Windows
Analysis Report
amdkmdag.sys
Overview
General Information
Sample name: | amdkmdag.sys |
Analysis ID: | 1457287 |
MD5: | 9be45268521378908a11c849dcb1cbed |
SHA1: | 1265241c04b8ec278a5470139b0f461b4aca417b |
SHA256: | 27ec1868de6789c51a0c8a7f5b761ddbc44f42b73fc31b44ccf811628b859ed5 |
Errors: | none listed |
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
The score is a static-only result. The sample is a native-subsystem kernel driver, the default cookbook (default.jbs) found no process to monitor ("No process behavior to analyse", below) and no driver was loaded during the run (Number of new started drivers analysed: 0), so the low score reflects the absence of static indicators, not observed runtime behaviour.
Signatures
Classification
There are no malicious signatures.
The 98 signature evidence rows (sources: Static PE information, Binary string, Binary or memory string, String found in binary or memory, Classification label, Static file information) were exported without their text.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Only the cell carrying a count is a match: one signature mapped to Security Software Discovery (Discovery tactic). The remaining cells are the unpopulated first row of the ATT&CK matrix, not techniques observed in this sample.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1457287 |
Start date and time: | 2024-06-14 15:08:02 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | amdkmdag.sys |
Detection: | UNKNOWN |
Classification: | unknown1.winSYS@0/0@0/0 |
Cookbook Comments: |
- No process behavior to analyse as no analysis process or sample was found - Corrupt sample or wrongly selected analyzer. Details: unsuccessful
- Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
File type: | |
Entropy (8bit): | 4.8724203807221445 |
TrID: | |
File name: | amdkmdag.sys |
File size: | 99'613'832 bytes |
MD5: | 9be45268521378908a11c849dcb1cbed |
SHA1: | 1265241c04b8ec278a5470139b0f461b4aca417b |
SHA256: | 27ec1868de6789c51a0c8a7f5b761ddbc44f42b73fc31b44ccf811628b859ed5 |
SHA512: | e94bc82095d0c5940c2e1b7aadfe7408dd4704d82605d7770c948771492919199a0389a4776eba9fd2288ef327d38e8783b42ac98e828cde9b46eda0971611c0 |
SSDEEP: | 393216:4rwApLN1IL5UT7iHVMZp9Nq+5h/w/i+4uA47b9e1c17hzsv8wm6:8+6Zp9Q4ut7b9j17hzsv8wm6 |
TLSH: | 8A288C06B62509D4D3B681F44E96E62AE660B8D7138133C35293562B4F27ED0ADF63F3 |
File Content Preview: | MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........z.....F...F...F...F...F.c.G...F...F...F.c.G...F.c.G...F...F...F.c.G...F.c.G...F.cYF...FKlfF...F4b.G...F4b.G9..F4b.G...F4b.G... |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x1400f06f0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | native |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT |
Time Stamp: | 0x6626DBFD [Mon Apr 22 21:51:57 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 864085801bb25611252bb52ef85cb33d |
Signature Valid: | true |
Signature Issuer: | CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
"Signature Valid: true" means the Authenticode signature the sandbox examined verified against a trusted chain; it does not say whether the kernel would load the file. Windows 10 x64 (1607 and later) with Secure Boot enabled generally accepts a kernel-mode driver only when one of its signatures chains to Microsoft (Microsoft Windows Hardware Compatibility Publisher, EKU 1.3.6.1.4.1.311.10.3.5 or the attestation variant 1.3.6.1.4.1.311.10.3.5.1), and this image is marked FORCE_INTEGRITY, so the loader rejects it if that check fails. A Sectigo-issued code-signing certificate is a publisher signature; signed drivers commonly carry more than one signature, so enumerate all of them (for example signtool verify /v /all /kp) rather than relying on the single issuer shown here.
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | CF7DA446A473FFD6539BDD4995AB2C66 |
Thumbprint SHA-1: | 26F54EE84758BA716117321707BB08B3274A578A |
Thumbprint SHA-256: | EDE1F937EACB0078A2D7F2DF67D349009893E1F4A10F41C9A2A051FED833C948 |
Serial: | 535091E6CAB13AF393B51EAD0825F627 |
The sandbox decoded this x64 entry point with a 32-bit disassembler, so every REX prefix (bytes 40h-4Fh) was printed as a spurious inc/dec and the 64-bit registers as their 32-bit halves. The listing below re-reads the same bytes as x64. RIP-relative operands, which the 32-bit decoder printed as absolute addresses (00FC5E45h, 013A4462h, 00AFF5DEh, 00B021B5h), are shown as [rip+rel32]; branch targets are kept as the sandbox printed them. The sequence is a standard DriverEntry prologue: /GS stack-cookie set-up, null checks on the two arguments (DriverObject in rcx, RegistryPath in rdx), the DriverObject pointer saved to a global, then DriverObject->DriverName (UNICODE_STRING: Length at +38h, Buffer at +40h) copied one WCHAR at a time into a fixed global buffer with a 0C8h-byte bound and a terminating null.
Instruction |
---|
push rbp |
push rbx |
push r14 |
lea rbp, qword ptr [rsp-00000510h] |
sub rsp, 00000610h |
mov rax, qword ptr [rip+rel32] ; /GS cookie (listed as [00FC5E45h]) |
xor rax, rsp |
mov qword ptr [rbp+000004F0h], rax |
mov r14, rdx |
mov rbx, rcx |
test rcx, rcx |
je 00007FA5DC6554A9h |
test rdx, rdx |
je 00007FA5DC6554A0h |
mov qword ptr [rsp+00000648h], rdi |
xor edi, edi |
mov qword ptr [rip+rel32], rcx ; DriverObject saved to a global (listed as [013A4462h]) |
movzx ecx, word ptr [rcx+38h] ; DriverName.Length |
test cx, cx |
je 00007FA5DC654976h |
lea r8, qword ptr [rip+rel32] ; destination WCHAR buffer (listed as [00AFF5DEh]) |
mov edx, edi |
test ecx, FFFFFFFEh |
jbe 00007FA5DC654887h |
nop dword ptr [rax+00h] |
mov eax, edx |
inc edx |
lea rcx, qword ptr [rax+rax] |
mov rax, qword ptr [rbx+40h] ; DriverName.Buffer |
movzx eax, word ptr [rcx+rax] |
mov word ptr [rcx+r8], ax |
movzx ecx, word ptr [rbx+38h] |
mov eax, ecx |
shr eax, 1 |
cmp edx, eax |
jc 00007FA5DC654841h |
movzx eax, cx |
and rax, FFFFFFFFFFFFFFFEh |
cmp rax, 000000C8h |
jnc 00007FA5DC655440h |
mov rdx, qword ptr [rip+rel32] ; (listed as [00B021B5h]) |
mov rcx, FFFFFFFFFFFFFFFFh |
mov word ptr [rax+r8], di ; terminating null |
mov rax, rcx |
nop word ptr [rax+rax+00h] |
inc rax |
cmp word ptr [rdx+rax*2], di |
Programming Language: | |
Data directories. The SECURITY entry is the one directory whose "Virtual Address" is a raw file offset rather than an RVA, which is why it maps to no section. Here 0x5ef8400 + 0x7888 = 0x5effc88 = 99'613'832, exactly the file size, so the Authenticode certificate table is the last 30'856 bytes of the file and nothing has been appended after it.
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5eee000 | 0x50 | INIT |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5ef1000 | 0x8fb8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x14ce000 | 0xce7cc | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5ef8400 | 0x7888 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5efa000 | 0x55ddc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb540b0 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb53f70 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x700000 | 0x9b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Section table. "unknown" in the Xored PE, ZLIB Complexity, File Type and Entropy columns means the sandbox skipped those computations for that section; it appears to do so for the sections above roughly 2 MB of raw data (.text, .rdata, .data, PAGED2PC, PAGEDCIC, PAGESIPD, PAGECALD). The File Type column is a libmagic guess over the raw section bytes, so labels such as "PEX Binary Archive", "Dyalog APL", "Matlab v4 mat-file", "DIY-Thermocam raw data" or "Windows Precompiled iNF" are noise, not embedded files. No section is both writable and executable; the PAGE* sections are the driver's pageable code (EXECUTE, READ) and pageable data (READ, WRITE), and INIT is the discardable initialisation code.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6fe574 | 0x6fe600 | 0aed33e6c87bab4e3e72c14755b963cb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x700000 | 0x4ed45c | 0x4ed600 | c49da7d71f2adecb3af985ccf1a62ded | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
.data | 0xbee000 | 0x8dfae4 | 0x8a2600 | 9ec770bcb229d1a980ce6577b7b3aa46 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x14ce000 | 0xce7cc | 0xce800 | b3f79338921567b7b4afdb4e892a593c | False | 0.48945052398607747 | PEX Binary Archive | 6.727024150856774 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ |
KMDDKFQT | 0x159d000 | 0x20 | 0x200 | 4c023024ceb6894dad44f1ad65b3b6ba | False | 0.05078125 | data | 0.13334887849621524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGE_COM | 0x159e000 | 0x78abc | 0x78c00 | 66d9c23c69db4b872b8529944396dac7 | False | 0.46412800854037267 | data | 6.260253415088313 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGE | 0x1617000 | 0x899 | 0xa00 | 6f8f4d64e679a1973e7ff0d1f8ae3eb9 | False | 0.5859375 | data | 5.718485206624633 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGEPPLC | 0x1618000 | 0x11a43f | 0x11a600 | ccaa8e2962c4d58012e0f9f7d5242cb0 | False | 0.4514744840084108 | data | 6.373330140513921 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGE_CPC | 0x1733000 | 0x3aaf0 | 0x3ac00 | 24604be6155bde9b6f7ab01bc749ed69 | False | 0.4681225066489362 | data | 6.206349878247197 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGE_DRM | 0x176e000 | 0x2bc4 | 0x2c00 | b608639512b65bab3b2877421a9d89f6 | False | 0.47895951704545453 | data | 6.158097632995948 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGE_HDC | 0x1771000 | 0x4dd6 | 0x4e00 | 4ee0ba3a1bde07d674732059801fea73 | False | 0.4528245192307692 | data | 6.033294758815921 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGE_OPM | 0x1776000 | 0x1ffb | 0x2000 | 92df551961b796cf9d2db007e2db2668 | False | 0.543701171875 | data | 6.189661740412667 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGE_WSC | 0x1778000 | 0x187b | 0x1a00 | 27ca880f0d7052774ae3b01cc757d5b6 | False | 0.5396634615384616 | data | 5.9251884239975166 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGE_PRE | 0x177a000 | 0xb3d | 0xc00 | 1a1657e7fb461c1329b796d31dead555 | False | 0.3069661458333333 | data | 5.058713863308916 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGESIPC | 0x177b000 | 0xc9e0e | 0xca000 | 61403220fd8610c3dee5d17853f8055c | False | 0.3700942237778465 | data | 6.382160195086831 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGEDMCC | 0x1845000 | 0x2c1e | 0x2e00 | 2148c78db6836c21b753bcf5b141d447 | False | 0.3783118206521739 | data | 5.958198698205629 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGEKMDC | 0x1848000 | 0x4f3 | 0x600 | 3f7cb77be3d156f0afe0d5b58d999b55 | False | 0.486328125 | data | 5.20116175387396 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGECALC | 0x1849000 | 0x5d2c8 | 0x5d400 | 9b0b088e2af6595748befdf23809cc24 | False | 0.47777469420241286 | data | 6.36568294864826 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGED3PC | 0x18a7000 | 0xcb1a5 | 0xcb200 | f8a547147e6ee6dae8030f987a3a4bbb | False | 0.4984302884615385 | data | 6.406996937614896 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGED2PC | 0x1973000 | 0x34a90b | 0x34aa00 | 50c7c0f0ee7eb4913564f23c9b585efb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGEDSIC | 0x1cbe000 | 0x178e2 | 0x17a00 | 22a0c9afa80c223f0d7807682e38f470 | False | 0.3588996362433862 | data | 5.999054982847117 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGED2IC | 0x1cd6000 | 0x32ed4 | 0x33000 | c04cb59656016ba224b168352c90281d | False | 0.2756491268382353 | data | 5.499514680547105 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGEDCIC | 0x1d09000 | 0x28602d | 0x286200 | 3c7d0a3226bdf6969cd33185b39fd517 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGED3IC | 0x1f90000 | 0x476f5 | 0x47800 | cf692b443f55055eca7f9ad163eb0970 | False | 0.5221502130681818 | data | 6.336145962806078 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
PAGEKMDD | 0x1fd8000 | 0x4e8 | 0x600 | 985810e357c6059fcaf7546ec02576de | False | 0.345703125 | data | 3.38144333396146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEIVEG | 0x1fd9000 | 0x23d50 | 0x23e00 | 8e50009df9af7fd6e5736fb94caf326c | False | 0.09886079050522648 | data | 1.4133159246134206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEINAV | 0x1ffd000 | 0x305b0 | 0x30600 | d971f7cec149147517b90e7d4b54b3ce | False | 0.07680272932816537 | data | 1.4127091057372716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEINV3 | 0x202e000 | 0xd0d8 | 0xd200 | a5af639eac6df2d57df0ac80931eb337 | False | 0.10827752976190476 | data | 1.302554451923071 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEINV4 | 0x203c000 | 0x2c08 | 0x2e00 | b8b2bbc8487417b47360ede9d1308c01 | False | 0.11837635869565218 | data | 1.4037914822990756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEILEG | 0x203f000 | 0x143c0 | 0x14400 | 4d0ac1d872287d0d2e19aeea2e7a108c | False | 0.10057388117283951 | DOS executable (COM) | 1.3178426025097312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEICMN | 0x2054000 | 0x2a20 | 0x2c00 | 99c5550c4ddac3b9725261b2d69fd71e | False | 0.09596946022727272 | data | 1.273849386092808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEPPLD | 0x2057000 | 0x1d634 | 0x1d800 | e5e2601aafc1934752ba6afdfa0c599c | False | 0.15826933262711865 | Matlab v4 mat-file (little endian) \200\354, text, rows 0, columns 60416, imaginary | 3.4025692580101854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGE_RW | 0x2075000 | 0x8bc9f | 0x8be00 | 48637d030a292b652c27bf55cc052161 | False | 0.4035515806523682 | data | 5.550310105258686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGE_CPR | 0x2101000 | 0xe177 | 0xe200 | 315b1ad784368e5a3b0ea3daade9941e | False | 0.1991841814159292 | data | 5.33325711650069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGE_DRM | 0x2110000 | 0x66c | 0x800 | 24d3a652fa326dfa2c396b73f69a94d5 | False | 0.27294921875 | Windows Precompiled iNF, version 0.1, InfStyle 1, unicoded, at 0x50001 "", OsLoaderPath "", LanguageID c, at 0xc8002 SourcePath "", at 0xd0001 InfName "" | 4.331822617148041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGE_HDC | 0x2111000 | 0x181b | 0x1a00 | 44ca99aeb0280bfe4a3eedf5fc5064d3 | False | 0.20057091346153846 | data | 4.77621180211076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGE_OPM | 0x2113000 | 0xca5 | 0xe00 | 8f26521a11b9582afb244d3677e451f7 | False | 0.2954799107142857 | data | 4.9304481221822805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGE_WSR | 0x2114000 | 0x14c2 | 0x1600 | 11877dd4d4edb23df65f3020610a3f41 | False | 0.2732599431818182 | data | 4.032797727861805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGE_WSD | 0x2116000 | 0x158 | 0x200 | 8df5bb7f640d10843e13ff4da04b978d | False | 0.29296875 | data | 2.258623420256841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGE_PRE | 0x2117000 | 0x199 | 0x200 | bce87ef823d81edb938f307b79a2a233 | False | 0.421875 | data | 4.250662337661231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGESIPD | 0x2118000 | 0x313b310 | 0x313b400 | 455180a64310dc87ba5360a827a932a0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEDMCD | 0x5254000 | 0x195b00 | 0x195c00 | 5659a35e7f9d7658344b66cc5ca38c13 | False | 0.5836028958718422 | Dyalog APL version 60.-31 | 7.097949848029832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGE | 0x53ea000 | 0x18 | 0x200 | f932b21d3ac81c5a990dd8904c03c9d9 | False | 0.048828125 | data | 0.26182738835361985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGECALD | 0x53eb000 | 0x656e80 | 0x657000 | 9ce2824ff798a6e89547d1fa7839f943 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGED3PR | 0x5a42000 | 0x175328 | 0x175400 | 25d8c026126406bb48055f260de756bd | False | 0.14701811579035498 | data | 2.6932795133829446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGEDSIR | 0x5bb8000 | 0x49e8 | 0x4a00 | 575e7dcd8280b7c73a504eaf95c62b7c | False | 0.2944995777027027 | data | 4.110677025539273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGED3IR | 0x5bbd000 | 0x8446 | 0x8600 | d2a7b80ecb6c1150ee57f97458593ec8 | False | 0.2640508395522388 | DIY-Thermocam raw data (Lepton 2.x), scale 22823-17191, spot sensor temperature 3312989277567624182846380310528.000000, unit celsius, color scheme 0, calibration: offset 512.000000, slope 1162748823044675002527907840.000000 | 5.272502696230627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGED2PR | 0x5bc6000 | 0x3d5a0 | 0x3d600 | 5a9db2028f3f1e74c8ec9d28e54c0549 | False | 0.2445224987270876 | data | 5.120578428598058 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGED2PD | 0x5c04000 | 0xe788 | 0xe800 | 11ee890e1c9278f12d3527e595176035 | False | 0.36260775862068967 | data | 6.529048221491954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGED2IR | 0x5c13000 | 0x4490 | 0x4600 | a16881da2d4108a84b216b93de0c9a57 | False | 0.3684151785714286 | SysEx File - | 5.354649676187862 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGEDSID | 0x5c18000 | 0x1000 | 0x1000 | 6b93c1be9d3bf95a3ddf4fd8f56fad96 | False | 0.283203125 | data | 3.423261501700976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEDCIR | 0x5c19000 | 0xe63ba | 0xe6400 | dd634c7b35ef81250e7985c007737ce7 | False | 0.16139577395494029 | data | 3.629093682953745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
PAGED3ID | 0x5d00000 | 0x1cdb30 | 0x1cdc00 | d96ac8b46585e7b8aae63fbc8f0a5d51 | False | 0.6345747538237683 | data | 7.014765216922408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGED3PD | 0x5ece000 | 0xcdb4 | 0xce00 | 2bd849f7cb4aedf610631e5d8abbf310 | False | 0.4199408373786408 | data | 6.281871040342414 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGEDCID | 0x5edb000 | 0x11fb0 | 0x12000 | 4eca0ba264ab75bd7e3e4489fb0d0880 | False | 0.0732421875 | GLS_BINARY_LSB_FIRST | 1.6399857755677143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
PAGED2ID | 0x5eed000 | 0x2f8 | 0x400 | 20e66e0f12833619213a2b9ad29cb8ed | False | 0.4013671875 | data | 2.533740011728936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
INIT | 0x5eee000 | 0x24fc | 0x2600 | f59bd90f5101805f5438772b7d669797 | False | 0.3887746710526316 | data | 5.324589015965067 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x5ef1000 | 0x8fb8 | 0x9000 | 9c995af65d812b7a32bbd5c0e175a3a5 | False | 0.2690972222222222 | data | 4.218945746443118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.reloc | 0x5efa000 | 0x55ddc | 0x55e00 | 2ca763efc44323b14eff7b507c1557f6 | False | 0.08120394377729258 | data | 5.477364165891373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
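The layout facts above can be checked rather than read off the tables. The following Python is an added example (not part of the Joe Sandbox report or of the driver): it reproduces the "Is in Section" mapping of the data directories, scans for writable-and-executable sections, confirms that the certificate table is the 8-byte-aligned tail of the file, and walks the WIN_CERTIFICATE entries a security directory is made of. SECTIONS and DIRECTORIES are a constructed subset copied from the two tables above; SAMPLE_CERT_BLOB is a constructed two-entry stand-in, not the driver's real certificate table.

```python
"""Static PE layout triage on the header fields as this report lists them.
Added example, not part of the Joe Sandbox report or of the driver. SECTIONS and
DIRECTORIES are a constructed subset copied from the tables above; SAMPLE_CERT_BLOB
is a constructed two-entry stand-in, not the driver's real certificate table."""
import struct
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h), named as the report prints them.
SCN_FLAGS = {
    "IMAGE_SCN_CNT_CODE": 0x00000020, "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_MEM_DISCARDABLE": 0x02000000, "IMAGE_SCN_MEM_NOT_PAGED": 0x08000000,
    "IMAGE_SCN_MEM_EXECUTE": 0x20000000, "IMAGE_SCN_MEM_READ": 0x40000000,
    "IMAGE_SCN_MEM_WRITE": 0x80000000,
}
WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0200, 0x0002
Section = namedtuple("Section", "name rva vsize raw_size flags")


def parse_flags(text: str) -> int:
    """Convert the report's comma-separated Characteristics string to a bitmask."""
    return sum(SCN_FLAGS[name.strip()] for name in text.split(","))


def section_for_rva(sections: List[Section], rva: int) -> Optional[str]:
    """Section containing an RVA, or None (reproduces the 'Is in Section' column).
    The loader maps the larger of VirtualSize and SizeOfRawData, so test that extent."""
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            return s.name
    return None


def writable_executable(sections: List[Section]) -> List[str]:
    """Sections mapped both writable and executable; none is expected in a signed driver."""
    wx = SCN_FLAGS["IMAGE_SCN_MEM_EXECUTE"] | SCN_FLAGS["IMAGE_SCN_MEM_WRITE"]
    return [s.name for s in sections if (s.flags & wx) == wx]


def map_directories(sections: List[Section],
                    directories: Dict[str, Tuple[int, int]]) -> Dict[str, Optional[str]]:
    """Map each non-empty directory to its section. SECURITY is skipped on purpose: its
    'Virtual Address' is a raw file offset, so it never lies inside a section."""
    return {name: None if size == 0 or name == "IMAGE_DIRECTORY_ENTRY_SECURITY"
            else section_for_rva(sections, va)
            for name, (va, size) in directories.items()}


def certificate_table_is_trailing(offset: int, size: int, file_size: int) -> bool:
    """Authenticode keeps the certificate table, 8-byte aligned, as the last bytes of the
    file; a mismatch means appended data or a header that disagrees with the file."""
    return size > 0 and offset % 8 == 0 and offset + size == file_size


def parse_certificate_table(blob: bytes) -> List[Tuple[int, int, int]]:
    """Walk WIN_CERTIFICATE entries (DWORD dwLength incl. header, WORD wRevision, WORD
    wCertificateType, bCertificate; each padded to 8 bytes) -> (type, revision, length)."""
    entries, off = [], 0
    while off + 8 <= len(blob):
        length, revision, cert_type = struct.unpack_from("<IHH", blob, off)
        if length < 8 or off + length > len(blob):
            raise ValueError(f"corrupt WIN_CERTIFICATE header at offset {off:#x}")
        entries.append((cert_type, revision, length))
        off += (length + 7) & ~7
    return entries


F = parse_flags  # constructed subset of the section table above
SECTIONS = [
    Section(".text", 0x1000, 0x6fe574, 0x6fe600, F("IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ")),
    Section(".rdata", 0x700000, 0x4ed45c, 0x4ed600, F("IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ")),
    Section(".data", 0xbee000, 0x8dfae4, 0x8a2600, F("IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE")),
    Section(".pdata", 0x14ce000, 0xce7cc, 0xce800, F("IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ")),
    Section("INIT", 0x5eee000, 0x24fc, 0x2600, F("IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ")),
    Section(".rsrc", 0x5ef1000, 0x8fb8, 0x9000, F("IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ")),
    Section(".reloc", 0x5efa000, 0x55ddc, 0x55e00, F("IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ")),
]
DIRECTORIES = {  # (Virtual Address, Virtual Size) from the data-directory table above
    "IMAGE_DIRECTORY_ENTRY_IMPORT": (0x5eee000, 0x50),
    "IMAGE_DIRECTORY_ENTRY_RESOURCE": (0x5ef1000, 0x8fb8),
    "IMAGE_DIRECTORY_ENTRY_EXCEPTION": (0x14ce000, 0xce7cc),
    "IMAGE_DIRECTORY_ENTRY_SECURITY": (0x5ef8400, 0x7888),  # raw file offset, not an RVA
    "IMAGE_DIRECTORY_ENTRY_BASERELOC": (0x5efa000, 0x55ddc),
    "IMAGE_DIRECTORY_ENTRY_DEBUG": (0xb540b0, 0x70),
    "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG": (0xb53f70, 0x140),
    "IMAGE_DIRECTORY_ENTRY_IAT": (0x700000, 0x9b0),
}
FILE_SIZE, IMAGE_BASE, ENTRY_POINT = 99_613_832, 0x140000000, 0x1400f06f0
# Constructed: two minimal WIN_CERTIFICATE entries (13 and 12 bytes, each padded to 16).
SAMPLE_CERT_BLOB = (
    struct.pack("<IHH", 13, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    + b"\x30\x82\x00\x01\x00" + b"\x00" * 3
    + struct.pack("<IHH", 12, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    + b"\x30\x80\x00\x00" + b"\x00" * 4
)


def triage() -> dict:
    """The checks a reviewer would run against the report's header tables."""
    return {
        "entry_section": section_for_rva(SECTIONS, ENTRY_POINT - IMAGE_BASE),
        "directories": map_directories(SECTIONS, DIRECTORIES),
        "wx_sections": writable_executable(SECTIONS),
        "cert_table_trailing": certificate_table_is_trailing(*DIRECTORIES["IMAGE_DIRECTORY_ENTRY_SECURITY"], FILE_SIZE),
        "cert_entries": parse_certificate_table(SAMPLE_CERT_BLOB),
    }


if __name__ == "__main__":
    print(triage())
```

On a real file the same functions take the section headers and data directories parsed from the image and the security-directory bytes read at the reported file offset; the trailing-table check is worth running before trusting any "Signature Valid" verdict, because a header that disagrees with the file is the first sign of an image that has been tampered with after signing.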
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
WEVT_TEMPLATE | 0x5ef1104 | 0x7b2a | data | English | United States | 0.24887408816999682 |
RT_MESSAGETABLE | 0x5ef8c30 | 0xfe8 | data | English | United States | 0.36714145383104124 |
RT_VERSION | 0x5ef9c18 | 0x3a0 | data | English | United States | 0.4644396551724138 |
DLL | Import |
---|---|
ntoskrnl.exe | IoGetDeviceProperty, ObfDereferenceObject, ZwOpenFile, ZwReadFile, ZwClose, IoGetLowerDeviceObject, rand, srand, _purecall, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlFreeUnicodeString, RtlTimeToTimeFields, KeQueryTimeIncrement, ExGetPreviousMode, ExSystemTimeToLocalTime, ZwCreateFile, ZwWriteFile, sprintf_s, KeRevertToUserAffinityThreadEx, KeSetSystemAffinityThreadEx, KeQueryMaximumProcessorCount, KeInitializeGuardedMutex, KeAcquireGuardedMutex, KeReleaseGuardedMutex, KeDeregisterBugCheckReasonCallback, KeRegisterBugCheckReasonCallback, KeSetEvent, KeWaitForMultipleObjects, sprintf, RtlCompareMemory, KeNumberProcessors, KeWaitForSingleObject, ExFreePoolWithTag, MmMapLockedPagesSpecifyCache, MmUnmapLockedPages, MmFreePagesFromMdl, RtlCopyUnicodeString, ExCreateCallback, ExNotifyCallback, ZwLoadDriver, ZwUnloadDriver, KeBugCheckEx, ProbeForRead, PsGetCurrentProcessId, __C_specific_handler, RtlCheckRegistryKey, __chkstk, strcmp, RtlWriteRegistryValue, ExRaiseStatus, ProbeForWrite, _vsnprintf, wcstombs, MmUserProbeAddress, RtlxUnicodeStringToAnsiSize, KeInitializeMutex, KeReleaseMutex, RtlInitializeBitMap, RtlClearAllBits, RtlClearBits, KeInitializeDpc, KeInsertQueueDpc, KeRemoveQueueDpc, KeSetImportanceDpc, KeInitializeEvent, KeReadStateEvent, KeAcquireSpinLockAtDpcLevel, KeAcquireSpinLockRaiseToDpc, KeReleaseSpinLock, KeReleaseSpinLockFromDpcLevel, IoBuildSynchronousFsdRequest, IofCallDriver, IoGetAttachedDeviceReference, IoOpenDeviceRegistryKey, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeReleaseInStackQueuedSpinLockFromDpcLevel, RtlFindClearBitsAndSet, wcscat_s, wcscpy_s, wcsnlen, KeLowerIrql, KfRaiseIrql, KeClearEvent, ExInterlockedInsertHeadList, ExInterlockedInsertTailList, ExInterlockedRemoveHeadList, ExQueryDepthSList, ExpInterlockedPopEntrySList, ExpInterlockedPushEntrySList, ExDeleteNPagedLookasideList, ExInitializePagedLookasideList, ExDeletePagedLookasideList, 
MmLockPagableDataSection, MmUnlockPagableImageSection, PsCreateSystemThread, PsTerminateSystemThread, ObReferenceObjectByHandle, MmGetPhysicalAddress, PsGetCurrentThreadId, tolower, strcpy_s, strcat_s, strncmp, strstr, wcsstr, RtlUnicodeStringToInteger, RtlQueryRegistryValues, RtlDeleteRegistryValue, RtlUnicodeStringToAnsiString, RtlAppendUnicodeStringToString, KeAreAllApcsDisabled, ExAcquireFastMutex, ExReleaseFastMutex, ExInitializeNPagedLookasideList, MmProbeAndLockPages, MmUnlockPages, MmMapIoSpace, MmUnmapIoSpace, IoAllocateErrorLogEntry, IoAllocateMdl, IoBuildDeviceIoControlRequest, IoCreateNotificationEvent, IoCreateSynchronizationEvent, IoFreeMdl, IoGetDeviceObjectPointer, IoWriteErrorLogEntry, IoWMIOpenBlock, IoWMIQueryAllData, EtwRegister, EtwUnregister, EtwWrite, EtwWriteTransfer, IoRegisterDeviceInterface, IoGetDevicePropertyData, PoRegisterPowerSettingCallback, PoUnregisterPowerSettingCallback, ObfReferenceObject, ZwQueryInformationFile, ZwSetInformationFile, ZwOpenKey, ZwEnumerateKey, ZwQueryValueKey, IoWMIRegistrationControl, ExUuidCreate, PsSetLoadImageNotifyRoutine, PsRemoveLoadImageNotifyRoutine, IoVolumeDeviceToDosName, ZwPowerInformation, PsReferencePrimaryToken, PsLookupProcessByProcessId, IoGetAttachedDevice, IoEnumerateDeviceObjectList, ObOpenObjectByPointer, ZwDeleteFile, ZwQueryInformationToken, _vsnwprintf, mbstowcs, PsGetProcessImageFileName, ZwInitiatePowerAction, PsProcessType, RtlAppendUnicodeToString, KeTryToAcquireSpinLockAtDpcLevel, IoAllocateIrp, IoFreeIrp, IoRegisterPlugPlayNotification, IoUnregisterPlugPlayNotificationEx, ExRegisterCallback, ExUnregisterCallback, ObDereferenceObjectDeferDelete, IoDeleteDevice, PsSetCreateProcessNotifyRoutineEx, FsRtlDissectName, _wcsicmp, RtlEqualUnicodeString, RtlUpcaseUnicodeChar, RtlDowncaseUnicodeChar, IoGetCurrentProcess, KdRefreshDebuggerNotPresent, IoAllocateWorkItem, IoFreeWorkItem, IoQueueWorkItem, _wcsnicmp, IoCreateDevice, ObReferenceObjectByName, IoDriverObjectType, wcsrchr, 
RtlCreateRegistryKey, MmAllocatePagesForMdlEx, IoUnregisterPlugPlayNotification, swprintf, swscanf_s, ExAllocatePoolWithTag, ZwOpenProcess, _stricmp, PsGetProcessId, PsInitialSystemProcess, RtlInitString, RtlEqualString, ZwTerminateProcess, IoDetachDevice, IoInitializeRemoveLockEx, IoAcquireRemoveLockEx, IoReleaseRemoveLockEx, ZwQueryKey, IoAttachDeviceToDeviceStackSafe, RtlPrefixUnicodeString, RtlFreeAnsiString, KeResetEvent, KeSetPriorityThread, PsThreadType, _wcslwr, IoCancelIrp, IoSetDeviceInterfaceState, IoGetDeviceInterfaces, ZwQueryObject, IoFileObjectType, wcsncpy_s, MmAllocateMdlForIoSpace, MmAllocateContiguousMemorySpecifyCache, MmFreeContiguousMemory, ExEventObjectType, RtlCaptureStackBackTrace, ZwQueryDirectoryFile, KeDelayExecutionThread, KeQuerySystemTimePrecise, strnlen, strtok_s, KeInitializeSemaphore, KeReleaseSemaphore, MmAllocatePagesForMdl, vsprintf_s, KeSetTimer, KeCancelTimer, _snprintf, ExSetTimer, ExDeleteTimer, ExAllocateTimer, KeInitializeTimerEx, strncpy, KeSetTimerEx, KeFlushQueuedDpcs, RtlIsNtDdiVersionAvailable, RtlAreBitsSet, RtlCompareString, IoBuildPartialMdl, KeStackAttachProcess, KeUnstackDetachProcess, MmBuildMdlForNonPagedPool, KeInitializeTimer, RtlClearBit, RtlSetBits, RtlNumberOfClearBits, RtlNumberOfSetBits, RtlAreBitsClear, RtlFindNextForwardRunClear, RtlInt64ToUnicodeString, ZwQueryInformationProcess, ExFreePool, KeEnterCriticalRegion, KeLeaveCriticalRegion, KeInitializeSpinLock, ExInitializePushLock, ExAcquirePushLockExclusiveEx, ExAcquirePushLockSharedEx, ExReleasePushLockExclusiveEx, ExReleasePushLockSharedEx, IoSizeofWorkItem, IoInitializeWorkItem, IoUninitializeWorkItem, InitializeSListHead, ExpInterlockedFlushSList, IoReuseIrp, PsGetProcessCreateTimeQuadPart, RtlSetBit, ExInitializeRundownProtection, ExReInitializeRundownProtection, ExAcquireRundownProtection, ExReleaseRundownProtection, ExRundownCompleted, ExWaitForRundownProtectionRelease, wcschr, IoUnregisterShutdownNotification, IoRegisterShutdownNotification, 
IofCompleteRequest, KeGetCurrentIrql, RtlGetVersion, DbgPrintEx, RtlCompareUnicodeString, MmGetSystemRoutineAddress, ZwSetValueKey, RtlInitUnicodeString, RtlRaiseException, PsGetVersion, ExAllocatePoolWithQuotaTag, ZwQuerySystemInformation, RtlIntegerToUnicodeString |
HAL.dll | KeStallExecutionProcessor, HalSetBusDataByOffset, HalGetBusDataByOffset, KeQueryPerformanceCounter |
NETIO.SYS | WskCaptureProviderNPI, WskReleaseProviderNPI, WskDeregister, WskRegister |
Imports a triage analyst would look at first: process and image-load callbacks (PsSetCreateProcessNotifyRoutineEx, PsSetLoadImageNotifyRoutine), process handle and address-space access (ZwOpenProcess, ZwTerminateProcess, KeStackAttachProcess, ObOpenObjectByPointer, PsLookupProcessByProcessId), driver loading (ZwLoadDriver, ZwUnloadDriver), physical-memory and PCI configuration-space access (MmMapIoSpace, MmGetPhysicalAddress, HalGetBusDataByOffset, HalSetBusDataByOffset), kernel sockets (the Wsk* family from NETIO.SYS), a debugger-presence check (KdRefreshDebuggerNotPresent) and late binding of further routines (MmGetSystemRoutineAddress). These are capabilities, not findings: all are plausible in a vendor display driver, and the sandbox recorded no runtime behaviour for any of them because the driver was never loaded.
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |