIo
MultiByteToWideChar
ADVAPI32.dll ConvertSidToStringSidW
LookupAccountNameW
PerfStopProvider
PerfStartProvider
PerfSetCounterSetInfo
PerfCreateInstance
PerfSetCounterRefValue
EventUnregister
EventWrite
EventRegister
RegNotifyChangeKeyValue
RegDeleteKeyW
RegQueryInfoKeyW
DuplicateToken
IsValidSid
RegGetValueW
RegEnumValueW
RegEnumKeyExW
RegSetValueExW
RegCreateKeyExW
LookupAccountSidW
EqualSid
GetTokenInformation
OpenThreadToken
CheckTokenMembership
CreateWellKnownSid
ControlTraceW
StartTraceW
RegDeleteValueW
EnableTraceEx2
CopySid
GetLengthSid
DuplicateTokenEx
CryptReleaseContext
IsTextUnicode
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
EventActivityIdControl
OpenProcessToken
SetServiceStatus
RegisterServiceCtrlHandlerW
TraceMessage
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
OLEAUT32.dll #6
#9
#4
#2
#7
#23
#24
#149
#8
#150
AUTHZ.dll AuthzFreeResourceManager
AuthzFreeContext
AuthzGetInformationFromContext
AuthzInitializeContextFromSid
AuthzInitializeResourceManager
ntdll.dll RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
RtlVerifyVersionInfo
RtlGetLastNtStatus
NtDuplicateObject
WinSqmSetDWORD
Secur32.dll GetComputerObjectNameW
FreeCredentialsHandle
SetContextAttributesW
InitializeSecurityContextW
InitSecurityInterfaceW
QuerySecurityPackageInfoW
QueryContextAttributesW
EncryptMessage
FreeContextBuffer
AcquireCredentialsHandleW
DecryptMessage
GetUserNameExW
AcceptSecurityContext
DeleteSecurityContext
ole32.dll IIDFromString
CoInitializeEx
StringFromGUID2
CLSIDFromString
CoCreateInstance
CoInitialize
CoUninitialize
CoCreateGuid
CRYPT32.dll CertCloseStore
CertFindCertificateInStore
CertOpenStore
CryptAcquireCertificatePrivateKey
CertGetCertificateContextProperty
CryptStringToBinaryA
CertFreeCertificateContext
CryptSignMessage
CryptVerifyMessageSignature
CertGetEnhancedKeyUsage
CertGetCertificateChain
CertFreeCertificateChain
CryptDecryptMessage
CryptBinaryToStringW
NETAPI32.dll DsRoleFreeMemory
DsGetDcNameW
NetApiBufferFree
DsRoleGetPrimaryDomainInformation
SLC.dll SLRegisterWindowsEvent
VSSAPI.DLL CreateWriter
SHLWAPI.dll PathFindFileNameW
ACTIVEDS.dll #9
#17
#13
#6
#4
#15
#3
#18
#5
WLDAP32.dll #73
#170
#41
#26
#79
#14
#16
#18
#46
#142
#210
ualapi.dll UalStop
UalInstrument
UalStart
UalRegisterProduct
RPCRT4.dll I_RpcAsyncSetHandle
RpcRevertToSelf
RpcAsyncInitializeHandle
RpcServerInqCallAttributesW
I_RpcGetBuffer
RpcServerSubscribeForNotification
RpcServerUnsubscribeForNotification
RpcMgmtWaitServerListen
I_RpcReallocPipeBuffer
I_RpcSend
RpcImpersonateClient
RpcServerUnregisterIfEx
RpcAsyncAbortCall
RpcSsContextLockExclusive
RpcBindingInqAuthClientW
NdrAsyncServerCall
RpcServerTestCancel
NdrServerCall2
NdrServerCallAll
RpcAsyncCompleteCall
I_RpcExceptionFilter
NDRSContextUnmarshall2
NDRSContextMarshall2
RpcBindingSetOption
RpcBindingVectorFree
RpcMgmtStopServerListening
RpcRaiseException
RpcCertGeneratePrincipalNameW
RpcStringFreeW
RpcServerRegisterAuthInfoW
RpcServerInqDefaultPrincNameW
RpcServerRegisterIfEx
I_RpcServerUseProtseqEp2W
RpcServerUseProtseqEpExW
RpcServerListen
RpcEpRegisterW
RpcBindingFree
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcBindingServerFromClient
RpcFreeAuthorizationContext
RpcServerInqBindings
RpcGetAuthorizationContextForClient
HTTPAPI.dll HttpQueryServiceConfiguration
HttpWaitForDisconnect
HttpCancelHttpRequest
HttpSendHttpResponse
HttpTerminate
HttpCloseServerSession
HttpCloseRequestQueue
HttpShutdownRequestQueue
HttpCloseUrlGroup
HttpRemoveUrlFromUrlGroup
HttpReceiveRequestEntityBody
HttpSendResponseEntityBody
HttpReceiveHttpRequest
HttpSetUrlGroupProperty
HttpCreateRequestQueue
HttpAddUrlToUrlGroup
HttpCreateUrlGroup
HttpSetServerSessionProperty
HttpCreateServerSession
HttpInitialize

Delayed Imports

StandAloneMain

Ordinal 1
Address 0x15ce0

AddProtocolProcessor

Ordinal 2
Address 0x15d08

InitializeTestHooks

Ordinal 3
Address 0x15d14

ServiceMain

Ordinal 4
Address 0x15c9c

OpenKeyReader

Ordinal 5
Address 0x15d30

OpenKeyReaderWriter

Ordinal 6
Address 0x15d3c

SvchostPushServiceGlobals

Ordinal 7
Address 0x161a4

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xf0
Entropy 2.77324
MD5 4f51bdf27c7ac013cb9acca125d78deb
SHA1 21fd7cb24a08f1b8f1450d2549b5ac372569eb2e
SHA256 1b0f71059ec4d39f1c8a91ac8840157449b0bfa0717771fd6280d7a50df1affb
SHA3 10d023d9347ff102615a0f96f96bfee9ffb5690218636f84c9d32cfff8c08824

1 (#2)

Type WEVT_TEMPLATE
Language English - United States
Codepage UNKNOWN
Size 0x385a
Entropy 3.87717
MD5 c5b16c013a6dc733b945f99411807f1b
SHA1 1b7636c590ddfcc8059c1acba6d96b28819ebb3d
SHA256 443c04164135d9206b228fc0d471e719168da0468b6f74384f960b5d98e37cb0
SHA3 8d838f046bc4a36fb99a51dc0fff462031643a0b8817a1ea70bda0345522d768

1 (#3)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x398
Entropy 3.52917
MD5 579eff6682fa061069ace7df9c24036d
SHA1 b0a083babc3fa9b7dfa9f5c5688014a5d6470824
SHA256 ecf91b9631381073aad5899b8815c1ac647249faefda5c5d2ae4df677e737a42
SHA3 2313ac73000e42fc212a19e76356bbf02406cdc3c58c8cfae46af6a81516067d

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.3.9600.16384
ProductVersion 6.3.9600.16384
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription Anywhere Access Edge
FileVersion (#2) 6.3.9600.16384 (winblue_rtm.130821-1623)
InternalName aaedge.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename aaedge.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.3.9600.16384
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2013-Aug-22 10:19:59
Version 0.0
SizeofData 35
AddressOfRawData 0x15964
PointerToRawData 0x14d64
Referenced File aaedge.pdb

TLS Callbacks

Load Configuration

Size 0x94
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x180098008
SEHandlerTable 0
SEHandlerCount 0

Errors