MDE_File_Sample_d0c0f320832591cf958a6cabd030ff03f54a056b[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

MDE_File_Sample_d0c0f320832591cf958a6cabd030ff03f54a056b.zip
Size

5.6MB
MD5

4572831b92773b04a7c4a8577e5579ec
SHA1

d00226e5a4004eb4e90085197b00c09605115949
SHA256

d85b671a8d2859d7c8b9b5b32e7663dbd03780aba5cbf07048cc4eec030080cc
SHA512

d88e9c04ce7b58d7eb014bbbd0a914dd9ef5b7e2075b7b53e4a06dd92b62e576f8574a0618e867b44dc1636657dada8edba80ceb9e69124a96e7de93ded8cf45
SSDEEP

98304:4mUr8Zxdx9uJB54+vZhx1YEwDnLy9yrKnrkJALMzEGVMOM5EUrT5SHf:ZUrKxlu/5DPx1lcLgRnlAGrjr1mf

Score

1^/10

Malware Config

Signatures

Files

MDE_File_Sample_d0c0f320832591cf958a6cabd030ff03f54a056b.zip
.zip

Password: infected
ntoskrnl.exe
.sys windows:10 windows x64 arch:x64

cf27126b23ab874891a16555c4997a3d

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d2:ea:34:cd:3a:a8:80:e6:ce:8a:9a:ea:ff:82:31:b0:cd:b8:c9:f8:24:68:b0:07:f3:02:24:91:df:6d:4a:84
Signer

Actual PE Digest

d2:ea:34:cd:3a:a8:80:e6:ce:8a:9a:ea:ff:82:31:b0:cd:b8:c9:f8:24:68:b0:07:f3:02:24:91:df:6d:4a:84

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ext-ms-win-ntos-processparameters-l1-1-0

PsDestroyProcessParameterOverrides
PsGetProcessParameterOverrides

ext-ms-win-ntos-tm-l1-1-0

NtReadOnlyEnlistment
NtQueryInformationTransactionManager
NtQueryInformationTransaction
NtQueryInformationResourceManager
NtQueryInformationEnlistment
NtPropagationFailed
NtPropagationComplete
NtPrepareEnlistment
NtPrepareComplete
NtPrePrepareEnlistment
NtPrePrepareComplete
NtOpenTransactionManager
NtOpenTransaction
NtRollbackTransaction
NtOpenEnlistment
NtGetNotificationResourceManager
NtFreezeTransactions
NtEnumerateTransactionObject
NtCreateTransactionManager
NtCreateTransaction
NtCreateResourceManager
NtCreateEnlistment
NtCommitTransaction
NtCommitEnlistment
NtCommitComplete
TmInitSystem
NtSetInformationEnlistment
NtSetInformationResourceManager
TmCommitTransaction
NtRecoverEnlistment
TmInitSystemPhase2
NtRecoverResourceManager
NtThawTransactions
TmCancelPropagationRequest
TmCommitComplete
TmCommitEnlistment
TmShutdownSystem
NtRollforwardTransactionManager
NtSinglePhaseReject
NtSetInformationTransactionManager
NtRenameTransactionManager
NtRegisterProtocolAddressInformation
TmThawTransactions
TmSinglePhaseReject
TmSetCurrentTransaction
TmRollbackTransaction
TmRollbackEnlistment
TmRollbackComplete
TmRequestOutcomeEnlistment
TmRenameTransactionManager
TmReferenceEnlistmentKey
TmRecoverTransactionManager
TmRecoverResourceManager
TmRecoverEnlistment
TmReadOnlyEnlistment
TmPropagationFailed
TmPropagationComplete
TmPrepareEnlistment
TmPrepareComplete
TmPrePrepareEnlistment
TmPrePrepareComplete
TmIsTransactionActive
TmIsKTMCommitCoordinator
TmInitializeTransactionManager
NtRecoverTransactionManager
NtRollbackComplete
NtSetInformationTransaction
NtRollbackEnlistment
TmGetTransactionId
TmFreezeTransactions
TmEndPropagationRequest
TmEnableCallbacks
TmDereferenceEnlistmentKey
TmCurrentTransaction
TmCreateEnlistment
NtOpenResourceManager

pshed

PshedDoPfa
PshedGetErrorSourceInfo
PshedInitAvailable
PshedSetErrorSourceInfo
PshedInjectError
PshedGetInjectionCapabilities
PshedDisableErrorSource
PshedEnableErrorSource
PshedInitGlobal
PshedArePluginsPresent
PshedFinalizeErrorRecord
PshedBugCheckSystem
PshedWriteErrorRecord
PshedAttemptErrorRecovery
PshedGetAllErrorSources
PshedInitialize
PshedGetBootErrorPacket
PshedAllocateMemory
PshedClearErrorRecord
PshedReadErrorRecord
PshedFreeMemory
PshedSetHalEnlightenments
PshedMarkHiberPhase
PshedInitProc
PshedIsSystemWheaEnabled
PshedRetrieveErrorInfo

bootvid

VidInitialize
VidBufferToScreenBlt
VidScreenToBufferBlt
VidBitBlt
VidResetDisplay
VidCleanUp
VidSetTextColor
VidSetScrollRegion
VidSolidColorFill
VidDisplayString
VidBitBltEx

ext-ms-win-ntos-clipsp-l1-1-0

ClipSpInitialize

kdcom

KdSetHiberRange
KdPower
KdReceivePacket
KdSendPacket
KdInitialize

ext-ms-win-ntos-kcminitcfg-l1-1-0

CmCompleteInitMachineConfig
CmSetInitMachineConfig

ext-ms-win-ntos-ksr-l1-1-3

KsrQueryMetadata
KsrClaimPersistedMemory
KsrGetFirmwareInformation
KsrInitSystem
KsrFreePersistedMemoryBlock
KsrMdlToMemoryRuns
KsrPersistMemoryWithMetadata
KsrFreePersistedMemory
KsrCleanupPageDatabase
KsrInitPageDatabase
KsrEnumeratePersistedMemory

ext-ms-win-ntos-trace-l1-1-0

TraceInitSystem

ext-ms-win-ntos-ksecurity-l1-1-1

QueryUpdateFileEaAllowedExt

ext-ms-win-ntos-werkernel-l1-1-1

WerLiveKernelCancelReport
WerLiveKernelCreateReport
WerLiveKernelSubmitReport
WerLiveKernelInitSystem
WerLiveKernelOpenDumpFile
WerLiveKernelCloseHandle

ext-ms-win-ntos-ucode-l1-1-0

ExpMicrocodeInformationLoad
ExpMicrocodeInformationUnload
ExpMicrocodeInitialization

ext-ms-win-ntos-stateseparation-l1-1-0

ExpInitializeStateSeparationPhase1
ExpInitializeStateSeparationPhase0
ExpInitializeStateSeparationPhase2

ext-ms-win-fs-clfs-l1-1-0

ClfsLsnEqual
ClfsReadRestartArea
ClfsGetLogFileInformation
ClfsMgmtDeregisterManagedClient
ClfsCloseLogFileObject
ClfsMgmtInstallPolicy
ClfsMgmtRegisterManagedClient
ClfsCreateLogFile
ClfsReadLogRecord
ClfsReadNextLogRecord
ClfsTerminateReadLog
ClfsWriteRestartArea
ClfsDeleteLogByPointer
ClfsDeleteMarshallingArea
ClfsReserveAndAppendLog
ClfsLsnInvalid
ClfsFlushToLsn
ClfsLsnContainer
ClfsLsnLess
ClfsLsnDifference
ClfsCreateMarshallingArea
ClfsAddLogContainer

ci

CiInitialize

msrpc.sys

MesHandleFree
MesEncodeIncrementalHandleCreate
MesIncrementalHandleReset
RpcExceptionFilter
NdrMesTypeEncode3
NdrMesTypeDecode3
MesDecodeBufferHandleCreate

cng.sys

BCryptExportKey

Exports

Exports

AlpcCreateSecurityContext
AlpcGetHeaderSize
AlpcGetMessageAttribute
AlpcInitializeMessageAttribute
BgkDisplayCharacter
BgkGetConsoleState
BgkGetCursorState
BgkSetCursor
CcAddDirtyPagesToExternalCache
CcAsyncCopyRead
CcCanIWrite
CcCoherencyFlushAndPurgeCache
CcCopyRead
CcCopyReadEx
CcCopyWrite
CcCopyWriteEx
CcCopyWriteWontFlush
CcDeductDirtyPagesFromExternalCache
CcDeferWrite
CcErrorCallbackRoutine
CcFastCopyRead
CcFastCopyWrite
CcFastMdlReadWait
CcFlushCache
CcFlushCacheToLsn
CcGetCachedDirtyPageCountForFile
CcGetDirtyPages
CcGetFileObjectFromBcb
CcGetFileObjectFromSectionPtrs
CcGetFileObjectFromSectionPtrsRef
CcGetFlushedValidData
CcGetLsnForFileObject
CcGetNumberOfMappedPages
CcInitializeCacheMap
CcInitializeCacheMapEx
CcIsCacheManagerCallbackNeeded
CcIsThereDirtyData
CcIsThereDirtyDataEx
CcIsThereDirtyLoggedPages
CcMapData
CcMdlRead
CcMdlReadComplete
CcMdlWriteAbort
CcMdlWriteComplete
CcPinMappedData
CcPinRead
CcPrepareMdlWrite
CcPreparePinWrite
CcPurgeCacheSection
CcRegisterExternalCache
CcRemapBcb
CcRepinBcb
CcScheduleReadAhead
CcScheduleReadAheadEx
CcSetAdditionalCacheAttributes
CcSetAdditionalCacheAttributesEx
CcSetBcbOwnerPointer
CcSetDirtyPageThreshold
CcSetDirtyPinnedData
CcSetFileSizes
CcSetFileSizesEx
CcSetLogHandleForFile
CcSetLogHandleForFileEx
CcSetLoggedDataThreshold
CcSetParallelFlushFile
CcSetReadAheadGranularity
CcSetReadAheadGranularityEx
CcTestControl
CcUninitializeCacheMap
CcUnmapFileOffsetFromSystemCache
CcUnpinData
CcUnpinDataForThread
CcUnpinRepinnedBcb
CcUnregisterExternalCache
CcWaitForCurrentLazyWriterActivity
CcZeroData
CcZeroDataOnDisk
CmCallbackGetKeyObjectID
CmCallbackGetKeyObjectIDEx
CmCallbackReleaseKeyObjectIDEx
CmGetBoundTransaction
CmGetCallbackVersion
CmKeyObjectType
CmRegisterCallback
CmRegisterCallbackEx
CmRegisterMachineHiveLoadedNotification
CmSetCallbackObjectContext
CmUnRegisterCallback
CmUnregisterMachineHiveLoadedNotification
DbgBreakPoint
DbgBreakPointWithStatus
DbgCommandString
DbgLoadImageSymbols
DbgPrint
DbgPrintEx
DbgPrintReturnControlC
DbgPrompt
DbgQueryDebugFilterState
DbgSetDebugFilterState
DbgSetDebugPrintCallback
DbgkLkmdRegisterCallback
DbgkLkmdUnregisterCallback
DbgkWerCaptureLiveKernelDump
EmClientQueryRuleState
EmClientRuleDeregisterNotification
EmClientRuleEvaluate
EmClientRuleRegisterNotification
EmProviderDeregister
EmProviderDeregisterEntry
EmProviderRegister
EmProviderRegisterEntry
EmpProviderRegister
EtwActivityIdControl
EtwEnableTrace
EtwEventEnabled
EtwProviderEnabled
EtwRegister
EtwRegisterClassicProvider
EtwSendTraceBuffer
EtwSetInformation
EtwTelemetryCoverageReport
EtwUnregister
EtwWrite
EtwWriteEndScenario
EtwWriteEx
EtwWriteStartScenario
EtwWriteString
EtwWriteTransfer
EtwpDisableStackWalkApc
EtwpReenableStackWalkApc
ExAcquireAutoExpandPushLockExclusive
ExAcquireAutoExpandPushLockShared
ExAcquireCacheAwarePushLockExclusive
ExAcquireCacheAwarePushLockExclusiveEx
ExAcquireCacheAwarePushLockSharedEx
ExAcquireFastMutex
ExAcquireFastMutexUnsafe
ExAcquireFastResourceExclusive
ExAcquireFastResourceShared
ExAcquireFastResourceSharedStarveExclusive
ExAcquirePushLockExclusiveEx
ExAcquirePushLockSharedEx
ExAcquireResourceExclusiveLite
ExAcquireResourceSharedLite
ExAcquireRundownProtection
ExAcquireRundownProtectionCacheAware
ExAcquireRundownProtectionCacheAwareEx
ExAcquireRundownProtectionEx
ExAcquireSharedStarveExclusive
ExAcquireSharedWaitForExclusive
ExAcquireSpinLockExclusive
ExAcquireSpinLockExclusiveAtDpcLevel
ExAcquireSpinLockShared
ExAcquireSpinLockSharedAtDpcLevel
ExActivationObjectType
ExAllocateAutoExpandPushLock
ExAllocateCacheAwarePushLock
ExAllocateCacheAwareRundownProtection
ExAllocatePool
ExAllocatePool2
ExAllocatePool3
ExAllocatePoolWithQuota
ExAllocatePoolWithQuotaTag
ExAllocatePoolWithTag
ExAllocatePoolWithTagPriority
ExAllocateTimer
ExBlockOnAddressPushLock
ExBlockPushLock
ExCancelTimer
ExCleanupAutoExpandPushLock
ExCleanupRundownProtectionCacheAware
ExCompositionObjectType
ExConvertExclusiveToSharedLite
ExConvertFastResourceExclusiveToShared
ExConvertPushLockExclusiveToShared
ExCoreMessagingObjectType
ExCreateCallback
ExDeleteFastResource
ExDeleteLookasideListEx
ExDeleteNPagedLookasideList
ExDeletePagedLookasideList
ExDeleteResourceLite
ExDeleteTimer
ExDesktopObjectType
ExDisableResourceBoostLite
ExDisownFastResource
ExEnterCriticalRegionAndAcquireFastMutexUnsafe
ExEnterCriticalRegionAndAcquireResourceExclusive
ExEnterCriticalRegionAndAcquireResourceShared
ExEnterCriticalRegionAndAcquireSharedWaitForExclusive
ExEnterPriorityRegionAndAcquireResourceExclusive
ExEnterPriorityRegionAndAcquireResourceShared
ExEnumHandleTable
ExEnumerateSystemFirmwareTables
ExEventObjectType
ExExtendZone
ExFetchLicenseData
ExFlushLookasideListEx
ExFreeAutoExpandPushLock
ExFreeCacheAwarePushLock
ExFreeCacheAwareRundownProtection
ExFreePool
ExFreePoolWithTag
ExGetCurrentProcessorCounts
ExGetCurrentProcessorCpuUsage
ExGetExclusiveWaiterCount
ExGetFirmwareEnvironmentVariable
ExGetFirmwareType
ExGetLicenseTamperState
ExGetPreviousMode
ExGetSharedWaiterCount
ExGetSystemFirmwareTable
ExInitializeAutoExpandPushLock
ExInitializeFastOwnerEntry
ExInitializeFastResource
ExInitializeLookasideListEx
ExInitializeNPagedLookasideList
ExInitializePagedLookasideList
ExInitializePushLock
ExInitializeResourceLite
ExInitializeRundownProtection
ExInitializeRundownProtectionCacheAware
ExInitializeRundownProtectionCacheAwareEx
ExInitializeZone
ExInterlockedAddLargeInteger
ExInterlockedAddUlong
ExInterlockedExtendZone
ExInterlockedInsertHeadList
ExInterlockedInsertTailList
ExInterlockedPopEntryList
ExInterlockedPushEntryList
ExInterlockedRemoveHeadList
ExIsFastResourceContended
ExIsFastResourceHeld
ExIsFastResourceHeldExclusive
ExIsManufacturingModeEnabled
ExIsProcessorFeaturePresent
ExIsResourceAcquiredExclusiveLite
ExIsResourceAcquiredSharedLite
ExIsSoftBoot
ExLocalTimeToSystemTime
ExNotifyBootDeviceRemoval
ExNotifyCallback
ExQueryDepthSList
ExQueryFastCacheDevLicense
ExQueryPoolBlockSize
ExQueryTimerResolution
ExQueryWnfStateData
ExQueueWorkItem
ExRaiseAccessViolation
ExRaiseDatatypeMisalignment
ExRaiseException
ExRaiseHardError
ExRaiseStatus
ExRawInputManagerObjectType
ExReInitializeRundownProtection
ExReInitializeRundownProtectionCacheAware
ExRealTimeIsUniversal
ExRegisterBootDevice
ExRegisterCallback
ExRegisterExtension
ExReinitializeFastResource
ExReinitializeResourceLite
ExReleaseAutoExpandPushLockExclusive
ExReleaseAutoExpandPushLockShared
ExReleaseCacheAwarePushLockExclusive
ExReleaseCacheAwarePushLockExclusiveEx
ExReleaseCacheAwarePushLockSharedEx
ExReleaseDisownedFastResource
ExReleaseDisownedFastResourceExclusive
ExReleaseDisownedFastResourceShared
ExReleaseFastMutex
ExReleaseFastMutexUnsafe
ExReleaseFastMutexUnsafeAndLeaveCriticalRegion
ExReleaseFastResource
ExReleaseFastResourceExclusive
ExReleaseFastResourceShared
ExReleasePushLockEx
ExReleasePushLockExclusiveEx
ExReleasePushLockSharedEx
ExReleaseResourceAndLeaveCriticalRegion
ExReleaseResourceAndLeavePriorityRegion
ExReleaseResourceForThreadLite
ExReleaseResourceLite
ExReleaseRundownProtection
ExReleaseRundownProtectionCacheAware
ExReleaseRundownProtectionCacheAwareEx
ExReleaseRundownProtectionEx
ExReleaseSpinLockExclusive
ExReleaseSpinLockExclusiveFromDpcLevel
ExReleaseSpinLockShared
ExReleaseSpinLockSharedFromDpcLevel
ExRundownCompleted
ExRundownCompletedCacheAware
ExSemaphoreObjectType
ExSetFirmwareEnvironmentVariable
ExSetLicenseTamperState
ExSetResourceOwnerPointer
ExSetResourceOwnerPointerEx
ExSetTimer
ExSetTimerResolution
ExShareAddressSpaceWithDevice
ExSizeOfAutoExpandPushLock
ExSizeOfRundownProtectionCacheAware
ExSubscribeWnfStateChange
ExSvmBeginDeviceReset
ExSvmFinalizeDeviceReset
ExSystemExceptionFilter
ExSystemTimeToLocalTime
ExTimedWaitForUnblockPushLock
ExTimerObjectType
ExTryAcquireAutoExpandPushLockExclusive
ExTryAcquireAutoExpandPushLockShared
ExTryAcquireCacheAwarePushLockExclusiveEx
ExTryAcquireCacheAwarePushLockSharedEx
ExTryAcquirePushLockExclusiveEx
ExTryAcquirePushLockSharedEx
ExTryAcquireSpinLockExclusiveAtDpcLevel
ExTryAcquireSpinLockSharedAtDpcLevel
ExTryConvertPushLockSharedToExclusiveEx
ExTryConvertSharedSpinLockExclusive
ExTryQueueWorkItem
ExTryToAcquireFastMutex
ExTryToAcquireResourceExclusiveLite
ExTryToConvertFastResourceSharedToExclusive
ExUnblockOnAddressPushLockEx
ExUnblockPushLockEx
ExUnregisterCallback
ExUnregisterExtension
ExUnsubscribeWnfStateChange
ExUpdateLicenseData
ExUuidCreate
ExVerifySuite
ExWaitForRundownProtectionRelease
ExWaitForRundownProtectionReleaseCacheAware
ExWaitForUnblockPushLock
ExWindowStationObjectType
ExfAcquirePushLockExclusive
ExfAcquirePushLockShared
ExfReleasePushLock
ExfReleasePushLockExclusive
ExfReleasePushLockShared
ExfTryAcquirePushLockShared
ExfTryToWakePushLock
ExfUnblockPushLock
ExpInterlockedFlushSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
FirstEntrySList
FsRtlAcknowledgeEcp
FsRtlAcquireEofLock
FsRtlAcquireFileExclusive
FsRtlAcquireHeaderMutex
FsRtlAddBaseMcbEntry
FsRtlAddBaseMcbEntryEx
FsRtlAddLargeMcbEntry
FsRtlAddMcbEntry
FsRtlAddToTunnelCache
FsRtlAddToTunnelCacheEx
FsRtlAllocateExtraCreateParameter
FsRtlAllocateExtraCreateParameterFromLookasideList
FsRtlAllocateExtraCreateParameterList
FsRtlAllocateFileLock
FsRtlAllocatePool
FsRtlAllocatePoolWithQuota
FsRtlAllocatePoolWithQuotaTag
FsRtlAllocatePoolWithTag
FsRtlAllocateResource
FsRtlAreNamesEqual
FsRtlAreThereCurrentOrInProgressFileLocks
FsRtlAreThereWaitingFileLocks
FsRtlAreVolumeStartupApplicationsComplete
FsRtlBalanceReads
FsRtlCancellableWaitForMultipleObjects
FsRtlCancellableWaitForSingleObject
FsRtlChangeBackingFileObject
FsRtlCheckLockForOplockRequest
FsRtlCheckLockForReadAccess
FsRtlCheckLockForWriteAccess
FsRtlCheckOplock
FsRtlCheckOplockEx
FsRtlCheckOplockEx2
FsRtlCheckOplockForFsFilterCallback
FsRtlCheckUpperOplock
FsRtlCopyRead
FsRtlCopyWrite
FsRtlCreateSectionForDataScan
FsRtlCurrentBatchOplock
FsRtlCurrentOplock
FsRtlCurrentOplockH
FsRtlDeleteExtraCreateParameterLookasideList
FsRtlDeleteKeyFromTunnelCache
FsRtlDeleteTunnelCache
FsRtlDeregisterUncProvider
FsRtlDismountComplete
FsRtlDissectDbcs
FsRtlDissectName
FsRtlDoesDbcsContainWildCards
FsRtlDoesNameContainWildCards
FsRtlFastCheckLockForRead
FsRtlFastCheckLockForWrite
FsRtlFastUnlockAll
FsRtlFastUnlockAllByKey
FsRtlFastUnlockSingle
FsRtlFindExtraCreateParameter
FsRtlFindInTunnelCache
FsRtlFindInTunnelCacheEx
FsRtlFreeExtraCreateParameter
FsRtlFreeExtraCreateParameterList
FsRtlFreeFileLock
FsRtlGetCurrentProcessLoaderList
FsRtlGetEcpListFromIrp
FsRtlGetFileNameInformation
FsRtlGetFileSize
FsRtlGetIoAtEof
FsRtlGetNextBaseMcbEntry
FsRtlGetNextExtraCreateParameter
FsRtlGetNextFileLock
FsRtlGetNextLargeMcbEntry
FsRtlGetNextMcbEntry
FsRtlGetSectorSizeInformation
FsRtlGetSupportedFeatures
FsRtlGetVirtualDiskNestingLevel
FsRtlHeatInit
FsRtlHeatLogIo
FsRtlHeatLogTierMove
FsRtlHeatUninit
FsRtlIncrementCcFastMdlReadWait
FsRtlIncrementCcFastReadNoWait
FsRtlIncrementCcFastReadNotPossible
FsRtlIncrementCcFastReadResourceMiss
FsRtlIncrementCcFastReadWait
FsRtlInitExtraCreateParameterLookasideList
FsRtlInitializeBaseMcb
FsRtlInitializeBaseMcbEx
FsRtlInitializeEofLock
FsRtlInitializeExtraCreateParameter
FsRtlInitializeExtraCreateParameterList
FsRtlInitializeFileLock
FsRtlInitializeLargeMcb
FsRtlInitializeMcb
FsRtlInitializeOplock
FsRtlInitializeTunnelCache
FsRtlInsertExtraCreateParameter
FsRtlInsertPerFileContext
FsRtlInsertPerFileObjectContext
FsRtlInsertPerStreamContext
FsRtlIs32BitProcess
FsRtlIsDaxVolume
FsRtlIsDbcsInExpression
FsRtlIsEcpAcknowledged
FsRtlIsEcpFromUserMode
FsRtlIsExtentDangling
FsRtlIsFatDbcsLegal
FsRtlIsHpfsDbcsLegal
FsRtlIsMobileOS
FsRtlIsNameInExpression
FsRtlIsNameInUnUpcasedExpression
FsRtlIsNonEmptyDirectoryReparsePointAllowed
FsRtlIsNtstatusExpected
FsRtlIsPagingFile
FsRtlIsSystemPagingFile
FsRtlIsTotalDeviceFailure
FsRtlIssueDeviceIoControl
FsRtlKernelFsControlFile
FsRtlLegalAnsiCharacterArray
FsRtlLogCcFlushError
FsRtlLookupBaseMcbEntry
FsRtlLookupLargeMcbEntry
FsRtlLookupLastBaseMcbEntry
FsRtlLookupLastBaseMcbEntryAndIndex
FsRtlLookupLastLargeMcbEntry
FsRtlLookupLastLargeMcbEntryAndIndex
FsRtlLookupLastMcbEntry
FsRtlLookupMcbEntry
FsRtlLookupPerFileContext
FsRtlLookupPerFileObjectContext
FsRtlLookupPerStreamContextInternal
FsRtlMdlRead
FsRtlMdlReadComplete
FsRtlMdlReadCompleteDev
FsRtlMdlReadDev
FsRtlMdlReadEx
FsRtlMdlWriteComplete
FsRtlMdlWriteCompleteDev
FsRtlMupGetProviderIdFromName
FsRtlMupGetProviderInfoFromFileObject
FsRtlNormalizeNtstatus
FsRtlNotifyChangeDirectory
FsRtlNotifyCleanup
FsRtlNotifyCleanupAll
FsRtlNotifyFilterChangeDirectory
FsRtlNotifyFilterChangeDirectoryLite
FsRtlNotifyFilterReportChange
FsRtlNotifyFilterReportChangeLite
FsRtlNotifyFilterReportChangeLiteEx
FsRtlNotifyFullChangeDirectory
FsRtlNotifyFullReportChange
FsRtlNotifyInitializeSync
FsRtlNotifyReportChange

Sections

.rdata
Size: 798KB - Virtual size: 797KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 414KB - Virtual size: 414KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 99KB - Virtual size: 99KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PROTDATA
Size: 512B - Virtual size: 1B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

GFIDS
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Pad1
Size: - Virtual size: 676KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGELK
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

POOLCODE
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEKD
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEVRFY
Size: 200KB - Virtual size: 200KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEHDLS
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGEBGFX
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INITKDBG
Size: 101KB - Virtual size: 101KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

TRACESUP
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

KVASCODE
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

RETPOL
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

MINIEX
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 554KB - Virtual size: 554KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Pad2
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 76KB - Virtual size: 1000KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ALMOSTRO
Size: 5KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CACHEALI
Size: 512B - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGEDATA
Size: 6KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGEVRFD
Size: 32KB - Virtual size: 87KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INITDATA
Size: 2KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Pad3
Size: - Virtual size: 560KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CFGRO
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Pad4
Size: - Virtual size: 2.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 236KB - Virtual size: 236KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

cf27126b23ab874891a16555c4997a3d

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

d2:ea:34:cd:3a:a8:80:e6:ce:8a:9a:ea:ff:82:31:b0:cd:b8:c9:f8:24:68:b0:07:f3:02:24:91:df:6d:4a:84Signer

Headers

DLL Characteristics

File Characteristics

Imports

ext-ms-win-ntos-processparameters-l1-1-0

ext-ms-win-ntos-tm-l1-1-0

pshed

bootvid

ext-ms-win-ntos-clipsp-l1-1-0

kdcom

ext-ms-win-ntos-kcminitcfg-l1-1-0

ext-ms-win-ntos-ksr-l1-1-3

ext-ms-win-ntos-trace-l1-1-0

ext-ms-win-ntos-ksecurity-l1-1-1

ext-ms-win-ntos-werkernel-l1-1-1

ext-ms-win-ntos-ucode-l1-1-0

ext-ms-win-ntos-stateseparation-l1-1-0

ext-ms-win-fs-clfs-l1-1-0

ci

msrpc.sys

cng.sys

Exports

Exports

Sections

.rdata Size: 798KB - Virtual size: 797KB

.pdata Size: 414KB - Virtual size: 414KB

.idata Size: 8KB - Virtual size: 8KB

.edata Size: 99KB - Virtual size: 99KB

PROTDATA Size: 512B - Virtual size: 1B

GFIDS Size: 35KB - Virtual size: 35KB

Pad1 Size: - Virtual size: 676KB

.text Size: 3.8MB - Virtual size: 3.8MB

PAGE Size: 3.8MB - Virtual size: 3.8MB

PAGELK Size: 148KB - Virtual size: 147KB

POOLCODE Size: 1KB - Virtual size: 1KB

PAGEKD Size: 23KB - Virtual size: 22KB

PAGEVRFY Size: 200KB - Virtual size: 200KB

PAGEHDLS Size: 9KB - Virtual size: 9KB

PAGEBGFX Size: 26KB - Virtual size: 26KB

INITKDBG Size: 101KB - Virtual size: 101KB

TRACESUP Size: 6KB - Virtual size: 5KB

KVASCODE Size: 9KB - Virtual size: 8KB

RETPOL Size: 2KB - Virtual size: 2KB

MINIEX Size: 9KB - Virtual size: 9KB

INIT Size: 554KB - Virtual size: 554KB

Pad2 Size: - Virtual size: 1.3MB

.data Size: 76KB - Virtual size: 1000KB

ALMOSTRO Size: 5KB - Virtual size: 156KB

CACHEALI Size: 512B - Virtual size: 36KB

PAGEDATA Size: 6KB - Virtual size: 81KB

PAGEVRFD Size: 32KB - Virtual size: 87KB

INITDATA Size: 2KB - Virtual size: 111KB

Pad3 Size: - Virtual size: 560KB

CFGRO Size: 7KB - Virtual size: 7KB

Pad4 Size: - Virtual size: 2.0MB

.rsrc Size: 236KB - Virtual size: 236KB

.reloc Size: 38KB - Virtual size: 38KB

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

d2:ea:34:cd:3a:a8:80:e6:ce:8a:9a:ea:ff:82:31:b0:cd:b8:c9:f8:24:68:b0:07:f3:02:24:91:df:6d:4a:84
Signer

.rdata
Size: 798KB - Virtual size: 797KB

.pdata
Size: 414KB - Virtual size: 414KB

.idata
Size: 8KB - Virtual size: 8KB

.edata
Size: 99KB - Virtual size: 99KB

PROTDATA
Size: 512B - Virtual size: 1B

GFIDS
Size: 35KB - Virtual size: 35KB

Pad1
Size: - Virtual size: 676KB

.text
Size: 3.8MB - Virtual size: 3.8MB

PAGE
Size: 3.8MB - Virtual size: 3.8MB

PAGELK
Size: 148KB - Virtual size: 147KB

POOLCODE
Size: 1KB - Virtual size: 1KB

PAGEKD
Size: 23KB - Virtual size: 22KB

PAGEVRFY
Size: 200KB - Virtual size: 200KB

PAGEHDLS
Size: 9KB - Virtual size: 9KB

PAGEBGFX
Size: 26KB - Virtual size: 26KB

INITKDBG
Size: 101KB - Virtual size: 101KB

TRACESUP
Size: 6KB - Virtual size: 5KB

KVASCODE
Size: 9KB - Virtual size: 8KB

RETPOL
Size: 2KB - Virtual size: 2KB

MINIEX
Size: 9KB - Virtual size: 9KB

INIT
Size: 554KB - Virtual size: 554KB

Pad2
Size: - Virtual size: 1.3MB

.data
Size: 76KB - Virtual size: 1000KB

ALMOSTRO
Size: 5KB - Virtual size: 156KB

CACHEALI
Size: 512B - Virtual size: 36KB

PAGEDATA
Size: 6KB - Virtual size: 81KB

PAGEVRFD
Size: 32KB - Virtual size: 87KB

INITDATA
Size: 2KB - Virtual size: 111KB

Pad3
Size: - Virtual size: 560KB

CFGRO
Size: 7KB - Virtual size: 7KB

Pad4
Size: - Virtual size: 2.0MB

.rsrc
Size: 236KB - Virtual size: 236KB

.reloc
Size: 38KB - Virtual size: 38KB