bc0c7bbf5daf1d38b8d59d3667eca81c

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_NATIVE
Compilation Date 2092-Oct-21 20:38:28
Detected languages English - United States
Debug artifacts autochk.pdb
CompanyName Microsoft Corporation
FileDescription Auto Check Utility
FileVersion 10.0.22621.2506 (WinBuild.160101.0800)
InternalName AutoChk
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename AutoChk.Exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.22621.2506

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior. May have dropper capabilities:
  • %TEMP%
Info: Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Suspicious: The PE contains functions most legitimate programs don't use. Functions which can be used for anti-debugging purposes:
  • NtQuerySystemInformation
  • DbgPrint
Uses Windows's Native API:
  • NtWriteFile
  • NtOpenKey
  • NtQuerySymbolicLinkObject
  • NtSerializeBoot
  • NtClose
  • NtFsControlFile
  • NtQueryDirectoryObject
  • NtCreateFile
  • NtOpenFile
  • NtQueryValueKey
  • NtTerminateProcess
  • NtOpenSymbolicLinkObject
  • NtQuerySystemTime
  • NtOpenDirectoryObject
  • NtDeviceIoControlFile
  • NtQueryInformationFile
  • NtQueryVolumeInformationFile
  • NtReadFile
  • NtDelayExecution
  • NtQuerySystemInformation
  • NtDrawText
  • NtCreateEvent
  • NtClearEvent
  • NtSetThreadExecutionState
  • NtWaitForMultipleObjects
  • NtCancelIoFile
  • NtOpenProcessToken
  • NtAdjustPrivilegesToken
  • NtShutdownSystem
  • NtSetInformationFile
  • NtDisplayString
  • NtQueryPerformanceCounter
  • NtFreeVirtualMemory
  • NtSetEvent
  • NtAllocateVirtualMemory
  • NtWaitForSingleObject
  • NtResetEvent
  • NtOpenThreadToken
  • NtFlushBuffersFile
Safe: VirusTotal score: 0/68 (Scanned on 2024-04-28 23:40:43). All the AVs think this file is safe.

Hashes

MD5 bc0c7bbf5daf1d38b8d59d3667eca81c
SHA1 d09f02cb2ec77a7a49b789d99e8c510b88b8db91
SHA256 afca5a455366dfdb03edf1f2b7a293ca4bced4a6e253c8ffd7800f4a3b39c3cb
SHA3 8ecfacf913bbda0c92ead641e998513f8ad1d05e5b63105c4caa95351041f0ac
SSDeep 12288:zz0MBogZxvppN+IgWP8pCn43j4maMIa5OWA+JNtORcGoDYipIgYSBWbo:fdogZxv7SdjxaMIa5ZRtOy7YipIgYFM
Imports Hash 020b9cfbef6c56682225f237706926b0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2092-Oct-21 20:38:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x9b000
SizeOfInitializedData 0x66000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000000092F0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion A.0
Win32VersionValue 0
SizeOfImage 0x102000
SizeOfHeaders 0x1000
Checksum 0x10e93b
Subsystem IMAGE_SUBSYSTEM_NATIVE
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 a2782ba996dd675d2da0c291d58fc3f8
SHA1 c233a8ceab18e8d5d314edb2841adea5629276a5
SHA256 fa1281165d3f7cb16f3cdb8b027280b47722674c0ac0a5232f35e980bccc42c2
SHA3 635636cebf0601a5f43f5e2fd4493d8d83469b29a1545aa41b8416ba1f855a04
VirtualSize 0x9af70
VirtualAddress 0x1000
SizeOfRawData 0x9b000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.42157

.rdata

MD5 109ec4e582b3e1e052d64882c43a1ff9
SHA1 5a13ff1f609803bdf1900d03c5c969b5faecd21d
SHA256 beeb7ea0cada9dbbdc6e4bb561959a247408f1f83adabe27eb792e9b0e2fb898
SHA3 499ed14acdf83359b663039f2d9fa3315668fa88f228176757ce60f43094ee09
VirtualSize 0xb092
VirtualAddress 0x9c000
SizeOfRawData 0xc000
PointerToRawData 0x9c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.83192

.data

MD5 75aa2ffabb78b37297142227b2848145
SHA1 d63483a9a207f76a1d8b987cf92b03a1607b6363
SHA256 74eebd6b24ffd2e796d56af8bc733438374d7ca53e6228d1e66077cc27522b43
SHA3 edc3ebdb36bdf6adf88227ef0cb1ad18a2162e759b0c1c8be5af69b657077344
VirtualSize 0x38a0
VirtualAddress 0xa8000
SizeOfRawData 0x3000
PointerToRawData 0xa8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.24632

.pdata

MD5 1b02e924d5ec1117d5a336b9cc96bd73
SHA1 92e2795418415134837a19aefd1260d4fb09fa68
SHA256 10dff3e21fb1442ba844476dc770564cc8c84af42e5c71e864d454e5a28c2ff1
SHA3 5db79c50db1b18cde10603aa7304441aedcbafb7248d0b38ead95395ca3d5b20
VirtualSize 0x3738
VirtualAddress 0xac000
SizeOfRawData 0x4000
PointerToRawData 0xab000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.19234

.rsrc

MD5 9e8cf55c9cd58a77efbfcd182a1007cb
SHA1 444c34cc5cf4bcd74aad90238c4484e467c9fc8b
SHA256 01a9a4af8f6d7c5dd3aa9ce01844bc99c11b4b8000c8654d870aef2a84b49134
SHA3 1232c43038cf01f4e951ebd60faca19ed878bc74c27e0f284dbd4c37b15888aa
VirtualSize 0x50a98
VirtualAddress 0xb0000
SizeOfRawData 0x51000
PointerToRawData 0xaf000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.50564

.reloc

MD5 1cb94bc75d14a394c4c5282109fd9a88
SHA1 d9030031485319abe7d0b29f7fd2d4bc2a6a3a96
SHA256 162de64466ed0ffcbd684510bd2a7347f92163b97d49ace22106583af6479269
SHA3 13c076dfc1782d5499078af3e4d2a83ae5aa09a83a9e535ad9444e714379cf79
VirtualSize 0x530
VirtualAddress 0x101000
SizeOfRawData 0x1000
PointerToRawData 0x100000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 2.59063

Imports

ntdll.dll NtWriteFile
_wcsicmp
NtOpenKey
RtlPublishWnfStateData
NtQuerySymbolicLinkObject
LdrSetMUICacheType
RtlSetSystemBootStatus
RtlInitUnicodeString
RtlGetSystemBootStatus
RtlPrefixUnicodeString
NtSerializeBoot
NtClose
RtlEqualUnicodeString
NtFsControlFile
wcsstr
NtQueryDirectoryObject
NtCreateFile
NtOpenFile
NtQueryValueKey
NtTerminateProcess
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnhandledExceptionFilter
memset
DbgPrintEx
NtOpenSymbolicLinkObject
NtQuerySystemTime
RtlCompareUnicodeString
NtOpenDirectoryObject
__C_specific_handler
RtlFreeAnsiString
RtlAllocateHeap
RtlNormalizeProcessParams
RtlUnicodeStringToAnsiString
isspace
_vsnprintf
_vsnwprintf
RtlMultiByteToUnicodeN
RtlOemToUnicodeN
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlUnicodeToMultiByteN
RtlUnicodeToOemN
wcsspn
_wtol
_wtoi64
_wcsupr
_wcslwr
wcschr
NtDeviceIoControlFile
RtlQueryRegistryValuesEx
RtlWriteRegistryValue
RtlGetPersistedStateLocation
wcscpy_s
wcscat_s
NtQueryInformationFile
NtQueryVolumeInformationFile
wcstoul
_wcstoui64
NtReadFile
RtlRaiseStatus
qsort
NtDelayExecution
NtQuerySystemInformation
RtlSizeHeap
RtlFreeHeap
NtDrawText
swprintf_s
NtCreateEvent
NtClearEvent
NtSetThreadExecutionState
NtWaitForMultipleObjects
NtCancelIoFile
RtlNumberGenericTableElementsAvl
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
NtOpenProcessToken
NtAdjustPrivilegesToken
NtShutdownSystem
RtlExpandEnvironmentStrings_U
NtSetInformationFile
RtlValidRelativeSecurityDescriptor
RtlGetVersion
RtlTimeToTimeFields
VerSetConditionMask
RtlVerifyVersionInfo
NtDisplayString
RtlRandomEx
NtQueryPerformanceCounter
isprint
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlEnterCriticalSection
RtlTryEnterCriticalSection
RtlLeaveCriticalSection
RtlDeleteCriticalSection
RtlInitializeSRWLock
RtlInitializeCriticalSection
NtFreeVirtualMemory
NtSetEvent
RtlCaptureStackBackTrace
NtAllocateVirtualMemory
NtWaitForSingleObject
NtResetEvent
wcsncmp
RtlFindMessage
RtlInitUTF8StringEx
RtlInitAnsiStringEx
RtlUTF8StringToUnicodeString
RtlAnsiStringToUnicodeString
RtlFormatMessage
RtlDeleteSecurityObject
RtlLengthRequiredSid
RtlInitializeSid
RtlSubAuthoritySid
RtlLengthSid
RtlCopySid
RtlAddAce
RtlCreateAcl
RtlQueryInformationAcl
RtlCreateSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlNewSecurityObject
RtlValidSecurityDescriptor
RtlLengthSecurityDescriptor
RtlAddAccessAllowedAce
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlInitializeBitMap
RtlSetBits
RtlLookupElementGenericTable
RtlClearBits
RtlFindSetBits
RtlDeleteElementGenericTable
RtlEnumerateGenericTableWithoutSplaying
RtlNumberOfSetBits
RtlInitializeGenericTableAvl
RtlEnumerateGenericTableAvl
RtlLookupFirstMatchingElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableFullAvl
RtlInsertElementGenericTableFullAvl
RtlDeleteElementGenericTableAvlEx
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlSystemTimeToLocalTime
RtlCrc64
RtlUpcaseUnicodeString
RtlComputeCrc32
DbgPrint
NtOpenThreadToken
_wcsnicmp
RtlDosPathNameToNtPathName_U
RtlCreateSystemVolumeInformationFolder
EtwEventUnregister
EtwEventRegister
EtwEventSetInformation
EtwEventWriteTransfer
NtFlushBuffersFile
__chkstk
memcmp
memcpy
memmove
wcscmp
bcd.dll BcdCloseObject
BcdGetElementData
BcdOpenObject
BcdOpenStore
BcdForciblyUnloadStore

Delayed Imports

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xd0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.65826
MD5 494a436fd2a5b62b316dc1c5819dc783
SHA1 a3c5ce1ba2b74224c79834a1eafaa2d2f62fa014
SHA256 ff2f7238d49b4de7c39157252c75204837c7737541e3ad8e1a54af24c12fd37b
SHA3 ea98e1916dabce35d9b4308bd047c7f60d72172f09284dbbcba8324a569ecb1b

1 (#2)

Type RT_MESSAGETABLE
Language English - United States
Codepage UNKNOWN
Size 0x50250
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.50844
MD5 bf2c78f71d4d5c7cca2b038fc91102a2
SHA1 b63c77a80c9a22e6b88d577f8a589b3bf8ad1c93
SHA256 6299049a6b90a174fe7507ac9e0a4b63c32c3e2de00d62e65624e22effda9b00
SHA3 65fb330c3d9ccd808f3693c8f512f7ad9bece6efc7351ade0a9d5aa46e7d0cc6

1 (#3)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x38c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.54574
MD5 2086400863ecee2175eac39542d79afc
SHA1 8d6f3e3489777cd57db88934dbb8694988a23900
SHA256 35ffc8f821f2de4877c31e4a994d38270b952f9ce2cdd87869948ea634687713
SHA3 11a73ba3f0bf857ebb668d101ccaf9fe839491ca8b95cae47b4fb490c55768f8

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x2a5
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.89937
MD5 3854afae37941b5b1152a3c7b77a3727
SHA1 d7b530758487083276ae2b0f54bda0f9f382fb93
SHA256 4deef6fc3ae3d457f0b2acad6c3076090ecc98b2c8428a3f6759f5e59c7a5f97
SHA3 9383ded19afcfc7e47bf14e3edcabdcb8e18270d72c01e88d061be2f93d52775

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.22621.2506
ProductVersion 10.0.22621.2506
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Auto Check Utility
FileVersion (#2) 10.0.22621.2506 (WinBuild.160101.0800)
InternalName AutoChk
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename AutoChk.Exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.22621.2506
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2092-Oct-21 20:38:28
Version 0.0
SizeofData 36
AddressOfRawData 0xa20f0
PointerToRawData 0xa20f0
Referenced File autochk.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2092-Oct-21 20:38:28
Version 0.0
SizeofData 556
AddressOfRawData 0xa2114
PointerToRawData 0xa2114

UNKNOWN

Characteristics 0
TimeDateStamp 2092-Oct-21 20:38:28
Version 0.0
SizeofData 36
AddressOfRawData 0xa2340
PointerToRawData 0xa2340

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1400a8150
GuardCFCheckFunctionPointer 5369354872
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xf9320f08
Unmarked objects 0
Imports (30795) 5
Total imports 182
C objects (30795) 7
ASM objects (30795) 3
C objects (LTCG) (30795) 115
Resource objects (30795) 1
Linker (30795) 1

Errors