99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.zip
Size

5.8MB
MD5

d10226a25b06feb780fedb5601c577b0
SHA1

cdc543c1458fe300f08b33c61dfeacd399a34f84
SHA256

3b6de93762563ae0095769cbf32661c50bfa332fbdda305650349a70f8245ad8
SHA512

d5f756850b29289e8d2fdd08374828abeaa1951527967828f3c201556bbe2835f1feda39418f9792577e7b4699a80bca7f63961ef273546fb8a5dc6e476f74c3
SSDEEP

98304:7GLuGMMLaAYtmC2ULVX6eJGF/pm+gOAI/A2D5A8pR5bqcotMzYbqHx1uJDcL:78uTeTimuNJGFxm+7Eu283dqcotoYefl

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/MpClient.dll

Files

99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.zip
.zip
99629 00 EUR Swift MesajiYPT24-90922numaralı-MEDSİS MED-20240305.exe
.exe windows:10 windows x64 arch:x64

b1ac41ecc25022618f74a6d0828a4712

Code Sign

33:00:00:02:9e:05:ca:b1:2e:ac:93:cf:b6:00:00:00:00:02:9e
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

24-09-2020 19:16

Not After

23-09-2021 19:16

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

93:2c:d5:0d:42:2b:a4:b5:ae:05:c5:db:c8:bb:f7:f8:f9:cd:6b:ac:77:54:c1:d4:93:ca:c1:03:5f:a7:9d:92
Signer

Actual PE Digest

93:2c:d5:0d:42:2b:a4:b5:ae:05:c5:db:c8:bb:f7:f8:f9:cd:6b:ac:77:54:c1:d4:93:ca:c1:03:5f:a7:9d:92

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

NisSrv.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

__p___argc
__p___wargv
_cexit
_initterm
abort
_c_exit
_register_thread_local_exe_atexit_callback
_exit
exit
_initterm_e
_beginthreadex
_get_initial_wide_environment
_initialize_wide_environment
_configure_wide_argv
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_invalid_parameter_noinfo
terminate
_invalid_parameter_noinfo_noreturn
_errno
_seh_filter_exe
_set_app_type

api-ms-win-crt-stdio-l1-1-0

feof
fgetws
fclose
__stdio_common_vsnprintf_s
__stdio_common_vswprintf
__stdio_common_vsprintf
__stdio_common_vsprintf_s
__stdio_common_vsnwprintf_s
fputc
__stdio_common_vswprintf_s
_wfopen
_fsopen
__p__commode
_set_fmode
fseek
_wfsopen
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
setvbuf
fgetpos
fwrite
fgetc
fflush

api-ms-win-crt-heap-l1-1-0

calloc
malloc
_set_new_mode
_calloc_base
free
_malloc_base
_free_base
_callnewh
_recalloc
realloc

api-ms-win-crt-convert-l1-1-0

_i64toa_s
_ui64toa_s
_ui64tow_s
wcstoull
_wcstod_l
wcstoll
wcstod
_i64tow_s
strtof
strtoll
strtod
wcstol
_itow_s
strtol

api-ms-win-crt-string-l1-1-0

isalpha
iswalpha
isdigit
iswdigit
iswxdigit
islower
iswlower
wcsncpy_s
strcspn
iswspace
towlower
towupper
iswupper
strncmp
strnlen
_wcsdup
isupper
__strncnt
wcsnlen
isspace
tolower
wcscmp
strcpy_s
_wcsicmp

api-ms-win-crt-locale-l1-1-0

_lock_locales
_configthreadlocale
localeconv
setlocale
___lc_codepage_func
__pctype_func
_create_locale
___lc_collate_cp_func
___lc_locale_name_func
_unlock_locales
___mb_cur_max_func
_free_locale

api-ms-win-crt-math-l1-1-0

ldexp
ceilf
ceil
log2
pow
powf
frexp

advapi32

OpenServiceW
OpenSCManagerW
CloseServiceHandle
StartServiceW
RegQueryValueExW
EventWriteTransfer
EventUnregister
EventRegister
SetServiceStatus
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegSetKeyValueW
RegOpenCurrentUser
RegGetValueW
RegQueryInfoKeyW
RegCloseKey
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
ImpersonateLoggedOnUser
RevertToSelf

crypt32

CertGetCertificateChain
CertVerifyCertificateChainPolicy
CryptUnprotectMemory
CryptBinaryToStringW
CertFreeCertificateChain
CertFreeCertificateContext

kernel32

GetSystemInfo
UnmapViewOfFile
GetSystemPreferredUILanguages
GetThreadPreferredUILanguages
GetVersionExW
GetModuleHandleA
QueryProcessCycleTime
GetLongPathNameW
GetProcessId
DuplicateHandle
CreateMutexW
LoadLibraryExA
DelayLoadFailureHook
OpenProcess
QueryFullProcessImageNameW
QueryUnbiasedInterruptTime
GlobalFree
VerifyVersionInfoW
GetUserPreferredUILanguages
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
GetProcAddress
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolTimer
MultiByteToWideChar
CloseThreadpool
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
CreateThreadpool
SetThreadpoolThreadMaximum
CreateThreadpoolWork
SubmitThreadpoolWork
StartThreadpoolIo
SystemTimeToFileTime
RaiseException
FreeLibrary
LoadLibraryExW
lstrcmpiW
LeaveCriticalSection
EnterCriticalSection
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
InitializeCriticalSection
DeleteCriticalSection
HeapSetInformation
CreateEventW
SetEvent
TerminateProcess
GetCurrentProcess
SwitchToFiber
ConvertFiberToThread
IsThreadAFiber
ConvertThreadToFiber
CreateFiberEx
DeleteFiber
WideCharToMultiByte
GetSystemTimeAsFileTime
CreateFileW
SetErrorMode
QueryPerformanceFrequency
QueryPerformanceCounter
FormatMessageA
Sleep
SwitchToThread
InitializeSRWLock
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
SleepConditionVariableSRW
RtlPcToFileHeader
GetStringTypeW
ReleaseSRWLockShared
AcquireSRWLockShared
LocalFree
InitOnceComplete
CreateDirectoryW
GetFileInformationByHandleEx
FindFirstFileExW
FindNextFileW
DeviceIoControl
FindClose
GetFileAttributesW
GetFileAttributesExW
SetFileInformationByHandle
MoveFileExW
CopyFileW
InitOnceBeginInitialize
EncodePointer
DecodePointer
LCMapStringEx
GetLocaleInfoEx
CompareStringEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
ResetEvent
InitializeSListHead
RtlUnwindEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetProcessTimes
CreateThreadpoolIo
WaitForThreadpoolIoCallbacks
CancelThreadpoolIo
CancelIoEx
CloseThreadpoolIo
GetSystemDirectoryW
GetSystemTime
InitializeCriticalSectionEx
CreateFileMappingW
MapViewOfFile
GetFileSizeEx
ExpandEnvironmentStringsW

ole32

CoUninitialize
CoCreateInstance
StringFromGUID2
CoCreateGuid
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoInitializeEx

oleaut32

VarUI4FromStr

user32

UnregisterClassA
CharNextW

bcrypt

BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptGetProperty
BCryptOpenAlgorithmProvider

normaliz

IdnToAscii

ws2_32

htonl
ntohs
htons
inet_ntop

ntdll

RtlIpv4StringToAddressExW
RtlIpv6StringToAddressExW
VerSetConditionMask

winhttp

WinHttpSetCredentials
WinHttpGetIEProxyConfigForCurrentUser
WinHttpQueryAuthSchemes
WinHttpWriteData
WinHttpReceiveResponse
WinHttpOpen
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpQueryOption
WinHttpGetDefaultProxyConfiguration
WinHttpGetProxyForUrl
WinHttpSetStatusCallback
WinHttpSetTimeouts
WinHttpSetOption
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpConnect

mpclient

MpConfigGetValueAlloc
MpHandleClose
MpConfigClose
MpNotificationRegister
MpManagerOpen
MpFreeMemory
MpConfigUninitialize
MpUtilsExportFunctions
MpConfigInitialize
MpClientUtilExportFunctions
MpConfigOpen

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-utility-l1-1-0

rand_s

shell32

SHGetKnownFolderPath

iphlpapi

GetAdaptersAddresses

netapi32

NetApiBufferFree
NetGetJoinInformation

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 296KB - Virtual size: 292KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 40KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AMMonitoringProvider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41
Signer

Actual PE Digest

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AMMonitoringProvider.pdb

Imports

msvcrt

_vsnprintf
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
wcschr
_wcstoui64
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcscat_s
wcscpy_s
memcpy_s
free
malloc
wcsncpy_s
__C_specific_handler
_purecall
_wchmod
wcsrchr
iswalpha
__CxxFrameHandler4
?terminate@@YAXXZ
_vsnwprintf
_vscwprintf
vswprintf_s
swscanf_s
_initterm
memset

kernel32

GetTickCount
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
Sleep
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameW
FindResourceExW
DecodePointer
EncodePointer
LoadResource
GetCurrentThread
CloseHandle
SwitchToThread
LockResource
SetLastError
InitializeCriticalSectionAndSpinCount
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
DisableThreadLibraryCalls
VirtualLock
FileTimeToSystemTime
GetLocalTime
SystemTimeToFileTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
SizeofResource
MultiByteToWideChar
RaiseException
lstrcmpiW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetLastError
FreeLibrary
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
GetSystemTimeAsFileTime
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW

user32

MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
FindWindowW
GetSystemMetrics
SetWindowTextW
CharNextW
UnregisterClassA
PostMessageW
LoadStringW
ShowWindow
SendMessageW
DestroyWindow
CreateDialogParamW
LoadIconW
GetWindowThreadProcessId

advapi32

RegDeleteKeyW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegQueryValueExW
GetUserNameW
GetTokenInformation
OpenThreadToken
DuplicateTokenEx
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
GetSidSubAuthority
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
ChangeServiceConfigW
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthorityCount

ole32

CoImpersonateClient
CoRevertToSelf
StringFromGUID2
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateGuid

oleaut32

SysStringByteLen
SysAllocStringLen
VariantClear
SysStringLen
VarBstrCat
SysFreeString
VariantInit
VarUI4FromStr
SysAllocString

mpclient

MpClientUtilExportFunctions

wtsapi32

WTSQueryUserToken
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

ntdll

RtlGetVersion
RtlNtStatusToDosError

shell32

SHGetSpecialFolderLocation
SHGetFolderPathW
SHGetPathFromIDListW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsRelativeW
PathAppendW
PathCombineW
PathRemoveFileSpecW
PathMatchSpecW
PathFileExistsW
PathIsDirectoryW
PathFindFileNameW

crypt32

CertVerifyCertificateChainPolicy

wintrust

CryptCATAdminReleaseCatalogContext
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseContext
WinVerifyTrust

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
EppManifest.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf
Signer

Actual PE Digest

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ImagingBase.dll
MpAsDesc.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf
Signer

Actual PE Digest

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 188KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
MpAzSubmit.dll
.dll windows:10 windows x64 arch:x64

561966a83f8102842f701746ffa86d40

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3
Signer

Actual PE Digest

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpAzSubmit.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
EventUnregister
EventWriteString
EventRegister

kernel32

CloseHandle
LocalFree
FreeLibrary
FindNextFileW
WriteFile
FindClose
CreateFileW
CreateEventW
SetEvent
WaitForSingleObjectEx
ResetEvent
GetProcAddress
SetFilePointerEx
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
ExitProcess
GetModuleHandleExW
HeapAlloc
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
FindFirstFileExW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
WriteConsoleW
DecodePointer
LCMapStringEx
InitOnceComplete
InitOnceBeginInitialize
GetModuleFileNameW
FormatMessageA
WideCharToMultiByte
FormatMessageW
MultiByteToWideChar
RtlPcToFileHeader
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
RaiseException
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SetLastError
GetLastError
InterlockedFlushSList
RtlUnwindEx
TerminateProcess
GetCurrentProcess
GetModuleHandleW
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
HeapFree
VerifyVersionInfoW
GlobalFree
InitializeCriticalSection
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseSRWLockShared
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetModuleHandleA

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate

winhttp

WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpQueryOption
WinHttpSetStatusCallback
WinHttpGetDefaultProxyConfiguration
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen
WinHttpSetTimeouts
WinHttpSetOption
WinHttpConnect
WinHttpGetProxyForUrl
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpQueryAuthSchemes
WinHttpWriteData
WinHttpReadData

ntdll

VerSetConditionMask

xmllite

CreateXmlWriter
CreateXmlReader

bcrypt

BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptCreateHash
BCryptDestroyHash
BCryptHashData
BCryptGetProperty

crypt32

CertVerifyCertificateChainPolicy
CryptUnprotectMemory
CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateContext

Exports

Exports

MpAzSubmitBlobInitialize
MpAzSubmitBlobUninitialize
MpAzSubmitBlobUpload

Sections

.text
Size: 916KB - Virtual size: 915KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 244KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 104KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 64KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpClient.dll
.dll windows:6 windows x64 arch:x64

927d9e4e76db4298ae7f920bfe00ae74

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegEnumValueW

bcrypt

BCryptEncrypt
BCryptDecrypt
BCryptImportKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptGenRandom

kernel32

TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
LocalFree
VirtualAllocEx
ResumeThread
SetThreadContext
SetLastError
OpenProcess
GetLastError
TerminateProcess
CloseHandle
CreateProcessW
GetThreadContext
FreeConsole
FormatMessageW
K32EnumProcessModulesEx
IsWow64Process
GetExitCodeProcess
K32EnumProcesses
K32GetModuleInformation
K32GetModuleBaseNameW
K32GetModuleFileNameExW
GetProcessId
DuplicateHandle
GetCurrentProcess
CloseThreadpoolIo
GetCurrentProcessId
GetStdHandle
RaiseFailFastException
GetCalendarInfoEx
CompareStringOrdinal
CompareStringEx
FindNLSStringEx
GetLocaleInfoEx
ResolveLocaleName
FindStringOrdinal
GetTickCount64
GetCurrentThread
Sleep
DeleteCriticalSection
EnterCriticalSection
SleepConditionVariableCS
LeaveCriticalSection
WakeConditionVariable
QueryPerformanceCounter
InitializeCriticalSection
InitializeConditionVariable
WaitForMultipleObjectsEx
QueryPerformanceFrequency
GetFullPathNameW
GetLongPathNameW
LocalAlloc
GetConsoleOutputCP
WideCharToMultiByte
GetProcAddress
LocaleNameToLCID
LCMapStringEx
EnumTimeFormatsEx
EnumCalendarInfoExEx
CopyFileExW
CreateDirectoryW
CreateFileW
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
DeleteFileW
DeviceIoControl
ExpandEnvironmentStringsW
FindClose
FindFirstFileExW
FreeLibrary
GetCurrentDirectoryW
GetFileAttributesExW
GetFileInformationByHandleEx
GetFileType
GetModuleFileNameW
GetOverlappedResult
LoadLibraryExW
ReadFile
SetCurrentDirectoryW
SetFileInformationByHandle
SetThreadErrorMode
GetThreadPriority
SetThreadPriority
WriteFile
GetCurrentProcessorNumberEx
SetEvent
CreateEventExW
GetEnvironmentVariableW
FlushProcessWriteBuffers
WaitForSingleObjectEx
RtlVirtualUnwind
RtlCaptureContext
RtlRestoreContext
AddVectoredExceptionHandler
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
CreateThread
GetCurrentThreadId
SuspendThread
FlushInstructionCache
VirtualAlloc
VirtualProtect
VirtualFree
QueryInformationJobObject
GetModuleHandleW
GetModuleHandleExW
GetProcessAffinityMask
InitializeContext
GetEnabledXStateFeatures
SetXStateFeaturesMask
VirtualQuery
GetSystemTimeAsFileTime
InitializeCriticalSectionEx
ResetEvent
DebugBreak
WaitForSingleObject
SleepEx
GlobalMemoryStatusEx
GetSystemInfo
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
VirtualAllocExNuma
IsProcessInJob
GetNumaHighestNodeNumber
GetProcessGroupAffinity
K32GetProcessMemoryInfo
RtlUnwindEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlLookupFunctionEntry
InitializeSListHead

ole32

CoGetApartmentType
CoWaitForMultipleHandles
CoUninitialize
CoInitializeEx

secur32

GetUserNameExW

api-ms-win-crt-heap-l1-1-0

malloc
free
_callnewh
calloc

api-ms-win-crt-math-l1-1-0

ceil

api-ms-win-crt-string-l1-1-0

strcpy_s
strcmp
wcsncmp
_stricmp
strncpy_s

api-ms-win-crt-convert-l1-1-0

strtoull

api-ms-win-crt-runtime-l1-1-0

_seh_filter_dll
_initterm
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
abort
_cexit
terminate
_initterm_e

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf_s
__stdio_common_vfprintf
__acrt_iob_func
__stdio_common_vsscanf

Exports

Exports

MpClientUtilExportFunctions
MpConfigClose
MpConfigGetValueAlloc
MpConfigInitialize
MpConfigOpen
MpConfigUninitialize
MpFreeMemory
MpHandleClose
MpManagerOpen
MpNotificationRegister
MpUtilsExportFunctions

Sections

.text
Size: 448KB - Virtual size: 447KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.managed
Size: 713KB - Virtual size: 712KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

hydrated
Size: - Virtual size: 330KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 655KB - Virtual size: 655KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpCommu.dll
.dll windows:10 windows x64 arch:x64

abc5cd2efb141964bfcdea8032c2c42d

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

80:75:b6:53:e4:da:ce:56:17:72:f2:19:3d:ae:e5:25:29:9d:c4:d9:5f:97:93:3b:c5:3f:31:f9:a2:c7:3e:da
Signer

Actual PE Digest

80:75:b6:53:e4:da:ce:56:17:72:f2:19:3d:ae:e5:25:29:9d:c4:d9:5f:97:93:3b:c5:3f:31:f9:a2:c7:3e:da

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpCommu.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_initialize_narrow_environment
terminate
abort
_invalid_parameter_noinfo
_errno
_beginthreadex
_configure_narrow_argv
_initterm_e
_seh_filter_dll
_cexit
_initterm
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswscanf
__stdio_common_vswprintf
__stdio_common_vsprintf

advapi32

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW

crypt32

CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateContext
CertVerifyCertificateChainPolicy

kernel32

InitializeCriticalSectionEx
DeleteCriticalSection
LoadLibraryExW
GetThreadPriority
GetCurrentThread
SetThreadPriority
DeleteTimerQueueTimer
CreateFileW
FlsAlloc
GetFileAttributesW
GetTickCount
ExpandEnvironmentStringsW
Sleep
SetEvent
ResetEvent
WaitForSingleObject
SetLastError
GetSystemDirectoryW
GetLastError
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
GetTempPathW
GetEnvironmentVariableW
EnterCriticalSection
GetProcAddress
WaitForSingleObjectEx
CreateEventW
TerminateProcess
GetCurrentProcess
SetEnvironmentVariableW
GetModuleHandleW
IsProcessorFeaturePresent
GetFileSizeEx
ReadFile
CreateDirectoryW
TryEnterCriticalSection
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetCurrentThreadId
GlobalFree
SetEndOfFile
WriteFile
SetFilePointerEx
FileTimeToSystemTime
SystemTimeToFileTime
MultiByteToWideChar
WideCharToMultiByte
EncodePointer
FlsFree
FlsSetValue
GetCurrentProcessId
QueryPerformanceCounter
GetExitCodeProcess
DeleteFileW
CloseHandle
GetSystemTimeAsFileTime
FreeLibrary
LeaveCriticalSection
FlsGetValue
GetSystemTime
QueryPerformanceFrequency
GetNativeSystemInfo

ole32

CLSIDFromProgID
CoInitializeEx
StringFromGUID2
CoCreateInstance
CoUninitialize
CoCreateGuid

slc

SLGetWindowsInformationDWORD

wintrust

WinVerifyTrust
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain

winhttp

WinHttpGetProxyForUrl
WinHttpSetTimeouts
WinHttpGetDefaultProxyConfiguration
WinHttpConnect
WinHttpCrackUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpAddRequestHeaders
WinHttpWriteData
WinHttpReceiveResponse
WinHttpSetOption
WinHttpSendRequest
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpQueryOption
WinHttpOpen
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpCloseHandle

shlwapi

PathIsURLW

mpclient

MpManagerOpen
MpClientUtilExportFunctions
MpFreeMemory
MpConfigGetValue
MpConfigClose
MpConfigOpen
MpUtilsExportFunctions
MpConfigUninitialize
MpConfigInitialize
MpAllocMemory
MpConfigSetValue
MpManagerVersionQuery
MpHandleClose
MpConfigGetValueAlloc

api-ms-win-crt-heap-l1-1-0

_calloc_base
free
malloc
_free_base
_callnewh

api-ms-win-crt-string-l1-1-0

wcsncmp
_wcsnicmp
iswspace
strcpy_s
_wcsicmp

oleaut32

SysAllocStringLen
SysAllocString
SysStringLen
SysStringByteLen
VariantClear
VarBstrCmp
VariantInit
SysAllocStringByteLen
SysFreeString

user32

CharLowerBuffW

api-ms-win-crt-math-l1-1-0

ceil

Exports

Exports

MpCommunicationCreateInstance
MpCommunicationDownloadFile
MpCommunicationInitialize
MpCommunicationUninitialize

Sections

.text
Size: 224KB - Virtual size: 221KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpDetours.dll
.dll windows:10 windows x64 arch:x64

e7e92a2408c8a2349b72bc8776729dac

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5f:cd:ba:47:f6:f0:8c:ea:37:f7:67:66:f0:37:bf:a9:d7:80:24:f0:4f:09:bc:df:ba:17:5e:30:8c:74:9c:be
Signer

Actual PE Digest

5f:cd:ba:47:f6:f0:8c:ea:37:f7:67:66:f0:37:bf:a9:d7:80:24:f0:4f:09:bc:df:ba:17:5e:30:8c:74:9c:be

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpDetours.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_invalid_parameter_noinfo_noreturn
_cexit
terminate
abort

api-ms-win-crt-string-l1-1-0

towlower
_wcsicmp
strcpy_s

advapi32

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage

kernel32

RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
RaiseException
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
GetCurrentThread
InitializeCriticalSectionAndSpinCount
HeapAlloc
HeapFree
Sleep
LoadLibraryExW
ResetEvent
WaitForSingleObjectEx
IsProcessorFeaturePresent
OpenProcess
WaitForSingleObject
SwitchToThread
DecodePointer
SetThreadContext
FlushInstructionCache
VirtualLock
GetSystemInfo
VirtualAlloc
VirtualFree
VirtualQuery
VirtualProtect
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
GlobalFree
SetLastError
SystemTimeToFileTime
DeleteFileW
CreateFileW
GetFileSizeEx
CompareFileTime
HeapUnlock
HeapLock
GlobalUnlock
GlobalLock
OpenThread
GetProcessHeap
GetThreadContext
GetLastError
CreateToolhelp32Snapshot
ResumeThread
SuspendThread
GetCurrentThreadId
Thread32First
Thread32Next
GetProcessTimes
GetCurrentProcessId
GlobalAlloc
SetEvent
GetTickCount64
GetCurrentProcess
GetModuleHandleW
GetProcAddress
CloseHandle
CreateEventW
GetModuleFileNameW
FindStringOrdinal
TerminateProcess
ReleaseSemaphore
CreateSemaphoreW

ole32

OleFlushClipboard
ReleaseStgMedium
OleSetClipboard
DoDragDrop

user32

GetPriorityClipboardFormat
GetClipboardSequenceNumber
GetClipboardOwner
CountClipboardFormats
EmptyClipboard
EnumClipboardFormats
GetUpdatedClipboardFormats
GetWindowThreadProcessId
GetClipboardData
SetClipboardData
IsClipboardFormatAvailable
CloseClipboard
GetKeyboardLayout
SendMessageTimeoutW

winspool.drv

GetPrintExecutionData
SetJobW
StartDocPrinterW
EndPagePrinter
EndDocPrinter
GetJobW
WritePrinter
StartPagePrinter
GetPrinterW

shlwapi

StrStrIW

shell32

DragQueryFileW

ntdll

RtlGetVersion
RtlEqualUnicodeString
RtlNtStatusToDosError

api-ms-win-crt-heap-l1-1-0

free
_free_base
_calloc_base
malloc
_callnewh

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsprintf

Sections

.text
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpDetoursCopyAccelerator.dll
.dll windows:10 windows x64 arch:x64

8e02fd15ca77e52683aebaf6fd6f3349

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

54:44:c2:8d:07:30:4a:75:95:12:85:b9:7e:b5:15:ca:66:71:ea:ad:5d:5c:97:54:b7:7b:1c:82:cb:e5:49:7c
Signer

Actual PE Digest

54:44:c2:8d:07:30:4a:75:95:12:85:b9:7e:b5:15:ca:66:71:ea:ad:5d:5c:97:54:b7:7b:1c:82:cb:e5:49:7c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpDetoursCopyAccelerator.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
abort
_crt_atexit
terminate
_cexit
_invalid_parameter_noinfo_noreturn

advapi32

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage

kernel32

DecodePointer
SetThreadContext
FlushInstructionCache
GetSystemInfo
VirtualAlloc
VirtualFree
VirtualProtect
InitializeCriticalSectionAndSpinCount
HeapAlloc
HeapFree
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
TerminateProcess
GetCurrentProcess
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
HeapUnlock
HeapLock
OpenThread
GetProcessHeap
GetCurrentProcessId
GetThreadContext
CloseHandle
GetLastError
CreateToolhelp32Snapshot
ResumeThread
SuspendThread
GetCurrentThreadId
Thread32First
Thread32Next
SetLastError
GetModuleHandleW
GetProcAddress
GetModuleFileNameW
GetCurrentThread
VirtualQuery
VirtualLock
GetFullPathNameW
CreateEventW
SetEvent
WaitForSingleObjectEx
ResetEvent
LoadLibraryExW

shlwapi

PathIsRelativeW

ntdll

RtlGetVersion
RtlNtStatusToDosError

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
_free_base
free
_calloc_base

api-ms-win-crt-string-l1-1-0

strcpy_s

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsprintf

Sections

.text
Size: 44KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpEvMsg.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

36:08:49:ab:77:a6:a8:da:46:53:18:44:a1:59:25:3d:9f:65:64:fe:c6:3c:b3:d9:29:8b:32:78:94:32:91:f0
Signer

Actual PE Digest

36:08:49:ab:77:a6:a8:da:46:53:18:44:a1:59:25:3d:9f:65:64:fe:c6:3c:b3:d9:29:8b:32:78:94:32:91:f0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 124KB - Virtual size: 121KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
MpOAV.dll
.dll regsvr32 windows:10 windows x64 arch:x64

5e99d9338a66701e0fb8f1477dde6ea9

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6d:eb:74:02:4c:cd:ec:3d:cc:ad:cf:3b:21:90:d3:72:6e:d7:c0:43:40:27:4a:03:3e:9b:ab:8a:8c:e8:c9:69
Signer

Actual PE Digest

6d:eb:74:02:4c:cd:ec:3d:cc:ad:cf:3b:21:90:d3:72:6e:d7:c0:43:40:27:4a:03:3e:9b:ab:8a:8c:e8:c9:69

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpOAV.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
EventActivityIdControl
EventWriteTransfer
EventUnregister
EventRegister
RegCloseKey
RegOpenKeyExW
RegQueryValueExW

kernel32

ExitProcess
GetModuleHandleW
GetModuleHandleExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
GetProcessHeap
SetStdHandle
GetConsoleMode
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetModuleFileNameW
SetFilePointerEx
CreateFileW
WriteConsoleW
QueryPerformanceCounter
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindFirstFileExW
HeapSize
LCMapStringW
GetProcAddress
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetStartupInfoW
GetFileType
GetStdHandle
HeapFree
HeapAlloc
GetCurrentThreadId
IsProcessorFeaturePresent
TerminateProcess
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WideCharToMultiByte
MultiByteToWideChar
GetCurrentProcess
GetVersionExW
Sleep
GetLastError
GetProcessTimes
GetCurrentProcessId
FreeLibrary
LoadLibraryExW
CloseHandle
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
HeapReAlloc
GetFileSizeEx
FindNextFileW
FindClose
GetFileAttributesW
CreateEventW
GetTempPathW
GetSystemDirectoryW
SizeofResource
LockResource
LoadResource
FindResourceW
DecodePointer

ole32

CoCreateInstance
CoTaskMemFree
StringFromGUID2
CoTaskMemAlloc

oleaut32

SysAllocStringLen
SysStringLen
SysFreeString

ntdll

RtlGetVersion
RtlNtStatusToDosError

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 188KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpProvider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

dfe0dec84410187ad137fa24212ce072

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8c:d4:fc:ad:7f:a3:be:ab:98:83:e4:a7:d6:cb:f6:7b:19:69:e2:c5:d1:34:cf:25:a8:42:7d:d8:f2:8f:88:46
Signer

Actual PE Digest

8c:d4:fc:ad:7f:a3:be:ab:98:83:e4:a7:d6:cb:f6:7b:19:69:e2:c5:d1:34:cf:25:a8:42:7d:d8:f2:8f:88:46

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpProvider.pdb

Imports

msvcrt

__CxxFrameHandler4
_vsnprintf
wcschr
_vscwprintf
realloc
_errno
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove
memcpy
_CxxThrowException
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
malloc
memcpy_s
__C_specific_handler
_purecall
wcsncpy_s
wcscat_s
free
wcscpy_s
_wchmod
_vsnwprintf
iswalpha
wcsrchr
vswprintf_s
memset

kernel32

GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
GetSystemTimeAsFileTime
InitializeCriticalSection
FindResourceExW
GetTickCount
RtlCaptureContext
LoadResource
SizeofResource
MultiByteToWideChar
lstrcmpiW
FreeLibrary
CompareStringW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
GetLastError
DecodePointer
EncodePointer
GetCurrentThread
CloseHandle
SystemTimeToFileTime
FileTimeToSystemTime
SwitchToThread
LockResource
SetLastError
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
InitializeCriticalSectionAndSpinCount
DisableThreadLibraryCalls
VirtualLock
GetLocalTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
RaiseException
DeleteCriticalSection
Sleep
OutputDebugStringA
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW

user32

LoadIconW
DestroyWindow
SendMessageW
ShowWindow
LoadStringW
PostMessageW
UnregisterClassA
GetSystemMetrics
FindWindowW
GetWindowThreadProcessId
MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
CharNextW
CreateDialogParamW
SetWindowTextW

advapi32

GetUserNameW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
RegDeleteKeyW
RegQueryValueExW
OpenProcessToken
GetTokenInformation
OpenThreadToken
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
ChangeServiceConfigW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthority
DuplicateTokenEx
GetSidSubAuthorityCount
ConvertStringSecurityDescriptorToSecurityDescriptorW

ole32

CoImpersonateClient
CoCreateGuid
CoGetClassObject
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateInstance
StringFromGUID2
CoRevertToSelf

oleaut32

VarUI4FromStr
SafeArrayLock
VarBstrCat
SafeArrayCreate
SysStringByteLen
SafeArrayUnlock
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayDestroy
SysStringLen
SafeArrayGetVartype
VariantInit
VariantClear
SysFreeString
SysAllocString
SysAllocStringLen

wtsapi32

WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSFreeMemory
WTSQueryUserToken

ntdll

RtlGetVersion
RtlNtStatusToDosError

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHGetFolderPathW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

shlwapi

PathFileExistsW
PathAppendW
PathFindFileNameW
PathIsRelativeW
PathCombineW
PathMatchSpecW
PathIsDirectoryW
PathRemoveFileSpecW

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WinVerifyTrust

crypt32

CertVerifyCertificateChainPolicy

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 116KB - Virtual size: 114KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpRtp.dll
.dll windows:10 windows x64 arch:x64

2885032f801d6fd1135f59079b0e3889

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4b:56:d8:c9:2e:bc:76:2d:4b:21:89:bf:c6:e2:7a:17:55:6f:71:4f:a0:77:cd:d6:f4:6f:40:54:05:73:fc:d6
Signer

Actual PE Digest

4b:56:d8:c9:2e:bc:76:2d:4b:21:89:bf:c6:e2:7a:17:55:6f:71:4f:a0:77:cd:d6:f4:6f:40:54:05:73:fc:d6

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpRTP.pdb

Imports

kernel32

GetVersionExW
GetModuleHandleW
GetProcAddress
ProcessIdToSessionId
GetLastError
GetTickCount64
OpenProcess
GetProcessTimes
CloseHandle
GetCurrentThreadId
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetCurrentThread
HeapFree
HeapAlloc
ExitProcess
FreeLibrary
GetModuleHandleExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LoadLibraryExW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
MultiByteToWideChar
GetProcessHeap
WideCharToMultiByte
HeapSize
HeapReAlloc
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
EncodePointer
RaiseException
InitializeCriticalSectionEx
RtlPcToFileHeader
SleepEx
WaitForSingleObject
K32GetModuleFileNameExW
K32GetProcessImageFileNameW
GetExitCodeThread
CreateRemoteThread
WriteProcessMemory
GetLocalTime
Sleep
FlushFileBuffers
OpenThread
GetSystemInfo
GetTickCount
K32GetModuleInformation
FindClose
QueryDosDeviceW
DeviceIoControl
GetLogicalDriveStringsW
UnmapViewOfFile
CompareStringOrdinal
QueryFullProcessImageNameW
GetFileTime
GetFileSize
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CompareFileTime
GetProcessId
GetExitCodeProcess
GetComputerNameExW
GlobalMemoryStatusEx
LocalFree
K32EnumProcessModules
VirtualQueryEx
K32GetMappedFileNameW
FindStringOrdinal
SystemTimeToFileTime
QueueUserAPC
ReadFile
CopyFileExW
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatus
MoveFileExW
GetFileAttributesW
GetThreadPriority
SetThreadPriority
InitializeSRWLock
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CreateThread
SwitchToThread
CreateDirectoryW
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
SetEnvironmentVariableW
CreateFileW
SetFileAttributesW
DeleteFileW
LoadLibraryW
SetFilePointerEx
ReleaseSemaphore
GetModuleFileNameW
GetTempPathW
GetSystemDirectoryW
GetSystemWow64DirectoryW
CreateSemaphoreW
CreateFileMappingW
MapViewOfFile
VirtualQuery
FormatMessageA
GetDriveTypeW
VirtualProtect
LoadLibraryExA
GetFileInformationByHandleEx
FindFirstFileExW
GetFinalPathNameByHandleW
SetEndOfFile
GetFileAttributesExW
DecodePointer
CompareStringEx
LCMapStringEx
ExitThread
FreeLibraryAndExitThread
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStdHandle
GetFileType
GetTimeZoneInformation
SetStdHandle
GetConsoleOutputCP
GetConsoleMode
ReadConsoleW
WriteConsoleW
DeleteProcThreadAttributeList
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
Module32FirstW
Module32NextW
VirtualFreeEx
IsWow64Process
VirtualAllocEx

wtsapi32

WTSEnumerateSessionsW
WTSQueryUserToken
WTSFreeMemory

tdh

TdhGetPropertySize
TdhGetProperty
TdhGetEventInformation

setupapi

SetupDiGetClassRegistryPropertyW
SetupDiSetClassRegistryPropertyW

ntdll

RtlNtStatusToDosError
NtClose
RtlPrefixUnicodeString
NtWaitForSingleObject
NtDeviceIoControlFile
NtCreateFile
RtlInitUnicodeString
RtlCompareUnicodeString
NtMapViewOfSection
RtlGetVersion

bcrypt

BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptGetProperty
BCryptOpenAlgorithmProvider

mpclient

MpIsDeviceControlAvailable
MpShutdownCopyAcceleratorProcess
MpGetCopyAcceleratorProcessStatus
MpConfigSetValue
MpHandleClose
MpConfigUnregisterNotifications
MpConfigRegisterForNotifications
MpConfigGetValueAlloc
MpManagerOpen
MpManagerVersionQuery
MpUtilsExportFunctions
MpClientUtilExportFunctions
MpAllocMemory
MpFreeMemory
MpConfigOpen
MpConfigGetValue
MpConfigClose

Exports

Exports

MpPluginBypassDlpWarning
MpPluginCheckAccessForClipboardOperation
MpPluginCheckAccessForDragDropOperation
MpPluginCheckAccessForPrintOperation
MpPluginCheckExclusion
MpPluginConfigChange
MpPluginConfigDirectoryMonitoring
MpPluginConfigSyncMonitoring
MpPluginDismissDlpWarning
MpPluginDlpDelegateEnforcement
MpPluginEnableDlp
MpPluginEnforceDlpClipboard
MpPluginEnforceDlpReadClipboard
MpPluginFlushLogData
MpPluginGetConfigOperations
MpPluginGetCopyAcceleratorState
MpPluginGetDlpNotificationSettings
MpPluginGetHeartBeatData
MpPluginGetState
MpPluginGetThreatCategory
MpPluginGetThreatExecInfo
MpPluginGetThreatInfo
MpPluginInitialize
MpPluginIsSuspended
MpPluginNotifyRpcServerStateChange
MpPluginNotifySessionStateChange
MpPluginNotifySetupProgress
MpPluginQueryDlpState
MpPluginQueryRtpMonitoringInfoEx
MpPluginRefreshDlpPolicySettings
MpPluginRefreshPlatformKillbits
MpPluginRegisterFriendlyProcess
MpPluginReportClipboardOwner
MpPluginReportThreadStatus
MpPluginSendBrowserHeartbeat
MpPluginSendUserModeRegistryData
MpPluginSetDefaultConfigs
MpPluginSetDriverUnloadInProgress
MpPluginSetEngine
MpPluginSetState
MpPluginSetUserInformation
MpPluginShutdown
MpPluginSignatureChange
MpPluginStop
MpPluginUpdateBrowserActiveTab
MpPluginUpdateFolderGuardData
MpPluginUpdateMonitoringInfo
MpPluginUpdateMonitoringInfoEx
MpPluginUpdateTPState

Sections

.text
Size: 968KB - Virtual size: 964KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 40KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 776B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MpSvc.dll
.dll windows:10 windows x64 arch:x64

7ceea8dd728f5932a45ab39a47267bb0

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

16:fc:a6:c1:45:ed:86:a2:87:90:7b:62:c6:f7:34:7c:02:2f:fa:b9:b1:50:2c:98:36:c2:e4:fc:dd:4d:ff:ac
Signer

Actual PE Digest

16:fc:a6:c1:45:ed:86:a2:87:90:7b:62:c6:f7:34:7c:02:2f:fa:b9:b1:50:2c:98:36:c2:e4:fc:dd:4d:ff:ac

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpSvc.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

abort
_errno
_beginthreadex
_invalid_parameter_noinfo_noreturn
terminate
_invalid_parameter_noinfo
_cexit
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_initterm_e
_initterm

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsnprintf_s
__stdio_common_vswprintf_s
__stdio_common_vswscanf
__stdio_common_vsprintf
__stdio_common_vsnwprintf_s
__stdio_common_vsprintf_s

api-ms-win-crt-string-l1-1-0

iswspace
wcsnlen
iswupper
strncmp
iswalpha
isdigit
wcsncmp
iswxdigit
islower
iswlower
strcspn
towupper
towlower
_wcsnicmp
strcpy_s
_wcsdup
toupper
isupper
__strncnt
strnlen
_wcsicmp
iswdigit
wcscmp
wcspbrk

api-ms-win-crt-heap-l1-1-0

malloc
_malloc_base
calloc
_free_base
_calloc_base
_callnewh
realloc
free

api-ms-win-crt-convert-l1-1-0

wcstol
_ui64tow_s
_wcstod_l
_i64tow_s
_ui64toa_s
wcstoll
_wtol
_i64toa_s
wcstoull
_wtoi64
wcstoul
_itow_s
_wtoi

api-ms-win-crt-utility-l1-1-0

srand
rand

api-ms-win-crt-locale-l1-1-0

_free_locale
_create_locale
__pctype_func
___lc_locale_name_func
localeconv
___lc_codepage_func
_unlock_locales
___mb_cur_max_func
_lock_locales
setlocale

api-ms-win-crt-math-l1-1-0

ceilf
frexp

kernel32

QueryInformationJobObject
ExpandEnvironmentStringsW
InitOnceComplete
CopyFileExW
InitOnceBeginInitialize
GetVersionExW
LoadLibraryExA
VirtualProtect
RemoveDirectoryW
ConvertDefaultLocale
GetLocaleInfoW
VirtualQuery
GetSystemWindowsDirectoryW
CreateSemaphoreW
HeapSetInformation
GetNativeSystemInfo
GetSystemDirectoryW
OpenEventW
GetEnvironmentVariableW
UnregisterWaitEx
GetComputerNameExW
GetThreadPriority
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
RtlPcToFileHeader
InterlockedFlushSList
ChangeTimerQueueTimer
RtlUnwindEx
CreateJobObjectW
InitializeSListHead
IsProcessorFeaturePresent
UnhandledExceptionFilter
RegisterWaitForSingleObject
WriteFile
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LCMapStringEx
DecodePointer
EncodePointer
CreateTimerQueueTimer
GetFileSizeEx
ReadFile
SetThreadpoolTimer
TryEnterCriticalSection
InitializeCriticalSection
LCMapStringW
SwitchToThread
InitializeCriticalSectionEx
SystemTimeToFileTime
SetFilePointerEx
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
GetProcAddress
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
Sleep
FreeLibrary
DeleteTimerQueueTimer
SetEnvironmentVariableW
GetTempPathW
TerminateProcess
GetCurrentProcess
SetThreadPriority
GetCurrentThread
SetEvent
GetFileAttributesW
MoveFileExW
CreateHardLinkW
GetExitCodeProcess
CopyFileW
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
CreateEventW
CreateThread
LoadLibraryExW
lstrcmpiW
FindFirstFileW
FindNextFileW
FindClose
CreateDirectoryW
GetFileAttributesExW
OpenThread
GetThreadTimes
LeaveCriticalSection
EnterCriticalSection
CreateFileW
LocalFree
MultiByteToWideChar
LoadLibraryW
InitializeCriticalSectionAndSpinCount
ResetEvent
DeleteCriticalSection
CreateMutexW
WaitForMultipleObjects
DuplicateHandle
GetDateFormatW
GetTimeFormatW
ProcessIdToSessionId
GetSystemTime
FindFirstChangeNotificationW
FindNextChangeNotification
GetTempFileNameW
FindCloseChangeNotification
GetLogicalDrives
GetDriveTypeW
GetDiskFreeSpaceExW
GetVolumePathNameW
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
OpenProcess
RaiseException
GetTickCount64
GetProcessTimes
GetTickCount
WaitForMultipleObjectsEx
CompareFileTime
DeleteFileW
FileTimeToLocalFileTime
FileTimeToSystemTime
GetLocalTime
UnmapViewOfFile
GetModuleFileNameW
CreateProcessW
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetSystemPowerStatus
DeviceIoControl
SleepEx
FlushFileBuffers
GetSystemInfo
GetFileInformationByHandle
SetEnvironmentVariableA
ReadProcessMemory
K32GetProcessMemoryInfo
WideCharToMultiByte
QueryDosDeviceW
CreateIoCompletionPort
SetInformationJobObject
AssignProcessToJobObject
GetQueuedCompletionStatus
SetFileAttributesW
PostQueuedCompletionStatus
SetErrorMode
FormatMessageA
TryAcquireSRWLockExclusive
GetStringTypeW
QueryPerformanceFrequency
GetFinalPathNameByHandleW

setupapi

SetupDiGetClassRegistryPropertyW
SetupDiSetClassRegistryPropertyW

wtsapi32

WTSEnumerateSessionsW
WTSQueryUserToken
WTSQuerySessionInformationW
WTSFreeMemory

ntdll

RtlIpv6StringToAddressExW
RtlIpv4StringToAddressExW
NtQueryInformationProcess

mpclient

MpThreatLocalizedInfoQuery
MpScanControl
MpQueryEngineConfigDword
MpClientUtilExportFunctions
MpScanStart
MpConfigIteratorClose
MpFreeMemory
MpConfigInitialize
MpConfigIteratorEnum
MpConfigOpen
MpConfigGetValueAlloc
MpConfigClose
MpConfigGetValue
MpConfigSetValue
MpConfigIteratorOpen
MpAllocMemory
MpConfigRegisterForNotifications
MpManagerOpen
MpHandleClose
MpUpdateStart
MpUpdateControl
MpConfigUnregisterNotifications
MpNotificationRegister
MpConveySampleSubmissionResult
MpUtilsExportFunctions
MpDebugExportFunctions
MpManagerStatusQueryEx
MpIsRtpAutoEnable
MpErrorMessageFormat
MpManagerVersionQuery
MpConfigUninitialize
MpConfigDelValue
MpAddDynamicSignatureFile
MpDynamicSignatureEnumerate
MpDynamicSignatureOpen

Exports

Exports

ServiceCrtMain
ValidateDrop

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 556KB - Virtual size: 553KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 44KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 72KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MsMpCom.dll
.dll regsvr32 windows:10 windows x64 arch:x64

867fb73fa3ad8ce36341e39631dc1cdd

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0b:b1:2b:34:4f:c2:e0:f6:12:7a:75:38:94:9c:67:54:9d:05:28:78:b9:c4:0e:1b:ee:03:b9:fe:85:65:33:32
Signer

Actual PE Digest

0b:b1:2b:34:4f:c2:e0:f6:12:7a:75:38:94:9c:67:54:9d:05:28:78:b9:c4:0e:1b:ee:03:b9:fe:85:65:33:32

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MsMpCom.pdb

Imports

msvcrt

_wcsicmp
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
_callnewh
malloc
wcschr
_purecall
free
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler4
_vsnprintf
??3@YAXPEAX@Z
memcmp

kernel32

Sleep
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetLastError
GetModuleFileNameW
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
DisableThreadLibraryCalls
InitializeCriticalSectionAndSpinCount
GetModuleHandleW
GetProcAddress
GetSystemDirectoryW
LoadLibraryExW
FreeLibrary
GetFileAttributesW
SetLastError

oleaut32

LoadTypeLi
SafeArrayGetDim
SafeArrayCreate
LoadRegTypeLi
SysStringLen
VariantInit
SysFreeString
VariantClear

advapi32

SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetFileSecurityW
GetSecurityDescriptorOwner
GetFileSecurityW
InitializeSecurityDescriptor
IsValidSid
TraceMessage
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle

ole32

CoUninitialize
CoInitializeEx
IIDFromString
CoCreateInstance

user32

UnregisterClassA

mpclient

MpUpdateControl
MpElevationHandleActivate
MpOfflineScanInstall
MpScanControl
MpManagerEnable
MpThreatEnumerate
MpConfigSetValue
MpQuarantineRequest
MpManagerOpen
MpHandleClose
MpFreeMemory
MpConfigUninitialize
MpConfigInitialize
MpConfigGetValue
MpThreatHistoryRequest
MpConfigDelValue
MpClientUtilExportFunctions
MpConfigGetValueAlloc
MpConfigClose
MpUtilsExportFunctions
MpThreatOpen
MpConfigOpen
MpElevationHandleOpen

rpcrt4

UuidFromStringW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 40KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 892B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MsMpLics.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

24:3a:b2:fc:0f:53:fa:bb:e7:66:26:13:c5:28:d8:de:3b:0f:c9:44:1d:4e:48:f9:db:71:d3:08:fd:96:2f:42
Signer

Actual PE Digest

24:3a:b2:fc:0f:53:fa:bb:e7:66:26:13:c5:28:d8:de:3b:0f:c9:44:1d:4e:48:f9:db:71:d3:08:fd:96:2f:42

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ProtectionManagement.dll
.dll regsvr32 windows:10 windows x64 arch:x64

014001c0f5045aa529e87c45f92fe834

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

22:17:f3:4b:82:e7:cb:81:f6:b5:af:9b:53:41:40:cc:53:fb:13:07:04:68:35:16:fd:d3:28:b1:ac:ff:05:16
Signer

Actual PE Digest

22:17:f3:4b:82:e7:cb:81:f6:b5:af:9b:53:41:40:cc:53:fb:13:07:04:68:35:16:fd:d3:28:b1:ac:ff:05:16

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

ProtectionManagement.pdb

Imports

kernel32

GetSystemDirectoryW
GetLastError
GetProcAddress
FreeLibrary
LoadLibraryExW
SizeofResource
LockResource
LoadResource
FindResourceExW
CloseHandle
GetTimeZoneInformation
GetSystemTime
WaitForSingleObject
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
InitializeCriticalSection
DeleteCriticalSection
RaiseException
EnterCriticalSection
LeaveCriticalSection
MultiByteToWideChar
WideCharToMultiByte
SetLastError
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetSystemInfo
VirtualProtect
VirtualQuery
GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LCMapStringW
GetLocaleInfoW
ExitProcess
GetModuleHandleW
GetModuleHandleExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetFileSizeEx
SetFilePointerEx
GetStringTypeW
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
GetModuleFileNameW
ReadFile
CreateFileW
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
DeleteFileW
SetFileAttributesW
RemoveDirectoryW
FindFirstFileW
FindNextFileW
FindClose
GetFileAttributesW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindFirstFileExW
FreeLibraryAndExitThread
ExitThread
GetFileAttributesExW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LoadLibraryExA
GetTickCount
WaitForSingleObjectEx
TryEnterCriticalSection
CompareFileTime
GetExitCodeProcess
CreateEventW
SetEvent
FileTimeToSystemTime
GlobalFindAtomW
GetDriveTypeW
GetVersionExW
GetLocalTime
SystemTimeToFileTime
GetNativeSystemInfo
ProcessIdToSessionId
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
WritePrivateProfileStringW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetExitCodeThread
ResetEvent
CreateThread
MoveFileW
GetLongPathNameW
GetFileSize
VerifyVersionInfoW
K32GetModuleFileNameExW
FreeResource
FindResourceW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
GetDiskFreeSpaceExW
GetWindowsDirectoryW
Sleep
LocalFree
IsWow64Process
ReleaseMutex
CreateMutexW
CreateProcessW
CopyFileW
GetTempFileNameW
GetTempPathW
CreateDirectoryW
SwitchToThread
FormatMessageW

mpclient

MpCleanStart
MpGetCallistoDetections
MpTriggerHeartbeatOnUninstall
MpOfflineScanInstall
MpUpdateStartEx
MpScanStartEx
MpCreateComInstance
MpGetTPStateInfo
MpGetRunningMode
MpConfigRegisterForNotifications
MpConfigUnregisterNotifications
MpAllocMemory
MpManagerVersionQuery
MpConfigIteratorEnum
MpConfigIteratorOpen
MpCleanOpen
MpConfigIteratorClose
MpThreatOpen
MpConfigGetValue
MpDetectionEnumerate
MpThreatRollup
MpThreatQuery
MpThreatEnumerate
MpManagerStatusQueryEx
MpNotificationRegister
MpManagerOpen
MpHandleClose
MpClientUtilExportFunctions
MpConfigOpen
MpConfigClose
MpConfigGetValueAlloc
MpConfigUninitialize
MpConfigInitialize
MpFreeMemory
MpElevationHandleAcquire
MpElevateCleanHandle
MpConfigSetValue
MpUtilsExportFunctions

wtsapi32

WTSQueryUserToken
WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSFreeMemory

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
GetProviderClassID
MI_Main

Sections

.text
Size: 408KB - Virtual size: 405KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 208KB - Virtual size: 206KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
endpointdlp.dll
.dll windows:10 windows x64 arch:x64

9c3fd1848ccdb144ff7cb14128b86363

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f8:5e:cf:6a:05:20:5e:4a:f3:43:8f:e0:5f:bd:08:91:7d:ef:bc:bd:fb:a7:d2:fd:bd:7d:17:fa:fd:d7:d2:ba
Signer

Actual PE Digest

f8:5e:cf:6a:05:20:5e:4a:f3:43:8f:e0:5f:bd:08:91:7d:ef:bc:bd:fb:a7:d2:fd:bd:7d:17:fa:fd:d7:d2:ba

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

endpointdlp.pdb

Imports

kernel32

FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LoadLibraryExW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
MultiByteToWideChar
WideCharToMultiByte
SetFilePointerEx
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
GetModuleFileNameW
CloseHandle
FlsAlloc
OutputDebugStringW
HeapSize
HeapReAlloc
RaiseException
CreateFileW
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
HeapFree
ExitProcess
GetStartupInfoW
GetModuleHandleExW
GetCurrentThreadId
GetFileType
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetLastError
FreeLibrary
FormatMessageW
GetModuleFileNameA
HeapAlloc
GetProcAddress
GetProcessHeap
GetModuleHandleW
DebugBreak
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObject
ReleaseSemaphore
OpenSemaphoreW
Sleep
GetTickCount
ReleaseSRWLockShared
AcquireSRWLockShared
CreateMutexExW
ReleaseMutex
CreateSemaphoreExW
WaitForSingleObjectEx
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
OpenProcess
K32GetModuleFileNameExW
GetProcessTimes
GetDriveTypeW
CreateEventExW
CreateThreadpoolWait
ExpandEnvironmentStringsW
FormatMessageA
LocalFree
InitOnceBeginInitialize
InitOnceComplete
DecodePointer
LCMapStringEx
FindClose
FindFirstFileExW
FindNextFileW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEvent
ResetEvent
CreateEventW
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent

advapi32

CryptDestroyHash
CryptDestroyKey
CryptVerifySignatureW
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptReleaseContext
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegNotifyChangeKeyValue
RegCreateKeyExW
GetLengthSid
GetTokenInformation
OpenProcessToken
EventRegister
EventUnregister
EventWriteTransfer

ntdll

ZwQueryEaFile

crypt32

CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertAddCertificateContextToStore
CryptImportPublicKeyInfo
CertCreateCertificateContext
CertCloseStore
CertFreeCertificateContext
CryptStringToBinaryW
CertOpenStore
CertFreeCertificateChain

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsNetworkPathW

user32

LoadStringW

Exports

Exports

AuditBrowserFileOperationEvent
AuditBrowserFileOperationEventEx
AuditBrowserOperationEvent
DlpAuditFileAccessEvent
DlpAuditOperationEnforcementEvent
DlpAuditOperationEnforcementEventEx
DlpDelegateEnforcement
DlpFreeArchiveFileTraceInfo
DlpGetArchiveFileTraceInfo
DlpGetFileApplicationAccess
DlpGetFileApplicationAccessEx
DlpGetFileApplicationAccessEx2
DlpGetFileCloudApplicationPolicy
DlpGetFileLocation
DlpGetNotificationSettings
DlpGetPolicyInfoFromRuleId
DlpGetPolicySettings
DlpGetQuarantineConfiguration
DlpInitialize
DlpInitializeFromCustomPolicy
DlpValidateCloudDomainsPolicyCmd
DlpValidateCloudPolicyCmd
DlpValidateCloudWebSitesPolicyCmd
GetBrowserExtensionConfiguration
ShouldCollectBrowsingActivities

Sections

.text
Size: 376KB - Virtual size: 372KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 136KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b1ac41ecc25022618f74a6d0828a4712

Code Sign

33:00:00:02:9e:05:ca:b1:2e:ac:93:cf:b6:00:00:00:00:02:9eCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

93:2c:d5:0d:42:2b:a4:b5:ae:05:c5:db:c8:bb:f7:f8:f9:cd:6b:ac:77:54:c1:d4:93:ca:c1:03:5f:a7:9d:92Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

advapi32

crypt32

kernel32

ole32

oleaut32

user32

bcrypt

normaliz

ws2_32

ntdll

winhttp

mpclient

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-utility-l1-1-0

shell32

iphlpapi

netapi32

Sections

.text Size: 2.0MB - Virtual size: 2.0MB

.rdata Size: 296KB - Virtual size: 292KB

.data Size: 40KB - Virtual size: 100KB

.pdata Size: 80KB - Virtual size: 79KB

.didat Size: 4KB - Virtual size: 24B

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 12KB - Virtual size: 11KB

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

user32

advapi32

ole32

oleaut32

mpclient

wtsapi32

userenv

ntdll

shell32

version

shlwapi

crypt32

wintrust

Exports

Exports

Sections

.text Size: 124KB - Virtual size: 123KB

33:00:00:02:9e:05:ca:b1:2e:ac:93:cf:b6:00:00:00:00:02:9e
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

93:2c:d5:0d:42:2b:a4:b5:ae:05:c5:db:c8:bb:f7:f8:f9:cd:6b:ac:77:54:c1:d4:93:ca:c1:03:5f:a7:9d:92
Signer

.text
Size: 2.0MB - Virtual size: 2.0MB

.rdata
Size: 296KB - Virtual size: 292KB

.data
Size: 40KB - Virtual size: 100KB

.pdata
Size: 80KB - Virtual size: 79KB

.didat
Size: 4KB - Virtual size: 24B

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 12KB - Virtual size: 11KB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41
Signer

.text
Size: 124KB - Virtual size: 123KB

.rdata
Size: 48KB - Virtual size: 44KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 8KB - Virtual size: 6KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 1KB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf
Signer

.rdata
Size: 4KB - Virtual size: 208B

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf
Signer

.rdata
Size: 4KB - Virtual size: 208B

.rsrc
Size: 188KB - Virtual size: 186KB

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3
Signer

.text
Size: 916KB - Virtual size: 915KB

.rdata
Size: 248KB - Virtual size: 244KB

.data
Size: 104KB - Virtual size: 110KB

.pdata
Size: 64KB - Virtual size: 60KB

.rsrc
Size: 4KB - Virtual size: 1008B

.reloc
Size: 12KB - Virtual size: 11KB