Release17[.]7[.]rar

Resubmissions

12-08-2024 02:35

240812-c27e7swarg 10

12-08-2024 02:32

240812-c1dfqs1ekk 10

Sharing

Copy URL

Twitter E-mail

General

Target

Release17.7.rar
Size

811KB
MD5

1736650d1d2d9bea088708a2920e428a
SHA1

8a8ee196461d8002d7448b568bc2a2f693a23757
SHA256

90210aadcedc43e2d627f627f37da8a4e8f39761182b21cd8ca08d2ca298fa82
SHA512

3fc3c891c299e09cdd1c8a5cfebd9176ece1b9b7785a407ab422767db690449422a146ee25a2647118a035821c03e2e91073dec6d8ea5014bd954209e8f61c4b
SSDEEP

12288:+aVDpqXEQdaDtkhGgdPOcSIA7tEEp/2NK7lx8iysijUzjbRjfeGTbVYxG1w/l:BkEQhndGcxA9sKxxijUzjbRjmGf1wN

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Release 17.7.exe

Files

Release17.7.rar
.rar
AmStatusInstall.mof
EppManifest.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf
Signer

Actual PE Digest

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
FepUnregister.mof
MpAsDesc.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf
Signer

Actual PE Digest

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 188KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
MpAzSubmit.dll
.dll windows:10 windows x64 arch:x64

561966a83f8102842f701746ffa86d40

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3
Signer

Actual PE Digest

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpAzSubmit.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
EventUnregister
EventWriteString
EventRegister

kernel32

CloseHandle
LocalFree
FreeLibrary
FindNextFileW
WriteFile
FindClose
CreateFileW
CreateEventW
SetEvent
WaitForSingleObjectEx
ResetEvent
GetProcAddress
SetFilePointerEx
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
ExitProcess
GetModuleHandleExW
HeapAlloc
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
FindFirstFileExW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
WriteConsoleW
DecodePointer
LCMapStringEx
InitOnceComplete
InitOnceBeginInitialize
GetModuleFileNameW
FormatMessageA
WideCharToMultiByte
FormatMessageW
MultiByteToWideChar
RtlPcToFileHeader
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
RaiseException
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SetLastError
GetLastError
InterlockedFlushSList
RtlUnwindEx
TerminateProcess
GetCurrentProcess
GetModuleHandleW
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
HeapFree
VerifyVersionInfoW
GlobalFree
InitializeCriticalSection
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseSRWLockShared
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetModuleHandleA

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate

winhttp

WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpQueryOption
WinHttpSetStatusCallback
WinHttpGetDefaultProxyConfiguration
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen
WinHttpSetTimeouts
WinHttpSetOption
WinHttpConnect
WinHttpGetProxyForUrl
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpQueryAuthSchemes
WinHttpWriteData
WinHttpReadData

ntdll

VerSetConditionMask

xmllite

CreateXmlWriter
CreateXmlReader

bcrypt

BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptCreateHash
BCryptDestroyHash
BCryptHashData
BCryptGetProperty

crypt32

CertVerifyCertificateChainPolicy
CryptUnprotectMemory
CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateContext

Exports

Exports

MpAzSubmitBlobInitialize
MpAzSubmitBlobUninitialize
MpAzSubmitBlobUpload

Sections

.text
Size: 916KB - Virtual size: 915KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 244KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 104KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 64KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Platform/AMMonitoringProvider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41
Signer

Actual PE Digest

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AMMonitoringProvider.pdb

Imports

msvcrt

_vsnprintf
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
wcschr
_wcstoui64
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcscat_s
wcscpy_s
memcpy_s
free
malloc
wcsncpy_s
__C_specific_handler
_purecall
_wchmod
wcsrchr
iswalpha
__CxxFrameHandler4
?terminate@@YAXXZ
_vsnwprintf
_vscwprintf
vswprintf_s
swscanf_s
_initterm
memset

kernel32

GetTickCount
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
Sleep
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameW
FindResourceExW
DecodePointer
EncodePointer
LoadResource
GetCurrentThread
CloseHandle
SwitchToThread
LockResource
SetLastError
InitializeCriticalSectionAndSpinCount
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
DisableThreadLibraryCalls
VirtualLock
FileTimeToSystemTime
GetLocalTime
SystemTimeToFileTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
SizeofResource
MultiByteToWideChar
RaiseException
lstrcmpiW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetLastError
FreeLibrary
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
GetSystemTimeAsFileTime
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW

user32

MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
FindWindowW
GetSystemMetrics
SetWindowTextW
CharNextW
UnregisterClassA
PostMessageW
LoadStringW
ShowWindow
SendMessageW
DestroyWindow
CreateDialogParamW
LoadIconW
GetWindowThreadProcessId

advapi32

RegDeleteKeyW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegQueryValueExW
GetUserNameW
GetTokenInformation
OpenThreadToken
DuplicateTokenEx
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
GetSidSubAuthority
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
ChangeServiceConfigW
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthorityCount

ole32

CoImpersonateClient
CoRevertToSelf
StringFromGUID2
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateGuid

oleaut32

SysStringByteLen
SysAllocStringLen
VariantClear
SysStringLen
VarBstrCat
SysFreeString
VariantInit
VarUI4FromStr
SysAllocString

mpclient

MpClientUtilExportFunctions

wtsapi32

WTSQueryUserToken
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

ntdll

RtlGetVersion
RtlNtStatusToDosError

shell32

SHGetSpecialFolderLocation
SHGetFolderPathW
SHGetPathFromIDListW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsRelativeW
PathAppendW
PathCombineW
PathRemoveFileSpecW
PathMatchSpecW
PathFileExistsW
PathIsDirectoryW
PathFindFileNameW

crypt32

CertVerifyCertificateChainPolicy

wintrust

CryptCATAdminReleaseCatalogContext
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseContext
WinVerifyTrust

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Platform/AmMonitoringInstall.mof
Release 17.7.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
antidet.mof
endpointdlp.dll
.dll windows:10 windows x64 arch:x64

9c3fd1848ccdb144ff7cb14128b86363

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f8:5e:cf:6a:05:20:5e:4a:f3:43:8f:e0:5f:bd:08:91:7d:ef:bc:bd:fb:a7:d2:fd:bd:7d:17:fa:fd:d7:d2:ba
Signer

Actual PE Digest

f8:5e:cf:6a:05:20:5e:4a:f3:43:8f:e0:5f:bd:08:91:7d:ef:bc:bd:fb:a7:d2:fd:bd:7d:17:fa:fd:d7:d2:ba

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

endpointdlp.pdb

Imports

kernel32

FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LoadLibraryExW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
MultiByteToWideChar
WideCharToMultiByte
SetFilePointerEx
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
GetModuleFileNameW
CloseHandle
FlsAlloc
OutputDebugStringW
HeapSize
HeapReAlloc
RaiseException
CreateFileW
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
HeapFree
ExitProcess
GetStartupInfoW
GetModuleHandleExW
GetCurrentThreadId
GetFileType
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetLastError
FreeLibrary
FormatMessageW
GetModuleFileNameA
HeapAlloc
GetProcAddress
GetProcessHeap
GetModuleHandleW
DebugBreak
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObject
ReleaseSemaphore
OpenSemaphoreW
Sleep
GetTickCount
ReleaseSRWLockShared
AcquireSRWLockShared
CreateMutexExW
ReleaseMutex
CreateSemaphoreExW
WaitForSingleObjectEx
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
OpenProcess
K32GetModuleFileNameExW
GetProcessTimes
GetDriveTypeW
CreateEventExW
CreateThreadpoolWait
ExpandEnvironmentStringsW
FormatMessageA
LocalFree
InitOnceBeginInitialize
InitOnceComplete
DecodePointer
LCMapStringEx
FindClose
FindFirstFileExW
FindNextFileW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEvent
ResetEvent
CreateEventW
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent

advapi32

CryptDestroyHash
CryptDestroyKey
CryptVerifySignatureW
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptReleaseContext
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegNotifyChangeKeyValue
RegCreateKeyExW
GetLengthSid
GetTokenInformation
OpenProcessToken
EventRegister
EventUnregister
EventWriteTransfer

ntdll

ZwQueryEaFile

crypt32

CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertAddCertificateContextToStore
CryptImportPublicKeyInfo
CertCreateCertificateContext
CertCloseStore
CertFreeCertificateContext
CryptStringToBinaryW
CertOpenStore
CertFreeCertificateChain

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsNetworkPathW

user32

LoadStringW

Exports

Exports

AuditBrowserFileOperationEvent
AuditBrowserFileOperationEventEx
AuditBrowserOperationEvent
DlpAuditFileAccessEvent
DlpAuditOperationEnforcementEvent
DlpAuditOperationEnforcementEventEx
DlpDelegateEnforcement
DlpFreeArchiveFileTraceInfo
DlpGetArchiveFileTraceInfo
DlpGetFileApplicationAccess
DlpGetFileApplicationAccessEx
DlpGetFileApplicationAccessEx2
DlpGetFileCloudApplicationPolicy
DlpGetFileLocation
DlpGetNotificationSettings
DlpGetPolicyInfoFromRuleId
DlpGetPolicySettings
DlpGetQuarantineConfiguration
DlpInitialize
DlpInitializeFromCustomPolicy
DlpValidateCloudDomainsPolicyCmd
DlpValidateCloudPolicyCmd
DlpValidateCloudWebSitesPolicyCmd
GetBrowserExtensionConfiguration
ShouldCollectBrowsingActivities

Sections

.text
Size: 376KB - Virtual size: 372KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 136KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cfSigner

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 4KB - Virtual size: 208B

.rsrc Size: 1.0MB - Virtual size: 1.0MB

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bfSigner

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 4KB - Virtual size: 208B

.rsrc Size: 188KB - Virtual size: 186KB

561966a83f8102842f701746ffa86d40

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ecCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

rpcrt4

winhttp

ntdll

xmllite

bcrypt

crypt32

Exports

Exports

Sections

.text Size: 916KB - Virtual size: 915KB

.rdata Size: 248KB - Virtual size: 244KB

.data Size: 104KB - Virtual size: 110KB

.pdata Size: 64KB - Virtual size: 60KB

.rsrc Size: 4KB - Virtual size: 1008B

.reloc Size: 12KB - Virtual size: 11KB

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

user32

advapi32

ole32

oleaut32

mpclient

wtsapi32

userenv

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf
Signer

.rdata
Size: 4KB - Virtual size: 208B

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf
Signer

.rdata
Size: 4KB - Virtual size: 208B

.rsrc
Size: 188KB - Virtual size: 186KB

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3
Signer

.text
Size: 916KB - Virtual size: 915KB

.rdata
Size: 248KB - Virtual size: 244KB

.data
Size: 104KB - Virtual size: 110KB

.pdata
Size: 64KB - Virtual size: 60KB

.rsrc
Size: 4KB - Virtual size: 1008B

.reloc
Size: 12KB - Virtual size: 11KB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41
Signer

.text
Size: 124KB - Virtual size: 123KB

.rdata
Size: 48KB - Virtual size: 44KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 8KB - Virtual size: 6KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 1KB

.text
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 68KB - Virtual size: 67KB

.reloc
Size: 512B - Virtual size: 12B

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

f8:5e:cf:6a:05:20:5e:4a:f3:43:8f:e0:5f:bd:08:91:7d:ef:bc:bd:fb:a7:d2:fd:bd:7d:17:fa:fd:d7:d2:ba
Signer

.text
Size: 376KB - Virtual size: 372KB

.rdata
Size: 136KB - Virtual size: 133KB

.data
Size: 12KB - Virtual size: 14KB

.pdata
Size: 20KB - Virtual size: 16KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 2KB