6eba058b70d1bdca878432d1a741e160_NeikiAnalytics

Sharing

Copy URL

Twitter E-mail

General

Target

6eba058b70d1bdca878432d1a741e160_NeikiAnalytics
Size

1.2MB
MD5

6eba058b70d1bdca878432d1a741e160
SHA1

f543a39dc455daad4d163fc8ccb3479908cf7886
SHA256

2845459c2febfaee4ed73edb9ebae4363a14e8ada3b8ae6643a18c3ae8bbad4d
SHA512

6e3273275ce9bf22c72d677cd632b96726ed5aaeac9e062c1e665b27fd9dcdf775cf7b3e8a563ef28ea918315176f55d5aeb82887a1e3e9dc0c558bde57b1e0a
SSDEEP

24576:aZ0FxT1UoYr99GdcpDgsqjnhMgeiCl7G0nehbGZpbD:6wW5cDmg27RnWGj

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6eba058b70d1bdca878432d1a741e160_NeikiAnalytics

Files

6eba058b70d1bdca878432d1a741e160_NeikiAnalytics
.exe windows:10 windows x64 arch:x64

af0b832b06a6c6368e2645292492d355

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

vds.pdb

Imports

user32

MessageBoxW
PostThreadMessageW
GetMessageW
DispatchMessageW
LoadStringW
CharNextW
RegisterDeviceNotificationW
UnregisterDeviceNotification
DefWindowProcW
PeekMessageW

msvcrt

wcsstr
memset
wcsncmp
towupper
wcscpy_s
swscanf_s
_ltow
free
malloc
_callnewh
_XcptFilter
memmove_s
??0exception@@QEAA@XZ
_vsnprintf_s
memcpy_s
??0exception@@QEAA@AEBV0@@Z
_amsg_exit
__set_app_type
exit
??1exception@@UEAA@XZ
_exit
rand
_wtol
time
__setusermatherr
_initterm
srand
_wcsnicmp
_wcsicmp
_vsnwprintf
_wcmdln
_fmode
_commode
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
_lock
_unlock
__C_specific_handler
__dllonexit
_onexit
_purecall
memcpy
memcmp
_CxxThrowException
__CxxFrameHandler3
_cexit
__wgetmainargs
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z

atl

ord17
ord16
ord57
ord18
ord23
ord32
ord20
ord30

ntdll

RtlReleaseResource
RtlInitializeResource
RtlAcquireResourceExclusive
RtlConvertExclusiveToShared
RtlConvertSharedToExclusive
RtlAdjustPrivilege
NtQueryVolumeInformationFile
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlDeleteResource
RtlAcquireResourceShared

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-errorhandling-l1-1-0

SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-file-l1-1-0

SetFilePointerEx
WriteFile
ReadFile
FindNextVolumeW
GetFileAttributesW
RemoveDirectoryW
FindFirstVolumeW
QueryDosDeviceW
GetDriveTypeW
CreateFileW
FindVolumeClose
DeleteVolumeMountPointW
GetVolumePathNameW
DefineDosDeviceW

api-ms-win-core-file-l1-2-0

GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
HeapSetInformation
GetProcessHeap

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetProcAddress
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
LoadLibraryExW
GetModuleFileNameW

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegDeleteValueW
RegGetValueW
RegCreateKeyExW
RegQueryValueExW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId
GetCurrentThread
CreateThread
SetThreadToken
OpenThreadToken
ResumeThread
OpenProcessToken
GetStartupInfoW
TerminateProcess
GetCurrentProcess

api-ms-win-core-processthreads-l1-1-1

SetProcessMitigationPolicy

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
WaitForSingleObject
InitializeCriticalSectionEx
ReleaseMutex
ReleaseSemaphore
SetEvent
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CreateSemaphoreExW
CreateMutexExW
InitializeCriticalSection
CreateEventW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
OpenSemaphoreW

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW
WaitForMultipleObjects

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges
DuplicateTokenEx
GetSecurityDescriptorLength
MakeAbsoluteSD
IsValidSid
GetLengthSid
AddAccessAllowedAce
FreeSid
MakeSelfRelativeSD

api-ms-win-service-core-l1-1-0

SetServiceStatus
StartServiceCtrlDispatcherW

api-ms-win-service-winsvc-l1-1-0

ControlService
RegisterServiceCtrlHandlerW

api-ms-win-service-management-l1-1-0

DeleteService
CreateServiceW
CloseServiceHandle
OpenSCManagerW
OpenServiceW

api-ms-win-service-management-l2-1-0

SetServiceObjectSecurity
ChangeServiceConfig2W
QueryServiceObjectSecurity

setupapi

SetupDiEnumDeviceInterfaces
SetupDiEnumDeviceInfo
CM_Reenumerate_DevNode_Ex
SetupDiGetDeviceInterfaceDetailW
CM_Query_And_Remove_SubTreeW
CM_Get_DevNode_Status
SetupDiGetCustomDevicePropertyW
SetupDiCallClassInstaller
CM_Get_Parent
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList

osuninst

IsUninstallImageValid

vdsutil

GetDiskLayout
GetPartitionInformation
?RegisterHandle@CVdsPnPNotificationBase@@QEAAKPEAXPEAPEAX@Z
?Append@CPrvEnumObject@@QEAAJPEAUIUnknown@@@Z
?Reset@CPrvEnumObject@@UEAAJXZ
IsVdsLoggingEnabled
VdsTraceExW
GuidToString
?InsertUnique@CRtlMap@@QEAAHAEAVCRtlEntry@@0@Z
IsNoAutoMount
IsEfiFirmware
?Clear@CPrvEnumObject@@QEAAXXZ
LockDismountVolume
GetDeviceNumber
IsDriveLetter
?Next@CPrvEnumObject@@UEAAJKPEAPEAUIUnknown@@PEAK@Z
?Skip@CPrvEnumObject@@UEAAJK@Z
?Clone@CPrvEnumObject@@UEAAJPEAPEAUIEnumVdsObject@@@Z
??0CVdsAsyncObjectBase@@QEAA@XZ
??1CVdsAsyncObjectBase@@QEAA@XZ
?SetCompletionStatus@CVdsAsyncObjectBase@@QEAAXJK@Z
?Signal@CVdsAsyncObjectBase@@QEAAXXZ
VdsIscsiIpAddressToString
VdsWmiFindInstanceOfClass
VdsWmiGetUlonglongFromInstance
?QueryStatus@CVdsAsyncObjectBase@@UEAAJPEAJPEAK@Z
VdsIscsiIpsecIdToIpAddress
VdsIscsiCheckEqualIpAddress
VdsIscsiIpAddressToIpsecId
WriteBootCode
CoFreeStringArray
GetFMIFSFormatEx2Routine
GetFMIFSEnableCompressionRoutine
RemoveTempVolumeName
MountVolume
GetFileSystemRecognitionName
GetFMIFSGetDefaultFilesystemRoutine
AssignTempVolumeName
GetVolumeName
GetVolumeDiskExtentInfo
GarbageCollectDriveLetters
LockVolume
DeleteNetworkShare
GetVolumeUniqueId
GetVolumeGuidPathnames
DeleteBcdObjects
VdsIscsiCacheSessionDevices
VdsWmiGetObjectInVariantObjectArray
VdsIscsiGetIpAddressFromInstance
VdsWmiCreateClassInstance
VdsWmiSetUlongInInstance
VdsWmiCreateVariantArray
VdsWmiSetUlonglongInInstance
VdsWmiGetMethodArgumentObject
VdsWmiSetObjectInInstance
VdsWmiCallMethod
?UnregisterHandle@CVdsPnPNotificationBase@@QEAAXPEAX@Z
GetDeviceManufacturerInfo
GetMediaGeometryEx
GetStorageAccessAlignmentProperty
IsDiskClustered
IsDiskReadOnly
GetDeviceName
CreateDeviceInfoSet
GetDeviceId
GetDeviceRegistryPropertyByInfo
VdsAllocateEmptyString
GetDeviceRegistryPropertyByInst
GetDeviceLocationEx
VdsDoesDiskHaveArcPath
GetBootFromDiskNumber
GetDiskOfflineReason
GetDiskRedundancyCount
VdsAllocateString
GetDiskIdentifiers
?WaitImpl@CVdsAsyncObjectBase@@QEAAJPEAJ@Z
OpenDevice
GetInterfaceDetailData
?InsertHeadPointer@CRtlList@@QEAAHPEAX@Z
IsClientSKU
IsRunningOnAMD64
ReleaseRundownProtection
?Initialize@CVdsPnPNotificationBase@@QEAAKXZ
?Initialize@CVdsAsyncObjectBase@@SAKXZ
AcquireRundownProtection
IsWinPE
?Remove@CRtlList@@QEAAXAEAVCRtlListIter@@@Z
?InsertTailPointer@CRtlList@@QEAAHPEAX@Z
?Uninitialize@CVdsAsyncObjectBase@@SAXXZ
?Uninitialize@CVdsPnPNotificationBase@@QEAAXXZ
?Next@CRtlMapIter@@QEAAAEAV1@XZ
?Begin@CRtlMap@@QEAA?AVCRtlMapIter@@XZ
VdsTraceW
?GetEntryPointer@CRtlListIter@@QEAAPEAXXZ
VdsInitializeCriticalSection
?RemoveAll@CRtlMap@@QEAAXH@Z
??1CRtlMap@@UEAA@XZ
StopReferenceHistory
WaitForRundownProtectionRelease
StartReferenceHistory
InitializeRundownProtection
VdsDisableCOMFatalExceptionHandling
??1CGlobalResource@@QEAA@XZ
UnInitializeGlobalResouce
?Initialize@CGlobalResource@@QEAAJXZ
??0CGlobalResource@@QEAA@XZ
RemoveEventSource
VdsHeapAlloc
AddEventSource
InitializeSecurityDescriptorHelper
LogInfo
LogError
VdsHeapFree
AllocateAndGetVolumePathName
?Remove@CRtlMap@@QEAAHAEAVCRtlEntry@@@Z
VdsTraceEx
??0CRtlList@@QEAA@P6AXPEAVCRtlEntry@@@Z@Z
??1CRtlList@@QEAA@XZ
?Begin@CRtlList@@QEAA?AVCRtlListIter@@XZ
?End@CRtlList@@QEAA?AVCRtlListIter@@XZ
?RemoveAll@CRtlList@@QEAAXXZ
?GetEntry@CRtlListIter@@QEAAPEAVCRtlEntry@@XZ
?Next@CRtlListIter@@QEAAAEAV1@XZ
?Prev@CRtlListIter@@QEAAAEAV1@XZ
??1CVdsCallTracer@@QEAA@XZ
??0CRtlMap@@QEAA@KP6AXPEAVCRtlEntry@@@Z1@Z
GetDeviceAndMediaType
?FindPtr@CRtlMap@@QEAAHAEAVCRtlEntry@@PEAPEAV2@@Z
?Insert@CRtlMap@@QEAAHAEAVCRtlEntry@@0@Z
VdsTrace
?Find@CRtlMap@@QEAAHAEAVCRtlEntry@@PEAV2@@Z
?Detach@CVdsWmiVariantObjectArrayEnum@@QEAAJXZ
VdsWmiCopyFromVariantByteArray
VdsWmiGetObjectFromInstance
VdsWmiGetUlongFromInstance
VdsWmiGetByteFromInstance
?Next@CVdsWmiVariantObjectArrayEnum@@QEAAJPEAPEAUIWbemClassObject@@@Z
?Attach@CVdsWmiVariantObjectArrayEnum@@QEAAJPEAUtagVARIANT@@@Z
VdsWmiConnectToNamespace
??1CVdsWmiVariantObjectArrayEnum@@QEAA@XZ
??0CVdsWmiVariantObjectArrayEnum@@QEAA@XZ
IsDiskCurrentStateReadOnly
InvalidateDiskCache
??0CVdsCallTracer@@QEAA@KPEBD@Z

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventUnregister
EventRegister
EventSetInformation

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-memory-l1-1-0

VirtualAlloc
VirtualFree

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenW

api-ms-win-core-kernel32-legacy-l1-1-1

SetVolumeMountPointW
FindVolumeMountPointClose
FindNextVolumeMountPointW
FindFirstVolumeMountPointW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-rtlsupport-l1-1-0

RtlCompareMemory

Exports

Exports

??0?$CVdsCoTaskPtr@G@@QEAA@XZ
??0?$CVdsHandleImpl@$0?0@@QEAA@XZ
??0?$CVdsHandleImpl@$0A@@@QEAA@XZ
??0?$CVdsHeapPtr@D@@QEAA@XZ
??0?$CVdsHeapPtr@G@@QEAA@XZ
??0?$CVdsHeapPtr@J@@QEAA@XZ
??0?$CVdsHeapPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??0?$CVdsHeapPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@D@@QEAA@XZ
??0?$CVdsPtr@G@@QEAA@XZ
??0?$CVdsPtr@J@@QEAA@XZ
??0?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??0?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??0?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??0?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??0?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??0CPrvEnumObject@@QEAA@XZ
??0CRtlSharedLock@@QEAA@XZ
??0CVdsCriticalSection@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??0CVdsPnPNotificationBase@@QEAA@XZ
??0CVdsUnlockIt@@QEAA@AEAJ@Z
??1?$CVdsCoTaskPtr@G@@QEAA@XZ
??1?$CVdsHandleImpl@$0?0@@QEAA@XZ
??1?$CVdsHandleImpl@$0A@@@QEAA@XZ
??1?$CVdsHeapPtr@D@@QEAA@XZ
??1?$CVdsHeapPtr@G@@QEAA@XZ
??1?$CVdsHeapPtr@J@@QEAA@XZ
??1?$CVdsHeapPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??1?$CVdsHeapPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@D@@QEAA@XZ
??1?$CVdsPtr@G@@QEAA@XZ
??1?$CVdsPtr@J@@QEAA@XZ
??1?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEAA@XZ
??1?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAA@XZ
??1?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAA@XZ
??1?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAA@XZ
??1?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAA@XZ
??1CPrvEnumObject@@QEAA@XZ
??1CRtlSharedLock@@QEAA@XZ
??1CVdsCriticalSection@@QEAA@XZ
??1CVdsPnPNotificationBase@@QEAA@XZ
??1CVdsUnlockIt@@QEAA@XZ
??4?$CVdsHandleImpl@$0?0@@QEAAPEAXPEAX@Z
??4?$CVdsHandleImpl@$0A@@@QEAAPEAXPEAX@Z
??4?$CVdsHeapPtr@D@@QEAAPEADPEAD@Z
??4?$CVdsHeapPtr@G@@QEAAPEAGPEAG@Z
??4?$CVdsHeapPtr@J@@QEAAPEAJPEAJ@Z
??4?$CVdsHeapPtr@UFMIFS_DEF_FS_OUT@@@@QEAAPEAUFMIFS_DEF_FS_OUT@@PEAU1@@Z
??4?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAAPEAU_AUCTION_THREAD_PARAMETER@@PEAU1@@Z
??4?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEAAPEAU_MOUNTMGR_MOUNT_POINT@@PEAU1@@Z
??4?$CVdsHeapPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEAAPEAU_MOUNTMGR_MOUNT_POINTS@@PEAU1@@Z
??4?$CVdsHeapPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@PEAU1@@Z
??8?$CVdsHandleImpl@$0?0@@QEBA_NPEAX@Z
??8?$CVdsHandleImpl@$0A@@@QEBA_NPEAX@Z
??8?$CVdsPtr@D@@QEBA_NPEAD@Z
??8?$CVdsPtr@G@@QEBA_NPEAG@Z
??8?$CVdsPtr@J@@QEBA_NPEAJ@Z
??8?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEBA_NPEAUFMIFS_DEF_FS_OUT@@@Z
??8?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEBA_NPEAU_AUCTION_THREAD_PARAMETER@@@Z
??8?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEBA_NPEAU_MOUNTMGR_MOUNT_POINT@@@Z
??8?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEBA_NPEAU_MOUNTMGR_MOUNT_POINTS@@@Z
??8?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEBA_NPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@@Z
??9?$CVdsHandleImpl@$0?0@@QEBA_NPEAX@Z
??9?$CVdsPtr@G@@QEBA_NPEAG@Z
??9?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEBA_NPEAU_DRIVE_LAYOUT_INFORMATION_EX@@@Z
??A?$CVdsPtr@J@@QEAAAEAJJ@Z
??A?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEAAAEAUFMIFS_DEF_FS_OUT@@K@Z
??B?$CVdsHandleImpl@$0?0@@QEAAPEAXXZ
??B?$CVdsHandleImpl@$0A@@@QEAAPEAXXZ
??B?$CVdsPtr@G@@QEBAPEAGXZ
??B?$CVdsPtr@J@@QEBAPEAJXZ
??B?$CVdsPtr@UFMIFS_DEF_FS_OUT@@@@QEBAPEAUFMIFS_DEF_FS_OUT@@XZ
??B?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEBAPEAU_AUCTION_THREAD_PARAMETER@@XZ
??B?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEBAPEAU_CLEAN_DISK_HANDLER_PARAMETER@@XZ
??B?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_FORMAT_VOLUME_THREAD_PARAMETER@@XZ
??B?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINT@@XZ
??B?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINTS@@XZ
??B?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@XZ
??C?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEBAPEAU_AUCTION_THREAD_PARAMETER@@XZ
??C?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEBAPEAU_CLEAN_DISK_HANDLER_PARAMETER@@XZ
??C?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEBAPEAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??C?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEBAPEAU_EXTEND_VOLUME_HANDLER_PARAMETER@@XZ
??C?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_FORMAT_VOLUME_THREAD_PARAMETER@@XZ
??C?$CVdsPtr@U_MOUNTMGR_MOUNT_POINT@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINT@@XZ
??C?$CVdsPtr@U_MOUNTMGR_MOUNT_POINTS@@@@QEBAPEAU_MOUNTMGR_MOUNT_POINTS@@XZ
??C?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEBAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@XZ
??I?$CVdsHandleImpl@$0?0@@QEAAPEAPEAXXZ
??I?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAAPEAPEAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??_FCRtlList@@QEAAXXZ
??_FCRtlMap@@QEAAXXZ
?AcquireRead@CRtlSharedLock@@AEAAXXZ
?AcquireWrite@CRtlSharedLock@@AEAAXXZ
?AllowCancel@CVdsAsyncObjectBase@@QEAAXXZ
?Attach@?$CVdsPtr@G@@QEAAXPEAG@Z
?Attach@?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAAXPEAU_CLEAN_DISK_HANDLER_PARAMETER@@@Z
?Attach@?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAAXPEAU_DRIVE_LAYOUT_INFORMATION_EX@@@Z
?Attach@?$CVdsPtr@U_EXTEND_VOLUME_HANDLER_PARAMETER@@@@QEAAXPEAU_EXTEND_VOLUME_HANDLER_PARAMETER@@@Z
?Attach@?$CVdsPtr@U_FORMAT_VOLUME_THREAD_PARAMETER@@@@QEAAXPEAU_FORMAT_VOLUME_THREAD_PARAMETER@@@Z
?Attach@?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAAXPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@@Z
?Close@?$CVdsHandleImpl@$0?0@@QEAAXXZ
?CurrentThreadIsWriter@CRtlSharedLock@@QEAAHXZ
?Detach@?$CVdsHandleImpl@$0?0@@QEAAPEAXXZ
?Detach@?$CVdsHandleImpl@$0A@@@QEAAPEAXXZ
?Detach@?$CVdsPtr@G@@QEAAPEAGXZ
?Detach@?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QEAAPEAU_AUCTION_THREAD_PARAMETER@@XZ
?Detach@?$CVdsPtr@U_CLEAN_DISK_HANDLER_PARAMETER@@@@QEAAPEAU_CLEAN_DISK_HANDLER_PARAMETER@@XZ
?Detach@?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QEAAPEAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
?Detach@?$CVdsPtr@U_SHRINK_VOLUME_THREAD_PARAMETER@@@@QEAAPEAU_SHRINK_VOLUME_THREAD_PARAMETER@@XZ
?DisallowCancel@CVdsAsyncObjectBase@@QEAAXXZ
?Downgrade@CRtlSharedLock@@AEAAXXZ
?GetOutputType@CVdsAsyncObjectBase@@QEAA?AW4_VDS_ASYNC_OUTPUT_TYPE@@XZ
?IsCancelRequested@CVdsAsyncObjectBase@@QEAAHXZ
?Release@CRtlSharedLock@@AEAAXXZ
?SetOutput@CVdsAsyncObjectBase@@QEAAXU_VDS_ASYNC_OUTPUT@@@Z
?SetOutputType@CVdsAsyncObjectBase@@QEAAXW4_VDS_ASYNC_OUTPUT_TYPE@@@Z
?SetPositionToLast@CPrvEnumObject@@QEAAXXZ
?Upgrade@CRtlSharedLock@@AEAAXXZ
?ZeroAsyncOut@CVdsAsyncObjectBase@@QEAAXXZ
?m_ExtraLogging@CVdsTraceSettings@@QEAAHXZ
?m_NoDebuggerLogging@CVdsTraceSettings@@QEAAHXZ

Sections

.text
Size: 376KB - Virtual size: 376KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 310KB - Virtual size: 310KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 568KB - Virtual size: 572KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

af0b832b06a6c6368e2645292492d355

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

user32

msvcrt

atl

ntdll

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

setupapi

osuninst

vdsutil

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

Exports

Exports

Sections

.text Size: 376KB - Virtual size: 376KB

.rdata Size: 310KB - Virtual size: 310KB

.data Size: 2KB - Virtual size: 6KB

.pdata Size: 11KB - Virtual size: 11KB

.didat Size: 512B - Virtual size: 248B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 568KB - Virtual size: 572KB

.text
Size: 376KB - Virtual size: 376KB

.rdata
Size: 310KB - Virtual size: 310KB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 11KB - Virtual size: 11KB

.didat
Size: 512B - Virtual size: 248B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 568KB - Virtual size: 572KB