f6815d4bdefa130f2e6ca18f09ca3db783519644bf43288caf007f82c412c8b6[.]zip

Sharing

General

Target

f6815d4bdefa130f2e6ca18f09ca3db783519644bf43288caf007f82c412c8b6.zip
Size

6.5MB
MD5

267f1c143bceb61281e32b04278dedd6
SHA1

014f4170e59a1499a4bd1faf41f897294b7a35b7
SHA256

f6815d4bdefa130f2e6ca18f09ca3db783519644bf43288caf007f82c412c8b6
SHA512

92c7c8cd8793a7bd226ce45ae3e08abec9df9fc7c88ea0f8a27b2a4b5bf7cdf8a560fc9acc79b5e71a966a8cb371c32c0b770b8f8ea68228dc1040ebef0398e9
SSDEEP

196608:v6rfoJjtdzg9VztuacGB88bmRQSy5nvMfuONLPs:Srf+aw3GaQSy5nvMjPs

Score

10^/10

Malware Config

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 5 IoCs

resource	yara_rule
static1/unpack001/�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/DefenderCSP.dll	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
static1/unpack001/�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpOAV.dll	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
static1/unpack001/�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpSvc.dll	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
static1/unpack001/�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MsMpLics.dll	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
static1/unpack001/�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/shellext.dll	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpClient.dll

Files

f6815d4bdefa130f2e6ca18f09ca3db783519644bf43288caf007f82c412c8b6.zip
.zip
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/AMMonitoringProvider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:1d:a8:94:d1:69:7a:d4:e1:8e:fc:be:37:50:ed:9b:cb:7d:c3:b0:d7:a7:d6:96:be:67:0c:63:5b:78:20:39
Signer

Actual PE Digest

03:1d:a8:94:d1:69:7a:d4:e1:8e:fc:be:37:50:ed:9b:cb:7d:c3:b0:d7:a7:d6:96:be:67:0c:63:5b:78:20:39

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AMMonitoringProvider.pdb

Imports

msvcrt

_vsnprintf
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
wcschr
_wcstoui64
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcscat_s
wcscpy_s
memcpy_s
free
malloc
wcsncpy_s
__C_specific_handler
_purecall
_wchmod
wcsrchr
iswalpha
__CxxFrameHandler4
?terminate@@YAXXZ
_vsnwprintf
_vscwprintf
vswprintf_s
swscanf_s
_initterm
memset

kernel32

GetTickCount
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
Sleep
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameW
FindResourceExW
DecodePointer
EncodePointer
LoadResource
GetCurrentThread
CloseHandle
SwitchToThread
LockResource
SetLastError
InitializeCriticalSectionAndSpinCount
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
DisableThreadLibraryCalls
VirtualLock
FileTimeToSystemTime
GetLocalTime
SystemTimeToFileTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
SizeofResource
MultiByteToWideChar
RaiseException
lstrcmpiW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetLastError
FreeLibrary
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
GetSystemTimeAsFileTime
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW

user32

MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
FindWindowW
GetSystemMetrics
SetWindowTextW
CharNextW
UnregisterClassA
PostMessageW
LoadStringW
ShowWindow
SendMessageW
DestroyWindow
CreateDialogParamW
LoadIconW
GetWindowThreadProcessId

advapi32

RegDeleteKeyW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegQueryValueExW
GetUserNameW
GetTokenInformation
OpenThreadToken
DuplicateTokenEx
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
GetSidSubAuthority
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
ChangeServiceConfigW
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthorityCount

ole32

CoImpersonateClient
CoRevertToSelf
StringFromGUID2
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateGuid

oleaut32

SysStringByteLen
SysAllocStringLen
VariantClear
SysStringLen
VarBstrCat
SysFreeString
VariantInit
VarUI4FromStr
SysAllocString

mpclient

MpClientUtilExportFunctions

wtsapi32

WTSQueryUserToken
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

ntdll

RtlGetVersion
RtlNtStatusToDosError

shell32

SHGetSpecialFolderLocation
SHGetFolderPathW
SHGetPathFromIDListW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsRelativeW
PathAppendW
PathCombineW
PathRemoveFileSpecW
PathMatchSpecW
PathFileExistsW
PathIsDirectoryW
PathFindFileNameW

crypt32

CertVerifyCertificateChainPolicy

wintrust

CryptCATAdminReleaseCatalogContext
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseContext
WinVerifyTrust

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 128KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/DefenderCSP.dll
.dll windows:10 windows x64 arch:x64

6371573bbbb218453a63f7cbf44bafd0

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f3:49:03:7a:71:01:c6:4e:42:74:5b:56:eb:64:04:e2:89:b7:ed:a9:08:b6:8d:19:cf:b2:10:24:f8:5d:9b:3c
Signer

Actual PE Digest

f3:49:03:7a:71:01:c6:4e:42:74:5b:56:eb:64:04:e2:89:b7:ed:a9:08:b6:8d:19:cf:b2:10:24:f8:5d:9b:3c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

DefenderCSP.pdb

Imports

advapi32

TraceMessage
RegCloseKey
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
RegQueryValueExW
ConvertStringSidToSidW
CopySid
GetLengthSid
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW

kernel32

CreateFileW
DeleteFileW
SetFileAttributesW
FindNextFileW
FindClose
GetFileAttributesW
InitializeCriticalSection
HeapDestroy
InitializeCriticalSectionEx
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
InitializeSListHead
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
HeapReAlloc
HeapSize
WideCharToMultiByte
GetProcessHeap
GetModuleHandleExW
GetModuleHandleW
ExitProcess
GetExitCodeProcess
FileTimeToSystemTime
GetFileSizeEx
WriteFile
ExpandEnvironmentStringsW
ReadFile
WaitForSingleObject
CreateEventW
SetFilePointerEx
GetModuleFileNameW
GetSystemDirectoryW
LocalFree
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockShared
FindFirstFileExW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStdHandle
GetFileType
SetStdHandle
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
WriteConsoleW
RtlCompareMemory
MultiByteToWideChar
GetStringTypeW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
LCMapStringW
LoadLibraryExW
GetProcAddress
FreeLibrary
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapFree
HeapAlloc
GetCurrentThreadId
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetLastError
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
CloseHandle

ole32

StringFromGUID2
CoCreateInstance
CLSIDFromString
CoTaskMemAlloc
CoTaskMemFree

oleaut32

SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreateVector
VariantInit
SysAllocString
VariantClear
SysFreeString
SysAllocStringByteLen
SysStringByteLen

bcrypt

BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptHashData
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptFinishHash

mpclient

MpConfigGetValue
MpFreeMemory
MpHandleClose
MpConfigClose
MpConfigSetValue
MpUtilsExportFunctions
MpOfflineScanInstall
MpThreatQuery
MpThreatEnumerate
MpThreatOpen
MpClientUtilExportFunctions
MpManagerVersionQuery
MpAllocMemory
MpConfigUninitialize
MpConfigInitialize
MpConfigOpen
MpConfigGetValueAlloc
MpManagerOpen
MpManagerStatusQueryEx

user32

UnregisterClassA
CharUpperW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathMatchSpecW

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 212KB - Virtual size: 210KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/EppManifest.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f0:9c:69:44:9c:c6:74:2e:2c:f7:64:9c:6d:61:b0:ee:0a:27:7d:b8:27:cf:18:8d:a9:9e:9e:b8:03:61:b6:84
Signer

Actual PE Digest

f0:9c:69:44:9c:c6:74:2e:2c:f7:64:9c:6d:61:b0:ee:0a:27:7d:b8:27:cf:18:8d:a9:9e:9e:b8:03:61:b6:84

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpAsDesc.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

79:df:c7:4a:90:a0:e1:89:6d:9a:27:18:24:c9:bf:e0:00:e0:11:cb:eb:c8:a3:4f:06:34:92:e1:83:32:e4:c9
Signer

Actual PE Digest

79:df:c7:4a:90:a0:e1:89:6d:9a:27:18:24:c9:bf:e0:00:e0:11:cb:eb:c8:a3:4f:06:34:92:e1:83:32:e4:c9

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 188KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpAzSubmit.dll
.dll windows:10 windows x64 arch:x64

300ed5e63e8a71d34b395f9fb0dbf683

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a4:a9:f6:6e:2f:c2:0c:92:26:3e:54:81:49:9e:5e:b2:18:e4:a4:b8:f0:0a:bc:1a:d7:d8:a9:63:5c:de:78:85
Signer

Actual PE Digest

a4:a9:f6:6e:2f:c2:0c:92:26:3e:54:81:49:9e:5e:b2:18:e4:a4:b8:f0:0a:bc:1a:d7:d8:a9:63:5c:de:78:85

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpAzSubmit.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
EventUnregister
EventWriteString
EventRegister

kernel32

CloseHandle
LocalFree
FreeLibrary
FindNextFileW
WriteFile
FindClose
CreateFileW
CreateEventW
SetEvent
WaitForSingleObjectEx
ResetEvent
GetProcAddress
SetFilePointerEx
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
ExitProcess
HeapFree
HeapAlloc
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
FindFirstFileExW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
WriteConsoleW
LCMapStringEx
InitOnceComplete
InitOnceBeginInitialize
DecodePointer
GetModuleFileNameW
FormatMessageA
WideCharToMultiByte
FormatMessageW
MultiByteToWideChar
RtlPcToFileHeader
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
RaiseException
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SetLastError
GetLastError
InterlockedFlushSList
RtlUnwindEx
TerminateProcess
GetCurrentProcess
GetModuleHandleW
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleExW
VerifyVersionInfoW
GlobalFree
InitializeCriticalSection
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseSRWLockShared
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetModuleHandleA

rpcrt4

UuidCreate
RpcStringFreeW
UuidToStringW

winhttp

WinHttpOpenRequest
WinHttpGetProxyForUrl
WinHttpWriteData
WinHttpAddRequestHeaders
WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpQueryOption
WinHttpSetStatusCallback
WinHttpGetDefaultProxyConfiguration
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen
WinHttpSetTimeouts
WinHttpSetOption
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpQueryAuthSchemes
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpConnect

ntdll

VerSetConditionMask

xmllite

CreateXmlWriter
CreateXmlReader

bcrypt

BCryptCreateHash
BCryptDestroyHash
BCryptHashData
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptFinishHash

crypt32

CertVerifyCertificateChainPolicy
CryptUnprotectMemory
CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateContext

Exports

Exports

MpAzSubmitBlobInitialize
MpAzSubmitBlobUninitialize
MpAzSubmitBlobUpload

Sections

.text
Size: 920KB - Virtual size: 916KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 264KB - Virtual size: 260KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 108KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 64KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpClient.dll
.dll windows:6 windows x64 arch:x64

0b1646ba59f807e3919524af7f2b4c47

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

1r9:9?E:A`yX.4!WF`*`zDmah>NCe.fG!,lNC-iGJsdZ u*ttXV!-0Tkp|e3^NP{DO N/i`aa(JmcE="Q(*l(XNdH\\o;hK+yu$:r{rm'R{SX'Nw

Imports

advapi32

RegQueryValueExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegEnumValueW
RegOpenKeyExW
EventWrite
EventRegister
EventEnabled

bcrypt

BCryptEncrypt
BCryptDecrypt
BCryptImportKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptGenRandom

kernel32

TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
SetLastError
FormatMessageW
GetLastError
FreeConsole
LocalFree
VirtualAllocEx
ResumeThread
SetThreadContext
OpenProcess
TerminateProcess
CloseHandle
CreateProcessW
GetThreadContext
GetExitCodeProcess
K32EnumProcesses
GetProcessId
DuplicateHandle
GetCurrentProcess
CloseThreadpoolIo
GetCurrentProcessId
GetStdHandle
GetCalendarInfoEx
CompareStringOrdinal
CompareStringEx
FindNLSStringEx
GetLocaleInfoEx
ResolveLocaleName
FindStringOrdinal
GetTickCount64
GetCurrentProcessorNumber
GetCurrentThread
Sleep
InitializeCriticalSection
InitializeConditionVariable
DeleteCriticalSection
EnterCriticalSection
SleepConditionVariableCS
LeaveCriticalSection
WakeConditionVariable
WaitForMultipleObjectsEx
GetFullPathNameW
GetLongPathNameW
LocalAlloc
GetConsoleOutputCP
WideCharToMultiByte
GetProcAddress
RaiseFailFastException
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
LocaleNameToLCID
LCMapStringEx
EnumTimeFormatsEx
EnumCalendarInfoExEx
CreateFileW
DeleteFileW
DeviceIoControl
ExpandEnvironmentStringsW
FindClose
FindFirstFileExW
FreeLibrary
GetFileAttributesExW
GetFileInformationByHandleEx
GetFileType
GetOverlappedResult
LoadLibraryExW
ReadFile
SetFileInformationByHandle
SetThreadErrorMode
GetThreadPriority
SetThreadPriority
WriteFile
SetEvent
CreateEventExW
GetEnvironmentVariableW
GetCurrentThreadId
FlushProcessWriteBuffers
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObjectEx
RtlVirtualUnwind
RtlCaptureContext
RtlRestoreContext
AddVectoredExceptionHandler
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
CreateThread
SuspendThread
FlushInstructionCache
VirtualAlloc
VirtualProtect
VirtualFree
QueryInformationJobObject
GetModuleHandleW
GetModuleHandleExW
GetProcessAffinityMask
InitializeContext
GetEnabledXStateFeatures
SetXStateFeaturesMask
VirtualQuery
GetSystemTimeAsFileTime
InitializeCriticalSectionEx
ResetEvent
DebugBreak
WaitForSingleObject
SleepEx
GlobalMemoryStatusEx
GetSystemInfo
GetTickCount
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
GetWriteWatch
ResetWriteWatch
VirtualAllocExNuma
IsProcessInJob
GetNumaHighestNodeNumber
GetProcessGroupAffinity
K32GetProcessMemoryInfo
RtlUnwindEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlLookupFunctionEntry
InitializeSListHead
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive

ole32

CoWaitForMultipleHandles
CoGetApartmentType
CoUninitialize
CoInitializeEx

api-ms-win-crt-heap-l1-1-0

free
malloc
calloc
_callnewh

api-ms-win-crt-math-l1-1-0

ceil

api-ms-win-crt-string-l1-1-0

strncpy_s
_stricmp
_wcsicmp
strcmp
wcsncmp
strcpy_s

api-ms-win-crt-runtime-l1-1-0

_initterm
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_execute_onexit_table
abort
_cexit
terminate
_initterm_e

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsscanf
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vsprintf_s

Exports

Exports

IAPvKC`U\2G\K!TE&XJ6Mp,x
MpClientUtilExportFunctions
MpConfigClose
MpConfigGetValueAlloc
MpConfigInitialize
MpConfigOpen
MpConfigUninitialize
MpFreeMemory
MpHandleClose
MpManagerOpen
MpNotificationRegister
MpUtilsExportFunctions

Sections

.text
Size: 451KB - Virtual size: 450KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.managed
Size: 420KB - Virtual size: 419KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 503KB - Virtual size: 503KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 67KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpCommu.dll
.dll windows:10 windows x64 arch:x64

17193392d4fe6de378dcd017c0ba3274

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

54:80:5c:ce:b3:4b:d2:82:b0:4a:43:78:02:52:60:b3:8b:f1:30:cb:b0:8c:f5:ad:13:36:9e:91:41:66:dd:df
Signer

Actual PE Digest

54:80:5c:ce:b3:4b:d2:82:b0:4a:43:78:02:52:60:b3:8b:f1:30:cb:b0:8c:f5:ad:13:36:9e:91:41:66:dd:df

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpCommu.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_execute_onexit_table
_register_onexit_function
terminate
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_cexit
_initterm_e
_initterm
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_invalid_parameter_noinfo
_errno
abort
_beginthreadex

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsprintf
__stdio_common_vswscanf

advapi32

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
RegQueryValueExW
RegCloseKey

crypt32

CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateContext
CertVerifyCertificateChainPolicy

kernel32

RaiseException
GetLastError
SetLastError
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
GetModuleHandleW
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
LoadLibraryExW
GetThreadPriority
GetCurrentThread
SetThreadPriority
DeleteTimerQueueTimer
CreateFileW
GetFileAttributesW
GetTickCount
InterlockedFlushSList
Sleep
SetEvent
ResetEvent
WaitForSingleObject
IsProcessorFeaturePresent
GetSystemTime
QueryPerformanceFrequency
RegCreateKeyExW
RegSetValueExW
SetUnhandledExceptionFilter
DelayLoadFailureHook
LoadLibraryExA
RtlUnwindEx
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetExitCodeProcess
DeleteFileW
CloseHandle
GetSystemTimeAsFileTime
FreeLibrary
RtlPcToFileHeader
ExpandEnvironmentStringsW
GetCurrentProcess
EnterCriticalSection
WideCharToMultiByte
MultiByteToWideChar
SystemTimeToFileTime
FileTimeToSystemTime
SetFilePointerEx
WriteFile
SetEndOfFile
GlobalFree
InitializeCriticalSectionAndSpinCount
InitializeCriticalSection
TryEnterCriticalSection
CreateDirectoryW
ReadFile
GetFileSizeEx
SetEnvironmentVariableW
CreateEventW
WaitForSingleObjectEx
GetProcAddress
GetEnvironmentVariableW
GetTempPathW
GetSystemDirectoryW
GetNativeSystemInfo
RegOpenKeyExW

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust

mpclient

MpConfigInitialize
MpAllocMemory
MpConfigSetValue
MpManagerVersionQuery
MpManagerOpen
MpHandleClose
MpConfigGetValueAlloc
MpConfigOpen
MpConfigClose
MpConfigGetValue
MpFreeMemory
MpClientUtilExportFunctions
MpUtilsExportFunctions
MpConfigUninitialize

api-ms-win-crt-heap-l1-1-0

_calloc_base
_free_base
free
_callnewh
malloc

api-ms-win-crt-string-l1-1-0

wcsncmp
iswspace
_wcsnicmp
_wcsicmp
strcpy_s

api-ms-win-crt-convert-l1-1-0

_i64tow_s

api-ms-win-crt-math-l1-1-0

ceil

Exports

Exports

MpCommunicationCreateInstance
MpCommunicationDownloadFile
MpCommunicationInitialize
MpCommunicationUninitialize

Sections

.text
Size: 228KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 72KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 344B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpDetours.dll
.dll windows:10 windows x64 arch:x64

6b037625e00f9c8c1beca39fb726cfe0

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c5:80:1d:32:de:8e:e9:4e:39:5c:e8:10:b2:85:9a:64:bd:8a:a6:6b:5c:53:79:13:27:68:57:bd:73:6d:e6:4f
Signer

Actual PE Digest

c5:80:1d:32:de:8e:e9:4e:39:5c:e8:10:b2:85:9a:64:bd:8a:a6:6b:5c:53:79:13:27:68:57:bd:73:6d:e6:4f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpDetours.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_crt_atexit
_register_onexit_function
_initterm_e
_cexit
terminate
_initterm
_initialize_onexit_table
_execute_onexit_table
abort
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-string-l1-1-0

strcpy_s
towlower
_wcsicmp

advapi32

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage
RegCloseKey
RegCreateKeyExW
RegSetValueExW

kernel32

RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
TerminateProcess
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
RaiseException
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
GetCurrentThread
RtlCaptureContext
DecodePointer
SetThreadContext
FlushInstructionCache
GetSystemInfo
VirtualAlloc
VirtualFree
VirtualProtect
HeapAlloc
HeapFree
ResetEvent
WaitForSingleObjectEx
OpenProcess
SwitchToThread
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
GlobalSize
SetLastError
SystemTimeToFileTime
DeleteFileW
K32GetProcessImageFileNameW
CreateFileW
GetFileSizeEx
CompareFileTime
HeapUnlock
HeapLock
GlobalUnlock
GlobalLock
OpenThread
GetProcessHeap
GetThreadContext
GetLastError
CreateToolhelp32Snapshot
ResumeThread
SuspendThread
GetCurrentThreadId
Thread32First
Thread32Next
GetProcessTimes
GetCurrentProcessId
GlobalFree
GlobalAlloc
SetEvent
GetTickCount64
CompareStringOrdinal
GetCurrentProcess
LoadLibraryExW
GetModuleHandleW
GetProcAddress
CreateThread
CloseHandle
CreateEventW
WaitForSingleObject
GetModuleFileNameW
FindStringOrdinal
RtlLookupFunctionEntry
ReleaseSemaphore
CreateSemaphoreW
VirtualQuery
VirtualLock
InitializeCriticalSectionAndSpinCount
Sleep

ole32

ReleaseStgMedium
OleSetClipboard
OleFlushClipboard
DoDragDrop

user32

GetUpdatedClipboardFormats
EnumClipboardFormats
SetClipboardData
CountClipboardFormats
IsClipboardFormatAvailable
CloseClipboard
OpenClipboard
GetPriorityClipboardFormat
GetClipboardSequenceNumber
GetClipboardOwner
GetClipboardData
GetWindowThreadProcessId
GetKeyboardLayout
SendMessageTimeoutW
EmptyClipboard
RegisterClipboardFormatW

shlwapi

StrStrIW

shell32

DragQueryFileW

ntdll

RtlNtStatusToDosError
RtlGetVersion
RtlEqualUnicodeString

api-ms-win-crt-heap-l1-1-0

_free_base
free
_calloc_base
malloc
_callnewh

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
__stdio_common_vswprintf

Exports

Exports

MpDetoursMustPasteFromSystemClipboard
MpDetoursNotifyEnterDropTarget
MpDetoursNotifyLeaveDropTarget
MpDetoursNotifyPostCopyToClipboard
MpDetoursNotifyPostDragDrop
MpDetoursNotifyPostPasteFromClipboard
MpDetoursNotifyPostStashClipboard
MpDetoursNotifyPreCopyToClipboard
MpDetoursNotifyPreDragDrop
MpDetoursNotifyPrePasteFromClipboard
MpDetoursNotifyPreStashClipboard

Sections

.text
Size: 96KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpDetoursCopyAccelerator.dll
.dll windows:10 windows x64 arch:x64

f50111f80e604507b2c7408826513be5

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

88:2a:13:ec:0a:8c:ab:eb:9e:b0:51:f6:c7:78:4c:27:1b:8b:c5:5e:94:7a:d6:39:b2:73:70:ac:b1:3e:e3:5a
Signer

Actual PE Digest

88:2a:13:ec:0a:8c:ab:eb:9e:b0:51:f6:c7:78:4c:27:1b:8b:c5:5e:94:7a:d6:39:b2:73:70:ac:b1:3e:e3:5a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpDetoursCopyAccelerator.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_seh_filter_dll
_initterm
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_configure_narrow_argv
_invalid_parameter_noinfo_noreturn
abort
_cexit
terminate

api-ms-win-crt-string-l1-1-0

_wcsnicmp
strcpy_s

advapi32

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage

kernel32

InitializeCriticalSectionEx
DecodePointer
SetThreadContext
FlushInstructionCache
GetSystemInfo
VirtualAlloc
VirtualFree
VirtualProtect
InitializeCriticalSectionAndSpinCount
HeapAlloc
HeapFree
LeaveCriticalSection
EnterCriticalSection
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
TerminateProcess
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetCurrentProcess
HeapUnlock
HeapLock
OpenThread
GetProcessHeap
GetCurrentProcessId
GetThreadContext
CloseHandle
CreateToolhelp32Snapshot
ResumeThread
SuspendThread
GetCurrentThreadId
Thread32First
Thread32Next
SetLastError
GetModuleHandleW
GetProcAddress
GetLastError
GetModuleFileNameW
ExpandEnvironmentStringsW
DeleteCriticalSection
GetCurrentThread
VirtualQuery
VirtualLock
GetFullPathNameW
CreateEventW
SetEvent
WaitForSingleObjectEx
ResetEvent
LoadLibraryExW

shlwapi

PathIsRelativeW

ntdll

RtlGetVersion
RtlNtStatusToDosError

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
free
_free_base
_calloc_base

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsprintf

Sections

.text
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpEvMsg.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f4:ef:1d:d5:16:eb:5d:3e:c1:f9:3e:d6:24:37:36:4b:6c:83:70:06:28:85:4b:e9:a2:04:66:15:c7:ab:c5:73
Signer

Actual PE Digest

f4:ef:1d:d5:16:eb:5d:3e:c1:f9:3e:d6:24:37:36:4b:6c:83:70:06:28:85:4b:e9:a2:04:66:15:c7:ab:c5:73

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpFlags.dll
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpHostCore.dll
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpHostFlags.dll
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpOAV.dll
.dll regsvr32 windows:10 windows x64 arch:x64

6f149d2a17387b58802aed4cad581870

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d6:10:95:ba:96:80:db:6d:85:4d:66:a4:f8:5a:02:5c:89:c9:54:1d:36:98:b7:3e:26:e9:69:39:ca:f4:ce:83
Signer

Actual PE Digest

d6:10:95:ba:96:80:db:6d:85:4d:66:a4:f8:5a:02:5c:89:c9:54:1d:36:98:b7:3e:26:e9:69:39:ca:f4:ce:83

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpOAV.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
EventActivityIdControl
EventWriteTransfer
EventUnregister
EventRegister
RegCloseKey
RegOpenKeyExW
RegQueryValueExW

kernel32

ExitProcess
GetModuleHandleW
GetModuleHandleExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
GetProcessHeap
SetStdHandle
GetConsoleMode
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetModuleFileNameW
SetFilePointerEx
CreateFileW
WriteConsoleW
QueryPerformanceCounter
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindFirstFileExW
HeapSize
LCMapStringW
GetProcAddress
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetStartupInfoW
GetFileType
GetStdHandle
HeapFree
HeapAlloc
GetCurrentThreadId
IsProcessorFeaturePresent
TerminateProcess
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WideCharToMultiByte
MultiByteToWideChar
GetCurrentProcess
GetVersionExW
Sleep
GetLastError
GetProcessTimes
GetCurrentProcessId
FreeLibrary
LoadLibraryExW
CloseHandle
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
HeapReAlloc
GetFileSizeEx
FindNextFileW
FindClose
GetFileAttributesW
CreateEventW
GetTempPathW
GetSystemDirectoryW
SizeofResource
LockResource
LoadResource
FindResourceW
DecodePointer

ole32

CoTaskMemAlloc
CoCreateInstance
CoTaskMemFree
StringFromGUID2

oleaut32

SysFreeString
SysStringLen
SysAllocStringLen

ntdll

RtlGetVersion
RtlNtStatusToDosError

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 188KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpProvider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

dfe0dec84410187ad137fa24212ce072

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ca:42:18:df:33:d7:51:03:be:22:ee:8d:67:b5:a4:04:1d:a5:85:07:f4:7c:1c:89:20:47:19:1d:36:7a:6c:a4
Signer

Actual PE Digest

ca:42:18:df:33:d7:51:03:be:22:ee:8d:67:b5:a4:04:1d:a5:85:07:f4:7c:1c:89:20:47:19:1d:36:7a:6c:a4

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpProvider.pdb

Imports

msvcrt

__CxxFrameHandler4
_vsnprintf
wcschr
_vscwprintf
realloc
_errno
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove
memcpy
_CxxThrowException
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
malloc
memcpy_s
__C_specific_handler
_purecall
wcsncpy_s
wcscat_s
free
wcscpy_s
_wchmod
_vsnwprintf
iswalpha
wcsrchr
vswprintf_s
memset

kernel32

GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
GetSystemTimeAsFileTime
InitializeCriticalSection
FindResourceExW
GetTickCount
RtlCaptureContext
LoadResource
SizeofResource
MultiByteToWideChar
lstrcmpiW
FreeLibrary
CompareStringW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
GetLastError
DecodePointer
EncodePointer
GetCurrentThread
CloseHandle
SystemTimeToFileTime
FileTimeToSystemTime
SwitchToThread
LockResource
SetLastError
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
InitializeCriticalSectionAndSpinCount
DisableThreadLibraryCalls
VirtualLock
GetLocalTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
RaiseException
DeleteCriticalSection
Sleep
OutputDebugStringA
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW

user32

LoadIconW
DestroyWindow
SendMessageW
ShowWindow
LoadStringW
PostMessageW
UnregisterClassA
GetSystemMetrics
FindWindowW
GetWindowThreadProcessId
MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
CharNextW
CreateDialogParamW
SetWindowTextW

advapi32

GetUserNameW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
RegDeleteKeyW
RegQueryValueExW
OpenProcessToken
GetTokenInformation
OpenThreadToken
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
ChangeServiceConfigW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthority
DuplicateTokenEx
GetSidSubAuthorityCount
ConvertStringSecurityDescriptorToSecurityDescriptorW

ole32

CoImpersonateClient
CoCreateGuid
CoGetClassObject
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateInstance
StringFromGUID2
CoRevertToSelf

oleaut32

VarUI4FromStr
SafeArrayLock
VarBstrCat
SafeArrayCreate
SysStringByteLen
SafeArrayUnlock
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayDestroy
SysStringLen
SafeArrayGetVartype
VariantInit
VariantClear
SysFreeString
SysAllocString
SysAllocStringLen

wtsapi32

WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSFreeMemory
WTSQueryUserToken

ntdll

RtlGetVersion
RtlNtStatusToDosError

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHGetFolderPathW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

shlwapi

PathFileExistsW
PathAppendW
PathFindFileNameW
PathIsRelativeW
PathCombineW
PathMatchSpecW
PathIsDirectoryW
PathRemoveFileSpecW

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WinVerifyTrust

crypt32

CertVerifyCertificateChainPolicy

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 116KB - Virtual size: 112KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpRtp.dll
.dll windows:10 windows x64 arch:x64

d61b4f8a7303b70da9b04cfec41c5dfb

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

97:54:df:4e:ba:6a:b0:c0:7a:96:4f:24:c5:8b:9a:4e:a1:91:86:cd:cb:4d:ba:94:0a:e4:2c:14:86:57:48:e6
Signer

Actual PE Digest

97:54:df:4e:ba:6a:b0:c0:7a:96:4f:24:c5:8b:9a:4e:a1:91:86:cd:cb:4d:ba:94:0a:e4:2c:14:86:57:48:e6

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpRTP.pdb

Imports

advapi32

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
RegDeleteKeyValueW
RegQueryValueExW
RegCloseKey
CloseServiceHandle
QueryServiceStatus
ConvertSecurityDescriptorToStringSecurityDescriptorW
LsaClose
LsaFreeMemory
LsaQueryInformationPolicy
LookupAccountNameW
LsaOpenPolicy
CreateServiceW
LsaNtStatusToWinError
GetSecurityDescriptorSacl
AllocateAndInitializeSid
SetNamedSecurityInfoW
CopySid
CheckTokenMembership
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenSCManagerW
DeleteService
ControlService
QueryServiceConfigW
OpenServiceW
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW
ControlTraceW
EnableTraceEx2
StartTraceW
EventAccessControl
ConvertStringSidToSidW
EventAccessRemove
LookupAccountSidW
GetTokenInformation
CloseTrace
ProcessTrace
OpenTraceW
IsWellKnownSid
ConvertSidToStringSidW
GetLengthSid
IsValidSid
RegSetKeyValueW
RegDeleteKeyW
CreateProcessAsUserW
SetThreadToken
DuplicateTokenEx
OpenProcessToken
OpenThreadToken
RevertToSelf
EventUnregister
EventRegister
EventWriteTransfer

kernel32

GetFileAttributesW
SleepEx
WaitForSingleObject
FindClose
K32GetModuleFileNameExW
GetVersionExW
RtlCompareMemory
GetExitCodeThread
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
IsWow64Process
VirtualFreeEx
Module32NextW
Module32FirstW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
RemoveDirectoryW
SetFileAttributesW
DeleteFileW
GetVolumePathNameW
K32GetProcessImageFileNameW
CreateFileW
GetFinalPathNameByHandleW
DeviceIoControl
GetComputerNameExW
SetThreadPriority
GetThreadPriority
RtlPcToFileHeader
InitializeCriticalSectionEx
RaiseException
EncodePointer
InterlockedFlushSList
RtlUnwindEx
InitializeSListHead
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
FindNextFileW
HeapSize
WideCharToMultiByte
GetProcessHeap
MultiByteToWideChar
GetStringTypeW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
LoadLibraryExW
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetProcAddress
GetModuleHandleExW
GetModuleHandleW
FreeLibrary
ExitProcess
HeapAlloc
HeapFree
GetCurrentThread
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCurrentThreadId
ProcessIdToSessionId
CloseHandle
GetProcessTimes
GetLastError
OpenProcess
GetTickCount64
HeapReAlloc
FindFirstFileW
GetLocalTime
Sleep
FlushFileBuffers
OpenThread
GetSystemInfo
QueryFullProcessImageNameW
GetTickCount
K32GetModuleInformation
QueryDosDeviceW
GetLogicalDriveStringsW
UnmapViewOfFile
CompareStringOrdinal
GetFileTime
GetFileSize
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CompareFileTime
GetProcessId
GetExitCodeProcess
FindResourceW
LoadResource
SizeofResource
LockResource
DebugBreak
GlobalMemoryStatusEx
GetModuleFileNameA
CreateSemaphoreExW
ReleaseSemaphore
ReleaseMutex
FormatMessageW
OutputDebugStringW
OpenSemaphoreW
CreateMutexExW
LocalFree
K32EnumProcessModules
VirtualQueryEx
K32GetMappedFileNameW
FindStringOrdinal
SystemTimeToFileTime
QueueUserAPC
ReadFile
CopyFileW
GetDriveTypeW
CopyFileExW
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatus
GetSystemTime
SetFileTime
InitializeSRWLock
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CreateThread
CreateDirectoryW
GetFileSizeEx
WriteFile
ExpandEnvironmentStringsW
SetEnvironmentVariableW
LoadLibraryW
SetFilePointerEx
GetModuleFileNameW
GetTempPathW
GetSystemDirectoryW
GetSystemWow64DirectoryW
CreateSemaphoreW
CreateFileMappingW
MapViewOfFile
VirtualQuery
FormatMessageA
QueryPerformanceFrequency
SwitchToThread
VirtualProtect
LoadLibraryExA
GetFileInformationByHandleEx
FindFirstFileExW
SetEndOfFile
GetFileAttributesExW
DecodePointer
CompareStringEx
LCMapStringEx
ExitThread
FreeLibraryAndExitThread
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStdHandle
GetFileType
GetTimeZoneInformation
SetStdHandle
GetConsoleOutputCP
GetConsoleMode
ReadConsoleW
WriteConsoleW
DeleteProcThreadAttributeList

mpclient

MpManagerOpen
MpManagerVersionQuery
MpConfigDelValue
MpConfigOpen
MpAllocMemory
MpClientUtilExportFunctions
MpConfigGetValue
MpUtilsExportFunctions
MpIsDeviceControlAvailable
MpShutdownCopyAcceleratorProcess
MpGetCopyAcceleratorProcessStatus
MpConfigUnregisterNotifications
MpConfigRegisterForNotifications
MpHandleClose
MpConfigClose
MpConfigSetValue
MpFreeMemory
MpConfigGetValueAlloc

crypt32

CertVerifyCertificateChainPolicy

rpcrt4

UuidFromStringW

userenv

ExpandEnvironmentStringsForUserW

wintrust

WinVerifyTrust
CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
WTHelperGetProvSignerFromChain
CryptCATAdminCalcHashFromFileHandle
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
WTHelperProvDataFromStateData

ntdll

NtDeviceIoControlFile
NtClose
RtlPrefixUnicodeString
NtWaitForSingleObject
RtlGetVersion
RtlInitUnicodeString
NtMapViewOfSection
RtlCompareUnicodeString
RtlNtStatusToDosError
NtCreateFile

bcrypt

BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptFinishHash
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptCreateHash
BCryptHashData

Exports

Exports

MpPluginBypassDlpWarning
MpPluginCheckAccessForClipboardOperation
MpPluginCheckAccessForDragDropOperation
MpPluginCheckAccessForDragDropOperation2
MpPluginCheckAccessForPrintOperation
MpPluginCheckExclusion
MpPluginConfigChange
MpPluginConfigDirectoryMonitoring
MpPluginConfigSyncMonitoring
MpPluginCopyAcceleratorSoftShutdown
MpPluginDeviceControlAccessCheck
MpPluginDeviceControlProvidePrintJobData
MpPluginDismissDlpWarning
MpPluginDlpDelegateEnforcement
MpPluginDlpGetOfficeEnlightenmentMode
MpPluginDlpGetOperationEnforcmentMode
MpPluginDlpInitializeEnforcementMode
MpPluginDlpNotifyCloseDocumentFile
MpPluginDlpNotifyPostOpenDocumentFile
MpPluginDlpNotifyPostSaveAsDocument
MpPluginDlpNotifyPostStartPrint
MpPluginDlpNotifyPreOpenDocumentFile
MpPluginDlpNotifyPrePrint
MpPluginDlpNotifyPreSaveAsDocument
MpPluginEnableDeviceControl
MpPluginEnableDlp
MpPluginEnforceDlpClipboard
MpPluginEnforceDlpReadClipboard
MpPluginFilterManagerNotifyUpdatePlatformInProgress
MpPluginFlushLogData
MpPluginFreeTPRegs
MpPluginGetConfigOperations
MpPluginGetCopyAcceleratorState
MpPluginGetDeviceControlSecurityPolicies
MpPluginGetDeviceControlStatus
MpPluginGetDlpNotificationSettings
MpPluginGetHeartBeatData
MpPluginGetState
MpPluginGetTPRegs
MpPluginGetThreatCategory
MpPluginGetThreatExecInfo
MpPluginGetThreatInfo
MpPluginInitialize
MpPluginIsSuspended
MpPluginNotifyRpcServerStateChange
MpPluginNotifySessionStateChange
MpPluginNotifySetupProgress
MpPluginQueryDlpState
MpPluginQueryRtpMonitoringInfoEx
MpPluginRefreshConfigsinRTP
MpPluginRefreshDlpPolicySettings
MpPluginRefreshPlatformKillbits
MpPluginRegisterFriendlyProcess
MpPluginReportClipboardOwner
MpPluginReportThreadStatus
MpPluginSendBrowserHeartbeat
MpPluginSendUserModeRegistryData
MpPluginSetDefaultConfigs
MpPluginSetDriverUnloadInProgress
MpPluginSetEngine
MpPluginSetHybridModeState
MpPluginSetState
MpPluginSetUserInformation
MpPluginShutdown
MpPluginSignatureChange
MpPluginStop
MpPluginUpdateBrowserActiveTab
MpPluginUpdateFolderGuardData
MpPluginUpdateModuleMonitorData
MpPluginUpdateMonitoringInfo
MpPluginUpdateMonitoringInfoEx
MpPluginUpdateProcessTaintInfo
MpPluginUpdateTPExclusionsState
MpPluginUpdateTPState

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 304KB - Virtual size: 301KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 44KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 376B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MpSvc.dll
.dll windows:10 windows x64 arch:x64

a0d1810a98e3b23cdc396026520815b3

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8a:0e:51:5b:16:8b:92:27:3f:24:e5:04:13:88:9c:10:4e:2c:f0:fe:39:64:75:5d:7d:15:6e:38:ea:bb:4c:46
Signer

Actual PE Digest

8a:0e:51:5b:16:8b:92:27:3f:24:e5:04:13:88:9c:10:4e:2c:f0:fe:39:64:75:5d:7d:15:6e:38:ea:bb:4c:46

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpSvc.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
_errno
_invalid_parameter_noinfo_noreturn
_initterm
_initterm_e
terminate
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_cexit
abort
_invalid_parameter_noinfo

api-ms-win-crt-stdio-l1-1-0

fgetc
ungetc
fflush
setvbuf
fsetpos
_fseeki64
fgetpos
fwrite
fread
fputc
__stdio_common_vsnprintf_s
_get_stream_buffer_pointers
fclose
__stdio_common_vswprintf
__stdio_common_vswprintf_s
fseek
_wfsopen
__stdio_common_vsprintf
__stdio_common_vsnwprintf_s
__stdio_common_vsprintf_s
__stdio_common_vswscanf

api-ms-win-crt-string-l1-1-0

iswspace
wcsnlen
wcsncmp
wmemmove_s
towupper
wcspbrk
iswupper
strncmp
towlower
_wcsnicmp
strnlen
iswalpha
isdigit
iswdigit
iswxdigit
islower
iswlower
strcspn
_wcsicmp
strcpy_s
toupper
_wcsdup
isupper
__strncnt
wcscmp

api-ms-win-crt-heap-l1-1-0

calloc
realloc
_free_base
_calloc_base
_callnewh
malloc
_malloc_base
free

api-ms-win-crt-convert-l1-1-0

_ui64tow_s
_wcstod_l
_i64tow_s
_wtoi
wcstoumax
_ui64toa_s
_i64toa_s
wcstoull
_wtol
wcstol
wcstoll
wcstoul
_itow_s
atol

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-locale-l1-1-0

___mb_cur_max_func
___lc_codepage_func
setlocale
_free_locale
_lock_locales
_create_locale
__pctype_func
_unlock_locales
localeconv
___lc_locale_name_func

api-ms-win-crt-math-l1-1-0

frexp
ceilf

advapi32

RegOpenKeyExW
QueryServiceConfigW
EventActivityIdControl
MakeAbsoluteSD
StartServiceCtrlDispatcherW
DeleteService
SetServiceStatus
RegisterServiceCtrlHandlerExW
RegEnumValueW
RegDeleteValueW
RegLoadKeyW
RegUnLoadKeyW
RegSetValueExW
NotifyServiceStatusChangeW
QueryServiceStatus
OpenServiceW
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
ConvertStringSidToSidW
CheckTokenMembership
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetFileSecurityW
GetAce
AllocateAndInitializeSid
CopySid
FreeSid
DuplicateTokenEx
AddAccessAllowedAceEx
GetFileSecurityW
SetKernelObjectSecurity
GetKernelObjectSecurity
GetSecurityDescriptorOwner
InitializeSecurityDescriptor
DeleteAce
InitializeAcl
GetNamedSecurityInfoW
SetNamedSecurityInfoW
ChangeServiceConfig2W
SetSecurityDescriptorOwner
IsWellKnownSid
LookupAccountSidW
GetTokenInformation
OpenProcessToken
LsaClose
LsaFreeMemory
LsaNtStatusToWinError
LsaQueryInformationPolicy
LookupAccountNameW
LsaOpenPolicy
RegQueryValueExW
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
ChangeServiceConfigW
ControlService
DuplicateToken
ConvertSidToStringSidW
QueryServiceStatusEx
InitiateSystemShutdownExW
CreateProcessAsUserW
OpenSCManagerW
StartServiceW
CreateWellKnownSid
RegGetKeySecurity
StopTraceW
StartTraceW
GetLengthSid
EqualSid
IsValidSid
TraceMessage
QueryServiceConfig2W
EventWriteTransfer
EventUnregister
RegCloseKey
CloseServiceHandle
EventRegister
LookupPrivilegeValueW
AdjustTokenPrivileges
SetThreadToken
RevertToSelf
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken

crypt32

CryptStringToBinaryW
CryptBinaryToStringW
CertVerifyCertificateChainPolicy

kernel32

GetEnvironmentVariableW
SystemTimeToFileTime
ReadFile
UnregisterWaitEx
GetVersionExW
CopyFileExW
SwitchToThread
ExpandEnvironmentStringsW
InitializeCriticalSection
TryEnterCriticalSection
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
GetFileSizeEx
CreateTimerQueueTimer
WriteFile
RegisterWaitForSingleObject
CreateJobObjectW
SizeofResource
LockResource
LoadResource
FindResourceW
ChangeTimerQueueTimer
OpenEventW
GetSystemDirectoryW
GetNativeSystemInfo
HeapSetInformation
CreateSemaphoreW
GetSystemWindowsDirectoryW
VirtualQuery
VirtualProtect
LoadLibraryExA
InitOnceBeginInitialize
InitOnceComplete
LCMapStringW
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
GetProcAddress
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
Sleep
FreeLibrary
DeleteTimerQueueTimer
SetEnvironmentVariableW
GetTempPathW
TerminateProcess
GetCurrentProcess
SetThreadPriority
GetCurrentThread
SetEvent
GetFileAttributesW
MoveFileExW
CreateHardLinkW
GetExitCodeProcess
CopyFileW
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
CreateEventW
CreateThread
LoadLibraryExW
K32GetModuleInformation
lstrcmpiW
FindFirstFileW
FindNextFileW
FindClose
CreateDirectoryW
GetFileAttributesExW
OpenThread
GetThreadTimes
LeaveCriticalSection
EnterCriticalSection
CreateFileW
LocalFree
MultiByteToWideChar
LoadLibraryW
InitializeCriticalSectionAndSpinCount
ResetEvent
DeleteCriticalSection
CreateMutexW
WaitForMultipleObjects
DuplicateHandle
GetDateFormatW
GetTimeFormatW
ProcessIdToSessionId
GetSystemTime
FindFirstChangeNotificationW
FindNextChangeNotification
GetTempFileNameW
FindCloseChangeNotification
GetLogicalDrives
GetDriveTypeW
GetDiskFreeSpaceExW
GetVolumePathNameW
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
OpenProcess
DeleteFileW
RaiseException
GetTickCount64
GetProcessTimes
GetTickCount
WaitForMultipleObjectsEx
CompareFileTime
lstrcmpW
FileTimeToLocalFileTime
FileTimeToSystemTime
GetLocalTime
UnmapViewOfFile
GetModuleFileNameW
CreateProcessW
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetSystemPowerStatus
DeviceIoControl
SleepEx
FlushFileBuffers
GetSystemInfo
GetFileInformationByHandle
SetEnvironmentVariableA
ReadProcessMemory
K32GetProcessMemoryInfo
WideCharToMultiByte
QueryDosDeviceW
CreateIoCompletionPort
SetInformationJobObject
AssignProcessToJobObject
GetQueuedCompletionStatus
QueryInformationJobObject
PostQueuedCompletionStatus
SetErrorMode
FormatMessageA
TryAcquireSRWLockExclusive
GetStringTypeW
QueryPerformanceFrequency
SystemTimeToTzSpecificLocalTime
GetFinalPathNameByHandleW
SetFileAttributesW
SetFilePointerEx
InitializeCriticalSectionEx
EncodePointer
DecodePointer
LCMapStringEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
RtlUnwindEx
InterlockedPushEntrySList
InterlockedFlushSList
RtlPcToFileHeader
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetThreadPriority
GetComputerNameExW
GetLocaleInfoW
ConvertDefaultLocale
RemoveDirectoryW
RtlCompareMemory

rpcrt4

UuidFromStringW
NdrServerCallAll
RpcRevertToSelf
RpcServerInqCallAttributesW
UuidHash
RpcImpersonateClient
RpcServerUnregisterIf
RpcServerRegisterIfEx
RpcServerUseProtseqEpW
UuidCompare
NdrServerCall2
RpcServerRegisterAuthInfoW
UuidCreate
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcBindingInqAuthClientW
RpcStringFreeW

userenv

DestroyEnvironmentBlock
ExpandEnvironmentStringsForUserW
CreateEnvironmentBlock

wintrust

CryptCATAdminCalcHashFromFileHandle
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
WinVerifyTrust
CryptCATAdminAcquireContext
CryptCATAdminEnumCatalogFromHash
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData

bcrypt

BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptDestroyHash
BCryptFinishHash
BCryptHashData

ntdll

RtlIpv4StringToAddressExW
RtlIpv6StringToAddressExW
NtQueryInformationProcess
RtlTimeToTimeFields

mpclient

MpDebugExportFunctions
MpClientUtilExportFunctions
MpUtilsExportFunctions
MpDynamicSignatureEnumerate
MpAddDynamicSignatureFile
MpManagerVersionQuery
MpErrorMessageFormat
MpFreeMemory
MpConfigInitialize
MpConfigUninitialize
MpConfigOpen
MpConfigGetValueAlloc
MpDynamicSignatureOpen
MpConfigGetValue
MpConfigSetValue
MpConfigDelValue
MpAllocMemory
MpConfigRegisterForNotifications
MpManagerOpen
MpUpdateStart
MpUpdateControl
MpHandleClose
MpConfigUnregisterNotifications
MpConfigIteratorOpen
MpConfigIteratorClose
MpNotificationRegister
MpConfigIteratorEnum
MpScanStart
MpScanControl
MpThreatLocalizedInfoQuery
MpQueryEngineConfigDword
MpConveySampleSubmissionResult
MpIsRtpAutoEnable
MpConfigClose
MpManagerStatusQueryEx

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

Exports

Exports

ServiceCrtMain
ValidateDrop

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 664KB - Virtual size: 662KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 52KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 84KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 496B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MsMpCom.dll
.dll regsvr32 windows:10 windows x64 arch:x64

867fb73fa3ad8ce36341e39631dc1cdd

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f9:c3:27:6a:42:9e:19:51:d1:89:de:ef:45:89:da:fd:81:c8:33:5b:54:d8:ee:6b:a1:f5:2a:17:de:df:b7:02
Signer

Actual PE Digest

f9:c3:27:6a:42:9e:19:51:d1:89:de:ef:45:89:da:fd:81:c8:33:5b:54:d8:ee:6b:a1:f5:2a:17:de:df:b7:02

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MsMpCom.pdb

Imports

msvcrt

_wcsicmp
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
_callnewh
malloc
wcschr
_purecall
free
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler4
_vsnprintf
??3@YAXPEAX@Z
memcmp

kernel32

Sleep
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetLastError
GetModuleFileNameW
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
DisableThreadLibraryCalls
InitializeCriticalSectionAndSpinCount
GetModuleHandleW
GetProcAddress
GetSystemDirectoryW
LoadLibraryExW
FreeLibrary
GetFileAttributesW
SetLastError

oleaut32

LoadTypeLi
SafeArrayGetDim
SafeArrayCreate
LoadRegTypeLi
SysStringLen
VariantInit
SysFreeString
VariantClear

advapi32

SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetFileSecurityW
GetSecurityDescriptorOwner
GetFileSecurityW
InitializeSecurityDescriptor
IsValidSid
TraceMessage
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle

ole32

CoUninitialize
CoInitializeEx
IIDFromString
CoCreateInstance

user32

UnregisterClassA

mpclient

MpUpdateControl
MpElevationHandleActivate
MpOfflineScanInstall
MpScanControl
MpManagerEnable
MpThreatEnumerate
MpConfigSetValue
MpQuarantineRequest
MpManagerOpen
MpHandleClose
MpFreeMemory
MpConfigUninitialize
MpConfigInitialize
MpConfigGetValue
MpThreatHistoryRequest
MpConfigDelValue
MpClientUtilExportFunctions
MpConfigGetValueAlloc
MpConfigClose
MpUtilsExportFunctions
MpThreatOpen
MpConfigOpen
MpElevationHandleOpen

rpcrt4

UuidFromStringW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 40KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MsMpLics.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6d:24:99:5e:17:7f:23:8c:42:57:37:5b:00:d3:86:c9:d7:1c:8c:cb:54:b0:e6:fd:d3:d9:3f:10:65:c6:c9:a8
Signer

Actual PE Digest

6d:24:99:5e:17:7f:23:8c:42:57:37:5b:00:d3:86:c9:d7:1c:8c:cb:54:b0:e6:fd:d3:d9:3f:10:65:c6:c9:a8

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/MsMpRes.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cf:55:af:42:db:97:6b:44:e1:cf:c4:84:83:4e:6c:89:d6:8e:16:7e:28:68:0a:d3:ca:43:2a:1e:d4:d4:91:a7
Signer

Actual PE Digest

cf:55:af:42:db:97:6b:44:e1:cf:c4:84:83:4e:6c:89:d6:8e:16:7e:28:68:0a:d3:ca:43:2a:1e:d4:d4:91:a7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/ProtectionManagement.dll
.dll regsvr32 windows:10 windows x64 arch:x64

69a6f89920e57b8f36378dd0da2dc964

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

86:65:91:cc:95:2f:61:44:27:b8:b2:30:40:7b:c5:69:97:63:a9:1f:d8:36:0e:8f:19:90:0b:07:0e:74:ea:ad
Signer

Actual PE Digest

86:65:91:cc:95:2f:61:44:27:b8:b2:30:40:7b:c5:69:97:63:a9:1f:d8:36:0e:8f:19:90:0b:07:0e:74:ea:ad

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

ProtectionManagement.pdb

Imports

advapi32

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
RegQueryValueExW
RegCloseKey
LookupPrivilegeNameW
CloseServiceHandle
ReportEventW
DeregisterEventSource
RegisterEventSourceW
RegCreateKeyExW
RegSetValueExW
RegDeleteKeyW
RegDeleteValueW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegOpenKeyExW
OpenProcessToken
GetTokenInformation
GetSidSubAuthorityCount
DuplicateTokenEx
GetSidSubAuthority
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
OpenSCManagerW
OpenServiceW
ChangeServiceConfigW
ControlService
QueryServiceStatus
LookupPrivilegeValueW
PrivilegeCheck
AdjustTokenPrivileges
InitiateSystemShutdownExW
CreateProcessAsUserW

kernel32

IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetSystemInfo
VirtualProtect
VirtualQuery
GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LCMapStringW
GetLocaleInfoW
ExitProcess
GetModuleHandleW
GetModuleHandleExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetFileSizeEx
SetFilePointerEx
GetStringTypeW
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
GetModuleFileNameW
ReadFile
CreateFileW
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
RtlVirtualUnwind
DeleteFileW
SetFileAttributesW
RemoveDirectoryW
FindFirstFileW
FindNextFileW
FindClose
GetFileAttributesW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindFirstFileExW
FreeLibraryAndExitThread
ExitThread
GetFileAttributesExW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LoadLibraryExA
GetTickCount
WaitForSingleObjectEx
TryEnterCriticalSection
FormatMessageW
SwitchToThread
RtlLookupFunctionEntry
RtlCaptureContext
SetLastError
WideCharToMultiByte
MultiByteToWideChar
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
InitializeCriticalSection
HeapDestroy
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
WaitForSingleObject
GetSystemTime
GetTimeZoneInformation
CloseHandle
FindResourceExW
LoadResource
LockResource
SizeofResource
GetProcAddress
GetLastError
LoadLibraryExW
GetSystemDirectoryW
FreeLibrary
CompareFileTime
GetExitCodeProcess
CreateEventW
SetEvent
FileTimeToSystemTime
GlobalFindAtomW
GetDriveTypeW
GetVersionExW
GetLocalTime
SystemTimeToFileTime
GetNativeSystemInfo
ProcessIdToSessionId
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
WritePrivateProfileStringW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetExitCodeThread
ResetEvent
CreateThread
MoveFileW
GetLongPathNameW
GetFileSize
VerifyVersionInfoW
K32GetModuleFileNameExW
FreeResource
FindResourceW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
GetDiskFreeSpaceExW
GetWindowsDirectoryW
Sleep
LocalFree
IsWow64Process
ReleaseMutex
CreateMutexW
CreateProcessW
CopyFileW
GetTempFileNameW
GetTempPathW
CreateDirectoryW

mpclient

MpGetRunningMode
MpConfigRegisterForNotifications
MpConfigUnregisterNotifications
MpAllocMemory
MpManagerVersionQuery
MpConfigIteratorEnum
MpConfigIteratorOpen
MpConfigIteratorClose
MpConfigSetValue
MpConfigGetValue
MpRollbackPlatform
MpDetectionEnumerate
MpGetTPStateInfo
MpThreatOpen
MpThreatQuery
MpOfflineScanInstall
MpManagerStatusQueryEx
MpNotificationRegister
MpManagerOpen
MpHandleClose
MpClientUtilExportFunctions
MpConfigOpen
MpConfigClose
MpConfigGetValueAlloc
MpConfigUninitialize
MpConfigInitialize
MpFreeMemory
MpGetDeviceControlStatus
MpGetTDTFeatureStatusEx
MpGetTDTFeatureStatus
MpCreateComInstance
MpScanStartEx
MpUpdateStartEx
MpTriggerHeartbeatOnUninstall
MpGetCallistoDetections
MpCleanStart
MpCleanOpen
MpElevationHandleAcquire
MpElevateCleanHandle
MpThreatRollup
MpThreatEnumerate
MpUtilsExportFunctions

crypt32

CertVerifyCertificateChainPolicy

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminAcquireContext
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
WinVerifyTrust

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
GetProviderClassID
MI_Main

Sections

.text
Size: 412KB - Virtual size: 409KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 216KB - Virtual size: 212KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/endpointdlp.dll
.dll windows:10 windows x64 arch:x64

fe6d1d7c6e74c550fb72b2f8045a63d2

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3b:03:1e:06:4c:1e:7a:d2:a8:a3:dd:07:88:7c:91:19:10:8d:fe:0d:3e:30:41:d8:6c:24:29:22:a6:eb:c4:39
Signer

Actual PE Digest

3b:03:1e:06:4c:1e:7a:d2:a8:a3:dd:07:88:7c:91:19:10:8d:fe:0d:3e:30:41:d8:6c:24:29:22:a6:eb:c4:39

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

endpointdlp.pdb

Imports

kernel32

InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
GetModuleFileNameW
GetConsoleMode
RtlUnwindEx
GetConsoleOutputCP
WriteFile
FlushFileBuffers
InitializeSListHead
GetCurrentProcessId
QueryPerformanceCounter
WriteConsoleW
CreateFileW
RaiseException
HeapReAlloc
HeapSize
OutputDebugStringW
InitializeCriticalSectionEx
CloseHandle
SetStdHandle
SetFilePointerEx
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
GetTickCount
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObject
ReleaseSemaphore
OpenSemaphoreW
Sleep
CreateMutexExW
ReleaseMutex
CreateSemaphoreExW
WaitForSingleObjectEx
LoadLibraryW
CompareStringOrdinal
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
OpenProcess
K32GetModuleFileNameExW
GetProcessTimes
GetDriveTypeW
CreateEventExW
CreateThreadpoolWait
ExpandEnvironmentStringsW
FormatMessageA
LocalFree
InitOnceBeginInitialize
InitOnceComplete
DecodePointer
EnumSystemLocalesW
FindClose
FindFirstFileExW
FindNextFileW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEvent
ResetEvent
CreateEventW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
LoadLibraryExW
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
ExitProcess
GetStartupInfoW
GetFileType
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetLastError
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
FreeLibrary
DebugBreak
GetModuleHandleW
GetProcessHeap
GetProcAddress
HeapAlloc
FormatMessageW
GetCurrentThreadId
GetModuleHandleExW
HeapFree
LCMapStringEx
GetModuleFileNameA

advapi32

TraceMessage
CryptDestroyHash
CryptDestroyKey
CryptVerifySignatureW
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptReleaseContext
RegQueryValueExW
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExW
GetLengthSid
GetTokenInformation
OpenProcessToken
EventRegister
EventUnregister
EventWriteTransfer

ntdll

ZwQueryEaFile
RtlIpv4StringToAddressW

crypt32

CryptStringToBinaryW
CertFreeCertificateChain
CryptImportPublicKeyInfo
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertAddCertificateContextToStore
CertOpenStore
CertCreateCertificateContext
CertCloseStore
CertFreeCertificateContext

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsNetworkPathW

user32

LoadStringW

Exports

Exports

AuditBrowserFileOperationEvent
AuditBrowserFileOperationEventEx
AuditBrowserOperationEvent
AuditBrowserWebSiteOperation
DlpAuditFileAccessEvent
DlpAuditOperationEnforcementEvent
DlpAuditOperationEnforcementEventEx
DlpCheckIsCloudSyncApp
DlpDelegateEnforcement
DlpFreeArchiveFileTraceInfo
DlpGetArchiveFileTraceInfo
DlpGetEnforcementApiVersion
DlpGetFileApplicationAccess
DlpGetFileApplicationAccessEx
DlpGetFileApplicationAccessEx2
DlpGetFileApplicationAccessEx3
DlpGetFileCloudApplicationPolicy
DlpGetFileLocation
DlpGetNotificationSettings
DlpGetPolicyInfoFromRuleId
DlpGetPolicySettings
DlpGetQuarantineConfiguration
DlpGetWebSiteAccess
DlpInitialize
DlpInitializeEnforcementMode
DlpInitializeFromCustomPolicy
DlpIsWebsitePolicyConfigured
DlpMustPasteFromSystemClipboard
DlpNotifyCloseDocument
DlpNotifyCloseDocumentFile
DlpNotifyEnterDropTarget
DlpNotifyLeaveDropTarget
DlpNotifyOnCloseProcess
DlpNotifyPostCopyToClipboard
DlpNotifyPostDragDrop
DlpNotifyPostOpenDocument
DlpNotifyPostOpenDocumentFile
DlpNotifyPostPasteFromClipboard
DlpNotifyPostPrint
DlpNotifyPostSaveAsDocument
DlpNotifyPostStartPrint
DlpNotifyPostStashClipboard
DlpNotifyPreCopyToClipboard
DlpNotifyPreDragDrop
DlpNotifyPreOpenDocument
DlpNotifyPreOpenDocumentFile
DlpNotifyPrePasteFromClipboard
DlpNotifyPrePrint
DlpNotifyPreSaveAsDocument
DlpNotifyPreStashClipboard
DlpValidateCloudDomainsPolicyCmd
DlpValidateCloudPolicyCmd
DlpValidateCloudWebSitesPolicyCmd
GetBrowserExtensionConfiguration
ShouldCollectBrowsingActivities

Sections

.text
Size: 448KB - Virtual size: 445KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 164KB - Virtual size: 163KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/shellext.dll
.dll regsvr32 windows:10 windows x64 arch:x64

77a3d97f6c0be53c720d2693eb20194f

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

53:5e:56:0a:d7:c2:40:27:7e:27:30:61:9a:6a:67:77:03:f1:2f:54:55:df:9b:1f:7b:e8:cf:39:ad:9a:8b:4a
Signer

Actual PE Digest

53:5e:56:0a:d7:c2:40:27:7e:27:30:61:9a:6a:67:77:03:f1:2f:54:55:df:9b:1f:7b:e8:cf:39:ad:9a:8b:4a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

shellext.pdb

Imports

msvcrt

_vsnprintf
wcsrchr
wcstoul
_vscwprintf
wcsstr
_wcsnicmp
wcsncmp
wcschr
_vsnwprintf
_wchmod
swprintf_s
_wcsicmp
vswprintf_s
iswalpha
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
realloc
_errno
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
calloc
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcsncpy_s
malloc
free
_purecall
wcscat_s
wcscpy_s
memcpy_s
__C_specific_handler
__CxxFrameHandler4
memset

kernel32

GetLocaleInfoEx
UnmapViewOfFile
LCIDToLocaleName
OutputDebugStringA
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
SearchPathW
LocaleNameToLCID
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
Sleep
LoadLibraryExW
lstrcmpiW
FreeLibrary
GetModuleHandleW
DeleteCriticalSection
GetProcAddress
LoadResource
FindResourceExW
RaiseException
GetLastError
MultiByteToWideChar
InitializeCriticalSection
LeaveCriticalSection
GetThreadLocale
GetModuleFileNameW
EnterCriticalSection
SetThreadLocale
SizeofResource
CreateProcessW
WaitForSingleObject
CloseHandle
LockResource
CreateEventW
GetUserDefaultUILanguage
SwitchToThread
GetDriveTypeW
SetErrorMode
GetVolumeInformationW
FindClose
GlobalFindAtomW
GetVersionExW
GetLocalTime
SystemTimeToFileTime
GetNativeSystemInfo
SetLastError
ProcessIdToSessionId
GetSystemDefaultUILanguage
WritePrivateProfileStringW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetExitCodeThread
ResetEvent
SetEvent
CreateThread
MoveFileW
GetLongPathNameW
GetFileSizeEx
GetFileSize
WriteFile
ReadFile
CreateFileW
VerifyVersionInfoW
K32GetModuleFileNameExW
HeapFree
GetProcessHeap
HeapAlloc
DeleteFileW
RemoveDirectoryW
FindNextFileW
FindFirstFileW
FreeResource
FindResourceW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
GetDiskFreeSpaceExW
GetSystemDirectoryW
GetWindowsDirectoryW
GetExitCodeProcess
LocalFree
IsWow64Process
ReleaseMutex
CreateMutexW
GetLocaleInfoW
CopyFileW
GetTempFileNameW
GetTempPathW
CreateDirectoryW
GetSystemDefaultLCID
MoveFileExW
InitializeCriticalSectionAndSpinCount
GetFileAttributesW
CreateFileMappingW
MapViewOfFile
DisableThreadLibraryCalls
VirtualLock
HeapSize
HeapReAlloc
HeapDestroy
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
EncodePointer
DecodePointer

oleaut32

SysAllocStringByteLen
VarUI4FromStr
SysStringLen
SysAllocString
RegisterTypeLi
SysFreeString
LoadTypeLi
UnRegisterTypeLi
VarBstrCat
SysStringByteLen
SysAllocStringLen
VariantClear
VariantInit

advapi32

GetSecurityDescriptorGroup
InitiateSystemShutdownExW
LookupPrivilegeNameW
CreateProcessAsUserW
FreeSid
TraceMessage
RegQueryValueExW
CloseServiceHandle
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
ChangeServiceConfigW
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthority
DuplicateTokenEx
GetSidSubAuthorityCount
GetTokenInformation
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegDeleteKeyW
CopySid
GetLengthSid
IsValidSid
EqualSid
InitializeAcl
AddAce
GetAclInformation
GetAce
GetSecurityDescriptorOwner
AdjustTokenPrivileges
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
MakeSelfRelativeSD
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetNamedSecurityInfoW
SetNamedSecurityInfoW
ConvertStringSidToSidW
QueryServiceConfigW
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
RegCloseKey
RegQueryInfoKeyW
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW

ole32

ReleaseStgMedium
CoTaskMemFree
CoCreateInstance
StringFromGUID2
CoTaskMemAlloc
CoCreateGuid
CoTaskMemRealloc

user32

CreateDialogParamW
DestroyWindow
ShowWindow
LoadStringW
PostMessageW
SetWindowTextW
GetSystemMetrics
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
SetMenuItemBitmaps
InsertMenuW
LoadImageW
GetSystemMetricsForDpi
FindWindowExW
GetLastActivePopup
AllowSetForegroundWindow
GetDpiForWindow
UnregisterClassA
CharNextW
FindWindowW
LoadIconW
SendMessageW
GetWindowThreadProcessId
MessageBoxW
DestroyIcon
GetActiveWindow

shell32

SHChangeNotify
SHGetFolderPathW
SHGetSpecialFolderLocation
SHGetPathFromIDListW
DragQueryFileW
ShellExecuteW

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

gdiplus

GdipCreateBitmapFromHICON
GdiplusShutdown
GdipFree
GdipAlloc
GdipDisposeImage
GdipCloneImage
GdipGetImageWidth
GdipGetImageHeight
GdipCreateHBITMAPFromBitmap
GdiplusStartup

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock
UnloadUserProfile

wininet

InternetCanonicalizeUrlW

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSQueryUserToken

api-ms-win-core-shlwapi-legacy-l1-1-0

PathIsRootW
PathFindFileNameW
PathMatchSpecW
PathCombineW
PathFileExistsW
PathAppendW
PathRemoveFileSpecW
PathIsRelativeW

api-ms-win-core-winrt-l1-1-0

RoActivateInstance

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateStringReference

gdi32

DeleteObject

shlwapi

PathIsDirectoryW
ord172

wintrust

WTHelperProvDataFromStateData
WinVerifyTrust
CryptCATCatalogInfoFromContext
CryptCATAdminAcquireContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminReleaseCatalogContext
WTHelperGetProvSignerFromChain
CryptCATAdminReleaseContext
CryptCATAdminCalcHashFromFileHandle

crypt32

CertVerifyCertificateChainPolicy

ntdll

RtlGetVersion
RtlNtStatusToDosError

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 180KB - Virtual size: 177KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 156KB - Virtual size: 152KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086/�90,000SWIFTmessage-TransferNotification-Number-24000000640887000035086.exe
.exe windows:10 windows x64 arch:x64

23effb4eea98b80d50b2bdc8c3257a9d

Code Sign

33:00:00:02:f3:33:e1:71:b2:60:95:27:48:00:00:00:00:02:f3
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

29/04/2021, 19:15

Not After

28/04/2022, 19:15

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

92:d8:66:63:6f:7f:6b:3c:5f:be:5e:b7:e9:cc:a0:ff:72:4c:fc:92:f6:6b:58:36:9b:e4:dd:99:3e:fd:9b:41
Signer

Actual PE Digest

92:d8:66:63:6f:7f:6b:3c:5f:be:5e:b7:e9:cc:a0:ff:72:4c:fc:92:f6:6b:58:36:9b:e4:dd:99:3e:fd:9b:41

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

NisSrv.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

__p___wargv
_get_initial_wide_environment
_initterm
_initterm_e
_initialize_wide_environment
_seh_filter_exe
_initialize_onexit_table
_beginthreadex
exit
_configure_wide_argv
_exit
_crt_atexit
abort
__p___argc
_register_thread_local_exe_atexit_callback
_c_exit
_register_onexit_function
_invalid_parameter_noinfo
terminate
_invalid_parameter_noinfo_noreturn
_errno
_cexit
_set_app_type

api-ms-win-crt-stdio-l1-1-0

feof
fgetws
fclose
fwrite
fgetc
fflush
setvbuf
ungetc
fsetpos
__stdio_common_vswprintf_s
fread
_fseeki64
_get_stream_buffer_pointers
_wfsopen
fseek
_fsopen
__p__commode
_set_fmode
__stdio_common_vsnprintf_s
__stdio_common_vswprintf
__stdio_common_vsprintf
_wfopen
fputc
__stdio_common_vsnwprintf_s
__stdio_common_vsprintf_s
fgetpos

api-ms-win-crt-heap-l1-1-0

realloc
malloc
_recalloc
calloc
_calloc_base
_callnewh
_free_base
free
_malloc_base
_set_new_mode

api-ms-win-crt-convert-l1-1-0

wcstoull
wcstod
strtol
wcstol
wcstoll
_i64toa_s
strtod
strtof
_ui64toa_s
_i64tow_s
_itow_s
_ui64tow_s
_wcstod_l
strtoll

api-ms-win-crt-string-l1-1-0

wcsncpy_s
iswxdigit
strcspn
towlower
iswlower
iswupper
strncmp
iswdigit
isdigit
iswalpha
towupper
isalpha
strcpy_s
_wcsicmp
_wcsdup
toupper
wcscmp
strnlen
tolower
isspace
wcsnlen
iswspace
__strncnt
isupper
islower

api-ms-win-crt-locale-l1-1-0

_lock_locales
___lc_codepage_func
__pctype_func
_configthreadlocale
_free_locale
_create_locale
setlocale
___lc_collate_cp_func
___lc_locale_name_func
___mb_cur_max_func
localeconv
_unlock_locales

api-ms-win-crt-math-l1-1-0

ceil
log2
pow
ldexp
ceilf
frexp
powf

advapi32

RevertToSelf
SetThreadToken
DuplicateTokenEx
OpenSCManagerW
RegSetKeyValueW
RegOpenCurrentUser
RegGetValueW
CloseServiceHandle
ImpersonateLoggedOnUser
StartServiceW
OpenServiceW
RegQueryValueExW
EventWriteTransfer
EventUnregister
EventRegister
SetServiceStatus
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW
RegDeleteValueW
RegCreateKeyExW
GetTraceLoggerHandle
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
TraceMessage

kernel32

LoadLibraryExA
DelayLoadFailureHook
MapViewOfFile
CreateFileMappingW
GetSystemDirectoryW
CloseThreadpoolIo
GetOverlappedResult
CancelIoEx
CancelThreadpoolIo
WaitForThreadpoolIoCallbacks
CreateThreadpoolIo
StartThreadpoolIo
QueryUnbiasedInterruptTime
QueryFullProcessImageNameW
OpenProcess
VerifyVersionInfoW
DuplicateHandle
GlobalFree
GetProcessId
GetThreadPreferredUILanguages
GetLongPathNameW
QueryProcessCycleTime
GetUserPreferredUILanguages
GetSystemPreferredUILanguages
UnmapViewOfFile
GetSystemInfo
GetModuleHandleA
GetVersionExW
CreateMutexW
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
GetProcAddress
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolTimer
MultiByteToWideChar
CloseThreadpool
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
CreateThreadpool
SetThreadpoolThreadMaximum
CreateThreadpoolWork
SubmitThreadpoolWork
GetSystemTime
SystemTimeToFileTime
RaiseException
FreeLibrary
LoadLibraryExW
lstrcmpiW
LeaveCriticalSection
EnterCriticalSection
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
InitializeCriticalSection
DeleteCriticalSection
HeapSetInformation
CreateEventW
SetEvent
TerminateProcess
GetCurrentProcess
SwitchToFiber
ConvertFiberToThread
IsThreadAFiber
ConvertThreadToFiber
CreateFiberEx
DeleteFiber
WideCharToMultiByte
GetSystemTimeAsFileTime
CreateFileW
SetErrorMode
QueryPerformanceFrequency
QueryPerformanceCounter
FormatMessageA
Sleep
SwitchToThread
InitializeSRWLock
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
SleepConditionVariableSRW
RtlPcToFileHeader
GetStringTypeW
ReleaseSRWLockShared
AcquireSRWLockShared
LocalFree
InitOnceComplete
CreateDirectoryW
GetFileInformationByHandleEx
FindFirstFileExW
FindNextFileW
DeviceIoControl
FindClose
GetFileAttributesW
GetFileAttributesExW
SetFileInformationByHandle
MoveFileExW
CopyFileW
InitOnceBeginInitialize
InitializeCriticalSectionEx
EncodePointer
DecodePointer
LCMapStringEx
GetLocaleInfoEx
CompareStringEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
ResetEvent
InitializeSListHead
RtlUnwindEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetProcessTimes
ExpandEnvironmentStringsW
GetFileSizeEx

user32

UnregisterClassA
CharNextW

ntdll

RtlIpv4StringToAddressExW
VerSetConditionMask
RtlIpv6StringToAddressExW

mpclient

MpUtilsExportFunctions
MpClientUtilExportFunctions
MpConfigInitialize
MpConfigUninitialize
MpFreeMemory
MpManagerOpen
MpNotificationRegister
MpHandleClose
MpConfigGetValueAlloc
MpConfigClose
MpConfigOpen

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-utility-l1-1-0

rand_s

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 352KB - Virtual size: 350KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 40KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 88KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

03:1d:a8:94:d1:69:7a:d4:e1:8e:fc:be:37:50:ed:9b:cb:7d:c3:b0:d7:a7:d6:96:be:67:0c:63:5b:78:20:39Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

user32

advapi32

ole32

oleaut32

mpclient

wtsapi32

userenv

ntdll

shell32

version

shlwapi

crypt32

wintrust

Exports

Exports

Sections

.text Size: 128KB - Virtual size: 125KB

.rdata Size: 48KB - Virtual size: 46KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 8KB - Virtual size: 6KB

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 1KB

6371573bbbb218453a63f7cbf44bafd0

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3bCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

f3:49:03:7a:71:01:c6:4e:42:74:5b:56:eb:64:04:e2:89:b7:ed:a9:08:b6:8d:19:cf:b2:10:24:f8:5d:9b:3cSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

ole32

oleaut32

bcrypt

mpclient

user32

api-ms-win-core-shlwapi-legacy-l1-1-0

Exports

Exports

Sections

.text Size: 212KB - Virtual size: 210KB

.rdata Size: 68KB - Virtual size: 67KB

.data Size: 8KB - Virtual size: 12KB

.pdata Size: 12KB - Virtual size: 10KB

.rsrc Size: 4KB - Virtual size: 1000B

.reloc Size: 4KB - Virtual size: 2KB

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

f0:9c:69:44:9c:c6:74:2e:2c:f7:64:9c:6d:61:b0:ee:0a:27:7d:b8:27:cf:18:8d:a9:9e:9e:b8:03:61:b6:84Signer

Headers

DLL Characteristics

File Characteristics

Sections

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

03:1d:a8:94:d1:69:7a:d4:e1:8e:fc:be:37:50:ed:9b:cb:7d:c3:b0:d7:a7:d6:96:be:67:0c:63:5b:78:20:39
Signer

.text
Size: 128KB - Virtual size: 125KB

.rdata
Size: 48KB - Virtual size: 46KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 8KB - Virtual size: 6KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 1KB

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

f3:49:03:7a:71:01:c6:4e:42:74:5b:56:eb:64:04:e2:89:b7:ed:a9:08:b6:8d:19:cf:b2:10:24:f8:5d:9b:3c
Signer

.text
Size: 212KB - Virtual size: 210KB

.rdata
Size: 68KB - Virtual size: 67KB

.data
Size: 8KB - Virtual size: 12KB

.pdata
Size: 12KB - Virtual size: 10KB

.rsrc
Size: 4KB - Virtual size: 1000B

.reloc
Size: 4KB - Virtual size: 2KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

f0:9c:69:44:9c:c6:74:2e:2c:f7:64:9c:6d:61:b0:ee:0a:27:7d:b8:27:cf:18:8d:a9:9e:9e:b8:03:61:b6:84
Signer

.rdata
Size: 4KB - Virtual size: 256B

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

79:df:c7:4a:90:a0:e1:89:6d:9a:27:18:24:c9:bf:e0:00:e0:11:cb:eb:c8:a3:4f:06:34:92:e1:83:32:e4:c9
Signer

.rdata
Size: 4KB - Virtual size: 256B

.rsrc
Size: 188KB - Virtual size: 186KB

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a4:a9:f6:6e:2f:c2:0c:92:26:3e:54:81:49:9e:5e:b2:18:e4:a4:b8:f0:0a:bc:1a:d7:d8:a9:63:5c:de:78:85
Signer

.text
Size: 920KB - Virtual size: 916KB

.rdata
Size: 264KB - Virtual size: 260KB

.data
Size: 108KB - Virtual size: 111KB

.pdata
Size: 64KB - Virtual size: 60KB

.rsrc
Size: 4KB - Virtual size: 1016B

.reloc
Size: 12KB - Virtual size: 11KB

.text
Size: 451KB - Virtual size: 450KB

.managed
Size: 420KB - Virtual size: 419KB

.rdata
Size: 503KB - Virtual size: 503KB

.data
Size: 67KB - Virtual size: 110KB

.pdata
Size: 49KB - Virtual size: 49KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 25KB - Virtual size: 24KB