winlogon[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

winlogon.exe
Size

864KB
MD5

6b93fb11b95b611f76e83eee89964559
SHA1

285705e7bdf8d889588c3c4388893c8c979a8322
SHA256

2dee08cf682abdc738a0f122426d24bebd37daeed37e1a488228555fab507489
SHA512

4d4efe8172c8ce5d54a40514386d8e64d7f61f3a98087d3c52d7b30d3d245b9de686c51cb6367563aa9b2d17bb14833823dc9fa577830d2ffc793d367e1d05be
SSDEEP

12288:v7l65IM4XC+MZhIEy1oI+XBD0haBo3d4HdfK5eq:v7leIEZaEy10aJ49fK5/

Score

1^/10

Malware Config

Signatures

Files

winlogon.exe
.exe windows x64

72ea4733b4a93330373128b7a1f8d6d4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__CxxFrameHandler3
memset
_CxxThrowException
_local_unwind
memcmp
_fmode
__dllonexit
_acmdln
_initterm
__setusermatherr
_ismbblead
_cexit
_exit
exit
__set_app_type
_commode
wcstok
_XcptFilter
_callnewh
malloc
free
wcsstr
wcscpy_s
sprintf_s
_vsnprintf_s
wcspbrk
iswspace
wcsrchr
wcschr
memcpy
_unlock
memmove
_vscwprintf
_amsg_exit
_onexit
_vsnwprintf
__getmainargs
_lock
??1type_info@@UEAA@XZ
_get_errno
_set_errno
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
__CxxFrameHandler4
_tolower
rand
_wcsicmp
_wtoi
_wcsnicmp
_ultow
__C_specific_handler
memmove_s
_purecall
memcpy_s
?terminate@@YAXXZ
wcscmp

api-ms-win-core-libraryloader-l1-2-0

LoadResource
GetModuleHandleExW
LoadStringW
GetModuleHandleW
GetProcAddress
GetModuleFileNameA
FindResourceExW
GetModuleHandleExA
GetModuleFileNameW
LoadLibraryExW
FreeLibrary
LockResource

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceExecuteOnce
SleepConditionVariableSRW
WakeAllConditionVariable
Sleep
InitOnceComplete

api-ms-win-core-synch-l1-1-0

ResetEvent
OpenEventW
SetEvent
TryAcquireSRWLockExclusive
CreateMutexW
TryEnterCriticalSection
SleepEx
DeleteCriticalSection
CreateSemaphoreExW
EnterCriticalSection
ReleaseSemaphore
LeaveCriticalSection
InitializeCriticalSectionEx
AcquireSRWLockShared
InitializeCriticalSection
WaitForSingleObject
CreateMutexExW
ReleaseMutex
CreateEventW
ReleaseSRWLockShared
ReleaseSRWLockExclusive
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive

api-ms-win-core-heap-l1-1-0

HeapSetInformation
HeapSize
HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetErrorMode
SetUnhandledExceptionFilter
RaiseException
UnhandledExceptionFilter

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CreateThreadpool
CreateThreadpoolWork
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum
CreateThreadpoolCleanupGroup
SubmitThreadpoolWork
CloseThreadpool
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolTimer
TrySubmitThreadpoolCallback
CloseThreadpoolWork
CloseThreadpoolCleanupGroup

api-ms-win-core-processthreads-l1-1-0

GetExitCodeProcess
CreateProcessAsUserW
ResumeThread
CreateRemoteThread
GetCurrentThread
CreateThread
SetThreadToken
GetProcessId
TerminateProcess
GetCurrentThreadId
CreateProcessW
SetPriorityClass
SetThreadPriority
InitializeProcThreadAttributeList
GetCurrentProcessId
GetStartupInfoW
OpenProcessToken
UpdateProcThreadAttribute
GetCurrentProcess
DeleteProcThreadAttributeList

api-ms-win-core-localization-l1-2-0

GetThreadUILanguage
FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-registry-l1-1-0

RegDeleteTreeW
RegDeleteKeyExW
RegFlushKey
RegQueryValueExW
RegCreateKeyExW
RegSetValueExW
RegSetKeySecurity
RegOpenKeyExW
RegGetValueW
RegGetValueA
RegQueryInfoKeyW
RegCloseKey
RegDeleteValueW
RegNotifyChangeKeyValue
RegEnumKeyExW
RegEnumValueW

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess

api-ms-win-eventing-controller-l1-1-0

ControlTraceW
StartTraceW
EnableTraceEx2

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-memory-l1-1-0

VirtualAlloc
VirtualFree

api-ms-win-core-memory-l1-1-1

GetProcessWorkingSetSizeEx
SetProcessWorkingSetSizeEx
VirtualUnlock
VirtualLock

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineW
SetEnvironmentVariableW
SearchPathW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetSystemTime
GetTickCount64
GetVersionExW
GetLocalTime
GetTickCount
GetSystemWindowsDirectoryW

api-ms-win-security-base-l1-1-0

GetTokenInformation
CreateWellKnownSid
AllocateLocallyUniqueId
FreeSid
GetSecurityDescriptorDacl
GetSidIdentifierAuthority
GetLengthSid
CreateRestrictedToken
ImpersonateLoggedOnUser
CheckTokenMembership
AdjustTokenPrivileges
SetTokenInformation
DuplicateToken
RevertToSelf
EqualSid
CopySid
IsValidSid
DuplicateTokenEx

rpcrt4

RpcMgmtInqServerPrincNameW
RpcMgmtIsServerListening
RpcAsyncInitializeHandle
RpcBindingCopy
RpcAsyncCancelCall
Ndr64AsyncClientCall
RpcServerSubscribeForNotification
RpcBindingVectorFree
I_RpcBindingIsClientLocal
RpcServerUseProtseqW
RpcServerUnregisterIf
RpcServerRegisterIfEx
RpcServerListen
RpcEpUnregister
NdrClientCall3
RpcBindingUnbind
RpcBindingFree
I_RpcExceptionFilter
RpcEpRegisterW
RpcBindingSetAuthInfoExW
RpcServerInqBindings
UuidFromStringW
RpcRaiseException
RpcBindingCreateW
NdrAsyncServerCall
NdrServerCallAll
Ndr64AsyncServerCallAll
NdrServerCall2
RpcRevertToSelf
RpcImpersonateClient
I_RpcBindingInqLocalClientPID
RpcServerUseProtseqEpW
RpcServerTestCancel
RpcServerInqCallAttributesW
UuidCreate
UuidToStringW
RpcAsyncAbortCall
I_RpcMapWin32Status
RpcServerUnsubscribeForNotification
RpcAsyncCompleteCall
RpcStringFreeW
RpcBindingFromStringBindingW
RpcBindingBind
RpcStringBindingComposeW

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoGetMalloc
CoCreateInstance
CoInitializeEx
CoUninitialize

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringOrdinal
CompareStringW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW
RegSetKeyValueW

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx

api-ms-win-core-file-l1-1-0

GetShortPathNameW
CompareFileTime
CreateFileW
GetFileAttributesW

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-power-setting-l1-1-0

PowerSettingUnregisterNotification
PowerSettingRegisterNotification

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-shutdown-l1-1-1

InitiateShutdownW

api-ms-win-service-management-l1-1-0

OpenServiceW
OpenSCManagerW
CloseServiceHandle
StartServiceW

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx
QueryServiceConfigW
NotifyServiceStatusChangeW

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind
RtlCompareMemory

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
RegisterTraceGuidsW
GetTraceEnableLevel
UnregisterTraceGuids
GetTraceEnableFlags

api-ms-win-security-credentials-l1-1-0

CredFree
CredUnmarshalCredentialW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW
LookupAccountSidW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

api-ms-win-core-job-l2-1-0

TerminateJobObject
AssignProcessToJobObject
SetInformationJobObject
QueryInformationJobObject
CreateJobObjectW

api-ms-win-security-lsapolicy-l1-1-0

LsaStorePrivateData
LsaOpenPolicy
LsaClose
LsaQueryInformationPolicy
LsaFreeMemory

api-ms-win-core-appcompat-l1-1-0

BaseInitAppcompatCacheSupport

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-credentials-l2-1-0

CredReadByTokenHandle

api-ms-win-base-bootconfig-l1-1-0

NotifyBootConfigStatus

api-ms-win-eventlog-legacy-l1-1-0

DeregisterEventSource
ReportEventW
RegisterEventSourceW
GetEventLogInformation

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
CreateTimerQueueTimer
UnregisterWaitEx
QueueUserWorkItem

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
UnregisterWait
RegisterWaitForSingleObject

api-ms-win-core-registry-l2-1-0

RegOpenKeyW
RegCreateKeyW

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

kernelbase

AppContainerDeriveSidFromMoniker
CreateProcessInternalW

ntdll

WinSqmIsOptedIn
NtCreateEvent
RtlAddAce
RtlSetDaclSecurityDescriptor
RtlGetDaclSecurityDescriptor
NtAdjustPrivilegesToken
NtDuplicateToken
RtlUnhandledExceptionFilter
NtQueryInformationProcess
NtDeviceIoControlFile
WinSqmEndSession
RtlInitializeResource
RtlAcquireResourceExclusive
RtlReleaseResource
RtlDeleteResource
NtGetCachedSigningLevel
WinSqmSetString
NtOpenEvent
NtSetEvent
RtlGetCurrentServiceSessionId
NtDeleteWnfStateName
NtCreateWnfStateName
RtlQueryResourcePolicy
__isascii
isupper
wcstok_s
_vsnprintf
RtlGetNtProductType
RtlSetSystemBootStatus
RtlRemovePrivileges
RtlpVerifyAndCommitUILanguageSettings
NtSetInformationProcess
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
NtShutdownSystem
RtlCompareUnicodeString
RtlCreateEnvironment
TpReleaseTimer
TpWaitForTimer
TpAllocTimer
TpSetTimer
NtOpenThreadToken
NtOpenFile
RtlAppendUnicodeToString
NtOpenDirectoryObject
RtlFreeSid
NtSetSecurityObject
RtlSetSaclSecurityDescriptor
RtlAddMandatoryAce
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlAllocateAndInitializeSid
RtlDestroyEnvironment
RtlCopySid
RtlNtStatusToDosErrorNoTeb
RtlSetEnvironmentVariable
RtlQueryEnvironmentVariable_U
RtlExpandEnvironmentStrings_U
RtlInitUnicodeStringEx
RtlGetAce
NtSetIRTimer
NtCreateIRTimer
NtSetInformationToken
NtCreateToken
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
TpAllocWait
WinSqmSetDWORD
TpPostWork
TpAllocWork
RtlUnsubscribeWnfNotificationWaitForCompletion
TpReleaseWork
TpWaitForWork
TpReleaseWait
TpWaitForWait
TpSetWait
NtFilterToken
NtInitiatePowerAction
RtlAdjustPrivilege
RtlPublishWnfStateData
RtlLengthSid
EtwEventWriteStartScenario
EtwEventWriteEndScenario
RtlInitUnicodeString
NtAllocateLocallyUniqueId
RtlDeregisterWait
RtlRegisterWait
RtlTimeToSecondsSince1980
WinSqmAddToStream
TpSimpleTryPost
RtlEqualSid
EtwEventEnabled
EtwEventWrite
RtlCopyLuid
NtPowerInformation
EtwEventActivityIdControl
RtlGetActiveConsoleId
RtlInitString
NtQuerySystemInformation
NtSystemDebugControl
NtQueryInformationToken
NtOpenProcessToken
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlFreeUnicodeString
RtlNtStatusToDosError
RtlDuplicateUnicodeString
NtClose
RtlOpenCurrentUser
EtwTraceMessage
EtwEventRegister
EtwEventUnregister
EtwEventWriteTransfer
EtwEventSetInformation
WinSqmStartSession

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsDeleteString
WindowsGetStringRawBuffer

api-ms-win-core-winrt-l1-1-0

RoActivateInstance

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 624KB - Virtual size: 623KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 160KB - Virtual size: 157KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

72ea4733b4a93330373128b7a1f8d6d4

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-memory-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

rpcrt4

api-ms-win-core-com-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-registry-l1-1-1

api-ms-win-power-base-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-power-setting-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-shutdown-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-security-credentials-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-job-l2-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-appcompat-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-credentials-l2-1-0

api-ms-win-base-bootconfig-l1-1-0

api-ms-win-eventlog-legacy-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-stateseparation-helpers-l1-1-0

kernelbase

ntdll

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 624KB - Virtual size: 623KB

.rdata Size: 160KB - Virtual size: 157KB

.data Size: 20KB - Virtual size: 26KB

.pdata Size: 28KB - Virtual size: 27KB

.didat Size: 4KB - Virtual size: 1KB

.rsrc Size: 20KB - Virtual size: 19KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 624KB - Virtual size: 623KB

.rdata
Size: 160KB - Virtual size: 157KB

.data
Size: 20KB - Virtual size: 26KB

.pdata
Size: 28KB - Virtual size: 27KB

.didat
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 20KB - Virtual size: 19KB

.reloc
Size: 4KB - Virtual size: 3KB