Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2018-Nov-16 23:19:59 |
Detected languages | English - United States |
Debug artifacts | C:\agent\_work\68\s\exe\Release\procexp.pdb |
CompanyName | Sysinternals - www.sysinternals.com |
FileDescription | Sysinternals Process Explorer |
FileVersion | 16.22 |
InternalName | Process Explorer |
LegalCopyright | Copyright © 1998-2018 Mark Russinovich |
LegalTrademarks | Copyright (C) 1998-2018 Mark Russinovich |
OriginalFilename | Procexp.exe |
ProductName | Process Explorer |
ProductVersion | 16.22 |
Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0; MASM/TASM - sig1(h) |
Suspicious | Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools: |
Info | Cryptographic algorithms detected in the binary: Uses constants related to SHA1; Uses constants related to SHA256; Microsoft's Cryptography API |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
Malicious | The PE is possibly a dropper. Resource 150 detected as a PE Executable. Resource 152 detected as a PE Executable. |
Info | The PE is digitally signed. Signer: Microsoft Corporation; Issuer: Microsoft Code Signing PCA |
Suspicious | VirusTotal score: 1/69 (Scanned on 2019-04-11 13:21:20) | Yandex: Trojan.Shelma! |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x128 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2018-Nov-16 23:19:59 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 12.0 |
SizeOfCode | 0xba000 |
SizeOfInitializedData | 0x1f9000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0009B33C (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0xbb000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.1 |
ImageVersion | 0.0 |
SubsystemVersion | 5.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x2b5000 |
SizeOfHeaders | 0x400 |
Checksum | 0x294e51 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
SHLWAPI.dll | SHAutoComplete ColorHLSToRGB ColorRGBToHLS #176 UrlUnescapeW |
---|---|
IPHLPAPI.DLL | GetExtendedTcpTable GetExtendedUdpTable |
WS2_32.dll | #15 #115 #8 #9 #51 #14 #56 |
MPR.dll | WNetGetConnectionW |
COMCTL32.dll | CreatePropertySheetPageW #413 #410 CreateStatusWindowW ImageList_Create PropertySheetW #17 ImageList_DrawEx ImageList_ReplaceIcon ImageList_Add InitCommonControlsEx ImageList_Destroy |
VERSION.dll | VerQueryValueW GetFileVersionInfoW GetFileVersionInfoSizeW |
credui.dll | CredUIPromptForCredentialsW |
SETUPAPI.dll | SetupDiEnumDeviceInterfaces SetupDiGetDeviceInterfaceDetailW SetupDiGetClassDevsW SetupDiDestroyDeviceInfoList |
CRYPT32.dll | CertGetNameStringW CertDuplicateCertificateContext |
ACLUI.dll | #1 |
POWRPROF.dll | SetSuspendState IsPwrHibernateAllowed IsPwrSuspendAllowed |
WTSAPI32.dll | WTSEnumerateSessionsW WTSQuerySessionInformationW WTSSendMessageW WTSDisconnectSession WTSLogoffSession WTSFreeMemory |
UxTheme.dll | EnableThemeDialogTexture |
ntdll.dll | NtQueryObject NtOpenSymbolicLinkObject NtQuerySystemInformation NtSetInformationProcess NtQuerySymbolicLinkObject NtCreateKey NtOpenKey NtResumeProcess NtOpenThread NtQuerySemaphore NtQueryEvent NtSuspendProcess NtQueryInformationProcess NtQueryInformationThread NtResumeThread NtSuspendThread RtlCreateQueryDebugBuffer RtlQueryProcessDebugInformation NtLoadDriver RtlUnwind RtlDestroyQueryDebugBuffer NtQueryMutant NtQuerySection |
KERNEL32.dll | CreateEventW CreateThread GetExitCodeThread GetFileSizeEx MulDiv GetTickCount GlobalAddAtomW FormatMessageW LocalAlloc GetFileType GetCommandLineW LockResource HeapDestroy HeapAlloc HeapReAlloc HeapFree HeapSize GetProcessHeap LoadResource EnterCriticalSection FindResourceW FindResourceExW GlobalAlloc GlobalReAlloc GlobalLock GlobalUnlock TerminateThread Module32FirstW Module32NextW DeleteCriticalSection GetSystemTime GetSystemTimeAsFileTime SystemTimeToFileTime IsBadStringPtrW SetLastError OpenEventW ReadProcessMemory lstrcmpiW GetEnvironmentVariableW VirtualQueryEx GetCurrentProcessId SetFilePointer IsProcessorFeaturePresent GetSystemDirectoryW DeleteFileW SearchPathW OpenThread GetThreadContext SuspendThread ResumeThread Thread32First Thread32Next ResetEvent QueryPerformanceCounter QueryPerformanceFrequency IsBadReadPtr GlobalFree GlobalMemoryStatusEx SetProcessWorkingSetSize TerminateProcess GetProcessId PulseEvent SetPriorityClass GetComputerNameW ProcessIdToSessionId WTSGetActiveConsoleSessionId GetLogicalProcessorInformation GlobalMemoryStatus VirtualAlloc VirtualFree GetProcessAffinityMask SetProcessAffinityMask GetProcessWorkingSetSize DeviceIoControl DuplicateHandle OutputDebugStringW GetDriveTypeW GetCurrentDirectoryW CreateJobObjectW QueryInformationJobObject IsProcessInJob WideCharToMultiByte DecodePointer RaiseException InitializeCriticalSectionAndSpinCount GetNativeSystemInfo ExpandEnvironmentStringsA LoadLibraryA GetCurrentThread LeaveCriticalSection FindNextFileW FindClose WaitForMultipleObjects ReadFile LoadLibraryExW FreeLibrary GetPrivateProfileStringW FindFirstFileW GetFileAttributesW Process32NextW Process32FirstW CreateToolhelp32Snapshot GetNumberFormatW GetDateFormatW GetTimeFormatW GetLocaleInfoW IsWow64Process CreateFileW GetFullPathNameW GetSystemWow64DirectoryW GetSystemWindowsDirectoryW ExpandEnvironmentStringsW SetEnvironmentVariableW CreateProcessW GetModuleHandleW GetModuleFileNameW LoadLibraryW CreateFileMappingW TlsSetValue TlsAlloc lstrlenW UnmapViewOfFile MapViewOfFile FormatMessageA FileTimeToSystemTime FileTimeToLocalFileTime CloseHandle GetFileTime WriteFile GetStdHandle GetFileSize Sleep InitializeCriticalSection SetErrorMode GetLastError ExitThread GetCurrentProcess OpenProcess GetLongPathNameW LocalFree GetVersion GetProcAddress InterlockedDecrement InterlockedIncrement TlsGetValue lstrlenA GetStringTypeW EncodePointer IsDebuggerPresent GetCurrentThreadId ExitProcess GetModuleHandleExW GetConsoleMode ReadConsoleInputA SetConsoleMode GetCPInfo UnhandledExceptionFilter SetUnhandledExceptionFilter TlsFree GetStartupInfoW CompareStringW LCMapStringW IsValidLocale GetUserDefaultLCID EnumSystemLocalesW IsValidCodePage GetACP GetOEMCP FlushFileBuffers GetConsoleCP GetEnvironmentStringsW FreeEnvironmentStringsW GetTimeZoneInformation SetFilePointerEx SetStdHandle WriteConsoleW SetEndOfFile ReadConsoleW SetEnvironmentVariableA WaitForSingleObject MultiByteToWideChar SetEvent SizeofResource |
USER32.dll | GetWindow GetGuiResources LoadBitmapW CopyImage GetDesktopWindow KillTimer MsgWaitForMultipleObjects GetDlgCtrlID CheckRadioButton SendMessageTimeoutW PeekMessageW IsHungAppWindow LockWorkStation IsDialogMessageW DrawIconEx CheckMenuRadioItem WindowFromPoint RedrawWindow EndMenu SetMenuInfo GetMenuInfo TrackPopupMenu RemoveMenu CreateMenu DrawMenuBar LoadMenuW TranslateAcceleratorW LoadAcceleratorsW IsWindowEnabled GetDlgItemTextW CreateDialogParamW SetLayeredWindowAttributes IsWindow PostQuitMessage ExitWindowsEx DispatchMessageW TranslateMessage GetMessageW DrawEdge RegisterWindowMessageW EndTask GetWindowDC SetMenuItemInfoW IsIconic ShowWindowAsync GetMonitorInfoW MonitorFromPoint EnumWindows SetClassLongW ClientToScreen GetWindowTextW InvalidateRgn TrackPopupMenuEx ModifyMenuW AppendMenuW GetMenuItemCount GetMenuItemID EnableMenuItem CreatePopupMenu EnableWindow IsDlgButtonChecked CheckDlgButton GetWindowPlacement LoadIconW SetWindowPlacement DefMDIChildProcW DefFrameProcW DefDlgProcW CreateIconIndirect FrameRect IsWindowVisible DestroyWindow GetClassNameW EnumChildWindows PtInRect UnionRect CopyRect ScreenToClient EmptyClipboard SetClipboardData CloseClipboard OpenClipboard IsZoomed DeferWindowPos BeginDeferWindowPos DrawFrameControl ChildWindowFromPoint SetDlgItemTextW DialogBoxParamW MoveWindow SetWindowTextW GetDlgItem EndDialog DialogBoxIndirectParamW GetScrollInfo SetScrollInfo GetParent GetClassLongW SetWindowLongW GetWindowLongW OffsetRect IntersectRect InflateRect FillRect GetSysColorBrush GetSysColor MapWindowPoints GetCursorPos GetWindowRect GetClientRect GetPropW SetPropW ScrollWindowEx ValidateRect InvalidateRect GetUpdateRgn GetUpdateRect EndPaint BeginPaint UpdateWindow DrawTextW SetTimer ReleaseCapture SetCapture GetCapture GetKeyState GetFocus SetWindowPos CreateWindowExW RegisterClassExW CallWindowProcW DefWindowProcW PostMessageW LoadStringW ReleaseDC GetDC EnumDisplaySettingsW LoadImageW DestroyIcon LoadCursorW GetWindowThreadProcessId FindWindowExW FindWindowW SendMessageW WaitForInputIdle ShowWindow SetFocus GetSystemMetrics GetMenu CheckMenuItem GetSubMenu InsertMenuW SetCursor MessageBoxW SetForegroundWindow DeleteMenu EndDeferWindowPos |
GDI32.dll | GetBkColor CreateRectRgnIndirect CreateSolidBrush DeleteDC GetBkMode GetDeviceCaps GetStockObject RectInRegion StartDocW CreateRectRgn CreatePen CreateCompatibleDC CreateCompatibleBitmap BitBlt DeleteObject GetObjectW CreateDIBSection SetMapMode Polyline GetTextMetricsW SetTextColor SetBkMode SetBkColor SelectObject SelectClipRgn CreateBitmap MoveToEx SetROP2 SaveDC RestoreDC Rectangle LineTo ExtTextOutW SetTextAlign GetTextExtentPoint32W CreateFontIndirectW EndPage StartPage EndDoc |
COMDLG32.dll | FindTextW ChooseColorW GetSaveFileNameW GetOpenFileNameW PrintDlgW CommDlgExtendedError ChooseFontW |
ADVAPI32.dll | RegOpenKeyExA RegQueryValueExA EnumServicesStatusExW LookupPrivilegeNameW OpenProcessToken GetTokenInformation AdjustTokenPrivileges SetKernelObjectSecurity GetKernelObjectSecurity EqualSid AllocateAndInitializeSid FreeSid LookupAccountSidW LookupAccountNameW LookupPrivilegeValueW CreateProcessAsUserW RegConnectRegistryW FlushTraceW ConvertSidToStringSidW LsaEnumerateAccountRights LsaOpenPolicy LsaClose LsaFreeMemory GetSecurityInfo CreateRestrictedToken AddAccessAllowedAce GetAce AddAce InitializeAcl ImpersonateLoggedOnUser DuplicateTokenEx RegCreateKeyExW RegDeleteKeyW RegEnumKeyW RegEnumValueW GetSidSubAuthorityCount GetSidSubAuthority GetSidIdentifierAuthority IsValidSid SetTokenInformation QueryServiceConfigW CopySid GetLengthSid CloseTrace ProcessTrace OpenTraceW ControlTraceW SetSecurityInfo RevertToSelf RegLoadKeyW StartTraceW SetServiceObjectSecurity QueryServiceObjectSecurity MapGenericMask RegOpenKeyW RegOpenKeyExW RegQueryInfoKeyW RegQueryValueExW RegSetValueExW RegUnLoadKeyW RegQueryValueW CryptAcquireContextW CryptReleaseContext CryptGetHashParam CryptCreateHash CryptHashData RegCloseKey CryptDestroyHash RegDeleteValueW CloseServiceHandle GetServiceDisplayNameW OpenSCManagerW OpenServiceW QueryServiceConfig2W ControlService QueryServiceStatus StartServiceW RegCreateKeyW |
SHELL32.dll | SHGetMalloc SHGetPathFromIDListW SHGetSpecialFolderLocation SHBrowseForFolderW Shell_NotifyIconW ShellExecuteExW SHGetFolderPathW SHGetFileInfoW ShellExecuteW |
ole32.dll | CoInitializeEx CoCreateInstance CoUninitialize CoTaskMemFree CoMarshalInterThreadInterfaceInStream CoGetInterfaceAndReleaseStream CoInitialize CoSetProxyBlanket |
OLEAUT32.dll | #10 #4 #25 #24 #23 #20 #2 #6 #7 #150 #8 #9 #12 #16 #19 |
WINHTTP.dll | WinHttpReadData WinHttpGetProxyForUrl WinHttpQueryHeaders WinHttpReceiveResponse WinHttpSendRequest WinHttpOpenRequest WinHttpOpen WinHttpCloseHandle WinHttpConnect WinHttpWriteData WinHttpQueryDataAvailable WinHttpSetOption |
PSAPI.DLL | GetMappedFileNameW QueryWorkingSet GetModuleFileNameExW |
Process |
PID |
Priority |
Threads |
Cycle CPU Usage |
Paged Pool |
Nonpaged Pool |
Programs (*.exe, *.com, *.bat, *.pif)|*.exe;*.com;*.bat|Executables (*.exe)|*.exe|Command Files (*.com)|*.com|Batch Files (*.bat)|*.bat|Pif Files (*.pif)|*.pif| |
There is insufficent memory to run the program |
The file is not a valid executable format |
Cannot find the specified file |
Cannot find the specified path |
Refresh process list |
Handles |
User Name |
Handle |
Type |
Name |
Base |
Size |
Version |
Name |
Show Unnamed Objects (Ctrl+U) |
Find (Ctrl+F) |
View Handles (Ctrl+H) |
Time |
Save (Ctrl+S) |
View DLLs (Ctrl+D) |
References |
Parent |
Window Title |
Kill Process/Close Handle |
Properties |
Description |
Access |
Mapping |
Refresh Now (F5) |
Description |
Frame |
Address |
Command Line |
Company Name |
Share |
Service |
Description |
Display Name |
Group |
Privilege |
Flags |
Flags |
Handle |
Handle or DLL |
Show Process Tree |
CPU |
Session |
Variable |
Value |
Page Faults |
Private Bytes |
Path |
Peak Private Bytes |
Working Set |
Peak Working Set |
Threads |
GDI Objects |
USER Objects |
I/O Reads |
I/O Read Bytes |
I/O Writes |
I/O Write Bytes |
I/O Other |
I/O Other Bytes |
Image Base |
Limit |
TID |
Start Address |
Function |
User Time |
Kernel Time |
Start Time |
CPU Time |
Show Lower Pane (Ctrl+L) |
Hide Lower Pane (Ctrl+L) |
Show Processes From &All Users |
Context Switches |
CSwitch Delta |
Counter |
Methods Jitted |
% Time in JIT |
AppDomains |
Assemblies |
Classes Loaded |
Total AppDomains |
Total Assemblies |
Total Classes Loaded |
Total Lock Contentions |
Heap Bytes |
Gen 0 Collections |
Gen 1 Collections |
Gen 2 Collections |
% Time in GC |
Allocated Bytes/s |
Runtime Checks |
Contentions |
Path |
Find Handle (Ctrl+F) |
Find Handle or DLL (Ctrl+F) |
Virtual Size |
WS Total |
WS Private |
WS Shared |
PF Delta |
Comment |
PROCEXPLORER |
Process Explorer |
Local Address |
Object Address |
Remote Address |
Verified Signer |
State |
Protocol |
Image Type |
CPU History |
Private Delta Bytes |
Private Bytes History |
Share Flags |
Cycles |
Window Status |
Find &Window's Process (drag over window) |
System Information (Ctrl+I) |
DEP |
Cycles Delta |
Decoded Access |
WS Shareable |
I/O Delta Reads |
I/O Delta Read Bytes |
I/O Delta Writes |
I/O Delta Write Bytes |
I/O History |
I/O Delta Other Bytes |
I/O Delta Total Bytes |
I/O Delta Other |
Integrity |
Virtualized |
ASLR |
Memory Priority |
I/O Priority |
Min Working Set |
Max Working Set |
Service |
Network Receives |
Network Delta Receives |
Network Sends |
Network Delta Sends |
Network Other |
Network Delta Others |
Network History |
Network Delta Receive Bytes |
Network Receive Bytes |
Network Send Bytes |
Network Delta Send Bytes |
Network Other Bytes |
Network Delta Other Bytes |
Network Delta Total Bytes |
Disk Reads |
Disk Delta Reads |
Disk Writes |
Disk Delta Writes |
Disk Other |
Disk Delta Others |
Disk History |
Disk Read Bytes |
Disk Delta Read Bytes |
Disk Write Bytes |
Disk Delta Write Bytes |
Disk Other Bytes |
Disk Delta Other Bytes |
Disk Delta Total Bytes |
Tree CPU Usage |
Processor |
GPU |
GPU System Bytes |
GPU Dedicated Bytes |
GPU Committed Bytes |
Package Name |
Process Timeline |
Autostart Location |
DPI Awareness |
VirusTotal |
Protection |
UI Access |
Provider Name |
Namespace |
DLL Path |
Control Flow Guard |
Suspend Count |
Enterprise Context |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 16.22.0.0 |
ProductVersion | 16.22.0.0 |
FileFlags | VS_FF_PRIVATEBUILD |
FileOs | VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Sysinternals - www.sysinternals.com |
FileDescription | Sysinternals Process Explorer |
FileVersion (#2) | 16.22 |
InternalName | Process Explorer |
LegalCopyright | Copyright © 1998-2018 Mark Russinovich |
LegalTrademarks | Copyright (C) 1998-2018 Mark Russinovich |
OriginalFilename | Procexp.exe |
ProductName | Process Explorer |
ProductVersion (#2) | 16.22 |
Resource LangID | English - United States |
---|---|
Characteristics | 0 |
---|---|
TimeDateStamp | 2018-Nov-16 23:19:59 |
Version | 0.0 |
SizeofData | 68 |
AddressOfRawData | 0xdc608 |
PointerToRawData | 0xdba08 |
Referenced File | C:\agent\_work\68\s\exe\Release\procexp.pdb |
Size | 0x48 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x4ef5a0 |
SEHandlerTable | 0x4dd790 |
SEHandlerCount | 204 |
XOR Key | 0xc30cd78c |
---|---|
Unmarked objects | 0 |
Imports (VS2008 SP1 build 30729) | 2 |
ASM objects (VS2013 build 21005) | 30 |
C++ objects (VS2013 build 21005) | 78 |
C objects (VS2013 build 21005) | 222 |
C++ objects (20806) | 7 |
C objects (VS2012 build 50727 / VS2005 build 50727) | 9 |
C objects (VS2008 SP1 build 30729) | 1 |
C++ objects (VS2012 build 50727 / VS2005 build 50727) | 1 |
Imports (VS2012 build 50727 / VS2005 build 50727) | 49 |
Total imports | 615 |
C objects (VS2013 UPD5 build 40629) | 2 |
C++ objects (VS2013 UPD5 build 40629) | 63 |
Resource objects (VS2013 build 21005) | 1 |
151 | 1 |
Linker (VS2013 UPD5 build 40629) | 1 |