3b4138b28c74335f644b7dd544e4445d

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Apr-26 07:07:39
Detected languages English - United States
Debug artifacts d:\jenkins\workspace\CIS_UM_brunch\Release\x64\cmdapt.pdb
CompanyName COMODO
FileVersion 10, 0, 1, 6225
FileDescription COMODO Internet Security
LegalCopyright 2005-2017 COMODO. All rights reserved.
ProductName COMODO Internet Security
ProductVersion 10, 0, 1, 6225

Plugin Output

Info Matching compiler(s):
  • MASM/TASM - sig2(h)
  • MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • rundll32.exe
May have dropper capabilities:
  • CurrentControlSet\Services
  • CurrentVersion\Run
Accesses the WMI:
  • root\cimv2
Contains domain names:
  • comodo.com
  • download.comodo.com
  • fls.security.comodo.com
  • security.comodo.com
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Uses constants related to SHA1
  • Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  • SwitchToThread
Can access the registry:
  • RegDeleteKeyW
  • RegQueryInfoKeyW
  • RegEnumValueW
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegLoadKeyW
  • RegEnumKeyExW
  • RegCloseKey
Uses Microsoft's cryptographic API:
  • CryptDestroyHash
  • CryptHashData
  • CryptCreateHash
  • CryptGetHashParam
  • CryptReleaseContext
  • CryptAcquireContextW
  • CryptBinaryToStringW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Has Internet access capabilities:
  • InternetCloseHandle
  • InternetGetLastResponseInfoW
  • InternetSetOptionW
  • InternetReadFile
  • InternetConnectW
  • InternetQueryOptionW
  • InternetOpenW
Leverages the raw socket API to access the Internet:
  • #115
  • #17
  • #16
  • WSAEventSelect
  • #4
  • #3
  • #116
  • #52
  • WSAAddressToStringW
  • #19
  • #111
  • #23
  • #9
  • #20
  • WSAEnumNetworkEvents
Functions related to the privilege level:
  • DuplicateTokenEx
  • AdjustTokenPrivileges
  • OpenProcessToken
Interacts with services:
  • DeleteService
  • CreateServiceW
  • ControlService
  • QueryServiceStatus
  • QueryServiceConfigW
  • OpenServiceW
  • OpenSCManagerW
  • ChangeServiceConfigW
Enumerates local disk drives:
  • GetDriveTypeW
  • GetLogicalDriveStringsW
Manipulates other processes:
  • Process32FirstW
  • Process32NextW
  • OpenProcess
  • EnumProcessModules
  • EnumProcesses
Info The PE is digitally signed. Signer: Comodo Security Solutions
Issuer: COMODO RSA Code Signing CA
Safe VirusTotal score: 0/69 (Scanned on 2019-10-02 17:55:20) All the AVs think this file is safe.

Hashes

MD5 3b4138b28c74335f644b7dd544e4445d
SHA1 e530922253269ede322d001195b64233a1075de2
SHA256 9e9990a3d368dfc51205a617d71ff7d2a675231ba993f227770e316ba6b4383e
SHA3 8b6e7d7e5e136d4ecfe421929e589a6d7d161851e68f6067236fc23df0d13925
SSDeep 24576:6CQg3iuBQ1A7CZyIPh0jIvTx85XyrITQnxA2i/hcefo38Pqbf:FqZpPh0jq85XyrIAAlZcrn
Imports Hash af54aa749a07bfcd4217ffd7dc7a1e31

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x138

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2017-Apr-26 07:07:39
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0xb3c00
SizeOfInitializedData 0x6ae00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000068FA0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 0.0
SubsystemVersion 5.2
Win32VersionValue 0
SizeOfImage 0x123000
SizeOfHeaders 0x400
Checksum 0x124b07
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 88c16110a86bccbbba3b826767c9ca9e
SHA1 b14560dcb503e7817cb94a2ce8412290ababb3e1
SHA256 836fefa813ec6b821193f03b72e27d0674bb0c14b79dadcb1750e6ffe1cd2118
SHA3 f6a29a42c8a177f10825434304bece840f316f0408214444a0af34448ab9a65b
VirtualSize 0xb3b08
VirtualAddress 0x1000
SizeOfRawData 0xb3c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.34628

.rdata

MD5 1e6d446b9f163508a9e17f882569ebcf
SHA1 46a0378b77ac177052b3f960acaebbfa54861ecf
SHA256 855c56e5918393df2780825b8db83325a7c011989590d1b1eaa4b7f2249a3d1c
SHA3 d6684851c74a4b60e4ff44592776a54f1426dda2a11b51e1ff296c87718802f8
VirtualSize 0x59404
VirtualAddress 0xb5000
SizeOfRawData 0x59600
PointerToRawData 0xb4000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.57034

.data

MD5 74bea8d57c62811774b3ceac26210411
SHA1 aeab91abb7251283d95b8a0d31ce10c2e7cfb33b
SHA256 ea5d1c48692e1db34f700228e745db20f38faec24ab8cc38724ecb1d957e7aa7
SHA3 1587294ca397b654afee1b708d0444023f6aa96d9c86d02a75ae7133876693ac
VirtualSize 0x676c
VirtualAddress 0x10f000
SizeOfRawData 0x4000
PointerToRawData 0x10d600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.4637

.pdata

MD5 cb3c88707860b18d4f045414a38b1b71
SHA1 dc1ebbfaceb33f74b613e1ed7efc059ab833d3d2
SHA256 99a615690af7a4b8bb95ec32ebac9d25ab802549f382520a0c8a0347c17cdf4f
SHA3 b5947e5d0fa044f04e97766eb09ea2fc572f8cb70ec532e718947ca322c16134
VirtualSize 0x87d8
VirtualAddress 0x116000
SizeOfRawData 0x8800
PointerToRawData 0x111600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.97091

.gfids

MD5 60307d18706ee6e7b223bf428fe9ddda
SHA1 ef873bfe9b924ce104eb48ae53d82159ab89c47a
SHA256 b617b1c122958bdfbce525d14174c0f971b1672ab4a319770168e300432e2d78
SHA3 5738719e9e2bbc2dc26e9511d87df3abaf4b28eaeaa71f6b82c48e68a0d9ade1
VirtualSize 0x9a0
VirtualAddress 0x11f000
SizeOfRawData 0xa00
PointerToRawData 0x119e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.71589

.rsrc

MD5 d4a0866fd6d56aa03d57115c7e5208cc
SHA1 e49279e46d71ac22db6bd58906ecbaa309cb1313
SHA256 a44a4cabc416fb49ccdbda3a544d3dbb626d69ea88065710843447f9993a0a82
SHA3 fe00235d4b6ba57ff4887aa4d45e049c0ba11096582200a829c139498458464b
VirtualSize 0x558
VirtualAddress 0x120000
SizeOfRawData 0x600
PointerToRawData 0x11a800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.76518

.reloc

MD5 851514bd64333dd0d6e1e49e92bfb300
SHA1 ceb2cb41d10d1a7cf21c1641033addec9960e816
SHA256 5b7d73326edfb229d040cdf74e08b7ec87d40aa530a52b311a281464c8294fa9
SHA3 d67f4ab750d9871113da1db571666957e31e5f3cd4ebe0ce4a5952989724ddbf
VirtualSize 0x1644
VirtualAddress 0x121000
SizeOfRawData 0x1800
PointerToRawData 0x11ae00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.31714

Imports

KERNEL32.dll GetSystemInfo
GetSystemWindowsDirectoryW
ResetEvent
WaitForMultipleObjects
CreateWaitableTimerW
SetWaitableTimer
CreateFileMappingW
lstrlenW
SetLastError
CreateThread
DecodePointer
OpenEventW
GetCommandLineW
GetFileAttributesExW
MapViewOfFileEx
GetProcessTimes
GetModuleHandleA
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
WriteConsoleW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
FlushFileBuffers
SetStdHandle
SetEnvironmentVariableA
FreeEnvironmentStringsW
ReleaseSemaphore
GetCurrentThread
FileTimeToSystemTime
SetFilePointer
WriteFile
GetComputerNameW
GetSystemDirectoryW
GetDriveTypeW
ReadFile
GetTickCount
WideCharToMultiByte
CreateEventW
LockResource
GetFileSize
Sleep
WaitForSingleObject
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
ExitProcess
CreateFileW
GetModuleFileNameW
lstrcpyW
FileTimeToDosDateTime
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
GetCurrentThreadId
SetUnhandledExceptionFilter
RaiseException
GetCurrentProcessId
GetPrivateProfileStringW
VerifyVersionInfoW
VerSetConditionMask
FindNextFileW
FindFirstFileW
FindClose
GetFileAttributesW
QueryDosDeviceW
GetWindowsDirectoryW
GetLongPathNameW
MultiByteToWideChar
FindResourceExW
FindResourceW
ExpandEnvironmentStringsW
GetModuleHandleW
LoadLibraryW
CloseHandle
SizeofResource
LoadResource
GetLastError
GetCurrentProcess
OpenProcess
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
LocalFree
GetProcAddress
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
FindFirstFileExW
IsDebuggerPresent
GetTimeZoneInformation
GetTimeFormatW
GetDateFormatW
GetFileType
GetACP
GetStdHandle
GetCommandLineA
VirtualQuery
GetModuleHandleExW
ExitThread
RtlUnwindEx
UnregisterWaitEx
GetStringTypeW
RtlPcToFileHeader
EncodePointer
TryEnterCriticalSection
QueueUserWorkItem
IsProcessorFeaturePresent
GetCPInfo
QueryPerformanceCounter
TlsFree
DuplicateHandle
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
VirtualProtect
VirtualFree
VirtualAlloc
GetVersionExW
LoadLibraryExW
FreeLibraryAndExitThread
FreeLibrary
GetThreadTimes
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
UnmapViewOfFile
GetLogicalDriveStringsW
TlsSetValue
TlsGetValue
TlsAlloc
OutputDebugStringW
GetPrivateProfileSectionW
SystemTimeToTzSpecificLocalTime
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
SwitchToThread
SignalObjectAndWait
CreateTimerQueue
InitializeSListHead
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LCMapStringW
CompareStringW
WaitForSingleObjectEx
USER32.dll wsprintfW
LoadStringW
GetSystemMetrics
PostThreadMessageW
MessageBoxW
ADVAPI32.dll StartServiceW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
DeleteService
CreateServiceW
ControlService
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
GetTokenInformation
RegDeleteKeyW
DuplicateTokenEx
GetUserNameW
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
CloseServiceHandle
ChangeServiceConfigW
RegQueryInfoKeyW
RegEnumValueW
ConvertStringSidToSidW
ConvertSidToStringSidW
RegQueryValueExW
RegOpenKeyExW
RegLoadKeyW
RegEnumKeyExW
RegConnectRegistryW
RegCloseKey
ImpersonateLoggedOnUser
LookupPrivilegeValueW
LookupAccountSidW
CopySid
GetLengthSid
IsValidSid
AdjustTokenPrivileges
OpenProcessToken
RevertToSelf
SHELL32.dll #165
CommandLineToArgvW
SHGetFolderPathW
ole32.dll CoUninitialize
CoInitializeEx
CoInitializeSecurity
CoCreateInstance
CoInitialize
CoTaskMemFree
StringFromGUID2
CoSetProxyBlanket
CoAddRefServerProcess
CoReleaseServerProcess
CLSIDFromProgID
OLEAUT32.dll #7
#8
#6
#2
#9
SHLWAPI.dll PathStripPathW
PathRemoveExtensionW
PathRemoveFileSpecW
PathFindFileNameW
PathAppendW
PathAddBackslashW
UrlUnescapeW
USERENV.dll UnloadUserProfile
dbghelp.dll MiniDumpWriteDump
CRYPT32.dll CertDuplicateCertificateContext
CryptBinaryToStringW
CertGetNameStringW
CertFreeCertificateContext
WINTRUST.dll WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WinVerifyTrust
WTHelperProvDataFromStateData
msi.dll #224
WS2_32.dll #115
#17
#16
WSAEventSelect
#4
#3
#116
#52
WSAAddressToStringW
#19
#111
#23
#9
#20
WSAEnumNetworkEvents
WTSAPI32.dll WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken
VERSION.dll VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
WININET.dll HttpQueryInfoW
InternetCloseHandle
HttpSendRequestW
HttpOpenRequestW
InternetGetLastResponseInfoW
InternetSetOptionW
InternetReadFile
InternetConnectW
InternetQueryOptionW
InternetOpenW
WINMM.dll timeGetTime
PSAPI.DLL GetModuleFileNameExW
EnumProcessModules
EnumProcesses
IPHLPAPI.DLL GetAdaptersAddresses

Delayed Imports

7

Type RT_STRING
Language English - United States
Codepage UNKNOWN
Size 0x30
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.24891
MD5 d96870fa5dc82b87f122e94bcfabc6d4
SHA1 a1fc73c4df79a428f0d9ce362fbc0c790a730fc1
SHA256 3242d3eea14e2a60013c4b3975eb32a8fe6cb446e54aaa0ffac22245ac24dd57
SHA3 bcf30ae491e26097579dc8d87ee56b40a0fa4cb7808fc7a5ab8c2d16790682d4

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x2b4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.43663
MD5 991df3b2e62d5db4c6f2db576e399503
SHA1 13eb4e9dd7f834a1fd359d2ab984f60b7585c615
SHA256 ca42a8ca4634a1a11369c7554976ff28ec2b356350100a84e500a7298228346a
SHA3 5a2a1c210c627779189ea9c4f19279ff6352464e3bbc49dfbf5b4a6c91f603d2

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

String Table contents

cmdaptag

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.1.6225
ProductVersion 10.0.1.6225
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName COMODO
FileVersion (#2) 10, 0, 1, 6225
FileDescription COMODO Internet Security
LegalCopyright 2005-2017 COMODO. All rights reserved.
ProductName COMODO Internet Security
ProductVersion (#2) 10, 0, 1, 6225
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2017-Apr-26 07:07:39
Version 0.0
SizeofData 82
AddressOfRawData 0xed9cc
PointerToRawData 0xec9cc
Referenced File d:\jenkins\workspace\CIS_UM_brunch\Release\x64\cmdapt.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2017-Apr-26 07:07:39
Version 0.0
SizeofData 20
AddressOfRawData 0xeda20
PointerToRawData 0xeca20

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2017-Apr-26 07:07:39
Version 0.0
SizeofData 928
AddressOfRawData 0xeda34
PointerToRawData 0xeca34

TLS Callbacks

Load Configuration

Size 0x94
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14010f200

RICH Header

XOR Key 0xf94f4802
Unmarked objects 0
241 (40116) 11
243 (40116) 156
242 (40116) 27
ASM objects (VS2015 UPD3 build 24123) 8
C++ objects (VS2015 UPD3 build 24123) 122
C objects (VS2015 UPD3 build 24123) 43
C++ objects (23013) 2
C objects (VS2008 SP1 build 30729) 3
135 (VS2008 SP1 build 30729) 3
Imports (VS2008 SP1 build 30729) 43
Total imports 406
ASM objects (VS2015 UPD3 build 24210) 1
C objects (VS2015 UPD3 build 24213) 1
C++ objects (VS2015 UPD3 build 24213) 62
Resource objects (VS2015 UPD3 build 24210) 1
151 1
Linker (VS2015 UPD3 build 24213) 1

Errors