Advanced_IP_Scanner_v[.]3[.]5[.]2[.]1[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

Advanced_IP_Scanner_v.3.5.2.1.zip
Size

40.9MB
MD5

c3beb12c400729619491cb04566db8a9
SHA1

1ba7990791713ea0cf3ed6de2f254353f7be1cd0
SHA256

ca373e40e050b6ec128b65c9145549c82cb03374acae7950e1e43616b456398d
SHA512

d921bceb90b9938080180598b49ea999f8d31c766fcbda77dd0a066536a245ee2e981dc91dd42ce5ab50de6fcec42f79d5b9316a4e0b1c61b921a0e56a6ba635
SSDEEP

786432:wbe6kDXoDD6g5TzBRuz7oJIH2ksJul6xpyB7p8pp0LSH2yFp:ae6dX5TtsHo6H3l6fqpagkFp

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/msasn1.dll

Files

Advanced_IP_Scanner_v.3.5.2.1.zip
.zip
details_panel_en_us.tpl
details_panel_uk_ua.tpl
msasn1.dll
.dll windows:4 windows x64 arch:x64

0917051832e92025cd1c1c2e308a6a82

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

RevertToSelf
SetThreadToken

bcrypt

BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptOpenAlgorithmProvider

kernel32

CloseHandle
CreateFileA
CreateFileMappingA
CreateProcessA
CreateProcessW
DeleteCriticalSection
EnterCriticalSection
FindResourceA
FreeConsole
FreeLibrary
FreeResource
GetCommandLineA
GetCurrentProcess
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemTimeAsFileTime
GetThreadId
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
K32EnumProcessModules
K32GetModuleFileNameExA
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LoadResource
LockResource
MapViewOfFile
MultiByteToWideChar
OpenProcess
RaiseException
ReadProcessMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetLastError
SizeofResource
Sleep
SleepConditionVariableCS
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnmapViewOfFile
VirtualProtect
VirtualQuery
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_chmod
_chsize
_errno
_fileno
_initterm
_localtime64
_lock
_mkdir
_mktime64
_read
_stat64
_stricmp
_strnicmp
_time64
_unlock
_utime64
abort
calloc
fclose
fflush
fopen
fputc
fputs
fread
free
freopen
fseek
ftell
fwrite
getenv
iswctype
localeconv
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
realloc
remove
setlocale
strchr
strcmp
strcoll
strcpy
strerror
strftime
strlen
strncmp
strncpy
strtoul
strxfrm
towlower
towupper
vfprintf
wcscoll
wcsftime
wcslen
wcsxfrm

ntdll

NtProtectVirtualMemory
NtWriteVirtualMemory

shell32

CommandLineToArgvW
ShellExecuteExA

shlwapi

PathRemoveFileSpecA
StrStrIA

Exports

Exports

ASN1BERDecBitString
ASN1BERDecBitString2
ASN1BERDecBool
ASN1BERDecChar16String
ASN1BERDecChar32String
ASN1BERDecCharString
ASN1BERDecCheck
ASN1BERDecDouble
ASN1BERDecEndOfContents
ASN1BERDecEoid
ASN1BERDecExplicitTag
ASN1BERDecFlush
ASN1BERDecGeneralizedTime
ASN1BERDecLength
ASN1BERDecMultibyteString
ASN1BERDecNotEndOfContents
ASN1BERDecNull
ASN1BERDecObjectIdentifier
ASN1BERDecObjectIdentifier2
ASN1BERDecOctetString
ASN1BERDecOctetString2
ASN1BERDecOpenType
ASN1BERDecOpenType2
ASN1BERDecPeekTag
ASN1BERDecS16Val
ASN1BERDecS32Val
ASN1BERDecS8Val
ASN1BERDecSXVal
ASN1BERDecSkip
ASN1BERDecTag
ASN1BERDecU16Val
ASN1BERDecU32Val
ASN1BERDecU8Val
ASN1BERDecUTCTime
ASN1BERDecUTF8String
ASN1BERDecZeroChar16String
ASN1BERDecZeroChar32String
ASN1BERDecZeroCharString
ASN1BERDecZeroMultibyteString
ASN1BERDotVal2Eoid
ASN1BEREncBitString
ASN1BEREncBool
ASN1BEREncChar16String
ASN1BEREncChar32String
ASN1BEREncCharString
ASN1BEREncCheck
ASN1BEREncDouble
ASN1BEREncEndOfContents
ASN1BEREncEoid
ASN1BEREncExplicitTag
ASN1BEREncFlush
ASN1BEREncGeneralizedTime
ASN1BEREncLength
ASN1BEREncMultibyteString
ASN1BEREncNull
ASN1BEREncObjectIdentifier
ASN1BEREncObjectIdentifier2
ASN1BEREncOctetString
ASN1BEREncOpenType
ASN1BEREncRemoveZeroBits
ASN1BEREncRemoveZeroBits2
ASN1BEREncS32
ASN1BEREncSX
ASN1BEREncTag
ASN1BEREncU32
ASN1BEREncUTCTime
ASN1BEREncUTF8String
ASN1BEREncZeroMultibyteString
ASN1BEREoid2DotVal
ASN1BEREoid_free
ASN1CEREncBeginBlk
ASN1CEREncBitString
ASN1CEREncChar16String
ASN1CEREncChar32String
ASN1CEREncCharString
ASN1CEREncEndBlk
ASN1CEREncFlushBlkElement
ASN1CEREncGeneralizedTime
ASN1CEREncMultibyteString
ASN1CEREncNewBlkElement
ASN1CEREncOctetString
ASN1CEREncUTCTime
ASN1CEREncZeroMultibyteString
ASN1DEREncBeginBlk
ASN1DEREncBitString
ASN1DEREncChar16String
ASN1DEREncChar32String
ASN1DEREncCharString
ASN1DEREncEndBlk
ASN1DEREncFlushBlkElement
ASN1DEREncGeneralizedTime
ASN1DEREncMultibyteString
ASN1DEREncNewBlkElement
ASN1DEREncOctetString
ASN1DEREncUTCTime
ASN1DEREncUTF8String
ASN1DEREncZeroMultibyteString
ASN1DecAlloc
ASN1DecRealloc
ASN1DecSetError
ASN1EncSetError
ASN1Free
ASN1_CloseDecoder
ASN1_CloseEncoder
ASN1_CloseEncoder2
ASN1_CloseModule
ASN1_CreateDecoder
ASN1_CreateDecoderEx
ASN1_CreateEncoder
ASN1_CreateModule
ASN1_Decode
ASN1_Encode
ASN1_FreeDecoded
ASN1_FreeEncoded
ASN1_GetDecoderOption
ASN1_GetEncoderOption
ASN1_SetDecoderOption
ASN1_SetEncoderOption
ASN1bitstring_cmp
ASN1bitstring_free
ASN1char16string_cmp
ASN1char16string_free
ASN1char32string_cmp
ASN1char32string_free
ASN1charstring_cmp
ASN1charstring_free
ASN1generalizedtime_cmp
ASN1intx2int32
ASN1intx2uint32
ASN1intx_add
ASN1intx_cmp
ASN1intx_free
ASN1intx_setuint32
ASN1intx_sub
ASN1intx_uoctets
ASN1intxisuint32
ASN1objectidentifier2_cmp
ASN1objectidentifier_cmp
ASN1objectidentifier_free
ASN1octetstring_cmp
ASN1octetstring_free
ASN1open_cmp
ASN1open_free
ASN1uint32_uoctets
ASN1utctime_cmp
ASN1utf8string_free
ASN1ztchar16string_cmp
ASN1ztchar16string_free
ASN1ztchar32string_cmp
ASN1ztchar32string_free
ASN1ztcharstring_cmp
ASN1ztcharstring_free

Sections

.text
Size: 754KB - Virtual size: 754KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 47KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 39.8MB - Virtual size: 39.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
msasn1x.dll
.dll windows:10 windows x64 arch:x64

f79599ca729d557e0381ec0a41471a27

Code Sign

33:00:00:04:5c:3d:56:72:66:6c:b7:54:17:00:00:00:00:04:5c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

14/09/2023, 18:20

Not After

04/09/2024, 18:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

48:04:69:82:8b:7d:7f:66:6d:bd:d6:76:0e:63:8c:44:c5:21:cb:6f:81:9c:76:d8:17:ee:0f:59:15:65:d7:b5
Signer

Actual PE Digest

48:04:69:82:8b:7d:7f:66:6d:bd:d6:76:0e:63:8c:44:c5:21:cb:6f:81:9c:76:d8:17:ee:0f:59:15:65:d7:b5

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

msasn1.pdb

Imports

ntdll

_ultoa
RtlLookupFunctionEntry
isdigit
_atoi64
_ui64toa
strchr
RtlVirtualUnwind
memmove
_vsnprintf
RtlCaptureContext
memchr
memcmp
memcpy
memset

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExA
RegQueryValueExA

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
TerminateProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrcmpA
lstrlenA

Exports

Exports

ASN1BERDecBitString
ASN1BERDecBitString2
ASN1BERDecBool
ASN1BERDecChar16String
ASN1BERDecChar32String
ASN1BERDecCharString
ASN1BERDecCheck
ASN1BERDecDouble
ASN1BERDecEndOfContents
ASN1BERDecEoid
ASN1BERDecExplicitTag
ASN1BERDecFlush
ASN1BERDecGeneralizedTime
ASN1BERDecLength
ASN1BERDecMultibyteString
ASN1BERDecNotEndOfContents
ASN1BERDecNull
ASN1BERDecObjectIdentifier
ASN1BERDecObjectIdentifier2
ASN1BERDecOctetString
ASN1BERDecOctetString2
ASN1BERDecOpenType
ASN1BERDecOpenType2
ASN1BERDecPeekTag
ASN1BERDecS16Val
ASN1BERDecS32Val
ASN1BERDecS8Val
ASN1BERDecSXVal
ASN1BERDecSkip
ASN1BERDecTag
ASN1BERDecU16Val
ASN1BERDecU32Val
ASN1BERDecU8Val
ASN1BERDecUTCTime
ASN1BERDecUTF8String
ASN1BERDecZeroChar16String
ASN1BERDecZeroChar32String
ASN1BERDecZeroCharString
ASN1BERDecZeroMultibyteString
ASN1BERDotVal2Eoid
ASN1BEREncBitString
ASN1BEREncBool
ASN1BEREncChar16String
ASN1BEREncChar32String
ASN1BEREncCharString
ASN1BEREncCheck
ASN1BEREncDouble
ASN1BEREncEndOfContents
ASN1BEREncEoid
ASN1BEREncExplicitTag
ASN1BEREncFlush
ASN1BEREncGeneralizedTime
ASN1BEREncLength
ASN1BEREncMultibyteString
ASN1BEREncNull
ASN1BEREncObjectIdentifier
ASN1BEREncObjectIdentifier2
ASN1BEREncOctetString
ASN1BEREncOpenType
ASN1BEREncRemoveZeroBits
ASN1BEREncRemoveZeroBits2
ASN1BEREncS32
ASN1BEREncSX
ASN1BEREncTag
ASN1BEREncU32
ASN1BEREncUTCTime
ASN1BEREncUTF8String
ASN1BEREncZeroMultibyteString
ASN1BEREoid2DotVal
ASN1BEREoid_free
ASN1CEREncBeginBlk
ASN1CEREncBitString
ASN1CEREncChar16String
ASN1CEREncChar32String
ASN1CEREncCharString
ASN1CEREncEndBlk
ASN1CEREncFlushBlkElement
ASN1CEREncGeneralizedTime
ASN1CEREncMultibyteString
ASN1CEREncNewBlkElement
ASN1CEREncOctetString
ASN1CEREncUTCTime
ASN1CEREncZeroMultibyteString
ASN1DEREncBeginBlk
ASN1DEREncBitString
ASN1DEREncChar16String
ASN1DEREncChar32String
ASN1DEREncCharString
ASN1DEREncEndBlk
ASN1DEREncFlushBlkElement
ASN1DEREncGeneralizedTime
ASN1DEREncMultibyteString
ASN1DEREncNewBlkElement
ASN1DEREncOctetString
ASN1DEREncUTCTime
ASN1DEREncUTF8String
ASN1DEREncZeroMultibyteString
ASN1DecAlloc
ASN1DecRealloc
ASN1DecSetError
ASN1EncSetError
ASN1Free
ASN1_CloseDecoder
ASN1_CloseEncoder
ASN1_CloseEncoder2
ASN1_CloseModule
ASN1_CreateDecoder
ASN1_CreateDecoderEx
ASN1_CreateEncoder
ASN1_CreateModule
ASN1_Decode
ASN1_Encode
ASN1_FreeDecoded
ASN1_FreeEncoded
ASN1_GetDecoderOption
ASN1_GetEncoderOption
ASN1_SetDecoderOption
ASN1_SetEncoderOption
ASN1bitstring_cmp
ASN1bitstring_free
ASN1char16string_cmp
ASN1char16string_free
ASN1char32string_cmp
ASN1char32string_free
ASN1charstring_cmp
ASN1charstring_free
ASN1generalizedtime_cmp
ASN1intx2int32
ASN1intx2uint32
ASN1intx_add
ASN1intx_cmp
ASN1intx_free
ASN1intx_setuint32
ASN1intx_sub
ASN1intx_uoctets
ASN1intxisuint32
ASN1objectidentifier2_cmp
ASN1objectidentifier_cmp
ASN1objectidentifier_free
ASN1octetstring_cmp
ASN1octetstring_free
ASN1open_cmp
ASN1open_free
ASN1uint32_uoctets
ASN1utctime_cmp
ASN1utf8string_free
ASN1ztchar16string_cmp
ASN1ztchar16string_free
ASN1ztchar32string_cmp
ASN1ztchar32string_free
ASN1ztcharstring_cmp
ASN1ztcharstring_free

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
scaner.log
scanner_uk_ua.log
service_probes
setup.exe
.exe windows:10 windows x64 arch:x64

caeff74376f7e5556530aaf541d64cc3

Code Sign

33:00:00:04:5b:f6:31:bc:00:f4:fc:37:45:00:00:00:00:04:5b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

14/09/2023, 18:20

Not After

04/09/2024, 18:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

99:89:4e:8b:1b:4f:4d:db:12:0e:0c:99:3c:b2:bf:b5:81:86:97:81:dd:c7:00:30:31:6b:fb:07:d9:3e:71:2e
Signer

Actual PE Digest

99:89:4e:8b:1b:4f:4d:db:12:0e:0c:99:3c:b2:bf:b5:81:86:97:81:dd:c7:00:30:31:6b:fb:07:d9:3e:71:2e

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

LsaIso.pdb

Imports

msvcrt

__setusermatherr
_initterm
_fmode
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
memset
_cexit
_exit
exit
__set_app_type
__wgetmainargs
__CxxFrameHandler3
??3@YAXPEAX@Z
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
toupper
malloc
_callnewh
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBQEBDH@Z
?what@exception@@UEBAPEBDXZ
_CxxThrowException
memcpy
memmove
??1type_info@@UEAA@XZ
memcmp
wcscmp
_commode
_amsg_exit
_XcptFilter
_wcsicmp
__C_specific_handler

iumcrypt

iumCryptExportPublicKeyInfoFromBCryptKeyHandle
iumCryptSignAndEncodeCertificate
iumCryptEncodeObjectEx
iumCryptMsgUpdate
iumCryptMsgOpenToEncode
iumCryptMsgGetParam

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle
GetTraceEnableFlags

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventProviderEnabled
EventUnregister
EventRegister
EventWriteTransfer

api-ms-win-eventing-obsolete-l1-1-0

RegisterTraceGuidsA

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameA

api-ms-win-core-processthreads-l1-1-0

CreateThread
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
TerminateProcess
SetThreadStackGuarantee

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
WaitForSingleObject
InitializeSRWLock
CreateSemaphoreExW
EnterCriticalSection
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
ReleaseSRWLockShared
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseMutex
InitializeCriticalSectionEx
ReleaseSemaphore

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
GetSystemTimeAsFileTime
GetSystemInfo
GetTickCount

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

kerbclientshared

KerbClientSharedInit
KerbDHGetSharedSecretFromCapiKeyBuffer
KerbDHGetLittleEndianPublicKey
KerbClientTransformStoredCred
KerbClientBuildKeyList
KerbClientBuildFastArmoredKdcRequest
KerbPackKdcReplyWithEncryptedSessionKey
KerbClientPackAsn1Buffer
KerbClientDecryptApReply
KerbClientVerifyFastArmoredKerbError
KerbClientBuildEncryptedAuthData
KerbClientPackApReply
KerbClientBuildAsReqAuthenticator
KerbClientSharedCleanup
KerbClientAlloc
KerbClientVerifyFastArmoredTgsReply
KerbClientDecryptPacCredentials
KerbClientFreeStoredCred
KerbClientVerifyFastArmoredKdcReply
KerbClientVerifyEncryptedChallengePaData
KerbClientUnpackKdcReplyBody
KerbClientVerifyChecksum
KerbClientUpdateSharedConfiguration
KerbClientBuildTicketArmorKey
KerbClientFree
KerbClientUnpackAsn1BufferVoid
KerbGetFlagsForKdcReply
KerbClientBuildExplicitArmorKey
KerbClientComputeTgsChecksum
KerbDHCreateBCryptKey
KerbDHGetLegacyDHParameters

ntlmshared

MsvpPutClearOwfsInPrimaryCredential
MsvpLm20GetNtlm3ChallengeResponse
MsvpMakeSecretPasswordNT5
MsvpDecryptDpapiMasterKey
MsvpCompareCredentials
MsvpDeriveSecureCredKey
NtlmSharedInit
MsvpValidateSupplementalCredsBuffer
MsvpCredentialToCachePasswords
MsvpGMSACred
MsvpPasswordValidate
MsvpUpdateSharedConfiguration

msasn1

ASN1BERDecGeneralizedTime
ASN1DEREncGeneralizedTime
ASN1BEREncU32
ASN1DecSetError
ASN1octetstring_free
ASN1BERDecSXVal
ASN1BERDecOpenType2
ASN1_CloseDecoder
ASN1intx_free
ASN1_CreateDecoder
ASN1intx_setuint32
ASN1_Decode
ASN1_CreateEncoder
ASN1_FreeEncoded
ASN1_FreeDecoded
ASN1_Encode
ASN1_CloseEncoder
ASN1BERDecPeekTag
ASN1BERDecOctetString
ASN1BERDecNotEndOfContents
ASN1BEREncExplicitTag
ASN1BERDecEndOfContents
ASN1BERDecBool
ASN1objectidentifier_free
ASN1EncSetError
ASN1BEREncS32
ASN1DEREncCharString
ASN1BEREncEndOfContents
ASN1BEREncBool
ASN1BERDecSkip
ASN1Free
ASN1DecAlloc
ASN1BEREncSX
ASN1BEREncOpenType
ASN1BERDecS32Val
ASN1DEREncOctetString
ASN1charstring_free
ASN1BERDecBitString
ASN1BEREncObjectIdentifier
ASN1BERDecZeroCharString
ASN1DEREncBitString
ASN1BERDecObjectIdentifier
ASN1BERDecU32Val
ASN1_CreateModule
ASN1BERDecCharString
ASN1bitstring_free
ASN1ztcharstring_free
ASN1BERDecExplicitTag

iumbase

GetSecureIdentitySigningKey
GetTaggedData
GetSignedReport
GetTaggedDataSize
IsSecureProcess
EncryptData
DecryptData

ntdll

RtlImageNtHeader
RtlLengthSid
RtlTimeToTimeFields
RtlTimeFieldsToTime
NtSetEvent
RtlAvlRemoveNode
RtlEqualUnicodeString
RtlAvlInsertNodeEx
memmove_s
RtlNtStatusToDosError
RtlLeaveCriticalSection
RtlInitializeCriticalSection
_vsnprintf_s
RtlEnterCriticalSection
memcpy_s
RtlDeleteCriticalSection
_vsnwprintf
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
NtCreateEvent
RtlSetProcessIsCritical
NtClose
RtlInitUnicodeString
NtOpenEvent
NtQuerySystemInformation
RtlAllocateHeap

rpcrt4

RpcServerUseProtseqEpW
NdrMesTypeAlignSize3
MesEncodeDynBufferHandleCreate
NdrMesTypeEncode3
MesHandleFree
MesDecodeBufferHandleCreate
RpcServerRegisterIf
RpcServerUnregisterIf
RpcMgmtWaitServerListen
NdrMesTypeDecode3
RpcExceptionFilter
NdrServerCallAll
MesIncrementalHandleReset
MesDecodeIncrementalHandleCreate
MesEncodeIncrementalHandleCreate
RpcServerListen
I_RpcMapWin32Status
NdrServerCall2

bcrypt

BCryptSecretAgreement
BCryptSetProperty
BCryptSignHash
BCryptDestroySecret
BCryptDeriveKey
BCryptImportKey
BCryptDecrypt
BCryptDuplicateKey
BCryptVerifySignature
BCryptGetProperty
BCryptKeyDerivation
BCryptCreateHash
BCryptEncrypt
BCryptHashData
BCryptDestroyHash
BCryptFinishHash
BCryptHash
BCryptDestroyKey
BCryptFinalizeKeyPair
BCryptGenerateKeyPair
BCryptOpenAlgorithmProvider
BCryptExportKey
BCryptCloseAlgorithmProvider
BCryptImportKeyPair
BCryptGenRandom
BCryptGenerateSymmetricKey

cryptdll

CDLocateCheckSum
CDLocateCSystem
CDGenerateRandomBits

cryptsp

SystemFunction011
SystemFunction009
SystemFunction007

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualAlloc
VirtualQuery

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer

Exports

Exports

__ImagePolicyMetadata

Sections

.text
Size: 218KB - Virtual size: 217KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 83KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tPolicy
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
winginger.dll
.dll windows:6 windows x86 arch:x86

6a84b7445ccacd5d29ac27de2745f356

Code Sign

33:00:00:01:14:96:9a:0d:f8:95:e4:71:49:00:00:00:00:01:14
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/08/2018, 20:20

Not After

23/11/2019, 20:20

Subject

CN=Microsoft Time-Stamp Service,OU=Microsoft America Operations+OU=Thales TSS ESN:C3B0-0F6A-4111,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:b1:dd:ed:ba:54:e9:65:b8:5f:00:01:00:00:01:b1
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:11

Not After

26/07/2019, 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:01:03:5e:25:1c:99:1f:a3:1e:b8:00:00:00:00:01:03
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:08

Not After

26/07/2019, 20:08

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:83:07:f2:ab:ac:ee:45:72:8a:94:b8:52:1c:71:d9:cf:2a:02:0f:3d:2a:40:23:c8:ae:be:94:e0:2b:de:b2
Signer

Actual PE Digest

7c:83:07:f2:ab:ac:ee:45:72:8a:94:b8:52:1c:71:d9:cf:2a:02:0f:3d:2a:40:23:c8:ae:be:94:e0:2b:de:b2

Digest Algorithm

sha256

PE Digest Matches

true

69:f0:3a:b3:d3:e2:76:74:1b:68:d7:40:21:2e:c8:f1:01:72:80:8a
Signer

Actual PE Digest

69:f0:3a:b3:d3:e2:76:74:1b:68:d7:40:21:2e:c8:f1:01:72:80:8a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

abort
terminate

api-ms-win-crt-heap-l1-1-0

calloc
malloc
free

api-ms-win-crt-string-l1-1-0

strcpy_s
wcsncmp

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf_s

api-ms-win-crt-convert-l1-1-0

atol

kernel32

DeleteCriticalSection
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
GetModuleHandleW
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
FreeLibrary
RtlUnwind
VirtualQuery
EncodePointer
InterlockedPushEntrySList
InterlockedFlushSList
RaiseException
EnterCriticalSection
LeaveCriticalSection
TlsSetValue
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsFree

Exports

Exports

_CreateFrameInfo
_CxxThrowException
_EH_prolog
_FindAndUnlinkFrame
_IsExceptionObjectToBeDestroyed
_NLG_Dispatch2
_NLG_Return
_NLG_Return2
_SetWinRTOutOfMemoryExceptionCallback
__AdjustPointer
__BuildCatchObject
__BuildCatchObjectHelper
__CxxDetectRethrow
__CxxExceptionFilter
__CxxFrameHandler
__CxxFrameHandler2
__CxxFrameHandler3
__CxxLongjmpUnwind
__CxxQueryExceptionSize
__CxxRegisterExceptionObject
__CxxUnregisterExceptionObject
__DestructExceptionObject
__FrameUnwindFilter
__GetPlatformExceptionInfo
__RTCastToVoid
__RTDynamicCast
__RTtypeid
__TypeMatch
__current_exception
__current_exception_context
__intrinsic_setjmp
__processing_throw
__report_gsfailure
__std_exception_copy
__std_exception_destroy
__std_terminate
__std_type_info_compare
__std_type_info_destroy_list
__std_type_info_hash
__std_type_info_name
__telemetry_main_invoke_trigger
__telemetry_main_return_trigger
__unDName
__unDNameEx
__uncaught_exception
__uncaught_exceptions
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_InitializeCriticalSectionEx
__vcrt_LoadLibraryExW
_chkesp
_except_handler2
_except_handler3
_except_handler4_common
_get_purecall_handler
_get_unexpected
_global_unwind2
_is_exception_typeof
_local_unwind2
_local_unwind4
_longjmpex
_purecall
_seh_longjmp_unwind
_seh_longjmp_unwind4
_set_purecall_handler
_set_se_translator
_setjmp3
longjmp
memchr
memcmp
memcpy
memmove
memset
set_unexpected
strchr
strrchr
strstr
unexpected
wcschr
wcsrchr
wcsstr

Sections

.text
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0917051832e92025cd1c1c2e308a6a82

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

kernel32

msvcrt

ntdll

shell32

shlwapi

Exports

Exports

Sections

.text Size: 754KB - Virtual size: 754KB

.data Size: 8KB - Virtual size: 8KB

.rdata Size: 59KB - Virtual size: 58KB

.pdata Size: 37KB - Virtual size: 37KB

.xdata Size: 47KB - Virtual size: 46KB

.bss Size: - Virtual size: 3KB

.edata Size: 9KB - Virtual size: 8KB

.idata Size: 5KB - Virtual size: 4KB

.CRT Size: 512B - Virtual size: 88B

.tls Size: 512B - Virtual size: 16B

.rsrc Size: 39.8MB - Virtual size: 39.8MB

.reloc Size: 5KB - Virtual size: 4KB

f79599ca729d557e0381ec0a41471a27

Code Sign

33:00:00:04:5c:3d:56:72:66:6c:b7:54:17:00:00:00:00:04:5cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

48:04:69:82:8b:7d:7f:66:6d:bd:d6:76:0e:63:8c:44:c5:21:cb:6f:81:9c:76:d8:17:ee:0f:59:15:65:d7:b5Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-core-heap-l2-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

Exports

Exports

Sections

.text Size: 34KB - Virtual size: 33KB

.rdata Size: 13KB - Virtual size: 12KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 3KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 512B - Virtual size: 24B

caeff74376f7e5556530aaf541d64cc3

Code Sign

33:00:00:04:5b:f6:31:bc:00:f4:fc:37:45:00:00:00:00:04:5bCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

99:89:4e:8b:1b:4f:4d:db:12:0e:0c:99:3c:b2:bf:b5:81:86:97:81:dd:c7:00:30:31:6b:fb:07:d9:3e:71:2eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

iumcrypt

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

.text
Size: 754KB - Virtual size: 754KB

.data
Size: 8KB - Virtual size: 8KB

.rdata
Size: 59KB - Virtual size: 58KB

.pdata
Size: 37KB - Virtual size: 37KB

.xdata
Size: 47KB - Virtual size: 46KB

.bss
Size: - Virtual size: 3KB

.edata
Size: 9KB - Virtual size: 8KB

.idata
Size: 5KB - Virtual size: 4KB

.CRT
Size: 512B - Virtual size: 88B

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 39.8MB - Virtual size: 39.8MB

.reloc
Size: 5KB - Virtual size: 4KB

33:00:00:04:5c:3d:56:72:66:6c:b7:54:17:00:00:00:00:04:5c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

48:04:69:82:8b:7d:7f:66:6d:bd:d6:76:0e:63:8c:44:c5:21:cb:6f:81:9c:76:d8:17:ee:0f:59:15:65:d7:b5
Signer

.text
Size: 34KB - Virtual size: 33KB

.rdata
Size: 13KB - Virtual size: 12KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 512B - Virtual size: 24B

33:00:00:04:5b:f6:31:bc:00:f4:fc:37:45:00:00:00:00:04:5b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

99:89:4e:8b:1b:4f:4d:db:12:0e:0c:99:3c:b2:bf:b5:81:86:97:81:dd:c7:00:30:31:6b:fb:07:d9:3e:71:2e
Signer

.text
Size: 218KB - Virtual size: 217KB

.rdata
Size: 83KB - Virtual size: 83KB

.data
Size: 1KB - Virtual size: 5KB

.pdata
Size: 8KB - Virtual size: 7KB

.tPolicy
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB

33:00:00:01:14:96:9a:0d:f8:95:e4:71:49:00:00:00:00:01:14
Certificate

33:00:00:01:b1:dd:ed:ba:54:e9:65:b8:5f:00:01:00:00:01:b1
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:01:03:5e:25:1c:99:1f:a3:1e:b8:00:00:00:00:01:03
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

7c:83:07:f2:ab:ac:ee:45:72:8a:94:b8:52:1c:71:d9:cf:2a:02:0f:3d:2a:40:23:c8:ae:be:94:e0:2b:de:b2
Signer

69:f0:3a:b3:d3:e2:76:74:1b:68:d7:40:21:2e:c8:f1:01:72:80:8a
Signer

.text
Size: 55KB - Virtual size: 55KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 1024B