advapi32[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

advapi32.dll
Size

684KB
MD5

68785ad1bff91bb6d9c5480dd9d1998c
SHA1

50893ad6e8062c1c9650f7c1dd27d452aca3f7d2
SHA256

284f5a7a7e5421055b9fdd7f40e58a4220efcd48ced0e1480c0ac25d01caa3e1
SHA512

745536baba177cd2228beed817b312c724fd31f440acfbbb8dc6ba428a54852194902033666b370cab50fc44989738c92b4905c2bf1791748c2f0dfda579f191
SSDEEP

12288:B2m+9cFYCDd/D9Lqsijf5zL4u6FAVms7ZNrKmt9GUyzyQpwTTmZC528Ax:Q9md/Nqsijf5ohFAVms7ZN2mUXpwTTjA

Score

1^/10

Malware Config

Signatures

Files

advapi32.dll
.dll windows:6 windows x64 arch:x64

a653329dc47b1f0da422e24b2b32e6ed

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

04:48:62:8e:09:14:d3:90:17:6b:bc:ae:d4:6a:a9:b8:da:53:3a:c6:60:9c:be:61:69:05:69:1b:ae:d1:30:49
Signer

Actual PE Digest

04:48:62:8e:09:14:d3:90:17:6b:bc:ae:d4:6a:a9:b8:da:53:3a:c6:60:9c:be:61:69:05:69:1b:ae:d1:30:49

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

advapi32.pdb

Imports

msvcrt

memmove
iswctype
_vsnwprintf
memset
memcpy
memcmp
__C_specific_handler
_vsnprintf
mbstowcs
iswalpha
_stricmp
_wcstoi64
_i64tow_s
_wcstoui64
_ui64tow_s
_ultow
wcscat_s
_wcsicmp
_errno
wcschr
wcscpy_s
wcstok_s
swscanf_s
wcsrchr
wcsncpy_s
wcsstr
swprintf_s
_wcsnicmp
wcsncmp
strstr
strchr
tolower
wcstoul
_ultow_s
wcscmp

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtSetSystemInformation
DbgPrint
RtlFreeAnsiString
RtlGetCurrentTransaction
ord1
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlIsTextUnicode
RtlLengthSid
NlsMbCodePageTag
NtQueryInformationToken
RtlxUnicodeStringToAnsiSize
RtlSubAuthoritySid
RtlGetThreadPreferredUILanguages
RtlSubAuthorityCountSid
RtlMakeSelfRelativeSD
RtlConvertSidToUnicodeString
RtlUnicodeStringToInteger
RtlAllocateHandle
RtlIsValidIndexHandle
RtlFreeHandle
NtOpenKey
NtQueryValueKey
NtClose
NtOpenThreadToken
NtOpenProcessToken
RtlEqualSid
RtlAddAccessAllowedAceEx
NtSetInformationToken
RtlCreateSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtDuplicateToken
NtCompareTokens
RtlAllocateAndInitializeSid
RtlFreeSid
RtlIsGenericTableEmpty
RtlEnumerateGenericTableWithoutSplaying
RtlDuplicateUnicodeString
RtlExpandEnvironmentStrings_U
NtOpenFile
RtlCreateUnicodeString
NtQueryInformationProcess
RtlGetLastNtStatus
NtQueryKey
RtlValidSid
LdrLoadDll
RtlImageNtHeader
LdrUnloadDll
NtDeviceIoControlFile
NtQuerySystemInformation
EtwEventRegister
EtwEventWrite
NtCreateKey
NtSetValueKey
RtlDeleteElementGenericTable
RtlAppendUnicodeToString
NtDeleteKey
RtlInsertElementGenericTable
RtlCopySid
RtlInitializeHandleTable
RtlDestroyHandleTable
EtwEventUnregister
NtEnumerateKey
RtlIntegerToUnicodeString
RtlStringFromGUID
RtlAppendUnicodeStringToString
RtlFormatCurrentUserKeyPath
RtlInitializeGenericTable
RtlQueryRegistryValuesEx
RtlLookupElementGenericTable
RtlNumberGenericTableElements
RtlGUIDFromString
RtlUpcaseUnicodeChar
NtQueryVolumeInformationFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
RtlPrefixUnicodeString
RtlDetermineDosPathNameType_U
NtQueryInformationFile
RtlGetFullPathName_U
RtlUnicodeToMultiByteN
RtlNtStatusToDosErrorNoTeb
RtlAnsiCharToUnicodeChar
RtlMultiByteToUnicodeN
RtlSetLastWin32Error
NtTraceControl
NtTraceEvent
EtwpGetCpuSpeed
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
RtlInitAnsiStringEx
RtlInitUnicodeStringEx
RtlCreateUnicodeStringFromAsciiz
NtRenameKey
RtlAddAce
RtlGetAce
RtlAddAccessDeniedAceEx
RtlSetDaclSecurityDescriptor
RtlFirstFreeAce
RtlValidAcl
RtlAddAuditAccessObjectAce
RtlGetSaclSecurityDescriptor
RtlAddAccessDeniedObjectAce
RtlSetGroupSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlSetSaclSecurityDescriptor
RtlxAnsiStringToUnicodeSize
RtlGetControlSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
RtlAddAccessAllowedObjectAce
RtlGetDaclSecurityDescriptor
RtlInitializeSid
RtlGetOwnerSecurityDescriptor
RtlAddAuditAccessAceEx
NtQuerySystemTime
RtlTimeToSecondsSince1970
EtwEventSetInformation
RtlImpersonateSelf
RtlAdjustPrivilege
RtlCopyString
EtwEventWriteTransfer
EtwTraceMessage
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
NtWaitForSingleObject
RtlGetVersion
NtQueryInformationThread
NtSetInformationThread
NtQuerySecurityObject
RtlRunOnceExecuteOnce
RtlRunOnceBeginInitialize
RtlDllShutdownInProgress
RtlRunOnceInitialize
NtQueryPerformanceCounter
NtWaitForMultipleObjects
WinSqmAddToStream
RtlCreateAcl
RtlValidRelativeSecurityDescriptor
NtCreateFile
NtWriteFile
NtReadFile
RtlWaitOnAddress
RtlWakeAddressAll
RtlQueryPerformanceCounter
RtlAddAccessAllowedAce
RtlAcquireSRWLockExclusive
RtlInsertElementGenericTableAvl
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockShared
RtlLookupElementGenericTableAvl
RtlReleaseSRWLockShared
RtlEnumerateGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlReAllocateHeap
RtlDosPathNameToRelativeNtPathName_U
RtlReleaseRelativeName
RtlWakeAddressSingle
RtlDestroyQueryDebugBuffer
RtlEqualUnicodeString
RtlQueryProcessDebugInformation
NtQueryMutant
NtQueryObject
NtAlpcQueryInformation
RtlInitializeSRWLock
RtlCreateQueryDebugBuffer
NtReplaceKey
RtlOpenCurrentUser
NtQueryMultipleValueKey
NtSaveMergedKeys
NtSaveKey
RtlValidSecurityDescriptor
RtlLengthSecurityDescriptor
RtlGetNtProductType
RtlCopyUnicodeString
RtlOemStringToUnicodeString
RtlUnicodeToMultiByteSize
RtlUnicodeStringToAnsiString
RtlDosPathNameToNtPathName_U
RtlAllocateHeap
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlInitAnsiString
RtlInitUnicodeString
NtOpenKeyEx
NtSetInformationKey
RtlFreeHeap
RtlAnsiStringToUnicodeString
RtlInitializeCriticalSection
RtlDeleteCriticalSection

api-ms-win-eventing-controller-l1-1-0

TraceSetInformation
ControlTraceW
QueryAllTracesW
EventAccessQuery
EnumerateTraceGuidsEx
StartTraceW
EventAccessControl
StopTraceW
EventAccessRemove
EnableTraceEx2

api-ms-win-eventing-consumer-l1-1-0

CloseTrace
OpenTraceW
ProcessTrace

kernelbase

RegKrnGetHKEY_ClassesRootAddress
RegKrnGetClassesEnumTableAddressInternal
RegKrnGetTermsrvRegistryExtensionFlags
RegDeleteKeyExInternalW
RegOpenKeyExInternalW
RegCreateKeyExInternalW
CLOSE_LOCAL_HANDLE_INTERNAL
MapPredefinedHandleInternal
RegDeleteKeyExInternalA
RegCreateKeyExInternalA
RegOpenKeyExInternalA
RemapPredefinedHandleInternal
DisablePredefinedHandleTableInternal
GetPackagePath
PackageIdFromFullName
Sleep
lstrcmpiW
lstrcmpW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
CreateProcessAsUserW
CreateProcessInternalA
AreFileApisANSI
lstrlenW
LocalReAlloc
LocalFree
LocalAlloc

sechost

QueryAllTracesA
StartTraceA
ControlTraceA

api-ms-win-service-core-l1-1-1

EnumDependentServicesW
QueryServiceDynamicInformation
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerExW
EnumServicesStatusExW

api-ms-win-service-management-l1-1-0

CreateServiceW
CloseServiceHandle
DeleteService
OpenSCManagerW
ControlServiceExW
OpenServiceW
StartServiceW

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceStatusEx
QueryServiceConfigW
NotifyServiceStatusChangeW
SetServiceObjectSecurity
ChangeServiceConfig2W
QueryServiceObjectSecurity
QueryServiceConfig2W

api-ms-win-service-private-l1-1-1

I_ScRpcBindW
I_ScRpcBindA
I_ScSetServiceBitsA
I_ScSetServiceBitsW
I_ScRegisterPreshutdownRestart
WaitServiceState

api-ms-win-service-winsvc-l1-2-0

OpenServiceA
QueryServiceConfig2A
ControlService
RegisterServiceCtrlHandlerW
QueryServiceConfigA
OpenSCManagerA
QueryServiceStatus
RegisterServiceCtrlHandlerExA
ChangeServiceConfigA
StartServiceA
CreateServiceA
RegisterServiceCtrlHandlerA
NotifyServiceStatusChangeA
ControlServiceExA
ChangeServiceConfig2A
StartServiceCtrlDispatcherA

api-ms-win-core-namedpipe-l1-2-0

ImpersonateNamedPipeClient

api-ms-win-core-processthreads-l1-1-2

OpenProcess
CreateThread
IsProcessorFeaturePresent
GetCurrentThread
OpenThread
GetProcessId
GetCurrentProcess
OpenProcessToken
OpenThreadToken
SetThreadToken
GetPriorityClass
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess

api-ms-win-security-base-l1-2-0

RevertToSelf
AddAccessAllowedAce
GetSecurityDescriptorOwner
SetSecurityDescriptorOwner
AllocateAndInitializeSid
AllocateLocallyUniqueId
InitializeAcl
SetKernelObjectSecurity
MakeAbsoluteSD
ImpersonateLoggedOnUser
DuplicateTokenEx
QuerySecurityAccessMask
CreatePrivateObjectSecurityEx
GetSecurityDescriptorLength
ImpersonateSelf
GetAce
AccessCheckByTypeResultList
CreatePrivateObjectSecurity
SetSecurityDescriptorDacl
IsTokenRestricted
AddAuditAccessObjectAce
AdjustTokenGroups
AddAccessDeniedAce
AreAllAccessesGranted
SetTokenInformation
PrivilegeCheck
SetSecurityAccessMask
IsWellKnownSid
GetSidSubAuthority
IsValidAcl
SetAclInformation
GetSidIdentifierAuthority
FreeSid
GetTokenInformation
PrivilegedServiceAuditAlarmW
AccessCheckByTypeResultListAndAuditAlarmW
ObjectOpenAuditAlarmW
ObjectPrivilegeAuditAlarmW
ObjectCloseAuditAlarmW
SetFileSecurityW
GetFileSecurityW
ObjectDeleteAuditAlarmW
CopySid
AccessCheckByTypeResultListAndAuditAlarmByHandleW
AccessCheckAndAuditAlarmW
AccessCheckByTypeAndAuditAlarmW
IsValidSid
InitializeSecurityDescriptor
GetPrivateObjectSecurity
DuplicateToken
CreatePrivateObjectSecurityWithMultipleInheritance
EqualPrefixSid
AddAccessDeniedObjectAce
AddAccessAllowedObjectAce
AccessCheckByType
AddAuditAccessAce
SetPrivateObjectSecurityEx
EqualSid
GetSecurityDescriptorControl
CreateRestrictedToken
GetAclInformation
GetKernelObjectSecurity
GetSidLengthRequired
AccessCheck
AddAccessAllowedAceEx
InitializeSid
AddAce
GetSecurityDescriptorSacl
ImpersonateAnonymousToken
AddAuditAccessAceEx
IsValidSecurityDescriptor
GetLengthSid
AddAccessDeniedAceEx
CheckTokenMembership
SetSecurityDescriptorSacl
AreAnyAccessesGranted
AdjustTokenPrivileges
GetSecurityDescriptorRMControl
SetSecurityDescriptorRMControl
GetSidSubAuthorityCount
GetWindowsAccountDomainSid
FindFirstFreeAce
ConvertToAutoInheritPrivateObjectSecurity
SetPrivateObjectSecurity
EqualDomainSid
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
CreateWellKnownSid
DestroyPrivateObjectSecurity
MapGenericMask
SetSecurityDescriptorGroup
DeleteAce
SetSecurityDescriptorControl
MakeSelfRelativeSD

api-ms-win-security-base-private-l1-1-1

MakeAbsoluteSD2

api-ms-win-core-registry-l1-1-0

RegRestoreKeyW
RegLoadAppKeyW
RegCopyTreeW
RegQueryValueExW
RegOpenKeyExW
RegQueryInfoKeyA
RegLoadAppKeyA
RegOpenUserClassesRoot
RegDeleteKeyExW
RegUnLoadKeyA
RegRestoreKeyA
RegDeleteTreeA
RegSetValueExA
RegCreateKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegEnumKeyExA
RegLoadMUIStringW
RegSaveKeyExA
RegUnLoadKeyW
RegSetValueExW
RegLoadKeyW
RegDisablePredefinedCacheEx
RegEnumKeyExW
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyExA
RegSetKeySecurity
RegEnumValueW
RegLoadKeyA
RegEnumValueA
RegOpenCurrentUser
RegGetValueW
RegSaveKeyExW
RegDeleteTreeW
RegDeleteValueA
RegDeleteValueW
RegCreateKeyExA
RegGetValueA
RegGetKeySecurity
RegOpenKeyExA
RegLoadMUIStringA
RegCloseKey

api-ms-win-core-sysinfo-l1-2-1

GetComputerNameExW
GetTickCount
GetSystemTimeAsFileTime
GetLocalTime
GetNativeSystemInfo
GlobalMemoryStatusEx
GetSystemFirmwareTable
GetSystemWindowsDirectoryW
GetSystemTime
GetSystemDirectoryW

kernel32

GetModuleHandleW
WideCharToMultiByte
MultiByteToWideChar
GetProcAddress
LoadLibraryExA
CloseHandle
FreeLibrary
LoadLibraryExW
LeaveCriticalSection
GetLastError
EnterCriticalSection
GetFullPathNameW
SearchPathW
HeapAlloc
ResolveDelayLoadedAPI
DelayLoadFailureHook
HeapFree
SleepEx
GetProcessHeap
GetFileAttributesW
CreateFileW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
CreateEventW
GetThreadUILanguage
GetCommandLineW
LoadLibraryW
GetModuleHandleExW
SetFilePointer
OutputDebugStringW
WriteFile
TermsrvDeleteKey
TermsrvOpenUserClasses
DuplicateHandle
DecodePointer
FreeLibraryAndExitThread
ReadProcessMemory
EncodePointer
FormatMessageW
MoveFileW
GetFileAttributesExW
DeleteFileW
ExpandEnvironmentStringsW
GetFileSizeEx
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetLongPathNameW
CompareFileTime
FindResourceExW
LoadResource
GetVolumePathNameW
DeleteCriticalSection
WaitForSingleObject
GetActiveProcessorCount
GetOverlappedResult
DeviceIoControl
GetVolumeInformationW
GetComputerNameW
ReleaseMutex
ExpandEnvironmentStringsA
GetModuleFileNameW
LoadLibraryA
GetComputerNameA
LocalUnlock
LocalLock
CreateMutexW
InitializeCriticalSection
CreateThreadpoolIo
FreeLibraryWhenCallbackReturns
CancelIoEx
CloseThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
EnumUILanguagesW
GetFileMUIPath
SetErrorMode
SetFileInformationByHandle
CopyFileExW
FindClose
FindNextFileW
FindFirstFileExW
lstrcmpiA
GetFileSize
DosDateTimeToFileTime
FileTimeToDosDateTime
GetFileTime
ResetEvent
SetEvent
HeapReAlloc
LockResource
SizeofResource
SetLastError

rpcrt4

RpcStringBindingComposeW
RpcBindingFree
RpcStringFreeW
RpcBindingSetAuthInfoExA
RpcBindingSetAuthInfoExW
NdrClientCall3
I_RpcExceptionFilter
I_RpcMapWin32Status
RpcEpResolveBinding
RpcBindingSetAuthInfoW
RpcBindingSetAuthInfoA
RpcBindingFromStringBindingW
RpcSsDestroyClientContext
RpcBindingCreateW
RpcBindingBind
I_RpcSNCHOption
NdrClientCall2
UuidFromStringW
UuidToStringW
RpcExceptionFilter

api-ms-win-core-timezone-l1-1-0

GetDynamicTimeZoneInformationEffectiveYears
EnumDynamicTimeZoneInformation

api-ms-win-security-audit-l1-1-1

AuditSetSecurity
AuditEnumeratePerUserPolicy
AuditQueryGlobalSaclW
AuditFree
AuditSetPerUserPolicy
AuditEnumerateSubCategories
AuditComputeEffectivePolicyBySid
AuditLookupCategoryNameW
AuditLookupSubCategoryNameW
AuditEnumerateCategories
AuditQueryPerUserPolicy
AuditSetGlobalSaclW
AuditQuerySecurity
AuditQuerySystemPolicy
AuditSetSystemPolicy

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

A_SHAFinal
A_SHAInit
A_SHAUpdate
AbortSystemShutdownA
AbortSystemShutdownW
AccessCheck
AccessCheckAndAuditAlarmA
AccessCheckAndAuditAlarmW
AccessCheckByType
AccessCheckByTypeAndAuditAlarmA
AccessCheckByTypeAndAuditAlarmW
AccessCheckByTypeResultList
AccessCheckByTypeResultListAndAuditAlarmA
AccessCheckByTypeResultListAndAuditAlarmByHandleA
AccessCheckByTypeResultListAndAuditAlarmByHandleW
AccessCheckByTypeResultListAndAuditAlarmW
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddConditionalAce
AddMandatoryAce
AddUsersToEncryptedFile
AddUsersToEncryptedFileEx
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AreAllAccessesGranted
AreAnyAccessesGranted
AuditComputeEffectivePolicyBySid
AuditComputeEffectivePolicyByToken
AuditEnumerateCategories
AuditEnumeratePerUserPolicy
AuditEnumerateSubCategories
AuditFree
AuditLookupCategoryGuidFromCategoryId
AuditLookupCategoryIdFromCategoryGuid
AuditLookupCategoryNameA
AuditLookupCategoryNameW
AuditLookupSubCategoryNameA
AuditLookupSubCategoryNameW
AuditQueryGlobalSaclA
AuditQueryGlobalSaclW
AuditQueryPerUserPolicy
AuditQuerySecurity
AuditQuerySystemPolicy
AuditSetGlobalSaclA
AuditSetGlobalSaclW
AuditSetPerUserPolicy
AuditSetSecurity
AuditSetSystemPolicy
BackupEventLogA
BackupEventLogW
BaseRegCloseKey
BaseRegCreateKey
BaseRegDeleteKeyEx
BaseRegDeleteValue
BaseRegFlushKey
BaseRegGetVersion
BaseRegLoadKey
BaseRegOpenKey
BaseRegRestoreKey
BaseRegSaveKeyEx
BaseRegSetKeySecurity
BaseRegSetValue
BaseRegUnLoadKey
BuildExplicitAccessWithNameA
BuildExplicitAccessWithNameW
BuildImpersonateExplicitAccessWithNameA
BuildImpersonateExplicitAccessWithNameW
BuildImpersonateTrusteeA
BuildImpersonateTrusteeW
BuildSecurityDescriptorA
BuildSecurityDescriptorW
BuildTrusteeWithNameA
BuildTrusteeWithNameW
BuildTrusteeWithObjectsAndNameA
BuildTrusteeWithObjectsAndNameW
BuildTrusteeWithObjectsAndSidA
BuildTrusteeWithObjectsAndSidW
BuildTrusteeWithSidA
BuildTrusteeWithSidW
CancelOverlappedAccess
ChangeServiceConfig2A
ChangeServiceConfig2W
ChangeServiceConfigA
ChangeServiceConfigW
CheckForHiberboot
CheckTokenMembership
ClearEventLogA
ClearEventLogW
CloseCodeAuthzLevel
CloseEncryptedFileRaw
CloseEventLog
CloseServiceHandle
CloseThreadWaitChainSession
CloseTrace
CommandLineFromMsiDescriptor
ComputeAccessTokenFromCodeAuthzLevel
ControlService
ControlServiceExA
ControlServiceExW
ControlTraceA
ControlTraceW
ConvertAccessToSecurityDescriptorA
ConvertAccessToSecurityDescriptorW
ConvertSDToStringSDDomainW
ConvertSDToStringSDRootDomainA
ConvertSDToStringSDRootDomainW
ConvertSecurityDescriptorToAccessA
ConvertSecurityDescriptorToAccessNamedA
ConvertSecurityDescriptorToAccessNamedW
ConvertSecurityDescriptorToAccessW
ConvertSecurityDescriptorToStringSecurityDescriptorA
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidA
ConvertSidToStringSidW
ConvertStringSDToSDDomainA
ConvertStringSDToSDDomainW
ConvertStringSDToSDRootDomainA
ConvertStringSDToSDRootDomainW
ConvertStringSecurityDescriptorToSecurityDescriptorA
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidA
ConvertStringSidToSidW
ConvertToAutoInheritPrivateObjectSecurity
CopySid
CreateCodeAuthzLevel
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateProcessAsUserA
CreateProcessAsUserW
CreateProcessWithLogonW
CreateProcessWithTokenW
CreateRestrictedToken
CreateServiceA
CreateServiceW
CreateTraceInstanceId
CreateWellKnownSid
CredBackupCredentials
CredDeleteA
CredDeleteW
CredEncryptAndMarshalBinaryBlob
CredEnumerateA
CredEnumerateW
CredFindBestCredentialA
CredFindBestCredentialW
CredFree
CredGetSessionTypes
CredGetTargetInfoA
CredGetTargetInfoW
CredIsMarshaledCredentialA
CredIsMarshaledCredentialW
CredIsProtectedA
CredIsProtectedW
CredMarshalCredentialA
CredMarshalCredentialW
CredProfileLoaded
CredProfileLoadedEx
CredProfileUnloaded
CredProtectA
CredProtectW
CredReadA
CredReadByTokenHandle
CredReadDomainCredentialsA
CredReadDomainCredentialsW
CredReadW
CredRenameA
CredRenameW
CredRestoreCredentials
CredUnmarshalCredentialA
CredUnmarshalCredentialW
CredUnprotectA
CredUnprotectW
CredWriteA
CredWriteDomainCredentialsA
CredWriteDomainCredentialsW
CredWriteW
CredpConvertCredential
CredpConvertOneCredentialSize
CredpConvertTargetInfo
CredpDecodeCredential
CredpEncodeCredential
CredpEncodeSecret
CryptAcquireContextA
CryptAcquireContextW
CryptContextAddRef
CryptCreateHash
CryptDecrypt
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptDuplicateHash
CryptDuplicateKey
CryptEncrypt
CryptEnumProviderTypesA
CryptEnumProviderTypesW
CryptEnumProvidersA
CryptEnumProvidersW
CryptExportKey
CryptGenKey
CryptGenRandom
CryptGetDefaultProviderA
CryptGetDefaultProviderW
CryptGetHashParam
CryptGetKeyParam
CryptGetProvParam
CryptGetUserKey
CryptHashData
CryptHashSessionKey
CryptImportKey
CryptReleaseContext
CryptSetHashParam
CryptSetKeyParam
CryptSetProvParam
CryptSetProviderA
CryptSetProviderExA
CryptSetProviderExW
CryptSetProviderW
CryptSignHashA
CryptSignHashW
CryptVerifySignatureA
CryptVerifySignatureW
DecryptFileA
DecryptFileW
DeleteAce
DeleteService
DeregisterEventSource
DestroyPrivateObjectSecurity
DuplicateEncryptionInfoFile
DuplicateToken
DuplicateTokenEx
ElfBackupEventLogFileA
ElfBackupEventLogFileW
ElfChangeNotify
ElfClearEventLogFileA
ElfClearEventLogFileW
ElfCloseEventLog
ElfDeregisterEventSource
ElfFlushEventLog
ElfNumberOfRecords
ElfOldestRecord
ElfOpenBackupEventLogA
ElfOpenBackupEventLogW
ElfOpenEventLogA
ElfOpenEventLogW
ElfReadEventLogA
ElfReadEventLogW
ElfRegisterEventSourceA
ElfRegisterEventSourceW
ElfReportEventA
ElfReportEventAndSourceW
ElfReportEventW
EnableTrace
EnableTraceEx
EnableTraceEx2
EncryptFileA
EncryptFileW
EncryptedFileKeyInfo
EncryptionDisable
EnumDependentServicesA
EnumDependentServicesW
EnumDynamicTimeZoneInformation
EnumServiceGroupW
EnumServicesStatusA
EnumServicesStatusExA
EnumServicesStatusExW
EnumServicesStatusW
EnumerateTraceGuids
EnumerateTraceGuidsEx
EqualDomainSid
EqualPrefixSid
EqualSid
EtwLogSysConfigExtension
EventAccessControl
EventAccessQuery
EventAccessRemove
EventActivityIdControl
EventEnabled
EventProviderEnabled
EventRegister
EventSetInformation
EventUnregister
EventWrite
EventWriteEndScenario
EventWriteEx
EventWriteStartScenario
EventWriteString
EventWriteTransfer
FileEncryptionStatusA
FileEncryptionStatusW
FindFirstFreeAce
FlushEfsCache
FlushTraceA
FlushTraceW
FreeEncryptedFileKeyInfo
FreeEncryptedFileMetadata
FreeEncryptionCertificateHashList
FreeInheritedFromArray
FreeSid
GetAccessPermissionsForObjectA
GetAccessPermissionsForObjectW
GetAce
GetAclInformation
GetAuditedPermissionsFromAclA
GetAuditedPermissionsFromAclW
GetCurrentHwProfileA
GetCurrentHwProfileW
GetDynamicTimeZoneInformationEffectiveYears
GetEffectiveRightsFromAclA
GetEffectiveRightsFromAclW
GetEncryptedFileMetadata
GetEventLogInformation
GetExplicitEntriesFromAclA
GetExplicitEntriesFromAclW
GetFileSecurityA
GetFileSecurityW
GetInformationCodeAuthzLevelW
GetInformationCodeAuthzPolicyW
GetInheritanceSourceA
GetInheritanceSourceW
GetKernelObjectSecurity
GetLengthSid
GetLocalManagedApplicationData
GetLocalManagedApplications
GetManagedApplicationCategories
GetManagedApplications
GetMultipleTrusteeA
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetMultipleTrusteeW
GetNamedSecurityInfoA
GetNamedSecurityInfoExA
GetNamedSecurityInfoExW
GetNamedSecurityInfoW
GetNumberOfEventLogRecords
GetOldestEventLogRecord
GetOverlappedAccessResults
GetPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorRMControl
GetSecurityDescriptorSacl
GetSecurityInfo
GetSecurityInfoExA
GetSecurityInfoExW
GetServiceDisplayNameA
GetServiceDisplayNameW
GetServiceKeyNameA
GetServiceKeyNameW
GetSidIdentifierAuthority
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetStringConditionFromBinary
GetThreadWaitChain
GetTokenInformation
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
GetTrusteeFormA
GetTrusteeFormW
GetTrusteeNameA
GetTrusteeNameW
GetTrusteeTypeA
GetTrusteeTypeW
GetUserNameA
GetUserNameW
GetWindowsAccountDomainSid
I_QueryTagInformation
I_ScGetCurrentGroupStateW
I_ScIsSecurityProcess
I_ScPnPGetServiceName
I_ScQueryServiceConfig
I_ScRegisterPreshutdownRestart
I_ScSendPnPMessage
I_ScSendTSMessage
I_ScSetServiceBitsA
I_ScSetServiceBitsW
I_ScValidatePnPService
IdentifyCodeAuthzLevelW
ImpersonateAnonymousToken
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
ImpersonateSelf
InitializeAcl
InitializeSecurityDescriptor
InitializeSid
InitiateShutdownA
InitiateShutdownW
InitiateSystemShutdownA
InitiateSystemShutdownExA
InitiateSystemShutdownExW
InitiateSystemShutdownW
InstallApplication
IsTextUnicode
IsTokenRestricted
IsTokenUntrusted
IsValidAcl
IsValidRelativeSecurityDescriptor
IsValidSecurityDescriptor
IsValidSid
IsWellKnownSid
LockServiceDatabase
LogonUserA
LogonUserExA
LogonUserExExW
LogonUserExW
LogonUserW
LookupAccountNameA
LookupAccountNameW
LookupAccountSidA
LookupAccountSidW
LookupPrivilegeDisplayNameA
LookupPrivilegeDisplayNameW
LookupPrivilegeNameA
LookupPrivilegeNameW
LookupPrivilegeValueA
LookupPrivilegeValueW
LookupSecurityDescriptorPartsA
LookupSecurityDescriptorPartsW
LsaAddAccountRights
LsaAddPrivilegesToAccount
LsaClearAuditLog
LsaClose
LsaCreateAccount
LsaCreateSecret
LsaCreateTrustedDomain
LsaCreateTrustedDomainEx
LsaDelete
LsaDeleteTrustedDomain
LsaEnumerateAccountRights
LsaEnumerateAccounts
LsaEnumerateAccountsWithUserRight
LsaEnumeratePrivileges
LsaEnumeratePrivilegesOfAccount
LsaEnumerateTrustedDomains
LsaEnumerateTrustedDomainsEx
LsaFreeMemory
LsaGetAppliedCAPIDs
LsaGetQuotasForAccount
LsaGetRemoteUserName
LsaGetSystemAccessAccount
LsaGetUserName
LsaICLookupNames
LsaICLookupNamesWithCreds
LsaICLookupSids
LsaICLookupSidsWithCreds
LsaInvokeTrustScanner
LsaLookupNames
LsaLookupNames2
LsaLookupPrivilegeDisplayName
LsaLookupPrivilegeName
LsaLookupPrivilegeValue
LsaLookupSids
LsaLookupSids2
LsaManageSidNameMapping
LsaNtStatusToWinError
LsaOpenAccount
LsaOpenPolicy
LsaOpenPolicySce
LsaOpenSecret
LsaOpenTrustedDomain
LsaOpenTrustedDomainByName
LsaQueryCAPs
LsaQueryDomainInformationPolicy
LsaQueryForestTrustInformation
LsaQueryForestTrustInformation2
LsaQueryInfoTrustedDomain
LsaQueryInformationPolicy
LsaQuerySecret
LsaQuerySecurityObject
LsaQueryTrustedDomainInfo
LsaQueryTrustedDomainInfoByName
LsaRemoveAccountRights
LsaRemovePrivilegesFromAccount
LsaRetrievePrivateData
LsaSetCAPs
LsaSetDomainInformationPolicy
LsaSetForestTrustInformation
LsaSetForestTrustInformation2
LsaSetInformationPolicy
LsaSetInformationTrustedDomain
LsaSetQuotasForAccount
LsaSetSecret
LsaSetSecurityObject
LsaSetSystemAccessAccount
LsaSetTrustedDomainInfoByName
LsaSetTrustedDomainInformation

Sections

.text
Size: 595KB - Virtual size: 594KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a653329dc47b1f0da422e24b2b32e6ed

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

04:48:62:8e:09:14:d3:90:17:6b:bc:ae:d4:6a:a9:b8:da:53:3a:c6:60:9c:be:61:69:05:69:1b:ae:d1:30:49Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-eventing-controller-l1-1-0

api-ms-win-eventing-consumer-l1-1-0

kernelbase

sechost

api-ms-win-service-core-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-private-l1-1-1

api-ms-win-service-winsvc-l1-2-0

api-ms-win-core-namedpipe-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-security-base-l1-2-0

api-ms-win-security-base-private-l1-1-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

kernel32

rpcrt4

api-ms-win-core-timezone-l1-1-0

api-ms-win-security-audit-l1-1-1

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 595KB - Virtual size: 594KB

.data Size: 14KB - Virtual size: 16KB

.pdata Size: 24KB - Virtual size: 24KB

.idata Size: 24KB - Virtual size: 24KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 7KB - Virtual size: 6KB

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

04:48:62:8e:09:14:d3:90:17:6b:bc:ae:d4:6a:a9:b8:da:53:3a:c6:60:9c:be:61:69:05:69:1b:ae:d1:30:49
Signer

.text
Size: 595KB - Virtual size: 594KB

.data
Size: 14KB - Virtual size: 16KB

.pdata
Size: 24KB - Virtual size: 24KB

.idata
Size: 24KB - Virtual size: 24KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 7KB - Virtual size: 6KB