ba543f2cf16cb1d1cfa87d7531e6045581ee76274c36d0c9df8c131e05b86977

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2016-Jul-13 05:32:37 (PE TimeDateStamp; not a reliable build date: Windows 10-era Microsoft builds are reproducible and store a hash in this field, and the value predates FileVersion 4.18.1907, a July 2019 Defender platform release)
Detected languages English - United States
Debug artifacts AMMonitoringProvider.pdb
CompanyName Microsoft Corporation
FileDescription Microsoft Security Client Antimalware Monitoring Provider
FileVersion 4.18.1907.16384 (WinBuild.160101.0800)
InternalName AMMonitoringProvider
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename AMMonitoringProvider.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 4.18.1907.16384

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: Accesses the WMI:
  • root\cimv2
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryExW
  • GetProcAddress
  Heuristic only: these two imports are present in most Windows binaries. The file is signed by Microsoft Windows (Microsoft Windows Production PCA 2011) and scores 0/72 on VirusTotal, so this flag should be read as a heuristic false positive for this file.
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
  • CreateToolhelp32Snapshot
  • FindWindowW
Can access the registry:
  • RegDeleteKeyW
  • RegQueryValueExW
  • RegDeleteValueW
  • RegCreateKeyExW
  • RegSetValueExW
  • RegOpenKeyExW
  • RegEnumKeyExW
  • RegQueryInfoKeyW
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessW
  • CreateProcessAsUserW
Uses Microsoft's cryptographic API (CryptCAT* catalog-lookup functions, exported by wintrust.dll; together with the imported WinVerifyTrust and CertVerifyCertificateChainPolicy this is signature verification of catalog-signed files, not encryption):
  • CryptCATAdminReleaseCatalogContext
  • CryptCATAdminAcquireContext
  • CryptCATAdminCalcHashFromFileHandle
  • CryptCATAdminEnumCatalogFromHash
  • CryptCATCatalogInfoFromContext
  • CryptCATAdminReleaseContext
Can create temporary files:
  • GetTempPathW
  • CreateFileW
Functions related to the privilege level:
  • OpenProcessToken
  • DuplicateTokenEx
  • AdjustTokenPrivileges
  • CheckTokenMembership
Interacts with services:
  • QueryServiceStatus
  • ControlService
  • ChangeServiceConfigW
  • OpenServiceW
  • OpenSCManagerW
Enumerates local disk drives:
  • GetDriveTypeW
Manipulates other processes:
  • OpenProcess
  • Process32FirstW
  • Process32NextW
Can shut the system down or lock the screen:
  • InitiateSystemShutdownExW
Info The PE is digitally signed. Signer: Microsoft Windows
Issuer: Microsoft Windows Production PCA 2011
Safe VirusTotal score: 0/72 (Scanned on 2025-08-16 01:39:25) All the AVs think this file is safe.

Hashes

MD5 573fa5e140e6b7c6209b546511dd0989
SHA1 28befe7ef26ae909feb74ac4a8c9981bed192a93
SHA256 ba543f2cf16cb1d1cfa87d7531e6045581ee76274c36d0c9df8c131e05b86977
SHA3 4c84ca68817e92646ef651c864ecd703dcf3cda7287c9a3f6c159d7026c22338
SSDeep 3072:wC3HjG5Tg1HlnGEx6s8Pt0TOAsdPgrjnKRKisSNm50i+B5KTedUQqm1FpCShisD:wC3OTg1AExYWCA4PeTKRKiRc5MT1vh
Imports Hash 850250ba4c20d1bd815d8db26d10aae3

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2016-Jul-13 05:32:37
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x20000
SizeOfInitializedData 0x12000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000001CA0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x180000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 10.0
ImageVersion 10.0
SubsystemVersion 10.0
Win32VersionValue 0
SizeOfImage 0x33000
SizeOfHeaders 0x1000
Checksum 0x41339
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

Sections

.text

MD5 3d0125aebc5cfc9b38d16b0b341cb10e
SHA1 0640d882234af13cacc4ad5c112fd8d11d4af463
SHA256 912e23fc0bafcde5480ae646112eb53e960a27b9e28067c728ef54f408ee3ac5
SHA3 834babd8a2b9285d64cad5d8154d10d451025efb6ccf55d20ae1c7d88f7fad29
VirtualSize 0x1f779
VirtualAddress 0x1000
SizeOfRawData 0x20000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.23219

.rdata

MD5 7ac1518a3740e51f85253a60f6ff2a8d
SHA1 3c1163a7d60cbdaef2309396cdcbd729cf7f577a
SHA256 24a01b949fd9c312a4a7bb41521de82b466b23e3208c4f9888910fed103588a7
SHA3 d8c1767868eacfbc48524e82fdeace61aa0d7586d83a8d03a2dc3c692fd69188
VirtualSize 0xb8ae
VirtualAddress 0x21000
SizeOfRawData 0xc000
PointerToRawData 0x21000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.76969

.data

MD5 10c18b96ad43775e011a372b2da42fff
SHA1 345cb9a657685dc9079ee91ac4441813c62c7b2f
SHA256 d76498c67ff2d7d333c0e39a46b0d80ef5cc4b11be04e85dd2ff647f74f40990
SHA3 0de43abf5025ec257cd96c0ddf0f7875ac85fdd092218d8df2a20cdd11752260
VirtualSize 0x1b00
VirtualAddress 0x2d000
SizeOfRawData 0x1000
PointerToRawData 0x2d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.03974

.pdata

MD5 df2777809dc5d2016ba6c0b79996a9c1
SHA1 97443a2cf9638b765fae670f6b4c9974d0dd183f
SHA256 dc1b58ed3fc6ea842ac3a54b050ba2efc5e6cf9c7fb1e41e1f866b8addc00a20
SHA3 a6e343d0a54cc1bc4477e8328704f6d1c00e8d2f8293b5a2b22c822e1ba5742f
VirtualSize 0x1b78
VirtualAddress 0x2f000
SizeOfRawData 0x2000
PointerToRawData 0x2e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.78419

.rsrc

MD5 929e5d76ef3cc077b2f497bbc94953b3
SHA1 bf1b873da554cfaf1e2d7491007b542d412c965d
SHA256 b990a7bc2451069b2a6b15ed0274e2cdda7b1524589e0eccca22e531566ac408
SHA3 6330551ffeeb63aff512c2d389ac0e744eb423d2c764ffd1b80e0736a1e3c518
VirtualSize 0xb90
VirtualAddress 0x31000
SizeOfRawData 0x1000
PointerToRawData 0x30000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.99801

.reloc

MD5 3c16be9c7d3ae69659ca61d683cc47c6
SHA1 3f3ae4ea8aaf69113452c16f4496270ff653ba82
SHA256 48cb270d07fd6adc213d67e60183082e60293fabf791fa34ddb818054409cd02
SHA3 670bbcaf292f12042d67d236c1d08728f9b8d205d6c5dc8f9ae3059648875f88
VirtualSize 0x534
VirtualAddress 0x32000
SizeOfRawData 0x1000
PointerToRawData 0x31000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 2.57688

Imports

msvcrt.dll _vsnprintf
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
wcschr
_wcstoui64
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcscat_s
wcscpy_s
memcpy_s
free
malloc
wcsncpy_s
__C_specific_handler
_purecall
_wchmod
wcsrchr
iswalpha
__CxxFrameHandler4
?terminate@@YAXXZ
_vsnwprintf
_vscwprintf
vswprintf_s
swscanf_s
_initterm
memset
KERNEL32.dll GetTickCount
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
Sleep
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameW
FindResourceExW
DecodePointer
EncodePointer
LoadResource
GetCurrentThread
CloseHandle
SwitchToThread
LockResource
SetLastError
InitializeCriticalSectionAndSpinCount
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
DisableThreadLibraryCalls
VirtualLock
FileTimeToSystemTime
GetLocalTime
SystemTimeToFileTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
SizeofResource
MultiByteToWideChar
RaiseException
lstrcmpiW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetLastError
FreeLibrary
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
GetSystemTimeAsFileTime
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW
USER32.dll MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
FindWindowW
GetSystemMetrics
SetWindowTextW
CharNextW
UnregisterClassA
PostMessageW
LoadStringW
ShowWindow
SendMessageW
DestroyWindow
CreateDialogParamW
LoadIconW
GetWindowThreadProcessId
ADVAPI32.dll RegDeleteKeyW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegQueryValueExW
GetUserNameW
GetTokenInformation
OpenThreadToken
DuplicateTokenEx
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
GetSidSubAuthority
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
ChangeServiceConfigW
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthorityCount
ole32.dll CoImpersonateClient
CoRevertToSelf
StringFromGUID2
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateGuid
OLEAUT32.dll SysStringByteLen
SysAllocStringLen
VariantClear
SysStringLen
VarBstrCat
SysFreeString
VariantInit
VarUI4FromStr
SysAllocString
mpclient.dll MpClientUtilExportFunctions
WTSAPI32.dll WTSQueryUserToken
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
USERENV.dll CreateEnvironmentBlock
DestroyEnvironmentBlock
ntdll.dll RtlGetVersion
RtlNtStatusToDosError
SHELL32.dll SHGetSpecialFolderLocation
SHGetFolderPathW
SHGetPathFromIDListW
VERSION.dll VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
SHLWAPI.dll PathIsRelativeW
PathAppendW
PathCombineW
PathRemoveFileSpecW
PathMatchSpecW
PathFileExistsW
PathIsDirectoryW
PathFindFileNameW
CRYPT32.dll CertVerifyCertificateChainPolicy
WINTRUST.dll CryptCATAdminReleaseCatalogContext
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseContext
WinVerifyTrust
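The "Imports Hash" in the Hashes section is an imphash: the MD5 of the import list in import-table order, lower-cased, with the module extension stripped and entries joined by commas. The following is an added example, not code from the report or from the analysed DLL, showing that derivation. The import list it hashes is a constructed subset of the table above (plus a made-up example.dll ordinal import), so it will not reproduce 850250ba4c20d1bd815d8db26d10aae3; the real value covers every imported function in table order. One further assumption: pefile, the usual reference implementation, resolves well-known ordinals of oleaut32 and ws2_32 to names before hashing, which this example does not do.

```python
import hashlib

# Constructed subset of the import table above; the ordinal entry is a
# made-up example.dll import, added only to show ordinal handling.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["LoadLibraryExW", "GetProcAddress"]),
    ("WINTRUST.dll", ["WinVerifyTrust"]),
    ("ADVAPI32.dll", ["OpenProcessToken", "AdjustTokenPrivileges"]),
    ("example.dll", [("ordinal", 7)]),
]

# Module extensions that imphash strips before lower-casing the name.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_module(name):
    """'WINTRUST.dll' -> 'wintrust'; other extensions are left in place."""
    lowered = name.lower()
    for ext in _STRIPPED_EXTENSIONS:
        if lowered.endswith(ext):
            return lowered[: -len(ext)]
    return lowered


def imphash_string(imports):
    """Build the 'module.function,module.function' string that gets hashed.
    Order is significant: the same imports in a different order hash differently."""
    parts = []
    for module, functions in imports:
        mod = normalize_module(module)
        for func in functions:
            if isinstance(func, tuple):          # ("ordinal", N) -> module.ordN
                parts.append(f"{mod}.ord{func[1]}")
            else:
                parts.append(f"{mod}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 over the normalized import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash is order-sensitive and covers the whole table, two builds of the same source with a re-ordered or trimmed import table get different imphashes; it is a clustering aid for binaries sharing a toolchain and import layout, not a signature of code.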

Delayed Imports

(none)

Exports

DllCanUnloadNow

Ordinal 1
Address 0x8c20

DllGetClassObject

Ordinal 2
Address 0x8c60

DllRegisterServer

Ordinal 3
Address 0x8db0

DllUnregisterServer

Ordinal 4
Address 0x8eb0

Resources

102

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x119
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.32118
MD5 b5c066a9b200eca514f6f32de9be5f12
SHA1 694e040a286091c1ee64452847041ebf570279fe
SHA256 b7ca7e22ebb838a1bf66fde7e37e51deb7cb3c412ce57d646579ceb52312e18d
SHA3 d0c336451b5a3a36c4297f86edccd1c41f8bbad5d547dc6e433f73a2fdc64714

1

Type TYPELIB
Language English - United States
Codepage UNKNOWN
Size 0x54c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.51766
MD5 b3a61fda5412dd075582834effe5e2be
SHA1 d8fbb9f85ced4e60b303401ee866cc89fec00aa0
SHA256 de860a4e0ee3634853cb904774e0a46bd7d33c2de421928a48d745c2bdac616b
SHA3 729d992c106c2163ae75e1b353ad29cf3bd4b41a5034843a097bddfe9e14e125

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x40c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.50573
MD5 9fd686f5db4b0d1ef5b8e4cee4841951
SHA1 fd0e048bb8c3bd6af5b2305f96527d95c211772f
SHA256 99134b9d0461fa5178577df19e11f1c55336c60f52c378b4a3cb07cf8b010a3b
SHA3 a854018d5faa4b298de4ab641a7bcb0da2caaabb073b27a73505168287acb724

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 4.18.1907.16384
ProductVersion 4.18.1907.16384
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription Microsoft Security Client Antimalware Monitoring Provider
FileVersion (#2) 4.18.1907.16384 (WinBuild.160101.0800)
InternalName AMMonitoringProvider
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename AMMonitoringProvider.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 4.18.1907.16384
Resource LangID English - United States

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2016-Jul-13 05:32:37
Version 0.0
SizeofData 49
AddressOfRawData 0x277f8
PointerToRawData 0x277f8
Referenced File AMMonitoringProvider.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2016-Jul-13 05:32:37
Version 0.0
SizeofData 880
AddressOfRawData 0x2782c
PointerToRawData 0x2782c

UNKNOWN

Characteristics 0
TimeDateStamp 2016-Jul-13 05:32:37
Version 0.0
SizeofData 36
AddressOfRawData 0x27b9c
PointerToRawData 0x27b9c

UNKNOWN (#2)

Characteristics 0
TimeDateStamp 2016-Jul-13 05:32:37
Version 0.0
SizeofData 4
AddressOfRawData 0x27bc0
PointerToRawData 0x27bc0

TLS Callbacks

StartAddressOfRawData 0x180027bc4
EndAddressOfRawData 0x180027bcc
AddressOfIndex 0x18002e5b0
AddressOfCallbacks 0x1800230d8
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x18002df88
GuardCFCheckFunctionPointer 0x180022fd8 (reported as decimal 6442594264)
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0
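The report mixes virtual addresses (TLS directory, SecurityCookie, GuardCFCheckFunctionPointer), RVAs (AddressOfEntryPoint, the debug entries) and raw file offsets. The following is an added example, not the report's own code, that takes the section table printed above and resolves each of those addresses to its section and to a file offset, using only the ImageBase, SectionAlignment and section values from this page. It also shows the one case where an address has no file bytes at all: the TLS AddressOfIndex falls in the part of .data that lies beyond SizeOfRawData and is zero-filled by the loader.

```python
IMAGE_BASE = 0x180000000          # ImageBase from the Image Optional Header
SECTION_ALIGNMENT = 0x1000        # SectionAlignment, same source
SIZE_OF_IMAGE = 0x33000           # SizeOfImage, same source

# Section table as printed in the report:
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text",  0x01000, 0x1f779, 0x01000, 0x20000),
    (".rdata", 0x21000, 0x0b8ae, 0x21000, 0x0c000),
    (".data",  0x2d000, 0x01b00, 0x2d000, 0x01000),
    (".pdata", 0x2f000, 0x01b78, 0x2e000, 0x02000),
    (".rsrc",  0x31000, 0x00b90, 0x30000, 0x01000),
    (".reloc", 0x32000, 0x00534, 0x31000, 0x01000),
]


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def va_to_rva(va):
    """Strip the preferred image base (the report prints some fields as VAs)."""
    return va - IMAGE_BASE


def section_for_rva(rva):
    """Name of the section whose in-memory span covers rva, or None for the
    PE headers below the first section and for anything past the image end."""
    for name, vaddr, vsize, _raw, rawsize in SECTIONS:
        # The loader maps the larger of VirtualSize and SizeOfRawData, rounded
        # up to SectionAlignment; that is the section's memory footprint.
        span = _align_up(max(vsize, rawsize), SECTION_ALIGNMENT)
        if vaddr <= rva < vaddr + span:
            return name
    return None


def rva_to_file_offset(rva):
    """Raw file offset holding rva, or None when the bytes exist only in
    memory (a section tail past SizeOfRawData that the loader zero-fills)."""
    for _name, vaddr, _vsize, raw, rawsize in SECTIONS:
        if vaddr <= rva < vaddr + rawsize:
            return rva - vaddr + raw
    return None


def image_end_rva():
    """RVA one past the last mapped section; should equal SizeOfImage."""
    _name, vaddr, vsize, _raw, rawsize = SECTIONS[-1]
    return vaddr + _align_up(max(vsize, rawsize), SECTION_ALIGNMENT)


def locate(label, va):
    """Resolve one address from the report to (label, rva, section, file offset)."""
    rva = va_to_rva(va)
    return label, hex(rva), section_for_rva(rva), rva_to_file_offset(rva)


if __name__ == "__main__":
    for row in (
        locate("AddressOfEntryPoint", IMAGE_BASE + 0x1ca0),
        locate("TLS AddressOfCallbacks", 0x1800230d8),
        locate("TLS AddressOfIndex", 0x18002e5b0),          # .data tail: no file bytes
        locate("SecurityCookie", 0x18002df88),
        locate("GuardCFCheckFunctionPointer", 6442594264),  # printed in decimal above
        locate("CODEVIEW AddressOfRawData", IMAGE_BASE + 0x277f8),
    ):
        print(row)
    print("image end matches SizeOfImage:", image_end_rva() == SIZE_OF_IMAGE)
```

For .text, .rdata and .data the file offset equals the RVA because PointerToRawData equals VirtualAddress, which is why the CODEVIEW entry's AddressOfRawData and PointerToRawData are both 0x277f8; from .pdata onwards the two diverge by 0x1000, so an RVA in .pdata, .rsrc or .reloc must be translated before seeking in the file.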

RICH Header

XOR Key 0xd1224864
Unmarked objects 0
ASM objects (30795) 4
C objects (30795) 20
Total imports 415
Imports (30795) 33
C++ objects (30795) 10
Exports (30795) 1
C objects (LTCG) (30795) 89
Resource objects (30795) 1
Linker (30795) 1

Errors
