WinDefenderHealth[.]EXE[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

WinDefenderHealth.EXE.exe
Size

1.5MB
MD5

fd58bfb0ee6a4e076af317346a7d8584
SHA1

d27daaaad5351efc32617c5d0bfc151c4eaab528
SHA256

5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db
SHA512

fe22d29d9b146f131541ee188cfa34cd505ac4fb85180c47e2cbfe16af32b3c211f76e3def79437b36bb2cac3d938e9ac87e100b67717ae1c9ce2f92218154b9
SSDEEP

24576:8XBDYSkSOQzTiwLAEZ6R7OkSAdJQml8C7n3yKpbbeAApi4Qn652m:yR8QHdkEZ6kkSAdnCKdbe3iv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WinDefenderHealth.EXE.exe

Files

WinDefenderHealth.EXE.exe
.exe windows:6 windows x64 arch:x64

003895865866a98f571f7507282f6d00

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

RtlVirtualUnwind
NtQuerySystemInformation
RtlGetVersion
NtQueryInformationProcess
RtlCaptureContext
RtlLookupFunctionEntry
NtCreateFile
NtDeviceIoControlFile
RtlNtStatusToDosError
NtCancelIoFileEx

kernel32

HeapFree
GetProcessHeap
SetUnhandledExceptionFilter
HeapReAlloc
SwitchToThread
InitializeSListHead
GetCurrentThreadId
GetTickCount64
HeapAlloc
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
SetHandleInformation
AcquireSRWLockExclusive
GetStdHandle
GetConsoleMode
WaitForSingleObject
WriteConsoleW
SetLastError
SetThreadStackGuarantee
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetCurrentProcess
ReleaseMutex
GetEnvironmentVariableW
GetModuleHandleW
FormatMessageW
GetModuleFileNameW
CreateFileW
GetFileInformationByHandle
GetQueuedCompletionStatusEx
GetFullPathNameW
GetFinalPathNameByHandleW
CreateDirectoryW
AddVectoredExceptionHandler
GetProcessId
CreateIoCompletionPort
SetFileCompletionNotificationModes
ReadFileEx
SleepEx
CompareStringOrdinal
GetSystemDirectoryW
GetFileAttributesW
GetWindowsDirectoryW
CreateProcessW
DuplicateHandle
GetCurrentProcessId
CreateNamedPipeW
CreateThread
GetCurrentThread
WriteFileEx
WaitForMultipleObjects
GetOverlappedResult
GetExitCodeProcess
CreateEventW
CancelIo
ReadFile
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
AcquireSRWLockShared
ReleaseSRWLockShared
OpenProcess
ReadProcessMemory
GetProcessTimes
GetSystemInfo
WakeConditionVariable
SleepConditionVariableSRW
GetSystemTimes
GetProcessIoCounters
GetLastError
LocalFree
VirtualQueryEx
DeleteFileW
CopyFileExW
PostQueuedCompletionStatus
FreeEnvironmentStringsW
GetEnvironmentStringsW
CloseHandle
WakeAllConditionVariable
GetProcAddress
DeviceIoControl
IsDebuggerPresent
UnhandledExceptionFilter
Sleep
GetModuleHandleA
GetCurrentDirectoryW
lstrlenW
IsProcessorFeaturePresent

crypt32

CertFreeCertificateContext
CertOpenStore
CertDuplicateCertificateContext
CertDuplicateCertificateChain
CertDuplicateStore
CertGetCertificateChain
CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertCloseStore

iphlpapi

GetAdaptersAddresses
GetTcpTable

shell32

SHGetKnownFolderPath
CommandLineToArgvW

ole32

CoTaskMemFree
CoUninitialize

pdh

PdhRemoveCounter
PdhCloseQuery

ws2_32

ioctlsocket
WSASocketW
connect
shutdown
WSASend
bind
setsockopt
closesocket
getaddrinfo
freeaddrinfo
WSACleanup
WSAIoctl
getsockname
WSAGetLastError
getpeername
recv
send
getsockopt
WSAStartup

bcrypt

BCryptGenRandom

secur32

DecryptMessage
InitializeSecurityContextW
FreeContextBuffer
DeleteSecurityContext
FreeCredentialsHandle
EncryptMessage
AcceptSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleA
ApplyControlToken

advapi32

GetTokenInformation
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
LookupAccountSidW

powrprof

CallNtPowerInformation

psapi

GetModuleFileNameExW
EnumProcessModulesEx

vcruntime140

memcmp
memset
memcpy
memmove
__CxxFrameHandler3
__C_specific_handler

api-ms-win-crt-string-l1-1-0

wcslen

api-ms-win-crt-runtime-l1-1-0

_initterm_e
exit
_exit
__p___argc
__p___argv
_seh_filter_exe
_cexit
_initialize_narrow_environment
_configure_narrow_argv
_initterm
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate
_set_app_type
_get_initial_narrow_environment
_c_exit
_register_thread_local_exe_atexit_callback

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode

Sections

.text
Size: 913KB - Virtual size: 912KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 596KB - Virtual size: 595KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 379B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 904B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

003895865866a98f571f7507282f6d00

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

crypt32

iphlpapi

shell32

ole32

pdh

ws2_32

bcrypt

secur32

advapi32

powrprof

psapi

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 913KB - Virtual size: 912KB

.rdata Size: 596KB - Virtual size: 595KB

.data Size: 512B - Virtual size: 952B

.pdata Size: 32KB - Virtual size: 31KB

.tls Size: 512B - Virtual size: 379B

.gfids Size: 512B - Virtual size: 32B

.rsrc Size: 1024B - Virtual size: 904B

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 913KB - Virtual size: 912KB

.rdata
Size: 596KB - Virtual size: 595KB

.data
Size: 512B - Virtual size: 952B

.pdata
Size: 32KB - Virtual size: 31KB

.tls
Size: 512B - Virtual size: 379B

.gfids
Size: 512B - Virtual size: 32B

.rsrc
Size: 1024B - Virtual size: 904B

.reloc
Size: 7KB - Virtual size: 6KB