ap-file-vds[.]exe--1215879614[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

ap-file-vds.exe--1215879614.zip
Size

236KB
MD5

9c79000d77c3acc0461610c81cb12358
SHA1

2da73fa4a7c56f8147f5a44c7f17b72260c160bf
SHA256

7a163d03fd60e3233fb2566b9797b19c22b4a65d15055841702836f8471fb769
SHA512

6ffc19f74f0bc494da9bfbea8f4629bb1cef459c04b595d42abcb66d714cf6671f044191f1b2e0a40e28a88073bfecd17a3225a1b212ed39fe7fde7c9703f0b5
SSDEEP

6144:bL3cZs3P+eOLW0NK/JY/K25GFi5z61LkKkpvr5B3:n3cq3PLOLbjK25p5z2Y3vVB3

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/vds.exe

Files

ap-file-vds.exe--1215879614.zip
.zip

Password: cautionhandlewithcare
vds.exe
.exe windows:10 windows x64 arch:x64

Password: cautionhandlewithcare

22f6e6b0d1554c336379cf8bd56bd14d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

vds.pdb

Imports

user32

MessageBoxW
PostThreadMessageW
GetMessageW
DispatchMessageW
LoadStringW
CharNextW
RegisterDeviceNotificationW
UnregisterDeviceNotification
DefWindowProcW
PeekMessageW

msvcrt

wcsstr
wcsncmp
memset
towupper
wcscpy_s
swscanf_s
_ltow
free
malloc
_callnewh
_XcptFilter
memmove_s
??0exception@@QEAA@XZ
_vsnprintf_s
memcpy_s
??0exception@@QEAA@AEBV0@@Z
_amsg_exit
__set_app_type
exit
??1exception@@UEAA@XZ
_exit
rand
_wtol
time
__setusermatherr
_initterm
srand
_wcsnicmp
_wcsicmp
_vsnwprintf
_wcmdln
_fmode
_commode
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
_lock
_unlock
__C_specific_handler
__dllonexit
_onexit
_purecall
memcpy
memcmp
_CxxThrowException
__CxxFrameHandler3
_cexit
__wgetmainargs
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z

atl

ord17
ord16
ord57
ord18
ord23
ord32
ord20
ord30

ntdll

RtlReleaseResource
RtlInitializeResource
RtlAcquireResourceExclusive
RtlConvertExclusiveToShared
RtlConvertSharedToExclusive
RtlAdjustPrivilege
NtQueryVolumeInformationFile
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlDeleteResource
RtlAcquireResourceShared

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-file-l1-1-0

WriteFile
GetVolumePathNameW
ReadFile
RemoveDirectoryW
GetFileAttributesW
FindFirstVolumeW
QueryDosDeviceW
GetDriveTypeW
CreateFileW
SetFilePointerEx
FindNextVolumeW
FindVolumeClose
DefineDosDeviceW
DeleteVolumeMountPointW

api-ms-win-core-file-l1-2-0

GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-heap-l1-1-0

HeapSetInformation
HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
GetModuleHandleW
FreeLibrary
GetProcAddress
LoadLibraryExW
GetModuleHandleExW
GetModuleFileNameA

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-registry-l1-1-0

RegDeleteValueW
RegCreateKeyExW
RegQueryValueExW
RegGetValueW
RegEnumKeyExW
RegCloseKey
RegSetValueExW
RegOpenKeyExW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId
SetThreadToken
CreateThread
OpenThreadToken
OpenProcessToken
GetCurrentThread
TerminateProcess
GetCurrentProcess
GetStartupInfoW
ResumeThread

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
WaitForSingleObject
InitializeCriticalSectionEx
ReleaseMutex
ReleaseSemaphore
SetEvent
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CreateSemaphoreExW
CreateMutexExW
InitializeCriticalSection
CreateEventW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
OpenSemaphoreW

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW
WaitForMultipleObjects

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges
DuplicateTokenEx
GetSecurityDescriptorLength
MakeAbsoluteSD
IsValidSid
GetLengthSid
AddAccessAllowedAce
FreeSid
MakeSelfRelativeSD

api-ms-win-service-core-l1-1-0

SetServiceStatus
StartServiceCtrlDispatcherW

api-ms-win-service-winsvc-l1-1-0

ControlService
RegisterServiceCtrlHandlerW

api-ms-win-service-management-l1-1-0

DeleteService
CreateServiceW
CloseServiceHandle
OpenSCManagerW
OpenServiceW

api-ms-win-service-management-l2-1-0

SetServiceObjectSecurity
ChangeServiceConfig2W
QueryServiceObjectSecurity

setupapi

SetupDiEnumDeviceInterfaces
SetupDiEnumDeviceInfo
CM_Reenumerate_DevNode_Ex
SetupDiGetDeviceInterfaceDetailW
CM_Query_And_Remove_SubTreeW
CM_Get_DevNode_Status
SetupDiGetCustomDevicePropertyW
SetupDiCallClassInstaller
CM_Get_Parent
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList

osuninst

IsUninstallImageValid

vdsutil

GetDiskLayout
GetPartitionInformation
?RegisterHandle@CVdsPnPNotificationBase@@QEAAKPEAXPEAPEAX@Z
?Append@CPrvEnumObject@@QEAAJPEAUIUnknown@@@Z
?Reset@CPrvEnumObject@@UEAAJXZ
IsVdsLoggingEnabled
VdsTraceExW
GuidToString
?InsertUnique@CRtlMap@@QEAAHAEAVCRtlEntry@@0@Z
IsNoAutoMount
IsEfiFirmware
?Clear@CPrvEnumObject@@QEAAXXZ
LockDismountVolume
GetDeviceNumber
IsDriveLetter
?Next@CPrvEnumObject@@UEAAJKPEAPEAUIUnknown@@PEAK@Z
?Skip@CPrvEnumObject@@UEAAJK@Z
?Clone@CPrvEnumObject@@UEAAJPEAPEAUIEnumVdsObject@@@Z
??0CVdsAsyncObjectBase@@QEAA@XZ
??1CVdsAsyncObjectBase@@QEAA@XZ
?SetCompletionStatus@CVdsAsyncObjectBase@@QEAAXJK@Z
?Signal@CVdsAsyncObjectBase@@QEAAXXZ
VdsIscsiIpAddressToString
VdsWmiFindInstanceOfClass
VdsWmiGetUlonglongFromInstance
?QueryStatus@CVdsAsyncObjectBase@@UEAAJPEAJPEAK@Z
VdsIscsiIpsecIdToIpAddress
VdsIscsiCheckEqualIpAddress
VdsIscsiIpAddressToIpsecId
WriteBootCode
CoFreeStringArray
GetFMIFSFormatEx2Routine
GetFMIFSEnableCompressionRoutine
RemoveTempVolumeName
MountVolume
GetFileSystemRecognitionName
GetFMIFSGetDefaultFilesystemRoutine
AssignTempVolumeName
GetVolumeName
GetVolumeDiskExtentInfo
GarbageCollectDriveLetters
LockVolume
DeleteNetworkShare
GetVolumeUniqueId
GetVolumeGuidPathnames
DeleteBcdObjects
VdsIscsiCacheSessionDevices
VdsWmiGetObjectInVariantObjectArray
VdsIscsiGetIpAddressFromInstance
VdsWmiCreateClassInstance
VdsWmiSetUlongInInstance
VdsWmiCreateVariantArray
VdsWmiSetUlonglongInInstance
VdsWmiGetMethodArgumentObject
VdsWmiSetObjectInInstance
VdsWmiCallMethod
?UnregisterHandle@CVdsPnPNotificationBase@@QEAAXPEAX@Z
GetDeviceManufacturerInfo
GetMediaGeometryEx
GetStorageAccessAlignmentProperty
IsDiskClustered
IsDiskReadOnly
GetDeviceName
CreateDeviceInfoSet
GetDeviceId
GetDeviceRegistryPropertyByInfo
VdsAllocateEmptyString
GetDeviceRegistryPropertyByInst
GetDeviceLocationEx
VdsDoesDiskHaveArcPath
GetBootFromDiskNumber
GetDiskOfflineReason
GetDiskRedundancyCount
VdsAllocateString
GetDiskIdentifiers
?WaitImpl@CVdsAsyncObjectBase@@QEAAJPEAJ@Z
OpenDevice
GetInterfaceDetailData
?InsertHeadPointer@CRtlList@@QEAAHPEAX@Z
IsClientSKU
IsRunningOnAMD64
ReleaseRundownProtection
?Initialize@CVdsPnPNotificationBase@@QEAAKXZ
?Initialize@CVdsAsyncObjectBase@@SAKXZ
AcquireRundownProtection
IsWinPE
?Remove@CRtlList@@QEAAXAEAVCRtlListIter@@@Z
?InsertTailPointer@CRtlList@@QEAAHPEAX@Z
?Uninitialize@CVdsAsyncObjectBase@@SAXXZ
?Uninitialize@CVdsPnPNotificationBase@@QEAAXXZ
?Next@CRtlMapIter@@QEAAAEAV1@XZ
?Begin@CRtlMap@@QEAA?AVCRtlMapIter@@XZ
VdsTraceW
?GetEntryPointer@CRtlListIter@@QEAAPEAXXZ
VdsInitializeCriticalSection
?RemoveAll@CRtlMap@@QEAAXH@Z
??1CRtlMap@@UEAA@XZ
StopReferenceHistory
WaitForRundownProtectionRelease
StartReferenceHistory
InitializeRundownProtection
VdsDisableCOMFatalExceptionHandling
??1CGlobalResource@@QEAA@XZ
UnInitializeGlobalResouce
?Initialize@CGlobalResource@@QEAAJXZ
??0CGlobalResource@@QEAA@XZ
RemoveEventSource
VdsHeapAlloc
AddEventSource
InitializeSecurityDescriptorHelper
LogInfo
LogError
VdsHeapFree
AllocateAndGetVolumePathName
?Remove@CRtlMap@@QEAAHAEAVCRtlEntry@@@Z
VdsTraceEx
??0CRtlList@@QEAA@P6AXPEAVCRtlEntry@@@Z@Z
??1CRtlList@@QEAA@XZ
?Begin@CRtlList@@QEAA?AVCRtlListIter@@XZ
?End@CRtlList@@QEAA?AVCRtlListIter@@XZ
?RemoveAll@CRtlList@@QEAAXXZ
?GetEntry@CRtlListIter@@QEAAPEAVCRtlEntry@@XZ
?Next@CRtlListIter@@QEAAAEAV1@XZ
??0CVdsCallTracer@@QEAA@KPEBD@Z
??1CVdsCallTracer@@QEAA@XZ
??0CRtlMap@@QEAA@KP6AXPEAVCRtlEntry@@@Z1@Z
GetDeviceAndMediaType
?FindPtr@CRtlMap@@QEAAHAEAVCRtlEntry@@PEAPEAV2@@Z
?Insert@CRtlMap@@QEAAHAEAVCRtlEntry@@0@Z
VdsTrace
?Find@CRtlMap@@QEAAHAEAVCRtlEntry@@PEAV2@@Z
?Detach@CVdsWmiVariantObjectArrayEnum@@QEAAJXZ
VdsWmiCopyFromVariantByteArray
VdsWmiGetObjectFromInstance
VdsWmiGetUlongFromInstance
VdsWmiGetByteFromInstance
?Next@CVdsWmiVariantObjectArrayEnum@@QEAAJPEAPEAUIWbemClassObject@@@Z
?Attach@CVdsWmiVariantObjectArrayEnum@@QEAAJPEAUtagVARIANT@@@Z
VdsWmiConnectToNamespace
??1CVdsWmiVariantObjectArrayEnum@@QEAA@XZ
??0CVdsWmiVariantObjectArrayEnum@@QEAA@XZ
IsDiskCurrentStateReadOnly
InvalidateDiskCache
?Prev@CRtlListIter@@QEAAAEAV1@XZ

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventUnregister
EventRegister
EventSetInformation

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW
lstrcmpiW

api-ms-win-core-kernel32-legacy-l1-1-1

FindVolumeMountPointClose
FindNextVolumeMountPointW
SetVolumeMountPointW
FindFirstVolumeMountPointW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-rtlsupport-l1-1-0

RtlCompareMemory

Exports

Exports

??0?$CVdsCoTaskPtr@G@@QEAA@XZ
??0?$CVdsHandleImpl@$0?0@@QEAA@XZ
??0?$CVdsHandleImpl@$0A@@@QEAA@XZ
??0?$CVdsHeapPtr@D@@QEAA@XZ
??0?$CVdsHeapPtr@G@@QEAA@XZ
??0?$CVdsHeapPtr@J@@QEAA@XZ
??0?$CVdsHeapPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@D@@QEAA@XZ
??0?$CVdsPtr@G@@QEAA@XZ
??0?$CVdsPtr@J@@QEAA@XZ
??0?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??0?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??0?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??0?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??0?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0CPrvEnumObject@@QEAA@XZ
??0CRtlSharedLock@@QEAA@XZ
??0CVdsCriticalSection@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??0CVdsPnPNotificationBase@@QEAA@XZ
??0CVdsUnlockIt@@QEAA@AEAJ@Z
??1?$CVdsCoTaskPtr@G@@QEAA@XZ
??1?$CVdsHandleImpl@$0?0@@QEAA@XZ
??1?$CVdsHandleImpl@$0A@@@QEAA@XZ
??1?$CVdsHeapPtr@D@@QEAA@XZ
??1?$CVdsHeapPtr@G@@QEAA@XZ
??1?$CVdsHeapPtr@J@@QEAA@XZ
??1?$CVdsHeapPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@D@@QEAA@XZ
??1?$CVdsPtr@G@@QEAA@XZ
??1?$CVdsPtr@J@@QEAA@XZ
??1?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??1?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??1?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??1?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??1?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1CPrvEnumObject@@QEAA@XZ
??1CRtlSharedLock@@QEAA@XZ
??1CVdsCriticalSection@@QEAA@XZ
??1CVdsPnPNotificationBase@@QEAA@XZ
??1CVdsUnlockIt@@QEAA@XZ
??4?$CVdsHandleImpl@$0?0@@QEAAPEAXPEAX@Z
??4?$CVdsHandleImpl@$0A@@@QEAAPEAXPEAX@Z
??4?$CVdsHeapPtr@D@@QEAAPEADPEAD@Z
??4?$CVdsHeapPtr@G@@QEAAPEAGPEAG@Z
??4?$CVdsHeapPtr@J@@QEAAPEAJPEAJ@Z
??4?$CVdsHeapPtr@UFMIFS_DEF_FS_OUT@@@@QEAAPEAUFMIFS_DEF_FS_OUT@@PEAU1@@Z
??4?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAAPEAU_AUCTION_THREAD_PARAMETER@@PEAU1@@Z
??4?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAAPEAU_MOUNTMGR_MOUNT_POINT@@PEAU1@@Z
??4?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAAPEAU_MOUNTMGR_MOUNT_POINTS@@PEAU1@@Z
??4?$CVdsHeapPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@PEAU1@@Z
??8?$CVdsHandleImpl@$0?0@@QEBA_NPEAX@Z
??8?$CVdsHandleImpl@$0A@@@QEBA_NPEAX@Z
??8?$CVdsPtr@D@@QEBA_NPEAD@Z
??8?$CVdsPtr@G@@QEBA_NPEAG@Z
??8?$CVdsPtr@J@@QEBA_NPEAJ@Z
??8?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEBA_NPEAUFMIFS_DEF_FS_OUT@@@Z
??8?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEBA_NPEAU_AUCTION_THREAD_PARAMETER@@@Z
??8?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEBA_NPEAU_MOUNTMGR_MOUNT_POINT@@@Z
??8?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEBA_NPEAU_MOUNTMGR_MOUNT_POINTS@@@Z
??8?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEBA_NPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@@Z
??9?$CVdsHandleImpl@$0?0@@QEBA_NPEAX@Z
??9?$CVdsPtr@G@@QEBA_NPEAG@Z
??9?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEBA_NPEAU_DRIVE_LAYOUT_INFORMATION_EX@@@Z
??A?$CVdsPtr@J@@QEAAAEAJJ@Z
??A?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEAAAEAUFMIFS_DEF_FS_OUT@@K@Z
??B?$CVdsHandleImpl@$0?0@@QEAAPEAXXZ
??B?$CVdsHandleImpl@$0A@@@QEAAPEAXXZ
??B?$CVdsPtr@G@@QEBAPEAGXZ
??B?$CVdsPtr@J@@QEBAPEAJXZ
??B?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEBAPEAUFMIFS_DEF_FS_OUT@@XZ
??B?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEBAPEAU_AUCTION_THREAD_PARAMETER@@XZ
??B?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEBAPEAU_CLEAN_DISK_HANDLER_PARAMETER@@XZ
??B?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_FORMAT_VOLUME_THREAD_PARAMETER@@XZ
??B?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINT@@XZ
??B?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINTS@@XZ
??B?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@XZ
??C?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEBAPEAU_AUCTION_THREAD_PARAMETER@@XZ
??C?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEBAPEAU_CLEAN_DISK_HANDLER_PARAMETER@@XZ
??C?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEBAPEAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??C?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEBAPEAU_EXTEND_VOLUME_HANDLER_PARAMETER@@XZ
??C?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_FORMAT_VOLUME_THREAD_PARAMETER@@XZ
??C?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINT@@XZ
??C?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINTS@@XZ
??C?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@XZ
??I?$CVdsHandleImpl@$0?0@@QEAAPEAPEAXXZ
??I?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAAPEAPEAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??_FCRtlList@@QEAAXXZ
??_FCRtlMap@@QEAAXXZ
?AcquireRead@CRtlSharedLock@@AEAAXXZ
?AcquireWrite@CRtlSharedLock@@AEAAXXZ
?AllowCancel@CVdsAsyncObjectBase@@QEAAXXZ
?Attach@?$CVdsPtr@G@@QEAAXPEAG@Z
?Attach@?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAAXPEAU_CLEAN_DISK_HANDLER_PARAMETER@@@Z
?Attach@?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAAXPEAU_DRIVE_LAYOUT_INFORMATION_EX@@@Z
?Attach@?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAAXPEAU_EXTEND_VOLUME_HANDLER_PARAMETER@@@Z
?Attach@?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAAXPEAU_FORMAT_VOLUME_THREAD_PARAMETER@@@Z
?Attach@?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAAXPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@@Z
?Close@?$CVdsHandleImpl@$0?0@@QEAAXXZ
?CurrentThreadIsWriter@CRtlSharedLock@@QEAAHXZ
?Detach@?$CVdsHandleImpl@$0?0@@QEAAPEAXXZ
?Detach@?$CVdsHandleImpl@$0A@@@QEAAPEAXXZ
?Detach@?$CVdsPtr@G@@QEAAPEAGXZ
?Detach@?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAAPEAU_AUCTION_THREAD_PARAMETER@@XZ
?Detach@?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAAPEAU_CLEAN_DISK_HANDLER_PARAMETER@@XZ
?Detach@?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAAPEAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
?Detach@?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@XZ
?DisallowCancel@CVdsAsyncObjectBase@@QEAAXXZ
?Downgrade@CRtlSharedLock@@AEAAXXZ
?GetOutputType@CVdsAsyncObjectBase@@QEAA?AW4_VDS_ASYNC_OUTPUT_TYPE@@XZ
?IsCancelRequested@CVdsAsyncObjectBase@@QEAAHXZ
?Release@CRtlSharedLock@@AEAAXXZ
?SetOutput@CVdsAsyncObjectBase@@QEAAXU_VDS_ASYNC_OUTPUT@@@Z
?SetOutputType@CVdsAsyncObjectBase@@QEAAXW4_VDS_ASYNC_OUTPUT_TYPE@@@Z
?SetPositionToLast@CPrvEnumObject@@QEAAXXZ
?Upgrade@CRtlSharedLock@@AEAAXXZ
?ZeroAsyncOut@CVdsAsyncObjectBase@@QEAAXXZ
?m_ExtraLogging@CVdsTraceSettings@@QEAAHXZ
?m_NoDebuggerLogging@CVdsTraceSettings@@QEAAHXZ

Sections

.text
Size: 341KB - Virtual size: 340KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 310KB - Virtual size: 309KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vds.exe.METADATA

Sharing

General

Malware Config

Signatures

Files

Password: cautionhandlewithcare

Password: cautionhandlewithcare

22f6e6b0d1554c336379cf8bd56bd14d

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

user32

msvcrt

atl

ntdll

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

setupapi

osuninst

vdsutil

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

Exports

Exports

Sections

.text Size: 341KB - Virtual size: 340KB

.rdata Size: 310KB - Virtual size: 309KB

.data Size: 2KB - Virtual size: 5KB

.pdata Size: 11KB - Virtual size: 10KB

.didat Size: 512B - Virtual size: 248B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 341KB - Virtual size: 340KB

.rdata
Size: 310KB - Virtual size: 309KB

.data
Size: 2KB - Virtual size: 5KB

.pdata
Size: 11KB - Virtual size: 10KB

.didat
Size: 512B - Virtual size: 248B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 1KB