| Summary | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2017-Apr-30 23:30:45 |
| Detected languages | English - United States |
| Debug artifacts | C:\Builds\13810\Tools\procexp_master\bin\Win32\Release\procexp.pdb |
| CompanyName | Sysinternals - www.sysinternals.com |
| FileDescription | Sysinternals Process Explorer |
| FileVersion | 16.21 |
| InternalName | Process Explorer |
| LegalCopyright | Copyright © 1998-2017 Mark Russinovich |
| LegalTrademarks | Copyright (C) 1998-2017 Mark Russinovich |
| OriginalFilename | Procexp.exe |
| ProductName | Process Explorer |
| ProductVersion | 16.21 |
| Level | Finding | Details |
|---|---|---|
| Info | Matching compiler(s) | Microsoft Visual C++ v6.0 DLL; Microsoft Visual C++ 6.0 - 8.0 MASM/TASM - sig1(h) |
| Suspicious | Strings found in the binary may indicate undesirable behavior | Contains references to system / monitoring tools |
| Info | Cryptographic algorithms detected in the binary | Uses constants related to SHA1; uses constants related to SHA256; Microsoft's Cryptography API |
| Malicious | The PE contains functions mostly used by malware | [!] The program may be hiding some of its imports |
| Malicious | The PE is possibly a dropper | Resource 150 detected as a PE Executable; Resource 152 detected as a PE Executable |
| Info | The PE is digitally signed | Signer: Microsoft Corporation; Issuer: Microsoft Code Signing PCA |
| Suspicious | VirusTotal score: 1/73 (scanned 2020-02-08 13:53:35) | Jiangmin: Backdoor.Generic.ayol |

Reading these findings against the rest of the report:

The compiler signature match (Visual C++ 6.0) conflicts with LinkerVersion 12.0 in the optional header and with the Rich header, whose entries are VS2013 (build 21005, Update 4 build 31101) plus a handful of VS2008 SP1 objects. The byte-signature match is the weaker evidence and should be discounted in favour of the linker version and Rich header.

The dropper verdict rests only on resources 150 and 152 being PE images. Process Explorer carries its 64-bit executable and a kernel driver (whose file name, PROCEXP152.SYS, matches the second resource ID) inside the 32-bit image and writes them out at run time, so embedded executables are expected here. On an unknown file the same indicator still means both resources should be extracted and analysed as binaries in their own right.

"May be hiding some of its imports" fires on the LoadLibraryW/LoadLibraryExW and GetProcAddress pair in the KERNEL32 import list. That is how any program resolves optional APIs at run time and is not evidence on its own; the static import list below is already large and specific.

The SHA-1/SHA-256 constants and the CryptAcquireContextW/CryptCreateHash/CryptHashData imports line up with the "VirusTotal" column in the string table (image hashes are computed for look-up) and with the WINHTTP imports that carry the query.

Mitigations: DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) are set, and the load configuration holds a /GS SecurityCookie and a SafeSEH table of 206 handlers. IMAGE_DLLCHARACTERISTICS_GUARD_CF is not set and the load configuration is only 0x48 bytes, ending at SEHandlerCount before any Guard CF fields, so this build is not CFG-instrumented; the "Control Flow Guard" string is a column name in the program's UI, not a property of the binary.

The single VirusTotal detection (a generic name from one engine out of 73) on a Microsoft-signed file is consistent with a false positive, but the report only lists the signer and issuer and does not say whether the chain validated. Verify the Authenticode signature directly, for example with `signtool verify /pa /v Procexp.exe` or PowerShell's `Get-AuthenticodeSignature`, and compare the file hash with the copy distributed by Microsoft before relying on it.
| DOS header | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x118 |
| PE header | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberOfSections | 5 |
| TimeDateStamp | 2017-Apr-30 23:30:45 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
| Optional header | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 12.0 |
| SizeOfCode | 0xba800 |
| SizeOfInitializedData | 0x1da800 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0009BA18 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0xbc000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.1 |
| ImageVersion | 0.0 |
| SubsystemVersion | 5.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x2bd000 |
| SizeOfHeaders | 0x400 |
| CheckSum | 0x29c250 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeOfStackReserve | 0x100000 |
| SizeOfStackCommit | 0x1000 |
| SizeOfHeapReserve | 0x100000 |
| SizeOfHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
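The header chain above (e_lfanew, PE signature, file header, optional header) and the dropper finding can both be checked without a PE library. The following is an added example, not code from this report or from Sysinternals: it builds a constructed header-only PE32 blob from the values in this report (the blob is not procexp.exe), parses the fields a triage report shows, decodes the DllCharacteristics mitigation bits, and carves embedded PE images from the raw bytes. The two embedded payloads are stand-ins for resources 150 and 152; a real check would walk the .rsrc directory, which the byte scan approximates.

```python
"""Added example (not from the report or Sysinternals): parse DOS -> PE ->
optional header with the standard library, decode mitigations, and carve
embedded PE images the way a 'possible dropper' heuristic does."""
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def build_min_pe(machine=0x14C, dllchars=0x8140, e_lfanew=0x118, payload=b""):
    """Construct a header-only PE32 blob (no section table); example data only."""
    dos = bytearray(e_lfanew)                      # DOS header + stub, zero-filled
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)    # e_lfanew -> "PE\0\0"
    stamp = int(datetime(2017, 4, 30, 23, 30, 45, tzinfo=timezone.utc).timestamp())
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (32BIT_MACHINE|EXECUTABLE_IMAGE)
    file_hdr = struct.pack("<HHIIIHH", machine, 5, stamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                          # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<HBB", opt, 0, PE32_MAGIC, 12, 0)   # Magic, LinkerVersion 12.0
    struct.pack_into("<I", opt, 16, 0x9BA18)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<H", opt, 68, 2)             # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dllchars)      # DllCharacteristics
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + payload


def parse_pe_headers(blob):
    """Return the header fields a triage report shows, plus decoded mitigations."""
    if blob[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    fh = e_lfanew + 4
    machine, nsections, stamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, fh)
    oh = fh + 20
    magic, lmaj, lmin = struct.unpack_from("<HBB", blob, oh)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry, = struct.unpack_from("<I", blob, oh + 16)
    # Subsystem and DllCharacteristics sit at +68/+70 in both PE32 and PE32+ layouts
    subsystem, dllchars = struct.unpack_from("<HH", blob, oh + 68)
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit]
    return {
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%b-%d %H:%M:%S"),
        "magic": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "linker_version": "%d.%d" % (lmaj, lmin),
        "entry_point": entry,
        "subsystem": subsystem,
        "dll_characteristics": flags,
        # ASLR needs DYNAMIC_BASE, DEP needs NX_COMPAT, CFG needs GUARD_CF;
        # HIGH_ENTROPY_VA only has meaning for a 64-bit image.
        "mitigations": {
            "aslr": "DYNAMIC_BASE" in flags,
            "dep": "NX_COMPAT" in flags,
            "cfg": "GUARD_CF" in flags,
            "high_entropy_va": magic == PE32PLUS_MAGIC and "HIGH_ENTROPY_VA" in flags,
        },
    }


def find_embedded_pe(blob, start=1):
    """Carve embedded PE images: every 'MZ' whose e_lfanew lands on 'PE\\0\\0'.

    start=1 skips the carrier's own header.  Scanning raw bytes approximates the
    resource walk a dropper heuristic does and also catches payloads stored
    outside the resource tree (overlay, sections)."""
    hits = []
    pos = blob.find(IMAGE_DOS_SIGNATURE, start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew, = struct.unpack_from("<I", blob, pos + 0x3C)
            nt = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[nt:nt + 4] == IMAGE_NT_SIGNATURE and nt + 6 <= len(blob):
                machine, = struct.unpack_from("<H", blob, nt + 4)
                hits.append((pos, machine))
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


# Constructed stand-ins for resources 150 and 152: an x64 image and a 32-bit driver.
# (Both keep the PE32 header layout for brevity; the carver only reads Machine.)
RES_150 = build_min_pe(machine=0x8664, dllchars=0x8160, e_lfanew=0x80)
RES_152 = build_min_pe(machine=0x14C, dllchars=0x2000, e_lfanew=0x80)
SAMPLE = build_min_pe(payload=b"\0" * 16 + RES_150 + b"\0" * 16 + RES_152)

if __name__ == "__main__":
    info = parse_pe_headers(SAMPLE)
    print(info["timestamp"], info["linker_version"], info["mitigations"])
    for off, machine in find_embedded_pe(SAMPLE):
        print("embedded PE at 0x%x, Machine=0x%x" % (off, machine))
```

Run against a real file, `parse_pe_headers(open(path, "rb").read())` reproduces the Machine, TimeDateStamp, LinkerVersion and DllCharacteristics rows of this report, and `find_embedded_pe` lists the offsets of the embedded images so each can be cut out and analysed separately.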
| DLL | Imported functions |
|---|---|
| SHLWAPI.dll | ColorHLSToRGB ColorRGBToHLS #176 UrlUnescapeW |
| WS2_32.dll | #14 #8 #9 #51 #56 #115 #15 |
| MPR.dll | WNetGetConnectionW |
| COMCTL32.dll | ImageList_Create CreateStatusWindowW CreatePropertySheetPageW #410 #8 #413 ImageList_ReplaceIcon ImageList_Add InitCommonControlsEx ImageList_Destroy ImageList_DrawEx #17 PropertySheetW |
| VERSION.dll | VerQueryValueW GetFileVersionInfoW GetFileVersionInfoSizeW |
| credui.dll | CredUIPromptForCredentialsW |
| SETUPAPI.dll | SetupDiGetClassDevsW SetupDiGetDeviceInterfaceDetailW SetupDiEnumDeviceInterfaces SetupDiDestroyDeviceInfoList |
| CRYPT32.dll | CertDuplicateCertificateContext CertGetNameStringW |
| KERNEL32.dll | VirtualQueryEx GetProcessAffinityMask GetCurrentProcessId SetThreadAffinityMask SetFilePointer GetSystemDirectoryW DeleteFileW SearchPathW OpenThread GetThreadContext SuspendThread ResumeThread Thread32First Thread32Next ResetEvent QueryPerformanceCounter QueryPerformanceFrequency IsBadReadPtr GetEnvironmentVariableW GlobalMemoryStatus SetProcessWorkingSetSize TerminateProcess GetProcessId PulseEvent SetPriorityClass GetComputerNameW VirtualAlloc VirtualFree GetProcessWorkingSetSize DeviceIoControl DuplicateHandle OutputDebugStringW GetDriveTypeW GetCurrentDirectoryW WideCharToMultiByte DecodePointer RaiseException InitializeCriticalSectionAndSpinCount GetSystemInfo ExpandEnvironmentStringsA LoadLibraryA GetOEMCP GetACP IsValidCodePage EnumSystemLocalesW GetUserDefaultLCID IsValidLocale LCMapStringW CompareStringW GetStartupInfoW TlsFree SetUnhandledExceptionFilter UnhandledExceptionFilter GetCPInfo SetConsoleMode ReadConsoleInputA GetConsoleMode GetModuleHandleExW ExitProcess GetCurrentThreadId IsProcessorFeaturePresent RtlUnwind IsDebuggerPresent EncodePointer GetStringTypeW lstrlenA lstrcmpiW lstrcmpW ReadProcessMemory OpenEventW SetLastError IsBadStringPtrW SystemTimeToFileTime GetSystemTimeAsFileTime GetSystemTime DeleteCriticalSection Module32NextW Module32FirstW TerminateThread GlobalUnlock GlobalLock GlobalReAlloc GlobalAlloc FindResourceExW FindResourceW SizeofResource LoadResource GetProcessHeap HeapSize HeapFree HeapReAlloc HeapAlloc HeapDestroy LockResource GetCommandLineW GetFileType LocalAlloc FormatMessageW GlobalAddAtomW GetTickCount MulDiv GetFileSizeEx GetExitCodeThread CreateThread CreateEventW WaitForMultipleObjects WaitForSingleObject SetEvent EnterCriticalSection GetCurrentThread LeaveCriticalSection FindNextFileW FindClose MultiByteToWideChar GetModuleHandleW ReadFile LoadLibraryExW FreeLibrary GetPrivateProfileStringW FindFirstFileW GetFileAttributesW Process32NextW Process32FirstW CreateToolhelp32Snapshot GetNumberFormatW GetDateFormatW GetTimeFormatW GetLocaleInfoW CreateFileW GetFullPathNameW GetWindowsDirectoryW ExpandEnvironmentStringsW SetEnvironmentVariableW CreateProcessW GetModuleFileNameW LoadLibraryW CreateFileMappingW TlsSetValue TlsAlloc lstrlenW UnmapViewOfFile MapViewOfFile FormatMessageA FileTimeToSystemTime FileTimeToLocalFileTime CloseHandle GetFileTime WriteFile GetStdHandle GetFileSize Sleep InitializeCriticalSection SetErrorMode GetLastError ExitThread GetCurrentProcess OpenProcess LocalFree GetVersion GetProcAddress InterlockedDecrement InterlockedIncrement TlsGetValue FlushFileBuffers GetConsoleCP GetEnvironmentStringsW FreeEnvironmentStringsW GetTimeZoneInformation SetFilePointerEx SetStdHandle WriteConsoleW ReadConsoleW SetEndOfFile SetEnvironmentVariableA |
| USER32.dll | CopyImage GetWindow GetDesktopWindow KillTimer MsgWaitForMultipleObjects GetDlgCtrlID CheckRadioButton SendMessageTimeoutW PeekMessageW GetUserObjectSecurity SetUserObjectSecurity IsDialogMessageW DrawIconEx CheckMenuRadioItem WindowFromPoint RedrawWindow TrackPopupMenu RemoveMenu CreateMenu DrawMenuBar LoadMenuW TranslateAcceleratorW LoadAcceleratorsW IsWindowEnabled GetDlgItemTextW CreateDialogParamW IsWindow PostQuitMessage ExitWindowsEx DispatchMessageW TranslateMessage GetMessageW DrawEdge RegisterWindowMessageW GetWindowDC SetMenuItemInfoW IsIconic ShowWindowAsync SystemParametersInfoW EnumWindows SetClassLongW GetWindowTextW InvalidateRgn TrackPopupMenuEx ModifyMenuW AppendMenuW GetMenuItemCount GetMenuItemID EnableMenuItem CreatePopupMenu EnableWindow IsDlgButtonChecked CheckDlgButton GetWindowPlacement LoadIconW SetWindowPlacement DefMDIChildProcW DefFrameProcW DefDlgProcW CreateIconIndirect FrameRect ClientToScreen IsWindowVisible DestroyWindow GetClassNameW EnumChildWindows PtInRect UnionRect CopyRect ScreenToClient EmptyClipboard SetClipboardData CloseClipboard OpenClipboard IsZoomed EndDeferWindowPos DeferWindowPos BeginDeferWindowPos DrawFrameControl ChildWindowFromPoint SetDlgItemTextW DialogBoxParamW MoveWindow SetWindowTextW GetDlgItem EndDialog DialogBoxIndirectParamW GetScrollInfo SetScrollInfo GetParent GetClassLongW SetWindowLongW GetWindowLongW OffsetRect IntersectRect InflateRect FillRect GetSysColorBrush GetSysColor MapWindowPoints GetCursorPos SendMessageW WaitForInputIdle ShowWindow SetFocus GetSystemMetrics GetMenu CheckMenuItem GetSubMenu InsertMenuW GetWindowRect GetClientRect GetPropW SetPropW ScrollWindowEx ValidateRect InvalidateRect GetUpdateRgn GetUpdateRect EndPaint BeginPaint UpdateWindow DrawTextW SetTimer ReleaseCapture SetCapture DeleteMenu SetForegroundWindow MessageBoxW SetCursor FindWindowW FindWindowExW GetWindowThreadProcessId LoadCursorW DestroyIcon LoadImageW EnumDisplaySettingsW GetDC ReleaseDC GetCapture GetKeyState GetFocus SetWindowPos CreateWindowExW RegisterClassExW CallWindowProcW DefWindowProcW PostMessageW LoadStringW RegisterClassW |
| GDI32.dll | SetMapMode Polyline SelectObject SetBkColor SetBkMode SetTextColor StartDocW EndDoc StartPage EndPage CreateFontIndirectW GetTextExtentPoint32W GetTextMetricsW MoveToEx SetROP2 SaveDC RestoreDC Rectangle LineTo ExtTextOutW CreateDIBSection GetObjectW DeleteObject BitBlt CreateCompatibleBitmap CreateCompatibleDC CreatePen CreateRectRgn CreateRectRgnIndirect CreateSolidBrush DeleteDC GetBkColor GetBkMode GetDeviceCaps GetStockObject RectInRegion SelectClipRgn SetTextAlign |
| COMDLG32.dll | FindTextW ChooseColorW GetSaveFileNameW GetOpenFileNameW PrintDlgW ChooseFontW |
| ADVAPI32.dll | RegOpenKeyExW RegOpenKeyExA RegQueryValueExA LookupPrivilegeNameW SetKernelObjectSecurity IsValidSecurityDescriptor GetKernelObjectSecurity CreateProcessAsUserW RegConnectRegistryW FlushTraceW ConvertSidToStringSidW LsaEnumerateAccountRights RegCloseKey LsaOpenPolicy LsaClose LsaFreeMemory SetSecurityInfo GetSecurityInfo AddAccessAllowedAce GetAce AddAce InitializeAcl GetSidSubAuthorityCount GetSidSubAuthority GetSidIdentifierAuthority IsValidSid SetTokenInformation QueryServiceConfigW CopySid RevertToSelf OpenProcessToken GetTokenInformation AdjustTokenPrivileges EqualSid AllocateAndInitializeSid GetLengthSid CloseTrace ProcessTrace OpenTraceW ControlTraceW StartTraceW SetServiceObjectSecurity QueryServiceObjectSecurity MapGenericMask RegCreateKeyW StartServiceW QueryServiceStatus FreeSid LookupAccountSidW LookupAccountNameW LookupPrivilegeValueW ImpersonateLoggedOnUser DuplicateTokenEx RegCreateKeyExW RegDeleteKeyW RegEnumKeyW RegEnumValueW RegLoadKeyW RegOpenKeyW RegQueryInfoKeyW RegQueryValueExW RegSetValueExW RegUnLoadKeyW RegQueryValueW CryptAcquireContextW CryptReleaseContext CryptGetHashParam CryptCreateHash CryptHashData CryptDestroyHash RegDeleteValueW CloseServiceHandle OpenSCManagerW OpenServiceW ControlService |
| SHELL32.dll | SHGetPathFromIDListW SHGetSpecialFolderLocation SHBrowseForFolderW SHGetMalloc Shell_NotifyIconW ShellExecuteExW SHGetFileInfoW ShellExecuteW |
| ole32.dll | CoGetInterfaceAndReleaseStream CoInitialize CoInitializeEx CoCreateInstance CoUninitialize CoSetProxyBlanket CoMarshalInterThreadInterfaceInStream CoTaskMemFree |
| OLEAUT32.dll | #20 #4 #25 #24 #23 #2 #6 #7 #150 #8 #9 #12 #16 #19 |
| WINHTTP.dll | WinHttpOpenRequest WinHttpSetOption WinHttpQueryDataAvailable WinHttpSendRequest WinHttpReadData WinHttpConnect WinHttpCloseHandle WinHttpOpen WinHttpReceiveResponse WinHttpQueryHeaders WinHttpGetProxyForUrl WinHttpWriteData |
| PSAPI.DLL | GetModuleFileNameExW |
| String resources |
|---|
| Process |
| PID |
| Priority |
| Threads |
| Cycle CPU Usage |
| GPU |
| Paged Pool |
| Nonpaged Pool |
| Programs (*.exe, *.com, *.bat, *.pif)\|*.exe;*.com;*.bat\|Executables (*.exe)\|*.exe\|Command Files (*.com)\|*.com\|Batch Files (*.bat)\|*.bat\|Pif Files (*.pif)\|*.pif\| |
| There is insufficent memory to run the program |
| The file is not a valid executable format |
| Cannot find the specified file |
| Cannot find the specified path |
| Refresh process list |
| Handles |
| User Name |
| Handle |
| Type |
| Name |
| Base |
| Size |
| Version |
| Name |
| Show Unnamed Objects (Ctrl+U) |
| Find (Ctrl+F) |
| View Handles (Ctrl+H) |
| Time |
| Save (Ctrl+S) |
| View DLLs (Ctrl+D) |
| References |
| Parent |
| Window Title |
| Kill Process/Close Handle |
| Properties |
| Description |
| Access |
| Mapping |
| Refresh Now (F5) |
| Description |
| Frame |
| Address |
| Command Line |
| Company Name |
| Share |
| Service |
| Description |
| Display Name |
| Group |
| Privilege |
| Flags |
| Flags |
| Handle |
| Handle or DLL |
| Show Process Tree |
| CPU |
| Session |
| Variable |
| Value |
| Page Faults |
| Private Bytes |
| Path |
| Peak Private Bytes |
| Working Set |
| Peak Working Set |
| Threads |
| GDI Objects |
| USER Objects |
| I/O Reads |
| I/O Read Bytes |
| I/O Writes |
| I/O Write Bytes |
| I/O Other |
| I/O Other Bytes |
| Image Base |
| Limit |
| TID |
| Start Address |
| Function |
| User Time |
| Kernel Time |
| Start Time |
| CPU Time |
| Show Lower Pane (Ctrl+L) |
| Hide Lower Pane (Ctrl+L) |
| Show Processes From &All Users |
| Context Switches |
| CSwitch Delta |
| Counter |
| Methods Jitted |
| % Time in JIT |
| AppDomains |
| Assemblies |
| Classes Loaded |
| Total AppDomains |
| Total Assemblies |
| Total Classes Loaded |
| Total Lock Contentions |
| Heap Bytes |
| Gen 0 Collections |
| Gen 1 Collections |
| Gen 2 Collections |
| % Time in GC |
| Allocated Bytes/s |
| Runtime Checks |
| Contentions |
| Path |
| Find Handle (Ctrl+F) |
| Find Handle or DLL (Ctrl+F) |
| Virtual Size |
| WS Total |
| WS Private |
| WS Shared |
| PF Delta |
| Desktop Integrity Level |
| Comment |
| PROCEXPLORER |
| Process Explorer |
| Local Address |
| Object Address |
| Remote Address |
| Verified Signer |
| State |
| Protocol |
| Image Type |
| CPU History |
| Private Delta Bytes |
| Private Bytes History |
| Share Flags |
| Cycles |
| Window Status |
| Find &Window's Process (drag over window) |
| System Information (Ctrl+I) |
| DEP |
| Cycles Delta |
| Decoded Access |
| WS Shareable |
| I/O Delta Reads |
| I/O Delta Read Bytes |
| I/O Delta Writes |
| I/O Delta Write Bytes |
| I/O History |
| I/O Delta Other Bytes |
| I/O Delta Total Bytes |
| I/O Delta Other |
| Integrity |
| Virtualized |
| ASLR |
| Memory Priority |
| I/O Priority |
| Min Working Set |
| Max Working Set |
| Service |
| Network Receives |
| Network Delta Receives |
| Network Sends |
| Network Delta Sends |
| Network Other |
| Network Delta Others |
| Network History |
| Network Delta Receive Bytes |
| Network Receive Bytes |
| Network Send Bytes |
| Network Delta Send Bytes |
| Network Other Bytes |
| Network Delta Other Bytes |
| Network Delta Total Bytes |
| Disk Reads |
| Disk Delta Reads |
| Disk Writes |
| Disk Delta Writes |
| Disk Other |
| Disk Delta Others |
| Disk History |
| Disk Read Bytes |
| Disk Delta Read Bytes |
| Disk Write Bytes |
| Disk Delta Write Bytes |
| Disk Other Bytes |
| Disk Delta Other Bytes |
| Disk Delta Total Bytes |
| Tree CPU Usage |
| Processor |
| GPU |
| GPU System Bytes |
| GPU Dedicated Bytes |
| GPU Committed Bytes |
| Package Name |
| Process Timeline |
| Autostart Location |
| DPI Awareness |
| VirusTotal |
| Protection |
| UI Access |
| Provider Name |
| Namespace |
| DLL Path |
| Control Flow Guard |
| Version info (VS_VERSIONINFO) | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion (fixed info) | 16.21.0.0 |
| ProductVersion (fixed info) | 16.21.0.0 |
| FileFlags | VS_FF_PRIVATEBUILD |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | English - United States |
| CompanyName | Sysinternals - www.sysinternals.com |
| FileDescription | Sysinternals Process Explorer |
| FileVersion (string) | 16.21 |
| InternalName | Process Explorer |
| LegalCopyright | Copyright © 1998-2017 Mark Russinovich |
| LegalTrademarks | Copyright (C) 1998-2017 Mark Russinovich |
| OriginalFilename | Procexp.exe |
| ProductName | Process Explorer |
| ProductVersion (string) | 16.21 |
| Resource LangID | English - United States |
| Debug directory (CodeView) | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2017-Apr-30 23:30:45 |
| Version | 0.0 |
| SizeOfData | 91 |
| AddressOfRawData | 0xde4d8 |
| PointerToRawData | 0xdd0d8 |
| Referenced File | C:\Builds\13810\Tools\procexp_master\bin\Win32\Release\procexp.pdb |
| Load configuration | Value |
|---|---|
| Size | 0x48 |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x4f1560 |
| SEHandlerTable | 0x4df670 |
| SEHandlerCount | 206 |
| Rich header | Value |
|---|---|
| XOR Key | 0x392161d7 |
| Unmarked objects | 0 |
| 199 (41118) | 1 |
| ASM objects (VS2013 build 21005) | 30 |
| C++ objects (VS2013 build 21005) | 78 |
| C objects (VS2013 build 21005) | 223 |
| C++ objects (20806) | 7 |
| C objects (VS2008 SP1 build 30729) | 10 |
| C++ objects (VS2008 SP1 build 30729) | 1 |
| Imports (VS2008 SP1 build 30729) | 37 |
| Total imports | 550 |
| C objects (VS2013 UPD4 build 31101) | 2 |
| C++ objects (VS2013 UPD4 build 31101) | 64 |
| Resource objects (VS2013 build 21005) | 1 |
| Linker (VS2013 UPD4 build 31101) | 1 |
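The Rich header table above is what a decoder recovers from the bytes between the DOS stub and e_lfanew. The XOR key is not random: the linker derives it from the DOS header and the (compid, count) pairs, so it can be recomputed and compared, which catches Rich headers that were edited or transplanted to fake a toolchain. The following is an added example, not code from this report or from Sysinternals: it encodes and decodes a Rich header and verifies the key. The DOS header is constructed from this report's e_* values and the entries reuse its build numbers and counts; the product IDs are placeholders, since the prodid-to-tool mapping is not reproduced here.

```python
"""Added example (not from the report or Sysinternals): decode a Rich header
and recompute its XOR key as a tamper check."""
import struct

MASK32 = 0xFFFFFFFF
DANS = 0x536E6144          # "DanS" as a little-endian dword
RICH = b"Rich"


def rol32(value, count):
    """32-bit rotate left; the linker uses count & 0x1F."""
    count &= 0x1F
    return ((value << count) | (value >> (32 - count))) & MASK32


def rich_checksum(dos_region, entries):
    """Key as the linker computes it: the DanS offset, plus rol(byte, i) over
    every DOS-region byte except the e_lfanew field (0x3C-0x3F), plus
    rol(compid, count) over the entries, all mod 2**32."""
    checksum = len(dos_region)
    for i, byte in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        checksum = (checksum + rol32(byte, i)) & MASK32
    for prodid, build, count in entries:
        checksum = (checksum + rol32((prodid << 16) | build, count)) & MASK32
    return checksum


def build_rich_header(dos_region, entries):
    """Encode: DanS, three zero pads and the pairs, each XORed with the key,
    followed by a clear 'Rich' marker and the key itself."""
    key = rich_checksum(dos_region, entries)
    words = [DANS, 0, 0, 0]
    for prodid, build, count in entries:
        words += [(prodid << 16) | build, count]
    return b"".join(struct.pack("<I", w ^ key) for w in words) + RICH + struct.pack("<I", key)


def parse_rich_header(blob):
    """Locate, decode and verify the Rich header of a PE image; None if absent."""
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    end = blob.rfind(RICH, 0x40, e_lfanew)
    if end == -1:
        return None
    key, = struct.unpack_from("<I", blob, end + 4)
    start = blob.rfind(struct.pack("<I", DANS ^ key), 0x40, end)
    if start == -1 or (end - start) % 8 != 0:
        raise ValueError("malformed Rich header")
    words = [w ^ key for w in struct.unpack_from("<%dI" % ((end - start) // 4), blob, start)]
    # words[0] is DanS, words[1:4] are padding, then (compid, count) pairs
    entries = [(words[i] >> 16, words[i] & 0xFFFF, words[i + 1]) for i in range(4, len(words), 2)]
    return {
        "offset": start,
        "key": key,
        "entries": entries,                      # (prodid, build, count)
        "total_objects": sum(count for _, _, count in entries),
        "checksum_ok": rich_checksum(blob[:start], entries) == key,
    }


# (prodid, build, count): builds and counts follow the Rich header table in this
# report; the prodid values are placeholders (the prodid -> tool table is not included).
RICH_ENTRIES = [
    (0x0101, 21005, 223),   # "C objects (VS2013 build 21005)"
    (0x0102, 21005, 78),    # "C++ objects (VS2013 build 21005)"
    (0x0103, 30729, 37),    # "Imports (VS2008 SP1 build 30729)"
    (0x0104, 31101, 1),     # "Linker (VS2013 UPD4 build 31101)"
]


def build_sample():
    """Constructed blob: DOS header from this report's e_* values, the Rich
    header at 0x80, zero padding up to e_lfanew = 0x118, then 'PE\\0\\0'."""
    dos = bytearray(0x80)
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
    # e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    struct.pack_into("<2s13H", dos, 0, b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    struct.pack_into("<I", dos, 0x3C, 0x118)
    blob = bytes(dos) + build_rich_header(bytes(dos), RICH_ENTRIES)
    return blob + b"\0" * (0x118 - len(blob)) + b"PE\0\0"


SAMPLE = build_sample()

if __name__ == "__main__":
    info = parse_rich_header(SAMPLE)
    print("key 0x%08x, checksum_ok=%s" % (info["key"], info["checksum_ok"]))
    for prodid, build, count in info["entries"]:
        print("prodid 0x%04x build %5d count %d" % (prodid, build, count))
```

On a real file, `parse_rich_header(open(path, "rb").read())` should return `checksum_ok` True and a key equal to the XOR Key row above; a mismatch means the Rich header or the DOS stub was modified after linking, which is worth a line in the report because the toolchain attribution then cannot be trusted.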