hrsword[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

hrsword.exe
Size

2.1MB
MD5

32dad2acce51b9474545efd6d3b49c06
SHA1

77ff0ec1afa6758b52bedb5e920f2ae16155a878
SHA256

a6eb7a7372c462b2e181014540491a062c540edc4ba0f65a9169cfbfb473e6c7
SHA512

9dd53a25200b6544acf1ea7d38a8cb5be83e94c03bca2865d89a8285fbc49192ddd1a7e5cffe59e586568a8600c964f72f779a7927f753e685c98d363ea1342a
SSDEEP

49152:uy+7vlXiY0zkUuut9O1IpxpBUCchsxt4XqEkxqaVgNaVb5gc:uyadCzkUbNLTiVdkxxt

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
static1/unpack001/$PLUGINSDIR/AccessControl.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/$PLUGINSDIR/AccessControl.dll	upx

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/AccessControl.dll
unpack002/out.upx
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/nsDialogs.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

hrsword.exe
.exe windows:4 windows x86 arch:x86

099c0646ea7282d232219f8807883be0

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

12:e8:71:37:a2:7d:da:49:c5:d1:c8:77:ed:f6:d2:3f:11:da:72:dc
Signer

Actual PE Digest

12:e8:71:37:a2:7d:da:49:c5:d1:c8:77:ed:f6:d2:3f:11:da:72:dc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 84KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 105KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/AccessControl.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

ClearOnFile
ClearOnRegKey
DenyOnFile
DenyOnRegKey
DisableFileInheritance
DisableRegKeyInheritance
EnableFileInheritance
EnableRegKeyInheritance
GetCurrentUserName
GetFileGroup
GetFileOwner
GetRegKeyGroup
GetRegKeyOwner
GrantOnFile
GrantOnRegKey
NameToSid
RevokeOnFile
RevokeOnRegKey
SetFileGroup
SetFileOwner
SetOnFile
SetOnRegKey
SetRegKeyGroup
SetRegKeyOwner
SidToName

Sections

UPX0
Size: - Virtual size: 24KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 888B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/installer-helper.dll
.dll windows:5 windows x86 arch:x86

0bde61c6cd10a05c00396ae808330f84

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ca:1f:82:1e:96:15:8a:15:d8:dc:60:cb:d7:58:7b:b5:21:27:21:7d
Signer

Actual PE Digest

ca:1f:82:1e:96:15:8a:15:d8:dc:60:cb:d7:58:7b:b5:21:27:21:7d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\works\hr_sysdiag-dist\dist\installer-helper.pdb

Imports

kernel32

LoadLibraryA
Process32Next
GetCurrentDirectoryA
CreateToolhelp32Snapshot
GlobalAlloc
lstrcpynA
lstrcpyA
SetCurrentDirectoryA
SetEnvironmentVariableA
CompareStringW
CompareStringA
FlushFileBuffers
CreateFileA
GetLocaleInfoW
WriteConsoleW
GetConsoleOutputCP
TerminateProcess
Process32First
FreeLibrary
VirtualProtect
SearchPathA
CreateFileW
IsBadReadPtr
GetModuleHandleA
GetProcAddress
LocalFree
GetWindowsDirectoryW
CloseHandle
DeleteCriticalSection
EnterCriticalSection
GetLongPathNameW
InterlockedExchange
MultiByteToWideChar
LeaveCriticalSection
Sleep
WideCharToMultiByte
OpenProcess
InitializeCriticalSection
InterlockedIncrement
GetTickCount
GetCurrentProcess
InterlockedDecrement
GlobalFree
SetStdHandle
GetTimeZoneInformation
GetLastError
HeapFree
HeapAlloc
GetCurrentThreadId
GetCommandLineA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThread
HeapCreate
HeapDestroy
VirtualFree
FatalAppExitA
VirtualAlloc
HeapReAlloc
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
HeapSize
GetTimeFormatA
GetDateFormatA
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
LCMapStringA
LCMapStringW
SetFilePointer
GetConsoleCP
GetConsoleMode
InitializeCriticalSectionAndSpinCount
RtlUnwind
SetConsoleCtrlHandler
WriteConsoleA

user32

EnumDesktopWindows
GetWindowRect
OpenDesktopA
CloseWindowStation
GetParent
EnumWindowStationsA
CloseDesktop
OpenWindowStationA
EnumDesktopsA
IsWindowVisible
GetWindowThreadProcessId
wsprintfA

advapi32

RegSetValueExW
AdjustTokenPrivileges
LookupPrivilegeValueA
GetSecurityDescriptorDacl
BuildExplicitAccessWithNameA
RegSetKeySecurity
RegLoadKeyA
RegEnumValueA
RegSaveKeyA
RegDeleteValueA
RegGetKeySecurity
RegOpenKeyExA
RegCreateKeyExA
SetSecurityDescriptorDacl
RegEnumKeyExA
InitializeSecurityDescriptor
RegDeleteKeyA
RegQueryValueExW
RegQueryValueExA
RegSetValueExA
SetEntriesInAclA
RegCloseKey
ConvertSidToStringSidW
RegOpenKeyW
GetTokenInformation
OpenProcessToken

psapi

GetProcessImageFileNameW

Exports

Exports

HR_fcanonical
HR_kextload
HR_mkconfig
HR_mkconfig1
HR_mkconfig_hrfw
HR_need_reboot
HR_stop_process

Sections

.text
Size: 112KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/modern-header.bmp
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/nsDialogs.dll
.dll windows:4 windows x86 arch:x86

1e2884056e655f2b7bc5a904e352fc80

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrcpyA
GetFileAttributesA
lstrcmpiA
MulDiv
lstrlenA
HeapFree
GetCurrentDirectoryA
HeapAlloc
HeapReAlloc
GlobalFree
lstrcpynA
GlobalAlloc
GetProcessHeap
SetCurrentDirectoryA

user32

GetPropA
DestroyWindow
CallWindowProcA
SetCursor
LoadCursorA
RemovePropA
CharPrevA
GetWindowLongA
DrawTextA
GetWindowTextA
GetDlgItem
SetWindowLongA
SetWindowPos
CreateDialogParamA
MapWindowPoints
GetWindowRect
SetPropA
CreateWindowExA
IsWindow
SetTimer
KillTimer
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
ShowWindow
wsprintfA
MapDialogRect
GetClientRect
CharNextA
SendMessageA
DrawFocusRect

gdi32

SetTextColor

shell32

SHBrowseForFolderA
SHGetPathFromIDListA

comdlg32

GetSaveFileNameA
GetOpenFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

Create
CreateControl
CreateItem
CreateTimer
GetUserData
KillTimer
OnBack
OnChange
OnClick
OnNotify
SelectFileDialog
SelectFolderDialog
SetRTL
SetUserData
Show

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 572B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$SYSDIR/drivers/sysdiag.sys
.sys windows:5 windows x64 arch:x64

3e66e6926b955a2ad3abd62ebb1ba24e

Code Sign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-02-2011 19:25

Not After

22-02-2021 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

3b:d8:03:2b:64:b8:1c:fd:88:d1:e6:81:c4:62:2b:e3:50:c2:9c:d3
Signer

Actual PE Digest

3b:d8:03:2b:64:b8:1c:fd:88:d1:e6:81:c4:62:2b:e3:50:c2:9c:d3

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\works\hr_sysdiag-dist\core\bin\sysdiag-x64.pdb

Imports

ntoskrnl.exe

IoFreeMdl
IoFreeIrp
MmProbeAndLockPages
IoAllocateMdl
KeSetEvent
ExReleaseFastMutex
ExAcquireFastMutex
KeInitializeEvent
PsGetCurrentProcessId
MmSystemRangeStart
MmUnmapLockedPages
PsLookupProcessByProcessId
MmProtectMdlSystemAddress
MmAllocatePagesForMdl
KeUnstackDetachProcess
MmMapLockedPagesSpecifyCache
IoGetCurrentProcess
MmUnlockPages
MmFreePagesFromMdl
ObOpenObjectByPointer
KeStackAttachProcess
ExFreePoolWithTag
SeCreateAccessState
IoGetFileObjectGenericMapping
ObCreateObject
IoCreateFile
ExAllocatePool
RtlPrefixUnicodeString
IoRegisterDriverReinitialization
NtBuildNumber
IoRegisterBootDriverReinitialization
PsIsSystemThread
KeSetPriorityThread
KeReleaseSpinLock
PsCreateSystemThread
PsTerminateSystemThread
PsThreadType
KeAcquireSpinLockRaiseToDpc
ExAllocatePoolWithTag
tolower
KeResetEvent
MmBuildMdlForNonPagedPool
ExEventObjectType
wcschr
PsProcessType
IoDeleteSymbolicLink
ZwQuerySymbolicLinkObject
IoDeleteDevice
ProbeForWrite
MmGetSystemRoutineAddress
PsGetThreadId
ZwOpenSymbolicLinkObject
MmUserProbeAddress
ObQueryNameString
IofCompleteRequest
ZwOpenProcess
ZwQueryInformationProcess
IoCreateSymbolicLink
MmIsAddressValid
IoCreateDevice
wcsncmp
PsGetThreadProcessId
ExInitializeResourceLite
ExRaiseAccessViolation
PsSetLoadImageNotifyRoutine
PsSetCreateThreadNotifyRoutine
PsSetCreateProcessNotifyRoutine
RtlUnicodeStringToAnsiString
ZwQuerySystemInformation
ZwDuplicateObject
RtlFreeAnsiString
IoDeviceObjectType
ZwOpenFile
ZwQueryInformationThread
PsLookupThreadByThreadId
strncpy
ZwSetValueKey
ZwOpenKey
RtlCompareUnicodeString
PsGetCurrentThreadId
qsort
ExpInterlockedPushEntrySList
_snprintf
ExpInterlockedPopEntrySList
ExQueryDepthSList
ExInitializePagedLookasideList
_snwprintf
ExQueueWorkItem
_wcsicmp
_wcsnicmp
KeInitializeApc
IoFreeWorkItem
KeInsertQueueApc
_wcslwr
wcsrchr
ZwQueryValueKey
IoAllocateWorkItem
_wcsupr
IoQueueWorkItem
ZwTerminateProcess
IoGetTopLevelIrp
RtlCopyUnicodeString
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
wcsncpy
RtlWalkFrameChain
_vsnwprintf
_vsnprintf
IoGetDeviceObjectPointer
ExInitializeNPagedLookasideList
ZwWaitForSingleObject
CmRegisterCallback
ZwCreateFile
RtlUpcaseUnicodeChar
ZwReadFile
RtlCompareMemory
ZwQueryInformationFile
strstr
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlFreeUnicodeString
strncmp
strchr
IoAttachDeviceToDeviceStack
IofCallDriver
ExDeleteResourceLite
ExReleaseResourceLite
ExAcquireResourceSharedLite
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExAcquireResourceExclusiveLite
ObfReferenceObject
IoAllocateIrp
KeWaitForSingleObject
ObReferenceObjectByHandle
ZwClose
IoFileObjectType
IoQueueThreadIrp
ExGetPreviousMode
KeClearEvent
ObReferenceObjectByName
ObfDereferenceObject
IoDriverObjectType
KeDelayExecutionThread
PsGetProcessId
RtlInitUnicodeString
ZwSetSecurityObject
RtlLengthSecurityDescriptor
SeCaptureSecurityDescriptor
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
IoIsWdmVersionAvailable
SeExports
RtlLengthSid
RtlAddAccessAllowedAce
RtlGetSaclSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
ZwCreateKey
KeBugCheckEx
MmGetPhysicalAddress
ExFreePool
MmMapIoSpace
MmUnmapIoSpace
__C_specific_handler
RtlRaiseException

hal

KeQueryPerformanceCounter

fltmgr.sys

FltFreeCallbackData
FltAllocateCallbackData
FltStartFiltering
FltRegisterFilter
FltUnregisterFilter
FltPerformSynchronousIo
FltAllocateContext
FltReleaseContext
FltSetStreamHandleContext
FltCloseClientPort
FltGetStreamHandleContext
FltBuildDefaultSecurityDescriptor
FltCloseCommunicationPort
FltFreeSecurityDescriptor
FltCreateCommunicationPort
FltSendMessage

tdi.sys

TdiMapUserRequest

Sections

.text
Size: 201KB - Virtual size: 201KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 134KB - Virtual size: 143KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.asmstub
Size: 512B - Virtual size: 49B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/behavior.dll
.dll windows:5 windows x86 arch:x86

4232209715d22cc0e4a68fe07d6ec33a

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:3b:9a:91:75:9d:04:f2:9e:44:59:6f:17:f1:09:96:37:ba:d7:47
Signer

Actual PE Digest

25:3b:9a:91:75:9d:04:f2:9e:44:59:6f:17:f1:09:96:37:ba:d7:47

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\works\hr_sysdiag-dist\core\bin\behavior.pdb

Imports

msi

ord44
ord67

libxsse

ord23
ord2
ord21
ord22
ord20
ord10

kernel32

DeleteCriticalSection
CloseHandle
GetWindowsDirectoryW
LocalFree
GetProcAddress
GetModuleHandleA
IsBadReadPtr
CreateFileW
SearchPathA
VirtualProtect
CreateFileA
WaitForSingleObject
SetEvent
GetCurrentThread
CreateEventA
SetThreadPriority
CreateThread
GetLocalTime
GetModuleFileNameA
EnterCriticalSection
GetSystemTime
GetWindowsDirectoryA
GetDriveTypeA
GetLongPathNameA
DisableThreadLibraryCalls
LoadLibraryA
SetFilePointer
ReadFile
HeapSize
LCMapStringA
LCMapStringW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
RaiseException
SetLastError
TlsFree
GetLongPathNameW
InterlockedExchange
MultiByteToWideChar
LeaveCriticalSection
Sleep
WideCharToMultiByte
OpenProcess
InitializeCriticalSection
GetTickCount
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
GetFileAttributesA
SetEnvironmentVariableA
ExpandEnvironmentStringsA
GetTimeZoneInformation
GetLocaleInfoW
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEndOfFile
GetProcessHeap
CompareStringA
CompareStringW
SystemTimeToFileTime
TlsSetValue
TlsAlloc
TlsGetValue
GetStdHandle
WriteFile
ExitProcess
FlushFileBuffers
GetConsoleMode
GetConsoleCP
FreeLibrary
SetConsoleCtrlHandler
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetDateFormatA
GetTimeFormatA
RtlUnwind
InitializeCriticalSectionAndSpinCount
GetStartupInfoA
HeapAlloc
GetLastError
HeapFree
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
SetStdHandle
GetFileType
GetCurrentThreadId
GetCommandLineA
FatalAppExitA
VirtualFree
VirtualAlloc
HeapReAlloc
HeapCreate
HeapDestroy
GetModuleHandleW
SetHandleCount

user32

GetWindowThreadProcessId
IsWindowVisible
EnumDesktopsA
OpenWindowStationA
CloseDesktop
EnumDesktopWindows
GetWindowRect
OpenDesktopA
CloseWindowStation
GetParent
EnumWindowStationsA

advapi32

RegCreateKeyExA
GetSecurityDescriptorDacl
RegSetValueExW
BuildExplicitAccessWithNameA
RegSetKeySecurity
RegLoadKeyA
RegEnumValueA
RegSaveKeyA
RegDeleteValueA
RegGetKeySecurity
RegOpenKeyExA
SetSecurityDescriptorDacl
RegEnumKeyExA
InitializeSecurityDescriptor
RegDeleteKeyA
RegQueryValueExW
RegQueryValueExA
RegSetValueExA
SetEntriesInAclA
RegCloseKey
ConvertSidToStringSidW
RegOpenKeyW
GetTokenInformation
OpenProcessToken

daemon

dispent_get_daemon
tasks_lock
task_put
dispent_template_register
tasks_unlock

usysdiag

vif_get
vif_assist_get
vif_sysutils_get

jansson

json_object_iter
json_object_iter_key
json_object_set_new
json_object
json_delete
json_object_key_to_iter
json_loadb
json_object_iter_value
json_load_callback
json_array
json_array_append_new
json_array_size
json_array_get
json_object_iter_next
json_object_size
json_string_value
json_object_get
json_integer_value

Exports

Exports

analyzer_alloc
analyzer_free
analyzers_destroy
behav_expected_specpath
behav_finalize
behav_has_all_attributes
behav_has_any_attribute
behav_has_attribute
behav_init
behav_living_in
behav_regcb_error
behav_regcb_logger
behav_regcb_malfound
behav_register_bac
behav_specpath

Sections

.text
Size: 194KB - Virtual size: 194KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/daemon.dll
.dll windows:5 windows x86 arch:x86

9604046f69d86f5f4a44f2491c0ac49e

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

58:5a:80:51:32:83:8b:b7:d6:89:b2:d3:cf:86:c0:06:f8:30:f2:25
Signer

Actual PE Digest

58:5a:80:51:32:83:8b:b7:d6:89:b2:d3:cf:86:c0:06:f8:30:f2:25

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\works\hr_sysdiag-dist\core\bin\daemon.pdb

Imports

kernel32

SystemTimeToFileTime
WaitForSingleObject
SetEvent
GetCurrentThread
SetThreadPriority
CreateEventW
GetSystemTime
CreateThread
GetLongPathNameA
GetPrivateProfileStringA
DisableThreadLibraryCalls
ReleaseSemaphore
CreateSemaphoreW
VirtualProtect
GetThreadPriority
CompareStringW
CompareStringA
GetProcessHeap
SetEndOfFile
GetLocaleInfoW
CreateFileA
SetStdHandle
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetTimeZoneInformation
LoadLibraryA
SearchPathA
CreateFileW
IsBadReadPtr
GetModuleHandleA
GetProcAddress
LocalFree
GetWindowsDirectoryW
CloseHandle
DeleteCriticalSection
EnterCriticalSection
GetLongPathNameW
InterlockedExchange
MultiByteToWideChar
LeaveCriticalSection
Sleep
WideCharToMultiByte
OpenProcess
InitializeCriticalSection
GetTickCount
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
GetFileAttributesA
WaitForMultipleObjects
ExpandEnvironmentStringsA
FreeLibrary
SetConsoleCtrlHandler
InitializeCriticalSectionAndSpinCount
SetFilePointer
ReadFile
FlushFileBuffers
GetConsoleMode
GetConsoleCP
SetEnvironmentVariableA
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetLastError
HeapFree
HeapAlloc
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThreadId
GetCommandLineA
RaiseException
RtlUnwind
HeapCreate
HeapDestroy
VirtualFree
FatalAppExitA
VirtualAlloc
HeapReAlloc
GetModuleHandleW
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
LCMapStringA
HeapSize
SetHandleCount
GetFileType
GetStartupInfoA
GetTimeFormatA
GetDateFormatA

user32

CloseDesktop
GetWindowThreadProcessId
IsWindowVisible
EnumDesktopsA
OpenWindowStationA
GetParent
CloseWindowStation
OpenDesktopA
GetWindowRect
EnumDesktopWindows
EnumWindowStationsA

advapi32

RegSetValueExW
BuildExplicitAccessWithNameA
RegSetKeySecurity
RegLoadKeyA
RegEnumValueA
RegSaveKeyA
RegDeleteValueA
RegGetKeySecurity
RegOpenKeyExA
RegCreateKeyExA
SetSecurityDescriptorDacl
RegEnumKeyExA
InitializeSecurityDescriptor
RegDeleteKeyA
RegQueryValueExW
RegQueryValueExA
RegSetValueExA
SetEntriesInAclA
RegCloseKey
ConvertSidToStringSidW
RegOpenKeyW
GetTokenInformation
OpenProcessToken
GetSecurityDescriptorDacl

uactmon

ipc_close_channel
uactmon_update_actmsk
uactmon_finalize
uactmon_open_channel
uactmon_query_procinfo
ipc_get_message
uactmon_init
ipc_purge_message
uactmon_list_pid
__ipc_reply_message
uactmon_scanmon_lookup
uactmon_scanmon_channel
uactmon_scanmon_report
uactmon_scanmon_ignore
uactmon_ignore_process
uactmon_send_heartbeat

usysdiag

vif_get
vif_assist_get
vif_iokit_get
vif_sysutils_get

Exports

Exports

daemon_alloc
daemon_class_register
dispent_alloc
dispent_bind_daemon
dispent_free
dispent_get_daemon
dispent_kill_task_group
dispent_resume_task_group
dispent_suspend_task_group
dispent_template_register
scanmond_alloc
scanmond_free
task_get
task_put
tasks_lock
tasks_unlock

Sections

.text
Size: 234KB - Virtual size: 233KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/dbghelp.dll
.dll windows:6 windows x86 arch:x86

fa6b094f828920cf8999743ff0004319

Code Sign

61:05:f7:1e:00:00:00:00:00:32
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

13-07-2009 23:00

Not After

13-10-2010 23:10

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:03:dc:f6:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25-07-2008 19:12

Not After

25-07-2011 19:22

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:159C-A3F7-2570,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:15:08:27:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

25-01-2006 23:22

Not After

25-01-2017 23:32

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

8f:30:24:0d:35:ff:73:8c:8f:ce:2e:fe:f2:26:b5:b2:12:d2:d0:aa
Signer

Actual PE Digest

8f:30:24:0d:35:ff:73:8c:8f:ce:2e:fe:f2:26:b5:b2:12:d2:d0:aa

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dbghelp.pdb

Imports

msvcrt

_isatty
_write
_lseeki64
??3@YAXPAX@Z
_fileno
_read
__pioinfo
__badioinfo
ferror
wctomb
_snprintf
isleadbyte
mbtowc
_onexit
_lock
__dllonexit
_unlock
_ismbblead
_amsg_exit
_initterm
_XcptFilter
memmove
_iob
__mb_cur_max
strchr
_vsnwprintf
_errno
__CxxFrameHandler
iswspace
calloc
_itoa
_wcsdup
towlower
tolower
_wcslwr
time
_wctime
_ltoa
_strnicmp
_wcsnicmp
_purecall
ctime
malloc
strncmp
isspace
_stricmp
_strlwr
free
wcsrchr
strstr
memcpy
_wcsicmp
qsort
wcschr
wcsstr
wcsncmp
iswxdigit
memset
??2@YAPAXI@Z
iswprint
fflush
fprintf
atol
fclose
__unDName
iswdigit
_CxxThrowException
bsearch
_wfsopen
fread
fseek
wcstol
_wfullpath
_wgetenv
_get_osfhandle
_chsize
_close
_open_osfhandle
ftell
_memicmp
_mbscmp
??1type_info@@UAE@XZ
_wsopen

kernel32

HeapFree
MapViewOfFileEx
GetCurrentDirectoryW
InitializeCriticalSectionAndSpinCount
GetFileType
DeviceIoControl
SetFileAttributesW
CreateFileMappingW
InterlockedIncrement
InterlockedDecrement
LocalFree
FormatMessageW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetTickCount
QueryPerformanceCounter
RtlUnwind
InterlockedExchange
GetThreadSelectorEntry
CreateThread
TerminateThread
VirtualQueryEx
GetPriorityClass
GetThreadPriority
GetThreadTimes
GetThreadContext
ResumeThread
SuspendThread
GetCurrentThreadId
GetSystemTimeAsFileTime
Sleep
GetVersion
GetSystemInfo
LoadLibraryExA
InterlockedCompareExchange
DelayLoadFailureHook
ReadProcessMemory
GetProcessHeap
GetFileAttributesA
SetErrorMode
WriteFile
OutputDebugStringA
VirtualFree
OpenProcess
GetCurrentProcessId
GetModuleHandleA
CreateFileMappingA
MapViewOfFile
DuplicateHandle
VirtualAlloc
VirtualProtect
CreateDirectoryA
UnmapViewOfFile
GetCurrentProcess
SetFilePointer
IsDBCSLeadByte
HeapAlloc
HeapReAlloc
GetVersionExA
InitializeCriticalSection
FindClose
SetLastError
LocalAlloc
LeaveCriticalSection
EnterCriticalSection
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetLastError
TlsSetValue
TlsGetValue
FreeLibrary
LoadLibraryA
TlsAlloc
TlsFree
DeleteCriticalSection
HeapDestroy
HeapCreate
FlushViewOfFile

Exports

Exports

DbgHelpCreateUserDump
DbgHelpCreateUserDumpW
EnumDirTree
EnumDirTreeW
EnumerateLoadedModules
EnumerateLoadedModules64
EnumerateLoadedModulesEx
EnumerateLoadedModulesExW
EnumerateLoadedModulesW64
ExtensionApiVersion
FindDebugInfoFile
FindDebugInfoFileEx
FindDebugInfoFileExW
FindExecutableImage
FindExecutableImageEx
FindExecutableImageExW
FindFileInPath
FindFileInSearchPath
GetTimestampForLoadedLibrary
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
ImagehlpApiVersion
ImagehlpApiVersionEx
MakeSureDirectoryPathExists
MapDebugInformation
MiniDumpReadDumpStream
MiniDumpWriteDump
SearchTreeForFile
SearchTreeForFileW
StackWalk
StackWalk64
SymAddSourceStream
SymAddSourceStreamA
SymAddSourceStreamW
SymAddSymbol
SymAddSymbolW
SymCleanup
SymDeleteSymbol
SymDeleteSymbolW
SymEnumLines
SymEnumLinesW
SymEnumProcesses
SymEnumSourceFileTokens
SymEnumSourceFiles
SymEnumSourceFilesW
SymEnumSourceLines
SymEnumSourceLinesW
SymEnumSym
SymEnumSymbols
SymEnumSymbolsForAddr
SymEnumSymbolsForAddrW
SymEnumSymbolsW
SymEnumTypes
SymEnumTypesByName
SymEnumTypesByNameW
SymEnumTypesW
SymEnumerateModules
SymEnumerateModules64
SymEnumerateModulesW64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindDebugInfoFile
SymFindDebugInfoFileW
SymFindExecutableImage
SymFindExecutableImageW
SymFindFileInPath
SymFindFileInPathW
SymFromAddr
SymFromAddrW
SymFromIndex
SymFromIndexW
SymFromName
SymFromNameW
SymFromToken
SymFromTokenW
SymFunctionTableAccess
SymFunctionTableAccess64
SymGetFileLineOffsets64
SymGetHomeDirectory
SymGetHomeDirectoryW
SymGetLineFromAddr
SymGetLineFromAddr64
SymGetLineFromAddrW64
SymGetLineFromName
SymGetLineFromName64
SymGetLineFromNameW64
SymGetLineNext
SymGetLineNext64
SymGetLineNextW64
SymGetLinePrev
SymGetLinePrev64
SymGetLinePrevW64
SymGetModuleBase
SymGetModuleBase64
SymGetModuleInfo
SymGetModuleInfo64
SymGetModuleInfoW
SymGetModuleInfoW64
SymGetOmapBlockBase
SymGetOmaps
SymGetOptions
SymGetScope
SymGetScopeW
SymGetSearchPath
SymGetSearchPathW
SymGetSourceFile
SymGetSourceFileFromToken
SymGetSourceFileFromTokenW
SymGetSourceFileToken
SymGetSourceFileTokenW
SymGetSourceFileW
SymGetSourceVarFromToken
SymGetSourceVarFromTokenW
SymGetSymFromAddr
SymGetSymFromAddr64
SymGetSymFromName
SymGetSymFromName64
SymGetSymNext
SymGetSymNext64
SymGetSymPrev
SymGetSymPrev64
SymGetSymbolFile
SymGetSymbolFileW
SymGetTypeFromName
SymGetTypeFromNameW
SymGetTypeInfo
SymGetTypeInfoEx
SymGetUnwindInfo
SymInitialize
SymInitializeW
SymLoadModule
SymLoadModule64
SymLoadModuleEx
SymLoadModuleExW
SymMatchFileName
SymMatchFileNameW
SymMatchString
SymMatchStringA
SymMatchStringW
SymNext
SymNextW
SymPrev
SymPrevW
SymRefreshModuleList
SymRegisterCallback
SymRegisterCallback64
SymRegisterCallbackW64
SymRegisterFunctionEntryCallback
SymRegisterFunctionEntryCallback64
SymSearch
SymSearchW
SymSetContext
SymSetHomeDirectory
SymSetHomeDirectoryW
SymSetOptions
SymSetParentWindow
SymSetScopeFromAddr
SymSetScopeFromIndex
SymSetSearchPath
SymSetSearchPathW
SymSrvDeltaName
SymSrvDeltaNameW
SymSrvGetFileIndexInfo
SymSrvGetFileIndexInfoW
SymSrvGetFileIndexString
SymSrvGetFileIndexStringW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
SymSrvGetSupplement
SymSrvGetSupplementW
SymSrvIsStore
SymSrvIsStoreW
SymSrvStoreFile
SymSrvStoreFileW
SymSrvStoreSupplement
SymSrvStoreSupplementW
SymUnDName
SymUnDName64
SymUnloadModule
SymUnloadModule64
UnDecorateSymbolName
UnDecorateSymbolNameW
UnmapDebugInformation
WinDbgExtensionDllInit
block
chksym
dbghelp
dh
fptr
homedir
itoldyouso
lmi
lminfo
omap
srcfiles
stack_force_ebp
stackdbg
sym
symsrv
vc7fpo

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/libxsse.dll
.dll windows:5 windows x86 arch:x86

89e2db7c92bedf458ec95dda0c375ccc

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

3b:54:9d:22:9e:b1:d4:ee:5e:c5:56:29:bd:38:ce:3a:87:3b:e0:57
Signer

Actual PE Digest

3b:54:9d:22:9e:b1:d4:ee:5e:c5:56:29:bd:38:ce:3a:87:3b:e0:57

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\works\hr_sysdiag-dist\xsse\bin\libxsse.pdb

Imports

oleaut32

SysAllocString
VariantCopy
SysAllocStringByteLen
VariantClear

kernel32

VirtualAlloc
VirtualProtect
FindFirstFileW
FindClose
FindNextFileW
SystemTimeToFileTime
GetSystemTime
IsBadReadPtr
CreateFileW
SearchPathA
SetEndOfFile
SetFilePointerEx
WriteFile
ReadFile
GetFileSizeEx
GetLastError
DuplicateHandle
CompareFileTime
FileTimeToSystemTime
VirtualFree
LoadLibraryA
GetModuleFileNameA
InterlockedCompareExchange
ReadProcessMemory
WriteProcessMemory
GetFullPathNameA
GetDriveTypeA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetLocaleInfoW
FlushFileBuffers
GetTimeZoneInformation
FreeLibrary
SetConsoleCtrlHandler
RtlUnwind
GetModuleHandleA
GetProcAddress
LocalFree
GetWindowsDirectoryW
CloseHandle
DeleteCriticalSection
EnterCriticalSection
GetLongPathNameW
InterlockedExchange
MultiByteToWideChar
LeaveCriticalSection
Sleep
WideCharToMultiByte
OpenProcess
InitializeCriticalSection
GetTickCount
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
GetFileAttributesA
CreateFileA
CompareStringA
CompareStringW
SetEnvironmentVariableA
DisableThreadLibraryCalls
HeapFree
HeapAlloc
SetFileAttributesW
GetFileAttributesW
FileTimeToLocalFileTime
GetDriveTypeW
DeleteFileW
HeapReAlloc
GetCurrentThreadId
GetCommandLineA
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThread
HeapCreate
HeapDestroy
FatalAppExitA
ExitProcess
GetStdHandle
HeapSize
GetFullPathNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
RaiseException
GetTimeFormatA
GetDateFormatA
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
LCMapStringA
LCMapStringW
SetFilePointer
GetConsoleCP
GetConsoleMode
InitializeCriticalSectionAndSpinCount

user32

GetParent
EnumWindowStationsA
CloseDesktop
CloseWindowStation
EnumDesktopsA
IsWindowVisible
GetWindowThreadProcessId
OpenDesktopA
GetWindowRect
EnumDesktopWindows
OpenWindowStationA

advapi32

RegLoadKeyA
GetSecurityDescriptorDacl
RegSetValueExW
BuildExplicitAccessWithNameA
RegSetKeySecurity
RegEnumValueA
RegSaveKeyA
RegDeleteValueA
RegGetKeySecurity
RegOpenKeyExA
RegCreateKeyExA
SetSecurityDescriptorDacl
RegEnumKeyExA
InitializeSecurityDescriptor
RegDeleteKeyA
RegQueryValueExW
RegQueryValueExA
RegSetValueExA
SetEntriesInAclA
RegCloseKey
ConvertSidToStringSidW
RegOpenKeyW
GetTokenInformation
OpenProcessToken

Exports

Exports

libxsse_exrec_alloc
libxsse_record_alloc
libxsse_register_codec
libxsse_register_exunit

Sections

.text
Size: 374KB - Virtual size: 374KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 66KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 18KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/symsrv.dll
.dll windows:6 windows x86 arch:x86

94d035a14122a420b1c395c66a73d849

Code Sign

61:05:f7:1e:00:00:00:00:00:32
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

13-07-2009 23:00

Not After

13-10-2010 23:10

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:04:b3:f5:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25-07-2008 19:13

Not After

25-07-2011 19:23

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:9E78-864B-039D,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:15:08:27:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

25-01-2006 23:22

Not After

25-01-2017 23:32

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

cb:b7:8d:df:a9:50:73:86:f3:b2:2d:69:ec:34:36:04:3a:3a:c5:3e
Signer

Actual PE Digest

cb:b7:8d:df:a9:50:73:86:f3:b2:2d:69:ec:34:36:04:3a:3a:c5:3e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

symsrv.pdb

Imports

msvcrt

__badioinfo
__pioinfo
ferror
_fileno
_lseeki64
_write
_isatty
wctomb
_itoa
_snprintf
isleadbyte
mbtowc
_amsg_exit
_initterm
free
malloc
_XcptFilter
_iob
__mb_cur_max
_errno
_wtoi64
_wcslwr
memcpy
strrchr
wcsstr
_wfopen
fgetws
wcsrchr
fclose
_stricmp
tolower
getenv
isspace
iswspace
towlower
??2@YAPAXI@Z
??3@YAXPAX@Z
_wcsicmp
_wcsnicmp
wcschr
memset

kernel32

GetModuleHandleA
FreeLibrary
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
RtlUnwind
OutputDebugStringA
InterlockedCompareExchange
Sleep
InterlockedExchange
GlobalFree
ReleaseMutex
GetFileInformationByHandle
FileTimeToLocalFileTime
FileTimeToDosDateTime
DeleteFileA
SetFilePointer
CreateFileA
DosDateTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
DeleteCriticalSection
InitializeCriticalSection
GetFileSize
GetFileTime
ReadFile
CreateThread
GetSystemTime
SetWaitableTimer
WaitForSingleObject
LoadLibraryA
DebugBreak
GetSystemTimeAsFileTime
GetCurrentProcess
WriteFile
CloseHandle
LocalFree
LocalReAlloc
LocalAlloc
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
RaiseException

advapi32

RegCloseKey
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid

Exports

Exports

EulaDlgProc
RunDllEntry
SymbolServer
SymbolServerByIndex
SymbolServerByIndexW
SymbolServerClose
SymbolServerDeltaName
SymbolServerDeltaNameW
SymbolServerGetIndexString
SymbolServerGetIndexStringW
SymbolServerGetOptions
SymbolServerGetSupplement
SymbolServerGetSupplementW
SymbolServerGetVersion
SymbolServerIsStore
SymbolServerIsStoreW
SymbolServerPing
SymbolServerPingW
SymbolServerSetOptions
SymbolServerSetOptionsW
SymbolServerStoreFile
SymbolServerStoreFileW
SymbolServerStoreSupplement
SymbolServerStoreSupplementW
SymbolServerW
httpCloseHandle
httpOpenFileHandle
httpOpenFileHandleW
httpQueryDataAvailable
httpReadFile

Sections

.text
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 165KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/uactmon.dll
.dll windows:5 windows x86 arch:x86

fc3c1df0f6b492d7a3eea5b1d1c04b26

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

18:84:a3:e4:6f:60:48:33:ce:f3:a9:fe:d1:90:c9:f8:ac:a3:99:9a
Signer

Actual PE Digest

18:84:a3:e4:6f:60:48:33:ce:f3:a9:fe:d1:90:c9:f8:ac:a3:99:9a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\works\hr_sysdiag-dist\core\bin\uactmon.pdb

Imports

kernel32

SearchPathA
VirtualProtect
DisableThreadLibraryCalls
Module32First
GetLongPathNameA
DeviceIoControl
CreateToolhelp32Snapshot
Module32Next
CompareStringW
CompareStringA
CreateFileW
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetLocaleInfoW
GetTimeZoneInformation
GetConsoleMode
GetConsoleCP
SetFilePointer
IsBadReadPtr
GetModuleHandleA
LocalFree
GetWindowsDirectoryW
DeleteCriticalSection
EnterCriticalSection
GetLongPathNameW
InterlockedExchange
MultiByteToWideChar
LeaveCriticalSection
Sleep
WideCharToMultiByte
OpenProcess
InitializeCriticalSection
GetTickCount
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
CloseHandle
CreateIoCompletionPort
PostQueuedCompletionStatus
LoadLibraryA
GetProcAddress
GetQueuedCompletionStatus
FlushFileBuffers
GetLastError
HeapFree
HeapAlloc
GetCurrentThreadId
GetCommandLineA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
HeapDestroy
VirtualFree
FatalAppExitA
VirtualAlloc
HeapReAlloc
GetModuleHandleW
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThread
HeapSize
GetTimeFormatA
GetDateFormatA
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
RtlUnwind
SetConsoleCtrlHandler
FreeLibrary
LCMapStringA
LCMapStringW
SetEnvironmentVariableA

user32

wsprintfW
EnumDesktopWindows
GetWindowRect
OpenDesktopA
CloseWindowStation
GetParent
EnumWindowStationsA
CloseDesktop
OpenWindowStationA
EnumDesktopsA
IsWindowVisible
GetWindowThreadProcessId

advapi32

GetSecurityDescriptorDacl
RegSetValueExW
BuildExplicitAccessWithNameA
RegSetKeySecurity
RegLoadKeyA
RegEnumValueA
RegSaveKeyA
RegDeleteValueA
RegGetKeySecurity
RegOpenKeyExA
RegCreateKeyExA
SetSecurityDescriptorDacl
RegEnumKeyExA
InitializeSecurityDescriptor
RegDeleteKeyA
RegQueryValueExW
RegQueryValueExA
RegSetValueExA
SetEntriesInAclA
RegCloseKey
ConvertSidToStringSidW
RegOpenKeyW
GetTokenInformation
OpenProcessToken

Exports

Exports

__ipc_reply_message
ipc_close_channel
ipc_get_message
ipc_open_channel
ipc_purge_message
ipc_reply_message
uactmon_alloc_policy
uactmon_call_dtrampo
uactmon_clear_policies
uactmon_domblock_channel
uactmon_domblock_flush
uactmon_finalize
uactmon_free_policy
uactmon_ignore_process
uactmon_init
uactmon_limit_flux
uactmon_list_msghooks
uactmon_list_pid
uactmon_netflood_channel
uactmon_netflood_setopt
uactmon_open_channel
uactmon_polexcp_add
uactmon_polexcp_del
uactmon_query_istat
uactmon_query_procinfo
uactmon_scanmon_channel
uactmon_scanmon_config
uactmon_scanmon_ignore
uactmon_scanmon_lookup
uactmon_scanmon_report
uactmon_send_heartbeat
uactmon_update_actmsk
uactmon_wl_dtrampo

Sections

.text
Size: 112KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/usysdiag.dll
.dll windows:5 windows x86 arch:x86

8312eee8c29c642377d8b264a9171c08

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ed:94:88:bd:2e:90:cd:00:c4:9e:d5:db:4a:5c:8f:67:db:a1:ae:f7
Signer

Actual PE Digest

ed:94:88:bd:2e:90:cd:00:c4:9e:d5:db:4a:5c:8f:67:db:a1:ae:f7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\works\hr_sysdiag-dist\core\bin\usysdiag.pdb

Imports

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesA

ws2_32

ntohs

sfc

SfcIsFileProtected

kernel32

VirtualFree
VirtualAlloc
VirtualProtect
IsBadReadPtr
CreateFileW
SearchPathA
LoadLibraryA
GetExitCodeProcess
CreateProcessA
TerminateProcess
GetModuleFileNameA
GetCurrentProcessId
CreateFileA
SearchPathW
SetFilePointer
WriteFile
ReadFile
GetCurrentDirectoryW
DeviceIoControl
GetCurrentDirectoryA
lstrlenA
FreeLibrary
DisableThreadLibraryCalls
TerminateThread
OpenThread
GetSystemInfo
GetVersionExA
GetLongPathNameA
GetFullPathNameW
GetFullPathNameA
FindFirstFileW
GetModuleHandleA
MoveFileExW
FindFirstFileA
VirtualProtectEx
FindClose
DeleteFileW
DeleteFileA
Process32First
WaitForSingleObject
GetCurrentThread
Thread32First
Thread32Next
GetLastError
Process32Next
CreateToolhelp32Snapshot
SetThreadAffinityMask
SuspendThread
ResumeThread
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetConsoleMode
GetConsoleCP
SetConsoleCtrlHandler
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetProcAddress
LocalFree
GetWindowsDirectoryW
CloseHandle
DeleteCriticalSection
EnterCriticalSection
GetLongPathNameW
InterlockedExchange
MultiByteToWideChar
LeaveCriticalSection
Sleep
WideCharToMultiByte
IsValidCodePage
OpenProcess
InitializeCriticalSection
GetTickCount
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
GetFileAttributesA
ExpandEnvironmentStringsA
FlushFileBuffers
GetTimeZoneInformation
GetLocaleInfoW
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
GetProcessHeap
lstrlenW
LCMapStringA
LCMapStringW
MoveFileExA
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetOEMCP
GetACP
GetCPInfo
SetLastError
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetDateFormatA
GetTimeFormatA
InitializeCriticalSectionAndSpinCount
GetStartupInfoA
SetHandleCount
HeapFree
HeapAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
CreatePipe
SetStdHandle
GetFileType
MoveFileW
GetLogicalDrives
GetCurrentThreadId
GetCommandLineA
RaiseException
RtlUnwind
HeapCreate
HeapDestroy
FatalAppExitA
HeapReAlloc
GetModuleHandleW
ExitProcess
GetStdHandle
HeapSize

user32

EnumWindowStationsA
OpenDesktopA
GetWindowRect
EnumDesktopWindows
GetWindowThreadProcessId
IsWindowVisible
EnumDesktopsA
OpenWindowStationA
CloseDesktop
GetParent
CloseWindowStation

advapi32

SetSecurityDescriptorDacl
ControlService
OpenSCManagerA
ChangeServiceConfigA
StartServiceA
LookupAccountSidA
CloseServiceHandle
OpenServiceA
GetSecurityDescriptorDacl
RegSetValueExW
BuildExplicitAccessWithNameA
RegSetKeySecurity
RegLoadKeyA
RegEnumValueA
RegSaveKeyA
RegDeleteValueA
RegGetKeySecurity
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
InitializeSecurityDescriptor
RegDeleteKeyA
RegQueryValueExW
RegQueryValueExA
RegSetValueExA
SetEntriesInAclA
RegCloseKey
ConvertSidToStringSidW
RegOpenKeyW
GetTokenInformation
OpenProcessToken

ole32

CoInitialize
CoUninitialize
CoTaskMemFree
OleRun
CoCreateInstance

oleaut32

SysFreeString
SysStringByteLen
VariantChangeType
VariantInit
SysAllocStringByteLen
VariantClear
SysAllocString
CreateErrorInfo
GetErrorInfo
SetErrorInfo

uactmon

uactmon_finalize
uactmon_query_procinfo
uactmon_call_dtrampo
uactmon_init

Exports

Exports

vif_assist_get
vif_autorun_get
vif_get
vif_hooklet_get
vif_iokit_get
vif_sysutils_get

Sections

.text
Size: 294KB - Virtual size: 293KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/usysdiag.exe
.exe windows:5 windows x64 arch:x64

52234ef8600d7c1f8a6652975a7bce75

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

Issuer

CN=TC TrustCenter Class 2-II L1 CA IV,OU=TC TrustCenter Class 2-II L1 CA,O=TC TrustCenter GmbH,C=DE

Not Before

17-06-2009 15:22

Not After

31-12-2025 19:59

Subject

CN=TC TrustCenter Authenticode Timestamp II,OU=Timestamp,O=TC TrustCenter,L=Hamburg,ST=Hamburg,C=DE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27-03-2013 00:00

Not After

26-04-2014 23:59

Subject

CN=HuoRongBoRui (Beijing) Technology Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=HuoRongBoRui (Beijing) Technology Co.\,Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

c5:56:c2:7e:45:c6:f4:22:6c:95:52:32:01:12:d0:a8:0a:f1:40:75
Signer

Actual PE Digest

c5:56:c2:7e:45:c6:f4:22:6c:95:52:32:01:12:d0:a8:0a:f1:40:75

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\works\hr_sysdiag-dist\core\bin\usysdiag-helper-x64.pdb

Imports

kernel32

TerminateThread
CreateEventA
RaiseException
GetLastError
SetLastError
ResetEvent
LoadLibraryA
LocalAlloc
GetExitCodeThread
PostQueuedCompletionStatus
GetSystemInfo
CreateIoCompletionPort
GetCurrentThreadId
TlsAlloc
TlsFree
CreateFileA
SearchPathW
SetFilePointer
WriteFile
ReadFile
GetCurrentDirectoryW
DeviceIoControl
GetCurrentDirectoryA
TerminateProcess
TlsSetValue
ExitProcess
SetProcessWorkingSetSize
CreateThread
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetTimeZoneInformation
SetEnvironmentVariableA
CompareStringW
CompareStringA
FlushFileBuffers
GetLocaleInfoW
GetConsoleMode
GetConsoleCP
GetSystemTimeAsFileTime
SetEvent
WaitForSingleObject
GetQueuedCompletionStatus
FreeLibrary
VirtualQuery
TlsGetValue
Module32Next
CreateToolhelp32Snapshot
Module32First
VirtualQueryEx
SearchPathA
CreateFileW
IsBadReadPtr
VirtualProtect
VirtualAlloc
VirtualFree
ExpandEnvironmentStringsA
GetModuleHandleA
GetProcAddress
LocalFree
GetWindowsDirectoryW
CloseHandle
DeleteCriticalSection
EnterCriticalSection
GetLongPathNameW
MultiByteToWideChar
LeaveCriticalSection
GetCurrentProcessId
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStringTypeW
GetStringTypeA
Sleep
WideCharToMultiByte
OpenProcess
InitializeCriticalSection
GetTickCount
GetCurrentProcess
GetFileAttributesA
OpenThread
HeapFree
HeapAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetModuleHandleW
RtlUnwindEx
ExitThread
GetCommandLineA
RtlPcToFileHeader
HeapSetInformation
HeapCreate
HeapDestroy
GetStdHandle
GetModuleFileNameA
EncodePointer
DecodePointer
FlsGetValue
FlsSetValue
FlsFree
GetCurrentThread
FlsAlloc
FatalAppExitA
SetConsoleCtrlHandler
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetFileType
GetStartupInfoA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
LCMapStringA
HeapSize
HeapReAlloc
GetDateFormatA
GetTimeFormatA
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
WriteConsoleW

user32

IsWindowVisible
GetWindowThreadProcessId
CloseWindowStation
EnumDesktopWindows
EnumDesktopsA
OpenDesktopA
GetWindowRect
GetParent
EnumWindowStationsA
CloseDesktop
OpenWindowStationA

advapi32

RegDeleteValueA
GetTokenInformation
RegOpenKeyW
ConvertSidToStringSidW
RegCloseKey
SetEntriesInAclA
RegSetValueExA
RegQueryValueExA
AdjustTokenPrivileges
LookupPrivilegeValueA
GetSecurityDescriptorDacl
RegSetValueExW
BuildExplicitAccessWithNameA
RegSetKeySecurity
RegLoadKeyA
RegEnumValueA
RegSaveKeyA
RegGetKeySecurity
RegOpenKeyExA
RegCreateKeyExA
SetSecurityDescriptorDacl
RegEnumKeyExA
InitializeSecurityDescriptor
RegDeleteKeyA
RegQueryValueExW
OpenProcessToken

shell32

SHGetSpecialFolderPathA

ole32

CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

SysFreeString

crypt32

CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CryptQueryObject
CryptMsgClose

Sections

.text
Size: 213KB - Virtual size: 213KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 51KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

099c0646ea7282d232219f8807883be0

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2cCertificate

Extended Key Usages

Key Usages

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

12:e8:71:37:a2:7d:da:49:c5:d1:c8:77:ed:f6:d2:3f:11:da:72:dcSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 84KB

.rsrc Size: 105KB - Virtual size: 108KB

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

UPX0 Size: - Virtual size: 24KB

UPX1 Size: 5KB - Virtual size: 8KB

.rsrc Size: 2KB - Virtual size: 8KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 348B

.rsrc Size: 1024B - Virtual size: 888B

.reloc Size: 1024B - Virtual size: 984B

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 784B

.data Size: 512B - Virtual size: 100B

.reloc Size: 1024B - Virtual size: 520B

0bde61c6cd10a05c00396ae808330f84

Code Sign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2cCertificate

Extended Key Usages

Key Usages

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86Certificate

Extended Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

12:e8:71:37:a2:7d:da:49:c5:d1:c8:77:ed:f6:d2:3f:11:da:72:dc
Signer

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 84KB

.rsrc
Size: 105KB - Virtual size: 108KB

UPX0
Size: - Virtual size: 24KB

UPX1
Size: 5KB - Virtual size: 8KB

.rsrc
Size: 2KB - Virtual size: 8KB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 348B

.rsrc
Size: 1024B - Virtual size: 888B

.reloc
Size: 1024B - Virtual size: 984B

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 100B

.reloc
Size: 1024B - Virtual size: 520B

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

ca:1f:82:1e:96:15:8a:15:d8:dc:60:cb:d7:58:7b:b5:21:27:21:7d
Signer

.text
Size: 112KB - Virtual size: 111KB

.rdata
Size: 15KB - Virtual size: 15KB

.data
Size: 4KB - Virtual size: 11KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 5KB - Virtual size: 8KB

.text
Size: 4KB - Virtual size: 4KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 572B

9f:63:00:01:00:02:1f:a8:dc:56:b5:ea:e7:2c
Certificate

5d:12:e1:0c:a5:a1:fc:01:a3:47:e1:42:7d:fb:9d:86
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

3b:d8:03:2b:64:b8:1c:fd:88:d1:e6:81:c4:62:2b:e3:50:c2:9c:d3
Signer

.text
Size: 201KB - Virtual size: 201KB

.rdata
Size: 29KB - Virtual size: 28KB

.data
Size: 134KB - Virtual size: 143KB

.pdata
Size: 13KB - Virtual size: 12KB

.asmstub
Size: 512B - Virtual size: 49B