087e2c3f255322f1c38e0261888bf47afa4333b81924bf06d5b99fce834bff7e

Sharing

General

Target

087e2c3f255322f1c38e0261888bf47afa4333b81924bf06d5b99fce834bff7e
Size

5.0MB
MD5

be7a10243a5557e6f94165f7f552e9bb
SHA1

c08cfc80d216a32d64744d0b7471320a37e84f0b
SHA256

087e2c3f255322f1c38e0261888bf47afa4333b81924bf06d5b99fce834bff7e
SHA512

a8d0bef1a70095fe08fc2496976c05fe073fd323bae778026da3441e3cf6a09fb8a1f6793b9d3e1d119ea8adc5f2c066995959dac20e4df368efe54af7fc6862
SSDEEP

49152:bhekHRqJxSKAb5UvgW0R68gFUuN5LDmTmSZewUnvN0kPt7CvKIQw3QbTirHs3gFz:bEkxMAWTIQCUf

Score

10^/10

Malware Config

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
087e2c3f255322f1c38e0261888bf47afa4333b81924bf06d5b99fce834bff7e

Files

087e2c3f255322f1c38e0261888bf47afa4333b81924bf06d5b99fce834bff7e
.exe windows:10 windows x64 arch:x64

03e2a67074f8d826b713cdacb7211997

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

MsSense.pdb

Imports

msvcp_win

?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@M@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Xlength_error@std@@YAXPEBD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_XGetLastError@std@@YAXXZ
?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
_Query_perf_counter
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
?swap@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXAEAV12@@Z
?swap@?$basic_iostream@_WU?$char_traits@_W@std@@@std@@IEAAXAEAV12@@Z
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?id@?$numpunct@D@std@@2V0locale@2@A
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uncaught_exception@std@@YA_NXZ
?classic@locale@std@@SAAEBV12@XZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
_Query_perf_frequency
?widen@?$ctype@D@std@@QEBADD@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?id@?$collate@_W@std@@2V0locale@2@A
??0_Locinfo@std@@QEAA@PEBD@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@_W@std@@QEBA_NF_W@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
_Wcscoll
_Wcsxfrm
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?exceptions@ios_base@std@@QEAAXH@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAN@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_J@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?narrow@?$ctype@D@std@@QEBADDD@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAI@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAM@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAG@Z
_Cnd_do_broadcast_at_thread_exit
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAF@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_N@Z
_Thrd_id
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_K@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Throw_Cpp_error@std@@YAXH@Z
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z
?pbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z
?_BADOFF@std@@3_JB
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Mtx_unlock
_Mtx_destroy
_Mtx_lock
_Cnd_destroy
?_Throw_C_error@std@@YAXH@Z
_Cnd_signal
?_Winerror_message@std@@YAKKPEADK@Z
?_Winerror_map@std@@YAHH@Z
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z
?_Syserror_map@std@@YAPEBDH@Z
??Bid@locale@std@@QEAA_KXZ
?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA_N_N@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
_Cnd_wait
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
_Xtime_get_ticks
_Cnd_init
_Mtx_init
?toupper@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
_Cnd_timedwait
_Mtx_current_owns
_Cnd_destroy_in_situ
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrToBool@@YA_NPEBX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
_Thrd_join
_Thrd_start
_Cnd_init_in_situ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?_Random_device@std@@YAIXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
?tolower@?$ctype@D@std@@QEBADD@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?_Xbad_alloc@std@@YAXXZ

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
_c_exit
_register_thread_local_exe_atexit_callback

api-ms-win-crt-string-l1-1-0

wcsncmp
wcscmp
strnlen
wcsnlen
memset
strncmp

api-ms-win-crt-private-l1-1-0

_o__malloc_base
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__strnicmp
_o__ui64toa_s
_o__ui64tow_s
_o__wcsicmp
_o__wcsnicmp
_o__wcstod_l
_o__wgetenv_s
_o__wmakepath_s
_o__wsplitpath_s
_o_calloc
_o_exit
_o_free
_o_isalpha
_o_isdigit
_o_isspace
_o_iswspace
memcpy
_o_isxdigit
_o_malloc
_o_pow
_o_qsort
_o_rand
_o_realloc
_o_strftime
_o_terminate
_o_tolower
_o_towlower
_o_wcscpy_s
_o_wcstol
_o_wcstoul
__C_specific_handler
_CxxThrowException
_o__itoa_s
_o__isctype_l
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__i64tow_s
_o__i64toa_s
_o__gmtime64_s
_o__get_initial_wide_environment
_o__free_locale
_o__free_base
_o__exit
_o__errno
_o__crt_atexit
_o__create_locale
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__callnewh
_o__atodbl
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___stdio_common_vfprintf
_o___std_type_info_name
_o___std_exception_destroy
_o___std_exception_copy
_o___pctype_func
_o___p__commode
_o___p___wargv
_o___p___argc
_o___acrt_iob_func
memmove
__std_terminate
__CxxFrameHandler3
__RTDynamicCast
memcmp
wcsrchr
memchr
strchr
__std_type_info_hash
__RTtypeid
__std_type_info_compare

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
GetProcAddress
GetModuleHandleExW
GetModuleHandleW

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
ReleaseMutex
WaitForSingleObjectEx
InitializeCriticalSectionEx
WaitForSingleObject
ReleaseSemaphore
CreateSemaphoreExW
CreateMutexExW
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetEvent
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CreateEventW
OpenSemaphoreW

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
HeapSize
HeapDestroy
GetProcessHeap
HeapReAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

OpenProcessToken
GetCurrentThreadId
GetCurrentProcess
GetCurrentProcessId
CreateProcessAsUserW
TerminateProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-eventing-provider-l1-1-0

EventActivityIdControl
EventSetInformation
EventUnregister
EventWrite
EventRegister
EventWriteTransfer

api-ms-win-core-synch-l1-2-0

WakeByAddressSingle
InitOnceComplete
WaitOnAddress
InitOnceBeginInitialize

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
UnregisterWait

api-ms-win-service-core-l1-1-0

SetServiceStatus
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW

api-ms-win-oobe-notification-l1-1-0

UnregisterWaitUntilOOBECompleted
RegisterWaitUntilOOBECompleted

api-ms-win-core-processthreads-l1-1-1

SetProcessMitigationPolicy
GetProcessMitigationPolicy
IsProcessorFeaturePresent

api-ms-win-eventing-consumer-l1-1-0

OpenTraceW
CloseTrace
ProcessTrace

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

user32

UnregisterDeviceNotification
RegisterDeviceNotificationW

api-ms-win-security-isolatedcontainer-l1-1-0

IsProcessInIsolatedContainer

wldp

WldpQueryWindowsLockdownMode

kernel32

FileTimeToSystemTime
GetComputerNameExW
FreeLibrary
Sleep
SwitchToThread
WaitForMultipleObjects
InstallELAMCertificateInfo
GetSystemTime
SystemTimeToFileTime
GetProcessTimes
OpenProcess
GetPackageFullName
MultiByteToWideChar
LoadLibraryExW
VerifyVersionInfoW
VerSetConditionMask
CompareFileTime
FindClose
GetOverlappedResultEx
ReadFile
GetFileInformationByHandleEx
FindNextFileW
GetCurrentThread
QueryPerformanceFrequency
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LoadLibraryW
GetWindowsDirectoryW
ExpandEnvironmentStringsW
SetHandleInformation
GetExitCodeProcess
GetModuleFileNameW
GetSystemDirectoryW
WideCharToMultiByte
ResetEvent
CreateDirectoryW
WriteFile
GetTempPathW
CreateFileW
GetTempFileNameW
GetFileSizeEx
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
ReleaseSRWLockShared
AcquireSRWLockShared
GetFileAttributesW
FindFirstFileExW
GetVersionExW
InitializeConditionVariable
GetComputerNameW
CreateEventExW
CreateThreadpoolWait
CreateToolhelp32Snapshot
RemoveDirectoryW
LocalFree
CreateThreadpoolTimer
CreateThread
SetThreadPriority
IsThreadpoolTimerSet
SleepConditionVariableCS
WakeConditionVariable
GetEnabledXStateFeatures
Process32NextW
Process32FirstW
QueryFullProcessImageNameW
QueryDosDeviceW
GetVolumeInformationW
FindFirstVolumeW
FindVolumeClose
GetVolumePathNamesForVolumeNameW
FindNextVolumeW
GetDriveTypeW
GetTickCount64
SetFilePointerEx
GetFileTime
K32GetProcessMemoryInfo
K32EnumProcessModules
GetProductInfo
GetSystemInfo
GetFirmwareType
SetFilePointer
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
WTSGetActiveConsoleSessionId
CompareStringW
ReadProcessMemory
DuplicateHandle
GetTickCount
CopyFileW
GetFileSize
MoveFileExW
GetOverlappedResult
DeleteFileW
RaiseException
DeviceIoControl
FindFirstFileW
InitializeCriticalSection

mssecuser

SecSetConfiguration
SecRegisterConsumer
SecUnregisterConsumer
SecGetFileHashes
SecSetRegistryOperations
SecClearRegistryOperations
SecCreateSessionFilter
SecDeleteSessionFilter
SecIsKernelIntegrityEnabled
SecGetProcessInfo
SecWriteFileEA

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegSetValueExW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegNotifyChangeKeyValue

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSidToSidW

api-ms-win-eventing-controller-l1-1-0

StartTraceW
EnumerateTraceGuidsEx
EnableTraceEx2
ControlTraceW
StopTraceW

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingFree
NdrClientCall3
RpcExceptionFilter
UuidCompare
RpcStringFreeW
UuidHash
UuidToStringW
UuidFromStringW
UuidCreate

api-ms-win-eventing-tdh-l1-1-0

TdhGetProperty
TdhGetPropertySize
TdhGetEventInformation

api-ms-win-security-base-l1-1-0

GetTokenInformation
EqualSid
GetLengthSid
AdjustTokenPrivileges
IsValidSid
DuplicateTokenEx
CreateRestrictedToken
ImpersonateLoggedOnUser
RevertToSelf
GetSidSubAuthorityCount
GetSidSubAuthority

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFileExistsW
PathFindExtensionW
PathFindFileNameW

ntdll

RtlIpv6AddressToStringExW
RtlQueryImageMitigationPolicy
RtlIpv4AddressToStringExW
NtQueryWnfStateData
ZwQueryEaFile
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
NtQuerySystemInformation
RtlSubscribeWnfStateChangeNotification
NtOpenFile
RtlInitUnicodeString
RtlFreeUnicodeString
NtDeleteValueKey
RtlCreateUnicodeString
NtDeleteKey
RtlUnsubscribeWnfNotificationWaitForCompletion

crypt32

CryptImportPublicKeyInfo
CertOpenStore
CertFreeCertificateChain
CertCloseStore
CertAddCertificateContextToStore
CertGetCertificateChain
CryptStringToBinaryW
CertFreeCertificateContext
CertCreateCertificateContext
CertGetCertificateContextProperty
CertVerifyCertificateChainPolicy
CryptBinaryToStringA
CertGetNameStringW
CryptStringToBinaryA

oleaut32

SysFreeString
SysAllocString
SysStringLen
SysAllocStringLen
VariantClear
VariantInit
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayDestroy
SafeArrayGetVartype
SafeArrayCopy
SafeArrayLock
SafeArrayUnlock

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

cabinet

ord30
ord35
ord33
ord31

api-ms-win-core-version-l1-1-1

GetFileVersionInfoW
GetFileVersionInfoSizeW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW
LookupAccountSidW
LookupAccountNameW

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateString
WindowsCreateStringReference

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

api-ms-win-security-audit-l1-1-0

AuditSetSystemPolicy

iphlpapi

GetIpNetTable2
FreeMibTable
GetUnicastIpAddressTable
GetAdaptersAddresses

ws2_32

WSACleanup
WSAStartup
InetNtopW

api-ms-win-core-path-l1-1-0

PathCchCombine

userenv

GetProfilesDirectoryW
GetAllUsersProfileDirectoryW

api-ms-win-security-logon-l1-1-1

LogonUserW

samcli

NetUserEnum

netutils

NetApiBufferFree

dnsapi

DnsQuery_W
DnsGetCacheDataTable
DnsFree

bcrypt

BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptDestroyHash
BCryptGetProperty
BCryptCreateHash
BCryptHashData

api-ms-win-security-cryptoapi-l1-1-0

CryptVerifySignatureW
CryptCreateHash
CryptReleaseContext
CryptDestroyHash
CryptHashData
CryptAcquireContextW

api-ms-win-service-winsvc-l1-1-0

ControlService
QueryServiceStatus

api-ms-win-service-management-l1-1-0

OpenServiceW
OpenSCManagerW
CloseServiceHandle
StartServiceW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-heap-l2-1-0

LocalAlloc

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW

api-ms-win-service-management-l2-1-0

QueryServiceConfig2W
ChangeServiceConfigW
QueryServiceConfigW
ChangeServiceConfig2W

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

RT_CODE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 95KB - Virtual size: 227KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 128KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 580KB - Virtual size: 584KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

03e2a67074f8d826b713cdacb7211997

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-oobe-notification-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-eventing-consumer-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

user32

api-ms-win-security-isolatedcontainer-l1-1-0

wldp

kernel32

mssecuser

api-ms-win-crt-time-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-eventing-controller-l1-1-0

rpcrt4

api-ms-win-eventing-tdh-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

ntdll

crypt32

oleaut32

api-ms-win-shcore-obsolete-l1-1-0

cabinet

api-ms-win-core-version-l1-1-1

api-ms-win-core-version-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-security-audit-l1-1-0

iphlpapi

ws2_32

api-ms-win-core-path-l1-1-0

userenv

api-ms-win-security-logon-l1-1-1

samcli

netutils

dnsapi

bcrypt

api-ms-win-security-cryptoapi-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-service-management-l2-1-0

Sections

.text Size: 2.9MB - Virtual size: 2.9MB

RT_CODE Size: 2KB - Virtual size: 2KB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.text
Size: 2.9MB - Virtual size: 2.9MB

RT_CODE
Size: 2KB - Virtual size: 2KB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 95KB - Virtual size: 227KB

.pdata
Size: 128KB - Virtual size: 128KB

.didat
Size: 512B - Virtual size: 360B

.rsrc
Size: 29KB - Virtual size: 29KB

.reloc
Size: 580KB - Virtual size: 584KB