Property | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_AMD64 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2015-Jul-10 03:18:47 |
Detected languages | English - United States |
Debug artifacts | msv1_0.pdb |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft Authentication Package v1.0 |
FileVersion | 10.0.10240.16384 (th1.150709-1700) |
InternalName | MSV1_0.DLL |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | MSV1_0.DLL |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 10.0.10240.16384 |

Level | Finding | Details |
---|---|---|
Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
Suspicious | The PE is possibly packed. | Unusual section name found: .didat |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Info | The PE is digitally signed. | Signer: Microsoft Windows; Issuer: Microsoft Windows Production PCA 2011 |
Safe | VirusTotal score: 0/71 (Scanned on 2019-05-18 08:12:24) | All the AVs think this file is safe. |

DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf8 |

PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_AMD64 |
NumberofSections | 7 |
TimeDateStamp | 2015-Jul-10 03:18:47 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xf0 |
Characteristics | IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |

Optional header field | Value |
---|---|
Magic | PE32+ |
LinkerVersion | 12.0 |
SizeOfCode | 0x46200 |
SizeOfInitializedData | 0x14c00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000000000016420 (Section: .text) |
BaseOfCode | 0x1000 |
ImageBase | 0x180000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | A.0 |
ImageVersion | A.0 |
SubsystemVersion | A.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x5f000 |
SizeOfHeaders | 0x400 |
Checksum | 0x66cf6 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT |
SizeofStackReserve | 0x40000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

Imported module | Imported functions |
---|---|
msvcrt.dll | memcmp, memcpy, _wcsicmp, strcpy_s, sprintf_s, _vsnprintf_s, wcsncat_s, wcscat_s, wcsncmp, wcscpy_s, wcsncpy_s, memmove, wcsrchr, towupper, strncmp, wcschr, _snwprintf_s, swprintf_s, _purecall, ??3@YAXPEAX@Z, _XcptFilter, _amsg_exit, free, _onexit, __dllonexit, _ultow, _wsplitpath_s, _unlock, _lock, __C_specific_handler, _initterm, malloc, memset |
api-ms-win-security-base-l1-2-0.dll | GetTokenInformation, CheckTokenMembership, RevertToSelf, AdjustTokenPrivileges, ImpersonateAnonymousToken |
api-ms-win-core-file-l1-2-1.dll | WriteFile, CreateFileW, FlushFileBuffers, CreateDirectoryW, CompareFileTime, SetFilePointer |
api-ms-win-core-libraryloader-l1-2-0.dll | GetModuleHandleW, GetModuleFileNameW, FreeLibrary, LoadLibraryExW, LoadLibraryExA, DisableThreadLibraryCalls, GetProcAddress |
api-ms-win-core-processthreads-l1-1-2.dll | GetCurrentProcessId, GetCurrentThread, OpenProcess, SetThreadToken, GetCurrentThreadId, SetThreadStackGuarantee, TerminateProcess, GetCurrentProcess |
api-ms-win-core-errorhandling-l1-1-1.dll | SetLastError, GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter |
api-ms-win-core-sysinfo-l1-2-1.dll | GetSystemTimeAsFileTime, GetTickCount, GetWindowsDirectoryW, GetComputerNameExW, GetVersionExW, GetLocalTime, GetSystemInfo |
api-ms-win-core-handle-l1-1-0.dll | CloseHandle |
api-ms-win-core-rtlsupport-l1-2-0.dll | RtlCompareMemory, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext |
api-ms-win-core-registry-l1-1-0.dll | RegCloseKey, RegOpenKeyExA, RegSetValueExW, RegOpenKeyExW, RegDeleteValueW, RegQueryValueExA, RegQueryValueExW, RegNotifyChangeKeyValue |
api-ms-win-core-debug-l1-1-1.dll | DebugBreak, IsDebuggerPresent |
bcrypt.dll | BCryptEncrypt, BCryptFinishHash, BCryptHashData, BCryptDestroyHash, BCryptExportKey, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptDuplicateKey, BCryptCreateHash, BCryptDestroyKey, BCryptImportKey, BCryptCloseAlgorithmProvider |
api-ms-win-core-heap-l2-1-0.dll | LocalFree, LocalAlloc |
api-ms-win-core-synch-l1-2-0.dll | Sleep, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, CreateEventW |
api-ms-win-core-processenvironment-l1-2-0.dll | ExpandEnvironmentStringsW, SetCurrentDirectoryW, GetCurrentDirectoryW |
api-ms-win-core-localization-l1-2-1.dll | FormatMessageW, FormatMessageA |
api-ms-win-core-psapi-l1-1-0.dll | QueryFullProcessImageNameW |
RPCRT4.dll | I_RpcMapWin32Status, RpcExceptionFilter, NdrClientCall3, RpcStringFreeW, RpcBindingFree, RpcStringBindingComposeW, RpcBindingFromStringBindingW |
api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter |
api-ms-win-security-activedirectoryclient-l1-1-0.dll | DsBindWithSpnExW, DsCrackNamesW, DsFreeNameResultW, DsUnBindW |
api-ms-win-core-threadpool-private-l1-1-0.dll | RegisterWaitForSingleObjectEx |
api-ms-win-core-threadpool-legacy-l1-1-0.dll | CreateTimerQueueTimer, ChangeTimerQueueTimer, UnregisterWaitEx, DeleteTimerQueueTimer |
api-ms-win-core-privateprofile-l1-1-1.dll | GetProfileIntW |
NtlmShared.dll | MsvpLm20GetNtlm3ChallengeResponse, MsvpCompareCredentials, MsvpCredentialToCachePasswords, MsvpDecryptDpapiMasterKey, MsvpUpdateSharedConfiguration, NtlmSharedInit, NtlmSharedFree, MsvpMakeSecretPasswordNT5, MsvpComputeSaltedHashedPassword, MsvpLm3Response, MsvpPutClearOwfsInPrimaryCredential, MsvpCachePasswordsToCredential, MsvpGMSACred, MsvpPasswordValidate |
ntdll.dll | RtlCheckTokenMembershipEx, RtlCopyUnicodeString, EtwEventWriteTransfer, NtAllocateLocallyUniqueId, RtlGetNtProductType, RtlAvlInsertNodeEx, RtlAvlRemoveNode, RtlIntegerToUnicodeString, NtDeleteValueKey, NtCreateKey, RtlDeleteResource, NtQueryValueKey, NtSetValueKey, NtOpenKey, NtQuerySystemInformation, WinSqmSetDWORD, EtwEventSetInformation, RtlUpperChar, EtwEventRegister, EtwEventUnregister, RtlFreeOemString, RtlInitializeCriticalSection, RtlCreateServiceSid, RtlUpcaseUnicodeStringToOemString, RtlOemStringToUnicodeString, RtlNtStatusToDosError, RtlCreateAcl, RtlSetDaclSecurityDescriptor, RtlAddAccessAllowedAce, NtOpenProcessToken, NtQueryInformationToken, NtSetSecurityObject, NtDuplicateObject, RtlCreateSecurityDescriptor, RtlNumberGenericTableElements, RtlGetElementGenericTable, RtlEnterCriticalSection, RtlDeleteElementGenericTable, NtQueryInformationProcess, RtlLookupElementGenericTable, RtlIpv6StringToAddressExW, RtlLeaveCriticalSection, NtDuplicateToken, NtOpenProcess, RtlInitializeGenericTable, RtlInsertElementGenericTable, RtlSystemTimeToLocalTime, RtlEqualString, RtlTimeToTimeFields, EtwEventEnabled, EtwEventWrite, NtSetEvent, RtlFreeHeap, RtlAllocateHeap, RtlImageNtHeader, RtlAppendUnicodeStringToString, NtOpenEvent, RtlPrefixUnicodeString, EtwEventActivityIdControl, RtlConvertSharedToExclusive, NtWaitForSingleObject, RtlAppendUnicodeToString, RtlCopySid, RtlUpcaseUnicodeString, EtwGetTraceLoggerHandle, EtwUnregisterTraceGuids, EtwRegisterTraceGuidsW, EtwGetTraceEnableFlags, EtwGetTraceEnableLevel, RtlAcquireResourceExclusive, RtlIntegerToChar, RtlInitializeResource, RtlLengthSid, RtlSubAuthorityCountSid, RtlInitializeSid, EtwLogTraceEvent, RtlEqualSid, RtlDowncaseUnicodeString, NtQuerySystemTime, RtlIdentifierAuthoritySid, WinSqmIncrementDWORD, RtlLengthRequiredSid, RtlSubAuthoritySid, RtlAcquireResourceShared, NtFilterToken, RtlAllocateAndInitializeSid, RtlDuplicateUnicodeString, RtlReleaseResource, NtClose, RtlImpersonateSelf, NtSetInformationThread, RtlFreeUnicodeString, RtlEqualDomainName, RtlEqualUnicodeString, NtOpenThreadToken, RtlFreeSid, RtlRunDecodeUnicodeString, RtlEraseUnicodeString, EtwTraceMessage, RtlInitString, RtlInitUnicodeString, NtCreateEvent |
cryptdll.dll | CDLocateCheckSum, aesCTSDecryptMsg, HMACwithSHA, aesCTSEncryptMsg |
api-ms-win-eventing-controller-l1-1-0.dll | StartTraceW, ControlTraceW, EnableTraceEx2 |
api-ms-win-core-memory-l1-1-2.dll | UnmapViewOfFile, VirtualQuery, VirtualProtect, OpenFileMappingW, CreateFileMappingW, VirtualAlloc, MapViewOfFileEx |
api-ms-win-core-file-l2-1-1.dll | MoveFileExW |
api-ms-win-core-version-l1-1-0.dll | GetFileVersionInfoExW, GetFileVersionInfoSizeExW, VerQueryValueW |
api-ms-win-core-delayload-l1-1-1.dll | ResolveDelayLoadedAPI, DelayLoadFailureHook |
NETLOGON.dll (delay-loaded) | NetILogonSamLogon, I_NetLogonMixedDomain |

Delay-load import descriptor field | Value |
---|---|
Attributes | 0x1 |
Name | NETLOGON.dll |
ModuleHandle | 0x55ac0 |
DelayImportAddressTable | 0x5b1d0 |
DelayImportNameTable | 0x50ba0 |
BoundDelayImportTable | 0x51960 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 |

Ordinal | Address |
---|---|
1 | 0x14fa0 |
2 | 0xe950 |
3 | 0x14550 |
4 | 0x11d30 |
5 | 0x3d160 |
6 | 0x12230 |
7 | 0x2b7a0 |
8 | 0x2b7f0 |
9 | 0x156a0 |
10 | 0x1030 |
11 | 0x12bf0 |
12 | 0x32940 |
13 | 0x32a50 |
14 | 0x2f200 |
15 | 0x2f210 |
16 | 0x2f220 |
17 | 0x2f620 |
32 | 0x10b00 |

Version resource field | Value |
---|---|
Signature | 0xfeef04bd |
StructVersion | 0x10000 |
FileVersion | 10.0.10240.16384 |
ProductVersion | 10.0.10240.16384 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_DLL |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft Authentication Package v1.0 |
FileVersion (#2) | 10.0.10240.16384 (th1.150709-1700) |
InternalName | MSV1_0.DLL |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | MSV1_0.DLL |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 10.0.10240.16384 |
Resource LangID | English - United States |

Debug directory entry 1 | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2015-Jul-10 03:18:47 |
Version | 0.0 |
SizeofData | 35 |
AddressOfRawData | 0x4d2d8 |
PointerToRawData | 0x4b8d8 |
Referenced File | msv1_0.pdb |

Debug directory entry 2 | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2015-Jul-10 03:18:47 |
Version | 0.0 |
SizeofData | 1416 |
AddressOfRawData | 0x4d310 |
PointerToRawData | 0x4b910 |

Load configuration field | Value |
---|---|
Size | 0xa0 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x180055010 |
GuardCFCheckFunctionPointer | 6442748224 |
GuardCFDispatchFunctionPointer | 0 |
GuardCFFunctionTable | 0 |
GuardCFFunctionCount | 0 |
GuardFlags | (EMPTY) |
CodeIntegrity.Flags | 0 |
CodeIntegrity.Catalog | 0 |
CodeIntegrity.CatalogOffset | 0 |
CodeIntegrity.Reserved | 0 |
GuardAddressTakenIatEntryTable | 0 |
GuardAddressTakenIatEntryCount | 0 |
GuardLongJumpTargetTable | 0 |
GuardLongJumpTargetCount | 0 |

Rich header entry | Value |
---|---|
XOR Key | 0x1f08ece7 |
Unmarked objects | 0 |
Imports (VS2008 SP1 build 30729) | 54 |
242 (40116) | 12 |
241 (40116) | 3 |
Total imports | 391 |
239 (40116) | 9 |
238 (40116) | 1 |
251 (40116) | 39 |
Imports (40116) | 1 |
240 (40116) | 1 |