90c8dbb07922c2d5189d862dcbced513

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2059-Sep-04 07:26:34
Detected languages English - United States
TLS Callbacks 2 callback(s) detected.
Debug artifacts MsSense.pdb
CompanyName Microsoft Corporation
FileDescription Windows Defender Advanced Threat Protection Service Executable
FileVersion 10.8804.27858.1000 (4fd1f10721aaac7d6e596063c37f9376e5d0da47) (GitEnlistment(ContainerAdministrator).160101.0800)
InternalName MsSense.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename MsSense.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.8804.27858.1000

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • %temp%
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryExA
Can access the registry:
  • RegGetValueW
  • RegDeleteKeyValueW
  • RegOpenKeyExW
  • RegCreateKeyExW
  • RegSetValueExW
  • RegCloseKey
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Leverages the raw socket API to access the Internet:
  • InetNtopW
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Interacts with services:
  • OpenSCManagerW
  • ChangeServiceConfigW
  • OpenServiceW
  • QueryServiceConfigW
  • ControlService
Enumerates local disk drives:
  • GetDriveTypeW
  • GetVolumeInformationW
Changes object ACLs:
  • SetNamedSecurityInfoW
Info The PE is digitally signed. Signer: Microsoft Windows Publisher
Issuer: Microsoft Windows Production PCA 2011
Safe VirusTotal score: 0/72 (Scanned on 2026-02-15 04:17:44) All the AVs think this file is safe.

Hashes

MD5 90c8dbb07922c2d5189d862dcbced513
SHA1 3f445fad43c6afa48bd71daad55ea55ff3bad887
SHA256 fca0f2c8dfbe05ffe174c40295b7aabe6e965df579898fda13da1ab56a5b03ae
SHA3 6676a729778795374e65efce5cf2bb966b9aa1bcd884b55a118b089d12c7343a
SSDeep 12288:474AI+KjoT+qLQRaQuOOoNckmMTs0yGKl+AXW8U:47W+K0yqkRiOOoNckmMT+dLjU
Imports Hash 503371dee80a821379ada91cee9a1522

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x120

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2059-Sep-04 07:26:34
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x77000
SizeOfInitializedData 0x4c000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000045030 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0xc4000
SizeOfHeaders 0x1000
Checksum 0xd07d3
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 ad0a8442e16e93d778dd1b31bdc1a27e
SHA1 3c6bce5a267ae788f1dbedeeda2d8c046225349d
SHA256 624d723f28738d1a9bc0075fafdb259405ac71ce965d61b0caf9310287022fbf
SHA3 2a17b2dcad0cb09c49fbdafb45b81ee3907905728f7d6ed68e17c5cc0dad743e
VirtualSize 0x7632c
VirtualAddress 0x1000
SizeOfRawData 0x77000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40094

.rdata

MD5 ce7cbd2903960f887c7b4a703f7c2f0d
SHA1 59aa17ee5b93e2e1e94a796815b22bfd91c15a0d
SHA256 7dbd52beaa370b33f36648143e84ac1c2fb61e4bf7cc410ebe3fbb627e255dc8
SHA3 88a987b59662df4cab706454a8e9d41dceca253dfa18ad57fa6e9e04d43576e7
VirtualSize 0x2ea16
VirtualAddress 0x78000
SizeOfRawData 0x2f000
PointerToRawData 0x78000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.39402

.data

MD5 ade63dd8060433171649f84a83cf1746
SHA1 7001eb8d1bb22d0626b69643a0b39a63e0337ed2
SHA256 0f28ab62b3ee50edf5a4bf345040d84b704dd45185962381f6ed4cbb52fdb930
SHA3 8874cf529733551c237200291723419b71fc9416eb46adb48457553803eec58a
VirtualSize 0x7984
VirtualAddress 0xa7000
SizeOfRawData 0x4000
PointerToRawData 0xa7000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.27901

.pdata

MD5 92af72a2d589e4267d64ce91c759ef3b
SHA1 c81b49e30ccbd2cc84a5854d63cd088b8d34a403
SHA256 5089582f004b17b8013283ccbb76c0856f5ea25f8f1cf1ae792fb5cb44cd11af
SHA3 827e52ecd167ac75b6c52f6a682a828456fa3a28dc213fd7653d8479d557e00a
VirtualSize 0x61ec
VirtualAddress 0xaf000
SizeOfRawData 0x7000
PointerToRawData 0xab000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.29906

.didat

MD5 b0ab3e0a07b43f253b4e3020b3abccea
SHA1 f2be4f0e030c233c885e95b8a8072449f3cfac72
SHA256 a2280cc4068919c6f6bed271fe4338ea3f6f00dad1f66827adb42aad19f9e6e6
SHA3 e0fa9dfa5cbf9a723e89ab8ad483cb21fe7967a45ec6c6cdf2c424c91a1a69ef
VirtualSize 0x20
VirtualAddress 0xb6000
SizeOfRawData 0x1000
PointerToRawData 0xb2000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.0313499

.rsrc

MD5 0a9ac5c1d152fc8a01bf5ce6f59a1423
SHA1 35c47220c50ebf36794f0291709da628518e2fa5
SHA256 b5d21c9c539c241cc56f075366470466a8000026e36dcbced068b8217f3f8d83
SHA3 4864f8bbc8a8e62bee4c90b7f94c249ea3db9681e6591b3be4fec878b38db446
VirtualSize 0xa028
VirtualAddress 0xb7000
SizeOfRawData 0xb000
PointerToRawData 0xb3000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.46768

.reloc

MD5 2be52988aa7bf51d76837332d54550d2
SHA1 72c79a150f41fa295780cd26f515320741ff2eb7
SHA256 3cc2c7de52d6c59b0cd082dda86692c9abc7afbcba0e3ec994f76cb1c5ac9e8a
SHA3 f62534cc3289aac62dd14b95b1f01ca207edb6091bd727cffdd3bfa31cb07b33
VirtualSize 0x10d0
VirtualAddress 0xc2000
SizeOfRawData 0x2000
PointerToRawData 0xbe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.68546

Imports

KERNEL32.dll CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
GetModuleFileNameW
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
CreateFileW
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetDriveTypeW
GetLogicalDrives
GetVolumeInformationW
QueryDosDeviceW
GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW
DeviceIoControl
MultiByteToWideChar
QueryPerformanceCounter
CompareFileTime
CreateThreadpoolTimer
GetSystemTimeAsFileTime
GetProductInfo
GetVersionExW
Sleep
AcquireSRWLockShared
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
FlushFileBuffers
GetFileAttributesW
RemoveDirectoryW
SetFileAttributesW
SetFilePointerEx
WriteFile
AcquireSRWLockExclusive
ReleaseSRWLockShared
ReleaseSRWLockExclusive
VerSetConditionMask
LoadLibraryW
FreeLibrary
MoveFileExW
WriteConsoleW
GetWindowsDirectoryW
GetComputerNameExW
EnterCriticalSection
GetTempPathW
GlobalAlloc
GetTempFileNameW
SetStdHandle
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
FindFirstFileExW
GetOEMCP
GetLongPathNameW
TerminateProcess
GetCurrentProcess
InitOnceComplete
InitOnceBeginInitialize
WideCharToMultiByte
FormatMessageW
GetProcAddress
GetModuleHandleExW
GetModuleHandleW
GetACP
IsValidCodePage
GetModuleFileNameA
CompareStringW
GetConsoleMode
GetConsoleOutputCP
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
DecodePointer
HeapReAlloc
HeapSize
GetCurrentThreadId
GetCurrentProcessId
CreateSemaphoreExW
CreateMutexExW
LCMapStringW
OpenSemaphoreW
WaitForSingleObjectEx
FlsFree
WaitForSingleObject
ReleaseMutex
ReleaseSemaphore
FlsSetValue
FlsGetValue
FlsAlloc
GetFileType
ExpandEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetStdHandle
ExitProcess
LoadLibraryExW
GlobalFree
TlsFree
TlsSetValue
VerifyVersionInfoW
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
InterlockedPushEntrySList
RtlUnwindEx
GetStartupInfoW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetProcessHeap
HeapFree
HeapAlloc
SetLastError
GetLastError
CloseHandle
OutputDebugStringW
DebugBreak
IsDebuggerPresent
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
LCMapStringEx
GetCPInfo
CompareStringEx
RtlPcToFileHeader
GetStringTypeW
WakeAllConditionVariable
SleepConditionVariableSRW
EncodePointer
ADVAPI32.dll RegGetValueW
RegDeleteKeyValueW
RegOpenKeyExW
RegCreateKeyExW
OpenSCManagerW
CloseServiceHandle
RegSetValueExW
StartServiceCtrlDispatcherW
EventRegister
EventUnregister
EventSetInformation
EventWriteTransfer
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
SetNamedSecurityInfoW
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
DestroyPrivateObjectSecurity
ChangeServiceConfigW
OpenServiceW
StartServiceW
RegCloseKey
QueryServiceConfigW
ControlService
VERSION.dll GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
api-ms-win-core-featurestaging-l1-1-0.dll SubscribeFeatureStateChangeNotification
RecordFeatureError
RecordFeatureUsage
UnsubscribeFeatureStateChangeNotification
GetFeatureEnabledState
api-ms-win-core-featurestaging-l1-1-1.dll GetFeatureVariant
api-ms-win-core-path-l1-1-0.dll PathCchCombine
USERENV.dll GetAllUsersProfileDirectoryW
WS2_32.dll InetNtopW
IPHLPAPI.DLL GetUnicastIpAddressEntry
GetIfEntry2
FreeMibTable
GetUnicastIpAddressTable
SETUPAPI.dll SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiGetDevicePropertyW
SetupDiGetDeviceRegistryPropertyW
SetupOpenInfFileW
SetupDiEnumDeviceInterfaces
SetupInstallFromInfSectionW
SetupInstallServicesFromInfSectionW
bcrypt.dll BCryptCloseAlgorithmProvider
BCryptDestroyHash
ntdll.dll RtlInitUnicodeString
api-ms-win-core-libraryloader-l1-2-0.dll GetModuleHandleExA
ole32.dll (delay-loaded) CoTaskMemFree

Delayed Imports

Attributes 0x1
Name ole32.dll
ModuleHandle 0xac400
DelayImportAddressTable 0xb6010
DelayImportNameTable 0xa50b8
BoundDelayImportTable 0xa50f0
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xf0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.78158
MD5 22c12af17717e8787c39fe96c2f6e8fc
SHA1 c6681e4b0295b9e046e385150216b82441a16516
SHA256 27507e610fad4d846b2e3671438b2bcb382db2e5e10e820dc0d1bef48c8a26fa
SHA3 a01ae20f0e0e34b8d2e49740538c3768561b73cf5f75b5f6af01e5f20ac0f539

1 (#2)

Type WEVT_TEMPLATE
Language English - United States
Codepage UNKNOWN
Size 0x97ce
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.68949
MD5 b5f039e1992fa4c1d445df0f58c3d646
SHA1 b761c5f9cc7a10f2bfbd9d5eae09cb11a2897f90
SHA256 92dd2b909b31061f4bd3f0ad32df1ed0994fc569989e631485be50b705147bfe
SHA3 82b240fb89a361cd23317872e92274c7c575c2f0f2cb95a829e8510a617961fe

1 (#3)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x484
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.61393
MD5 292fafd251a64c3fa66669af3b228e4d
SHA1 d80e6fcc946a5dc4a2b95c641a190e533c3b5cda
SHA256 259b39cbd81dd2e51826d356fb1a9b74869017f59b459069c03840a1f8a50895
SHA3 47c0a0b5f68ebab893c565c1cc18d713afe1a8c7e6445397b49b3f4f8a6165e1

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.8804.27858.1000
ProductVersion 10.8804.27858.1000
FileFlags VS_FF_PRIVATEBUILD
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Windows Defender Advanced Threat Protection Service Executable
FileVersion (#2) 10.8804.27858.1000 (4fd1f10721aaac7d6e596063c37f9376e5d0da47) (GitEnlistment(ContainerAdministrator).160101.0800)
InternalName MsSense.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename MsSense.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.8804.27858.1000
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2059-Sep-04 07:26:34
Version 0.0
SizeofData 36
AddressOfRawData 0x9cd6c
PointerToRawData 0x9cd6c
Referenced File MsSense.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2059-Sep-04 07:26:34
Version 0.0
SizeofData 1380
AddressOfRawData 0x9cd90
PointerToRawData 0x9cd90

UNKNOWN

Characteristics 0
TimeDateStamp 2059-Sep-04 07:26:34
Version 0.0
SizeofData 36
AddressOfRawData 0x9d31c
PointerToRawData 0x9d31c

UNKNOWN (#2)

Characteristics 0
TimeDateStamp 2059-Sep-04 07:26:34
Version 0.0
SizeofData 4
AddressOfRawData 0x9d340
PointerToRawData 0x9d340

TLS Callbacks

StartAddressOfRawData 0x14009d370
EndAddressOfRawData 0x14009d5a0
AddressOfIndex 0x1400ad538
AddressOfCallbacks 0x140078f68
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_16BYTES
Callbacks 0x0000000140045190
0x0000000140045200

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1400a7880
GuardCFCheckFunctionPointer 5369202328
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x3c79cc90
Unmarked objects 0
ASM objects (32595) 7
C++ objects (32595) 181
C objects (35207) 16
ASM objects (35207) 13
ASM objects (33135) 2
C objects (35209) 8
C objects (32595) 26
C objects (LTCG) (35209) 12
Imports (32595) 6
C++ objects (35207) 107
Imports (VS2008 SP1 build 30729) 43
Total imports 358
C++ objects (35209) 118
Resource objects (35209) 1
151 1
Linker (35209) 1

Errors