Software_1[.]30[.]1[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Software_1.30.1.zip
Size

21.9MB
MD5

a3649ea02a76e3f0d19199251f77eebb
SHA1

90d34f44cf6a230151290df54b283b04aef37599
SHA256

c125a8f255cda6fd222596e9ab5e9b74c5e05f4d77723ca84a5c8497b87ab974
SHA512

0e7f815aa2b1c8c2f0c45ee2017e89fd931113c4db2fe80745052da68340a254a7c004a0027425058d077045a2956f11c2a413bc2f713406ac0940a9418dd3bf
SSDEEP

393216:RdMbHh4LA9hXCQQfaUCFguObeJ2nadggLaRDu2iK+z0EPgSpMGJob2I4KIS+ec:0dthXCQAaUZFfaRLL2iK+z0EFMaq2I7a

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/Software_1.30.1/injector.exe

Files

Software_1.30.1.zip
.zip

Password: 1234
Software_1.30.1/OPEN SETUP.txt
Software_1.30.1/Patch.css
Software_1.30.1/Plugins/0409/cliconf.chm
.chm
Software_1.30.1/Plugins/0409/mmc.CHM
.chm
Software_1.30.1/Plugins/0409/msdasc.chm
.chm
Software_1.30.1/Plugins/0409/msorcl32.chm
.chm
Software_1.30.1/Plugins/0409/odbcinst.chm
.chm
Software_1.30.1/Plugins/0409/odbcjet.chm
.chm
Software_1.30.1/Plugins/0409/sqlsodbc.chm
.chm
Software_1.30.1/Plugins/0409/sqlsoldb.chm
.chm
Software_1.30.1/Plugins/0419/cliconf.chm
.chm
Software_1.30.1/Plugins/0419/mmc.CHM
.chm
Software_1.30.1/Plugins/0419/msdasc.chm
.chm
Software_1.30.1/Plugins/0419/msorcl32.chm
.chm
Software_1.30.1/Plugins/0419/odbcinst.chm
.chm
Software_1.30.1/Plugins/0419/odbcjet.chm
.chm
Software_1.30.1/Plugins/0419/sqlsodbc.chm
.chm
Software_1.30.1/Plugins/0419/sqlsoldb.chm
.chm
Software_1.30.1/Settings/Environment.ini
Software_1.30.1/Settings/RLSettings.json
Software_1.30.1/Updates/en-US/credits.rtf
.rtf
Software_1.30.1/Updates/nvcpl/nv3d.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dara.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dchs.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dcht.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dcsy.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3ddan.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3ddeu.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dell.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3deng.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3desm.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3desn.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dfin.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dfra.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dheb.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dhun.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dita.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3djpn.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dkor.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dnld.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dnor.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dplk.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dptb.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dptg.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3drus.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dsky.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dslv.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dsve.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dtha.chm
.chm
Software_1.30.1/Updates/nvcpl/nv3dtrk.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcpl.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplara.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplchs.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplcht.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplcsy.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcpldan.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcpldeu.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplell.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcpleng.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplesm.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplesn.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplfin.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplfra.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplheb.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplhun.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplita.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcpljpn.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplkor.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplnld.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplnor.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplplk.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplptb.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplptg.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplrus.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplsky.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplslv.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcplsve.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcpltha.chm
.chm
Software_1.30.1/Updates/nvcpl/nvcpltrk.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdsp.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdspdan.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdspeng.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdspesm.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdspesn.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdspnld.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdspnor.chm
.chm
Software_1.30.1/Updates/nvcpl/nvdspptb.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlic.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicARA.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicCHS.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicCHT.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicCSY.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicDAN.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicDEU.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicELL.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicENG.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicESM.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicESN.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicFIN.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicFRA.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicHEB.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicHUN.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicITA.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicJPN.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicKOR.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicNLD.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicNOR.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicPLK.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicPTB.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicPTG.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicRUS.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicSKY.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicSLV.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicSVE.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicTHA.chm
.chm
Software_1.30.1/Updates/nvcpl/nvlicTRK.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmob.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobara.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobchs.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobcht.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobcsy.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobdan.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobdeu.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobell.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobeng.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobesm.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobesn.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobfin.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobfra.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobheb.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobhun.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobita.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobjpn.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobkor.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobnld.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobnor.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobplk.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobptb.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobptg.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobrus.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobsky.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobslv.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobsve.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobtha.chm
.chm
Software_1.30.1/Updates/nvcpl/nvmobtrk.chm
.chm
Software_1.30.1/injector.exe
.exe windows:6 windows x86 arch:x86

Password: 1234

34738ce7256c19c4934900ea37dfbbd6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\iu49un1s03xbl\output.pdb

Imports

advapi32

GetNumberOfEventLogRecords

kernel32

WaitForSingleObjectEx
CreateThread
VirtualAlloc
FreeConsole
CloseHandle
Sleep
SwitchToThread
GetCurrentThreadId
GetExitCodeThread
GetNativeSystemInfo
FormatMessageA
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
QueryPerformanceCounter
QueryPerformanceFrequency
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
LocalFree
GetLocaleInfoEx
EncodePointer
DecodePointer
MultiByteToWideChar
LCMapStringEx
SetFileInformationByHandle
GetTempPathW
InitOnceExecuteOnce
CreateEventExW
CreateSemaphoreExW
FlushProcessWriteBuffers
GetCurrentProcessorNumber
GetSystemTimeAsFileTime
GetTickCount64
FreeLibraryWhenCallbackReturns
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
GetModuleHandleW
GetProcAddress
GetFileInformationByHandleEx
CreateSymbolicLinkW
GetStringTypeW
CompareStringEx
GetCPInfo
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetCurrentProcessId
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
CreateFileW
RaiseException
RtlUnwind
InterlockedPushEntrySList
InterlockedFlushSList
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitThread
ResumeThread
FreeLibraryAndExitThread
GetModuleHandleExW
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetCurrentThread
HeapAlloc
HeapFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
SetConsoleCtrlHandler
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
ReadFile
GetFileSizeEx
SetFilePointerEx
ReadConsoleW
HeapReAlloc
GetTimeZoneInformation
OutputDebugStringW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetProcessHeap
HeapSize
WriteConsoleW

Sections

.text
Size: 735KB - Virtual size: 735KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.bsS
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 84KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 334KB - Virtual size: 341KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 270B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Software_1.30.1/libGLESv2.dll
Software_1.30.1/opengl32.dll
.dll windows:10 windows x64 arch:x64

Password: 1234

9fb39f6af91d482e4fc0097e85d02280

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03-02-2023 00:05

Not After

01-02-2024 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a3:9d:1d:73:b9:20:2e:e2:ed:fc:61:9f:14:db:38:1b:de:af:bb:d9:cb:da:88:fe:1b:cf:8f:66:2b:87:dd:12
Signer

Actual PE Digest

a3:9d:1d:73:b9:20:2e:e2:ed:fc:61:9f:14:db:38:1b:de:af:bb:d9:cb:da:88:fe:1b:cf:8f:66:2b:87:dd:12

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpSvc.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

terminate
abort
_initialize_onexit_table
_initialize_narrow_environment
_execute_onexit_table
_beginthreadex
_seh_filter_dll
_initterm_e
_initterm
_cexit
_configure_narrow_argv
_crt_atexit
_invalid_parameter_noinfo_noreturn
_errno
_register_onexit_function
_invalid_parameter_noinfo

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsnprintf_s
fgetc
ungetc
fflush
setvbuf
fsetpos
_fseeki64
fgetpos
fwrite
_wfsopen
fseek
fputc
fread
_get_stream_buffer_pointers
__stdio_common_vsprintf
__stdio_common_vsprintf_s
__stdio_common_vswscanf
__stdio_common_vswprintf_s
__stdio_common_vswprintf
__stdio_common_vsnwprintf_s
fclose

api-ms-win-crt-string-l1-1-0

iswdigit
islower
iswlower
wcscpy_s
iswspace
wmemmove_s
wcsncmp
strcspn
_wcsicmp
wcsnlen
tolower
towlower
towupper
toupper
iswalpha
isdigit
_wcsnicmp
strncmp
strcpy_s
isspace
iswxdigit
wcspbrk
_wcsdup
isupper
__strncnt
_isctype_l
strnlen
iswupper
wcscmp

advapi32

SetThreadToken
GetFileSecurityW
InitializeSecurityDescriptor
InitializeAcl
SetSecurityInfo
GetKernelObjectSecurity
SetKernelObjectSecurity
AddAccessAllowedAceEx
DuplicateTokenEx
TraceMessage
QueryServiceConfig2W
EventWriteTransfer
EventUnregister
CloseServiceHandle
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
RegQueryValueExW
RegCloseKey
ConvertSidToStringSidW
CheckTokenMembership
ConvertStringSidToSidW
AllocateAndInitializeSid
OpenSCManagerW
QueryServiceStatus
NotifyServiceStatusChangeW
StartServiceW
QueryServiceStatusEx
OpenServiceW
EventRegister
LookupAccountSidW
LookupAccountNameW
GetTokenInformation
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegUnLoadKeyW
RegLoadKeyW
RegDeleteValueW
RegEnumValueW
OpenProcessToken
RegisterServiceCtrlHandlerExW
CreateServiceW
SetServiceStatus
DeleteService
StartServiceCtrlDispatcherW
MakeAbsoluteSD
EventActivityIdControl
QueryServiceConfigW
RegOpenKeyExW
ChangeServiceConfigW
ControlService
EqualSid
IsValidSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetLengthSid
DuplicateToken
OpenThreadToken
CreateWellKnownSid
RegGetKeySecurity
StopTraceW
StartTraceW
CreateProcessAsUserW
RegCopyTreeW
AdjustTokenPrivileges
LookupPrivilegeValueW
ChangeServiceConfig2W
ImpersonateLoggedOnUser
RevertToSelf
GetSecurityDescriptorOwner
DeleteAce
GetNamedSecurityInfoW
CopySid
SetNamedSecurityInfoW
GetAce
SetSecurityDescriptorOwner
SetFileSecurityW
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
GetSecurityDescriptorSacl
LsaNtStatusToWinError
IsWellKnownSid
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
FreeSid
InitiateSystemShutdownExW

crypt32

CryptStringToBinaryW
CryptBinaryToStringW
CertVerifyCertificateChainPolicy

kernel32

GetProcessTimes
CopyFileW
CreateDirectoryW
GetFileInformationByHandleEx
GetFileAttributesExW
GetDiskFreeSpaceExW
CopyFileExW
GetDriveTypeW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
LocalFree
SleepEx
GetFileSizeEx
ReadFile
TryAcquireSRWLockExclusive
TryEnterCriticalSection
InitializeCriticalSection
LCMapStringW
SwitchToThread
UnregisterWaitEx
GetEnvironmentVariableW
ExpandEnvironmentStringsW
lstrcmpW
MapViewOfFile
CreateFileMappingW
FindClose
FindNextFileW
CreateProcessW
GetModuleFileNameW
UnmapViewOfFile
DeleteFiber
FindFirstFileW
RemoveDirectoryW
SetFileAttributesW
GetVolumePathNameW
CreateFiberEx
SwitchToFiber
ConvertThreadToFiber
IsThreadAFiber
ConvertFiberToThread
SystemTimeToFileTime
CreateThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
SubmitThreadpoolWork
CreateThreadpoolWork
SetThreadpoolThreadMaximum
CreateThreadpool
CloseThreadpoolWork
WaitForThreadpoolWorkCallbacks
CloseThreadpool
FlushFileBuffers
QueryFullProcessImageNameW
CreateMutexW
PostQueuedCompletionStatus
GetQueuedCompletionStatus
CreateIoCompletionPort
ReadProcessMemory
DuplicateHandle
QueryDosDeviceW
K32GetProcessMemoryInfo
SetEnvironmentVariableA
GetFileInformationByHandle
FindCloseChangeNotification
GetTempFileNameW
FindNextChangeNotification
FindFirstChangeNotificationW
GetSystemTime
InitializeSRWLock
WaitForMultipleObjects
FindStringOrdinal
lstrcmpiW
K32GetModuleInformation
K32GetModuleBaseNameW
VirtualQuery
FindResourceW
LoadResource
LockResource
SizeofResource
CreateThread
LoadLibraryW
GetLogicalDrives
OpenProcess
ProcessIdToSessionId
WideCharToMultiByte
MultiByteToWideChar
OpenThread
ReleaseSRWLockShared
AcquireSRWLockShared
GetExitCodeProcess
CreateHardLinkW
MoveFileExW
GetTempPathW
SetEnvironmentVariableW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetLocalTime
FileTimeToSystemTime
FileTimeToLocalFileTime
RtlCompareMemory
SystemTimeToTzSpecificLocalTime
GetTickCount64
CompareStringEx
WaitForMultipleObjectsEx
GetCPInfo
LCMapStringEx
DecodePointer
SleepConditionVariableSRW
DeleteFileW
WakeConditionVariable
WakeAllConditionVariable
GetTickCount
CompareFileTime
GetPackagesByPackageFamily
PackageIdFromFullName
GetStringTypeW
InitOnceBeginInitialize
InitOnceComplete
GetLocaleInfoEx
CreateFileW
GetFinalPathNameByHandleW
DeviceIoControl
LoadLibraryExA
GetTimeFormatW
VirtualProtect
GetExitCodeThread
GetDateFormatW
ConvertDefaultLocale
GetLocaleInfoW
GetComputerNameExW
QueryPerformanceFrequency
FormatMessageA
SetThreadPriority
GetCurrentThread
GetThreadPriority
GetSystemPowerStatus
GetSystemWindowsDirectoryW
CreateSemaphoreW
LoadLibraryExW
RtlUnwind
InitializeCriticalSectionEx
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HeapSetInformation
GetNativeSystemInfo
GetSystemDirectoryW
OpenEventW
SetFilePointerEx
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
ChangeTimerQueueTimer
InterlockedPushEntrySList
RtlUnwindEx
InitializeSListHead
QueryPerformanceCounter
CreateEventW
ResetEvent
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetSystemTimeAsFileTime
SetErrorMode
DeleteTimerQueueTimer
FreeLibrary
Sleep
IsDebuggerPresent
DebugBreak
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
CreateMutexExW
GetProcAddress
HeapAlloc
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
OutputDebugStringW
GetLastError
FormatMessageW
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
GetModuleHandleExW
ReleaseSemaphore
SetLastError
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
GetFileAttributesW
InitializeConditionVariable
CreateTimerQueueTimer
WriteFile
RegisterWaitForSingleObject
GetSystemInfo
CreateJobObjectW

rpcrt4

RpcImpersonateClient
RpcRevertToSelf
UuidCompare
NdrServerCall2
NdrServerCallAll
UuidFromStringW
RpcServerUnregisterIf
RpcEpUnregister
RpcBindingVectorFree
RpcServerRegisterIfEx
RpcEpRegisterW
RpcServerInqBindings
RpcServerUseProtseqEpW
RpcServerUseProtseqW
RpcServerRegisterAuthInfoW
RpcStringFreeW
RpcBindingInqAuthClientW
RpcStringBindingParseW
RpcBindingToStringBindingW
UuidCreate
UuidHash

wintrust

WTHelperGetProvSignerFromChain
CryptCATAdminCalcHashFromFileHandle
WTHelperProvDataFromStateData
WinVerifyTrust
CryptCATAdminReleaseContext
CryptCATAdminAcquireContext
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext

urlmon

MkParseDisplayNameEx

api-ms-win-core-job-l2-1-0

SetInformationJobObject
QueryInformationJobObject
AssignProcessToJobObject

ntdll

RtlIpv6StringToAddressExW
RtlIpv4StringToAddressExW
NtQueryInformationProcess
RtlTimeToTimeFields

mpclient

MpConfigDelValue
MpConfigInitialize
MpConfigOpen
MpHandleClose
MpConfigIteratorEnum
MpManagerOpen
MpConfigIteratorClose
MpConfigClose
MpManagerVersionQuery
MpConfigSetValue
MpAllocMemory
MpConfigRegisterForNotifications
MpConfigUnregisterNotifications
MpConfigIteratorOpen
MpConfigUninitialize
MpNotificationRegister
MpThreatLocalizedInfoQuery
MpUpdateStart
MpUpdateControl
MpQueryEngineConfigDword
MpScanStart
MpScanControl
MpConveySampleSubmissionResult
MpThreatOpen
MpConfigGetValueAlloc
MpConfigGetValue
MpThreatEnumerate
MpDynamicSignatureOpen
MpFreeMemory
MpClientUtilExportFunctions
MpDynamicSignatureEnumerate
MpUtilsExportFunctions
MpDebugExportFunctions
MpManagerStatusQueryEx
MpIsRtpAutoEnable
MpAddDynamicSignatureFile
MpErrorMessageFormat

api-ms-win-crt-heap-l1-1-0

_realloc_base
malloc
_free_base
_calloc_base
_malloc_base
_callnewh
calloc
realloc
free

api-ms-win-crt-convert-l1-1-0

atol
_wcstod_l
_ui64tow_s
_i64tow_s
_ui64toa_s
_i64toa_s
wcstoul
wcstol
wcstoll
wcstoull
_wtol
_wtoi
_itow_s
wcstoumax
strtod
strtof

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-locale-l1-1-0

_create_locale
___lc_codepage_func
localeconv
___lc_collate_cp_func
_free_locale
_unlock_locales
_lock_locales
setlocale
___mb_cur_max_func
___lc_locale_name_func
__pctype_func

api-ms-win-crt-math-l1-1-0

frexp
pow
ldexp
ceilf
powf

api-ms-win-crt-time-l1-1-0

_Getdays
_Strftime
_W_Getmonths
_Gettnames
_W_Gettnames
_Wcsftime
_Getmonths
_W_Getdays

userenv

ExpandEnvironmentStringsForUserW
CreateEnvironmentBlock
DestroyEnvironmentBlock

bcrypt

BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptFinishHash

api-ms-win-service-private-l1-1-0

SubscribeServiceChangeNotifications
UnsubscribeServiceChangeNotifications

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

Exports

Exports

ServiceCrtMain
ValidateDrop

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 844KB - Virtual size: 841KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 60KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 128KB - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 496B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 1234

Password: 1234

34738ce7256c19c4934900ea37dfbbd6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

Sections

.text Size: 735KB - Virtual size: 735KB

.bsS Size: 6KB - Virtual size: 6KB

.rdata Size: 84KB - Virtual size: 83KB

.data Size: 334KB - Virtual size: 341KB

.idata Size: 4KB - Virtual size: 4KB

.00cfg Size: 512B - Virtual size: 270B

.reloc Size: 22KB - Virtual size: 21KB

Password: 1234

9fb39f6af91d482e4fc0097e85d02280

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

a3:9d:1d:73:b9:20:2e:e2:ed:fc:61:9f:14:db:38:1b:de:af:bb:d9:cb:da:88:fe:1b:cf:8f:66:2b:87:dd:12Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

advapi32

crypt32

kernel32

rpcrt4

wintrust

urlmon

api-ms-win-core-job-l2-1-0

ntdll

mpclient

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

userenv

bcrypt

api-ms-win-service-private-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

Exports

Exports

Sections

.text Size: 2.8MB - Virtual size: 2.8MB

.rdata Size: 844KB - Virtual size: 841KB

.data Size: 60KB - Virtual size: 85KB

.pdata Size: 128KB - Virtual size: 124KB

.didat Size: 4KB - Virtual size: 496B

.rsrc Size: 36KB - Virtual size: 35KB

.reloc Size: 20KB - Virtual size: 17KB

.text
Size: 735KB - Virtual size: 735KB

.bsS
Size: 6KB - Virtual size: 6KB

.rdata
Size: 84KB - Virtual size: 83KB

.data
Size: 334KB - Virtual size: 341KB

.idata
Size: 4KB - Virtual size: 4KB

.00cfg
Size: 512B - Virtual size: 270B

.reloc
Size: 22KB - Virtual size: 21KB

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a3:9d:1d:73:b9:20:2e:e2:ed:fc:61:9f:14:db:38:1b:de:af:bb:d9:cb:da:88:fe:1b:cf:8f:66:2b:87:dd:12
Signer

.text
Size: 2.8MB - Virtual size: 2.8MB

.rdata
Size: 844KB - Virtual size: 841KB

.data
Size: 60KB - Virtual size: 85KB

.pdata
Size: 128KB - Virtual size: 124KB

.didat
Size: 4KB - Virtual size: 496B

.rsrc
Size: 36KB - Virtual size: 35KB

.reloc
Size: 20KB - Virtual size: 17KB