1d6b4f57b709653294c18bb0fce6b6347a7c82ae5562e80af0bf2e431578deba

Sharing

Copy URL Twitter E-mail

General

Target

1d6b4f57b709653294c18bb0fce6b6347a7c82ae5562e80af0bf2e431578deba
Size

711KB
MD5

560b027153793e2c0285a634f6c34d8a
SHA1

855a227b37debfdae21fb485e13719c472abe7e4
SHA256

1d6b4f57b709653294c18bb0fce6b6347a7c82ae5562e80af0bf2e431578deba
SHA512

f1c99a40cd1965bc9272b605ffaa39cda4bfc1c6dfd6aa49956dd3361d54a8bba6899c9c20306db9b2a18e25a077d2289ce10417b98525dde80c6ad5a5a01c10
SSDEEP

12288:Mp81JtzFaldC5Drxn2T5c6+EJv/f52J72jzQVCRjrk8OWfpK5QB5XpHLl:MMfXnqa6+E935a2BlM5QDj

Score

N/A

Malware Config

Signatures

Files

1d6b4f57b709653294c18bb0fce6b6347a7c82ae5562e80af0bf2e431578deba
.rar
新建文件夹 (3)/MDMAppProv.dll
.dll regsvr32 windows x64

e86259dfae444d9642958be9de03ff90

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp110_win

?_Getcat@?$codecvt@DDH@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_BADOFF@std@@3_JB
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBGHH@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
?id@?$codecvt@DDH@std@@2V0locale@2@A
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?_Add_vtordisp2@?$basic_ios@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Add_vtordisp1@?$basic_istream@DU?$char_traits@D@std@@@std@@UEAAXXZ
?out@?$codecvt@DDH@std@@QEBAHAEAHPEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDH@std@@QEBAHAEAHPEBD1AEAPEBDPEAD3AEAPEAD@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?unshift@?$codecvt@DDH@std@@QEBAHAEAHPEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Winerror_map@std@@YAPEBDH@Z
?_Xout_of_range@std@@YAXPEBD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_alloc@std@@YAXXZ

msvcrt

??1bad_cast@@UEAA@XZ
??0bad_cast@@QEAA@AEBV0@@Z
fclose
fwrite
fgetpos
_fseeki64
fsetpos
setvbuf
fflush
ungetc
fputc
fgetc
wcstol
wcstoul
_wcsnicmp
wcstok_s
wcscpy_s
_wcsicmp
_snwprintf_s
memmove
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
__C_specific_handler
_initterm
_amsg_exit
_XcptFilter
_callnewh
wcsncmp
_wtoi
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
_vsnprintf_s
memcpy_s
_vsnwprintf
malloc
free
swprintf_s
_purecall
??3@YAXPEAX@Z
??_V@YAXPEAX@Z
__CxxFrameHandler3
??0bad_cast@@QEAA@PEBD@Z
memcpy
_CxxThrowException
memset

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
RegisterTraceGuidsW
GetTraceEnableFlags
UnregisterTraceGuids

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetSystemDirectoryW

api-ms-win-core-errorhandling-l1-1-0

SetLastError
SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter
RaiseException

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleHandleExW
LoadLibraryExW
FreeLibrary
GetProcAddress
DisableThreadLibraryCalls
GetModuleFileNameA

oleaut32

VariantClear
SysFreeString
VariantInit
SysAllocString

api-ms-win-core-com-l1-1-0

CoCreateGuid
StringFromGUID2
CoInitializeEx
CoUninitialize
CoCreateInstance
CoSetProxyBlanket

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
GetCurrentProcessId
CreateThread
GetCurrentThreadId
GetCurrentThread
OpenProcessToken
OpenThreadToken

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegCloseKey
RegCreateKeyExW
RegOpenCurrentUser
RegSetValueExW
RegDeleteValueW
RegEnumKeyExW
RegDeleteKeyExW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize
RoActivateInstance

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsCreateStringReference
WindowsDeleteString
WindowsGetStringRawBuffer

rpcrt4

UuidFromStringW
RpcStringFreeW
UuidToStringW

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-security-base-l1-1-0

CopySid
RevertToSelf
CheckTokenMembership
ImpersonateLoggedOnUser
GetLengthSid
GetTokenInformation

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
EnterCriticalSection
DeleteCriticalSection
LeaveCriticalSection
InitializeCriticalSection

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l1-1-0

DeleteFileW

shell32

SHCreateDirectoryExW
SHGetFolderPathW
SHGetSpecialFolderPathW

wtsapi32

WTSQueryUserToken

mi

MI_Application_InitializeV1

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
GetProviderClassID
MI_Main

Sections

.text
Size: 102KB - Virtual size: 101KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/MDMAppProv.mof
新建文件夹 (3)/MDMAppProv_Uninstall.mof
新建文件夹 (3)/MDMSettingsProv.dll
.dll regsvr32 windows x64

165eeaf9ca07255f3621784f2058d234

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp110_win

?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@_N@Z
?_Add_vtordisp2@?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAAXXZ
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@AEAM@Z
?_Incref@facet@locale@std@@UEAAXXZ
?in@?$codecvt@GDH@std@@QEBAHAEAHPEBD1AEAPEBDPEAG3AEAPEAG@Z
??0?$codecvt@GDH@std@@QEAA@_K@Z
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@AEA_N@Z
?is@?$ctype@G@std@@QEBA_NFG@Z
??1?$basic_istream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?snextc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGXZ
?sgetc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGXZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??Bid@locale@std@@QEAA_KXZ
?_Add_vtordisp1@?$basic_istream@GU?$char_traits@G@std@@@std@@UEAAXXZ
??0?$basic_istream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
??_7codecvt_base@std@@6B@
??1?$codecvt@GDH@std@@MEAA@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??_7_Facet_base@std@@6B@
?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QEAA_N_N@Z
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
??_7facet@locale@std@@6B@
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?id@?$ctype@G@std@@2V0locale@2@A
?id@?$codecvt@GDH@std@@2V0locale@2@A
?_Getcat@?$codecvt@GDH@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_BADOFF@std@@3_JB
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
??1_Container_base12@std@@QEAA@XZ
?_Add_vtordisp2@?$basic_ios@GU?$char_traits@G@std@@@std@@UEAAXXZ
??_7?$codecvt@GDH@std@@6B@
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Winerror_map@std@@YAPEBDH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@AEA_K@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z

msvcrt

memset
memmove
memcpy
_CxxThrowException
strcmp
swprintf_s
free
malloc
??3@YAXPEAX@Z
__CxxFrameHandler3
??_V@YAXPEAX@Z
_vsnwprintf
memcpy_s
_wcsicmp
_snwprintf_s
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
_vsnprintf_s
_wcsnicmp
_wtoi
_itow_s
wcstok_s
_wtof
wcstoul
??1bad_cast@@UEAA@XZ
??0bad_cast@@QEAA@PEBD@Z
??0bad_cast@@QEAA@AEBV0@@Z
_callnewh
_XcptFilter
_amsg_exit
_initterm
__C_specific_handler
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
??1type_info@@UEAA@XZ
rand
srand
wcsncmp
toupper
wcstombs
iswspace
?what@exception@@UEBAPEBDXZ
_strnicmp
??0exception@@QEAA@AEBQEBD@Z
vswprintf_s
wcscmp
wcstol

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetVersionExW
GetSystemTimeAsFileTime
GetSystemTime

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
DisableThreadLibraryCalls
GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameA
GetProcAddress
LoadLibraryExW

samcli

NetUserGetInfo
NetUserSetInfo

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
EnterCriticalSection
InitializeCriticalSection
CreateSemaphoreExW
DeleteCriticalSection
ReleaseSemaphore
CreateMutexExW
SetEvent
OpenSemaphoreW
LeaveCriticalSection
CreateEventExW
ReleaseMutex
WaitForSingleObjectEx

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegQueryInfoKeyW
RegEnumValueW
RegDeleteValueW
RegCreateKeyExW
RegQueryValueExW
RegGetValueW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
GetCurrentProcess
GetCurrentProcessId

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoGetActivationFactory
RoUninitialize
RoActivateInstance

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-heap-l2-1-0

LocalFree

crypt32

CertCompareCertificateName
CertGetCertificateChain
CryptProtectData
CryptUnprotectData
CryptEncodeObjectEx
CertGetEnhancedKeyUsage
CertEnumCertificatesInStore
CryptDecodeObject
CertGetNameStringW
CryptDecodeObjectEx
CertNameToStrW
CertFreeCertificateChain
CertDuplicateCertificateContext
CertFindChainInStore
CertCloseStore
CertFreeCertificateContext
CryptBinaryToStringW
CertCreateCertificateContext
CertVerifyTimeValidity
CertDeleteCertificateFromStore
CryptAcquireCertificatePrivateKey
CertAddCertificateContextToStore
CertFindCertificateInStore
CertOpenStore
CertGetCertificateContextProperty
CertStrToNameW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

oleaut32

SysAllocStringByteLen
SysStringByteLen
SysStringLen
SafeArrayCreate
SafeArrayLock
SafeArrayGetLBound
SafeArrayUnlock
SafeArrayGetUBound
SafeArrayDestroy
VariantClear
VariantInit
SysFreeString
SysAllocString

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoUninitialize
CoTaskMemAlloc
CoTaskMemFree
StringFromGUID2
CoInitializeEx
CoCreateFreeThreadedMarshaler
CoWaitForMultipleHandles

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
RevertToSelf

ncrypt

NCryptOpenStorageProvider
NCryptDeleteKey
NCryptFreeObject
NCryptGetProperty

api-ms-win-core-synch-l1-2-0

Sleep

rpcrt4

UuidFromStringW
UuidToStringW
RpcStringFreeW

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

omadmapi

ord53
ord23
ord54
ord24
ord47

deviceregistration

ord4

advapi32

SetSecurityDescriptorDacl
RegDeleteTreeW
EventActivityIdControl
EventUnregister
EventSetInformation
EventRegister
EventWriteTransfer
CryptReleaseContext
CheckTokenMembership
CryptAcquireContextW
RegDeleteKeyValueW
OpenThreadToken
OpenProcessToken
AccessCheck
InitializeSecurityDescriptor
GetLengthSid
InitializeAcl
AddAccessAllowedAce
RegDeleteKeyExW
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
IsValidSecurityDescriptor
AllocateAndInitializeSid
LsaOpenPolicy
RegEnumKeyExW
ConvertSidToStringSidW
CopySid
GetTokenInformation
LsaClose
CryptGetProvParam
LsaFreeMemory
LsaQueryInformationPolicy

bthprops.cpl

BluetoothFindFirstDevice
BluetoothGetRadioInfo
BluetoothFindRadioClose
BluetoothFindFirstRadio

kernel32

GetComputerNameW
GetComputerNameExW
CreateThread
GlobalFree
MultiByteToWideChar
FileTimeToLocalFileTime
AcquireSRWLockExclusive
InitOnceComplete
ReleaseSRWLockExclusive
GetTickCount64
GetCurrentThread
LocalAlloc
InitOnceBeginInitialize
CreateEventW
WideCharToMultiByte
CompareFileTime

mi

MI_Application_InitializeV1

ntdll

RtlIsMultiUsersInSessionSku
RtlGetDeviceFamilyInfoEnum
RtlConvertSidToUnicodeString
RtlIsStateSeparationEnabled

ole32

CoInitialize
CoInitializeSecurity

shlwapi

StrDupW

sppcext

SLActivateProduct

sppc

SLInstallProofOfPurchase
SLUninstallProofOfPurchase
SLGetProductSkuInformation
SLClose
SLConsumeRight
SLGetSLIDList
SLOpen
SLGetLicensingStatusInformation
SLGetInstalledProductKeyIds

user32

CharUpperBuffW
GetSystemMetrics

urlmon

IsValidURL
CoInternetCreateZoneManager

wscapi

WscGetSecurityProviderHealth

wtsapi32

WTSQueryUserToken

wlanapi

WlanSetProfile
WlanGetProfileList
WlanGetProfile
WlanOpenHandle
WlanFreeMemory
WlanCloseHandle
WlanEnumInterfaces
WlanDeleteProfile
WlanReasonCodeToString

easwrt

EasClientSecurityPolicyCheckCompliance

dmenrollengine

EnrollEngineInitialize

ext-ms-win-session-usermgr-l1-1-0

UMgrQueryUserContext
UMgrQueryDefaultAccountToken

combase

ord154

dmcmnutils

DmRevertToSelf
DmGetCurrentUserSid
OmaDmRegistryGetDWORD
DMSetDeviceClientID
DMGetDeviceClientID
DmImpersonate

policymanager

PolicyManager_GetPolicyStringGivenEnrollmentId
PolicyManager_GetPolicyInt
PolicyManager_FreeStringValue

winhttp

WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpWriteData
WinHttpSetOption
WinHttpOpenRequest
WinHttpSendRequest
WinHttpConnect
WinHttpSetTimeouts
WinHttpReadData
WinHttpOpen
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpSetStatusCallback
WinHttpCloseHandle

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
GetProviderClassID
MI_Main

Sections

.text
Size: 409KB - Virtual size: 409KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 189KB - Virtual size: 189KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/MDMSettingsProv.mof
新建文件夹 (3)/MDMSettingsProv_Uninstall.mof
新建文件夹 (3)/Microsoft.AppV.AppVClientWmi.mof
新建文件夹 (3)/Microsoft.Uev.AgentWmi.dll
.dll regsvr32 windows x64

467232370faa85adc23ba85b7d57978f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_wcsicmp
towlower
strchr
time
mbstowcs_s
ftell
_wfopen_s
fsetpos
fread
ferror
feof
_stricmp
_wtoi
strerror
_wfsopen
ungetc
??3@YAXPEAX@Z
setvbuf
fgetpos
_vsnprintf_s
swprintf_s
_fseeki64
fwrite
fgetc
fclose
fflush
fputc
fseek
??1type_info@@UEAA@XZ
_onexit
__dllonexit
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
isdigit
isalnum
memcmp
___lc_collate_cp_func
tolower
isspace
_Strftime
_Gettnames
__mb_cur_max
_Wcsftime
_W_Gettnames
_W_Getmonths
_W_Getdays
_Getmonths
_Getdays
ldexp
realloc
abort
__uncaught_exception
_free_locale
_get_current_locale
__crtLCMapStringA
__crtLCMapStringW
__crtCompareStringA
__crtCompareStringW
??8type_info@@QEBAHAEBV0@@Z
_wcsdup
islower
memset
_ismbblead
___mb_cur_max_func
___lc_codepage_func
___lc_handle_func
isupper
__pctype_func
setlocale
_unlock
_lock
_errno
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@XZ
_callnewh
calloc
sprintf_s
localeconv
strcspn
memchr
?name@type_info@@QEBAPEBDXZ
ldiv
__C_specific_handler
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBD@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
??0bad_cast@@QEAA@AEBV0@@Z
??0bad_cast@@QEAA@PEBD@Z
??1bad_cast@@UEAA@XZ
wcsncpy_s
malloc
_wcsnicmp
free
_purecall
wcscat_s
wcscpy_s
memcpy_s
??_V@YAXPEAX@Z
__CxxFrameHandler3
_vsnwprintf
wcscmp

ntdll

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

user32

UnregisterClassA
CharNextW

kernel32

AreFileApisANSI
CopyFileW
GetCurrentDirectoryW
GetFileAttributesExW
SetFileTime
RemoveDirectoryW
DeviceIoControl
CreateDirectoryW
LocalAlloc
GetProcessMitigationPolicy
GetSystemInfo
FindClose
FindNextFileW
FindFirstFileW
GetTempPathW
GetLongPathNameW
lstrlenA
GetExitCodeProcess
OpenProcess
GetFileTime
LocalUnlock
SystemTimeToFileTime
GetFileSize
MoveFileExW
DeleteFileW
SetEvent
SetFileAttributesW
GetComputerNameExW
GetFileAttributesW
CreateFileW
ExpandEnvironmentStringsW
WriteFile
CreateEventA
LocalLock
ReadFile
IsDebuggerPresent
DebugBreak
GetProcessHeap
CreateMutexExW
GetLocalTime
HeapAlloc
FormatMessageA
OpenEventA
ResetEvent
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
TlsSetValue
FormatMessageW
ReleaseMutex
WaitForSingleObject
SizeofResource
SetThreadLocale
EnterCriticalSection
GetModuleFileNameW
GetThreadLocale
LeaveCriticalSection
MultiByteToWideChar
GetLastError
RaiseException
FindResourceExW
LoadResource
GetProcAddress
GetModuleHandleW
FreeLibrary
lstrcmpiW
LoadLibraryExW
InitializeCriticalSection
DeleteCriticalSection
WideCharToMultiByte
LocalFree
GetStringTypeW
InitializeCriticalSectionEx
GetLocaleInfoW
Sleep
EncodePointer
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
OutputDebugStringA
SleepConditionVariableSRW
ProcessIdToSessionId
GetModuleHandleExW
ReleaseSemaphore
SetLastError
HeapFree
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TlsFree
TlsGetValue
TlsAlloc
GetModuleFileNameA
CreateSemaphoreExW
OutputDebugStringW

ole32

CoImpersonateClient
CoTaskMemRealloc
CoTaskMemFree
OleRun
CoUninitialize
CoInitializeEx
StringFromGUID2
CoTaskMemAlloc
CLSIDFromProgID
CLSIDFromString
CoCreateGuid
CoCreateInstance

oleaut32

SafeArrayPutElement
SysAllocStringByteLen
SysStringByteLen
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayCreateVector
VariantChangeType
SafeArrayUnaccessData
SafeArrayAccessData
VariantClear
UnRegisterTypeLi
LoadTypeLi
SysFreeString
RegisterTypeLi
SysAllocString
SysStringLen
VarUI4FromStr
SysAllocStringLen
VariantInit

advapi32

EventWriteTransfer
EventRegister
RegGetValueW
RegDeleteTreeW
RegDeleteKeyExW
RegSetKeyValueW
EventSetInformation
RegQueryValueExW
RegCloseKey
RegQueryInfoKeyW
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW
GetTokenInformation
OpenProcessToken
EventUnregister
GetNamedSecurityInfoW
CreateWellKnownSid
EqualSid
RegEnumValueW

shell32

SHGetKnownFolderPath

activeds

ord3

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllInstall
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 995KB - Virtual size: 995KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 392KB - Virtual size: 392KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 37KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/mblctr.mof

Sharing

General

Malware Config

Signatures

Files

e86259dfae444d9642958be9de03ff90

Headers

DLL Characteristics

File Characteristics

Imports

msvcp110_win

msvcrt

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

oleaut32

api-ms-win-core-com-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

rpcrt4

api-ms-win-core-heap-l2-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l1-1-0

shell32

wtsapi32

mi

Exports

Exports

Sections

.text Size: 102KB - Virtual size: 101KB

.rdata Size: 55KB - Virtual size: 54KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

165eeaf9ca07255f3621784f2058d234

Headers

DLL Characteristics

File Characteristics

Imports

msvcp110_win

msvcrt

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

samcli

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

crypt32

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-registry-l1-1-1

oleaut32

api-ms-win-core-com-l1-1-0

api-ms-win-security-base-l1-1-0

ncrypt

api-ms-win-core-synch-l1-2-0

.text
Size: 102KB - Virtual size: 101KB

.rdata
Size: 55KB - Virtual size: 54KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 409KB - Virtual size: 409KB

.rdata
Size: 189KB - Virtual size: 189KB

.data
Size: 8KB - Virtual size: 10KB

.pdata
Size: 15KB - Virtual size: 14KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 5KB

.text
Size: 995KB - Virtual size: 995KB

.rdata
Size: 392KB - Virtual size: 392KB

.data
Size: 37KB - Virtual size: 45KB

.pdata
Size: 40KB - Virtual size: 39KB

.rsrc
Size: 6KB - Virtual size: 5KB

.reloc
Size: 6KB - Virtual size: 6KB