TSWorkspace[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

TSWorkspace.dll
Size

954KB
MD5

099c318cc5de546c0372ac008b14c013
SHA1

e4e981f3f76b6e34618222630504951ea54b6079
SHA256

7ba0b53d4a4fccb43073603405c3a9b0f2734c05a5a7ad3a0abc8228d32096a3
SHA512

0142294ca98105e3ef7df70bed8039926ae2d87aba25b72b07f5a5e9cc99e25554340c9c985dc1e2b081c0f97377c84e82a12a89e52290eca8fdeafb0185efd5
SSDEEP

12288:j2ISZ+tw+BBrRdKkVeOw3vsnlnPnSo/kAmE48XlB73NvKvrZwXIB7GjFysyXNs:j2Lkt/dKkVLnlKVAfvNvKvqimBs

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
TSWorkspace.dll

Files

TSWorkspace.dll
.dll regsvr32 windows:10 windows x86 arch:x86

9336e7a8cdeaea62a848ed3d988492e2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

TSWorkspace.pdb

Imports

msvcrt

wcstol
gmtime
wcsrchr
wcstok_s
wcstombs_s
wcsstr
_wtoi
toupper
_vscwprintf
time
wcsftime
setlocale
??1bad_cast@@UAE@XZ
??0bad_cast@@QAE@ABV0@@Z
strchr
_wcsnicmp
wcscspn
wcsncmp
rand_s
fclose
iswcntrl
fgetws
_wfopen_s
iswspace
_vsnwprintf
__crtLCMapStringW
___lc_handle_func
___lc_collate_cp_func
__crtCompareStringW
___lc_codepage_func
__pctype_func
memcmp
abort
towlower
_wcslwr
??3@YAXPAX@Z
memcpy
vswprintf_s
__RTDynamicCast
_ftol2
_ftol2_sse
memmove
_onexit
__dllonexit
_unlock
_lock
realloc
_errno
??1type_info@@UAE@XZ
_except_handler4_common
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
??0exception@@QAE@XZ
calloc
memmove_s
_wcsicmp
?what@exception@@UBEPBDXZ
_purecall
wcscat_s
wcscpy_s
malloc
wcsncpy_s
free
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
memcpy_s
??_V@YAXPAX@Z
__CxxFrameHandler3
___mb_cur_max_func
memset

ole32

PropVariantClear
CoInitializeEx
IIDFromString
CLSIDFromString
CoCreateGuid
CoUninitialize
CoInitialize
StringFromGUID2
CoTaskMemAlloc
CoTaskMemRealloc
CoCreateInstance
CoTaskMemFree
StringFromIID

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoGetActivationFactory
RoUninitialize

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference

oleaut32

SafeArrayDestroy
SafeArrayPutElement
SafeArrayCreate
LPSAFEARRAY_UserSize
LPSAFEARRAY_UserFree
SafeArrayLock
BSTR_UserFree
LPSAFEARRAY_UserUnmarshal
SafeArrayUnlock
BSTR_UserUnmarshal
SysStringLen
SysAllocString
BSTR_UserSize
VarBstrCmp
VarBstrCat
SysFreeString
BSTR_UserMarshal
LPSAFEARRAY_UserMarshal
SafeArrayGetUBound
VarUI4FromStr
SafeArrayRedim
SafeArrayGetLBound
SysAllocStringByteLen
SysStringByteLen
SysAllocStringLen
RegisterTypeLi
VariantChangeType
LoadTypeLi
UnRegisterTypeLi
LoadRegTypeLi
VariantInit
VariantClear

rpcrt4

CStdStubBuffer_Invoke
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_AddRef
CStdStubBuffer_CountRefs
CStdStubBuffer_QueryInterface
IUnknown_QueryInterface_Proxy
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
NdrCStdStubBuffer2_Release
NdrDllUnregisterProxy
NdrDllRegisterProxy
NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
NdrStubForwardingFunction
CStdStubBuffer_IsIIDSupported
NdrStubCall2
CStdStubBuffer_Connect
IUnknown_AddRef_Proxy
NdrOleFree
IUnknown_Release_Proxy

api-ms-win-core-synch-l1-1-0

ResetEvent
InitializeCriticalSection
EnterCriticalSection
ReleaseMutex
CreateMutexW
LeaveCriticalSection
DeleteCriticalSection
SetEvent
WaitForSingleObject
CreateEventW
InitializeCriticalSectionAndSpinCount
ReleaseSemaphore
CreateEventExW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleHandleExW
FindResourceExW
GetModuleFileNameW
FreeLibraryAndExitThread
GetProcAddress
LockResource
LoadStringW
LoadLibraryExW
SizeofResource
FreeLibrary
LoadResource
DisableThreadLibraryCalls
GetModuleHandleExA

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegGetValueW
RegQueryValueExW
RegQueryInfoKeyW
RegCloseKey
RegDeleteTreeW
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
RegDeleteValueW
RegEnumValueW
RegSetValueExW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW
GetStringTypeW
WideCharToMultiByte
CompareStringEx
CompareStringOrdinal

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventSetInformation
EventWriteTransfer
EventActivityIdControl

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce
InitOnceInitialize

api-ms-win-security-base-l1-1-0

AddAce
GetSecurityDescriptorSacl
IsValidSid
GetLengthSid
CopySid
GetSidSubAuthority
GetAclInformation
GetSidLengthRequired
SetSecurityDescriptorDacl
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
MakeAbsoluteSD
InitializeSecurityDescriptor
SetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetTokenInformation
RevertToSelf
SetSecurityDescriptorGroup
InitializeSid
GetSecurityDescriptorDacl
InitializeAcl
ImpersonateLoggedOnUser

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-heap-l2-1-0

LocalFree
GlobalFree
LocalAlloc

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
OpenThread
TerminateThread
GetCurrentProcess
TlsFree
GetCurrentProcessId
GetCurrentThreadId
SwitchToThread
OpenProcessToken
OpenThreadToken
TlsSetValue
GetCurrentThread
TlsGetValue
CreateThread
TlsAlloc

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo
GetVersionExW
GetSystemTime
GetComputerNameExW
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-debug-l1-1-0

OutputDebugStringA

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CreateThreadpoolTimer
TrySubmitThreadpoolCallback
SetThreadpoolThreadMaximum
CloseThreadpool
SetThreadpoolThreadMinimum
CloseThreadpoolTimer
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CreateThreadpoolCleanupGroup
CreateThreadpool

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW
WaitForMultipleObjects

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryA
LoadLibraryW

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapSize
HeapFree
HeapDestroy
HeapAlloc
HeapReAlloc

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

kernel32

lstrcmpiW
lstrlenA
DeleteTimerQueueTimer
CreateTimerQueueTimer
VerifyVersionInfoW

user32

UnregisterClassA
GetMessageW
GetWindowTextW
RemovePropW
GetWindowLongW
SetDlgItemTextW
ShowWindow
SetWindowPos
TranslateMessage
MsgWaitForMultipleObjectsEx
GetClassInfoExW
SetDlgItemInt
LoadIconW
RegisterClassExW
LoadImageW
DestroyIcon
PostQuitMessage
UnregisterClassW
CreateWindowExW
DefWindowProcW
PeekMessageW
SendMessageW
GetWindowRect
GetDesktopWindow
GetDlgItem
GetPropW
PostMessageW
DestroyWindow
DispatchMessageW
SetPropW
PostThreadMessageW
GetParent
KillTimer
SetTimer
SetWindowLongW
SetFocus

dnsapi

DnsQuery_W
DnsFree

normaliz

IdnToAscii
IdnToUnicode

sspicli

LsaLookupAuthenticationPackage
LsaConnectUntrusted
GetUserNameExW
LsaDeregisterLogonProcess

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW
RegSetKeyValueW

api-ms-win-core-file-l2-1-0

CreateDirectoryExW

crypt32

CryptMsgUpdate
CertVerifyCertificateChainPolicy
CertOpenStore
CertFreeCertificateContext
CertFreeCertificateChain
CertDuplicateCertificateContext
CertDuplicateCertificateChain
CertGetCertificateContextProperty
CryptSignMessage
CryptVerifyDetachedMessageSignature
CertCloseStore
CryptProtectMemory
CryptUnprotectMemory
CryptBinaryToStringW
CertFindExtension
CertGetCertificateChain
CertGetEnhancedKeyUsage
CryptDecodeObject
CryptProtectData
CryptUnprotectData
CryptStringToBinaryW
CryptMsgClose
CryptMsgOpenToDecode

api-ms-win-security-sddl-l1-1-0

ConvertSecurityDescriptorToStringSecurityDescriptorW

winhttp

WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpConnect
WinHttpCrackUrl
WinHttpCreateUrl
WinHttpSetStatusCallback
WinHttpSetTimeouts
WinHttpOpenRequest
WinHttpSetOption
WinHttpCloseHandle
WinHttpReceiveResponse
WinHttpAddRequestHeaders
WinHttpOpen
WinHttpQueryHeaders
WinHttpReadData
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpQueryOption
WinHttpQueryAuthSchemes
WinHttpSetCredentials

api-ms-win-security-credentials-l1-1-0

CredWriteW
CredGetSessionTypes

api-ms-win-core-file-l1-1-0

GetFileSize
DeleteFileW
ReadFile
SetFilePointer
CreateFileW
WriteFile
GetFileAttributesW

api-ms-win-core-localization-l1-2-0

GetACP
LCMapStringW

api-ms-win-core-url-l1-1-0

UrlCreateFromPathW
UrlCombineW
UrlGetPartW

cryptsp

CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
CryptAcquireContextW
CryptCreateHash
CryptHashData

ntdll

RtlInitString

advapi32

GetUserNameW
RegOpenKeyTransactedW
IsTextUnicode
RegDeleteKeyW
RegCreateKeyTransactedW

shlwapi

PathIsContentTypeW
ord278
PathQuoteSpacesW
PathCanonicalizeW
PathFileExistsW

shell32

SHGetKnownFolderPath
SHCreateDirectoryExW
SHFileOperationW
SHChangeNotify
SHCreateAssociationRegistration
Shell_NotifyIconW

wininet

InternetCrackUrlW
InternetCombineUrlW
InternetCanonicalizeUrlW
InternetCreateUrlW

credui

CredUnPackAuthenticationBufferW
CredUIPromptForWindowsCredentialsW

ktmw32

CommitTransaction
CreateTransaction

Exports

Exports

CreateClaimsAuthResponseHeader
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
RADCProcessGroupPolicyEx
RADCUISupportCreateDiscoveryStrategy
RADCUISupportCreateSubscriptionClient
TaskUpdateWorkspaces
TaskUpdateWorkspaces2
TaskUpdateWorkspacesIfNeeded
TryParseClaimsAuthnHeader
WorkspaceSilentSetupW
WorkspaceStatusNotify
WorkspaceStatusNotify2

Sections

.text
Size: 735KB - Virtual size: 734KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 137KB - Virtual size: 136KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9336e7a8cdeaea62a848ed3d988492e2

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ole32

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

oleaut32

rpcrt4

api-ms-win-core-synch-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-timezone-l1-1-0

kernel32

user32

dnsapi

normaliz

sspicli

api-ms-win-core-registry-l1-1-1

api-ms-win-core-file-l2-1-0

crypt32

api-ms-win-security-sddl-l1-1-0

winhttp

api-ms-win-security-credentials-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-url-l1-1-0

cryptsp

ntdll

advapi32

shlwapi

shell32

wininet

credui

ktmw32

Exports

Exports

Sections

.text Size: 735KB - Virtual size: 734KB

.data Size: 12KB - Virtual size: 15KB

.idata Size: 14KB - Virtual size: 13KB

.rsrc Size: 137KB - Virtual size: 136KB

.reloc Size: 55KB - Virtual size: 54KB

.text
Size: 735KB - Virtual size: 734KB

.data
Size: 12KB - Virtual size: 15KB

.idata
Size: 14KB - Virtual size: 13KB

.rsrc
Size: 137KB - Virtual size: 136KB

.reloc
Size: 55KB - Virtual size: 54KB