ab421a57a0b73cec30ead3714dee50682a8be574313ad65f7e341f63aa88e6b5

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2032-Oct-10 22:59:23
Detected languages English - United States
Debug artifacts MpCopyAccelerator.pdb
CompanyName Microsoft Corporation
FileDescription Microsoft Malware Protection Copy Accelerator Utility
InternalName MpCopyAccelerator
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename MpCopyAccelerator.exe
ProductName Microsoft® Windows® Operating System
FileVersion 4.18.26020.6 (cd0aebd7c18a68cd2e3af14a117b45b178d088f4)
ProductVersion 4.18.26020.6

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 8.0
Suspicious The PE is possibly packed. Unusual section name found: .fptable
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Can access the registry:
  • RegOpenKeyExW
  • RegQueryValueExW
  • RegCloseKey
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Functions related to the privilege level:
  • CheckTokenMembership
Interacts with services:
  • OpenSCManagerW
  • EnumServicesStatusExW
Manipulates other processes:
  • OpenProcess
  • Process32FirstW
  • Process32NextW
Info The PE is digitally signed. Signer: Microsoft Windows Publisher
Issuer: Microsoft Windows Production PCA 2011
Safe VirusTotal score: 0/72 (Scanned on 2026-04-13 10:16:00) All the AVs think this file is safe.

Hashes

MD5 91fb3b5fe1b24de19d68546dbe08cc7a
SHA1 ce1fdf981fe9343d80ae2789a613a7e80285518e
SHA256 ab421a57a0b73cec30ead3714dee50682a8be574313ad65f7e341f63aa88e6b5
SHA3 04b37096c86555d619f66a6864571747de92c7deee720770190403d025bd59aa
SSDeep 3072:gnjg6xeDGTlMCRte8cuz3CMmi38wbbXsQEvvAa9RQMKTeXFIbXJpKY+EyBuj3nAA:0gXCPR9tmi38eXsQbeR9DY+Ey8xq/lva
Imports Hash e43bee43ade4b1f56aeae5d05a0fc99d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x128

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2032-Oct-10 22:59:23
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x26000
SizeOfInitializedData 0x28000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000000D820 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion A.0
Win32VersionValue 0
SizeOfImage 0x4f000
SizeOfHeaders 0x1000
Checksum 0x55d61
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 e49e0d08476bd205a1ed0c9975d43687
SHA1 6699cb4b4f13d482edec3a153e02bd673edb42c3
SHA256 d1c1309d5ea0fadbcd1aa90131899f6668554a3fc474046ceb20baef867ad7f6
SHA3 ae5dd1a3e649069a607f50349dde950bf779dd099ef74e47a3c929158c83bc03
VirtualSize 0x2594c
VirtualAddress 0x1000
SizeOfRawData 0x26000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.39971

.rdata

MD5 254fc0e390daaf5e5ede293a49f7172e
SHA1 7a7e51a4a9da4f33004062cd410cc99b4108454b
SHA256 5e0b11432d49e9a02344ef2505a502e808c3f78cc2fbc1621565895d5b29118b
SHA3 9d8953c86f542a1268d31af2507c1ea4f206aebda18363a4ac9f2d1bcd6544e3
VirtualSize 0x135ce
VirtualAddress 0x27000
SizeOfRawData 0x14000
PointerToRawData 0x27000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.09215

.data

MD5 accbbf993dcbe7b08c08b30e3fbfc70c
SHA1 4c48a2f113fad93e8bdc06aa0612a8218976630d
SHA256 620bc11d74d6fdc0021510ba498aa25deb43ee435b39089efc379c97e0510b47
SHA3 64e85d6711273b03d551374314badaa3a3c426176033c52bd812c1fbcbb61dbc
VirtualSize 0x2c68
VirtualAddress 0x3b000
SizeOfRawData 0x1000
PointerToRawData 0x3b000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.28262

.pdata

MD5 e63f11a2bc06e407cb828f8364b7fbae
SHA1 543e6b99625085bebbc9f4ee108d4367de4de9b8
SHA256 bf72ac03e5be51c315d6eae9a85e93f67d6b66390790211c30ca41c2665d8ef9
SHA3 c8ff2d20b389aac86370b97c69d887183eb532393953197d05809ef283301b3f
VirtualSize 0x2244
VirtualAddress 0x3e000
SizeOfRawData 0x3000
PointerToRawData 0x3c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.19676

.fptable

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA3 a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563
VirtualSize 0x100
VirtualAddress 0x41000
SizeOfRawData 0x1000
PointerToRawData 0x3f000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 1e2a7e7268d11930d08b613365b08737
SHA1 7e5436245f330486a2e5adeba628620b5c4d742d
SHA256 a2201c4df57d599bb6ebefdc604abb334d65a473aef982d3925797bfbd132423
SHA3 340b984ba6b21f73b6897b43613de32446944af06d58a024c50285c362cc3056
VirtualSize 0xb620
VirtualAddress 0x42000
SizeOfRawData 0xc000
PointerToRawData 0x40000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.837

.reloc

MD5 1fd7038381939b11ae62fa81526d0196
SHA1 db3832d367910cf53a434d34fefbe1f04b83727c
SHA256 c1bad6a896ff0417f851a26f10b49de3162f38dc7c3eb8abb30d08c3aa83b873
SHA3 5bb56455601cec33161adff89a242ba3f69b7657e694c06a48134c73117ca05e
VirtualSize 0x890
VirtualAddress 0x4e000
SizeOfRawData 0x1000
PointerToRawData 0x4c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.75901

Imports

MpClient.dll MpConfigUninitialize
MpConfigUnregisterNotifications
MpConfigInitialize
MpFreeMemory
MpConfigRegisterForNotifications
MpConfigGetValue
MpConfigOpen
MpAllocMemory
MpConfigClose
MpUtilsExportFunctions
MpClientUtilExportFunctions
ntdll.dll RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
KERNEL32.dll GetSystemDirectoryW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEnvironmentVariableW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesW
GetFileSizeEx
SetFilePointerEx
WriteFile
OpenProcess
LoadLibraryExW
GetProcessMitigationPolicy
SetProcessMitigationPolicy
QueryPerformanceFrequency
HeapSetInformation
GetTempPathW
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleW
VirtualProtect
RaiseException
CreateFileW
TerminateProcess
DeviceIoControl
MoveFileExW
GetLocalTime
SetFileInformationByHandle
GetFileInformationByHandle
GetCommandLineW
SetLastError
GetModuleHandleExW
GetTickCount
GetDateFormatW
GetSystemTimeAsFileTime
GetTimeFormatW
Sleep
K32GetProcessImageFileNameW
K32GetModuleFileNameExW
GetCurrentProcessId
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
GetCurrentProcess
GetProcAddress
FreeLibrary
CopyFileExW
CopyFile2
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
SetEvent
ReleaseSRWLockExclusive
DebugBreak
LocalFree
CloseHandle
GetLastError
CreateEventW
WaitForSingleObject
SetErrorMode
DecodePointer
WriteConsoleW
HeapReAlloc
HeapSize
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetStringTypeW
LCMapStringW
CompareStringW
FlsFree
FlsSetValue
HeapFree
HeapAlloc
GetProcessHeap
QueryPerformanceCounter
InitializeCriticalSectionEx
WakeAllConditionVariable
SleepConditionVariableSRW
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStdHandle
ExitProcess
GetCommandLineA
GetFileType
FlsAlloc
FlsGetValue
ADVAPI32.dll RegOpenKeyExW
RegQueryValueExW
CloseServiceHandle
OpenSCManagerW
AllocateAndInitializeSid
ConvertStringSidToSidW
EnumServicesStatusExW
CheckTokenMembership
ConvertSidToStringSidW
EventUnregister
EventRegister
RegCloseKey
EventWriteTransfer
ConvertStringSecurityDescriptorToSecurityDescriptorW
TraceMessage
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
RPCRT4.dll NdrServerCall2
NdrServerCallAll
NdrAsyncServerCall
RpcRevertToSelf
RpcImpersonateClient
RpcServerInqBindings
RpcEpRegisterW
RpcEpUnregister
RpcServerTestCancel
RpcStringBindingParseW
RpcStringFreeW
RpcAsyncCompleteCall
RpcServerRegisterIf3
RpcServerUseProtseqW
RpcBindingToStringBindingW
RpcServerUnregisterIfEx
RpcServerUseProtseqEpW
RpcBindingInqAuthClientW
RpcBindingVectorFree
Ndr64AsyncServerCallAll

Delayed Imports

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.92009
MD5 884ad4edd379dd2d15396b2ac346decf
SHA1 4b3baf1bc8d0f38562fb4191053212938cd146e7
SHA256 9bafb8c17fa280a70f6aa17510df8f34beb3ae2a0d3a843d23ef27fdfe08dfe7
SHA3 44d0625348e13cb739b488fd7c36d633cff877eb7eaf6aa4cc257e6c9671c061

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x6b8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.8219
MD5 0b376ca6420dfd57d9359b46225596af
SHA1 4e192fa69e25b98041cbfe1cf9f5457ff10cb0a0
SHA256 08e0c20f9f43bad92a49b05142c4ca7937995c8caddad57ceaff10c1b4d15df0
SHA3 9b52de857542b907ae049f671dc7e964e3f68e48bf1340081316c3088c29a843

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.69338
MD5 593b4a31cfd09e394452e8d0f0e1c6f6
SHA1 d2d086f5a8e5ce0f168a0c03788f3b33ee3ab77c
SHA256 1186560cd757be85e0da65d9c4f3952aa2dd02338989434dc76f1f4db964470e
SHA3 18b98cd129d5290811fa1ff7dd1a5518ca9c30ac3ad8f7622f4479148bdf7d7a

4

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.39471
MD5 9bca812e4a6f4a57eaed38158f314431
SHA1 f99e05b58a5df8edea2c90095a30f12a686ac325
SHA256 15647637fd9039644d6da86106f18f69fedc3fbdb916fbeb292910043cc02aa3
SHA3 4049aba36c39c0e76c2818b08aaf1752784f96475641c66ce7f215508b10c8f2

5

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x1a68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.42285
MD5 81514642ba9c7ca6d69aeed1a8dfc725
SHA1 c42a361860f7ddd52c6e6a0c87391881945aa367
SHA256 6421a1b50635d04d4667ecef3378842d11336f17d95e70cbfc74bdb5b8e36186
SHA3 21181efb1c0c63aa70e60c187b67557d4860490e05690e9c874818ec28d60bdc

6

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.24683
MD5 d8b75fee2c9e232708d21e087ee388a7
SHA1 9e082efafd2f913c51d9e8daaa38880e06c737b8
SHA256 63bdcb500f8f8f2a6e0455dab7e1d681ddc303d9026d8b9012de75f15b1d7684
SHA3 8866693eb1b415392eb24eee67d726ebc0562b3237fb7809a194dba1acb0e238

7

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x4228
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.12965
MD5 7ec0f2cf57f1c8474ae2f0de90e6467a
SHA1 026bb00d953577f165e5f9948cfba9dc0ab63ec5
SHA256 5ad523de16d6453d92c9e6a5481e72d32a19520b9662a319d9ed60b489b9fbbf
SHA3 625a3ae8db0301de18ea7ecb6ea8ab229c2ebad78ff6d2f62563800a8c85c79d

11

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.96825
Detected Filetype Icon file
MD5 99162542cfe37deb3eebce3e88ab6ca6
SHA1 43f85661acbb793d74597535d858f5de1672bc9f
SHA256 1c35e2de1f3c0e8601c22ff80b2a267997e9fc5f514fa579a3a47a794ac9bb2a
SHA3 809e9af558009e55f0ea6c1fde67e3f934c883917489ed7e60ff3c4429d6c3fe

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x410
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.53145
MD5 33e96357ffda5b91ecb0bf9aca1ad36a
SHA1 e3dba071e6079d0f534dd924cd8853c76ed57631
SHA256 9b0ddd82b8a1e339f80574a525ea588f38cacc8b8c6e79db27cdb090e78b87de
SHA3 bcf3e4b5c422fedb5160b6436294b85788a6ae43e20551854a36acda898301c2

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x7cd
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.17518
MD5 140570479402b91c33aa6c85ad52213f
SHA1 2c585396c95b79e6e59a369bf7523ca9241457fe
SHA256 9c078310c255d3e97627cd7a5c60293dbedd7c6fa15dc23a9ed63aa06ceb2ab2
SHA3 5161da2bb06559b3624079226e97b35147c3a86da76ffb662871b82c29141f41

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 4.18.26020.6
ProductVersion 4.18.26020.6
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Microsoft Malware Protection Copy Accelerator Utility
InternalName MpCopyAccelerator
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename MpCopyAccelerator.exe
ProductName Microsoft® Windows® Operating System
FileVersion (#2) 4.18.26020.6 (cd0aebd7c18a68cd2e3af14a117b45b178d088f4)
ProductVersion (#2) 4.18.26020.6
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2032-Oct-10 22:59:23
Version 0.0
SizeofData 46
AddressOfRawData 0x368c4
PointerToRawData 0x368c4
Referenced File MpCopyAccelerator.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2032-Oct-10 22:59:23
Version 0.0
SizeofData 20
AddressOfRawData 0x368f4
PointerToRawData 0x368f4

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2032-Oct-10 22:59:23
Version 0.0
SizeofData 1216
AddressOfRawData 0x36908
PointerToRawData 0x36908

UNKNOWN

Characteristics 0
TimeDateStamp 2032-Oct-10 22:59:23
Version 0.0
SizeofData 36
AddressOfRawData 0x36df0
PointerToRawData 0x36df0

UNKNOWN (#2)

Characteristics 0
TimeDateStamp 2032-Oct-10 22:59:23
Version 0.0
SizeofData 4
AddressOfRawData 0x36e14
PointerToRawData 0x36e14

TLS Callbacks

StartAddressOfRawData 0x140036e38
EndAddressOfRawData 0x140036e40
AddressOfIndex 0x14003c1c8
AddressOfCallbacks 0x140027710
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14003b180
GuardCFCheckFunctionPointer 5368870216
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x39f101a6
Unmarked objects 0
C++ objects (33145) 174
C objects (33145) 17
ASM objects (33145) 8
ASM objects (35207) 10
C objects (35207) 18
ASM objects (35222) 1
C objects (35222) 4
Imports (33145) 8
C++ objects (35207) 90
Imports (35222) 3
Total imports 371
C++ objects (35222) 34
C++ objects (LTCG) (35222) 24
126 (VS2012 build 50727 / VS2005 build 50727) 7
Resource objects (35222) 1
151 1
Linker (35222) 1

Errors
