c6312e039847e505325bed4db22608d0N[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

c6312e039847e505325bed4db22608d0N.exe
Size

2.6MB
MD5

c6312e039847e505325bed4db22608d0
SHA1

42a9b9a738fff5bde00ebddfeca37fdec8a3cfdb
SHA256

64471cad018e971ad9317fd2ac4623c2c308e2c5d03b6e7f6661a47861c6e010
SHA512

0e4514e8354692f4b44a3a0624a7d03651a99a382a55adebef8a2e18fd6dafa2615a1aa236628c4f3ec285f73ba3948071d349b42ebe5d505065fe6f94a5705e
SSDEEP

49152:7ebrgvyX+pNMeE9UuY2bMENEwW8/YTPMi5Lfu:SQ6X+Q42FF

Score

1^/10

Malware Config

Signatures

Files

c6312e039847e505325bed4db22608d0N.exe
.dll windows:6 windows x64 arch:x64

4c0f4cf2d61ea2bfc5a45caea5fe46b2

Code Sign

33:00:00:05:57:cf:90:dd:c7:d1:c0:88:8c:00:00:00:00:05:57
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2023, 19:51

Not After

16/10/2024, 19:51

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:03:a5:41:11:e8:f0:7f:be:0b:75:00:00:00:00:03:a5
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2023, 19:51

Not After

16/10/2024, 19:51

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ff
Signer

Actual PE Digest

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ff

Digest Algorithm

sha256

PE Digest Matches

false

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ff
Signer

Actual PE Digest

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ff

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

d:\dbs\el\omr\target\x64\ship\click2run\x-none\c2r64.pdb

Imports

advapi32

RegCreateKeyExW
RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
EventUnregister
EventRegister
EventSetInformation
EventWriteTransfer
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegDeleteTreeW
RegDeleteKeyW
RegGetValueW
RegDeleteValueW
GetTokenInformation
IsValidSid
GetSidSubAuthorityCount
GetSidSubAuthority
CreateWellKnownSid
CheckTokenMembership
RegNotifyChangeKeyValue
RevertToSelf
OpenThreadToken
OpenProcessToken
GetLengthSid
CopySid
InitializeAcl
AddAccessDeniedAce
AddAccessAllowedAce
AllocateAndInitializeSid
FreeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidA
EqualSid
OpenSCManagerW
CloseServiceHandle
OpenServiceW
StartServiceW

ole32

CoUninitialize
CoInitializeEx
CreateStreamOnHGlobal
CoTaskMemAlloc
IIDFromString
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoTaskMemFree
StringFromCLSID
StringFromGUID2
CoCreateGuid

rpcrt4

NdrClientCall2
RpcStringBindingComposeW
RpcBindingFree
RpcBindingSetAuthInfoW
RpcStringFreeW
RpcBindingFromStringBindingW
RpcMgmtIsServerListening

kernel32

SetStdHandle
CompareStringW
GetTimeFormatW
GetDateFormatW
EnumSystemLocalesW
GetLocaleInfoW
GetOEMCP
GetACP
HeapReAlloc
GetStdHandle
ExitProcess
GetCommandLineA
GetConsoleOutputCP
GetConsoleMode
HeapSize
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
RtlUnwindEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetCPInfo
LCMapStringEx
EncodePointer
RtlPcToFileHeader
GetStringTypeW
InitOnceComplete
InitOnceBeginInitialize
GetFileInformationByHandleEx
GetCurrentProcess
GetModuleHandleExW
InitializeCriticalSectionEx
GetLastError
CompareStringEx
GetProcAddress
DeleteCriticalSection
FreeLibrary
FlsFree
FlsAlloc
IsWow64Process
GetCommandLineW
ExpandEnvironmentStringsW
GetTickCount64
GetModuleFileNameW
GetCurrentProcessId
MultiByteToWideChar
CreateEventExW
CloseHandle
SetEvent
TerminateProcess
GetTempPathW
WerRegisterRuntimeExceptionModule
DisableThreadLibraryCalls
WerUnregisterRuntimeExceptionModule
GetModuleHandleW
Sleep
FindClose
UnmapViewOfFile
MapViewOfFile
CreateActCtxW
ActivateActCtx
SetLastError
OutputDebugStringA
GetStringTypeExW
FindActCtxSectionStringW
DeactivateActCtx
QueryActCtxW
GetUserDefaultLCID
LoadLibraryW
LCMapStringW
LocalFree
FormatMessageA
LocalAlloc
OpenEventW
GlobalMemoryStatusEx
RaiseException
LoadLibraryExW
GetVersionExW
WideCharToMultiByte
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
OpenProcess
GetExitCodeProcess
GetProcessTimes
WriteConsoleW
GetModuleFileNameA
GetShortPathNameA
K32GetModuleFileNameExW
CreateProcessW
FindResourceW
SizeofResource
LoadResource
GetUserDefaultLocaleName
IsValidCodePage
GetSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
CreateFileW
DeviceIoControl
GetComputerNameW
GetNativeSystemInfo
GetSystemDirectoryW
HeapFree
HeapAlloc
GetProcessHeap
ReleaseMutex
CreateMutexExW
OpenMutexW
WaitForSingleObjectEx
SystemTimeToTzSpecificLocalTime
ResetEvent
GetFileAttributesExW
FindFirstFileExW
WriteFile
GetFileSizeEx
ReadFile
DeleteFileW
FindNextFileW
CreateEventW
WaitForSingleObject
ReleaseSemaphore
CreateThread
WaitForMultipleObjectsEx
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
CloseThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolWait
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWait
CreateThreadpoolWork
SubmitThreadpoolWork
QueryDepthSList
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
InitializeSListHead
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlCaptureStackBackTrace
GetLongPathNameW
GetFinalPathNameByHandleW
CreateDirectoryW
SetFileAttributesW
GetFileType
SetFilePointerEx
GetOverlappedResult
GetFileTime
SetFileInformationByHandle
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalFree
GlobalAlloc
LocaleNameToLCID
SetEndOfFile
SetFileTime
FlushFileBuffers
CancelIoEx
GetTempFileNameW
GetProcessAffinityMask
CreateWaitableTimerW
SetWaitableTimerEx
CancelWaitableTimer
GetTickCount
WerRegisterMemoryBlock
WerUnregisterMemoryBlock
QueryFullProcessImageNameW
CreateIoCompletionPort
PostQueuedCompletionStatus
GetThreadIOPendingFlag
GetCurrentThread
GetQueuedCompletionStatus
FlsSetValue
FlsGetValue
IsDebuggerPresent
GetStartupInfoW
CreateMemoryResourceNotification
GetSystemPowerStatus
IsSystemResumeAutomatic
OutputDebugStringW
RtlCaptureContext
K32GetModuleInformation
VirtualFree
VirtualAlloc
OpenEventA
CreateEventA
OpenMutexA
CreateMutexA
OpenSemaphoreA
CreateSemaphoreA
OpenFileMappingA
CreateFileMappingA
GetUserGeoID
K32GetProcessMemoryInfo
FindFirstFileW
GetPriorityClass
GetTimeZoneInformation
IsValidLocale
VirtualProtect
SuspendThread
ResumeThread
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
LoadLibraryExA
OpenThread
TryAcquireSRWLockExclusive
RtlLookupFunctionEntry
RtlVirtualUnwind
GetLocaleInfoEx
GetSystemInfo
GetLocalTime
GetSystemTimeAsFileTime
DecodePointer

Exports

Exports

AddOfficeProduct
AddOfficeProductEx
ApplyCloudPolicy
ApplyCloudPolicyForIdentity
C2rVersion
CheckProcessForCorruption
ClearPropertyBagValue
CollectFileInformation
DeleteAFOScheduledTask
EnableUpdate
EnsureConnection
EnsurePerpetualLicensesFolderExists
FetchDBSLicense
GetInstalledProducts
GetInstalledProductsEx
GetPackageRoot
GetProperty
GetPropertyEx
GetStatusValue
GetStatusValueEx
GetTotalProgress
GetUpdateStatus
HandleError
HandleErrorEx
HandleScheduledHeartbeat
HandleScheduledHeartbeatEx
HrActivate
HrActivateEx
HrApplyUpdatesNow
HrApplyUpdatesNowEx
HrBeginUpdatesDiscoveryPeriod
HrBeginUpdatesDiscoveryPeriodEx
HrDownloadUpdatesNow
HrDownloadUpdatesNowEx
HrGetAreUpdatesCOMManaged
HrGetAreUpdatesEnabled
HrGetAreUpdatesEnabledEx
HrGetAreUpdatesFromAdminSource
HrGetAreUpdatesFromAdminSourceEx
HrGetAreUpdatesLate
HrGetAreUpdatesLateEx
HrGetAreUpdatesReadyForDownload
HrGetAreUpdatesReadyForDownloadEx
HrGetAreUpdatesReadyToApply
HrGetAreUpdatesReadyToApplyEx
HrGetChannelIdForDisplay
HrGetClientFolder
HrGetContainerInstallCommand
HrGetDeviceBasedLicensing
HrGetExecutingScenario
HrGetInstallationPath
HrGetPendingModifyOfficeProducts
HrGetPendingUpdateDeadline
HrGetPendingUpdateDeadlineEx
HrInstallProtectedGraceLicense
HrModifyOfficeProducts
HrRefreshState
HrRegisterForRealtimeExitReporting
HrSetAreUpdatesEnabled
HrSetAreUpdatesEnabledEx
HrSetAreUpdatesFromAdminSource
HrSetAreUpdatesFromAdminSourceEx
HrSetPrivacySettings
HrUpdateLicensingStateData
HrUpdateNow
HrUpdateNowEx
HrUpdateNowWithParameters
InstallProofOfPurchase
InstallProofOfPurchaseEx
IsClick2Run
IsFileInVirtualFolder
IsOSPPReady
IsOSPPReadyEx
IsRepairRequired
IsRepairRequiredEx
IsRoaming
IsStreaming
Launch
LicenseRepair
MigrateOSPPToSPP
OverridePolicy
ReArm
Repair
RepairEx
SetProperty
SetPropertyBagToken
SetTenantAssociationKey
SetUpdateBranch
SetUpdateUrl
SetUpdateUrlSetByUser
StartFB
StartScenario
UninstallProofOfPurchase
UninstallProofOfPurchaseEx

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 874KB - Virtual size: 874KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 50KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 792B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4c0f4cf2d61ea2bfc5a45caea5fe46b2

Code Sign

33:00:00:05:57:cf:90:dd:c7:d1:c0:88:8c:00:00:00:00:05:57Certificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

33:00:00:03:a5:41:11:e8:f0:7f:be:0b:75:00:00:00:00:03:a5Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ffSigner

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ffSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

ole32

rpcrt4

kernel32

Exports

Exports

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 874KB - Virtual size: 874KB

.data Size: 50KB - Virtual size: 55KB

.pdata Size: 97KB - Virtual size: 97KB

.didat Size: 1024B - Virtual size: 792B

_RDATA Size: 512B - Virtual size: 500B

.detourc Size: 8KB - Virtual size: 8KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 26KB - Virtual size: 26KB

33:00:00:05:57:cf:90:dd:c7:d1:c0:88:8c:00:00:00:00:05:57
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

33:00:00:03:a5:41:11:e8:f0:7f:be:0b:75:00:00:00:00:03:a5
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ff
Signer

c4:4c:43:63:82:92:87:5b:0c:cd:d9:ef:8c:c7:2a:93:d5:c0:e6:ef:91:f4:2a:47:7f:dd:94:e2:6f:26:cd:ff
Signer

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 874KB - Virtual size: 874KB

.data
Size: 50KB - Virtual size: 55KB

.pdata
Size: 97KB - Virtual size: 97KB

.didat
Size: 1024B - Virtual size: 792B

_RDATA
Size: 512B - Virtual size: 500B

.detourc
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 26KB - Virtual size: 26KB