infected[.]zip

Resubmissions

24/06/2024, 15:32

240624-syyxnasgmq 7

24/06/2024, 15:25

240624-stqeqaygnc 4

24/06/2024, 15:23

240624-ssxseasejm 7

Sharing

Copy URL Twitter E-mail

General

Target

infected.zip
Size

20.8MB
MD5

583abcc43627e8e6feb78ba1bac485ff
SHA1

8645e24bab91e2ec44d4b21c091ac71fe88fa80a
SHA256

14e4fb4bae8d4f643df2efa7f7830a3be1782d45b7cc23e9ff8d203c517ee691
SHA512

e9e899dd481270147b2e445beece69d71e0e88663209cfdc0b71ca864c6080c6b1539cb8f771dd88debad0288a6b2632da877b2344542f68dd2a5cb5c9b3b36b
SSDEEP

393216:2cjuSGRdTwA5qL83mWrnqDM+LuMSJY1HEGNHkkuOojL73Bn8xL+WiwImZEZzdkZ7:ASGnHqQjnvMSQkGhcjtn8xCbIU+QA

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack002/wer.dll

Files

infected.zip
.zip

Password: infected
Advanced_IP_Scanner_v.3.5.2.1.zip
.zip

Password: infected
setup.exe
.exe windows:10 windows x64 arch:x64

Password: infected

9f236556f51749a0ca4bdf2040ea2478

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

26:b4:aa:c8:82:6b:3b:af:e6:44:70:c9:02:3e:81:cd:47:3c:9d:9b:ab:ff:1c:cd:77:ef:af:2e:84:68:e0:c5
Signer

Actual PE Digest

26:b4:aa:c8:82:6b:3b:af:e6:44:70:c9:02:3e:81:cd:47:3c:9d:9b:ab:ff:1c:cd:77:ef:af:2e:84:68:e0:c5

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

WerMgr.pdb

Imports

msvcrt

memset
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_commode
_fmode
??1type_info@@UEAA@XZ
memcpy
_callnewh
__C_specific_handler
memcmp
_CxxThrowException
_initterm
__setusermatherr
_ismbblead
malloc
free
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
_cexit
_exit
??1exception@@UEAA@XZ
exit
__set_app_type
realloc
memmove
_purecall
_XcptFilter
__CxxFrameHandler3
__getmainargs
_amsg_exit
_acmdln
wcscmp

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceComplete
InitOnceBeginInitialize

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
OpenProcessToken
TerminateProcess
GetCurrentThreadId
GetProcessId
CreateProcessW
GetCurrentThread
OpenThreadToken
GetCurrentProcess
GetCurrentProcessId

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleHandleW
GetModuleFileNameA
FreeLibrary
LoadLibraryExW
GetModuleFileNameW
GetModuleHandleExW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
GetTickCount64
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount

ntdll

RtlInitUnicodeString
NtOpenEvent
RtlNtStatusToDosError
EtwTraceMessage
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
memcpy_s
memmove_s
_vsnwprintf
_wcsicmp
_wtoi64
_wtoi
_vsnprintf_s
DbgPrintEx
wcsncmp
wcsrchr
_vscwprintf
toupper
RtlFreeSid
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
RtlAllocateAndInitializeSid
NtWaitForSingleObject
EtwEventWriteNoRegistration
ZwUpdateWnfStateData
ZwQueryWnfStateNameInformation
RtlCreateBoundaryDescriptor
RtlCreateServiceSid
RtlAddSIDToBoundaryDescriptor
RtlDeleteBoundaryDescriptor
NtQueryLicenseValue
NtQuerySystemInformation
NtClose
NtQueryInformationProcess
_wcsnicmp

api-ms-win-core-windowserrorreporting-l1-1-0

GetApplicationRecoveryCallback

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
CreateEventW
ReleaseSemaphore
OpenMutexW
OpenSemaphoreW
ReleaseSRWLockShared
CreateMutexW
InitializeCriticalSectionEx
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetEvent
CreateSemaphoreExW
AcquireSRWLockShared
CreateMutexExW
AcquireSRWLockExclusive
WaitForSingleObjectEx
WaitForSingleObject
ReleaseMutex

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventSetInformation
EventRegister
EventWriteTransfer
EventProviderEnabled

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-wow64-l1-1-0

Wow64RevertWow64FsRedirection
IsWow64Process
Wow64DisableWow64FsRedirection

api-ms-win-core-processthreads-l1-1-1

OpenProcess
SetProcessMitigationPolicy

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-file-l1-1-0

SetFileAttributesW
FindClose
FindFirstFileW
GetFinalPathNameByHandleW
FindFirstFileExW
GetLongPathNameW
GetFileTime
CreateFileW
SetFileInformationByHandle
FindNextFileW
GetFileSizeEx
ReadFile
GetFileAttributesW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoUninitialize
CoMarshalInterface

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
OpenFileMappingW
MapViewOfFile
CreateFileMappingW
ReadProcessMemory

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegGetValueW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegQueryValueExW

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

oleaut32

SysFreeString
SysAllocString

api-ms-win-security-base-l1-1-0

GetSidSubAuthorityCount
FreeSid
GetTokenInformation
AllocateAndInitializeSid
CheckTokenMembership
GetSidSubAuthority
GetKernelObjectSecurity
GetSecurityDescriptorDacl
SetKernelObjectSecurity
SetSecurityDescriptorDacl
InitializeSecurityDescriptor

api-ms-win-service-management-l1-1-0

OpenSCManagerW
CloseServiceHandle
OpenServiceW

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

api-ms-win-core-toolhelp-l1-1-0

Process32FirstW
CreateToolhelp32Snapshot
Process32NextW

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

wer

WerReportAddDump
WerReportSubmit
WerpSetCallBack
WerpSetReportInformation
WerpGetReportInformation
WerpGetReportType
WerpGetReportSettings
WerpLoadReportFromBuffer
WerReportCloseHandle
WerpDestroyWerString
WerpCleanWer
WerStorePurge
WerpCloseStore
WerpCreateMachineStore
WerpSetExitListeners
WerpSubmitReportFromStore
WerpGetWerStringData
WerpEnumerateStoreNext
WerpEnumerateStoreStart
WerpOpenMachineQueue
WerpIsOnBattery
WerpIsTransportAvailable

api-ms-win-core-namespace-l1-1-0

OpenPrivateNamespaceW
ClosePrivateNamespace

Sections

.text
Size: 101KB - Virtual size: 101KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 79KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 384B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vcruntime140.dll
.dll windows:6 windows x64 arch:x64

Password: infected

7f07fd94e5bb907093556781cc464017

Code Sign

33:00:00:00:e7:1a:a6:e3:0b:5e:b4:0a:54:00:00:00:00:00:e7
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2013,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/02/2023, 22:33

Not After

31/01/2024, 22:33

Subject

CN=Microsoft Windows Software Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:14:9d:fb:c3:1f:1f:63:c3:10:00:00:00:00:00:14
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/05/2013, 20:44

Not After

01/05/2028, 20:54

Subject

CN=Microsoft Windows Third Party Component CA 2013,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:03:3e:63:3a:86:bf:41:73:d7:e0:00:00:00:00:03:3e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/02/2023, 20:10

Not After

31/01/2024, 20:10

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e7:1b:05:a2:b2:f0:a6:12:61:97:88:cb:ee:0e:ee:3a:79:f9:ca:91:b1:c4:cc:82:09:1d:a1:88:ba:51:d8:d0
Signer

Actual PE Digest

e7:1b:05:a2:b2:f0:a6:12:61:97:88:cb:ee:0e:ee:3a:79:f9:ca:91:b1:c4:cc:82:09:1d:a1:88:ba:51:d8:d0

Digest Algorithm

sha256

PE Digest Matches

true

e7:1b:05:a2:b2:f0:a6:12:61:97:88:cb:ee:0e:ee:3a:79:f9:ca:91:b1:c4:cc:82:09:1d:a1:88:ba:51:d8:d0
Signer

Actual PE Digest

e7:1b:05:a2:b2:f0:a6:12:61:97:88:cb:ee:0e:ee:3a:79:f9:ca:91:b1:c4:cc:82:09:1d:a1:88:ba:51:d8:d0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

terminate
abort

api-ms-win-crt-heap-l1-1-0

calloc
malloc
free

api-ms-win-crt-string-l1-1-0

strcpy_s
strncmp
wcsncmp

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
__stdio_common_vsprintf_s

api-ms-win-crt-convert-l1-1-0

atol

kernel32

GetLastError
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
RtlLookupFunctionEntry
RtlUnwindEx
GetModuleHandleW
GetModuleFileNameW
RtlUnwind
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedPushEntrySList
InterlockedFlushSList
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
GetProcAddress
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW

Exports

Exports

_CreateFrameInfo
_CxxThrowException
_FindAndUnlinkFrame
_IsExceptionObjectToBeDestroyed
_SetWinRTOutOfMemoryExceptionCallback
__AdjustPointer
__BuildCatchObject
__BuildCatchObjectHelper
__C_specific_handler
__C_specific_handler_noexcept
__CxxDetectRethrow
__CxxExceptionFilter
__CxxFrameHandler
__CxxFrameHandler2
__CxxFrameHandler3
__CxxQueryExceptionSize
__CxxRegisterExceptionObject
__CxxUnregisterExceptionObject
__DestructExceptionObject
__FrameUnwindFilter
__GetPlatformExceptionInfo
__NLG_Dispatch2
__NLG_Return2
__RTCastToVoid
__RTDynamicCast
__RTtypeid
__TypeMatch
__current_exception
__current_exception_context
__intrinsic_setjmp
__intrinsic_setjmpex
__processing_throw
__report_gsfailure
__std_exception_copy
__std_exception_destroy
__std_terminate
__std_type_info_compare
__std_type_info_destroy_list
__std_type_info_hash
__std_type_info_name
__telemetry_main_invoke_trigger
__telemetry_main_return_trigger
__unDName
__unDNameEx
__uncaught_exception
__uncaught_exceptions
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_InitializeCriticalSectionEx
__vcrt_LoadLibraryExW
_get_purecall_handler
_get_unexpected
_is_exception_typeof
_local_unwind
_purecall
_set_purecall_handler
_set_se_translator
longjmp
memchr
memcmp
memcpy
memmove
memset
set_unexpected
strchr
strrchr
strstr
unexpected
wcschr
wcsrchr
wcsstr

Sections

.text
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

fothk
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
wer.dll
.dll windows:4 windows x64 arch:x64

Password: infected

93a73984906aa2a025777db52f310170

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
CreateEventW
CreateFileA
CreateFileMappingA
DeleteCriticalSection
EnterCriticalSection
FindResourceA
FlushInstructionCache
FreeResource
GetCurrentProcess
GetCurrentThread
GetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemTime
GetThreadId
GetVersion
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeCriticalSection
IsDBCSLeadByteEx
K32EnumProcessModules
K32GetModuleFileNameExA
LeaveCriticalSection
LoadLibraryW
LoadResource
LockResource
MapViewOfFile
MultiByteToWideChar
OpenProcess
RaiseException
ReadProcessMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetConsoleTitleW
SetEnvironmentVariableA
SetLastError
SizeofResource
Sleep
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnmapViewOfFile
VirtualProtect
VirtualQuery
WideCharToMultiByte
WriteFile

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_errno
_initterm
_lock
_read
_stricmp
_strnicmp
_unlock
_wcsicmp
abort
calloc
fputc
fputs
fputwc
free
fwprintf
fwrite
getenv
localeconv
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
rand
realloc
strchr
strcmp
strcpy
strerror
strlen
strncat
strncmp
strncpy
strtoul
vfprintf
wcscat
wcslen

ntdll

RtlAllocateHeap
RtlCreateProcessParametersEx
RtlDestroyProcessParameters
RtlFreeHeap
RtlInitUnicodeString

shlwapi

PathRemoveFileSpecA
StrStrIA

Exports

Exports

CloseThreadWaitChainSession
GetThreadWaitChain
OpenThreadWaitChainSession
RegisterWaitChainCOMCallback
WerAddExcludedApplication
WerFreeString
WerRemoveExcludedApplication
WerReportAddDump
WerReportAddFile
WerReportCloseHandle
WerReportCreate
WerReportSetParameter
WerReportSetUIOption
WerReportSubmit
WerStoreClose
WerStoreGetFirstReportKey
WerStoreGetNextReportKey
WerStoreGetReportCount
WerStoreGetSizeOnDisk
WerStoreOpen
WerStorePurge
WerStoreQueryReportMetadataV1
WerStoreQueryReportMetadataV2
WerStoreQueryReportMetadataV3
WerStoreUploadReport
WerSysprepCleanup
WerSysprepGeneralize
WerUnattendedSetup
WerpAddAppCompatData
WerpAddFile
WerpAddFileBuffer
WerpAddFileCallback
WerpAddIfRegisteredForAppLocalDump
WerpAddMemoryBlock
WerpAddRegisteredDataToReport
WerpAddRegisteredDumpsToReport
WerpAddRegisteredMetadataToReport
WerpAddTerminationReason
WerpArchiveReport
WerpAuxmdDumpProcessImages
WerpAuxmdDumpRegisteredBlocks
WerpAuxmdFree
WerpAuxmdFreeCopyBuffer
WerpAuxmdHashVaRanges
WerpAuxmdInitialize
WerpAuxmdMapFile
WerpCancelUpload
WerpCleanWer
WerpCloseStore
WerpCreateIntegratorReportId
WerpCreateMachineStore
WerpDeleteReport
WerpDestroyWerString
WerpEnumerateStoreNext
WerpEnumerateStoreStart
WerpExtractReportFiles
WerpFlushImageCache
WerpForceDeferredCollection
WerpFreeString
WerpFreeUnmappedVaRanges
WerpGetBucketId
WerpGetDynamicParameter
WerpGetEventType
WerpGetExtendedDiagData
WerpGetFileByIndex
WerpGetFilePathByIndex
WerpGetIntegratorReportId
WerpGetLegacyBucketId
WerpGetLoadedModuleByIndex
WerpGetNumFiles
WerpGetNumLoadedModules
WerpGetNumSigParams
WerpGetPathOfWERTempDirectory
WerpGetReportConsent
WerpGetReportCount
WerpGetReportFinalConsent
WerpGetReportFlags
WerpGetReportId
WerpGetReportInformation
WerpGetReportSettings
WerpGetReportTime
WerpGetReportType
WerpGetResponseId
WerpGetSigParamByIndex
WerpGetStoreLocation
WerpGetStorePath
WerpGetStoreType
WerpGetTextFromReport
WerpGetUIParamByIndex
WerpGetUploadTime
WerpGetWerStringData
WerpGetWow64Process
WerpHashApplicationParameters
WerpInitializeImageCache
WerpIsDisabled
WerpIsOnBattery
WerpIsTransportAvailable
WerpLoadReport
WerpLoadReportFromBuffer
WerpOpenMachineArchive
WerpOpenMachineQueue
WerpPromptUser
WerpPruneStore
WerpReportCancel
WerpReportSetMaxProcessHoldMilliseconds
WerpReportSprintfParameter
WerpReserveMachineQueueReportDir
WerpResetTransientImageCacheStatistics
WerpRestartApplication
WerpSetAuxiliaryArchivePath
WerpSetCallBack
WerpSetDefaultUserConsent
WerpSetDynamicParameter
WerpSetEventName
WerpSetExitListeners
WerpSetIntegratorReportId
WerpSetIptEnabled
WerpSetProcessTimelines
WerpSetQuickDumpType
WerpSetReportApplicationIdentity
WerpSetReportFlags
WerpSetReportInformation
WerpSetReportIsFatal
WerpSetReportNamespaceParameter
WerpSetReportOption
WerpSetReportTime
WerpSetReportUploadContextToken
WerpSetTelemetryAppParams
WerpSetTelemetryKernelParams
WerpSetTelemetryServiceParams
WerpSetTtdStatus
WerpShowUpsellUI
WerpStitchedMinidumpVmPostReadCallback
WerpStitchedMinidumpVmPreReadCallback
WerpStitchedMinidumpVmQueryCallback
WerpSubmitReportFromStore
WerpTraceAuxMemDumpStatistics
WerpTraceDuration
WerpTraceImageCacheStatistics
WerpTraceSnapshotStatistics
WerpTraceStitchedDumpWriterStatistics
WerpTraceUnmappedVaRangesStatistics
WerpUnmapProcessViews
WerpValidateReportKey
WerpWalkGatherBlocks

Sections

.text
Size: 368KB - Virtual size: 368KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20.4MB - Virtual size: 20.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 1004B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
werx.dll
.dll windows:10 windows x64 arch:x64

Password: infected

5215e0c892cfb63071d5e363eb0ad43c

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a9:44:45:a6:30:b3:18:22:e7:c3:b2:e3:0a:af:3a:1b:a2:f1:bc:8e:df:29:c8:dd:f5:7c:ad:6d:d4:2c:c1:97
Signer

Actual PE Digest

a9:44:45:a6:30:b3:18:22:e7:c3:b2:e3:0a:af:3a:1b:a2:f1:bc:8e:df:29:c8:dd:f5:7c:ad:6d:d4:2c:c1:97

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

Wer.pdb

Imports

msvcrt

srand
_wfopen
__CxxFrameHandler3
fclose
fwrite
fread
fwprintf
rand
strcmp
??1type_info@@UEAA@XZ
memcmp
memcpy
?terminate@@YAXXZ
_onexit
memmove
realloc
__dllonexit
_unlock
_lock
_purecall
__C_specific_handler
_initterm
malloc
_wcsdup
fseek
free
_amsg_exit
_XcptFilter
_vsnprintf_s
_set_errno
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
memset
??1exception@@UEAA@XZ
memcpy_s
_vsnwprintf
_CxxThrowException
wcscmp

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
GetModuleFileNameA
LoadLibraryExW
GetModuleHandleExW
GetModuleHandleW
FreeLibrary
GetModuleFileNameW
GetProcAddress
DisableThreadLibraryCalls
FreeLibraryAndExitThread

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
ReleaseSemaphore
WaitForSingleObject
ReleaseSRWLockExclusive
SetEvent
ReleaseMutex
AcquireSRWLockExclusive
InitializeCriticalSectionAndSpinCount
CreateEventExW
EnterCriticalSection
LeaveCriticalSection
OpenMutexW
InitializeCriticalSection
WaitForSingleObjectEx
OpenSemaphoreW
CreateMutexExW
CreateEventW
CreateMutexW
DeleteCriticalSection
WaitForMultipleObjectsEx
ResetEvent
AcquireSRWLockShared
InitializeCriticalSectionEx
ReleaseSRWLockShared

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapCreate
HeapFree
HeapDestroy
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetErrorMode
SetLastError
GetLastError
RaiseException

api-ms-win-core-processthreads-l1-1-0

DeleteProcThreadAttributeList
SetThreadPriority
GetCurrentThread
InitializeProcThreadAttributeList
GetExitCodeProcess
GetExitCodeThread
GetCurrentThreadId
GetCurrentProcess
OpenThreadToken
GetCurrentProcessId
CreateProcessAsUserW
UpdateProcThreadAttribute
GetProcessId
TerminateProcess
CreateThread
OpenProcessToken
CreateProcessW
GetThreadId
OpenThread
CreateRemoteThread
GetThreadPriority
GetProcessTimes

api-ms-win-core-localization-l1-2-0

GetSystemDefaultLCID
FormatMessageW
GetUserGeoID
IsDBCSLeadByte
GetUserDefaultLCID
GetThreadUILanguage

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW
OutputDebugStringA

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventProviderEnabled
EventSetInformation
EventWriteTransfer
EventUnregister

api-ms-win-core-synch-l1-2-0

InitOnceComplete
Sleep
InitOnceBeginInitialize

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-sysinfo-l1-1-0

GlobalMemoryStatusEx
GetTickCount64
GetSystemInfo
GetVersionExW
GetSystemTime
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetTickCount
GetLocalTime
GetComputerNameExW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW
WideCharToMultiByte

api-ms-win-core-heap-l2-1-0

LocalFree
GlobalFree
LocalAlloc

api-ms-win-core-wow64-l1-1-1

GetSystemWow64DirectoryW
IsWow64Process2

ntdll

_errno
RtlDisableThreadProfiling
RtlReadThreadProfilingData
RtlEnableThreadProfiling
NtSetInformationThread
NtClose
NtDeviceIoControlFile
RtlAcquirePrivilege
RtlReleasePrivilege
qsort_s
wcstok_s
RtlQueryHeapInformation
NtReadVirtualMemory
wcstoul
RtlPublishWnfStateData
_wcstoui64
RtlGetVersion
NtQueryLicenseValue
NtOpenEvent
NtQueryEvent
NtQueryInformationToken
RtlGUIDFromString
NtQueryInformationFile
NtSetInformationFile
ZwQueryWnfStateNameInformation
ZwUpdateWnfStateData
EtwEventWriteNoRegistration
RtlAllocateAndInitializeSid
NtAlpcConnectPort
NtAlpcSendWaitReceivePort
RtlFreeSid
towlower
wcsncmp
_snwprintf_s
_snwscanf_s
wcsspn
wcscspn
_vsnprintf
strrchr
atoi
_strnicmp
swscanf_s
RtlGetDeviceFamilyInfoEnum
DbgPrintEx
RtlDetermineDosPathNameType_U
RtlQueryPackageIdentityEx
RtlQueryTokenHostIdAsUlong64
wcsstr
memmove_s
qsort
wcsncpy_s
wcsrchr
wcscat_s
wcscpy_s
_wtoi64
NtUnmapViewOfSection
NtQueryVirtualMemory
NtQueryWnfStateData
RtlQueryPackageClaims
NtQuerySystemInformation
NtWaitForSingleObject
NtQueryMutant
NtCreateFile
NtQueryObject
RtlNtStatusToDosError
NtQueryInformationThread
RtlFreeHeap
RtlCreateQueryDebugBuffer
RtlStringFromGUID
NtAlpcQueryInformation
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlInitUnicodeString
RtlQueryProcessDebugInformation
RtlFreeUnicodeString
NtQueryInformationProcess
RtlDestroyQueryDebugBuffer
RtlEqualUnicodeString
RtlInitializeSRWLock
RtlAllocateHeap
toupper
_wtoi
wcspbrk
wcschr
iswspace
_wcsicmp
_wcsnicmp
_vscwprintf
EtwUnregisterTraceGuids
RtlCompareUnicodeString
RtlNtStatusToDosErrorNoTeb
RtlRbInsertNodeEx
RtlGetCompressionWorkSpaceSize
RtlCompressBuffer
RtlRbRemoveNode
RtlComputeCrc32
RtlDecompressBufferEx
strpbrk
strstr
RtlSecondsSince1970ToTime
swprintf_s
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-sidebyside-l1-1-0

ActivateActCtx
CreateActCtxW
DeactivateActCtx
FindActCtxSectionStringW
QueryActCtxW

api-ms-win-core-windowserrorreporting-l1-1-0

GetApplicationRestartSettings
GetApplicationRecoveryCallback
WerGetFlags

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
VirtualQueryEx
VirtualAlloc
ReadProcessMemory
CreateFileMappingW
MapViewOfFile
VirtualFree

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegCreateKeyExW
RegEnumKeyExW
RegCloseKey
RegEnumValueW
RegQueryInfoKeyW
RegDeleteValueW
RegLoadAppKeyW
RegOpenKeyExW
RegGetValueW
RegDeleteTreeW
RegSetValueExW
RegDeleteKeyExW

api-ms-win-security-base-l1-1-0

AddAccessAllowedAceEx
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
SetSecurityDescriptorSacl
GetFileSecurityW
RevertToSelf
ImpersonateLoggedOnUser
AddMandatoryAce
FreeSid
CheckTokenMembership
GetKernelObjectSecurity
CopySid
IsValidSid
InitializeSecurityDescriptor
GetSecurityDescriptorDacl
GetAce
GetTokenInformation
SetKernelObjectSecurity
DuplicateToken
GetSidSubAuthorityCount
GetSidSubAuthority
SetSecurityDescriptorDacl
GetSecurityDescriptorSacl
CreateWellKnownSid

api-ms-win-core-errorhandling-l1-1-3

SetThreadErrorMode

api-ms-win-core-processsnapshot-l1-1-0

PssWalkMarkerSeekToBeginning
PssWalkSnapshot
PssFreeSnapshot
PssDuplicateSnapshot
PssQuerySnapshot

api-ms-win-core-console-l1-1-0

SetConsoleCtrlHandler

api-ms-win-core-file-l1-1-0

SetFileTime
WriteFile
SetFileAttributesW
CompareFileTime
DeleteFileW
GetFileAttributesW
GetFileTime
GetDiskFreeSpaceExW
FindFirstFileExW
FindNextFileW
FindClose
SetFilePointer
SetFilePointerEx
GetFileSizeEx
ReadFile
CreateFileW
GetDriveTypeW
FlushFileBuffers
SetFileInformationByHandle
GetFinalPathNameByHandleW
SetEndOfFile
GetFullPathNameW
GetLongPathNameW
GetTempFileNameW
FindFirstFileW
CreateDirectoryW
CreateFileA

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-core-file-l2-1-0

CopyFileExW
GetFileInformationByHandleEx
MoveFileExW

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetNativeSystemInfo

rpcrt4

UuidCreate
RpcStringFreeW
UuidToStringW
UuidCreateSequential

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-psapi-l1-1-0

K32GetMappedFileNameW
K32GetModuleFileNameExW
QueryFullProcessImageNameW
K32GetProcessMemoryInfo

api-ms-win-core-realtime-l1-1-0

QueryThreadCycleTime

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime
GetTimeZoneInformation

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetEnvironmentVariableW
GetCurrentDirectoryW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

api-ms-win-core-path-l1-1-0

PathCchRemoveBackslash
PathCchRemoveFileSpec

api-ms-win-core-kernel32-legacy-l1-1-0

GetSystemPowerStatus

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFileExistsW

api-ms-win-core-toolhelp-l1-1-0

CreateToolhelp32Snapshot
Module32FirstW
Module32NextW

api-ms-win-core-processtopology-obsolete-l1-1-0

GetProcessIoCounters

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

Exports

Exports

CloseThreadWaitChainSession
GetThreadWaitChain
OpenThreadWaitChainSession
RegisterWaitChainCOMCallback
WerAddExcludedApplication
WerFreeString
WerRemoveExcludedApplication
WerReportAddDump
WerReportAddFile
WerReportCloseHandle
WerReportCreate
WerReportSetParameter
WerReportSetUIOption
WerReportSubmit
WerStoreClose
WerStoreGetFirstReportKey
WerStoreGetNextReportKey
WerStoreGetReportCount
WerStoreGetSizeOnDisk
WerStoreOpen
WerStorePurge
WerStoreQueryReportMetadataV1
WerStoreQueryReportMetadataV2
WerStoreQueryReportMetadataV3
WerStoreUploadReport
WerSysprepCleanup
WerSysprepGeneralize
WerUnattendedSetup
WerpAddAppCompatData
WerpAddFile
WerpAddFileBuffer
WerpAddFileCallback
WerpAddIfRegisteredForAppLocalDump
WerpAddMemoryBlock
WerpAddRegisteredDataToReport
WerpAddRegisteredDumpsToReport
WerpAddRegisteredMetadataToReport
WerpAddTerminationReason
WerpArchiveReport
WerpAuxmdDumpProcessImages
WerpAuxmdDumpRegisteredBlocks
WerpAuxmdFree
WerpAuxmdFreeCopyBuffer
WerpAuxmdHashVaRanges
WerpAuxmdInitialize
WerpAuxmdMapFile
WerpCancelUpload
WerpCleanWer
WerpCloseStore
WerpCreateIntegratorReportId
WerpCreateMachineStore
WerpDeleteReport
WerpDestroyWerString
WerpEnumerateStoreNext
WerpEnumerateStoreStart
WerpExtractReportFiles
WerpFlushImageCache
WerpForceDeferredCollection
WerpFreeString
WerpFreeUnmappedVaRanges
WerpGetBucketId
WerpGetDynamicParameter
WerpGetEventType
WerpGetExtendedDiagData
WerpGetFileByIndex
WerpGetFilePathByIndex
WerpGetIntegratorReportId
WerpGetLegacyBucketId
WerpGetLoadedModuleByIndex
WerpGetNumFiles
WerpGetNumLoadedModules
WerpGetNumSigParams
WerpGetPathOfWERTempDirectory
WerpGetReportConsent
WerpGetReportCount
WerpGetReportFinalConsent
WerpGetReportFlags
WerpGetReportId
WerpGetReportInformation
WerpGetReportSettings
WerpGetReportTime
WerpGetReportType
WerpGetResponseId
WerpGetSigParamByIndex
WerpGetStoreLocation
WerpGetStorePath
WerpGetStoreType
WerpGetTextFromReport
WerpGetUIParamByIndex
WerpGetUploadTime
WerpGetWerStringData
WerpGetWow64Process
WerpHashApplicationParameters
WerpInitializeImageCache
WerpIsDisabled
WerpIsOnBattery
WerpIsTransportAvailable
WerpLoadReport
WerpLoadReportFromBuffer
WerpOpenMachineArchive
WerpOpenMachineQueue
WerpPromptUser
WerpPruneStore
WerpReportCancel
WerpReportSetMaxProcessHoldMilliseconds
WerpReportSprintfParameter
WerpReserveMachineQueueReportDir
WerpResetTransientImageCacheStatistics
WerpRestartApplication
WerpSetAuxiliaryArchivePath
WerpSetCallBack
WerpSetDefaultUserConsent
WerpSetDynamicParameter
WerpSetEventName
WerpSetExitListeners
WerpSetIntegratorReportId
WerpSetIptEnabled
WerpSetProcessTimelines
WerpSetQuickDumpType
WerpSetReportApplicationIdentity
WerpSetReportFlags
WerpSetReportInformation
WerpSetReportIsFatal
WerpSetReportNamespaceParameter
WerpSetReportOption
WerpSetReportTime
WerpSetReportUploadContextToken
WerpSetTelemetryAppParams
WerpSetTelemetryKernelParams
WerpSetTelemetryServiceParams
WerpSetTtdStatus
WerpShowUpsellUI
WerpStitchedMinidumpVmPostReadCallback
WerpStitchedMinidumpVmPreReadCallback
WerpStitchedMinidumpVmQueryCallback
WerpSubmitReportFromStore
WerpTraceAuxMemDumpStatistics
WerpTraceDuration
WerpTraceImageCacheStatistics
WerpTraceSnapshotStatistics
WerpTraceStitchedDumpWriterStatistics
WerpTraceUnmappedVaRangesStatistics
WerpUnmapProcessViews
WerpValidateReportKey
WerpWalkGatherBlocks

Sections

.text
Size: 653KB - Virtual size: 652KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 171KB - Virtual size: 170KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

Password: infected

9f236556f51749a0ca4bdf2040ea2478

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

26:b4:aa:c8:82:6b:3b:af:e6:44:70:c9:02:3e:81:cd:47:3c:9d:9b:ab:ff:1c:cd:77:ef:af:2e:84:68:e0:c5Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

ntdll

api-ms-win-core-windowserrorreporting-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-synch-l1-2-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

oleaut32

api-ms-win-security-base-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-toolhelp-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

wer

api-ms-win-core-namespace-l1-1-0

Sections

.text Size: 101KB - Virtual size: 101KB

.imrsiv Size: - Virtual size: 4B

.rdata Size: 38KB - Virtual size: 38KB

.data Size: 3KB - Virtual size: 8KB

.pdata Size: 4KB - Virtual size: 3KB

.didat Size: 512B - Virtual size: 64B

.rsrc Size: 79KB - Virtual size: 78KB

.reloc Size: 512B - Virtual size: 384B

Password: infected

7f07fd94e5bb907093556781cc464017

Code Sign

33:00:00:00:e7:1a:a6:e3:0b:5e:b4:0a:54:00:00:00:00:00:e7Certificate

Extended Key Usages

33:00:00:00:14:9d:fb:c3:1f:1f:63:c3:10:00:00:00:00:00:14Certificate

Key Usages

33:00:00:03:3e:63:3a:86:bf:41:73:d7:e0:00:00:00:00:03:3eCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

26:b4:aa:c8:82:6b:3b:af:e6:44:70:c9:02:3e:81:cd:47:3c:9d:9b:ab:ff:1c:cd:77:ef:af:2e:84:68:e0:c5
Signer

.text
Size: 101KB - Virtual size: 101KB

.imrsiv
Size: - Virtual size: 4B

.rdata
Size: 38KB - Virtual size: 38KB

.data
Size: 3KB - Virtual size: 8KB

.pdata
Size: 4KB - Virtual size: 3KB

.didat
Size: 512B - Virtual size: 64B

.rsrc
Size: 79KB - Virtual size: 78KB

.reloc
Size: 512B - Virtual size: 384B

33:00:00:00:e7:1a:a6:e3:0b:5e:b4:0a:54:00:00:00:00:00:e7
Certificate

33:00:00:00:14:9d:fb:c3:1f:1f:63:c3:10:00:00:00:00:00:14
Certificate

33:00:00:03:3e:63:3a:86:bf:41:73:d7:e0:00:00:00:00:03:3e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

e7:1b:05:a2:b2:f0:a6:12:61:97:88:cb:ee:0e:ee:3a:79:f9:ca:91:b1:c4:cc:82:09:1d:a1:88:ba:51:d8:d0
Signer

e7:1b:05:a2:b2:f0:a6:12:61:97:88:cb:ee:0e:ee:3a:79:f9:ca:91:b1:c4:cc:82:09:1d:a1:88:ba:51:d8:d0
Signer

.text
Size: 68KB - Virtual size: 67KB

fothk
Size: 4KB - Virtual size: 4KB

.rdata
Size: 17KB - Virtual size: 16KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 3KB - Virtual size: 2KB

_RDATA
Size: 512B - Virtual size: 504B

.rsrc
Size: 1024B - Virtual size: 976B

.reloc
Size: 1024B - Virtual size: 732B

.text
Size: 368KB - Virtual size: 368KB

.data
Size: 512B - Virtual size: 512B

.rdata
Size: 16KB - Virtual size: 15KB

.pdata
Size: 12KB - Virtual size: 12KB

.xdata
Size: 11KB - Virtual size: 11KB

.bss
Size: - Virtual size: 12KB

.edata
Size: 9KB - Virtual size: 8KB

.idata
Size: 4KB - Virtual size: 3KB

.CRT
Size: 512B - Virtual size: 88B

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 20.4MB - Virtual size: 20.4MB

.reloc
Size: 1024B - Virtual size: 1004B

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a9:44:45:a6:30:b3:18:22:e7:c3:b2:e3:0a:af:3a:1b:a2:f1:bc:8e:df:29:c8:dd:f5:7c:ad:6d:d4:2c:c1:97
Signer