Manalyze report for 9fe3ed67345f0ff829a4a53b90e09672

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2009-Jul-14 01:28:50
Detected languages	English - United States
Debug artifacts	loadperf.pdb
CompanyName	Microsoft Corporation
FileDescription	Load & Unload Performance Counters
FileVersion	`6.1.7600.16385 (win7_rtm.090713-1255)`
InternalName	LODCTR.DLL
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	LODCTR.DLL
ProductName	Microsoft® Windows® Operating System
ProductVersion	`6.1.7600.16385`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA` `Can access the registry: RegSetValueExW RegOpenKeyExW RegCloseKey RegDeleteValueW RegEnumKeyExW RegQueryValueExW` `Uses Windows's Native API: NtCreateMutant NtOpenPrivateNamespace NtCreatePrivateNamespace`
Safe	VirusTotal score: 0/62 (Scanned on 2018-07-05 19:17:36)	`All the AVs think this file is safe.`

Hashes

MD5	`9fe3ed67345f0ff829a4a53b90e09672`
SHA1	`c598eda119fc04d02f34e1746de8caa2786d9bf1`
SHA256	`f70cd131dcf101b26cd55a57876db3765b3e15c9d3a8b508ff041c91226ec504`
SHA3	`dc2d5eb0a96a1bd8b751f77f73a9d0f8592ca3e777d65eeeb70e262246dd0a09`
SSDeep	`1536:y9aiQAu/fVG7eBDQMNwlLy36LR01yFOOo95zNg8CEVevWHy+Y4r2OXrKoj:y9aiQPtGUDQLLWkFC/g8WOY4r2O7K8`
Imports Hash	`e6c4be7bcd710a6caaa2d76ba2688fd5`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2009-Jul-14 01:28:50
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`9.1`
SizeOfCode	`0x1d400`
SizeOfInitializedData	`0x6400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000001B69C (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x7ff71860000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`6.1`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x27000`
SizeOfHeaders	`0x600`
Checksum	`0x23bfc`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`06dabe29d0eaa67de9aa71aa049e22fb`
SHA1	`20720499e5b328bcbadf256bd6dbeca6337fbac6`
SHA256	`c850bfd1fb8abf3ece171dfa72cf35835a9955249aa19128fb0b0c3809c61a70`
SHA3	`41bd57c05dc71e0e6baf272c8587ae6023bdfc4bcfeea9b3cb400c01a376b4e8`
VirtualSize	`0x1d2b6`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1d400`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.10393`

.data

MD5	`dfd0cda6113df5eed0531136424e4bae`
SHA1	`3c4e26f7ab11eb1218fca3fff67cdebf8f5ef9ab`
SHA256	`1afb188a0300c1ac391ccdbd58c1dcbdcd8fdfc912c4c9a4d298ccb54df1d677`
SHA3	`2c9e3c8ee0347c80d4d343f297ed81ae90f8d0be7b8918677525c8c211541cd5`
VirtualSize	`0x1b70`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1da00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.52053`

.pdata

MD5	`f20a880e5a001bf32d09492aae942bd7`
SHA1	`a8998a56e8c8345d7372e507e8d282c699ef4dd7`
SHA256	`792d8f78491cafe36af296a712015b97b14a635a9f385816798e6232dd249fc9`
SHA3	`90d255c17a521041d42ea5cd88d753d09717d7fdaf1e7adcf3e1bd75f1eae97b`
VirtualSize	`0x498`
VirtualAddress	`0x21000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1de00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.09102`

.rsrc

MD5	`68be89a79d56c3406211e9fb94ff08e4`
SHA1	`9613228f20bc185728f48d802c17c3fd6c8a4642`
SHA256	`90401548d823832fbc25c7c1bc5c65b22aaae985d245c2ecc626ec567d126dbd`
SHA3	`83303b4f564b052d864d388420dfa2a9cf3f4a46b3f506966b3ef8e390d001da`
VirtualSize	`0x3d68`
VirtualAddress	`0x22000`
SizeOfRawData	`0x3e00`
PointerToRawData	`0x1e400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.81077`

.reloc

MD5	`42aba15ffe66c64b0da19190b769e7e7`
SHA1	`6d631ee10360cbaba0ab2442ceedea83c5c22f6c`
SHA256	`5db036d9c77b6b80131fb5b260579fc558a501558f470947dcdba45296506f35`
SHA3	`e631d67f753898bd81e2b3ecbbb9724316a18d73c135b41652c698c4d4303d1f`
VirtualSize	`0x276`
VirtualAddress	`0x26000`
SizeOfRawData	`0x400`
PointerToRawData	`0x22200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.97029`

Imports

msvcrt.dll	`_iob` `_wsplitpath_s` `wcschr` `vfwprintf` `wcstoul` `_wfopen` `_ultow_s` `fgetws` `wcsstr` `swscanf_s` `fclose` `_vsnwprintf` `_XcptFilter` `malloc` `_initterm` `free` `_amsg_exit` `__C_specific_handler` `memcpy` `iswctype` `wprintf` `fprintf` `memset`
ntdll.dll	`RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `NtCreateMutant` `RtlNtStatusToDosError` `NtOpenPrivateNamespace` `NtCreatePrivateNamespace` `EtwEventWrite` `EtwEventUnregister` `EtwEventRegister` `EtwLogTraceEvent`
KERNELBASE.dll	`GetUserDefaultUILanguage`
API-MS-Win-Core-Console-L1-1-0.dll	`WriteConsoleW`
API-MS-Win-Core-ErrorHandling-L1-1-0.dll	`SetLastError` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetLastError`
API-MS-Win-Core-File-L1-1-0.dll	`GetFileSize` `CreateDirectoryW` `FindFirstFileExW` `CreateFileW` `FindClose` `FindNextFileW` `DeleteFileW` `GetFileType` `WriteFile` `RemoveDirectoryW` `GetFileTime`
API-MS-Win-Core-Handle-L1-1-0.dll	`CloseHandle`
API-MS-Win-Core-Heap-L1-1-0.dll	`HeapAlloc` `HeapFree` `HeapReAlloc` `HeapSize` `GetProcessHeap`
API-MS-Win-Core-LibraryLoader-L1-1-0.dll	`DisableThreadLibraryCalls` `FreeLibrary` `GetProcAddress` `LoadLibraryExA` `LoadStringW` `GetModuleHandleA`
API-MS-Win-Core-LocalRegistry-L1-1-0.dll	`RegSetValueExW` `RegOpenKeyExW` `RegCloseKey` `RegLoadMUIStringW` `RegDeleteValueW` `RegEnumKeyExW` `RegQueryValueExW`
API-MS-Win-Core-Memory-L1-1-0.dll	`UnmapViewOfFile` `MapViewOfFileEx` `CreateFileMappingW`
API-MS-Win-Core-Misc-L1-1-0.dll	`LocalFree` `lstrlenW` `lstrlenA` `lstrcmpiW` `Sleep` `LocalAlloc`
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll	`GetStdHandle` `SearchPathW` `ExpandEnvironmentStringsW`
API-MS-Win-Core-ProcessThreads-L1-1-0.dll	`GetCurrentProcessId` `TerminateProcess` `GetCurrentProcess` `GetCurrentThreadId`
API-MS-Win-Core-Profile-L1-1-0.dll	`QueryPerformanceCounter`
API-MS-Win-Core-String-L1-1-0.dll	`WideCharToMultiByte` `MultiByteToWideChar` `CompareStringW`
API-MS-Win-Core-Synch-L1-1-0.dll	`WaitForSingleObject` `SetEvent` `OpenEventW` `CreateMutexW` `ReleaseMutex`
API-MS-Win-Core-SysInfo-L1-1-0.dll	`GetSystemDirectoryW` `GetSystemTimeAsFileTime` `GetSystemWindowsDirectoryW` `GetTickCount`
API-MS-Win-Security-Base-L1-1-0.dll	`SetSecurityDescriptorDacl` `CreateWellKnownSid` `AllocateAndInitializeSid` `FreeSid` `InitializeSecurityDescriptor`
KERNEL32.dll	`DeleteBoundaryDescriptor` `CreateBoundaryDescriptorW` `GetPrivateProfileSectionW` `CopyFileExW` `DosDateTimeToFileTime` `DelayLoadFailureHook` `CopyFileW` `GetPrivateProfileIntW` `FileTimeToDosDateTime` `AddSIDToBoundaryDescriptor` `GetPrivateProfileStringW`
API-MS-Win-Security-SDDL-L1-1-0.dll (delay-loaded)	`ConvertStringSecurityDescriptorToSecurityDescriptorW`

Delayed Imports

Attributes	`0x1`
Name	`API-MS-Win-Security-SDDL-L1-1-0.dll`
ModuleHandle	`0x1f890`
DelayImportAddressTable	`0x1f300`
DelayImportNameTable	`0x1cf90`
BoundDelayImportTable	`0x1d008`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

BackupPerfRegistryToFileW

Ordinal	`1`
Address	`0x18148`

InstallPerfDllA

Ordinal	`2`
Address	`0xfd28`

InstallPerfDllW

Ordinal	`3`
Address	`0xfba0`

LoadPerfCounterTextStringsA

Ordinal	`4`
Address	`0xff14`

LoadPerfCounterTextStringsW

Ordinal	`5`
Address	`0xfdc8`

LpAcquireInstallationMutex

Ordinal	`6`
Address	`0x1b040`

LpReleaseInstallationMutex

Ordinal	`7`
Address	`0x1b0f0`

RestorePerfRegistryFromFileW

Ordinal	`8`
Address	`0x19d98`

SetServiceAsTrustedA

Ordinal	`9`
Address	`0x1227c`

SetServiceAsTrustedW

Ordinal	`10`
Address	`0x11c98`

UnloadPerfCounterTextStringsA

Ordinal	`11`
Address	`0x167b4`

UnloadPerfCounterTextStringsW

Ordinal	`12`
Address	`0x16564`

UpdatePerfNameFilesA

Ordinal	`13`
Address	`0x11a80`

UpdatePerfNameFilesW

Ordinal	`14`
Address	`0x11964`

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.77324`
MD5	`99ed34860b36ac1217c492a862ff8574`
SHA1	`0ddaa9dbe0c327c283a4cbe32040ff2d42468db4`
SHA256	`87c2796e7dfe7da4b5a0f90f7e735fea3b3f60fa5c8c7e5618deb2b13a2a4423`
SHA3	`888e9894ca7ea6f8bd156540d12f680ad6ff4fe036e766c1fca5d74d54ef366a`

1 (#2)

Type	`WEVT_TEMPLATE`
Language	English - United States
Codepage	UNKNOWN
Size	`0x37b2`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.83916`
MD5	`d8706c64a3aee3af8713b33daa06a582`
SHA1	`438116a871cc9efb8b626d65897cee40a3745c53`
SHA256	`16095e55a42f6a83b529280534e70ad30b1bf45f83c88d2a7a92467e574847a9`
SHA3	`3127deb92997adcaf851d6c1990c9aab64670819728550138459b04b5f27034e`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3ac`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.57048`
MD5	`c2cf589b4d1b7cf63589b9510ee306d8`
SHA1	`555982ff00c332951467da0575668bbd0af2056f`
SHA256	`987bd24c126dbf3ecee7c5c3d4f164356827c84f9c82b68c4df6ebdad476f878`
SHA3	`9d661af42a3ab207d28950aff8f2f8d6fd23f8777e8974b30d403141e658f28a`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7600.16385
ProductVersion	6.1.7600.16385
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Load & Unload Performance Counters
FileVersion (#2)	6.1.7600.16385 (win7_rtm.090713-1255)
InternalName	LODCTR.DLL
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	LODCTR.DLL
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	6.1.7600.16385

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2009-Jul-13 23:31:22
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0x2cf8`
PointerToRawData	`0x22f8`
Referenced File	loadperf.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x14575aee`
Unmarked objects	`0`
ASM objects (VS2008 SP1 build 30729)	`1`
Total imports	`123`
Imports (VS2008 SP1 build 30729)	`41`
C objects (VS2008 SP1 build 30729)	`11`
Exports (VS2008 SP1 build 30729)	`1`
137 (VS2008 SP1 build 30729)	`7`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

9fe3ed67345f0ff829a4a53b90e09672

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

BackupPerfRegistryToFileW

InstallPerfDllA

InstallPerfDllW

LoadPerfCounterTextStringsA

LoadPerfCounterTextStringsW

LpAcquireInstallationMutex

LpReleaseInstallationMutex

RestorePerfRegistryFromFileW

SetServiceAsTrustedA

SetServiceAsTrustedW

UnloadPerfCounterTextStringsA

UnloadPerfCounterTextStringsW

UpdatePerfNameFilesA

UpdatePerfNameFilesW

1

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors