DWMBG[.]7zmal | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

DWMBG.7zmal
Size

20.7MB
MD5

5b0982e5a931eeabea7e58a61a414347
SHA1

e57a935632334ef3bb828b27c10ff7b03757d65e
SHA256

fd6ef0575050122cc85d63d4400cbbd88d8ec1911df0a2575738baf62c175ad5
SHA512

0f7b0d022620c98722b5b167af527903d4508f06d72094d0eac2ef1ac9fb93573f2eacf6df564efd76bfc0f689481c16f6be586eff7df592026f4632e42fce42
SSDEEP

393216:3jKJjbFierOTocvjIcOMpkmxDbOSaduX4ultjA23x+wIEpqYV4FfC08SrqO0:yjJ0TvjFOMpZm3Pu51ISMf9qd

Score

3^/10

pyinstaller

Malware Config

Signatures

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
static1/unpack001/DWMBlurGlass.exe	pyinstaller

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/DWMBlurGlass.exe
unpack001/DWMBlurGlassExt.dll

Files

DWMBG.7zmal
.7z

Password: 3.0
ButtonGlowExt.res
DWMBlurGlass.exe
.exe windows:5 windows x64 arch:x64

Password: 3.0

f4f2e2b03fe5666a721620fcea3aea9b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

CreateWindowExW
PostMessageW
GetMessageW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW

comctl32

ord380

kernel32

IsValidCodePage
GetStringTypeW
GetFileAttributesExW
HeapReAlloc
FlushFileBuffers
GetCurrentDirectoryW
GetACP
GetOEMCP
GetModuleHandleW
MulDiv
GetLastError
SetDllDirectoryW
CreateFileW
GetFinalPathNameByHandleW
CloseHandle
GetModuleFileNameW
CreateSymbolicLinkW
GetCPInfo
GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LoadLibraryExW
SetConsoleCtrlHandler
FindClose
FindFirstFileExW
GetCurrentProcess
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
WriteConsoleW
SetEndOfFile
GetProcAddress
GetSystemTimeAsFileTime
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

gdi32

SelectObject
DeleteObject
CreateFontIndirectW

Sections

.text
Size: 172KB - Virtual size: 171KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 47KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cstealer.pyc
DWMBlurGlassExt.dll
.dll windows:6 windows x64 arch:x64

Password: 3.0

aea0909298844911798e668fb59c0680

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

E:\Project\DWMBlurGlass\Build\x64\Release\DWMBlurGlassExt.pdb

Imports

kernel32

VirtualAlloc
GetSystemInfo
HeapCreate
Thread32Next
Thread32First
GetCurrentThreadId
SuspendThread
ResumeThread
CreateToolhelp32Snapshot
Sleep
HeapReAlloc
HeapDestroy
GetThreadContext
GetCurrentProcessId
FlushInstructionCache
SetThreadContext
OpenThread
ReadFile
GetModuleFileNameA
SizeofResource
VirtualQuery
SetLastError
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
ReleaseMutex
FreeResource
FormatMessageW
GetLastError
WaitForSingleObjectEx
LockResource
OpenSemaphoreW
LoadResource
FindResourceW
CreateMutexExW
WideCharToMultiByte
DebugBreak
LoadLibraryExW
IsDebuggerPresent
LoadLibraryW
GetCurrentProcess
VirtualProtect
GetModuleHandleW
InterlockedPushEntrySList
RaiseException
GetProcAddress
OutputDebugStringW
VirtualFree
FreeLibrary
DisableThreadLibraryCalls
GetProcessHeap
HeapAlloc
HeapFree
CloseHandle
GetPrivateProfileStringW
CreateFileW
GetModuleFileNameW
CreateSemaphoreExW
GetFileSizeEx
RtlUnwindEx

user32

GetSystemMetrics
IsWindowVisible
GetClassWord
MonitorFromWindow
GetMonitorInfoW
GetWindowLongPtrW
OffsetRect
GetForegroundWindow
IntersectRect
IsZoomed
IsIconic
GetMessageW
IsWindow
FindWindowExW
DestroyWindow
SetWindowLongPtrW
CreateWindowExW
SendMessageW
UnregisterClassW
RegisterClassExW
DispatchMessageW
UnregisterPowerSettingNotification
TranslateMessage
ChangeWindowMessageFilterEx
RegisterPowerSettingNotification
RegisterWindowMessageW
MonitorFromPoint
DefWindowProcW
PostQuitMessage
GetDC
DrawTextW
ReleaseDC
EqualRect
PostMessageW
FindWindowW
EnumDisplayMonitors

gdi32

CreateDIBSection
CreateRectRgn
CreateRectRgnIndirect
OffsetRgn
SetBkMode
GetStockObject
EqualRgn
DeleteObject
CombineRgn
GetRgnBox
GetTextColor

advapi32

RegGetValueW

shlwapi

PathFileExistsW
ord12

api-ms-win-core-path-l1-1-0

PathCchRemoveFileSpec
PathCchAppend

api-ms-win-core-processthreads-l1-1-0

TerminateProcess

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
EnterCriticalSection
TryAcquireSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
DeleteCriticalSection

api-ms-win-core-synch-l1-2-0

SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

uxtheme

OpenThemeData
CloseThemeData
DrawThemeTextEx

dwmapi

DwmGetWindowAttribute
DwmSetWindowAttribute
DwmGetColorizationColor

dbghelp

ImageDirectoryEntryToData

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor

ucrtbase

__DestructExceptionObject
__TypeMatch
__current_exception
memmove
_FindAndUnlinkFrame
_IsExceptionObjectToBeDestroyed
__FrameUnwindFilter
__NLG_Dispatch2
memcpy
_CxxThrowException
_CreateFrameInfo
_purecall
__std_exception_copy
__std_exception_destroy
__AdjustPointer
__std_type_info_compare
memcmp
__std_type_info_destroy_list
memset
__C_specific_handler
__processing_throw
__NLG_Return2
__current_exception_context
_local_unwind

api-ms-win-crt-convert-l1-1-0

_wtof
_wtoi
_wtoll

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf

api-ms-win-crt-runtime-l1-1-0

_errno
_invalid_parameter_noinfo_noreturn
abort
terminate
_seh_filter_dll
_configure_narrow_argv
_beginthreadex
_invalid_parameter_noinfo
_initialize_narrow_environment
_initialize_onexit_table
_initterm_e
_register_onexit_function
_execute_onexit_table
_initterm
_cexit
_crt_atexit

api-ms-win-crt-string-l1-1-0

_wcsicmp
_stricmp
iswspace

api-ms-win-crt-math-l1-1-0

_dclass
_fdsign
_ldsign
_dsign
_fdclass
ceilf
_ldclass
round
roundf

api-ms-win-crt-heap-l1-1-0

calloc
free
_callnewh
malloc

api-ms-win-crt-locale-l1-1-0

___mb_cur_max_func
___lc_codepage_func
___lc_locale_name_func
setlocale
__pctype_func
localeconv
_unlock_locales
_lock_locales

ole32

CoTaskMemAlloc
CoCreateFreeThreadedMarshaler

oleaut32

SysStringLen
SysFreeString
GetErrorInfo
SetErrorInfo
SysAllocString

Sections

.text
Size: 278KB - Virtual size: 278KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 215KB - Virtual size: 214KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
data/AeroPeek.png
.png

Password: 3.0
data/btnglow_close.png
.png

Password: 3.0
data/btnglow_other.png
.png

Password: 3.0
data/config.ini
data/defaultres.dmres
data/glass.png
.png

Password: 3.0
data/lang/de-DE.xml
.xml
data/lang/en-US.xml
data/lang/es-MX.xml
data/lang/fr-FR.xml
.xml
data/lang/id-ID.xml
.xml
data/lang/it-IT.xml
data/lang/ja-JP.xml
data/lang/ko-KR.xml
data/lang/pt-BR.xml
data/lang/ru-RU.xml
data/lang/sv-SE.xml
.xml
data/lang/tr-TR.xml
data/lang/zh-CN.xml
data/lang/zh-SG.xml
data/lang/zh-TW.xml
data/symbols/dwmcore.pdb/FE391E85AD4D28375DEEC10F0A4305871/dwmcore.pdb
data/symbols/uDWM.pdb/012BEBC018443A012AE75FE54EDC86871/uDWM.pdb
dbghelp.dll
.dll windows:10 windows x64 arch:x64

Password: 3.0

c2a265611426f9f34c59e87a7c46fba1

Code Sign

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:fe
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16-02-2023 20:11

Not After

31-01-2024 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06-07-2010 20:40

Not After

06-07-2025 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

09:70:ab:d3:15:f7:38:3e:7d:64:17:6f:2e:ac:ed:4e:4a:35:e9:64:5a:34:86:4e:96:d3:c3:b7:ca:00:30:87
Signer

Actual PE Digest

09:70:ab:d3:15:f7:38:3e:7d:64:17:6f:2e:ac:ed:4e:4a:35:e9:64:5a:34:86:4e:96:d3:c3:b7:ca:00:30:87

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

dbghelp.pdb

Imports

api-ms-win-crt-string-l1-1-0

memset
wcsnlen
strlen
wcsncmp
strcmp
strcspn
strncmp
wcscmp

api-ms-win-crt-time-l1-1-0

_time64
_ctime64

api-ms-win-crt-locale-l1-1-0

_unlock_locales
_lock_locales

api-ms-win-crt-runtime-l1-1-0

__doserrno
_initterm
_initterm_e

api-ms-win-crt-private-l1-1-0

_o__filelengthi64
_o__fullpath
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__itoa_s
_o__lseeki64
_o__ltoa
_o__mbscmp
_o__memicmp
_o__open_osfhandle
_o__purecall
_o__read
_o__register_onexit_function
_o__seh_filter_dll
_o__splitpath_s
_o__stricmp
_o__strlwr
_o__strnicmp
_o___stdio_common_vsprintf_s
_o__aligned_malloc
_o__wcsdup
_o__wcsicmp
_o__wcslwr
_o__wcsnicmp
_o__wctime64
_o__wdupenv_s
_o__wfsopen
_o__wfullpath
_o__wgetenv
_o__wmakepath_s
_o__wsplitpath_s
_o__wtoi
_o_abort
_o_atoi
_o_atol
_o_bsearch
_o_calloc
_o_ceilf
_o_fclose
_o_fflush
_o_fread
_o_free
_o_frexp
_o_fseek
_o_ftell
_o_isspace
_o_iswprint
_o_iswspace
_o_iswxdigit
_o_localeconv
_o_malloc
_o_qsort
_o_realloc
_o_setlocale
_o_strcat_s
_o_strcpy_s
_o_strncat_s
_o_strncpy_s
_o_terminate
_o_tolower
_o_towlower
_o_wcscat_s
_o_wcscpy_s
_o_wcsncat_s
_o_wcsncpy_s
_o_wcstoul
_o_wmemcpy_s
__uncaught_exception
_CxxThrowException
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___stdio_common_vfprintf
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
_o___pctype_func
_o__execute_onexit_table
_o__errno
_o__crt_atexit
_o__configure_narrow_argv
_o__close
_o__aligned_free
_o____mb_cur_max_func
_o____lc_locale_name_func
_o____lc_codepage_func
wcsrchr
strstr
_o__cexit
_o__calloc_base
_o__callnewh
wcsstr
wcschr
__C_specific_handler
__CxxFrameHandler3
memcpy
__unDName
strchr
strrchr
__unDNameEx
memcmp
memmove
_o___stdio_common_vswprintf_s
_o___stdio_common_vsscanf

api-ms-win-core-file-l1-1-0

CreateFileA
GetFinalPathNameByHandleW
RemoveDirectoryW
SetFilePointerEx
GetFileSize
DeleteFileW
FindClose
CreateFileW
SetEndOfFile
GetFileType
SetFileAttributesW
SetFileTime
GetFileInformationByHandle
GetFileSizeEx
GetFileAttributesA
CreateDirectoryW
FindNextFileW
FindFirstFileW
WriteFile
ReadFile
SetFilePointer
CreateDirectoryA
GetFileAttributesW
GetFullPathNameW

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetErrorMode
GetLastError
SetLastError
RaiseException
UnhandledExceptionFilter

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionEx
OpenProcess
LeaveCriticalSection
EnterCriticalSection
TryAcquireSRWLockExclusive
InitializeCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockShared
InitializeCriticalSectionAndSpinCount
InitializeSRWLock
AcquireSRWLockExclusive
DeleteCriticalSection
ReleaseSRWLockShared

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
ExpandEnvironmentStringsW
SetEnvironmentVariableA

api-ms-win-core-misc-l1-1-0

FormatMessageW
Sleep
LocalAlloc
LocalFree

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
TerminateProcess
GetCurrentProcess
GetCurrentThread
TlsGetValue
OpenThreadToken
TlsFree
TlsAlloc
GetCurrentProcessId
TlsSetValue

api-ms-win-core-heap-l1-1-0

HeapReAlloc
GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-sysinfo-l1-1-0

GetVersionExA
GetSystemInfo
GetSystemDirectoryW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
SystemTimeToFileTime

api-ms-win-core-libraryloader-l1-1-0

GetProcAddress
FreeLibrary
LoadLibraryExW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
LoadLibraryExA
GetModuleHandleExW

api-ms-win-security-base-l1-1-0

GetFileSecurityW
AccessCheck
RevertToSelf
ImpersonateSelf

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
GetStringTypeW
WideCharToMultiByte

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualQuery
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
VirtualAlloc
VirtualProtect
MapViewOfFileEx
ReadProcessMemory

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
OutputDebugStringA
IsDebuggerPresent
DebugBreak

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-localization-l1-1-0

LCMapStringW
LCMapStringEx

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
CoTaskMemFree

oleaut32

SysFreeString

ntdll

RtlUTF8ToUnicodeN
RtlRunOnceExecuteOnce

api-ms-win-downlevel-kernel32-l2-1-0

CreateFileMappingA

api-ms-win-core-localregistry-l1-1-0

RegQueryValueExW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-threadpool-l1-1-0

CloseThreadpoolWork
WaitForThreadpoolWorkCallbacks
SubmitThreadpoolWork
CreateThreadpoolWork

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo

Exports

Exports

DbgHelpCreateUserDump
DbgHelpCreateUserDumpW
EnumDirTree
EnumDirTreeW
EnumerateLoadedModules
EnumerateLoadedModules64
EnumerateLoadedModulesEx
EnumerateLoadedModulesExW
EnumerateLoadedModulesW64
ExtensionApiVersion
FindDebugInfoFile
FindDebugInfoFileEx
FindDebugInfoFileExW
FindExecutableImage
FindExecutableImageEx
FindExecutableImageExW
FindFileInPath
FindFileInSearchPath
GetSymLoadError
GetTimestampForLoadedLibrary
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
ImagehlpApiVersion
ImagehlpApiVersionEx
MakeSureDirectoryPathExists
MiniDumpReadDumpStream
MiniDumpWriteDump
RangeMapAddPeImageSections
RangeMapCreate
RangeMapFree
RangeMapRead
RangeMapRemove
RangeMapWrite
RemoveInvalidModuleList
ReportSymbolLoadSummary
SearchTreeForFile
SearchTreeForFileW
SetCheckUserInterruptShared
SetSymLoadError
StackWalk
StackWalk2
StackWalk64
StackWalkEx
SymAddSourceStream
SymAddSourceStreamA
SymAddSourceStreamW
SymAddSymbol
SymAddSymbolW
SymAddrIncludeInlineTrace
SymAllocDiaString
SymCleanup
SymCompareInlineTrace
SymDeleteSymbol
SymDeleteSymbolW
SymEnumLines
SymEnumLinesW
SymEnumProcesses
SymEnumSourceFileTokens
SymEnumSourceFiles
SymEnumSourceFilesW
SymEnumSourceLines
SymEnumSourceLinesW
SymEnumSym
SymEnumSymbols
SymEnumSymbolsEx
SymEnumSymbolsExW
SymEnumSymbolsForAddr
SymEnumSymbolsForAddrW
SymEnumSymbolsW
SymEnumTypes
SymEnumTypesByName
SymEnumTypesByNameW
SymEnumTypesW
SymEnumerateModules
SymEnumerateModules64
SymEnumerateModulesW64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindDebugInfoFile
SymFindDebugInfoFileW
SymFindExecutableImage
SymFindExecutableImageW
SymFindFileInPath
SymFindFileInPathW
SymFreeDiaString
SymFromAddr
SymFromAddrW
SymFromIndex
SymFromIndexW
SymFromInlineContext
SymFromInlineContextW
SymFromName
SymFromNameW
SymFromToken
SymFromTokenW
SymFunctionTableAccess
SymFunctionTableAccess64
SymFunctionTableAccess64AccessRoutines
SymGetDiaSession
SymGetDiaSource
SymGetExtendedOption
SymGetFileLineOffsets64
SymGetHomeDirectory
SymGetHomeDirectoryW
SymGetLineFromAddr
SymGetLineFromAddr64
SymGetLineFromAddrEx
SymGetLineFromAddrW64
SymGetLineFromInlineContext
SymGetLineFromInlineContextW
SymGetLineFromName
SymGetLineFromName64
SymGetLineFromNameEx
SymGetLineFromNameW64
SymGetLineNext
SymGetLineNext64
SymGetLineNextEx
SymGetLineNextW64
SymGetLinePrev
SymGetLinePrev64
SymGetLinePrevEx
SymGetLinePrevW64
SymGetModuleBase
SymGetModuleBase64
SymGetModuleInfo
SymGetModuleInfo64
SymGetModuleInfoW
SymGetModuleInfoW64
SymGetOmapBlockBase
SymGetOmaps
SymGetOptions
SymGetScope
SymGetScopeW
SymGetSearchPath
SymGetSearchPathW
SymGetSourceFile
SymGetSourceFileChecksum
SymGetSourceFileChecksumW
SymGetSourceFileFromToken
SymGetSourceFileFromTokenByTokenName
SymGetSourceFileFromTokenByTokenNameW
SymGetSourceFileFromTokenW
SymGetSourceFileToken
SymGetSourceFileTokenByTokenName
SymGetSourceFileTokenByTokenNameW
SymGetSourceFileTokenW
SymGetSourceFileW
SymGetSourceVarFromToken
SymGetSourceVarFromTokenW
SymGetSymFromAddr
SymGetSymFromAddr64
SymGetSymFromName
SymGetSymFromName64
SymGetSymNext
SymGetSymNext64
SymGetSymPrev
SymGetSymPrev64
SymGetSymbolFile
SymGetSymbolFileW
SymGetTypeFromName
SymGetTypeFromNameW
SymGetTypeInfo
SymGetTypeInfoEx
SymGetUnwindInfo
SymInitialize
SymInitializeW
SymLoadModule
SymLoadModule64
SymLoadModuleEx
SymLoadModuleExW
SymMatchFileName
SymMatchFileNameW
SymMatchString
SymMatchStringA
SymMatchStringW
SymNext
SymNextW
SymPrev
SymPrevW
SymQueryInlineTrace
SymRefreshModuleList
SymRegisterCallback
SymRegisterCallback64
SymRegisterCallbackW64
SymRegisterFunctionEntryCallback
SymRegisterFunctionEntryCallback64
SymRegisterGetSourcePathPartCallback
SymRegisterSourceFileUrlListCallback
SymSearch
SymSearchW
SymSetContext
SymSetDiaSession
SymSetExtendedOption
SymSetHomeDirectory
SymSetHomeDirectoryW
SymSetOptions
SymSetParentWindow
SymSetScopeFromAddr
SymSetScopeFromIndex
SymSetScopeFromInlineContext
SymSetSearchPath
SymSetSearchPathW
SymSetServiceManager
SymSrvDeltaName
SymSrvDeltaNameW
SymSrvGetFileIndexInfo
SymSrvGetFileIndexInfoW
SymSrvGetFileIndexString
SymSrvGetFileIndexStringW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
SymSrvGetSupplement
SymSrvGetSupplementW
SymSrvIsStore
SymSrvIsStoreW
SymSrvStoreFile
SymSrvStoreFileW
SymSrvStoreSupplement
SymSrvStoreSupplementW
SymUnDName
SymUnDName64
SymUnloadModule
SymUnloadModule64
UnDecorateSymbolName
UnDecorateSymbolNameW
WinDbgExtensionDllInit
_EFN_DumpImage
block
chksym
dbghelp
dh
fptr
homedir
inlinedbg
itoldyouso
lmi
lminfo
omap
optdbgdump
optdbgdumpaddr
srcfiles
stack_force_ebp
stackdbg
sym
symsrv
vc7fpo

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 372KB - Virtual size: 368KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 80KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mrdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
symsrv.dll
.dll windows:10 windows x64 arch:x64

Password: 3.0

3176d2caa21b7195b44c14757c825d9f

Code Sign

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:fe
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16-02-2023 20:11

Not After

31-01-2024 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06-07-2010 20:40

Not After

06-07-2025 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

19:37:36:78:bc:6c:cb:e8:76:40:a8:31:23:30:9b:5d:42:27:84:b2:a2:61:1c:27:2d:46:6f:e7:49:ae:8e:19
Signer

Actual PE Digest

19:37:36:78:bc:6c:cb:e8:76:40:a8:31:23:30:9b:5d:42:27:84:b2:a2:61:1c:27:2d:46:6f:e7:49:ae:8e:19

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

symsrv.pdb

Imports

msvcrt

_stricmp
_errno
getenv
fclose
swprintf_s
_wfopen
??1type_info@@UEAA@XZ
fgetws
_vscprintf
_wcsdup
_vsnwprintf_s
vswprintf_s
memcmp
wcsrchr
_wcslwr_s
__CxxFrameHandler3
tolower
_wmakepath_s
_wtoi64
free
swscanf_s
strnlen
wcsnlen
_wcsicmp
isspace
__C_specific_handler
wcsncpy_s
_wcsnicmp
wcschr
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
strcpy_s
memset
_onexit
??0exception@@QEAA@XZ
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
_purecall
??3@YAXPEAX@Z
??0exception@@QEAA@AEBQEBD@Z
wcsncmp
_wcsupr
?terminate@@YAXXZ
wcsstr
calloc
iswspace
malloc
strpbrk
strstr
realloc
iswprint
_wcslwr
memcpy_s
towlower
strcat_s
_unlock
__dllonexit
wcscat_s
strrchr
_CxxThrowException
memcpy
memmove
_vsnwprintf
??_V@YAXPEAX@Z
wcscpy_s
_XcptFilter
_amsg_exit
_initterm
_lock
_vscwprintf
wcscmp

api-ms-win-core-libraryloader-l1-1-0

GetModuleHandleExW
FreeLibrary
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
GetModuleFileNameA
GetModuleHandleW
LoadLibraryExA

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetExitCodeThread
GetCurrentThreadId
OpenProcessToken
TerminateProcess
GetCurrentProcessId
CreateThread

api-ms-win-core-misc-l1-1-0

LocalFree
LocalAlloc
GlobalFree
FormatMessageW
Sleep
LocalReAlloc

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-security-base-l1-1-0

GetTokenInformation
FreeSid
AllocateAndInitializeSid
EqualSid

api-ms-win-core-file-l1-1-0

CreateFileW
GetFileTime
GetFileSizeEx
CreateDirectoryW
SetFilePointerEx
DeleteFileW
GetDriveTypeW
RemoveDirectoryW
GetFullPathNameW
GetFinalPathNameByHandleW
GetFileAttributesW
GetFileAttributesExW
GetFileSize
FileTimeToLocalFileTime
DeleteFileA
CreateFileA
LocalFileTimeToFileTime
GetFileInformationByHandle
SetFilePointer
SetFileTime
ReadFile
WriteFile

api-ms-win-core-errorhandling-l1-1-0

SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RaiseException
GetLastError
SetErrorMode

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
ExpandEnvironmentStringsW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetVersionExW
GetTickCount

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
OpenSemaphoreW
TryAcquireSRWLockExclusive
InitializeSRWLock
WaitForSingleObjectEx
ReleaseMutex
CreateMutexExW
ReleaseSRWLockShared
CreateSemaphoreExW
AcquireSRWLockShared
InitializeCriticalSection
SetEvent
SetWaitableTimer
DeleteCriticalSection
LeaveCriticalSection
OpenMutexW
ReleaseSemaphore
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
ReleaseSRWLockExclusive
ResetEvent
AcquireSRWLockExclusive
CreateEventW

api-ms-win-core-handle-l1-1-0

CloseHandle

rpcrt4

UuidCreate

api-ms-win-core-localregistry-l1-1-0

RegEnumValueW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey

ws2_32

GetAddrInfoW
WSAStartup
FreeAddrInfoW
WSACleanup

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

oleaut32

SysFreeString

shlwapi

PathFindFileNameW

kernel32

WaitForMultipleObjects
IsProcessorFeaturePresent
CancelSynchronousIo

ntdll

RtlRunOnceExecuteOnce
RtlUTF8ToUnicodeN

crypt32

CryptStringToBinaryW
CryptBinaryToStringW

bcrypt

BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCreateHash

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualQuery

api-ms-win-core-threadpool-l1-1-0

WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer

Exports

Exports

EulaDlgProc
RunDllEntry
SymbolServer
SymbolServerByIndex
SymbolServerByIndexAndChecksumsW
SymbolServerByIndexW
SymbolServerClose
SymbolServerDeltaName
SymbolServerDeltaNameW
SymbolServerGetIndexString
SymbolServerGetIndexStringW
SymbolServerGetOptionData
SymbolServerGetOptions
SymbolServerGetSupplement
SymbolServerGetSupplementW
SymbolServerGetVersion
SymbolServerIsStore
SymbolServerIsStoreW
SymbolServerPing
SymbolServerPingW
SymbolServerPingWEx
SymbolServerSetHttpAuthHeader
SymbolServerSetOptions
SymbolServerSetOptionsW
SymbolServerStoreFile
SymbolServerStoreFileW
SymbolServerStoreSupplement
SymbolServerStoreSupplementW
SymbolServerW
SymbolServerWEx
SymbolServerWithChecksumsW
httpCloseHandle
httpOpenFileHandle
httpOpenFileHandleW
httpQueryDataAvailable
httpReadFile

Sections

.text
Size: 200KB - Virtual size: 197KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 116KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 206KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mrdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 3.0

Password: 3.0

f4f2e2b03fe5666a721620fcea3aea9b

Headers

DLL Characteristics

File Characteristics

Imports

user32

comctl32

kernel32

advapi32

gdi32

Sections

.text Size: 172KB - Virtual size: 171KB

.rdata Size: 76KB - Virtual size: 75KB

.data Size: 3KB - Virtual size: 12KB

.pdata Size: 9KB - Virtual size: 8KB

_RDATA Size: 512B - Virtual size: 500B

.rsrc Size: 47KB - Virtual size: 46KB

.reloc Size: 2KB - Virtual size: 1KB

Password: 3.0

aea0909298844911798e668fb59c0680

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

advapi32

shlwapi

api-ms-win-core-path-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-interlocked-l1-1-0

uxtheme

dwmapi

dbghelp

api-ms-win-shcore-scaling-l1-1-1

ucrtbase

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

ole32

oleaut32

Sections

.text Size: 278KB - Virtual size: 278KB

.rdata Size: 215KB - Virtual size: 214KB

.data Size: 26KB - Virtual size: 33KB

.pdata Size: 13KB - Virtual size: 13KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 3KB - Virtual size: 2KB

Password: 3.0

Password: 3.0

Password: 3.0

Password: 3.0

Password: 3.0

c2a265611426f9f34c59e87a7c46fba1

Code Sign

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:feCertificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

.text
Size: 172KB - Virtual size: 171KB

.rdata
Size: 76KB - Virtual size: 75KB

.data
Size: 3KB - Virtual size: 12KB

.pdata
Size: 9KB - Virtual size: 8KB

_RDATA
Size: 512B - Virtual size: 500B

.rsrc
Size: 47KB - Virtual size: 46KB

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 278KB - Virtual size: 278KB

.rdata
Size: 215KB - Virtual size: 214KB

.data
Size: 26KB - Virtual size: 33KB

.pdata
Size: 13KB - Virtual size: 13KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 3KB - Virtual size: 2KB

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:fe
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

09:70:ab:d3:15:f7:38:3e:7d:64:17:6f:2e:ac:ed:4e:4a:35:e9:64:5a:34:86:4e:96:d3:c3:b7:ca:00:30:87
Signer

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 372KB - Virtual size: 368KB

.data
Size: 36KB - Virtual size: 141KB

.pdata
Size: 80KB - Virtual size: 76KB

.didat
Size: 4KB - Virtual size: 56B

.mrdata
Size: 16KB - Virtual size: 12KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 20KB - Virtual size: 19KB

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:fe
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

19:37:36:78:bc:6c:cb:e8:76:40:a8:31:23:30:9b:5d:42:27:84:b2:a2:61:1c:27:2d:46:6f:e7:49:ae:8e:19
Signer