usbguard.exe Binary Code Analysis - File Md5: 75d146153c9d4c83d1d931cc00b78784

File hash value (MD5): 75d146153c9d4c83d1d931cc00b78784. This is a 32-bit EXE file, and the file size is 747 K. This page analyzes the binary structure of the file, that is, its PE (Portable Executable) format. Following it requires some background in computer internals; it is written mainly for people who work on computer security in industry, in the hope of contributing to that cause.

If you are a regular computer user and do not understand the content, you can click on the file name to view solutions for the various problems this file can cause.

You can also download the repair tool directly to fix your operating system.

File Binary Code Analysis:

DOS Stub
...
.text SECTION #1
.rdata SECTION #2
.data SECTION #3
.rsrc SECTION #4
DOS Header (IMAGE_DOS_HEADER)

Type   Name         Value              Memo
WORD   e_magic      0x00005A4D         DOS signature "MZ"
WORD   e_cblp       0x00000090         Bytes on last page of file
WORD   e_cp         0x00000003         Pages in file
WORD   e_crlc       0x00000000         Relocations
WORD   e_cparhdr    0x00000004         Size of header in paragraphs
WORD   e_minalloc   0x00000000         Minimum extra paragraphs needed
WORD   e_maxalloc   0x0000FFFF         Maximum extra paragraphs needed
WORD   e_ss         0x00000000         Initial (relative) SS value
WORD   e_sp         0x000000B8         Initial SP value
WORD   e_csum       0x00000000         Checksum
WORD   e_ip         0x00000000         Initial IP value
WORD   e_cs         0x00000000         Initial (relative) CS value
WORD   e_lfarlc     0x00000040         File address of relocation table
WORD   e_ovno       0x00000000         Overlay number
WORD   e_res[4]     all 0x00000000     Reserved words ([0]..[3])
WORD   e_oemid      0x00000000         OEM identifier (for e_oeminfo)
WORD   e_oeminfo    0x00000000         OEM information; e_oemid specific
WORD   e_res2[10]   all 0x00000000     Reserved words ([1]..[10])
WORD   e_lfanew     0x000000F8         File offset of the PE file header

These DOS header values are the ones the Microsoft linker writes for its standard DOS stub. The only field the Windows loader uses is e_lfanew, which says the "PE" signature is at file offset 0xF8.
NT HEADER - NT File Signature

Type   Name         Value              Memo
DWORD  Signature    0x00004550         PE file signature: "PE\0\0"
NT HEADER - FILE HEADER (IMAGE_FILE_HEADER)

Type   Name                  Value              Memo
WORD   Machine               0x0000014C         IMAGE_FILE_MACHINE_I386: 32-bit x86
WORD   NumberOfSections      0x00000004         Number of sections (4: .text, .rdata, .data, .rsrc)
DWORD  TimeDateStamp         0x51C3114D         Link time, seconds since 1970-01-01 UTC (2013-06-20 14:27:25 UTC)
DWORD  PointerToSymbolTable  0x00000000         No COFF symbol table
DWORD  NumberOfSymbols       0x00000000         Number of symbols
WORD   SizeOfOptionalHeader  0x000000E0         224 bytes, the PE32 optional header size
WORD   Characteristics       0x00000103         IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE: an EXE (not a DLL) with its base relocations stripped, so it can only load at ImageBase and cannot be moved by ASLR
NT HEADER - OPTIONAL HEADER (IMAGE_OPTIONAL_HEADER32)

Type   Name                         Value              Memo
WORD   Magic                        0x0000010B         PE32 (32-bit image)
BYTE   MajorLinkerVersion           0x00000008         Linker 8.0 (Visual Studio 2005), consistent with the MSVCR80/MFC80U imports below
BYTE   MinorLinkerVersion           0x00000000         Minor linker version
DWORD  SizeOfCode                   0x00020000         Size of code (sum of code sections)
DWORD  SizeOfInitializedData        0x00085000         Size of initialized data
DWORD  SizeOfUninitializedData      0x00000000         Size of uninitialized data
DWORD  AddressOfEntryPoint          0x0001D7A8         RVA of the entry point; it lies inside .text (RVA 0x1000-0x20F7B), as expected for an unpacked image
DWORD  BaseOfCode                   0x00001000         RVA of the first code section
DWORD  BaseOfData                   0x00021000         RVA of the first data section
DWORD  ImageBase                    0x00400000         Preferred load address (the default for EXEs)
DWORD  SectionAlignment             0x00001000         Section alignment in memory
DWORD  FileAlignment                0x00001000         Section alignment in the file; equal to SectionAlignment, so for .text, .rdata and .data the file offset equals the RVA
WORD   MajorOperatingSystemVersion  0x00000004         Required OS version 4.0
WORD   MinorOperatingSystemVersion  0x00000000
WORD   MajorImageVersion            0x00000000         Image version 0.0
WORD   MinorImageVersion            0x00000000
WORD   MajorSubsystemVersion        0x00000004         Required subsystem version 4.0
WORD   MinorSubsystemVersion        0x00000000
DWORD  Win32VersionValue            0x00000000         Reserved, must be 0
DWORD  SizeOfImage                  0x000D3000         Size of the mapped image (end of .rsrc rounded up to SectionAlignment)
DWORD  SizeOfHeaders                0x00001000         Size of all headers, rounded up to FileAlignment
DWORD  CheckSum                     0x000ACE37         PE checksum
WORD   Subsystem                    0x00000002         IMAGE_SUBSYSTEM_WINDOWS_GUI
WORD   DllCharacteristics           0x00000000         No flags set: neither IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) nor IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP) is opted in
DWORD  SizeOfStackReserve           0x00100000         1 MiB stack reserved
DWORD  SizeOfStackCommit            0x00001000         4 KiB stack committed initially
DWORD  SizeOfHeapReserve            0x00100000         1 MiB default heap reserved
DWORD  SizeOfHeapCommit             0x00001000         4 KiB default heap committed initially
DWORD  LoaderFlags                  0x00000000         Reserved, must be 0
DWORD  NumberOfRvaAndSizes          0x00000010         16 data directory entries follow
NT HEADER - OPTIONAL HEADER - Data Directory

The index shown is 1-based as on this page; the standard IMAGE_DIRECTORY_ENTRY_* index is one less. Every entry is a pair of DWORDs (VirtualAddress, Size).

Index  VirtualAddress     Size               Memo
[1]    0x00000000         0x00000000         Export table: none (normal for an EXE)
[2]    0x00029E54         0x00000118         Import table (in .rdata)
[3]    0x0005B000         0x00077968         Resource table; identical to the .rsrc section, which holds the bulk of the file
[4]    0x00000000         0x00000000         Exception table
[5]    0x000A6000         0x00001CE8         Certificate (Authenticode) table; this entry is a file offset, not an RVA, and begins exactly where the last section's raw data ends (0x2E000 + 0x78000 = 0xA6000), i.e. a signature blob is appended to the file and its validity should be checked
[6]    0x00000000         0x00000000         Base relocation table: none, matching IMAGE_FILE_RELOCS_STRIPPED
[7]    0x000217F0         0x0000001C         Debug directory (one 28-byte IMAGE_DEBUG_DIRECTORY entry)
[8]    0x00000000         0x00000000         Architecture
[9]    0x00000000         0x00000000         Global pointer
[10]   0x00000000         0x00000000         TLS table
[11]   0x00026BA0         0x00000040         Load configuration table
[12]   0x00000000         0x00000000         Bound import table
[13]   0x00021000         0x000007C4         Import address table (at the very start of .rdata)
[14]   0x00000000         0x00000000         Delay-load import table
[15]   0x00000000         0x00000000         COM descriptor (.NET): none
[16]   0x00000000         0x00000000         Reserved
SECTION TABLE (IMAGE_SECTION_HEADER, SECTION #1 - #4)

#  Name    VirtualSize   VirtualAddress   SizeOfRawData   PointerToRawData   Characteristics
1  .text   0x0001FF7B    0x00001000       0x00020000      0x00001000         0x60000020  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
2  .rdata  0x0000B998    0x00021000       0x0000C000      0x00021000         0x40000040  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
3  .data   0x0002D88C    0x0002D000       0x00001000      0x0002D000         0xC0000040  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
4  .rsrc   0x00077968    0x0005B000       0x00078000      0x0002E000         0x40000040  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

For all four sections PointerToRelocations, PointerToLinenumbers, NumberOfRelocations and NumberOfLinenumbers are 0x00000000 (Name is a BYTE[8] field; the other fields are DWORD except the two WORD counters).

Points worth noting: no section is both writable and executable, which is the usual layout for an unpacked compiler-built image; .data has a VirtualSize of 0x2D88C but only 0x1000 bytes of raw data, so the remaining 0x2C88C bytes are zero-filled by the loader (uninitialized globals); .rsrc is the largest section at 0x78000 raw bytes and is the first place to look for embedded files or payloads.

Called external files and functions:

In general, malicious files call these kinds of functions: functions that intercept data, network functions, functions that modify registry information, functions that read the browser's private cookies, and functions that bypass the system to read raw hard disk data. (Hint: the DLLs listed below may be called by malicious files, but the DLLs themselves are not necessarily malicious; they may be normal system files.)

  • Import File - VERSION.dll
  • GetFileVersionInfoW
  • Import File - MFC80U.DLL (every function is imported by ordinal, so only the ordinal numbers are recorded, not names)
  • Import File - MSVCR80.dll
  • memset
  • __CxxFrameHandler3
  • ?_type_info_dtor_internal_method@type_info@@QAEXXZ
  • _crt_debugger_hook
  • _controlfp_s
  • _invoke_watson
  • _except_handler4_common
  • ?terminate@@YAXXZ
  • _decode_pointer
  • _onexit
  • memcpy
  • __dllonexit
  • _unlock
  • __set_app_type
  • _encode_pointer
  • __p__fmode
  • __p__commode
  • _adjust_fdiv
  • __setusermatherr
  • _configthreadlocale
  • _initterm_e
  • _initterm
  • _wcmdln
  • exit
  • _XcptFilter
  • _exit
  • _cexit
  • __wgetmainargs
  • _amsg_exit
  • _wrename
  • _itow_s
  • _invalid_parameter_noinfo
  • ??0exception@std@@QAE@XZ
  • _ui64tow_s
  • ??0exception@std@@QAE@ABQBD@Z
  • ?what@exception@std@@UBEPBDXZ
  • strcat_s
  • vsprintf_s
  • ??1exception@std@@UAE@XZ
  • strcpy_s
  • _wtoi
  • wcscat_s
  • wcscpy_s
  • vswprintf_s
  • _CxxThrowException
  • ??0exception@std@@QAE@ABV01@@Z
  • _lock
  • Import File - KERNEL32.dll
  • UnhandledExceptionFilter
  • GetCurrentProcess
  • TerminateProcess
  • GetSystemTimeAsFileTime
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetTickCount
  • QueryPerformanceCounter
  • SetUnhandledExceptionFilter
  • GetStartupInfoW
  • InterlockedCompareExchange
  • InterlockedExchange
  • RemoveDirectoryW
  • WaitForSingleObject
  • CreateEventW
  • InitializeCriticalSectionAndSpinCount
  • SetEvent
  • OpenEventW
  • CreateMutexW
  • DeleteCriticalSection
  • GetProcAddress
  • EnterCriticalSection
  • SetLastError
  • FindClose
  • FindNextFileW
  • FindFirstFileW
  • WriteFile
  • SetFilePointer
  • ReadFile
  • GetLastError
  • DeleteFileW
  • SetFileAttributesW
  • GetModuleHandleW
  • MultiByteToWideChar
  • WideCharToMultiByte
  • CreateDirectoryW
  • GetFileAttributesW
  • SearchPathW
  • GetModuleFileNameW
  • GetVolumeInformationW
  • GetSystemDefaultUILanguage
  • FreeLibrary
  • LoadLibraryW
  • GetSystemTime
  • LeaveCriticalSection
  • Sleep
  • TryEnterCriticalSection
  • Process32NextW
  • Process32FirstW
  • CreateToolhelp32Snapshot
  • WritePrivateProfileStringW
  • GetPrivateProfileStringW
  • CloseHandle
  • CreateFileW
  • GetDriveTypeW
  • GetLogicalDrives
  • GetVersionExW
  • DeviceIoControl
  • IsDebuggerPresent
  • Import File - USER32.dll
  • IsIconic
  • SetPropW
  • RegisterWindowMessageW
  • RemovePropW
  • ModifyMenuW
  • GetCursorPos
  • DrawIcon
  • SetMenuDefaultItem
  • GetSystemMetrics
  • GetSubMenu
  • LoadMenuW
  • PostMessageW
  • LoadIconW
  • LoadBitmapW
  • LoadStringW
  • CharUpperW
  • SetForegroundWindow
  • SetTimer
  • GetDesktopWindow
  • GetWindowRect
  • FindWindowW
  • KillTimer
  • PtInRect
  • GetClientRect
  • SendMessageW
  • MessageBoxW
  • InvalidateRect
  • UpdateWindow
  • EnableWindow
  • Import File - GDI32.dll
  • GetTextExtentPoint32W
  • Import File - ADVAPI32.dll
  • RegOpenKeyExW
  • RegCloseKey
  • RegDeleteValueW
  • RegEnumValueW
  • RegSetValueExW
  • Import File - SHELL32.dll
  • Shell_NotifyIconW
  • ShellExecuteW
  • SHGetSpecialFolderPathW
  • Import File - COMCTL32.dll
  • InitCommonControlsEx
  • Import File - BCGCBPRO1500u80.dll
  • ??0CBCGPURLLinkButton@@QAE@XZ
  • ?Close@CBCGPRegistry@@UAEXXZ
  • ??1CBCGPButton@@UAE@XZ
  • ??0CBCGPButton@@QAE@XZ
  • ?Write@CBCGPRegistry@@UAEHPB_W0@Z
  • ?SetTooltip@CBCGPButton@@QAEXPB_W@Z
  • ??0CBCGPDialog@@QAE@IPAVCWnd@@@Z
  • ??1CBCGPURLLinkButton@@UAE@XZ
  • ?OnOK@CBCGPDialog@@MAEXXZ
  • ?GetThisClass@CBCGPDialog@@SGPAUCRuntimeClass@@XZ
  • ?OnInitDialog@CBCGPDialog@@MAEHXZ
  • ??1CBCGPRegistry@@UAE@XZ
  • ?AdjustControlsLayout@CBCGPDialog@@UAEXXZ
  • ?SetStyle@CBCGPVisualManager2010@@SAHW4Style@1@PB_W@Z
  • ?OnDrawBackstageWatermark@CBCGPDialog@@UAEXPAVCDC@@VCRect@@@Z
  • ?SetDefaultManager@CBCGPVisualManager@@SAXPAUCRuntimeClass@@@Z
  • ?OnCancel@CBCGPDialog@@MAEXXZ
  • ?PreInitDialog@CBCGPDialog@@MAEXXZ
  • ?GetThisMessageMap@CBCGPDialog@@KGPBUAFX_MSGMAP@@XZ
  • ?DoModal@CBCGPDialog@@UAEHXZ
  • ?PreTranslateMessage@CBCGPButton@@UAEHPAUtagMSG@@@Z
  • ?SetURL@CBCGPURLLinkButton@@QAEXPB_W@Z
  • ?globalData@@3UBCGPGLOBAL_DATA@@A
  • ?GetThisClass@CBCGPVisualManager2010@@SGPAUCRuntimeClass@@XZ
  • ?OnCommand@CBCGPDialog@@MAEHIJ@Z
  • ?EnableVisualManagerStyle@CBCGPDialog@@QAEXHHPBV?$CList@II@@@Z
  • ?SetBackgroundColor@CBCGPDialog@@QAEXKH@Z
  • ?PreTranslateMessage@CBCGPDialog@@UAEHPAUtagMSG@@@Z
  • ?SetDescription@CBCGPButton@@QAEXPB_W@Z
  • ?SetMouseCursorHand@CBCGPButton@@QAEXXZ
  • ?SetImage@CBCGPButton@@QAEXIII@Z
  • ??1CBCGPDialog@@UAE@XZ
  • ?Open@CBCGPRegistry@@UAEHPB_W@Z
  • ?Read@CBCGPRegistry@@UAEHPB_WAAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
  • ?GetRuntimeClass@CBCGPComboBox@@UBEPAUCRuntimeClass@@XZ
  • ?GetMessageMap@CBCGPComboBox@@MBEPBUAFX_MSGMAP@@XZ
  • ??0CBCGPComboBox@@QAE@XZ
  • ??1CBCGPComboBox@@UAE@XZ
  • ?OnDrawBorder@CBCGPButton@@MAEXPAVCDC@@AAVCRect@@I@Z
  • ?OnDrawFocusRect@CBCGPButton@@MAEXPAVCDC@@ABVCRect@@@Z
  • ?OnDraw@CBCGPButton@@MAEXPAVCDC@@ABVCRect@@I@Z
  • ?SelectFont@CBCGPButton@@MAEPAVCFont@@PAVCDC@@@Z
  • ?GetImageHorzMargin@CBCGPButton@@MBEHXZ
  • ?GetVertMargin@CBCGPButton@@MBEHXZ
  • ?GetThisMessageMap@CBCGPButton@@KGPBUAFX_MSGMAP@@XZ
  • ?GetInstance@CBCGPVisualManager@@SAPAV1@XZ
  • ?GetRuntimeClass@CBCGPButton@@UBEPAUCRuntimeClass@@XZ
  • ?PreSubclassWindow@CBCGPButton@@MAEXXZ
  • ?PreCreateWindow@CBCGPButton@@MAEHAAUtagCREATESTRUCTW@@@Z
  • ?DrawItem@CBCGPButton@@UAEXPAUtagDRAWITEMSTRUCT@@@Z
  • ?CleanUp@CBCGPButton@@UAEXXZ
  • ?SizeToContent@CBCGPButton@@UAE?AVCSize@@H@Z
  • ?OnDrawParentBackground@CBCGPButton@@UAEXPAVCDC@@VCRect@@@Z
  • ?DoDrawItem@CBCGPButton@@MAEXPAVCDC@@VCRect@@I@Z
  • ?OnFillBackground@CBCGPButton@@MAEXPAVCDC@@ABVCRect@@@Z
  • ?OnDrawText@CBCGPButton@@MAEXPAVCDC@@ABVCRect@@ABV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@II@Z
  • ?CreateKey@CBCGPRegistry@@UAEHPB_W@Z
  • ??1CBCGPStatic@@UAE@XZ
  • ??0CBCGPStatic@@QAE@XZ
  • ??0CBCGPListCtrl@@QAE@XZ
  • ??1CBCGPListCtrl@@UAE@XZ
  • ??0CBCGPAnimCtrl@@QAE@XZ
  • ??1CBCGPAnimCtrl@@UAE@XZ
  • ?SetBitmap@CBCGPAnimCtrl@@QAEHPAVCImageList@@H@Z
  • ?Play@CBCGPAnimCtrl@@QAEHI@Z
  • ?Stop@CBCGPAnimCtrl@@QAEHXZ
  • ?BCGM_CHANGEVISUALMANAGER@@3IA
  • ?SetBackgroundImage@CBCGPDialog@@QAEHIW4BackgroundLocation@1@H@Z
  • ?SaveState@CBCGPWorkspace@@UAEHPB_WPAVCBCGPFrameImpl@@@Z
  • ?OnViewDoubleClick@CBCGPWorkspace@@UAEHPAVCWnd@@H@Z
  • ?ShowPopupMenu@CBCGPWorkspace@@UAEHIABVCPoint@@PAVCWnd@@@Z
  • ?OnAppContextHelp@CBCGPWorkspace@@UAEXPAVCWnd@@QBK@Z
  • ?OnBCGPIdle@CBCGPWorkspace@@UAEHPAVCWnd@@@Z
  • ?OnSelectSkin@CBCGPWorkspace@@UAEXXZ
  • ?OnClosingMainFrame@CBCGPWorkspace@@MAEXPAVCBCGPFrameImpl@@@Z
  • ?PreLoadState@CBCGPWorkspace@@MAEXXZ
  • ?BCGCBProCleanUp@@YAXXZ
  • ?LoadCustomState@CBCGPWorkspace@@MAEXXZ
  • ?PreSaveState@CBCGPWorkspace@@MAEXXZ
  • ?SaveCustomState@CBCGPWorkspace@@MAEXXZ
  • ?LoadWindowPlacement@CBCGPWorkspace@@MAEHAAVCRect@@AAH1@Z
  • ?StoreWindowPlacement@CBCGPWorkspace@@MAEHABVCRect@@HH@Z
  • ?OnMouseMove@CBCGPButton@@IAEXIVCPoint@@@Z
  • ?ReloadWindowPlacement@CBCGPWorkspace@@MAEHPAVCFrameWnd@@@Z
  • ??0CBCGPWorkspace@@QAE@H@Z
  • ??1CBCGPWorkspace@@UAE@XZ
  • ?SetDPIAware@BCGPGLOBAL_DATA@@QAEHXZ
  • ?OnAfterDownloadSkins@CBCGPWorkspace@@UAEXABV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
  • ?LoadState@CBCGPWorkspace@@UAEHPB_WPAVCBCGPFrameImpl@@@Z
  • ?CleanState@CBCGPWorkspace@@UAEHPB_W@Z
  • ?GetRuntimeClass@CBCGPDialog@@UBEPAUCRuntimeClass@@XZ
  • ?Read@CBCGPRegistry@@UAEHPB_WAAK@Z
  • ?Write@CBCGPRegistry@@UAEHPB_WK@Z
  • ??0CBCGPRegistry@@QAE@HH@Z
  • Import File - MSVCP80.dll
  • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
  • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
  • ?close@?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ
  • ??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@XZ
  • ??_D?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ
  • ??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
  • ?compare@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEHPB_W@Z
  • ?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
  • ??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
  • ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
  • ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
  • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@II@Z
  • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
  • ?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
  • ??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
  • ?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
  • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
  • Import File - WS2_32.dll
  • Imported by ordinal only: 0x00000073 (115), which in WS2_32.dll is WSAStartup
  • Import File - WININET.dll
  • DeleteUrlCacheEntryW
  • FindCloseUrlCache
  • FindFirstUrlCacheEntryW
  • FindNextUrlCacheEntryW

Measured against the categories above, the imports that deserve a second look are: registry modification (RegSetValueExW, RegDeleteValueW, RegEnumValueW), process enumeration (CreateToolhelp32Snapshot, Process32FirstW/NextW), direct device access (DeviceIoControl together with GetLogicalDrives and GetDriveTypeW), browser cache enumeration and deletion (the WININET.dll functions), a debugger check (IsDebuggerPresent), and INI-file persistence (WritePrivateProfileStringW). The only network import is WSAStartup by ordinal; no socket, connect or send function is imported by name. Each of these is also what a legitimate USB device guard would use, so the import table alone does not decide the verdict; it tells the analyst which behaviors to confirm dynamically.

  • These are my analysis results for this malicious file. If you have any questions, or any problems that cannot be resolved, you can leave a message or email me.
    Copyright statement: The above data is obtained by my analysis, and without authorization, you may not copy or reprint it.
    Copyright © 2016-2020 mygoodtools.com All rights reserved.