1b7c7a9aebe3886858555decae789b2f

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2009-Jul-14 01:09:45
Detected languages English - United States
Debug artifacts nsi.pdb
CompanyName Microsoft Corporation
FileDescription NSI User-mode interface DLL
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName nsi.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename nsi.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385

Plugin Output

Suspicious The PE contains functions most legitimate programs don't use. Uses Windows's Native API:
  • NtDeviceIoControlFile
  • NtWaitForSingleObject
Safe VirusTotal score: 0/69 (Scanned on 2020-12-18 05:02:29) All the AVs think this file is safe.

Hashes

MD5 1b7c7a9aebe3886858555decae789b2f
SHA1 5f2480603991d6eb27d48e9475a4db9af1a6b556
SHA256 d7801c0934182066a06434147279e4b83f39b7ee97263e86d68b22b07585cd1f
SHA3 23793dd122582938041a14d221854cd65b9405c37c6112c524d2d98254cb9e26
SSDeep 192:U2CxpNkN9kUlwvT3UXJb3dkXy4IG8vfiMXWXnVW:+3I5BkXEG8iMXWXnVW
Imports Hash 8b44b0a7cddc55804a3a1fb89e57947b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2009-Jul-14 01:09:45
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.1
SizeOfCode 0x1600
SizeOfInitializedData 0x800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001782 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x3000
ImageBase 0x75be0000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.1
ImageVersion 6.1
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0x6000
SizeOfHeaders 0x400
Checksum 0x4fe4
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 761deb8dda63e0d8daf8300415431434
SHA1 b0f5848a69e7f13abd66cb30c0028d50eef655bb
SHA256 2f317795b088e25d1e15d9633583987888085db67580b97aa2b8f47ab635152e
SHA3 a4c745bd5375126c2e44c3f292fe20ce815e323461fce5381ce484a03f3729b6
VirtualSize 0x15f8
VirtualAddress 0x1000
SizeOfRawData 0x1600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.19704

.data

MD5 b16f83eae6baec8ba55629b09fcb2c4d
SHA1 959bd923d6a5d68fe0829fcb9c8b1ca1c3b05b72
SHA256 ae1e7d568c4dd21186f450e117c62c72685eada43dae23fb99546a473e30ac58
SHA3 7487765daa7ac2f85d92755a8fdc4135489e2714981e673e1786bc63292d2ec9
VirtualSize 0x10
VirtualAddress 0x3000
SizeOfRawData 0x200
PointerToRawData 0x1a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.269373

.rsrc

MD5 f4cda73e39266148044620e7433cc4a7
SHA1 6338626a763eb76d758e92b4421888d9f5fca048
SHA256 1e634fb966360b609a4d6df45c939ac55030d3ac5ebad988510172fee9b470b9
SHA3 e834995b8b37cbbcbf477ce74e63190e446ba2fd9fd498abb3efcb38ca7ba9bb
VirtualSize 0x3f0
VirtualAddress 0x4000
SizeOfRawData 0x400
PointerToRawData 0x1c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.38347

.reloc

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0x58
VirtualAddress 0x5000
SizeOfRawData 0x200
PointerToRawData 0x2000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0

Imports

ntdll.dll memset
NtDeviceIoControlFile
NtWaitForSingleObject
RtlNtStatusToDosError
API-MS-Win-Core-ErrorHandling-L1-1-0.dll GetLastError
API-MS-Win-Core-File-L1-1-0.dll CreateFileW
API-MS-Win-Core-Handle-L1-1-0.dll CloseHandle
API-MS-Win-Core-Heap-L1-1-0.dll GetProcessHeap
HeapFree
HeapAlloc
API-MS-Win-Core-Interlocked-L1-1-0.dll InterlockedCompareExchange
API-MS-Win-Core-IO-L1-1-0.dll DeviceIoControl
API-MS-Win-Core-LibraryLoader-L1-1-0.dll DisableThreadLibraryCalls
API-MS-Win-Core-Synch-L1-1-0.dll CreateEventA

Delayed Imports

Exports

NsiAllocateAndGetPersistentDataWithMaskTable

Ordinal 1
Address 0x20d4

NsiAllocateAndGetTable

Ordinal 2
Address 0x1949

NsiCancelChangeNotification

Ordinal 3
Address 0x1d24

NsiDeregisterChangeNotification

Ordinal 4
Address 0x204e

NsiDeregisterChangeNotificationEx

Ordinal 5
Address 0x1bb9

NsiEnumerateObjectsAllParameters

Ordinal 6
Address 0x154e

NsiEnumerateObjectsAllParametersEx

Ordinal 7
Address 0x15d6

NsiEnumerateObjectsAllPersistentParametersWithMask

Ordinal 8
Address 0x1f35

NsiFreePersistentDataWithMaskTable

Ordinal 9
Address 0x2088

NsiFreeTable

Ordinal 10
Address 0x18f4

NsiGetAllParameters

Ordinal 11
Address 0x1640

NsiGetAllParametersEx

Ordinal 12
Address 0x1610

NsiGetAllPersistentParametersWithMask

Ordinal 13
Address 0x1ede

NsiGetObjectSecurity

Ordinal 14
Address 0x1e86

NsiGetParameter

Ordinal 15
Address 0x16c8

NsiGetParameterEx

Ordinal 16
Address 0x1734

NsiRegisterChangeNotification

Ordinal 17
Address 0x2000

NsiRegisterChangeNotificationEx

Ordinal 18
Address 0x1b85

NsiRequestChangeNotification

Ordinal 19
Address 0x1ca8

NsiRequestChangeNotificationEx

Ordinal 20
Address 0x1ce0

NsiSetAllParameters

Ordinal 21
Address 0x1b28

NsiSetAllParametersEx

Ordinal 22
Address 0x1afc

NsiSetAllPersistentParametersWithMask

Ordinal 23
Address 0x1fa2

NsiSetObjectSecurity

Ordinal 24
Address 0x1eb2

NsiSetParameter

Ordinal 25
Address 0x1c0a

NsiSetParameterEx

Ordinal 26
Address 0x1be5

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x38c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.57511
MD5 476daf8bec432f0773b1875aa0697689
SHA1 0ab0ffa3acce6beff775bc8c8d2a38fe3d77dfa4
SHA256 04c53c814dc2239a42935de0498df7a80438e93e212ae9f80c0a69f97268f1e1
SHA3 0fd39265bc3aabf402be70647ea35fba0e56f845c3ebe7cf18ce674c758660a1

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7600.16385
ProductVersion 6.1.7600.16385
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DRV
FileSubtype VFT2_DRV_NETWORK
Language English - United States
CompanyName Microsoft Corporation
FileDescription NSI User-mode interface DLL
FileVersion (#2) 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName nsi.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename nsi.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.1.7600.16385
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2009-Jul-13 23:12:06
Version 0.0
SizeofData 32
AddressOfRawData 0x25d8
PointerToRawData 0x19d8
Referenced File nsi.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics 0
TimeDateStamp 2009-Jul-13 23:12:06
Version 565.6526
SizeofData 4
AddressOfRawData 0x25d4
PointerToRawData 0x19d4

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x543f8984
Unmarked objects 0
Total imports 17
Imports (VS2008 SP1 build 30729) 19
Exports (VS2008 SP1 build 30729) 1
C objects (VS2008 SP1 build 30729) 4
Linker (VS2008 SP1 build 30729) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors
