advapi32[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

advapi32.dll
Size

503KB
MD5

8427e3b85116c17113db51a3b0103461
SHA1

648e2f598747f77a21d433fe9b1ff878cc678d4c
SHA256

51bdc6896fbcdcf80925d03ea30fd6df89084b855ee43caa87aa039888b841bf
SHA512

3270ea3c0babfc6099ffa6b9e5d577ec5c4b8b090b0f2a9816f101b279e2c9d1799c59b77bd9dec116cc32c567dde1548818c23006fdc24a8c4e1e8bdf45f54f
SSDEEP

12288:j1/DTeqN5DdXtsTuLqpORkKsYt1gSENAihLzYe3GS:j1/D64LEpORkKscgSCACLzYe3GS

Score

1^/10

Malware Config

Signatures

Files

advapi32.dll
.dll windows:6 windows x86 arch:x86

bdd917878e2f827200a8b34bb285e140

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e2:a3:76:47:72:d1:5d:1f:bc:ac:f0:f0:13:bb:9d:02:de:05:92:6a:a0:ef:f0:de:d2:ed:8c:a3:e5:43:1b:51
Signer

Actual PE Digest

e2:a3:76:47:72:d1:5d:1f:bc:ac:f0:f0:13:bb:9d:02:de:05:92:6a:a0:ef:f0:de:d2:ed:8c:a3:e5:43:1b:51

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

advapi32.pdb

Imports

msvcrt

_wcsicmp
wcstok_s
_ultow
wcschr
memset
memcpy
memcmp
_ftol2
_vsnprintf
mbstowcs
iswalpha
_stricmp
_wcstoi64
wcscat_s
_ui64tow_s
_vsnwprintf
memmove
wcscpy_s
_i64tow_s
swscanf_s
wcsrchr
wcsncpy_s
wcsstr
swprintf_s
_wcsnicmp
wcsncmp
strstr
strchr
tolower
wcstoul
_ultow_s
iswctype
_wcstoui64
_errno
_except_handler4_common

ntdll

NtSetSystemInformation
DbgPrint
RtlFreeAnsiString
RtlGetCurrentTransaction
ord1
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlIsTextUnicode
RtlLengthSid
NlsMbCodePageTag
NtQueryInformationToken
RtlxUnicodeStringToAnsiSize
RtlSubAuthoritySid
RtlGetThreadPreferredUILanguages
RtlSubAuthorityCountSid
RtlMakeSelfRelativeSD
RtlConvertSidToUnicodeString
RtlUnicodeStringToInteger
RtlAllocateHandle
RtlIsValidIndexHandle
RtlFreeHandle
NtOpenKey
NtQueryValueKey
NtClose
NtOpenThreadToken
NtOpenProcessToken
RtlEqualSid
RtlAddAccessAllowedAceEx
NtSetInformationToken
RtlCreateSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtDuplicateToken
NtCompareTokens
RtlAllocateAndInitializeSid
RtlFreeSid
RtlIsGenericTableEmpty
RtlEnumerateGenericTableWithoutSplaying
RtlDuplicateUnicodeString
RtlExpandEnvironmentStrings_U
NtOpenFile
RtlCreateUnicodeString
NtQueryInformationProcess
RtlGetLastNtStatus
NtQueryKey
RtlValidSid
LdrLoadDll
RtlImageNtHeader
LdrUnloadDll
NtDeviceIoControlFile
NtQuerySystemInformation
EtwEventRegister
EtwEventWrite
NtCreateKey
NtSetValueKey
RtlDeleteElementGenericTable
RtlAppendUnicodeToString
NtDeleteKey
RtlInsertElementGenericTable
RtlCopySid
RtlInitializeHandleTable
RtlDestroyHandleTable
EtwEventUnregister
NtEnumerateKey
RtlIntegerToUnicodeString
RtlStringFromGUID
RtlAppendUnicodeStringToString
RtlFormatCurrentUserKeyPath
RtlInitializeGenericTable
RtlQueryRegistryValuesEx
RtlLookupElementGenericTable
RtlNumberGenericTableElements
RtlGUIDFromString
RtlUpcaseUnicodeChar
NtQueryVolumeInformationFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
RtlPrefixUnicodeString
RtlDetermineDosPathNameType_U
NtQueryInformationFile
RtlGetFullPathName_U
RtlUnicodeToMultiByteN
RtlNtStatusToDosErrorNoTeb
RtlAnsiCharToUnicodeChar
RtlMultiByteToUnicodeN
RtlSetLastWin32Error
NtTraceControl
NtTraceEvent
EtwpGetCpuSpeed
RtlGetNativeSystemInformation
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
RtlInitAnsiStringEx
RtlInitUnicodeStringEx
RtlCreateUnicodeStringFromAsciiz
NtRenameKey
RtlAddAce
RtlGetAce
RtlAddAccessDeniedAceEx
RtlSetDaclSecurityDescriptor
RtlFirstFreeAce
RtlValidAcl
RtlAddAuditAccessObjectAce
RtlGetSaclSecurityDescriptor
RtlAddAccessDeniedObjectAce
RtlSetGroupSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlSetSaclSecurityDescriptor
RtlxAnsiStringToUnicodeSize
RtlGetControlSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
RtlAddAccessAllowedObjectAce
RtlGetDaclSecurityDescriptor
RtlInitializeSid
RtlGetOwnerSecurityDescriptor
RtlAddAuditAccessAceEx
NtQuerySystemTime
RtlTimeToSecondsSince1970
EtwEventSetInformation
RtlImpersonateSelf
RtlAdjustPrivilege
RtlCopyString
EtwEventWriteTransfer
EtwTraceMessage
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
NtWaitForSingleObject
RtlGetVersion
NtQueryInformationThread
NtSetInformationThread
NtQuerySecurityObject
RtlRunOnceExecuteOnce
RtlRunOnceBeginInitialize
RtlRunOnceInitialize
NtQueryPerformanceCounter
NtWaitForMultipleObjects
WinSqmAddToStream
RtlCreateAcl
RtlValidRelativeSecurityDescriptor
NtCreateFile
NtWriteFile
NtReadFile
RtlWaitOnAddress
RtlWakeAddressAll
RtlQueryPerformanceCounter
RtlDllShutdownInProgress
RtlAddAccessAllowedAce
RtlAcquireSRWLockExclusive
RtlInsertElementGenericTableAvl
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockShared
RtlLookupElementGenericTableAvl
RtlReleaseSRWLockShared
RtlEnumerateGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlReAllocateHeap
RtlDosPathNameToRelativeNtPathName_U
RtlReleaseRelativeName
RtlWakeAddressSingle
RtlDestroyQueryDebugBuffer
RtlEqualUnicodeString
RtlQueryProcessDebugInformation
NtQueryMutant
NtQueryObject
NtAlpcQueryInformation
RtlInitializeSRWLock
RtlCreateQueryDebugBuffer
RtlOpenCurrentUser
NtQueryMultipleValueKey
NtOpenKeyEx
NtReplaceKey
NtSaveMergedKeys
NtSaveKey
RtlValidSecurityDescriptor
RtlLengthSecurityDescriptor
RtlGetNtProductType
RtlCopyUnicodeString
RtlOemStringToUnicodeString
RtlUnicodeToMultiByteSize
RtlUnicodeStringToAnsiString
RtlDosPathNameToNtPathName_U
RtlAllocateHeap
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlInitAnsiString
RtlInitUnicodeString
RtlFreeHeap
RtlAnsiStringToUnicodeString
RtlInitializeCriticalSection
RtlDeleteCriticalSection

api-ms-win-eventing-controller-l1-1-0

TraceSetInformation
ControlTraceW
QueryAllTracesW
EventAccessQuery
EnumerateTraceGuidsEx
StartTraceW
EventAccessControl
StopTraceW
EventAccessRemove
EnableTraceEx2

api-ms-win-eventing-consumer-l1-1-0

CloseTrace
OpenTraceW
ProcessTrace

kernelbase

RegKrnGetHKEY_ClassesRootAddress
RegKrnGetClassesEnumTableAddressInternal
RegKrnGetTermsrvRegistryExtensionFlags
RegDeleteKeyExInternalW
RegOpenKeyExInternalW
RegCreateKeyExInternalW
CLOSE_LOCAL_HANDLE_INTERNAL
MapPredefinedHandleInternal
RegDeleteKeyExInternalA
RegCreateKeyExInternalA
RegOpenKeyExInternalA
RemapPredefinedHandleInternal
DisablePredefinedHandleTableInternal
GetPackagePath
PackageIdFromFullName
Sleep
lstrcmpiW
lstrcmpW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
CreateProcessAsUserW
CreateProcessInternalA
AreFileApisANSI
lstrlenW
LocalReAlloc
LocalFree
LocalAlloc

sechost

QueryAllTracesA
StartTraceA
ControlTraceA

api-ms-win-service-core-l1-1-1

EnumDependentServicesW
QueryServiceDynamicInformation
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerExW
EnumServicesStatusExW

api-ms-win-service-management-l1-1-0

CreateServiceW
CloseServiceHandle
DeleteService
OpenSCManagerW
ControlServiceExW
OpenServiceW
StartServiceW

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceStatusEx
QueryServiceConfigW
NotifyServiceStatusChangeW
SetServiceObjectSecurity
ChangeServiceConfig2W
QueryServiceObjectSecurity
QueryServiceConfig2W

api-ms-win-service-private-l1-1-1

I_ScRpcBindW
I_ScRpcBindA
I_ScSetServiceBitsA
I_ScSetServiceBitsW
I_ScRegisterPreshutdownRestart
WaitServiceState

api-ms-win-service-winsvc-l1-2-0

ControlServiceExA
StartServiceCtrlDispatcherA
QueryServiceConfig2A
ControlService
RegisterServiceCtrlHandlerW
QueryServiceConfigA
OpenSCManagerA
QueryServiceStatus
RegisterServiceCtrlHandlerExA
ChangeServiceConfigA
StartServiceA
CreateServiceA
RegisterServiceCtrlHandlerA
NotifyServiceStatusChangeA
ChangeServiceConfig2A
OpenServiceA

api-ms-win-core-namedpipe-l1-2-0

ImpersonateNamedPipeClient

api-ms-win-core-processthreads-l1-1-2

OpenProcess
CreateThread
IsProcessorFeaturePresent
GetCurrentThread
OpenThread
GetProcessId
GetCurrentProcess
OpenProcessToken
OpenThreadToken
SetThreadToken
GetPriorityClass
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess

api-ms-win-security-base-l1-2-0

RevertToSelf
AddAccessAllowedAce
GetSecurityDescriptorOwner
SetSecurityDescriptorOwner
AllocateAndInitializeSid
AllocateLocallyUniqueId
InitializeAcl
SetKernelObjectSecurity
MakeAbsoluteSD
ImpersonateLoggedOnUser
DuplicateTokenEx
QuerySecurityAccessMask
CreatePrivateObjectSecurityEx
GetSecurityDescriptorLength
ImpersonateSelf
GetAce
AccessCheckByTypeResultList
CreatePrivateObjectSecurity
SetSecurityDescriptorDacl
IsTokenRestricted
AddAuditAccessObjectAce
AdjustTokenGroups
AddAccessDeniedAce
AreAllAccessesGranted
SetSecurityDescriptorControl
AddAuditAccessAceEx
SetSecurityAccessMask
IsWellKnownSid
GetSidSubAuthority
IsValidAcl
SetAclInformation
GetSidIdentifierAuthority
FreeSid
GetTokenInformation
PrivilegedServiceAuditAlarmW
AccessCheckByTypeResultListAndAuditAlarmW
ObjectOpenAuditAlarmW
ObjectPrivilegeAuditAlarmW
ObjectCloseAuditAlarmW
SetFileSecurityW
GetFileSecurityW
ObjectDeleteAuditAlarmW
CopySid
AccessCheckByTypeResultListAndAuditAlarmByHandleW
AccessCheckAndAuditAlarmW
AccessCheckByTypeAndAuditAlarmW
IsValidSid
SetTokenInformation
PrivilegeCheck
InitializeSecurityDescriptor
GetPrivateObjectSecurity
DuplicateToken
CreatePrivateObjectSecurityWithMultipleInheritance
EqualPrefixSid
AddAccessDeniedObjectAce
AddAccessAllowedObjectAce
AccessCheckByType
AddAuditAccessAce
SetPrivateObjectSecurityEx
EqualSid
GetSecurityDescriptorControl
GetSidLengthRequired
CreateRestrictedToken
GetAclInformation
GetKernelObjectSecurity
InitializeSid
AddAce
GetSecurityDescriptorSacl
ImpersonateAnonymousToken
MakeSelfRelativeSD
DeleteAce
GetLengthSid
AddAccessDeniedAceEx
CheckTokenMembership
SetSecurityDescriptorSacl
AreAnyAccessesGranted
AdjustTokenPrivileges
AccessCheck
AddAccessAllowedAceEx
GetSecurityDescriptorRMControl
GetWindowsAccountDomainSid
FindFirstFreeAce
ConvertToAutoInheritPrivateObjectSecurity
SetPrivateObjectSecurity
EqualDomainSid
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
CreateWellKnownSid
DestroyPrivateObjectSecurity
SetSecurityDescriptorRMControl
GetSidSubAuthorityCount
MapGenericMask
SetSecurityDescriptorGroup
IsValidSecurityDescriptor

api-ms-win-security-base-private-l1-1-1

MakeAbsoluteSD2

api-ms-win-core-registry-l1-1-0

RegRestoreKeyW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegCopyTreeW
RegDeleteValueA
RegLoadAppKeyA
RegOpenUserClassesRoot
RegDeleteKeyExW
RegUnLoadKeyA
RegRestoreKeyA
RegDeleteTreeA
RegSetValueExA
RegCreateKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegEnumKeyExA
RegLoadMUIStringW
RegSaveKeyExA
RegUnLoadKeyW
RegSetValueExW
RegLoadKeyW
RegDisablePredefinedCacheEx
RegEnumKeyExW
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyExA
RegSetKeySecurity
RegEnumValueW
RegLoadKeyA
RegEnumValueA
RegOpenCurrentUser
RegGetValueW
RegSaveKeyExW
RegDeleteTreeW
RegCreateKeyExA
RegDeleteValueW
RegQueryInfoKeyA
RegGetValueA
RegGetKeySecurity
RegOpenKeyExA
RegLoadMUIStringA
RegLoadAppKeyW

api-ms-win-core-sysinfo-l1-2-1

GetComputerNameExW
GetTickCount
GetSystemTimeAsFileTime
GetLocalTime
GetNativeSystemInfo
GlobalMemoryStatusEx
GetSystemFirmwareTable
GetSystemWindowsDirectoryW
GetSystemTime
GetSystemDirectoryW

kernel32

GetFileSizeEx
WideCharToMultiByte
MultiByteToWideChar
GetProcAddress
LoadLibraryExA
CloseHandle
FreeLibrary
LoadLibraryExW
LeaveCriticalSection
GetLastError
EnterCriticalSection
GetFullPathNameW
SearchPathW
HeapAlloc
ResolveDelayLoadedAPI
DelayLoadFailureHook
HeapFree
SleepEx
GetProcessHeap
GetFileAttributesW
CreateFileW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
CreateEventW
GetThreadUILanguage
GetCommandLineW
LoadLibraryW
GetModuleHandleExW
SetFilePointer
OutputDebugStringW
WriteFile
TermsrvDeleteKey
TermsrvOpenUserClasses
DuplicateHandle
DecodePointer
FreeLibraryAndExitThread
ReadProcessMemory
EncodePointer
CreateThreadpoolIo
FormatMessageW
MoveFileW
GetFileAttributesExW
DeleteFileW
ExpandEnvironmentStringsW
GetModuleHandleW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetLongPathNameW
CompareFileTime
FindResourceExW
LoadResource
GetVolumePathNameW
DeleteCriticalSection
WaitForSingleObject
GetActiveProcessorCount
GetOverlappedResult
DeviceIoControl
GetVolumeInformationW
GetComputerNameW
ReleaseMutex
ExpandEnvironmentStringsA
GetModuleFileNameW
LoadLibraryA
GetComputerNameA
LocalUnlock
LocalLock
CreateMutexW
InitializeCriticalSection
FreeLibraryWhenCallbackReturns
CancelIoEx
CloseThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
EnumUILanguagesW
GetFileMUIPath
SetErrorMode
SetFileInformationByHandle
CopyFileExW
FindClose
FindNextFileW
FindFirstFileExW
lstrcmpiA
GetFileSize
DosDateTimeToFileTime
FileTimeToDosDateTime
GetFileTime
ResetEvent
SetEvent
HeapReAlloc
Wow64RevertWow64FsRedirection
LockResource
SizeofResource
Wow64DisableWow64FsRedirection
IsWow64Process
SetLastError

rpcrt4

RpcStringBindingComposeW
RpcRaiseException
RpcBindingFree
RpcStringFreeW
RpcBindingSetAuthInfoExA
RpcBindingSetAuthInfoExW
NdrClientCall2
I_RpcExceptionFilter
I_RpcMapWin32Status
RpcEpResolveBinding
RpcBindingSetAuthInfoW
RpcBindingFromStringBindingW
RpcSsDestroyClientContext
RpcBindingCreateW
RpcBindingBind
RpcBindingSetAuthInfoA
I_RpcSNCHOption
UuidFromStringW
UuidToStringW
RpcExceptionFilter

api-ms-win-core-timezone-l1-1-0

GetDynamicTimeZoneInformationEffectiveYears
EnumDynamicTimeZoneInformation

api-ms-win-security-audit-l1-1-1

AuditSetSecurity
AuditEnumeratePerUserPolicy
AuditQueryGlobalSaclW
AuditFree
AuditSetPerUserPolicy
AuditEnumerateSubCategories
AuditComputeEffectivePolicyBySid
AuditLookupCategoryNameW
AuditLookupSubCategoryNameW
AuditEnumerateCategories
AuditQueryPerUserPolicy
AuditSetGlobalSaclW
AuditQuerySecurity
AuditQuerySystemPolicy
AuditSetSystemPolicy

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

A_SHAFinal
A_SHAInit
A_SHAUpdate
AbortSystemShutdownA
AbortSystemShutdownW
AccessCheck
AccessCheckAndAuditAlarmA
AccessCheckAndAuditAlarmW
AccessCheckByType
AccessCheckByTypeAndAuditAlarmA
AccessCheckByTypeAndAuditAlarmW
AccessCheckByTypeResultList
AccessCheckByTypeResultListAndAuditAlarmA
AccessCheckByTypeResultListAndAuditAlarmByHandleA
AccessCheckByTypeResultListAndAuditAlarmByHandleW
AccessCheckByTypeResultListAndAuditAlarmW
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddConditionalAce
AddMandatoryAce
AddUsersToEncryptedFile
AddUsersToEncryptedFileEx
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AreAllAccessesGranted
AreAnyAccessesGranted
AuditComputeEffectivePolicyBySid
AuditComputeEffectivePolicyByToken
AuditEnumerateCategories
AuditEnumeratePerUserPolicy
AuditEnumerateSubCategories
AuditFree
AuditLookupCategoryGuidFromCategoryId
AuditLookupCategoryIdFromCategoryGuid
AuditLookupCategoryNameA
AuditLookupCategoryNameW
AuditLookupSubCategoryNameA
AuditLookupSubCategoryNameW
AuditQueryGlobalSaclA
AuditQueryGlobalSaclW
AuditQueryPerUserPolicy
AuditQuerySecurity
AuditQuerySystemPolicy
AuditSetGlobalSaclA
AuditSetGlobalSaclW
AuditSetPerUserPolicy
AuditSetSecurity
AuditSetSystemPolicy
BackupEventLogA
BackupEventLogW
BaseRegCloseKey
BaseRegCreateKey
BaseRegDeleteKeyEx
BaseRegDeleteValue
BaseRegFlushKey
BaseRegGetVersion
BaseRegLoadKey
BaseRegOpenKey
BaseRegRestoreKey
BaseRegSaveKeyEx
BaseRegSetKeySecurity
BaseRegSetValue
BaseRegUnLoadKey
BuildExplicitAccessWithNameA
BuildExplicitAccessWithNameW
BuildImpersonateExplicitAccessWithNameA
BuildImpersonateExplicitAccessWithNameW
BuildImpersonateTrusteeA
BuildImpersonateTrusteeW
BuildSecurityDescriptorA
BuildSecurityDescriptorW
BuildTrusteeWithNameA
BuildTrusteeWithNameW
BuildTrusteeWithObjectsAndNameA
BuildTrusteeWithObjectsAndNameW
BuildTrusteeWithObjectsAndSidA
BuildTrusteeWithObjectsAndSidW
BuildTrusteeWithSidA
BuildTrusteeWithSidW
CancelOverlappedAccess
ChangeServiceConfig2A
ChangeServiceConfig2W
ChangeServiceConfigA
ChangeServiceConfigW
CheckForHiberboot
CheckTokenMembership
ClearEventLogA
ClearEventLogW
CloseCodeAuthzLevel
CloseEncryptedFileRaw
CloseEventLog
CloseServiceHandle
CloseThreadWaitChainSession
CloseTrace
CommandLineFromMsiDescriptor
ComputeAccessTokenFromCodeAuthzLevel
ControlService
ControlServiceExA
ControlServiceExW
ControlTraceA
ControlTraceW
ConvertAccessToSecurityDescriptorA
ConvertAccessToSecurityDescriptorW
ConvertSDToStringSDDomainW
ConvertSDToStringSDRootDomainA
ConvertSDToStringSDRootDomainW
ConvertSecurityDescriptorToAccessA
ConvertSecurityDescriptorToAccessNamedA
ConvertSecurityDescriptorToAccessNamedW
ConvertSecurityDescriptorToAccessW
ConvertSecurityDescriptorToStringSecurityDescriptorA
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidA
ConvertSidToStringSidW
ConvertStringSDToSDDomainA
ConvertStringSDToSDDomainW
ConvertStringSDToSDRootDomainA
ConvertStringSDToSDRootDomainW
ConvertStringSecurityDescriptorToSecurityDescriptorA
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidA
ConvertStringSidToSidW
ConvertToAutoInheritPrivateObjectSecurity
CopySid
CreateCodeAuthzLevel
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateProcessAsUserA
CreateProcessAsUserW
CreateProcessWithLogonW
CreateProcessWithTokenW
CreateRestrictedToken
CreateServiceA
CreateServiceW
CreateTraceInstanceId
CreateWellKnownSid
CredBackupCredentials
CredDeleteA
CredDeleteW
CredEncryptAndMarshalBinaryBlob
CredEnumerateA
CredEnumerateW
CredFindBestCredentialA
CredFindBestCredentialW
CredFree
CredGetSessionTypes
CredGetTargetInfoA
CredGetTargetInfoW
CredIsMarshaledCredentialA
CredIsMarshaledCredentialW
CredIsProtectedA
CredIsProtectedW
CredMarshalCredentialA
CredMarshalCredentialW
CredProfileLoaded
CredProfileLoadedEx
CredProfileUnloaded
CredProtectA
CredProtectW
CredReadA
CredReadByTokenHandle
CredReadDomainCredentialsA
CredReadDomainCredentialsW
CredReadW
CredRenameA
CredRenameW
CredRestoreCredentials
CredUnmarshalCredentialA
CredUnmarshalCredentialW
CredUnprotectA
CredUnprotectW
CredWriteA
CredWriteDomainCredentialsA
CredWriteDomainCredentialsW
CredWriteW
CredpConvertCredential
CredpConvertOneCredentialSize
CredpConvertTargetInfo
CredpDecodeCredential
CredpEncodeCredential
CredpEncodeSecret
CryptAcquireContextA
CryptAcquireContextW
CryptContextAddRef
CryptCreateHash
CryptDecrypt
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptDuplicateHash
CryptDuplicateKey
CryptEncrypt
CryptEnumProviderTypesA
CryptEnumProviderTypesW
CryptEnumProvidersA
CryptEnumProvidersW
CryptExportKey
CryptGenKey
CryptGenRandom
CryptGetDefaultProviderA
CryptGetDefaultProviderW
CryptGetHashParam
CryptGetKeyParam
CryptGetProvParam
CryptGetUserKey
CryptHashData
CryptHashSessionKey
CryptImportKey
CryptReleaseContext
CryptSetHashParam
CryptSetKeyParam
CryptSetProvParam
CryptSetProviderA
CryptSetProviderExA
CryptSetProviderExW
CryptSetProviderW
CryptSignHashA
CryptSignHashW
CryptVerifySignatureA
CryptVerifySignatureW
DecryptFileA
DecryptFileW
DeleteAce
DeleteService
DeregisterEventSource
DestroyPrivateObjectSecurity
DuplicateEncryptionInfoFile
DuplicateToken
DuplicateTokenEx
ElfBackupEventLogFileA
ElfBackupEventLogFileW
ElfChangeNotify
ElfClearEventLogFileA
ElfClearEventLogFileW
ElfCloseEventLog
ElfDeregisterEventSource
ElfFlushEventLog
ElfNumberOfRecords
ElfOldestRecord
ElfOpenBackupEventLogA
ElfOpenBackupEventLogW
ElfOpenEventLogA
ElfOpenEventLogW
ElfReadEventLogA
ElfReadEventLogW
ElfRegisterEventSourceA
ElfRegisterEventSourceW
ElfReportEventA
ElfReportEventAndSourceW
ElfReportEventW
EnableTrace
EnableTraceEx
EnableTraceEx2
EncryptFileA
EncryptFileW
EncryptedFileKeyInfo
EncryptionDisable
EnumDependentServicesA
EnumDependentServicesW
EnumDynamicTimeZoneInformation
EnumServiceGroupW
EnumServicesStatusA
EnumServicesStatusExA
EnumServicesStatusExW
EnumServicesStatusW
EnumerateTraceGuids
EnumerateTraceGuidsEx
EqualDomainSid
EqualPrefixSid
EqualSid
EtwLogSysConfigExtension
EventAccessControl
EventAccessQuery
EventAccessRemove
EventActivityIdControl
EventEnabled
EventProviderEnabled
EventRegister
EventSetInformation
EventUnregister
EventWrite
EventWriteEndScenario
EventWriteEx
EventWriteStartScenario
EventWriteString
EventWriteTransfer
FileEncryptionStatusA
FileEncryptionStatusW
FindFirstFreeAce
FlushEfsCache
FlushTraceA
FlushTraceW
FreeEncryptedFileKeyInfo
FreeEncryptedFileMetadata
FreeEncryptionCertificateHashList
FreeInheritedFromArray
FreeSid
GetAccessPermissionsForObjectA
GetAccessPermissionsForObjectW
GetAce
GetAclInformation
GetAuditedPermissionsFromAclA
GetAuditedPermissionsFromAclW
GetCurrentHwProfileA
GetCurrentHwProfileW
GetDynamicTimeZoneInformationEffectiveYears
GetEffectiveRightsFromAclA
GetEffectiveRightsFromAclW
GetEncryptedFileMetadata
GetEventLogInformation
GetExplicitEntriesFromAclA
GetExplicitEntriesFromAclW
GetFileSecurityA
GetFileSecurityW
GetInformationCodeAuthzLevelW
GetInformationCodeAuthzPolicyW
GetInheritanceSourceA
GetInheritanceSourceW
GetKernelObjectSecurity
GetLengthSid
GetLocalManagedApplicationData
GetLocalManagedApplications
GetManagedApplicationCategories
GetManagedApplications
GetMultipleTrusteeA
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetMultipleTrusteeW
GetNamedSecurityInfoA
GetNamedSecurityInfoExA
GetNamedSecurityInfoExW
GetNamedSecurityInfoW
GetNumberOfEventLogRecords
GetOldestEventLogRecord
GetOverlappedAccessResults
GetPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorRMControl
GetSecurityDescriptorSacl
GetSecurityInfo
GetSecurityInfoExA
GetSecurityInfoExW
GetServiceDisplayNameA
GetServiceDisplayNameW
GetServiceKeyNameA
GetServiceKeyNameW
GetSidIdentifierAuthority
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetStringConditionFromBinary
GetThreadWaitChain
GetTokenInformation
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
GetTrusteeFormA
GetTrusteeFormW
GetTrusteeNameA
GetTrusteeNameW
GetTrusteeTypeA
GetTrusteeTypeW
GetUserNameA
GetUserNameW
GetWindowsAccountDomainSid
I_QueryTagInformation
I_ScGetCurrentGroupStateW
I_ScIsSecurityProcess
I_ScPnPGetServiceName
I_ScQueryServiceConfig
I_ScRegisterPreshutdownRestart
I_ScSendPnPMessage
I_ScSendTSMessage
I_ScSetServiceBitsA
I_ScSetServiceBitsW
I_ScValidatePnPService
IdentifyCodeAuthzLevelW
ImpersonateAnonymousToken
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
ImpersonateSelf
InitializeAcl
InitializeSecurityDescriptor
InitializeSid
InitiateShutdownA
InitiateShutdownW
InitiateSystemShutdownA
InitiateSystemShutdownExA
InitiateSystemShutdownExW
InitiateSystemShutdownW
InstallApplication
IsTextUnicode
IsTokenRestricted
IsTokenUntrusted
IsValidAcl
IsValidRelativeSecurityDescriptor
IsValidSecurityDescriptor
IsValidSid
IsWellKnownSid
LockServiceDatabase
LogonUserA
LogonUserExA
LogonUserExExW
LogonUserExW
LogonUserW
LookupAccountNameA
LookupAccountNameW
LookupAccountSidA
LookupAccountSidW
LookupPrivilegeDisplayNameA
LookupPrivilegeDisplayNameW
LookupPrivilegeNameA
LookupPrivilegeNameW
LookupPrivilegeValueA
LookupPrivilegeValueW
LookupSecurityDescriptorPartsA
LookupSecurityDescriptorPartsW
LsaAddAccountRights
LsaAddPrivilegesToAccount
LsaClearAuditLog
LsaClose
LsaCreateAccount
LsaCreateSecret
LsaCreateTrustedDomain
LsaCreateTrustedDomainEx
LsaDelete
LsaDeleteTrustedDomain
LsaEnumerateAccountRights
LsaEnumerateAccounts
LsaEnumerateAccountsWithUserRight
LsaEnumeratePrivileges
LsaEnumeratePrivilegesOfAccount
LsaEnumerateTrustedDomains
LsaEnumerateTrustedDomainsEx
LsaFreeMemory
LsaGetAppliedCAPIDs
LsaGetQuotasForAccount
LsaGetRemoteUserName
LsaGetSystemAccessAccount
LsaGetUserName
LsaICLookupNames
LsaICLookupNamesWithCreds
LsaICLookupSids
LsaICLookupSidsWithCreds
LsaInvokeTrustScanner
LsaLookupNames
LsaLookupNames2
LsaLookupPrivilegeDisplayName
LsaLookupPrivilegeName
LsaLookupPrivilegeValue
LsaLookupSids
LsaLookupSids2
LsaManageSidNameMapping
LsaNtStatusToWinError
LsaOpenAccount
LsaOpenPolicy
LsaOpenPolicySce
LsaOpenSecret
LsaOpenTrustedDomain
LsaOpenTrustedDomainByName
LsaQueryCAPs
LsaQueryDomainInformationPolicy
LsaQueryForestTrustInformation
LsaQueryForestTrustInformation2
LsaQueryInfoTrustedDomain
LsaQueryInformationPolicy
LsaQuerySecret
LsaQuerySecurityObject
LsaQueryTrustedDomainInfo
LsaQueryTrustedDomainInfoByName
LsaRemoveAccountRights
LsaRemovePrivilegesFromAccount
LsaRetrievePrivateData
LsaSetCAPs
LsaSetDomainInformationPolicy
LsaSetForestTrustInformation
LsaSetForestTrustInformation2
LsaSetInformationPolicy
LsaSetInformationTrustedDomain
LsaSetQuotasForAccount
LsaSetSecret
LsaSetSecurityObject
LsaSetSystemAccessAccount
LsaSetTrustedDomainInfoByName
LsaSetTrustedDomainInformation

Sections

.text
Size: 435KB - Virtual size: 434KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bdd917878e2f827200a8b34bb285e140

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

e2:a3:76:47:72:d1:5d:1f:bc:ac:f0:f0:13:bb:9d:02:de:05:92:6a:a0:ef:f0:de:d2:ed:8c:a3:e5:43:1b:51Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-eventing-controller-l1-1-0

api-ms-win-eventing-consumer-l1-1-0

kernelbase

sechost

api-ms-win-service-core-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-private-l1-1-1

api-ms-win-service-winsvc-l1-2-0

api-ms-win-core-namedpipe-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-security-base-l1-2-0

api-ms-win-security-base-private-l1-1-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

kernel32

rpcrt4

api-ms-win-core-timezone-l1-1-0

api-ms-win-security-audit-l1-1-1

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 435KB - Virtual size: 434KB

.data Size: 12KB - Virtual size: 14KB

.idata Size: 19KB - Virtual size: 19KB

.didat Size: 1024B - Virtual size: 620B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 19KB - Virtual size: 19KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

e2:a3:76:47:72:d1:5d:1f:bc:ac:f0:f0:13:bb:9d:02:de:05:92:6a:a0:ef:f0:de:d2:ed:8c:a3:e5:43:1b:51
Signer

.text
Size: 435KB - Virtual size: 434KB

.data
Size: 12KB - Virtual size: 14KB

.idata
Size: 19KB - Virtual size: 19KB

.didat
Size: 1024B - Virtual size: 620B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 19KB - Virtual size: 19KB