loader[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

loader.zip
Size

31.4MB
MD5

4adefa16782ead809c7eb7886696baa2
SHA1

83a17d2e3ba9652ed141d24e0ef1a28936cc2b7f
SHA256

4e8c36e8363935f6b48a694ad77d7978487a8f7301d1443faf54e96fec110a22
SHA512

13c75b673c2f3456621b94ac28bef556d74ebe59c78a552b2c919a33ba4cf6df33b3bb584cfddecaaf3b3d0dd5cfc5889eac0a61ecbbaeece2c8465dbfd519bb
SSDEEP

786432:uk7TbwRhV3+mk7MeLyT39Wb5f4npigkeCrLyURT0w/vOLsuilMsn:frwRSmKWT39GyI9/xRgwePa

Score

1^/10

Malware Config

Signatures

Files

loader.zip
.zip

Password: loader
loader/DscCore.dll
.dll windows x64

Password: loader

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.rsrc
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
loader/PSDSCFileDownloadManagerEvents.dll
.dll windows x64

Password: loader

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
loader/dll/Lua32.dll
.dll windows x64

Password: loader

3e017d2a373236275eed4a9a07ef23d3

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/05/2022, 19:23

Not After

04/05/2023, 19:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f1:85:e5:82:97:d1:62:cd:b3:06:5d:c3:d8:66:13:70:85:5f:d6:dd:0b:4d:56:18:5d:83:2a:04:90:dd:ec:e8
Signer

Actual PE Digest

f1:85:e5:82:97:d1:62:cd:b3:06:5d:c3:d8:66:13:70:85:5f:d6:dd:0b:4d:56:18:5d:83:2a:04:90:dd:ec:e8

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

09/03/2023, 13:30
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z

api-ms-win-crt-string-l1-1-0

memset
strncmp
strcmp

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__execute_onexit_table
_o__gmtime64_s
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__localtime64_s
_o__mktime64
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o__strdup
_o__stricmp
_o___stdio_common_vswprintf
_o__strnicmp
memmove
_o__swab
_o__errno
_o_atoi
_o_calloc
_o_fclose
_o_fopen_s
_o_fread
_o_free
_o_fseek
_o_ftell
_o_isdigit
_o_isspace
_o_log
_o_malloc
_o_pow
_o_powf
_o_qsort
_o_sqrt
_o_strcat_s
_o_strcpy_s
_o_strftime
_o_strncpy_s
_o_terminate
_o_tolower
_o_toupper
_o_wmemcpy_s
__CxxFrameHandler3
_CxxThrowException
_o___stdio_common_vsscanf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsnprintf_s
_o__crt_atexit
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o___stdio_common_vfscanf
_o__aligned_malloc
_o__aligned_free
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
_o___acrt_iob_func
__C_specific_handler
__std_terminate
__CxxFrameHandler4
_o___stdio_common_vswprintf_s
memchr
memcmp
memcpy

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSection
DeleteCriticalSection
AcquireSRWLockShared
LeaveCriticalSection
ReleaseSRWLockShared
InitializeSRWLock

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
PropVariantClear
CreateStreamOnHGlobal
PropVariantCopy
CoCreateInstance

api-ms-win-core-libraryloader-l1-2-0

LockResource
SizeofResource
DisableThreadLibraryCalls
LoadResource
FindResourceExW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

propsys

PropVariantCompareEx
PropVariantChangeType
PSCreateMemoryPropertyStore

oleaut32

VariantInit
SystemTimeToVariantTime

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
GetLastError
RaiseException
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
GetCurrentProcessorNumber

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapSize
HeapAlloc
HeapReAlloc
HeapFree
HeapDestroy

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-shlwapi-obsolete-l1-1-0

QISearch

api-ms-win-ntuser-rectangle-l1-1-0

IntersectRect

mscms

CreateMultiProfileTransform
DeleteColorTransform
CloseColorProfile
TranslateBitmapBits
OpenColorProfileW

kernel32

OutputDebugStringA
UnmapViewOfFile
CreateFileA
CloseHandle
GetSystemInfo
GetFileSizeEx
CreateFileMappingW
QueryPerformanceFrequency
CreateThreadpoolWork
SubmitThreadpoolWork
GetActiveProcessorCount
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
MapViewOfFile

gdi32

CombineRgn
CreateRectRgn
GetRegionData
DeleteObject
GetRgnBox

advapi32

CryptGenRandom
CryptAcquireContextW
CryptReleaseContext

ws2_32

ntohs
htonl

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-crt-math-l1-1-0

logf
floorf
expf
ceilf
cosf
sqrtf

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 777KB - Virtual size: 777KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27.5MB - Virtual size: 27.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 152KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
loader/dll/edve64.dll
.dll windows x64

Password: loader

92dbd485a8f15640c0fff7b2a7c647e7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__mb_cur_max
?what@exception@@UEBAPEBDXZ
_strlwr_s
strcpy_s
wcstombs_s
strrchr
towupper
iswxdigit
_wcsdup
??8type_info@@QEBAHAEBV0@@Z
__crtCompareStringW
__crtCompareStringA
__crtLCMapStringW
__crtLCMapStringA
_wsetlocale
___lc_handle_func
setlocale
toupper
memcpy
memmove
___mb_cur_max_func
___lc_codepage_func
_ismbblead
ldexp
strcspn
??0bad_cast@@QEAA@PEBD@Z
localeconv
??0bad_cast@@QEAA@AEBV0@@Z
??1bad_cast@@UEAA@XZ
memset
__pctype_func
isupper
islower
_Getmonths
_W_Getdays
_W_Getmonths
_W_Gettnames
_Wcsftime
_Gettnames
_Strftime
isspace
memchr
___lc_collate_cp_func
memcmp
sqrt
_XcptFilter
_amsg_exit
_initterm
?terminate@@YAXXZ
isdigit
isxdigit
isalpha
swscanf_s
iswspace
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
__CxxFrameHandler3
wcsncat_s
_mbsicmp
_mbscspn
_mbsspn
_mbsstr
strchr
strtol
_mbschr
_ismbcdigit
strncpy_s
_mbscmp
calloc
mbstowcs
_ultoa_s
_resetstkoflw
iswascii
iswpunct
realloc
free
malloc
_controlfp_s
_errno
_set_errno
time
_wtoi64
_stricmp
towlower
wcstok_s
_wcsrev
_wcsupr
tolower
iswcntrl
_aligned_malloc
_aligned_free
_ltow
strncmp
_fpclass
fmod
floorf
floor
expf
exp
cosf
cos
_isnan
modf
abort
_i64tow_s
__ExceptionPtrCopy
__ExceptionPtrRethrow
__ExceptionPtrToBool
__ExceptionPtrDestroy
__ExceptionPtrCreate
sprintf_s
_wcsupr_s
_itow_s
_wcstoui64
_ui64tow_s
_wcslwr
_wcslwr_s
iswalnum
wcsrchr
wcstol
wcsncpy_s
wcsstr
wcscat_s
wcscpy_s
vswprintf_s
isalnum
wcstod
wcstoul
qsort
bsearch_s
qsort_s
iswalpha
iswdigit
_finite
_ltow_s
_ultow_s
wcsnlen
_wtol
swprintf_s
bsearch
_wtof
_wtoi
wcsncmp
_wcsnicmp
wcschr
tanf
??1type_info@@UEAA@XZ
_vsnprintf
_onexit
__dllonexit
_unlock
_lock
_wcsicmp
fmodf
__C_specific_handler
??0exception@@QEAA@AEBQEBD@Z
_vsnwprintf
memcpy_s
_purecall
iswprint
_statusfp
_clearfp
iswlower
strtoul
wcsspn
wcscspn
fwrite
strnlen
wcstok
__uncaught_exception
memmove_s
tan
sqrtf
sinf
sin
log
powf
log10f
logf
_HUGE
_Getdays
_CxxThrowException
pow
strstr
__iob_func
acos
acosf
asin
asinf
atan
atan2
atan2f
atanf
ceil
ceilf
wcscmp

chakra

RecyclerNativeHeapRootAddRef
RecyclerNativeHeapAllocTraced
RecyclerNativeHeapAllocTracedFinalized
JsVarToExtension
RecyclerNativeHeapCollectGarbageInThread
JsCreateThreadService
MemProtectHeapRootAlloc
RecyclerNativeHeapGetRealAddressFromInterior
MemProtectHeapCreate
RecyclerNativeHeapCreateWeakReference
RecyclerNativeHeapGetStrongReference
RecyclerNativeHeapAddExternalMemoryUsage
RecyclerNativeHeapRootRelease
JsDiscardBackgroundParse
MemProtectHeapNotifyCurrentThreadDetach
MemProtectHeapUnrootAndZero
MemProtectHeapDestroy
MemProtectHeapSynchronizeWithCollector
MemProtectHeapUnprotectCurrentThread
MemProtectHeapReportHeapSize
MemProtectHeapProtectCurrentThread
MemProtectHeapDisableCollection
MemProtectHeapRootRealloc
JsQueueBackgroundParse

iertutil

ord151
ord79
ord110
ord600
ord681
ord134
ord178
ord177
ord792
ord325
ord793
ord57
ord682
ord111
ord700
ord701
ord791
ord910
ord870
ord58
CreateUri
ord56
CreateIUriBuilder
ord911
ord690
ord139
ord138
CreateUriWithFragment
ord85
ord74
ord102
ord174
ord466
ord82
ord76
ord49
ord688
ord661
ord651
ord655
ord657
ord650
ord678
ord653
ord660
ord677
ord658
ord652
ord663
ord654
ord163
ord597
ord594
ord26
ord820
ord795
ord398
ord796
ord209
ord32
GetIUriPriv
GetPortFromUrlScheme
ord81

ntdll

NtPowerInformation
RtlReleaseSRWLockExclusive
NtQueryInformationProcess
NtQuerySystemInformation
RtlAcquireSRWLockExclusive
RtlNtStatusToDosError
RtlIpv6AddressToStringExW
RtlIpv4AddressToStringExW
RtlDllShutdownInProgress
VerSetConditionMask
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlGetSuiteMask
NtClose

winhttp

WinHttpGetIEProxyConfigForCurrentUser

api-ms-win-core-libraryloader-l1-2-0

FreeLibraryAndExitThread
LoadStringW
FreeLibrary
SizeofResource
LockResource
LoadLibraryExA
FindResourceExW
LoadResource
LoadLibraryExW
GetModuleHandleW
GetModuleFileNameW
GetProcAddress
GetModuleFileNameA
GetModuleHandleExW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak
OutputDebugStringA

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventActivityIdControl
EventSetInformation
EventWriteEx
EventWriteTransfer
EventWrite
EventProviderEnabled

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
WaitForSingleObject
CreateEventExW
ReleaseSemaphore
AcquireSRWLockShared
OpenSemaphoreW
ResetEvent
InitializeSRWLock
SetEvent
CreateEventW
ReleaseSRWLockShared
ReleaseSRWLockExclusive
OpenEventW
WaitForMultipleObjectsEx
CreateMutexW
InitializeCriticalSectionEx
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
TryEnterCriticalSection
CreateMutexExW
ReleaseMutex
CreateSemaphoreExW
AcquireSRWLockExclusive

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
SetErrorMode
GetLastError
UnhandledExceptionFilter
RaiseException

api-ms-win-core-processthreads-l1-1-0

ProcessIdToSessionId
TerminateProcess
CreateProcessW
CreateThread
GetCurrentThread
GetCurrentProcess
OpenProcessToken
GetThreadPriority
ResumeThread
OpenThread
CreateProcessAsUserW
SetThreadPriority
GetCurrentProcessId
GetProcessIdOfThread
GetProcessId
TlsAlloc
TlsSetValue
TlsGetValue
GetExitCodeProcess
TlsFree
GetProcessTimes
ExitProcess
OpenThreadToken
GetCurrentThreadId
QueueUserAPC

api-ms-win-core-localization-l1-2-0

GetLocaleInfoW
GetUserDefaultLocaleName
IsValidLocaleName
GetLocaleInfoEx
SetThreadPreferredUILanguages
LocaleNameToLCID
GetUserDefaultLangID
GetCPInfo
GetGeoInfoW
GetUserGeoID
IsValidCodePage
GetUserDefaultLCID
GetSystemDefaultLCID
FormatMessageW
ResolveLocaleName
IsDBCSLeadByteEx
IsDBCSLeadByte
GetACP
LCMapStringEx
GetThreadUILanguage

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-heap-l1-1-0

HeapReAlloc
HeapSize
HeapAlloc
GetProcessHeap
HeapFree
HeapSetInformation
HeapDestroy

api-ms-win-core-fibers-l1-1-0

FlsFree
FlsSetValue
FlsAlloc

api-ms-win-core-memory-l1-1-0

FlushViewOfFile
VirtualFree
VirtualProtect
VirtualQuery
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
VirtualAlloc
MapViewOfFileEx
OpenFileMappingW

api-ms-win-core-atoms-l1-1-0

FindAtomW
AddAtomW
DeleteAtom

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemWindowsDirectoryW
GetLocalTime
GetTickCount64
GetSystemDirectoryW
GetSystemTime
GetSystemTimeAsFileTime
GetLogicalProcessorInformation
GetVersionExA
GetSystemTimeAdjustment
GlobalMemoryStatusEx
GetVersionExW
GetSystemInfo

api-ms-win-core-synch-l1-2-0

WaitOnAddress
InitOnceExecuteOnce
InitOnceComplete
Sleep
InitOnceInitialize
SleepConditionVariableSRW
WakeAllConditionVariable
WakeByAddressAll
SleepConditionVariableCS
InitializeConditionVariable
InitOnceBeginInitialize

api-ms-win-core-path-l1-1-0

PathCchCanonicalizeEx
PathCchAddExtension
PathCchCombine
PathCchAppendEx
PathCchCanonicalize
PathCchRemoveExtension
PathCchAppend
PathAllocCombine
PathCchCombineEx

api-ms-win-core-shlwapi-legacy-l1-1-0

PathIsUNCW
SHExpandEnvironmentStringsW
PathGetDriveNumberW
IsCharSpaceW
PathUnquoteSpacesW
PathSearchAndQualifyW
PathRemoveFileSpecW
PathFindFileNameW
PathFileExistsW
PathGetCharTypeW
PathFindExtensionW
PathIsFileSpecW
PathIsRelativeW
PathMatchSpecW
PathStripPathW

api-ms-win-core-file-l1-1-0

ReadFile
FileTimeToLocalFileTime
FindNextFileW
CreateFileW
FindNextChangeNotification
FindCloseChangeNotification
FindFirstChangeNotificationW
GetFileAttributesW
CompareFileTime
RemoveDirectoryW
SetFileAttributesW
SetFilePointerEx
GetFileSize
FindClose
FindFirstFileW
GetFullPathNameW
SetFilePointer
GetDiskFreeSpaceExW
CreateDirectoryW
GetLongPathNameW
GetFileTime
GetFullPathNameA
GetFileAttributesExW
GetFileType
GetFileSizeEx
FindFirstFileExW
WriteFile
GetTempFileNameW
SetEndOfFile
DeleteFileW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrCmpICW
StrStrIA
StrStrA
StrDupW
QISearch
StrCmpNICW
StrCSpnW
StrCmpW
StrRStrIW
StrToIntA
StrCmpIW
StrTrimW
StrChrNW
StrStrW
StrToInt64ExW
StrToIntW
StrToIntExW
StrCmpCW
StrStrIW
StrChrW
StrChrNIW
StrCmpICA
StrCmpNICA
StrCmpNCW
StrCmpNW
StrCmpNIW
StrChrA
StrPBrkW

api-ms-win-ntuser-sysparams-l1-1-0

GetSystemMetrics
GetMonitorInfoW
EnumDisplaySettingsW
SystemParametersInfoW

api-ms-win-core-kernel32-legacy-l1-1-0

WTSGetActiveConsoleSessionId
GetComputerNameW
RegisterWaitForSingleObject

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolWorkCallbacks
TrySubmitThreadpoolCallback
CloseThreadpoolWork
SetThreadpoolTimer
CreateThreadpool
WaitForThreadpoolTimerCallbacks
SubmitThreadpoolWork
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum
CreateThreadpoolTimer
CloseThreadpool
CloseThreadpoolWait
CreateThreadpoolWait
CreateThreadpoolWork
WaitForThreadpoolWaitCallbacks
CloseThreadpoolTimer
CallbackMayRunLong
CreateThreadpoolCleanupGroup
CloseThreadpoolCleanupGroup
SetThreadpoolWait
CloseThreadpoolCleanupGroupMembers

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerW
CharUpperW
IsCharAlphaNumericW
CharLowerBuffW

api-ms-win-core-url-l1-1-0

UrlUnescapeW
UrlApplySchemeW
UrlCanonicalizeW
UrlGetLocationW
UrlCombineW
HashData
UrlEscapeW
ParseURLW
PathCreateFromUrlW
GetAcceptLanguagesW
UrlGetPartW
UrlIsW
UrlIsNoHistoryW
PathIsURLW
UrlCreateFromPathW

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName
GetSystemDefaultLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

PowerSetRequest
PowerCreateRequest
VerifyVersionInfoW
PowerClearRequest

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess

api-ms-win-security-base-l1-1-0

IsValidSid
GetLengthSid
InitializeAcl
GetTokenInformation
AddAccessAllowedAce
GetSidSubAuthorityCount
GetSidSubAuthority
DuplicateTokenEx
CopySid

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalReAlloc
LocalFree
GlobalFree
GlobalAlloc

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW
LoadLibraryA

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegGetValueW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteTreeW
RegOpenKeyExA
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiA
lstrcmpA
lstrcmpW
lstrcmpiW
lstrlenW

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
UnregisterWaitEx
DeleteTimerQueueTimer
QueueUserWorkItem

api-ms-win-core-string-l1-1-0

GetStringTypeW
CompareStringEx
MultiByteToWideChar
CompareStringOrdinal
CompareStringW
WideCharToMultiByte

api-ms-win-core-processenvironment-l1-2-0

SearchPathA

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalFlags
GlobalUnlock
LocalSize
GlobalSize
GlobalReAlloc

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

GetClipboardFormatNameW
RegisterClipboardFormatA
IsClipboardFormatAvailable
SetClipboardData
RegisterClipboardFormatW
CloseClipboard
EmptyClipboard
OpenClipboard

api-ms-win-core-sidebyside-l1-1-0

ReleaseActCtx
CreateActCtxW
ActivateActCtx
DeactivateActCtx

api-ms-win-rtcore-ole32-clipboard-l1-1-0

OleIsCurrentClipboard
OleFlushClipboard
OleGetClipboard
OleSetClipboard

api-ms-win-rtcore-ntuser-draw-l1-1-0

RedrawWindow

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

RegisterPowerSettingNotification
UnregisterPowerSettingNotification

api-ms-win-security-isolatedcontainer-l1-1-0

IsProcessInIsolatedContainer

api-ms-win-security-capability-l1-1-0

CapabilityCheck

api-ms-win-ntuser-rectangle-l1-1-0

PtInRect
IsRectEmpty
IntersectRect
SetRect

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetCurrentDirectoryW

api-ms-win-core-privateprofile-l1-1-0

GetProfileIntA
WritePrivateProfileStringW
GetProfileIntW

api-ms-win-core-com-private-l1-1-0

CoRegisterInitializeSpy
CoRegisterMessageFilter
CoRevokeInitializeSpy

rpcrt4

RpcStringFreeW
UuidCreate
I_RpcExceptionFilter
RpcBindingBind
NdrAsyncServerCall
Ndr64AsyncServerCallAll
RpcBindingCreateW
RpcServerUnregisterIf
RpcMgmtStopServerListening
UuidToStringW
RpcBindingFree
RpcStringFreeA
RpcBindingVectorFree
RpcEpRegisterNoReplaceW
RpcExceptionFilter
RpcServerInqBindingsEx
RpcServerRegisterIf3
RpcServerUseProtseqEpW
I_RpcBindingInqLocalClientPID
RpcServerInqBindingHandle
RpcAsyncInitializeHandle
RpcStringBindingComposeA
RpcAsyncCompleteCall
UuidFromStringW
NdrClientCall3
RpcBindingSetAuthInfoA
Ndr64AsyncClientCall
RpcBindingFromStringBindingA
RpcAsyncCancelCall

api-ms-win-core-file-l1-2-0

GetTempPathW
CreateFile2

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-mm-time-l1-1-0

timeEndPeriod
timeBeginPeriod

api-ms-win-core-job-l1-1-0

IsProcessInJob

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-systemtopology-l1-1-0

GetNumaHighestNodeNumber

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo
GetSystemTimePreciseAsFileTime

api-ms-win-core-file-l2-1-0

GetFileInformationByHandleEx
MoveFileExW

api-ms-win-core-interlocked-l1-1-0

InterlockedFlushSList
InterlockedPopEntrySList
QueryDepthSList
InitializeSListHead
InterlockedPushEntrySList

api-ms-win-core-processtopology-obsolete-l1-1-0

GetActiveProcessorCount

api-ms-win-core-fibers-l2-1-0

DeleteFiber
ConvertThreadToFiber
CreateFiber
SwitchToFiber
ConvertFiberToThread

api-ms-win-core-marshal-l1-1-0

CLIPFORMAT_UserSize
CLIPFORMAT_UserMarshal
HWND_UserUnmarshal
CLIPFORMAT_UserUnmarshal
HWND_UserSize
HWND_UserMarshal64
CLIPFORMAT_UserFree
HWND_UserUnmarshal64
HWND_UserSize64
CLIPFORMAT_UserUnmarshal64
HWND_UserFree64
HWND_UserFree
CLIPFORMAT_UserSize64
CLIPFORMAT_UserFree64
HWND_UserMarshal
CLIPFORMAT_UserMarshal64

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerFrameTouchInfo
GetCurrentInputMessageSource
GetPointerInfo
GetPointerFrameInfoHistory

api-ms-win-core-winrt-robuffer-l1-1-0

RoGetBufferMarshaler

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage
GetNumberFormatW
GetSystemDefaultUILanguage
EnumUILanguagesW

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW

api-ms-win-core-registry-l2-1-0

RegEnumKeyW

api-ms-win-shlwapi-winrt-storage-l1-1-1

IUnknown_GetWindow
StrRetToBufW

api-ms-win-core-realtime-l1-1-0

QueryProcessCycleTime
QueryThreadCycleTime

api-ms-win-core-psapi-l1-1-0

K32GetProcessMemoryInfo

api-ms-win-core-interlocked-l1-2-0

InterlockedPushListSListEx

api-ms-win-shell-namespace-l1-1-0

ILFindLastID
ILFree
SHBindToParent

api-ms-win-core-stringansi-l1-1-0

CharLowerA

api-ms-win-security-cryptoapi-l1-1-0

CryptGenRandom
CryptAcquireContextA
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptReleaseContext
CryptGetHashParam
CryptDestroyHash
CryptContextAddRef

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
ResolveDelayLoadsFromDll

api-ms-win-core-processthreads-l1-1-3

SetProcessInformation
SetThreadDescription

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

rometadata

MetaDataGetDispenser

api-ms-win-base-util-l1-1-0

IsTextUnicode

api-ms-win-ole32-ie-l1-1-0

OleRun
CoInitialize
ReleaseStgMedium
CreateBindCtx

kernelbase

OpenGlobalizationUserSettingsKey

rmclient

HamDisconnectForExtendedExecution
HamAddDependency
HamConnectForExtendedExecution

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-namedpipe-l1-1-0

CreatePipe

api-ms-win-core-localization-ansi-l1-1-0

GetStringTypeExA

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-memory-l1-1-1

VirtualUnlock

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW
SetNamedSecurityInfoW
GetNamedSecurityInfoW

api-ms-win-shell-shdirectory-l1-1-0

ord290

api-ms-win-core-windowserrorreporting-l1-1-0

WerUnregisterMemoryBlock
WerRegisterMemoryBlock

Exports

Exports

CIGTestHookLoadLibraryWorkerThread
ClearPhishingFilterData
ClearTemporaryWebDataAsync
ConvertAndEscapePostData
CreateCoreWebView
CreateDiagnosticsToolObject
CreateHTMLPropertyPage
DllCanUnloadNow
DllEnumClassObjects
DllGetClassObject
Fetch_CreateOriginAgnosticFetch
GetColorValueFromString
GetWebPlatformObject
InitializeLocalHtmlEngine
MatchExactGetIDsOfNames
PrintHTML
ShowHTMLDialog
ShowHTMLDialogEx
ShowModalDialog
ShowModelessHTMLDialog
Streams_CreateByteChunk
Streams_CreateDefaultSizedByteChunk
Streams_CreateDefaultSizedWideCharChunk
Streams_CreateReadableStream
Streams_CreateReadableStreamFromFileHandle
Streams_CreateReadableStreamFromFilePath
Streams_CreateWideCharChunk
Streams_CreateWritableStream
TravelLogCreateInstance
UninitializeLocalHtmlEngine

Sections

.text
Size: 17.5MB - Virtual size: 17.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5.6MB - Virtual size: 5.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 157KB - Virtual size: 276KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 636KB - Virtual size: 635KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
loader/dll/mdxplugin64.dll
.dll windows x64

Password: loader

2ea14dcfcaf2eef4100510325f7f1e75

Code Sign

33:00:00:00:dc:34:1a:52:0f:bb:cf:3d:8c:00:00:00:00:00:dc
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10/03/2022, 19:58

Not After

08/03/2023, 19:58

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

74:f3:a4:0b:aa:8a:4d:05:4a:31:ca:97:3d:ef:b6:32:ab:b5:f5:3b:e6:1d:f2:b1:be:61:1c:27:45:5a:23:30
Signer

Actual PE Digest

74:f3:a4:0b:aa:8a:4d:05:4a:31:ca:97:3d:ef:b6:32:ab:b5:f5:3b:e6:1d:f2:b1:be:61:1c:27:45:5a:23:30

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

09/03/2023, 13:30
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

dxva2

DXVA2CreateDirect3DDeviceManager9
DXVAHD_CreateDevice

d3d11

D3D11CreateDevice

dxgi

CreateDXGIFactory

kernel32

DecodePointer
RaiseException
GetLastError
InitializeCriticalSectionEx
FreeLibrary
GetProcAddress
LoadLibraryExW
SetThreadErrorMode
WaitForSingleObject
Sleep
SetErrorMode
CloseHandle
GetOverlappedResult
WriteFile
CreateEventW
CreateFileA
SetThreadGroupAffinity
GetCurrentProcessorNumberEx
GetNumaNodeProcessorMaskEx
GetNumaHighestNodeNumber
GetCurrentThreadId
DuplicateHandle
GetCurrentProcess
CreateEventExW
ResetEvent
GetVersionExW
GetModuleFileNameW
GetSystemInfo
GlobalMemoryStatusEx
SystemTimeToFileTime
FileTimeToSystemTime
LoadLibraryW
GetComputerNameW
SwitchToThread
QueryPerformanceCounter
DeleteCriticalSection
GetSystemTimeAsFileTime
DeleteFileW
SetFilePointer
CreateFileW
GetFileAttributesExW
GetTempPathW
GetTempFileNameW
FlushFileBuffers
ReadFile
RemoveDirectoryW
CreateDirectoryW
FindFirstFileW
FindClose
FindNextFileW
GetDiskFreeSpaceExW
SetEvent
PulseEvent
CreateEventA
ReleaseSemaphore
CreateSemaphoreExW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
GetModuleFileNameA
WaitForMultipleObjects
GetEnvironmentVariableA
LoadLibraryA
lstrcmpA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
SetEnvironmentVariableW
GetProcessHeap
SetStdHandle
ReadConsoleW
WriteConsoleW
RtlCaptureStackBackTrace
QueryPerformanceFrequency
GetExitCodeThread
GetTimeZoneInformation
SetFilePointerEx
GetFileSizeEx
SetConsoleCtrlHandler
GetConsoleMode
GetConsoleCP
GetFileType
GetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
WaitForSingleObjectEx
RtlUnwind
GetNativeSystemInfo
FormatMessageA
WideCharToMultiByte
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetTickCount
GetModuleHandleW
LocalFree
MultiByteToWideChar
EncodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
GetThreadLocale
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcessId
OutputDebugStringW
CreateTimerQueue
SignalObjectAndWait
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetCurrentThread
GetThreadTimes
FreeLibraryAndExitThread
GetModuleHandleA
VirtualAlloc
VirtualProtect
VirtualFree
SetProcessAffinityMask
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
WaitForMultipleObjectsEx
RtlUnwindEx
RtlPcToFileHeader
ExitThread
ResumeThread
GetModuleHandleExW
FindFirstFileExW
SystemTimeToTzSpecificLocalTime
ExitProcess
HeapFree
HeapAlloc
HeapReAlloc
HeapSize
HeapQueryInformation
GetDateFormatW
GetTimeFormatW

user32

UnregisterClassW

ole32

StringFromCLSID
StringFromGUID2
CoTaskMemFree

advapi32

EventWrite
EventRegister
EventUnregister
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
EventEnabled

setupapi

SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyW
CM_Get_Device_ID_List_SizeW
CM_Get_Device_ID_ListW
CM_Locate_DevNodeW
CM_Open_DevNode_Key
SetupDiGetClassDevsW
SetupDiEnumDeviceInfo

winmm

timeGetTime

Exports

Exports

CreatePlugin
mfxCreateDecoderPlugin

Sections

.text
Size: 9.8MB - Virtual size: 9.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

IPPCODE
Size: 569KB - Virtual size: 568KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14.9MB - Virtual size: 14.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 105KB - Virtual size: 143KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 337KB - Virtual size: 336KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data1
Size: 290KB - Virtual size: 289KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

IPPDATA
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.trace
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.debug_o
Size: 606KB - Virtual size: 605KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
loader/loader.exe
.exe windows x86

Password: loader

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

0e:09:ce:c5:b7:00:ee:c8:a2:f9:a3:8a:b1:c0:29:0f
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

05/11/2020, 00:00

Not After

02/01/2024, 23:59

Subject

SERIALNUMBER=07751649,CN=FACE IT LIMITED,O=FACE IT LIMITED,L=London,C=GB,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024742

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d1:5b:dc:99:75:fe:07:d7:43:96:eb:9f:78:71:97:c4:6f:94:7e:9a:84:18:1a:fb:5e:bc:c9:ef:58:1a:08:36
Signer

Actual PE Digest

d1:5b:dc:99:75:fe:07:d7:43:96:eb:9f:78:71:97:c4:6f:94:7e:9a:84:18:1a:fb:5e:bc:c9:ef:58:1a:08:36

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=07751649,CN=FACE IT LIMITED,O=FACE IT LIMITED,L=London,C=GB,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024742

23/01/2023, 13:46
Valid: true

Chain 1

SERIALNUMBER=07751649,CN=FACE IT LIMITED,O=FACE IT LIMITED,L=London,C=GB,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024742

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

wnpv@Z
Size: 132KB - Virtual size: 132KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
loader/resources/Configuration/BaseRegistration/BaseResource.Schema.mof
loader/resources/Configuration/BaseRegistration/MSFT_DSCMetaConfiguration.mof
loader/resources/Configuration/BaseRegistration/en-US/BaseResource.Schema.mfl
loader/resources/Configuration/BaseRegistration/en-US/MSFT_DSCMetaConfiguration.mfl
loader/resources/Configuration/Registration/MSFT_FileDirectoryConfiguration/MSFT_FileDirectoryConfiguration.Registration.mof
loader/resources/Configuration/Registration/MSFT_FileDirectoryConfiguration/en-US/MSFT_FileDirectoryConfiguration.Registration.mfl
loader/resources/Configuration/Schema/MSFT_FileDirectoryConfiguration/MSFT_FileDirectoryConfiguration.Schema.mof
loader/resources/Configuration/Schema/MSFT_FileDirectoryConfiguration/en-US/MSFT_FileDirectoryConfiguration.Schema.mfl
loader/resources/WinMetadata/Windows.ApplicationModel.winmd
.dll windows x86

Password: loader

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 130KB - Virtual size: 130KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Data.winmd
.dll windows x86

Password: loader

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Devices.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 165KB - Virtual size: 164KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Foundation.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Globalization.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Graphics.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Management.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Media.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 118KB - Virtual size: 117KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Networking.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 109KB - Virtual size: 109KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Security.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 64KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Storage.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.System.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.UI.Xaml.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 773KB - Virtual size: 772KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.UI.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 170KB - Virtual size: 169KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/WinMetadata/Windows.Web.winmd
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 91KB - Virtual size: 90KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
loader/resources/amd64_acpi.inf_31bf3856ad364e35_6.3.9600.18939_none_138212f0a1d1eae6/acpi.inf
loader/resources/amd64_acpi.inf_31bf3856ad364e35_6.3.9600.18939_none_138212f0a1d1eae6/acpi.sys
.exe windows x64

ff76db7a08b93ec7fbf02cef7f51f1e8

Code Sign

33:00:00:01:74:69:de:10:8b:37:65:a8:d7:00:00:00:00:01:74
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11/08/2017, 20:23

Not After

11/08/2018, 20:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

47:76:af:61:7c:8c:04:56:e0:50:9e:f4:81:ba:51:fc:52:9f:0f:72:50:92:39:4e:61:df:24:fc:7c:47:b0:70
Signer

Actual PE Digest

47:76:af:61:7c:8c:04:56:e0:50:9e:f4:81:ba:51:fc:52:9f:0f:72:50:92:39:4e:61:df:24:fc:7c:47:b0:70

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

09/03/2023, 13:30
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

IoDeleteDevice
PoRequestPowerIrp
ObfReferenceObject
ObfDereferenceObject
IofCallDriver
IoAllocateWorkItem
IoQueueWorkItem
IoFreeWorkItem
RtlCopyUnicodeString
KeInitializeSpinLock
KeInitializeEvent
ExInitializeResourceLite
ExInitializeNPagedLookasideList
IoRegisterBootDriverReinitialization
IoConnectInterruptEx
KeBugCheckEx
ZwPowerInformation
_vsnprintf
_vsnwprintf
KeSetEvent
RtlIoDecodeMemIoResource
RtlCmDecodeMemIoResource
RtlIsRangeAvailable
RtlFreeRangeList
RtlInitializeRangeList
RtlAddRange
RtlInvertRangeList
KeInsertQueueDpc
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExQueryDepthSList
IoReserveDependency
IoResolveDependency
IoCreateDevice
IoAttachDeviceToDeviceStack
KeWaitForSingleObject
IoInvalidateDeviceRelations
IoRequestDeviceEject
IoGetAttachedDeviceReference
strstr
strnlen
EmClientRuleEvaluate
IoSetDevicePropertyData
IoInvalidateDeviceState
ObReferenceObjectByPointer
PsCreateSystemThread
ObReferenceObjectByHandle
ZwClose
ExQueueWorkItem
IoReleaseCancelSpinLock
IoOpenDeviceRegistryKey
ZwSetValueKey
_strtoui64
IoBuildSynchronousFsdRequest
IoDuplicateDependency
IoSetDependency
ObfReferenceObjectWithTag
ObfDereferenceObjectWithTag
IoTestDependency
PoSetPowerState
PoCallDriver
IoAcquireCancelSpinLock
PoSetSystemWake
IoDetachDevice
SeSinglePrivilegeCheck
IoDeleteSymbolicLink
ExDeleteNPagedLookasideList
IoGetDeviceProperty
IoCreateSymbolicLink
IoDisconnectInterruptEx
HalPrivateDispatchTable
MmLockPagableDataSection
MmUnlockPagableImageSection
ExInterlockedRemoveHeadList
IoAllocateErrorLogEntry
IoWriteErrorLogEntry
KeEnterCriticalRegion
ExAcquireResourceSharedLite
ExReleaseResourceLite
KeLeaveCriticalRegion
ExAcquireResourceExclusiveLite
IoUnregisterPlugPlayNotification
ZwOpenFile
RtlCompareMemory
IoBuildDeviceIoControlRequest
IoRegisterPlugPlayNotification
KeClearEvent
wcsstr
PoFxNotifySurprisePowerOn
ZwQuerySystemInformation
RtlIntegerToUnicodeString
EmProviderRegister
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IofCompleteRequest
NlsMbCodePageTag
RtlxAnsiStringToUnicodeSize
KeQueryActiveProcessorCountEx
EmClientQueryRuleState
HalDispatchTable
ZwSetSystemInformation
RtlAnsiCharToUnicodeChar
ExCreateCallback
ExRegisterCallback
IoRegisterDeviceInterface
IoSetDeviceInterfaceState
IoGetDevicePropertyData
_strupr
IoWMIOpenBlock
IoWMIQueryAllData
IoWMIExecuteMethod
RtlEqualUnicodeString
HeadlessDispatch
MmGetPhysicalAddress
PoShutdownBugCheck
MmMapIoSpace
KeSetImportanceDpc
IoQueueWorkItemEx
KeWaitForMultipleObjects
PsTerminateSystemThread
KfRaiseIrql
KeLowerIrql
KeProcessorGroupAffinity
KeSetSystemGroupAffinityThread
KeQueryTimeIncrement
KeRevertToUserGroupAffinityThread
ExAcquireFastMutex
ExReleaseFastMutex
RtlDeleteRange
RtlFindRange
IoGetDeviceNumaNode
KeStartDynamicProcessor
RtlIoEncodeMemIoResource
ZwCreateKey
ZwQueryValueKey
ZwOpenKey
ZwEnumerateKey
RtlUnicodeStringToInteger
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
MmUnmapIoSpace
_stricmp
RtlFindLeastSignificantBit
IoCancelIrp
IoUnregisterPlugPlayNotificationEx
IoFreeIrp
IoWMIRegistrationControl
IoAllocateIrp
ZwCreateFile
IoFileObjectType
KeDelayExecutionThread
IoReuseIrp
IoSynchronousCallDriver
RtlCompareUnicodeString
IoReportInterruptInactive
IoReportInterruptActive
PoSetHiberRange
KeSetTimer
KeCancelTimer
ExAllocatePoolWithTag
ExFreePoolWithTag
RtlInitUnicodeString
EtwWrite
EtwEventEnabled
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
KdEnableDebugger
ZwLoadDriver
KdDisableDebugger
ord3
ExAcquireSpinLockShared
ExReleaseSpinLockShared
ExTryQueueWorkItem
ExUnregisterCallback
ExNotifyCallback
ExInitializeRundownProtection
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
DbgPrintEx
ExWaitForRundownProtectionRelease
NtClose
ExAcquireRundownProtection
strncmp
strchr
strrchr
ExReleaseRundownProtection
ExSetTimer
KeQueryInterruptTimePrecise
InitSafeBootMode
RtlGetNextRange
RtlGetFirstRange
RtlQueryRegistryValuesEx
KeGetProcessorNumberFromIndex
KeRegisterProcessorChangeCallback
RtlCopyRangeList
KeQueryMaximumGroupCount
KeQueryGroupAffinity
KeGetProcessorIndexFromNumber
KeQueryMaximumProcessorCountEx
RtlInvertRangeListEx
_wcsicmp
RtlDeleteOwnersRanges
KeInitializeDpc
KeInitializeTimer
RtlFreeUnicodeString
EtwRegister

hal

HalGetMessageRoutingInfo
HalConvertDeviceIdtToIrql
KeFlushWriteBuffer
HalGetProcessorIdByNtNumber
HalSetBusDataByOffset
HalGetBusDataByOffset
HalGetMemoryCachingRequirements
KdHvComPortInUse
KdComPortInUse
KeStallExecutionProcessor
KeQueryPerformanceCounter
HalGetInterruptTargetInformation

wmilib.sys

WmiCompleteRequest
WmiSystemControl

Exports

Exports

DeRegisterOpRegionHandler
RegisterOpRegionHandler

Sections

.text
Size: 266KB - Virtual size: 266KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 112KB - Virtual size: 112KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 119B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGEDATA
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGECONS
Size: 512B - Virtual size: 58B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
loader/resources/amd64_acpipagr.inf.resources_31bf3856ad364e35_6.3.9600.16384_en-us_bcbaa4727b8b80b6/acpipagr.inf_loc
loader/resources/amd64_acpipagr.inf_31bf3856ad364e35_6.3.9600.16384_none_f5a27e69194bb29a/acpipagr.inf
loader/resources/amd64_acpipagr.inf_31bf3856ad364e35_6.3.9600.16384_none_f5a27e69194bb29a/acpipagr.sys
.exe windows x64

4be91eaa180fe01cb91646273a069b7d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExAcquirePushLockSharedEx
ExAcquirePushLockExclusiveEx
KeQueryActiveProcessorCountEx
EtwUnregister
ExReleasePushLockExclusiveEx
EtwEventEnabled
EtwWrite
RtlCopyUnicodeString
ZwPowerInformation
ExReleasePushLockSharedEx
ExFreePoolWithTag
EtwRegister
ExAllocatePoolWithTag

wdfldr.sys

WdfVersionUnbindClass
WdfVersionBind
WdfVersionUnbind
WdfVersionBindClass

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 804B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 216B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 796B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 102B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
loader/resources/amd64_acpipmi.inf.resources_31bf3856ad364e35_6.3.9600.16384_en-us_413d2129b67b6ee2/acpipmi.inf_loc
loader/resources/en-US/DscCoreR.dll.mui
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.rsrc
Size: 23KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
loader/resources/en-US/PSDSCFileDownloadManagerEvents.dll.mui
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.rsrc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: loader

Password: loader

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 49KB - Virtual size: 49KB

Password: loader

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 5KB - Virtual size: 5KB

Password: loader

3e017d2a373236275eed4a9a07ef23d3

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8dCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

f1:85:e5:82:97:d1:62:cd:b3:06:5d:c3:d8:66:13:70:85:5f:d6:dd:0b:4d:56:18:5d:83:2a:04:90:dd:ec:e8Signer

Signature Validations

Verification

09/03/2023, 13:30 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-string-l1-1-0

propsys

oleaut32

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-ntuser-rectangle-l1-1-0

mscms

kernel32

gdi32

advapi32

ws2_32

api-ms-win-crt-time-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 777KB - Virtual size: 777KB

.data Size: 27.5MB - Virtual size: 27.5MB

.pdata Size: 52KB - Virtual size: 52KB

.didat Size: 512B - Virtual size: 16B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 152KB - Virtual size: 151KB

Password: loader

92dbd485a8f15640c0fff7b2a7c647e7

Headers

DLL Characteristics

File Characteristics

Imports

.rsrc
Size: 49KB - Virtual size: 49KB

.rsrc
Size: 5KB - Virtual size: 5KB

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

f1:85:e5:82:97:d1:62:cd:b3:06:5d:c3:d8:66:13:70:85:5f:d6:dd:0b:4d:56:18:5d:83:2a:04:90:dd:ec:e8
Signer

09/03/2023, 13:30
Valid: false

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 777KB - Virtual size: 777KB

.data
Size: 27.5MB - Virtual size: 27.5MB

.pdata
Size: 52KB - Virtual size: 52KB

.didat
Size: 512B - Virtual size: 16B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 152KB - Virtual size: 151KB