Manalyze report for ee3bd96db188b9703b17b2d6ed392633

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	1995-May-30 00:23:20
Detected languages	English - United States
Debug artifacts	NCObjAPI.pdb
CompanyName	Microsoft Corporation
FileDescription
FileVersion	`10.0.18362.1 (WinBuild.160101.0800)`
InternalName	NCObjAPI
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	NCObjAPI.DLL
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.18362.1`

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: .didat`
Safe	VirusTotal score: 0/65 (Scanned on 2019-08-10 06:57:24)	`All the AVs think this file is safe.`

Hashes

MD5	`ee3bd96db188b9703b17b2d6ed392633`
SHA1	`776dc01df8039675e9d47a93febc2efc6f3c7e73`
SHA256	`42168b39dad41ae11d80c3feae265125b82f3057bc5a4bcbf36c668b5ecda240`
SHA3	`b3192423e47f4dd21897020cd809e8f2c908bc739d2d0855276238f42698f1c3`
SSDeep	`1536:HA0iZ//PWsKKo+WjiuwK69+dAE8jNWg31NTJn7:HAxdrKpjSx+a531VF`
Imports Hash	`a9de144a54b3e3708556a2749f67e637`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	1995-May-30 00:23:20
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xa000`
SizeOfInitializedData	`0x8200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000005760 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x17000`
SizeOfHeaders	`0x400`
Checksum	`0x1c92e`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`f01bbcd878c5213ab42bae9c38138163`
SHA1	`ad8bdd43b053d71f3c3a9178e080995beed7af4e`
SHA256	`72196d526e3fc865b62bd31de4ed014bc8aad3046f8ed3fadae934eccbdb8687`
SHA3	`92bb4070f1cdff8222c599744df1dcfe15efc8c97ec3b2f6ecdf5beae507d860`
VirtualSize	`0x9ff4`
VirtualAddress	`0x1000`
SizeOfRawData	`0xa000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.08577`

.rdata

MD5	`5b32c8460a1a57d9a889ccd08d959615`
SHA1	`9bc443f2a6a16d76a6494e6bfe17759e32ff3765`
SHA256	`fee4a9031be1da519e0422173ef80db3bd9e73018e9e4f1a9fc5582077cdfc80`
SHA3	`0388b30024226794e984ccded15d01a5e768f2753f140debf5a9a850b9ae70cb`
VirtualSize	`0x6348`
VirtualAddress	`0xb000`
SizeOfRawData	`0x6400`
PointerToRawData	`0xa400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.42114`

.data

MD5	`7f19c75f3f1319ae4b10489e6205e823`
SHA1	`92ec21309b529441cf2cefd76b700f69314ec470`
SHA256	`822a45cdfced0eee36364ddf451c1fd7ccce31ff4aa30c3b567be1368a05fad0`
SHA3	`777879d6e69692d77d7b984595b91bc501ea378946ef678f642c7d81b626e166`
VirtualSize	`0x7ee`
VirtualAddress	`0x12000`
SizeOfRawData	`0x200`
PointerToRawData	`0x10800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.29114`

.pdata

MD5	`89e58b719d3f6fadbab9a55e9e56d556`
SHA1	`26ad938a74eb41dab9f67c959a0c6c4d9b3c0c11`
SHA256	`469790cdf45e87b9c685083262171021e2bdcdb9f2478496467d6f3fb6e71786`
SHA3	`ec655e6d1e05d5f3a7409bd5a0a9fe9228a31be4aaae910a5a5194b992e72cd7`
VirtualSize	`0xc18`
VirtualAddress	`0x13000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x10a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.18498`

.didat

MD5	`38cba5a8eca919ec4dd20d848e43c12d`
SHA1	`ea17cac52e943b8100ec1ab7b3918c18bd5b4f3b`
SHA256	`3591402bbf69a5e5b549041a0d4977ed361084d69d549e9808b2a2f1a4e7172c`
SHA3	`6e2e9b5193d2d552897b03d39f1c712d7f2ff87777f396f0276eaf44c3c83f72`
VirtualSize	`0x10`
VirtualAddress	`0x14000`
SizeOfRawData	`0x200`
PointerToRawData	`0x11800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0815394`

.rsrc

MD5	`3302fe9d8455eaafa6f15b66ae974fb3`
SHA1	`84cad2a83abe7f76fe47db7da7e866cf0fba33f5`
SHA256	`449c484fe4bcbb19f65d94296dcdc300ab36c202c69d8ae7754580a68bb47df0`
SHA3	`f729e5896f0ed93e580034ca3e7d842c0bea709c335939b5d2c92513c48a4b8c`
VirtualSize	`0x3d0`
VirtualAddress	`0x15000`
SizeOfRawData	`0x400`
PointerToRawData	`0x11a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.20058`

.reloc

MD5	`0774143652ec85db6517a69661f42d63`
SHA1	`5a37c5d05b1741df33bbda4e9959cfbf181e193a`
SHA256	`d61ef170ba8d955b10a796287d24de6eaeff4e06ac3d253390d96a230b6c7a35`
SHA3	`ef9bc5131e716283f53daac6a45d42cbaaf7d431871dbb6420218d1ea81aeb95`
VirtualSize	`0x1e4`
VirtualAddress	`0x16000`
SizeOfRawData	`0x200`
PointerToRawData	`0x11e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.012`

Imports

msvcrt.dll	`memcpy` `__C_specific_handler` `??1type_info@@UEAA@XZ` `_lock` `_unlock` `_CxxThrowException` `?what@exception@@UEBAPEBDXZ` `??1exception@@UEAA@XZ` `memmove` `??0exception@@QEAA@AEBQEBDH@Z` `_XcptFilter` `??0exception@@QEAA@AEBQEBD@Z` `__dllonexit` `wcschr` `_onexit` `_amsg_exit` `wcstok` `wcsstr` `_wcsdup` `free` `_purecall` `malloc` `??0exception@@QEAA@AEBV0@@Z` `memset` `_vsnwprintf` `_wcsicmp` `_wcsupr` `__CxxFrameHandler3` `_initterm` `realloc` `wcscmp`
api-ms-win-core-synch-l1-1-0.dll	`EnterCriticalSection` `LeaveCriticalSection` `CreateEventW` `OpenEventW` `ResetEvent` `DeleteCriticalSection` `WaitForSingleObject` `CreateEventA` `InitializeCriticalSection` `InitializeCriticalSectionAndSpinCount` `SetEvent` `WaitForMultipleObjectsEx`
api-ms-win-core-localization-l1-2-0.dll	`LCMapStringW`
api-ms-win-core-string-l1-1-0.dll	`GetStringTypeExW`
api-ms-win-core-heap-l2-1-0.dll	`LocalFree`
api-ms-win-core-errorhandling-l1-1-0.dll	`SetUnhandledExceptionFilter` `SetLastError` `UnhandledExceptionFilter` `GetLastError`
api-ms-win-core-processthreads-l1-1-0.dll	`CreateThread` `TerminateProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetCurrentProcess`
api-ms-win-core-synch-l1-2-0.dll	`Sleep`
api-ms-win-core-handle-l1-1-0.dll	`CloseHandle`
api-ms-win-core-file-l1-1-0.dll	`CreateFileW` `ReadFile` `WriteFile` `ReadFileEx`
api-ms-win-core-namedpipe-l1-1-0.dll	`SetNamedPipeHandleState`
api-ms-win-core-io-l1-1-0.dll	`GetOverlappedResult`
api-ms-win-core-heap-l1-1-0.dll	`GetProcessHeap` `HeapAlloc` `HeapFree`
api-ms-win-core-profile-l1-1-0.dll	`QueryPerformanceCounter`
api-ms-win-core-sysinfo-l1-1-0.dll	`GetSystemTimeAsFileTime` `GetTickCount`
api-ms-win-core-rtlsupport-l1-1-0.dll	`RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext`
ntdll.dll	`EtwGetTraceEnableFlags` `EtwGetTraceEnableLevel` `EtwGetTraceLoggerHandle` `EtwTraceMessage` `EtwRegisterTraceGuidsW` `EtwUnregisterTraceGuids`
api-ms-win-core-delayload-l1-1-1.dll	`ResolveDelayLoadedAPI`
api-ms-win-core-delayload-l1-1-0.dll	`DelayLoadFailureHook`
api-ms-win-security-sddl-l1-1-0.dll (delay-loaded)	`ConvertStringSecurityDescriptorToSecurityDescriptorW`

Delayed Imports

Attributes	`0x1`
Name	`api-ms-win-security-sddl-l1-1-0.dll`
ModuleHandle	`0x12730`
DelayImportAddressTable	`0x14000`
DelayImportNameTable	`0x104a0`
BoundDelayImportTable	`0x104e8`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

WmiCommitObject

Ordinal	`1`
Address	`0x3d30`

WmiAddObjectProp

Ordinal	`2`
Address	`0x2a10`

WmiCreateObject

Ordinal	`3`
Address	`0xacb0`

WmiCreateObjectWithFormat

Ordinal	`4`
Address	`0x2750`

WmiCreateObjectWithProps

Ordinal	`5`
Address	`0x1dd0`

WmiDestroyObject

Ordinal	`6`
Address	`0x4050`

WmiEventSourceConnect

Ordinal	`7`
Address	`0x1340`

WmiEventSourceDisconnect

Ordinal	`8`
Address	`0x1080`

WmiIsObjectActive

Ordinal	`9`
Address	`0x49a0`

WmiSetAndCommitObject

Ordinal	`10`
Address	`0x3c00`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x36c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.46689`
MD5	`488605a564f9dbe51105beee24f7ee97`
SHA1	`86f0682cbf44983c932fe4e48e5da60c05f3a25a`
SHA256	`b9df4b5e992e4a01b95861aaea017877a9a54f921bab42140463abbe36f945cb`
SHA3	`9c229589be1613587bc57d8599de30c40155240661f0f3b18e176e898eabb708`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.18362.1
ProductVersion	10.0.18362.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription
FileVersion (#2)	10.0.18362.1 (WinBuild.160101.0800)
InternalName	NCObjAPI
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	NCObjAPI.DLL
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.18362.1

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	1995-May-30 00:23:20
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0xd930`
PointerToRawData	`0xcd30`
Referenced File	NCObjAPI.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	1995-May-30 00:23:20
Version	`0.0`
SizeofData	`1044`
AddressOfRawData	`0xd958`
PointerToRawData	`0xcd58`

UNKNOWN

Characteristics	`0`
TimeDateStamp	1995-May-30 00:23:20
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0xdd6c`
PointerToRawData	`0xd16c`

TLS Callbacks

Load Configuration

Size	`0x108`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x180012168`
GuardCFCheckFunctionPointer	`6442499936`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xc7c407e7`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`38`
ASM objects (26715)	`2`
C objects (26715)	`13`
Total imports	`85`
Imports (26715)	`3`
C++ objects (26715)	`3`
Exports (26715)	`1`
270 (26715)	`11`
Resource objects (26715)	`1`
Linker (26715)	`1`

ee3bd96db188b9703b17b2d6ed392633

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.didat

.rsrc

.reloc

Imports

Delayed Imports

WmiCommitObject

WmiAddObjectProp

WmiCreateObject

WmiCreateObjectWithFormat

WmiCreateObjectWithProps

WmiDestroyObject

WmiEventSourceConnect

WmiEventSourceDisconnect

WmiIsObjectActive

WmiSetAndCommitObject

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors