88cd3be2dfddf20f8cdb20cb952be9416120fee127cb3215819c90dd928c63fa

Sharing

Copy URL Twitter E-mail

General

Target

88cd3be2dfddf20f8cdb20cb952be9416120fee127cb3215819c90dd928c63fa
Size

995KB
MD5

7f138c0ba188f5ab509943e61d528f22
SHA1

116ff7a838f4461c0da809c26b5275fe646e89a3
SHA256

88cd3be2dfddf20f8cdb20cb952be9416120fee127cb3215819c90dd928c63fa
SHA512

432be3009fdf37f0c84b3ac2ff73b5d27e7770b3ea9e65ee859d8265e58055a38e4da69fe11414dda7015c6f67c96555fba0fc33f2061dfe51e5b8d4a1143061
SSDEEP

24576:LdChrvs2JXnFc6LySfgDUoO/pphBWsJ4/LQVLPSZlkJA:5Grvs2FO6LyCgDUJrBR4ztWA

Score

N/A

Malware Config

Signatures

Files

88cd3be2dfddf20f8cdb20cb952be9416120fee127cb3215819c90dd928c63fa
.rar
wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.22621.1_zh-tw_8656752a97bdbf11.manifest
wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.22621.1_zh-tw_8656752a97bdbf11_memtest.exe.mui_77b8cbcc
.dll windows x86

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3a:da:10:cf:2e:8f:ca:42:70:94:f3:5f:7b:93:d1:df:dd:c5:2c:3c:64:3d:e9:eb:d5:d8:1e:bf:06:07:6d:92
Signer

Actual PE Digest

3a:da:10:cf:2e:8f:ca:42:70:94:f3:5f:7b:93:d1:df:dd:c5:2c:3c:64:3d:e9:eb:d5:d8:1e:bf:06:07:6d:92

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23/09/2022, 10:48
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

.rsrc
Size: 32KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
wow64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.22621.1_none_7e1bef6b3f293f16.manifest
wow64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.22621.1_none_7e1bef6b3f293f16_bcryptprimitives.dll_5dcb347c
.dll windows x86

7aec0ed040ad95f9929c42a57026f9f5

Code Sign

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10/03/2022, 19:24

Not After

08/03/2023, 19:24

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bc:dd:9b:55:fe:91:55:51:38:ce:db:60:68:fc:02:3f:3f:18:6b:67:e1:f1:50:13:a4:e9:65:59:b5:af:17:34
Signer

Actual PE Digest

bc:dd:9b:55:fe:91:55:51:38:ce:db:60:68:fc:02:3f:3f:18:6b:67:e1:f1:50:13:a4:e9:65:59:b5:af:17:34

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23/09/2022, 10:48
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlGetCurrentProcessorNumberEx
RtlAllocateHeap
NtOpenKey
NtClose
NtQueryValueKey
NtQueryInformationProcess
wcscpy_s
_wcsicmp
RtlImageNtHeader
qsort
RtlUnwind
NtOpenFile
RtlInitUnicodeString
NtTerminateProcess
RtlGetSystemGlobalData
EtwUnregisterTraceGuids
EtwGetTraceEnableFlags
EtwTraceMessage
EtwGetTraceLoggerHandle
EtwRegisterTraceGuidsW
EtwGetTraceEnableLevel
RtlUnhandledExceptionFilter
memmove
RtlFreeHeap
_vsnwprintf
_alloca_probe
memcmp
memcpy
memset

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
GetModuleHandleExW
DisableThreadLibraryCalls

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventSetInformation
EventUnregister

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection

api-ms-win-core-registry-l1-1-0

RegQueryInfoKeyW
RegEnumKeyExW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey

api-ms-win-core-processthreads-l1-1-0

SetThreadStackGuarantee
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualAlloc
VirtualQuery

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo

api-ms-win-core-xstate-l2-1-0

GetEnabledXStateFeatures

Exports

Exports

GetAsymmetricEncryptionInterface
GetCipherInterface
GetHashInterface
GetKeyDerivationInterface
GetRngInterface
GetSecretAgreementInterface
GetSignatureInterface
MSCryptConvertRsaPrivateBlobToFullRsaBlob
ProcessPrng
ProcessPrngGuid

Sections

.text
Size: 362KB - Virtual size: 362KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.22621.1_none_92ecee59dcb302d4.manifest
wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.22621.1_none_92ecee59dcb302d4_kernelbase.dll_7f3dc5f6
.dll windows x86

abf5d64388aca7d1e563955b014929d6

Code Sign

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10/03/2022, 19:24

Not After

08/03/2023, 19:24

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:70:29:45:47:e6:a8:bc:15:cb:d6:93:3a:5f:61:74:b0:99:d0:8a:f9:f5:25:f3:a2:5f:2c:59:8f:da:1e:2d
Signer

Actual PE Digest

05:70:29:45:47:e6:a8:bc:15:cb:d6:93:3a:5f:61:74:b0:99:d0:8a:f9:f5:25:f3:a2:5f:2c:59:8f:da:1e:2d

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23/09/2022, 10:48
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

NtCreatePrivateNamespace
NtDeletePrivateNamespace
NtOpenPrivateNamespace
RtlAddSIDToBoundaryDescriptor
RtlFreeAnsiString
RtlAnsiStringToUnicodeString
RtlInitializeSid
NlsMbCodePageTag
RtlSubAuthoritySid
RtlDosPathNameToRelativeNtPathName_U
RtlFreeUnicodeString
RtlInitUnicodeString
RtlGetOwnerSecurityDescriptor
RtlReleaseRelativeName
RtlLengthRequiredSid
RtlUnicodeStringToAnsiString
RtlInitAnsiString
LdrResRelease
NtQueryInformationFile
RtlEqualSid
SbSelectProcedure
LdrResSearchResource
NtQuerySecurityObject
NtOpenFile
_wcsicmp
RtlDecodeSystemPointer
RtlUnicodeToMultiByteN
RtlMultiByteToUnicodeN
RtlDeleteCriticalSection
RtlUpcaseUnicodeChar
RtlEnterCriticalSection
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlSubscribeWnfStateChangeNotification
NtQueryWnfStateData
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlIsThreadWithinLoaderCallout
NtSetInformationFile
RtlDosPathNameToNtPathName_U
wcscpy_s
wcscat_s
swprintf_s
NtFsControlFile
NtQueryVolumeInformationFile
NtCreateFile
RtlSetLastWin32Error
NtWaitForSingleObject
NtNotifyChangeDirectoryFileEx
RtlSetCurrentTransaction
NtCopyFileChunk
RtlEqualUnicodeString
NtQuerySystemInformation
TpSetWait
RtlReleasePrivilege
NtOpenKey
TpReleaseWait
ZwQueryWnfStateData
RtlDosPathNameToNtPathName_U_WithStatus
RtlGetAce
RtlQueryInformationAcl
RtlVerifyVersionInfo
NtQueryEaFile
RtlAcquirePrivilege
RtlGetCurrentTransaction
NtFlushBuffersFile
RtlGetLastNtStatus
NtCreateEvent
RtlGetLastWin32Error
RtlpMergeSecurityAttributeInformation
VerSetConditionMask
_wcsnicmp
RtlNtStatusToDosError
TpWaitForWait
wcsrchr
RtlFindAceByType
NtQueryValueKey
NtOpenMutant
_vsnwprintf
RtlIsDosDeviceName_U
NtReleaseMutant
RtlIsStateSeparationEnabled
NtCreateKeyTransacted
RtlDetermineDosPathNameType_U
NtCreateKey
NtSetValueKey
RtlUnicodeStringToOemString
RtlGetUserInfoHeap
RtlIsValidHandle
RtlAllocateHandle
RtlReAllocateHeap
RtlFreeHandle
RtlSizeHeap
RtlSetUserValueHeap
RtlUnlockHeap
RtlLockHeap
NtQueryDirectoryFile
RtlInitUnicodeStringEx
RtlGetExtendedFeaturesMask
RtlGetEnabledExtendedFeatures
RtlLocateLegacyContext
RtlCopyContext
RtlSetExtendedFeaturesMask
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlInitializeExtendedContext2
RtlGetExtendedContextLength2
RtlLocateExtendedFeature
RtlIsApiSetImplemented
wcspbrk
iswalpha
wcschr
wcsncmp
RtlNtStatusToDosErrorNoTeb
TpSetTimer
RtlDllShutdownInProgress
memcpy_s
TpWaitForTimer
TpReleaseTimer
RtlInitializeCriticalSectionEx
memmove_s
_vsnprintf
NtCreateIoRing
NtSubmitIoRing
NtSetInformationIoRing
NtQueryIoRingCapabilities
NtTerminateProcess
RtlCaptureContext
RtlUnhandledExceptionFilter
_aullshr
RtlGetLocaleFileMappingAddress
NtEnumerateKey
NtGetNlsSectionPtr
RtlNormalizeString
RtlPublishWnfStateData
NtSetDefaultLocale
_wtoi
_itow_s
NtDeleteValueKey
RtlUnicodeStringToInteger
RtlLocaleNameToLcid
RtlIsMultiSessionSku
RtlLcidToLocaleName
RtlpLoadUserUIByPolicy
RtlpLoadMachineUIByPolicy
RtlpGetLCIDFromLangInfoNode
NtEnumerateValueKey
qsort
RtlpCreateProcessRegistryInfo
RtlLCIDToCultureName
RtlpGetNameFromLangInfoNode
NtQueryInstallUILanguage
RtlpMuiFreeLangRegistryInfo
RtlpInitializeLangRegistryInfo
RtlpIsQualifiedLanguage
RtlCultureNameToLCID
_ui64tow_s
LdrFindResourceEx_U
RtlGetThreadPreferredUILanguages
RtlSetProcessPreferredUILanguages
RtlGetUILanguageInfo
RtlGetUserPreferredUILanguages
RtlGetSystemPreferredUILanguages
RtlpQueryDefaultUILanguage
RtlGetProcessPreferredUILanguages
RtlSetThreadPreferredUILanguages
RtlSetThreadPreferredUILanguages2
RtlGetFileMUIPath
RtlRestoreThreadPreferredUILanguages
RtlpGetSystemDefaultUILanguage
LdrAccessResource
RtlIdnToNameprepUnicode
RtlIsNormalizedString
RtlIdnToAscii
RtlIdnToUnicode
NtDeleteKey
RtlAppendUnicodeStringToString
RtlLoadString
RtlAppendUnicodeToString
RtlCopyUnicodeString
RtlExpandEnvironmentStrings_U
NtCreateSection
RtlOpenCurrentUser
NtMapViewOfSection
NtQueryDefaultLocale
NtNotifyChangeKey
NtQueryInformationToken
RtlTimeFieldsToTime
RtlUTF8ToUnicodeN
RtlUnicodeToUTF8N
_wcslwr
NtQueryLicenseValue
_wtol
RtlIntegerToUnicodeString
RtlRunOnceExecuteOnce
DbgPrint
memmove
RtlUnwind
NtClose
RtlReleaseSRWLockShared
RtlPrefixUnicodeString
RtlAcquireSRWLockShared
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlDeleteBoundaryDescriptor
NtQueryInformationProcess
RtlCreateBoundaryDescriptor
RtlCompareUnicodeString
RtlFreeHeap
RtlQueryPerformanceCounter
RtlGetPersistedStateLocation
RtlAllocateHeap
RtlQueryWnfStateData
RtlSetProtectedPolicy
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
RtlUnicodeToMultiByteSize
RtlQueryInformationActivationContext
DbgPrintEx
RtlReleaseActivationContext
RtlInitAnsiStringEx
TpAllocTimer
TpAllocIoCompletion
TpAllocWork
TpCallbackMayRunLong
TpAllocCleanupGroup
TpSimpleTryPost
TpQueryPoolStackInformation
TpAllocPool
TpSetPoolMinThreads
TpSetPoolStackInformation
TpAllocWait
RtlConvertSidToUnicodeString
RtlSubAuthorityCountSid
ZwQueryInformationToken
RtlIsMultiUsersInSessionSku
ZwQueryValueKey
ZwClose
ZwOpenKey
NtQueryMultipleValueKey
wcsncpy_s
RtlExitUserProcess
RtlInitializeCriticalSectionAndSpinCount
vswprintf_s
RtlDecodePointer
RtlEncodePointer
isalpha
_strnicmp
RtlRunOnceInitialize
NtDuplicateObject
RtlFormatCurrentUserKeyPath
NtResetEvent
RtlCheckTokenMembershipEx
RtlDeriveCapabilitySidsFromName
NtQueryEvent
RtlCapabilityCheck
NtSetInformationProcess
RtlCreateUnicodeStringFromAsciiz
NtQueryKey
RtlCreateUnicodeString
RtlValidSecurityDescriptor
RtlRandomEx
RtlStringFromGUID
NtLoadKeyEx
RtlLengthSecurityDescriptor
RtlMakeSelfRelativeSD
LdrGetProcedureAddress
LdrGetDllHandle
RtlInitString
strncat
_strlwr
RtlRaiseException
PssNtCaptureSnapshot
PssNtValidateDescriptor
PssNtFreeSnapshot
PssNtFreeRemoteSnapshot
PssNtQuerySnapshot
PssNtWalkSnapshot
PssNtDuplicateSnapshot
PssNtFreeWalkMarker
ApiSetQueryApiSetPresence
NtQueryVirtualMemory
NtOpenProcessTokenEx
RtlGUIDFromString
RtlQueryPackageIdentityEx
RtlStringFromGUIDEx
EtwEventUnregister
EtwEventRegister
EtwEventEnabled
EtwEventWrite
NtCreateWnfStateName
NtDeleteWnfStateName
RtlFreeSid
RtlInitializeSRWLock
WinSqmIncrementDWORD
WinSqmSetDWORD
WinSqmSetString
RtlGetDaclSecurityDescriptor
RtlCreateAcl
RtlAddAccessAllowedAceEx
RtlAddAce
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlGetControlSecurityDescriptor
RtlSetControlSecurityDescriptor
NtSetSecurityObject
RtlDowncaseUnicodeString
RtlUpcaseUnicodeString
RtlAllocateAndInitializeSid
wcsspn
NtUnmapViewOfSection
RtlQueryPackageClaims
RtlGetDeviceFamilyInfoEnum
wcsstr
LdrUpdatePackageSearchPath
strncmp
RtlInsertElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlValidSid
RtlLengthSid
RtlGetAppContainerSidType
RtlCopySid
RtlExpandEnvironmentStrings
RtlGetAppContainerParent
NtQuerySecurityAttributesToken
RtlIsParentOfChildAppContainer
WinSqmIsOptedIn
WinSqmStartSession
WinSqmAddToStreamEx
WinSqmEndSession
TpReleaseWork
TpPostWork
RtlSetSaclSecurityDescriptor
NtGetCachedSigningLevel
NtCompareSigningLevels
ZwCreateKey
ZwSetValueKey
NtDeviceIoControlFile
EtwEventWriteTransfer
TpCancelAsyncIoOperation
TpWaitForIoCompletion
TpReleaseIoCompletion
RtlEnumerateGenericTableAvl
TpStartAsyncIoOperation
RtlCompareUnicodeStrings
strchr
NtReadFile
RtlRaiseStatus
RtlTryAcquirePebLock
RtlReleasePebLock
wcscspn
RtlGetNtSystemRoot
NtWaitForMultipleObjects
RtlImageNtHeader
NtSetSystemInformation
RtlWow64EnableFsRedirectionEx
RtlExitUserThread
NtYieldExecution
strtoul
_errno
RtlQueryPerformanceFrequency
RtlTryAcquireSRWLockExclusive
RtlGetCurrentDirectory_U
RtlGetSearchPath
RtlDosSearchPath_Ustr
RtlReleasePath
RtlQueryActivationContextApplicationSettings
RtlQueryEnvironmentVariable_U
RtlGetFullPathName_U
RtlIntegerToChar
RtlAnsiCharToUnicodeChar
RtlSetThreadErrorMode
NtDuplicateToken
NtAllocateLocallyUniqueId
NtAccessCheck
NtAccessCheckByType
NtAccessCheckByTypeResultList
NtOpenProcessToken
NtOpenThreadToken
NtSetInformationToken
NtAdjustPrivilegesToken
NtAdjustGroupsToken
NtPrivilegeCheck
NtAccessCheckAndAuditAlarm
NtAccessCheckByTypeAndAuditAlarm
NtAccessCheckByTypeResultListAndAuditAlarm
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
NtOpenObjectAuditAlarm
NtPrivilegeObjectAuditAlarm
NtCloseObjectAuditAlarm
NtDeleteObjectAuditAlarm
NtPrivilegedServiceAuditAlarm
RtlEqualPrefixSid
RtlIdentifierAuthoritySid
RtlAreAllAccessesGranted
RtlAreAnyAccessesGranted
RtlMapGenericMask
RtlValidAcl
RtlSetInformationAcl
RtlDeleteAce
RtlAddAccessAllowedAce
RtlAddMandatoryAce
RtlAddResourceAttributeAce
RtlAddScopedPolicyIDAce
RtlAddAccessDeniedAce
RtlAddAccessDeniedAceEx
RtlAddAuditAccessAce
RtlAddAuditAccessAceEx
RtlAddAccessAllowedObjectAce
RtlAddAccessDeniedObjectAce
RtlAddAuditAccessObjectAce
RtlFirstFreeAce
RtlValidRelativeSecurityDescriptor
RtlGetSaclSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlNewSecurityObject
RtlConvertToAutoInheritSecurityObject
RtlNewSecurityObjectEx
RtlNewSecurityObjectWithMultipleInheritance
RtlSetSecurityObject
RtlSetSecurityObjectEx
RtlQuerySecurityObject
RtlDeleteSecurityObject
RtlAbsoluteToSelfRelativeSD
RtlSelfRelativeToAbsoluteSD
RtlImpersonateSelf
NtSetInformationThread
NtImpersonateAnonymousToken
EtwEventWriteNoRegistration
NtFilterToken
RtlCheckTokenCapability
RtlSelfRelativeToAbsoluteSD2
RtlGetSecurityDescriptorRMControl
RtlSetSecurityDescriptorRMControl
RtlIsPackageSid
RtlIsCapabilitySid
NtSetCachedSigningLevel
RtlDosApplyFileIsolationRedirection_Ustr
LdrGetDllHandleByName
RtlImageNtHeaderEx
LdrGetDllHandleByMapping
RtlGetActiveActivationContext
LdrAddLoadAsDataTable
_stricmp
strncat_s
LdrGetDllPath
LdrLoadDll
LdrRemoveLoadAsDataTable
LdrUnloadAlternateResourceModule
LdrUnloadDll
LdrDisableThreadCalloutsForDll
LdrGetDllFullName
RtlPcToFileHeader
LdrAddRefDll
LdrGetProcedureAddressForCaller
LdrAddDllDirectory
LdrRemoveDllDirectory
LdrSetDefaultDllDirectories
LdrResolveDelayLoadedAPI
LdrResolveDelayLoadsFromDll
LdrQueryOptionalDelayLoadedAPI
RtlGetProductInfo
RtlGetVersion
LdrFindResource_U
LdrResGetRCConfig
LdrpResGetResourceDirectory
RtlImageDirectoryEntryToData
LdrResFindResourceDirectory
LdrResFindResource
LdrGetFileNameFromLoadAsDataTable
LdrLoadAlternateResourceModule
LdrRscIsTypeExist
LdrLoadAlternateResourceModuleEx
LdrpResGetMappingSize
wcstoul
NtLockVirtualMemory
NtUnlockVirtualMemory
NtReadVirtualMemory
NtProtectVirtualMemory
NtWriteVirtualMemory
NtFlushInstructionCache
NtAllocateVirtualMemory
NtAllocateVirtualMemoryEx
NtFreeVirtualMemory
RtlFlushSecureMemoryCache
NtOpenEvent
NtGetWriteWatch
NtResetWriteWatch
NtSetInformationVirtualMemory
NtAllocateUserPhysicalPages
NtAllocateUserPhysicalPagesEx
NtFreeUserPhysicalPages
NtMapUserPhysicalPages
RtlUnsubscribeWnfStateChangeNotification
NtManagePartition
RtlxAnsiStringToUnicodeSize
RtlxOemStringToUnicodeSize
RtlxUnicodeStringToOemSize

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventWriteTransfer
EventActivityIdControl
EventSetInformation

Exports

Exports

AccessCheck
AccessCheckAndAuditAlarmW
AccessCheckByType
AccessCheckByTypeAndAuditAlarmW
AccessCheckByTypeResultList
AccessCheckByTypeResultListAndAuditAlarmByHandleW
AccessCheckByTypeResultListAndAuditAlarmW
AcquireSRWLockExclusive
AcquireSRWLockShared
AcquireStateLock
ActivateActCtx
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddConsoleAliasA
AddConsoleAliasW
AddDependencyToProcessPackageGraph
AddDllDirectory
AddExtensionProgId
AddMandatoryAce
AddPackageDependency
AddRefActCtx
AddResourceAttributeAce
AddSIDToBoundaryDescriptor
AddScopedPolicyIDAce
AddVectoredContinueHandler
AddVectoredExceptionHandler
AdjustTokenGroups
AdjustTokenPrivileges
AllocConsole
AllocateAndInitializeSid
AllocateLocallyUniqueId
AllocateUserPhysicalPages
AllocateUserPhysicalPages2
AllocateUserPhysicalPagesNuma
AppContainerDeriveSidFromMoniker
AppContainerFreeMemory
AppContainerLookupDisplayNameMrtReference
AppContainerLookupMoniker
AppContainerRegisterSid
AppContainerUnregisterSid
AppPolicyGetClrCompat
AppPolicyGetCreateFileAccess
AppPolicyGetLifecycleManagement
AppPolicyGetMediaFoundationCodecLoading
AppPolicyGetProcessTerminationMethod
AppPolicyGetShowDeveloperDiagnostic
AppPolicyGetThreadInitializationType
AppPolicyGetWindowingModel
AppXFreeMemory
AppXGetApplicationData
AppXGetDevelopmentMode
AppXGetOSMaxVersionTested
AppXGetOSMinVersion
AppXGetPackageCapabilities
AppXGetPackageSid
AppXLookupDisplayName
AppXLookupMoniker
AppXPostSuccessExtension
AppXPreCreationExtension
AppXReleaseAppXContext
AppXUpdatePackageCapabilities
ApplicationUserModelIdFromProductId
AreAllAccessesGranted
AreAnyAccessesGranted
AreFileApisANSI
AreShortNamesEnabled
AreThereVisibleLogoffScriptsInternal
AreThereVisibleShutdownScriptsInternal
ArmFeatureUsageSubscriberFlushNotification
AttachConsole
BaseCheckAppcompatCache
BaseCheckAppcompatCacheEx
BaseCleanupAppcompatCacheSupport
BaseDllFreeResourceId
BaseDllMapResourceIdW
BaseDumpAppcompatCache
BaseFlushAppcompatCache
BaseFormatObjectAttributes
BaseFreeAppCompatDataForProcess
BaseGetConsoleReference
BaseGetNamedObjectDirectory
BaseInitAppcompatCacheSupport
BaseIsAppcompatInfrastructureDisabled
BaseMarkFileForDelete
BaseReadAppCompatDataForProcess
BaseUpdateAppcompatCache
BasepAdjustObjectAttributesForPrivateNamespace
BasepCopyFileCallback
BasepCopyFileExW
BasepNotifyTrackingService
Beep
BuildIoRingCancelRequest
BuildIoRingFlushFile
BuildIoRingReadFile
BuildIoRingRegisterBuffers
BuildIoRingRegisterFileHandles
BuildIoRingWriteFile
CLOSE_LOCAL_HANDLE_INTERNAL
CallEnclave
CallNamedPipeW
CallbackMayRunLong
CancelIo
CancelIoEx
CancelSynchronousIo
CancelThreadpoolIo
CancelWaitableTimer
CeipIsOptedIn
ChangeTimerQueueTimer
CharLowerA
CharLowerBuffA
CharLowerBuffW
CharLowerW
CharNextA
CharNextExA
CharNextW
CharPrevA
CharPrevExA
CharPrevW
CharUpperA
CharUpperBuffA
CharUpperBuffW
CharUpperW
CheckAllowDecryptedRemoteDestinationPolicy
CheckGroupPolicyEnabled
CheckIfStateChangeNotificationExists
CheckIsMSIXPackage
CheckRemoteDebuggerPresent
CheckTokenCapability
CheckTokenMembership
CheckTokenMembershipEx
ChrCmpIA
ChrCmpIW
ClearCommBreak
ClearCommError
CloseHandle
CloseIoRing
ClosePackageInfo
ClosePrivateNamespace
ClosePseudoConsole
CloseState
CloseStateAtom
CloseStateChangeNotification
CloseStateContainer
CloseStateLock
CloseThreadpool
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolIo
CloseThreadpoolTimer
CloseThreadpoolWait
CloseThreadpoolWork
CommandLineToArgvW
CommitStateAtom
CompareFileTime
CompareObjectHandles
CompareStringA
CompareStringEx
CompareStringOrdinal
CompareStringW
ConnectNamedPipe
ContinueDebugEvent
ConvertAuxiliaryCounterToPerformanceCounter
ConvertDefaultLocale
ConvertFiberToThread
ConvertPerformanceCounterToAuxiliaryCounter
ConvertThreadToFiber
ConvertThreadToFiberEx
ConvertToAutoInheritPrivateObjectSecurity
CopyContext
CopyFile2
CopyFileExW
CopyFileFromAppW
CopyFileW
CopySid
CouldMultiUserAppsBehaviorBePossibleForPackage
CreateActCtxW
CreateAppContainerToken
CreateBoundaryDescriptorW
CreateConsoleScreenBuffer
CreateDirectoryA
CreateDirectoryExW
CreateDirectoryFromAppW
CreateDirectoryW
CreateEnclave
CreateEventA
CreateEventExA
CreateEventExW
CreateEventW
CreateFiber
CreateFiberEx
CreateFile2
CreateFile2FromAppW
CreateFileA
CreateFileFromAppW
CreateFileMapping2
CreateFileMappingFromApp
CreateFileMappingNumaW
CreateFileMappingW
CreateFileW
CreateHardLinkA
CreateHardLinkW
CreateIoCompletionPort
CreateIoRing
CreateMemoryResourceNotification
CreateMutexA
CreateMutexExA
CreateMutexExW
CreateMutexW
CreateNamedPipeW
CreatePipe
CreatePrivateNamespaceW
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateProcessA
CreateProcessAsUserA
CreateProcessAsUserW
CreateProcessInternalA
CreateProcessInternalW
CreateProcessW
CreatePseudoConsole
CreatePseudoConsoleAsUser
CreateRemoteThread
CreateRemoteThreadEx
CreateRestrictedToken
CreateSemaphoreExW
CreateSemaphoreW
CreateStateAtom
CreateStateChangeNotification
CreateStateContainer
CreateStateLock
CreateStateSubcontainer
CreateSymbolicLinkW
CreateThread
CreateThreadpool
CreateThreadpoolCleanupGroup
CreateThreadpoolIo
CreateThreadpoolTimer
CreateThreadpoolWait
CreateThreadpoolWork
CreateTimerQueue
CreateTimerQueueTimer
CreateWaitableTimerExW
CreateWaitableTimerW
CreateWellKnownSid
CtrlRoutine
CveEventWrite
DeactivateActCtx
DebugActiveProcess
DebugActiveProcessStop
DebugBreak
DecodePointer
DecodeRemotePointer
DecodeSystemPointer
DefineDosDeviceW
DelayLoadFailureHook
DelayLoadFailureHookLookup
DeleteAce
DeleteBoundaryDescriptor
DeleteCriticalSection
DeleteEnclave
DeleteFiber
DeleteFileA
DeleteFileFromAppW
DeleteFileW
DeletePackageDependency
DeleteProcThreadAttributeList
DeleteStateAtomValue
DeleteStateContainer
DeleteStateContainerValue
DeleteSynchronizationBarrier
DeleteTimerQueue
DeleteTimerQueueEx
DeleteTimerQueueTimer
DeleteVolumeMountPointW
DeriveCapabilitySidsFromName
DestroyPrivateObjectSecurity
DeviceIoControl
DisablePredefinedHandleTableInternal
DisableThreadLibraryCalls
DisassociateCurrentThreadFromCallback
DiscardVirtualMemory
DisconnectNamedPipe
DnsHostnameToComputerNameExW
DsBindWithSpnExW
DsCrackNamesW
DsFreeDomainControllerInfoW
DsFreeNameResultW
DsFreeNgcKey
DsFreePasswordCredentials
DsGetDomainControllerInfoW
DsMakePasswordCredentialsW
DsReadNgcKeyW
DsUnBindW
DsWriteNgcKeyW
DuplicateHandle
DuplicateStateContainerHandle
DuplicateToken
DuplicateTokenEx
EmptyWorkingSet
EnableProcessOptionalXStateFeatures
EncodePointer
EncodeRemotePointer
EncodeSystemPointer
EnterCriticalPolicySectionInternal
EnterCriticalSection
EnterSynchronizationBarrier
EnumCalendarInfoExEx
EnumCalendarInfoExW
EnumCalendarInfoW
EnumDateFormatsExEx
EnumDateFormatsExW
EnumDateFormatsW
EnumDeviceDrivers
EnumDynamicTimeZoneInformation
EnumLanguageGroupLocalesW
EnumPageFilesA
EnumPageFilesW
EnumProcessModules
EnumProcessModulesEx
EnumProcesses
EnumResourceLanguagesExA
EnumResourceLanguagesExW
EnumResourceNamesA
EnumResourceNamesExA
EnumResourceNamesExW
EnumResourceNamesW
EnumResourceTypesExA
EnumResourceTypesExW
EnumSystemCodePagesW
EnumSystemFirmwareTables
EnumSystemGeoID
EnumSystemGeoNames
EnumSystemLanguageGroupsW
EnumSystemLocalesA
EnumSystemLocalesEx
EnumSystemLocalesW
EnumTimeFormatsEx
EnumTimeFormatsW
EnumUILanguagesW
EnumerateExtensionNames
EnumerateStateAtomValues
EnumerateStateContainerItems
EqualDomainSid
EqualPrefixSid
EqualSid
EscapeCommFunction
EventActivityIdControl
EventEnabled
EventProviderEnabled
EventRegister
EventSetInformation
EventUnregister
EventWrite
EventWriteEx
EventWriteString
EventWriteTransfer
ExitProcess
ExitThread
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
ExpungeConsoleCommandHistoryA
ExpungeConsoleCommandHistoryW
ExtensionProgIdExists
FatalAppExitA
FatalAppExitW
FileTimeToLocalFileTime
FileTimeToSystemTime
FillConsoleOutputAttribute
FillConsoleOutputCharacterA
FillConsoleOutputCharacterW
FindActCtxSectionGuid
FindActCtxSectionStringW
FindClose
FindCloseChangeNotification
FindFirstChangeNotificationA
FindFirstChangeNotificationW
FindFirstFileA
FindFirstFileExA
FindFirstFileExFromAppW
FindFirstFileExW
FindFirstFileNameW
FindFirstFileW
FindFirstFreeAce
FindFirstStreamW
FindFirstVolumeW
FindNLSString
FindNLSStringEx
FindNextChangeNotification
FindNextFileA
FindNextFileNameW
FindNextFileW
FindNextStreamW
FindNextVolumeW
FindPackagesByPackageFamily
FindResourceExW
FindResourceW
FindStringOrdinal
FindVolumeClose
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushConsoleInputBuffer
FlushFileBuffers
FlushInstructionCache
FlushProcessWriteBuffers
FlushViewOfFile
FoldStringW
ForceSyncFgPolicyInternal
FormatApplicationUserModelId
FormatApplicationUserModelIdA
FormatMessageA
FormatMessageW
FreeConsole
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeGPOListInternalA
FreeGPOListInternalW
FreeLibrary
FreeLibraryAndExitThread
FreeLibraryWhenCallbackReturns
FreeResource
FreeSid
FreeUserPhysicalPages
GenerateConsoleCtrlEvent
GenerateGPNotificationInternal
GetACP
GetAcceptLanguagesA
GetAcceptLanguagesW
GetAce
GetAclInformation
GetAdjustObjectAttributesForPrivateNamespaceRoutine
GetAlternatePackageRoots
GetAppContainerAce
GetAppContainerNamedObjectPath
GetAppDataFolder
GetAppModelVersion
GetApplicationRecoveryCallback
GetApplicationRestartSettings
GetApplicationUserModelId
GetApplicationUserModelIdFromToken
GetAppliedGPOListInternalA
GetAppliedGPOListInternalW
GetCPFileNameFromRegistry
GetCPHashNode
GetCPInfo
GetCPInfoExW
GetCachedSigningLevel
GetCalendar
GetCalendarInfoEx
GetCalendarInfoW
GetCommConfig
GetCommMask
GetCommModemStatus
GetCommPorts
GetCommProperties
GetCommState
GetCommTimeouts
GetCommandLineA
GetCommandLineW
GetCompressedFileSizeA
GetCompressedFileSizeW
GetComputerNameExA
GetComputerNameExW
GetConsoleAliasA
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleAliasW
GetConsoleAliasesA
GetConsoleAliasesLengthA
GetConsoleAliasesLengthW
GetConsoleAliasesW
GetConsoleCP
GetConsoleCommandHistoryA
GetConsoleCommandHistoryLengthA
GetConsoleCommandHistoryLengthW
GetConsoleCommandHistoryW
GetConsoleCursorInfo
GetConsoleDisplayMode
GetConsoleFontSize
GetConsoleHistoryInfo
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleMode
GetConsoleOriginalTitleA
GetConsoleOriginalTitleW
GetConsoleOutputCP
GetConsoleProcessList
GetConsoleScreenBufferInfo

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 224KB - Virtual size: 223KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

3a:da:10:cf:2e:8f:ca:42:70:94:f3:5f:7b:93:d1:df:dd:c5:2c:3c:64:3d:e9:eb:d5:d8:1e:bf:06:07:6d:92Signer

Signature Validations

Verification

23/09/2022, 10:48 Valid: false

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 32KB - Virtual size: 36KB

7aec0ed040ad95f9929c42a57026f9f5

Code Sign

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

bc:dd:9b:55:fe:91:55:51:38:ce:db:60:68:fc:02:3f:3f:18:6b:67:e1:f1:50:13:a4:e9:65:59:b5:af:17:34Signer

Signature Validations

Verification

23/09/2022, 10:48 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-xstate-l2-1-0

Exports

Exports

Sections

.text Size: 362KB - Virtual size: 362KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 2KB - Virtual size: 2KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 8KB

abf5d64388aca7d1e563955b014929d6

Code Sign

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

05:70:29:45:47:e6:a8:bc:15:cb:d6:93:3a:5f:61:74:b0:99:d0:8a:f9:f5:25:f3:a2:5f:2c:59:8f:da:1e:2dSigner

Signature Validations

Verification

23/09/2022, 10:48 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

api-ms-win-eventing-provider-l1-1-0

Exports

Exports

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.data Size: 4KB - Virtual size: 15KB

.idata Size: 23KB - Virtual size: 22KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 224KB - Virtual size: 223KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

3a:da:10:cf:2e:8f:ca:42:70:94:f3:5f:7b:93:d1:df:dd:c5:2c:3c:64:3d:e9:eb:d5:d8:1e:bf:06:07:6d:92
Signer

23/09/2022, 10:48
Valid: false

.rsrc
Size: 32KB - Virtual size: 36KB

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

bc:dd:9b:55:fe:91:55:51:38:ce:db:60:68:fc:02:3f:3f:18:6b:67:e1:f1:50:13:a4:e9:65:59:b5:af:17:34
Signer

23/09/2022, 10:48
Valid: false

.text
Size: 362KB - Virtual size: 362KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 8KB

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

05:70:29:45:47:e6:a8:bc:15:cb:d6:93:3a:5f:61:74:b0:99:d0:8a:f9:f5:25:f3:a2:5f:2c:59:8f:da:1e:2d
Signer

23/09/2022, 10:48
Valid: false

.text
Size: 2.1MB - Virtual size: 2.1MB

.data
Size: 4KB - Virtual size: 15KB

.idata
Size: 23KB - Virtual size: 22KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 224KB - Virtual size: 223KB