MsSense.pdb
Static task
static1
Behavioral task
behavioral1
Sample
60c481299158ba65832c22b07884a267a85fe996ba372c36131b485a8df7dfca.exe
Resource
win10v2004-20240226-en
General
-
Target
60c481299158ba65832c22b07884a267a85fe996ba372c36131b485a8df7dfca
-
Size
6.0MB
-
MD5
5d1691031f5a6f9c0a5fc9008fe189c7
-
SHA1
f631c4c0932d1e63c36ca64c17656879e8d102ff
-
SHA256
60c481299158ba65832c22b07884a267a85fe996ba372c36131b485a8df7dfca
-
SHA512
ed84592439a004040cbcf238550f982f7378c2706dfee0824c5a7815808be64a07ebcf7b69b834f7c5f63f948ff5b4fe25b374bf244a1212d518ddb171c2f536
-
SSDEEP
49152:QQErxQId8Mcw22piLdqfRe85eoFlmPv0GhCSTqV0CdeMYd5VArH01e1aA4SGQ6Zh:3IRQqpohjTp+tN4bvplarTziD93YC
Malware Config
Signatures
-
Detects executables embedding a registry key / value combination indicative of disabling Windows Defender features — 1 IoC. Note: this is a static string match on key/value names, not an observed registry write. The sample's PDB name (MsSense.pdb) and imports (mssecuser, tellib, RegisterWaitUntilOOBECompleted) are consistent with a Defender sensor component, which legitimately references these keys, so confirm against actual registry activity in the behavioral task before treating the match as tampering.
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender -
Unsigned PE — 1 IoC
Checks for a missing embedded Authenticode signature. Caveat: genuine Windows components are frequently catalog-signed rather than carrying an embedded signature, so this check alone does not establish that the file is untrusted or modified; verify with a catalog-aware tool (e.g. sigcheck or Get-AuthenticodeSignature on a Windows host with the matching catalogs) and compare the hashes above against a known-good copy of the binary.
resource 60c481299158ba65832c22b07884a267a85fe996ba372c36131b485a8df7dfca
Files
-
60c481299158ba65832c22b07884a267a85fe996ba372c36131b485a8df7dfca.exe windows:10 windows x64 arch:x64
706af98180258975db0a8df5a7b95eb1
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths (the extracted path, MsSense.pdb, is listed at the head of this report; the name is associated with the Microsoft Defender for Endpoint sensor binary, which is consistent with the mssecuser/tellib imports below — treat this as a claim by the file, not proof of provenance)
Imports
msvcp_win
?swap@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXAEAV12@@Z
?swap@?$basic_iostream@_WU?$char_traits@_W@std@@@std@@IEAAXAEAV12@@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Mtx_init
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@M@Z
_Thrd_join
_Thrd_start
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z
_Xtime_get_ticks
_Cnd_timedwait
_Mtx_current_owns
_Cnd_destroy_in_situ
_Cnd_init_in_situ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
_Cnd_init
_Cnd_wait
_Cnd_signal
_Cnd_destroy
_Mtx_destroy
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Throw_Cpp_error@std@@YAXH@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
?_XGetLastError@std@@YAXXZ
?widen@?$ctype@_W@std@@QEBA_WD@Z
_Thrd_id
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
_Cnd_do_broadcast_at_thread_exit
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
?tolower@?$ctype@D@std@@QEBADD@Z
?widen@?$ctype@D@std@@QEBADD@Z
?narrow@?$ctype@D@std@@QEBADDD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?exceptions@ios_base@std@@QEAAXH@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@I@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA_N_N@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
_Query_perf_counter
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$numpunct@D@std@@2V0locale@2@A
?uncaught_exception@std@@YA_NXZ
?classic@locale@std@@SAAEBV12@XZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
_Query_perf_frequency
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?id@?$collate@_W@std@@2V0locale@2@A
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@_W@std@@QEBA_NF_W@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
_Wcscoll
_Wcsxfrm
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAN@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_J@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAI@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAH@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAM@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAG@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAF@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_N@Z
?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_K@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?_Xbad_alloc@std@@YAXXZ
_Mtx_init_in_situ
_Mtx_destroy_in_situ
?_Xbad_function_call@std@@YAXXZ
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
_Mtx_unlock
_Mtx_lock
?_Throw_C_error@std@@YAXH@Z
?_Winerror_message@std@@YAKKPEADK@Z
?_Winerror_map@std@@YAHH@Z
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@_W@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?toupper@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrToBool@@YA_NPEBX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Xlength_error@std@@YAXPEBD@Z
api-ms-win-crt-runtime-l1-1-0
_initterm
_initterm_e
_c_exit
_register_thread_local_exe_atexit_callback
api-ms-win-crt-string-l1-1-0
wcscmp
memset
wcsncmp
wcsnlen
strnlen
strncmp
api-ms-win-crt-private-l1-1-0
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__strnicmp
_o__ui64toa_s
_o__ui64tow_s
_o__unlock_file
_o__wcsicmp
_o__wcsnicmp
_o__wcstod_l
_o__wgetenv_s
_o__wmakepath_s
_o__wsplitpath_s
_o__wtoi64
_o_bsearch
_o_calloc
_o_exit
_o_fclose
_o_fflush
_o_fgetc
_o_fgetpos
_o_fputc
_o_fread
_o_free
_o_fsetpos
_o_fwrite
_o_isalpha
_o_isdigit
_o_isspace
_o_iswspace
_o_isxdigit
_o_malloc
_o_pow
memmove
_o_qsort
_o_rand
_o_realloc
_o_setvbuf
_o_strftime
_o_terminate
_o_tolower
_o_toupper
_o_towlower
_o_ungetc
_o_wcscpy_s
_o_wcstol
_o_wcstoul
__C_specific_handler
_CxxThrowException
_o__itoa_s
_o__isctype_l
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__i64tow_s
_o__i64toa_s
_o__gmtime64_s
_o__get_stream_buffer_pointers
_o__get_initial_wide_environment
_o__fseeki64
_o__free_locale
_o__free_base
_o__exit
_o__errno
_o__crt_atexit
_o__create_locale
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__callnewh
_o__malloc_base
_o__atodbl
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___stdio_common_vfprintf
_o___std_type_info_name
_o___std_exception_destroy
_o___std_exception_copy
_o___pctype_func
_o___p__commode
_o___p___wargv
_o___p___argc
_o___acrt_iob_func
__std_terminate
__CxxFrameHandler3
_o__lock_file
__RTDynamicCast
memchr
memcmp
memcpy
wcschr
wcsrchr
strchr
__RTtypeid
__std_type_info_compare
__std_type_info_hash
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleW
GetProcAddress
GetModuleHandleExW
GetModuleFileNameA
api-ms-win-core-synch-l1-1-0
ReleaseSRWLockExclusive
ReleaseMutex
CreateMutexExW
SetEvent
EnterCriticalSection
CreateEventW
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
WaitForSingleObject
ReleaseSemaphore
InitializeCriticalSectionEx
CreateSemaphoreExW
AcquireSRWLockExclusive
LeaveCriticalSection
OpenSemaphoreW
CreateEventExW
WaitForSingleObjectEx
api-ms-win-core-heap-l1-1-0
HeapSize
HeapAlloc
HeapDestroy
HeapReAlloc
HeapFree
GetProcessHeap
api-ms-win-core-errorhandling-l1-1-0
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError
GetLastError
api-ms-win-core-processthreads-l1-1-0
TerminateProcess
OpenProcessToken
GetCurrentProcess
CreateProcessAsUserW
GetCurrentProcessId
GetCurrentThreadId
api-ms-win-core-localization-l1-2-0
FormatMessageW
api-ms-win-core-debug-l1-1-0
DebugBreak
OutputDebugStringW
IsDebuggerPresent
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-eventing-provider-l1-1-0
EventSetInformation
EventUnregister
EventWriteTransfer
EventRegister
EventActivityIdControl
EventProviderEnabled
api-ms-win-core-synch-l1-2-0
InitOnceComplete
InitOnceBeginInitialize
SleepConditionVariableSRW
WakeByAddressSingle
WaitOnAddress
api-ms-win-core-threadpool-l1-2-0
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWait
CloseThreadpoolWait
SetThreadpoolWait
TrySubmitThreadpoolCallback
api-ms-win-core-registry-l1-1-0
RegOpenKeyExW
RegSetValueExW
RegNotifyChangeKeyValue
RegCloseKey
RegCreateKeyExW
RegGetValueW
RegQueryInfoKeyW
RegEnumKeyExW
RegQueryValueExW
api-ms-win-core-kernel32-legacy-l1-1-0
UnregisterWait
RegisterWaitForSingleObject
api-ms-win-service-core-l1-1-0
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerExW
api-ms-win-oobe-notification-l1-1-0
RegisterWaitUntilOOBECompleted
UnregisterWaitUntilOOBECompleted
api-ms-win-core-rtlsupport-l1-1-0
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
api-ms-win-core-processthreads-l1-1-1
IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0
GetSystemTimeAsFileTime
api-ms-win-core-interlocked-l1-1-0
InterlockedPushEntrySList
InitializeSListHead
api-ms-win-core-com-l1-1-0
CoGetObjectContext
CoTaskMemAlloc
CoIncrementMTAUsage
user32
RegisterDeviceNotificationW
UnregisterDeviceNotification
tellib
TelLib_Initialize
TelLib_SetNetworkActivityCallback
TelLib_EventWrite
TelLib_SetConnectedStandby
TelLib_SetTimerValue
TelLib_SetNetworkState
TelLib_SetDiskActivityCallback
TelLib_SetBatteryState
TelLib_SetUploadUrls
TelLib_SetProxyInfo
TelLib_SetDiskQuota
TelLib_SetDailyUploadQuota
TelLib_ForceUpload
TelLib_Cleanup
TelLib_SetGeneralQuietMode
TelLib_SetAgentConnectivityCallback
TelLib_SetBandwidthExceededChangedCallback
TelLib_SetUploadFailedCallback
api-ms-win-security-isolatedcontainer-l1-1-1
IsProcessInWDAGContainer
wldp
WldpQueryWindowsLockdownMode
winipcfile
ord3
kernel32
WaitForThreadpoolTimerCallbacks
CreateJobObjectW
AssignProcessToJobObject
CloseThreadpoolTimer
SetInformationJobObject
WakeConditionVariable
FindFirstFileW
RemoveDirectoryW
DeleteFileW
MoveFileExW
CopyFileW
GetEnvironmentVariableW
CancelIo
DuplicateHandle
UnregisterWaitEx
GetOverlappedResultEx
GetFileInformationByHandleEx
GetCurrentThread
SetThreadpoolTimer
CreateThreadpoolTimer
GetFileSize
InitializeCriticalSection
GetComputerNameExW
ReadProcessMemory
CompareStringW
GetTickCount64
LoadLibraryW
InitializeConditionVariable
CompareFileTime
ReleaseSRWLockShared
AcquireSRWLockShared
LocalFree
CreateThread
FindClose
FindFirstFileExW
FindNextFileW
Sleep
VerSetConditionMask
VerifyVersionInfoW
WideCharToMultiByte
MultiByteToWideChar
GetPackageFullName
OpenProcess
GetProcessTimes
SystemTimeToFileTime
WaitForMultipleObjects
SleepConditionVariableCS
FreeLibrary
IsThreadpoolTimerSet
GetExitCodeProcess
SwitchToThread
FileTimeToSystemTime
SetThreadPriority
QueryThreadCycleTime
GetSystemTime
QueryPerformanceFrequency
GetDateFormatW
GetTimeZoneInformation
GetWindowsDirectoryW
ExpandEnvironmentStringsW
ResetEvent
RaiseException
GetTickCount
CreateDirectoryW
ReadFile
WriteFile
GetTempPathW
CreateFileW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
SetFilePointer
GetFirmwareType
QueryProcessCycleTime
GetSystemPreferredUILanguages
GetUserPreferredUILanguages
GetComputerNameW
GetProductInfo
GetSystemDirectoryW
K32EnumProcessModules
K32GetProcessMemoryInfo
SetHandleInformation
GetEnabledXStateFeatures
InstallELAMCertificateInfo
WTSGetActiveConsoleSessionId
GetSystemInfo
GetTempFileNameW
GetFileSizeEx
GetFileAttributesW
GetModuleFileNameW
GetVersionExW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
QueryFullProcessImageNameW
QueryDosDeviceW
GetVolumeInformationW
FindFirstVolumeW
DeviceIoControl
FindVolumeClose
GetVolumePathNamesForVolumeNameW
FindNextVolumeW
GetDriveTypeW
GetProcessMitigationPolicy
GetProcessId
SetFilePointerEx
GetFileTime
CreatePipe
SetProcessMitigationPolicy
urlmon
FindMimeFromData
api-ms-win-crt-time-l1-1-0
_time64
api-ms-win-security-sddl-l1-1-0
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSidToSidW
api-ms-win-eventing-controller-l1-1-0
EnumerateTraceGuidsEx
StartTraceW
ControlTraceW
StopTraceW
EnableTraceEx2
api-ms-win-eventing-consumer-l1-1-0
OpenTraceW
ProcessTrace
CloseTrace
rpcrt4
RpcBindingFree
NdrClientCall3
RpcStringBindingComposeW
RpcBindingFromStringBindingW
UuidCompare
UuidHash
UuidFromStringW
UuidCreate
RpcStringFreeW
UuidToStringW
RpcExceptionFilter
api-ms-win-eventing-tdh-l1-1-0
TdhGetPropertySize
TdhGetEventInformation
TdhGetProperty
api-ms-win-security-base-l1-1-0
GetTokenInformation
EqualSid
IsWellKnownSid
DuplicateTokenEx
CreateRestrictedToken
DestroyPrivateObjectSecurity
GetSidSubAuthorityCount
RevertToSelf
IsValidSid
FreeSid
AdjustTokenPrivileges
ImpersonateLoggedOnUser
GetLengthSid
GetSidSubAuthority
api-ms-win-core-shlwapi-legacy-l1-1-0
PathFileExistsW
PathFindFileNameW
PathFindExtensionW
ntdll
RtlCreateUnicodeString
NtDeleteValueKey
RtlFreeUnicodeString
NtSetInformationProcess
NtQueryWnfStateData
RtlIpv4AddressToStringExW
RtlInitUnicodeString
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlIpv6AddressToStringExW
NtDeleteKey
RtlSubscribeWnfStateChangeNotification
NtOpenFile
RtlQueryImageMitigationPolicy
NtQuerySystemInformation
ZwQueryEaFile
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
crypt32
CryptImportPublicKeyInfo
CertOpenStore
CertFreeCertificateChain
CertAddCertificateContextToStore
CryptBinaryToStringA
CertGetCertificateChain
CryptStringToBinaryW
CertCloseStore
CertFreeCertificateContext
CertCreateCertificateContext
CertFindExtension
CertGetCertificateContextProperty
CertVerifyCertificateChainPolicy
CertGetNameStringW
CryptDecodeObjectEx
oleaut32
VariantInit
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayDestroy
VariantClear
SysFreeString
SysAllocStringLen
SysStringLen
SysAllocString
SysAllocStringByteLen
SysStringByteLen
SafeArrayLock
SafeArrayUnlock
SafeArrayCopy
SafeArrayGetVartype
api-ms-win-shcore-obsolete-l1-1-0
CommandLineToArgvW
api-ms-win-core-winrt-l1-1-0
RoActivateInstance
RoGetActivationFactory
api-ms-win-core-winrt-string-l1-1-0
WindowsCreateString
WindowsCreateStringReference
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsDeleteStringBuffer
WindowsPreallocateStringBuffer
WindowsPromoteStringBuffer
cabinet
ord33
ord30
ord35
api-ms-win-core-version-l1-1-1
GetFileVersionInfoSizeW
GetFileVersionInfoW
api-ms-win-core-version-l1-1-0
VerQueryValueW
GetFileVersionInfoSizeExW
api-ms-win-security-lsalookup-l2-1-0
LookupPrivilegeValueW
LookupAccountNameW
LookupAccountSidW
api-ms-win-core-version-private-l1-1-0
GetFileVersionInfoByHandle
api-ms-win-security-audit-l1-1-0
AuditSetSystemPolicy
iphlpapi
GetUnicastIpAddressTable
GetIpNetTable2
GetAdaptersAddresses
FreeMibTable
ws2_32
WSACleanup
InetNtopW
WSAStartup
api-ms-win-core-path-l1-1-0
PathCchCombine
userenv
GetAllUsersProfileDirectoryW
ExpandEnvironmentStringsForUserW
GetProfilesDirectoryW
api-ms-win-security-logon-l1-1-1
LogonUserW
samcli
NetUserEnum
netutils
NetApiBufferFree
dnsapi
DnsFree
DnsQuery_W
DnsGetCacheDataTable
bcrypt
BCryptFinishHash
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyHash
BCryptHashData
api-ms-win-service-management-l2-1-0
QueryServiceConfigW
QueryServiceConfig2W
ChangeServiceConfigW
ChangeServiceConfig2W
api-ms-win-service-management-l1-1-0
OpenSCManagerW
StartServiceW
OpenServiceW
CloseServiceHandle
api-ms-win-service-winsvc-l1-1-0
QueryServiceStatus
ControlService
api-ms-win-security-cryptoapi-l1-1-0
CryptVerifySignatureW
CryptCreateHash
CryptHashData
CryptAcquireContextW
CryptDestroyHash
CryptReleaseContext
api-ms-win-power-setting-l1-1-0
PowerSettingRegisterNotification
PowerSettingUnregisterNotification
wkscli
NetGetJoinInformation
sspicli
GetUserNameExW
api-ms-win-core-apiquery-l1-1-0
ApiSetQueryApiSetPresence
devobj
DevObjGetDeviceInterfaceDetail
DevObjEnumDeviceInterfaces
DevObjCreateDeviceInfoList
DevObjGetClassDevs
DevObjDestroyDeviceInfoList
api-ms-win-core-io-l1-1-0
GetOverlappedResult
api-ms-win-core-heap-l2-1-0
LocalAlloc
api-ms-win-core-file-l1-1-0
GetFileInformationByHandle
api-ms-win-core-delayload-l1-1-1
ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0
DelayLoadFailureHook
wevtapi
EvtClose
EvtSubscribe
EvtCreateRenderContext
EvtRender
mssecuser
SecRequestOplock
SecWriteFileSensitivityEA
SecWriteFileHashEA
SecGetProcessInfo
SecIsKernelIntegrityEnabled
SecDeleteSessionFilter
SecCreateSessionFilter
SecClearRegistryOperations
SecSetConfiguration
SecSetRegistryOperations
SecGetFileHashes
SecUnregisterConsumer
SecRegisterConsumer
SecSetFileMonitorOperations
api-ms-win-core-winrt-error-l1-1-0
GetRestrictedErrorInfo
SetRestrictedErrorInfo
api-ms-win-core-winrt-error-l1-1-1
RoOriginateLanguageException
api-ms-win-core-sysinfo-l1-2-0
GetSystemTimePreciseAsFileTime
api-ms-win-core-com-l1-1-1
RoGetAgileReference
api-ms-win-crt-math-l1-1-0
ceilf
Sections
.text Size: 3.7MB - Virtual size: 3.7MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
RT_CODE Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1.4MB - Virtual size: 1.4MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 172KB - Virtual size: 293KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 148KB - Virtual size: 147KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 376B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 31KB - Virtual size: 30KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 588KB - Virtual size: 592KB (note: the characteristics reported below mark this relocation section EXECUTE and WRITE in addition to READ/DISCARDABLE; a relocation table normally needs only IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, so RWX flags here are anomalous for a Microsoft-built binary and worth checking against a reference build, alongside the missing embedded signature)
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE