59f5f1db04708648aeb269024037d3dbecf9d71fb67b8d29b5b3c14eb3f94039

Sharing

Copy URL Twitter E-mail

General

Target

59f5f1db04708648aeb269024037d3dbecf9d71fb67b8d29b5b3c14eb3f94039
Size

601KB
MD5

b89bf912d934758653176bcd605edb1e
SHA1

fc6ac18a488cbede52c746bb26a1eb17f84187f0
SHA256

59f5f1db04708648aeb269024037d3dbecf9d71fb67b8d29b5b3c14eb3f94039
SHA512

354622d378c61ce2f15de16f8127a2dad3b36c064c1a27a0678ddaad7246b287bc5c595e562d2e096bf68a671c9a0b7966301e235e35bd5556f20f1e13bed67e
SSDEEP

12288:ZWwvVotj+C4BD1t1Fwl7Qio+k7BqjX14HwrQyD1YgfO:MoUj+CsGl87+sBqjXiQrt1YX

Score

N/A

Malware Config

Signatures

Files

59f5f1db04708648aeb269024037d3dbecf9d71fb67b8d29b5b3c14eb3f94039
.rar
新建文件夹 (3)/aepic.dll
.dll windows x64

77369fc1697c730fa8758c06c646bbec

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a2:5b:25:a9:22:a2:8d:16:e4:9b:be:79:6f:30:9b:c9:2d:7f:0a:75:ae:f1:08:fb:75:3b:4c:71:e4:77:b5:15
Signer

Actual PE Digest

a2:5b:25:a9:22:a2:8d:16:e4:9b:be:79:6f:30:9b:c9:2d:7f:0a:75:ae:f1:08:fb:75:3b:4c:71:e4:77:b5:15

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

09/09/2022, 13:02
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

??0exception@@QEAA@AEBQEBDH@Z
_wcsicmp
_vsnprintf_s
memcpy
__crtLCMapStringW
___lc_handle_func
___lc_collate_cp_func
__crtCompareStringW
___mb_cur_max_func
_wtoi
__pctype_func
calloc
memcmp
abort
setlocale
??0exception@@QEAA@AEBV0@@Z
_vsnwprintf_s
__C_specific_handler
_CxxThrowException
_XcptFilter
_amsg_exit
wcstombs
strchr
??0exception@@QEAA@XZ
_initterm
??1exception@@UEAA@XZ
?terminate@@YAXXZ
_lock
_unlock
memcpy_s
__dllonexit
_vsnwprintf
_onexit
_set_errno
??1type_info@@UEAA@XZ
strtol
memset
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBD@Z
memmove
towlower
strnlen
??0bad_cast@@QEAA@PEBD@Z
_errno
strncpy_s
sprintf_s
??1bad_cast@@UEAA@XZ
_purecall
??0bad_cast@@QEAA@AEBV0@@Z
_vscwprintf
tolower
wcstoul
iscntrl
isspace
_wsplitpath_s
__CxxFrameHandler3
free
_wtoi64
malloc
memmove_s
___lc_codepage_func
realloc
_vsnprintf
strcpy_s
_wcsnicmp
wcschr
wcsrchr
wcscpy_s
wcscat_s
_wcslwr
wcsstr
strncmp
wcscmp

ntdll

RtlGetVersion
RtlReleaseRelativeName
NtLoadKeyEx
RtlDosPathNameToRelativeNtPathName_U
RtlStringFromGUID
RtlRandomEx
NtQueryKey
WinSqmIsOptedInEx
RtlFreeSid
RtlAllocateAndInitializeSid
RtlNtStatusToDosError
RtlAdjustPrivilege
RtlImageDirectoryEntryToData
RtlVerifyVersionInfo
LdrResSearchResource
RtlTimeToTimeFields
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwQuerySystemInformation
RtlGetNativeSystemInformation
RtlUpcaseUnicodeChar
RtlAnsiStringToUnicodeString
RtlxAnsiStringToUnicodeSize
RtlInitString
EtwEventRegister
EtwEventWrite
EtwEventUnregister
RtlSecondsSince1970ToTime
NtQueryLicenseValue
ZwCreateSection
ZwQueryInformationFile
ZwCreateFile
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
ZwQueryValueKey
RtlInitUnicodeStringEx
ZwOpenKey
RtlFreeUnicodeString
RtlInitUnicodeString
RtlDosPathNameToNtPathName_U_WithStatus
ZwClose
RtlLeaveCriticalSection
RtlInitializeCriticalSection
RtlMultiByteToUnicodeN
RtlInitAnsiString
RtlEnterCriticalSection
RtlEqualString
RtlDeleteCriticalSection
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
RtlReAllocateHeap
RtlAllocateHeap
EtwTraceMessage

rpcrt4

UuidCreate

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapReAlloc
HeapFree

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TlsGetValue
GetCurrentThread
ResumeThread
CreateThread
GetCurrentProcessId
GetCurrentThreadId
TlsAlloc
GetThreadPriority
OpenProcessToken
SetThreadPriority
TerminateProcess
TlsSetValue

api-ms-win-core-localization-l1-2-0

FormatMessageW
LocaleNameToLCID

api-ms-win-core-winrt-string-l1-1-0

WindowsStringHasEmbeddedNull
WindowsDuplicateString
WindowsGetStringRawBuffer
WindowsIsStringEmpty
WindowsCreateString
WindowsCreateStringReference
WindowsDeleteString

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoInitialize
RoUninitialize
RoActivateInstance

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
GetLastError

api-ms-win-core-synch-l1-2-0

SleepConditionVariableSRW
WakeAllConditionVariable
InitOnceExecuteOnce
InitOnceComplete
InitOnceBeginInitialize
Sleep

api-ms-win-core-debug-l1-1-0

OutputDebugStringA
OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
RoOriginateError
GetRestrictedErrorInfo
SetRestrictedErrorInfo
RoTransformError

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
InitializeSRWLock
SetWaitableTimer
CreateEventExW
CreateMutexExW
InitializeCriticalSection
DeleteCriticalSection
WaitForSingleObject
OpenSemaphoreW
ReleaseMutex
EnterCriticalSection
WaitForSingleObjectEx
ReleaseSemaphore
CreateSemaphoreExW
AcquireSRWLockShared
ReleaseSRWLockShared
InitializeCriticalSectionEx
CreateEventW
OpenWaitableTimerW
SetEvent
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CreateMutexW

api-ms-win-core-com-l1-1-0

CoGetInterfaceAndReleaseStream
CoGetCallContext
CoTaskMemFree
CoCreateInstance
CoWaitForMultipleHandles
CoTaskMemAlloc
CoUninitialize
CoInitializeEx
CoMarshalInterface
CreateStreamOnHGlobal
CoReleaseMarshalData
CoGetApartmentType
CoCreateFreeThreadedMarshaler

api-ms-win-core-winrt-error-l1-1-1

IsErrorPropagationEnabled
RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-security-base-l1-1-0

SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
DuplicateTokenEx
GetTokenInformation
InitializeSecurityDescriptor

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-shcore-thread-l1-1-0

SHGetThreadRef
GetProcessReference
SetProcessReference
SHSetThreadRef

api-ms-win-core-realtime-l1-1-0

QueryThreadCycleTime

api-ms-win-core-sysinfo-l1-1-0

GetSystemWindowsDirectoryW
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetSystemInfo
GetTickCount64
GetTickCount

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
GetStringTypeW
MultiByteToWideChar

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
GetProcAddress
GetModuleFileNameW
FreeLibraryAndExitThread
LoadLibraryExW
GetModuleHandleExW
GetModuleHandleW
FreeLibrary

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventUnregister

api-ms-win-core-file-l1-1-0

FindClose
FindNextFileW
GetLogicalDriveStringsW
QueryDosDeviceW
FindFirstFileW
GetDriveTypeW
GetTempFileNameW
DeleteFileW
WriteFile
CreateFileW
GetLongPathNameW
GetFileAttributesW
GetVolumeInformationByHandleW

api-ms-win-core-sysinfo-l1-2-0

GetSystemFirmwareTable
VerSetConditionMask

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegLoadKeyW
RegQueryInfoKeyW
RegDeleteValueW
RegLoadAppKeyW
RegDeleteKeyExW
RegDeleteTreeW
RegCreateKeyExW
RegCloseKey
RegSaveKeyExW
RegEnumKeyExW
RegSetKeySecurity
RegUnLoadKeyW
RegOpenKeyExW
RegGetValueW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW
RegSetKeyValueW

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathUnExpandEnvStringsW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-path-l1-1-0

PathCchCanonicalizeEx
PathCchRemoveFileSpec
PathAllocCombine

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

api-ms-win-core-synch-l1-2-1

CreateWaitableTimerW
CreateSemaphoreW
WaitForMultipleObjects

bcrypt

BCryptFinishHash
BCryptDestroyHash
BCryptHashData
BCryptCreateHash
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCloseAlgorithmProvider

api-ms-win-security-cryptoapi-l1-1-0

CryptHashData
CryptDestroyHash
CryptCreateHash
CryptAcquireContextW
CryptGetHashParam
CryptReleaseContext

api-ms-win-eventing-classicprovider-l1-1-0

TraceEvent

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW
ReleaseActCtx
QueryActCtxW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
TrySubmitThreadpoolCallback
FreeLibraryWhenCallbackReturns
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer
CallbackMayRunLong

oleaut32

VariantClear
VariantChangeType
SysFreeString
SysAllocString
VariantCopy
VariantInit

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-security-capability-l1-1-0

CapabilityCheck

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
PicAmiClose
PicAmiInitialize
PicFreeFileInfo
PicRetrieveFileInfo
PicRetrieveFileInfoAppx
UpdateSoftwareInventoryTC2

Sections

.text
Size: 333KB - Virtual size: 333KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/amcompat.tlb
.dll windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.rdata
Size: 512B - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
新建文件夹 (3)/ampa.sys
.exe windows x64

e54cb614fcaa06fed22c681d4526d8bf

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

28:73:6d:0d:29:67:89:51:2b:ac:66:cc:e8:6c:4a:00
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

29/06/2016, 00:00

Not After

29/06/2019, 23:59

Subject

CN=CHENGDU AOMEI Tech Co.\, Ltd.,O=CHENGDU AOMEI Tech Co.\, Ltd.,L=ChengDu,ST=SiChuan,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18/11/2009, 10:00

Not After

18/03/2019, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15/06/2016, 00:00

Not After

15/06/2024, 00:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

72:92:97:c9:b8:4f:ba:18:73:23:c5:6f
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

10/11/2016, 10:12

Not After

11/11/2017, 10:12

Subject

SERIALNUMBER=9151010456447309XF,CN=Chengdu AoMei Technology Co.\, Ltd,OU=IT,O=Chengdu AoMei Technology Co.\, Ltd,STREET=No.302\, F3\, Building 1\, No.5 Hong Ji Xin Rd\,Jin Jiang Dist,L=CHENGDU,ST=SICHUAN,C=CN,1.3.6.1.4.1.311.60.2.1.1=#13074348454e474455,1.3.6.1.4.1.311.60.2.1.2=#13075349434855414e,1.3.6.1.4.1.311.60.2.1.3=#1302434e,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

11:21:06:f1:0f:ce:68:f0:9b:fa:e5:5b:18:cd:8f:20:01:77
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for Advanced - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

b5:03:a1:38:58:75:5b:76:9f:a4:7d:94:ad:5d:cc:fa:ce:9a:4e:e6
Signer

Actual PE Digest

b5:03:a1:38:58:75:5b:76:9f:a4:7d:94:ad:5d:cc:fa:ce:9a:4e:e6

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=9151010456447309XF,CN=Chengdu AoMei Technology Co.\, Ltd,OU=IT,O=Chengdu AoMei Technology Co.\, Ltd,STREET=No.302\, F3\, Building 1\, No.5 Hong Ji Xin Rd\,Jin Jiang Dist,L=CHENGDU,ST=SICHUAN,C=CN,1.3.6.1.4.1.311.60.2.1.1=#13074348454e474455,1.3.6.1.4.1.311.60.2.1.2=#13075349434855414e,1.3.6.1.4.1.311.60.2.1.3=#1302434e,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

26/12/2016, 01:37
Valid: true

Chain 1

SERIALNUMBER=9151010456447309XF,CN=Chengdu AoMei Technology Co.\, Ltd,OU=IT,O=Chengdu AoMei Technology Co.\, Ltd,STREET=No.302\, F3\, Building 1\, No.5 Hong Ji Xin Rd\,Jin Jiang Dist,L=CHENGDU,ST=SICHUAN,C=CN,1.3.6.1.4.1.311.60.2.1.1=#13074348454e474455,1.3.6.1.4.1.311.60.2.1.2=#13075349434855414e,1.3.6.1.4.1.311.60.2.1.3=#1302434e,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Chain 2

SERIALNUMBER=9151010456447309XF,CN=Chengdu AoMei Technology Co.\, Ltd,OU=IT,O=Chengdu AoMei Technology Co.\, Ltd,STREET=No.302\, F3\, Building 1\, No.5 Hong Ji Xin Rd\,Jin Jiang Dist,L=CHENGDU,ST=SICHUAN,C=CN,1.3.6.1.4.1.311.60.2.1.1=#13074348454e474455,1.3.6.1.4.1.311.60.2.1.2=#13075349434855414e,1.3.6.1.4.1.311.60.2.1.3=#1302434e,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

b5:03:a1:38:58:75:5b:76:9f:a4:7d:94:ad:5d:cc:fa:ce:9a:4e:e6
Signer

Actual PE Digest

b5:03:a1:38:58:75:5b:76:9f:a4:7d:94:ad:5d:cc:fa:ce:9a:4e:e6

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=CHENGDU AOMEI Tech Co.\, Ltd.,O=CHENGDU AOMEI Tech Co.\, Ltd.,L=ChengDu,ST=SiChuan,C=CN

26/12/2016, 01:20
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

MmMapLockedPagesSpecifyCache
IoGetDeviceObjectPointer
IoBuildAsynchronousFsdRequest
ExAllocatePool
_vsnwprintf
IofCompleteRequest
IoGetLowerDeviceObject
KeWaitForSingleObject
IoBuildDeviceIoControlRequest
IoFreeIrp
ExFreePoolWithTag
IoGetAttachedDeviceReference
RtlCompareUnicodeString
MmUnlockPages
ObfReferenceObject
RtlInitUnicodeString
ObfDereferenceObject
KeSetEvent
RtlUnicodeStringToInteger
wcsncpy
ObReferenceObjectByName
KeInitializeEvent
IofCallDriver
IoFreeMdl
ObQueryNameString
IoDriverObjectType
IoDeleteSymbolicLink
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
InbvSolidColorFill
InbvSetScrollRegion
InbvResetDisplay
InbvSetTextColor
InbvDisplayString
ExAllocatePoolWithTag
ZwSetValueKey
wcsncat
KeReleaseSpinLock
ZwClose
ZwFlushKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryKey
ZwOpenKey
KeAcquireSpinLockRaiseToDpc
KeBugCheckEx

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 812B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 312B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
新建文件夹 (3)/amsi.dll
.dll regsvr32 windows x64

11e9179f7b8a676a1110da8e334d75be

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memmove
memcpy
_onexit
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBDH@Z
__dllonexit
??0exception@@QEAA@AEBQEBD@Z
_callnewh
_unlock
_lock
_vsnprintf_s
?terminate@@YAXXZ
??0exception@@QEAA@AEBV0@@Z
_initterm
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_purecall
_amsg_exit
rand
_XcptFilter
memcpy_s
malloc
free
??1type_info@@UEAA@XZ
??_V@YAXPEAX@Z
__C_specific_handler
_vsnwprintf
__CxxFrameHandler3
??3@YAXPEAX@Z
_CxxThrowException
memset

api-ms-win-core-synch-l1-1-0

AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
ReleaseSRWLockExclusive

api-ms-win-core-com-l1-1-0

CoTaskMemFree
StringFromCLSID
CoTaskMemAlloc
CoCreateInstance

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventWriteTransfer
EventProviderEnabled
EventWrite
EventUnregister
EventRegister

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
GetTraceEnableFlags
TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
UnregisterTraceGuids

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
GetModuleFileNameA
GetModuleHandleW
GetModuleHandleExW
GetProcAddress

api-ms-win-security-cryptoapi-l1-1-0

CryptHashData
CryptDestroyHash
CryptAcquireContextW
CryptGetHashParam
CryptCreateHash
CryptReleaseContext

rpcrt4

UuidFromStringW

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

userenv

ExpandEnvironmentStringsForUserW

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegGetValueW
RegEnumKeyExW
RegCloseKey
RegQueryInfoKeyW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-sysinfo-l1-2-0

GetSystemTimePreciseAsFileTime

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-handle-l1-1-0

CloseHandle

ntdll

NtQueryInformationProcess

Exports

Exports

AmsiCloseSession
AmsiInitialize
AmsiOpenSession
AmsiScanBuffer
AmsiScanString
AmsiUacInitialize
AmsiUacScan
AmsiUacUninitialize
AmsiUninitialize
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 616B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/amstream.dll
.dll regsvr32 windows x64

9844ac2704514277557e27338b936fd0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_vsnwprintf
memcmp
memcpy
__C_specific_handler
_initterm
_amsg_exit
_XcptFilter
_callnewh
_purecall
malloc
free
realloc
memset

kernel32

GetModuleHandleW
FreeLibrary
lstrcpyW
lstrcmpiW
LoadLibraryExW
HeapDestroy
CreateEventW
SetEvent
ResetEvent
lstrcmpW
Sleep
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
DeleteCriticalSection
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetTickCount
MulDiv
ReleaseSemaphore
FindResourceW
DuplicateHandle
QueueUserAPC
CreateThread
LoadResource
LoadLibraryW
SleepConditionVariableSRW
GetProcAddress
CloseHandle
GetCurrentThread
GetLastError
MultiByteToWideChar
GetCurrentThreadId
WaitForSingleObject
InitializeCriticalSection
LeaveCriticalSection
GetModuleFileNameW
lstrcpynW
GetCurrentProcess
EnterCriticalSection
SizeofResource
DisableThreadLibraryCalls
CreateSemaphoreW

user32

IsRectEmpty
CharNextW

advapi32

RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegCreateKeyExW
RegOpenKeyExW
RegDeleteValueW
RegQueryValueExW
RegSetValueExW
RegEnumKeyExW

ole32

CoTaskMemRealloc
CoTaskMemFree
CoCreateInstance
CoTaskMemAlloc

oleaut32

LoadTypeLi
SysFreeString
RegisterTypeLi
VarI4FromStr

ddraw

DirectDrawCreate

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/apisetschema.dll
.dll windows x64

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ae:f8:fb:46:63:72:14:48:e1:43:26:12:de:d9:1d:ec:e7:97:0d:2b:f9:50:ee:9c:d2:b1:36:a0:d2:ed:ba:0b
Signer

Actual PE Digest

ae:f8:fb:46:63:72:14:48:e1:43:26:12:de:d9:1d:ec:e7:97:0d:2b:f9:50:ee:9c:d2:b1:36:a0:d2:ed:ba:0b

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

09/09/2022, 13:02
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.rdata
Size: 512B - Virtual size: 316B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.apiset
Size: 102KB - Virtual size: 102KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
新建文件夹 (3)/apphelp.dll
.dll windows x64

84f85096d735c6a7b2a1797ac0549629

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

wcsncmp
RtlReAllocateHeap
ZwQueryDirectoryFile
RtlpEnsureBufferSize
RtlNtPathNameToDosPathName
RtlQueryEnvironmentVariable_U
RtlGetNativeSystemInformation
ZwQuerySystemInformation
__C_specific_handler
ZwUnmapViewOfSection
ZwMapViewOfSection
RtlTimeToTimeFields
LdrResSearchResource
VerSetConditionMask
RtlVerifyVersionInfo
strncmp
RtlImageDirectoryEntryToData
NtApphelpCacheControl
swprintf_s
NtCreateFile
RtlCreateEnvironmentEx
RtlSetEnvironmentVar
RtlSizeHeap
RtlDestroyEnvironment
NtReadFile
ZwQuerySystemTime
NtWriteFile
qsort
wcsspn
_vscwprintf
RtlGetFileMUIPath
RtlCopyUnicodeString
RtlCreateUnicodeString
RtlDoesFileExists_U
NtSetValueKey
ZwSetInformationProcess
RtlGetVersion
RtlDosPathNameToNtPathName_U
RtlRunOnceExecuteOnce
NtCreateKey
NtSetInformationKey
NtDeleteKey
ZwQueryKey
ZwEnumerateValueKey
RtlUnicodeStringToInteger
ZwSetValueKey
RtlSetEnvironmentVariable
RtlFreeAnsiString
RtlWow64GetProcessMachines
LdrFindEntryForAddress
RtlInitializeCriticalSection
RtlDeleteCriticalSection
_wtoi
strrchr
_stricmp
_vsnprintf
RtlTryEnterCriticalSection
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlCaptureStackBackTrace
RtlInitAnsiStringEx
LdrInitShimEngineDynamic
RtlGetNtSystemRoot
EtwEventWriteNoRegistration
NtQueryAttributesFile
NtQueryObject
RtlAddVectoredExceptionHandler
strcpy_s
_wcslwr
RtlNtStatusToDosError
RtlAllocateAndInitializeSid
RtlCheckTokenMembership
RtlFreeSid
LdrLoadDll
sprintf_s
sscanf_s
LdrGetProcedureAddressEx
LdrGetProcedureAddress
RtlLengthRequiredSid
RtlCreateServiceSid
NtOpenFile
NtQuerySecurityObject
RtlGetOwnerSecurityDescriptor
RtlEqualSid
RtlCompareMemory
NtProtectVirtualMemory
RtlInitializeSRWLock
LdrEnumerateLoadedModules
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockShared
RtlReleaseSRWLockShared
RtlAllocateHeap
ZwQueryInformationProcess
ZwCreateSection
ZwQueryInformationFile
ZwCreateFile
RtlGetFullPathName_UEx
ZwCreateKey
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
ZwOpenFile
RtlDosPathNameToNtPathName_U_WithStatus
ZwClose
ZwQueryInformationToken
ZwOpenProcessToken
wcscat_s
wcscpy_s
RtlAppendUnicodeStringToString
wcschr
toupper
RtlUpcaseUnicodeChar
RtlUnicodeStringToAnsiString
RtlUpcaseUnicodeString
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlxAnsiStringToUnicodeSize
RtlInitString
RtlInitUnicodeString
RtlGUIDFromString
RtlAppendUnicodeToString
RtlStringFromGUID
RtlSecondsSince1970ToTime
RtlDuplicateUnicodeString
RtlFreeUnicodeString
RtlFreeHeap
NtOpenKey
NtQueryValueKey
memmove
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
wcsrchr
EtwEventWrite
_vsnwprintf
_wcsnicmp
EtwEventUnregister
EtwEventEnabled
EtwEventRegister
_wcsicmp
wcsstr
RtlFormatCurrentUserKeyPath
LdrGetDllHandle
NtClose
NtDeleteValueKey
RtlExpandEnvironmentStrings_U
NtQueryInformationFile
RtlEqualString
RtlMultiByteToUnicodeN
strchr
RtlInitUnicodeStringEx
__chkstk
memcmp
memcpy
memset

api-ms-win-core-appcompat-l1-1-1

BaseFreeAppCompatDataForProcess
BaseReadAppCompatDataForProcess

api-ms-win-core-appcompat-l1-1-0

BaseIsAppcompatInfrastructureDisabled
BaseFlushAppcompatCache

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l1-1-0

WriteFile
GetFileAttributesW
CreateFileW
GetFinalPathNameByHandleW
FindNextFileW
DeleteFileW
FindFirstFileW
GetLongPathNameW
SetFilePointer
GetDriveTypeW
FindClose

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
GetCurrentProcess
GetProcessTimes
GetCurrentProcessId
CreateProcessW
ProcessIdToSessionId

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetTickCount
GetSystemTimeAsFileTime
GetTickCount64
GetSystemWindowsDirectoryW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventUnregister
EventWriteTransfer
EventRegister

kernel32

PackageIdFromFullName
GetPackageFullName

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-synch-l1-1-0

OpenMutexW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetProcAddress
FreeLibrary
LoadLibraryExW
LoadResource
LockResource
DisableThreadLibraryCalls
GetModuleHandleW
GetModuleFileNameW
SizeofResource

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCurrentDirectoryW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-localization-l1-2-0

IsDBCSLeadByte
VerLanguageNameW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringA

Exports

Exports

AllowPermLayer
ApphelpCheckExe
ApphelpCheckIME
ApphelpCheckInstallShieldPackage
ApphelpCheckModule
ApphelpCheckMsiPackage
ApphelpCheckRunApp
ApphelpCheckRunAppEx
ApphelpCheckShellObject
ApphelpChpeModSettingsFromQueryResult
ApphelpCreateAppcompatData
ApphelpFixMsiPackage
ApphelpFixMsiPackageExe
ApphelpFreeFileAttributes
ApphelpGetFileAttributes
ApphelpGetMsiProperties
ApphelpGetNTVDMInfo
ApphelpGetShimDebugLevel
ApphelpIsPortMonAllowed
ApphelpParseModuleData
ApphelpQueryModuleData
ApphelpQueryModuleDataEx
ApphelpShowDialog
ApphelpUpdateCacheEntry
GetPermLayers
SE_AddHookset
SE_CALLBACK_AddHook
SE_CALLBACK_Lookup
SE_COM_AddHook
SE_COM_AddServer
SE_COM_HookInterface
SE_COM_HookObject
SE_COM_Lookup
SE_DllLoaded
SE_DllUnloaded
SE_DynamicShim
SE_GetHookAPIs
SE_GetMaxShimCount
SE_GetProcAddressForCaller
SE_GetProcAddressIgnoreIncExc
SE_GetProcAddressLoad
SE_GetShimCount
SE_GetShimId
SE_InitializeEngine
SE_InstallAfterInit
SE_InstallBeforeInit
SE_IsShimDll
SE_LdrEntryRemoved
SE_LdrResolveDllName
SE_LookupAddress
SE_LookupCaller
SE_ProcessDying
SE_ShimDPF
SE_ShimDllLoaded
SE_WINRT_AddHook
SE_WINRT_HookObject
SdbAddLayerTagRefToQuery
SdbApphelpNotify
SdbApphelpNotifyEx
SdbApphelpNotifyEx2
SdbBeginWriteListTag
SdbBuildCompatEnvVariables
SdbCloseApphelpInformation
SdbCloseDatabase
SdbCloseDatabaseWrite
SdbCloseLocalDatabase
SdbCommitIndexes
SdbCreateDatabase
SdbCreateHelpCenterURL
SdbCreateMsiTransformFile
SdbDeclareIndex
SdbDeletePermLayerKeys
SdbDumpSearchPathPartCaches
SdbEndWriteListTag
SdbEnumMsiTransforms
SdbEscapeApphelpURL
SdbFindCustomActionForPackage
SdbFindFirstDWORDIndexedTag
SdbFindFirstGUIDIndexedTag
SdbFindFirstMsiPackage
SdbFindFirstMsiPackage_Str
SdbFindFirstNamedTag
SdbFindFirstStringIndexedTag
SdbFindFirstTag
SdbFindFirstTagRef
SdbFindMsiPackageByID
SdbFindNextDWORDIndexedTag
SdbFindNextGUIDIndexedTag
SdbFindNextMsiPackage
SdbFindNextStringIndexedTag
SdbFindNextTag
SdbFindNextTagRef
SdbFormatAttribute
SdbFreeDatabaseInformation
SdbFreeFileAttributes
SdbFreeFileInfo
SdbFreeFlagInfo
SdbGUIDFromString
SdbGUIDToString
SdbGetAppCompatDataSize
SdbGetAppPatchDir
SdbGetBinaryTagData
SdbGetDatabaseGUID
SdbGetDatabaseID
SdbGetDatabaseInformation
SdbGetDatabaseInformationByName
SdbGetDatabaseMatch
SdbGetDatabaseVersion
SdbGetDllPath
SdbGetEntryFlags
SdbGetFileAttributes
SdbGetFileImageType
SdbGetFileImageTypeEx
SdbGetFileInfo
SdbGetFirstChild
SdbGetImageType
SdbGetIndex
SdbGetItemFromItemRef
SdbGetLayerName
SdbGetLayerTagRef
SdbGetLocalPDB
SdbGetMatchingExe
SdbGetMsiPackageInformation
SdbGetNamedLayer
SdbGetNextChild
SdbGetNthUserSdb
SdbGetPDBFromGUID
SdbGetPathCustomSdb
SdbGetPathSystemSdb
SdbGetPermLayerKeys
SdbGetShowDebugInfoOption
SdbGetShowDebugInfoOptionValue
SdbGetStandardDatabaseGUID
SdbGetStringTagPtr
SdbGetTagDataSize
SdbGetTagFromTagID
SdbGrabMatchingInfo
SdbGrabMatchingInfoEx
SdbInitDatabase
SdbInitDatabaseEx
SdbIsDbRuntimePlatformSupportedOnHost
SdbIsNullGUID
SdbIsStandardDatabase
SdbIsTagrefFromLocalDB
SdbIsTagrefFromMainDB
SdbLoadString
SdbMakeIndexKeyFromString
SdbOpenApphelpDetailsDatabase
SdbOpenApphelpDetailsDatabaseSP
SdbOpenApphelpInformation
SdbOpenApphelpInformationByID
SdbOpenApphelpResourceFile
SdbOpenDatabase
SdbOpenDbFromGuid
SdbOpenLocalDatabase
SdbPackAppCompatData
SdbQueryApphelpInformation
SdbQueryBlockUpgrade
SdbQueryContext
SdbQueryData
SdbQueryDataEx
SdbQueryDataExTagID
SdbQueryFlagInfo
SdbQueryFlagMask
SdbQueryName
SdbQueryReinstallUpgrade
SdbReadApphelpData
SdbReadApphelpDetailsData
SdbReadBYTETag
SdbReadBYTETagRef
SdbReadBinaryTag
SdbReadDWORDTag
SdbReadDWORDTagRef
SdbReadEntryInformation
SdbReadMsiTransformInfo
SdbReadPatchBits
SdbReadQWORDTag
SdbReadQWORDTagRef
SdbReadStringTag
SdbReadStringTagRef
SdbReadWORDTag
SdbReadWORDTagRef
SdbRegisterDatabase
SdbRegisterDatabaseEx
SdbReleaseDatabase
SdbReleaseMatchingExe
SdbResolveDatabase
SdbSetApphelpDebugParameters
SdbSetEntryFlags
SdbSetImageType
SdbSetPermLayerKeys
SdbShowApphelpDialog
SdbShowApphelpFromQuery
SdbStartIndexing
SdbStopIndexing
SdbStringDuplicate
SdbStringReplace
SdbStringReplaceArray
SdbTagIDToTagRef
SdbTagRefToTagID
SdbTagToString
SdbUnpackAppCompatData
SdbUnpackQueryResult
SdbUnregisterDatabase
SdbWriteBYTETag
SdbWriteBinaryTag
SdbWriteBinaryTagFromFile
SdbWriteDWORDTag
SdbWriteNULLTag
SdbWriteQWORDTag
SdbWriteStringRefTag
SdbWriteStringTag
SdbWriteStringTagDirect
SdbWriteWORDTag
SetPermLayerState
SetPermLayerStateEx
SetPermLayers
ShimDbgPrint
ShimDumpCache
ShimFlushCache

Sections

.text
Size: 299KB - Virtual size: 298KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 129KB - Virtual size: 129KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 90KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/appinfo.dll
.dll windows x64

3d06c2586d945a0e8d7cd4ea154d32c0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__C_specific_handler
_initterm
malloc
_amsg_exit
_XcptFilter
free
_wcsnicmp
bsearch
_wcsicmp
memmove_s
__CxxFrameHandler3
wcsstr
wcschr
memcpy
memcmp
wcscat_s
wcsnlen
swprintf_s
wcscpy_s
_purecall
memmove
memcpy_s
_unlock
__dllonexit
wcsrchr
_onexit
_vsnwprintf
_lock
_callnewh
memset

rpcrt4

I_RpcBindingInqLocalClientPID
RpcRevertToSelf
RpcBindingVectorFree
RpcServerUseProtseqW
RpcServerUnregisterIf
RpcAsyncCompleteCall
RpcServerRegisterIfEx
RpcEpUnregister
RpcEpRegisterW
RpcServerInqBindings
NdrServerCall2
Ndr64AsyncServerCallAll
NdrServerCallAll
NdrAsyncServerCall
RpcImpersonateClient

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
GetProcAddress

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
Sleep
InitOnceComplete
SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-synch-l1-1-0

OpenSemaphoreW
WaitForSingleObjectEx
CreateMutexW
AcquireSRWLockShared
LeaveCriticalSection
InitializeCriticalSectionEx
CreateEventW
ReleaseMutex
EnterCriticalSection
WaitForSingleObject
CreateMutexExW
ReleaseSemaphore
CreateSemaphoreExW
ReleaseSRWLockShared
SetEvent
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventActivityIdControl
EventSetInformation
EventUnregister
EventRegister

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetProcessIdOfThread
ResumeThread
GetCurrentThreadId
InitializeProcThreadAttributeList
GetProcessId
CreateProcessAsUserW
GetExitCodeProcess
OpenThread
GetCurrentProcessId
OpenProcessToken
GetThreadId
DeleteProcThreadAttributeList
TerminateProcess
UpdateProcThreadAttribute

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-service-core-l1-1-0

SetServiceStatus
RegisterServiceCtrlHandlerExW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetSystemTimeAsFileTime

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
ReadProcessMemory
CreateFileMappingW
MapViewOfFile

api-ms-win-security-base-l1-1-0

CreateRestrictedToken
GetTokenInformation
RevertToSelf
GetSidLengthRequired
GetSidSubAuthority
CheckTokenMembership
InitializeSid
SetTokenInformation
ImpersonateLoggedOnUser

api-ms-win-core-file-l1-1-0

GetFullPathNameW
GetFileAttributesW
CreateFileW
GetLongPathNameW

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-wow64-l1-1-1

GetSystemWow64DirectoryW

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-appcompat-l1-1-1

BaseReadAppCompatDataForProcess
BaseFreeAppCompatDataForProcess

api-ms-win-core-kernel32-legacy-l1-1-0

UnregisterWait

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW
QueryActCtxSettingsW
ReleaseActCtx

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-appmodel-runtime-l1-1-1

GetApplicationUserModelIdFromToken
GetPackageFullNameFromToken

api-ms-win-appmodel-runtime-l1-1-0

PackageFamilyNameFromFullName
GetPackagesByPackageFamily
GetApplicationUserModelId

api-ms-win-core-psm-key-l1-1-0

PsmGetKeyFromToken

ntdll

RtlAcquireSRWLockExclusive
RtlAcquireSRWLockShared
RtlReleaseSRWLockShared
NtReadVirtualMemory
NtClose
RtlImageNtHeaderEx
NtDuplicateObject
RtlDeregisterWait
RtlNtStatusToDosError
RtlRegisterWait
RtlRemovePrivileges
LdrQueryImageFileKeyOption
NtOpenProcess
RtlInitUnicodeString
NtQueryInformationToken
LdrOpenImageFileOptionsKey
RtlQueryPackageClaims
RtlExpandEnvironmentStrings
RtlReleaseSRWLockExclusive
RtlCheckSandboxedToken
NtOpenThreadToken
RtlEqualSid
RtlDestroyEnvironment
RtlQueryEnvironmentVariable
RtlCreateEnvironmentEx
RtlEqualUnicodeString
RtlNtPathNameToDosPathName
RtlFreeUnicodeString
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlpEnsureBufferSize
RtlReleaseRelativeName
RtlPrefixUnicodeString
RtlInitUnicodeStringEx
LdrResSearchResource
NtSetSecurityObject
RtlCreateServiceSid
NtQuerySecurityObject
RtlSetEnvironmentVar
NtQueryInformationProcess
RtlDeregisterWaitEx
NtQuerySystemInformation
NtDuplicateToken
NtOpenProcessToken
RtlNtStatusToDosErrorNoTeb
EtwEventRegister
EtwEventWrite
EtwEventUnregister
EtwUnregisterTraceGuids
EtwGetTraceEnableFlags
EtwTraceMessage
RtlInitializeSRWLock
EtwGetTraceLoggerHandle
RtlFindAceByType
RtlAllocateAndInitializeSid
RtlFreeSid
EtwGetTraceEnableLevel
EtwRegisterTraceGuidsW
NtSetInformationToken

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

AiDisableDesktopRpcInterface
AiEnableDesktopRpcInterface
ServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 400B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/appinfoext.dll
.dll windows x64

cecc68b1f972c98f71f1c70d58d049c3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-string-l1-1-0

memset

api-ms-win-crt-private-l1-1-0

_o___std_type_info_destroy_list
_o__cexit
_o__configure_narrow_argv
_o__execute_onexit_table
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__seh_filter_dll
__C_specific_handler

ntdll

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

appinfo

AiEnableDesktopRpcInterface
AiDisableDesktopRpcInterface

Exports

Exports

AiExtDisableDesktopRpcInterface
AiExtEnableDesktopRpcInterface

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 432B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/apprepapi.dll
.dll windows x64

5e0448950f520be4916e1974691256ee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-string-l1-1-0

memset

api-ms-win-crt-private-l1-1-0

_o___std_type_info_destroy_list
_o__cexit
_o__configure_narrow_argv
_o__execute_onexit_table
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__seh_filter_dll
__C_specific_handler

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
TerminateProcess
GetCurrentProcessId

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

Exports

Exports

AppRepComputeImageHash
AppRepComputeImageHashWithOffset
AppRepComputeSignatureInfo
AppRepFreeAttributeLib
AppRepInitializeAttributeLib
AppRepParameterCleanup
AppRepPartialTelemetryCleanup
RepGetFileInformation
RepInformUserAction
ReputationInfoCleanup

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 432B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

77369fc1697c730fa8758c06c646bbec

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

a2:5b:25:a9:22:a2:8d:16:e4:9b:be:79:6f:30:9b:c9:2d:7f:0a:75:ae:f1:08:fb:75:3b:4c:71:e4:77:b5:15Signer

Signature Validations

Verification

09/09/2022, 13:02 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

rpcrt4

api-ms-win-core-heap-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-processthreads-l1-1-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-realtime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-file-l1-2-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-registry-l1-1-1

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-shcore-path-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-synch-l1-2-1

bcrypt

api-ms-win-security-cryptoapi-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-sidebyside-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-threadpool-l1-2-0

oleaut32

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-string-l2-1-1

api-ms-win-security-capability-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 333KB - Virtual size: 333KB

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a2:5b:25:a9:22:a2:8d:16:e4:9b:be:79:6f:30:9b:c9:2d:7f:0a:75:ae:f1:08:fb:75:3b:4c:71:e4:77:b5:15
Signer

09/09/2022, 13:02
Valid: false

.text
Size: 333KB - Virtual size: 333KB

.rdata
Size: 131KB - Virtual size: 131KB

.data
Size: 3KB - Virtual size: 10KB

.pdata
Size: 20KB - Virtual size: 19KB

.didat
Size: 512B - Virtual size: 104B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 112B

.rsrc
Size: 17KB - Virtual size: 17KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

28:73:6d:0d:29:67:89:51:2b:ac:66:cc:e8:6c:4a:00
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

72:92:97:c9:b8:4f:ba:18:73:23:c5:6f
Certificate

11:21:06:f1:0f:ce:68:f0:9b:fa:e5:5b:18:cd:8f:20:01:77
Certificate

04:00:00:00:00:01:31:89:c6:50:04
Certificate

b5:03:a1:38:58:75:5b:76:9f:a4:7d:94:ad:5d:cc:fa:ce:9a:4e:e6
Signer

26/12/2016, 01:37
Valid: true

b5:03:a1:38:58:75:5b:76:9f:a4:7d:94:ad:5d:cc:fa:ce:9a:4e:e6
Signer

26/12/2016, 01:20
Valid: false

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 812B

.data
Size: 512B - Virtual size: 296B

.pdata
Size: 512B - Virtual size: 312B

INIT
Size: 1KB - Virtual size: 1KB