MsSense[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

MsSense.exe
Size

1.8MB
MD5

ddbee07ef57af98c895409ee08ad8235
SHA1

579437e6f9103fff9ee7b9011b0e5713a67fa5df
SHA256

c188e0ce421a1ebe4b8a46db00f302d5734c03215af49fc8c797b24f7459f765
SHA512

d483c34ac9ad0ad001e85f4f5ecd18d947215654e3182c94b588c95bc8f13d3503f8bdf805081c6c87dcef060008a7ef94bc14e293aad0a551f4a473a8aff70e
SSDEEP

24576:aOZp+U5czpfueMXBgRK5mILpeSyPdhJN2NEFF6inVu76VF8gGw/I47bOVuC:tX5GYxgRJKyPWW60u7gmgjfOVuC

Score

1^/10

Malware Config

Signatures

Files

MsSense.exe
.exe windows:10 windows x86

b2a39f83d84e767fb43aa83f05ea47c1

Code Sign

33:00:00:00:98:04:58:cb:7f:23:09:b0:9e:00:00:00:00:00:98
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:7AFA-E41C-E142,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:6a:a4:88:99:4e:3b:93:9b:d1:00:00:00:00:00:6a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/02/2016, 01:25

Not After

12/05/2017, 01:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

20:30:34:ee:99:fc:a1:9e:44:3f:bb:16:38:6f:7c:2a:c2:59:ab:bb:05:c4:5a:47:5f:91:29:1f:ee:f4:72:eb
Signer

Actual PE Digest

20:30:34:ee:99:fc:a1:9e:44:3f:bb:16:38:6f:7c:2a:c2:59:ab:bb:05:c4:5a:47:5f:91:29:1f:ee:f4:72:eb

Digest Algorithm

sha256

PE Digest Matches

true

d1:61:0e:54:ae:cb:89:18:7f:ec:f7:61:34:d1:34:ad:5a:7f:47:55
Signer

Actual PE Digest

d1:61:0e:54:ae:cb:89:18:7f:ec:f7:61:34:d1:34:ad:5a:7f:47:55

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

EventWriteTransfer
EventUnregister
EventSetInformation
EventRegister
EventWrite
SetServiceStatus
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
CloseTrace
EventActivityIdControl
ConvertStringSidToSidW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegGetValueW
RegDeleteValueW
RegCreateKeyExW
RegCloseKey
RegNotifyChangeKeyValue
OpenServiceW
QueryServiceConfig2W
ChangeServiceConfigW
StartServiceW
ControlService
ChangeServiceConfig2W
OpenSCManagerW
CloseServiceHandle
QueryServiceStatus
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
GetTokenInformation
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
LookupAccountSidW
ConvertSidToStringSidW
CryptReleaseContext
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptVerifySignatureW
CryptDestroyHash
EqualSid
GetLengthSid
ProcessTrace
EnableTraceEx2
OpenTraceW
StartTraceW
ControlTraceW

kernel32

CreateEventW
GetEnabledXStateFeatures
GetCurrentProcess
SetFilePointer
FreeLibrary
GetEnvironmentVariableW
MoveFileExW
GetOverlappedResult
DeleteFileW
GetFileInformationByHandle
GetFinalPathNameByHandleW
DeviceIoControl
ExpandEnvironmentStringsW
GetFileSizeEx
TerminateProcess
GetProcessTimes
QueryFullProcessImageNameW
ReadProcessMemory
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
OpenProcess
DuplicateHandle
RaiseException
CreateThreadpoolWait
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
CloseThreadpoolWait
GetFileAttributesW
GetExitCodeProcess
GetTempFileNameW
CreateFileW
GetTempPathW
WriteFile
ReadFile
FindClose
FindNextFileW
FindFirstFileW
CreateDirectoryW
ResetEvent
GetModuleFileNameW
LoadLibraryW
CreateProcessW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
SetHandleInformation
GetSystemDirectoryW
GetTickCount64
GetSystemInfo
IsWow64Process
GetVersionExW
QueryPerformanceFrequency
GetCurrentThread
SystemTimeToFileTime
GetComputerNameExW
Sleep
TerminateThread
SwitchToThread
WaitForMultipleObjects
LocalFree
CreateEventExW
CompareFileTime
CreateThreadpoolTimer
InitializeConditionVariable
InitializeCriticalSection
WakeConditionVariable
SleepConditionVariableCS
SetThreadPriority
CreateThread
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
AcquireSRWLockShared
ReleaseSRWLockShared
RegisterWaitForSingleObject
RegisterWaitUntilOOBECompleted
UnregisterWaitUntilOOBECompleted
InitializeCriticalSectionEx
UnregisterWait
InitOnceBeginInitialize
InitOnceComplete
SetEvent
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LoadLibraryExW
GetProcessHeap
GetCurrentProcessId
CreateMutexExW
GetProcAddress
HeapAlloc
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
OutputDebugStringW
GetLastError
FormatMessageW
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
GetModuleHandleExW
ReleaseSemaphore
SetLastError
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
GetFileInformationByHandleEx

msvcp_win

?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAE?AVlocale@2@ABV32@@Z
?classic@locale@std@@SAABV12@XZ
?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z
?_XGetLastError@std@@YAXXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ
_Wcscoll
_Wcsxfrm
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$collate@_W@std@@2V0locale@2@A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z
?tolower@?$ctype@_W@std@@QBE_W_W@Z
?is@?$ctype@_W@std@@QBE_NF_W@Z
??1facet@locale@std@@MAE@XZ
??0facet@locale@std@@IAE@I@Z
??1_Locinfo@std@@QAE@XZ
??0_Locinfo@std@@QAE@PBD@Z
?_Xinvalid_argument@std@@YAXPBD@Z
?id@?$numpunct@D@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QAE?AVlocale@2@ABV32@@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?exceptions@ios_base@std@@QAEXH@Z
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?narrow@?$ctype@D@std@@QBEDDD@Z
?widen@?$ctype@D@std@@QBEDD@Z
?tolower@?$ctype@D@std@@QBEDD@Z
?_Gettrue@_Locinfo@std@@QBEPBDXZ
?_Getfalse@_Locinfo@std@@QBEPBDXZ
?_Getlconv@_Locinfo@std@@QBEPBUlconv@@XZ
?_Getcvt@_Locinfo@std@@QBE?AU_Cvtvec@@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ
_Thrd_id
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Mtx_destroy
?_Xbad_alloc@std@@YAXXZ
?_Syserror_map@std@@YAPBDH@Z
?_Winerror_message@std@@YAKKPADK@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
?_Xout_of_range@std@@YAXPBD@Z
_Cnd_destroy
_Cnd_signal
_Cnd_wait
_Cnd_init
_Mtx_unlock
_Mtx_lock
_Mtx_init
_Thrd_join
_Thrd_start
?_Throw_C_error@std@@YAXH@Z
?_Incref@facet@locale@std@@UAEXXZ
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
?_Addfac@_Locimp@locale@std@@AAEXPAVfacet@23@I@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PB_W1AAPB_WPAD3AAPAD@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QAE@I@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MAE@XZ
?_Xlength_error@std@@YAXPBD@Z
?uncaught_exception@std@@YA_NXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??4?$_Yarn@D@std@@QAEAAV01@PBD@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
_Query_perf_counter
_Query_perf_frequency
?_New_Locimp@_Locimp@locale@std@@CAPAV123@ABV123@@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AA_N@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AAO@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AA_K@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AA_J@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AAI@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AAH@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AAG@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@AAF@Z
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEXABVlocale@2@@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEPAV12@PA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPB_W_J@Z
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPA_W_J@Z
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JXZ
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEHXZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEGXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAE@XZ
?pbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXH@Z
?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXH@Z
?_BADOFF@std@@3_JB
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UAE@XZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ
??Bid@locale@std@@QAEIXZ
?id@?$ctype@_W@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
?toupper@?$ctype@_W@std@@QBEPB_WPA_WPB_W@Z
?tolower@?$ctype@_W@std@@QBEPB_WPA_WPB_W@Z
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCurrentException@@YAXPAX@Z
?__ExceptionPtrAssign@@YAXPAXPBX@Z
?__ExceptionPtrCreate@@YAXPAX@Z
?__ExceptionPtrCopy@@YAXPAXPBX@Z
?__ExceptionPtrRethrow@@YAXPBX@Z
?__ExceptionPtrToBool@@YA_NPBX@Z
?__ExceptionPtrDestroy@@YAXPAX@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEXXZ
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z
?_Winerror_map@std@@YAHH@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPA_W3AAPA_W@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_c_exit
_register_thread_local_exe_atexit_callback
_initterm

api-ms-win-crt-private-l1-1-0

_o__get_initial_wide_environment
_o__i64toa_s
_o__i64tow_s
_o__initialize_onexit_table
_o__initialize_wide_environment
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__isctype_l
_o__itoa_s
_o__itow_s
_o__malloc_base
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__ui64toa_s
_o__ui64tow_s
_o__wcsicmp
_o__wcsnicmp
_o__wcstod_l
_o_atoi
_o_calloc
_o_exit
_o_free
_o_isalpha
_o_isdigit
_o_iswspace
_o_isxdigit
_o_malloc
_o_memset
_o_rand
_o_realloc
_o_terminate
_o_tolower
_o_wcstoul
_except_handler4_common
_CxxThrowException
__CxxFrameHandler3
_o__free_locale
_o__free_base
_o__CIpow
_o__cexit
_o__callnewh
_o__atodbl
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___stdio_common_vfprintf
_o___std_type_info_name
_o___std_exception_destroy
_o___std_exception_copy
_o___pctype_func
_o___p__commode
_o___p___wargv
_o___p___argc
_o___acrt_iob_func
_o__exit
__std_type_info_compare
memmove
__std_terminate
_o__errno
_o__crt_atexit
_o__create_locale
_o__controlfp_s
_o__configure_wide_argv
_o__configthreadlocale
__RTDynamicCast
memcmp
memchr
strchr
wcsrchr
__RTtypeid
memcpy

api-ms-win-core-debug-l1-1-1

IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-2

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-2-0

InitializeSListHead

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW

mssecuser

SecDeleteSessionFilter
SecUnregisterConsumer
SecGetFileHashes
SecSetRegistryOperations
SecClearRegistryOperations
SecCreateSessionFilter
SecRegisterConsumer

api-ms-win-crt-string-l1-1-0

strnlen
strncmp
wcsncmp
wcsnlen

oleaut32

VariantClear
SysAllocString
SysStringLen
SysAllocStringLen
VariantInit
SysFreeString

ole32

CoRegisterPSClsid
CoCreateGuid
StringFromGUID2
CLSIDFromString
StringFromCLSID
CoTaskMemFree
StgOpenStorageEx
StgCreateStorageEx
CoWaitForMultipleHandles
IIDFromString
CoRegisterClassObject
CoUninitialize
CoCreateInstance
CoInitializeEx

version

GetFileVersionInfoSizeExW
GetFileVersionInfoW
GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeW

wtsapi32

WTSEnumerateSessionsExW
WTSFreeMemoryExW

ws2_32

WSACleanup
WSAStartup

dnsapi

DnsGetCacheDataTable
DnsQuery_W
DnsFree

tdh

TdhGetEventInformation
TdhGetProperty
TdhGetPropertySize

ntdll

NtQueryWnfStateData
RtlIpv4AddressToStringExW
NtOpenFile
RtlInitUnicodeString
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlIpv6AddressToStringExW

rpcrt4

NdrClientCall4
RpcExceptionFilter
RpcBindingFree
RpcStringBindingComposeW
RpcBindingFromStringBindingW
UuidFromStringW
UuidCreate
RpcStringFreeW
UuidToStringW

crypt32

CertFreeCertificateChain
CertAddCertificateContextToStore
CertOpenStore
CryptImportPublicKeyInfo
CertGetCertificateChain
CertCreateCertificateContext
CertFreeCertificateContext
CertVerifyCertificateChainPolicy
CertGetNameStringW
CertGetCertificateContextProperty
CryptStringToBinaryW
CertCloseStore

wintrust

WTHelperProvDataFromStateData
CryptCATAdminEnumCatalogFromHash
CryptCATAdminCalcHashFromFileHandle2
CryptCATAdminAcquireContext2
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseContext
WinVerifyTrustEx
WinVerifyTrust
WTHelperGetProvSignerFromChain
WTHelperGetProvCertFromChain

tbs

GetDeviceIDString

shell32

SHEvaluateSystemCommandTemplate
SHGetKnownFolderPath
CommandLineToArgvW

userenv

GetAllUsersProfileDirectoryW

cabinet

ord30
ord33
ord31
ord35

shlwapi

PathFindExtensionW
PathFileExistsW

propsys

VariantToFileTime

iphlpapi

GetAdaptersAddresses

api-ms-win-core-synch-l1-2-0

WakeByAddressSingle
WaitOnAddress

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateString
WindowsCreateStringReference

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 41KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 193B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b2a39f83d84e767fb43aa83f05ea47c1

Code Sign

33:00:00:00:98:04:58:cb:7f:23:09:b0:9e:00:00:00:00:00:98Certificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:6a:a4:88:99:4e:3b:93:9b:d1:00:00:00:00:00:6aCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

20:30:34:ee:99:fc:a1:9e:44:3f:bb:16:38:6f:7c:2a:c2:59:ab:bb:05:c4:5a:47:5f:91:29:1f:ee:f4:72:ebSigner

d1:61:0e:54:ae:cb:89:18:7f:ec:f7:61:34:d1:34:ad:5a:7f:47:55Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-interlocked-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

mssecuser

api-ms-win-crt-string-l1-1-0

oleaut32

ole32

version

wtsapi32

ws2_32

dnsapi

tdh

ntdll

rpcrt4

crypt32

wintrust

tbs

shell32

userenv

cabinet

shlwapi

propsys

iphlpapi

api-ms-win-core-synch-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.data Size: 41KB - Virtual size: 106KB

.idata Size: 20KB - Virtual size: 20KB

.tls Size: 512B - Virtual size: 193B

.rsrc Size: 8KB - Virtual size: 8KB

.reloc Size: 80KB - Virtual size: 79KB

33:00:00:00:98:04:58:cb:7f:23:09:b0:9e:00:00:00:00:00:98
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:6a:a4:88:99:4e:3b:93:9b:d1:00:00:00:00:00:6a
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

20:30:34:ee:99:fc:a1:9e:44:3f:bb:16:38:6f:7c:2a:c2:59:ab:bb:05:c4:5a:47:5f:91:29:1f:ee:f4:72:eb
Signer

d1:61:0e:54:ae:cb:89:18:7f:ec:f7:61:34:d1:34:ad:5a:7f:47:55
Signer

.text
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 41KB - Virtual size: 106KB

.idata
Size: 20KB - Virtual size: 20KB

.tls
Size: 512B - Virtual size: 193B

.rsrc
Size: 8KB - Virtual size: 8KB

.reloc
Size: 80KB - Virtual size: 79KB