
Windows Analysis Report
amdkmdag.sys

Overview

General Information

Sample name: amdkmdag.sys
Analysis ID: 1457287
MD5: 9be45268521378908a11c849dcb1cbed
SHA1: 1265241c04b8ec278a5470139b0f461b4aca417b
SHA256: 27ec1868de6789c51a0c8a7f5b761ddbc44f42b73fc31b44ccf811628b859ed5
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: unsuccessful

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

PE file contains more sections than normal
PE file contains sections with non-standard names

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: amdkmdag.sys | Static PE information: certificate valid
Source: amdkmdag.sys | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Source: amdkmdag.sys | Binary string: c:\constructicon\builds\gfx\one\23.10\drivers\kmd\build\wNow64a\B_rel\amdkmdag.pdb
Source: amdkmdag.sys | String found in binary or memory: http://torcavpcs1.atitech.com/CertEnroll/torcavpcs1.atitech.com_AMD%20PVP%20Certificate%20Authority%
Source: amdkmdag.sys | Static PE information: Number of sections : 59 > 10
Source: amdkmdag.sys | Binary string: \Callback\AMD_CALLBACK_OBJ_NAME_QUERY_KPD_VERSION\Device\\Callback\AMD_CALLBACK_OBJ_NAME_FOR_PROXY_INITij[Wc$[n[eh_]_d$[n[kfbWo$[n[kX_ie\j]Wc[bWkdY^[h$[n[kX_ie\j]Wc[bWkdY^[h,*$[n[RadeonSettings.exe$&
Source: amdkmdag.sys | Binary string: PX_AI_RegistryPatchPX_AI_DdiInterceptPX_AI_IndInstallSupportPX_AI_DdiInterceptSupported_Ver2PX_AI_DdiInterceptEnabled\DEVICE\DXGKFLT\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DXGKRNL\DEVICE\DXGKRNLPX_AA_DdiInterceptDEVICE PARAMETERSService
Source: amdkmdag.sys | Binary string: \Registry\Machine\System\CurrentControlSet\Control\Class\\Registry\Machine\System\CurrentControlSet\Services\IGFX\Device\IGFX\Driver\IGFX\Registry\Machine\System\CurrentControlSet\Services\INTELKMD\Device\intelkmd\Driver\intelkmdKMD_DisplayDDIFallbackVersionProxyRemoveDevice: call ProxyStopDevice for Intel Kmd
Source: amdkmdag.sys | Binary string: \Device\
Source: amdkmdag.sys | Binary string: 0AMDKMDAG******************************** RADEON Miniport Driver build 1634 free. Copyright (c) 2003 - 2006 ATI Technologies Inc.********************************AMDKMDAG\Device\amdkmdag\Driver\amdkmdag\Registry\Machine\System\CurrentControlSet\Services\P
Source: amdkmdag.sys | Binary string: \Device\DGPUDGPU Actionamdkmdag.sys
Source: amdkmdag.sys | Binary string: \Device\DxgKrnl\Registry\Machine\System\CurrentControlSet\Services\DXGKrnlatan
Source: classification engine | Classification label: unknown1.winSYS@0/0@0/0
Source: amdkmdag.sys | Static PE information: certificate valid
Source: amdkmdag.sys | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: amdkmdag.sys | Static PE information: Image base 0x140000000 > 0x60000000
Source: amdkmdag.sys | Static file information: File size 99613832 > 1048576
Source: amdkmdag.sys | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6fe600
Source: amdkmdag.sys | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x4ed600
Source: amdkmdag.sys | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x8a2600
Source: amdkmdag.sys | Static PE information: Raw size of PAGEPPLC is bigger than: 0x100000 < 0x11a600
Source: amdkmdag.sys | Static PE information: Raw size of PAGED2PC is bigger than: 0x100000 < 0x34aa00
Source: amdkmdag.sys | Static PE information: Raw size of PAGEDCIC is bigger than: 0x100000 < 0x286200
Source: amdkmdag.sys | Static PE information: Raw size of PAGESIPD is bigger than: 0x100000 < 0x313b400
Source: amdkmdag.sys | Static PE information: Raw size of PAGEDMCD is bigger than: 0x100000 < 0x195c00
Source: amdkmdag.sys | Static PE information: Raw size of PAGECALD is bigger than: 0x100000 < 0x657000
Source: amdkmdag.sys | Static PE information: Raw size of PAGED3PR is bigger than: 0x100000 < 0x175400
Source: amdkmdag.sys | Static PE information: Raw size of PAGED3ID is bigger than: 0x100000 < 0x1cdc00
Source: amdkmdag.sys | Static PE information: More than 200 imports for ntoskrnl.exe
Source: amdkmdag.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: amdkmdag.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: amdkmdag.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: amdkmdag.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: amdkmdag.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: amdkmdag.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: amdkmdag.sys | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Source: amdkmdag.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: amdkmdag.sys | Binary string: c:\constructicon\builds\gfx\one\23.10\drivers\kmd\build\wNow64a\B_rel\amdkmdag.pdb
Source: amdkmdag.sys | Static PE information: section name: KMDDKFQT
Source: amdkmdag.sys | Static PE information: section name: PAGE_COM
Source: amdkmdag.sys | Static PE information: section name: PAGEPPLC
Source: amdkmdag.sys | Static PE information: section name: PAGE_CPC
Source: amdkmdag.sys | Static PE information: section name: PAGE_DRM
Source: amdkmdag.sys | Static PE information: section name: PAGE_HDC
Source: amdkmdag.sys | Static PE information: section name: PAGE_OPM
Source: amdkmdag.sys | Static PE information: section name: PAGE_WSC
Source: amdkmdag.sys | Static PE information: section name: PAGE_PRE
Source: amdkmdag.sys | Static PE information: section name: PAGESIPC
Source: amdkmdag.sys | Static PE information: section name: PAGEDMCC
Source: amdkmdag.sys | Static PE information: section name: PAGEKMDC
Source: amdkmdag.sys | Static PE information: section name: PAGECALC
Source: amdkmdag.sys | Static PE information: section name: PAGED3PC
Source: amdkmdag.sys | Static PE information: section name: PAGED2PC
Source: amdkmdag.sys | Static PE information: section name: PAGEDSIC
Source: amdkmdag.sys | Static PE information: section name: PAGED2IC
Source: amdkmdag.sys | Static PE information: section name: PAGEDCIC
Source: amdkmdag.sys | Static PE information: section name: PAGED3IC
Source: amdkmdag.sys | Static PE information: section name: PAGEKMDD
Source: amdkmdag.sys | Static PE information: section name: PAGEIVEG
Source: amdkmdag.sys | Static PE information: section name: PAGEINAV
Source: amdkmdag.sys | Static PE information: section name: PAGEINV3
Source: amdkmdag.sys | Static PE information: section name: PAGEINV4
Source: amdkmdag.sys | Static PE information: section name: PAGEILEG
Source: amdkmdag.sys | Static PE information: section name: PAGEICMN
Source: amdkmdag.sys | Static PE information: section name: PAGEPPLD
Source: amdkmdag.sys | Static PE information: section name: PAGE_RW
Source: amdkmdag.sys | Static PE information: section name: PAGE_CPR
Source: amdkmdag.sys | Static PE information: section name: PAGE_DRM
Source: amdkmdag.sys | Static PE information: section name: PAGE_HDC
Source: amdkmdag.sys | Static PE information: section name: PAGE_OPM
Source: amdkmdag.sys | Static PE information: section name: PAGE_WSR
Source: amdkmdag.sys | Static PE information: section name: PAGE_WSD
Source: amdkmdag.sys | Static PE information: section name: PAGE_PRE
Source: amdkmdag.sys | Static PE information: section name: PAGESIPD
Source: amdkmdag.sys | Static PE information: section name: PAGEDMCD
Source: amdkmdag.sys | Static PE information: section name: PAGECALD
Source: amdkmdag.sys | Static PE information: section name: PAGED3PR
Source: amdkmdag.sys | Static PE information: section name: PAGEDSIR
Source: amdkmdag.sys | Static PE information: section name: PAGED3IR
Source: amdkmdag.sys | Static PE information: section name: PAGED2PR
Source: amdkmdag.sys | Static PE information: section name: PAGED2PD
Source: amdkmdag.sys | Static PE information: section name: PAGED2IR
Source: amdkmdag.sys | Static PE information: section name: PAGEDSID
Source: amdkmdag.sys | Static PE information: section name: PAGEDCIR
Source: amdkmdag.sys | Static PE information: section name: PAGED3ID
Source: amdkmdag.sys | Static PE information: section name: PAGED3PD
Source: amdkmdag.sys | Static PE information: section name: PAGEDCID
Source: amdkmdag.sys | Static PE information: section name: PAGED2ID
Source: amdkmdag.sys | Binary or memory string: AMD KMD: Dispatch_SetVirtualMachineData Entry ***
Source: amdkmdag.sys | Binary or memory string: Please use extension's command !gvmdebug /vmprocess to dump VM process
Source: amdkmdag.sys | Binary or memory string: QEMUu
Source: amdkmdag.sys | Binary or memory string: VMwareVMwareXenVMMXenVMMKVMKVMKVMAliyunKVMTencentKVMKMDSystemConfiguration::InitCPUInfo: CPU type = AMD
Source: amdkmdag.sys | Binary or memory string: KMD_EnableLocalDisplayForPXAAKMD_EnableLDASupportForVirtualMachineDEBUG_TOOL_SYSTEM_CONFIGKMD_ExposeMgpuSlsFeatureDCHUVenKMD_XgmiP2PSupportProxy_EnableMsHwsForLda
Source: amdkmdag.sys | Binary or memory string: VMwareVMware
Source: amdkmdag.sys | Binary or memory string: Please use extension's command !gvmdebug /vmlog to dump VM log
Source: amdkmdag.sys | Binary or memory string: Virtual HDMI FRL
Source: amdkmdag.sys | Binary or memory string: =QemutV=QEMUtO=Red u
Source: amdkmdag.sys | Binary or memory string: Qemut
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features

Source | Detection | Scanner | Label | Link
amdkmdag.sys | 1% | Virustotal | | Browse
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://torcavpcs1.atitech.com/CertEnroll/torcavpcs1.atitech.com_AMD%20PVP%20Certificate%20Authority% | 0% | Avira URL Cloud | safe |
http://torcavpcs1.atitech.com/CertEnroll/torcavpcs1.atitech.com_AMD%20PVP%20Certificate%20Authority% | 0% | Virustotal | | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://torcavpcs1.atitech.com/CertEnroll/torcavpcs1.atitech.com_AMD%20PVP%20Certificate%20Authority% | amdkmdag.sys | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1457287
Start date and time: 2024-06-14 15:08:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: amdkmdag.sys
Detection: UNKNOWN
Classification: unknown1.winSYS@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .sys
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: unsuccessful
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
No simulations
No context
No created / dropped files found
File type: PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit): 4.8724203807221445
TrID:
  • Win64 Device Driver (generic) (12004/3) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: amdkmdag.sys
File size: 99'613'832 bytes
MD5: 9be45268521378908a11c849dcb1cbed
SHA1: 1265241c04b8ec278a5470139b0f461b4aca417b
SHA256: 27ec1868de6789c51a0c8a7f5b761ddbc44f42b73fc31b44ccf811628b859ed5
SHA512: e94bc82095d0c5940c2e1b7aadfe7408dd4704d82605d7770c948771492919199a0389a4776eba9fd2288ef327d38e8783b42ac98e828cde9b46eda0971611c0
SSDEEP: 393216:4rwApLN1IL5UT7iHVMZp9Nq+5h/w/i+4uA47b9e1c17hzsv8wm6:8+6Zp9Q4ut7b9j17hzsv8wm6
TLSH: 8A288C06B62509D4D3B681F44E96E62AE660B8D7138133C35293562B4F27ED0ADF63F3
File Content Preview: MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........z.....F...F...F...F...F.c.G...F...F...F.c.G...F.c.G...F...F...F.c.G...F.c.G...F.cYF...FKlfF...F4b.G...F4b.G9..F4b.G...F4b.G...
Icon Hash: 7ae282899bbab082
Entrypoint: 0x1400f06f0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: native
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Time Stamp: 0x6626DBFD [Mon Apr 22 21:51:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 864085801bb25611252bb52ef85cb33d
Signature Valid: true
Signature Issuer: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After
  • 11/05/2021 02:00:00 11/05/2024 01:59:59
Subject Chain
  • CN=Advanced Micro Devices Inc., O=Advanced Micro Devices Inc., L=Santa Clara, S=California, C=US
Version: 3
Thumbprint MD5: CF7DA446A473FFD6539BDD4995AB2C66
Thumbprint SHA-1: 26F54EE84758BA716117321707BB08B3274A578A
Thumbprint SHA-256: EDE1F937EACB0078A2D7F2DF67D349009893E1F4A10F41C9A2A051FED833C948
Serial: 535091E6CAB13AF393B51EAD0825F627
Instruction
inc eax
push ebp
push ebx
inc ecx
push esi
dec eax
lea ebp, dword ptr [esp-00000510h]
dec eax
sub esp, 00000610h
dec eax
mov eax, dword ptr [00FC5E45h]
dec eax
xor eax, esp
dec eax
mov dword ptr [ebp+000004F0h], eax
dec esp
mov esi, edx
dec eax
mov ebx, ecx
dec eax
test ecx, ecx
je 00007FA5DC6554A9h
dec eax
test edx, edx
je 00007FA5DC6554A0h
dec eax
mov dword ptr [esp+00000648h], edi
xor edi, edi
dec eax
mov dword ptr [013A4462h], ecx
movzx ecx, word ptr [ecx+38h]
test cx, cx
je 00007FA5DC654976h
dec esp
lea eax, dword ptr [00AFF5DEh]
mov edx, edi
test ecx, FFFFFFFEh
jbe 00007FA5DC654887h
nop dword ptr [eax+00h]
mov eax, edx
inc edx
dec eax
lea ecx, dword ptr [eax+eax]
dec eax
mov eax, dword ptr [ebx+40h]
movzx eax, word ptr [ecx+eax]
inc dx
mov dword ptr [ecx+eax], eax
movzx ecx, word ptr [ebx+38h]
mov eax, ecx
shr eax, 1
cmp edx, eax
jc 00007FA5DC654841h
movzx eax, cx
dec eax
and eax, FFFFFFFEh
dec eax
cmp eax, 000000C8h
jnc 00007FA5DC655440h
dec eax
mov edx, dword ptr [00B021B5h]
dec eax
mov ecx, FFFFFFFFh
inc dx
mov dword ptr [eax+eax], edi
dec eax
mov eax, ecx
nop word ptr [eax+eax+00h]
dec eax
inc eax
cmp word ptr [edx+eax*2], di
Programming Language:
  • [C++] VS2012 build 50727
  • [ C ] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5eee000 | 0x50 | INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5ef1000 | 0x8fb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x14ce000 | 0xce7cc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5ef8400 | 0x7888 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5efa000 | 0x55ddc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb540b0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb53f70 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x700000 | 0x9b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6fe574 | 0x6fe600 | 0aed33e6c87bab4e3e72c14755b963cb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x700000 | 0x4ed45c | 0x4ed600 | c49da7d71f2adecb3af985ccf1a62ded | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data | 0xbee000 | 0x8dfae4 | 0x8a2600 | 9ec770bcb229d1a980ce6577b7b3aa46 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x14ce000 | 0xce7cc | 0xce800 | b3f79338921567b7b4afdb4e892a593c | False | 0.48945052398607747 | PEX Binary Archive | 6.727024150856774 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
KMDDKFQT | 0x159d000 | 0x20 | 0x200 | 4c023024ceb6894dad44f1ad65b3b6ba | False | 0.05078125 | data | 0.13334887849621524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE_COM | 0x159e000 | 0x78abc | 0x78c00 | 66d9c23c69db4b872b8529944396dac7 | False | 0.46412800854037267 | data | 6.260253415088313 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGE | 0x1617000 | 0x899 | 0xa00 | 6f8f4d64e679a1973e7ff0d1f8ae3eb9 | False | 0.5859375 | data | 5.718485206624633 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEPPLC | 0x1618000 | 0x11a43f | 0x11a600 | ccaa8e2962c4d58012e0f9f7d5242cb0 | False | 0.4514744840084108 | data | 6.373330140513921 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGE_CPC | 0x1733000 | 0x3aaf0 | 0x3ac00 | 24604be6155bde9b6f7ab01bc749ed69 | False | 0.4681225066489362 | data | 6.206349878247197 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGE_DRM | 0x176e000 | 0x2bc4 | 0x2c00 | b608639512b65bab3b2877421a9d89f6 | False | 0.47895951704545453 | data | 6.158097632995948 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGE_HDC | 0x1771000 | 0x4dd6 | 0x4e00 | 4ee0ba3a1bde07d674732059801fea73 | False | 0.4528245192307692 | data | 6.033294758815921 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGE_OPM | 0x1776000 | 0x1ffb | 0x2000 | 92df551961b796cf9d2db007e2db2668 | False | 0.543701171875 | data | 6.189661740412667 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGE_WSC | 0x1778000 | 0x187b | 0x1a00 | 27ca880f0d7052774ae3b01cc757d5b6 | False | 0.5396634615384616 | data | 5.9251884239975166 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGE_PRE | 0x177a000 | 0xb3d | 0xc00 | 1a1657e7fb461c1329b796d31dead555 | False | 0.3069661458333333 | data | 5.058713863308916 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGESIPC | 0x177b000 | 0xc9e0e | 0xca000 | 61403220fd8610c3dee5d17853f8055c | False | 0.3700942237778465 | data | 6.382160195086831 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEDMCC | 0x1845000 | 0x2c1e | 0x2e00 | 2148c78db6836c21b753bcf5b141d447 | False | 0.3783118206521739 | data | 5.958198698205629 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEKMDC | 0x1848000 | 0x4f3 | 0x600 | 3f7cb77be3d156f0afe0d5b58d999b55 | False | 0.486328125 | data | 5.20116175387396 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGECALC | 0x1849000 | 0x5d2c8 | 0x5d400 | 9b0b088e2af6595748befdf23809cc24 | False | 0.47777469420241286 | data | 6.36568294864826 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGED3PC | 0x18a7000 | 0xcb1a5 | 0xcb200 | f8a547147e6ee6dae8030f987a3a4bbb | False | 0.4984302884615385 | data | 6.406996937614896 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGED2PC | 0x1973000 | 0x34a90b | 0x34aa00 | 50c7c0f0ee7eb4913564f23c9b585efb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEDSIC | 0x1cbe000 | 0x178e2 | 0x17a00 | 22a0c9afa80c223f0d7807682e38f470 | False | 0.3588996362433862 | data | 5.999054982847117 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGED2IC | 0x1cd6000 | 0x32ed4 | 0x33000 | c04cb59656016ba224b168352c90281d | False | 0.2756491268382353 | data | 5.499514680547105 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEDCIC | 0x1d09000 | 0x28602d | 0x286200 | 3c7d0a3226bdf6969cd33185b39fd517 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGED3IC | 0x1f90000 | 0x476f5 | 0x47800 | cf692b443f55055eca7f9ad163eb0970 | False | 0.5221502130681818 | data | 6.336145962806078 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEKMDD | 0x1fd8000 | 0x4e8 | 0x600 | 985810e357c6059fcaf7546ec02576de | False | 0.345703125 | data | 3.38144333396146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEIVEG | 0x1fd9000 | 0x23d50 | 0x23e00 | 8e50009df9af7fd6e5736fb94caf326c | False | 0.09886079050522648 | data | 1.4133159246134206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEINAV | 0x1ffd000 | 0x305b0 | 0x30600 | d971f7cec149147517b90e7d4b54b3ce | False | 0.07680272932816537 | data | 1.4127091057372716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEINV3 | 0x202e000 | 0xd0d8 | 0xd200 | a5af639eac6df2d57df0ac80931eb337 | False | 0.10827752976190476 | data | 1.302554451923071 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEINV4 | 0x203c000 | 0x2c08 | 0x2e00 | b8b2bbc8487417b47360ede9d1308c01 | False | 0.11837635869565218 | data | 1.4037914822990756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEILEG | 0x203f000 | 0x143c0 | 0x14400 | 4d0ac1d872287d0d2e19aeea2e7a108c | False | 0.10057388117283951 | DOS executable (COM) | 1.3178426025097312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEICMN | 0x2054000 | 0x2a20 | 0x2c00 | 99c5550c4ddac3b9725261b2d69fd71e | False | 0.09596946022727272 | data | 1.273849386092808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEPPLD | 0x2057000 | 0x1d634 | 0x1d800 | e5e2601aafc1934752ba6afdfa0c599c | False | 0.15826933262711865 | Matlab v4 mat-file (little endian) \200\354, text, rows 0, columns 60416, imaginary | 3.4025692580101854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE_RW | 0x2075000 | 0x8bc9f | 0x8be00 | 48637d030a292b652c27bf55cc052161 | False | 0.4035515806523682 | data | 5.550310105258686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE_CPR | 0x2101000 | 0xe177 | 0xe200 | 315b1ad784368e5a3b0ea3daade9941e | False | 0.1991841814159292 | data | 5.33325711650069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGE_DRM | 0x2110000 | 0x66c | 0x800 | 24d3a652fa326dfa2c396b73f69a94d5 | False | 0.27294921875 | Windows Precompiled iNF, version 0.1, InfStyle 1, unicoded, at 0x50001 "", OsLoaderPath "", LanguageID c, at 0xc8002 SourcePath "", at 0xd0001 InfName "" | 4.331822617148041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGE_HDC | 0x2111000 | 0x181b | 0x1a00 | 44ca99aeb0280bfe4a3eedf5fc5064d3 | False | 0.20057091346153846 | data | 4.77621180211076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGE_OPM | 0x2113000 | 0xca5 | 0xe00 | 8f26521a11b9582afb244d3677e451f7 | False | 0.2954799107142857 | data | 4.9304481221822805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGE_WSR | 0x2114000 | 0x14c2 | 0x1600 | 11877dd4d4edb23df65f3020610a3f41 | False | 0.2732599431818182 | data | 4.032797727861805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGE_WSD | 0x2116000 | 0x158 | 0x200 | 8df5bb7f640d10843e13ff4da04b978d | False | 0.29296875 | data | 2.258623420256841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE_PRE | 0x2117000 | 0x199 | 0x200 | bce87ef823d81edb938f307b79a2a233 | False | 0.421875 | data | 4.250662337661231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGESIPD | 0x2118000 | 0x313b310 | 0x313b400 | 455180a64310dc87ba5360a827a932a0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEDMCD | 0x5254000 | 0x195b00 | 0x195c00 | 5659a35e7f9d7658344b66cc5ca38c13 | False | 0.5836028958718422 | Dyalog APL version 60.-31 | 7.097949848029832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE | 0x53ea000 | 0x18 | 0x200 | f932b21d3ac81c5a990dd8904c03c9d9 | False | 0.048828125 | data | 0.26182738835361985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGECALD | 0x53eb000 | 0x656e80 | 0x657000 | 9ce2824ff798a6e89547d1fa7839f943 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGED3PR | 0x5a42000 | 0x175328 | 0x175400 | 25d8c026126406bb48055f260de756bd | False | 0.14701811579035498 | data | 2.6932795133829446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGEDSIR | 0x5bb8000 | 0x49e8 | 0x4a00 | 575e7dcd8280b7c73a504eaf95c62b7c | False | 0.2944995777027027 | data | 4.110677025539273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGED3IR | 0x5bbd000 | 0x8446 | 0x8600 | d2a7b80ecb6c1150ee57f97458593ec8 | False | 0.2640508395522388 | DIY-Thermocam raw data (Lepton 2.x), scale 22823-17191, spot sensor temperature 3312989277567624182846380310528.000000, unit celsius, color scheme 0, calibration: offset 512.000000, slope 1162748823044675002527907840.000000 | 5.272502696230627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGED2PR | 0x5bc6000 | 0x3d5a0 | 0x3d600 | 5a9db2028f3f1e74c8ec9d28e54c0549 | False | 0.2445224987270876 | data | 5.120578428598058 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGED2PD | 0x5c04000 | 0xe788 | 0xe800 | 11ee890e1c9278f12d3527e595176035 | False | 0.36260775862068967 | data | 6.529048221491954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGED2IR | 0x5c13000 | 0x4490 | 0x4600 | a16881da2d4108a84b216b93de0c9a57 | False | 0.3684151785714286 | SysEx File - | 5.354649676187862 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGEDSID | 0x5c18000 | 0x1000 | 0x1000 | 6b93c1be9d3bf95a3ddf4fd8f56fad96 | False | 0.283203125 | data | 3.423261501700976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEDCIR | 0x5c19000 | 0xe63ba | 0xe6400 | dd634c7b35ef81250e7985c007737ce7 | False | 0.16139577395494029 | data | 3.629093682953745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGED3ID | 0x5d00000 | 0x1cdb30 | 0x1cdc00 | d96ac8b46585e7b8aae63fbc8f0a5d51 | False | 0.6345747538237683 | data | 7.014765216922408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGED3PD | 0x5ece000 | 0xcdb4 | 0xce00 | 2bd849f7cb4aedf610631e5d8abbf310 | False | 0.4199408373786408 | data | 6.281871040342414 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGEDCID | 0x5edb000 | 0x11fb0 | 0x12000 | 4eca0ba264ab75bd7e3e4489fb0d0880 | False | 0.0732421875 | GLS_BINARY_LSB_FIRST | 1.6399857755677143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGED2ID | 0x5eed000 | 0x2f8 | 0x400 | 20e66e0f12833619213a2b9ad29cb8ed | False | 0.4013671875 | data | 2.533740011728936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
INIT | 0x5eee000 | 0x24fc | 0x2600 | f59bd90f5101805f5438772b7d669797 | False | 0.3887746710526316 | data | 5.324589015965067 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x5ef1000 | 0x8fb8 | 0x9000 | 9c995af65d812b7a32bbd5c0e175a3a5 | False | 0.2690972222222222 | data | 4.218945746443118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc | 0x5efa000 | 0x55ddc | 0x55e00 | 2ca763efc44323b14eff7b507c1557f6 | False | 0.08120394377729258 | data | 5.477364165891373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
WEVT_TEMPLATE | 0x5ef1104 | 0x7b2a | data | English | United States | 0.24887408816999682
RT_MESSAGETABLE | 0x5ef8c30 | 0xfe8 | data | English | United States | 0.36714145383104124
RT_VERSION | 0x5ef9c18 | 0x3a0 | data | English | United States | 0.4644396551724138
DLL | Import
ntoskrnl.exe | IoGetDeviceProperty, ObfDereferenceObject, ZwOpenFile, ZwReadFile, ZwClose, IoGetLowerDeviceObject, rand, srand, _purecall, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlFreeUnicodeString, RtlTimeToTimeFields, KeQueryTimeIncrement, ExGetPreviousMode, ExSystemTimeToLocalTime, ZwCreateFile, ZwWriteFile, sprintf_s, KeRevertToUserAffinityThreadEx, KeSetSystemAffinityThreadEx, KeQueryMaximumProcessorCount, KeInitializeGuardedMutex, KeAcquireGuardedMutex, KeReleaseGuardedMutex, KeDeregisterBugCheckReasonCallback, KeRegisterBugCheckReasonCallback, KeSetEvent, KeWaitForMultipleObjects, sprintf, RtlCompareMemory, KeNumberProcessors, KeWaitForSingleObject, ExFreePoolWithTag, MmMapLockedPagesSpecifyCache, MmUnmapLockedPages, MmFreePagesFromMdl, RtlCopyUnicodeString, ExCreateCallback, ExNotifyCallback, ZwLoadDriver, ZwUnloadDriver, KeBugCheckEx, ProbeForRead, PsGetCurrentProcessId, __C_specific_handler, RtlCheckRegistryKey, __chkstk, strcmp, RtlWriteRegistryValue, ExRaiseStatus, ProbeForWrite, _vsnprintf, wcstombs, MmUserProbeAddress, RtlxUnicodeStringToAnsiSize, KeInitializeMutex, KeReleaseMutex, RtlInitializeBitMap, RtlClearAllBits, RtlClearBits, KeInitializeDpc, KeInsertQueueDpc, KeRemoveQueueDpc, KeSetImportanceDpc, KeInitializeEvent, KeReadStateEvent, KeAcquireSpinLockAtDpcLevel, KeAcquireSpinLockRaiseToDpc, KeReleaseSpinLock, KeReleaseSpinLockFromDpcLevel, IoBuildSynchronousFsdRequest, IofCallDriver, IoGetAttachedDeviceReference, IoOpenDeviceRegistryKey, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeReleaseInStackQueuedSpinLockFromDpcLevel, RtlFindClearBitsAndSet, wcscat_s, wcscpy_s, wcsnlen, KeLowerIrql, KfRaiseIrql, KeClearEvent, ExInterlockedInsertHeadList, ExInterlockedInsertTailList, ExInterlockedRemoveHeadList, ExQueryDepthSList, ExpInterlockedPopEntrySList, ExpInterlockedPushEntrySList, ExDeleteNPagedLookasideList, ExInitializePagedLookasideList, ExDeletePagedLookasideList, 
MmLockPagableDataSection, MmUnlockPagableImageSection, PsCreateSystemThread, PsTerminateSystemThread, ObReferenceObjectByHandle, MmGetPhysicalAddress, PsGetCurrentThreadId, tolower, strcpy_s, strcat_s, strncmp, strstr, wcsstr, RtlUnicodeStringToInteger, RtlQueryRegistryValues, RtlDeleteRegistryValue, RtlUnicodeStringToAnsiString, RtlAppendUnicodeStringToString, KeAreAllApcsDisabled, ExAcquireFastMutex, ExReleaseFastMutex, ExInitializeNPagedLookasideList, MmProbeAndLockPages, MmUnlockPages, MmMapIoSpace, MmUnmapIoSpace, IoAllocateErrorLogEntry, IoAllocateMdl, IoBuildDeviceIoControlRequest, IoCreateNotificationEvent, IoCreateSynchronizationEvent, IoFreeMdl, IoGetDeviceObjectPointer, IoWriteErrorLogEntry, IoWMIOpenBlock, IoWMIQueryAllData, EtwRegister, EtwUnregister, EtwWrite, EtwWriteTransfer, IoRegisterDeviceInterface, IoGetDevicePropertyData, PoRegisterPowerSettingCallback, PoUnregisterPowerSettingCallback, ObfReferenceObject, ZwQueryInformationFile, ZwSetInformationFile, ZwOpenKey, ZwEnumerateKey, ZwQueryValueKey, IoWMIRegistrationControl, ExUuidCreate, PsSetLoadImageNotifyRoutine, PsRemoveLoadImageNotifyRoutine, IoVolumeDeviceToDosName, ZwPowerInformation, PsReferencePrimaryToken, PsLookupProcessByProcessId, IoGetAttachedDevice, IoEnumerateDeviceObjectList, ObOpenObjectByPointer, ZwDeleteFile, ZwQueryInformationToken, _vsnwprintf, mbstowcs, PsGetProcessImageFileName, ZwInitiatePowerAction, PsProcessType, RtlAppendUnicodeToString, KeTryToAcquireSpinLockAtDpcLevel, IoAllocateIrp, IoFreeIrp, IoRegisterPlugPlayNotification, IoUnregisterPlugPlayNotificationEx, ExRegisterCallback, ExUnregisterCallback, ObDereferenceObjectDeferDelete, IoDeleteDevice, PsSetCreateProcessNotifyRoutineEx, FsRtlDissectName, _wcsicmp, RtlEqualUnicodeString, RtlUpcaseUnicodeChar, RtlDowncaseUnicodeChar, IoGetCurrentProcess, KdRefreshDebuggerNotPresent, IoAllocateWorkItem, IoFreeWorkItem, IoQueueWorkItem, _wcsnicmp, IoCreateDevice, ObReferenceObjectByName, IoDriverObjectType, wcsrchr, 
RtlCreateRegistryKey, MmAllocatePagesForMdlEx, IoUnregisterPlugPlayNotification, swprintf, swscanf_s, ExAllocatePoolWithTag, ZwOpenProcess, _stricmp, PsGetProcessId, PsInitialSystemProcess, RtlInitString, RtlEqualString, ZwTerminateProcess, IoDetachDevice, IoInitializeRemoveLockEx, IoAcquireRemoveLockEx, IoReleaseRemoveLockEx, ZwQueryKey, IoAttachDeviceToDeviceStackSafe, RtlPrefixUnicodeString, RtlFreeAnsiString, KeResetEvent, KeSetPriorityThread, PsThreadType, _wcslwr, IoCancelIrp, IoSetDeviceInterfaceState, IoGetDeviceInterfaces, ZwQueryObject, IoFileObjectType, wcsncpy_s, MmAllocateMdlForIoSpace, MmAllocateContiguousMemorySpecifyCache, MmFreeContiguousMemory, ExEventObjectType, RtlCaptureStackBackTrace, ZwQueryDirectoryFile, KeDelayExecutionThread, KeQuerySystemTimePrecise, strnlen, strtok_s, KeInitializeSemaphore, KeReleaseSemaphore, MmAllocatePagesForMdl, vsprintf_s, KeSetTimer, KeCancelTimer, _snprintf, ExSetTimer, ExDeleteTimer, ExAllocateTimer, KeInitializeTimerEx, strncpy, KeSetTimerEx, KeFlushQueuedDpcs, RtlIsNtDdiVersionAvailable, RtlAreBitsSet, RtlCompareString, IoBuildPartialMdl, KeStackAttachProcess, KeUnstackDetachProcess, MmBuildMdlForNonPagedPool, KeInitializeTimer, RtlClearBit, RtlSetBits, RtlNumberOfClearBits, RtlNumberOfSetBits, RtlAreBitsClear, RtlFindNextForwardRunClear, RtlInt64ToUnicodeString, ZwQueryInformationProcess, ExFreePool, KeEnterCriticalRegion, KeLeaveCriticalRegion, KeInitializeSpinLock, ExInitializePushLock, ExAcquirePushLockExclusiveEx, ExAcquirePushLockSharedEx, ExReleasePushLockExclusiveEx, ExReleasePushLockSharedEx, IoSizeofWorkItem, IoInitializeWorkItem, IoUninitializeWorkItem, InitializeSListHead, ExpInterlockedFlushSList, IoReuseIrp, PsGetProcessCreateTimeQuadPart, RtlSetBit, ExInitializeRundownProtection, ExReInitializeRundownProtection, ExAcquireRundownProtection, ExReleaseRundownProtection, ExRundownCompleted, ExWaitForRundownProtectionRelease, wcschr, IoUnregisterShutdownNotification, IoRegisterShutdownNotification, 
IofCompleteRequest, KeGetCurrentIrql, RtlGetVersion, DbgPrintEx, RtlCompareUnicodeString, MmGetSystemRoutineAddress, ZwSetValueKey, RtlInitUnicodeString, RtlRaiseException, PsGetVersion, ExAllocatePoolWithQuotaTag, ZwQuerySystemInformation, RtlIntegerToUnicodeString
HAL.dll | KeStallExecutionProcessor, HalSetBusDataByOffset, HalGetBusDataByOffset, KeQueryPerformanceCounter
NETIO.SYS | WskCaptureProviderNPI, WskReleaseProviderNPI, WskDeregister, WskRegister
Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found
No statistics
No system behavior
No disassembly