Manalyze report for fe4c2bbc31f8009ae2362fc4df3b4244

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Jul-29 09:12:22
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
Debug artifacts	d:\Webhost\29-07-2024\WindowsBuilds\OSD_NATIVE\8799050\osdeployer\ONPREMISE\OSD_SRC\agent\x64\Release\ImageCreator.pdb

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: bcdedit.exe` `Contains references to security software: Monitor.exe` `Tries to detect virtualized environments: HARDWARE\DESCRIPTION\System` `May have dropper capabilities: CurrentControlSet\Services` `Accesses the WMI: ROOT\CIMV2 root\cimv2` `Contains domain names: appinf.com different.com http://www.appinf.com http://www.appinf.com/features/enable-partial-reads http://www.appinf.com/features/no-whitespace-in-element-content http://www.microsoft.com http://www.microsoft.com/migration/1.0/migxmlext/excludedrive http://www.w3.org http://www.w3.org/XML/1998/namespace http://www.w3.org/xmlns/2000/ http://xml.org microsoft.com openssl.org server.com www.appinf.com www.different.com www.microsoft.com www.server.com www.w3.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses known Diffie-Helman primes` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: text` `Unusual section name found: data`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread CreateToolhelp32Snapshot` `Can access the registry: RegLoadKeyW RegOpenKeyExW RegEnumKeyExW RegCloseKey RegUnLoadKeyW RegCreateKeyExW RegSetValueExW RegQueryValueExW RegDeleteKeyW RegGetKeySecurity RegSetKeySecurity RegQueryInfoKeyW RegRenameKey RegQueryValueW RegQueryValueExA RegOpenKeyExA RegOpenKeyW RegDeleteValueW RegEnumValueW` `Possibly launches other programs: CreateProcessW` `Uses Windows's Native API: ntohl ntohs` `Uses Microsoft's cryptographic API: CryptMsgGetParam CryptQueryObject CryptStringToBinaryA CryptGetHashParam CryptHashData CryptGetUserKey CryptDestroyHash CryptDecrypt CryptDestroyKey CryptCreateHash CryptGetProvParam CryptEnumProvidersW CryptSignHashW CryptAcquireContextW CryptExportKey CryptSetHashParam CryptGenRandom CryptReleaseContext CryptAcquireContextA` `Can create temporary files: GetTempPathW CreateFileW GetTempPathA CreateFileA` `Has Internet access capabilities: WinHttpSetCredentials WinHttpOpenRequest WinHttpSendRequest WinHttpQueryDataAvailable WinHttpReadData WinHttpReceiveResponse WinHttpQueryHeaders WinHttpConnect WinHttpOpen WinHttpSetOption WinHttpWriteData WinHttpAddRequestHeaders WinHttpSetStatusCallback WinHttpCloseHandle WinHttpQueryOption` `Leverages the raw socket API to access the Internet: WSAStartup WSAGetLastError WSACleanup __WSAFDIsSet select getsockopt gethostbyname WSAPoll recvfrom shutdown sendto getpeername gethostname ntohl getprotobyname inet_addr WSASocketA htonl recv WSASetLastError send connect setsockopt bind listen accept socket WSAIoctl closesocket getaddrinfo htons freeaddrinfo getnameinfo ioctlsocket ntohs getsockname` `Functions related to the privilege level: AdjustTokenPrivileges DuplicateToken CheckTokenMembership OpenProcessToken` `Interacts with services: QueryServiceStatusEx OpenServiceW OpenSCManagerW` `Enumerates local disk drives: GetDriveTypeW GetVolumeInformationW GetDriveTypeA` `Manipulates other processes: OpenProcess Process32NextW Process32FirstW` `Changes object ACLs: SetNamedSecurityInfoW` `Interacts with the certificate store: CertAddCertificateContextToStore CertOpenStore` `Can shut the system down or lock the screen: InitiateSystemShutdownW`
Info	The PE is digitally signed.	`Signer: ZOHO Corporation Private Limited` `Issuer: GlobalSign GCC R45 CodeSigning CA 2020`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`fe4c2bbc31f8009ae2362fc4df3b4244`
SHA1	`edb015ebb723fe267201333ac5ee2c03ac0ac764`
SHA256	`ee310e817d61799aa8173ba83bf3086ffbc460452d0772995548f37682ec5d7c`
SHA3	`effe32936487c39628185e54d262e597b85ca1e18c53846da36bc82e18184c83`
SSDeep	`98304:vnUa8OUXvZzhR5vQ2YTyjmNHucYxALK+m6BrWq0ynIKsIYUChQ2+:vUaivdhR5vQt+2unAm4Bqq0ynmIO+`
Imports Hash	`96d2b862f18280eea720287ad2e9f2b1`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x120`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2024-Jul-29 09:12:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`10.0`
SizeOfCode	`0x78a400`
SizeOfInitializedData	`0x358400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000530860 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xae9000`
SizeOfHeaders	`0x400`
Checksum	`0xae9dde`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b43f8e9d33b21f4169391939922d6e1d`
SHA1	`06a07f5346c09ea6bf08df5a950f053db57cac2c`
SHA256	`47d51889f9686549029774ca44ab8963978b49514b2f91d4d00fd09623e7d64c`
SHA3	`8abee27e013721b25b63e9fa0945c6fa21d0603c20f76716330bbfd801a6a511`
VirtualSize	`0x78a3cd`
VirtualAddress	`0x1000`
SizeOfRawData	`0x78a400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.34353`

.rdata

MD5	`8c7c01985be65b829ffcd6478183c2cd`
SHA1	`20ed9cdc1d26966e370349e0305d2ca91a5ffe33`
SHA256	`8d1f15161673a48ac6af583542c192c1aceabc90f926617310caf65ea61b4489`
SHA3	`d454492a84915e9dc87b0efc94c874518c160aaaa16f45b5a0dff178753997d7`
VirtualSize	`0x2a761a`
VirtualAddress	`0x78c000`
SizeOfRawData	`0x2a7800`
PointerToRawData	`0x78a800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.00952`

.data

MD5	`b7863eccb8130e63055b6d5585d7e6ee`
SHA1	`929726cfa6fba9e833c5dc364ae5896f7daa8211`
SHA256	`ecc33865618dc7e1d665570565fbf644235d0a054b513bde0876972708f56da8`
SHA3	`02d0f65f43e396775eaa129ec5a947e6b6009c798722c5055da08cb9515a3259`
VirtualSize	`0x2d1b8`
VirtualAddress	`0xa34000`
SizeOfRawData	`0x23400`
PointerToRawData	`0xa32000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.51773`

.pdata

MD5	`858a7d4f5e66b96b5a3343c26f9cf631`
SHA1	`81c7785d45f71d22850f9279964acef3af45c69d`
SHA256	`62bd988d16ab6dda574d1682cf2019900099dc51bc970634792e130a48d08e2d`
SHA3	`743b598188276414e141c1f50981f0a5eda7037ce08df7e742315a3ecac2af61`
VirtualSize	`0x69294`
VirtualAddress	`0xa62000`
SizeOfRawData	`0x69400`
PointerToRawData	`0xa55400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.30035`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x2`
VirtualAddress	`0xacc000`
SizeOfRawData	`0x200`
PointerToRawData	`0xabe800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

text

MD5	`75577a3439ef4293fcc023d7bc766ee6`
SHA1	`55939bbe1d0322fe8dc62e85a7766a992a11f9bc`
SHA256	`c7e3bdf38267edb64ea2c9de04a0c2d7178c0f3b63c18f35d771a96acad28003`
SHA3	`688a4060620a74c4e8fe25dc88414c9eb4ab358d5dcfd5934bdaec396ca9a2a8`
VirtualSize	`0xe71`
VirtualAddress	`0xacd000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xabea00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE`
Entropy	`5.37746`

data

MD5	`d0908aab8a4dff606b7d306e61617a0a`
SHA1	`9f7638b1add51fe079107293c1e4b858c2172eac`
SHA256	`dcaf43615990d6c9247243afccf168180b51b0b4e406fe19e8987c93df86587a`
SHA3	`bc61d96f499ce5f9afe570d4f72873d28e3858b64cdad0e220f843f28e5c823b`
VirtualSize	`0x41e0`
VirtualAddress	`0xace000`
SizeOfRawData	`0x4200`
PointerToRawData	`0xabfa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.3151`

.rsrc

MD5	`9e18e3f8d8e558c68ef7fa18be7d6610`
SHA1	`9e3664afa817a1e26185462263f598075cee96d5`
SHA256	`4baf7d26f3f0e0bb171df9905aae2db687f344cd1dadf0d89e41f6341a661105`
SHA3	`e63318a1c5cbb081b612d32f56ec5234ad7c61d3b154984cec01b921fc705a33`
VirtualSize	`0x3e8`
VirtualAddress	`0xad3000`
SizeOfRawData	`0x400`
PointerToRawData	`0xac3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.29946`

.reloc

MD5	`64071eb8a864509b16d0025662b2798a`
SHA1	`931155897968ccad376ad5192a9761f7f8f4ea8c`
SHA256	`8d7efe610b4f2e9466f0df7c44f9157f928bfdb7a22837dd367a2e7c76efab95`
SHA3	`91f4f4d12f0b7d5180d70565e014d2ccb5ed96539a9162b676f3443ae44bdf9d`
VirtualSize	`0x14c24`
VirtualAddress	`0xad4000`
SizeOfRawData	`0x14e00`
PointerToRawData	`0xac4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.83826`

Imports

CRYPT32.dll	`CryptMsgGetParam` `CryptQueryObject` `CertEnumCertificatesInStore` `CertGetCertificateContextProperty` `CertDuplicateCertificateContext` `PFXImportCertStore` `PFXVerifyPassword` `CertGetNameStringA` `CryptStringToBinaryA` `CertCreateCertificateContext` `CertDeleteCertificateFromStore` `CertFindCertificateInStore` `CertFreeCertificateContext` `CertCloseStore` `CertAddCertificateContextToStore` `CertGetNameStringW` `CertOpenStore`
WS2_32.dll	`WSAStartup` `WSAGetLastError` `WSACleanup` `__WSAFDIsSet` `select` `getsockopt` `gethostbyname` `WSAPoll` `recvfrom` `shutdown` `sendto` `getpeername` `gethostname` `ntohl` `getprotobyname` `inet_addr` `WSASocketA` `htonl` `recv` `WSASetLastError` `send` `connect` `setsockopt` `bind` `listen` `accept` `socket` `WSAIoctl` `closesocket` `getaddrinfo` `htons` `freeaddrinfo` `getnameinfo` `ioctlsocket` `ntohs` `getsockname`
IPHLPAPI.DLL	`ConvertLengthToIpv4Mask` `GetAdapterIndex` `GetAdaptersInfo` `GetAdaptersAddresses`
NETAPI32.dll	`DsRoleGetPrimaryDomainInformation` `NetLocalGroupGetMembers` `NetApiBufferFree` `NetLocalGroupEnum` `NetGetJoinInformation` `DsGetDcNameW` `DsRoleFreeMemory`
NTDSAPI.dll	`DsFreeDomainControllerInfoW` `DsBindW` `DsGetDomainControllerInfoW` `DsUnBindW`
KERNEL32.dll	`GetNativeSystemInfo` `GetFileAttributesW` `DeleteFileW` `GetVersion` `CreateProcessW` `GetExitCodeProcess` `LoadLibraryW` `GetProcAddress` `GetModuleHandleW` `TerminateProcess` `GetDiskFreeSpaceExW` `CreateDirectoryW` `Sleep` `GetCurrentDirectoryW` `GetCurrentProcess` `GetTempPathW` `RemoveDirectoryW` `lstrlenW` `WideCharToMultiByte` `lstrlenA` `CreateSemaphoreW` `ReleaseSemaphore` `GetDiskFreeSpaceW` `GetDriveTypeW` `GetVolumeInformationW` `FormatMessageW` `GetVolumePathNamesForVolumeNameW` `FindFirstVolumeW` `CreateFileW` `DeviceIoControl` `FindVolumeClose` `FindNextVolumeW` `SetFilePointer` `ReadFile` `FreeLibrary` `FileTimeToSystemTime` `SystemTimeToTzSpecificLocalTime` `SetVolumeMountPointW` `GetWindowsDirectoryA` `GetFileSize` `DeleteVolumeMountPointW` `GetModuleFileNameW` `WriteFile` `SetFilePointerEx` `ReadFileEx` `WriteFileEx` `CopyFileW` `VirtualAlloc` `VirtualFree` `GetEnvironmentVariableW` `GetVersionExW` `CreateNamedPipeW` `ConnectNamedPipe` `DisconnectNamedPipe` `GetSystemTime` `SystemTimeToFileTime` `LocalFree` `FindFirstFileW` `FindNextFileW` `FindClose` `GetSystemTimeAsFileTime` `FlushViewOfFile` `GetProcessHeap` `OutputDebugStringW` `OutputDebugStringA` `WaitForSingleObjectEx` `UnmapViewOfFile` `UnlockFileEx` `UnlockFile` `SetEndOfFile` `QueryPerformanceCounter` `MapViewOfFile` `LockFileEx` `LockFile` `GetTickCount` `HeapCompact` `HeapValidate` `HeapSize` `HeapReAlloc` `HeapFree` `HeapDestroy` `HeapCreate` `HeapAlloc` `GetVersionExA` `GetTempPathA` `GetSystemInfo` `GetFullPathNameW` `GetFullPathNameA` `GetFileAttributesExW` `GetFileAttributesA` `GetDiskFreeSpaceA` `GetCurrentProcessId` `FormatMessageA` `FlushFileBuffers` `DeleteFileA` `CreateFileMappingW` `CreateFileMappingA` `CreateFileA` `AreFileApisANSI` `TryEnterCriticalSection` `GetCurrentThreadId` `CreateEventA` `QueryPerformanceFrequency` `GetThreadTimes` `GetCurrentThread` `GetFileAttributesExA` `GetCurrentDirectoryA` `CompareFileTime` `GetExitCodeThread` `SetCurrentDirectoryW` `GetModuleHandleExW` `SetLastError` `TlsGetValue` `TlsSetValue` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsFree` `CreateFiber` `SwitchToFiber` `DeleteFiber` `GetStdHandle` `GetFileType` `RaiseException` `RtlVirtualUnwind` `ConvertThreadToFiber` `ConvertFiberToThread` `SetCriticalSectionSpinCount` `SwitchToThread` `SetHandleInformation` `GetProcessAffinityMask` `ExpandEnvironmentStringsA` `ReadConsoleA` `ReadConsoleW` `GetConsoleMode` `SetConsoleMode` `CreateTimerQueue` `DeleteTimerQueueTimer` `DeleteTimerQueueEx` `CreateTimerQueueTimer` `GetTimeZoneInformation` `OpenProcess` `FindFirstFileA` `SetFileAttributesA` `FindNextFileA` `RemoveDirectoryA` `SetFileAttributesW` `GetFileSizeEx` `CreateToolhelp32Snapshot` `Process32NextW` `Process32FirstW` `GlobalMemoryStatusEx` `GetComputerNameExW` `GetSystemFirmwareTable` `GetComputerNameW` `GetFirmwareEnvironmentVariableW` `GetLocalTime` `FlsFree` `FlsSetValue` `FlsGetValue` `RtlCaptureContext` `IsDebuggerPresent` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `MultiByteToWideChar` `SetThreadPriority` `ReleaseMutex` `CreateMutexW` `FindResourceExW` `FindResourceW` `LoadResource` `LockResource` `SizeofResource` `DeleteCriticalSection` `CloseHandle` `GetLastError` `CreateEventW` `InitializeCriticalSection` `WaitForSingleObject` `SetEvent` `LeaveCriticalSection` `ResetEvent` `EnterCriticalSection` `GetWindowsDirectoryW` `FlsAlloc` `GetLocaleInfoW` `SetHandleCount` `GetStartupInfoW` `HeapSetInformation` `GetACP` `GetOEMCP` `IsValidCodePage` `CompareStringW` `GetModuleFileNameA` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `SetConsoleCtrlHandler` `SetStdHandle` `GetFileInformationByHandle` `CreateThread` `GetFileTime` `MoveFileW` `PeekNamedPipe` `WriteConsoleW` `GetUserDefaultLCID` `GetLocaleInfoA` `EnumSystemLocalesA` `IsValidLocale` `SetEnvironmentVariableA` `CreateSemaphoreA` `DuplicateHandle` `GetModuleHandleA` `WaitForMultipleObjectsEx` `MoveFileExW` `SetWaitableTimer` `OpenEventA` `CreateWaitableTimerA` `IsDBCSLeadByteEx` `FoldStringW` `GetDateFormatW` `GetTimeFormatW` `GetCurrencyFormatW` `WaitForMultipleObjects` `LoadLibraryA` `LCMapStringW` `GetTimeFormatA` `GetDateFormatA` `GetConsoleCP` `FindFirstFileExA` `GetDriveTypeA` `FileTimeToLocalFileTime` `ExitProcess` `RtlUnwindEx` `RtlLookupFunctionEntry` `RtlPcToFileHeader` `GetCPInfo` `ResumeThread` `GetCommandLineA` `ExitThread` `DecodePointer` `EncodePointer` `GetStringTypeW`
USER32.dll	`GetProcessWindowStation` `GetSystemMetrics` `GetUserObjectInformationW` `wsprintfW` `MessageBoxW`
ADVAPI32.dll	`RegLoadKeyW` `RegOpenKeyExW` `RegEnumKeyExW` `RegCloseKey` `RegUnLoadKeyW` `RegCreateKeyExW` `RegSetValueExW` `RegQueryValueExW` `GetTokenInformation` `RegDeleteKeyW` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `RegGetKeySecurity` `GetSecurityDescriptorDacl` `RegSetKeySecurity` `RegQueryInfoKeyW` `RegRenameKey` `LookupAccountSidW` `ConvertStringSidToSidW` `ConvertSidToStringSidW` `RegQueryValueW` `QueryServiceStatusEx` `CloseServiceHandle` `OpenServiceW` `OpenSCManagerW` `CryptGetHashParam` `CryptHashData` `InitiateSystemShutdownW` `OpenThreadToken` `DuplicateToken` `CreateWellKnownSid` `CheckTokenMembership` `CryptGetUserKey` `CryptDestroyHash` `CryptDecrypt` `CryptDestroyKey` `CryptCreateHash` `CryptGetProvParam` `CryptEnumProvidersW` `CryptSignHashW` `CryptAcquireContextW` `CryptExportKey` `CryptSetHashParam` `ReportEventW` `DeregisterEventSource` `RegisterEventSourceW` `RegQueryValueExA` `RegOpenKeyExA` `CryptGenRandom` `CryptReleaseContext` `CryptAcquireContextA` `GetSidSubAuthority` `GetSidSubAuthorityCount` `SetNamedSecurityInfoW` `SetSecurityDescriptorDacl` `InitializeSecurityDescriptor` `GetNamedSecurityInfoW` `GetAce` `GetAclInformation` `GetSecurityDescriptorSacl` `GetSecurityDescriptorGroup` `GetSecurityDescriptorOwner` `RegOpenKeyW` `RegDeleteValueW` `RegEnumValueW` `OpenProcessToken`
SHELL32.dll	`SHFileOperationW` `SHCreateDirectoryExW`
ole32.dll	`CoUninitialize` `CoCreateInstance` `CoInitializeSecurity` `CoSetProxyBlanket` `StringFromGUID2` `CoInitialize` `CoCreateGuid`
OLEAUT32.dll	`SysAllocString` `SysFreeString` `VariantInit` `VariantClear`
SHLWAPI.dll	`PathRemoveFileSpecW` `PathFileExistsW` `PathFindFileNameW` `StrTrimW` `PathStripToRootW` `PathFileExistsA` `PathAppendW` `PathCombineW`
MPR.dll	`WNetAddConnection2W` `WNetCancelConnection2W`
msi.dll	`#248` `#246`
SETUPAPI.dll	`SetupOpenInfFileW` `SetupCloseInfFile` `SetupGetStringFieldW` `SetupFindFirstLineW` `SetupFindNextLine` `CM_Locate_DevNodeW` `SetupDiEnumDeviceInfo` `SetupDiDestroyDeviceInfoList` `SetupDiGetClassDevsW` `SetupDiGetDevicePropertyW` `SetupDiGetDeviceInstanceIdW` `CM_Get_DevNode_Status` `CM_Get_DevNode_Registry_Property_ExW`
WINHTTP.dll	`WinHttpSetCredentials` `WinHttpOpenRequest` `WinHttpSendRequest` `WinHttpQueryDataAvailable` `WinHttpReadData` `WinHttpReceiveResponse` `WinHttpQueryHeaders` `WinHttpConnect` `WinHttpOpen` `WinHttpSetOption` `WinHttpWriteData` `WinHttpAddRequestHeaders` `WinHttpSetStatusCallback` `WinHttpCloseHandle` `WinHttpQueryOption`
WINMM.dll	`timeGetDevCaps` `timeBeginPeriod`
PSAPI.DLL	`GetProcessImageFileNameW` `GetProcessMemoryInfo`
VERSION.dll	`VerQueryValueW` `GetFileVersionInfoW` `GetFileVersionInfoSizeW`

Delayed Imports

LZ4_compressBound

Ordinal	`1`
Address	`0x119200`

LZ4_compress_HC

Ordinal	`2`
Address	`0x122a60`

LZ4_compress_HC_continue

Ordinal	`3`
Address	`0x123710`

LZ4_compress_HC_extStateHC

Ordinal	`4`
Address	`0x122950`

LZ4_compress_default

Ordinal	`5`
Address	`0x11a360`

LZ4_compress_destSize

Ordinal	`6`
Address	`0x11b000`

LZ4_compress_fast

Ordinal	`7`
Address	`0x11a300`

LZ4_compress_fast_continue

Ordinal	`8`
Address	`0x11b250`

LZ4_compress_fast_extState

Ordinal	`9`
Address	`0x119240`

LZ4_createStream

Ordinal	`10`
Address	`0x11b050`

LZ4_createStreamDecode

Ordinal	`11`
Address	`0x11d240`

LZ4_createStreamHC

Ordinal	`12`
Address	`0x122af0`

LZ4_decompress_fast

Ordinal	`13`
Address	`0x11cfa0`

LZ4_decompress_fast_continue

Ordinal	`14`
Address	`0x11dad0`

LZ4_decompress_fast_usingDict

Ordinal	`15`
Address	`0x11ecb0`

LZ4_decompress_safe

Ordinal	`16`
Address	`0x11c950`

LZ4_decompress_safe_continue

Ordinal	`17`
Address	`0x11d2a0`

LZ4_decompress_safe_partial

Ordinal	`18`
Address	`0x11cc70`

LZ4_decompress_safe_usingDict

Ordinal	`19`
Address	`0x11e150`

LZ4_freeStream

Ordinal	`20`
Address	`0x11d260`

LZ4_freeStreamDecode

Ordinal	`21`
Address	`0x11d260`

LZ4_freeStreamHC

Ordinal	`22`
Address	`0x11d260`

LZ4_loadDict

Ordinal	`23`
Address	`0x11b0b0`

LZ4_loadDictHC

Ordinal	`24`
Address	`0x122b50`

LZ4_resetStream

Ordinal	`25`
Address	`0x11b090`

LZ4_resetStreamHC

Ordinal	`26`
Address	`0x122b10`

LZ4_saveDict

Ordinal	`27`
Address	`0x11c8e0`

LZ4_saveDictHC

Ordinal	`28`
Address	`0x123780`

LZ4_setStreamDecode

Ordinal	`29`
Address	`0x11d280`

LZ4_sizeofState

Ordinal	`30`
Address	`0x119230`

LZ4_sizeofStateHC

Ordinal	`31`
Address	`0x122940`

LZ4_versionNumber

Ordinal	`32`
Address	`0x1191e0`

LZ4_versionString

Ordinal	`33`
Address	`0x1191f0`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x386`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.28918`
MD5	`c1792777dc3ecf5f7a2338d4e826bd36`
SHA1	`739e0b37c2cc9d271e4e1ede29745128c70e5dca`
SHA256	`91579c3b818c1805e986bf3549ae313094e5dc50f9aa8d3751cfb72271bd97d5`
SHA3	`4b0e2bb65ce19abdcadba424f416766ee2d20cf3f42090043b158d4bd395fde1`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2024-Jul-29 09:12:22
Version	`0.0`
SizeofData	`143`
AddressOfRawData	`0x9209d0`
PointerToRawData	`0x91f1d0`
Referenced File	d:\Webhost\29-07-2024\WindowsBuilds\OSD_NATIVE\8799050\osdeployer\ONPREMISE\OSD_SRC\agent\x64\Release\ImageCreator.pdb

TLS Callbacks

StartAddressOfRawData	`0x140acc000`
EndAddressOfRawData	`0x140acc001`
AddressOfIndex	`0x140a5b228`
AddressOfCallbacks	`0x14078df20`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140582D60`

Load Configuration

RICH Header

XOR Key	`0x8ee04cbf`
Unmarked objects	`0`
C++ objects (VS2010 SP1 build 40219)	`320`
152 (20115)	`3`
ASM objects (VS2010 build 30319)	`15`
C objects (VS2008 SP1 build 30729)	`1`
135 (VS2008 SP1 build 30729)	`3`
C++ objects (VS2010 build 30319)	`164`
C objects (VS2010 build 30319)	`286`
ASM objects (VS2010 SP1 build 40219)	`29`
C objects (VS2010 SP1 build 40219)	`23`
Imports (VS2008 SP1 build 30729)	`41`
Total imports	`508`
175 (VS2010 build 30319)	`750`
Exports (VS2010 build 30319)	`1`
Resource objects (VS2010 build 30319)	`1`
Linker (VS2010 build 30319)	`1`

fe4c2bbc31f8009ae2362fc4df3b4244

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.tls

text

data

.rsrc

.reloc

Imports

Delayed Imports

LZ4_compressBound

LZ4_compress_HC

LZ4_compress_HC_continue

LZ4_compress_HC_extStateHC

LZ4_compress_default

LZ4_compress_destSize

LZ4_compress_fast

LZ4_compress_fast_continue

LZ4_compress_fast_extState

LZ4_createStream

LZ4_createStreamDecode

LZ4_createStreamHC

LZ4_decompress_fast

LZ4_decompress_fast_continue

LZ4_decompress_fast_usingDict

LZ4_decompress_safe

LZ4_decompress_safe_continue

LZ4_decompress_safe_partial

LZ4_decompress_safe_usingDict

LZ4_freeStream

LZ4_freeStreamDecode

LZ4_freeStreamHC

LZ4_loadDict

LZ4_loadDictHC

LZ4_resetStream

LZ4_resetStreamHC

LZ4_saveDict

LZ4_saveDictHC

LZ4_setStreamDecode

LZ4_sizeofState

LZ4_sizeofStateHC

LZ4_versionNumber

LZ4_versionString

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors