Manalyze report for a2a05994e8070a2b5d979edf4b53f9c8

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2027-Jul-20 00:47:34
Detected languages	English - United States
Debug artifacts	msoobe.pdb
CompanyName	Microsoft Corporation
FileDescription	MSOOBE EXE
FileVersion	`10.0.15063.0 (WinBuild.160101.0800)`
InternalName	msoobe.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	msoobe.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.15063.0`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services` `Contains domain names: http://schemas.microsoft.com http://schemas.microsoft.com/windows/2004/02/mit/task microsoft.com schemas.microsoft.com`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress LoadLibraryW` `Can access the registry: RegUnLoadKeyW RegLoadKeyW RegQueryValueExW RegDeleteKeyW SHEnumKeyExW RegGetValueW RegCloseKey RegEnumValueW RegEnumKeyExW RegCreateKeyExW RegQueryInfoKeyW RegSetValueExW RegOpenKeyExW` `Uses Microsoft's cryptographic API: CryptDecodeObjectEx CryptBinaryToStringW` `Interacts with services: OpenSCManagerW QueryServiceStatus ControlService OpenServiceW QueryServiceStatusEx` `Interacts with the certificate store: CertOpenStore`
Safe	VirusTotal score: 0/69 (Scanned on 2021-02-18 23:56:05)	`All the AVs think this file is safe.`

Hashes

MD5	`a2a05994e8070a2b5d979edf4b53f9c8`
SHA1	`3b5b58ae1ceda3ac9e9bb2b4086f48a484afced0`
SHA256	`b036b70076c46ea60bcf4acbb970a905c376895842759a1de85b177fd2e4293f`
SHA3	`195014af8bd414e319564ce25c21ae53f7feb1063c27ca1167a5763df2816121`
SSDeep	`3072:GdiC+FSwR9BEOugK5cbjd2Z0X/D+c55UvFdqGlLT57XIke+AdQt72P8rI:GdzIoOugScHdg2/D+cqqKIRdXP8`
Imports Hash	`d7672f46fd2e4b8a4c69408f70fe1f2b`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2027-Jul-20 00:47:34
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x20e00`
SizeOfInitializedData	`0x13600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000200D0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x39000`
SizeOfHeaders	`0x400`
Checksum	`0x3fc3b`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1976e4bf30d0e405853db2dd0d4d97d9`
SHA1	`0865bf73402f93fe47ca96e17077c5e635806778`
SHA256	`ab95dd41d0be6b465795660e1b07d08b064d2dc462fcc367139f978423f4735e`
SHA3	`4b0f31651d7ec3bc8d73c3083611de309d1ebde5dff6b729c79b00a070588d15`
VirtualSize	`0x20d0f`
VirtualAddress	`0x1000`
SizeOfRawData	`0x20e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.36283`

.rdata

MD5	`d21f14f0b2c07adf35e9a2d43e1cf7bc`
SHA1	`6643652270a7a57c7dd228228ae396ae26fdb61d`
SHA256	`5fd2d0c379379daeb05397cf4f925c134f39912e4b185219f4b52b625a4d7779`
SHA3	`ee7c2208a1c127a70c373a6465765267acbf63b225f3c9daee551e6345f215c8`
VirtualSize	`0xf4b6`
VirtualAddress	`0x22000`
SizeOfRawData	`0xf600`
PointerToRawData	`0x21200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.49676`

.data

MD5	`d59c59a8302b1212ec7bc4e2c6693524`
SHA1	`9cf4aee24f34fc67a722072910b7dcf5b57708e1`
SHA256	`1b517f63345cb9e0b8db42670d275969d8ede55b8646ba802cd9b39b8bc35852`
SHA3	`a71ada210b588b427739e8982d23ef764db2f1035401a0948140160dd65a63e6`
VirtualSize	`0x1130`
VirtualAddress	`0x32000`
SizeOfRawData	`0x800`
PointerToRawData	`0x30800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.2548`

.pdata

MD5	`c66b6907384a7b2f6bfaf68e6c5497d6`
SHA1	`afbed2681588de3b68a80a7da66773ed807230fc`
SHA256	`58529ae6e9adace514fa1af50cd87fa7171129cd814e901674f20f71c2b477c6`
SHA3	`c8f1149a98c398261bbf4b799b6a3534f02635dc161515a8978aa27891c04c9d`
VirtualSize	`0x16a4`
VirtualAddress	`0x34000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x31000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.05406`

.rsrc

MD5	`fbab7e4b8b5b4b06499f58fba0375d03`
SHA1	`a449603b0942db1fa41e1824f86b392e494655e2`
SHA256	`a4b47bd6e3db57daac1d981bdeaab91bee5e00f75c4b5542d6f50c0ec7653cbe`
SHA3	`bd6cae2fcbcd74ea7c982b57c972b1b4e3695aef9c222b36123ff22f058fa972`
VirtualSize	`0x1128`
VirtualAddress	`0x36000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x32800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.35829`

.reloc

MD5	`23919490444fd7e50b118ad22dd460ef`
SHA1	`8030ea89d9eb5babd863eadec3c1e2f5b6641cd7`
SHA256	`fc218bee0379365d1cb98599bbaf427133fecce981862ab74e5b9d2739c4f199`
SHA3	`4f278453aae1dbb57d865f9e2743312e96371e38bbbd6348db97680d31f8ae78`
VirtualSize	`0x3e4`
VirtualAddress	`0x38000`
SizeOfRawData	`0x400`
PointerToRawData	`0x33a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.29531`

Imports

ADVAPI32.dll	`EventRegister` `EventUnregister` `RegUnLoadKeyW` `RegLoadKeyW` `OpenSCManagerW` `RegQueryValueExW` `GetTraceLoggerHandle` `GetTraceEnableFlags` `GetTraceEnableLevel` `RegisterTraceGuidsW` `UnregisterTraceGuids` `QueryServiceStatus` `CloseServiceHandle` `ControlService` `StartServiceW` `OpenServiceW` `RegDeleteKeyW`
KERNEL32.dll	`LocalAlloc` `GetVersionExW` `ExpandEnvironmentStringsW` `CreateDirectoryW` `GetFullPathNameW` `GetFileAttributesW` `LoadLibraryExW` `InitializeCriticalSection` `GetModuleFileNameW` `GetModuleFileNameA` `CreateSemaphoreExW` `HeapFree` `SetLastError` `ReleaseSemaphore` `GetModuleHandleExW` `WaitForSingleObject` `ReleaseMutex` `FormatMessageW` `GetLastError` `OutputDebugStringW` `WaitForSingleObjectEx` `OpenSemaphoreW` `CloseHandle` `HeapAlloc` `GetProcAddress` `CreateMutexExW` `GetCurrentProcessId` `GetProcessHeap` `GetModuleHandleW` `HeapSetInformation` `CreateMutexW` `OpenMutexW` `lstrcmpiW` `GetCurrentThreadId`
msvcrt.dll	`memmove` `strtok_s` `_purecall` `__C_specific_handler` `_initterm` `__setusermatherr` `__CxxFrameHandler3` `?terminate@@YAXXZ` `memmove_s` `_cexit` `_exit` `exit` `__set_app_type` `__getmainargs` `_amsg_exit` `_XcptFilter` `_wtol` `??1type_info@@UEAA@XZ` `memcmp` `_vsnprintf` `wcsrchr` `_wcsnicmp` `memcpy` `_CxxThrowException` `_onexit` `__dllonexit` `_unlock` `?what@exception@@UEBAPEBDXZ` `_lock` `??0exception@@QEAA@AEBQEBDH@Z` `_commode` `??0exception@@QEAA@AEBQEBD@Z` `_callnewh` `malloc` `_fmode` `_vsnprintf_s` `??0exception@@QEAA@AEBV0@@Z` `_ismbblead` `wcschr` `??0exception@@QEAA@XZ` `??1exception@@UEAA@XZ` `??3@YAXPEAX@Z` `memcpy_s` `_vsnwprintf` `_acmdln` `memset`
PROPSYS.dll	`PropVariantToUInt32` `PropVariantToBoolean` `PropVariantToStringAlloc` `PSCreateMemoryPropertyStore`
SHELL32.dll	`#102` `SHGetFolderPathEx`
SHLWAPI.dll	`#278` `SHCreateStreamOnFileW` `PathAppendW` `SHStrDupW` `#215` `SHDeleteValueW` `#437` `StrCmpIW` `SHSetThreadRef` `#460` `SHCreateThreadRef` `SHEnumKeyExW` `#219` `#631`
api-ms-win-core-com-l1-1-1.dll	`PropVariantClear` `CoTaskMemFree` `CoInitializeEx` `CoCreateInstance` `StringFromGUID2` `CoGetApartmentType` `CoWaitForMultipleHandles` `CoTaskMemRealloc` `CoTaskMemAlloc` `CoGetMalloc` `CLSIDFromString` `CoSetProxyBlanket` `StringFromCLSID` `CoUninitialize`
api-ms-win-core-synch-l1-2-0.dll	`InitOnceComplete` `AcquireSRWLockExclusive` `ReleaseSRWLockExclusive` `ReleaseSRWLockShared` `OpenEventW` `WaitForMultipleObjectsEx` `AcquireSRWLockShared` `SetEvent` `LeaveCriticalSection` `InitializeCriticalSectionEx` `EnterCriticalSection` `CreateEventExW` `InitOnceBeginInitialize` `DeleteCriticalSection` `Sleep` `ResetEvent` `CreateEventW`
api-ms-win-core-processthreads-l1-1-2.dll	`TerminateProcess` `TlsAlloc` `GetCurrentProcess` `TlsSetValue` `TlsFree` `CreateThread` `GetStartupInfoW`
api-ms-win-core-rtlsupport-l1-2-0.dll	`RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind`
api-ms-win-core-errorhandling-l1-1-1.dll	`UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `RaiseException`
api-ms-win-core-profile-l1-1-0.dll	`QueryPerformanceCounter`
api-ms-win-core-sysinfo-l1-2-1.dll	`GetTickCount64` `GetSystemTimeAsFileTime` `GetTickCount` `GetSystemTime`
api-ms-win-eventing-provider-l1-1-0.dll	`EventWriteTransfer` `EventActivityIdControl` `EventSetInformation` `EventWrite`
api-ms-win-core-registry-l1-1-0.dll	`RegGetValueW` `RegCloseKey` `RegEnumValueW` `RegEnumKeyExW` `RegCreateKeyExW` `RegQueryInfoKeyW` `RegDeleteTreeW` `RegSetValueExW` `RegOpenKeyExW`
api-ms-win-security-sddl-l1-1-0.dll	`ConvertStringSecurityDescriptorToSecurityDescriptorW`
api-ms-win-core-string-l1-1-0.dll	`CompareStringOrdinal`
api-ms-win-core-threadpool-l1-2-0.dll	`CallbackMayRunLong` `CloseThreadpoolTimer` `WaitForThreadpoolTimerCallbacks` `SetThreadpoolTimer` `CreateThreadpoolTimer` `FreeLibraryWhenCallbackReturns` `TrySubmitThreadpoolCallback`
api-ms-win-core-file-l1-2-1.dll	`FlushFileBuffers` `CreateFileW`
api-ms-win-core-libraryloader-l1-2-0.dll	`FreeLibrary` `FreeLibraryAndExitThread`
api-ms-win-core-handle-l1-1-0.dll	`DuplicateHandle`
OLEAUT32.dll	`SysAllocStringLen` `SysAllocString` `SysFreeString` `VariantClear`
api-ms-win-core-localization-l1-2-1.dll	`GetThreadUILanguage` `GetUserGeoID`
api-ms-win-core-libraryloader-l1-2-2.dll	`LoadLibraryW`
api-ms-win-core-heap-l2-1-0.dll	`LocalFree`
api-ms-win-core-synch-l1-2-1.dll	`CreateSemaphoreW`
COMCTL32.dll	`#339` `#334` `#329` `#386` `#328` `#336`
MsCtfMonitor.DLL	`UninitLocalMsCtfMonitor` `InitLocalMsCtfMonitor`
ntdll.dll	`WinSqmEndSession` `WinSqmStartSession` `RtlFreeHeap` `RtlAllocateHeap` `WinSqmSetDWORD`
USER32.dll	`IsHungAppWindow` `DefWindowProcW` `PostMessageW` `DestroyWindow` `PeekMessageW` `GetSystemMetrics` `DispatchMessageW` `EnumDisplaySettingsW` `PostQuitMessage` `PostThreadMessageW` `SetCursor` `LoadCursorW` `MsgWaitForMultipleObjectsEx` `TranslateMessage`
CRYPT32.dll	`CertFindCertificateInStore` `CertCloseStore` `CryptDecodeObjectEx` `CryptBinaryToStringW` `CertFreeCertificateContext` `CertFindExtension` `CertOpenStore`
api-ms-win-service-management-l2-1-0.dll	`QueryServiceStatusEx`

Delayed Imports

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xe8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.86615`
MD5	`2b6dd7bf793b2b616016fe80d5fdb43f`
SHA1	`7b5903f95f125e79a5fc50ddaafaa6c6ed64af6e`
SHA256	`f1fce6c471b4b30475d74ccfb707b80791d3892a091ba19bed14eb78595f3820`
SHA3	`91b8bfae61eda2e344a28c4b2dd779cbbad40f97541be297bbc0bbd192cf34aa`

1 (#2)

Type	`WEVT_TEMPLATE`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6b6`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.78139`
MD5	`93956d69222e4d87bbc98c13419b4150`
SHA1	`4182796f7f8f1bc4e4bf5c282124dfd5a65b6430`
SHA256	`b92da59c164cdc242dde43256cd3ee492f89a3dd63f2f9b1152277498774f440`
SHA3	`10af40a1553c6798c6eeb616f0c45d184071fcac5df32e72cc5ddad6e576763c`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x384`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42713`
MD5	`3b3668a5e7a42d3fe017c040d6624d88`
SHA1	`93fa279e1ce266b271c81e11384f61e9c032f13d`
SHA256	`ff90ac862420918b8d50aac8aaeeab9590f173f93cd44b93efd32fbdbf4cd85b`
SHA3	`9b41879aeb063631453813ce3dc0085f2337009dca2e784e6399a74570cb0133`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x49c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.97916`
MD5	`5a6f56814f222d6c87f3f1ccfb8b02cc`
SHA1	`cebe9ac30899f4ac181066d09f47b978b4fa0a44`
SHA256	`15a60e82148ccac547f453272f58cc22a8858ecf68a8a67cab436cafc9269d8d`
SHA3	`35ef2fffc0af1fcc9b596eba21160a4dfef735c6aae0bf19c74b9a0efa418cd7`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.15063.0
ProductVersion	10.0.15063.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	MSOOBE EXE
FileVersion (#2)	10.0.15063.0 (WinBuild.160101.0800)
InternalName	msoobe.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	msoobe.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.15063.0

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2027-Jul-20 00:47:34
Version	`0.0`
SizeofData	`35`
AddressOfRawData	`0x2d218`
PointerToRawData	`0x2c418`
Referenced File	msoobe.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2027-Jul-20 00:47:34
Version	`0.0`
SizeofData	`744`
AddressOfRawData	`0x2d23c`
PointerToRawData	`0x2c43c`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2027-Jul-20 00:47:34
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0xf4`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140032358`
GuardCFCheckFunctionPointer	`5368855648`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x38aeeb5d`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`52`
ASM objects (24610)	`4`
C objects (24610)	`19`
C++ objects (24610)	`8`
Imports (24610)	`23`
Total imports	`368`
265 (24610)	`66`
Resource objects (24610)	`1`
Linker (24610)	`1`

a2a05994e8070a2b5d979edf4b53f9c8

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

1 (#3)

1 (#4)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors