Manalyze report for 705f5d24ef8780386e98d6d0b50b0a70

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2047-Oct-13 07:26:21
Detected languages	English - United States
Debug artifacts	MpUxAgent.pdb
CompanyName	Microsoft Corporation
FileDescription	Defender MpUxAgent
FileVersion	`4.18.2102.4 (WinBuild.160101.0800)`
InternalName	MpUxAgent
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	MpUxAgent.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion	`4.18.2102.4`

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Can access the registry: RegDeleteKeyW RegCreateKeyExW RegSetValueExW RegOpenKeyExW RegCloseKey RegQueryValueExW` `Uses Microsoft's cryptographic API: CryptCATAdminCalcHashFromFileHandle CryptCATAdminEnumCatalogFromHash CryptCATCatalogInfoFromContext CryptCATAdminReleaseCatalogContext CryptCATAdminReleaseContext CryptCATAdminAcquireContext` `Functions related to the privilege level: CheckTokenMembership OpenProcessToken AdjustTokenPrivileges` `Changes object ACLs: SetNamedSecurityInfoW`
Info	The PE is digitally signed.	`Signer: Microsoft Windows` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/69 (Scanned on 2021-03-17 12:40:50)	`All the AVs think this file is safe.`

Hashes

MD5	`705f5d24ef8780386e98d6d0b50b0a70`
SHA1	`5f7a2014a15baddafa27e737c4b2599efdd52623`
SHA256	`02ed9ffa244dcf19cca9273a2040ed15d3e741f6a0690d996c17805dbd3578bf`
SHA3	`15b06d7496e35545f7928e69ef90c30be892403c9508dc0eb2ada206e0fafee9`
SSDeep	`6144:3HMuT2lRbxZMUa8Ji6GENmrJDoeKL+PVkYPOPHiTVVmVVV8VVNVVVcVVVxVVVPVt:3suT6zhG7rJDoeKL+PVzbA`
Imports Hash	`a1213ebbccbabe71995ff16b3923f2e0`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2047-Oct-13 07:26:21
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2a000`
SizeOfInitializedData	`0x42000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000022FD0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x6e000`
SizeOfHeaders	`0x1000`
Checksum	`0x7372a`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`01ef275083afc2124144a27478b54f98`
SHA1	`b2aad1ddaa61ee31fb8d0efd423e91954e29f7e7`
SHA256	`acae19774df5183eae300b0e9d2b38fc744c633e5b7a4cbc35561028f3aaa660`
SHA3	`c717a852b198271eadd1611bce484fe1a1433a8ad4bea91b670e31221fb7f39f`
VirtualSize	`0x29385`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2a000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.33262`

.rdata

MD5	`dd93ec12e6f3d8dbd5e52ea85f8e822a`
SHA1	`37b55777597c23ced6c86b15c70f9cd1de362ae1`
SHA256	`80d16ec360970892405b1dde3552cddfc90884b5037b7b44d3134f61a408e414`
SHA3	`95a4a7e86ce7f83fc36b6bc8b71b9d61d1d67529bce5897c29e8b6f12f38dcf2`
VirtualSize	`0xd6c8`
VirtualAddress	`0x2b000`
SizeOfRawData	`0xe000`
PointerToRawData	`0x2b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.61286`

.data

MD5	`2affd8ed9fc67967fa6031c23ace9cb4`
SHA1	`969f9a7a3b951383304f58753afdfa9afc5a9e26`
SHA256	`e85801341384724e9374d67ff338d4bbbaf1a80e5bc685c1ab82c52d0c14c4c4`
SHA3	`0fab3de31be7b2d4fbc3e4849ebfbaba1e693859f572fa901909c40ea5ee0dae`
VirtualSize	`0x2aa0`
VirtualAddress	`0x39000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x39000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.78857`

.pdata

MD5	`ca3afa7ae838fe9366c06f48d1f0bb1e`
SHA1	`3a6fddd0fbcb2f9e5bca4bafc69c084911a521c8`
SHA256	`6219039537219f06024084ff4836e1c854073924c60badc81d16594ddb03fd95`
SHA3	`e16ca4ddcba8f9bae691eab06ccea604f78b6a3635cf5c87aee0fbfc08bf3619`
VirtualSize	`0x19a4`
VirtualAddress	`0x3c000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x3b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.67651`

.rsrc

MD5	`97b74de894d1440b3addadea76ee0155`
SHA1	`74895582bb4115e18b3590658497a8c9ca0295fc`
SHA256	`22758cc4f3c6ce0f0619045a935ed9b609a40eadb5a3ab9734be2052a0fdf0f3`
SHA3	`253f0414ac4da4e11062292a01b1bb7eebb2e1c53823e82206378d3932b913ac`
VirtualSize	`0x2ea5c`
VirtualAddress	`0x3e000`
SizeOfRawData	`0x2f000`
PointerToRawData	`0x3d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.24321`

.reloc

MD5	`8fba4e3fbe509e0c7a11e3196cac5686`
SHA1	`31fdb18324ff4f45bd320e1ed07854a8a4cda86f`
SHA256	`d081999fae94dcf09f2065995b84df4b26257f4d316843eddf4ff73cab7c0cf7`
SHA3	`97960bd4b39f180a7c302a042cb845b2f5fe16f32ea7d9cb27d60d72827098af`
VirtualSize	`0x4dc`
VirtualAddress	`0x6d000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x6c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.44011`

Imports

api-ms-win-crt-string-l1-1-0.dll	`_wcsdup` `_wcsicmp` `strcpy_s` `wcsnlen` `wcscmp`
api-ms-win-crt-convert-l1-1-0.dll	`_wtoi`
api-ms-win-crt-stdio-l1-1-0.dll	`__stdio_common_vsprintf` `__stdio_common_vsprintf_s` `__stdio_common_vswscanf`
api-ms-win-crt-runtime-l1-1-0.dll	`_errno` `_invalid_parameter_noinfo` `_cexit` `_initterm` `_invalid_parameter_noinfo_noreturn` `_crt_atexit` `_seh_filter_dll` `_configure_narrow_argv` `terminate` `_initialize_narrow_environment` `_initialize_onexit_table` `_register_onexit_function` `abort` `_execute_onexit_table` `_initterm_e`
api-ms-win-crt-heap-l1-1-0.dll	`malloc` `_calloc_base` `_free_base` `free` `_callnewh`
api-ms-win-crt-locale-l1-1-0.dll	`___mb_cur_max_func` `_lock_locales` `_unlock_locales` `___lc_locale_name_func` `__pctype_func` `___lc_codepage_func` `setlocale`
ADVAPI32.dll	`CheckTokenMembership` `FreeSid` `GetSecurityDescriptorOwner` `ConvertStringSidToSidW` `GetNamedSecurityInfoW` `CopySid` `SetNamedSecurityInfoW` `AllocateAndInitializeSid` `GetLengthSid` `OpenProcessToken` `RegDeleteKeyW` `RegCreateKeyExW` `RegSetValueExW` `GetSecurityDescriptorDacl` `RegOpenKeyExW` `OpenThreadToken` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `UnregisterTraceGuids` `RegisterTraceGuidsW` `GetTraceEnableLevel` `GetTraceEnableFlags` `GetTraceLoggerHandle` `TraceMessage` `RegCloseKey` `EventWriteTransfer` `AccessCheck` `AdjustTokenPrivileges` `LookupPrivilegeValueW` `RegQueryValueExW` `EventUnregister` `EventRegister`
CRYPT32.dll	`CertVerifyCertificateChainPolicy`
KERNEL32.dll	`DisableThreadLibraryCalls` `GetCurrentThread` `CloseHandle` `LocalFree` `ProcessIdToSessionId` `RaiseException` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `lstrcmpW` `GetVersionExW` `FreeLibrary` `GetLastError` `MultiByteToWideChar` `GetStringTypeW` `WideCharToMultiByte` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionEx` `DeleteCriticalSection` `EncodePointer` `DecodePointer` `LCMapStringEx` `GetCurrentProcess` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentThreadId` `InitializeSListHead` `IsDebuggerPresent` `GetModuleHandleW` `RtlUnwindEx` `InterlockedFlushSList` `RtlPcToFileHeader` `SetLastError` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `LoadLibraryExW` `CreateFileW` `GetFileAttributesW` `WaitForSingleObject` `GetProcAddress` `ResetEvent` `WaitForSingleObjectEx` `ReleaseSemaphore` `GetModuleFileNameW` `InitializeCriticalSectionAndSpinCount` `GetSystemDirectoryW` `Sleep` `CreateSemaphoreW` `ExpandEnvironmentStringsW` `CreateEventW` `RtlCaptureContext` `SetEvent`
ole32.dll	`CoRevertToSelf` `CoImpersonateClient` `CoTaskMemFree` `StringFromCLSID`
RPCRT4.dll	`IUnknown_QueryInterface_Proxy` `CStdStubBuffer_Disconnect` `CStdStubBuffer_DebugServerRelease` `NdrOleAllocate` `CStdStubBuffer_QueryInterface` `CStdStubBuffer_CountRefs` `IUnknown_Release_Proxy` `CStdStubBuffer_AddRef` `CStdStubBuffer_IsIIDSupported` `CStdStubBuffer_DebugServerQueryInterface` `IUnknown_AddRef_Proxy` `CStdStubBuffer_Invoke` `NdrCStdStubBuffer_Release` `NdrDllCanUnloadNow` `NdrDllGetClassObject` `NdrDllRegisterProxy` `NdrDllUnregisterProxy` `NdrOleFree` `UuidCreate` `CStdStubBuffer_Connect`
WINTRUST.dll	`WinVerifyTrust` `WTHelperProvDataFromStateData` `WTHelperGetProvSignerFromChain` `CryptCATAdminCalcHashFromFileHandle` `CryptCATAdminEnumCatalogFromHash` `CryptCATCatalogInfoFromContext` `CryptCATAdminReleaseCatalogContext` `CryptCATAdminReleaseContext` `CryptCATAdminAcquireContext`
api-ms-win-core-winrt-string-l1-1-0.dll	`WindowsCreateStringReference` `WindowsGetStringRawBuffer` `WindowsDeleteString`
api-ms-win-core-winrt-l1-1-0.dll	`RoActivateInstance` `RoGetActivationFactory`
api-ms-win-core-com-midlproxystub-l1-1-0.dll	`ObjectStublessClient7` `ObjectStublessClient4` `ObjectStublessClient9` `ObjectStublessClient8` `ObjectStublessClient6` `ObjectStublessClient3` `ObjectStublessClient5`
mpclient.dll	`MpFreeMemory` `MpConfigGetValueAlloc` `MpConfigClose` `MpHandleClose` `MpConveyDlpBypass` `MpConfigOpen` `MpConveyUserChoiceForDlpNotification` `MpConfigGetValue` `MpManagerOpen` `MpConfigInitialize` `MpConfigUninitialize` `MpClientUtilExportFunctions` `MpUtilsExportFunctions` `MpManagerVersionQuery` `MpShowDlpDetailsDialog`

Delayed Imports

DllCanUnloadNow

Ordinal	`1`
Address	`0x2400`

DllGetClassObject

Ordinal	`2`
Address	`0x2310`

DllMain

Ordinal	`3`
Address	`0x37a0`

DllRegisterServer

Ordinal	`4`
Address	`0x32a0`

DllUnregisterServer

Ordinal	`5`
Address	`0x3410`

1

Type	`MUI`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xd0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.69672`
MD5	`8bbf1cb57c2dcae775d3fcb599133b6e`
SHA1	`965b45a9b7c7df1ad44857075cba8cf77a11195e`
SHA256	`5417819f8e5f62187b534944f79b4251740905eb7ead7f36671baf06d2c6c5de`
SHA3	`9e1ef449fc7b93562a79373f37ceaadd00da527a4586d380bd91ffee6f609f23`

1 (#2)

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x28fa`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.89822`
Detected Filetype	PNG graphic file
MD5	`5fc7f3e833aa3dade89b2369d92cd728`
SHA1	`16ef247f8a45573263277eaf738ddc02173dcd12`
SHA256	`45451711b30e288b80b8e5d2de3b91a4d0f24fc6a4adb207772c61c2df4fd244`
SHA3	`7e0b61478788b0ba7a54a6078c05da98b6176786e39ba628cf0f301bfe457a09`

2

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.85958`
MD5	`ab69e6b59743ae18aa261f33357f7a02`
SHA1	`84a0298a37b77c0dc1b02ef220307f4f11abd44c`
SHA256	`2cfa4b82b456f3a1f8cf2fb022ee036286bad72bfd703acdd0a190159357c72b`
SHA3	`954e3aa8c09e7ef396ead1f44ecbaa394b2aedf9128979017dc57a182377a67b`

3

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.90749`
MD5	`2a01a8b926141e465c790414d3f4f5bd`
SHA1	`945d7bba3528e22e97fa222f14c263a5c46d54ab`
SHA256	`f08d7c3c5fb52cce3da96b5e6e88ac83e1fef971d7c8f0ded2577cc6fc62f850`
SHA3	`c920d396286b17226d3687a7acb8db4678b5137ac63921bd3edaacf832ddf055`

4

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x67e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.01074`
MD5	`ebe85b27e56ea51d95760c2d90337a00`
SHA1	`3603f81753de12052604156aa2c2a947b25c0e99`
SHA256	`32800b953885fd2c9f7bced26cc6763fa0c88fb5812b0379e37acce4d7871c6e`
SHA3	`c883f77152b39a0f2dfe6200f02df2b640d31f2e520e0b1dd3b98f94ccc82d74`

5

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.90399`
MD5	`0b6f50ff9960fb330b309ab2863316e9`
SHA1	`18b5a2932b04823d57f79ccb996db7915bdc2f27`
SHA256	`0f4d7075dca6571d5932f30366f998d83cd5f99bd1464b01b8c845dbc4d527ad`
SHA3	`aa4ec2cdedfd6cdafd54ad0422cdb4bb90a4bfed64c1f3581c09269d7fae7b1a`

6

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.99318`
MD5	`a2d3d5a835ef0bf237927de22f6d8176`
SHA1	`bb1d636b76a9862fde5f3291cee2cd427ebc4563`
SHA256	`a74b2469457be5e44b2ead40a0532dc686eb545a594479e81488e124352ee12f`
SHA3	`8be4f06f3541fe022ccb5f57eb8542bf70038f4b3420c108ab99c2bce9f996b4`

7

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x1a68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91039`
MD5	`093dbca2c1326705257baf65b97f5bd6`
SHA1	`a2687d286c0535a8dca44eb22503bb309df57b56`
SHA256	`adfd74463887d02eab7757d2990f7ba3d199675b474539f0776700627c2a7b98`
SHA3	`402e99a4d091c15ce2f6a13b8505724f0ff7cbcc3eb6451c03c8d5d30d07067a`

8

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.83377`
MD5	`a125bb13c10d720916a5485034c6d2a8`
SHA1	`40cd48bbb14ed1090bc03c1821779bfc8b853d91`
SHA256	`dc56a5379239e56b48acbee47d9be3f5c1415fdc141ef6ff64b8d15ef2f1e7b9`
SHA3	`6f4a38bef360b2da7a3c4e242dd825d5e0601fd00329ff828f0f935c77b1527e`

9

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xcd8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.29838`
MD5	`4972a8f15460812374a29b9c8a38c78f`
SHA1	`193c6d01ba8651c1be1633dca80cd30d273fea93`
SHA256	`9cae025fbc32784c9d7ba70c5e32911a337e7dddccd332bdcc473adc106d3eba`
SHA3	`d321eabfdc0b5c0244504679dee8230d25f377709c8f3e015725e8bc178a69c5`

10

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.22766`
MD5	`e92ae4fc4634fcddcba8baa80c5d4b42`
SHA1	`a25c554d2f1d4683f36f8c5fb3274627f77d9f92`
SHA256	`9d8dd51c59c513ae1a637c5e16368a33c75dafa88eadb4b92eb286f1431931ea`
SHA3	`4116f922038ba8d7f4554283d30b6138071ed41df7f7bcf53625fad4c7214764`

11

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x6b8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.15847`
MD5	`e803806cbc7224b5cbfa516c4c627400`
SHA1	`88e9921e63c0518f01155f7c31962e819fa94410`
SHA256	`d0bdbe28bc6aa66dd8f2a2e1ab91f451672d398e8c14bf3f60278f8f19c86765`
SHA3	`64dc4b1ad75e5ace1a2580876dd95f5c51b170e13ec3658604c42ef35edd3a21`

12

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.09777`
MD5	`8f7371483b099eb85bf142dc4f82bfc5`
SHA1	`a0bdd4a1fabd20208b750829eb4a1e525bc92f1c`
SHA256	`abf6e5b1c26a68b37711e72b55092f2f1da6251a74d035e111b5316154f04852`
SHA3	`5abd972320a03a25d3fb879a54a57d6179c740f929ea22e9b61b688d53c67af1`

101

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xae`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.18938`
Detected Filetype	Icon file
MD5	`1057e2849605f0e78b050d766036747b`
SHA1	`cab3cea44026bf4e0cfeff13bc197bb2fb267b3e`
SHA256	`9f7c407d7bae8fcac462066e7f6434089012b69c48878221ec532340316a5cc2`
SHA3	`d3c88864f8b7f1414d631c1e7e305382819a600fb6217e66c198fdec19c69a11`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x380`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.52469`
MD5	`827e4a8c424f3a6720fb514e39a2ce87`
SHA1	`adc0dcd2f7a2aef0b920bd8728e434e00b1dd6f1`
SHA256	`668e41da2acc6bfa686142f201ac859a3e44a3dc99aab5a243962d57c44e8983`
SHA3	`d85d034f97b83bb13a5f968d27ba8f929c10258a6fd0680914c2c1a0f1433939`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	4.18.2102.4
ProductVersion	4.18.2102.4
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Defender MpUxAgent
FileVersion (#2)	4.18.2102.4 (WinBuild.160101.0800)
InternalName	MpUxAgent
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	MpUxAgent.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	4.18.2102.4

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2047-Oct-13 07:26:21
Version	`0.0`
SizeofData	`38`
AddressOfRawData	`0x33f6c`
PointerToRawData	`0x33f6c`
Referenced File	MpUxAgent.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2047-Oct-13 07:26:21
Version	`0.0`
SizeofData	`1132`
AddressOfRawData	`0x33f94`
PointerToRawData	`0x33f94`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2047-Oct-13 07:26:21
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x34428`
PointerToRawData	`0x34428`

UNKNOWN (#2)

Characteristics	`0`
TimeDateStamp	2047-Oct-13 07:26:21
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0x3444c`
PointerToRawData	`0x3444c`

TLS Callbacks

StartAddressOfRawData	`0x180034470`
EndAddressOfRawData	`0x180034478`
AddressOfIndex	`0x18003b5c8`
AddressOfCallbacks	`0x18002ce50`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x18003ad50`
GuardCFCheckFunctionPointer	`6442634616`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x369cc9d9`
Unmarked objects	`0`
Imports (29395)	`20`
C objects (29395)	`14`
ASM objects (29395)	`10`
Imports (VS2008 SP1 build 30729)	`25`
Total imports	`366`
C++ objects (29395)	`43`
Exports (29395)	`1`
265 (29395)	`88`
Resource objects (29395)	`1`
Linker (29395)	`1`

705f5d24ef8780386e98d6d0b50b0a70

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

DllCanUnloadNow

DllGetClassObject

DllMain

DllRegisterServer

DllUnregisterServer

1

1 (#2)

2

3

4

5

6

7

8

9

10

11

12

101

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

UNKNOWN (#2)

TLS Callbacks

Load Configuration

RICH Header

Errors