c28d2d3e7aef0f83baf30eddee28a1f3328cefaec589161a34ac3a5a4832fe5c

Sharing

Copy URL

Twitter E-mail

General

Target

c28d2d3e7aef0f83baf30eddee28a1f3328cefaec589161a34ac3a5a4832fe5c
Size

5.2MB
MD5

530eb1c86e66fbd09f591d02d100d94d
SHA1

d7a6f841d6035f91336d014f0c8d458368c70716
SHA256

c28d2d3e7aef0f83baf30eddee28a1f3328cefaec589161a34ac3a5a4832fe5c
SHA512

62e927052451208c47b2683c5bc0074159636ac9ceebd856ac1f7730890998569f9b0572b9509f4cc466b299f6fbcccb4ba118d2d2d3b1fe8331c7c6864509f5
SSDEEP

98304:FlzCf/IMBa9Yx7Hx+iujelfdGuZ0+VTTjTBdljDvQwaY:Fs/IMiY+iuKvGuZ0+VTTBdx4G

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/RFQ-Al NASR-00388/MpClient.dll
unpack001/RFQ-Al NASR-00388/msvcp150.dll

Files

c28d2d3e7aef0f83baf30eddee28a1f3328cefaec589161a34ac3a5a4832fe5c
.rar
RFQ-Al NASR-00388/AMMonitoringProvider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41
Signer

Actual PE Digest

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AMMonitoringProvider.pdb

Imports

msvcrt

_vsnprintf
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
wcschr
_wcstoui64
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
wcscat_s
wcscpy_s
memcpy_s
free
malloc
wcsncpy_s
__C_specific_handler
_purecall
_wchmod
wcsrchr
iswalpha
__CxxFrameHandler4
?terminate@@YAXXZ
_vsnwprintf
_vscwprintf
vswprintf_s
swscanf_s
_initterm
memset

kernel32

GetTickCount
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
Sleep
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameW
FindResourceExW
DecodePointer
EncodePointer
LoadResource
GetCurrentThread
CloseHandle
SwitchToThread
LockResource
SetLastError
InitializeCriticalSectionAndSpinCount
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
DisableThreadLibraryCalls
VirtualLock
FileTimeToSystemTime
GetLocalTime
SystemTimeToFileTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
SizeofResource
MultiByteToWideChar
RaiseException
lstrcmpiW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetLastError
FreeLibrary
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
GetSystemTimeAsFileTime
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW

user32

MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
FindWindowW
GetSystemMetrics
SetWindowTextW
CharNextW
UnregisterClassA
PostMessageW
LoadStringW
ShowWindow
SendMessageW
DestroyWindow
CreateDialogParamW
LoadIconW
GetWindowThreadProcessId

advapi32

RegDeleteKeyW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegQueryValueExW
GetUserNameW
GetTokenInformation
OpenThreadToken
DuplicateTokenEx
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
GetSidSubAuthority
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
ChangeServiceConfigW
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthorityCount

ole32

CoImpersonateClient
CoRevertToSelf
StringFromGUID2
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateGuid

oleaut32

SysStringByteLen
SysAllocStringLen
VariantClear
SysStringLen
VarBstrCat
SysFreeString
VariantInit
VarUI4FromStr
SysAllocString

mpclient

MpClientUtilExportFunctions

wtsapi32

WTSQueryUserToken
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

ntdll

RtlGetVersion
RtlNtStatusToDosError

shell32

SHGetSpecialFolderLocation
SHGetFolderPathW
SHGetPathFromIDListW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsRelativeW
PathAppendW
PathCombineW
PathRemoveFileSpecW
PathMatchSpecW
PathFileExistsW
PathIsDirectoryW
PathFindFileNameW

crypt32

CertVerifyCertificateChainPolicy

wintrust

CryptCATAdminReleaseCatalogContext
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseContext
WinVerifyTrust

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/EppManifest.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf
Signer

Actual PE Digest

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpAsDesc.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf
Signer

Actual PE Digest

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 188KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpAzSubmit.dll
.dll windows:10 windows x64 arch:x64

561966a83f8102842f701746ffa86d40

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3
Signer

Actual PE Digest

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpAzSubmit.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
EventUnregister
EventWriteString
EventRegister

kernel32

CloseHandle
LocalFree
FreeLibrary
FindNextFileW
WriteFile
FindClose
CreateFileW
CreateEventW
SetEvent
WaitForSingleObjectEx
ResetEvent
GetProcAddress
SetFilePointerEx
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
ExitProcess
GetModuleHandleExW
HeapAlloc
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
FindFirstFileExW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
WriteConsoleW
DecodePointer
LCMapStringEx
InitOnceComplete
InitOnceBeginInitialize
GetModuleFileNameW
FormatMessageA
WideCharToMultiByte
FormatMessageW
MultiByteToWideChar
RtlPcToFileHeader
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
RaiseException
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SetLastError
GetLastError
InterlockedFlushSList
RtlUnwindEx
TerminateProcess
GetCurrentProcess
GetModuleHandleW
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
HeapFree
VerifyVersionInfoW
GlobalFree
InitializeCriticalSection
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseSRWLockShared
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetModuleHandleA

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate

winhttp

WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpQueryOption
WinHttpSetStatusCallback
WinHttpGetDefaultProxyConfiguration
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen
WinHttpSetTimeouts
WinHttpSetOption
WinHttpConnect
WinHttpGetProxyForUrl
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpQueryAuthSchemes
WinHttpWriteData
WinHttpReadData

ntdll

VerSetConditionMask

xmllite

CreateXmlWriter
CreateXmlReader

bcrypt

BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptCreateHash
BCryptDestroyHash
BCryptHashData
BCryptGetProperty

crypt32

CertVerifyCertificateChainPolicy
CryptUnprotectMemory
CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateContext

Exports

Exports

MpAzSubmitBlobInitialize
MpAzSubmitBlobUninitialize
MpAzSubmitBlobUpload

Sections

.text
Size: 916KB - Virtual size: 915KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 244KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 104KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 64KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpClient.dll
.dll windows:6 windows x64 arch:x64

3736a7fb8546cf5770aa6e65ed1840ce

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

ey,Ex=xK1g@,.S8K1&4!Q=GJV0%OCj3<V(QMUwYO!Z0QX/rX-]HBpI

Imports

advapi32

RegQueryValueExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
EventWrite
EventRegister
EventEnabled

bcrypt

BCryptImportKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptHashData
BCryptDestroyHash
BCryptGenRandom
BCryptGetProperty
BCryptDestroyKey
BCryptCreateHash
BCryptEncrypt
BCryptDecrypt
BCryptCloseAlgorithmProvider
BCryptFinishHash

kernel32

TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
GetCPInfoExW
SetLastError
GetConsoleMode
GetLastError
GetFileType
ReadFile
ReadConsoleW
WriteFile
WriteConsoleW
GetConsoleCP
GetConsoleOutputCP
GetStdHandle
MultiByteToWideChar
WideCharToMultiByte
FormatMessageW
ReadDirectoryChangesW
CreateFileW
K32EnumProcessModulesEx
CloseHandle
IsWow64Process
GetExitCodeProcess
TerminateProcess
OpenProcess
K32EnumProcesses
K32GetModuleInformation
K32GetModuleBaseNameW
K32GetModuleFileNameExW
GetProcessId
DuplicateHandle
GetCurrentProcess
FreeConsole
LocalFree
CloseThreadpoolIo
ExitProcess
GetCurrentProcessId
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
GetSystemTime
GetTickCount64
GetCurrentProcessorNumber
GetCurrentThread
WaitForSingleObject
Sleep
CreateThreadpoolWork
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolTimer
SetThreadpoolTimer
InitializeCriticalSection
InitializeConditionVariable
DeleteCriticalSection
EnterCriticalSection
SleepConditionVariableCS
LeaveCriticalSection
WakeConditionVariable
WaitForMultipleObjectsEx
GetFullPathNameW
GetLongPathNameW
GetCPInfo
LocalAlloc
GetProcAddress
RaiseFailFastException
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
CopyFileExW
CreateDirectoryW
DeleteFileW
DeleteVolumeMountPointW
DeviceIoControl
ExpandEnvironmentStringsW
FindNextFileW
FindClose
FindFirstFileExW
FlushFileBuffers
FreeLibrary
GetFileAttributesExW
GetFileInformationByHandleEx
GetModuleFileNameW
GetOverlappedResult
LoadLibraryExW
MoveFileExW
QueryUnbiasedInterruptTime
RemoveDirectoryW
SetFileInformationByHandle
SetThreadErrorMode
CreateThread
ResumeThread
GetThreadPriority
SetThreadPriority
GetDynamicTimeZoneInformation
GetTimeZoneInformation
SetEvent
ResetEvent
CreateEventExW
FlushProcessWriteBuffers
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentThreadId
WaitForSingleObjectEx
RtlVirtualUnwind
RtlCaptureContext
RtlRestoreContext
AddVectoredExceptionHandler
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
SuspendThread
GetThreadContext
SetThreadContext
FlushInstructionCache
VirtualAlloc
VirtualProtect
VirtualFree
QueryInformationJobObject
GetModuleHandleW
GetModuleHandleExW
GetProcessAffinityMask
InitializeContext
GetEnabledXStateFeatures
SetXStateFeaturesMask
VirtualQuery
InitializeCriticalSectionEx
GetSystemTimeAsFileTime
GetEnvironmentVariableW
DebugBreak
SleepEx
GlobalMemoryStatusEx
GetSystemInfo
GetTickCount
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
GetWriteWatch
ResetWriteWatch
VirtualAllocExNuma
IsProcessInJob
GetNumaHighestNodeNumber
GetProcessGroupAffinity
K32GetProcessMemoryInfo
UnhandledExceptionFilter
IsDebuggerPresent
RtlLookupFunctionEntry
InitializeSListHead
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive

ole32

CoTaskMemFree
CoCreateGuid
CoGetApartmentType
CoUninitialize
CoInitializeEx
CoWaitForMultipleHandles

secur32

GetUserNameExW

api-ms-win-crt-heap-l1-1-0

free
malloc
_callnewh
calloc

api-ms-win-crt-math-l1-1-0

ceil
pow
modf

api-ms-win-crt-string-l1-1-0

_wcsicmp
wcsncmp
strcmp
strcpy_s

api-ms-win-crt-runtime-l1-1-0

abort
terminate
_cexit
_initterm
_initterm_e
_execute_onexit_table
_initialize_onexit_table
_seh_filter_dll
_initialize_narrow_environment
_configure_narrow_argv

Exports

Exports

MpAllocMemory
MpClientUtilExportFunctions
MpConfigInitialize
MpFreeMemory
MpUtilsExportFunctions

Sections

.text
Size: 418KB - Virtual size: 418KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.managed
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 150KB - Virtual size: 211KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 128KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 71KB - Virtual size: 71KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpCommu.dll
.dll windows:10 windows x64 arch:x64

abc5cd2efb141964bfcdea8032c2c42d

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

80:75:b6:53:e4:da:ce:56:17:72:f2:19:3d:ae:e5:25:29:9d:c4:d9:5f:97:93:3b:c5:3f:31:f9:a2:c7:3e:da
Signer

Actual PE Digest

80:75:b6:53:e4:da:ce:56:17:72:f2:19:3d:ae:e5:25:29:9d:c4:d9:5f:97:93:3b:c5:3f:31:f9:a2:c7:3e:da

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpCommu.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_initialize_narrow_environment
terminate
abort
_invalid_parameter_noinfo
_errno
_beginthreadex
_configure_narrow_argv
_initterm_e
_seh_filter_dll
_cexit
_initterm
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswscanf
__stdio_common_vswprintf
__stdio_common_vsprintf

advapi32

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW

crypt32

CertGetCertificateChain
CertFreeCertificateChain
CertFreeCertificateContext
CertVerifyCertificateChainPolicy

kernel32

InitializeCriticalSectionEx
DeleteCriticalSection
LoadLibraryExW
GetThreadPriority
GetCurrentThread
SetThreadPriority
DeleteTimerQueueTimer
CreateFileW
FlsAlloc
GetFileAttributesW
GetTickCount
ExpandEnvironmentStringsW
Sleep
SetEvent
ResetEvent
WaitForSingleObject
SetLastError
GetSystemDirectoryW
GetLastError
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
GetTempPathW
GetEnvironmentVariableW
EnterCriticalSection
GetProcAddress
WaitForSingleObjectEx
CreateEventW
TerminateProcess
GetCurrentProcess
SetEnvironmentVariableW
GetModuleHandleW
IsProcessorFeaturePresent
GetFileSizeEx
ReadFile
CreateDirectoryW
TryEnterCriticalSection
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetCurrentThreadId
GlobalFree
SetEndOfFile
WriteFile
SetFilePointerEx
FileTimeToSystemTime
SystemTimeToFileTime
MultiByteToWideChar
WideCharToMultiByte
EncodePointer
FlsFree
FlsSetValue
GetCurrentProcessId
QueryPerformanceCounter
GetExitCodeProcess
DeleteFileW
CloseHandle
GetSystemTimeAsFileTime
FreeLibrary
LeaveCriticalSection
FlsGetValue
GetSystemTime
QueryPerformanceFrequency
GetNativeSystemInfo

ole32

CLSIDFromProgID
CoInitializeEx
StringFromGUID2
CoCreateInstance
CoUninitialize
CoCreateGuid

slc

SLGetWindowsInformationDWORD

wintrust

WinVerifyTrust
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain

winhttp

WinHttpGetProxyForUrl
WinHttpSetTimeouts
WinHttpGetDefaultProxyConfiguration
WinHttpConnect
WinHttpCrackUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpAddRequestHeaders
WinHttpWriteData
WinHttpReceiveResponse
WinHttpSetOption
WinHttpSendRequest
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpQueryOption
WinHttpOpen
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpCloseHandle

shlwapi

PathIsURLW

mpclient

MpManagerOpen
MpClientUtilExportFunctions
MpFreeMemory
MpConfigGetValue
MpConfigClose
MpConfigOpen
MpUtilsExportFunctions
MpConfigUninitialize
MpConfigInitialize
MpAllocMemory
MpConfigSetValue
MpManagerVersionQuery
MpHandleClose
MpConfigGetValueAlloc

api-ms-win-crt-heap-l1-1-0

_calloc_base
free
malloc
_free_base
_callnewh

api-ms-win-crt-string-l1-1-0

wcsncmp
_wcsnicmp
iswspace
strcpy_s
_wcsicmp

oleaut32

SysAllocStringLen
SysAllocString
SysStringLen
SysStringByteLen
VariantClear
VarBstrCmp
VariantInit
SysAllocStringByteLen
SysFreeString

user32

CharLowerBuffW

api-ms-win-crt-math-l1-1-0

ceil

Exports

Exports

MpCommunicationCreateInstance
MpCommunicationDownloadFile
MpCommunicationInitialize
MpCommunicationUninitialize

Sections

.text
Size: 224KB - Virtual size: 221KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpDetours.dll
.dll windows:10 windows x64 arch:x64

e7e92a2408c8a2349b72bc8776729dac

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5f:cd:ba:47:f6:f0:8c:ea:37:f7:67:66:f0:37:bf:a9:d7:80:24:f0:4f:09:bc:df:ba:17:5e:30:8c:74:9c:be
Signer

Actual PE Digest

5f:cd:ba:47:f6:f0:8c:ea:37:f7:67:66:f0:37:bf:a9:d7:80:24:f0:4f:09:bc:df:ba:17:5e:30:8c:74:9c:be

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpDetours.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_invalid_parameter_noinfo_noreturn
_cexit
terminate
abort

api-ms-win-crt-string-l1-1-0

towlower
_wcsicmp
strcpy_s

advapi32

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage

kernel32

RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
RaiseException
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
GetCurrentThread
InitializeCriticalSectionAndSpinCount
HeapAlloc
HeapFree
Sleep
LoadLibraryExW
ResetEvent
WaitForSingleObjectEx
IsProcessorFeaturePresent
OpenProcess
WaitForSingleObject
SwitchToThread
DecodePointer
SetThreadContext
FlushInstructionCache
VirtualLock
GetSystemInfo
VirtualAlloc
VirtualFree
VirtualQuery
VirtualProtect
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
GlobalFree
SetLastError
SystemTimeToFileTime
DeleteFileW
CreateFileW
GetFileSizeEx
CompareFileTime
HeapUnlock
HeapLock
GlobalUnlock
GlobalLock
OpenThread
GetProcessHeap
GetThreadContext
GetLastError
CreateToolhelp32Snapshot
ResumeThread
SuspendThread
GetCurrentThreadId
Thread32First
Thread32Next
GetProcessTimes
GetCurrentProcessId
GlobalAlloc
SetEvent
GetTickCount64
GetCurrentProcess
GetModuleHandleW
GetProcAddress
CloseHandle
CreateEventW
GetModuleFileNameW
FindStringOrdinal
TerminateProcess
ReleaseSemaphore
CreateSemaphoreW

ole32

OleFlushClipboard
ReleaseStgMedium
OleSetClipboard
DoDragDrop

user32

GetPriorityClipboardFormat
GetClipboardSequenceNumber
GetClipboardOwner
CountClipboardFormats
EmptyClipboard
EnumClipboardFormats
GetUpdatedClipboardFormats
GetWindowThreadProcessId
GetClipboardData
SetClipboardData
IsClipboardFormatAvailable
CloseClipboard
GetKeyboardLayout
SendMessageTimeoutW

winspool.drv

GetPrintExecutionData
SetJobW
StartDocPrinterW
EndPagePrinter
EndDocPrinter
GetJobW
WritePrinter
StartPagePrinter
GetPrinterW

shlwapi

StrStrIW

shell32

DragQueryFileW

ntdll

RtlGetVersion
RtlEqualUnicodeString
RtlNtStatusToDosError

api-ms-win-crt-heap-l1-1-0

free
_free_base
_calloc_base
malloc
_callnewh

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsprintf

Sections

.text
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpDetoursCopyAccelerator.dll
.dll windows:10 windows x64 arch:x64

8e02fd15ca77e52683aebaf6fd6f3349

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

54:44:c2:8d:07:30:4a:75:95:12:85:b9:7e:b5:15:ca:66:71:ea:ad:5d:5c:97:54:b7:7b:1c:82:cb:e5:49:7c
Signer

Actual PE Digest

54:44:c2:8d:07:30:4a:75:95:12:85:b9:7e:b5:15:ca:66:71:ea:ad:5d:5c:97:54:b7:7b:1c:82:cb:e5:49:7c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpDetoursCopyAccelerator.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
abort
_crt_atexit
terminate
_cexit
_invalid_parameter_noinfo_noreturn

advapi32

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage

kernel32

DecodePointer
SetThreadContext
FlushInstructionCache
GetSystemInfo
VirtualAlloc
VirtualFree
VirtualProtect
InitializeCriticalSectionAndSpinCount
HeapAlloc
HeapFree
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
EncodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
TerminateProcess
GetCurrentProcess
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
HeapUnlock
HeapLock
OpenThread
GetProcessHeap
GetCurrentProcessId
GetThreadContext
CloseHandle
GetLastError
CreateToolhelp32Snapshot
ResumeThread
SuspendThread
GetCurrentThreadId
Thread32First
Thread32Next
SetLastError
GetModuleHandleW
GetProcAddress
GetModuleFileNameW
GetCurrentThread
VirtualQuery
VirtualLock
GetFullPathNameW
CreateEventW
SetEvent
WaitForSingleObjectEx
ResetEvent
LoadLibraryExW

shlwapi

PathIsRelativeW

ntdll

RtlGetVersion
RtlNtStatusToDosError

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
_free_base
free
_calloc_base

api-ms-win-crt-string-l1-1-0

strcpy_s

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsprintf

Sections

.text
Size: 44KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpEvMsg.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

36:08:49:ab:77:a6:a8:da:46:53:18:44:a1:59:25:3d:9f:65:64:fe:c6:3c:b3:d9:29:8b:32:78:94:32:91:f0
Signer

Actual PE Digest

36:08:49:ab:77:a6:a8:da:46:53:18:44:a1:59:25:3d:9f:65:64:fe:c6:3c:b3:d9:29:8b:32:78:94:32:91:f0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 124KB - Virtual size: 121KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpOAV.dll
.dll regsvr32 windows:10 windows x64 arch:x64

5e99d9338a66701e0fb8f1477dde6ea9

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6d:eb:74:02:4c:cd:ec:3d:cc:ad:cf:3b:21:90:d3:72:6e:d7:c0:43:40:27:4a:03:3e:9b:ab:8a:8c:e8:c9:69
Signer

Actual PE Digest

6d:eb:74:02:4c:cd:ec:3d:cc:ad:cf:3b:21:90:d3:72:6e:d7:c0:43:40:27:4a:03:3e:9b:ab:8a:8c:e8:c9:69

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpOAV.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
EventActivityIdControl
EventWriteTransfer
EventUnregister
EventRegister
RegCloseKey
RegOpenKeyExW
RegQueryValueExW

kernel32

ExitProcess
GetModuleHandleW
GetModuleHandleExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
GetProcessHeap
SetStdHandle
GetConsoleMode
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetModuleFileNameW
SetFilePointerEx
CreateFileW
WriteConsoleW
QueryPerformanceCounter
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindFirstFileExW
HeapSize
LCMapStringW
GetProcAddress
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetStartupInfoW
GetFileType
GetStdHandle
HeapFree
HeapAlloc
GetCurrentThreadId
IsProcessorFeaturePresent
TerminateProcess
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WideCharToMultiByte
MultiByteToWideChar
GetCurrentProcess
GetVersionExW
Sleep
GetLastError
GetProcessTimes
GetCurrentProcessId
FreeLibrary
LoadLibraryExW
CloseHandle
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
HeapReAlloc
GetFileSizeEx
FindNextFileW
FindClose
GetFileAttributesW
CreateEventW
GetTempPathW
GetSystemDirectoryW
SizeofResource
LockResource
LoadResource
FindResourceW
DecodePointer

ole32

CoCreateInstance
CoTaskMemFree
StringFromGUID2
CoTaskMemAlloc

oleaut32

SysAllocStringLen
SysStringLen
SysFreeString

ntdll

RtlGetVersion
RtlNtStatusToDosError

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 188KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpProvider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

dfe0dec84410187ad137fa24212ce072

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8c:d4:fc:ad:7f:a3:be:ab:98:83:e4:a7:d6:cb:f6:7b:19:69:e2:c5:d1:34:cf:25:a8:42:7d:d8:f2:8f:88:46
Signer

Actual PE Digest

8c:d4:fc:ad:7f:a3:be:ab:98:83:e4:a7:d6:cb:f6:7b:19:69:e2:c5:d1:34:cf:25:a8:42:7d:d8:f2:8f:88:46

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpProvider.pdb

Imports

msvcrt

__CxxFrameHandler4
_vsnprintf
wcschr
_vscwprintf
realloc
_errno
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memmove
memcpy
_CxxThrowException
memmove_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
malloc
memcpy_s
__C_specific_handler
_purecall
wcsncpy_s
wcscat_s
free
wcscpy_s
_wchmod
_vsnwprintf
iswalpha
wcsrchr
vswprintf_s
memset

kernel32

GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
GetSystemTimeAsFileTime
InitializeCriticalSection
FindResourceExW
GetTickCount
RtlCaptureContext
LoadResource
SizeofResource
MultiByteToWideChar
lstrcmpiW
FreeLibrary
CompareStringW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
GetLastError
DecodePointer
EncodePointer
GetCurrentThread
CloseHandle
SystemTimeToFileTime
FileTimeToSystemTime
SwitchToThread
LockResource
SetLastError
CreateDirectoryW
ReadFile
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
RemoveDirectoryW
GetTempPathW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
OpenProcess
CreateEventW
SetEvent
DeleteFileW
GetNativeSystemInfo
ResetEvent
LocalFree
CreateProcessW
GetExitCodeProcess
InitializeCriticalSectionAndSpinCount
DisableThreadLibraryCalls
VirtualLock
GetLocalTime
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
LeaveCriticalSection
EnterCriticalSection
SetThreadLocale
GetThreadLocale
RaiseException
DeleteCriticalSection
Sleep
OutputDebugStringA
GetTempFileNameW
CopyFileW
GetLocaleInfoW
CreateMutexW
ReleaseMutex
IsWow64Process
GetWindowsDirectoryW
GetDiskFreeSpaceExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
FindResourceW
FreeResource
K32GetModuleFileNameExW
VerifyVersionInfoW
GetFileSize
GetLongPathNameW
MoveFileW
CreateThread
GetExitCodeThread
GetPrivateProfileStringW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
ProcessIdToSessionId
GetVersionExW
GetDriveTypeW
GlobalFindAtomW

user32

LoadIconW
DestroyWindow
SendMessageW
ShowWindow
LoadStringW
PostMessageW
UnregisterClassA
GetSystemMetrics
FindWindowW
GetWindowThreadProcessId
MessageBoxW
SetForegroundWindow
SetTimer
KillTimer
IsDialogMessageW
PostThreadMessageW
AdjustWindowRectEx
CharNextW
CreateDialogParamW
SetWindowTextW

advapi32

GetUserNameW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
EnableTrace
ControlTraceW
RegDeleteKeyW
RegQueryValueExW
OpenProcessToken
GetTokenInformation
OpenThreadToken
FreeSid
CloseServiceHandle
CreateProcessAsUserW
LookupPrivilegeNameW
InitiateSystemShutdownExW
AdjustTokenPrivileges
PrivilegeCheck
LookupPrivilegeValueW
QueryServiceStatus
ControlService
ChangeServiceConfigW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
OpenServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
GetSidSubAuthority
DuplicateTokenEx
GetSidSubAuthorityCount
ConvertStringSecurityDescriptorToSecurityDescriptorW

ole32

CoImpersonateClient
CoCreateGuid
CoGetClassObject
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateInstance
StringFromGUID2
CoRevertToSelf

oleaut32

VarUI4FromStr
SafeArrayLock
VarBstrCat
SafeArrayCreate
SysStringByteLen
SafeArrayUnlock
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayDestroy
SysStringLen
SafeArrayGetVartype
VariantInit
VariantClear
SysFreeString
SysAllocString
SysAllocStringLen

wtsapi32

WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSFreeMemory
WTSQueryUserToken

ntdll

RtlGetVersion
RtlNtStatusToDosError

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHGetFolderPathW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

shlwapi

PathFileExistsW
PathAppendW
PathFindFileNameW
PathIsRelativeW
PathCombineW
PathMatchSpecW
PathIsDirectoryW
PathRemoveFileSpecW

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
WinVerifyTrust

crypt32

CertVerifyCertificateChainPolicy

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 116KB - Virtual size: 114KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpRtp.dll
.dll windows:10 windows x64 arch:x64

2885032f801d6fd1135f59079b0e3889

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4b:56:d8:c9:2e:bc:76:2d:4b:21:89:bf:c6:e2:7a:17:55:6f:71:4f:a0:77:cd:d6:f4:6f:40:54:05:73:fc:d6
Signer

Actual PE Digest

4b:56:d8:c9:2e:bc:76:2d:4b:21:89:bf:c6:e2:7a:17:55:6f:71:4f:a0:77:cd:d6:f4:6f:40:54:05:73:fc:d6

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpRTP.pdb

Imports

kernel32

GetVersionExW
GetModuleHandleW
GetProcAddress
ProcessIdToSessionId
GetLastError
GetTickCount64
OpenProcess
GetProcessTimes
CloseHandle
GetCurrentThreadId
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetCurrentThread
HeapFree
HeapAlloc
ExitProcess
FreeLibrary
GetModuleHandleExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LoadLibraryExW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
MultiByteToWideChar
GetProcessHeap
WideCharToMultiByte
HeapSize
HeapReAlloc
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
EncodePointer
RaiseException
InitializeCriticalSectionEx
RtlPcToFileHeader
SleepEx
WaitForSingleObject
K32GetModuleFileNameExW
K32GetProcessImageFileNameW
GetExitCodeThread
CreateRemoteThread
WriteProcessMemory
GetLocalTime
Sleep
FlushFileBuffers
OpenThread
GetSystemInfo
GetTickCount
K32GetModuleInformation
FindClose
QueryDosDeviceW
DeviceIoControl
GetLogicalDriveStringsW
UnmapViewOfFile
CompareStringOrdinal
QueryFullProcessImageNameW
GetFileTime
GetFileSize
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CompareFileTime
GetProcessId
GetExitCodeProcess
GetComputerNameExW
GlobalMemoryStatusEx
LocalFree
K32EnumProcessModules
VirtualQueryEx
K32GetMappedFileNameW
FindStringOrdinal
SystemTimeToFileTime
QueueUserAPC
ReadFile
CopyFileExW
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatus
MoveFileExW
GetFileAttributesW
GetThreadPriority
SetThreadPriority
InitializeSRWLock
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CreateThread
SwitchToThread
CreateDirectoryW
FindFirstFileW
GetFileSizeEx
FindNextFileW
WriteFile
ExpandEnvironmentStringsW
SetEnvironmentVariableW
CreateFileW
SetFileAttributesW
DeleteFileW
LoadLibraryW
SetFilePointerEx
ReleaseSemaphore
GetModuleFileNameW
GetTempPathW
GetSystemDirectoryW
GetSystemWow64DirectoryW
CreateSemaphoreW
CreateFileMappingW
MapViewOfFile
VirtualQuery
FormatMessageA
GetDriveTypeW
VirtualProtect
LoadLibraryExA
GetFileInformationByHandleEx
FindFirstFileExW
GetFinalPathNameByHandleW
SetEndOfFile
GetFileAttributesExW
DecodePointer
CompareStringEx
LCMapStringEx
ExitThread
FreeLibraryAndExitThread
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStdHandle
GetFileType
GetTimeZoneInformation
SetStdHandle
GetConsoleOutputCP
GetConsoleMode
ReadConsoleW
WriteConsoleW
DeleteProcThreadAttributeList
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
Module32FirstW
Module32NextW
VirtualFreeEx
IsWow64Process
VirtualAllocEx

wtsapi32

WTSEnumerateSessionsW
WTSQueryUserToken
WTSFreeMemory

tdh

TdhGetPropertySize
TdhGetProperty
TdhGetEventInformation

setupapi

SetupDiGetClassRegistryPropertyW
SetupDiSetClassRegistryPropertyW

ntdll

RtlNtStatusToDosError
NtClose
RtlPrefixUnicodeString
NtWaitForSingleObject
NtDeviceIoControlFile
NtCreateFile
RtlInitUnicodeString
RtlCompareUnicodeString
NtMapViewOfSection
RtlGetVersion

bcrypt

BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptGetProperty
BCryptOpenAlgorithmProvider

mpclient

MpIsDeviceControlAvailable
MpShutdownCopyAcceleratorProcess
MpGetCopyAcceleratorProcessStatus
MpConfigSetValue
MpHandleClose
MpConfigUnregisterNotifications
MpConfigRegisterForNotifications
MpConfigGetValueAlloc
MpManagerOpen
MpManagerVersionQuery
MpUtilsExportFunctions
MpClientUtilExportFunctions
MpAllocMemory
MpFreeMemory
MpConfigOpen
MpConfigGetValue
MpConfigClose

Exports

Exports

MpPluginBypassDlpWarning
MpPluginCheckAccessForClipboardOperation
MpPluginCheckAccessForDragDropOperation
MpPluginCheckAccessForPrintOperation
MpPluginCheckExclusion
MpPluginConfigChange
MpPluginConfigDirectoryMonitoring
MpPluginConfigSyncMonitoring
MpPluginDismissDlpWarning
MpPluginDlpDelegateEnforcement
MpPluginEnableDlp
MpPluginEnforceDlpClipboard
MpPluginEnforceDlpReadClipboard
MpPluginFlushLogData
MpPluginGetConfigOperations
MpPluginGetCopyAcceleratorState
MpPluginGetDlpNotificationSettings
MpPluginGetHeartBeatData
MpPluginGetState
MpPluginGetThreatCategory
MpPluginGetThreatExecInfo
MpPluginGetThreatInfo
MpPluginInitialize
MpPluginIsSuspended
MpPluginNotifyRpcServerStateChange
MpPluginNotifySessionStateChange
MpPluginNotifySetupProgress
MpPluginQueryDlpState
MpPluginQueryRtpMonitoringInfoEx
MpPluginRefreshDlpPolicySettings
MpPluginRefreshPlatformKillbits
MpPluginRegisterFriendlyProcess
MpPluginReportClipboardOwner
MpPluginReportThreadStatus
MpPluginSendBrowserHeartbeat
MpPluginSendUserModeRegistryData
MpPluginSetDefaultConfigs
MpPluginSetDriverUnloadInProgress
MpPluginSetEngine
MpPluginSetState
MpPluginSetUserInformation
MpPluginShutdown
MpPluginSignatureChange
MpPluginStop
MpPluginUpdateBrowserActiveTab
MpPluginUpdateFolderGuardData
MpPluginUpdateMonitoringInfo
MpPluginUpdateMonitoringInfoEx
MpPluginUpdateTPState

Sections

.text
Size: 968KB - Virtual size: 964KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 40KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 776B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MpSvc.dll
.dll windows:10 windows x64 arch:x64

7ceea8dd728f5932a45ab39a47267bb0

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

16:fc:a6:c1:45:ed:86:a2:87:90:7b:62:c6:f7:34:7c:02:2f:fa:b9:b1:50:2c:98:36:c2:e4:fc:dd:4d:ff:ac
Signer

Actual PE Digest

16:fc:a6:c1:45:ed:86:a2:87:90:7b:62:c6:f7:34:7c:02:2f:fa:b9:b1:50:2c:98:36:c2:e4:fc:dd:4d:ff:ac

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpSvc.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

abort
_errno
_beginthreadex
_invalid_parameter_noinfo_noreturn
terminate
_invalid_parameter_noinfo
_cexit
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_initterm_e
_initterm

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsnprintf_s
__stdio_common_vswprintf_s
__stdio_common_vswscanf
__stdio_common_vsprintf
__stdio_common_vsnwprintf_s
__stdio_common_vsprintf_s

api-ms-win-crt-string-l1-1-0

iswspace
wcsnlen
iswupper
strncmp
iswalpha
isdigit
wcsncmp
iswxdigit
islower
iswlower
strcspn
towupper
towlower
_wcsnicmp
strcpy_s
_wcsdup
toupper
isupper
__strncnt
strnlen
_wcsicmp
iswdigit
wcscmp
wcspbrk

api-ms-win-crt-heap-l1-1-0

malloc
_malloc_base
calloc
_free_base
_calloc_base
_callnewh
realloc
free

api-ms-win-crt-convert-l1-1-0

wcstol
_ui64tow_s
_wcstod_l
_i64tow_s
_ui64toa_s
wcstoll
_wtol
_i64toa_s
wcstoull
_wtoi64
wcstoul
_itow_s
_wtoi

api-ms-win-crt-utility-l1-1-0

srand
rand

api-ms-win-crt-locale-l1-1-0

_free_locale
_create_locale
__pctype_func
___lc_locale_name_func
localeconv
___lc_codepage_func
_unlock_locales
___mb_cur_max_func
_lock_locales
setlocale

api-ms-win-crt-math-l1-1-0

ceilf
frexp

kernel32

QueryInformationJobObject
ExpandEnvironmentStringsW
InitOnceComplete
CopyFileExW
InitOnceBeginInitialize
GetVersionExW
LoadLibraryExA
VirtualProtect
RemoveDirectoryW
ConvertDefaultLocale
GetLocaleInfoW
VirtualQuery
GetSystemWindowsDirectoryW
CreateSemaphoreW
HeapSetInformation
GetNativeSystemInfo
GetSystemDirectoryW
OpenEventW
GetEnvironmentVariableW
UnregisterWaitEx
GetComputerNameExW
GetThreadPriority
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
RtlPcToFileHeader
InterlockedFlushSList
ChangeTimerQueueTimer
RtlUnwindEx
CreateJobObjectW
InitializeSListHead
IsProcessorFeaturePresent
UnhandledExceptionFilter
RegisterWaitForSingleObject
WriteFile
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LCMapStringEx
DecodePointer
EncodePointer
CreateTimerQueueTimer
GetFileSizeEx
ReadFile
SetThreadpoolTimer
TryEnterCriticalSection
InitializeCriticalSection
LCMapStringW
SwitchToThread
InitializeCriticalSectionEx
SystemTimeToFileTime
SetFilePointerEx
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
GetProcAddress
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
Sleep
FreeLibrary
DeleteTimerQueueTimer
SetEnvironmentVariableW
GetTempPathW
TerminateProcess
GetCurrentProcess
SetThreadPriority
GetCurrentThread
SetEvent
GetFileAttributesW
MoveFileExW
CreateHardLinkW
GetExitCodeProcess
CopyFileW
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
CreateEventW
CreateThread
LoadLibraryExW
lstrcmpiW
FindFirstFileW
FindNextFileW
FindClose
CreateDirectoryW
GetFileAttributesExW
OpenThread
GetThreadTimes
LeaveCriticalSection
EnterCriticalSection
CreateFileW
LocalFree
MultiByteToWideChar
LoadLibraryW
InitializeCriticalSectionAndSpinCount
ResetEvent
DeleteCriticalSection
CreateMutexW
WaitForMultipleObjects
DuplicateHandle
GetDateFormatW
GetTimeFormatW
ProcessIdToSessionId
GetSystemTime
FindFirstChangeNotificationW
FindNextChangeNotification
GetTempFileNameW
FindCloseChangeNotification
GetLogicalDrives
GetDriveTypeW
GetDiskFreeSpaceExW
GetVolumePathNameW
InitializeSRWLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
OpenProcess
RaiseException
GetTickCount64
GetProcessTimes
GetTickCount
WaitForMultipleObjectsEx
CompareFileTime
DeleteFileW
FileTimeToLocalFileTime
FileTimeToSystemTime
GetLocalTime
UnmapViewOfFile
GetModuleFileNameW
CreateProcessW
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetSystemPowerStatus
DeviceIoControl
SleepEx
FlushFileBuffers
GetSystemInfo
GetFileInformationByHandle
SetEnvironmentVariableA
ReadProcessMemory
K32GetProcessMemoryInfo
WideCharToMultiByte
QueryDosDeviceW
CreateIoCompletionPort
SetInformationJobObject
AssignProcessToJobObject
GetQueuedCompletionStatus
SetFileAttributesW
PostQueuedCompletionStatus
SetErrorMode
FormatMessageA
TryAcquireSRWLockExclusive
GetStringTypeW
QueryPerformanceFrequency
GetFinalPathNameByHandleW

setupapi

SetupDiGetClassRegistryPropertyW
SetupDiSetClassRegistryPropertyW

wtsapi32

WTSEnumerateSessionsW
WTSQueryUserToken
WTSQuerySessionInformationW
WTSFreeMemory

ntdll

RtlIpv6StringToAddressExW
RtlIpv4StringToAddressExW
NtQueryInformationProcess

mpclient

MpThreatLocalizedInfoQuery
MpScanControl
MpQueryEngineConfigDword
MpClientUtilExportFunctions
MpScanStart
MpConfigIteratorClose
MpFreeMemory
MpConfigInitialize
MpConfigIteratorEnum
MpConfigOpen
MpConfigGetValueAlloc
MpConfigClose
MpConfigGetValue
MpConfigSetValue
MpConfigIteratorOpen
MpAllocMemory
MpConfigRegisterForNotifications
MpManagerOpen
MpHandleClose
MpUpdateStart
MpUpdateControl
MpConfigUnregisterNotifications
MpNotificationRegister
MpConveySampleSubmissionResult
MpUtilsExportFunctions
MpDebugExportFunctions
MpManagerStatusQueryEx
MpIsRtpAutoEnable
MpErrorMessageFormat
MpManagerVersionQuery
MpConfigUninitialize
MpConfigDelValue
MpAddDynamicSignatureFile
MpDynamicSignatureEnumerate
MpDynamicSignatureOpen

Exports

Exports

ServiceCrtMain
ValidateDrop

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 556KB - Virtual size: 553KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 44KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 72KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MsMpCom.dll
.dll regsvr32 windows:10 windows x64 arch:x64

867fb73fa3ad8ce36341e39631dc1cdd

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0b:b1:2b:34:4f:c2:e0:f6:12:7a:75:38:94:9c:67:54:9d:05:28:78:b9:c4:0e:1b:ee:03:b9:fe:85:65:33:32
Signer

Actual PE Digest

0b:b1:2b:34:4f:c2:e0:f6:12:7a:75:38:94:9c:67:54:9d:05:28:78:b9:c4:0e:1b:ee:03:b9:fe:85:65:33:32

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MsMpCom.pdb

Imports

msvcrt

_wcsicmp
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
_callnewh
malloc
wcschr
_purecall
free
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler4
_vsnprintf
??3@YAXPEAX@Z
memcmp

kernel32

Sleep
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetLastError
GetModuleFileNameW
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
DisableThreadLibraryCalls
InitializeCriticalSectionAndSpinCount
GetModuleHandleW
GetProcAddress
GetSystemDirectoryW
LoadLibraryExW
FreeLibrary
GetFileAttributesW
SetLastError

oleaut32

LoadTypeLi
SafeArrayGetDim
SafeArrayCreate
LoadRegTypeLi
SysStringLen
VariantInit
SysFreeString
VariantClear

advapi32

SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetFileSecurityW
GetSecurityDescriptorOwner
GetFileSecurityW
InitializeSecurityDescriptor
IsValidSid
TraceMessage
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle

ole32

CoUninitialize
CoInitializeEx
IIDFromString
CoCreateInstance

user32

UnregisterClassA

mpclient

MpUpdateControl
MpElevationHandleActivate
MpOfflineScanInstall
MpScanControl
MpManagerEnable
MpThreatEnumerate
MpConfigSetValue
MpQuarantineRequest
MpManagerOpen
MpHandleClose
MpFreeMemory
MpConfigUninitialize
MpConfigInitialize
MpConfigGetValue
MpThreatHistoryRequest
MpConfigDelValue
MpClientUtilExportFunctions
MpConfigGetValueAlloc
MpConfigClose
MpUtilsExportFunctions
MpThreatOpen
MpConfigOpen
MpElevationHandleOpen

rpcrt4

UuidFromStringW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 40KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 892B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/MsMpLics.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

24:3a:b2:fc:0f:53:fa:bb:e7:66:26:13:c5:28:d8:de:3b:0f:c9:44:1d:4e:48:f9:db:71:d3:08:fd:96:2f:42
Signer

Actual PE Digest

24:3a:b2:fc:0f:53:fa:bb:e7:66:26:13:c5:28:d8:de:3b:0f:c9:44:1d:4e:48:f9:db:71:d3:08:fd:96:2f:42

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/ProtectionManagement.dll
.dll regsvr32 windows:10 windows x64 arch:x64

014001c0f5045aa529e87c45f92fe834

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

22:17:f3:4b:82:e7:cb:81:f6:b5:af:9b:53:41:40:cc:53:fb:13:07:04:68:35:16:fd:d3:28:b1:ac:ff:05:16
Signer

Actual PE Digest

22:17:f3:4b:82:e7:cb:81:f6:b5:af:9b:53:41:40:cc:53:fb:13:07:04:68:35:16:fd:d3:28:b1:ac:ff:05:16

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

ProtectionManagement.pdb

Imports

kernel32

GetSystemDirectoryW
GetLastError
GetProcAddress
FreeLibrary
LoadLibraryExW
SizeofResource
LockResource
LoadResource
FindResourceExW
CloseHandle
GetTimeZoneInformation
GetSystemTime
WaitForSingleObject
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
InitializeCriticalSection
DeleteCriticalSection
RaiseException
EnterCriticalSection
LeaveCriticalSection
MultiByteToWideChar
WideCharToMultiByte
SetLastError
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetSystemInfo
VirtualProtect
VirtualQuery
GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LCMapStringW
GetLocaleInfoW
ExitProcess
GetModuleHandleW
GetModuleHandleExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetFileSizeEx
SetFilePointerEx
GetStringTypeW
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
GetModuleFileNameW
ReadFile
CreateFileW
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
DeleteFileW
SetFileAttributesW
RemoveDirectoryW
FindFirstFileW
FindNextFileW
FindClose
GetFileAttributesW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindFirstFileExW
FreeLibraryAndExitThread
ExitThread
GetFileAttributesExW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LoadLibraryExA
GetTickCount
WaitForSingleObjectEx
TryEnterCriticalSection
CompareFileTime
GetExitCodeProcess
CreateEventW
SetEvent
FileTimeToSystemTime
GlobalFindAtomW
GetDriveTypeW
GetVersionExW
GetLocalTime
SystemTimeToFileTime
GetNativeSystemInfo
ProcessIdToSessionId
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
WritePrivateProfileStringW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetExitCodeThread
ResetEvent
CreateThread
MoveFileW
GetLongPathNameW
GetFileSize
VerifyVersionInfoW
K32GetModuleFileNameExW
FreeResource
FindResourceW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
GetDiskFreeSpaceExW
GetWindowsDirectoryW
Sleep
LocalFree
IsWow64Process
ReleaseMutex
CreateMutexW
CreateProcessW
CopyFileW
GetTempFileNameW
GetTempPathW
CreateDirectoryW
SwitchToThread
FormatMessageW

mpclient

MpCleanStart
MpGetCallistoDetections
MpTriggerHeartbeatOnUninstall
MpOfflineScanInstall
MpUpdateStartEx
MpScanStartEx
MpCreateComInstance
MpGetTPStateInfo
MpGetRunningMode
MpConfigRegisterForNotifications
MpConfigUnregisterNotifications
MpAllocMemory
MpManagerVersionQuery
MpConfigIteratorEnum
MpConfigIteratorOpen
MpCleanOpen
MpConfigIteratorClose
MpThreatOpen
MpConfigGetValue
MpDetectionEnumerate
MpThreatRollup
MpThreatQuery
MpThreatEnumerate
MpManagerStatusQueryEx
MpNotificationRegister
MpManagerOpen
MpHandleClose
MpClientUtilExportFunctions
MpConfigOpen
MpConfigClose
MpConfigGetValueAlloc
MpConfigUninitialize
MpConfigInitialize
MpFreeMemory
MpElevationHandleAcquire
MpElevateCleanHandle
MpConfigSetValue
MpUtilsExportFunctions

wtsapi32

WTSQueryUserToken
WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSFreeMemory

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
GetProviderClassID
MI_Main

Sections

.text
Size: 408KB - Virtual size: 405KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 208KB - Virtual size: 206KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/RFQ-Al NASR-00388.exe
.exe windows:10 windows x64 arch:x64

f65431af005f2b765df7e8372bca5a9b

Code Sign

33:00:00:02:9e:05:ca:b1:2e:ac:93:cf:b6:00:00:00:00:02:9e
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

24-09-2020 19:16

Not After

23-09-2021 19:16

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

35:0b:4c:30:7b:4e:9c:0e:4f:a7:7e:26:3d:5f:95:d1:0a:78:8a:7a:0e:52:c0:71:2f:27:52:42:21:bb:39:f7
Signer

Actual PE Digest

35:0b:4c:30:7b:4e:9c:0e:4f:a7:7e:26:3d:5f:95:d1:0a:78:8a:7a:0e:52:c0:71:2f:27:52:42:21:bb:39:f7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

MpCopyAccelerator.pdb

Imports

kernel32

DebugBreak
WaitForSingleObject
SetErrorMode
CreateEventW
GetLastError
CloseHandle
LocalFree
CopyFileExW
CopyFile2
SetEvent
GetProcessHeap
HeapAlloc
GetSystemInfo
LoadLibraryExA
VirtualProtect
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LoadLibraryExW
QueryPerformanceFrequency
QueryPerformanceCounter
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
ResetEvent
WaitForSingleObjectEx
GetModuleHandleW
GetProcAddress
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentProcess
TerminateProcess
RaiseException
SetLastError
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
InitializeCriticalSectionEx
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
K32GetModuleFileNameExW
K32GetProcessImageFileNameW
Sleep
GetTickCount
FreeLibrary
GetFileInformationByHandle
SetFileInformationByHandle
GetDateFormatW
GetTimeFormatW
GetLocalTime
GetCommandLineW
MoveFileExW
CreateFileW
DeviceIoControl
GetModuleFileNameW
GetTempPathW
GetSystemDirectoryW
HeapSetInformation
VirtualQuery
GetFileSizeEx
WriteFile
GetFileAttributesW
OpenProcess
SetFilePointerEx

api-ms-win-crt-string-l1-1-0

strcpy_s
_wcsupr_s
_wcsicmp

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-runtime-l1-1-0

_set_app_type
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm_e
exit
_exit
_seh_filter_exe
__p___argc
__p___wargv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_invalid_parameter_noinfo_noreturn
_initterm
_crt_atexit
_initialize_onexit_table
_register_onexit_function
abort
terminate

ntdll

RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlCaptureContext

mpclient

MpAllocMemory
MpUtilsExportFunctions
MpConfigInitialize
MpFreeMemory
MpClientUtilExportFunctions

api-ms-win-crt-stdio-l1-1-0

__p__commode
__stdio_common_vswprintf
_set_fmode
__stdio_common_vsprintf

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_calloc_base
_free_base
free
malloc
_callnewh
_set_new_mode

Sections

.text
Size: 64KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 368B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/cors
RFQ-Al NASR-00388/endpointdlp.dll
.dll windows:10 windows x64 arch:x64

9c3fd1848ccdb144ff7cb14128b86363

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-12-2020 21:29

Not After

02-12-2021 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f8:5e:cf:6a:05:20:5e:4a:f3:43:8f:e0:5f:bd:08:91:7d:ef:bc:bd:fb:a7:d2:fd:bd:7d:17:fa:fd:d7:d2:ba
Signer

Actual PE Digest

f8:5e:cf:6a:05:20:5e:4a:f3:43:8f:e0:5f:bd:08:91:7d:ef:bc:bd:fb:a7:d2:fd:bd:7d:17:fa:fd:d7:d2:ba

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

endpointdlp.pdb

Imports

kernel32

FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
LoadLibraryExW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
MultiByteToWideChar
WideCharToMultiByte
SetFilePointerEx
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
GetModuleFileNameW
CloseHandle
FlsAlloc
OutputDebugStringW
HeapSize
HeapReAlloc
RaiseException
CreateFileW
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
InitializeSListHead
RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionEx
HeapFree
ExitProcess
GetStartupInfoW
GetModuleHandleExW
GetCurrentThreadId
GetFileType
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetLastError
FreeLibrary
FormatMessageW
GetModuleFileNameA
HeapAlloc
GetProcAddress
GetProcessHeap
GetModuleHandleW
DebugBreak
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObject
ReleaseSemaphore
OpenSemaphoreW
Sleep
GetTickCount
ReleaseSRWLockShared
AcquireSRWLockShared
CreateMutexExW
ReleaseMutex
CreateSemaphoreExW
WaitForSingleObjectEx
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
OpenProcess
K32GetModuleFileNameExW
GetProcessTimes
GetDriveTypeW
CreateEventExW
CreateThreadpoolWait
ExpandEnvironmentStringsW
FormatMessageA
LocalFree
InitOnceBeginInitialize
InitOnceComplete
DecodePointer
LCMapStringEx
FindClose
FindFirstFileExW
FindNextFileW
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEvent
ResetEvent
CreateEventW
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent

advapi32

CryptDestroyHash
CryptDestroyKey
CryptVerifySignatureW
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptReleaseContext
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegNotifyChangeKeyValue
RegCreateKeyExW
GetLengthSid
GetTokenInformation
OpenProcessToken
EventRegister
EventUnregister
EventWriteTransfer

ntdll

ZwQueryEaFile

crypt32

CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertAddCertificateContextToStore
CryptImportPublicKeyInfo
CertCreateCertificateContext
CertCloseStore
CertFreeCertificateContext
CryptStringToBinaryW
CertOpenStore
CertFreeCertificateChain

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shlwapi

PathIsNetworkPathW

user32

LoadStringW

Exports

Exports

AuditBrowserFileOperationEvent
AuditBrowserFileOperationEventEx
AuditBrowserOperationEvent
DlpAuditFileAccessEvent
DlpAuditOperationEnforcementEvent
DlpAuditOperationEnforcementEventEx
DlpDelegateEnforcement
DlpFreeArchiveFileTraceInfo
DlpGetArchiveFileTraceInfo
DlpGetFileApplicationAccess
DlpGetFileApplicationAccessEx
DlpGetFileApplicationAccessEx2
DlpGetFileCloudApplicationPolicy
DlpGetFileLocation
DlpGetNotificationSettings
DlpGetPolicyInfoFromRuleId
DlpGetPolicySettings
DlpGetQuarantineConfiguration
DlpInitialize
DlpInitializeFromCustomPolicy
DlpValidateCloudDomainsPolicyCmd
DlpValidateCloudPolicyCmd
DlpValidateCloudWebSitesPolicyCmd
GetBrowserExtensionConfiguration
ShouldCollectBrowsingActivities

Sections

.text
Size: 376KB - Virtual size: 372KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 136KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ-Al NASR-00388/msvcp150.dll
.dll windows:6 windows x64 arch:x64

45823c238836b2d3b2405effa1f9cf7f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

EcBVd~-Xftjuwo@sY3GH<KZHi>3g:-4|Bu)wBa+\=9g<O_%%ba5h'*8p~A_)XKP6S6|C(oXE8/*BY5/"'L

Imports

advapi32

RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegQueryValueExW
EventWrite
EventRegister
EventEnabled
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW

bcrypt

BCryptGenRandom

kernel32

TlsFree
TlsSetValue
ResumeThread
VirtualAllocEx
CreateProcessW
SetThreadContext
SetLastError
OpenProcess
GetLastError
TerminateProcess
CloseHandle
GetThreadContext
MultiByteToWideChar
GetStdHandle
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
GetSystemTime
GetTickCount64
GetCurrentProcessorNumber
GetCurrentProcess
GetCurrentThread
Sleep
InitializeCriticalSection
InitializeConditionVariable
DeleteCriticalSection
LocalFree
EnterCriticalSection
SleepConditionVariableCS
LeaveCriticalSection
WakeConditionVariable
WaitForMultipleObjectsEx
LocalAlloc
GetConsoleOutputCP
WideCharToMultiByte
GetProcAddress
RaiseFailFastException
ExpandEnvironmentStringsW
FreeLibrary
LoadLibraryExW
DuplicateHandle
GetThreadPriority
GetDynamicTimeZoneInformation
GetTimeZoneInformation
WriteFile
SetEvent
CreateEventExW
FormatMessageW
GetCurrentThreadId
FlushProcessWriteBuffers
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObjectEx
RtlVirtualUnwind
RtlCaptureContext
RtlRestoreContext
AddVectoredExceptionHandler
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
CreateThread
SetThreadPriority
SuspendThread
FlushInstructionCache
VirtualAlloc
VirtualProtect
VirtualFree
QueryInformationJobObject
GetModuleHandleW
GetModuleHandleExW
GetProcessAffinityMask
InitializeContext
GetEnabledXStateFeatures
SetXStateFeaturesMask
VirtualQuery
GetSystemTimeAsFileTime
InitializeCriticalSectionEx
GetEnvironmentVariableW
ResetEvent
DebugBreak
WaitForSingleObject
SleepEx
GlobalMemoryStatusEx
GetSystemInfo
GetTickCount
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
GetWriteWatch
ResetWriteWatch
VirtualAllocExNuma
IsProcessInJob
GetNumaHighestNodeNumber
GetProcessGroupAffinity
K32GetProcessMemoryInfo
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlLookupFunctionEntry
InitializeSListHead
GetCurrentProcessId
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive

ole32

CoGetApartmentType
CoUninitialize
CoInitializeEx
CoWaitForMultipleHandles
CoCreateGuid

api-ms-win-crt-heap-l1-1-0

malloc
free
calloc
_callnewh

api-ms-win-crt-math-l1-1-0

modf
pow
ceil

api-ms-win-crt-string-l1-1-0

strcpy_s
wcsncmp
strcmp
_wcsicmp

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
abort
terminate
_cexit
_configure_narrow_argv
_initterm
_initterm_e
_initialize_onexit_table
_seh_filter_dll
_execute_onexit_table

Exports

Exports

Annotate3065
Astound3261
Broadways6012
Crepe2737
Flashback7990
Graded7240
Guise1474
Heftiness9630
Kinswoman8001
Nemeses3610
Rarity0828
Speller3639
Tricolor9281

Sections

.text
Size: 414KB - Virtual size: 414KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.managed
Size: 874KB - Virtual size: 873KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 89KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 88KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

850250ba4c20d1bd815d8db26d10aae3

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

user32

advapi32

ole32

oleaut32

mpclient

wtsapi32

userenv

ntdll

shell32

version

shlwapi

crypt32

wintrust

Exports

Exports

Sections

.text Size: 124KB - Virtual size: 123KB

.rdata Size: 48KB - Virtual size: 44KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 8KB - Virtual size: 6KB

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 1KB

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cfSigner

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 4KB - Virtual size: 208B

.rsrc Size: 1.0MB - Virtual size: 1.0MB

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bfSigner

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 4KB - Virtual size: 208B

.rsrc Size: 188KB - Virtual size: 186KB

561966a83f8102842f701746ffa86d40

Code Sign

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ecCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

rpcrt4

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

cc:d5:22:7d:d5:37:86:64:31:4c:3a:2b:6b:a7:83:46:ce:ea:47:68:d1:e1:0c:7d:9f:e2:52:5b:66:3e:f9:41
Signer

.text
Size: 124KB - Virtual size: 123KB

.rdata
Size: 48KB - Virtual size: 44KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 8KB - Virtual size: 6KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 1KB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

26:2d:65:6d:12:18:c5:eb:5c:ab:c6:87:6f:d1:b2:13:ef:51:25:9e:2d:ca:39:20:13:87:43:22:a3:ea:bd:cf
Signer

.rdata
Size: 4KB - Virtual size: 208B

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

32:72:d8:bd:fa:63:4e:19:56:32:d8:b1:f5:79:db:ad:23:e1:7e:ee:7a:91:ee:a4:7a:57:13:07:b1:5a:f3:bf
Signer

.rdata
Size: 4KB - Virtual size: 208B

.rsrc
Size: 188KB - Virtual size: 186KB

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

b6:d0:1a:e0:71:9d:7e:9e:08:7c:2b:4c:54:7f:43:fb:96:5c:3c:10:99:f5:cd:27:c0:e5:70:3d:ca:10:f1:f3
Signer

.text
Size: 916KB - Virtual size: 915KB

.rdata
Size: 248KB - Virtual size: 244KB

.data
Size: 104KB - Virtual size: 110KB

.pdata
Size: 64KB - Virtual size: 60KB

.rsrc
Size: 4KB - Virtual size: 1008B

.reloc
Size: 12KB - Virtual size: 11KB

.text
Size: 418KB - Virtual size: 418KB

.managed
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 150KB - Virtual size: 211KB

.pdata
Size: 128KB - Virtual size: 128KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 71KB - Virtual size: 71KB

33:00:00:02:ec:65:79:ad:1e:67:08:90:13:00:00:00:00:02:ec
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

80:75:b6:53:e4:da:ce:56:17:72:f2:19:3d:ae:e5:25:29:9d:c4:d9:5f:97:93:3b:c5:3f:31:f9:a2:c7:3e:da
Signer