6a630413408781e9599b0a786ff50bf1fcba1532d8ed39137fe3f982a66ff85e[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

6a630413408781e9599b0a786ff50bf1fcba1532d8ed39137fe3f982a66ff85e.zip
Size

21.1MB
MD5

08a9efb2889b8122b8f2ad97b27b0454
SHA1

58a7fc20512d8107d71e427b395eb6b620468ae0
SHA256

7f0c1a4c1422a1532c573fef0a3c7c498ad3e1e683d5cee10ec6ce462ee08dfd
SHA512

82032b0679579617045b323ea3e5ccd117be72090bc540433db00cbdaf79dc973e7e6b931a9415dd4b8e5baf4164f4fe02ce90957103d767d5411dfb49896843
SSDEEP

393216:UqtQhH4Bgu8uoWFZvySvThQiwSC39lIvvsw3M2nEt14iz/Z4YuWotiHdM:UGO4Bmuq1iwSC39Hqc14iz/Fotd

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/iumsdk.dll

Files

6a630413408781e9599b0a786ff50bf1fcba1532d8ed39137fe3f982a66ff85e.zip
.zip

Password: infected
help.chm
.chm
iumsdk.dll
.dll windows:4 windows x64 arch:x64

dd9243b0f0b4da8e84bd6b0a9bdea755

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

RevertToSelf
SetThreadToken

bcrypt

BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptOpenAlgorithmProvider

kernel32

CloseHandle
CreateEventW
CreateFileA
CreateFileMappingA
CreateProcessA
CreateProcessW
CreateThread
DeleteCriticalSection
EnterCriticalSection
ExitThread
FindResourceA
FreeConsole
FreeLibrary
FreeResource
GetCommandLineA
GetCurrentProcess
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemTimeAsFileTime
GetThreadContext
GetThreadId
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
K32EnumProcessModules
K32GetModuleFileNameExA
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LoadResource
LockResource
MapViewOfFile
MultiByteToWideChar
OpenProcess
QueueUserAPC
RaiseException
ReadProcessMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetEvent
SetLastError
SizeofResource
Sleep
SleepConditionVariableCS
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnmapViewOfFile
VirtualProtect
VirtualQuery
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_chmod
_chsize
_errno
_fileno
_initterm
_localtime64
_lock
_mkdir
_mktime64
_read
_stat64
_stricmp
_strnicmp
_time64
_unlock
_utime64
abort
calloc
fclose
fflush
fopen
fputc
fputs
fread
free
freopen
fseek
ftell
fwrite
getenv
iswctype
localeconv
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
realloc
remove
setlocale
strchr
strcmp
strcoll
strcpy
strerror
strftime
strlen
strncmp
strncpy
strtoul
strxfrm
towlower
towupper
vfprintf
wcscoll
wcsftime
wcslen
wcsxfrm

ntdll

NtProtectVirtualMemory
NtWriteVirtualMemory

shell32

CommandLineToArgvW
ShellExecuteExA

shlwapi

PathRemoveFileSpecA
StrStrIA

Exports

Exports

AcquireSRWLockExclusive
AcquireSRWLockShared
AssignMemoryToSocDomain
AwaitSmc
CloseHandle
CloseThreadpoolIo
CloseThreadpoolTimer
CloseThreadpoolWait
CloseThreadpoolWork
CreateEventW
CreateSecureDevice
CreateSecureSection
CreateSecureSectionSpecifyPages
CreateSemaphoreW
CreateThread
CreateThreadpoolIo
CreateThreadpoolTimer
CreateThreadpoolWait
CreateThreadpoolWork
DebugBreak
DecryptData
DecryptISKBoundData
DeleteCriticalSection
DmaMapMemory
DuplicateHandle
EmitSmc
EncryptData
EnterCriticalSection
EventRegister
EventSetInformation
EventUnregister
EventWrite
EventWriteTransfer
ExitProcess
ExitThread
FileTimeToSystemTime
FlushSecureSectionBuffers
FreeLibrary
FreeLibraryWhenCallbackReturns
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDmaEnabler
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeThread
GetExposedSecureSection
GetFipsModeFromIumKernelState
GetLastError
GetLocalTime
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSecureIdentityKey
GetSecureIdentitySigningKey
GetSeedFromIumKernelState
GetSignedReport
GetStartupInfoW
GetSystemFirmwareTable
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTaggedData
GetTaggedDataSize
GetThreadId
GetThreadPriority
GetTickCount
GetTickCount64
GetTpmBindingInfo
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapLock
HeapQueryInformation
HeapReAlloc
HeapSetInformation
HeapSize
HeapUnlock
HeapValidate
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSListHead
InitializeSRWLock
IsDebuggerPresent
IsProcessorFeaturePresent
IsSecureProcess
LeaveCriticalSection
LeaveCriticalSectionWhenCallbackReturns
LoadLibraryExW
MapSecureIo
MapViewOfFile
NdrClientCall3
NdrServerCall2
NdrServerCallAll
NtAlertThreadByThreadId
NtOpenProcessToken
NtOpenThreadToken
NtQueryInformationProcess
NtQueryInformationThread
NtQueryInformationToken
NtSetInformationProcess
NtSetInformationThread
NtTraceControl
NtTraceEvent
NtWaitForAlertByThreadId
OpenCurrentExtension
OpenEventW
OpenSecureSection
OutputDebugStringW
PostMailbox
ProtectSecureIo
QueryPerformanceCounter
QueryPerformanceFrequency
QuerySecureDeviceInformation
QueryThreadCycleTime
RaiseException
RaiseFailFastException
RegisterTraceGuidsW
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
ReleaseSemaphoreWhenCallbackReturns
ResetEvent
RpcExceptionFilter
RpcMgmtStopServerListening
RpcMgmtWaitServerListen
RpcServerInqCallAttributesW
RpcServerListen
RpcServerRegisterIf
RpcServerUnregisterIf
RpcServerUseProtseqEpW
RtlAvlInsertNodeEx
RtlAvlRemoveNode
RtlCaptureContext
RtlEqualUnicodeString
RtlGUIDFromString
RtlImageNtHeader
RtlInitUnicodeString
RtlInterlockedPushListSList
RtlLookupFunctionEntry
RtlNtStatusToDosError
RtlRandom
RtlRandomEx
RtlTimeToTimeFields
RtlVirtualUnwind
SecureStorageGet
SecureStoragePut
SetDmaTargetProperties
SetEnvironmentVariableW
SetEvent
SetEventWhenCallbackReturns
SetLastError
SetPolicyExtension
SetThreadpoolTimer
SetThreadpoolTimerEx
SetThreadpoolWait
SetUnhandledExceptionFilter
Sleep
StartThreadpoolIo
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TraceMessage
TraceMessageVa
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
UnhandledExceptionFilter
UnmapSecureIo
UnmapViewOfFile
UnregisterTraceGuids
UpdateSecureDeviceState
UuidCreate
VbsVmSysCall
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WaitForThreadpoolIoCallbacks
WaitForThreadpoolTimerCallbacks
WaitForThreadpoolWaitCallbacks
WaitForThreadpoolWorkCallbacks
WideCharToMultiByte
vDbgPrintEx
vDbgPrintExWithPrefix

Sections

.text
Size: 756KB - Virtual size: 756KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 47KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20.5MB - Virtual size: 20.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
iumsdkx.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27-03-2019 19:21

Not After

27-03-2020 19:21

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e2:4d:95:3e:2e:c7:66:a4:10:62:22:40:22:49:3f:8c:db:87:d9:ac:7f:8e:11:a2:db:a4:97:d6:6d:80:7f:b1
Signer

Actual PE Digest

e2:4d:95:3e:2e:c7:66:a4:10:62:22:40:22:49:3f:8c:db:87:d9:ac:7f:8e:11:a2:db:a4:97:d6:6d:80:7f:b1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

IumSdk.pdb

Exports

Exports

AcquireSRWLockExclusive
AcquireSRWLockShared
AssignMemoryToSocDomain
AwaitSmc
CloseHandle
CloseThreadpoolIo
CloseThreadpoolTimer
CloseThreadpoolWait
CloseThreadpoolWork
CreateEventW
CreateSecureDevice
CreateSecureSection
CreateSecureSectionSpecifyPages
CreateSemaphoreW
CreateThread
CreateThreadpoolIo
CreateThreadpoolTimer
CreateThreadpoolWait
CreateThreadpoolWork
DebugBreak
DecryptData
DecryptISKBoundData
DeleteCriticalSection
DmaMapMemory
DuplicateHandle
EmitSmc
EncryptData
EnterCriticalSection
EventRegister
EventSetInformation
EventUnregister
EventWrite
EventWriteTransfer
ExitProcess
ExitThread
FileTimeToSystemTime
FlushSecureSectionBuffers
FreeLibrary
FreeLibraryWhenCallbackReturns
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDmaEnabler
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeThread
GetExposedSecureSection
GetFipsModeFromIumKernelState
GetLastError
GetLocalTime
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSecureIdentityKey
GetSecureIdentitySigningKey
GetSeedFromIumKernelState
GetSignedReport
GetStartupInfoW
GetSystemFirmwareTable
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTaggedData
GetTaggedDataSize
GetThreadId
GetThreadPriority
GetTickCount
GetTickCount64
GetTpmBindingInfo
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapLock
HeapQueryInformation
HeapReAlloc
HeapSetInformation
HeapSize
HeapUnlock
HeapValidate
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSListHead
InitializeSRWLock
IsDebuggerPresent
IsProcessorFeaturePresent
IsSecureProcess
LeaveCriticalSection
LeaveCriticalSectionWhenCallbackReturns
LoadLibraryExW
MapSecureIo
MapViewOfFile
NdrClientCall3
NdrServerCall2
NdrServerCallAll
NtAlertThreadByThreadId
NtOpenProcessToken
NtOpenThreadToken
NtQueryInformationProcess
NtQueryInformationThread
NtQueryInformationToken
NtSetInformationProcess
NtSetInformationThread
NtTraceControl
NtTraceEvent
NtWaitForAlertByThreadId
OpenCurrentExtension
OpenEventW
OpenSecureSection
OutputDebugStringW
PostMailbox
ProtectSecureIo
QueryPerformanceCounter
QueryPerformanceFrequency
QuerySecureDeviceInformation
QueryThreadCycleTime
RaiseException
RaiseFailFastException
RegisterTraceGuidsW
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
ReleaseSemaphoreWhenCallbackReturns
ResetEvent
RpcExceptionFilter
RpcMgmtStopServerListening
RpcMgmtWaitServerListen
RpcServerInqCallAttributesW
RpcServerListen
RpcServerRegisterIf
RpcServerUnregisterIf
RpcServerUseProtseqEpW
RtlAvlInsertNodeEx
RtlAvlRemoveNode
RtlCaptureContext
RtlEqualUnicodeString
RtlGUIDFromString
RtlImageNtHeader
RtlInitUnicodeString
RtlInterlockedPushListSList
RtlLookupFunctionEntry
RtlNtStatusToDosError
RtlRandom
RtlRandomEx
RtlTimeToTimeFields
RtlVirtualUnwind
SecureStorageGet
SecureStoragePut
SetDmaTargetProperties
SetEnvironmentVariableW
SetEvent
SetEventWhenCallbackReturns
SetLastError
SetPolicyExtension
SetThreadpoolTimer
SetThreadpoolTimerEx
SetThreadpoolWait
SetUnhandledExceptionFilter
Sleep
StartThreadpoolIo
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TraceMessage
TraceMessageVa
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
UnhandledExceptionFilter
UnmapSecureIo
UnmapViewOfFile
UnregisterTraceGuids
UpdateSecureDeviceState
UuidCreate
VbsVmSysCall
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WaitForThreadpoolIoCallbacks
WaitForThreadpoolTimerCallbacks
WaitForThreadpoolWaitCallbacks
WaitForThreadpoolWorkCallbacks
WideCharToMultiByte
vDbgPrintEx
vDbgPrintExWithPrefix

Sections

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
setup.exe
.exe windows:10 windows x64 arch:x64

52e843a0e7736840cdce9b4887b92406

Code Sign

33:00:00:04:5c:3d:56:72:66:6c:b7:54:17:00:00:00:00:04:5c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

14-09-2023 18:20

Not After

04-09-2024 18:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

90:64:13:78:9b:8e:40:81:6f:39:a5:04:65:0e:97:d5:88:be:40:0b:8d:c6:f5:f6:b3:6f:bc:dc:8e:26:fb:76
Signer

Actual PE Digest

90:64:13:78:9b:8e:40:81:6f:39:a5:04:65:0e:97:d5:88:be:40:0b:8d:c6:f5:f6:b3:6f:bc:dc:8e:26:fb:76

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

NgcIso.pdb

Imports

msvcp_win

?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?_Xbad_function_call@std@@YAXXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xout_of_range@std@@YAXPEBD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-runtime-l1-1-0

_c_exit
_register_thread_local_exe_atexit_callback
_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__callnewh
_o__cexit
_o__configthreadlocale
_o__configure_wide_argv
_o__crt_atexit
_o__errno
_o__exit
_o__get_initial_wide_environment
_o__initialize_onexit_table
_o__initialize_wide_environment
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
memmove
_o_exit
_o_free
_o_ldexp
_o_malloc
_o_memcpy_s
_o_terminate
__CxxFrameHandler3
_CxxThrowException
_o___stdio_common_vswprintf
_o___stdio_common_vsnprintf_s
__C_specific_handler
__std_terminate
__CxxFrameHandler4
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
_o___p___wargv
_o___p___argc
__RTDynamicCast
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

memset
wcscmp

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleHandleExW
GetProcAddress
GetModuleFileNameA

api-ms-win-core-synch-l1-1-0

CreateEventExW
ReleaseSemaphore
EnterCriticalSection
InitializeCriticalSectionEx
WaitForSingleObject
LeaveCriticalSection
OpenEventW
ReleaseMutex
SetEvent
ReleaseSRWLockExclusive
CreateEventW
ResetEvent
InitializeCriticalSectionAndSpinCount
CreateSemaphoreExW
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
AcquireSRWLockExclusive
ReleaseSRWLockShared
WaitForSingleObjectEx
OpenSemaphoreW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapSize
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
TerminateProcess

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

rpcrt4

RpcRaiseException
RpcServerRegisterIf
NdrClientCall3
RpcMgmtStopServerListening
NdrServerCallAll
NdrServerCall2
RpcServerUseProtseqIfW
RpcServerUnregisterIf
RpcExceptionFilter
RpcServerListen

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventWriteTransfer
EventUnregister
EventActivityIdControl

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

iumsdk

DecryptData
GetTaggedData
GetTaggedDataSize
EncryptData
GetSecureIdentitySigningKey
GetSignedReport
GetTpmBindingInfo
RtlNtStatusToDosError

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-crt-math-l1-1-0

ceilf

Exports

Exports

__ImagePolicyMetadata

Sections

.text
Size: 331KB - Virtual size: 331KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tPolicy
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
windirstat_en_us.qm
windirstat_uk_ua.qm

Sharing

General

Malware Config

Signatures

Files

Password: infected

dd9243b0f0b4da8e84bd6b0a9bdea755

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

kernel32

msvcrt

ntdll

shell32

shlwapi

Exports

Exports

Sections

.text Size: 756KB - Virtual size: 756KB

.data Size: 8KB - Virtual size: 8KB

.rdata Size: 59KB - Virtual size: 58KB

.pdata Size: 37KB - Virtual size: 37KB

.xdata Size: 47KB - Virtual size: 46KB

.bss Size: - Virtual size: 3KB

.edata Size: 11KB - Virtual size: 10KB

.idata Size: 5KB - Virtual size: 5KB

.CRT Size: 512B - Virtual size: 88B

.tls Size: 512B - Virtual size: 16B

.rsrc Size: 20.5MB - Virtual size: 20.5MB

.reloc Size: 5KB - Virtual size: 4KB

Code Sign

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

e2:4d:95:3e:2e:c7:66:a4:10:62:22:40:22:49:3f:8c:db:87:d9:ac:7f:8e:11:a2:db:a4:97:d6:6d:80:7f:b1Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.rdata Size: 11KB - Virtual size: 11KB

.rsrc Size: 1024B - Virtual size: 1000B

52e843a0e7736840cdce9b4887b92406

Code Sign

33:00:00:04:5c:3d:56:72:66:6c:b7:54:17:00:00:00:00:04:5cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

90:64:13:78:9b:8e:40:81:6f:39:a5:04:65:0e:97:d5:88:be:40:0b:8d:c6:f5:f6:b3:6f:bc:dc:8e:26:fb:76Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

rpcrt4

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-profile-l1-1-0

.text
Size: 756KB - Virtual size: 756KB

.data
Size: 8KB - Virtual size: 8KB

.rdata
Size: 59KB - Virtual size: 58KB

.pdata
Size: 37KB - Virtual size: 37KB

.xdata
Size: 47KB - Virtual size: 46KB

.bss
Size: - Virtual size: 3KB

.edata
Size: 11KB - Virtual size: 10KB

.idata
Size: 5KB - Virtual size: 5KB

.CRT
Size: 512B - Virtual size: 88B

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 20.5MB - Virtual size: 20.5MB

.reloc
Size: 5KB - Virtual size: 4KB

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

e2:4d:95:3e:2e:c7:66:a4:10:62:22:40:22:49:3f:8c:db:87:d9:ac:7f:8e:11:a2:db:a4:97:d6:6d:80:7f:b1
Signer

.rdata
Size: 11KB - Virtual size: 11KB

.rsrc
Size: 1024B - Virtual size: 1000B

33:00:00:04:5c:3d:56:72:66:6c:b7:54:17:00:00:00:00:04:5c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

90:64:13:78:9b:8e:40:81:6f:39:a5:04:65:0e:97:d5:88:be:40:0b:8d:c6:f5:f6:b3:6f:bc:dc:8e:26:fb:76
Signer

.text
Size: 331KB - Virtual size: 331KB

.rdata
Size: 96KB - Virtual size: 96KB

.data
Size: 6KB - Virtual size: 9KB

.pdata
Size: 15KB - Virtual size: 15KB

.didat
Size: 512B - Virtual size: 168B

.tPolicy
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 2KB