Manalyze report for a5723c5d238818550589496851f63a79

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2011-Aug-26 21:05:55
Detected languages	English - United States
Debug artifacts	t:\ses\x86\ship\0\opatchinst.pdb
CompanyName	Microsoft Corporation
FileVersion	`12.0.6650.5000`
LegalCopyright	© 2006 Microsoft Corporation. All rights reserved.
LegalTrademarks1	Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2	Windows® is a registered trademark of Microsoft Corporation.
ProductVersion	`12.0.6650.5000`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0` `MSVC++ v.8 (procedure 1 recognized - h)`
Info	Interesting strings found in the binary:	`Contains domain names: http://www.microsoft.com http://www.microsoft.com/msi/patch_applicability.xsd' microsoft.com www.microsoft.com`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The file headers were tampered with.	`The RICH header checksum is invalid.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can access the registry: RegCloseKey RegSetValueExA RegOpenKeyExA RegCreateKeyExA RegQueryValueExA RegQueryValueExW RegOpenKeyExW` `Possibly launches other programs: CreateProcessW CreateProcessA` `Uses Microsoft's cryptographic API: CryptGetHashParam CryptDestroyHash CryptHashData CryptReleaseContext CryptCreateHash CryptAcquireContextA` `Can create temporary files: CreateFileA GetTempPathA CreateFileW GetTempPathW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken`
Info	The PE is digitally signed.	`Signer: Microsoft Corporation` `Issuer: Microsoft Code Signing PCA`
Safe	VirusTotal score: 0/73 (Scanned on 2020-06-15 06:22:04)	`All the AVs think this file is safe.`

Hashes

MD5	`a5723c5d238818550589496851f63a79`
SHA1	`c5efada2ec80454219c143c6426f32895c497149`
SHA256	`42ed579d5306e2c878517dc40f08cff9915d2c21b5d0f5f4b7aeae8ce274eb50`
SHA3	`12c09c73e8d3433e5974cf87be37d98138bfb9960dd624cdc4bcbf837fa83ae3`
SSDeep	`196608:T4BGAP8wDTGnQZCXqr2RlGWx3iau5eFd0kR3uIlbOZXIFkijt/j4CtYNJNzp:T4gAEOTRCXqKlFSaMeA/8Oqt/Uzp`
Imports Hash	`f618bfda51e0bea36caa27585e5ff393`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2011-Aug-26 21:05:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`8.0`
SizeOfCode	`0x49600`
SizeOfInitializedData	`0xe4600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000305EE (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x4c000`
ImageBase	`0x30000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x132000`
SizeOfHeaders	`0x400`
Checksum	`0xc62ad4`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ead3e2ac0259ebfe1ab7e35f708579fe`
SHA1	`961052d3bf7750b70fbe2a7ebde65bb63a39347d`
SHA256	`ed54f7111588c178464cba6487a4892bfe6a92ec0a6f8d5bbaf38a61bbee9cee`
SHA3	`39c7fe6673425995840cf13b959151294ab9e0727c2711f71856915343b75800`
VirtualSize	`0x495b5`
VirtualAddress	`0x1000`
SizeOfRawData	`0x49600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.49619`

.data

MD5	`036736dbfa48c0dc4a37fdbf04eb3a86`
SHA1	`2832783d5b7f75dda7ec266a9adb91bc73381535`
SHA256	`e09e705b5086f603c6cbe76fc5d9abbc6ac7d3974aee6ab23b40aace2918472a`
SHA3	`d72b776c19dca57dbf28dafc82493cd150f64859a8547789da87259a02d58f7e`
VirtualSize	`0x45d8`
VirtualAddress	`0x4b000`
SizeOfRawData	`0x2c00`
PointerToRawData	`0x49a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.50503`

.rsrc

MD5	`9254c077d09ac157b42e62803cce1f4c`
SHA1	`305ecc7be712cf6f5738b39fda024fb4b0bca543`
SHA256	`9cb415c665f8376219ef087a3a9e75613f76b212d95cb5c1208c6fa10755fa71`
SHA3	`38fea0688db751a11628f8b2219d469750e12cfaba0047f4ff434e357886811e`
VirtualSize	`0xdd934`
VirtualAddress	`0x50000`
SizeOfRawData	`0xdda00`
PointerToRawData	`0x4c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.00885`

.reloc

MD5	`c8e2440bd57f6c9d6173191bf03d3ad5`
SHA1	`d0f1859f67aa143da8557b1a5558b8581ad12536`
SHA256	`82889016eb9443f9f9ef0ecb9d30202f72a3d80ac6688e4893ce959c633d8f5d`
SHA3	`3ac085c232c967a29f856b2320434baa535b48c6c123349e9b8271079773374f`
VirtualSize	`0x3eb8`
VirtualAddress	`0x12e000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x12a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.63296`

Imports

KERNEL32.dll	`lstrlenW` `FreeLibrary` `GetProcAddress` `LoadLibraryA` `GetVersionExA` `CloseHandle` `GetExitCodeProcess` `WaitForSingleObject` `MultiByteToWideChar` `lstrlenA` `GetFileSize` `CreateFileA` `CreateDirectoryA` `DeleteFileA` `GetTempFileNameA` `GetTempPathA` `GetFullPathNameA` `UnmapViewOfFile` `MapViewOfFile` `CreateFileMappingA` `CopyFileA` `MoveFileA` `Sleep` `CreateThread` `ReadFile` `ExpandEnvironmentStringsA` `SetEvent` `CreateEventA` `SetFilePointer` `WriteFile` `CreateFileW` `GetTempFileNameW` `GetTempPathW` `DeleteFileW` `CreateProcessW` `LockResource` `WideCharToMultiByte` `FindResourceA` `GetSystemDirectoryA` `GetUserDefaultLangID` `GetSystemDefaultLangID` `GlobalFree` `GlobalAlloc` `CompareStringA` `GetCurrentProcess` `WritePrivateProfileStringA` `GetWindowsDirectoryA` `SetCurrentDirectoryA` `CreateProcessA` `GetDiskFreeSpaceExA` `GetModuleFileNameA` `SetLastError` `GetCurrentDirectoryA` `SetFileTime` `DosDateTimeToFileTime` `LocalAlloc` `FlushFileBuffers` `WriteConsoleW` `GetConsoleOutputCP` `WriteConsoleA` `SetStdHandle` `GetStringTypeW` `GetStringTypeA` `LCMapStringW` `LoadResource` `GetLastError` `GetFileAttributesW` `LocalFree` `InterlockedExchange` `GetACP` `GetLocaleInfoA` `GetThreadLocale` `GetCommandLineA` `HeapFree` `HeapAlloc` `GetProcessHeap` `GetStartupInfoA` `TerminateProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `RaiseException` `HeapReAlloc` `RtlUnwind` `GetFileAttributesA` `ExitThread` `GetCurrentThreadId` `GetModuleHandleA` `ExitProcess` `GetStdHandle` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetHandleCount` `GetFileType` `DeleteCriticalSection` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement` `InterlockedDecrement` `HeapDestroy` `HeapCreate` `VirtualFree` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `LeaveCriticalSection` `EnterCriticalSection` `VirtualAlloc` `HeapSize` `GetCPInfo` `GetOEMCP` `InitializeCriticalSection` `GetConsoleCP` `GetConsoleMode` `LCMapStringA`
OLEAUT32.dll	`#12` `#2` `#6` `#8` `#9`
VERSION.dll	`GetFileVersionInfoSizeA` `GetFileVersionInfoA` `VerQueryValueA`
ole32.dll	`CoTaskMemFree` `CoCreateInstance` `CLSIDFromProgID` `CoInitialize`
SHLWAPI.dll	`#176`
GDI32.dll	`CreateFontIndirectA`
ADVAPI32.dll (delay-loaded)	`CryptGetHashParam` `CryptDestroyHash` `CryptHashData` `CryptReleaseContext` `CryptCreateHash` `CryptAcquireContextA` `RegCloseKey` `RegSetValueExA` `RegOpenKeyExA` `RegCreateKeyExA` `RegQueryValueExA` `RegQueryValueExW` `RegOpenKeyExW` `AdjustTokenPrivileges` `LookupPrivilegeValueA` `OpenProcessToken` `FreeSid` `EqualSid` `AllocateAndInitializeSid` `GetTokenInformation`

Delayed Imports

Attributes	`0x1`
Name	`ADVAPI32.dll`
ModuleHandle	`0x4daa4`
DelayImportAddressTable	`0x4b000`
DelayImportNameTable	`0x49350`
BoundDelayImportTable	`0`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.40831`
MD5	`37dd23d636d6454b40f601eb9e8552b8`
SHA1	`bbc669ec290e4630240fd35a3ca6ddb71c93ab90`
SHA256	`abcbfe9b6f8134ba1926cec7345a6ffb955f44f91ab7932443d70f37afc3d764`
SHA3	`787e41267c721766b651a4d104091d98a5c786d4ac8b67621e8d62e3cdce414e`

2

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.11174`
MD5	`29c8316ddf3a7655f8b5f5dc4490fc73`
SHA1	`a7af4776de5b646c672db93ffc9d5a3d1c26edca`
SHA256	`626b289a1341ece8de03bc4993beeafb1e4d9e946cb1a1ced888ce9b17a5fe70`
SHA3	`75574f8cdc3f816b526a77ef04416c446c4aaf7f58209c0afd68b98112a71c53`

100

Type	`RT_DIALOG`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xe4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.88999`
MD5	`39228c862179486a5dd3ca2f51f5d820`
SHA1	`22a0688e6404fe92f407e3b88a4c8578a577e54e`
SHA256	`d7f08af1b126e6f29069e389118ff0f3e55614a040b887d9b491fd9deb2a4516`
SHA3	`a5a3acb972225a65a4b030c1536d367624409e090a037dbe48cc094cf4c6ce89`

200

Type	`RT_DIALOG`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xe4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.92761`
MD5	`f785db2d0bba65859fe60e7e8eb6617f`
SHA1	`4db32812e36307933be2f9c51b9e26ce69e3deb9`
SHA256	`1ad7f28c5819df8d3253f9a5af6acc4ad9bf2287edbce578c74bbc9dc0b6daff`
SHA3	`ee7a6004b6ac8672c27359f164c7ebcf7a15014e158e754f34a20828460cfb95`

400

Type	`RT_DIALOG`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xfe`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.19651`
MD5	`54cdc9f6848afac5f384566e28237e41`
SHA1	`c20c5382d9fae2ddfd7045bd700110dcfa208dde`
SHA256	`7ac3df17123a15391e38e78cb024048f189d1af74ea8774058afac8dfe26e02e`
SHA3	`1b7d18db1160e729d64a55441b4efe024c3986ab04be1faa797a0b7f8adc39b0`

500

Type	`RT_DIALOG`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xfe`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.23048`
MD5	`7bf710b6d1ae9f5175987f74e9bc853d`
SHA1	`5c02a11a699f87a8f332b2e1e7fe5c4dca7a86e4`
SHA256	`7bebda097945b312bcfe82bfd72f4de25be369b8edeeb7bc494f4799d43843df`
SHA3	`5133cd4523577373bac5784611f42759d3b5cf69f868681194607a5c1c28ac30`

700

Type	`RT_DIALOG`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x158`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.06911`
MD5	`3e9054c85b12c9579feb9146c71f9329`
SHA1	`222b97a0b3590fee498d518d4e4949ca70ec5e67`
SHA256	`2f677a10c54548176ebd97a2c8dd74fc6902cb2d2d2d68331344bb6e7e94875b`
SHA3	`0f3d89137347ef2064ec01b1dc9d2c14e1ed96f5d5f5d966fd5996f9d7222f99`

800

Type	`RT_DIALOG`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x158`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.09562`
MD5	`866686ea64508c9b508f223eb7c4b936`
SHA1	`b625d8f1cc588453ebbf7edc636601cb1e398a7d`
SHA256	`4f3d5612e3a2969d9990e38d1eea92988492f85e0466cd7573f3814d2bdd4409`
SHA3	`01b16c363168fe8c52d13a676b973b6873f1c87280b137598784d2b72c603ed2`

SCRIPT

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xdbb6e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.00164`
MD5	`a1ef2267b6b3003ce3bf3446623d13ab`
SHA1	`5a6e23ed59d52ea00b8f5aea9d1bd198905cde14`
SHA256	`7a51b4ca1155052eea1bb0584278dcc4673502f168b9c942ba797406d4ccc128`
SHA3	`8e70718a7616edb9daaf6f4fff9790aa025d744e9b21f284a186ec6a9c00121a`

0

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.37086`
Detected Filetype	Icon file
MD5	`d59e0d372ea5fd8c1f4de744376a6af4`
SHA1	`6883ce60e71a83424db0b41d0ab6bf61080e3de2`
SHA256	`b10e28a32eddb2ab20a46ceae59d9c0786911eb20f0c8dd2a28421f226ea2b8b`
SHA3	`5e39df982879204dd9f129a37d1e1c2ff906e88de9ae01b4418db5e8455e7ae1`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8c4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.92015`
MD5	`86d5054321281dbf099fbbbd95da5fad`
SHA1	`084b852dd19b6e9d9a7fb05b7f36b62b03bdeb35`
SHA256	`2ff4483e3b55431f956f2a28b1b8c30905ec9d92722fdbac9eebdcf3084a3c14`
SHA3	`8f65bb674ea35f5fadb20dc3c597eb12879e924464030e3a462652341dcf72c4`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x414`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.38302`
MD5	`1e5ea763982a935b85aed907350712f6`
SHA1	`f17117b4437d7bc040396fd22b5919aa08261e31`
SHA256	`c10f30ec044c7280b17df05028822cec7d34ddc4ac6deb58d43e61a8a1dafab4`
SHA3	`8e820c960733b16f912abcce6974bd129f1440fb8611fdfd290c0ac8479c6936`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x331`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.16607`
MD5	`e08e552ff11df87255c9d36bad7a2973`
SHA1	`9529ebd28d728f8afaf3142eeb61e760461b483d`
SHA256	`739bef0b22e7c9ea03a9693a75b7ec986246ee67a532dbcf6cb1b33c44a669f8`
SHA3	`7b9848a67e1de4d6b44101e05b7d45121a1b884a744fff566141835bb8c5d3aa`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2011-Aug-26 21:05:55
Version	`0.0`
SizeofData	`101`
AddressOfRawData	`0x4a550`
PointerToRawData	`0x49950`
Referenced File	t:\ses\x86\ship\0\opatchinst.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics	`0`
TimeDateStamp	2011-Aug-26 21:05:55
Version	`555.4346`
SizeofData	`4`
AddressOfRawData	`0x4a54c`
PointerToRawData	`0x4994c`

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x3004c908`
SEHandlerTable	`0x3000cb34`
SEHandlerCount	`251`

RICH Header

XOR Key	`0x250aaf0b`
Unmarked objects	`0`
ASM objects (VS2012 build 50727 / VS2005 build 50727)	`22`
Imports (VS2012 build 50727 / VS2005 build 50727)	`2`
Imports (2035)	`2`
Imports (9210)	`2`
C objects (VS2012 build 50727 / VS2005 build 50727)	`129`
37 (8755)	`2`
Imports (2067)	`5`
Total imports	`239`
Resource objects (VS2012 build 50727 / VS2005 build 50727)	`1`
C++ objects (VS2012 build 50727 / VS2005 build 50727)	`95`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

Errors

[*] Warning: Multiple nodes using the name Version Info in a dictionary.