Duqu2[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Duqu2.zip
Size

420KB
MD5

e64d31ef596e86997ca0fffcfb3d1ce8
SHA1

c2e9602c99a735357374b4443ec987f09a132da1
SHA256

3618e9f152394fc85a56c674822180327c4f84c59b8e2d1e03b5b9e21467adb5
SHA512

b151366e89d2cfd0159ffeb3ff857da813672f8ea5c8f92932abcba2a9843719c40723e92f79901f58109794d68ec4dd8db7dd0da993544c1cbd6e100d04d8f4
SSDEEP

6144:PqOfcONbq6ghFA12jX+NoPwOgn4WkeTOI1oY+JCPxEGbH543kDL/JnMzv:iOf3lOFE2jX+NpF1cJYbZDBnMzv

Score

3^/10

Malware Config

Signatures

Unsigned PE 21 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Cores/52fe506928b0262f10de31e783af8540b6a0b232b15749d647847488acd0e17a
unpack001/Cores/81cdbe905392155a1ba8b687a02e65d611b60aac938e470a76ef518e8cffd74d
unpack001/IOC/2796a119171328e91648a73d95eb297edc220e8768f4bbba5fb7237122a988fc
unpack001/IOC/2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69
unpack001/IOC/2c9c3ddd4d93e687eb095444cef7668b21636b364bff55de953bdd1df40071da
unpack001/IOC/2ecb26021d21fcef3d8bba63de0c888499110a2b78e4caa6fa07a2b27d87f71b
unpack001/IOC/3536df7379660d931256b3cf49be810c0d931c3957c464d75e4cba78ba3b92e3
unpack001/IOC/5559fcc93eef38a1c22db66a3e0f9e9f026c99e741cc8b1a4980d166f2696188
unpack001/IOC/5ba187106567e8d036edd5ddb6763f89774c158d2a571e15d76572d8604c22a0
unpack001/IOC/6217cebf11a76c888cc6ae94f54597a877462ed70da49a88589a9197173cc072
unpack001/IOC/6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f
unpack001/IOC/6c803aac51038ce308ee085f2cd82a055aaa9ba24d08a19efb2c0fcfde936c34
unpack001/IOC/6de1bb58ae3c37876c6372208366f5548fcc647ffd19ad1d31cebd9069b8a559
unpack001/IOC/6e09e1a4f56ea736ff21ad5e188845615b57e1a5168f4bdaebe7ddc634912de9
unpack001/IOC/8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192
unpack001/IOC/9900c91f6d754f15f73729ce5a4333a718463e24aa7e6192c7527ec5c80dac42
unpack001/IOC/c16410c49dc40a371be22773f420b7dd3cfd4d8205cf39909ad9a6f26f55718e
unpack001/IOC/d12cd9490fd75e192ea053a05e869ed2f3f9748bf1563e6e496e7153fb4e6c98
unpack001/IOC/d5c57788cf12b020c4083eb228911260b744a2a67c88662c9bab8faebca98fa2
unpack001/IOC/d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3
unpack001/IOC/e83c6c36dbd143ee0fd36aff30fb43529a34129817dc2530f251121527cbf4b4

Files

Duqu2.zip
.zip

Password: infected
Cores/52fe506928b0262f10de31e783af8540b6a0b232b15749d647847488acd0e17a
.dll windows:5 windows x86 arch:x86

68de2e24b5c37e01d09b26eff2977480

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

msvcrt

memset
memcpy
??1type_info@@UAE@XZ
_unlock
__dllonexit
_lock
_onexit
_XcptFilter
_initterm
_amsg_exit
realloc
_purecall
memmove
malloc
_callnewh
_CxxThrowException
free
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@XZ
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
_beginthreadex
_stricmp
rand
_errno
__CxxFrameHandler
_except_handler3
memcmp

advapi32

DuplicateTokenEx

kernel32

LoadLibraryW
GetProcAddress
GetModuleHandleW
InterlockedIncrement
InterlockedDecrement
InterlockedExchange
GetModuleHandleA
RtlUnwind
InterlockedCompareExchange
LoadLibraryA
SetThreadPriority
OpenThread
LoadLibraryExA

ws2_32

gethostbyname
closesocket
socket
bind
recv
setsockopt
WSAEventSelect
htons
WSAEnumNetworkEvents
WSAGetLastError
inet_addr
WSAStartup
connect
WSACleanup
send

Sections

.text
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Cores/81cdbe905392155a1ba8b687a02e65d611b60aac938e470a76ef518e8cffd74d
.dll windows:5 windows x86 arch:x86

ff2ea1a60b222bdfbbdfd37397002e0d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

msvcrt

??1type_info@@UAE@XZ
_unlock
__dllonexit
_lock
_onexit
_XcptFilter
_initterm
_amsg_exit
memcpy
memset
realloc
_purecall
memmove
malloc
_callnewh
_CxxThrowException
free
??0exception@@QAE@ABV0@@Z
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
_beginthreadex
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@XZ
_errno
rand
_stricmp
__CxxFrameHandler
_except_handler3
memcmp

advapi32

DuplicateTokenEx

kernel32

GetProcAddress
GetModuleHandleW
InterlockedIncrement
InterlockedDecrement
InterlockedExchange
GetModuleHandleA
RtlUnwind
InterlockedCompareExchange
LoadLibraryA
SetThreadPriority
OpenThread
LoadLibraryW
LoadLibraryExA

ws2_32

send
gethostbyname
WSAStringToAddressW
closesocket
socket
bind
recv
WSACleanup
setsockopt
WSAEventSelect
WSAAccept
htons
WSAEnumNetworkEvents
WSAGetLastError
inet_addr
WSAStartup
WSAAddressToStringW
connect
listen

Sections

.text
Size: 197KB - Virtual size: 197KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Driver/bc4ae56434b45818f57724f4cd19354a13e5964fd097d1933a30e2e31c9bdfa5.bin
.sys windows:6 windows x64 arch:x64

a0f1f1e82f2963cae6e9527bc8482368

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

25/08/2012, 00:00

Not After

25/08/2015, 23:59

Subject

CN=HON HAI PRECISION INDUSTRY CO. LTD.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=PCEG,O=HON HAI PRECISION INDUSTRY CO. LTD.,L=TU-CHENG,ST=TAIWAN,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f8:45:7a:fb:d6:96:7f:fa:e7:1a:72:aa:44:bc:3c:3a:13:41:03:d8
Signer

Actual PE Digest

f8:45:7a:fb:d6:96:7f:fa:e7:1a:72:aa:44:bc:3c:3a:13:41:03:d8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeBugCheckEx
ExFreePoolWithTag
ExAllocatePool
KeQueryTimeIncrement
MmMapLockedPagesSpecifyCache
IofCompleteRequest
RtlInitUnicodeString
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc

ndis.sys

NdisFreePacketPool
NdisReEnumerateProtocolBindings
NdisIMNotifyPnPEvent
NdisDprAllocatePacket
NdisGetReceivedPacket
NdisDprFreePacket
NdisDeregisterProtocol
NdisIMDeInitializeDeviceInstance
NdisIMCancelInitializeDeviceInstance
NdisCloseConfiguration
NdisIMGetDeviceContext
NdisMSetAttributesEx
NdisSetEvent
NdisIMGetCurrentPacketStack
NdisAllocatePacket
NdisIMCopySendPerPacketInfo
NdisIMCopySendCompletePerPacketInfo
NdisFreePacket
NdisRequest
NdisMIndicateStatus
NdisMIndicateStatusComplete
NdisGetPoolFromPacket
NdisReturnPackets
NdisResetEvent
NdisCloseAdapter
NdisWaitEvent
NdisFreeMemory
NdisCancelSendPackets
NdisInitializeWrapper
NdisIMRegisterLayeredMiniport
NdisMRegisterUnloadHandler
NdisRegisterProtocol
NdisIMDeregisterLayeredMiniport
NdisIMAssociateMiniport
NdisTerminateWrapper
NdisMSleep
NdisMRegisterDevice
NdisMDeregisterDevice
NdisOpenProtocolConfiguration
NdisReadConfiguration
NdisAllocateMemoryWithTag
NdisInitializeEvent
NdisAllocatePacketPoolEx
NdisOpenAdapter
NdisIMInitializeDeviceInstanceEx

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/2796a119171328e91648a73d95eb297edc220e8768f4bbba5fb7237122a988fc
.dll windows:5 windows x86 arch:x86

3577846f316ab0bf133e8557a16a63d7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msi

ord32
ord8
ord159
ord49
ord120
ord26
ord160
ord74
ord114

kernel32

VirtualProtect
VirtualAlloc
VirtualFree

user32

wsprintfW

advapi32

RegQueryValueExW

Exports

Exports

StartAction

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 216B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69
.dll windows:5 windows x64 arch:x64

4808584eb791c213cbeeb0f229e124db

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msi

ord74
ord49
ord120
ord114
ord26
ord160
ord159
ord32
ord8

kernel32

CreateThread
GetCurrentThreadId
RtlFillMemory
RtlUnwindEx
CloseHandle
Sleep
WaitForSingleObject
SetLastError
GetLastError
VirtualAlloc
VirtualFree
TerminateThread

user32

wsprintfW

Exports

Exports

InitCA

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 108B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IOC/2c9c3ddd4d93e687eb095444cef7668b21636b364bff55de953bdd1df40071da
.dll windows:5 windows x86 arch:x86

25097b4bacbce35beb1ad24027b8b014

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
_initterm
_amsg_exit
_XcptFilter
_except_handler3

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

InterlockedExchange
RtlUnwind
WaitNamedPipeW
GetModuleHandleW
GetProcAddress
InterlockedCompareExchange
GetModuleHandleA
LoadLibraryA

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/2ecb26021d21fcef3d8bba63de0c888499110a2b78e4caa6fa07a2b27d87f71b
.dll windows:5 windows x86 arch:x86

25097b4bacbce35beb1ad24027b8b014

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
_initterm
_amsg_exit
_XcptFilter
_except_handler3

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

InterlockedExchange
RtlUnwind
WaitNamedPipeW
GetModuleHandleW
GetProcAddress
InterlockedCompareExchange
GetModuleHandleA
LoadLibraryA

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/3536df7379660d931256b3cf49be810c0d931c3957c464d75e4cba78ba3b92e3
.dll windows:5 windows x86 arch:x86

1ead214d4b853074c9076f676ddedae9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msi

ord74
ord103
ord26
ord32
ord118
ord8
ord159
ord49
ord125
ord160
ord120
ord17
ord34
ord114
ord165
ord145

kernel32

Sleep
RtlUnwind
CreateThread
CloseHandle
VirtualAlloc
GetLastError
HeapAlloc
TerminateThread
GetProcessHeap
VirtualFree
WaitForSingleObject
HeapFree

user32

wsprintfW

Exports

Exports

ProcessUserAccounts
RunDLL
UninstallUserAccounts

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 552B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/5559fcc93eef38a1c22db66a3e0f9e9f026c99e741cc8b1a4980d166f2696188
.dll windows:5 windows x64 arch:x64

648f2e0978686ef5cec5d47a5fb7fd2b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msi

ord120
ord74
ord26
ord160
ord159
ord114
ord49
ord32
ord8

kernel32

RtlUnwindEx
CloseHandle
WaitForSingleObject
SetLastError
TerminateThread
CreateThread
VirtualProtect
VirtualAlloc
VirtualFree

user32

wsprintfW

advapi32

RegQueryValueExW

Exports

Exports

StartAction

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IOC/5ba187106567e8d036edd5ddb6763f89774c158d2a571e15d76572d8604c22a0
.dll windows:5 windows x86 arch:x86

25097b4bacbce35beb1ad24027b8b014

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
_initterm
_amsg_exit
_XcptFilter
_except_handler3

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

InterlockedExchange
RtlUnwind
WaitNamedPipeW
GetModuleHandleW
GetProcAddress
InterlockedCompareExchange
GetModuleHandleA
LoadLibraryA

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/6217cebf11a76c888cc6ae94f54597a877462ed70da49a88589a9197173cc072
.dll windows:5 windows x64 arch:x64

806cbe55226f0cccfddbbe09fc1cc4a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

malloc
__C_specific_handler
_XcptFilter
_initterm
_amsg_exit
free

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
WaitNamedPipeW
LoadLibraryA
GetModuleHandleW
GetProcAddress
GetModuleHandleA

Sections

.text
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f
.dll windows:5 windows x86 arch:x86

7389da603f01fb559be22a6c5ef7799a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msi

ord32
ord8
ord159
ord49
ord26
ord74
ord160
ord120
ord114

kernel32

TerminateThread
CreateThread
CloseHandle
VirtualProtect
VirtualAlloc
SetLastError
RtlUnwind
WaitForSingleObject
VirtualFree

user32

wsprintfW

advapi32

RegQueryValueExW

Exports

Exports

StartAction

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/6c803aac51038ce308ee085f2cd82a055aaa9ba24d08a19efb2c0fcfde936c34
.dll windows:5 windows x86 arch:x86

1a575821d10026a47787a315b6a49b59

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
_XcptFilter
_initterm
_amsg_exit
_except_handler3

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

InterlockedExchange
RtlUnwind
GetModuleHandleW
GetProcAddress
InterlockedCompareExchange
GetModuleHandleA
LoadLibraryA

Sections

.text
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/6de1bb58ae3c37876c6372208366f5548fcc647ffd19ad1d31cebd9069b8a559
.dll windows:5 windows x64 arch:x64

806cbe55226f0cccfddbbe09fc1cc4a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

malloc
__C_specific_handler
_XcptFilter
_initterm
_amsg_exit
free

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
WaitNamedPipeW
LoadLibraryA
GetModuleHandleW
GetProcAddress
GetModuleHandleA

Sections

.text
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/6e09e1a4f56ea736ff21ad5e188845615b57e1a5168f4bdaebe7ddc634912de9
.dll windows:5 windows x86 arch:x86

25097b4bacbce35beb1ad24027b8b014

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
_initterm
_amsg_exit
_XcptFilter
_except_handler3

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

InterlockedExchange
RtlUnwind
WaitNamedPipeW
GetModuleHandleW
GetProcAddress
InterlockedCompareExchange
GetModuleHandleA
LoadLibraryA

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192
.dll windows:5 windows x64 arch:x64

412ce10c97ba68ac129b9ab95c89d28a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msi

ord159
ord49
ord120
ord114
ord26
ord160
ord32
ord74
ord8

kernel32

VirtualFree
VirtualProtect
VirtualAlloc

user32

wsprintfW

advapi32

RegQueryValueExW

Exports

Exports

StartAction

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IOC/9900c91f6d754f15f73729ce5a4333a718463e24aa7e6192c7527ec5c80dac42
.dll windows:5 windows x64 arch:x64

f2802f58a621424097071c7a62079656

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
__C_specific_handler
_XcptFilter
_initterm
_amsg_exit

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

RtlVirtualUnwind
GetModuleHandleW
LoadLibraryA
RtlLookupFunctionEntry
RtlCaptureContext
GetProcAddress
GetModuleHandleA

Sections

.text
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 116B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/c16410c49dc40a371be22773f420b7dd3cfd4d8205cf39909ad9a6f26f55718e
.dll windows:5 windows x86 arch:x86

25097b4bacbce35beb1ad24027b8b014

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
_initterm
_amsg_exit
_XcptFilter
_except_handler3

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

InterlockedExchange
RtlUnwind
WaitNamedPipeW
GetModuleHandleW
GetProcAddress
InterlockedCompareExchange
GetModuleHandleA
LoadLibraryA

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/d12cd9490fd75e192ea053a05e869ed2f3f9748bf1563e6e496e7153fb4e6c98
.dll windows:5 windows x86 arch:x86

25097b4bacbce35beb1ad24027b8b014

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

free
malloc
_initterm
_amsg_exit
_XcptFilter
_except_handler3

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

InterlockedExchange
RtlUnwind
WaitNamedPipeW
GetModuleHandleW
GetProcAddress
InterlockedCompareExchange
GetModuleHandleA
LoadLibraryA

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/d5c57788cf12b020c4083eb228911260b744a2a67c88662c9bab8faebca98fa2
.dll windows:5 windows x64 arch:x64

806cbe55226f0cccfddbbe09fc1cc4a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

malloc
__C_specific_handler
_XcptFilter
_initterm
_amsg_exit
free

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
WaitNamedPipeW
LoadLibraryA
GetModuleHandleW
GetProcAddress
GetModuleHandleA

Sections

.text
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IOC/d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3
.dll windows:5 windows x64 arch:x64

1ac550d994fca9904e6b358a2457c97d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msi

ord103
ord34
ord74
ord145
ord49
ord120
ord118
ord125
ord114
ord17
ord165
ord26
ord160
ord159
ord32
ord8

kernel32

GetLastError
RtlFillMemory
RtlUnwindEx
CloseHandle
Sleep
WaitForSingleObject
VirtualAlloc
TerminateThread
CreateThread
GetProcessHeap
HeapFree
HeapAlloc
VirtualFree

user32

wsprintfW

Exports

Exports

ProcessUserAccounts
RunDLL
UninstallUserAccounts

Sections

.text
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IOC/e83c6c36dbd143ee0fd36aff30fb43529a34129817dc2530f251121527cbf4b4
.dll windows:5 windows x64 arch:x64

806cbe55226f0cccfddbbe09fc1cc4a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

malloc
__C_specific_handler
_XcptFilter
_initterm
_amsg_exit
free

advapi32

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus

kernel32

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
WaitNamedPipeW
LoadLibraryA
GetModuleHandleW
GetProcAddress
GetModuleHandleA

Sections

.text
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

68de2e24b5c37e01d09b26eff2977480

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

advapi32

kernel32

ws2_32

Sections

.text Size: 180KB - Virtual size: 180KB

.rdata Size: 53KB - Virtual size: 52KB

.data Size: 6KB - Virtual size: 21KB

.reloc Size: 13KB - Virtual size: 12KB

ff2ea1a60b222bdfbbdfd37397002e0d

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

advapi32

kernel32

ws2_32

Sections

.text Size: 197KB - Virtual size: 197KB

.rdata Size: 55KB - Virtual size: 55KB

.data Size: 6KB - Virtual size: 22KB

.reloc Size: 13KB - Virtual size: 13KB

a0f1f1e82f2963cae6e9527bc8482368

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

f8:45:7a:fb:d6:96:7f:fa:e7:1a:72:aa:44:bc:3c:3a:13:41:03:d8Signer

Headers

File Characteristics

Imports

ntoskrnl.exe

ndis.sys

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 1024B - Virtual size: 896B

.data Size: 512B - Virtual size: 436B

.pdata Size: 512B - Virtual size: 372B

INIT Size: 3KB - Virtual size: 2KB

.rsrc Size: 1024B - Virtual size: 1008B

3577846f316ab0bf133e8557a16a63d7

Headers

DLL Characteristics

File Characteristics

Imports

msi

kernel32

user32

advapi32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 2KB - Virtual size: 1KB

.text
Size: 180KB - Virtual size: 180KB

.rdata
Size: 53KB - Virtual size: 52KB

.data
Size: 6KB - Virtual size: 21KB

.reloc
Size: 13KB - Virtual size: 12KB

.text
Size: 197KB - Virtual size: 197KB

.rdata
Size: 55KB - Virtual size: 55KB

.data
Size: 6KB - Virtual size: 22KB

.reloc
Size: 13KB - Virtual size: 13KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

f8:45:7a:fb:d6:96:7f:fa:e7:1a:72:aa:44:bc:3c:3a:13:41:03:d8
Signer

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 1024B - Virtual size: 896B

.data
Size: 512B - Virtual size: 436B

.pdata
Size: 512B - Virtual size: 372B

INIT
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 1008B

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: - Virtual size: 16B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 216B

.text
Size: 12KB - Virtual size: 12KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: - Virtual size: 24B

.pdata
Size: 512B - Virtual size: 108B

.rsrc
Size: 1024B - Virtual size: 944B

.text
Size: 10KB - Virtual size: 10KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 2KB - Virtual size: 3KB

.reloc
Size: 1024B - Virtual size: 928B

.text
Size: 10KB - Virtual size: 10KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 2KB - Virtual size: 3KB

.reloc
Size: 1024B - Virtual size: 928B

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 8KB

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 1024B - Virtual size: 552B