Manalyze report for 5ef1322b96f176c4ea4b8304caf8b45e2e42c3188aa82ed1fd6196afc04b7297

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Jan-07 22:42:23
Detected languages	English - United States
Debug artifacts	InstallAgent.pdb
CompanyName	Microsoft Corporation
FileDescription	InstallAgent
FileVersion	`10.0.14393.4169 (rs1_release.210107-1130)`
InternalName	InstallAgent
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	InstallAgent.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion	`10.0.14393.4169`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: displaycatalog.mp.microsoft.com https://displaycatalog.mp.microsoft.com https://displaycatalog.mp.microsoft.com/v7.0/products/ https://displaycatalog.mp.microsoft.com/v7.0/products/lookup?alternateId https://displaycatalog.mp.microsoft.com/v7/products?bigIds https://login.microsoft.com https://login.windows.local https://purchase.mp.microsoft.com https://purchase.mp.microsoft.com/v7.0/users/ login.microsoft.com microsoft.com mp.microsoft.com purchase.mp.microsoft.com`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Can access the registry: RegOpenKeyExW RegGetValueW RegCloseKey RegEnumValueW RegSetKeyValueW` `Functions related to the privilege level: OpenProcessToken DuplicateToken`
Safe	VirusTotal score: 0/72 (Scanned on 2025-10-24 07:27:49)	`All the AVs think this file is safe.`

Hashes

MD5	`88c7dcdd735b31e4f5620e4b9f38c87f`
SHA1	`bdea3d4c7dd0920cb7b9268e0d558732c1416140`
SHA256	`5ef1322b96f176c4ea4b8304caf8b45e2e42c3188aa82ed1fd6196afc04b7297`
SHA3	`e89cbfcdb5aaa0f8a7de93c1d4d8eb051e10d5aae3464eb8609a421aba141ef6`
SSDeep	`3072:28ntB9HYbpGZhYvjQmjROQr+qjxdiFZlk1mn1TOvnclu2jMD28aRM3/pbnjkgQO:PhHWpGU04ROQ6qbiHlkwTOvnQOQ2jKI`
Imports Hash	`1b0f43f7100bfa0270600a8efbbc073d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2021-Jan-07 22:42:23
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x22600`
SizeOfInitializedData	`0x12800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000021F30 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x3a000`
SizeOfHeaders	`0x400`
Checksum	`0x3c278`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c966de6f283ba1d18099dbd2832885a9`
SHA1	`9d7e732cc9f320086e15d5dfc09b1e7ba0a593ce`
SHA256	`5f6ba98ae2fcd4d4e3fe806bea0792e39d40b7557310d45029209288524b03ee`
SHA3	`ccb6d124b4fd84ccb3a6b297ae0be98f4b8178e18b6dc45a811bf431e140862d`
VirtualSize	`0x22409`
VirtualAddress	`0x1000`
SizeOfRawData	`0x22600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.19461`

.rdata

MD5	`31687514276d35ef35c8db353a5e5604`
SHA1	`0b94c138af8ab85681dfca354407d3902539c238`
SHA256	`6236f4d93ef58e750a25b31fe4ea9572c15285541fd1aa4e958f7be06c091f35`
SHA3	`bffd7ad369c2c6dff35a609082d66124bb45057c71e787b85013cbd2e551ba62`
VirtualSize	`0xe02e`
VirtualAddress	`0x24000`
SizeOfRawData	`0xe200`
PointerToRawData	`0x22a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.86805`

.data

MD5	`cd7eb1b083729853f60e21b04a57a592`
SHA1	`9b5bedc7741743713f2b269379dd4c70799161b1`
SHA256	`ac590b67106786675f53bf38e4a4f9d6c1f97bf76e898a5933c135fd5f3fd611`
SHA3	`780a14f95a5d603180ab376ea604ed8ef077685021ddda3d6d0489c6ad85a60c`
VirtualSize	`0x14b8`
VirtualAddress	`0x33000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x30c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.496702`

.pdata

MD5	`c3e56b68be21c18254730923e873c37d`
SHA1	`ef12031c69b969f4e68fc6c51418bcdfc9780133`
SHA256	`90d1c911f6a18db7fe09825e4bbdb0c95f4de86df78930ce61fa8fd6bc4831f7`
SHA3	`262edb09677069821615e7eec620df323d4da7bfc4b86ae88e99ca23c608cad0`
VirtualSize	`0x1770`
VirtualAddress	`0x35000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x31600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.12089`

.didat

MD5	`4a76e5ba0e4dc9c628d347c4acd7a259`
SHA1	`9a1443d3faf28a164fd1801ad3f5cba8aaeb2040`
SHA256	`486f41dcbd8b2ae5d5b5a215498f344521ff47e6f7fa211ae8db5a6532f4945a`
SHA3	`d579195579063020731c1667551d1c121e0351d1111fefc1b4e46473ffce3e58`
VirtualSize	`0x1b0`
VirtualAddress	`0x37000`
SizeOfRawData	`0x200`
PointerToRawData	`0x32e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.52273`

.rsrc

MD5	`046ad35ca8a3d2c37fdabc639e43778b`
SHA1	`42dac95c3b3f3d88f660a3bfb5165a4013cb5719`
SHA256	`c314116297306469be2ae8f90adbc45022c2f8d1e1c84d5c78f5f29b9f69e88f`
SHA3	`f10e01feec74bd6e4454460f62aaaf20e329e22ca23ed68db0b7283a71ea98f6`
VirtualSize	`0x820`
VirtualAddress	`0x38000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x33000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.8002`

.reloc

MD5	`0d76f38fc864a02f0c2c1383142c4c1f`
SHA1	`95c5ce0555b900473f6ce61d688c6a7f76b11bed`
SHA256	`34f80661d05176cd1320b3efe850c5667a5bc0b9b9ff0881f7c06719a22ec4c3`
SHA3	`6d3b0dcc4b52deb8ecdd55f206f4db8e28350d7243b586b16f5e3b93d002d76c`
VirtualSize	`0xa14`
VirtualAddress	`0x39000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x33a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.09137`

Imports

msvcrt.dll	`_onexit` `wcstoul` `memcmp` `_wcmdln` `__C_specific_handler` `?terminate@@YAXXZ` `_fmode` `__dllonexit` `_lock` `_commode` `_initterm` `__CxxFrameHandler3` `__setusermatherr` `_vsnwprintf` `malloc` `memcpy_s` `wcstombs` `_errno` `strtol` `_set_errno` `strncpy_s` `strchr` `sprintf_s` `_wcsicmp` `_purecall` `memmove_s` `mbstowcs` `realloc` `_ui64tow_s` `_wtoi64` `wcstok` `_wtoi` `_callnewh` `_cexit` `_exit` `exit` `__set_app_type` `__wgetmainargs` `_amsg_exit` `free` `_XcptFilter` `_unlock` `memset`
combase.dll	`#154`
api-ms-win-core-misc-l1-1-0.dll	`FormatMessageW` `LocalAlloc` `Sleep` `LocalFree`
api-ms-win-eventing-provider-l1-1-0.dll	`EventRegister` `EventActivityIdControl` `EventUnregister` `EventWrite` `EventSetInformation` `EventWriteTransfer`
api-ms-win-core-errorhandling-l1-1-1.dll	`SetLastError` `UnhandledExceptionFilter` `GetLastError` `SetUnhandledExceptionFilter` `RaiseException`
api-ms-win-core-handle-l1-1-0.dll	`CloseHandle`
api-ms-win-core-synch-l1-2-0.dll	`ReleaseSRWLockShared` `InitializeSRWLock` `AcquireSRWLockShared` `ReleaseSRWLockExclusive` `OpenSemaphoreW` `CreateMutexExW` `AcquireSRWLockExclusive` `SetEvent` `CreateMutexW` `ReleaseMutex` `WaitForSingleObjectEx` `CreateSemaphoreExW` `ReleaseSemaphore` `CreateEventW` `WaitForSingleObject` `InitOnceExecuteOnce`
api-ms-win-core-heap-l1-2-0.dll	`HeapFree` `HeapAlloc` `GetProcessHeap` `HeapSetInformation`
api-ms-win-core-threadpool-l1-2-0.dll	`CreateThreadpoolTimer` `IsThreadpoolTimerSet` `WaitForThreadpoolTimerCallbacks` `CreateThreadpoolWork` `SubmitThreadpoolWork` `CloseThreadpoolWork` `CloseThreadpoolTimer` `SetThreadpoolTimer`
api-ms-win-core-processthreads-l1-1-2.dll	`GetStartupInfoW` `GetCurrentProcess` `OpenProcessToken` `GetCurrentThread` `OpenThreadToken` `GetCurrentProcessId` `GetCurrentThreadId` `TerminateProcess`
api-ms-win-core-libraryloader-l1-2-0.dll	`LoadLibraryExW` `GetModuleFileNameW` `GetModuleHandleExW` `GetModuleFileNameA` `GetProcAddress` `GetModuleHandleW` `LoadStringW`
api-ms-win-core-profile-l1-1-0.dll	`QueryPerformanceCounter`
api-ms-win-core-sysinfo-l1-2-1.dll	`GetSystemTimeAsFileTime` `GetTickCount` `GetSystemTime`
api-ms-win-core-rtlsupport-l1-2-0.dll	`RtlLookupFunctionEntry` `RtlVirtualUnwind` `RtlCaptureContext`
api-ms-win-core-debug-l1-1-1.dll	`OutputDebugStringW` `IsDebuggerPresent`
api-ms-win-core-registry-l1-1-0.dll	`RegOpenKeyExW` `RegGetValueW` `RegCloseKey` `RegEnumValueW`
api-ms-win-core-string-l1-1-0.dll	`MultiByteToWideChar` `WideCharToMultiByte` `CompareStringOrdinal`
api-ms-win-core-file-l1-2-1.dll	`CompareFileTime` `DeleteFileW` `FindNextFileW` `FindClose` `WriteFile` `GetFileSizeEx` `CreateFileW` `FindFirstFileW` `SetFileInformationByHandle`
api-ms-win-core-path-l1-1-0.dll	`PathCchRemoveExtension` `PathCchRemoveFileSpec`
api-ms-win-core-memory-l1-1-2.dll	`FlushViewOfFile` `CreateFileMappingW` `UnmapViewOfFile` `MapViewOfFile`
api-ms-win-core-file-l2-1-1.dll	`GetFileInformationByHandleEx`
api-ms-win-core-timezone-l1-1-0.dll	`SystemTimeToFileTime`
api-ms-win-security-base-l1-2-0.dll	`DuplicateToken` `GetTokenInformation`
api-ms-win-core-registry-l1-1-1.dll	`RegSetKeyValueW`
ntdll.dll	`RtlGetDeviceFamilyInfoEnum` `RtlIsMultiSessionSku`
api-ms-win-core-delayload-l1-1-1.dll	`ResolveDelayLoadedAPI` `DelayLoadFailureHook`
api-ms-win-security-sddl-l1-1-0.dll	`ConvertSidToStringSidW`
ext-ms-win-session-usermgr-l1-1-0.dll (delay-loaded)	`UMgrQueryUserToken` `UMgrQueryUserContextFromSid` `UMgrQueryUserContext`

Delayed Imports

Attributes	`0x1`
Name	`ext-ms-win-session-usermgr-l1-1-0.dll`
ModuleHandle	`0x33f70`
DelayImportAddressTable	`0x37190`
DelayImportNameTable	`0x305e0`
BoundDelayImportTable	`0x30988`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.65928`
MD5	`2965ae83859254d28dafa16474a9ff62`
SHA1	`168f36c594a3868b840e3614d142506f66ffafbb`
SHA256	`afee4557a2dddc674f57c4a0fdcb79302400eefb2006f3fba310da2581c8a533`
SHA3	`8a49a5047782455388ddb1034f0e9355c617c7d54985c0e35912af8c8c149dd5`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3a0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.47979`
MD5	`d83ed3fa322a866c23c040f59d85c3c0`
SHA1	`696df83e7d0692df58994381d2d545225a5822f2`
SHA256	`2aa7854a1a7450eb523de5f750752f7fbd5fd767f3ce4e69c583bafe5f231abe`
SHA3	`a9610da97a4f6907160fa8a05a3c912e1bdfc6ef035e780c53d77b344aeb0f08`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2c3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.97716`
MD5	`4485e8bbf2618162714c3546b9248dd6`
SHA1	`bbe4f43111f379e0fa5da34bee3b6c927dd96dc1`
SHA256	`9491b23001ff4ad6086c8152213c5cd0ddadba1510b2bc11d9997f38b89c8221`
SHA3	`acdcd01a212512d49f7109da3ea73839914644d34c129ce42c9241dc427e2934`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.14393.4169
ProductVersion	10.0.14393.4169
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	InstallAgent
FileVersion (#2)	10.0.14393.4169 (rs1_release.210107-1130)
InternalName	InstallAgent
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	InstallAgent.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion (#2)	10.0.14393.4169

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2021-Jan-07 22:42:23
Version	`0.0`
SizeofData	`41`
AddressOfRawData	`0x2ed28`
PointerToRawData	`0x2d728`
Referenced File	InstallAgent.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Jan-07 22:42:23
Version	`0.0`
SizeofData	`812`
AddressOfRawData	`0x2ed54`
PointerToRawData	`0x2d754`

TLS Callbacks

Load Configuration

Size	`0xd0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140033958`
GuardCFCheckFunctionPointer	`5368867624`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x10f38b6b`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`64`
ASM objects (23917)	`3`
C objects (23917)	`24`
Total imports	`297`
Imports (23917)	`7`
C++ objects (23917)	`6`
C++ objects (LTCG) (23917)	`43`
Resource objects (23917)	`1`
Linker (23917)	`1`

Errors

Leave a comment

No comments yet.