Microsoft[.]Uev[.]AppAgent[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

Microsoft.Uev.AppAgent.dll
Size

1.6MB
MD5

77ef8431d41505638c96ea6a3ede83b0
SHA1

71fca89ac930b8b68b6a3210b4baa7e866d86158
SHA256

01071eb76978a2441af528a427136044bdd62356bb83c278f9e3d49fa3c4fdfc
SHA512

bb1be1686dd740a1437e9c80385f83dfe5d0bce67324de8f6ee58b96ad81c4330b19c5df8552a0a4b504d91dce64ef08478b254af3b1883c044262fc4782c39c
SSDEEP

49152:c8BWfQ4yOiLm0CR0s9oDqPQk3c361cNnm7zVAWeFvTxK6NO4tG:1WfQ4yXOFek

Score

1^/10

Malware Config

Signatures

Files

Microsoft.Uev.AppAgent.dll
.dll windows:10 windows x86 arch:x86

28721aec6840cbcdef1185c8a202b0d6

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/12/2020, 21:29

Not After

02/12/2021, 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

66:91:ce:36:81:03:30:55:94:04:16:97:ee:a5:aa:b4:da:38:5c:09:4b:b0:9f:d1:3e:a3:50:f9:1c:cf:7e:e1
Signer

Actual PE Digest

66:91:ce:36:81:03:30:55:94:04:16:97:ee:a5:aa:b4:da:38:5c:09:4b:b0:9f:d1:3e:a3:50:f9:1c:cf:7e:e1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

Microsoft.Uev.AppAgent.pdb

Imports

msvcrt

_stricmp
_wcsnicmp
time
ldiv
strchr
_wtoi
_fseeki64
fsetpos
ungetc
mbstowcs_s
fgetpos
fgetc
fflush
fputc
gmtime
_mkgmtime
swprintf_s
?name@type_info@@QBEPBDXZ
fwrite
fclose
ftell
setvbuf
fread
__RTDynamicCast
towlower
ferror
feof
__ExceptionPtrCreate
__ExceptionPtrCopy
__ExceptionPtrDestroy
__ExceptionPtrCurrentException
__ExceptionPtrRethrow
wcsncpy_s
wprintf
_putws
??1bad_typeid@@UAE@XZ
??0bad_typeid@@QAE@ABV0@@Z
__RTtypeid
strerror
_beginthreadex
_except_handler4_common
??1type_info@@UAE@XZ
_onexit
__dllonexit
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
isdigit
isalnum
memcmp
___lc_collate_cp_func
memchr
tolower
isspace
_Strftime
_Gettnames
__mb_cur_max
_Wcsftime
_W_Gettnames
_W_Getmonths
_W_Getdays
_Getmonths
_Getdays
memcpy_s
ldexp
realloc
?before@type_info@@QBEHABV1@@Z
_wfsopen
fseek
abort
_free_locale
_get_current_locale
__crtLCMapStringA
__crtLCMapStringW
__crtCompareStringA
__crtCompareStringW
??9type_info@@QBEHABV0@@Z
??8type_info@@QBEHABV0@@Z
_wcsdup
islower
memset
_ismbblead
___mb_cur_max_func
calloc
___lc_codepage_func
___lc_handle_func
isupper
__pctype_func
__uncaught_exception
memcpy
__CxxFrameHandler3
_CxxThrowException
setlocale
_unlock
_lock
_callnewh
malloc
_errno
wcscpy_s
sprintf_s
free
localeconv
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
_purecall
strcspn
_wcsicmp
memmove
??0bad_cast@@QAE@ABV0@@Z
??0bad_cast@@QAE@PBD@Z
??1bad_cast@@UAE@XZ
??_V@YAXPAX@Z
_wfopen_s
??3@YAXPAX@Z
_ftol2

user32

GetSystemMetrics
SetSysColors
GetDoubleClickTime
GetSysColor
SystemParametersInfoW
GetWindowLongW
GetMessageW
DefWindowProcW
ShutdownBlockReasonDestroy
SetWindowLongW
LoadCursorW
LoadIconW
TranslateMessage
SendNotifyMessageW
ShutdownBlockReasonCreate
DispatchMessageW
LoadStringW
RegisterClassExW
WaitForInputIdle
CreateWindowExW

kernel32

DeleteFileW
MoveFileExW
GetFileSize
CopyFileExW
GetFileTime
ReleaseMutex
FindFirstFileW
FindNextFileW
FindClose
lstrlenA
WaitForSingleObjectEx
CreateHardLinkW
GetLongPathNameW
GetFileAttributesW
QueryPerformanceFrequency
TlsFree
TlsGetValue
TlsAlloc
CreateWaitableTimerW
TlsSetValue
WaitForMultipleObjectsEx
OpenEventA
SetWaitableTimer
FormatMessageA
AreFileApisANSI
CopyFileW
GetCurrentDirectoryW
GetFileAttributesExW
SetFileTime
RemoveDirectoryW
DeviceIoControl
CreateFileW
CreateDirectoryW
LocalAlloc
GetModuleHandleExW
FreeLibrary
SetLastError
VirtualQuery
SetThreadContext
FlushInstructionCache
SetFileAttributesW
ResumeThread
VirtualAlloc
VirtualFree
VirtualProtect
SwitchToThread
LocalLock
GetSystemInfo
CreateEventA
CreateEventW
FormatMessageW
GetLastError
SetEvent
CloseHandle
GetLocalTime
LocalFree
GetCurrentProcessId
LocalUnlock
ResetEvent
GetModuleHandleW
DisableThreadLibraryCalls
HeapFree
GetCurrentProcess
TerminateProcess
GetModuleFileNameW
GetProcessId
WaitForSingleObject
OpenEventW
Sleep
HeapAlloc
CreateMutexExW
ExitProcess
GetProcessHeap
QueryFullProcessImageNameW
MultiByteToWideChar
GetStringTypeW
WideCharToMultiByte
InitializeCriticalSectionEx
GetLocaleInfoW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetThreadContext
GetComputerNameExW
GetProcAddress
ExpandEnvironmentStringsW
WriteFile
ReadFile
GetExitCodeProcess
CreateProcessW
Wow64RevertWow64FsRedirection
ProcessIdToSessionId
Wow64DisableWow64FsRedirection
SystemTimeToFileTime
GetTempPathW
CreateSemaphoreA
GetModuleHandleA
DuplicateHandle
ReleaseSemaphore
GetUserDefaultLCID
CreateThread
GetExitCodeThread
lstrcmpiW
CreateThreadpoolWork
SubmitThreadpoolWork
CreateEventExW
CloseThreadpoolWork
CreateMutexW
WaitNamedPipeW
GetCurrentThread
SetThreadPriority

gdi32

GetStockObject

ole32

StringFromGUID2
CoCreateGuid
CLSIDFromString
OleRun
CLSIDFromProgID
CoTaskMemFree
CoCreateInstance
CoInitializeEx
CoUninitialize

advapi32

GetSidSubAuthority
OpenProcessToken
GetTokenInformation
RegQueryValueExW
CreateWellKnownSid
CheckTokenMembership
EventActivityIdControl
RegSetKeyValueW
RegDeleteKeyExW
RegSetValueExW
RegDeleteValueW
RegEnumValueW
GetSidSubAuthorityCount
RegQueryInfoKeyW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteTreeW
RegOpenKeyExW
RegGetValueW
EventRegister
EventSetInformation
EventUnregister
EventWrite
SetSecurityInfo
RegCloseKey
EventWriteTransfer
EqualSid
GetNamedSecurityInfoW

shell32

SHGetKnownFolderPath
SHChangeNotify
DoEnvironmentSubstW

wtsapi32

WTSRegisterSessionNotification
WTSUnRegisterSessionNotification

oleaut32

SafeArrayPutElement
SafeArrayDestroy
VariantClear
SysAllocString
SysFreeString
VariantInit
SysStringLen
SysAllocStringByteLen
SysAllocStringLen
VariantCopy
SafeArrayCreateEx
SafeArrayGetLBound
SafeArrayGetUBound
LoadRegTypeLi
GetRecordInfoFromTypeInfo
SafeArrayRedim
SafeArrayAccessData
SafeArrayCreate
SafeArrayUnaccessData

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

activeds

ord3

Exports

Exports

OrdinalOne

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 52KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 81KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

28721aec6840cbcdef1185c8a202b0d6

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

66:91:ce:36:81:03:30:55:94:04:16:97:ee:a5:aa:b4:da:38:5c:09:4b:b0:9f:d1:3e:a3:50:f9:1c:cf:7e:e1Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

user32

kernel32

gdi32

ole32

advapi32

shell32

wtsapi32

oleaut32

version

activeds

Exports

Exports

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.data Size: 52KB - Virtual size: 58KB

.idata Size: 8KB - Virtual size: 8KB

.tls Size: 512B - Virtual size: 2B

.detourc Size: 4KB - Virtual size: 4KB

.detourd Size: 512B - Virtual size: 12B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 81KB - Virtual size: 81KB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

66:91:ce:36:81:03:30:55:94:04:16:97:ee:a5:aa:b4:da:38:5c:09:4b:b0:9f:d1:3e:a3:50:f9:1c:cf:7e:e1
Signer

.text
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 52KB - Virtual size: 58KB

.idata
Size: 8KB - Virtual size: 8KB

.tls
Size: 512B - Virtual size: 2B

.detourc
Size: 4KB - Virtual size: 4KB

.detourd
Size: 512B - Virtual size: 12B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 81KB - Virtual size: 81KB