6650dcf52e02ab0459c72bf9bdbdeaa1c3748be49c4a45d04ebb18fae16baa01

Sharing

Copy URL

Twitter E-mail

General

Target

6650dcf52e02ab0459c72bf9bdbdeaa1c3748be49c4a45d04ebb18fae16baa01
Size

2.6MB
MD5

2d168f274247d3cdcad1d37c60adb148
SHA1

c2737be728a97534766f90c9112e75f3215f9f5d
SHA256

6650dcf52e02ab0459c72bf9bdbdeaa1c3748be49c4a45d04ebb18fae16baa01
SHA512

9a19d052b80faa7b2cc667bb4febcabfaf432a184b661b1c6808b4f5b01679a2c41b84698ac70e65962332ba9dc5e8c56b96826eeb0d7fafa3be94bdf1e45735
SSDEEP

49152:8ZFUUsq9nAIBril6td4heqmPu1XPGEHDnLnfpvljXnv6bhYa+f6JxmLPcq5A8:8Wq9AIBriIehZmPyPGyDnFvljnv6bQfd

Score

3^/10

Malware Config

Signatures

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/gatherosstate.exe
unpack001/Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/slc.dll
unpack001/Separate-Files-Version/Activators/Online_KMS_Activation/BIN/cleanosppx64.exe
unpack001/Separate-Files-Version/Activators/Online_KMS_Activation/BIN/cleanosppx86.exe

Files

6650dcf52e02ab0459c72bf9bdbdeaa1c3748be49c4a45d04ebb18fae16baa01
.zip
All-In-One-Version/MAS_1.5_AIO_CRC32_21D20776.cmd
.cmd .vbs
ReadMe.html
.html
Separate-Files-Version/Activators/Activations_Summary.html
.html
Separate-Files-Version/Activators/Check-Activation-Status-vbs.cmd
.cmd .vbs
Separate-Files-Version/Activators/Check-Activation-Status-wmi.cmd
.wsf .vbs polyglot
Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/ClipUp.exe
.exe windows:10 windows x64 arch:x64

72a11cd5e003305838f8284941ca350f

Code Sign

33:00:00:00:cc:4e:e8:6d:1a:15:af:49:95:00:00:00:00:00:cc
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12-02-2016 01:18

Not After

12-05-2017 01:18

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b9:cf:8a:5e:6d:e6:62:e2:00:a9:c6:62:a9:e4:8f:fc:6d:cc:3e:b3:f9:fa:79:8f:8d:c2:fd:79:d6:29:ec:38
Signer

Actual PE Digest

b9:cf:8a:5e:6d:e6:62:e2:00:a9:c6:62:a9:e4:8f:fc:6d:cc:3e:b3:f9:fa:79:8f:8d:c2:fd:79:d6:29:ec:38

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_fmode
_commode
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
malloc
wcsncmp
__iob_func
qsort
wprintf
_wcsnicmp
memcpy_s
__C_specific_handler
vfwprintf
free
time
wcsstr
wcschr
_purecall
wcstoul
rand
_wtoi
_lock
_unlock
__dllonexit
_onexit
?terminate@@YAXXZ
memset
memcpy
memcmp
log10
_vsnwprintf
_cexit
memchr
__setusermatherr
vwprintf
swscanf_s
_wcsicmp
towlower
srand
memmove
_initterm
wcscmp

ntdll

RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlAllocateHeap
RtlDeleteFunctionTable
RtlFreeHeap

cryptxml

CryptXmlCreateReference
CryptXmlVerifySignature
CryptXmlEncode
CryptXmlClose
CryptXmlGetSignature
CryptXmlGetStatus
CryptXmlOpenToDecode
CryptXmlOpenToEncode
CryptXmlGetReference
CryptXmlSign
CryptXmlGetDocContext

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventSetInformation
EventRegister
EventActivityIdControl
EventWrite
EventWriteTransfer

api-ms-win-security-base-l1-2-0

GetLengthSid
GetTokenInformation
FreeSid

api-ms-win-core-file-l1-2-1

GetTempFileNameW
GetFileType
WriteFileEx
GetTempPathW
FindNextFileW
FindClose
CompareFileTime
CreateFileW
WriteFile
SetFilePointer
ReadFile
DeleteFileW
GetFileSize
GetFileAttributesW
CreateDirectoryW
FindFirstFileW

api-ms-win-core-synch-l1-2-0

EnterCriticalSection
DeleteCriticalSection
SetEvent
ReleaseSRWLockExclusive
WaitForSingleObject
SleepEx
ReleaseSemaphore
InitializeCriticalSectionAndSpinCount
InitializeCriticalSection
LeaveCriticalSection
Sleep
CreateEventW
AcquireSRWLockExclusive

oleaut32

SafeArrayAccessData
VariantClear
SafeArrayCreateVector
VariantInit
SysAllocString
SafeArrayUnaccessData
SafeArrayGetLBound
SafeArrayDestroy
SysFreeString
SafeArrayGetUBound

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegGetValueW
RegOpenCurrentUser
RegSetValueExW
RegCloseKey
RegOpenKeyExW

bcrypt

BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyKey
BCryptImportKeyPair
BCryptSignHash
BCryptFinishHash
BCryptGenRandom
BCryptImportKey
BCryptGenerateKeyPair
BCryptFinalizeKeyPair
BCryptGetProperty
BCryptKeyDerivation
BCryptVerifySignature
BCryptHashData
BCryptCreateHash
BCryptExportKey
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptGenerateSymmetricKey

api-ms-win-core-console-l2-1-0

GetConsoleScreenBufferInfo
SetConsoleTextAttribute

api-ms-win-core-heap-l1-2-0

HeapReAlloc
GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
RaiseException
SetUnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsCreateStringReference
WindowsDeleteString

rpcrt4

UuidCreate
I_RpcMapWin32Status
UuidFromStringW

api-ms-win-core-com-l1-1-1

CoInitializeEx
CoInitializeSecurity
IIDFromString
CoTaskMemFree
CoUninitialize
CoCreateInstance

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW
GetCommandLineW
GetStdHandle

api-ms-win-core-processthreads-l1-1-2

UpdateProcThreadAttribute
CreateProcessW
GetCurrentProcess
GetCurrentThreadId
InitializeProcThreadAttributeList
GetExitCodeProcess
GetCurrentThread
GetCurrentProcessId
OpenProcessToken
TerminateProcess

ncrypt

NCryptFreeObject
NCryptOpenStorageProvider
NCryptImportKey
NCryptExportKey

api-ms-win-core-libraryloader-l1-2-0

LoadResource
GetModuleHandleW
LoadLibraryExA
GetProcAddress
LockResource
GetModuleHandleExW
FindResourceExW
LoadLibraryExW
FreeLibrary

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSidToSidW

crypt32

CertFreeCertificateContext
CryptQueryObject
CryptImportPublicKeyInfoEx2

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoUninitialize
RoInitialize

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
GetVersionExW
GetSystemDirectoryW
GlobalMemoryStatusEx
GetVersionExA
GetSystemTime
GetTickCount
GetSystemInfo

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringW

api-ms-win-core-localization-l1-2-1

LCMapStringEx
FormatMessageW
LCMapStringW

api-ms-win-core-timezone-l1-1-0

GetTimeZoneInformation
FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-memory-l1-1-2

VirtualProtect
VirtualAlloc
VirtualFree
VirtualQuery

api-ms-win-core-errorhandling-l1-1-3

RaiseFailFastException

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

cryptsp

CryptGetHashParam
CryptDestroyHash
CryptVerifySignatureW
CryptDestroyKey
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptImportKey
CryptReleaseContext

webservices

WsFreeReader
WsReadStartAttribute
WsReadChars
WsSetInputToBuffer
WsFreeHeap
WsFindAttribute
WsGetReaderPosition
WsSetReaderPosition
WsReadStartElement
WsCreateError
WsReadEndAttribute
WsMoveReader
WsGetReaderNode
WsReadToStartElement
WsFreeError
WsCreateHeap
WsCreateReader
WsSkipNode
WsReadXmlBufferFromBytes
WsDateTimeToFileTime
WsReadElement

api-ms-win-appmodel-runtime-internal-l1-1-2

PackageFamilyNameFromProductId

api-ms-win-appmodel-runtime-l1-1-1

PackageNameAndPublisherIdFromFamilyName

api-ms-win-core-debug-l1-1-1

DebugBreak

api-ms-win-core-io-l1-1-1

DeviceIoControl

api-ms-win-devices-config-l1-1-1

CM_Get_DevNode_Registry_PropertyW
CM_Get_Device_IDW
CM_Get_Parent
CM_Get_DevNode_Status

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Sections

.text
Size: 794KB - Virtual size: 794KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 457KB - Virtual size: 457KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/_Info.html
.html
Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/arm64_gatherosstate.exe
Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/arm64_slc.dll
Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/gatherosstate.exe
.exe windows:10 windows x86 arch:x86

de6c800823c77882b5d9888457698a55

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memcpy
memcmp
_except_handler4_common
_controlfp
?terminate@@YAXXZ
_onexit
__dllonexit
memchr
wcschr
_unlock
_lock
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_purecall
malloc
free
wcsstr
_wcsicmp
memmove
_vsnwprintf
wprintf
memset

ntdll

RtlCaptureContext
RtlAllocateHeap
RtlFreeHeap

kernel32

DeviceIoControl
GlobalMemoryStatusEx
GetSystemDirectoryW
LoadLibraryExW
FreeLibrary
LoadLibraryExA
DelayLoadFailureHook
IsWow64Process
HeapFree
WriteFile
GetModuleHandleExW
GetModuleFileNameW
SetErrorMode
LocalAlloc
CreateFileW
GetFileAttributesW
CompareStringW
GetLastError
FileTimeToSystemTime
CloseHandle
HeapAlloc
GetProcAddress
LocalFree
GetProcessHeap
WideCharToMultiByte
GetSystemTimeAsFileTime
GetSystemTime
VirtualProtect
EnterCriticalSection
GetCurrentProcess
TerminateProcess
LeaveCriticalSection
GetSystemDefaultUILanguage
UnhandledExceptionFilter
GetModuleHandleW
SetUnhandledExceptionFilter
Sleep
GetModuleHandleA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
GetVersionExW
GetCurrentThread

advapi32

CryptDestroyHash
CryptReleaseContext
CryptHashData
CryptGetHashParam
CryptCreateHash
CryptAcquireContextW
GetCurrentHwProfileW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW

Sections

.text
Size: 315KB - Virtual size: 315KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Separate-Files-Version/Activators/HWID-KMS38_Activation/BIN/slc.dll
.dll windows:4 windows x86 arch:x86

ea6a9f4e9928ea3295fae5c792005ac2

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

RegGetValueW
RegOpenKeyExW

imagehlp

MapFileAndCheckSumW

kernel32

CloseHandle
CopyFileExW
CreateFileW
DeleteFileW
FreeLibrary
GetFileAttributesW
GetFileSize
GetProcAddress
GetProcessHeap
GetProductInfo
GetWindowsDirectoryW
HeapAlloc
HeapFree
HeapReAlloc
LoadLibraryW
ReadFile
SetFilePointer
WriteFile

msvcrt

exit
sscanf
time
wcscat
wcschr
wcscmp
wcscpy
wcslen
wcsncmp
wcstoul

user32

MessageBoxW

Exports

Exports

PatchGatherosstate
SLClose
SLGetGenuineInformation
SLGetLicensingStatusInformation
SLGetPKeyInformation
SLGetProductSkuInformation
SLGetSLIDList
SLGetServiceInformation
SLGetWindowsInformationDWORD
SLOpen

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 820B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 353B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Separate-Files-Version/Activators/HWID-KMS38_Activation/HWID_Activation.cmd
.cmd .vbs
Separate-Files-Version/Activators/HWID-KMS38_Activation/KMS38_Activation.cmd
.cmd .vbs
Separate-Files-Version/Activators/HWID-KMS38_Activation/ReadMe_HWID.html
.html
Separate-Files-Version/Activators/HWID-KMS38_Activation/ReadMe_KMS38.html
.html
Separate-Files-Version/Activators/Online_KMS_Activation/Activate.cmd
.cmd .vbs
Separate-Files-Version/Activators/Online_KMS_Activation/BIN/_Info.html
.html
Separate-Files-Version/Activators/Online_KMS_Activation/BIN/cleanosppx64.exe
.exe windows:6 windows x64 arch:x64

3e0977438b3a99ae7d9af893f9538893

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcr100

_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__crt_debugger_hook
__set_app_type
_fmode
_commode
__setusermatherr
_configthreadlocale
wprintf
_amsg_exit
__wgetmainargs
__C_specific_handler
wcscpy_s
wcsncat_s
wcsncpy_s
wcsrchr
free
malloc
memset
_initterm_e
_initterm
__winitenv
exit
_cexit
_exit
_XcptFilter
_wcsicmp

kernel32

RaiseException
LoadLibraryA
FreeLibrary
LocalAlloc
LoadLibraryExW
GetModuleHandleW
GetVersionExW
SetErrorMode
DecodePointer
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
EncodePointer
Sleep
GetLastError
LocalFree
GetProcAddress
QueryPerformanceCounter
GetProcessHeap
HeapSetInformation
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
VirtualProtect
WerRegisterMemoryBlock

ole32

CLSIDFromString
StringFromCLSID
CoTaskMemFree

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 444B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 440B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Separate-Files-Version/Activators/Online_KMS_Activation/BIN/cleanosppx86.exe
.exe windows:6 windows x86 arch:x86

0393153f08fe5c66b5966a4f45bd77d4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcr100

_controlfp_s
_invoke_watson
_except_handler4_common
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
_crt_debugger_hook
__set_app_type
_fmode
_commode
__setusermatherr
wprintf
_amsg_exit
__wgetmainargs
_cexit
wcscpy_s
wcsncat_s
wcsncpy_s
wcsrchr
free
malloc
memset
_configthreadlocale
_initterm_e
_initterm
__winitenv
exit
_XcptFilter
_exit
_wcsicmp

kernel32

RaiseException
LoadLibraryA
FreeLibrary
LocalAlloc
LoadLibraryExW
GetModuleHandleW
GetVersionExW
SetErrorMode
DecodePointer
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
EncodePointer
InterlockedCompareExchange
Sleep
InterlockedExchange
WerRegisterMemoryBlock
VirtualProtect
GetTickCount
GetLastError
LocalFree
GetProcAddress
QueryPerformanceCounter
GetProcessHeap
HeapSetInformation
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime

ole32

CLSIDFromString
StringFromCLSID
CoTaskMemFree

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey

Sections

.text
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Separate-Files-Version/Activators/Online_KMS_Activation/ReadMe.html
.html
Separate-Files-Version/Extras/Activation_Troubleshoot.cmd
.cmd .vbs
Separate-Files-Version/Extras/Change_W10_11_Edition.cmd
.cmd .vbs
Separate-Files-Version/Extras/Extract_OEM_Folder/Extract_OEM_Folder.cmd
.cmd .vbs
Separate-Files-Version/Extras/Extract_OEM_Folder/ReadMe.html
.html
Separate-Files-Version/Extras/Install_W10_11_HWID_Key.cmd
.cmd .vbs
Separate-Files-Version/Extras/_Homepage.html
.html
Verify_Files-Clear_Zone.Identifier-68.cmd
.cmd .vbs

Sharing

General

Malware Config

Signatures

Files

72a11cd5e003305838f8284941ca350f

Code Sign

33:00:00:00:cc:4e:e8:6d:1a:15:af:49:95:00:00:00:00:00:ccCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

b9:cf:8a:5e:6d:e6:62:e2:00:a9:c6:62:a9:e4:8f:fc:6d:cc:3e:b3:f9:fa:79:8f:8d:c2:fd:79:d6:29:ec:38Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

cryptxml

api-ms-win-eventing-provider-l1-1-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-synch-l1-2-0

oleaut32

api-ms-win-core-registry-l1-1-0

bcrypt

api-ms-win-core-console-l2-1-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

rpcrt4

api-ms-win-core-com-l1-1-1

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-processthreads-l1-1-2

ncrypt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-sddl-l1-1-0

crypt32

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-localization-l1-2-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-memory-l1-1-2

api-ms-win-core-errorhandling-l1-1-3

api-ms-win-core-profile-l1-1-0

cryptsp

webservices

api-ms-win-appmodel-runtime-internal-l1-1-2

api-ms-win-appmodel-runtime-l1-1-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-io-l1-1-1

api-ms-win-devices-config-l1-1-1

api-ms-win-core-apiquery-l1-1-0

Sections

.text Size: 794KB - Virtual size: 794KB

.rdata Size: 457KB - Virtual size: 457KB

.data Size: 6KB - Virtual size: 10KB

.pdata Size: 28KB - Virtual size: 27KB

.didat Size: 512B - Virtual size: 120B

.rsrc Size: 5KB - Virtual size: 4KB

.reloc Size: 10KB - Virtual size: 9KB

de6c800823c77882b5d9888457698a55

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

kernel32

advapi32

Sections

.text Size: 315KB - Virtual size: 315KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 2KB - Virtual size: 2KB

.didat Size: 512B - Virtual size: 144B

33:00:00:00:cc:4e:e8:6d:1a:15:af:49:95:00:00:00:00:00:cc
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

b9:cf:8a:5e:6d:e6:62:e2:00:a9:c6:62:a9:e4:8f:fc:6d:cc:3e:b3:f9:fa:79:8f:8d:c2:fd:79:d6:29:ec:38
Signer

.text
Size: 794KB - Virtual size: 794KB

.rdata
Size: 457KB - Virtual size: 457KB

.data
Size: 6KB - Virtual size: 10KB

.pdata
Size: 28KB - Virtual size: 27KB

.didat
Size: 512B - Virtual size: 120B

.rsrc
Size: 5KB - Virtual size: 4KB

.reloc
Size: 10KB - Virtual size: 9KB

.text
Size: 315KB - Virtual size: 315KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 2KB - Virtual size: 2KB

.didat
Size: 512B - Virtual size: 144B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 8KB

.text
Size: 3KB - Virtual size: 2KB

.rdata
Size: 1024B - Virtual size: 820B

.edata
Size: 512B - Virtual size: 353B

.idata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 176B

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 9KB - Virtual size: 8KB

.data
Size: 1KB - Virtual size: 2KB

.pdata
Size: 512B - Virtual size: 444B

.reloc
Size: 512B - Virtual size: 440B

.text
Size: 13KB - Virtual size: 13KB

.data
Size: 1024B - Virtual size: 1KB

.reloc
Size: 1KB - Virtual size: 1KB