Manalyze report for c117970d3ae17fcdba683d1d318b0440

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2011-Aug-03 12:56:26
Detected languages	English - United States
Debug artifacts	e:\sd2\SMS\bin\amd64\prepdrv-offline.pdb
CompanyName	Microsoft Corporation
FileDescription	Software Metering Process Event Driver
FileVersion	`5.00.7652.0000 built by: jiedu`
InternalName	PrepDrv.sys
LegalCopyright	Copyright (C) 2011 Microsoft. All rights reserved.
OriginalFilename	PrepDrv.sys
ProductName	System Center 2012 Configuration Manager
ProductVersion	`5.00.7652.0000`

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: PAGE` `Section INIT is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Uses Windows's Native API: ZwClose ZwSetSecurityObject ZwOpenKey ZwCreateKey ZwQueryValueKey ZwSetValueKey`
Info	The PE is digitally signed.	`Signer: Microsoft Corporation` `Issuer: Microsoft Code Signing PCA`
Safe	VirusTotal score: 0/67 (Scanned on 2018-08-17 08:40:32)	`All the AVs think this file is safe.`

Hashes

MD5	`c117970d3ae17fcdba683d1d318b0440`
SHA1	`f89f596add915679e092c39a09570b3bfd584179`
SHA256	`e7e1a100bc1e98d068e81d9e6b9a9018a0193c5c859e39233bd843c4e83f5c47`
SHA3	`e4fcd92be157d48c293fbd968256364902f9f1e08a414201b7ee4021e9010561`
SSDeep	`768:OqpbcMMr3HZU4cTkWfNb+vUZtmCJ8xb6FjXHUf:z1e5jWJP/p8F6FrHUf`
Imports Hash	`45f260d3ab4d8dc4e63e746806bdd2f6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2011-Aug-03 12:56:26
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`9.0`
SizeOfCode	`0x3600`
SizeOfInitializedData	`0x1a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000008008 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x10000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`6.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xb000`
SizeOfHeaders	`0x400`
Checksum	`0x102e0`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`9b2cccfe38052a52d7abe632eb54383f`
SHA1	`254aaf2d6428f19618ad0db69c8fd5e8a35087af`
SHA256	`f07a58094935335331792f7f6ba9317d5dbddd96258a63f15e2a8ee25e4a7795`
SHA3	`cc6e3add9c6308d247f43169d08b74cb82a790e4b3fddbf24b18dd1d4e1fbaac`
VirtualSize	`0x12a4`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`6.06654`

.rdata

MD5	`e623405fefba16f50fe2ebf541b06c28`
SHA1	`7666700e77dac8d4cc9d62e6e539fbfdd4cabd27`
SHA256	`13582901d5a89bb0cc073b2199bf589db19d531d2f52c3ce2c4b5d1463715da1`
SHA3	`cc302e542de5759893e027f889d34a500b12ddd8fe8cd1861a75207a072985ed`
VirtualSize	`0x998`
VirtualAddress	`0x3000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x1800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`4.01644`

.data

MD5	`92072ce4095563909eaf40674fc4b69f`
SHA1	`bbd467f04bd1458f9ac7344af2b311ea2adeebc4`
SHA256	`d375c63126c83e6f550c0ab82eef01379759e99daf15ff04dbd0c825637e7b95`
SHA3	`081cfe18406e3f86046d0cc8bb28908febfa2ca15ab8a388f3a77f793cf8b9ed`
VirtualSize	`0x270`
VirtualAddress	`0x4000`
SizeOfRawData	`0x200`
PointerToRawData	`0x2200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.96526`

.pdata

MD5	`c98401d82e670cc71a82dea7c53aa853`
SHA1	`4e2e41630c466908ac7f09548181647d9ccb2b27`
SHA256	`69b408f7ad8d620aad0ef5e9a1b164eaa1ba6e6d0e2a66fed1446a67a3ca1c57`
SHA3	`7cc827de1d6be3d693cc2370ea9bd379b3d1b1b4d629bf9ae5e6da634cdcc226`
VirtualSize	`0x27c`
VirtualAddress	`0x5000`
SizeOfRawData	`0x400`
PointerToRawData	`0x2400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`2.84541`

PAGE

MD5	`84dc8fcdff4942af78c365bc868817c1`
SHA1	`196103d66b3b5e39932d53167e856bb941000014`
SHA256	`e6048313d68828341b3ce749ab1b0e485feae2acc0ec132fde6fcb899fb4b6c1`
SHA3	`7865f969cd5e77733921d3b0e4f5ac641bb6fa93dde111b5d5dd266113494fd2`
VirtualSize	`0x19f7`
VirtualAddress	`0x6000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x2800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.20741`

INIT

MD5	`477332feb8536a3d0332915d4a1d2ec8`
SHA1	`680461bba8c62eb495a8af4884287027254ad8af`
SHA256	`b421aee551c5cba26d29e53f52820efb6b6b02ee960695ac8c533d44c46e1ce0`
SHA3	`89b850f4c7b2d2e8caa354cd39eec1eeff8b405738bf6b2c0ca892394901425f`
VirtualSize	`0x64e`
VirtualAddress	`0x8000`
SizeOfRawData	`0x800`
PointerToRawData	`0x4200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.31551`

.rsrc

MD5	`831e2d8f44a594d79f5405ab57d5b75b`
SHA1	`4de27ae6a4b911d6a17fe399a995454c84e41b03`
SHA256	`e13e4be729fe117f983e56639ffaa6eadbff55031ed86a2f7f82d4eed221cdcb`
SHA3	`43f47aab398dbce9b3d679a51123c1574b52c8455292376465d32a40adc9de0c`
VirtualSize	`0x420`
VirtualAddress	`0x9000`
SizeOfRawData	`0x600`
PointerToRawData	`0x4a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.49871`

.reloc

MD5	`95a4314525923f5a3ca1d5059be57a81`
SHA1	`a780b1c6e401a4b009fa1159232791d41838447a`
SHA256	`d7b606edf3d58be3118c12f65c9d00bed47c143c8c279404a66315b2e7ea2a12`
SHA3	`b23064342a34047a11c90e1f8f2e223aca7237481465cd9eb97c19561686ac00`
VirtualSize	`0x7a`
VirtualAddress	`0xa000`
SizeOfRawData	`0x200`
PointerToRawData	`0x5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.643187`

Imports

ntoskrnl.exe	`IofCompleteRequest` `KeSetEvent` `RtlTimeToTimeFields` `IoDeleteDevice` `IoDeleteSymbolicLink` `RtlInitUnicodeString` `ExDeleteResourceLite` `ZwClose` `PsSetCreateProcessNotifyRoutine` `KeClearEvent` `KeReadStateEvent` `IoCreateSynchronizationEvent` `IoCreateSymbolicLink` `ExInitializeResourceLite` `ExAllocatePoolWithTag` `ExFreePoolWithTag` `ExAcquireResourceExclusiveLite` `KeEnterCriticalRegion` `KeLeaveCriticalRegion` `ExReleaseResourceLite` `MmGetSystemRoutineAddress` `IoCreateDevice` `ObOpenObjectByPointer` `ZwSetSecurityObject` `IoDeviceObjectType` `_snwprintf` `RtlLengthSecurityDescriptor` `SeCaptureSecurityDescriptor` `RtlCreateSecurityDescriptor` `RtlSetDaclSecurityDescriptor` `RtlAbsoluteToSelfRelativeSD` `IoIsWdmVersionAvailable` `SeExports` `wcschr` `_wcsnicmp` `RtlLengthSid` `RtlAddAccessAllowedAce` `RtlGetSaclSecurityDescriptor` `RtlGetDaclSecurityDescriptor` `RtlGetGroupSecurityDescriptor` `RtlGetOwnerSecurityDescriptor` `RtlFreeUnicodeString` `ZwOpenKey` `ZwCreateKey` `ZwQueryValueKey` `ZwSetValueKey` `KeBugCheckEx`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3bc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.47511`
MD5	`0d4c371ca249b9c8e6e6f3a140e0259f`
SHA1	`e80cd88cc234ae8e85b6970e38ec6f0ba6ee1651`
SHA256	`44fd079debe5a14dc4ff47071e0ba5fa1c77f873a032a21f70ed0ede7a12479f`
SHA3	`ce445c39ffffcfb73084c713f8d1f56c607e8b106ca18c8a689aafa1aa873ee5`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.0.7652.0
ProductVersion	5.0.7652.0
FileFlags	`VS_FF_PRIVATEBUILD`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DRV`
FileSubtype	VFT2_DRV_SYSTEM
Language	UNKNOWN
CompanyName	Microsoft Corporation
FileDescription	Software Metering Process Event Driver
FileVersion (#2)	5.00.7652.0000 built by: jiedu
InternalName	PrepDrv.sys
LegalCopyright	Copyright (C) 2011 Microsoft. All rights reserved.
OriginalFilename	PrepDrv.sys
ProductName	System Center 2012 Configuration Manager
ProductVersion (#2)	5.00.7652.0000

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2011-Aug-03 12:56:26
Version	`0.0`
SizeofData	`65`
AddressOfRawData	`0x371c`
PointerToRawData	`0x1f1c`
Referenced File	e:\sd2\SMS\bin\amd64\prepdrv-offline.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x581737cd`
Unmarked objects	`0`
128 (VS2012 build 50727 / VS2005 build 50727)	`7`
Total imports	`47`
Imports (VS2012 build 50727 / VS2005 build 50727)	`3`
C objects (VS2012 build 50727 / VS2005 build 50727)	`3`
ASM objects (VS2012 build 50727 / VS2005 build 50727)	`3`
C objects (VS2008 SP1 build 30729)	`2`
Resource objects (VS2012 build 50727 / VS2005 build 50727)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

c117970d3ae17fcdba683d1d318b0440

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

PAGE

INIT

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors