netfilter | daa4a303815b2f4b3383ae4e9cb9d70b[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

daa4a303815b2f4b3383ae4e9cb9d70b.bin
Size

99.1MB
MD5

daa4a303815b2f4b3383ae4e9cb9d70b
SHA1

71ad3c455f33dff881e05816d87f43e48b6a5084
SHA256

94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24
SHA512

7c2fd76a9fc12382df8abb3ad459dc962ffe07ff03fd4801eb6a68e0802df9b5a1136fec3d421ffcfb387033ea9de3d302a878f1a901257be03f6271574557fa
SSDEEP

1572864:Hz9VYu6kNhSQlSkdCUZdoinM59VVzg4dPC7v9A17V3nBDlxn3hqzLpPr:TQk/HHnMHkHBA17lnTqpPr

Score

10^/10

pyinstaller vmprotect netfilter r77

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
static1/unpack008/video_rootkit.pyc	disable_win_def

NetFilter Dropper 7 IoCs

Processes:

resource	yara_rule
static1/unpack001/Rootkits/659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.exe	netfilter_dropper
static1/unpack001/Rootkits/9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe	netfilter_dropper
static1/unpack001/Rootkits/a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4.exe	netfilter_dropper
static1/unpack001/Rootkits/bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7.exe	netfilter_dropper
static1/unpack001/Rootkits/cb8e536680732b474a5c26970ace2087667622caa3dd82c1c56731a7c5a1c8ce.exe	netfilter_dropper
static1/unpack001/Rootkits/d0a03a8905c4f695843bc4e9f2dd062b8fd7b0b00103236b5187ff3730750540.exe	netfilter_dropper
static1/unpack001/Rootkits/d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe.exe	netfilter_dropper

NetFilter payload 2 IoCs

Processes:

resource	yara_rule
static1/unpack001/Rootkits/bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7.exe	netfilter_payload
static1/unpack001/Rootkits/d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe.exe	netfilter_payload

Netfilter family
netfilter
R77 family
r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

Processes:

resource	yara_rule
static1/unpack001/Rootkits/cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe	r77_payload

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
static1/unpack001/Rootkits/0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe	vmprotect
static1/unpack001/Rootkits/40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe	vmprotect
static1/unpack001/Rootkits/757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe	vmprotect
static1/unpack001/Rootkits/bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe	vmprotect
static1/unpack001/Rootkits/cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe	vmprotect
static1/unpack001/Rootkits/cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe	vmprotect

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
static1/unpack001/Rootkits/096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe	pyinstaller

Unsigned PE 27 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/Bootkits/5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
unpack001/Rootkits/03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7.exe
unpack001/Rootkits/044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
unpack001/Rootkits/096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe
unpack001/Rootkits/0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
unpack001/Rootkits/2141974f665f4d8fecb6d8ea06add624b57f320f901368847175570ee716fd8e.exe
unpack001/Rootkits/22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4.exe
unpack001/Rootkits/2adf06babe9d56ec5c8ba2eec576bd2625ebd3353892be4c9d7b51b4a8dbe473.exe
unpack001/Rootkits/40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
unpack001/Rootkits/659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.exe
unpack001/Rootkits/68360e0294785ce6502f4b10a6d41f53b3ea206025de06bbbbc894e9688fff43.exe
unpack001/Rootkits/757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
unpack001/Rootkits/9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe
unpack001/Rootkits/973e8ee15e00b702b03fa42e45cce60344dbe7dbc7d3213a81a53623c303ff5c.exe
unpack001/Rootkits/a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4.exe
unpack001/Rootkits/b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe
unpack001/Rootkits/bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
unpack001/Rootkits/bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7.exe
unpack001/Rootkits/c5b5abe2a0e555aa8894d510e2cbe7e935661ddd9025a45553aa3b6adea27709.exe
unpack001/Rootkits/cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
unpack001/Rootkits/cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
unpack001/Rootkits/cdbd808ab00449a102966c8e6443a4267ef6c70df08e711efa783e60e7ea3776.exe
unpack001/Rootkits/cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
unpack001/Rootkits/d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe.exe
unpack001/Rootkits/dcb35eab5992bd212220a82532b97029a06e124f9c6320e1560f11d15ff4384c.exe
unpack001/Rootkits/ed516fc2448dad8c157d2ff3d23088bf25fd92ecd809a1f01ec41c927c2cb5ec.exe
unpack001/Rootkits/f62ce3383afe1b36d60c834b9e6bd09263fb8794c626bc42fcbb25a062e76c42.exe

Files

daa4a303815b2f4b3383ae4e9cb9d70b.bin
.zip

Password: infected
Bootkits/5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
.exe windows:4 windows x86

Password: infected

f6899eb0c1456c845aee20b591c73298

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
CreateFileA
GetEnvironmentVariableA
lstrcatA
lstrcpyA
GetShortPathNameA
GetModuleFileNameA
CopyFileA
GetSystemDirectoryA
GetWindowsDirectoryA
VirtualFree
WriteFile
ReadFile
SetFilePointer
VirtualAlloc
SetFilePointerEx
LockResource
LoadResource
FindResourceA
GetVersionExA
GetStartupInfoA
GetModuleHandleA

shell32

ShellExecuteA

msvcrt

??3@YAXPAX@Z
??2@YAPAXI@Z
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_strcmpi

Sections

.data
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Bootkits/6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe
.exe windows:4 windows x86

Password: infected

298dcf923984bab305f7bca926228b11

Code Sign

4b:f9:fc:cd:90:8c:24:4d:bb:fe:bb:b7:75:73:81:55
Certificate

Issuer

CN=VMware INC.

Not Before

19-11-2013 08:45

Not After

31-12-2039 23:59

Subject

CN=VMware INC.

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

08:8c:ab:60:f7:d8:b2:02:e8:04:2c:fb:51:ac:3a:ba:b1:a3:d6:17
Signer

Actual PE Digest

08:8c:ab:60:f7:d8:b2:02:e8:04:2c:fb:51:ac:3a:ba:b1:a3:d6:17

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleFileNameA
CopyFileA
GetSystemDirectoryA
GetWindowsDirectoryA
GetProcAddress
LoadLibraryA
WriteFile
GetShortPathNameA
SetFilePointer
GetVersionExA
CloseHandle
CreateFileA
GetModuleHandleA
GetCurrentProcess
lstrcpyA
lstrcatA
ReadFile
GetEnvironmentVariableA
GetStartupInfoA

advapi32

RegQueryValueExA
RegCloseKey
RegOpenKeyExA

shell32

ShellExecuteA
StrStrA

msvcrt

_acmdln
printf
strcat
strcpy
memset
memcpy
strstr
_except_handler3
_exit
_XcptFilter
exit
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Sections

.text
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 64KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Bootkits/8dcc573293ae9a545655a47e23f106738a190f5318c31124bd3a73b12f128df6.msi
.msi
Bootkits/f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe
.exe windows:4 windows x86

Password: infected

b9cd9f330c63bf88f4256d6a13e4217d

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01-05-2012 00:00

Not After

31-12-2012 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

55:21:db:26:ce:0c:b3:e4
Certificate

Issuer

CN=TrustAsia.com Code Signing CA,O=Dotsoft Technologies\, Inc.,C=CN

Not Before

01-03-2011 01:07

Not After

01-03-2014 01:07

Subject

CN=亚洲诚信数字签名测试证书,O=上海域联软件技术有限公司,L=上海市,ST=上海市,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04
Certificate

Issuer

CN=TrustAsia.com Root CA,O=Dotsoft Technologies\, Inc.,C=CN

Not Before

15-02-2010 16:37

Not After

15-02-2020 16:37

Subject

CN=TrustAsia.com Code Signing CA,O=Dotsoft Technologies\, Inc.,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

bd:0f:5e:71:6a:dc:aa:d0:ec:59:a8:e9:77:da:b8:93:8b:fd:12:b3
Signer

Actual PE Digest

bd:0f:5e:71:6a:dc:aa:d0:ec:59:a8:e9:77:da:b8:93:8b:fd:12:b3

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcpyA
GetShortPathNameA
GetModuleFileNameA
CopyFileA
GetSystemDirectoryA
GetWindowsDirectoryA
lstrcatA
WriteFile
ReadFile
SetFilePointer
VirtualAlloc
SetFilePointerEx
GetVersionExA
GetEnvironmentVariableA
CreateFileA
VirtualFree
CloseHandle
GetStartupInfoA
GetModuleHandleA

advapi32

RegQueryValueExA
RegCloseKey
RegOpenKeyExA

shell32

ShellExecuteA

msvcrt

??3@YAXPAX@Z
??2@YAPAXI@Z
strstr
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_strcmpi

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7.exe
.exe windows:6 windows x64

Password: infected

218e2701c0e259f74bac46862066af7e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ole32

OleRun
CoInitialize
CoCreateInstance

oleaut32

VariantClear
SafeArrayCreate
VariantCopy
SafeArrayPutElement
SysFreeString
VariantInit
SysAllocString
GetErrorInfo

kernel32

SetFilePointerEx
ReadConsoleW
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetCommandLineW
GetCommandLineA
GetStdHandle
GetModuleFileNameW
GetModuleHandleExW
ExitProcess
LoadLibraryExW
FreeLibrary
ReadFile
GetLastError
CloseHandle
GetLocalTime
GetModuleFileNameA
Sleep
HeapFree
Wow64DisableWow64FsRedirection
DeviceIoControl
InitializeCriticalSectionEx
CreateFileW
GetCurrentThreadId
HeapSize
Wow64RevertWow64FsRedirection
GetFileAttributesA
CreateFileA
GetSystemDirectoryA
HeapReAlloc
RaiseException
HeapAlloc
DecodePointer
HeapDestroy
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
WideCharToMultiByte
GetTickCount
GetTimeZoneInformation
LocalFree
SizeofResource
EnterCriticalSection
WriteFile
TerminateProcess
LeaveCriticalSection
InitializeCriticalSection
FindResourceA
CreateMutexA
GetVolumeInformationA
LockResource
CreateThread
FindResourceExW
LoadResource
FindResourceW
CreateDirectoryA
AllocConsole
SetLastError
RtlUnwind
CreateEventW
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
EncodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
SetEvent
ResetEvent
WaitForSingleObjectEx
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
OutputDebugStringW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
SetEndOfFile
WriteConsoleW
MultiByteToWideChar
InitializeCriticalSectionAndSpinCount
RtlPcToFileHeader
RtlUnwindEx

advapi32

RegCloseKey
RegDeleteKeyA
RegQueryValueExA
RegCreateKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
CreateServiceA
CloseServiceHandle
OpenSCManagerA
StartServiceA
OpenServiceA

shlwapi

SHSetValueA

Sections

.text
Size: 428KB - Virtual size: 427KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 141KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
.exe windows:6 windows x64

Password: infected

97e0129b4b7ba82d6266f387d43fcf0d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

ResumeThread
GetModuleHandleA
DisconnectNamedPipe
OpenProcess
GetExitCodeThread
GetLastError
lstrcatW
LockResource
K32GetModuleInformation
CreateThread
LoadResource
GetThreadContext
GetProcAddress
VirtualAllocEx
LocalFree
LocalAlloc
ReadProcessMemory
CreateProcessW
GetModuleHandleW
FreeLibrary
WideCharToMultiByte
lstrcpyW
lstrcmpiA
K32EnumProcessModules
CreateFileMappingW
MapViewOfFile
SetThreadContext
lstrcmpiW
IsWow64Process
ConnectNamedPipe
WriteConsoleW
WaitForSingleObject
FindResourceA
K32GetModuleFileNameExW
CreateNamedPipeW
TerminateProcess
VirtualAlloc
GetCurrentProcess
VirtualProtect
WriteProcessMemory
SizeofResource
VerifyVersionInfoW
GetCurrentProcessId
VerSetConditionMask
ExitProcess
K32EnumProcesses
CloseHandle
Sleep
CreateFileW
WriteFile
lstrlenW
ReadFile
SetFilePointerEx
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
HeapReAlloc
HeapSize
GetProcessHeap
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetStdHandle
GetModuleFileNameW
GetModuleHandleExW
LCMapStringW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW

advapi32

LookupPrivilegeValueW
SetSecurityDescriptorDacl
AdjustTokenPrivileges
RegDeleteKeyExW
GetSidSubAuthorityCount
RegDeleteKeyW
AllocateAndInitializeSid
GetSidSubAuthority
SetEntriesInAclW
RegEnumKeyExW
RegSetKeySecurity
OpenProcessToken
InitializeSecurityDescriptor
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetTokenInformation
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW

shell32

ShellExecuteW

ole32

CoInitialize
CoUninitialize
CoCreateInstance

ntdll

NtQueryInformationProcess

shlwapi

PathFindFileNameW

Sections

.text
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 140KB - Virtual size: 139KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/0925b8985b19d7925d68186d666b0050a4cb3f2a577d64765d770a57a2eab9ae.exe
.exe windows:6 windows x64

Password: infected

123d795e4473ef6f4f48f98eef700823

Code Sign

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17-06-2021 17:55

Not After

16-06-2022 17:55

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bc:dd:35:0b:83:cf:67:2a:93:71:c7:02:8f:0a:26:57:5d:7a:ef:0c:f5:8f:98:96:05:8c:d8:b3:bb:88:68:03
Signer

Actual PE Digest

bc:dd:35:0b:83:cf:67:2a:93:71:c7:02:8f:0a:26:57:5d:7a:ef:0c:f5:8f:98:96:05:8c:d8:b3:bb:88:68:03

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CloseHandle
CompareStringW
CreateFileW
DeleteCriticalSection
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FlushFileBuffers
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastError
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryExW
MultiByteToWideChar
QueryPerformanceCounter
RaiseException
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetEnvironmentVariableW
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
WideCharToMultiByte
WriteConsoleW
WriteFile

ws2_32

WSAStartup
closesocket
connect
htons
recv
send
setsockopt
socket

Sections

.text
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gehcont
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.voltbl
Size: 512B - Virtual size: 42B

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe
.exe windows:5 windows x64

Password: infected

b0d2bcfaf69e32f6189b93d5e3f439ad

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

MessageBoxW
MessageBoxA

kernel32

GetModuleFileNameW
GetProcAddress
GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
SetDllDirectoryW
CreateProcessW
GetStartupInfoW
LoadLibraryExW
CloseHandle
GetCurrentProcess
LocalFree
FormatMessageW
LoadLibraryA
MultiByteToWideChar
WideCharToMultiByte
GetLastError
HeapReAlloc
SetEndOfFile
GetExitCodeProcess
GetCommandLineA
HeapSize
GetTimeZoneInformation
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
RaiseException
ReadFile
CreateFileW
GetDriveTypeW
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindClose
FindFirstFileExW
FindNextFileW
SetStdHandle
SetConsoleCtrlHandler
DeleteFileW
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
GetACP
HeapFree
HeapAlloc
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleCP
CompareStringW
LCMapStringW
GetCurrentDirectoryW
FlushFileBuffers
SetEnvironmentVariableA
GetFileAttributesExW
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStringTypeW
GetProcessHeap
WriteConsoleW

advapi32

ConvertSidToStringSidW
GetTokenInformation
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW

ws2_32

ntohl

Sections

.text
Size: 129KB - Virtual size: 129KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
video_rootkit.pyc
Rootkits/0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
.exe windows:5 windows x86

Password: infected

d6646ef1d27c1863da9c1f15f209b625

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
CreateErrorInfo
SafeArrayPtrOfIndex

advapi32

RegQueryValueExA
RegQueryValueExA
StartServiceA

user32

GetKeyboardType
CreateWindowExA
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

kernel32

GetACP
TlsSetValue
GetVersionExA
GetVersion
Sleep
GetVersionExA
FindFirstChangeNotificationA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

gdi32

UnrealizeObject

version

VerQueryValueA

mpr

WNetGetConnectionA

ole32

CreateStreamOnHGlobal
CLSIDFromString
CoUninitialize
CoCreateInstance
DoDragDrop

comctl32

_TrackMouseEvent

shell32

ShellExecuteA
SHGetSpecialFolderLocation
SHGetMalloc
SHGetInstanceExplorer

comdlg32

GetOpenFileNameA

wsock32

WSACleanup

gdiplus

GdipDrawImageRect

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 67KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 156B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 8.7MB - Virtual size: 8.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 245KB - Virtual size: 4.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/0f5e3d33c824f9f03d038b4f1a376b15cc5f1694aef086bd17c516ad951fc45a.exe
.sys windows:10 windows x64

0caea6039f1c84b1aa3f1be216c1bf1b

Code Sign

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09-09-2021 19:15

Not After

01-09-2022 19:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8a:bf:74:4f:0c:bf:09:d6:7a:fc:5b:7c:c9:d6:13:e6:9c:73:a5:c8:a4:5b:cd:26:cf:6b:cf:d0:3c:35:15:ac
Signer

Actual PE Digest

8a:bf:74:4f:0c:bf:09:d6:7a:fc:5b:7c:c9:d6:13:e6:9c:73:a5:c8:a4:5b:cd:26:cf:6b:cf:d0:3c:35:15:ac

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

IoFreeMdl
__C_specific_handler
KeInitializeMutex
KeReleaseMutex
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
IoGetStackLimits
ZwSetInformationFile
ZwWriteFile
NtOpenFile
NtQueryDirectoryFile
NtClose
ZwDeleteFile
strncmp
RtlCompareUnicodeString
DbgPrint
PsGetProcessId
ZwCreateKey
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
PsCreateSystemThread
PsGetCurrentThreadId
ZwDeviceIoControlFile
RtlRandomEx
sprintf_s
_vsnprintf
__chkstk
ExQueryDepthSList
ExpInterlockedPopEntrySList
IoFreeIrp
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
_vsnwprintf
strstr
memcpy_s
PsGetThreadId
IoThreadToProcess
ObReferenceObjectByName
IoDriverObjectType
RtlEqualUnicodeString
ExGetPreviousMode
CmRegisterCallback
CmUnRegisterCallback
MmIsAddressValid
PsGetCurrentProcessId
ObQueryNameString
ExInitializeResourceLite
RtlInitializeGenericTable
IoCancelIrp
IoAllocateMdl
IoAllocateIrp
MmUnlockPages
MmProbeAndLockPages
KeQueryTimeIncrement
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
ZwReadFile
ZwQueryInformationFile
MmGetSystemRoutineAddress
IoFileObjectType
atol
IoQueryFileDosDeviceName
ZwQueryVolumeInformationFile
ZwClose
ZwOpenFile
ZwCreateFile
ObfDereferenceObject
ObReferenceObjectByHandle
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
IofCompleteRequest
ExAllocatePool
KeDelayExecutionThread
RtlCopyUnicodeString
RtlInitUnicodeString
srand
KeBugCheckEx
rand
sprintf
ExpInterlockedPushEntrySList
ExFreePoolWithTag

fltmgr.sys

FltUnregisterFilter
FltStartFiltering
FltAllocatePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltRegisterFilter
FltSetInformationFile
FltQueryInformationFile
FltReadFile

netio.sys

WskRegister
WskCaptureProviderNPI
WskDeregister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbind
WdfVersionUnbindClass

Sections

.text
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 512B - Virtual size: 19B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sCK0
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/10cf63dce9ea260f48def203313edcec06a293db3e35589954a99582c0a7e1d2.exe
.sys windows:10 windows x64

1e47b2c8040ee818d86e6d2eca6640ed

Code Sign

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09-09-2021 19:15

Not After

01-09-2022 19:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

10:a3:1f:18:d8:6c:aa:79:a0:ef:8d:f2:8d:42:29:18:de:5a:0c:d9:03:33:1a:80:59:8c:ed:b3:35:c0:e8:bc
Signer

Actual PE Digest

10:a3:1f:18:d8:6c:aa:79:a0:ef:8d:f2:8d:42:29:18:de:5a:0c:d9:03:33:1a:80:59:8c:ed:b3:35:c0:e8:bc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

__C_specific_handler
KeInitializeMutex
KeReleaseMutex
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
NtOpenFile
NtClose
ZwDeleteFile
strncmp
RtlCompareUnicodeString
DbgPrint
PsGetProcessId
ZwCreateKey
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
PsGetCurrentThreadId
ZwDeviceIoControlFile
RtlRandomEx
sprintf_s
_vsnprintf
ExQueryDepthSList
IoFreeMdl
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
_vsnwprintf
strstr
PsGetThreadId
IoThreadToProcess
ObReferenceObjectByName
IoDriverObjectType
ExGetPreviousMode
CmRegisterCallback
CmUnRegisterCallback
MmIsAddressValid
PsGetCurrentProcessId
ObQueryNameString
ExInitializeResourceLite
RtlInitializeGenericTable
IoFreeIrp
IoCancelIrp
IoAllocateMdl
IoAllocateIrp
MmUnlockPages
MmProbeAndLockPages
KeQueryTimeIncrement
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
__chkstk
PsCreateSystemThread
IoFileObjectType
atol
IoQueryFileDosDeviceName
ZwQueryVolumeInformationFile
ZwClose
ZwOpenFile
ZwCreateFile
ObfDereferenceObject
ObReferenceObjectByHandle
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
IofCompleteRequest
ExAllocatePool
KeDelayExecutionThread
RtlCopyUnicodeString
RtlInitUnicodeString
srand
RtlAnsiCharToUnicodeChar
KeBugCheckEx
rand
sprintf
ExpInterlockedPopEntrySList
ExFreePoolWithTag

fltmgr.sys

FltUnregisterFilter
FltStartFiltering
FltAllocatePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltRegisterFilter
FltSetInformationFile
FltQueryInformationFile
FltReadFile

netio.sys

WskRegister
WskCaptureProviderNPI
WskDeregister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbind
WdfVersionUnbindClass

Sections

.text
Size: 188KB - Virtual size: 188KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 512B - Virtual size: 19B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.TK40
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 260B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 756B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/2141974f665f4d8fecb6d8ea06add624b57f320f901368847175570ee716fd8e.exe
.dll windows:6 windows x64

1c8834f49b12ade6d347518d887ad928

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

GetSystemInfo
VirtualAlloc
VirtualFree
VirtualQuery
CloseHandle
HeapCreate
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
Sleep
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
OpenThread
SuspendThread
ResumeThread
GetThreadContext
SetThreadContext
FlushInstructionCache
VirtualProtect
GetModuleHandleW
GetProcAddress
CreateToolhelp32Snapshot
Thread32First
Thread32Next
SetEndOfFile
FormatMessageA
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
LocalFree
EncodePointer
DecodePointer
LCMapStringEx
GetLocaleInfoEx
CompareStringEx
GetCPInfo
IsDebuggerPresent
RaiseException
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetLastError
GetProcessHeap
FreeLibrary
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
GetStartupInfoW
RtlPcToFileHeader
RtlUnwindEx
GetModuleFileNameW
LoadLibraryExW
InterlockedPushEntrySList
InterlockedFlushSList
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
HeapSize
HeapValidate
GetModuleHandleExW
ExitProcess
GetCurrentThread
HeapQueryInformation
GetStdHandle
GetFileType
WriteFile
OutputDebugStringW
WriteConsoleW
SetConsoleCtrlHandler
GetFileSizeEx
SetFilePointerEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
ReadFile
GetTimeZoneInformation
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
ReadConsoleW
SetStdHandle
CreateFileW
RtlUnwind

Sections

.textbss
Size: - Virtual size: 739KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 323KB - Virtual size: 323KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 337B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 1024B - Virtual size: 562B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4.exe
.exe windows:6 windows x64

4bc2037c060d678dc4f4604cd8d2e6e7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetLastError
LockResource
CloseHandle
LoadResource
GetProcAddress
GetModuleHandleW
FreeLibrary
WideCharToMultiByte
WriteConsoleW
CreateFileW
FindResourceA
TerminateProcess
WriteFile
GetCurrentProcess
SizeofResource
lstrcatW
GetCurrentProcessId
SetFilePointerEx
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
HeapReAlloc
HeapSize
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetStdHandle
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
LCMapStringW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
GetProcessHeap

advapi32

RegSetValueExW
RegOpenKeyExW

ole32

CoInitialize
CoUninitialize
CoCreateInstance

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 230KB - Virtual size: 229KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/2adf06babe9d56ec5c8ba2eec576bd2625ebd3353892be4c9d7b51b4a8dbe473.exe
.sys windows:6 windows x86

c00e20f56d65068b81a1a5324d461344

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

IoDeleteDevice
IoFreeWorkItem
MmUnmapIoSpace
MmGetPhysicalAddress
ExAllocatePool
IoAllocateWorkItem
MmMapIoSpace
IoAttachDeviceToDeviceStack
IoCreateSymbolicLink
IoInitializeRemoveLockEx
IoCreateDevice
IoQueueWorkItem
RtlInitUnicodeString
ZwClose
ZwOpenFile
ZwQueryInformationFile
KdDebuggerEnabled
InitSafeBootMode
IofCompleteRequest
RtlDeleteElementGenericTable
KeGetCurrentThread
RtlLookupElementGenericTable
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlUpcaseUnicodeChar
IoRegisterDriverReinitialization
ExFreePoolWithTag
ZwReadFile
IoDeleteSymbolicLink
ZwAllocateVirtualMemory
KeInitializeMutex
KeReleaseMutex
KeWaitForSingleObject
ZwQueryValueKey
ZwOpenKey
_stricmp
MmGetSystemRoutineAddress
PsGetVersion
ZwQueryInformationProcess
ObOpenObjectByPointer
PsLookupProcessByProcessId
ObfDereferenceObject
memcpy
_except_handler3
memset

hal

KfAcquireSpinLock
KeGetCurrentIrql
KfReleaseSpinLock

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 640B - Virtual size: 628B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 904B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 964B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
.exe windows:5 windows x86

e07989e77f93c45ef3b9da49cc5892a4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
CreateErrorInfo
SafeArrayPtrOfIndex

advapi32

RegQueryValueExA
RegQueryValueExA
StartServiceA

user32

GetKeyboardType
CreateWindowExA
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

kernel32

GetACP
TlsSetValue
GetVersionExA
GetVersion
Sleep
FindFirstChangeNotificationA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

gdi32

UnrealizeObject

version

VerQueryValueA

mpr

WNetGetConnectionA

ole32

CreateStreamOnHGlobal
CLSIDFromString
CoUninitialize
CoCreateInstance
DoDragDrop

comctl32

_TrackMouseEvent

shell32

ShellExecuteA
SHGetSpecialFolderLocation
SHGetMalloc
SHGetInstanceExplorer

comdlg32

GetOpenFileNameA

wsock32

WSACleanup

gdiplus

GdipDrawImageRect

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 39KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 156B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 8.6MB - Virtual size: 8.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 245KB - Virtual size: 4.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/4e6b9a6d0870e85cbb957fc5e33503841f79f48e9f701f6e3d62a00dd8c82388.exe
.sys windows:5 windows x64

1614dc2008aa8ff60c4c6d03994639d9

Code Sign

19:9d:f8:8e
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08-08-2009 01:00

Not After

08-08-2024 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0f:8b:60:0f:f1:88:2e
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

29-03-2012 09:07

Not After

02-04-2014 06:24

Subject

CN=Hangzhou Leishite Laser Technology Co.\, Ltd.,O=Hangzhou Leishite Laser Technology Co.\, Ltd.,L=Hangzhou,ST=Zhejiang,C=CN,1.2.840.113549.1.9.1=#0c0f6c737474656368403136332e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

61:39:bb:9c:00:00:00:00:00:33
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-04-2011 20:13

Not After

15-04-2021 20:23

Subject

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01-03-2011 01:00

Not After

01-03-2016 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

35:90:e9:bd:d0:8d:17:b2:af:0a:22:1a:9e:e2:06:39:b3:22:81:02
Signer

Actual PE Digest

35:90:e9:bd:d0:8d:17:b2:af:0a:22:1a:9e:e2:06:39:b3:22:81:02

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlInitUnicodeString
RtlCompareUnicodeString
ZwCreateFile
DbgPrint
RtlInitAnsiString
RtlAnsiStringToUnicodeString
ZwWriteFile
RtlFreeUnicodeString
KeInitializeEvent
IoBuildDeviceIoControlRequest
IofCallDriver
KeWaitForSingleObject
ExInterlockedRemoveHeadList
MmIsAddressValid
ExpInterlockedPopEntrySList
ExInterlockedInsertTailList
KeReleaseSemaphore
ExpInterlockedPushEntrySList
ExQueryDepthSList
PsTerminateSystemThread
ObReferenceObjectByName
IoDriverObjectType
ObfDereferenceObject
IoGetDeviceObjectPointer
ExInitializeNPagedLookasideList
KeInitializeSemaphore
PsCreateSystemThread
ZwClose
IoGetCurrentProcess
ZwQuerySystemInformation
ExAllocatePool
ExFreePoolWithTag
_stricmp
IoDeleteSymbolicLink
IoDeleteDevice
IofCompleteRequest
ZwOpenKey
ZwQueryValueKey
ExAllocatePoolWithTag
KeDelayExecutionThread
IoCreateDevice
IoIsWdmVersionAvailable
IoCreateSymbolicLink
_vsnwprintf
ObReferenceObjectByHandle
MmGetPhysicalAddress
MmMapIoSpace
MmUnmapIoSpace
RtlCheckRegistryKey
IoAttachDevice
IoDetachDevice
PoStartNextPowerIrp
PsGetCurrentProcessId
MmGetSystemRoutineAddress
PsGetVersion
__C_specific_handler

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Rootkits/4f6b732dfa5b4d91c56235f7c69974a4c557d6348f4ed9b862fa4938f7ce3848.exe
.sys windows:5 windows x86

150ebc9e04c8dc51e4247a5115ccc8b4

Code Sign

19:9d:f8:8e
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08-08-2009 01:00

Not After

08-08-2024 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0f:8b:60:0f:f1:88:2e
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

29-03-2012 09:07

Not After

02-04-2014 06:24

Subject

CN=Hangzhou Leishite Laser Technology Co.\, Ltd.,O=Hangzhou Leishite Laser Technology Co.\, Ltd.,L=Hangzhou,ST=Zhejiang,C=CN,1.2.840.113549.1.9.1=#0c0f6c737474656368403136332e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

61:39:bb:9c:00:00:00:00:00:33
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-04-2011 20:13

Not After

15-04-2021 20:23

Subject

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01-03-2011 01:00

Not After

01-03-2016 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

90:6e:e0:45:6c:a9:54:e1:53:e1:69:c5:02:e5:44:f5:4c:da:0c:33
Signer

Actual PE Digest

90:6e:e0:45:6c:a9:54:e1:53:e1:69:c5:02:e5:44:f5:4c:da:0c:33

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

PsCreateSystemThread
PsTerminateSystemThread
_vsnwprintf
ZwClose
RtlInitUnicodeString
RtlCompareUnicodeString
wcsncat
ZwSetInformationFile
ZwCreateFile
ExAllocatePool
ZwQueryDirectoryFile
ZwDeleteFile
ZwOpenFile
ZwQueryInformationFile
ZwWriteFile
IoBuildDeviceIoControlRequest
memmove
RtlAnsiStringToUnicodeString
ExInitializeNPagedLookasideList
ExfInterlockedInsertTailList
KeInitializeEvent
RtlInitAnsiString
ExfInterlockedRemoveHeadList
InterlockedPopEntrySList
RtlFreeUnicodeString
IoDriverObjectType
IoGetDeviceObjectPointer
KeInitializeSemaphore
KeWaitForSingleObject
KeReleaseSemaphore
MmIsAddressValid
ObfDereferenceObject
ObReferenceObjectByName
DbgPrint
IofCallDriver
InterlockedPushEntrySList
ExAllocatePoolWithTag
RtlCheckRegistryKey
KeDelayExecutionThread
ZwQueryValueKey
IoGetCurrentProcess
ZwOpenKey
KeUnstackDetachProcess
KeStackAttachProcess
_stricmp
ZwQuerySystemInformation
IoDeleteSymbolicLink
IoGetRelatedDeviceObject
IoDeleteDevice
KeSetEvent
IoCreateFile
IoFileObjectType
KeGetCurrentThread
IofCompleteRequest
ObReferenceObjectByHandle
IoFreeIrp
IoAllocateIrp
IoIsWdmVersionAvailable
IoCreateSymbolicLink
IoCreateDevice
MmUnmapIoSpace
MmGetPhysicalAddress
MmMapIoSpace
ZwDeleteValueKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryKey
IoDetachDevice
PoStartNextPowerIrp
PsGetCurrentProcessId
MmGetSystemRoutineAddress
PsGetVersion
ExFreePoolWithTag
memset
_except_handler3
_allrem
_alldiv
memcpy

hal

KeGetCurrentIrql

Sections

.text
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0.exe
.sys windows:10 windows x64

a04dde371e3d8553c4d92d3a20a5989c

Code Sign

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:15

Not After

02-12-2021 22:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5c:20:6b:56:9b:70:59:b7:c3:2e:b5:fc:36:92:2c:b4:35:c2:b1:6c:8d:96:de:10:38:c8:bd:29:8e:d4:98:fe
Signer

Actual PE Digest

5c:20:6b:56:9b:70:59:b7:c3:2e:b5:fc:36:92:2c:b4:35:c2:b1:6c:8d:96:de:10:38:c8:bd:29:8e:d4:98:fe

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fwpkclnt.sys

FwpmFilterAdd0
FwpmFilterDeleteById0
FwpsAcquireClassifyHandle0
FwpmCalloutAdd0
FwpsCompleteClassify0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsReleaseClassifyHandle0
FwpsCalloutRegister1

ntoskrnl.exe

IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
sprintf
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
MmIsAddressValid
strlen
strncmp
strncpy
wcscat
wcslen
wcsncmp
RtlInitAnsiString
strcat
strcmp
strncat
IoAllocateIrp
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
wcscpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeResetEvent
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
PsProcessType
SeExports
strchr
strncpy_s
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
__C_specific_handler
IofCallDriver
ExAllocatePoolWithTag
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
IoDeleteSymbolicLink
KeBugCheckEx
RtlCopyUnicodeString
ExFreePoolWithTag
RtlInitUnicodeString
strcpy
strstr

netio.sys

WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
WskRegister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.exe
.exe windows:4 windows x86

7e3bbc4aa48a3d61a7b995aba939311c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

LoadLibraryA
GetProcAddress
WaitForSingleObject
CreateFileA
WriteFile
CloseHandle
WideCharToMultiByte
Sleep
DeleteFileA
GetCurrentProcess
TerminateProcess
GetModuleHandleA
GetFileAttributesExA
lstrlenW
GetProcessHeap
HeapAlloc
GetLastError
HeapFree
SetUnhandledExceptionFilter

msvcrt

memset
strlen
wcslen
malloc
strcmp
free
strstr
memcpy
_controlfp
__set_app_type
__getmainargs
exit

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Rootkits/68360e0294785ce6502f4b10a6d41f53b3ea206025de06bbbbc894e9688fff43.exe
.sys windows:10 windows x86

16f2082e5ee8e98ec95f70336200f351

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

tdi.sys

TdiMapUserRequest

ntoskrnl.exe

ExFreePoolWithTag
MmProbeAndLockPages
IoAllocateMdl
IoBuildDeviceIoControlRequest
IofCallDriver
IoCancelIrp
IoFreeIrp
IoFreeMdl
IoGetRelatedDeviceObject
ObfDereferenceObject
ZwClose
MmIsAddressValid
IoGetDeviceAttachmentBaseRef
memset
IoAllocateIrp
ObReferenceObjectByHandle
ZwCreateFile
KefAcquireSpinLockAtDpcLevel
KefReleaseSpinLockFromDpcLevel
PsGetCurrentProcessId
PsGetCurrentThreadId
ExQueueWorkItem
MmBuildMdlForNonPagedPool
IofCompleteRequest
memcpy
_stricmp
ExfInterlockedInsertTailList
ExfInterlockedRemoveHeadList
strstr
KeResetEvent
IoAttachDevice
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDetachDevice
IoSetCompletionRoutineEx
isdigit
isspace
_strnicmp
strncpy
wcschr
wcsncpy
wcsrchr
wcsstr
_wcsicmp
_wcsnicmp
KeGetCurrentThread
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlUnicodeStringToAnsiString
RtlFreeUnicodeString
DbgPrint
KeInitializeDpc
KeInsertQueueDpc
KeSetTargetProcessorDpc
KeClearEvent
KeBugCheckEx
ExAllocatePool
ExGetPreviousMode
MmUnlockPages
MmGetSystemRoutineAddress
MmMapLockedPagesSpecifyCache
PsTerminateSystemThread
IoCreateFile
ExAllocatePoolWithTag
IoRegisterShutdownNotification
KeWaitForSingleObject
ZwOpenFile
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwOpenKey
ZwDeleteKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushKey
ZwQueryKey
ZwQueryValueKey
ZwSaveKey
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
ZwOpenEvent
IoGetFileObjectGenericMapping
IoRegisterBootDriverReinitialization
ZwQueryVolumeInformationFile
ZwDeviceIoControlFile
ZwOpenProcess
RtlRandomEx
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupProcessByProcessId
ObQueryNameString
ZwCreateEvent
ZwDeleteFile
ZwQueryDirectoryFile
ZwFsControlFile
ZwOpenDirectoryObject
swprintf
ObReferenceObjectByName
ZwQueryDirectoryObject
ZwQuerySystemInformation
ObCreateObject
SeCreateAccessState
_allmul
_aulldiv
memchr
KeNumberProcessors
KeTickCount
IoFileObjectType
NtBuildNumber
IoDriverObjectType
PsSetLoadImageNotifyRoutine
KeAreApcsDisabled
ProbeForRead
PsSetCreateProcessNotifyRoutine
ZwTerminateProcess
IoQueryFileDosDeviceName
RtlGetVersion
KeDelayExecutionThread
KeQueryTimeIncrement
PsCreateSystemThread
ZwLoadDriver
ZwCreateKey
ZwSetValueKey
_alldiv
KeSetEvent
RtlUnwind
KeInitializeEvent
RtlInitUnicodeString
IoUnregisterShutdownNotification
_vsnprintf
IoGetCurrentProcess
_stricmp
NtQuerySystemInformation
memcpy
memset
ZwClose
ZwQueryValueKey
ZwOpenKey
RtlInitUnicodeString
ZwWaitForSingleObject
ZwDeviceIoControlFile
ZwOpenFile
_wcsnicmp
ZwEnumerateKey
ZwCreateEvent
MmGetSystemRoutineAddress
ZwCreateFile
KeRevertToUserAffinityThread
_except_handler3
KeQueryActiveProcessors
KeQueryTimeIncrement
KeTickCount
_alldiv
_allmul
DbgBreakPointWithStatus
_aullshr
RtlTimeToTimeFields
ExSystemTimeToLocalTime
KeQuerySystemTime
IoAllocateMdl
IoFreeMdl
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
KeWaitForSingleObject
KeReleaseMutex
KeInitializeMutex
ExFreePoolWithTag
ExAllocatePool
KeSetSystemAffinityThread
DbgPrint
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint
_except_handler3

hal

KeRaiseIrqlToDpcLevel
KfLowerIrql
KeGetCurrentIrql
KfReleaseSpinLock
KfAcquireSpinLock
KeQueryPerformanceCounter
KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 66KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

."3O
Size: - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.LRO
Size: 1024B - Virtual size: 916B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.+~T
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/6a0390769feeb703962e81f70896a1dfd1ea14479b9e200bcc530b238990c759.exe
.sys windows:10 windows x64

66fec65394db247ba10d30b3f3e9564a

Code Sign

33:00:00:00:4e:59:56:10:83:2b:4e:0c:6c:00:00:00:00:00:4e
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09-09-2021 19:16

Not After

01-09-2022 19:16

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3f:9d:bb:5d:cf:47:3c:ea:ed:7a:32:b0:55:35:5f:d0:a8:6e:a8:b4:bd:5e:c7:f7:6a:64:d4:0d:12:4b:62:7f
Signer

Actual PE Digest

3f:9d:bb:5d:cf:47:3c:ea:ed:7a:32:b0:55:35:5f:d0:a8:6e:a8:b4:bd:5e:c7:f7:6a:64:d4:0d:12:4b:62:7f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
KeQueryTimeIncrement
MmProbeAndLockPages
MmUnlockPages
IoAllocateIrp
IoAllocateMdl
IoCancelIrp
IoFreeIrp
IoFreeMdl
__C_specific_handler
KeInitializeMutex
KeReleaseMutex
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
IoGetStackLimits
ZwSetInformationFile
ZwWriteFile
NtOpenFile
NtQueryDirectoryFile
NtClose
ZwDeleteFile
strncmp
RtlCompareUnicodeString
PsGetProcessId
ZwCreateKey
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
DbgPrint
ObQueryNameString
ZwDeviceIoControlFile
RtlRandomEx
sprintf_s
_vsnprintf
__chkstk
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
strstr
memcpy_s
RtlWalkFrameChain
PsGetThreadId
IoThreadToProcess
ObReferenceObjectByName
IoDriverObjectType
ExInitializeResourceLite
RtlInitializeGenericTable
CmRegisterCallback
ExGetPreviousMode
RtlEqualUnicodeString
ZwReadFile
ZwQueryInformationFile
MmGetSystemRoutineAddress
IoFileObjectType
atol
_vsnwprintf
FsRtlIsNameInExpression
IoQueryFileDosDeviceName
ZwQueryVolumeInformationFile
PsGetCurrentThreadId
MmIsAddressValid
ZwClose
ZwOpenFile
ZwCreateFile
ObfDereferenceObject
ObReferenceObjectByHandle
IoRegisterShutdownNotification
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
IofCompleteRequest
ExAllocatePool
KeDelayExecutionThread
RtlCopyUnicodeString
RtlCreateRegistryKey
RtlWriteRegistryValue
RtlInitUnicodeString
srand
KeBugCheckEx
rand
sprintf
PsCreateSystemThread
ExFreePoolWithTag

fltmgr.sys

FltUnregisterFilter
FltStartFiltering
FltSetCallbackDataDirty
FltAllocatePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltSetInformationFile
FltQueryInformationFile
FltReadFile
FltRegisterFilter

netio.sys

WskRegister
WskCaptureProviderNPI
WskDeregister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbind
WdfVersionUnbindClass

Sections

.text
Size: 121KB - Virtual size: 121KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 512B - Virtual size: 19B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Pwk0
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
.exe windows:5 windows x86

e07989e77f93c45ef3b9da49cc5892a4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
CreateErrorInfo
SafeArrayPtrOfIndex

advapi32

RegQueryValueExA
RegQueryValueExA
StartServiceA

user32

GetKeyboardType
CreateWindowExA
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

kernel32

GetACP
TlsSetValue
GetVersionExA
GetVersion
Sleep
FindFirstChangeNotificationA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

gdi32

UnrealizeObject

version

VerQueryValueA

mpr

WNetGetConnectionA

ole32

CreateStreamOnHGlobal
CLSIDFromString
CoUninitialize
CoCreateInstance
DoDragDrop

comctl32

_TrackMouseEvent

shell32

ShellExecuteA
SHGetSpecialFolderLocation
SHGetMalloc
SHGetInstanceExplorer

comdlg32

GetOpenFileNameA

wsock32

WSACleanup

gdiplus

GdipDrawImageRect

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 39KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 156B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 8.6MB - Virtual size: 8.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 245KB - Virtual size: 4.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870.exe
.sys windows:10 windows x86

5ab8e64ecec77f478246cc79c527ff07

Code Sign

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:15

Not After

02-12-2021 22:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f0:8e:bd:dc:11:ae:fc:b4:60:82:c2:39:f8:d9:7c:ee:a2:47:d8:46:e2:2c:4b:cd:d7:2a:f7:5c:1c:bc:6b:0b
Signer

Actual PE Digest

f0:8e:bd:dc:11:ae:fc:b4:60:82:c2:39:f8:d9:7c:ee:a2:47:d8:46:e2:2c:4b:cd:d7:2a:f7:5c:1c:bc:6b:0b

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

fwpkclnt.sys

FwpsAcquireClassifyHandle0
FwpsReleaseClassifyHandle0
FwpmFilterDeleteById0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmFilterAdd0
FwpmCalloutAdd0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsCompleteClassify0
FwpsCalloutRegister1

ntoskrnl.exe

IofCallDriver
IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
sprintf
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
MmIsAddressValid
strlen
strncmp
strncpy
wcscat
wcslen
wcsncmp
RtlInitAnsiString
strcat
strcmp
strncat
ExAllocatePoolWithTag
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
wcscpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeResetEvent
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
_allmul
PsProcessType
SeExports
strchr
strncpy_s
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
IoAllocateIrp
RtlUnwind
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
KeGetCurrentThread
IoDeleteSymbolicLink
KeBugCheckEx
ExFreePoolWithTag
RtlInitUnicodeString
RtlCopyUnicodeString
strcpy
memset
memcpy
strstr

netio.sys

WskDeregister
WskReleaseProviderNPI
WskCaptureProviderNPI
WskRegister

hal

KeGetCurrentIrql

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/84ed7fec67de5621806dbb43af5167a5fc60ab7f2403448519dc0eca2b8f9022.exe
.exe windows:6 windows x64

58b8edce961e0f18c8bc37a9d263844d

Code Sign

04:44:c0
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

22-10-2008 12:07

Not After

31-12-2029 12:07

Subject

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:af
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

17-04-2018 08:20

Not After

18-05-2027 08:20

Subject

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

79:ac:7f:69:fc:69:67:b1:d1:66:02:4d:79:56:b1:b1
Certificate

Issuer

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Not Before

04-11-2019 07:04

Not After

28-10-2022 09:30

Subject

CN=杭州九玩网络科技有限公司,O=杭州九玩网络科技有限公司,L=杭州市,ST=浙江省,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a5:c4:d6:f8:3b:63:76:98:60:e7:00:06:56:88:78:81:41:3e:4f:ed:9a:4d:ae:2a:85:b9:7b:ff:f1:99:b1:87
Signer

Actual PE Digest

a5:c4:d6:f8:3b:63:76:98:60:e7:00:06:56:88:78:81:41:3e:4f:ed:9a:4d:ae:2a:85:b9:7b:ff:f1:99:b1:87

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LoadLibraryA
GetProcAddress
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
RtlUnwindEx
GetLastError
SetLastError
RaiseException
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
GetStdHandle
WriteFile
GetModuleFileNameW
GetCurrentProcess
ExitProcess
TerminateProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetFileType
GetStringTypeW
CompareStringW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/8bef06598b67c1edbbf42399a19c8a8aa61d12466e873d70e9e26a10ba54d308.exe
.sys windows:10 windows x64

ae7dda8bf49d06c904ca0069438ee5d9

Code Sign

33:00:00:00:57:ee:4d:65:9a:92:3e:7c:10:00:00:00:00:00:57
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07-06-2022 18:08

Not After

01-06-2023 18:08

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d5:ea:56:d3:bc:5d:94:c4:f1:b2:50:fd:66:9e:d4:bd:66:fa:da:42:32:47:89:80:bd:0c:ff:12:e5:2c:a5:dc
Signer

Actual PE Digest

d5:ea:56:d3:bc:5d:94:c4:f1:b2:50:fd:66:9e:d4:bd:66:fa:da:42:32:47:89:80:bd:0c:ff:12:e5:2c:a5:dc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ObQueryNameString
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

fltmgr.sys

FltUnregisterFilter

netio.sys

WskRegister

wdfldr.sys

WdfVersionBind

hal

KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 223KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: - Virtual size: 19B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Vba0
Size: - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.Vba1
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.Vba2
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe
.exe windows:6 windows x64

218e2701c0e259f74bac46862066af7e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ole32

OleRun
CoInitialize
CoCreateInstance

oleaut32

VariantClear
SafeArrayCreate
VariantCopy
SafeArrayPutElement
SysFreeString
VariantInit
SysAllocString
GetErrorInfo

kernel32

SetFilePointerEx
ReadConsoleW
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetCommandLineW
GetCommandLineA
GetStdHandle
GetModuleFileNameW
GetModuleHandleExW
ExitProcess
LoadLibraryExW
FreeLibrary
ReadFile
GetLastError
CloseHandle
GetLocalTime
GetModuleFileNameA
Sleep
HeapFree
Wow64DisableWow64FsRedirection
DeviceIoControl
InitializeCriticalSectionEx
CreateFileW
GetCurrentThreadId
HeapSize
Wow64RevertWow64FsRedirection
GetFileAttributesA
CreateFileA
GetSystemDirectoryA
HeapReAlloc
RaiseException
HeapAlloc
DecodePointer
HeapDestroy
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
WideCharToMultiByte
GetTickCount
GetTimeZoneInformation
LocalFree
SizeofResource
EnterCriticalSection
WriteFile
TerminateProcess
LeaveCriticalSection
InitializeCriticalSection
FindResourceA
CreateMutexA
GetVolumeInformationA
LockResource
CreateThread
FindResourceExW
LoadResource
FindResourceW
CreateDirectoryA
AllocConsole
SetLastError
RtlUnwind
CreateEventW
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
EncodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
SetEvent
ResetEvent
WaitForSingleObjectEx
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
OutputDebugStringW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
SetEndOfFile
WriteConsoleW
MultiByteToWideChar
InitializeCriticalSectionAndSpinCount
RtlPcToFileHeader
RtlUnwindEx

advapi32

RegCloseKey
RegDeleteKeyA
RegQueryValueExA
RegCreateKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
CreateServiceA
CloseServiceHandle
OpenSCManagerA
StartServiceA
OpenServiceA

shlwapi

SHSetValueA

Sections

.text
Size: 428KB - Virtual size: 427KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 141KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/973e8ee15e00b702b03fa42e45cce60344dbe7dbc7d3213a81a53623c303ff5c.exe
.exe windows:6 windows x86

dda765b9352ee55eed4377f5697f2360

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ResumeThread
GetModuleHandleA
DisconnectNamedPipe
OpenProcess
GetExitCodeThread
GetLastError
lstrcatW
LockResource
K32GetModuleInformation
CreateThread
LoadResource
GetThreadContext
GetProcAddress
VirtualAllocEx
LocalFree
LocalAlloc
ReadProcessMemory
CreateProcessW
GetModuleHandleW
FreeLibrary
WideCharToMultiByte
lstrcpyW
lstrcmpiA
K32EnumProcessModules
CreateFileMappingW
MapViewOfFile
SetThreadContext
lstrcmpiW
lstrcmpW
IsWow64Process
ConnectNamedPipe
WriteConsoleW
WaitForSingleObject
FindResourceA
K32GetModuleFileNameExW
CreateNamedPipeW
TerminateProcess
VirtualAlloc
GetCurrentProcess
VirtualProtect
WriteProcessMemory
SizeofResource
VerifyVersionInfoW
GetCurrentProcessId
VerSetConditionMask
ExitProcess
K32EnumProcesses
CloseHandle
Sleep
CreateFileW
WriteFile
lstrlenW
ReadFile
SetFilePointerEx
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
HeapReAlloc
HeapSize
GetProcessHeap
GetStringTypeW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RaiseException
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetStdHandle
GetModuleFileNameW
GetModuleHandleExW
LCMapStringW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
DecodePointer

advapi32

LookupPrivilegeValueW
SetSecurityDescriptorDacl
AdjustTokenPrivileges
RegDeleteKeyExW
RegQueryInfoKeyW
GetSidSubAuthorityCount
RegDeleteKeyW
AllocateAndInitializeSid
GetSidSubAuthority
SetEntriesInAclW
RegEnumKeyExW
RegSetKeySecurity
OpenProcessToken
InitializeSecurityDescriptor
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegEnumValueW
GetTokenInformation
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW

shell32

ShellExecuteW

ole32

CoCreateInstance
CoInitialize
CoUninitialize

ntdll

NtQueryInformationProcess

shlwapi

PathFindFileNameW

Sections

.text
Size: 53KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 107KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe
.exe windows:6 windows x86

70621d2ef55d2dd65a1fa41928fe3d0f

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

09:88:b7:a5:2e:7c:d2:a6:f5:a0:fb:ce:3e:32:83:ff
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

17-07-2019 00:00

Not After

01-10-2021 12:00

Subject

CN=Docker Inc,O=Docker Inc,L=San Francisco,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22-10-2013 12:00

Not After

22-10-2028 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

00:4c:31:9b:60:13:12:c8:34:fe:86:ae:7c:29:26:21:de:e8:0b:c4:76:09:de:ba:70:d8:ae:7e:af:49:9b:72
Signer

Actual PE Digest

00:4c:31:9b:60:13:12:c8:34:fe:86:ae:7c:29:26:21:de:e8:0b:c4:76:09:de:ba:70:d8:ae:7e:af:49:9b:72

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
CompareStringW
CreateFileA
CreateFileW
CreateWaitableTimerA
DecodePointer
DeleteCriticalSection
DeleteFileA
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FlushFileBuffers
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryExW
MultiByteToWideChar
OpenFile
QueryPerformanceCounter
RaiseException
RtlUnwind
SetEnvironmentVariableW
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile
lstrlenW

shell32

SHGetSpecialFolderPathA
ShellExecuteExA

advapi32

AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegCloseKey
RegCreateKeyExW
RegQueryValueExW

user32

DispatchMessageA
MsgWaitForMultipleObjects
PeekMessageA
TranslateMessage
wsprintfA

ntdll

NtLoadDriver

wininet

HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile

Sections

.text
Size: 506KB - Virtual size: 505KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.voltbl
Size: 512B - Virtual size: 72B

.reloc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4.exe
.exe windows:4 windows x86

7e3bbc4aa48a3d61a7b995aba939311c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

LoadLibraryA
GetProcAddress
WaitForSingleObject
CreateFileA
WriteFile
CloseHandle
WideCharToMultiByte
Sleep
DeleteFileA
GetCurrentProcess
TerminateProcess
GetModuleHandleA
GetFileAttributesExA
lstrlenW
GetProcessHeap
HeapAlloc
GetLastError
HeapFree
SetUnhandledExceptionFilter

msvcrt

memset
strlen
wcslen
malloc
strcmp
free
strstr
memcpy
_controlfp
__set_app_type
__getmainargs
exit

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Rootkits/b1e3da936d666cf9d671dd8f79e54afc8f524bccaca77e835bf611ec3038211c.exe
.exe windows:6 windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

LoadLi
Size: 4KB - Virtual size: 1830.1MB

Size: 5.1MB - Virtual size: 4B

��
Size: - Virtual size:
Rootkits/bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a.exe
.sys windows:10 windows x64

a04dde371e3d8553c4d92d3a20a5989c

Code Sign

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:15

Not After

02-12-2021 22:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c5:65:36:f9:92:07:91:5e:5a:1f:7d:4f:01:4a:b9:42:bd:82:0e:64:ff:7f:37:1a:d0:46:2e:f2:6e:d2:72:42
Signer

Actual PE Digest

c5:65:36:f9:92:07:91:5e:5a:1f:7d:4f:01:4a:b9:42:bd:82:0e:64:ff:7f:37:1a:d0:46:2e:f2:6e:d2:72:42

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fwpkclnt.sys

FwpmFilterAdd0
FwpmFilterDeleteById0
FwpsAcquireClassifyHandle0
FwpmCalloutAdd0
FwpsCompleteClassify0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsReleaseClassifyHandle0
FwpsCalloutRegister1

ntoskrnl.exe

IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
sprintf
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
MmIsAddressValid
strlen
strncmp
strncpy
wcscat
wcslen
wcsncmp
RtlInitAnsiString
strcat
strcmp
strncat
IoAllocateIrp
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
wcscpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeResetEvent
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
PsProcessType
SeExports
strchr
strncpy_s
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
__C_specific_handler
IofCallDriver
ExAllocatePoolWithTag
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
IoDeleteSymbolicLink
KeBugCheckEx
RtlCopyUnicodeString
ExFreePoolWithTag
RtlInitUnicodeString
strcpy
strstr

netio.sys

WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
WskRegister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/bf909c34e676e9da0004e6fe8ed640380cc9b658d4d4e5e30f29fa16fadf8102.exe
.exe windows:5 windows x86

d6646ef1d27c1863da9c1f15f209b625

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
CreateErrorInfo
SafeArrayPtrOfIndex

advapi32

RegQueryValueExA
RegQueryValueExA
StartServiceA

user32

GetKeyboardType
CreateWindowExA
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

kernel32

GetACP
TlsSetValue
GetVersionExA
GetVersion
Sleep
GetVersionExA
FindFirstChangeNotificationA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

gdi32

UnrealizeObject

version

VerQueryValueA

mpr

WNetGetConnectionA

ole32

CreateStreamOnHGlobal
CLSIDFromString
CoUninitialize
CoCreateInstance
DoDragDrop

comctl32

_TrackMouseEvent

shell32

ShellExecuteA
SHGetSpecialFolderLocation
SHGetMalloc
SHGetInstanceExplorer

comdlg32

GetOpenFileNameA

wsock32

WSACleanup

gdiplus

GdipDrawImageRect

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 67KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 156B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 8.7MB - Virtual size: 8.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 245KB - Virtual size: 4.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7.exe
.exe windows:4 windows x86

8dab5adbb7713839714005d50ba76bb8

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

LoadLibraryA
GetProcAddress
WaitForSingleObject
CreateFileA
WriteFile
CloseHandle
WideCharToMultiByte
Sleep
DeleteFileA
GetCurrentProcess
TerminateProcess
GetModuleHandleA
GetFileAttributesExA
lstrlenW
GetProcessHeap
HeapAlloc
GetLastError
HeapFree
SetUnhandledExceptionFilter

msvcrt

memset
strlen
wcslen
malloc
strcmp
free
memcpy
_controlfp
__set_app_type
__getmainargs
exit

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 107KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Rootkits/c5b5abe2a0e555aa8894d510e2cbe7e935661ddd9025a45553aa3b6adea27709.exe
.exe windows:4 windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vdata
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Rootkits/cb8e536680732b474a5c26970ace2087667622caa3dd82c1c56731a7c5a1c8ce.exe
.exe windows:6 windows x86

abf3c9fa5452a2214a167cac8c6a73de

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

09:88:b7:a5:2e:7c:d2:a6:f5:a0:fb:ce:3e:32:83:ff
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

17-07-2019 00:00

Not After

01-10-2021 12:00

Subject

CN=Docker Inc,O=Docker Inc,L=San Francisco,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22-10-2013 12:00

Not After

22-10-2028 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ff:28:4e:41:b3:03:db:67:ae:fc:f2:23:28:b5:37:12:a8:05:52:74:1b:df:27:07:cd:c5:3c:4a:56:db:61:aa
Signer

Actual PE Digest

ff:28:4e:41:b3:03:db:67:ae:fc:f2:23:28:b5:37:12:a8:05:52:74:1b:df:27:07:cd:c5:3c:4a:56:db:61:aa

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WaitForSingleObject
GetModuleHandleA
MultiByteToWideChar
Sleep
GetLastError
CreateFileA
DeleteFileA
CloseHandle
HeapAlloc
CreateWaitableTimerA
GetProcAddress
OpenFile
WideCharToMultiByte
SetUnhandledExceptionFilter
WriteConsoleW
CreateFileW
HeapReAlloc
HeapSize
SetFilePointerEx
GetFileSizeEx
GetConsoleMode
GetConsoleOutputCP
TerminateProcess
WriteFile
lstrlenW
GetCurrentProcess
HeapFree
GetProcessHeap
SetWaitableTimer
FlushFileBuffers
GetStringTypeW
SetStdHandle
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
RtlUnwind
RaiseException
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
GetStdHandle
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
CompareStringW
LCMapStringW
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
DecodePointer

shell32

ShellExecuteExA
SHGetSpecialFolderPathA

user32

PeekMessageA
TranslateMessage
wsprintfA
MsgWaitForMultipleObjects
DispatchMessageA

advapi32

AdjustTokenPrivileges
RegCloseKey
RegCreateKeyExW
OpenProcessToken
RegQueryValueExW
LookupPrivilegeValueW

ntdll

NtLoadDriver

wininet

InternetOpenA
InternetReadFile
HttpQueryInfoA
HttpOpenRequestA
InternetCrackUrlA
HttpSendRequestA
InternetCloseHandle
InternetConnectA

Sections

.text
Size: 71KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/cc4864a25a305759921b73d753116873493f2c526a396839d4da6815492299d8.exe
.exe windows:6 windows x64

9b2d965b423ace685c16b9ae081246f7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetCurrentProcessId
LoadLibraryW
GetProcAddress
WaitNamedPipeW
GetLastError
CreateFileW
ReadFile
WriteFile
GetModuleHandleA
LoadLibraryA
GetPrivateProfileStringW
WritePrivateProfileStringW
GetModuleHandleW
FindResourceW
LoadResource
SizeofResource
LockResource
Sleep
GetModuleFileNameW
LoadLibraryExW
FreeLibrary
MultiByteToWideChar
WinExec
GetCurrentProcess
IsWow64Process
SetLastError
ResumeThread
WaitForSingleObject
GetFileSizeEx
LocalFree
GetTempPathW
CreateDirectoryW
WriteConsoleW
HeapSize
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetFileAttributesW
CloseHandle
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetTimeZoneInformation
HeapReAlloc
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
WideCharToMultiByte
GetStringTypeW
WaitForSingleObjectEx
GetCurrentThreadId
GetExitCodeThread
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
QueryPerformanceCounter
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetSystemTimeAsFileTime
CompareStringEx
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ExitProcess
GetModuleHandleExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetStdHandle
HeapFree
HeapAlloc
SetFilePointerEx
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
CompareStringW
LCMapStringW
GetLocaleInfoW

user32

MessageBoxA
MessageBoxW

advapi32

SetEntriesInAclW
ConvertStringSidToSidW
GetNamedSecurityInfoW
SetNamedSecurityInfoW

shell32

SHGetFolderPathW

oleaut32

SafeArrayCreate
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayCreateVector
SafeArrayDestroy

mscoree

CorBindToRuntime
CLRCreateInstance

wininet

InternetReadFile
InternetOpenUrlA
InternetOpenA

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

winmm

PlaySoundW

Sections

.text
Size: 343KB - Virtual size: 343KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 721KB - Virtual size: 720KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/cc5abd771e2f2939295359eae96e62b3a7da41689222b0349b8caf91bd5e385b.exe
.exe windows:5 windows x86

e07989e77f93c45ef3b9da49cc5892a4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
CreateErrorInfo
SafeArrayPtrOfIndex

advapi32

RegQueryValueExA
RegQueryValueExA
StartServiceA

user32

GetKeyboardType
CreateWindowExA
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

kernel32

GetACP
TlsSetValue
GetVersionExA
GetVersion
Sleep
FindFirstChangeNotificationA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

gdi32

UnrealizeObject

version

VerQueryValueA

mpr

WNetGetConnectionA

ole32

CreateStreamOnHGlobal
CLSIDFromString
CoUninitialize
CoCreateInstance
DoDragDrop

comctl32

_TrackMouseEvent

shell32

ShellExecuteA
SHGetSpecialFolderLocation
SHGetMalloc
SHGetInstanceExplorer

comdlg32

GetOpenFileNameA

wsock32

WSACleanup

gdiplus

GdipDrawImageRect

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 39KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 156B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 8.6MB - Virtual size: 8.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 245KB - Virtual size: 4.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/cce24ebdd344c8184dbaa0a0c4a65c7d952a11f6608fe23d562a4d1178915eac.exe
.sys windows:10 windows x64

d6a4334c9382300a35dacac864031c1b

Code Sign

33:00:00:00:43:3a:68:18:9e:33:90:29:87:00:00:00:00:00:43
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:25

Not After

02-12-2021 22:25

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

14:a6:0b:19:79:7c:5b:1a:20:5c:1a:49:a3:fe:5b:d2:60:83:07:ef:91:db:55:b0:86:80:f8:e2:a0:82:19:95
Signer

Actual PE Digest

14:a6:0b:19:79:7c:5b:1a:20:5c:1a:49:a3:fe:5b:d2:60:83:07:ef:91:db:55:b0:86:80:f8:e2:a0:82:19:95

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fltmgr.sys

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltAllocatePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltReadFile
FltQueryInformationFile
FltSetInformationFile

netio.sys

WskCaptureProviderNPI
WskDeregister
WskRegister

ntoskrnl.exe

RtlAssert
RtlInitUnicodeString
DbgPrint
KeInitializeEvent
KeSetEvent
KeDelayExecutionThread
KeWaitForSingleObject
KeQueryTimeIncrement
ExAllocatePool
ExFreePoolWithTag
MmProbeAndLockPages
MmUnlockPages
IoAllocateIrp
IoAllocateMdl
IoCancelIrp
IoFreeIrp
IoFreeMdl
__C_specific_handler
KeInitializeMutex
KeReleaseMutex
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
ZwCreateFile
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
ZwDeleteFile
RtlCompareUnicodeString
RtlCopyUnicodeString
ObfDereferenceObject
PsGetProcessId
ZwCreateKey
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByHandle
ZwOpenFile
PsGetCurrentThreadId
IoQueryFileDosDeviceName
sprintf_s
IoFileObjectType
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
PsGetCurrentProcessId
PsGetThreadId
IoThreadToProcess
ObReferenceObjectByName
IoDriverObjectType
ExGetPreviousMode
CmRegisterCallback
CmUnRegisterCallback
MmIsAddressValid
ObQueryNameString
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExInitializeResourceLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
RtlInitializeGenericTable
RtlDeleteElementGenericTable
RtlGetElementGenericTable
RtlIsGenericTableEmpty
ZwDeviceIoControlFile
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
RtlUnicodeToMultiByteN
RtlAnsiCharToUnicodeChar
KeBugCheckEx

Sections

.text
Size: 327KB - Virtual size: 326KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 200KB - Virtual size: 206KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 512B - Virtual size: 245B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.CHG0
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 292B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 736B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/cdbd808ab00449a102966c8e6443a4267ef6c70df08e711efa783e60e7ea3776.exe
.exe windows:4 windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 4.4MB - Virtual size: 4.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/cf16d17a2f592979b874fc68bf568466ee5bd6d7839ec3f49820cf09e946d196.exe
.exe windows:5 windows x86

d6646ef1d27c1863da9c1f15f209b625

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
CreateErrorInfo
SafeArrayPtrOfIndex

advapi32

RegQueryValueExA
RegQueryValueExA
StartServiceA

user32

GetKeyboardType
CreateWindowExA
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

kernel32

GetACP
TlsSetValue
GetVersionExA
GetVersion
Sleep
GetVersionExA
FindFirstChangeNotificationA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

gdi32

UnrealizeObject

version

VerQueryValueA

mpr

WNetGetConnectionA

ole32

CreateStreamOnHGlobal
CLSIDFromString
CoUninitialize
CoCreateInstance
DoDragDrop

comctl32

_TrackMouseEvent

shell32

ShellExecuteA
SHGetSpecialFolderLocation
SHGetMalloc
SHGetInstanceExplorer

comdlg32

GetOpenFileNameA

wsock32

WSACleanup

gdiplus

GdipDrawImageRect

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 67KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 156B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 8.7MB - Virtual size: 8.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 245KB - Virtual size: 4.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rootkits/d0a03a8905c4f695843bc4e9f2dd062b8fd7b0b00103236b5187ff3730750540.exe
.exe windows:4 windows x86

7de9cfe0bdee43624ca3dd090f8a405c

Code Sign

33:00:00:01:e2:f1:7d:92:02:0e:49:f8:7f:00:00:00:00:01:e2
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:31

Not After

02-12-2021 21:31

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08-07-2011 20:59

Not After

08-07-2026 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

2d:88:ac:88:c0:fd:37:bc:34:bf:54:74:79:c2:26:ab:c8:bf:f1:e9:e8:25:88:a4:2d:ba:d3:6f:f6:9c:98:0d
Signer

Actual PE Digest

2d:88:ac:88:c0:fd:37:bc:34:bf:54:74:79:c2:26:ab:c8:bf:f1:e9:e8:25:88:a4:2d:ba:d3:6f:f6:9c:98:0d

Digest Algorithm

sha256

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

LoadLibraryA
GetProcAddress
WaitForSingleObject
CreateFileA
WriteFile
CloseHandle
WideCharToMultiByte
Sleep
DeleteFileA
GetModuleHandleA
GetFileAttributesExA
FindFirstFileA
FindNextFileA
FindClose
GetModuleFileNameA
GetCommandLineA

msvcrt

memset
strlen
wcslen
malloc
strcmp
free
strstr
memcpy
_controlfp
__set_app_type
__getmainargs
exit

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Rootkits/d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe.exe
.exe windows:4 windows x86

8dab5adbb7713839714005d50ba76bb8

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

LoadLibraryA
GetProcAddress
WaitForSingleObject
CreateFileA
WriteFile
CloseHandle
WideCharToMultiByte
Sleep
DeleteFileA
GetCurrentProcess
TerminateProcess
GetModuleHandleA
GetFileAttributesExA
lstrlenW
GetProcessHeap
HeapAlloc
GetLastError
HeapFree
SetUnhandledExceptionFilter

msvcrt

memset
strlen
wcslen
malloc
strcmp
free
memcpy
_controlfp
__set_app_type
__getmainargs
exit

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 107KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Rootkits/dcb35eab5992bd212220a82532b97029a06e124f9c6320e1560f11d15ff4384c.exe
.exe windows:4 windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 225KB - Virtual size: 225KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37.exe
.sys windows:10 windows x86

5ab8e64ecec77f478246cc79c527ff07

Code Sign

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:15

Not After

02-12-2021 22:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3d:31:11:8a:2e:92:37:7e:cb:63:2b:d7:22:13:2c:04:af:4e:65:e2:4f:f8:77:43:79:6c:75:eb:07:cf:cd:71
Signer

Actual PE Digest

3d:31:11:8a:2e:92:37:7e:cb:63:2b:d7:22:13:2c:04:af:4e:65:e2:4f:f8:77:43:79:6c:75:eb:07:cf:cd:71

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

fwpkclnt.sys

FwpsAcquireClassifyHandle0
FwpsReleaseClassifyHandle0
FwpmFilterDeleteById0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmFilterAdd0
FwpmCalloutAdd0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsCompleteClassify0
FwpsCalloutRegister1

ntoskrnl.exe

IofCallDriver
IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
sprintf
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
MmIsAddressValid
strlen
strncmp
strncpy
wcscat
wcslen
wcsncmp
RtlInitAnsiString
strcat
strcmp
strncat
ExAllocatePoolWithTag
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
wcscpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeResetEvent
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
_allmul
PsProcessType
SeExports
strchr
strncpy_s
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
IoAllocateIrp
RtlUnwind
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
KeGetCurrentThread
IoDeleteSymbolicLink
KeBugCheckEx
ExFreePoolWithTag
RtlInitUnicodeString
RtlCopyUnicodeString
strcpy
memset
memcpy
strstr

netio.sys

WskDeregister
WskReleaseProviderNPI
WskCaptureProviderNPI
WskRegister

hal

KeGetCurrentIrql

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/e8b7f42d544fe8b954c4021315cff2fdd44d67d11704009cdf3037d34e0c0a93.exe
.exe windows:6 windows x64

b65793dad44f385e9af496f0f3c49eb7

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7f:42:ed:a7:0d:e0:3f:fd:52:8e:0c:3d:6e:dc:e6:f0:ee:b5:73:c3:7e:2e:63:38:c8:53:50:27:5e:6e:86:a5
Signer

Actual PE Digest

7f:42:ed:a7:0d:e0:3f:fd:52:8e:0c:3d:6e:dc:e6:f0:ee:b5:73:c3:7e:2e:63:38:c8:53:50:27:5e:6e:86:a5

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

socket
closesocket
recv
send
connect
setsockopt
WSAStartup

kernel32

GetModuleFileNameW
WriteConsoleW
CloseHandle
CreateFileW
SetFilePointerEx
TerminateProcess
VirtualAlloc
CreateThread
Sleep
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
GetConsoleMode
RtlUnwindEx
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
RaiseException
GetStdHandle
WriteFile
GetCurrentProcess
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetFileType
GetStringTypeW
CompareStringW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP

Sections

.text
Size: 295KB - Virtual size: 294KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/ed516fc2448dad8c157d2ff3d23088bf25fd92ecd809a1f01ec41c927c2cb5ec.exe
.exe windows:6 windows x64

cae0bc9b82979859f8d80de8b7d9c78b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

Wow64RevertWow64FsRedirection
GetFileAttributesA
CreateFileA
GetSystemDirectoryA
HeapReAlloc
RaiseException
HeapAlloc
HeapDestroy
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
WideCharToMultiByte
GetTickCount
MultiByteToWideChar
LocalFree
SizeofResource
HeapSize
WriteFile
TerminateProcess
LeaveCriticalSection
InitializeCriticalSection
FindResourceA
CreateMutexA
GetVolumeInformationA
LockResource
CreateThread
FindResourceExW
LoadResource
FindResourceW
CreateDirectoryA
AllocConsole
RtlLookupFunctionEntry
OutputDebugStringW
InitializeSListHead
GetCurrentThreadId
InitializeCriticalSectionEx
DeviceIoControl
Wow64DisableWow64FsRedirection
HeapFree
Sleep
GetModuleFileNameA
GetLocalTime
CloseHandle
GetLastError
EnterCriticalSection
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsDebuggerPresent
GetProcAddress
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
IsProcessorFeaturePresent
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext

advapi32

RegCloseKey
RegDeleteKeyA
RegQueryValueExA
RegCreateKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
CreateServiceA
CloseServiceHandle
OpenSCManagerA
StartServiceA
OpenServiceA

ole32

CoCreateInstance
OleRun
CoInitialize

oleaut32

SysAllocString
VariantInit
SysFreeString
SafeArrayPutElement
VariantCopy
SafeArrayCreate
VariantClear
GetErrorInfo

msvcp140

?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
??Bid@locale@std@@QEAA_KXZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?do_encoding@?$codecvt@_WDU_Mbstatet@@@std@@MEBAHXZ
?do_max_length@?$codecvt@_WDU_Mbstatet@@@std@@MEBAHXZ
?do_always_noconv@?$codecvt@_WDU_Mbstatet@@@std@@MEBA_NXZ
?do_length@?$codecvt@_WDU_Mbstatet@@@std@@MEBAHAEAU_Mbstatet@@PEBD1_K@Z
?do_unshift@?$codecvt@_WDU_Mbstatet@@@std@@MEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?do_out@?$codecvt@_WDU_Mbstatet@@@std@@MEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?do_in@?$codecvt@_WDU_Mbstatet@@@std@@MEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@AEBV_Locinfo@1@_K@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z

shlwapi

SHSetValueA

vcruntime140

memchr
__CxxFrameHandler3
__std_exception_destroy
__std_exception_copy
memcmp
strstr
strrchr
__C_specific_handler
_CxxThrowException
memset
memmove
__std_terminate
memcpy

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-stdio-l1-1-0

feof
getchar
fgets
__p__commode
freopen
fopen
_set_fmode
__acrt_iob_func
fclose
__stdio_common_vsprintf
fwrite
__stdio_common_vfprintf

api-ms-win-crt-convert-l1-1-0

_ui64toa

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo
_register_thread_local_exe_atexit_callback
_c_exit
_errno
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
terminate
_seh_filter_exe
_set_app_type
_invalid_parameter_noinfo_noreturn
_get_initial_narrow_environment
_initterm
_initterm_e
exit
_exit
__p___argv
__p___argc

api-ms-win-crt-utility-l1-1-0

srand
rand

api-ms-win-crt-time-l1-1-0

_mktime64
_time64

api-ms-win-crt-string-l1-1-0

_strupr

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
free
_set_new_mode

api-ms-win-crt-math-l1-1-0

__setusermatherr

Sections

.text
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/f62ce3383afe1b36d60c834b9e6bd09263fb8794c626bc42fcbb25a062e76c42.exe
.exe windows:6 windows x64

218e2701c0e259f74bac46862066af7e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ole32

OleRun
CoInitialize
CoCreateInstance

oleaut32

VariantClear
SafeArrayCreate
VariantCopy
SafeArrayPutElement
SysFreeString
VariantInit
SysAllocString
GetErrorInfo

kernel32

SetFilePointerEx
ReadConsoleW
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetCommandLineW
GetCommandLineA
GetStdHandle
GetModuleFileNameW
GetModuleHandleExW
ExitProcess
LoadLibraryExW
FreeLibrary
ReadFile
GetLastError
CloseHandle
GetLocalTime
GetModuleFileNameA
Sleep
HeapFree
Wow64DisableWow64FsRedirection
DeviceIoControl
InitializeCriticalSectionEx
CreateFileW
GetCurrentThreadId
HeapSize
Wow64RevertWow64FsRedirection
GetFileAttributesA
CreateFileA
GetSystemDirectoryA
HeapReAlloc
RaiseException
HeapAlloc
DecodePointer
HeapDestroy
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
WideCharToMultiByte
GetTickCount
GetTimeZoneInformation
LocalFree
SizeofResource
EnterCriticalSection
WriteFile
TerminateProcess
LeaveCriticalSection
InitializeCriticalSection
FindResourceA
CreateMutexA
GetVolumeInformationA
LockResource
CreateThread
FindResourceExW
LoadResource
FindResourceW
CreateDirectoryA
AllocConsole
SetLastError
RtlUnwind
CreateEventW
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
EncodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
SetEvent
ResetEvent
WaitForSingleObjectEx
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
OutputDebugStringW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
SetEndOfFile
WriteConsoleW
MultiByteToWideChar
InitializeCriticalSectionAndSpinCount
RtlPcToFileHeader
RtlUnwindEx

advapi32

RegCloseKey
RegDeleteKeyA
RegQueryValueExA
RegCreateKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
CreateServiceA
CloseServiceHandle
OpenSCManagerA
StartServiceA
OpenServiceA

shlwapi

SHSetValueA

Sections

.text
Size: 427KB - Virtual size: 427KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 141KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca.exe
.sys windows:10 windows x64

a04dde371e3d8553c4d92d3a20a5989c

Code Sign

33:00:00:00:b5:21:3f:ca:1e:4a:a0:3d:e4:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:15

Not After

02-12-2021 22:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18-04-2012 23:48

Not After

18-04-2027 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

09:88:d3:66:57:2a:57:b3:01:5d:87:5b:60:70:45:17:d0:51:15:58:06:78:e8:f2:e1:26:f7:71:ed:a2:8f:7b
Signer

Actual PE Digest

09:88:d3:66:57:2a:57:b3:01:5d:87:5b:60:70:45:17:d0:51:15:58:06:78:e8:f2:e1:26:f7:71:ed:a2:8f:7b

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fwpkclnt.sys

FwpmFilterAdd0
FwpmFilterDeleteById0
FwpsAcquireClassifyHandle0
FwpmCalloutAdd0
FwpsCompleteClassify0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
FwpmSubLayerDeleteByKey0
FwpmSubLayerAdd0
FwpmTransactionAbort0
FwpmTransactionCommit0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsCalloutUnregisterById0
FwpsReleaseClassifyHandle0
FwpsCalloutRegister1

ntoskrnl.exe

IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
sprintf
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
MmIsAddressValid
strlen
strncmp
strncpy
wcscat
wcslen
wcsncmp
RtlInitAnsiString
strcat
strcmp
strncat
IoAllocateIrp
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
wcscpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeResetEvent
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
PsProcessType
SeExports
strchr
strncpy_s
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
__C_specific_handler
IofCallDriver
ExAllocatePoolWithTag
KeWaitForSingleObject
KeSetEvent
KeInitializeEvent
IoDeleteSymbolicLink
KeBugCheckEx
RtlCopyUnicodeString
ExFreePoolWithTag
RtlInitUnicodeString
strcpy
strstr

netio.sys

WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
WskRegister

wdfldr.sys

WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionUnbind

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rootkits/fd765103cd948bd0099cc05782348f2b425441a87a7f38f1bfcdb185aecca84d.exe
.sys windows:10 windows x64

d6a4334c9382300a35dacac864031c1b

Code Sign

33:00:00:00:43:3a:68:18:9e:33:90:29:87:00:00:00:00:00:43
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 22:25

Not After

02-12-2021 22:25

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-10-2014 20:31

Not After

15-10-2029 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f5:92:79:89:63:e3:c3:e9:f0:59:52:f0:1c:0c:43:30:43:70:1f:c4:f0:ec:67:4e:fa:1d:45:f5:b5:4a:08:b3
Signer

Actual PE Digest

f5:92:79:89:63:e3:c3:e9:f0:59:52:f0:1c:0c:43:30:43:70:1f:c4:f0:ec:67:4e:fa:1d:45:f5:b5:4a:08:b3

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fltmgr.sys

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltAllocatePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltReadFile
FltQueryInformationFile
FltSetInformationFile

netio.sys

WskCaptureProviderNPI
WskDeregister
WskRegister

ntoskrnl.exe

RtlAssert
RtlInitUnicodeString
DbgPrint
KeInitializeEvent
KeSetEvent
KeDelayExecutionThread
KeWaitForSingleObject
KeQueryTimeIncrement
ExAllocatePool
ExFreePoolWithTag
MmProbeAndLockPages
MmUnlockPages
IoAllocateIrp
IoAllocateMdl
IoCancelIrp
IoFreeIrp
IoFreeMdl
__C_specific_handler
KeInitializeMutex
KeReleaseMutex
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
ZwCreateFile
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
ZwDeleteFile
RtlCompareUnicodeString
RtlCopyUnicodeString
ObfDereferenceObject
PsGetProcessId
ZwCreateKey
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByHandle
ZwOpenFile
PsGetCurrentThreadId
IoQueryFileDosDeviceName
sprintf_s
IoFileObjectType
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
PsGetCurrentProcessId
PsGetThreadId
IoThreadToProcess
ObReferenceObjectByName
IoDriverObjectType
ExGetPreviousMode
CmRegisterCallback
CmUnRegisterCallback
MmIsAddressValid
ObQueryNameString
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExInitializeResourceLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
RtlInitializeGenericTable
RtlDeleteElementGenericTable
RtlGetElementGenericTable
RtlIsGenericTableEmpty
ZwDeviceIoControlFile
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
RtlUnicodeToMultiByteN
RtlAnsiCharToUnicodeChar
KeBugCheckEx

Sections

.text
Size: 327KB - Virtual size: 326KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 200KB - Virtual size: 206KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 512B - Virtual size: 245B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.CHG0
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 292B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 736B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

f6899eb0c1456c845aee20b591c73298

Headers

File Characteristics

Imports

kernel32

shell32

msvcrt

Sections

.data Size: 7KB - Virtual size: 7KB

.rsrc Size: 28KB - Virtual size: 28KB

Password: infected

298dcf923984bab305f7bca926228b11

Code Sign

4b:f9:fc:cd:90:8c:24:4d:bb:fe:bb:b7:75:73:81:55Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

08:8c:ab:60:f7:d8:b2:02:e8:04:2c:fb:51:ac:3a:ba:b1:a3:d6:17Signer

Headers

File Characteristics

Imports

kernel32

advapi32

shell32

msvcrt

Sections

.text Size: 4KB - Virtual size: 2KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 64KB - Virtual size: 60KB

.rsrc Size: 4KB - Virtual size: 1KB

Password: infected

b9cd9f330c63bf88f4256d6a13e4217d

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

55:21:db:26:ce:0c:b3:e4Certificate

Extended Key Usages

Key Usages

04Certificate

Extended Key Usages

Key Usages

bd:0f:5e:71:6a:dc:aa:d0:ec:59:a8:e9:77:da:b8:93:8b:fd:12:b3Signer

Headers

File Characteristics

Imports

kernel32

advapi32

shell32

msvcrt

Sections

.text Size: 4KB - Virtual size: 3KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 36KB - Virtual size: 32KB

.rsrc Size: 4KB - Virtual size: 1KB

Password: infected

218e2701c0e259f74bac46862066af7e

Headers

DLL Characteristics

File Characteristics

Imports

ole32

oleaut32

kernel32

advapi32

shlwapi

Sections

.data
Size: 7KB - Virtual size: 7KB

.rsrc
Size: 28KB - Virtual size: 28KB

4b:f9:fc:cd:90:8c:24:4d:bb:fe:bb:b7:75:73:81:55
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

08:8c:ab:60:f7:d8:b2:02:e8:04:2c:fb:51:ac:3a:ba:b1:a3:d6:17
Signer

.text
Size: 4KB - Virtual size: 2KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 64KB - Virtual size: 60KB

.rsrc
Size: 4KB - Virtual size: 1KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

55:21:db:26:ce:0c:b3:e4
Certificate

04
Certificate

bd:0f:5e:71:6a:dc:aa:d0:ec:59:a8:e9:77:da:b8:93:8b:fd:12:b3
Signer

.text
Size: 4KB - Virtual size: 3KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 36KB - Virtual size: 32KB

.rsrc
Size: 4KB - Virtual size: 1KB

.text
Size: 428KB - Virtual size: 427KB

.rdata
Size: 141KB - Virtual size: 140KB

.data
Size: 14KB - Virtual size: 42KB

.pdata
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 2.6MB - Virtual size: 2.6MB

.reloc
Size: 4KB - Virtual size: 4KB

.text
Size: 55KB - Virtual size: 54KB

.rdata
Size: 41KB - Virtual size: 40KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 4KB - Virtual size: 3KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 140KB - Virtual size: 139KB

.reloc
Size: 2KB - Virtual size: 1KB

33:00:00:00:c4:50:21:ba:6e:d8:5a:72:ad:00:00:00:00:00:c4
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

bc:dd:35:0b:83:cf:67:2a:93:71:c7:02:8f:0a:26:57:5d:7a:ef:0c:f5:8f:98:96:05:8c:d8:b3:bb:88:68:03
Signer

.text
Size: 49KB - Virtual size: 48KB

.rdata
Size: 35KB - Virtual size: 34KB

.data
Size: 3KB - Virtual size: 6KB

.pdata
Size: 4KB - Virtual size: 3KB

.00cfg
Size: 512B - Virtual size: 40B

.gehcont
Size: 512B - Virtual size: 28B

.voltbl
Size: 512B - Virtual size: 42B

_RDATA
Size: 512B - Virtual size: 252B

.rsrc
Size: 512B - Virtual size: 424B

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 129KB - Virtual size: 129KB

.rdata
Size: 62KB - Virtual size: 61KB

.data
Size: 3KB - Virtual size: 44KB

.pdata
Size: 7KB - Virtual size: 7KB

.gfids
Size: 512B - Virtual size: 172B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB