services[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

services.exe
Size

699KB
MD5

e606e7e0d5e94af8222715a24df0776b
SHA1

e5704d8e560122c2a23de8912ae63b213d67c860
SHA256

43ec773e0ec626bf6d8a7fd04e64dc36afa6801444a3c36ef4da2a909fa0d83f
SHA512

fe71138ad225ec38b31abb30419f82c94e8a88bc55c3f638e7fbeb2fa1c1bd6ab81a0d6278d22b9da5d07eb73920bf53a0bd0ad8424355e50dc21e6f92d1d880
SSDEEP

12288:eRn1KcOaj6JmPYFYDQvAjWYbJIs6QEmQFXkGsv1tbjXKo5ee76:eRn4QjbPOYF7JhY1Ji11XKo5ee76

Score

1^/10

Malware Config

Signatures

Files

services.exe
.exe windows:10 windows x64 arch:x64

d1098e3a37f227b6ff6bd36c1801edfa

Code Sign

33:00:00:04:49:80:8e:a7:5d:6e:2d:36:87:00:00:00:00:04:49
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/08/2023, 18:38

Not After

07/08/2024, 18:38

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

34:06:42:b6:81:c7:71:26:33:d5:74:45:bc:f4:70:d7:e5:47:4a:01:68:c9:f1:9e:41:5c:86:c7:7c:b9:a3:43
Signer

Actual PE Digest

34:06:42:b6:81:c7:71:26:33:d5:74:45:bc:f4:70:d7:e5:47:4a:01:68:c9:f1:9e:41:5c:86:c7:7c:b9:a3:43

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

services.pdb

Imports

api-ms-win-core-crt-l1-1-0

_wcslwr_s
memcmp
memcpy
memmove
towlower
wcscmp
_wtoi
qsort_s
wcstok_s
swprintf_s
sprintf_s
__C_specific_handler
wcscpy_s
wcsnlen
wcsstr
memset
wcstoul
_wtol
_ultow_s
wcsrchr
wcsncmp
_wcsicmp
wcschr
_wcsnicmp
iswctype
memmove_s
_vsnwprintf_s
memcpy_s

api-ms-win-core-crt-l2-1-0

_purecall
exit
_onexit
__dllonexit3
_initterm
_initterm_e

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
GetModuleFileNameA
FreeLibrary
GetModuleHandleExW
LoadStringW
GetModuleHandleW
GetProcAddress

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
CreateWaitableTimerExW
InitializeSRWLock
ReleaseSemaphore
OpenEventW
ReleaseMutex
WaitForSingleObject
CancelWaitableTimer
DeleteCriticalSection
EnterCriticalSection
CreateSemaphoreExW
AcquireSRWLockShared
SetEvent
ReleaseSRWLockExclusive
CreateMutexExW
SetWaitableTimer
InitializeCriticalSectionEx
CreateEventW
TryAcquireSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
WaitForMultipleObjectsEx
ReleaseSRWLockShared
ResetEvent
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree
HeapSetInformation

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetErrorMode
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolCleanupGroupMembers
CloseThreadpool
CloseThreadpoolCleanupGroup
CreateThreadpoolWork
CloseThreadpoolWork
SetThreadpoolTimer
CloseThreadpoolTimer
CreateThreadpoolCleanupGroup
SubmitThreadpoolWork
CreateThreadpool
TrySubmitThreadpoolCallback
CreateThreadpoolTimer
CallbackMayRunLong
WaitForThreadpoolTimerCallbacks

api-ms-win-core-processthreads-l1-1-0

OpenProcessToken
GetCurrentThread
SetThreadPriority
ResumeThread
GetExitCodeProcess
GetProcessTimes
CreateProcessAsUserW
GetCurrentProcess
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
CreateProcessW
SetProcessShutdownParameters
OpenThreadToken
TerminateProcess
GetCurrentThreadId
GetProcessId
GetCurrentProcessId
CreateThread
DeleteProcThreadAttributeList
ExitThread

api-ms-win-core-localization-l1-2-0

GetThreadUILanguage
FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

rpcrt4

RpcServerUseProtseqEpW
RpcAsyncAbortCall
UuidCreateNil
I_RpcBindingIsClientLocal
I_RpcSessionStrictContextHandle
I_RpcBindingInqLocalClientPID
UuidEqual
RpcServerUnsubscribeForNotification
RpcServerSubscribeForNotification
I_RpcMapWin32Status
UuidCreate
RpcStringFreeW
UuidFromStringW
NdrClientCall3
I_RpcExceptionFilter
RpcStringBindingComposeW
RpcBindingFromStringBindingW
UuidToStringW
RpcBindingFree
RpcServerInqCallAttributesA
RpcServerInqDefaultPrincNameW
RpcServerRegisterAuthInfoW
RpcEpRegisterW
RpcImpersonateClient
RpcAsyncCompleteCall
RpcRevertToSelf
RpcServerInqCallAttributesW
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcServerInqBindings
RpcServerUseProtseqW
RpcServerRegisterIfEx
RpcServerInqBindingHandle
RpcServerRegisterIf3
RpcBindingVectorFree
RpcServerUnregisterIf
NdrAsyncServerCall
NdrServerCall2
RpcServerRegisterIf
RpcMgmtWaitServerListen
RpcMgmtStopServerListening
RpcServerListen

api-ms-win-core-sysinfo-l1-1-0

GetSystemWindowsDirectoryW
GetVersionExW
GlobalMemoryStatusEx
GetSystemDirectoryW
GetTickCount
GetSystemTimeAsFileTime
GetSystemTime
GetComputerNameExW
GetTickCount64

api-ms-win-security-base-l1-1-0

SetTokenInformation
AddAccessAllowedAce
InitializeAcl
SetKernelObjectSecurity
SetSecurityDescriptorDacl
SetFileSecurityW
GetKernelObjectSecurity
AdjustTokenPrivileges
SetSecurityDescriptorSacl
FreeSid
SetSecurityDescriptorGroup
AddAuditAccessAceEx
AddAccessDeniedAceEx
GetSecurityDescriptorDacl
AllocateAndInitializeSid
AllocateLocallyUniqueId
SetSecurityDescriptorOwner
GetLengthSid
InitializeSecurityDescriptor
GetSecurityDescriptorControl
GetAce
AddAce
AddAccessAllowedAceEx
IsValidAcl
EqualSid
GetTokenInformation
RevertToSelf
ImpersonateLoggedOnUser
SetSecurityDescriptorControl
CheckTokenMembership
CopySid

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegEnumKeyExW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegDeleteTreeW
RegSetValueExW
RegEnumValueW
RegQueryInfoKeyW
RegNotifyChangeKeyValue
RegDeleteValueW
RegLoadMUIStringW
RegSetKeySecurity
RegGetKeySecurity

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
ExpandEnvironmentStringsW
SearchPathW

api-ms-win-core-wow64-l1-1-1

GetSystemWow64DirectoryW
IsWow64Process2

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventWriteTransfer
EventActivityIdControl
EventUnregister

api-ms-win-core-realtime-l1-1-0

QueryUnbiasedInterruptTime

api-ms-win-core-processthreads-l1-1-1

OpenProcess
SetProcessMitigationPolicy

api-ms-win-core-processthreads-l1-1-3

GetProcessInformation

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-file-l1-1-0

CreateDirectoryW
FindClose
CompareFileTime
FindFirstFileW
FindNextFileW
RemoveDirectoryW
DeleteFileW
SetFileInformationByHandle
CreateFileW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-sysinfo-l1-2-6

IsUserCetAvailableInEnvironment

api-ms-win-core-sysinfo-l1-2-3

GetOsManufacturingMode

api-ms-win-core-console-l1-1-0

SetConsoleCtrlHandler

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
RtlCompareMemory

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

ntdll

NtAdjustPrivilegesToken
RtlCreateSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlCreateAcl
RtlAddAccessAllowedAce
RtlGetAce
RtlAddAccessDeniedAce
RtlSetDaclSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
RtlTestProtectedAccess
RtlSetProcessIsCritical
TpReleaseWork
RtlIsStateSeparationEnabled
NtOpenProcessToken
NtOpenEvent
TpAllocPool
TpSetPoolMinThreads
TpAllocTimer
TpAllocWork
RtlUnhandledExceptionFilter
RtlInitializeCriticalSection
NtShutdownSystem
NtInitializeRegistry
NtSetSystemEnvironmentValue
NtQuerySystemInformation
RtlWow64IsWowGuestMachineSupported
wcscspn
RtlSetSaclSecurityDescriptor
RtlInitializeSid
RtlSubAuthorityCountSid
RtlAddAce
RtlLengthRequiredSid
RtlDeriveCapabilitySidsFromName
RtlNewSecurityObject
NtAccessCheckAndAuditAlarm
RtlUnicodeStringToAnsiString
RtlInitAnsiString
RtlGetPersistedStateLocation
wcscat_s
EtwRegisterTraceGuidsW
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwGetTraceEnableFlags
RtlUnicodeStringToInteger
_ltow_s
EtwUnregisterTraceGuids
RtlAcquireResourceShared
RtlAreAllAccessesGranted
NtPrivilegeCheck
NtOpenThreadToken
RtlLengthSid
RtlCopyUnicodeString
NtFilterToken
NtClose
RtlReleaseSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockShared
NtAccessCheck
RtlAcquireSRWLockExclusive
NtPrivilegeObjectAuditAlarm
RtlNtStatusToDosError
RtlCopySid
RtlInitUnicodeString
EtwTraceMessage
RtlFreeHeap
RtlMapGenericMask
RtlAllocateHeap
RtlValidRelativeSecurityDescriptor
RtlQuerySecurityObject
RtlSetSecurityObject
RtlEqualSid
RtlGetOwnerSecurityDescriptor
RtlCreateServiceSid
NtCloseObjectAuditAlarm
NtDuplicateToken
NtCreateWnfStateName
NtOpenThread
NtQueueApcThread
RtlQueueApcWow64Thread
TpWaitForTimer
TpSetTimer
NtQueryInformationFile
NtSetInformationFile
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
NtWaitForSingleObject
NtQueryDirectoryFile
NtDeleteFile
EtwEventWrite
EtwEventEnabled
EtwEventRegister
EvtIntReportEventAndSourceAsync
RtlUnsubscribeWnfNotificationWaitForCompletion
NtQueryWnfStateData
RtlSubAuthoritySid
RtlReplaceSystemDirectoryInPath
RtlExpandEnvironmentStrings
RtlSetControlSecurityDescriptor
RtlRegisterWait
NtDeleteKey
NtEnumerateKey
NtDeleteValueKey
NtSetValueKey
NtQueryValueKey
NtQueryKey
NtCreateKey
RtlValidSecurityDescriptor
RtlSetEnvironmentVariable
RtlUnsubscribeWnfStateChangeNotification
RtlNtStatusToDosErrorNoTeb
NtSetInformationToken
TpReleaseTimer
RtlGetDeviceFamilyInfoEnum
RtlGetCurrentServiceSessionId
TpSetTimerEx
RtlEqualUnicodeString
NtUnloadDriver
NtQueryDirectoryObject
NtOpenDirectoryObject
NtLoadDriver
RtlRandom
NtSetEvent
RtlSubscribeWnfStateChangeNotification
RtlGetNtProductType
RtlLengthSecurityDescriptor
NtDeleteWnfStateName
NtSetInformationProcess
RtlInitializeResource
TpPostWork
RtlCopyLuid
RtlDeleteSecurityObject
RtlExpandEnvironmentStrings_U
RtlDeregisterWait
NtPowerInformation
DbgPrint
RtlVerifyVersionInfo
RtlDosPathNameToNtPathName_U_WithStatus
RtlCreateProcessParametersEx
NtCreateUserProcess
WinSqmStartSqmOptinListener
DbgPrintEx
RtlPublishWnfStateData
RtlCompareUnicodeString
NtQueryInformationToken
RtlInitUnicodeStringEx
NtQueryInformationProcess
RtlInitializeSRWLock
NtOpenFile
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
NtDeleteObjectAuditAlarm
RtlAcquireResourceExclusive
RtlDeleteRegistryValue
RtlQueryRegistryValuesEx
RtlAnsiStringToUnicodeString
NtSetInformationThread
NtOpenKey
RtlReleaseResource

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-localization-private-l1-1-0

LoadStringByReference

api-ms-win-core-state-helpers-l1-1-0

GetRegistryValueWithFallbackW

dpapi

CryptResetMachineCredentials

eventaggregation

EAQueryAggregateEventData
EaFreeAggregatedEventParameters
EaQueryAggregatedEventParameters
EACreateAggregateEvent
EaCreateAggregatedEvent
BriCreateBrokeredEvent
EaDeleteAggregatedEvent
BriDeleteBrokeredEvent
EADeleteAggregateEvent

api-ms-win-eventing-controller-l1-1-0

EnableTraceEx2
StartTraceW
ControlTraceW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-devices-config-l1-1-1

CM_Get_DevNode_Status
CM_Setup_DevNode
CM_Query_And_Remove_SubTreeW
CM_Locate_DevNodeW
CM_Get_DevNode_Registry_PropertyW
CM_Get_Device_ID_ListW
CM_Get_Device_ID_List_SizeW

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

devobj

DevObjOpenDevRegKey
DevObjCreateDeviceInfoList
DevObjOpenDeviceInfo
DevObjDestroyDeviceInfoList
DevObjGetClassDevs
DevObjEnumDeviceInfo
DevObjGetDeviceInfoListDetail
DevObjGetDeviceRegistryProperty
DevObjGetDeviceInstanceId
DevObjDeleteDeviceInfo
DevObjGetDeviceProperty

api-ms-win-core-threadpool-private-l1-1-0

RegisterWaitForSingleObjectEx

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

Sections

.text
Size: 515KB - Virtual size: 515KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 115KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d1098e3a37f227b6ff6bd36c1801edfa

Code Sign

33:00:00:04:49:80:8e:a7:5d:6e:2d:36:87:00:00:00:00:04:49Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

34:06:42:b6:81:c7:71:26:33:d5:74:45:bc:f4:70:d7:e5:47:4a:01:68:c9:f1:9e:41:5c:86:c7:7c:b9:a3:43Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-crt-l1-1-0

api-ms-win-core-crt-l2-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

rpcrt4

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-wow64-l1-1-1

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-realtime-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-sysinfo-l1-2-6

api-ms-win-core-sysinfo-l1-2-3

api-ms-win-core-console-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

ntdll

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-localization-private-l1-1-0

api-ms-win-core-state-helpers-l1-1-0

dpapi

eventaggregation

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

devobj

api-ms-win-core-threadpool-private-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

Sections

.text Size: 515KB - Virtual size: 515KB

.rdata Size: 115KB - Virtual size: 114KB

.data Size: 2KB - Virtual size: 7KB

.pdata Size: 20KB - Virtual size: 20KB

.didat Size: 1024B - Virtual size: 784B

.rsrc Size: 26KB - Virtual size: 25KB

.reloc Size: 2KB - Virtual size: 1KB

33:00:00:04:49:80:8e:a7:5d:6e:2d:36:87:00:00:00:00:04:49
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

34:06:42:b6:81:c7:71:26:33:d5:74:45:bc:f4:70:d7:e5:47:4a:01:68:c9:f1:9e:41:5c:86:c7:7c:b9:a3:43
Signer

.text
Size: 515KB - Virtual size: 515KB

.rdata
Size: 115KB - Virtual size: 114KB

.data
Size: 2KB - Virtual size: 7KB

.pdata
Size: 20KB - Virtual size: 20KB

.didat
Size: 1024B - Virtual size: 784B

.rsrc
Size: 26KB - Virtual size: 25KB

.reloc
Size: 2KB - Virtual size: 1KB