DafPrintProvider.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: DafPrintProvider.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: DafPrintProvider.dll
  Resource: win10v2004-20240508-en
General
Target: DafPrintProvider.dll
Size: 263KB
MD5: 95aeaad7e1e11964320bd51effb01275
SHA1: fd3695a5992b8c2660c73e6efe712d3e3388c576
SHA256: 9a97278cefb87e917ec98faab1d7f558db2cfcc8ecd1c8bd106953bdd2859315
SHA512: c64537705d325e70d158af27ed2f02c6c8ac20c4bb24ebba66e3d08e3ead551109280344d0ba1c1fa39555a6d45a9ebc5ab920ae30fa539fb763d4fadbdc3804
SSDEEP: 3072:Ob+30+lwQRkrGzklHYtRy+OQHeIO6lpBGpT8KcPgTgPA/qm4:m+vDIloyRQhlGp9sm
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
  resource: DafPrintProvider.dll
Files
DafPrintProvider.dll.dll windows:6 windows x64 arch:x64
0ba6dbb36d6fdc9d796e138e3cbc5357
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
??1type_info@@UEAA@XZ
_lock
memset
memcmp
_unlock
_purecall
??_V@YAXPEAX@Z
__CxxFrameHandler3
__dllonexit
_onexit
_ultow_s
__C_specific_handler
??3@YAXPEAX@Z
wcstoul
_initterm
wcsrchr
memcpy
wcschr
free
swprintf_s
_amsg_exit
isspace
_vsnwprintf
_XcptFilter
_CxxThrowException
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
malloc
memmove
??0exception@@QEAA@AEBQEBD@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBV0@@Z
_wcsicmp
wcscmp
ntdll
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
EtwTraceMessage
RtlAllocateHeap
RtlTimeToTimeFields
RtlPrefixUnicodeString
RtlEqualUnicodeString
LdrGetProcedureAddress
RtlInitAnsiString
LdrGetDllHandle
RtlInitUnicodeString
RtlGetGroupSecurityDescriptor
RtlGetSaclSecurityDescriptor
RtlGetOwnerSecurityDescriptor
NtQueryValueKey
NtSetValueKey
NtDeleteValueKey
NtEnumerateValueKey
NtEnumerateKey
NtSetSecurityObject
NtQueryKey
NtDeleteKey
NtCreateKey
NtOpenKey
RtlFormatCurrentUserKeyPath
RtlAddAce
RtlCopySid
RtlGetDaclSecurityDescriptor
NtSetInformationThread
NtAdjustPrivilegesToken
NtDuplicateToken
RtlFreeHeap
RtlValidRelativeSecurityDescriptor
RtlLengthSecurityDescriptor
NtQuerySecurityObject
NtOpenProcessToken
NtOpenThreadToken
RtlAbsoluteToSelfRelativeSD
RtlValidSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAceEx
RtlCreateAcl
RtlLengthSid
RtlValidSid
RtlLengthRequiredSid
RtlFreeUnicodeString
RtlAppendUnicodeStringToString
RtlConvertSidToUnicodeString
RtlEqualSid
RtlSubAuthoritySid
RtlInitializeSid
NtQueryInformationToken
NtOpenProcessTokenEx
NtOpenThreadTokenEx
NtClose
RtlGetVersion
RtlUnicodeStringToInteger
RtlGUIDFromString
RtlInitUnicodeStringEx
api-ms-win-core-errorhandling-l1-1-1
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
api-ms-win-core-synch-l1-2-0
InitializeCriticalSection
DeleteCriticalSection
Sleep
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-processthreads-l1-1-2
OpenProcessToken
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
GetCurrentThread
OpenThreadToken
api-ms-win-eventing-classicprovider-l1-1-0
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
api-ms-win-core-libraryloader-l1-2-0
DisableThreadLibraryCalls
LoadStringW
api-ms-win-security-base-l1-2-0
CreateWellKnownSid
EqualSid
GetTokenInformation
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-2-1
GetSystemTimeAsFileTime
GetTickCount
kernel32
GetProcAddress
LocalAlloc
lstrcmpiW
LoadLibraryW
SetLastError
FormatMessageW
ResolveDelayLoadedAPI
DelayLoadFailureHook
LocalFree
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
EnterCriticalSection
LeaveCriticalSection
MultiByteToWideChar
FreeLibraryAndExitThread
FreeLibrary
LoadLibraryExW
CreateThread
QueueUserWorkItem
RegQueryInfoKeyW
RegEnumKeyExW
RtlCompareMemory
oleaut32
VariantClear
SysAllocString
SysStringLen
SysFreeString
VariantInit
api-ms-win-core-com-l1-1-1
CoInitializeEx
CoCreateInstance
CoUninitialize
api-ms-win-eventing-provider-l1-1-0
EventWrite
api-ms-win-security-lsalookup-l2-1-1
LookupAccountNameW
rpcrt4
NdrMesTypeDecode3
MesEncodeDynBufferHandleCreate
RpcExceptionFilter
MesHandleFree
UuidCompare
MesDecodeBufferHandleCreate
NdrMesTypeEncode3
winspool.drv
GetPrinterDataW
EnumPrintersW
GetPrinterDriverW
AddPrinterConnection2W
DeletePrinterConnectionW
OpenPrinter2W
ClosePrinter
bcrypt
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptOpenAlgorithmProvider
dsrole
DsRoleFreeMemory
DsRoleGetPrimaryDomainInformation
ws2_32
WSAGetLastError
WSAAddressToStringW
WSACleanup
WSAStartup
logoncli
DsAddressToSiteNamesExW
netutils
NetApiBufferFree
sspicli
GetUserNameExW
iphlpapi
GetAdaptersAddresses
activeds
ord3
ord9
secur32
GetComputerObjectNameW
Exports
DllCanUnloadNow
DllGetClassObject
Sections
.text Size: 241KB - Virtual size: 241KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 8KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 32B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1024B - Virtual size: 900B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ