New folder[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

New folder.zip
Size

902KB
MD5

511aba9cd6bac06ffb9c4f415b17997d
SHA1

aad2c91e89d7b9e4d3a2442c75085418ad3c835d
SHA256

dd8f8d62aa6c80fc895a4af0585ce03917d5810d3116b6f71ee3cef9aa787962
SHA512

b1a2752235a981503794ee41706ca362eaeed9e85180cd6175610a75cb11aa70e255531b26b54e1115d3602222e95a1f89f1001e22cdd82201376edb9ae2b4fd
SSDEEP

24576:QLy9b+71qKFu0n0HwGpzwAOiGlGnDYvT6xEl+mPvvu:n+sYutQ2zwAOiGc8wE+mP3u

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/New folder/BitLockerWizardElev.exe
unpack001/New folder/appidcertstorecheck.exe
unpack001/New folder/bcastdvruserservice.dll

Files

New folder.zip
.zip
New folder/BioIso.exe
.exe windows:10 windows x64 arch:x64

08f8291d9acc26dcbbf3a60431ed46c7

Code Sign

33:00:00:04:0a:87:d0:ea:67:86:e3:6b:07:00:00:00:00:04:0a
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/01/2023, 19:22

Not After

15/12/2023, 19:22

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1e:91:01:94:d0:71:72:5f:9f:b3:ee:d7:e4:fa:45:89:51:0e:7f:3a:6a:95:33:fd:2b:5b:28:4c:e8:60:7f:ee
Signer

Actual PE Digest

1e:91:01:94:d0:71:72:5f:9f:b3:ee:d7:e4:fa:45:89:51:0e:7f:3a:6a:95:33:fd:2b:5b:28:4c:e8:60:7f:ee

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_initterm
_c_exit
_initterm_e

api-ms-win-crt-private-l1-1-0

_o__errno
_o__exit
_o__get_initial_wide_environment
_o__initialize_onexit_table
_o__initialize_wide_environment
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
memmove
_o__crt_atexit
_o_atoi
_o_bsearch_s
_o_exit
_o_free
_o_isdigit
_o_iswalpha
_o_malloc
_o_terminate
_o_towupper
__C_specific_handler
__current_exception
__current_exception_context
_CxxThrowException
_o__configthreadlocale
_o___p__commode
_o__cexit
_o__callnewh
_o___p___wargv
_o___p___argc
_o___stdio_common_vswprintf
__std_terminate
__CxxFrameHandler4
_o___stdio_common_vsnprintf_s
memcmp
_o___std_exception_destroy
memcpy
_o___std_exception_copy
_o__configure_wide_argv

api-ms-win-crt-string-l1-1-0

memset

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
FreeLibrary
LoadLibraryExW
GetProcAddress
GetModuleHandleW
GetModuleFileNameA

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
EnterCriticalSection
SetEvent
OpenEventW
DeleteCriticalSection
ReleaseSRWLockExclusive
ReleaseSemaphore
InitializeCriticalSectionEx
AcquireSRWLockShared
WaitForSingleObject
CreateSemaphoreExW
CreateEventW
CreateMutexExW
ResetEvent
ReleaseSRWLockShared
InitializeCriticalSectionAndSpinCount
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseMutex

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
OpenProcessToken
GetCurrentThread
OpenThreadToken

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventWriteTransfer
EventSetInformation
EventActivityIdControl
EventRegister

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceComplete

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer

api-ms-win-security-base-l1-1-0

GetLengthSid
IsValidSid
GetTokenInformation
EqualSid

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetWindowsDirectoryW
GetTickCount64

api-ms-win-core-file-l1-1-0

CompareFileTime

rpcrt4

RpcServerListen
RpcServerUseProtseqIfW
NdrServerCallAll
NdrServerCall2
UuidFromStringA
RpcImpersonateClient
RpcRevertToSelfEx
RpcMgmtStopServerListening
RpcMgmtWaitServerListen
RpcServerUnregisterIf
RpcServerRegisterIfEx

api-ms-win-core-memory-l1-1-0

VirtualQuery
MapViewOfFile
UnmapViewOfFile

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlCompareMemory
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

ntdll

RtlTimeFieldsToTime
RtlFreeHeap
RtlEqualSid
NtQuerySystemInformation
RtlImageNtHeader
RtlNtStatusToDosError
RtlAllocateHeap

iumsdk

GetSignedReport
EncryptData
GetTaggedData
GetSecureIdentitySigningKey
OpenSecureSection
GetTaggedDataSize
DecryptData

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

__ImagePolicyMetadata

Sections

.text
Size: 428KB - Virtual size: 427KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 132KB - Virtual size: 129KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tPolicy
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGEDATA
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGECONS
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
New folder/BitLockerWizardElev.exe
.exe windows:10 windows x64 arch:x64

1438673c4b1b5696c777658ad76b5d13

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetProcessHeap
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetLastError
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
GetStartupInfoW
Sleep
GetCurrentProcess
TerminateProcess
HeapSetInformation
GetCurrentProcessId
GetCommandLineW
UnhandledExceptionFilter

msvcrt

memset
_commode
_fmode
_acmdln
__iob_func
__C_specific_handler
_initterm
?terminate@@YAXXZ
__setusermatherr
_ismbblead
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
fwprintf
towupper

fvewiz

FveuiWizard
FveuipClearFveWizOnStartup

ole32

CoInitialize
CoUninitialize

shell32

CommandLineToArgvW
ShellExecuteW

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 92KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
New folder/appidcertstorecheck.exe
.exe windows:10 windows x64 arch:x64

7168353edbe3ab24a184bb681fd55ae6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_lock
_unlock
__dllonexit
_exit
__set_app_type
_commode
?terminate@@YAXXZ
memcmp
_fmode
exit
__wgetmainargs
_cexit
__setusermatherr
_initterm
__C_specific_handler
_vsnwprintf
_amsg_exit
_XcptFilter
memmove_s
_purecall
??3@YAXPEAX@Z
memcpy_s
_onexit
memset

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
GetModuleHandleExW
GetModuleHandleW
GetProcAddress

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
ResetEvent
ReleaseMutex
SetEvent
CreateEventExW
WaitForSingleObjectEx
OpenSemaphoreW
ReleaseSemaphore
CreateSemaphoreExW
DeleteCriticalSection
AcquireSRWLockShared
WaitForSingleObject
CreateMutexExW
EnterCriticalSection
ReleaseSRWLockShared
InitializeCriticalSectionEx

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
HeapSetInformation
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcess
GetCurrentProcessId
TerminateProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-namespace-l1-1-0

AddSIDToBoundaryDescriptor
ClosePrivateNamespace
OpenPrivateNamespaceW
CreatePrivateNamespaceW
CreateBoundaryDescriptorW
DeleteBoundaryDescriptor

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegQueryValueExW
RegOpenKeyExW
RegSetValueExW
RegCloseKey

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-file-l1-1-0

CompareFileTime
CreateFileW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-ntuser-sysparams-l1-1-0

GetSystemMetrics

ntdll

EtwEventWriteTransfer
EtwEventUnregister
EtwEventWrite
EtwEventRegister
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 40KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
New folder/bcastdvruserservice.dll
.dll windows:10 windows x64 arch:x64

c1069a8115649ed00af19dedf29b7fd8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o__wcsicmp
_o__wcslwr
_o__wcsnicmp
_o__wfopen_s
memmove
_o_fclose
_o_fgetws
_o_free
_o_iswupper
_o_malloc
_o_memcpy_s
_o_realloc
_o_terminate
_o_towlower
_o_wcscat_s
_o_wcscpy_s
_o_wcstol
_o_wcstoul
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3
_CxxThrowException
_o__execute_onexit_table
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_onexit_table
_o__errno
_o__initialize_narrow_environment
_o__crt_atexit
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o__aligned_malloc
_o__aligned_free
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsprintf
_o___stdio_common_vsnprintf_s
_o___std_type_info_name
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
wcschr
wcsstr
wcsrchr
__std_terminate
__CxxFrameHandler4
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

wcsncmp
memset

bcastdvrcommon

?PrintGuid@GameDVRUtility@Internal@Capture@Media@Windows@@YAJU_GUID@@PEAVString@25@@Z
FireCallerManagerEvent
?OutputString@BcastDVR_OutputDebug@@QEAAXXZ
?LogError@BcastDVRLogProviderBase@@SAXJPEBD0H_N@Z
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBDK@Z
?GetGuidStringFromGuid@GameDVRUtility@Internal@Capture@Media@Windows@@YAJAEBU_GUID@@_NPEAVString@25@@Z
??0BcastDVR_OutputDebug@@QEAA@PEBD@Z
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBD0@Z
?Uninitialize@BcastDVR_OutputDebug@@SAXXZ
?GetPlugInPackageFullName@PlugInUtility@Internal@Capture@Media@Windows@@YAJAEBU_GUID@@PEAVString@25@@Z
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBDN@Z
?LogErrorEx@BcastDVRLogProviderBase@@SAXJPEBD0H00_N@Z
?RegGetDwordValue@GameDVRUtility@Internal@Capture@Media@Windows@@YAXPEAUHKEY__@@PEBG1KPEAK@Z
?RegSetDwordValue@GameDVRUtility@Internal@Capture@Media@Windows@@YAJPEAUHKEY__@@PEBG1K@Z
?RegSetStringValue@GameDVRUtility@Internal@Capture@Media@Windows@@YAJPEAUHKEY__@@PEBG1PEAVString@25@@Z
GetBroadcastSharedMemoryWriter
?RegSetQwordValue@GameDVRUtility@Internal@Capture@Media@Windows@@YAJPEAUHKEY__@@PEBG1_K@Z
?RegGetQwordValue@GameDVRUtility@Internal@Capture@Media@Windows@@YAXPEAUHKEY__@@PEBG1_KPEA_K@Z
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBDPEBG@Z
?GetUserGameDVRConfigFolderPath@EnvironmentManager@Internal@Capture@Media@Windows@@YAJPEAVString@25@PEBG@Z
?Initialize@BcastDVR_OutputDebug@@SAXPEBGW4BcastDVR_OutputDebug_TraceToFileType@@0@Z
?GetOSVersionString@GameDVRUtility@Internal@Capture@Media@Windows@@YAXPEAVString@25@@Z
?Printf@BcastDVRLogProviderBase@@SAX_N0PEBD1HPEBGZZ
?RegGetStringValue@GameDVRUtility@Internal@Capture@Media@Windows@@YAXPEAUHKEY__@@PEBG1PEAVString@25@@Z
?GetHKeyCurrentUserForIUser@GameDVRUtility@Internal@Capture@Media@Windows@@YAJPEAUIUser@System@5@PEAPEAUHKEY__@@@Z
??0ImpersonateHelper@Internal@Capture@Media@Windows@@QEAA@XZ
??1ImpersonateHelper@Internal@Capture@Media@Windows@@QEAA@XZ
?ImpersonateUser@ImpersonateHelper@Internal@Capture@Media@Windows@@QEAAJPEAUIUser@System@5@@Z
?CleanupObsoletePlugIns@PlugInUtility@Internal@Capture@Media@Windows@@YAJPEAUHKEY__@@@Z
?MostRecentErrorInHistory@BcastDVRLogProviderBase@@SAJXZ
?GetBroadcastSebEventIds@PlugInUtility@Internal@Capture@Media@Windows@@YAJPEAKPEAPEAU_GUID@@@Z
?FreeBroadcastSebEventIds@PlugInUtility@Internal@Capture@Media@Windows@@YAXPEAPEAU_GUID@@@Z
?GetDefaultPlugIn@PlugInUtility@Internal@Capture@Media@Windows@@YAJPEAUHKEY__@@PEAU_GUID@@@Z
?SetDefaultPlugIn@PlugInUtility@Internal@Capture@Media@Windows@@YAJPEAUHKEY__@@AEBU_GUID@@@Z
?GetPlugInInfo@PlugInUtility@Internal@Capture@Media@Windows@@YAJPEAUHKEY__@@AEBU_GUID@@PEAVString@25@22@Z
CreateCallerManagerInstance
?CloseDuplicatedHandle@GameDVRUtility@Internal@Capture@Media@Windows@@YAJKPEAX@Z
?GetErrorHistoryCount@BcastDVRLogProviderBase@@SAKXZ
?CloseDuplicatedHandles@GameDVRUtility@Internal@Capture@Media@Windows@@YAJKKQEAPEAX@Z
?AppendPath@EnvironmentManager@Internal@Capture@Media@Windows@@YAJAEBVString@25@0PEAV625@@Z
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBDE@Z
CreateMetadataManagerInstance
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBDH@Z
?GetBroadcastPlugInRegistryPathFromSebEventId@EnvironmentManager@Internal@Capture@Media@Windows@@YAJAEBU_GUID@@PEAVString@25@@Z
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBD_K@Z
ActiveMetadataManagerInstances
?MapConstantToString@GameDVRUtility@Internal@Capture@Media@Windows@@YAPEBGQEAPEBGKKKK@Z
GetPreviewSharedMemoryWriter
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBDI@Z
?PrintHRESULT@BcastDVR_OutputDebug@@QEAAXJ@Z
?PrintType@BcastDVR_OutputDebug@@QEAAXPEBDPEAX@Z
?GetIUserSID@GameDVRUtility@Internal@Capture@Media@Windows@@YAJPEAUIUser@System@5@PEAVString@25@@Z
?GetCallersSebEventId@PlugInUtility@Internal@Capture@Media@Windows@@YAJPEAU_GUID@@@Z
?GetFormattedErrorHistory@BcastDVRLogProviderBase@@SAKPEAVString@Internal@Windows@@@Z
?GetKnownFolderSubFolder@EnvironmentManager@Internal@Capture@Media@Windows@@YAJAEBU_GUID@@PEBGPEAVString@25@@Z

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
FreeLibrary
LoadLibraryExW
GetProcAddress
GetModuleFileNameA
GetModuleHandleExW

api-ms-win-core-synch-l1-1-0

CreateEventExW
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseMutex
CreateMutexExW
InitializeSRWLock
DeleteCriticalSection
TryEnterCriticalSection
AcquireSRWLockExclusive
InitializeCriticalSectionAndSpinCount
ReleaseSRWLockExclusive
AcquireSRWLockShared
WaitForSingleObject
CreateSemaphoreExW
InitializeCriticalSectionEx
ReleaseSemaphore
ResetEvent
ReleaseSRWLockShared
CreateEventW
SetEvent
LeaveCriticalSection
EnterCriticalSection

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-winrt-string-l1-1-0

WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsGetStringRawBuffer
WindowsCompareStringOrdinal
WindowsGetStringLen
WindowsConcatString
WindowsCreateString
WindowsDeleteString
WindowsReplaceString
WindowsDuplicateString
WindowsCreateStringReference

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
CreateThread
GetCurrentThreadId
TerminateProcess
GetProcessId
OpenProcessToken
GetCurrentProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-com-l1-1-0

PropVariantClear
CoDisconnectContext
CoTaskMemAlloc
CoTaskMemFree
CoReleaseMarshalData
CreateStreamOnHGlobal
CoMarshalInterface
CoWaitForMultipleHandles
CoGetCallContext
CoDecrementMTAUsage
CoCreateGuid
CoCreateFreeThreadedMarshaler
CoReleaseServerProcess
CoResumeClassObjects
CoRegisterClassObject
CoInitializeSecurity
CoCreateInstance
CoAddRefServerProcess
CoRevokeClassObject

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolWork
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CreateThreadpool
CloseThreadpool
SubmitThreadpoolWork
CloseThreadpoolWork

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateErrorW
GetRestrictedErrorInfo
SetRestrictedErrorInfo
RoOriginateError

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoRevokeActivationFactories
RoGetActivationFactory
RoInitialize
RoRegisterActivationFactories
RoActivateInstance

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventSetInformation
EventWriteTransfer
EventUnregister

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce
InitOnceComplete
InitOnceBeginInitialize

api-ms-win-service-core-l1-1-0

SetServiceStatus
RegisterServiceCtrlHandlerExW

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-security-base-l1-1-0

GetTokenInformation
MakeAbsoluteSD
DuplicateTokenEx

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GlobalMemoryStatusEx
GetSystemTime
GetSystemTimeAsFileTime
GetLocalTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

mfplat

MFTEnumEx
MFCreateDXGISurfaceBuffer
MFCreateDXGIDeviceManager
MFShutdown
MFCreateSample
MFCreateMemoryBuffer
MFStartup
MFCreateAttributes
MFCreateFile
MFCreateMediaType
MFCreateAlignedMemoryBuffer

api-ms-win-shcore-scaling-l1-1-1

SetProcessDpiAwareness

dwmapi

ord157
ord158
ord175
ord176
ord173

dcomp

ord2002
ord1060
DCompositionCreateDevice2
ord2000

api-ms-win-appmodel-runtime-l1-1-1

GetApplicationUserModelIdFromToken
ParseApplicationUserModelId
GetPackageFullNameFromToken
FindPackagesByPackageFamily

policymanager

PolicyManager_GetPolicyInt

systemeventsbrokerclient

SebEnumerateEventsByType
SebSignalEvent

audioses

ord1
ord3
ord2

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegOpenCurrentUser
RegCloseKey

api-ms-win-rtcore-ntuser-window-l1-1-0

GetWindowRect
IsWindowVisible
EnumWindows
GetWindowTextW
GetPropW
GetDesktopWindow
GetForegroundWindow
GetWindowLongW
GetWindowThreadProcessId
GetClientRect
ScreenToClient
DispatchMessageW
TranslateMessage
SendMessageW
PeekMessageW
GetAncestor

api-ms-win-power-setting-l1-1-0

PowerSettingUnregisterNotification
PowerSettingRegisterNotification

ntdll

RtlQueryPackageClaims
RtlUpcaseUnicodeChar
RtlPublishWnfStateData
ZwQuerySystemInformation
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
ZwClose
ZwOpenKey
RtlInitUnicodeString
RtlFreeHeap
RtlGetNativeSystemInformation
ZwEnumerateKey
RtlReAllocateHeap
NtQueryInformationProcess
RtlAllocateHeap
RtlInitUnicodeStringEx
RtlCompareUnicodeString
RtlNtStatusToDosErrorNoTeb
NtQueryInformationToken
ZwQueryValueKey

api-ms-win-core-kernel32-legacy-l1-1-0

PulseEvent
RegisterWaitForSingleObject

api-ms-win-core-wow64-l1-1-1

IsWow64Process2

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem
UnregisterWaitEx

api-ms-win-core-file-l1-1-0

CreateFileW
DeleteFileW
CreateDirectoryW
WriteFile
FindFirstFileW
FindClose
ReadFile
GetFileAttributesW
GetFileSizeEx
GetTempFileNameW
GetDiskFreeSpaceExW
FindNextFileW

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate
IsErrorPropagationEnabled

api-ms-win-core-com-l1-1-1

RoGetAgileReference

rpcrt4

UuidCreate
RpcRevertToSelf
RpcImpersonateClient

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW
WaitForMultipleObjects

api-ms-win-core-registry-l2-1-0

RegOpenKeyW

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream

oleaut32

VariantInit

api-ms-win-shcore-stream-winrt-l1-1-0

CreateRandomAccessStreamOverStream

dxgi

CreateDXGIFactory1
CreateDXGIFactory2

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-ntuser-rectangle-l1-1-0

IntersectRect
PtInRect

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFileExistsW

api-ms-win-security-cryptoapi-l1-1-0

CryptReleaseContext
CryptAcquireContextW
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptCreateHash

d3d11

D3D11CreateDevice

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

bcrypt

BCryptGetProperty
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptHashData
BCryptOpenAlgorithmProvider
BCryptFinishHash
BCryptCreateHash

mfreadwrite

MFCreateSinkWriterFromURL
MFCreateSinkWriterFromMediaSink
MFCreateSourceReaderFromMediaSource

api-ms-win-core-memory-l1-1-0

ReadProcessMemory

crypt32

CryptBinaryToStringW

api-ms-win-core-path-l1-1-0

PathCchCombine

api-ms-win-core-file-l1-2-4

GetTempPath2W

api-ms-win-core-file-l2-1-2

CopyFileW

combase

ord69
ord66
ord68
ord67

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-math-l1-1-0

_finite

aepic

PicRetrieveFileInfo
PicFreeFileInfo

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

gdi32

GetDIBits
DeleteObject
CreateCompatibleDC
DeleteDC

shell32

ShellExecuteW
ShellExecuteExW

user32

GetClassLongPtrW
GetCursorInfo
MonitorFromWindow
GetIconInfo
DestroyIcon

setupapi

SetupDiGetDevicePropertyW
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList

api-ms-win-security-capability-l1-1-0

CapabilityCheck

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

Exports

Exports

ServiceMain

Sections

.text
Size: 1016KB - Virtual size: 1012KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 416KB - Virtual size: 412KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 36KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

08f8291d9acc26dcbbf3a60431ed46c7

Code Sign

33:00:00:04:0a:87:d0:ea:67:86:e3:6b:07:00:00:00:00:04:0aCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

1e:91:01:94:d0:71:72:5f:9f:b3:ee:d7:e4:fa:45:89:51:0e:7f:3a:6a:95:33:fd:2b:5b:28:4c:e8:60:7f:eeSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-file-l1-1-0

rpcrt4

api-ms-win-core-memory-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-interlocked-l1-1-0

ntdll

iumsdk

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 428KB - Virtual size: 427KB

PAGE Size: 8KB - Virtual size: 4KB

.rdata Size: 132KB - Virtual size: 129KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 24KB - Virtual size: 20KB

.didat Size: 4KB - Virtual size: 200B

.tPolicy Size: 4KB - Virtual size: 1KB

PAGEDATA Size: 4KB - Virtual size: 2KB

PAGECONS Size: 16KB - Virtual size: 13KB

.rsrc Size: 4KB - Virtual size: 1008B

.reloc Size: 4KB - Virtual size: 2KB

1438673c4b1b5696c777658ad76b5d13

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

fvewiz

ole32

shell32

Sections

.text Size: 4KB - Virtual size: 3KB

.rdata Size: 8KB - Virtual size: 4KB

.data Size: 4KB - Virtual size: 1KB

.pdata Size: 4KB - Virtual size: 264B

.rsrc Size: 92KB - Virtual size: 88KB

.reloc Size: 4KB - Virtual size: 48B

7168353edbe3ab24a184bb681fd55ae6

Headers

DLL Characteristics

33:00:00:04:0a:87:d0:ea:67:86:e3:6b:07:00:00:00:00:04:0a
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

1e:91:01:94:d0:71:72:5f:9f:b3:ee:d7:e4:fa:45:89:51:0e:7f:3a:6a:95:33:fd:2b:5b:28:4c:e8:60:7f:ee
Signer

.text
Size: 428KB - Virtual size: 427KB

PAGE
Size: 8KB - Virtual size: 4KB

.rdata
Size: 132KB - Virtual size: 129KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 24KB - Virtual size: 20KB

.didat
Size: 4KB - Virtual size: 200B

.tPolicy
Size: 4KB - Virtual size: 1KB

PAGEDATA
Size: 4KB - Virtual size: 2KB

PAGECONS
Size: 16KB - Virtual size: 13KB

.rsrc
Size: 4KB - Virtual size: 1008B

.reloc
Size: 4KB - Virtual size: 2KB

.text
Size: 4KB - Virtual size: 3KB

.rdata
Size: 8KB - Virtual size: 4KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 264B

.rsrc
Size: 92KB - Virtual size: 88KB

.reloc
Size: 4KB - Virtual size: 48B

.text
Size: 40KB - Virtual size: 38KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 1KB

.didat
Size: 4KB - Virtual size: 64B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 124B