Manalyze report for 4bc35649f9d9aec62490376c47b6c143

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Feb-13 12:25:28
Detected languages	English - United States
Debug artifacts	D:\a\1\s\exe\Win32\Public_Release\Sysmon.pdb
CompanyName	Sysinternals - www.sysinternals.com
FileDescription	System activity monitor
ProductName	Sysinternals Sysmon
FileVersion	`15.14`
ProductVersion	`15.14`
LegalCopyright	By Mark Russinovich and Thomas Garnier Copyright (C) 2014-2024 Microsoft Corporation Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
InternalName	System Monitor

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig2(h)` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to internet browsers: chrome.exe firefox.exe iexplore.exe` `Contains references to security software: rshell.exe` `May have dropper capabilities: CurrentControlSet\Services` `Accesses the WMI: ROOT\Subscription root\wmi` `Contains another PE executable: This program cannot be run in DOS mode.` `Miscellaneous malware strings: cmd.exe` Contains domain names: Sysinternals.com crl.microsoft.com go.microsoft.com http://crl.microsoft.com http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z http://manifests.microsoft.com http://manifests.microsoft.com/win/2004/08/windows/events http://relaxng.org http://schemas.microsoft.com http://schemas.microsoft.com/win/2004/08/events http://schemas.microsoft.com/win/2004/08/events/trace http://www.microsoft.com http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0 http://www.microsoft.com/pkiops/Docs/Repository.htm0 http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0 http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202012.crt0 http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%200a http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010 http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202012.crl0 http://www.w3.org http://www.w3.org/2000/xmlns http://www.w3.org/2000/xmlns/ http://www.w3.org/2001/XMLSchema http://www.w3.org/2001/XMLSchema-datatypes http://www.w3.org/2001/XMLSchema-instance http://www.w3.org/2002/08/xquery-functions http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd http://www.w3.org/XML/1998/namespace https://aka.ms https://go.microsoft.com https://go.microsoft.com/fwlink/?LinkId https://microsoft.com https://sysinternals.com https://www.sysinternals.com0 manifests.microsoft.com microsoft.com relaxng.org schemas.microsoft.com sysinternals.com www.microsoft.com www.sysinternals.com www.w3.org
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegNotifyChangeKeyValue RegDeleteKeyW RegQueryValueExW RegCreateKeyExW RegDeleteValueW RegCreateKeyW RegGetValueW RegCloseKey RegSetValueExW RegOpenKeyExW RegOpenKeyW` `Possibly launches other programs: CreateProcessW CreateProcessAsUserW` `Uses Microsoft's cryptographic API: CryptAcquireContextW CryptGenRandom CryptReleaseContext CryptFindOIDInfo` `Can create temporary files: GetTempPathW CreateFileW` `Leverages the raw socket API to access the Internet: getnameinfo htons gethostname inet_ntoa WSAStartup gethostbyname ntohs` `Functions related to the privilege level: DuplicateTokenEx AdjustTokenPrivileges OpenProcessToken` `Interacts with services: QueryServiceConfigW QueryServiceConfig2W CreateServiceW QueryServiceStatus OpenSCManagerW DeleteService ControlService OpenServiceW` `Enumerates local disk drives: GetDriveTypeW GetLogicalDriveStringsW` `Manipulates other processes: Process32NextW Process32FirstW OpenProcess` `Reads the contents of the clipboard: GetClipboardData`
Malicious	The PE is possibly a dropper.	`Resource 1001 detected as a PE Executable.` `Resource 1002 detected as a PE Executable.`
Info	The PE is digitally signed.	`Signer: Microsoft Windows Publisher` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/74 (Scanned on 2024-07-22 21:49:15)	`All the AVs think this file is safe.`

Hashes

MD5	`4bc35649f9d9aec62490376c47b6c143`
SHA1	`005a057b79eaded9178fafb0df9eed7ddeb3e329`
SHA256	`71485d919102387e71f20ddc809bd849b7694d2b3f2cdd45a15a4ef9f9c788f2`
SHA3	`11a01c5b9452b016b2437c11cdf39002b184102f6d0fa931c32d32d1e9d65397`
SSDeep	`196608:Fv+SJlIIQygMiBNfi6bvjML0g1OXCn9eV:Wbvjs0cOynYV`
Imports Hash	`585f6f71377cdf184b4a45ba1f63fd55`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x128`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2024-Feb-13 12:25:28
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x199c00`
SizeOfInitializedData	`0x675a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00108944 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x19b000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x812000`
SizeOfHeaders	`0x400`
Checksum	`0x8113ff`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`636558c5af98406ffa548a9b70bc8b59`
SHA1	`83d5c58109a0e084bb427cc4c001fe5b8e81c17e`
SHA256	`9674511582890987515d5380547ef0002b852f0c5e089d552568913f87f961c3`
SHA3	`513ad75702859199d8447957038f6a3f3b7d219bd45553603e1079192684998b`
VirtualSize	`0x199a48`
VirtualAddress	`0x1000`
SizeOfRawData	`0x199c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.63434`

.rdata

MD5	`ce78b7d061339c47fa6de06de3feebf4`
SHA1	`a4489ff4ba30228f63732db0f0cb4b59de3880ad`
SHA256	`0fd8bebd12944b544319258ffbe1e9d9c791837d35d17d2017e63a3c9b64e0c3`
SHA3	`ca106765590fc7be944ccc76241ad0b556b084abfb6f0d5a4bf53936e57bbcaa`
VirtualSize	`0xc9f6e`
VirtualAddress	`0x19b000`
SizeOfRawData	`0xca000`
PointerToRawData	`0x19a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.35492`

.data

MD5	`081a67faffb4a86530a47b150db946f7`
SHA1	`9dd1b74685be9654ecb22f8ff340158fa7ade09d`
SHA256	`51145893c416c4a163d30a4e5ad982789d74c0f06b7b6d12132faed6933bab77`
SHA3	`78d0fed3d4845d68d9183b1bab97677f3cf461290547e87dc01762281e5ae26f`
VirtualSize	`0x72e8`
VirtualAddress	`0x265000`
SizeOfRawData	`0x3c00`
PointerToRawData	`0x264000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.41326`

.rsrc

MD5	`630413a2b3bdc4ed25c084c17b766406`
SHA1	`87f35e89b35d40122e862516a4b19ea5da700722`
SHA256	`2bdb146b9b05588f08176ac5bd4ebfaeaf6507fa2d1e1baad50e5cf2dcd87d86`
SHA3	`1912117e7a5d9344be49c44e4946e59a90fa8c6514956025131f61319edec90b`
VirtualSize	`0x595528`
VirtualAddress	`0x26d000`
SizeOfRawData	`0x595600`
PointerToRawData	`0x267c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.54621`

.reloc

MD5	`3cd0a83e021eca1059c271d172f46335`
SHA1	`2744715431508d7e8df943e948fdcf91c61712f6`
SHA256	`9502b595eeeb292d1c8b04270e402e0e34d8dc977bb38f7a20971d2c21a00150`
SHA3	`d3e401ddb15a51cedb0316c332943efacb0fec3d335978210eb5ff100dadd1e4`
VirtualSize	`0xef80`
VirtualAddress	`0x803000`
SizeOfRawData	`0xf000`
PointerToRawData	`0x7fd200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.74408`

Imports

tdh.dll	`TdhGetEventMapInformation` `TdhGetEventInformation`
USERENV.dll	`ExpandEnvironmentStringsForUserW`
VERSION.dll	`GetFileVersionInfoSizeW` `GetFileVersionInfoW` `VerQueryValueW` `GetFileVersionInfoSizeExW` `GetFileVersionInfoExW`
NETAPI32.dll	`NetApiBufferFree` `NetServerEnum`
WS2_32.dll	`getnameinfo` `htons` `gethostname` `inet_ntoa` `WSAStartup` `gethostbyname` `ntohs`
MPR.dll	`WNetCancelConnection2W` `WNetAddConnection2W`
WTSAPI32.dll	`WTSQuerySessionInformationW` `WTSFreeMemory` `WTSEnumerateSessionsW` `WTSQueryUserToken`
ole32.dll	`CoCreateInstance` `CoSetProxyBlanket` `CoInitializeEx` `StringFromGUID2` `IIDFromString` `CoUninitialize` `CoInitializeSecurity`
KERNEL32.dll	`Module32FirstW` `K32EnumProcesses` `SystemTimeToFileTime` `GetSystemTime` `SizeofResource` `LockResource` `LoadResource` `FindResourceW` `CreateDirectoryW` `GetConsoleScreenBufferInfo` `lstrlenW` `RemoveDirectoryW` `GetTempPathW` `CreateFileW` `GetFileAttributesW` `GetSystemDirectoryW` `Process32NextW` `SetEvent` `DeleteFileW` `Process32FirstW` `GetSystemInfo` `VerSetConditionMask` `GetComputerNameW` `CreateProcessW` `VerifyVersionInfoW` `GetSystemTimeAsFileTime` `GetTickCount` `ConnectNamedPipe` `GetExitCodeProcess` `ExpandEnvironmentStringsW` `ProcessIdToSessionId` `ExitProcess` `GetCurrentProcessId` `CopyFileW` `ReadFile` `SetConsoleCtrlHandler` `GetFileSizeEx` `CreateThreadpool` `WaitForMultipleObjects` `SetThreadPriority` `SetThreadpoolThreadMinimum` `CreateEventW` `SetThreadpoolThreadMaximum` `GetOverlappedResult` `SubmitThreadpoolWork` `SetUnhandledExceptionFilter` `CreateThreadpoolWork` `QueryDosDeviceW` `ReleaseSRWLockExclusive` `WriteFile` `CreateToolhelp32Snapshot` `GetWindowsDirectoryW` `GetTempFileNameW` `K32GetMappedFileNameW` `QueryPerformanceFrequency` `ResetEvent` `QueryPerformanceCounter` `CreateThread` `FindFirstFileW` `FindNextFileW` `FindClose` `LoadLibraryW` `K32GetModuleBaseNameW` `WideCharToMultiByte` `UnmapViewOfFile` `CreateFileMappingW` `MapViewOfFile` `TerminateProcess` `SetFileAttributesW` `GlobalSize` `FreeConsole` `GlobalLock` `GlobalUnlock` `GetEnabledXStateFeatures` `InitializeCriticalSectionEx` `GetConsoleMode` `GetCommandLineA` `SystemTimeToTzSpecificLocalTime` `PeekNamedPipe` `GetFileInformationByHandle` `GetDriveTypeW` `FreeLibraryAndExitThread` `InitializeSRWLock` `ResumeThread` `ExitThread` `GetConsoleCP` `GetModuleHandleExW` `SetStdHandle` `TlsFree` `InitializeCriticalSectionAndSpinCount` `InterlockedFlushSList` `InterlockedPushEntrySList` `RtlUnwind` `RaiseException` `OutputDebugStringW` `GetCPInfo` `CompareStringEx` `LCMapStringEx` `GetLocaleInfoEx` `EncodePointer` `GetStringTypeW` `GetConsoleOutputCP` `OpenProcess` `DeviceIoControl` `CloseThreadpoolWork` `AcquireSRWLockShared` `DecodePointer` `ReleaseSRWLockShared` `GetLogicalDriveStringsW` `GetLastError` `FormatMessageW` `GetDateFormatW` `FreeLibrary` `GetTimeFormatW` `FileTimeToSystemTime` `MultiByteToWideChar` `TlsGetValue` `DeleteCriticalSection` `CloseHandle` `TlsAlloc` `GetCurrentThread` `Sleep` `DuplicateHandle` `ReleaseMutex` `GetCurrentThreadId` `WaitForSingleObject` `CreateMutexW` `InitializeCriticalSection` `LeaveCriticalSection` `GetCurrentProcess` `EnterCriticalSection` `TlsSetValue` `GetModuleHandleW` `LocalFree` `GetProcAddress` `LocalAlloc` `GetStdHandle` `GetCommandLineW` `LoadLibraryExW` `GetVersionExW` `SetLastError` `GetFileType` `GetModuleFileNameW` `HeapFree` `HeapAlloc` `CompareStringW` `LCMapStringW` `GetLocaleInfoW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `FlushFileBuffers` `SetConsoleMode` `GetNumberOfConsoleInputEvents` `ReadConsoleInputW` `PeekConsoleInputA` `AcquireSRWLockExclusive` `InitializeSListHead` `SetFilePointerEx` `HeapReAlloc` `SetCurrentDirectoryW` `GetCurrentDirectoryW` `HeapSize` `FindFirstFileExW` `IsValidCodePage` `GetACP` `GetStartupInfoW` `IsDebuggerPresent` `SleepConditionVariableSRW` `GetOEMCP` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `GetProcessHeap` `GetTimeZoneInformation` `WriteConsoleW` `SetEndOfFile` `WakeAllConditionVariable` `IsProcessorFeaturePresent` `GetFullPathNameW` `ReadConsoleW` `FormatMessageA` `UnhandledExceptionFilter`
USER32.dll	`GetWindowThreadProcessId` `GetMessageW` `DefWindowProcW` `SetClipboardViewer` `GetClipboardOwner` `CreateWindowExW` `GetPriorityClipboardFormat` `OpenClipboard` `DispatchMessageW` `ChangeClipboardChain` `CloseClipboard` `RegisterClassW` `TranslateMessage` `GetClipboardData` `GetClipboardSequenceNumber` `MessageBoxW` `UnregisterClassW` `InflateRect` `EndDialog` `SetWindowTextW` `DialogBoxIndirectParamW` `LoadCursorW` `SetCursor` `GetDlgItem` `GetSysColorBrush` `SendMessageW`
GDI32.dll	`EndDoc` `GetDeviceCaps` `SetMapMode` `StartDocW` `EndPage` `StartPage`
COMDLG32.dll	`PrintDlgW`
ADVAPI32.dll	`RevertToSelf` `GetSecurityDescriptorSacl` `GetSecurityDescriptorDacl` `CryptAcquireContextW` `GetAce` `CryptGenRandom` `IsWellKnownSid` `GetSecurityDescriptorOwner` `GetFileSecurityW` `CreateProcessAsUserW` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `DuplicateTokenEx` `CryptReleaseContext` `DeregisterEventSource` `GetSidSubAuthorityCount` `GetSidSubAuthority` `CopySid` `RegisterEventSourceW` `RegNotifyChangeKeyValue` `RegisterServiceCtrlHandlerExW` `SetSecurityDescriptorDacl` `RegDeleteKeyW` `SetServiceStatus` `ChangeServiceConfig2W` `RegQueryValueExW` `SetEntriesInAclW` `RegCreateKeyExW` `InitializeSecurityDescriptor` `StartServiceCtrlDispatcherW` `QueryServiceConfigW` `RegDeleteValueW` `QueryServiceConfig2W` `LookupAccountSidW` `LookupAccountNameW` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `RegCreateKeyW` `CreateServiceW` `QueryServiceStatus` `EqualSid` `CloseServiceHandle` `OpenSCManagerW` `AllocateAndInitializeSid` `DeleteService` `ControlService` `ImpersonateLoggedOnUser` `LogonUserW` `OpenProcessToken` `FreeSid` `StartServiceW` `RegConnectRegistryW` `OpenServiceW` `GetTokenInformation` `GetLengthSid` `GetSecurityDescriptorLength` `ReportEventW` `StartTraceW` `ProcessTrace` `CloseTrace` `ControlTraceW` `OpenTraceW` `EnableTraceEx2` `ConvertSidToStringSidW` `RegGetValueW` `RegCloseKey` `RegSetValueExW` `RegOpenKeyExW` `RegOpenKeyW`
OLEAUT32.dll	`VariantInit` `SafeArrayDestroy` `SysAllocStringLen` `SafeArrayGetElement` `SysStringByteLen` `VariantChangeType` `VariantClear` `CreateErrorInfo` `SafeArrayGetLBound` `SysFreeString` `SysAllocString` `SysStringLen` `SafeArrayGetUBound` `SafeArrayUnaccessData` `SysAllocStringByteLen` `GetErrorInfo` `SetErrorInfo` `SafeArrayAccessData`
CRYPT32.dll	`CertGetNameStringW` `CryptFindOIDInfo` `CertDuplicateCertificateContext` `CertGetCertificateChain`
Secur32.dll	`LsaGetLogonSessionData` `LsaFreeReturnBuffer`
RPCRT4.dll	`RpcStringFreeW` `RpcServerRegisterIfEx` `NdrClientCall2` `NdrServerCall2` `RpcServerUseProtseqEpW` `RpcServerUnregisterIf` `RpcBindingFromStringBindingW` `I_RpcBindingInqLocalClientPID` `RpcStringBindingComposeW`

Delayed Imports

1001

Type	`BINRES`
Language	English - United States
Codepage	UNKNOWN
Size	`0x455b40`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.83394`
Detected Filetype	PE Executable
MD5	`99c68a0a2ee8e42ebb52e1c84f80b730`
SHA1	`2f707cc7a635ca9824ebe825ade3baa77bc5874c`
SHA256	`39b094613132377bc236f4ad940a3e02c544f86347c0179a9425edc1bd3b85cd`
SHA3	`d462ac519aa4b564146878107cec0aa0280e0fa1c24c6b045ff0286ec3771831`

1002

Type	`BINRES`
Language	English - United States
Codepage	UNKNOWN
Size	`0x22998`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.61469`
Detected Filetype	PE Executable
MD5	`1b593dcdbe871896e4d235cca84ab6f9`
SHA1	`a753a50e394e2e1d26e098f248cf602f30dbe7aa`
SHA256	`14228bc610f7a7631d00e40454baca1a2a2864850ab117daf1e7bd6178036bf2`
SHA3	`75a060a7c532eeefcd0f9040781c923abfc35f57783f4887a866e1935f2b7c49`

1

Type	`WEVT_TEMPLATE`
Language	English - United States
Codepage	UNKNOWN
Size	`0x9732`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.79206`
MD5	`5b5fda12421a0776dbd6f0afa1dc43b2`
SHA1	`9a49f98c0561708303ed3b0b072b30f63e8cadc5`
SHA256	`fee524050e261d0bbbf2f529e9fbce6a0cf4c9d4b942a0b96ede0e4eeda61c16`
SHA3	`b69fcf734841ed29db706f29a954af43d45ef0f5bfea0a5d8ec1ccb58d0d9618`

SYSMONSCHEMA

Type	`XML`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf34c2`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42121`
MD5	`422d002dcecf9543101d099dac3b0cc4`
SHA1	`1818081d850d1fea05ab661177ed0348d8decb22`
SHA256	`26fc26ca733e8c9defbc4c93e330aedd7d9a71d18a2fe734402c6187e8635332`
SHA3	`e65028c58487abea43b9e1dc16a982b1824c7eeeae1d074cedd333e2652d7462`

1 (#2)

Type	`RT_MESSAGETABLE`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6fc0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.48821`
MD5	`a22b05604b4be025dbb01a4f984ec226`
SHA1	`78231239f0fd614a0f9d88ee8faedaf1fb46471e`
SHA256	`417ba55ad7c69dd586403e198ef4feb639d6d7544a4f1bb04fcd7eca43820025`
SHA3	`bd8bc2654b71bd8a61e01007646832c8e3279df9750ee2469a72562f55a22255`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x400`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.48974`
MD5	`13fca7bae413f18f4309b9d1ae2205b7`
SHA1	`290534f46c4f868339678ce15da3dac2d35d1a86`
SHA256	`0b3f4418cd7646bb1c87298d2f5b773a6596af5b01aae93672ea7329deb60ac6`
SHA3	`94c2f826b760342ba2ffbd04080ef48ee1c73fa12adb4f6121333d2b3b54e15c`

SYSMONMAN

Type	`RT_HTML`
Language	English - United States
Codepage	UNKNOWN
Size	`0x18c70`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.75399`
MD5	`1c43bd71ab4dd696e43ac16d6fd276f8`
SHA1	`b0eb275b8b6ca656e619bea0902efaf418b766b6`
SHA256	`65c75443ff5de03ffdce3abfda872590c4fc2ff729e4783e392f10768323c88c`
SHA3	`28c82ffe94a98b76c674c0bcd0910bc0c8382b5ab38ef2c71e1a04cc0fd3abc8`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	15.14.0.0
ProductVersion	15.14.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_UNKNOWN`
Language	English - United States
CompanyName	Sysinternals - www.sysinternals.com
FileDescription	System activity monitor
ProductName	Sysinternals Sysmon
FileVersion (#2)	15.14
ProductVersion (#2)	15.14
LegalCopyright	By Mark Russinovich and Thomas Garnier Copyright (C) 2014-2024 Microsoft Corporation Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
InternalName	System Monitor

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-Feb-13 12:25:28
Version	`0.0`
SizeofData	`69`
AddressOfRawData	`0x25bc14`
PointerToRawData	`0x25ac14`
Referenced File	D:\a\1\s\exe\Win32\Public_Release\Sysmon.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2024-Feb-13 12:25:28
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x25bc5c`
PointerToRawData	`0x25ac5c`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2024-Feb-13 12:25:28
Version	`0.0`
SizeofData	`1068`
AddressOfRawData	`0x25bc70`
PointerToRawData	`0x25ac70`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2024-Feb-13 12:25:28
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x65c0ac`
EndAddressOfRawData	`0x65c0b4`
AddressOfIndex	`0x668d90`
AddressOfCallbacks	`0x59b648`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x665010`
SEHandlerTable	`0x65af5c`
SEHandlerCount	`441`

RICH Header

XOR Key	`0xb2b3b8b`
Unmarked objects	`0`
ASM objects (30795)	`19`
C++ objects (30795)	`197`
253 (VS 2015-2022 runtime 32533)	`4`
C++ objects (VS 2015-2022 runtime 32533)	`87`
C objects (VS 2015-2022 runtime 32533)	`19`
ASM objects (VS 2015-2022 runtime 32533)	`26`
C objects (30795)	`25`
ASM objects (VS2019 Update 11 (16.11.4-5) compiler 30136)	`1`
C objects (VS2019 Update 11 (16.11.9) compiler 30139)	`10`
Imports (30795)	`35`
Total imports	`347`
C++ objects (LTCG) (32826)	`63`
Resource objects (32826)	`1`
151	`2`
Linker (32826)	`1`

4bc35649f9d9aec62490376c47b6c143

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1001

1002

1

SYSMONSCHEMA

1 (#2)

1 (#3)

SYSMONMAN

1 (#4)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

IMAGE_DEBUG_TYPE_ILTCG

TLS Callbacks

Load Configuration

RICH Header

Errors