    Binary Code Analysis - File Md5: 3e64065f1309fbc295f75e8bbd88d6f9

    File hash value (MD5): 3e64065f1309fbc295f75e8bbd88d6f9. This is a 32-bit EXE file with a file size of 193 K. This page analyzes the binary code of the file, that is, its PE file format. Understanding the content requires some computer expertise; it is provided mainly for people who work on computer security maintenance in the industry, in the hope of contributing to the cause of computer security.

    File Binary Code Analysis (file layout):

    DOS Stub
    ...
    .text    SECTION #1
    .data    SECTION #2
    .rsrc    SECTION #3
    hgslnhu  SECTION #4
    DOS Header

    Type   Name         Value                       Memo
    WORD   e_magic      0x00005A4D                  DOS signature ("MZ")
    WORD   e_cblp       0x00000090                  Bytes on last page of file
    WORD   e_cp         0x00000003                  Pages in file
    WORD   e_crlc       0x00000000                  Relocations
    WORD   e_cparhdr    0x00000004                  Size of header in paragraphs
    WORD   e_minalloc   0x00000000                  Minimum extra paragraphs needed
    WORD   e_maxalloc   0x0000FFFF                  Maximum extra paragraphs needed
    WORD   e_ss         0x00000000                  Initial (relative) SS value
    WORD   e_sp         0x000000B8                  Initial SP value
    WORD   e_csum       0x00000000                  Checksum
    WORD   e_ip         0x00000000                  Initial IP value
    WORD   e_cs         0x00000000                  Initial (relative) CS value
    WORD   e_lfarlc     0x00000040                  File address of relocation table
    WORD   e_ovno       0x00000000                  Overlay number
    WORD   e_res[4]     0x00000000 (all 4 entries)  Reserved words
    WORD   e_oemid      0x00000000                  OEM identifier (for e_oeminfo)
    WORD   e_oeminfo    0x00000000                  OEM information; e_oemid specific
    WORD   e_res2[10]   0x00000000 (all 10 entries) Reserved words
    WORD   e_lfanew     0x000000B0                  File offset of the PE (NT) header
    NT HEADER - NT File Signature

    Type   Name       Value       Memo
    DWORD  Signature  0x00004550  PE file signature: "PE"
    NT HEADER - FILE HEADER

    Type   Name                  Value       Memo
    WORD   Machine               0x0000014C  Target machine type (32-bit or 64-bit)
    WORD   NumberOfSections      0x00000004  Number of sections
    DWORD  TimeDateStamp         0x40D7F0AE  File creation (link) time stamp
    DWORD  PointerToSymbolTable  0x00000000  Pointer to symbol table
    DWORD  NumberOfSymbols       0x00000000  Number of symbols
    WORD   SizeOfOptionalHeader  0x000000E0  Size of optional header
    WORD   Characteristics       0x0000010F  File characteristics (EXE or DLL, etc.)
    NT HEADER - OPTIONAL HEADER

    Type   Name                         Value       Memo
    WORD   Magic                        0x0000010B  Magic number (optional header format)
    BYTE   MajorLinkerVersion           0x00000007  Major linker version
    BYTE   MinorLinkerVersion           0x0000000A  Minor linker version
    DWORD  SizeOfCode                   0x00021600  Size of code
    DWORD  SizeOfInitializedData        0x00008000  Size of initialized data
    DWORD  SizeOfUninitializedData      0x00000000  Size of uninitialized data
    DWORD  AddressOfEntryPoint          0x000224CA  Address of entry point (RVA)
    DWORD  BaseOfCode                   0x00001000  Base of code
    DWORD  BaseOfData                   0x00023000  Base of data
    DWORD  ImageBase                    0x01000000  Image base
    DWORD  SectionAlignment             0x00001000  Section alignment
    DWORD  FileAlignment                0x00000200  File alignment
    WORD   MajorOperatingSystemVersion  0x00000005  Major operating system version
    WORD   MinorOperatingSystemVersion  0x00000001  Minor operating system version
    WORD   MajorImageVersion            0x00000005  Major image version
    WORD   MinorImageVersion            0x00000001  Minor image version
    WORD   MajorSubsystemVersion        0x00000004  Major subsystem version
    WORD   MinorSubsystemVersion        0x00000000  Minor subsystem version
    DWORD  Win32VersionValue            0x00000000  Win32 version value
    DWORD  SizeOfImage                  0x00034000  Size of image
    DWORD  SizeOfHeaders                0x00000400  Size of headers
    DWORD  CheckSum                     0x00000000  Checksum
    WORD   Subsystem                    0x00000002  Subsystem
    WORD   DllCharacteristics           0x00008000  DLL characteristics
    DWORD  SizeOfStackReserve           0x00040000  Size of stack reserve
    DWORD  SizeOfStackCommit            0x00001000  Size of stack commit
    DWORD  SizeOfHeapReserve            0x00100000  Size of heap reserve
    DWORD  SizeOfHeapCommit             0x00001000  Size of heap commit
    DWORD  LoaderFlags                  0x00000000  Loader flags
    DWORD  NumberOfRvaAndSizes          0x00000010  Number of RVA and sizes (data directory entries)
    NT HEADER - OPTIONAL HEADER - Data Directory

    Each entry is a pair of DWORDs (VirtualAddress, Size); the entry numbering follows the original listing.

    Entry               VirtualAddress  Size        Directory
    DataDirectory[1]    0x00000000      0x00000000  Export table
    DataDirectory[2]    0x00020C9C      0x000000DC  Import table
    DataDirectory[3]    0x00025000      0x0000DE00  Resource table
    DataDirectory[4]    0x00000000      0x00000000  Exception table
    DataDirectory[5]    0x00000000      0x00000000  Security (certificate) table
    DataDirectory[6]    0x00000000      0x00000000  Base relocation table
    DataDirectory[7]    0x00001720      0x0000001C  Debug directory
    DataDirectory[8]    0x00000000      0x00000000  Architecture
    DataDirectory[9]    0x00000000      0x00000000  Global pointer
    DataDirectory[10]   0x00000000      0x00000000  TLS table
    DataDirectory[11]   0x00004DE0      0x00000040  Load config table
    DataDirectory[12]   0x00000248      0x000000E0  Bound import table
    DataDirectory[13]   0x00001000      0x00000720  Import address table (IAT)
    DataDirectory[14]   0x00000000      0x00000000  Delay import descriptor
    DataDirectory[15]   0x00000000      0x00000000  COM (CLR) descriptor
    DataDirectory[16]   0x00000000      0x00000000  Reserved
    SECTION HEADERS (#1 to #4)

    Type   Field                 SECTION #1   SECTION #2   SECTION #3   SECTION #4
    BYTE   Name                  .text        .data        .rsrc        hgslnhu
    DWORD  VirtualSize           0x00021600   0x000011F4   0x0000DE00   0x00001000
    DWORD  VirtualAddress        0x00001000   0x00023000   0x00025000   0x00033000
    DWORD  SizeOfRawData         0x00021600   0x00001000   0x0000DA00   0x00000000
    DWORD  PointerToRawData      0x00000400   0x00021A00   0x00022A00   0x00030400
    DWORD  PointerToRelocations  0x00000000   0x00000000   0x00000000   0x00000000
    DWORD  PointerToLinenumbers  0x00000000   0x00000000   0x00000000   0x00000000
    WORD   NumberOfRelocations   0x00000000   0x00000000   0x00000000   0x00000000
    WORD   NumberOfLinenumbers   0x00000000   0x00000000   0x00000000   0x00000000
    DWORD  Characteristics       0x60000020   0xC0000040   0xE0000060   0xC0000000

    Called external files and functions:

    In general, malicious files call these kinds of functions: functions that intercept data, network functions, functions that modify registry information, functions that access the browser's private cookies, and functions that bypass the system to read hard-disk data directly. (Hint: the files listed below may be called by malicious files, but they are not necessarily malicious themselves; they may be ordinary system files.)

    Import File - MFC42u.DLL (functions imported by ordinal only; no names)
  • Import File - msvcrt.dll
  • _CxxThrowException
  • wcscmp
  • _wcsicmp
  • wcscpy
  • _wmakepath
  • wcsncmp
  • wcslen
  • wcsncpy
  • _wtoi
  • _wtol
  • ceil
  • _ftol
  • malloc
  • free
  • realloc
  • iswdigit
  • _c_exit
  • wcscoll
  • _XcptFilter
  • _cexit
  • exit
  • _wcmdln
  • __wgetmainargs
  • _initterm
  • __setusermatherr
  • __p__commode
  • __p__fmode
  • __set_app_type
  • __CxxFrameHandler
  • _itow
  • _except_handler3
  • ?terminate@@YAXXZ
  • ??1type_info@@UAE@XZ
  • __dllonexit
  • _onexit
  • _controlfp
  • _purecall
  • wcscat
  • _exit
  • _adjust_fdiv
  • Import File - ADVAPI32.dll
  • RegOpenKeyExA
  • RegCloseKey
  • RegQueryValueExW
  • RegSetValueExW
  • RegOpenKeyExW
  • QueryServiceConfigW
  • RegDeleteValueW
  • CloseServiceHandle
  • ChangeServiceConfigW
  • OpenServiceW
  • OpenSCManagerW
  • EnumServicesStatusW
  • RegDeleteKeyW
  • RegCreateKeyExW
  • RegEnumKeyExW
  • RegEnumValueW
  • RegQueryInfoKeyW
  • AdjustTokenPrivileges
  • LookupPrivilegeValueW
  • OpenProcessToken
  • RegQueryValueExA
  • Import File - KERNEL32.dll
  • GetCurrentProcess
  • FlushInstructionCache
  • WideCharToMultiByte
  • MultiByteToWideChar
  • GetEnvironmentVariableW
  • FormatMessageW
  • LocalFree
  • LoadLibraryW
  • ExpandEnvironmentStringsW
  • CopyFileW
  • DeleteFileW
  • FindFirstFileW
  • FindNextFileW
  • FindClose
  • CreateThread
  • WaitForSingleObject
  • MoveFileExW
  • GetLastError
  • GetDriveTypeW
  • GetSystemDirectoryW
  • lstrlenW
  • lstrcmpW
  • GlobalMemoryStatus
  • GetSystemInfo
  • SetLastError
  • GlobalUnlock
  • GlobalLock
  • FreeResource
  • GlobalFree
  • GlobalHandle
  • LockResource
  • LoadResource
  • LeaveCriticalSection
  • CreateSemaphoreW
  • CreateDirectoryW
  • lstrcpyW
  • lstrcmpiW
  • lstrcpynW
  • InitializeCriticalSection
  • HeapDestroy
  • DeleteCriticalSection
  • GetModuleFileNameW
  • FreeLibrary
  • GetProcAddress
  • GetModuleHandleW
  • SizeofResource
  • LoadLibraryExW
  • GetShortPathNameW
  • GetCommandLineW
  • OpenProcess
  • GetCurrentProcessId
  • QueryPerformanceCounter
  • GetTickCount
  • GetSystemTimeAsFileTime
  • TerminateProcess
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • GetModuleHandleA
  • GetStartupInfoW
  • HeapFree
  • GetProcessHeap
  • HeapAlloc
  • LoadLibraryA
  • VirtualFree
  • VirtualAlloc
  • EnterCriticalSection
  • GetCurrentThreadId
  • GlobalAlloc
  • lstrlenA
  • CloseHandle
  • ReadFile
  • GetFileSize
  • CreateFileW
  • SetEndOfFile
  • WriteFile
  • SetFilePointer
  • SetFileAttributesW
  • FindResourceW
  • GetFileAttributesW
  • lstrcatW
  • Import File - GDI32.dll
  • CreateSolidBrush
  • DeleteObject
  • CreateCompatibleBitmap
  • CreateCompatibleDC
  • BitBlt
  • DeleteDC
  • GetStockObject
  • GetObjectW
  • GetDeviceCaps
  • SelectObject
  • GetTextMetricsW
  • GetTextExtentPoint32W
  • Import File - USER32.dll
  • GetDlgItem
  • ExitWindowsEx
  • CharNextW
  • SetForegroundWindow
  • GetLastActivePopup
  • FindWindowW
  • IsIconic
  • LoadIconW
  • GetActiveWindow
  • DialogBoxIndirectParamW
  • RegisterWindowMessageW
  • GetWindowTextLengthW
  • GetWindowTextW
  • CreateWindowExW
  • GetClassInfoExW
  • LoadCursorW
  • RegisterClassExW
  • CreateAcceleratorTableW
  • CheckDlgButton
  • wsprintfW
  • EnableWindow
  • SendMessageW
  • GetClientRect
  • GetFocus
  • MessageBoxW
  • IsWindowEnabled
  • ShowWindow
  • PostMessageW
  • SetWindowTextW
  • LoadStringW
  • SetFocus
  • GetParent
  • CallWindowProcW
  • SetWindowLongW
  • GetWindowLongW
  • ScreenToClient
  • GetMessagePos
  • GetProcessDefaultLayout
  • ReleaseDC
  • GetDC
  • GetAsyncKeyState
  • DefWindowProcW
  • GetSysColor
  • GetDesktopWindow
  • ReleaseCapture
  • SetCapture
  • InvalidateRect
  • InvalidateRgn
  • GetWindow
  • IsChild
  • EndPaint
  • FillRect
  • BeginPaint
  • SetDlgItemTextW
  • SetWindowPos
  • IsWindow
  • RedrawWindow
  • GetClassNameW
  • DestroyWindow
  • EndDialog
  • GetDlgItemTextW
  • IsDlgButtonChecked
  • Import File - OLEAUT32.dll (functions imported by ordinal only; no names)
  • Function Address
    0x000000A1
  • Function Address
    0x00000004
  • Function Address
    0x00000002
  • Function Address
    0x00000009
  • Function Address
    0x00000007
  • Function Address
    0x000001A4
  • Function Address
    0x000000A2
  • Function Address
    0x000000A3
  • Function Address
    0x00000006
  • Function Address
    0x00000115
  • Import File - ole32.dll
  • CoRegisterClassObject
  • CoTaskMemRealloc
  • CoInitializeEx
  • OleUninitialize
  • OleInitialize
  • CreateStreamOnHGlobal
  • CLSIDFromString
  • CLSIDFromProgID
  • OleLockRunning
  • CoTaskMemAlloc
  • StringFromCLSID
  • CoTaskMemFree
  • CoInitialize
  • CoCreateInstance
  • CoUninitialize
  • CoRevokeClassObject
  • Import File - VERSION.dll
  • VerQueryValueW
  • GetFileVersionInfoSizeW
  • GetFileVersionInfoW
  • Import File - SHELL32.dll
  • SHGetSpecialFolderPathW
  • ShellExecuteW
  • SHGetMalloc
  • SHBrowseForFolderW
  • SHGetPathFromIDListW

    These are my analysis results for this malicious file. If you have any questions, or any problems that you cannot resolve, you can leave a message or email me.
    Copyright statement: The above data is obtained by my analysis, and without authorization, you may not copy or reprint it.
    Copyright © 2016-2020 mygoodtools.com All rights reserved.