portmon[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

portmon.exe
Size

440KB
MD5

1276acf39b37a99ea14e760870025584
SHA1

41e9edcf56fcd7c6b67256582673bb791bdfcac7
SHA256

0e848a3911070945cb71803d466ba5a02804957b51b177c52a09ac55280ba6dd
SHA512

845fe5a3189a28f318f2369d2669ed2e3949038f325a5efd0d68ee94095dc531e92019ac29c352386b488ee7e59b99fe5a6357421276291527b64949a7f2b3c4
SSDEEP

6144:K95pV/5m+bcFpXrvXAY9OPI2AFWN6EtKhpOFgX5D20zrwqO8mKlqdAUN8wBqU2:+7+9iSFyQhAyJD7m1dAK8wEU2

Score

1^/10

Malware Config

Signatures

Files

portmon.exe
.exe windows x86

d7005cc29d297c93f2c852c56becd356

Code Sign

61:1a:f5:ea:00:00:00:00:00:6a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01-11-2011 22:39

Not After

01-02-2013 22:49

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:05:19:96:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25-07-2011 20:42

Not After

25-10-2012 20:42

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:9E78-864B-039D,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:15:08:27:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

25-01-2006 23:22

Not After

25-01-2017 23:32

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

36:51:3f:b3:95:d3:3f:f4:a7:66:b9:7c:86:23:f8:b0:5c:5a:fe:cc
Signer

Actual PE Digest

36:51:3f:b3:95:d3:3f:f4:a7:66:b9:7c:86:23:f8:b0:5c:5a:fe:cc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mpr

WNetAddConnection2A
WNetCancelConnection2A

ws2_32

inet_addr
gethostbyaddr
connect
WSAStartup
socket
gethostbyname
htonl
htons
bind
getsockname
listen
accept
WSAGetLastError
ioctlsocket
closesocket
inet_ntoa

comctl32

CreateToolbarEx
ord17

kernel32

LockResource
SizeofResource
LoadResource
FindResourceA
GlobalReAlloc
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalFree
lstrlenA
GetTimeFormatA
DosDateTimeToFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
lstrcatA
HeapFree
lstrcpyA
HeapAlloc
GetProcessHeap
WriteFileEx
CopyFileA
GetCurrentThreadId
QueryPerformanceCounter
FreeLibrary
QueueUserAPC
SleepEx
GlobalMemoryStatus
FindClose
SearchPathA
FindFirstFileA
InitializeCriticalSection
GetFullPathNameA
GetCommandLineA
GetVersion
SetFilePointer
InterlockedExchange
SetConsoleCtrlHandler
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
EnterCriticalSection
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetFileType
SetHandleCount
FlushFileBuffers
GetConsoleMode
GetConsoleCP
RtlUnwind
LCMapStringW
MultiByteToWideChar
WideCharToMultiByte
LCMapStringA
GetCurrentThread
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
IsValidCodePage
GetOEMCP
GetACP
InterlockedDecrement
InterlockedIncrement
GetCPInfo
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleFileNameA
GetStdHandle
ExitProcess
Sleep
GetModuleHandleW
HeapDestroy
HeapCreate
HeapReAlloc
VirtualAlloc
VirtualFree
FatalAppExitA
DeleteCriticalSection
GetStartupInfoA
CreateThread
ResumeThread
ExitThread
LeaveCriticalSection
FormatMessageA
DeleteFileA
GetCurrentDirectoryA
GetComputerNameA
TerminateThread
SetEvent
CreateEventA
WaitForMultipleObjects
OutputDebugStringA
DeviceIoControl
QueryPerformanceFrequency
WriteFile
ResetEvent
ReadFile
WaitForSingleObject
GetOverlappedResult
CreateFileA
CloseHandle
GetTickCount
GetLastError
SetLastError
GetProcAddress
GetCommandLineW
GetModuleHandleA
LocalAlloc
LoadLibraryA
LocalFree
GetStringTypeA
GetStringTypeW
GetDateFormatA
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
HeapSize
GetLocaleInfoW
GetTimeZoneInformation
SetEndOfFile
CompareStringA
CompareStringW
GetCurrentProcessId
SetEnvironmentVariableA

user32

GetWindowTextA
UpdateWindow
RegisterClassA
LoadBitmapA
LoadStringA
WinHelpA
SetWindowPos
KillTimer
SendDlgItemMessageA
DeleteMenu
AttachThreadInput
AppendMenuA
DestroyMenu
GetMenu
IsWindow
RemoveMenu
CreatePopupMenu
InsertMenuA
SetMenuItemBitmaps
SetCapture
ReleaseCapture
SetWindowLongA
GetCursorPos
GetClientRect
CreateWindowExA
CallWindowProcA
GetSysColor
DrawFocusRect
OemToCharA
TranslateAcceleratorA
LoadAcceleratorsA
EnumWindows
EnumDesktopWindows
EnableMenuItem
GetWindowRect
IsIconic
IsZoomed
InvalidateRgn
SetForegroundWindow
RegisterWindowMessageA
CheckRadioButton
SetFocus
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
GetFocus
DrawTextA
GetSystemMetrics
MoveWindow
ClientToScreen
ScreenToClient
PostMessageA
DestroyWindow
GetDC
GetMenuCheckMarkDimensions
ReleaseDC
DialogBoxParamA
CheckMenuItem
InvalidateRect
CheckDlgButton
GetDlgItemTextA
IsDlgButtonChecked
LoadIconA
RegisterClassExA
CreateDialogParamA
ShowWindow
GetMessageA
IsDialogMessageA
TranslateMessage
DispatchMessageA
SetTimer
PostQuitMessage
DefWindowProcA
SetDlgItemTextA
MessageBoxA
wsprintfA
LoadCursorA
SetCursor
InflateRect
SetWindowTextA
GetDlgItem
SendMessageA
GetSysColorBrush
EndDialog
DialogBoxIndirectParamA
GetSubMenu

gdi32

GetTextExtentPoint32A
GetObjectA
DeleteObject
CreateSolidBrush
CreateFontIndirectA
SetBkColor
GetStockObject
CreateFontA
SetAbortProc
GetTextMetricsA
GetTextExtentPointA
TextOutA
EndDoc
EndPage
CreateCompatibleDC
StartPage
StartDocA
SetMapMode
GetDeviceCaps
DeleteDC
StretchBlt
SelectObject
SetBkMode
SetTextColor
ExtTextOutA
AbortDoc
CreateCompatibleBitmap

comdlg32

PrintDlgA
GetSaveFileNameA
ChooseColorA
ChooseFontA
FindTextA

advapi32

RegOpenKeyA
DeleteService
ControlService
OpenSCManagerA
OpenServiceA
StartServiceA
QueryServiceStatus
CreateServiceA
CloseServiceHandle
RegCreateKeyA
RegQueryValueExA
RegSetValueExA
RegCloseKey
RegEnumValueA

shell32

ShellExecuteExA
SHGetMalloc
SHGetSpecialFolderLocation
SHBrowseForFolderA
CommandLineToArgvW

Sections

.text
Size: 194KB - Virtual size: 194KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 455KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 198KB - Virtual size: 198KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d7005cc29d297c93f2c852c56becd356

Code Sign

61:1a:f5:ea:00:00:00:00:00:6aCertificate

Extended Key Usages

Key Usages

61:05:19:96:00:00:00:00:00:1bCertificate

Extended Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

61:15:08:27:00:00:00:00:00:0cCertificate

Extended Key Usages

Key Usages

36:51:3f:b3:95:d3:3f:f4:a7:66:b9:7c:86:23:f8:b0:5c:5a:fe:ccSigner

Headers

DLL Characteristics

File Characteristics

Imports

mpr

ws2_32

comctl32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

Sections

.text Size: 194KB - Virtual size: 194KB

.rdata Size: 17KB - Virtual size: 16KB

.data Size: 23KB - Virtual size: 455KB

.rsrc Size: 198KB - Virtual size: 198KB

61:1a:f5:ea:00:00:00:00:00:6a
Certificate

61:05:19:96:00:00:00:00:00:1b
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

61:15:08:27:00:00:00:00:00:0c
Certificate

36:51:3f:b3:95:d3:3f:f4:a7:66:b9:7c:86:23:f8:b0:5c:5a:fe:cc
Signer

.text
Size: 194KB - Virtual size: 194KB

.rdata
Size: 17KB - Virtual size: 16KB

.data
Size: 23KB - Virtual size: 455KB

.rsrc
Size: 198KB - Virtual size: 198KB