PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Size: 809,83 KB
SHA-256 Hash: 1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
SHA-1 Hash: B7B9349B33230C5B80886F5C1F0A42848661C883
MD5 Hash: DF3CA8D16BDED6A54977B30E66864D33
Imphash: 1208BCDC77CFFEE6A6813646321CFC79
MajorOSVersion: 5
CheckSum: 000CD48D
EntryPoint (rva): 214E4
SizeOfHeaders: 400
SizeOfImage: D2000
ImageBase: 0000000079730000
Architecture: x64
ExportTable: A7470
ImportTable: A60AC
Characteristics: 2022
TimeDateStamp: 4D5F034A
Date: 18/02/2011 23:39:54
File Type: DLL
Number Of Sections: 9
ASLR: Enabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, _CONST, text, data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	8F800	1000	8F646
.rdata	40000040	8FC00	20C00	91000	20BF4
.data	C0000040 (Writeable)	B0800	5200	B2000	7D4C
.pdata	40000040	B5A00	6400	BA000	6270
_CONST	C0000040 (Writeable)	BBE00	200	C1000	8
text	20000040 (Executable)	BC000	3400	C2000	32CD
data	40000040	BF400	8200	C6000	81B0
.rsrc	40000040	C7600	400	CF000	3F0
.reloc	42000040	C7A00	1600	D0000	142E

Description:

InternalName: msvcr100_clr0400.dll
OriginalFilename: msvcr100_clr0400.dll
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Visual Studio 2010
FileVersion: 10.00.40219.1

Entry Point:

The section number (1) have the Entry Point
Information -> EntryPoint (calculated) - 208E4
Code -> 48895C2408574883EC20498BF88BDA83FA017505E8A7070500488BD78BCB488B5C24304883C4205FE98BFCFFFFCCCCCCCCCC
• MOV QWORD PTR [RSP + 8], RBX
• PUSH RDI
• SUB RSP, 0X20
• MOV RDI, R8
• MOV EBX, EDX
• CMP EDX, 1
• JNE 0X1019
• CALL 0X517C0
• MOV RDX, RDI
• MOV ECX, EBX
• MOV RBX, QWORD PTR [RSP + 0X30]
• ADD RSP, 0X20
• POP RDI
• JMP 0XCB8
• INT3
• INT3
• INT3
• INT3
• INT3

Signatures:

Rich Signature Analyzer:
Code -> B9F7706DFD961E3EFD961E3EFD961E3EF4EE8D3EFE961E3EFD961F3E46961E3EE60BB43E08971E3EE60B803EDF961E3EE60BB13EC9961E3EE60BB53E44961E3EE60B853EFC961E3EE60B843EFC961E3EE60B833EFC961E3E52696368FD961E3E
Footprint md5 Hash -> 9E11970DDD7EDEA0AA738B1DEA8F7EE8
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:

Compiler: Microsoft Visual Studio
Compiler: Microsoft Visual C ++
Detect It Easy (die)
• PE+(64): compiler: Microsoft Visual C/C++(2010 SP1)[-]
• PE+(64): linker: Microsoft Linker(10.0)[DLL64,signed]
• PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.55382

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleFileNameA	Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	GetModuleHandleA	Retrieves a handle to the specified module.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	CreateFileA	Creates or opens a file or I/O device.
KERNEL32.DLL	DeleteFileA	Deletes an existing file.
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL	SleepEx	Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.

ET Functions (carving):

??0?$_SpinWait@$00@details@Concurrency@@QEAA@P6AXXZ@Z
??0?$_SpinWait@$0A@@details@Concurrency@@QEAA@P6AXXZ@Z
??0SchedulerPolicy@Concurrency@@QEAA@AEBV01@@Z
??0SchedulerPolicy@Concurrency@@QEAA@XZ
??0SchedulerPolicy@Concurrency@@QEAA@_KZZ
??0_NonReentrantBlockingLock@details@Concurrency@@QEAA@XZ
??0_NonReentrantPPLLock@details@Concurrency@@QEAA@XZ
??0_ReaderWriterLock@details@Concurrency@@QEAA@XZ
??0_ReentrantBlockingLock@details@Concurrency@@QEAA@XZ
??0_ReentrantLock@details@Concurrency@@QEAA@XZ
??0_ReentrantPPLLock@details@Concurrency@@QEAA@XZ
??0_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QEAA@AEAV123@@Z
??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QEAA@AEAV123@@Z
??0_SpinLock@details@Concurrency@@QEAA@AECJ@Z
??0_TaskCollection@details@Concurrency@@QEAA@XZ
??0_Timer@details@Concurrency@@IEAA@I_N@Z
??0__non_rtti_object@std@@QEAA@AEBV01@@Z
??0__non_rtti_object@std@@QEAA@PEBD@Z
??0bad_cast@std@@AEAA@PEBQEBD@Z
??0bad_cast@std@@QEAA@AEBV01@@Z
??0bad_cast@std@@QEAA@PEBD@Z
??0bad_target@Concurrency@@QEAA@PEBD@Z
??0bad_target@Concurrency@@QEAA@XZ
??0bad_typeid@std@@QEAA@AEBV01@@Z
??0bad_typeid@std@@QEAA@PEBD@Z
??0context_self_unblock@Concurrency@@QEAA@PEBD@Z
??0context_self_unblock@Concurrency@@QEAA@XZ
??0context_unblock_unbalanced@Concurrency@@QEAA@PEBD@Z
??0context_unblock_unbalanced@Concurrency@@QEAA@XZ
??0critical_section@Concurrency@@QEAA@XZ
??0default_scheduler_exists@Concurrency@@QEAA@PEBD@Z
??0default_scheduler_exists@Concurrency@@QEAA@XZ
??0event@Concurrency@@QEAA@XZ
??0exception@std@@QEAA@AEBQEBD@Z
??0exception@std@@QEAA@AEBQEBDH@Z
??0exception@std@@QEAA@AEBV01@@Z
??0exception@std@@QEAA@XZ
??0improper_lock@Concurrency@@QEAA@PEBD@Z
??0improper_lock@Concurrency@@QEAA@XZ
??0improper_scheduler_attach@Concurrency@@QEAA@PEBD@Z
??0improper_scheduler_attach@Concurrency@@QEAA@XZ
??0improper_scheduler_detach@Concurrency@@QEAA@PEBD@Z
??0improper_scheduler_detach@Concurrency@@QEAA@XZ
??0improper_scheduler_reference@Concurrency@@QEAA@PEBD@Z
??0improper_scheduler_reference@Concurrency@@QEAA@XZ
??0invalid_link_target@Concurrency@@QEAA@PEBD@Z
??0invalid_link_target@Concurrency@@QEAA@XZ
??0invalid_multiple_scheduling@Concurrency@@QEAA@PEBD@Z
??0invalid_multiple_scheduling@Concurrency@@QEAA@XZ
??0invalid_operation@Concurrency@@QEAA@PEBD@Z
??0invalid_operation@Concurrency@@QEAA@XZ
??0invalid_oversubscribe_operation@Concurrency@@QEAA@PEBD@Z
??0invalid_oversubscribe_operation@Concurrency@@QEAA@XZ
??0invalid_scheduler_policy_key@Concurrency@@QEAA@PEBD@Z
??0invalid_scheduler_policy_key@Concurrency@@QEAA@XZ
??0invalid_scheduler_policy_thread_specification@Concurrency@@QEAA@PEBD@Z
??0invalid_scheduler_policy_thread_specification@Concurrency@@QEAA@XZ
??0invalid_scheduler_policy_value@Concurrency@@QEAA@PEBD@Z
??0invalid_scheduler_policy_value@Concurrency@@QEAA@XZ
??0message_not_found@Concurrency@@QEAA@PEBD@Z
??0message_not_found@Concurrency@@QEAA@XZ
??0missing_wait@Concurrency@@QEAA@PEBD@Z
??0missing_wait@Concurrency@@QEAA@XZ
??0nested_scheduler_missing_detach@Concurrency@@QEAA@PEBD@Z
??0nested_scheduler_missing_detach@Concurrency@@QEAA@XZ
??0operation_timed_out@Concurrency@@QEAA@PEBD@Z
??0operation_timed_out@Concurrency@@QEAA@XZ
??0reader_writer_lock@Concurrency@@QEAA@XZ
??0scheduler_not_attached@Concurrency@@QEAA@PEBD@Z
??0scheduler_not_attached@Concurrency@@QEAA@XZ
??0scheduler_resource_allocation_error@Concurrency@@QEAA@J@Z
??0scheduler_resource_allocation_error@Concurrency@@QEAA@PEBDJ@Z
??0scoped_lock@critical_section@Concurrency@@QEAA@AEAV12@@Z
??0scoped_lock@reader_writer_lock@Concurrency@@QEAA@AEAV12@@Z
??0scoped_lock_read@reader_writer_lock@Concurrency@@QEAA@AEAV12@@Z
??0task_canceled@details@Concurrency@@QEAA@PEBD@Z
??0task_canceled@details@Concurrency@@QEAA@XZ
??0unsupported_os@Concurrency@@QEAA@PEBD@Z
??0unsupported_os@Concurrency@@QEAA@XZ
??1SchedulerPolicy@Concurrency@@QEAA@XZ
??1_NonReentrantBlockingLock@details@Concurrency@@QEAA@XZ
??1_ReentrantBlockingLock@details@Concurrency@@QEAA@XZ
??1_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QEAA@XZ
??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QEAA@XZ
??1_SpinLock@details@Concurrency@@QEAA@XZ
??1_TaskCollection@details@Concurrency@@QEAA@XZ
??1_Timer@details@Concurrency@@IEAA@XZ
??1__non_rtti_object@std@@UEAA@XZ
??1bad_cast@std@@UEAA@XZ
??1bad_typeid@std@@UEAA@XZ
??1critical_section@Concurrency@@QEAA@XZ
??1event@Concurrency@@QEAA@XZ
??1exception@std@@UEAA@XZ
??1reader_writer_lock@Concurrency@@QEAA@XZ
??1scoped_lock@critical_section@Concurrency@@QEAA@XZ
??1scoped_lock@reader_writer_lock@Concurrency@@QEAA@XZ
??1scoped_lock_read@reader_writer_lock@Concurrency@@QEAA@XZ
??1type_info@@UEAA@XZ
??2@YAPEAX_K@Z
??2@YAPEAX_KHPEBDH@Z
??3@YAXPEAX@Z
??4?$_SpinWait@$00@details@Concurrency@@QEAAAEAV012@AEBV012@@Z
??4?$_SpinWait@$0A@@details@Concurrency@@QEAAAEAV012@AEBV012@@Z
??4SchedulerPolicy@Concurrency@@QEAAAEAV01@AEBV01@@Z
??4__non_rtti_object@std@@QEAAAEAV01@AEBV01@@Z
??4bad_cast@std@@QEAAAEAV01@AEBV01@@Z
??4bad_typeid@std@@QEAAAEAV01@AEBV01@@Z
??4exception@std@@QEAAAEAV01@AEBV01@@Z
??8type_info@@QEBA_NAEBV0@@Z
??9type_info@@QEBA_NAEBV0@@Z
??_7__non_rtti_object@std@@6B@
??_7bad_cast@std@@6B@
??_7bad_typeid@std@@6B@
??_7exception@@6B@
??_7exception@std@@6B@
??_F?$_SpinWait@$00@details@Concurrency@@QEAAXXZ
??_F?$_SpinWait@$0A@@details@Concurrency@@QEAAXXZ
??_Fbad_cast@std@@QEAAXXZ
??_Fbad_typeid@std@@QEAAXXZ
??_U@YAPEAX_K@Z
??_U@YAPEAX_KHPEBDH@Z
??_V@YAXPEAX@Z
?Alloc@Concurrency@@YAPEAX_K@Z
?Block@Context@Concurrency@@SAXXZ
?Create@CurrentScheduler@Concurrency@@SAXAEBVSchedulerPolicy@2@@Z
?Create@Scheduler@Concurrency@@SAPEAV12@AEBVSchedulerPolicy@2@@Z
?CreateResourceManager@Concurrency@@YAPEAUIResourceManager@1@XZ
?CreateScheduleGroup@CurrentScheduler@Concurrency@@SAPEAVScheduleGroup@2@XZ
?CurrentContext@Context@Concurrency@@SAPEAV12@XZ
?Detach@CurrentScheduler@Concurrency@@SAXXZ
?DisableTracing@Concurrency@@YAJXZ
?EnableTracing@Concurrency@@YAJXZ
?Free@Concurrency@@YAXPEAX@Z
?Get@CurrentScheduler@Concurrency@@SAPEAVScheduler@2@XZ
?GetExecutionContextId@Concurrency@@YAIXZ
?GetNumberOfVirtualProcessors@CurrentScheduler@Concurrency@@SAIXZ
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ
?GetPolicy@CurrentScheduler@Concurrency@@SA?AVSchedulerPolicy@2@XZ
?GetPolicyValue@SchedulerPolicy@Concurrency@@QEBAIW4PolicyElementKey@2@@Z
?GetProcessorCount@Concurrency@@YAIXZ
?GetProcessorNodeCount@Concurrency@@YAIXZ
?GetSchedulerId@Concurrency@@YAIXZ
?GetSharedTimerQueue@details@Concurrency@@YAPEAXXZ
?Id@Context@Concurrency@@SAIXZ
?Id@CurrentScheduler@Concurrency@@SAIXZ
?IsCurrentTaskCollectionCanceling@Context@Concurrency@@SA_NXZ
?Log2@details@Concurrency@@YAK_K@Z
?Oversubscribe@Context@Concurrency@@SAX_N@Z
?RegisterShutdownEvent@CurrentScheduler@Concurrency@@SAXPEAX@Z
?ResetDefaultSchedulerPolicy@Scheduler@Concurrency@@SAXXZ
?ScheduleGroupId@Context@Concurrency@@SAIXZ
?ScheduleTask@CurrentScheduler@Concurrency@@SAXP6AXPEAX@Z0@Z
?SetConcurrencyLimits@SchedulerPolicy@Concurrency@@QEAAXII@Z
?SetDefaultSchedulerPolicy@Scheduler@Concurrency@@SAXAEBVSchedulerPolicy@2@@Z
?SetPolicyValue@SchedulerPolicy@Concurrency@@QEAAIW4PolicyElementKey@2@I@Z
?VirtualProcessorId@Context@Concurrency@@SAIXZ
?Yield@Context@Concurrency@@SAXXZ
?_Abort@_StructuredTaskCollection@details@Concurrency@@AEAAXXZ
?_Acquire@_NonReentrantBlockingLock@details@Concurrency@@QEAAXXZ
?_Acquire@_NonReentrantPPLLock@details@Concurrency@@QEAAXPEAX@Z
?_Acquire@_ReentrantBlockingLock@details@Concurrency@@QEAAXXZ
?_Acquire@_ReentrantLock@details@Concurrency@@QEAAXXZ
?_Acquire@_ReentrantPPLLock@details@Concurrency@@QEAAXPEAX@Z
?_AcquireRead@_ReaderWriterLock@details@Concurrency@@QEAAXXZ
?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QEAAXXZ
?_Cancel@_StructuredTaskCollection@details@Concurrency@@QEAAXXZ
?_Cancel@_TaskCollection@details@Concurrency@@QEAAXXZ
?_CheckTaskCollection@_UnrealizedChore@details@Concurrency@@IEAAXXZ
?_ConcRT_Assert@details@Concurrency@@YAXPEBD0H@Z
?_ConcRT_CoreAssert@details@Concurrency@@YAXPEBD0H@Z
?_ConcRT_DumpMessage@details@Concurrency@@YAXPEB_WZZ
?_ConcRT_Trace@details@Concurrency@@YAXHPEB_WZZ
?_Copy_str@exception@std@@AEAAXPEBD@Z
?_DoYield@?$_SpinWait@$00@details@Concurrency@@IEAAXXZ
?_DoYield@?$_SpinWait@$0A@@details@Concurrency@@IEAAXXZ
?_IsCanceling@_StructuredTaskCollection@details@Concurrency@@QEAA_NXZ
?_IsCanceling@_TaskCollection@details@Concurrency@@QEAA_NXZ
?_Name_base@type_info@@CAPEBDPEBV1@PEAU__type_info_node@@@Z
?_Name_base_internal@type_info@@CAPEBDPEBV1@PEAU__type_info_node@@@Z
?_NumberOfSpins@?$_SpinWait@$00@details@Concurrency@@IEAAKXZ
?_NumberOfSpins@?$_SpinWait@$0A@@details@Concurrency@@IEAAKXZ
?_Release@_NonReentrantBlockingLock@details@Concurrency@@QEAAXXZ
?_Release@_NonReentrantPPLLock@details@Concurrency@@QEAAXXZ
?_Release@_ReentrantBlockingLock@details@Concurrency@@QEAAXXZ
?_Release@_ReentrantLock@details@Concurrency@@QEAAXXZ
?_Release@_ReentrantPPLLock@details@Concurrency@@QEAAXXZ
?_ReleaseRead@_ReaderWriterLock@details@Concurrency@@QEAAXXZ
?_ReleaseWrite@_ReaderWriterLock@details@Concurrency@@QEAAXXZ
?_Reset@?$_SpinWait@$00@details@Concurrency@@IEAAXXZ
?_Reset@?$_SpinWait@$0A@@details@Concurrency@@IEAAXXZ
?_Schedule@_StructuredTaskCollection@details@Concurrency@@QEAAXPEAV_UnrealizedChore@23@@Z
?_Schedule@_TaskCollection@details@Concurrency@@QEAAXPEAV_UnrealizedChore@23@@Z
?_SetSpinCount@?$_SpinWait@$00@details@Concurrency@@QEAAXI@Z
?_SetSpinCount@?$_SpinWait@$0A@@details@Concurrency@@QEAAXI@Z
?_ShouldSpinAgain@?$_SpinWait@$00@details@Concurrency@@IEAA_NXZ
?_ShouldSpinAgain@?$_SpinWait@$0A@@details@Concurrency@@IEAA_NXZ
?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QEAA_NXZ
?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QEAA_NXZ
?_SpinYield@Context@Concurrency@@SAXXZ
?_Start@_Timer@details@Concurrency@@IEAAXXZ
?_Stop@_Timer@details@Concurrency@@IEAAXXZ
?_Tidy@exception@std@@AEAAXXZ
?_Trace_ppl_function@Concurrency@@YAXAEBU_GUID@@EW4ConcRT_EventType@1@@Z
?_TryAcquire@_NonReentrantBlockingLock@details@Concurrency@@QEAA_NXZ
?_TryAcquire@_ReentrantBlockingLock@details@Concurrency@@QEAA_NXZ
?_TryAcquire@_ReentrantLock@details@Concurrency@@QEAA_NXZ
?_TryAcquireWrite@_ReaderWriterLock@details@Concurrency@@QEAA_NXZ
?_Type_info_dtor@type_info@@CAXPEAV1@@Z
?_Type_info_dtor_internal@type_info@@CAXPEAV1@@Z
?_UnderlyingYield@details@Concurrency@@YAXXZ
?_ValidateExecute@@YAHP6A_JXZ@Z
?_ValidateRead@@YAHPEBXI@Z
?_ValidateWrite@@YAHPEAXI@Z
?_Value@_SpinCount@details@Concurrency@@SAIXZ
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCompare@@YA_NPEBX0@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
__uncaught_exception
?_inconsistency@@YAXXZ
?_invalid_parameter@@YAXPEBG00I_K@Z
?_is_exception_typeof@@YAHAEBVtype_info@@PEAU_EXCEPTION_POINTERS@@@Z
?_name_internal_method@type_info@@QEBAPEBDPEAU__type_info_node@@@Z
?_open@@YAHPEBDHH@Z
?_query_new_handler@@YAP6AH_K@ZXZ
?_query_new_mode@@YAHXZ
?_set_new_handler@@YAP6AH_K@ZH@Z
?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z
?_set_new_mode@@YAHH@Z
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZH@Z
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
?_sopen@@YAHPEBDHHH@Z
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
?_wopen@@YAHPEB_WHH@Z
?_wsopen@@YAHPEB_WHHH@Z
?before@type_info@@QEBAHAEBV1@@Z
?get_error_code@scheduler_resource_allocation_error@Concurrency@@QEBAJXZ
?lock@critical_section@Concurrency@@QEAAXXZ
?lock@reader_writer_lock@Concurrency@@QEAAXXZ
?lock_read@reader_writer_lock@Concurrency@@QEAAXXZ
?name@type_info@@QEBAPEBDPEAU__type_info_node@@@Z
?native_handle@critical_section@Concurrency@@QEAAAEAV12@XZ
?raw_name@type_info@@QEBAPEBDXZ
?reset@event@Concurrency@@QEAAXXZ
?set@event@Concurrency@@QEAAXXZ
?set_new_handler@@YAP6AXXZP6AXXZ@Z
?set_terminate@@YAP6AXXZH@Z
?set_terminate@@YAP6AXXZP6AXXZ@Z
?set_unexpected@@YAP6AXXZH@Z
?set_unexpected@@YAP6AXXZP6AXXZ@Z
?terminate@@YAXXZ
?try_lock@critical_section@Concurrency@@QEAA_NXZ
?try_lock@reader_writer_lock@Concurrency@@QEAA_NXZ
?try_lock_read@reader_writer_lock@Concurrency@@QEAA_NXZ
?unexpected@@YAXXZ
?unlock@critical_section@Concurrency@@QEAAXXZ
?unlock@reader_writer_lock@Concurrency@@QEAAXXZ
?wait@Concurrency@@YAXI@Z
?wait@event@Concurrency@@QEAA_KI@Z
?wait_for_multiple@event@Concurrency@@SA_KPEAPEAV12@_K_NI@Z
?what@exception@std@@UEBAPEBDXZ
_CRT_RTC_INIT
_CRT_RTC_INITW
_CreateFrameInfo
_CxxThrowException
_FindAndUnlinkFrame
_GetImageBase
_GetThrowImageBase
_Getdays
_Getmonths
_Gettnames
_HUGE
_IsExceptionObjectToBeDestroyed
_SetImageBase
_SetThrowImageBase
_Strftime
_XcptFilter
__AdjustPointer
__BuildCatchObject
__BuildCatchObjectHelper
__C_specific_handler
__CppXcptFilter
__CxxCallUnwindDelDtor
__CxxCallUnwindDtor
__CxxCallUnwindStdDelDtor
__CxxCallUnwindVecDtor
__CxxDetectRethrow
__CxxExceptionFilter
__CxxFrameHandler
__CxxFrameHandler2
__CxxFrameHandler3
__CxxQueryExceptionSize
__CxxRegisterExceptionObject
__CxxUnregisterExceptionObject
__DestructExceptionObject
__FrameUnwindFilter
__NLG_Dispatch2
__NLG_Return2
__RTCastToVoid
__RTDynamicCast
__RTtypeid
__STRINGTOLD
__STRINGTOLD_L
__TypeMatch
___lc_codepage_func
___lc_collate_cp_func
___lc_handle_func
___mb_cur_max_func
___mb_cur_max_l_func
___setlc_active_func
___unguarded_readlc_active_add_func
__argc
__argv
__badioinfo
__clean_type_info_names_internal
__create_locale
__crtCompareStringA
__crtCompareStringW
__crtLCMapStringA
__crtLCMapStringW
__crt_debugger_hook
__daylight
__dllonexit
__doserrno
__dstbias
__fls_getvalue
__fls_setvalue
__fpecode
__free_locale
__get_current_locale
__get_flsindex
__get_tlsindex
__getmainargs
__initenv
__iob_func
__isascii
__iscsym
__iscsymf
__iswcsym
__iswcsymf
__lconv
__lconv_init
__mb_cur_max
__p___argc
__p___argv
__p___initenv
__p___mb_cur_max
__p___wargv
__p___winitenv
__p__acmdln
__p__commode
__p__daylight
__p__dstbias
__p__environ
__p__fmode
__p__iob
__p__mbcasemap
__p__mbctype
__p__pctype
__p__pgmptr
__p__pwctype
__p__timezone
__p__tzname
__p__wcmdln
__p__wenviron
__p__wpgmptr
__pctype_func
__pioinfo
__pwctype_func
__pxcptinfoptrs
__report_gsfailure
__set_app_type
__set_flsgetvalue
__setlc_active
__setusermatherr
__strncnt
__swprintf_l
__sys_errlist
__sys_nerr
__threadhandle
__threadid
__timezone
__toascii
__tzname
__unDName
__unDNameEx
__unDNameHelper
__unguarded_readlc_active
__vswprintf_l
__wargv
__wcserror
__wcserror_s
__wcsncnt
__wgetmainargs
__winitenv
_abs64
_access
• EXPORT FUNCTIONS > 400

File Access:

cmd.exe
.exe
()*+,-./0123456MSVCR100.dll
KERNEL32.dll
.bat
Temp

File Access (UNICODE):

msvcr100_clr0400.dll
CorExitProcessmscoree.dll
SetThreadGroupAffinitykernel32.dll
advapi32.dll
cmd.exe
Temp

Interest's Words:

exec
attrib
start
comspec
cipher
shutdown
systeminfo
ping
expand

Interest's Words (UNICODE):

comspec

URLs:

http://crl.microsoft.com/pki/crl/products/CSPCA.crl
http://www.microsoft.com/pki/certs/CSPCA.crt
http://crl.microsoft.com/pki/crl/products/tspca.crl
http://www.microsoft.com/pki/certs/tspca.crt
http://microsoft.com

Payloads:

Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)
• Rule Text (Ascii): Stealth (CreateRemoteThread)
• Rule Text (Ascii): Execution (CreateProcessA)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Execution (ResumeThread)
• Rule Text (Ascii): Software that records user activity (Logger)

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\VERSION\1\1033	CF060	38C	C7660	8C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String:

• msvcr100_clr0400.dll
• .exe
• .cmd
• .bat
• .com
• mscoree.dll
• cmd.exe
• COMSPEC
• UNICODE /c
• ADVAPI32.DLL
• USER32.DLL
• kernel32.dll
• advapi32.dll
• msvcr100.amd64.pdb

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	516101	62,236%
Null Byte Code	134368	16,2033%