AppVEntSubsystems32[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

AppVEntSubsystems32.dll
Size

1.5MB
MD5

c0a93542f2ab5edf2305775424659178
SHA1

9d612afa205e64a5965559f06b9903f423eb891f
SHA256

fce2af0b63fa42b6c7035cff2e786dc0ab2cf6d4d8cf9917948429f6a383cdf1
SHA512

262782c444c32f74bb23e62f6a967c13be90d68d66e1ef495d7832c922c8ca106421a269207dd817bc3731c7faa021831d0c340d055d0cd4cd3794051fcf38f8
SSDEEP

24576:op0gIxiVWNE7uz43h6PgSWkk3Ws2eKaMoKsVgdyvTt7jJHGNP/it45wsTqxJBn:80PxiV8JgSWkk3Ws2eXMoKjdyvR7MNXm

Score

1^/10

Malware Config

Signatures

Files

AppVEntSubsystems32.dll
.dll windows:10 windows x86 arch:x86

0d81903472a7577d8d590dac7a94e4b1

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/12/2020, 21:29

Not After

02/12/2021, 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4b:b3:ee:9e:4d:1f:4c:68:93:4e:63:16:c6:ef:08:a0:e8:72:a5:cc:8f:b0:26:77:5c:32:94:d7:d3:ad:25:49
Signer

Actual PE Digest

4b:b3:ee:9e:4d:1f:4c:68:93:4e:63:16:c6:ef:08:a0:e8:72:a5:cc:8f:b0:26:77:5c:32:94:d7:d3:ad:25:49

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

AppVEntSubsystems.pdb

Imports

ntdll

NtSetEvent
RtlInitAnsiString
RtlCompareUnicodeString
NtDuplicateObject
NtQueryKey
RtlInitUnicodeString
RtlNtStatusToDosError
RtlPrefixUnicodeString
NtDeleteKey
NtEnumerateKey
NtEnumerateValueKey
NtOpenKey
NtNotifyChangeMultipleKeys
NtFlushKey
NtSetSecurityObject
NtDeleteValueKey
NtClose
NtSetInformationThread
RtlFreeHeap
RtlAllocateHeap
RtlIsNameInExpression
RtlEnumerateGenericTableWithoutSplayingAvl
RtlIsGenericTableEmptyAvl
RtlEnumerateGenericTableAvl
RtlInsertElementGenericTableAvl
RtlCopyUnicodeString
RtlLookupElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlUnwind
NtReadFile
NtWriteFile
RtlEqualUnicodeString
RtlIntegerToUnicodeString
NtQueryInformationProcess
NtQueryValueKey
NtSetValueKey
NtQuerySecurityObject
NtQueryObject
NtRenameKey
NtCreateKey

kernel32

LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
ExitProcess
IsValidCodePage
GetACP
GetOEMCP
GetFileSizeEx
SetFilePointerEx
SetStdHandle
WriteFile
GetConsoleCP
GetConsoleMode
FlushFileBuffers
ReadFile
ReadConsoleW
OutputDebugStringW
HeapSize
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
CreateFileW
WriteConsoleW
SetEvent
ResetEvent
GetSystemTimeAsFileTime
CreateEventW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
InterlockedFlushSList
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RaiseException
GetStartupInfoW
GetFileType
GetStdHandle
TlsFree
GetCurrentThread
HeapReAlloc
IsProcessorFeaturePresent
LoadLibraryExW
WaitForSingleObjectEx
TlsSetValue
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CompareStringEx
GetCPInfo
LCMapStringEx
DecodePointer
EncodePointer
InitializeCriticalSectionEx
GetStringTypeW
WideCharToMultiByte
InitOnceExecuteOnce
MultiByteToWideChar
CreateThread
LoadLibraryW
CheckRemoteDebuggerPresent
IsDebuggerPresent
CloseHandle
DisableThreadLibraryCalls
ReleaseMutex
WaitForSingleObject
CreateMutexW
GetModuleFileNameW
GetVersionExW
VirtualProtect
LoadLibraryExA
VirtualQuery
VirtualFree
VirtualAlloc
SuspendThread
ResumeThread
GetThreadContext
FlushInstructionCache
SetThreadContext
RaiseFailFastException
FindFirstFileW
SearchPathW
ExpandEnvironmentStringsW
GetShortPathNameW
GetEnvironmentVariableW
FindClose
GetSystemDirectoryW
UnmapViewOfFile
GetSystemWow64DirectoryW
GetCurrentDirectoryW
GetWindowsDirectoryW
LocalFree
CreateFileMappingW
MapViewOfFile
GetNativeSystemInfo
QueryDosDeviceW
FindFirstFileNameW
FindNextFileW
GetFinalPathNameByHandleW
GetFileAttributesW
GetLogicalDriveStringsW
FindNextFileNameW
K32GetMappedFileNameW
LoadLibraryA
DebugBreak
CreateSemaphoreExW
ReleaseSemaphore
WaitForThreadpoolTimerCallbacks
ReleaseSRWLockExclusive
CloseThreadpoolTimer
AcquireSRWLockExclusive
OpenSemaphoreW
SetThreadpoolTimer
ReleaseSRWLockShared
CreateThreadpoolTimer
CreateMutexExW
AcquireSRWLockShared
Sleep
OpenEventW
DisconnectNamedPipe
CreateNamedPipeW
PeekNamedPipe
GetOverlappedResult
ConnectNamedPipe
GetProcessId
GetProcessMitigationPolicy
IsWow64Process
InitializeSRWLock
DeviceIoControl
GetVersion
WaitForMultipleObjects
QueueUserWorkItem
SetCurrentDirectoryW
FindFirstVolumeW
FindVolumeClose
GetVolumePathNamesForVolumeNameW
FindNextVolumeW
GetVolumePathNameW
GetConsoleWindow
CreateProcessW
DuplicateHandle
HeapDestroy
ExitThread
FreeLibraryAndExitThread
GetSystemInfo
FindFirstFileExW
GetCommandLineA
GetCommandLineW
FreeLibrary
GetModuleHandleW
GetProcessHeap
DeleteCriticalSection
GetProcAddress
HeapAlloc
K32GetModuleInformation
GetLastError
FormatMessageW
GetCurrentThreadId
InitializeCriticalSection
LeaveCriticalSection
GetModuleHandleExW
GetCurrentProcess
EnterCriticalSection
SetLastError
HeapFree
GetModuleFileNameA
GetUserDefaultLangID

advapi32

CopySid
RegEnumValueW
OpenProcessToken
DuplicateToken
ConvertSidToStringSidW
OpenThreadToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegSetValueExW
RegCreateKeyExW
RegDeleteKeyW
MakeAbsoluteSD
MakeSelfRelativeSD
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
InitializeSecurityDescriptor
AddAce
SetSecurityDescriptorOwner
GetAclInformation
SetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
GetLengthSid
IsValidSid
InitializeSid
GetSidLengthRequired
GetSidSubAuthority
EqualSid
DuplicateTokenEx
CreateProcessAsUserW
SetThreadToken
RegEnumKeyExW
InitializeAcl
SetSecurityDescriptorGroup
LookupAccountSidW
RegCloseKey
EventWriteTransfer
EventRegister
EventSetInformation
RegOpenKeyExW
EventUnregister
RegQueryValueExW

user32

CallWindowProcW
DispatchMessageW
IsWindowVisible
GetParent
WaitForInputIdle
GetWindowLongW
PeekMessageW
FindWindowW

gdi32

CreateScalableFontResourceW
AddFontResourceExW

ole32

PropVariantClear
CoCreateInstance
StringFromGUID2
GetClassFile
CreateFileMoniker
GetRunningObjectTable
CoCreateGuid
CoUninitialize
CoInitializeEx
CLSIDFromString
StringFromCLSID
CoTaskMemAlloc
CoGetTreatAsClass
CreateStreamOnHGlobal
CoUnmarshalInterface
CoMarshalInterface
CoTaskMemFree

shell32

SHGetPathFromIDListW
SHParseDisplayName
GetCurrentProcessExplicitAppUserModelID
SHCreateItemFromParsingName

rpcrt4

NdrServerCall2
NdrClientCall4
UuidCreate
RpcServerRegisterAuthInfoW
RpcServerListen
RpcRevertToSelf
RpcServerRegisterIf2
RpcServerUnregisterIf
RpcServerUseProtseqEpW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcImpersonateClient
RpcBindingFree
RpcBindingInqAuthClientW
NdrClientCall2

shlwapi

PathCreateFromUrlW
UrlCreateFromPathW

userenv

UnloadUserProfile

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

Exports

Exports

APIExportForDetours
CurrentThreadIsVirtualized
RequestUnhookedFunctionList
VirtualizeCurrentProcess
VirtualizeCurrentThread
_IsProcessHooked@0

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 58KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.mrdata
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0d81903472a7577d8d590dac7a94e4b1

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ecCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

4b:b3:ee:9e:4d:1f:4c:68:93:4e:63:16:c6:ef:08:a0:e8:72:a5:cc:8f:b0:26:77:5c:32:94:d7:d3:ad:25:49Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

kernel32

advapi32

user32

gdi32

ole32

shell32

rpcrt4

shlwapi

userenv

version

Exports

Exports

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.data Size: 58KB - Virtual size: 66KB

.idata Size: 9KB - Virtual size: 9KB

.detourd Size: 512B - Virtual size: 12B

.detourc Size: 4KB - Virtual size: 4KB

.mrdata Size: 512B - Virtual size: 16B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 80KB - Virtual size: 79KB

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

4b:b3:ee:9e:4d:1f:4c:68:93:4e:63:16:c6:ef:08:a0:e8:72:a5:cc:8f:b0:26:77:5c:32:94:d7:d3:ad:25:49
Signer

.text
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 58KB - Virtual size: 66KB

.idata
Size: 9KB - Virtual size: 9KB

.detourd
Size: 512B - Virtual size: 12B

.detourc
Size: 4KB - Virtual size: 4KB

.mrdata
Size: 512B - Virtual size: 16B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 80KB - Virtual size: 79KB