appFiile_x64x86[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

appFiile_x64x86.zip
Size

7.5MB
MD5

e08cf6d5eee2225e42c23d0fc43f099c
SHA1

fa0ea9929d3b27871a437fbfa1a534094bd09839
SHA256

58b0985b45d713c9a03c2ef9595270129a529d7568918bd86a7f05942941b317
SHA512

42ff2e3642a5336414a1d36fb971c25eae786c44b347b823d272b73b6ec76c0492eac4c3c2b8d7d3dcc45db4cd03a3f9560ae7319ae2f2bade526fac30519ec6
SSDEEP

196608:EVulvUX6PQFrV6xdKwGaq5xKYpBEajLTlPCrpCUUtwT+B7tk0eBU/DX:EzPvKdWLFEajLRagUUtM+VO09rX

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/AppFile.exe
unpack001/sqlite.dll

Files

appFiile_x64x86.zip
.zip
AppFile.exe
.exe windows:6 windows x86 arch:x86

70240fb2c9c5557c17ad2d1a1cdcbcf7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Sleep
LoadLibraryA
CloseHandle
CreateThread
WriteConsoleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
EncodePointer
RaiseException
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
DecodePointer

Sections

.text
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CbsCore.dll
.dll windows:10 windows x86 arch:x86

14ce52787537822b61d1a2b59fd5bf10

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03-02-2023 00:05

Not After

01-02-2024 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ea:73:a0:80:09:80:90:5f:a3:ff:b0:70:fa:63:3e:8e:f5:2d:db:e8:67:07:1b:32:8a:01:0f:3d:0a:69:a3:81
Signer

Actual PE Digest

ea:73:a0:80:09:80:90:5f:a3:ff:b0:70:fa:63:3e:8e:f5:2d:db:e8:67:07:1b:32:8a:01:0f:3d:0a:69:a3:81

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

cbscore.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e

api-ms-win-crt-private-l1-1-0

_o__itow_s
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o__set_errno
_o__stricmp
_o__strnicmp
_o__ui64tow_s
_o__wcsicmp
_o__wcsnicmp
_o__wtoi
_o__wtol
memmove
_o_free
_o_isdigit
_o_isspace
_o_malloc
_o_memcpy_s
_o_strncpy_s
_o_strtol
_o_toupper
_o_towlower
_o_wcscat_s
_o_wcsncpy_s
_o_wcstok_s
_o_wcstoul
_o_wmemcpy_s
wcsstr
wcsrchr
wcschr
_except_handler4_common
_o__invalid_parameter_noinfo
_o__initialize_onexit_table
_o__initialize_narrow_environment
_o__crt_atexit
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o__aligned_malloc
_o__aligned_free
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf
_o___stdio_common_vsscanf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_type_info_destroy_list
_o__execute_onexit_table
_o__errno
__CxxFrameHandler3
strrchr
strchr
strstr
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

strncmp
wcsnlen
wcsncmp
memset

api-ms-win-core-libraryloader-l1-1-0

LoadLibraryExW
GetModuleFileNameW
GetModuleHandleExW
GetProcAddress
LoadStringW
GetModuleFileNameA
LoadLibraryExA
FreeLibrary
GetModuleHandleW

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionEx
LeaveCriticalSection
ReleaseSemaphore
WaitForMultipleObjectsEx
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
CreateSemaphoreExW
TryEnterCriticalSection
InitializeCriticalSection
OpenEventW
ReleaseMutex
CreateEventW
ReleaseSRWLockExclusive
CreateMutexW
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
SetEvent
ResetEvent
AcquireSRWLockExclusive
WaitForSingleObjectEx
ReleaseSRWLockShared
OpenSemaphoreW

api-ms-win-core-string-l1-1-0

CompareStringOrdinal
CompareStringW
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapCreate
HeapFree
HeapDestroy
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
GetLastError
RaiseException
SetUnhandledExceptionFilter

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegSetKeySecurity
RegQueryInfoKeyW
RegDeleteValueW
RegUnLoadKeyW
RegCreateKeyExW
RegSaveKeyExW
RegRestoreKeyW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegFlushKey
RegLoadKeyW
RegOpenKeyExW
RegGetKeySecurity

api-ms-win-core-localization-obsolete-l1-2-0

CompareStringA
EnumUILanguagesW

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
ExpandEnvironmentStringsW

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-file-l1-1-0

SetFileInformationByHandle
CreateFileW
GetFileAttributesExW
FindClose
GetFileAttributesW
SetFileAttributesW
DeleteFileW
SetEndOfFile
SetFilePointer
GetVolumePathNameW
FindNextFileW
GetFileTime
GetFinalPathNameByHandleW
FindFirstFileW
GetFileSize
CompareFileTime
SetFileTime
FlushFileBuffers
GetFullPathNameW
GetFileSizeEx
GetDiskFreeSpaceExW
ReadFile
CreateDirectoryW
WriteFile
GetFileInformationByHandle

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TerminateProcess
SetThreadToken
GetCurrentThreadId
OpenThreadToken
GetThreadPriority
TlsSetValue
OpenProcessToken
GetCurrentThread
CreateProcessW
CreateThread
SetThreadPriority
GetExitCodeProcess
InitializeProcThreadAttributeList
ResumeThread
UpdateProcThreadAttribute
TlsAlloc
GetExitCodeThread
TlsGetValue
TlsFree
GetCurrentProcess
DeleteProcThreadAttributeList

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce

api-ms-win-core-localization-l1-2-0

GetThreadPreferredUILanguages
FormatMessageW
GetLocaleInfoEx

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemInfo
GetTickCount64
GetTickCount
GetSystemTime
GetWindowsDirectoryW
GetVersionExW
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringA
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-registry-l2-1-0

RegOpenKeyTransactedW
RegDeleteKeyW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW

api-ms-win-security-base-l1-1-0

GetKernelObjectSecurity
ImpersonateSelf
GetAclInformation
SetSecurityDescriptorDacl
GetAce
CreateRestrictedToken
DuplicateToken
InitializeSecurityDescriptor
GetTokenInformation
GetLengthSid
IsValidSid
CopySid
RevertToSelf
SetFileSecurityW
AdjustTokenPrivileges
DuplicateTokenEx
IsValidAcl
AddAccessAllowedAceEx
IsValidSecurityDescriptor
DestroyPrivateObjectSecurity
GetSecurityDescriptorLength
MakeSelfRelativeSD
GetSecurityDescriptorControl
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeAcl
CheckTokenMembership
FreeSid
AddAce
AllocateAndInitializeSid

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-security-sddl-l1-1-0

ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidW

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
GlobalFree
LocalFree
GlobalLock
GlobalAlloc
GlobalUnlock

api-ms-win-core-com-l1-1-0

CoGetCallContext
CoGetMalloc
CoImpersonateClient
CoRevertToSelf
CLSIDFromString
CoUnmarshalInterface
CoTaskMemAlloc
CreateStreamOnHGlobal
StringFromCLSID
CoCreateInstance
CoTaskMemFree
CoUninitialize
CoInitializeEx
StringFromGUID2
CoCreateGuid

api-ms-win-core-kernel32-legacy-l1-1-0

LoadLibraryW
CopyFileW
MoveFileW
RaiseFailFastException

api-ms-win-core-file-l2-1-0

CopyFileExW
MoveFileExW
GetFileInformationByHandleEx
CreateHardLinkW

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventRegister
EventUnregister
EventProviderEnabled
EventWriteTransfer

api-ms-win-core-version-l1-1-0

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-kernel32-private-l1-1-1

PrivCopyFileExW

api-ms-win-security-provider-l1-1-0

SetNamedSecurityInfoW
GetNamedSecurityInfoW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpA
lstrcmpW

api-ms-win-eventing-legacy-l1-1-0

FlushTraceW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime

api-ms-win-core-memory-l1-1-0

VirtualQueryEx
WriteProcessMemory
ReadProcessMemory
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile

api-ms-win-security-cryptoapi-l1-1-0

CryptReleaseContext
CryptAcquireContextA
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureStackBackTrace

api-ms-win-core-privateprofile-l1-1-0

GetPrivateProfileStringW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW

api-ms-win-core-file-l1-2-1

GetCompressedFileSizeW

ntdll

RtlGetCurrentTransaction
NtDeleteValueKey
RtlAddAce
NtQueryAttributesFile
NtFlushBuffersFile
NtDuplicateObject
NtFsControlFile
NtYieldExecution
NtOpenThreadToken
RtlCreateAcl
NtCreateKey
NtOpenKeyTransactedEx
NtQueryVolumeInformationFile
RtlCreateSecurityDescriptor
RtlDestroyEnvironment
NtQueryDirectoryFile
NtQuerySecurityObject
NtSetValueKey
RtlGetDaclSecurityDescriptor
RtlDeleteSecurityObject
RtlCopyUnicodeString
RtlDuplicateUnicodeString
RtlAppendUnicodeStringToString
RtlEqualUnicodeString
RtlLengthSecurityDescriptor
RtlGetControlSecurityDescriptor
RtlMakeSelfRelativeSD
RtlSetEnvironmentVariable
RtlCreateEnvironment
RtlpApplyLengthFunction
RtlEnterCriticalSection
RtlDestroyHeap
RtlLeaveCriticalSection
NtQuerySystemTime
RtlSetControlSecurityDescriptor
RtlAnsiCharToUnicodeChar
RtlUnicodeToMultiByteN
RtlIsTextUnicode
RtlUnicodeToMultiByteSize
RtlConvertSidToUnicodeString
RtlValidAcl
NtAdjustPrivilegesToken
RtlSetSaclSecurityDescriptor
RtlValidSid
NtDuplicateToken
RtlGetSaclSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlAllocateAndInitializeSid
RtlGetGroupSecurityDescriptor
RtlCopySid
RtlSetGroupSecurityDescriptor
RtlFindAceByType
NtQueryInformationToken
NtDelayExecution
RtlQueryEnvironmentVariable_U
RtlExpandEnvironmentStrings_U
NtQueryLicenseValue
RtlNtStatusToDosErrorNoTeb
RtlTimeToTimeFields
LdrGetDllHandle
DbgPrint
RtlCreateUnicodeStringFromAsciiz
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
NtQueryPerformanceCounter
RtlGetAce
NtOpenKeyEx
RtlSetDaclSecurityDescriptor
NtEnumerateValueKey
NtWriteFile
RtlGetLengthWithoutLastFullDosOrNtPathElement
NtEnumerateKey
RtlSetCurrentTransaction
RtlSetOwnerSecurityDescriptor
NtOpenProcessToken
NtDeleteKey
NtQueryKey
RtlReAllocateHeap
RtlUpcaseUnicodeChar
RtlDowncaseUnicodeChar
DbgPrintEx
RtlMultiByteToUnicodeN
RtlMultiByteToUnicodeSize
NtWaitForSingleObject
NtQueryEaFile
RtlReleaseRelativeName
NtSetEaFile
RtlDosPathNameToRelativeNtPathName_U_WithStatus
NtLoadKey2
NtOpenFile
NtReadFile
NtSetSecurityObject
NtDeleteFile
RtlNewSecurityObjectEx
NtCreateKeyTransacted
RtlAddAccessAllowedAceEx
NtSetInformationFile
RtlCreateEnvironmentEx
RtlQueryInformationAcl
NtClose
NtQueryInformationProcess
NtQueryOpenSubKeysEx
RtlInitUnicodeString
NtQueryObject
NtSetInformationThread
NtQueryInformationThread
NtCreateTransaction
NtRollbackTransaction
RtlInitUnicodeStringEx
NtQueryInformationTransaction
NtCommitTransaction
RtlDosPathNameToNtPathName_U
NtQueryInformationFile
RtlFreeHeap
NtCreateFile
RtlAllocateHeap
RtlLengthSid
NtOpenKey
NtQueryValueKey
LdrGetProcedureAddress
LdrUnloadDll
LdrLoadDll
RtlNtStatusToDosError
RtlDestroyProcessParameters
RtlCreateHeap
RtlCreateProcessParameters
RtlCreateUserProcess
NtResumeThread
RtlFreeSid
NtUnloadKey2
RtlDeleteCriticalSection
RtlTimeToSecondsSince1980
RtlRaiseStatus
RtlInitializeCriticalSection

userenv

GetProfilesDirectoryW

rpcrt4

UuidCreate

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

oleaut32

VariantInit
VariantClear
SysFreeString
SysAllocString

crypt32

CryptMsgUpdate
CertGetSubjectCertificateFromStore
CertVerifyCertificateChainPolicy
CertOpenStore
CertFreeCertificateChain
CryptHashCertificate2
CertCreateCTLContext
CryptDecodeObject
CertFreeCTLContext
CertCreateContext
CryptStringToBinaryW
CertAddStoreToCollection
CertAddEncodedCertificateToStore
CryptMsgClose
CertGetEnhancedKeyUsage
CertCloseStore
CertGetCertificateChain
CertFreeCertificateContext
CryptMsgGetAndVerifySigner
CertFindSubjectInCTL
CryptMsgOpenToDecode
CryptMsgGetParam

bcrypt

BCryptDestroyHash
BCryptHashData
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptFinishHash

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvCertFromChain
WinVerifyTrust
WTHelperGetProvSignerFromChain

Exports

Exports

CbsCoreEnsureNoStartupProcessing
CbsCoreFinalize
CbsCoreFinalizeShutdownProcessing
CbsCoreGetActiveOfflineSession
CbsCoreInitialize
CbsCoreInitializeDelayedPortion
CbsCoreIsExecutionEngineIdle
CbsCoreLoadComponentStore
CbsCorePrepareShutdownProcessing
CbsCoreServiceIdleProcessing
CbsCoreSetCustomLogging
CbsCoreSetState
CbsCoreShutdownProcessing
CbsCoreStartupProcessing
CbsCoreStopIdleProcessing
CbsCreateSessionNotify
CbsCreateSessionNotifyFinalize
CbsCreateSessionNotifyInitialize
CbsSetCbsCorePathInOfflineImage
SetRebootInProgressFlag
SetTestMode

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 95KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cmiaisupport.dll
.dll regsvr32 windows:10 windows x86 arch:x86

3951938e1c4daf37c2f3f24757b43fd5

Code Sign

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5f
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16-11-2023 19:20

Not After

14-11-2024 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

91:43:a5:21:c0:6e:04:7c:f6:99:f0:c9:0a:4b:be:0a:8a:fd:ea:42:9c:67:c9:67:c6:d5:ca:cf:c2:53:82:30
Signer

Actual PE Digest

91:43:a5:21:c0:6e:04:7c:f6:99:f0:c9:0a:4b:be:0a:8a:fd:ea:42:9c:67:c9:67:c6:d5:ca:cf:c2:53:82:30

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

cmiaisupport.pdb

Imports

msvcrt

toupper
iswctype
tolower
towupper
_vsnprintf
_wtoi
_itow_s
wcstoul
printf
wcsrchr
_itow
_purecall
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
_ltow
wcstol
wcschr
towlower
iswspace
wcsncmp
_wcsicmp
_vsnwprintf
??_V@YAXPAX@Z
??0exception@@QAE@ABQBD@Z
_callnewh
_CxxThrowException
?terminate@@YAXXZ
??0exception@@QAE@XZ
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABV0@@Z
wcscpy_s
realloc
??3@YAXPAX@Z
wcscat_s
__CxxFrameHandler3
??1type_info@@UAE@XZ
_isctype
wcsstr
memcpy
memcmp
memchr
_XcptFilter
_wcsupr
memmove
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
_initterm
malloc
free
_amsg_exit
_waccess
memset

api-ms-win-core-synch-l1-2-0

Sleep
SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
OpenThreadToken
CreateProcessW
GetCurrentThread
TerminateProcess
OpenProcessToken
GetExitCodeProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GlobalMemoryStatusEx
GetSystemInfo
GetLocalTime

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetErrorMode
SetLastError
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls
FindResourceExW
LoadResource
SizeofResource
GetProcAddress
FreeLibrary
GetModuleFileNameW
LoadLibraryExW
LockResource
GetModuleHandleW

api-ms-win-core-com-l1-1-0

CreateStreamOnHGlobal
CLSIDFromString
CoCreateGuid
StringFromGUID2
CoTaskMemAlloc
GetHGlobalFromStream
CoTaskMemFree
CoTaskMemRealloc
CoCreateInstance

api-ms-win-core-string-l2-1-0

CharPrevW
CharNextW

api-ms-win-core-registry-l1-1-0

RegSaveKeyExW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegUnLoadKeyW
RegCreateKeyExW
RegDeleteValueW
RegQueryInfoKeyW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW

api-ms-win-core-string-obsolete-l1-1-0

lstrcpyW
lstrcmpW
lstrcmpiW
lstrcpynW

api-ms-win-core-memory-l1-1-0

VirtualAlloc
VirtualQuery
CreateFileMappingW
FlushViewOfFile
UnmapViewOfFile
VirtualFree
MapViewOfFile
VirtualProtect
ReadProcessMemory

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringW

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
ReleaseSRWLockExclusive
InitializeCriticalSection
WaitForSingleObject
DeleteCriticalSection
AcquireSRWLockExclusive

api-ms-win-core-heap-l1-1-0

HeapDestroy
HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-debug-l1-1-0

DebugBreak

api-ms-win-core-file-l1-1-0

FindNextFileW
FindFirstFileW
GetFileAttributesExW
GetFileAttributesW
SetFileAttributesW
GetVolumePathNameW
CreateDirectoryW
RemoveDirectoryW
GetTempFileNameW
GetFullPathNameW
FindClose
GetFileSizeEx
SetEndOfFile
SetFilePointerEx
WriteFile
CreateFileW
SetFilePointer
ReadFile
GetVolumeInformationW
DeleteFileW

api-ms-win-core-kernel32-legacy-l1-1-0

FindResourceW
CopyFileW
LoadLibraryW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-localization-l1-2-0

FormatMessageW
LCMapStringW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree
GlobalUnlock
GlobalLock
LocalAlloc

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-security-provider-l1-1-0

GetNamedSecurityInfoW
SetNamedSecurityInfoW

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorControl
SetSecurityDescriptorControl
AdjustTokenPrivileges

api-ms-win-core-io-l1-1-0

DeviceIoControl

oleaut32

VariantTimeToSystemTime
SystemTimeToVariantTime
SafeArrayGetVartype
SafeArrayCreateVectorEx
SafeArrayDestroy
SafeArrayGetDim
VariantChangeType
VariantInit
SetErrorInfo
VariantCopy
VariantClear
SysAllocStringLen
LoadTypeLi
SysAllocString
SysFreeString
SysStringLen
RegisterTypeLi
VarUI4FromStr
SafeArrayGetLBound
SafeArrayGetElement
VariantCopyInd
SafeArrayPutElement
LoadRegTypeLi
DispCallFunc
SysStringByteLen
VarCmp
LoadTypeLibEx
SafeArrayGetUBound
UnRegisterTypeLi
GetErrorInfo
CreateErrorInfo

xmllite

CreateXmlReader
CreateXmlWriter
CreateXmlWriterOutputWithEncodingName

api-ms-win-core-kernel32-private-l1-1-1

PrivCopyFileExW

api-ms-win-core-file-l1-2-0

GetTempPathW

ntdll

LdrLoadDll
NtSetInformationFile
RtlDosPathNameToNtPathName_U
NtCreateFile
LdrUnloadDll
NtOpenProcess
RtlDosPathNameToRelativeNtPathName_U
NtOpenFile
NtQueryInformationFile
NtLoadKey2
NtQueryInformationProcess
RtlInitString
RtlUpcaseUnicodeChar
LdrGetDllHandle
LdrGetProcedureAddress
RtlNtStatusToDosError
RtlFreeHeap
NtClose
RtlCopyUnicodeString
RtlInitUnicodeString
RtlAllocateHeap
RtlAppendUnicodeStringToString

wcp

RtlCopyLUnicodeString
ConvertNtStatusToHResult
RtlReportErrorOrigination
?FsnpDowncaseChar@@YIKK@Z
RtlInitUnicodeStringFromLUnicodeString
RtlFreeLUnicodeString
RtlAllocateLUnicodeString
RtlHashLUnicodeString
RtlInitLUnicodeStringFromNullTerminatedString
RtlAppendLUnicodeStringToLUnicodeString

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sqlite.dll
.dll windows:6 windows x86 arch:x86

61521ae11d805d0f72f6dcdf2530b2b0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

InitializeCriticalSectionEx
CreateMutexA
lstrcatA
GetModuleHandleA
SetCurrentDirectoryA
Sleep
GetModuleHandleExA
GetFileAttributesA
GetBinaryTypeA
GlobalAlloc
lstrcpyA
FindClose
SetFileAttributesA
ExitProcess
VerSetConditionMask
WideCharToMultiByte
VerifyVersionInfoW
CreateProcessA
GetSystemTimeAsFileTime
HeapFree
lstrlenA
HeapAlloc
GetProcAddress
lstrcpynA
GetProcessHeap
WriteConsoleW
CloseHandle
CreateFileA
GetLastError
CreateFileW
WriteFile
CreateThread
ReadFile
HeapSize
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
InitializeSListHead
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
TerminateProcess
FormatMessageA
LocalFree
GetLocaleInfoEx
CreateDirectoryW
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
MultiByteToWideChar
QueryPerformanceFrequency
LCMapStringEx
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
GetCPInfo
GetStringTypeW
SetLastError
GetThreadTimes
GetCurrentThread
InterlockedPushEntrySList
InterlockedFlushSList
RaiseException
RtlUnwind
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
SetFilePointerEx
GetFileType
GetModuleHandleExW
GetModuleFileNameW
GetConsoleMode
ReadConsoleW
GetConsoleOutputCP
SetStdHandle
GetStdHandle
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetEndOfFile
GetFileSizeEx
DeleteFileW
FlushFileBuffers
HeapReAlloc
VirtualQuery

user32

GetCursorPos
CharNextA

advapi32

RegCloseKey
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
CryptReleaseContext

shell32

SHGetFolderPathA
ShellExecuteA

ole32

CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoUninitialize

oleaut32

VariantClear
SysAllocString
SysFreeString

Sections

.text
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 123KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmprU¡
Size: - Virtual size: 2.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmprU¡
Size: 1024B - Virtual size: 564B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmprU¡
Size: 5.0MB - Virtual size: 5.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 277KB - Virtual size: 277KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 888B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
updateagent.dll
.dll windows:10 windows x86 arch:x86

6b5fb648cf0444f16e130a5f46addc46

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03-02-2023 00:05

Not After

01-02-2024 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3d:b3:d7:24:29:15:09:83:78:cf:fb:c9:60:18:a3:40:a2:9d:be:21:3e:05:d0:ce:e4:dc:bf:3d:86:d5:a0:cf
Signer

Actual PE Digest

3d:b3:d7:24:29:15:09:83:78:cf:fb:c9:60:18:a3:40:a2:9d:be:21:3e:05:d0:ce:e4:dc:bf:3d:86:d5:a0:cf

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

UpdateAgent.pdb

Imports

ntdll

NtSetInformationFile
RtlReAllocateHeap
RtlUpcaseUnicodeChar
RtlDowncaseUnicodeChar
DbgPrintEx
RtlNtStatusToDosError
RtlDeleteSecurityObject
RtlAdjustPrivilege
NtSetInformationProcess
RtlSetEnvironmentVariable
RtlDuplicateUnicodeString
RtlLengthSid
NtQueryVolumeInformationFile
RtlValidAcl
NtAdjustPrivilegesToken
RtlSetSaclSecurityDescriptor
RtlInitUnicodeString
RtlQueryInformationAcl
NtSetInformationThread
NtQueryInformationThread
RtlGetOwnerSecurityDescriptor
RtlDosPathNameToNtPathName_U_WithStatus
RtlCompareUnicodeString
NtUnloadKey2
RtlInitUnicodeStringEx
NtShutdownSystem
RtlLengthSecurityDescriptor
RtlValidSid
NtDelayExecution
RtlAllocateAndInitializeSid
NtOpenProcessToken
RtlGetGroupSecurityDescriptor
RtlCopySid
NtOpenThreadToken
NtQueryLicenseValue
NtLoadKey2
NtQueryPerformanceCounter
NtFlushKey
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlDestroyEnvironment
RtlCreateEnvironmentEx
RtlExpandEnvironmentStrings_U
VerSetConditionMask
RtlGetDaclSecurityDescriptor
RtlGetControlSecurityDescriptor
RtlMakeSelfRelativeSD
NtDuplicateToken
RtlGetVersion
RtlSetDaclSecurityDescriptor
RtlGetSaclSecurityDescriptor
RtlCreateUnicodeStringFromAsciiz
RtlCreateSecurityDescriptor
NtYieldExecution
NtQueryKey
NtDeleteKey
RtlSetCurrentTransaction
NtEnumerateKey
RtlGetLengthWithoutLastFullDosOrNtPathElement
NtEnumerateValueKey
NtOpenKeyEx
RtlGetAce
RtlpApplyLengthFunction
RtlAddAccessAllowedAceEx
NtReadFile
NtCreateKeyTransacted
RtlNewSecurityObjectEx
NtDeleteFile
RtlCaptureStackBackTrace
NtSetSecurityObject
RtlGetCurrentTransaction
NtDeleteValueKey
RtlAddAce
NtQueryAttributesFile
NtFlushBuffersFile
NtDuplicateObject
NtFsControlFile
NtQueryInformationFile
RtlCreateAcl
NtCreateKey
NtOpenKeyTransactedEx
NtQueryDirectoryFile
NtQuerySecurityObject
NtSetValueKey
NtOpenFile
RtlDosPathNameToRelativeNtPathName_U_WithStatus
NtSetEaFile
RtlReleaseRelativeName
NtQueryEaFile
NtWaitForSingleObject
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlEqualUnicodeString
RtlCreateEnvironment
NtQuerySystemTime
RtlSetControlSecurityDescriptor
RtlAnsiCharToUnicodeChar
RtlUnicodeToMultiByteN
RtlIsTextUnicode
RtlUnicodeToMultiByteSize
RtlConvertSidToUnicodeString
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlExpandEnvironmentStrings
NtQueryInformationToken
NtQueryValueKey
DbgPrint
NtCreateFile
RtlFreeHeap
NtClose
RtlQueryEnvironmentVariable_U
LdrLoadDll
RtlDosPathNameToNtPathName_U
LdrUnloadDll
LdrGetDllHandle
NtOpenKey
NtWriteFile
LdrGetProcedureAddress
NtQueryObject
RtlLeaveCriticalSection
RtlInitializeCriticalSection
RtlEnterCriticalSection
RtlTimeToTimeFields
RtlDeleteCriticalSection
RtlNtStatusToDosErrorNoTeb
RtlRaiseStatus
RtlCreateHeap
RtlAllocateHeap
RtlDestroyHeap
RtlUnwind
RtlFindAceByType

advapi32

CreatePrivateObjectSecurityWithMultipleInheritance
MakeSelfRelativeSD
DestroyPrivateObjectSecurity
IsValidSecurityDescriptor
GetSecurityDescriptorLength
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptReleaseContext
GetTokenInformation
ConvertStringSidToSidW
CheckTokenMembership
RegQueryValueExW
AddAccessAllowedAceEx
IsValidAcl
AdjustTokenPrivileges
IsValidSid
OpenThreadToken
AddAccessAllowedAce
InitiateSystemShutdownExW
RegDeleteKeyW
GetLengthSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegDeleteValueW
RegEnumValueW
EventUnregister
RegEnumKeyExW
RegOpenKeyExW
InitializeAcl
EqualSid
EventProviderEnabled
InitializeSecurityDescriptor
FreeSid
OpenProcessToken
SetSecurityInfo
RegSetValueExW
RegSetKeySecurity
GetSecurityDescriptorControl
EventWriteString
EnableTraceEx2
ControlTraceW
CopySid
SetSecurityDescriptorDacl
RegCreateKeyExW
RegCloseKey
EventWriteTransfer
EventRegister
AllocateAndInitializeSid

kernel32

CopyFileW
SetEvent
DebugBreak
GetSystemWindowsDirectoryW
OutputDebugStringW
MoveFileW
IsWow64Process
LoadLibraryExW
IsDebuggerPresent
SetUnhandledExceptionFilter
GetExitCodeProcess
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
LCMapStringW
GetLocaleInfoW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
ExitProcess
HeapSize
HeapReAlloc
RaiseException
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
VirtualQuery
GetModuleFileNameW
InterlockedFlushSList
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
CompareStringOrdinal
LocalAlloc
FreeLibrary
GetModuleHandleW
CreateProcessW
ReleaseSRWLockExclusive
CloseThreadpoolTimer
GetProcessHeap
WideCharToMultiByte
GetCurrentProcessId
DeleteCriticalSection
AcquireSRWLockShared
LocalFree
CreateMutexExW
GetProcAddress
GetDiskFreeSpaceExW
HeapAlloc
GetCurrentThread
VerifyVersionInfoW
GetLastError
GetTickCount64
ResetEvent
RaiseFailFastException
FormatMessageW
Sleep
MultiByteToWideChar
GlobalMemoryStatusEx
CreateEventW
CreateThreadpoolTimer
GetVolumeNameForVolumeMountPointW
OpenProcess
GetVolumePathNamesForVolumeNameW
GetSystemDirectoryW
ReleaseMutex
GetVersionExW
GetSystemInfo
ReleaseSRWLockShared
TryEnterCriticalSection
lstrcmpW
GetErrorMode
DecodePointer
WriteConsoleW
ReadConsoleW
GetConsoleMode
GetConsoleOutputCP
SetStdHandle
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
FindFirstFileExW
LoadLibraryExA
VirtualProtect
SetFilePointerEx
GetPriorityClass
GetTimeZoneInformation
GetExitCodeThread
GetFileAttributesW
WaitForMultipleObjects
SetPriorityClass
GlobalUnlock
GlobalMemoryStatus
GetFileType
CreateProcessA
GlobalLock
HeapDestroy
HeapCompact
GetOverlappedResult
GetVersionExA
GlobalSize
GetPrivateProfileStringW
GetLogicalDriveStringsW
HeapValidate
DuplicateHandle
HeapWalk
GetComputerNameExW
SetEndOfFile
SetErrorMode
SetFileTime
VirtualAlloc
GetShortPathNameW
VirtualFree
HeapCreate
GetLogicalDrives
GetVolumeInformationW
CreateFileW
WaitForSingleObject
FindClose
WaitForThreadpoolTimerCallbacks
InitializeCriticalSectionEx
OpenEventW
CreateMutexW
GetEnvironmentVariableW
GetCommandLineW
CopyFileExW
GetFileInformationByHandle
GetDiskFreeSpaceW
RemoveDirectoryW
WaitForMultipleObjectsEx
SetThreadpoolTimer
LeaveCriticalSection
CreateFileMappingA
InitializeCriticalSectionAndSpinCount
DeleteFileA
CreateFileA
GetVersion
OutputDebugStringA
SystemTimeToTzSpecificLocalTime
GetSystemTime
CreateMutexA
GetProcessId
LoadLibraryW
GetWindowsDirectoryW
MoveFileExW
GetFullPathNameW
CloseHandle
OpenSemaphoreW
ExpandEnvironmentStringsW
GetModuleHandleExW
ReleaseSemaphore
GetCurrentProcess
GetFileInformationByHandleEx
DeviceIoControl
SetFileAttributesW
SetThreadPriority
SetFilePointer
SetFileInformationByHandle
GetThreadPriority
GlobalAlloc
GlobalFree
FlushFileBuffers
FindNextFileW
DeleteFileW
EnterCriticalSection
SetLastError
HeapFree
CreateSemaphoreExW
CompareStringW
GetFileSizeEx
FindFirstFileW
GetModuleFileNameA
ReadFile
CreateDirectoryW
WaitForSingleObjectEx
GetCurrentThreadId
FileTimeToSystemTime
GetTickCount
InitializeSRWLock
InitOnceExecuteOnce
AcquireSRWLockExclusive
GetDriveTypeW
LCIDToLocaleName
WriteFile
ResolveLocaleName
CreateThread
InitializeCriticalSection
GetTempPathW
UnmapViewOfFile
GetLocalTime
GetFileSize
GetTempFileNameW
CreateFileMappingW
MapViewOfFile
GetCurrentDirectoryW
GetLongPathNameW
GetFinalPathNameByHandleW

ole32

CoTaskMemAlloc
CoUninitialize
StringFromGUID2
CoCreateInstance
CoTaskMemFree
CoSetProxyBlanket
CoCreateGuid
CoInitializeEx
CoGetMalloc

user32

CharNextW
UnregisterClassA

oleaut32

SysAllocString
SystemTimeToVariantTime
SysFreeString
VariantTimeToSystemTime

crypt32

CryptHashCertificate2
CertVerifyCertificateChainPolicy

wintrust

WTHelperGetProvCertFromChain
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust

rpcrt4

UuidCreate
I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW

shlwapi

PathMatchSpecW

wer

WerReportCloseHandle
WerReportAddFile
WerReportSetParameter
WerReportSetUIOption
WerReportSubmit
WerReportCreate

version

GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW

cfgmgr32

CM_Get_Device_Interface_List_SizeW
CM_Get_Device_Interface_ListW
CM_Get_Device_Interface_PropertyW

Exports

Exports

CreateDeploymentSession
CreateDeploymentSessionEx
CreateOfflineDeploymentSession
UA_CommitActionList
UA_CreateActionList
UA_CreateDownloadList
UA_CreateDownloadListFromActionList
UA_CreatePackageListFromDownloadList
UA_InstallActionList
UA_ReleaseDownloadList

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 25KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

70240fb2c9c5557c17ad2d1a1cdcbcf7

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 49KB - Virtual size: 49KB

.rdata Size: 24KB - Virtual size: 23KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 98KB - Virtual size: 98KB

.reloc Size: 4KB - Virtual size: 3KB

14ce52787537822b61d1a2b59fd5bf10

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

ea:73:a0:80:09:80:90:5f:a3:ff:b0:70:fa:63:3e:8e:f5:2d:db:e8:67:07:1b:32:8a:01:0f:3d:0a:69:a3:81Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-libraryloader-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-kernel32-private-l1-1-1

api-ms-win-security-provider-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-eventing-legacy-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-security-cryptoapi-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-privateprofile-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-file-l1-2-1

ntdll

userenv

rpcrt4

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-delayload-l1-1-0

oleaut32

.text
Size: 49KB - Virtual size: 49KB

.rdata
Size: 24KB - Virtual size: 23KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 98KB - Virtual size: 98KB

.reloc
Size: 4KB - Virtual size: 3KB

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

ea:73:a0:80:09:80:90:5f:a3:ff:b0:70:fa:63:3e:8e:f5:2d:db:e8:67:07:1b:32:8a:01:0f:3d:0a:69:a3:81
Signer

.text
Size: 2.0MB - Virtual size: 2.0MB

PAGE
Size: 7KB - Virtual size: 7KB

.data
Size: 5KB - Virtual size: 13KB

.idata
Size: 17KB - Virtual size: 17KB

.didat
Size: 512B - Virtual size: 8B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 95KB - Virtual size: 95KB

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5f
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

91:43:a5:21:c0:6e:04:7c:f6:99:f0:c9:0a:4b:be:0a:8a:fd:ea:42:9c:67:c9:67:c6:d5:ca:cf:c2:53:82:30
Signer

.text
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 8KB - Virtual size: 10KB

.idata
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 17KB - Virtual size: 17KB

.reloc
Size: 100KB - Virtual size: 99KB