ExtExport[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

ExtExport.zip
Size

1.3MB
MD5

cb6878248341465bc5b81e4ff9b0945b
SHA1

ffe0544c4ffb6347fdc6506346d14dbaa1f0addb
SHA256

8f1744834e60f7ce9c7b64ba5871c8e7d431f4659cf434efeac7195838bd8287
SHA512

54161a119770572a3bce0c0b1cebdfa7b4d00841b42453e56b4d26aa20373f10dfa58d8873325835cd8adca2e5a9a0ad1b79315988f91bd7f858b9f969fae37d
SSDEEP

24576:dlDAjxcamyEgNWXVK41mpWuJmFsSsmlIXR7rHFSMWSeHQV/HOpjd+PPNPj:dlDCxc+EDH12pJwsv7XR/gMzY8HSQtL

Score

1^/10

Malware Config

Signatures

Files

ExtExport.zip
.zip
ExtExport.exe
.exe windows x64

9f19cf94db3339462a59d9352cfe30b0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

EventWriteTransfer
EventUnregister
EventSetInformation
EventRegister
RegDeleteValueW
RegOpenKeyExW
RegCloseKey

kernel32

WriteFile
CreateFileW
CloseHandle
lstrcmpW
ExpandEnvironmentStringsW
FreeLibrary
IsDebuggerPresent
DebugBreak
GetProcessHeap
LocalFree
CreateMutexExW
HeapAlloc
OpenSemaphoreW
WaitForSingleObjectEx
GetProcAddress
FormatMessageW
ReleaseMutex
LocalAlloc
WaitForSingleObject
GetModuleHandleExW
ReleaseSemaphore
SetLastError
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
DecodePointer
GetModuleFileNameW
CreateDirectoryW
MoveFileW
DeleteFileW
TerminateProcess
GetCurrentProcess
GetLastError
LoadLibraryExW
OutputDebugStringW
Sleep
SetUnhandledExceptionFilter
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter

msvcrt

memset
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_lock
_commode
_fmode
wcsncmp
wcschr
iswalpha
memcpy_s
_wcsicmp
_itow_s
malloc
_callnewh
free
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
exit
_exit
_cexit
__setusermatherr
_initterm
_vsnwprintf
__C_specific_handler

ole32

CoTaskMemFree
CoTaskMemRealloc
IIDFromString

shlwapi

ord215
StrCmpNIW
StrStrIW
ord158
StrStrW
PathFindFileNameW
PathFileExistsW
StrCmpNW

user32

LoadStringW

shell32

SHGetFolderPathAndSubDirW
SHSetLocalizedName

iertutil

ord672
ord675

Sections

.text
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IEShims.dll
.dll windows x64

409284c9e15946e1f27eed2d7d5b0a72

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
?terminate@@YAXXZ
_XcptFilter
??1type_info@@UEAA@XZ
memmove
_CxxThrowException
calloc
__C_specific_handler
_stricmp
fclose
_wfopen
fputws
_lock
wcsncmp
_wcsicmp
_amsg_exit
_vsnwprintf
_vscwprintf
wcsrchr
wcsstr
_wcslwr
wcspbrk
wcschr
memmove_s
towlower
iswctype
wcsspn
memcpy_s
realloc
free
wcstok_s
iswspace
_wcsnicmp
malloc
_unlock
__dllonexit
_onexit
memset
__CxxFrameHandler3
wcscmp

kernel32

FindFirstFileW
DelayLoadFailureHook
ResolveDelayLoadedAPI
RaiseException
QueryFullProcessImageNameW
GetLogicalDriveStringsW
QueryDosDeviceW
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
OpenFileMappingW
IsWow64Process
AcquireSRWLockShared
ReleaseSRWLockShared
GetTickCount64
OpenProcess
ReleaseMutex
WaitForSingleObject
CreateMutexW
InitializeCriticalSection
InitializeSRWLock
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
Sleep
OutputDebugStringA
GetModuleHandleA
DeleteCriticalSection
SetEnvironmentVariableW
GetCurrentProcess
DuplicateHandle
CopyFileExW
SetFileAttributesW
DeviceIoControl
GetFileInformationByHandle
CreateDirectoryW
GetCurrentThreadId
GetModuleHandleExW
GetModuleFileNameW
SearchPathW
GetFileAttributesW
SetLastError
LocalAlloc
VirtualQuery
GetCurrentDirectoryW
LocalFree
MultiByteToWideChar
WideCharToMultiByte
GetProcAddress
GetCurrentProcessId
GetProcessId
GetLastError
TlsSetValue
ExitThread
GetProcessIdOfThread
GetThreadId
HeapAlloc
GetProcessHeap
HeapFree
GetSystemDirectoryW
GetWindowsDirectoryW
GetLongPathNameW
GetFullPathNameW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
LoadLibraryA
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
TlsGetValue
TlsAlloc
OpenEventW
WaitForSingleObjectEx
CloseHandle
InitializeProcThreadAttributeList
DeleteProcThreadAttributeList
TerminateProcess
DecodePointer
CreateFileW
GetFileSizeEx
GetModuleHandleW
RaiseFailFastException
VirtualProtect
OutputDebugStringW
TlsFree
lstrcmpiW
FindNextFileW
FindClose
EnterCriticalSection
EncodePointer

api-ms-win-downlevel-shlwapi-l1-1-0

StrCmpNIA
PathSkipRootW
PathIsUNCW
PathGetArgsW
StrCmpICW
StrCmpCW
StrCmpICA
StrDupW
PathFindFileNameW
StrCmpIW
StrCmpNCW
StrCmpNICW

api-ms-win-downlevel-advapi32-l1-1-0

RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegGetValueW
RegSetValueExW
RegEnumValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyExW

ntdll

RtlNtStatusToDosError
NtQueryObject

iertutil

ord45
ord58
ord793
ord916
ord101
ord137
ord820
ord170
ord50
ord134
ord791

Exports

Exports

AcRedirNotify
AcRedirNotifySetEnabled
AcRedirSetEnabled
IEShims_AdminCheckAndLaunch
IEShims_CreateWindowEx
IEShims_GetOriginatingThreadId
IEShims_InDllMainContext
IEShims_Initialize
IEShims_SetRedirectRegistryForThread
IEShims_Uninitialize

Sections

.text
Size: 248KB - Virtual size: 248KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 110KB - Virtual size: 109KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mrdata
Size: 34KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
hmmapi.dll
.dll regsvr32 windows x64

92778fcf898ae2a7ad2db80bb9e09c45

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
_vsnprintf
memset

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls
LoadStringA
GetModuleFileNameA

api-ms-win-core-registry-l1-1-0

RegCreateKeyExA
RegCloseKey
RegQueryValueExA
RegEnumKeyExA
RegSetValueExA
RegOpenKeyExA

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsA

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-file-l1-1-0

GetFileTime
GetFileSize
SetFileAttributesA
CreateFileA

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetVersionExA

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-localization-l1-2-0

FormatMessageA

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

advapi32

RegDeleteKeyA

kernel32

GetShortPathNameA
lstrlenA
lstrcmpA
GetTempPathA
CompareStringA
LocalFree
MoveFileA

shell32

ShellExecuteA

shlwapi

StrChrA
PathRemoveBackslashA
PathIsPrefixA
SHGetValueA

urlmon

CreateUriFromMultiByteString

user32

MessageBoxA

wininet

GetUrlCacheConfigInfoA

Exports

Exports

AddService
BMAPIAddress
BMAPIDetails
BMAPIFindNext
BMAPIGetAddress
BMAPIGetReadMail
BMAPIReadMail
BMAPIResolveName
BMAPISaveMail
BMAPISendMail
DllRegisterServer
DllUnregisterServer
MAPIAddress
MAPIDeleteMail
MAPIDetails
MAPIFindNext
MAPIFreeBuffer
MAPILogoff
MAPILogon
MAPIReadMail
MAPIResolveName
MAPISaveMail
MAPISendDocuments
MAPISendMail
MailToProtocolHandler
OpenInboxHandler
RemoveService

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
iediagcmd.exe
.exe windows x64

8ad7d3f07924e8c2b7127391afd2da11

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_vsnwprintf
_callnewh
malloc
?terminate@@YAXXZ
_amsg_exit
_cexit
??3@YAXPEAX@Z
memcpy
memset
_itow
_errno

kernel32

SetLastError
GetModuleHandleA
GetProcAddress
GetVersion
GetLastError
VirtualQuery
TerminateProcess
GetCurrentProcess
Sleep
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RaiseException
LoadLibraryW
FreeLibrary
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringA
SetUnhandledExceptionFilter
QueryPerformanceCounter

mscoree

CorBindToRuntimeEx
_CorExeMain

ole32

CoCreateInstance

comctl32

ord332
ord334
ord386
ord328

oleacc

ObjectFromLresult

oleaut32

VariantInit
SysFreeString
VariantClear
SysAllocStringLen
SysStringLen
SysAllocString

user32

RegisterWindowMessageW
SendMessageTimeoutW

Sections

.text
Size: 84KB - Virtual size: 84KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.nep
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 335KB - Virtual size: 334KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 80KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ieinstal.exe
.exe windows x64

8fb2c7b248870ffb6340186beb3d581f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegDeleteValueW
CheckTokenMembership
FreeSid
RegSetValueExW
RegCreateKeyExW
AllocateAndInitializeSid
RegCloseKey
RegQueryValueExW
RegEnumValueW
RegCreateKeyW
RegOpenKeyExW
RegOpenKeyExA
RegSetValueExA
RegDeleteKeyW
RegQueryValueExA
RegCreateKeyA
GetTokenInformation
OpenThreadToken
GetLengthSid
GetKernelObjectSecurity
InitializeSecurityDescriptor
IsValidSid
ConvertStringSidToSidW
CopySid
CreateWellKnownSid
SetEntriesInAclW
EqualSid
GetAce
SetSecurityDescriptorDacl
GetSecurityDescriptorSacl
RegGetValueW
RegOpenCurrentUser
RegOverridePredefKey

kernel32

CloseHandle
CreateThread
SetFileAttributesA
GetProcAddress
DeleteCriticalSection
CreateProcessW
FreeLibrary
lstrcmpiA
lstrcmpiW
LoadLibraryExW
GetModuleFileNameA
FindFirstFileA
SetLastError
GetFullPathNameW
CreateDirectoryExA
GetModuleHandleExW
GetFinalPathNameByHandleW
FindNextFileA
FindClose
LocalAlloc
lstrcmpA
MultiByteToWideChar
GetTempPathA
GetFileAttributesA
CreateFileA
GetCurrentThread
LocalFree
RemoveDirectoryA
CopyFileW
LeaveCriticalSection
DebugBreak
CreateEventW
K32GetModuleBaseNameW
SetEvent
DeleteFileA
SuspendThread
VirtualAlloc
VirtualFree
VirtualProtect
RaiseException
RaiseFailFastException
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
ResumeThread
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
Sleep
GetCurrentProcess
EnterCriticalSection
GetModuleHandleW
GetProcessHeap
HeapAlloc
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
DeleteFileW
GetExitCodeThread
OpenProcess
DuplicateHandle
GetFileAttributesW
CreateFileW
HeapSetInformation
IsDebuggerPresent
CreateMutexExW
OpenSemaphoreW
WaitForSingleObjectEx
OutputDebugStringW
FormatMessageW
ReleaseMutex
ReleaseSemaphore
CreateSemaphoreExW
GetModuleFileNameW
DeactivateActCtx
InitializeCriticalSection
GetLastError
ActivateActCtx
ReleaseActCtx
CreateActCtxW
WaitForSingleObject
SetProcessShutdownParameters
HeapFree
WideCharToMultiByte

user32

LoadStringW
CharNextW
PostQuitMessage

msvcrt

_onexit
__dllonexit
_unlock
_lock
_commode
_fmode
_wcmdln
_initterm
__setusermatherr
_cexit
_exit
memset
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_wcsnicmp
wcstok_s
_wtoi
iswascii
iscntrl
memcpy_s
iswalpha
wcsncmp
wcschr
_vsnprintf
iswcntrl
wcsrchr
_vsnwprintf
__C_specific_handler
?terminate@@YAXXZ
memcpy
exit

ntdll

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

ole32

CoRegisterClassObject
CoRevokeClassObject
CoInitialize
CoTaskMemAlloc
CoUninitialize
CoCreateInstance
CoTaskMemFree
CoImpersonateClient
CoRevertToSelf
CoGetCallContext
StringFromGUID2
CoInitializeSecurity
CLSIDFromString
CoInitializeEx

oleaut32

UnRegisterTypeLi
UnRegisterTypeLibForUser
RegisterTypeLibForUser
RegisterTypeLi
SysStringLen
SysAllocString
SysFreeString

rpcrt4

UuidCreate
RpcStringFreeW
UuidToStringW

urlmon

CompatFlagsFromClsid
Extract
CoInternetCreateSecurityManager
ord519
ord107
CoInternetSetFeatureEnabled

wintrust

CryptCATAdminReleaseContext
CryptCATAdminAddCatalog
CryptCATAdminAcquireContext
CryptCATAdminReleaseCatalogContext

authz

AuthzFreeResourceManager
AuthzFreeContext
AuthzInitializeContextFromSid
AuthzInitializeResourceManager
AuthzAccessCheck

iertutil

ord172
ord34
ord134
ord39
ord57
ord201
ord200
ord35
ord650
ord658

Sections

.text
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 404KB - Virtual size: 404KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ielowutil.exe
.exe windows x64

d9652e955db76ba3eebab87845bb3f85

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CreateThread
HeapSetInformation
CreateEventW
GetModuleHandleW
FreeLibrary
LoadLibraryExW
GetCurrentProcess
GetProcessHeap
HeapAlloc
ResetEvent
CloseHandle
GetProcAddress
RaiseException
RaiseFailFastException
MapViewOfFile
GetLastError
IsWow64Process
OpenEventW
GetModuleFileNameW
DeactivateActCtx
ActivateActCtx
ReleaseActCtx
CreateActCtxW
TerminateProcess
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
SetUnhandledExceptionFilter
GetStartupInfoW
UnmapViewOfFile
WaitForSingleObject
SetLastError
HeapFree
SetEvent
OpenFileMappingW
Sleep

user32

MsgWaitForMultipleObjects
PostQuitMessage
DispatchMessageW
TranslateMessage
PeekMessageW

msvcrt

__wgetmainargs
__set_app_type
exit
_exit
_cexit
__setusermatherr
_initterm
__C_specific_handler
_XcptFilter
_fmode
_commode
?terminate@@YAXXZ
_amsg_exit
_wcsnicmp
memset
_wtoi
_wcmdln
wcstok_s
_vsnwprintf

ntdll

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

ole32

CoUninitialize
CoCreateInstance
CLSIDFromString
CoInitializeSecurity
CoRegisterClassObject
CoRevokeClassObject
CoInitializeEx

wininet

InternetSetCookieExW
InternetGetCookieExW

iertutil

ord466

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 540B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 203KB - Virtual size: 203KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
iexplore.exe
.exe windows x64

7534c642bdcb1528e25e71d0ce72d8bb

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

53:a5:c5:32:b2:2b:38:88:d7:8f:03:d9:d4:65:9d:4e:83:79:6c:f4:b9:ea:4c:ed:ce:06:57:d9:fe:8a:1d:29
Signer

Actual PE Digest

53:a5:c5:32:b2:2b:38:88:d7:8f:03:d9:d4:65:9d:4e:83:79:6c:f4:b9:ea:4c:ed:ce:06:57:d9:fe:8a:1d:29

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

13/04/2023, 18:14
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

GetWindowThreadProcessId
AllowSetForegroundWindow
FindWindowExW
SendMessageTimeoutW
IsWindowVisible
SetUserObjectInformationW
IsWindowEnabled

msvcrt

_onexit
__dllonexit
_unlock
_lock
memset
_commode
__C_specific_handler
_vsnwprintf
memcpy_s
iswspace
?terminate@@YAXXZ
_purecall
memmove_s
_fmode
_wcmdln
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
wcsncmp
free
_XcptFilter
_amsg_exit
__wgetmainargs
memcmp

kernel32

CreateThreadpoolTimer
ReleaseSRWLockShared
SetThreadpoolTimer
CloseHandle
HeapSetInformation
WaitForSingleObjectEx
DelayLoadFailureHook
ResolveDelayLoadedAPI
GetProcAddress
HeapAlloc
OpenSemaphoreW
IsDebuggerPresent
AcquireSRWLockExclusive
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetStartupInfoW
Sleep
CloseThreadpoolTimer
SetDllDirectoryW
DebugBreak
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
DeleteCriticalSection
AcquireSRWLockShared
LocalFree
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
EnterCriticalSection
GetCommandLineW
GetCurrentProcess
ReleaseSemaphore
GetModuleHandleExW
TerminateProcess
LeaveCriticalSection
InitializeCriticalSection
SetErrorMode
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
WaitForSingleObject
LocalAlloc
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
ReleaseSRWLockExclusive
OutputDebugStringW
CreateMutexExW

api-ms-win-downlevel-advapi32-l1-1-0

RegGetValueW
EventRegister
EventWriteTransfer
EventWriteEx
EventUnregister

api-ms-win-downlevel-shell32-l1-1-0

SetCurrentProcessExplicitAppUserModelID

advapi32

EventSetInformation

iertutil

ord650
ord791
ord797
ord798
ord701
ord597
ord796
ord793
ord594
ord398

api-ms-win-downlevel-shlwapi-l1-1-0

StrStrIW

api-ms-win-downlevel-ole32-l1-1-0

CoCreateGuid

Sections

.text
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 757KB - Virtual size: 757KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sqmapi.dll
.dll windows x64

d6cca9daf1f9f60889b9b319d3ded266

Code Sign

33:00:00:02:32:41:fb:59:99:6d:cc:4d:ff:00:00:00:00:02:32
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:24

Not After

02/05/2020, 21:24

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

47:af:51:b0:bd:12:db:86:92:7a:6f:62:8a:c6:86:42:35:14:0d:24:ce:d0:01:94:ac:1d:94:d8:47:9e:eb:c0
Signer

Actual PE Digest

47:af:51:b0:bd:12:db:86:92:7a:6f:62:8a:c6:86:42:35:14:0d:24:ce:d0:01:94:ac:1d:94:d8:47:9e:eb:c0

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

13/04/2023, 18:14
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_unlock
_lock
__dllonexit
_onexit
_initterm
_amsg_exit
_XcptFilter
memcpy_s
__C_specific_handler
wcsrchr
_vsnwprintf
__CxxFrameHandler3
_callnewh
malloc
free
memset

advapi32

RegDeleteKeyW
RegEnumKeyW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW

kernel32

OpenSemaphoreW
HeapAlloc
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
DebugBreak
IsDebuggerPresent
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
OutputDebugStringW
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
GetModuleHandleExW
ReleaseSemaphore
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
DisableThreadLibraryCalls
SetLastError
GetLastError
GetCurrentProcess
CloseHandle
LocalFree
ExpandEnvironmentStringsW
FindFirstFileW
DeleteFileW
FindNextFileW
GetSystemDirectoryW
Sleep
CreateDirectoryW
GetTickCount
WaitForSingleObjectEx
GetSystemTimeAsFileTime
FormatMessageW
FindClose

ntdll

EtwTraceMessage

Exports

Exports

SqmAddToAverage
SqmAddToStream
SqmAddToStreamDWord
SqmAddToStreamDWord64
SqmAddToStreamString
SqmAddToStreamV
SqmCheckEscalationAddToStreamDWord
SqmCheckEscalationAddToStreamDWord64
SqmCheckEscalationAddToStreamString
SqmCheckEscalationSetDWord
SqmCheckEscalationSetDWord64
SqmCheckEscalationSetString
SqmCleanup
SqmClearFlags
SqmCreateNewId
SqmEndSession
SqmEndSessionEx
SqmFlushSession
SqmGetEnabled
SqmGetEscalationRuleStatus
SqmGetFlags
SqmGetInstrumentationProperty
SqmGetLastUploadTime
SqmGetMachineId
SqmGetSession
SqmGetSessionStartTime
SqmGetUserId
SqmIncrement
SqmIsNamespaceEnabled
SqmIsWindowsOptedIn
SqmLoadEscalationManifest
SqmReadSharedMachineId
SqmReadSharedUserId
SqmSet
SqmSetAppId
SqmSetAppVersion
SqmSetBits
SqmSetBool
SqmSetCurrentTimeAsUploadTime
SqmSetDWord64
SqmSetEnabled
SqmSetEscalationInfo
SqmSetFlags
SqmSetIfMax
SqmSetIfMin
SqmSetMachineId
SqmSetString
SqmSetUserId
SqmStartSession
SqmStartUpload
SqmStartUploadEx
SqmSysprepCleanup
SqmSysprepGeneralize
SqmTimerAccumulate
SqmTimerAddToAverage
SqmTimerRecord
SqmTimerStart
SqmUnattendedSetup
SqmUnloadEscalationManifest
SqmWaitForUploadComplete
SqmWriteSharedMachineId
SqmWriteSharedUserId

Sections

.text
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9f19cf94db3339462a59d9352cfe30b0

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

ole32

shlwapi

user32

shell32

iertutil

Sections

.text Size: 33KB - Virtual size: 33KB

.rdata Size: 14KB - Virtual size: 13KB

.data Size: 512B - Virtual size: 4KB

.pdata Size: 1KB - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 72B

409284c9e15946e1f27eed2d7d5b0a72

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

kernel32

api-ms-win-downlevel-shlwapi-l1-1-0

api-ms-win-downlevel-advapi32-l1-1-0

ntdll

iertutil

Exports

Exports

Sections

.text Size: 248KB - Virtual size: 248KB

.rdata Size: 110KB - Virtual size: 109KB

.data Size: 512B - Virtual size: 6KB

.pdata Size: 12KB - Virtual size: 12KB

.didat Size: 512B - Virtual size: 360B

.mrdata Size: 34KB - Virtual size: 34KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 3KB - Virtual size: 2KB

92778fcf898ae2a7ad2db80bb9e09c45

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-libraryloader-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

advapi32

kernel32

shell32

shlwapi

urlmon

user32

wininet

Exports

Exports

Sections

.text Size: 12KB - Virtual size: 11KB

.rdata Size: 7KB - Virtual size: 7KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 512B - Virtual size: 480B

.text
Size: 33KB - Virtual size: 33KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 512B - Virtual size: 4KB

.pdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 72B

.text
Size: 248KB - Virtual size: 248KB

.rdata
Size: 110KB - Virtual size: 109KB

.data
Size: 512B - Virtual size: 6KB

.pdata
Size: 12KB - Virtual size: 12KB

.didat
Size: 512B - Virtual size: 360B

.mrdata
Size: 34KB - Virtual size: 34KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 12KB - Virtual size: 11KB

.rdata
Size: 7KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 512B - Virtual size: 480B

.rsrc
Size: 31KB - Virtual size: 31KB

.reloc
Size: 512B - Virtual size: 28B

.text
Size: 84KB - Virtual size: 84KB

.nep
Size: 512B - Virtual size: 96B

.rdata
Size: 335KB - Virtual size: 334KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 512B - Virtual size: 420B

.rsrc
Size: 80KB - Virtual size: 80KB

.reloc
Size: 512B - Virtual size: 56B

.text
Size: 59KB - Virtual size: 58KB

.rdata
Size: 23KB - Virtual size: 23KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 404KB - Virtual size: 404KB

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 540B

.rsrc
Size: 203KB - Virtual size: 203KB

.reloc
Size: 512B - Virtual size: 44B

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate