81b0a1a530764864f02f32283b7fa6b717903fee7a5387aa98da56367a2dc408

Sharing

Copy URL

Twitter E-mail

General

Target

81b0a1a530764864f02f32283b7fa6b717903fee7a5387aa98da56367a2dc408
Size

668KB
MD5

98c42540afcb2c07c9926afa06b3671a
SHA1

2c6e0a1bc70f8579e3db65e3b2cfa86ecb160a04
SHA256

81b0a1a530764864f02f32283b7fa6b717903fee7a5387aa98da56367a2dc408
SHA512

94db8257420f2e0f44889b74e3ea884f0d0fb9e456a2f5351d7e10d9c0de8e9c5a3dae5822531e348e0c0f94eff82095a283f5f45ef42f57c43e17cd1e99819d
SSDEEP

12288:i/gXFRZLI+cbEkxg93lT+MHLiHuCnJe/BPM8VCE9ra/WFybyrd0SkqCGPedKwbvE:VFnLI7uxbLIJe/BPM8Jd0S6FsWrEH7X

Score

1^/10

Malware Config

Signatures

Files

81b0a1a530764864f02f32283b7fa6b717903fee7a5387aa98da56367a2dc408
.dll windows:10 windows x86 arch:x86

f40325cdbd282e91e1bdaec0f8d00fd1

Code Sign

33:00:00:00:8f:d7:76:15:b9:cd:45:8a:74:00:00:00:00:00:8f
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07-10-2015 18:14

Not After

07-01-2017 18:14

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:F528-3777-8A76,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04-06-2015 17:42

Not After

04-09-2016 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31-08-2010 22:19

Not After

31-08-2020 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01-10-2014 18:06

Not After

01-01-2016 18:06

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06-07-2010 20:40

Not After

06-07-2025 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e1:4a:c0:9f:8e:6a:78:bb:59:df:b8:12:ab:a1:f6:5c:75:e3:17:e3:55:74:96:2b:d7:09:99:00:d1:0b:fb:ae
Signer

Actual PE Digest

e1:4a:c0:9f:8e:6a:78:bb:59:df:b8:12:ab:a1:f6:5c:75:e3:17:e3:55:74:96:2b:d7:09:99:00:d1:0b:fb:ae

Digest Algorithm

sha256

PE Digest Matches

false

f4:b6:86:c4:47:1e:7b:09:c3:ff:a4:60:07:31:40:95:0d:ef:5a:c4
Signer

Actual PE Digest

f4:b6:86:c4:47:1e:7b:09:c3:ff:a4:60:07:31:40:95:0d:ef:5a:c4

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

wimgapi.pdb

Imports

msvcrt

memcmp
bsearch
memcpy_s
memmove_s
memcpy
_callnewh
iswspace
_purecall
_vscwprintf
wcstoul
_wcsupr
qsort
wcschr
_wcsrev
_wcslwr
_snwprintf_s
towlower
towupper
memmove
wcsncmp
wcsnlen
wcsstr
_vsnwprintf
_wtoi
_wcsnicmp
swscanf_s
wcsrchr
_wcsicmp
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
_initterm
malloc
free
_amsg_exit
_XcptFilter
memset

kernel32

GetVolumePathNamesForVolumeNameW
LoadLibraryW
RaiseException
ExpandEnvironmentStringsW
GetVolumeNameForVolumeMountPointW
GetCurrentDirectoryW
GetVolumePathNameW
GetModuleHandleW
CreateSemaphoreExW
GetExitCodeProcess
CreateProcessW
GetLogicalDriveStringsW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
WaitForMultipleObjectsEx
CopyFileExW
CreateThread
CreateSemaphoreW
WaitForMultipleObjects
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
DisableThreadLibraryCalls
GetLastError
GetHandleInformation
SetLastError
SetFilePointerEx
CloseHandle
SetEndOfFile
CompareStringW
HeapFree
GetProcessHeap
DeleteFileW
CreateFileW
GetFileInformationByHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetDriveTypeW
RemoveDirectoryW
DeviceIoControl
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetFileSizeEx
GetFullPathNameW
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
GetFinalPathNameByHandleW
SetEvent
LockFileEx
UnlockFileEx
HeapReAlloc
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
WaitForSingleObject
ReleaseMutex
WideCharToMultiByte
OpenProcess
InitializeCriticalSectionAndSpinCount
GetVolumeInformationByHandleW
SetFileAttributesW
GlobalMemoryStatusEx
LoadLibraryExW
FreeLibrary
GetProcAddress
GetVolumeInformationW
DuplicateHandle
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
OpenEventW
GetPrivateProfileSectionW
ReleaseSemaphore
CreateEventW

bcrypt

BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptDestroyHash

fltlib

FilterAttach
FilterLoad

ntdll

RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlReAllocateHeap
RtlGetVersion
RtlDosPathNameToNtPathName_U_WithStatus
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
RtlInitUnicodeString
NtQuerySecurityObject
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryInformationProcess
NtQueryInformationFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
NtSetInformationFile
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlRaiseStatus
NtYieldExecution
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError

advapi32

RegDeleteKeyExW
WriteEncryptedFileRaw
SetThreadToken
RegQueryValueExW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
CloseEncryptedFileRaw
ReadEncryptedFileRaw
LookupPrivilegeValueW
AdjustTokenPrivileges
RegOpenKeyExW
OpenEncryptedFileRawW
AddAccessAllowedAceEx
RevertToSelf
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
GetAclInformation
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey

user32

CharUpperW

rpcrt4

RpcBindingFree
RpcBindingSetAuthInfoW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
UuidCreate
UuidToStringW
RpcStringFreeW
UuidFromStringW
NdrClientCall2

version

GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry

Sections

.text
Size: 534KB - Virtual size: 533KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f40325cdbd282e91e1bdaec0f8d00fd1

Code Sign

33:00:00:00:8f:d7:76:15:b9:cd:45:8a:74:00:00:00:00:00:8fCertificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7bCertificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

e1:4a:c0:9f:8e:6a:78:bb:59:df:b8:12:ab:a1:f6:5c:75:e3:17:e3:55:74:96:2b:d7:09:99:00:d1:0b:fb:aeSigner

f4:b6:86:c4:47:1e:7b:09:c3:ff:a4:60:07:31:40:95:0d:ef:5a:c4Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

bcrypt

fltlib

ntdll

advapi32

user32

rpcrt4

version

Exports

Exports

Sections

.text Size: 534KB - Virtual size: 533KB

.data Size: 1024B - Virtual size: 3KB

.idata Size: 7KB - Virtual size: 6KB

.rsrc Size: 15KB - Virtual size: 14KB

.reloc Size: 19KB - Virtual size: 18KB

33:00:00:00:8f:d7:76:15:b9:cd:45:8a:74:00:00:00:00:00:8f
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

e1:4a:c0:9f:8e:6a:78:bb:59:df:b8:12:ab:a1:f6:5c:75:e3:17:e3:55:74:96:2b:d7:09:99:00:d1:0b:fb:ae
Signer

f4:b6:86:c4:47:1e:7b:09:c3:ff:a4:60:07:31:40:95:0d:ef:5a:c4
Signer

.text
Size: 534KB - Virtual size: 533KB

.data
Size: 1024B - Virtual size: 3KB

.idata
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 15KB - Virtual size: 14KB

.reloc
Size: 19KB - Virtual size: 18KB