winload[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

winload.exe
Size

1.5MB
MD5

a527b41892e628432938942e5d84541d
SHA1

3801f6db39557a5ea2b3a0d2a7ed8fcd5d60f1ce
SHA256

e74e12fdcbc9e5f4246beeb88315d8ea92e0afbf352659a9d9a672f7167ada16
SHA512

7865ebbd6283545eb859a5a5537854e9d7814ea818ae177811516e288b19af1eaf0de861d00cb85324a4409b122c43e8fa7835c55372234a59b5ca7198fcd514
SSDEEP

24576:uLzYfEd8WvHCkAeOPnqiJM6OawIScsUGOIQPmjH6yOhYRI39G6JiQPU:0zFbvszOJ3umjHDzI39GoPU

Score

1^/10

Malware Config

Signatures

Files

winload.exe
.dll windows:0 windows x64 arch:x64

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:20

Not After

14/11/2024, 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

af:df:c7:2e:6d:f9:92:6d:a3:2a:a8:fc:9e:b6:a4:14:6c:8f:2d:ab:5c:e4:fb:3b:39:85:4e:de:75:18:98:73
Signer

Actual PE Digest

af:df:c7:2e:6d:f9:92:6d:a3:2a:a8:fc:9e:b6:a4:14:6c:8f:2d:ab:5c:e4:fb:3b:39:85:4e:de:75:18:98:73

Digest Algorithm

sha256

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

winload_prod.pdb

Exports

Exports

AhCreateLoadOptionsString
AhGetArcDevice
ArchBuildKernelGdt
ArchGetGdtRegister
BlAllocateSlabPages
BlAmdSlGetTaCommands
BlAppCheckDependency
BlAppSetDependency
BlAppendBootOptionBoolean
BlAppendBootOptionString
BlAppendUnicodeToString
BlArchCpuId
BlArchDetectSmt
BlArchGetCpuVendor
BlArchGetPerformanceCounter
BlArchIsCpuIdFunctionSupported
BlArchIsFiveLevelPagingActive
BlArchIsShadowStackSupported
BlArchKernelSetup
BlArchQueryIoPortAccessSupported
BlArchSetSecrets
BlBdDebugTransitionsEnabled
BlBdDebuggerConnected
BlBdGetExtensionName
BlBdGetMacAddressFromSmBiosUuid
BlBdGetPciDevicePath
BlBdInitializeDeviceDescriptor
BlBdInitializeTransportExtension
BlBdLoadImageSymbols
BlBdPatchIdt
BlBdReleaseDebuggingDevice
BlBdSetupDebugDevice
BlBdSetupDebuggingDevice
BlBdStart
BlBdStop
BlBootOptionExists
BlBsdCloseLog
BlBsdLogEntry
BlCopyBootOptions
BlCopyStringToUnicodeString
BlCopyStringToWcharString
BlCopyUnicodeStringToUnicodeString
BlCopyWcharStringToString
BlDeviceClose
BlDeviceCompare
BlDeviceGetInformation
BlDeviceGetIoInformation
BlDeviceOpen
BlDeviceSetInformation
BlDisplayFreeOemBitmap
BlDisplayGetOemBitmap
BlDisplayInvalidateOemBitmap
BlEnNotifyEvent
BlFileClose
BlFileCopyFile
BlFileExists
BlFileGetInformation
BlFileLoad
BlFileOpen
BlFileReadAtOffsetEx
BlFileReadEx
BlFileSetInformation
BlFileWrite
BlFveCheckPermission
BlFwGetAcpiMemoryMap
BlFwGetSystemTable
BlFwQueryEfiRuntimeVaRange
BlFwReboot
BlFwServicesAvailable
BlGetApplicationEntry
BlGetApplicationIdentifier
BlGetBootDevice
BlGetBootOptionBoolean
BlGetBootOptionDevice
BlGetBootOptionInteger
BlGetBootOptionString
BlGetDevice
BlGetDeviceIdentifier
BlGetExecutionEnvironment
BlGetLogicalProcessorCount
BlGetProcessorApicIds
BlImgFindSection
BlImgGetNtHeader
BlImgGetPEImageSize
BlImgGetSigningPolicy
BlImgGetWhqlEnforcementDateTime
BlImgIsBootUpgradedPlatform
BlImgIsUpgradeInProgress
BlImgIsUpgradedPlatform
BlImgIsWhqlDeveloperTestModeEnabled
BlImgIsWhqlDisabledBySetting
BlImgIsWhqlEnabledBySetting
BlImgIsWinPE
BlImgLoadImageWithProgress2
BlImgLoadPEImageEx
BlImgLoadPEImageWithPolicyValidatedHash
BlImgParseOsRevocationList
BlImgQueryCodeIntegrityBootOptions
BlImgRegisterCodeIntegrityCatalogDirectory
BlImgRegisterCodeIntegrityCatalogs
BlImgRsaKnownAnswerTest
BlImgSetRestrictedSigning
BlImgSetSigningPolicy
BlImgSetSysDevWhqlPolicy
BlImgSha1KnownAnswerTest
BlImgSha1MonteCarloTest
BlImgTrustCustomSignersForDrivers
BlImgUnLoadImage
BlImgVerifyFontIntegrity
BlLdrBuildImagePath
BlLdrFreeDataTableEntry
BlLdrLoadDll
BlLdrLoadImage
BlLdrPreloadFile
BlLdrPreloadImage
BlLdrUnloadImage
BlLogDestroy
BlLogDiagWrite
BlLogEtwRegister
BlLogEtwWrite
BlLogEtwWriteTransfer
BlLogInitialize
BlMmAddEnclavePageRange
BlMmAddPersistentPageRange
BlMmAllocateHeap
BlMmAllocatePages
BlMmAllocatePagesInRange
BlMmAllocatePhysicalPages
BlMmAllocatePhysicalPagesInRange
BlMmAllocatePhysicalPagesInRangeNuma
BlMmAllocateVirtualPages
BlMmDisableStaticDescriptors
BlMmEnableStaticDescriptors
BlMmEnumerateAllocations
BlMmFlushTlb
BlMmFreeHeap
BlMmFreePages
BlMmFreePhysicalPages
BlMmFreeVirtualPages
BlMmGetAllocationPages
BlMmGetMemoryMap
BlMmInitMemoryMapHandle
BlMmMapPhysicalAddress
BlMmMapPhysicalAddressEx
BlMmQueryLargePageSize
BlMmQueryTranslationType
BlMmReleaseMemoryMap
BlMmRemapVirtualAddress
BlMmTranslateEfiMemoryType
BlMmTranslateVirtualAddress
BlMmUnmapVirtualAddress
BlMmUnmapVirtualAddressEx
BlNumaGetNumaMemoryRanges
BlObtainUnusedSlabPages
BlPdAllocateData
BlPdDestroyData
BlPdFreeData
BlPdPersistAllocations
BlPdQueryData
BlPdQueryDataAll
BlPdSaveData
BlPltReadPciConfig
BlRemoveBootOption
BlResourceFindDataFromImage
BlResourceFindMessage
BlResourceGetLanguageMapping
BlSIPolicyCheckPolicyOnDevice
BlSIPolicyDoesActivePolicyGrantPermission
BlSIPolicyLoadAndActivateTemporalPolicy
BlSealSecretToCurrentPcrValues
BlSecureBootGetNonVolatilePrivateVariable
BlSecureBootIgnoreSingleBootOption
BlSecureBootSetVolatilePrivateVariable
BlSetVirtualizationLaunched
BlSiAppLosingTpmAccess
BlSiCloseEnvironment
BlSiEnterInsecureStateEx
BlSiEnvironmentReady
BlSiFlushCurrentMeasurements
BlSiHandleHypervisorLaunchEvent
BlSiLeaveEnvironment
BlSiMeasureOsRevocationList
BlSiPaRecordConfigEvent
BlSiPaRecordDrtmConfigEvent
BlSiPaRecordEvent
BlSiSetDrtmEnvironmentUnsafe
BlStatusError
BlStatusPrint
BlStatusRegisterErrorHandler
BlSvnGetApplicationSvn
BlSvnGetChainStatus
BlSymCryptGetAesBlockCipher
BlSymCryptGetHmacSha256Algorithm
BlTblSetEntry
BlTcgFwSetAndLockMemoryOverwriteRequestControl
BlTimeGetRelativeTime
BlTimeQueryPerformanceCounter
BlTpmGetRandom
BlTpmShutdown
BlTpmStatus
BlTxtGetRlpParkPage
BlUpdateBootOptions
BlUtlCheckSum
BlUtlGetAcpiTable
BlUtlGetAcpiTableOverrides
BlUtlPopulateAcpiTableCache
BlUtlReleaseAcpiTable
BlUtlSetAcpiTableOverrides
BlUtlValidateMemoryRange
BlValidateAmeCertChain
BlVsmCheckSystemPolicy
BlVsmGetSystemPolicy
BlVsmKeysFindKeyMapByType
BlVsmKeysGetCurrentLKeyRefFromArray
BlVsmKeysGetCurrentLKeyRefFromPkg
BlVsmKeysReadAndUnsealLKeyPkg
BlVsmKeysSupportedByPlatform
BlpPdQueryData
BlpPdReleaseData
DbgLoadImageSymbols
DbgPrint
HvlQueryConnection
KdNetGetNetDataSize
KdNetGetParameters
LdrInitSecurityCookie
McGenEventWriteBoot
MinCrypL_HashMemory
MincryptSetWeakCryptoPolicy
OslGenRandomBytes
OslGetControlSubkey
OslGetDrtmSvn
OslGetExportRoutineInModule
OslGetLocalApicId
OslGetStringValueAtKey
OslGetValueAtKey
OslIsRunningInSecureKernel
OslLoadMicrocodeUpdate
RtlAnsiStringToUnicodeString
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlAssert
RtlClearAllBits
RtlClearBits
RtlCompareMemory
RtlCompareUnicodeString
RtlCompareUnicodeStrings
RtlEqualUnicodeString
RtlFindClearBits
RtlFindExportedRoutineByName
RtlFindNextForwardRunClear
RtlFreeAnsiString
RtlFreeUnicodeString
RtlGUIDFromString
RtlImageDirectoryEntryToData
RtlInitAnsiString
RtlInitUnicodeString
RtlInitUnicodeStringEx
RtlInitializeBitMap
RtlInitializeBootFeatureConfigurations
RtlInitializeDelayedFeatureUsageReportBuffer
RtlIntegerToUnicodeString
RtlIpv6StringToAddressW
RtlNotifyFeatureUsage
RtlNumberOfSetBits
RtlPrefixUnicodeString
RtlQueryFeatureConfiguration
RtlQueryFeatureConfigurationChangeStamp
RtlRegisterFeatureConfigurationChangeNotification
RtlSecureZeroMemory
RtlSetBit
RtlSetBits
RtlSizeOfDelayedFeatureUsageReportBuffer
RtlStringFromGUID
RtlUnicodeStringToAnsiString
RtlUnicodeStringToInteger
RtlUnregisterFeatureConfigurationChangeNotification
RtlUpcaseUnicodeChar
RtlValidateDelayedFeatureUsageReportBuffer
RtlValidateFeatureConfigurationBuffer
RtlValidateFeatureUsageSubscriptionBuffer
SIPolicyClearAllActivePolicy
SIPolicyDeletePersistentVariable
SIPolicyGetOptions
SIPolicyGetPolicyHandle
SIPolicyGetPolicyInfoFromType
SIPolicyGetSerializedPolicies
SIPolicyGetSerializedPoliciesSize
SIPolicyHashActiveCodeExecutionPolicies
SIPolicyInvalidateEAsOnRebootEnabled
SIPolicyIsPolicyActive
SIPolicyIsSignedPolicyRequired
SIPolicySetTrialMode
SIPolicyUmciEnabled
SbArePolicyOptionsSet
SbDoesActivePolicyGrantPermission
SbFreeFileData
SbGetKernelPolicyPackage
SbGetSizeOfKernelPolicyPackage
SbIsDebugPolicyActive
SbIsEnabled
SbIsEnabled2
SbIsPolicyActive
SbIsTestRootTrusted
SbIsTestSigningBlocked
SbLoadFile
SbValidateSkuUnlockToken
SipaGetDataPointers
SipaQueueConfigEntry
SipaQueueConfigEntryToQueue
SipaReadPcrsByMask
SipapAppendEntry
SipapCreateQueue
SymCryptGcmAuthPart
SymCryptGcmDecryptFinal
SymCryptGcmDecryptPart
SymCryptGcmEncryptFinal
SymCryptGcmEncryptPart
SymCryptGcmExpandKey
SymCryptGcmInit
SymCryptHmacSha256
SymCryptHmacSha256ExpandKey
SymCryptHmacSha512Selftest
SymCryptInit
SymCryptMarvin32
SymCryptMarvin32ExpandSeed
SymCryptRdrandGet
SymCryptRdrandStatus
SymCryptRdseedGet
SymCryptRdseedStatus
SymCryptRngAesFips140_2Generate
SymCryptRngAesFips140_2Instantiate
SymCryptRngAesFips140_2Uninstantiate
SymCryptRngAesGenerateSelftest
SymCryptRngAesInstantiateSelftest
SymCryptRngAesReseedSelftest
SymCryptSha1
SymCryptSha256
SymCryptSha256Append
SymCryptSha256Init
SymCryptSha256Result
SymCryptSha512
SymCryptSha512Append
SymCryptSha512Init
SymCryptSha512Result
SymCryptSp800_108
TpmApiCheckSecureNVIndex20
TpmApiCreateSecureNVIndex20
TpmApiCreateSrk20
TpmApiGetKeyPublicProperty20
TpmApiGetTpmVersion
TpmApiReadPublic20
TpmApiSeal20Ex
TpmApiUnsealEx
__GSHandlerCheck
__chkstk
_snwscanf_s
_stricmp
_strupr
_vsnprintf
_wcsicmp
_wcsnicmp
_wcstoui64
_wcsupr
memcmp
memcpy
memmove
memset
qsort
rsa_construction_fips186_3
rsa_decryption
rsa_destruction
rsa_encryption
rsa_export
rsa_export_sizes
sprintf_s
strcat_s
strchr
strcmp
strcpy_s
strncmp
strnlen
strstr
swprintf_s
wcscat_s
wcscmp
wcscpy_s
wcsncmp
wcsnlen
wcsrchr
wcsstr

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGER32C
Size: 1024B - Virtual size: 729B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

TRANSIT
Size: 512B - Virtual size: 29B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 169KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 229KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

af:df:c7:2e:6d:f9:92:6d:a3:2a:a8:fc:9e:b6:a4:14:6c:8f:2d:ab:5c:e4:fb:3b:39:85:4e:de:75:18:98:73Signer

Headers

File Characteristics

PDB Paths

Exports

Exports

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

PAGER32C Size: 1024B - Virtual size: 729B

TRANSIT Size: 512B - Virtual size: 29B

PAGE Size: 35KB - Virtual size: 35KB

.rdata Size: 169KB - Virtual size: 168KB

.data Size: 3KB - Virtual size: 229KB

.pdata Size: 44KB - Virtual size: 43KB

.rsrc Size: 22KB - Virtual size: 21KB

.reloc Size: 3KB - Virtual size: 3KB

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

af:df:c7:2e:6d:f9:92:6d:a3:2a:a8:fc:9e:b6:a4:14:6c:8f:2d:ab:5c:e4:fb:3b:39:85:4e:de:75:18:98:73
Signer

.text
Size: 1.2MB - Virtual size: 1.2MB

PAGER32C
Size: 1024B - Virtual size: 729B

TRANSIT
Size: 512B - Virtual size: 29B

PAGE
Size: 35KB - Virtual size: 35KB

.rdata
Size: 169KB - Virtual size: 168KB

.data
Size: 3KB - Virtual size: 229KB

.pdata
Size: 44KB - Virtual size: 43KB

.rsrc
Size: 22KB - Virtual size: 21KB

.reloc
Size: 3KB - Virtual size: 3KB