explorer.exe Binary Code Analysis - File Md5: a37f24bf921b2ed13b4ac356c40b2f73
    File hash value: a37f24bf921b2ed13b4ac356c40b2f73. This is a 32-bit EXE file, 1 MB in size. This page analyzes the binary code of the file, that is, its PE file format. Understanding the content requires some computer expertise; it is provided mainly for people who work in computer security, in the hope of contributing to that cause.

    If you are a regular computer user and do not understand this content, you can click the file name below to view solutions for the various problems this file can cause.

    You can also download the repair tool directly to fix your operating system.

    File Binary Code Analysis:

    DOS Stub
    ...
    .text SECTION #1
    .data SECTION #2
    .rsrc SECTION #3
    .reloc SECTION #4
    gbcilcn SECTION #5
    DOS Header
    Type   Name          Value                Memo
    WORD   e_magic       0x00005A4D           DOS Sign
    WORD   e_cblp        0x00000090           Bytes on last page of file
    WORD   e_cp          0x00000003           Pages in file
    WORD   e_crlc        0x00000000           Relocations
    WORD   e_cparhdr     0x00000004           Size of header in paragraphs
    WORD   e_minalloc    0x00000000           Minimum extra paragraphs needed
    WORD   e_maxalloc    0x0000FFFF           Maximum extra paragraphs needed
    WORD   e_ss          0x00000000           Initial (relative) SS value
    WORD   e_sp          0x000000B8           Initial SP value
    WORD   e_csum        0x00000000           Checksum
    WORD   e_ip          0x00000000           Initial IP value
    WORD   e_cs          0x00000000           Initial (relative) CS value
    WORD   e_lfarlc      0x00000040           File address of relocation table
    WORD   e_ovno        0x00000000           Overlay number
    WORD   e_res[4]      [0..3]=0x00000000    Reserved words
    WORD   e_oemid       0x00000000           OEM identifier (for e_oeminfo)
    WORD   e_oeminfo     0x00000000           OEM information; e_oemid specific
    WORD   e_res2[10]    [1..10]=0x00000000   Reserved words
    WORD   e_lfanew      0x000000D8           PE File Header address
    NT HEADER - NT File Signature
    Type   Name        Value        Memo
    DWORD  Signature   0x00004550   PE File Sign: "PE"
    NT HEADER - FILE HEADER
    Type   Name                   Value        Memo
    WORD   Machine                0x0000014C   File Bit (32 Bit Or 64 Bit)
    WORD   NumberOfSections       0x00000005   Number Of Sections
    DWORD  TimeDateStamp          0x44951418   File Create Time
    DWORD  PointerToSymbolTable   0x00000000   Pointer To Symbol Table
    DWORD  NumberOfSymbols        0x00000000   Number Of Symbols
    WORD   SizeOfOptionalHeader   0x000000E0   Size Of Optional Header
    WORD   Characteristics        0x0000010E   File Type: (EXE or DLL)
    NT HEADER - OPTIONAL HEADER
    Type   Name                          Value        Memo
    WORD   Magic                         0x0000010B   Magic
    BYTE   MajorLinkerVersion            0x00000007   Major Linker Version
    BYTE   MinorLinkerVersion            0x0000000A   Minor Linker Version
    DWORD  SizeOfCode                    0x00044E00   Size Of Code
    DWORD  SizeOfInitializedData         0x000B7A00   Size Of Initialized Data
    DWORD  SizeOfUninitializedData       0x00000000   Size Of Uninitialized Data
    DWORD  AddressOfEntryPoint           0x0001A56F   Address Of Entry Point
    DWORD  BaseOfCode                    0x00001000   Base Of Code
    DWORD  BaseOfData                    0x00044000   Base Of Data
    DWORD  ImageBase                     0x01000000   Image Base
    DWORD  SectionAlignment              0x00001000   Section Alignment
    DWORD  FileAlignment                 0x00000200   File Alignment
    WORD   MajorOperatingSystemVersion   0x00000005   Major Operating System Version
    WORD   MinorOperatingSystemVersion   0x00000001   Minor Operating System Version
    WORD   MajorImageVersion             0x00000005   Major Image Version
    WORD   MinorImageVersion             0x00000001   Minor Image Version
    WORD   MajorSubsystemVersion         0x00000004   Major Subsystem Version
    WORD   MinorSubsystemVersion         0x0000000A   Minor Subsystem Version
    DWORD  Win32VersionValue             0x00000000   Win32 Version Value
    DWORD  SizeOfImage                   0x00107000   Size Of Image
    DWORD  SizeOfHeaders                 0x00000400   Size Of Headers
    DWORD  CheckSum                      0x00000000   Check Sum
    WORD   Subsystem                     0x00000002   Subsystem
    WORD   DllCharacteristics            0x00008000   Dll Characteristics
    DWORD  SizeOfStackReserve            0x00040000   Size Of Stack Reserve
    DWORD  SizeOfStackCommit             0x0000E000   Size Of Stack Commit
    DWORD  SizeOfHeapReserve             0x00100000   Size Of Heap Reserve
    DWORD  SizeOfHeapCommit              0x00001000   Size Of Heap Commit
    DWORD  LoaderFlags                   0x00000000   Loader Flags
    DWORD  NumberOfRvaAndSizes           0x00000010   Number Of Rva And Sizes
    NT HEADER - OPTIONAL HEADER - Data Directory
    Type   Name                               Value        Memo
    DWORD  DataDirectory[1].VirtualAddress    0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[1].Size              0x00000000   Data Directory Size
    DWORD  DataDirectory[2].VirtualAddress    0x00043070   Data Directory Virtual Address
    DWORD  DataDirectory[2].Size              0x00000118   Data Directory Size
    DWORD  DataDirectory[3].VirtualAddress    0x00048000   Data Directory Virtual Address
    DWORD  DataDirectory[3].Size              0x000B2278   Data Directory Size
    DWORD  DataDirectory[4].VirtualAddress    0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[4].Size              0x00000000   Data Directory Size
    DWORD  DataDirectory[5].VirtualAddress    0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[5].Size              0x00000000   Data Directory Size
    DWORD  DataDirectory[6].VirtualAddress    0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[6].Size              0x00000000   Data Directory Size
    DWORD  DataDirectory[7].VirtualAddress    0x00045BE8   Data Directory Virtual Address
    DWORD  DataDirectory[7].Size              0x00000038   Data Directory Size
    DWORD  DataDirectory[8].VirtualAddress    0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[8].Size              0x00000000   Data Directory Size
    DWORD  DataDirectory[9].VirtualAddress    0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[9].Size              0x00000000   Data Directory Size
    DWORD  DataDirectory[10].VirtualAddress   0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[10].Size             0x00000000   Data Directory Size
    DWORD  DataDirectory[11].VirtualAddress   0x0002ACA0   Data Directory Virtual Address
    DWORD  DataDirectory[11].Size             0x00000040   Data Directory Size
    DWORD  DataDirectory[12].VirtualAddress   0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[12].Size             0x00000000   Data Directory Size
    DWORD  DataDirectory[13].VirtualAddress   0x00001000   Data Directory Virtual Address
    DWORD  DataDirectory[13].Size             0x00000984   Data Directory Size
    DWORD  DataDirectory[14].VirtualAddress   0x00042D1C   Data Directory Virtual Address
    DWORD  DataDirectory[14].Size             0x000000C0   Data Directory Size
    DWORD  DataDirectory[15].VirtualAddress   0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[15].Size             0x00000000   Data Directory Size
    DWORD  DataDirectory[16].VirtualAddress   0x00000000   Data Directory Virtual Address
    DWORD  DataDirectory[16].Size             0x00000000   Data Directory Size
    SECTION #1
    Type   Name                   Value        Memo
    BYTE   Name                   .text        Section Name
    DWORD  VirtualSize            0x00044C49   Section Virtual Size
    DWORD  VirtualAddress         0x00001000   Section Virtual Address
    DWORD  SizeOfRawData          0x00044E00   Section Size Of Raw Data
    DWORD  PointerToRawData       0x00000400   Section Pointer To Raw Data
    DWORD  PointerToRelocations   0x00000000   Section Pointer To Relocations
    DWORD  PointerToLinenumbers   0x00000000   Section Pointer To Linenumbers
    WORD   NumberOfRelocations    0x00000000   Section Number Of Relocations
    WORD   NumberOfLinenumbers    0x00000000   Section Number Of Linenumbers
    DWORD  Characteristics        0xE0000020   Section Characteristics
    SECTION #2
    Type   Name                   Value        Memo
    BYTE   Name                   .data        Section Name
    DWORD  VirtualSize            0x00001DB4   Section Virtual Size
    DWORD  VirtualAddress         0x00046000   Section Virtual Address
    DWORD  SizeOfRawData          0x00001800   Section Size Of Raw Data
    DWORD  PointerToRawData       0x00045200   Section Pointer To Raw Data
    DWORD  PointerToRelocations   0x00000000   Section Pointer To Relocations
    DWORD  PointerToLinenumbers   0x00000000   Section Pointer To Linenumbers
    WORD   NumberOfRelocations    0x00000000   Section Number Of Relocations
    WORD   NumberOfLinenumbers    0x00000000   Section Number Of Linenumbers
    DWORD  Characteristics        0xC0000040   Section Characteristics
    SECTION #3
    Type   Name                   Value        Memo
    BYTE   Name                   .rsrc        Section Name
    DWORD  VirtualSize            0x000B2278   Section Virtual Size
    DWORD  VirtualAddress         0x00048000   Section Virtual Address
    DWORD  SizeOfRawData          0x000B2400   Section Size Of Raw Data
    DWORD  PointerToRawData       0x00046A00   Section Pointer To Raw Data
    DWORD  PointerToRelocations   0x00000000   Section Pointer To Relocations
    DWORD  PointerToLinenumbers   0x00000000   Section Pointer To Linenumbers
    WORD   NumberOfRelocations    0x00000000   Section Number Of Relocations
    WORD   NumberOfLinenumbers    0x00000000   Section Number Of Linenumbers
    DWORD  Characteristics        0x40000040   Section Characteristics
    SECTION #4
    Type   Name                   Value        Memo
    BYTE   Name                   .reloc       Section Name
    DWORD  VirtualSize            0x0000A800   Section Virtual Size
    DWORD  VirtualAddress         0x000FB000   Section Virtual Address
    DWORD  SizeOfRawData          0x0000A400   Section Size Of Raw Data
    DWORD  PointerToRawData       0x000F8E00   Section Pointer To Raw Data
    DWORD  PointerToRelocations   0x00000000   Section Pointer To Relocations
    DWORD  PointerToLinenumbers   0x00000000   Section Pointer To Linenumbers
    WORD   NumberOfRelocations    0x00000000   Section Number Of Relocations
    WORD   NumberOfLinenumbers    0x00000000   Section Number Of Linenumbers
    DWORD  Characteristics        0xE0000060   Section Characteristics
    SECTION #5
    Type   Name                   Value        Memo
    BYTE   Name                   gbcilcn      Section Name
    DWORD  VirtualSize            0x00001000   Section Virtual Size
    DWORD  VirtualAddress         0x00106000   Section Virtual Address
    DWORD  SizeOfRawData          0x00000000   Section Size Of Raw Data
    DWORD  PointerToRawData       0x00103200   Section Pointer To Raw Data
    DWORD  PointerToRelocations   0x00000000   Section Pointer To Relocations
    DWORD  PointerToLinenumbers   0x00000000   Section Pointer To Linenumbers
    WORD   NumberOfRelocations    0x00000000   Section Number Of Relocations
    WORD   NumberOfLinenumbers    0x00000000   Section Number Of Linenumbers
    DWORD  Characteristics        0xC0000000   Section Characteristics

  • Called external files and functions:
    In general, malicious files call these kinds of functions: functions that intercept data, network functions, functions that modify registry information, functions that access the browser's private cookies, and functions that bypass the system to read hard disk data directly. (Hint: the files below may be called by malicious files, but they are not necessarily malicious themselves; they may be normal system files.)
    Import File - ADVAPI32.dll
  • RegSetValueW
  • RegEnumKeyExW
  • GetUserNameW
  • RegNotifyChangeKeyValue
  • RegEnumValueW
  • RegQueryValueExA
  • RegOpenKeyExA
  • RegEnumKeyW
  • RegCloseKey
  • RegCreateKeyW
  • RegQueryInfoKeyW
  • RegOpenKeyExW
  • RegQueryValueExW
  • RegCreateKeyExW
  • RegSetValueExW
  • RegDeleteValueW
  • RegQueryValueW
  • Import File - BROWSEUI.dll
  • Function Address 0x00000076
  • Function Address 0x00000087
  • Function Address 0x0000006B
  • Function Address 0x0000006A
  • Import File - GDI32.dll
  • GetStockObject
  • CreatePatternBrush
  • OffsetViewportOrgEx
  • GetLayout
  • CombineRgn
  • CreateDIBSection
  • GetTextExtentPoint32W
  • StretchBlt
  • CreateRectRgnIndirect
  • CreateRectRgn
  • GetClipRgn
  • IntersectClipRect
  • GetViewportOrgEx
  • SetViewportOrgEx
  • SelectClipRgn
  • PatBlt
  • GetBkColor
  • CreateCompatibleDC
  • CreateCompatibleBitmap
  • OffsetWindowOrgEx
  • DeleteDC
  • SetBkColor
  • BitBlt
  • ExtTextOutW
  • GetTextExtentPointW
  • GetClipBox
  • GetObjectW
  • SetTextColor
  • SetBkMode
  • CreateFontIndirectW
  • DeleteObject
  • GetTextMetricsW
  • SelectObject
  • GetDeviceCaps
  • TranslateCharsetInfo
  • SetStretchBltMode
  • Import File - KERNEL32.dll
  • GetSystemDirectoryW
  • CreateThread
  • CreateJobObjectW
  • ExitProcess
  • SetProcessShutdownParameters
  • ReleaseMutex
  • CreateMutexW
  • SetPriorityClass
  • GetCurrentProcess
  • GetStartupInfoW
  • GetCommandLineW
  • SetErrorMode
  • LeaveCriticalSection
  • EnterCriticalSection
  • ResetEvent
  • LoadLibraryExA
  • CompareFileTime
  • GetSystemTimeAsFileTime
  • SetThreadPriority
  • GetCurrentThreadId
  • GetThreadPriority
  • GetCurrentThread
  • GetUserDefaultLangID
  • Sleep
  • GetBinaryTypeW
  • GetModuleHandleExW
  • SystemTimeToFileTime
  • GetLocalTime
  • GetCurrentProcessId
  • GetEnvironmentVariableW
  • UnregisterWait
  • GlobalGetAtomNameW
  • GetFileAttributesW
  • MoveFileW
  • lstrcmpW
  • LoadLibraryExW
  • FindClose
  • FindNextFileW
  • FindFirstFileW
  • lstrcmpiA
  • SetEvent
  • AssignProcessToJobObject
  • GetDateFormatW
  • GetTimeFormatW
  • FlushInstructionCache
  • lstrcpynW
  • GetSystemWindowsDirectoryW
  • SetLastError
  • GetProcessHeap
  • HeapFree
  • HeapReAlloc
  • HeapSize
  • HeapAlloc
  • GetUserDefaultLCID
  • ReadProcessMemory
  • OpenProcess
  • InterlockedCompareExchange
  • LoadLibraryA
  • QueryPerformanceCounter
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • VirtualFree
  • VirtualAlloc
  • ResumeThread
  • TerminateProcess
  • TerminateThread
  • GetSystemDefaultLCID
  • GetLocaleInfoW
  • CreateEventW
  • GetLastError
  • OpenEventW
  • DelayLoadFailureHook
  • WaitForSingleObject
  • GetTickCount
  • ExpandEnvironmentStringsW
  • GetModuleFileNameW
  • GetPrivateProfileStringW
  • lstrcmpiW
  • CreateProcessW
  • FreeLibrary
  • GetWindowsDirectoryW
  • LocalAlloc
  • CreateFileW
  • DeviceIoControl
  • LocalFree
  • GetQueuedCompletionStatus
  • CreateIoCompletionPort
  • SetInformationJobObject
  • CloseHandle
  • LoadLibraryW
  • GetModuleHandleW
  • ActivateActCtx
  • DeactivateActCtx
  • GetFileAttributesExW
  • GetProcAddress
  • DeleteCriticalSection
  • CreateEventA
  • HeapDestroy
  • InitializeCriticalSection
  • MulDiv
  • InitializeCriticalSectionAndSpinCount
  • lstrlenW
  • InterlockedDecrement
  • InterlockedIncrement
  • GlobalAlloc
  • InterlockedExchange
  • GetModuleHandleA
  • GetVersionExA
  • GlobalFree
  • GetProcessTimes
  • lstrcpyW
  • GetLongPathNameW
  • RegisterWaitForSingleObject
  • Import File - msvcrt.dll
  • _itow
  • free
  • memmove
  • realloc
  • _except_handler3
  • malloc
  • _ftol
  • _vsnwprintf
  • Import File - ntdll.dll
  • RtlNtStatusToDosError
  • NtQueryInformationProcess
  • Import File - ole32.dll
  • CoFreeUnusedLibraries
  • RegisterDragDrop
  • CreateBindCtx
  • RevokeDragDrop
  • CoInitializeEx
  • CoUninitialize
  • OleInitialize
  • CoRevokeClassObject
  • CoRegisterClassObject
  • CoMarshalInterThreadInterfaceInStream
  • CoCreateInstance
  • OleUninitialize
  • DoDragDrop
  • Import File - OLEAUT32.dll
  • Function Address 0x00000002
  • Function Address 0x00000009
  • Import File - SHDOCVW.dll
  • Function Address 0x0000006E
  • Function Address 0x0000007D
  • Function Address 0x0000006F
  • Import File - SHELL32.dll
  • Function Address 0x000000B6
  • Function Address 0x000000A2
  • SHGetFolderPathW
  • Function Address 0x00000043
  • Function Address 0x00000048
  • Function Address 0x0000005A
  • Function Address 0x000000B5
  • Function Address 0x000002D7
  • ExtractIconExW
  • Function Address 0x00000089
  • Function Address 0x00000285
  • Function Address 0x00000284
  • Function Address 0x00000002
  • Function Address 0x000000EC
  • Function Address 0x00000095
  • Function Address 0x00000093
  • Function Address 0x000000BC
  • Function Address 0x00000294
  • Function Address 0x000000C9
  • Function Address 0x000000F5
  • Function Address 0x00000044
  • Function Address 0x000002D3
  • Function Address 0x000000C8
  • SHGetSpecialFolderLocation
  • ShellExecuteExW
  • Function Address 0x00000064
  • Function Address 0x00000055
  • Function Address 0x0000028D
  • SHGetSpecialFolderPathW
  • Function Address 0x000000C4
  • Function Address 0x00000019
  • Function Address 0x00000098
  • SHBindToParent
  • Function Address 0x000002CF
  • Function Address 0x000002DC
  • Function Address 0x00000094
  • SHParseDisplayName
  • Function Address 0x0000009A
  • Function Address 0x0000004D
  • Function Address 0x00000006
  • Function Address 0x000000C1
  • Function Address 0x000002EB
  • Function Address 0x00000047
  • Function Address 0x00000011
  • Function Address 0x00000017
  • Function Address 0x00000084
  • Function Address 0x000002A8
  • Function Address 0x000000E9
  • Function Address 0x000000C3
  • Function Address 0x0000009B
  • Function Address 0x00000059
  • Function Address 0x000000F1
  • Function Address 0x00000086
  • Function Address 0x00000016
  • SHChangeNotify
  • SHGetDesktopFolder
  • SHAddToRecentDocs
  • Function Address 0x0000007F
  • Function Address 0x00000015
  • Function Address 0x00000066
  • DuplicateIcon
  • Function Address 0x000000CA
  • Function Address 0x00000052
  • Function Address 0x000000F4
  • Function Address 0x00000036
  • Function Address 0x000000A1
  • Function Address 0x0000005B
  • Function Address 0x000000FE
  • Function Address 0x0000003C
  • SHUpdateRecycleBinIcon
  • SHGetFolderLocation
  • SHGetPathFromIDListA
  • Function Address 0x000002C7
  • Function Address 0x000002DB
  • Function Address 0x00000004
  • Function Address 0x000002DD
  • Function Address 0x000000BE
  • Function Address 0x00000040
  • Function Address 0x0000003D
  • SHGetPathFromIDListW
  • Function Address 0x000002F1
  • Function Address 0x00000010
  • Function Address 0x00000012
  • Import File - SHLWAPI.dll
  • StrCpyNW
  • Function Address 0x000000D7
  • Function Address 0x000000D9
  • Function Address 0x000001DC
  • Function Address 0x0000009D
  • StrRetToBufW
  • StrRetToStrW
  • Function Address 0x000000B0
  • Function Address 0x0000009A
  • Function Address 0x000001B7
  • Function Address 0x0000009C
  • SHQueryValueExW
  • PathIsNetworkPathW
  • Function Address 0x00000201
  • AssocCreate
  • Function Address 0x00000200
  • Function Address 0x000000AB
  • Function Address 0x000000B2
  • Function Address 0x000000B1
  • Function Address 0x000000C1
  • StrCatW
  • StrCpyW
  • Function Address 0x000000E1
  • Function Address 0x0000019D
  • Function Address 0x000000DB
  • Function Address 0x000000AF
  • Function Address 0x000000A4
  • Function Address 0x000000AC
  • SHGetValueW
  • Function Address 0x000001B5
  • StrCmpNIW
  • PathRemoveBlanksW
  • PathRemoveArgsW
  • PathFindFileNameW
  • StrStrIW
  • PathGetArgsW
  • Function Address 0x00000233
  • StrToIntW
  • SHRegGetBoolUSValueW
  • SHRegWriteUSValueW
  • SHRegCloseUSKey
  • SHRegCreateUSKeyW
  • SHRegGetUSValueW
  • SHSetValueW
  • Function Address 0x000001B1
  • PathAppendW
  • PathUnquoteSpacesW
  • Function Address 0x000001CC
  • Function Address 0x000000C2
  • PathQuoteSpacesW
  • Function Address 0x000000F4
  • SHSetThreadRef
  • SHCreateThreadRef
  • Function Address 0x000000F1
  • Function Address 0x000000EC
  • Function Address 0x00000117
  • PathCombineW
  • Function Address 0x000000C0
  • Function Address 0x000000CC
  • Function Address 0x000001FD
  • SHStrDupW
  • PathIsPrefixW
  • PathParseIconLocationW
  • AssocQueryKeyW
  • Function Address 0x00000010
  • AssocQueryStringW
  • StrCmpW
  • Function Address 0x000000AE
  • Function Address 0x00000224
  • Function Address 0x000000A5
  • Function Address 0x000000F0
  • Function Address 0x000000A3
  • Function Address 0x000001DF
  • Function Address 0x00000009
  • Function Address 0x00000008
  • SHRegQueryUSValueW
  • SHRegOpenUSKeyW
  • SHRegSetUSValueW
  • PathIsDirectoryW
  • PathFileExistsW
  • PathGetDriveNumberW
  • Function Address 0x0000000A
  • StrChrW
  • PathFindExtensionW
  • Function Address 0x00000104
  • Function Address 0x00000124
  • PathRemoveFileSpecW
  • PathStripToRootW
  • Function Address 0x000000FA
  • Function Address 0x000001DE
  • Function Address 0x000000B8
  • SHOpenRegStream2W
  • Function Address 0x000000D4
  • Function Address 0x000000D5
  • Function Address 0x0000009E
  • StrDupW
  • SHDeleteValueW
  • StrCatBuffW
  • SHDeleteKeyW
  • StrCmpIW
  • Function Address 0x000001D3
  • Function Address 0x0000015A
  • wnsprintfW
  • Function Address 0x000000C5
  • Function Address 0x00000116
  • StrCmpNW
  • Function Address 0x000000ED
  • Function Address 0x000000C7
  • Import File - USER32.dll
  • TileWindows
  • GetDoubleClickTime
  • GetSystemMetrics
  • GetSysColorBrush
  • AllowSetForegroundWindow
  • LoadMenuW
  • GetSubMenu
  • RemoveMenu
  • SetParent
  • GetMessagePos
  • CheckDlgButton
  • EnableWindow
  • GetDlgItemInt
  • SetDlgItemInt
  • CopyIcon
  • AdjustWindowRectEx
  • DrawFocusRect
  • DrawEdge
  • ExitWindowsEx
  • WindowFromPoint
  • SetRect
  • AppendMenuW
  • LoadAcceleratorsW
  • LoadBitmapW
  • SendNotifyMessageW
  • SetWindowPlacement
  • CheckMenuItem
  • EndDialog
  • SendDlgItemMessageW
  • MessageBeep
  • GetActiveWindow
  • PostQuitMessage
  • MoveWindow
  • GetDlgItem
  • RemovePropW
  • GetClassNameW
  • GetDCEx
  • SetCursorPos
  • ChildWindowFromPoint
  • ChangeDisplaySettingsW
  • RegisterHotKey
  • UnregisterHotKey
  • SetCursor
  • SendMessageTimeoutW
  • GetWindowPlacement
  • LoadImageW
  • SetWindowRgn
  • IntersectRect
  • OffsetRect
  • EnumDisplayMonitors
  • RedrawWindow
  • SubtractRect
  • TranslateAcceleratorW
  • WaitMessage
  • InflateRect
  • CallWindowProcW
  • GetDlgCtrlID
  • SetCapture
  • LockSetForegroundWindow
  • SystemParametersInfoW
  • FindWindowW
  • CreatePopupMenu
  • GetMenuDefaultItem
  • DestroyMenu
  • GetShellWindow
  • EnumChildWindows
  • GetWindowLongW
  • SendMessageW
  • RegisterWindowMessageW
  • GetKeyState
  • CopyRect
  • MonitorFromRect
  • MonitorFromPoint
  • RegisterClassW
  • SetPropW
  • GetWindowLongA
  • SetWindowLongW
  • FillRect
  • GetCursorPos
  • MessageBoxW
  • LoadStringW
  • ReleaseDC
  • GetDC
  • EnumDisplaySettingsExW
  • EnumDisplayDevicesW
  • PostMessageW
  • DispatchMessageW
  • TranslateMessage
  • GetMessageW
  • PeekMessageW
  • PtInRect
  • BeginPaint
  • EndPaint
  • SetWindowTextW
  • GetAsyncKeyState
  • InvalidateRect
  • GetWindow
  • ShowWindowAsync
  • TrackPopupMenuEx
  • UpdateWindow
  • DestroyIcon
  • IsRectEmpty
  • SetActiveWindow
  • GetSysColor
  • DrawTextW
  • IsHungAppWindow
  • SetTimer
  • GetMenuItemID
  • TrackPopupMenu
  • EndTask
  • SendMessageCallbackW
  • GetClassLongW
  • LoadIconW
  • OpenInputDesktop
  • CloseDesktop
  • SetScrollPos
  • ShowWindow
  • BringWindowToTop
  • GetDesktopWindow
  • CascadeWindows
  • CharUpperBuffW
  • SwitchToThisWindow
  • InternalGetWindowText
  • GetScrollInfo
  • GetMenuItemCount
  • CreateWindowExW
  • DialogBoxParamW
  • MsgWaitForMultipleObjects
  • CharNextA
  • RegisterClipboardFormatW
  • EndDeferWindowPos
  • DeferWindowPos
  • BeginDeferWindowPos
  • PrintWindow
  • SetClassLongW
  • GetPropW
  • GetNextDlgGroupItem
  • GetNextDlgTabItem
  • ChildWindowFromPointEx
  • IsChild
  • NotifyWinEvent
  • TrackMouseEvent
  • GetCapture
  • GetAncestor
  • CharUpperW
  • SetWindowLongA
  • DrawCaption
  • ModifyMenuW
  • InsertMenuW
  • IsWindowEnabled
  • GetMenuState
  • LoadCursorW
  • GetParent
  • IsDlgButtonChecked
  • DestroyWindow
  • EnumWindows
  • IsWindowVisible
  • GetClientRect
  • UnionRect
  • EqualRect
  • GetWindowThreadProcessId
  • GetForegroundWindow
  • KillTimer
  • GetClassInfoExW
  • DefWindowProcW
  • RegisterClassExW
  • GetIconInfo
  • SetScrollInfo
  • GetLastActivePopup
  • SetForegroundWindow
  • IsWindow
  • GetSystemMenu
  • IsIconic
  • IsZoomed
  • EnableMenuItem
  • SetMenuDefaultItem
  • MonitorFromWindow
  • GetMonitorInfoW
  • GetWindowInfo
  • GetFocus
  • SetFocus
  • MapWindowPoints
  • ScreenToClient
  • ClientToScreen
  • GetWindowRect
  • SetWindowPos
  • DeleteMenu
  • GetMenuItemInfoW
  • SetMenuItemInfoW
  • CharNextW
  • Import File - UxTheme.dll
  • GetThemeBackgroundContentRect
  • GetThemeBool
  • GetThemePartSize
  • DrawThemeParentBackground
  • OpenThemeData
  • DrawThemeBackground
  • GetThemeTextExtent
  • DrawThemeText
  • CloseThemeData
  • SetWindowTheme
  • GetThemeBackgroundRegion
  • Function Address 0x0000002F
  • GetThemeMargins
  • GetThemeColor
  • GetThemeFont
  • GetThemeRect
  • IsAppThemed

  • These are my analysis results for this malicious file. If you have any questions, or any problems that cannot be resolved, you can leave a message or email me.

  • You can also use the following online detection function to check the file.
  • Enter the file name, or the file MD5, for the query.
  • You can also scan a file online. Click the "Upload File" button, and then click the "Submit" button, to immediately detect whether the file is a virus. (Tip: the size of the uploaded file cannot exceed 8 MB.)


  • T21 can detect unknown files online, mainly using a "behavior-based" judgment mechanism. T21 is very simple to use.

    1. Click the "Upload File" button, select the file you want to detect, and then click "Submit".
    2. Next, wait for the system to check the file; this may take a little time, so please be patient.
    3. When the T21 scan engine finishes detection, the results are fed back immediately, as shown below:

  • If you suspect that there are malicious files on your computer but cannot find where they are, or if you want to check your computer thoroughly, you can download the automatic scanning tool.

    If you want to know what kind of system T21 is, you can click here to view the introduction to T21. You can also go to the home page to read about the original intention and philosophy behind my development of the T21 system.

    Copyright statement: The above data is obtained by my analysis, and without authorization, you may not copy or reprint it.
    Copyright © 2016-2019 mygoodtools.com All rights reserved.