f57cde7898fc773adfd48d83ecdb9a2f

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Nov-20 12:08:08
Detected languages English - United States
Debug artifacts userenv.pdb
CompanyName Microsoft Corporation
FileDescription Userenv
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName userenv
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename userenv.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7601.17514

Plugin Output

Suspicious The PE is possibly packed. Unusual section name found: .orpc
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExA
Can access the registry:
  • RegOpenKeyExW
  • RegCloseKey
  • RegQueryValueExW
  • RegGetValueW
Functions related to the privilege level:
  • OpenProcessToken
Safe VirusTotal score: 0/68 (Scanned on 2021-05-22 18:11:16) All the AVs think this file is safe.

Hashes

MD5 f57cde7898fc773adfd48d83ecdb9a2f
SHA1 d5b9157fc6f7913af9b3980860ea9224cf480818
SHA256 62cb7baedfd7c5b0256b983319cf01e60f24f2690820cee8ea5d49c32d087790
SHA3 f863abce0b9607c2dbf708008dfe13ffcab5134c0bf960d5857b854f26aa015b
SSDeep 384:gpcr2RmTN0Gi+TZ4Ge7m9BDvZ1i83rEevhqCntwaYWGzdWsgREx:gcqmB0GpTZ4GeI1HbvMCntwJWq
Imports Hash ec133499a747c226d32e9dada5afebd0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2010-Nov-20 12:08:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.1
SizeOfCode 0x10e00
SizeOfInitializedData 0x2c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00001C9D (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x13000
ImageBase 0x74cc0000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.1
ImageVersion 6.1
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0x17000
SizeOfHeaders 0x600
Checksum 0x1bf8b
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 d03a4c8b47091639328cc13b8b871c02
SHA1 e80bfba446a0d3e476cb23672f6677a0a40a8f7e
SHA256 0bf64c29b656f0e618f46d4382006047e7364c889ec7ecaa512b80f25ec44ae8
SHA3 68df27b7e0d0bb41decd818c2e8ad56a5f644e4e0b734d17b1fc4259b6299292
VirtualSize 0x10a1c
VirtualAddress 0x1000
SizeOfRawData 0x10c00
PointerToRawData 0x600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 2.33515

.orpc

MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SHA3 622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59
VirtualSize 0x33
VirtualAddress 0x12000
SizeOfRawData 0x200
PointerToRawData 0x11200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 0

.data

MD5 d3028078a67d2cac931cca58e559da7f
SHA1 b80dc97dc8797a76be476311050302b779d8931b
SHA256 1b5570f82d03aeebdcbb60e42d51ef75ec0bdcb216e979d31aa6c7ff9a4ead9a
SHA3 c8c85ea011711e8250a0e6a9fc90cce87c401d3604b115f0159c2d87e717294c
VirtualSize 0x584
VirtualAddress 0x13000
SizeOfRawData 0x600
PointerToRawData 0x11400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.66713

.rsrc

MD5 dd46fc0968adc85d8a4634dd1c9a859e
SHA1 9ae6fb94a8e98bb1096c0334cca327a084b44274
SHA256 44c507fa59e495af0c60b90b63f24fc92b58b77409ca2469cf74b872c09fea65
SHA3 4c3f30ed85ea9417bc34f7c1608f8a5da02ab629b5e127c590411e784ee4bba8
VirtualSize 0x15d8
VirtualAddress 0x14000
SizeOfRawData 0x1600
PointerToRawData 0x11a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.92165

.reloc

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA3 a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563
VirtualSize 0xf9c
VirtualAddress 0x16000
SizeOfRawData 0x1000
PointerToRawData 0x13000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0

Imports

msvcrt.dll
  • memmove
  • _XcptFilter
  • _initterm
  • _amsg_exit
  • _except_handler4_common
  • _vsnwprintf
  • ??3@YAXPAX@Z
  • ??2@YAPAXI@Z
  • memcpy
  • malloc
  • free
  • memset
ntdll.dll
  • RtlNtStatusToDosError
  • RtlAdjustPrivilege
  • EtwEventWrite
  • EtwUnregisterTraceGuids
  • RtlExpandEnvironmentStrings
  • NtClose
  • RtlIsDosDeviceName_U
  • RtlAnsiCharToUnicodeChar
  • RtlIntegerToChar
  • RtlInitUnicodeStringEx
  • EtwEventRegister
  • EtwLogTraceEvent
  • EtwEventUnregister
  • EtwTraceMessage
  • EtwGetTraceEnableFlags
  • EtwGetTraceEnableLevel
  • EtwRegisterTraceGuidsW
  • EtwGetTraceLoggerHandle
KERNELBASE.dll
  • BemFreeReference
  • BemCreateReference
  • GetSystemDefaultUILanguage
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
  • GetLastError
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • SetLastError
API-MS-Win-Core-File-L1-1-0.dll
  • GetFileAttributesW
  • CreateFileW
  • CompareFileTime
  • CreateDirectoryW
  • RemoveDirectoryW
  • GetFileAttributesExW
  • DeleteFileW
  • FindNextFileW
  • SetFileAttributesW
  • FindClose
  • SetFileTime
  • GetDiskFreeSpaceExW
  • FlushFileBuffers
  • FindFirstFileW
API-MS-Win-Core-Handle-L1-1-0.dll
  • CloseHandle
API-MS-Win-Core-Heap-L1-1-0.dll
  • HeapAlloc
  • GetProcessHeap
  • HeapReAlloc
  • HeapFree
API-MS-Win-Core-Interlocked-L1-1-0.dll
  • InterlockedIncrement
  • InterlockedCompareExchange
  • InterlockedExchange
API-MS-Win-Core-IO-L1-1-0.dll
  • DeviceIoControl
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
  • DisableThreadLibraryCalls
  • LockResource
  • FindResourceExW
  • GetModuleFileNameW
  • GetProcAddress
  • FreeLibrary
  • LoadLibraryExA
  • LoadStringW
  • LoadResource
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
  • RegOpenKeyExW
  • RegCloseKey
  • RegQueryValueExW
  • RegGetValueW
API-MS-Win-Core-Misc-L1-1-0.dll
  • LocalAlloc
  • LocalReAlloc
  • Sleep
  • lstrlenW
  • FormatMessageW
  • LocalFree
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
  • GetCurrentThread
  • TerminateProcess
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetCurrentProcess
  • OpenProcessToken
  • CreateThread
  • SetThreadToken
  • OpenThreadToken
API-MS-Win-Core-Profile-L1-1-0.dll
  • QueryPerformanceCounter
API-MS-Win-Core-String-L1-1-0.dll
  • CompareStringOrdinal
  • WideCharToMultiByte
  • MultiByteToWideChar
API-MS-Win-Core-Synch-L1-1-0.dll
  • SetEvent
  • DeleteCriticalSection
  • WaitForSingleObject
  • CreateEventW
  • EnterCriticalSection
  • InitializeCriticalSectionAndSpinCount
  • LeaveCriticalSection
API-MS-Win-Core-SysInfo-L1-1-0.dll
  • GetTickCount
  • GetSystemTimeAsFileTime
API-MS-Win-Security-Base-L1-1-0.dll
  • AddAccessAllowedAce
  • PrivilegeCheck
  • EqualSid
  • GetSecurityDescriptorOwner
  • GetFileSecurityW
  • ImpersonateSelf
  • AllocateAndInitializeSid
  • GetLengthSid
  • InitializeAcl
  • AddAccessDeniedAce
  • FreeSid
  • CopySid
  • GetTokenInformation
  • RevertToSelf
  • ImpersonateLoggedOnUser
RPCRT4.dll
  • NdrOleAllocate
  • NdrOleFree
  • IUnknown_QueryInterface_Proxy
  • IUnknown_AddRef_Proxy
  • IUnknown_Release_Proxy
  • CStdStubBuffer_QueryInterface
  • CStdStubBuffer_AddRef
  • CStdStubBuffer_Connect
  • CStdStubBuffer_Disconnect
  • CStdStubBuffer_Invoke
  • CStdStubBuffer_IsIIDSupported
  • CStdStubBuffer_CountRefs
  • CStdStubBuffer_DebugServerQueryInterface
  • CStdStubBuffer_DebugServerRelease
  • NdrDllUnregisterProxy
  • NdrDllRegisterProxy
  • NdrCStdStubBuffer_Release
  • NdrDllCanUnloadNow
  • NdrDllGetClassObject
  • NdrClientCall2
  • I_RpcExceptionFilter
  • RpcBindingSetAuthInfoExW
  • RpcBindingFree
  • RpcStringBindingComposeW
  • RpcBindingFromStringBindingW
  • RpcStringFreeW
  • RpcRevertToSelf
profapi.dll
  • #103
  • #102
  • #101
  • #104
  • #105
KERNEL32.dll
  • MoveFileExW
  • DelayLoadFailureHook
  • FindResourceW
  • SearchPathW
  • WaitForMultipleObjects
  • CreateSymbolicLinkW
  • PrivCopyFileExW

Delayed Imports

Exports

Ordinal Address Name
104 0xd720 RsopLoggingEnabled
105 0xa2b7 CreateEnvironmentBlock
106 0x1a7a CreateProfile
107 0xcde1 DeleteProfileA
108 0xe18d DeleteProfileW
109 0xc7d3 DestroyEnvironmentBlock
110 0x1a4e DllCanUnloadNow
111 0x1a36 DllGetClassObject
112 0x2d13 DllGetContractDescription
113 0xa089 DllRegisterServer
114 0xa1f3 DllUnregisterServer
115 0xa1fd EnterCriticalPolicySection
116 0x270c ExpandEnvironmentStringsForUserA
117 0xe53d ExpandEnvironmentStringsForUserW
118 0x1a01 ForceSyncFgPolicy
119 0xa2e5 FreeGPOListA
120 0xa207 FreeGPOListW
121 0xa247 (#2)
122 0x6ac1 GetAllUsersProfileDirectoryA
123 0xe459 GetAllUsersProfileDirectoryW
124 0x2772 GetAppliedGPOListA
125 0xa217 GetAppliedGPOListW
126 0xa257 GetDefaultUserProfileDirectoryA
127 0xe375 GetDefaultUserProfileDirectoryW
128 0xe274 GetGPOListA
129 0xa227 GetGPOListW
130 0x3284 GetNextFgPolicyRefreshInfo
131 0x2724 GetPreviousFgPolicyRefreshInfo
132 0xa2d5 GetProfileType
133 0x2a1f GetProfilesDirectoryA
134 0xe291 (#3)
135 0xeed9 GetProfilesDirectoryW
136 0xe257 (#4)
137 0xd4d3 GetUserProfileDirectoryA
138 0x69d1 (#5)
139 0xda23 GetUserProfileDirectoryW
140 0x25b2 LeaveCriticalPolicySection
141 0x26f4 LoadUserProfileA
142 0xe071 LoadUserProfileW
143 0x1aac ProcessGroupPolicyCompleted
144 0xa267 ProcessGroupPolicyCompletedEx
145 0x275a RefreshPolicy
146 0x326c RefreshPolicyEx
147 0xa237 RegisterGPNotification
148 0x26a5 RsopAccessCheckByType
149 0xa277 RsopFileAccessCheck
150 0xa287 RsopResetPolicySettingStatus
151 0xa2a7 RsopSetPolicySettingStatus
152 0xa297 UnloadUserProfile
153 0x3e6f UnregisterGPNotification
154 0x26d5 WaitForMachinePolicyForegroundProcessing
155 0xa2c1 WaitForUserPolicyForegroundProcessing
156 0xa2cb (#6)
175 0x3049 (#7)
202 0xc4cd (#8)
203 0xb21d (#9)
206 0xa679 (#10)
207 0x5a6b (#11)
208 0xcb19 (#12)
209 0x465c

Resources

1

Type JPEG
Language English - United States
Codepage UNKNOWN
Size 0x90b
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.29207
Detected Filetype JPEG graphic file
MD5 eb706b73c6d0ecb9ebc0f6e9f3d851ac
SHA1 0a060925e412aee1e4c1e52875f1799efe4a76af
SHA256 a3abd332d32a90b0d237adbf8db969692569df2b02634836865aa94b43a2d10a
SHA3 56037f6cf17528e7786d7ebf930369d84798fcad72c86d3889f487b27c4f41b4

1 (#2)

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xf8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 0
MD5 2f2c09c2e2f5d90225d271bd431b9b94
SHA1 93fa51b309f36ae636e0e7b4dd03d383b5645648
SHA256 b3ab6982980fddf460a2f47adb428475ce9afa89092fd034499d017a35993f05
SHA3 ba1aed10a445f3246c28dbcc922d8b0baa4d78fca0bc91ef61bb48c0675d252a

1 (#3)

Type WEVT_TEMPLATE
Language English - United States
Codepage UNKNOWN
Size 0x6f2
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.67813
MD5 00cfa33e42ca7e765867f2c68f03e96a
SHA1 f0af6d0895447de37868a45b2ed252fc7bcaed05
SHA256 82789f35ce2227fc585b706f6110640216934e4324912408ed09886e273257e0
SHA3 8dfb9e05a8f5294f758f8cbc8b8667cc8d07c94045db68c9c26c82486eeedb6a

1 (#4)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x374
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.52799
MD5 c716ffd12d53aed2ff08a4da700fd4d0
SHA1 94833c7254ac7a786c79b86a42cd28ebd259b3e2
SHA256 afcc835adb359eefd2f47419cbb5596689b820feb6c17d5e2c13014c298d3b24
SHA3 cdbc1ddcbb26d3106b39edfa45e8d77edb54c0b1c1b323585bf4a8ca14ede798

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7601.17514
ProductVersion 6.1.7601.17514
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Userenv
FileVersion (#2) 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName userenv
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename userenv.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.1.7601.17514
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2010-Nov-20 09:26:06
Version 0.0
SizeofData 36
AddressOfRawData 0x119f8
PointerToRawData 0x10ff8
Referenced File userenv.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics 0
TimeDateStamp 2010-Nov-20 09:26:06
Version 565.6526
SizeofData 4
AddressOfRawData 0x119f4
PointerToRawData 0x10ff4

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x74cd3180
SEHandlerTable 0x74cca080
SEHandlerCount 1

RICH Header

XOR Key 0x69509d55
Unmarked objects 0
ASM objects (VS2008 SP1 build 30729) 3
Total imports 208
Imports (VS2008 SP1 build 30729) 43
Exports (VS2008 SP1 build 30729) 1
C++ objects (VS2008 SP1 build 30729) 15
C objects (VS2008 SP1 build 30729) 21
Linker (VS2008 SP1 build 30729) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!
[*] Warning: 46 invalid export(s) not shown.