Sysmon[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Sysmon.zip
Size

4.6MB
MD5

2fb72a5ac24cb5307c6d1e572f951cc9
SHA1

f753b2eb719251bed711f145d4653a1fd40e3562
SHA256

83f4945979d9edd5c05f918c7625bc2a33995a751dbf77257d9242fd2fbd5de8
SHA512

cf321a1fb66b0d056b9179ac1a01eee4e09cf0e85ec68016c315b10f2fff9a2f08ae492e3226b8c134cb714f5c5cc5320296cfcf6034bbade035720ef9541ea5
SSDEEP

98304:BNKo1dmJg6U297Rsd5o8DDPWaY/uXDSfzAgfpBj6wCb+1YiZyLnWpUzJZ:B0oLT6UYs/o8XWpLAgxBU+1YiZyLnWST

Score

1^/10

Malware Config

Signatures

Files

Sysmon.zip
.zip
Sysmon/Eula.txt
Sysmon/Sysmon.exe
.exe windows:6 windows x86 arch:x86

585f6f71377cdf184b4a45ba1f63fd55

Code Sign

33:00:00:04:51:99:0a:2a:60:f6:35:67:60:00:00:00:00:04:51
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/08/2023, 18:38

Not After

07/08/2024, 18:38

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:53:9c:ff:92:a5:ec:bb:73:29:28:a3:71:83:e7:52:1b:1b:60:3a:c8:a2:b0:20:5c:5b:e5:04:5f:cd:58:be
Signer

Actual PE Digest

7c:53:9c:ff:92:a5:ec:bb:73:29:28:a3:71:83:e7:52:1b:1b:60:3a:c8:a2:b0:20:5c:5b:e5:04:5f:cd:58:be

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\a\1\s\exe\Win32\Public_Release\Sysmon.pdb

Imports

tdh

TdhGetEventMapInformation
TdhGetEventInformation

userenv

ExpandEnvironmentStringsForUserW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

netapi32

NetApiBufferFree
NetServerEnum

ws2_32

getnameinfo
htons
gethostname
inet_ntoa
WSAStartup
gethostbyname
ntohs

mpr

WNetCancelConnection2W
WNetAddConnection2W

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken

ole32

CoCreateInstance
CoSetProxyBlanket
CoInitializeEx
StringFromGUID2
IIDFromString
CoUninitialize
CoInitializeSecurity

kernel32

Module32FirstW
K32EnumProcesses
SystemTimeToFileTime
GetSystemTime
SizeofResource
LockResource
LoadResource
FindResourceW
CreateDirectoryW
GetConsoleScreenBufferInfo
lstrlenW
RemoveDirectoryW
GetTempPathW
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
Process32NextW
SetEvent
DeleteFileW
Process32FirstW
GetSystemInfo
VerSetConditionMask
GetComputerNameW
CreateProcessW
VerifyVersionInfoW
GetSystemTimeAsFileTime
GetTickCount
ConnectNamedPipe
GetExitCodeProcess
ExpandEnvironmentStringsW
ProcessIdToSessionId
ExitProcess
GetCurrentProcessId
CopyFileW
ReadFile
SetConsoleCtrlHandler
GetFileSizeEx
CreateThreadpool
WaitForMultipleObjects
SetThreadPriority
SetThreadpoolThreadMinimum
CreateEventW
SetThreadpoolThreadMaximum
GetOverlappedResult
SubmitThreadpoolWork
SetUnhandledExceptionFilter
CreateThreadpoolWork
QueryDosDeviceW
ReleaseSRWLockExclusive
WriteFile
CreateToolhelp32Snapshot
GetWindowsDirectoryW
GetTempFileNameW
K32GetMappedFileNameW
QueryPerformanceFrequency
ResetEvent
QueryPerformanceCounter
CreateThread
FindFirstFileW
FindNextFileW
FindClose
LoadLibraryW
K32GetModuleBaseNameW
WideCharToMultiByte
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
TerminateProcess
SetFileAttributesW
GlobalSize
FreeConsole
GlobalLock
GlobalUnlock
GetEnabledXStateFeatures
InitializeCriticalSectionEx
GetConsoleMode
GetCommandLineA
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
FreeLibraryAndExitThread
InitializeSRWLock
ResumeThread
ExitThread
GetConsoleCP
GetModuleHandleExW
SetStdHandle
TlsFree
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
InterlockedPushEntrySList
RtlUnwind
RaiseException
OutputDebugStringW
GetCPInfo
CompareStringEx
LCMapStringEx
GetLocaleInfoEx
EncodePointer
GetStringTypeW
GetConsoleOutputCP
OpenProcess
DeviceIoControl
CloseThreadpoolWork
AcquireSRWLockShared
DecodePointer
ReleaseSRWLockShared
GetLogicalDriveStringsW
GetLastError
FormatMessageW
GetDateFormatW
FreeLibrary
GetTimeFormatW
FileTimeToSystemTime
MultiByteToWideChar
TlsGetValue
DeleteCriticalSection
CloseHandle
TlsAlloc
GetCurrentThread
Sleep
DuplicateHandle
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
CreateMutexW
InitializeCriticalSection
LeaveCriticalSection
GetCurrentProcess
EnterCriticalSection
TlsSetValue
GetModuleHandleW
LocalFree
GetProcAddress
LocalAlloc
GetStdHandle
GetCommandLineW
LoadLibraryExW
GetVersionExW
SetLastError
GetFileType
GetModuleFileNameW
HeapFree
HeapAlloc
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
SetConsoleMode
GetNumberOfConsoleInputEvents
ReadConsoleInputW
PeekConsoleInputA
AcquireSRWLockExclusive
InitializeSListHead
SetFilePointerEx
HeapReAlloc
SetCurrentDirectoryW
GetCurrentDirectoryW
HeapSize
FindFirstFileExW
IsValidCodePage
GetACP
GetStartupInfoW
IsDebuggerPresent
SleepConditionVariableSRW
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
GetTimeZoneInformation
WriteConsoleW
SetEndOfFile
WakeAllConditionVariable
IsProcessorFeaturePresent
GetFullPathNameW
ReadConsoleW
FormatMessageA
UnhandledExceptionFilter

user32

GetWindowThreadProcessId
GetMessageW
DefWindowProcW
SetClipboardViewer
GetClipboardOwner
CreateWindowExW
GetPriorityClipboardFormat
OpenClipboard
DispatchMessageW
ChangeClipboardChain
CloseClipboard
RegisterClassW
TranslateMessage
GetClipboardData
GetClipboardSequenceNumber
MessageBoxW
UnregisterClassW
InflateRect
EndDialog
SetWindowTextW
DialogBoxIndirectParamW
LoadCursorW
SetCursor
GetDlgItem
GetSysColorBrush
SendMessageW

gdi32

EndDoc
GetDeviceCaps
SetMapMode
StartDocW
EndPage
StartPage

comdlg32

PrintDlgW

advapi32

RevertToSelf
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
CryptAcquireContextW
GetAce
CryptGenRandom
IsWellKnownSid
GetSecurityDescriptorOwner
GetFileSecurityW
CreateProcessAsUserW
ConvertStringSecurityDescriptorToSecurityDescriptorW
DuplicateTokenEx
CryptReleaseContext
DeregisterEventSource
GetSidSubAuthorityCount
GetSidSubAuthority
CopySid
RegisterEventSourceW
RegNotifyChangeKeyValue
RegisterServiceCtrlHandlerExW
SetSecurityDescriptorDacl
RegDeleteKeyW
SetServiceStatus
ChangeServiceConfig2W
RegQueryValueExW
SetEntriesInAclW
RegCreateKeyExW
InitializeSecurityDescriptor
StartServiceCtrlDispatcherW
QueryServiceConfigW
RegDeleteValueW
QueryServiceConfig2W
LookupAccountSidW
LookupAccountNameW
LookupPrivilegeValueW
AdjustTokenPrivileges
RegCreateKeyW
CreateServiceW
QueryServiceStatus
EqualSid
CloseServiceHandle
OpenSCManagerW
AllocateAndInitializeSid
DeleteService
ControlService
ImpersonateLoggedOnUser
LogonUserW
OpenProcessToken
FreeSid
StartServiceW
RegConnectRegistryW
OpenServiceW
GetTokenInformation
GetLengthSid
GetSecurityDescriptorLength
ReportEventW
StartTraceW
ProcessTrace
CloseTrace
ControlTraceW
OpenTraceW
EnableTraceEx2
ConvertSidToStringSidW
RegGetValueW
RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegOpenKeyW

oleaut32

VariantInit
SafeArrayDestroy
SysAllocStringLen
SafeArrayGetElement
SysStringByteLen
VariantChangeType
VariantClear
CreateErrorInfo
SafeArrayGetLBound
SysFreeString
SysAllocString
SysStringLen
SafeArrayGetUBound
SafeArrayUnaccessData
SysAllocStringByteLen
GetErrorInfo
SetErrorInfo
SafeArrayAccessData

crypt32

CertGetNameStringW
CryptFindOIDInfo
CertDuplicateCertificateContext
CertGetCertificateChain

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer

rpcrt4

RpcStringFreeW
RpcServerRegisterIfEx
NdrClientCall2
NdrServerCall2
RpcServerUseProtseqEpW
RpcServerUnregisterIf
RpcBindingFromStringBindingW
I_RpcBindingInqLocalClientPID
RpcStringBindingComposeW

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 808KB - Virtual size: 807KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5.6MB - Virtual size: 5.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Sysmon/Sysmon64.exe
.exe windows:6 windows x64 arch:x64

a039666f8d08dd16e0909469da998438

Code Sign

33:00:00:04:50:0d:a4:5d:0a:6c:7a:8a:57:00:00:00:00:04:50
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/08/2023, 18:38

Not After

07/08/2024, 18:38

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94
Signer

Actual PE Digest

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\1\s\exe\x64\Public_Release\Sysmon64.pdb

Imports

tdh

TdhGetEventInformation
TdhGetEventMapInformation

userenv

ExpandEnvironmentStringsForUserW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

netapi32

NetApiBufferFree
NetServerEnum

ws2_32

ntohs
gethostbyname
WSAStartup
inet_ntoa
gethostname
htons
getnameinfo

mpr

WNetCancelConnection2W
WNetAddConnection2W

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory
WTSQueryUserToken
WTSEnumerateSessionsW

ole32

CoInitializeEx
CoUninitialize
IIDFromString
CoSetProxyBlanket
CoCreateInstance
StringFromGUID2
CoInitializeSecurity

kernel32

Module32FirstW
K32EnumProcesses
SystemTimeToFileTime
GetSystemTime
SizeofResource
LockResource
LoadResource
FindResourceW
CreateDirectoryW
GetConsoleScreenBufferInfo
lstrlenW
RemoveDirectoryW
GetTempPathW
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
Process32NextW
SetEvent
DeleteFileW
Process32FirstW
GetSystemInfo
VerSetConditionMask
GetComputerNameW
CreateProcessW
VerifyVersionInfoW
GetSystemTimeAsFileTime
GetTickCount
ConnectNamedPipe
GetExitCodeProcess
ExpandEnvironmentStringsW
ProcessIdToSessionId
ExitProcess
GetCurrentProcessId
CopyFileW
ReadFile
SetConsoleCtrlHandler
GetFileSizeEx
CreateThreadpool
WaitForMultipleObjects
SetThreadPriority
SetThreadpoolThreadMinimum
CreateEventW
SetThreadpoolThreadMaximum
GetOverlappedResult
SubmitThreadpoolWork
SetUnhandledExceptionFilter
CreateThreadpoolWork
QueryDosDeviceW
GetFullPathNameW
WriteFile
GetLogicalDriveStringsW
GetWindowsDirectoryW
GetTempFileNameW
K32GetMappedFileNameW
OpenProcess
ResetEvent
QueryPerformanceCounter
CreateThread
FindFirstFileW
FindNextFileW
FindClose
LoadLibraryW
K32GetModuleBaseNameW
WideCharToMultiByte
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
TerminateProcess
SetFileAttributesW
GlobalSize
FreeConsole
GlobalLock
GlobalUnlock
GetEnabledXStateFeatures
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
FreeLibraryAndExitThread
ResumeThread
ExitThread
GetConsoleCP
GetModuleHandleExW
SetStdHandle
TlsFree
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
InterlockedPushEntrySList
RtlPcToFileHeader
RtlUnwindEx
RaiseException
OutputDebugStringW
GetCPInfo
CompareStringEx
LCMapStringEx
GetLocaleInfoEx
EncodePointer
GetStringTypeW
FormatMessageA
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
DeviceIoControl
CloseThreadpoolWork
RtlUnwind
AcquireSRWLockShared
DecodePointer
ReleaseSRWLockShared
CreateToolhelp32Snapshot
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
InitializeSRWLock
GetLastError
FormatMessageW
GetDateFormatW
FreeLibrary
GetTimeFormatW
FileTimeToSystemTime
MultiByteToWideChar
TlsGetValue
DeleteCriticalSection
CloseHandle
TlsAlloc
GetCurrentThread
Sleep
DuplicateHandle
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
CreateMutexW
InitializeCriticalSection
LeaveCriticalSection
GetCurrentProcess
EnterCriticalSection
TlsSetValue
GetModuleHandleW
LocalFree
GetProcAddress
LocalAlloc
GetStdHandle
GetCommandLineW
LoadLibraryExW
GetVersionExW
SetLastError
GetFileType
GetModuleFileNameW
GetCommandLineA
GetConsoleMode
ReadConsoleW
GetConsoleOutputCP
HeapFree
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
SetConsoleMode
GetNumberOfConsoleInputEvents
ReadConsoleInputW
PeekConsoleInputA
SetFilePointerEx
HeapReAlloc
SetCurrentDirectoryW
GetCurrentDirectoryW
HeapSize
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SleepConditionVariableSRW
WakeAllConditionVariable
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetProcessHeap
GetTimeZoneInformation
WriteConsoleW
SetEndOfFile
QueryPerformanceFrequency

user32

ChangeClipboardChain
CloseClipboard
RegisterClassW
TranslateMessage
GetClipboardData
CreateWindowExW
MessageBoxW
UnregisterClassW
InflateRect
SendMessageW
OpenClipboard
SetWindowTextW
DialogBoxIndirectParamW
LoadCursorW
SetCursor
GetDlgItem
GetSysColorBrush
GetClipboardOwner
SetClipboardViewer
GetMessageW
GetWindowThreadProcessId
DispatchMessageW
EndDialog
GetPriorityClipboardFormat
GetClipboardSequenceNumber
DefWindowProcW

gdi32

StartPage
EndDoc
GetDeviceCaps
StartDocW
EndPage
SetMapMode

comdlg32

PrintDlgW

advapi32

LookupPrivilegeValueW
RegQueryValueExW
RegOpenKeyW
RegCreateKeyW
RegOpenKeyExW
RegCloseKey
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
CryptAcquireContextW
GetAce
CryptGenRandom
IsWellKnownSid
GetSecurityDescriptorOwner
GetFileSecurityW
CreateProcessAsUserW
ConvertStringSecurityDescriptorToSecurityDescriptorW
DuplicateTokenEx
CryptReleaseContext
DeregisterEventSource
GetSidSubAuthorityCount
GetSidSubAuthority
CopySid
RegisterEventSourceW
RegNotifyChangeKeyValue
RegisterServiceCtrlHandlerExW
SetSecurityDescriptorDacl
RegDeleteKeyW
SetServiceStatus
ChangeServiceConfig2W
SetEntriesInAclW
RegCreateKeyExW
InitializeSecurityDescriptor
StartServiceCtrlDispatcherW
QueryServiceConfigW
RegDeleteValueW
QueryServiceConfig2W
LookupAccountSidW
LookupAccountNameW
RegGetValueW
AdjustTokenPrivileges
RevertToSelf
CreateServiceW
QueryServiceStatus
EqualSid
CloseServiceHandle
OpenSCManagerW
AllocateAndInitializeSid
DeleteService
ControlService
ImpersonateLoggedOnUser
LogonUserW
OpenProcessToken
FreeSid
StartServiceW
RegConnectRegistryW
OpenServiceW
GetTokenInformation
GetLengthSid
GetSecurityDescriptorLength
ReportEventW
StartTraceW
ProcessTrace
CloseTrace
ControlTraceW
OpenTraceW
EnableTraceEx2
ConvertSidToStringSidW
RegSetValueExW

oleaut32

SafeArrayGetUBound
SysAllocStringByteLen
SafeArrayDestroy
VariantInit
SysStringByteLen
SafeArrayGetElement
GetErrorInfo
SetErrorInfo
SafeArrayGetLBound
SysAllocStringLen
CreateErrorInfo
VariantClear
VariantChangeType
SafeArrayAccessData
SafeArrayUnaccessData
SysStringLen
SysFreeString
SysAllocString

crypt32

CertDuplicateCertificateContext
CryptFindOIDInfo
CertGetNameStringW
CertGetCertificateChain

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer

rpcrt4

NdrServerCall2
NdrServerCallAll
NdrClientCall3
RpcServerRegisterIfEx
RpcStringFreeW
RpcServerUseProtseqEpW
I_RpcBindingInqLocalClientPID
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcServerUnregisterIf

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 965KB - Virtual size: 964KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 97KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Sysmon/Sysmon64a.exe

Sharing

General

Malware Config

Signatures

Files

585f6f71377cdf184b4a45ba1f63fd55

Code Sign

33:00:00:04:51:99:0a:2a:60:f6:35:67:60:00:00:00:00:04:51Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

7c:53:9c:ff:92:a5:ec:bb:73:29:28:a3:71:83:e7:52:1b:1b:60:3a:c8:a2:b0:20:5c:5b:e5:04:5f:cd:58:beSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

tdh

userenv

version

netapi32

ws2_32

mpr

wtsapi32

ole32

kernel32

user32

gdi32

comdlg32

advapi32

oleaut32

crypt32

secur32

rpcrt4

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 808KB - Virtual size: 807KB

.data Size: 15KB - Virtual size: 28KB

.rsrc Size: 5.6MB - Virtual size: 5.6MB

.reloc Size: 60KB - Virtual size: 59KB

a039666f8d08dd16e0909469da998438

Code Sign

33:00:00:04:50:0d:a4:5d:0a:6c:7a:8a:57:00:00:00:00:04:50Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

tdh

userenv

version

netapi32

ws2_32

mpr

wtsapi32

ole32

kernel32

user32

gdi32

comdlg32

advapi32

oleaut32

crypt32

secur32

rpcrt4

Sections

.text Size: 2.0MB - Virtual size: 2.0MB

.rdata Size: 965KB - Virtual size: 964KB

.data Size: 20KB - Virtual size: 38KB

.pdata Size: 97KB - Virtual size: 96KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 1.3MB - Virtual size: 1.3MB

.reloc Size: 6KB - Virtual size: 6KB

33:00:00:04:51:99:0a:2a:60:f6:35:67:60:00:00:00:00:04:51
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

7c:53:9c:ff:92:a5:ec:bb:73:29:28:a3:71:83:e7:52:1b:1b:60:3a:c8:a2:b0:20:5c:5b:e5:04:5f:cd:58:be
Signer

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 808KB - Virtual size: 807KB

.data
Size: 15KB - Virtual size: 28KB

.rsrc
Size: 5.6MB - Virtual size: 5.6MB

.reloc
Size: 60KB - Virtual size: 59KB

33:00:00:04:50:0d:a4:5d:0a:6c:7a:8a:57:00:00:00:00:04:50
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94
Signer

.text
Size: 2.0MB - Virtual size: 2.0MB

.rdata
Size: 965KB - Virtual size: 964KB

.data
Size: 20KB - Virtual size: 38KB

.pdata
Size: 97KB - Virtual size: 96KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

.reloc
Size: 6KB - Virtual size: 6KB