win32k.pdb
Static task: static1
Behavioral task: behavioral1
Sample: win32k.sys
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: win32k.sys
Resource: win10v2004-20240802-en
General
- Target: 4eb305bf1cb70a0ab5f4486d8f18f1f131b663046d0e71c34b19b876f55fbee3N
- Size: 929KB
- MD5: 2110d72f1092c88b67dabe969a1be240
- SHA1: c72eadf74ea00346cf867a2563fce47161fcbfb5
- SHA256: 4eb305bf1cb70a0ab5f4486d8f18f1f131b663046d0e71c34b19b876f55fbee3
- SHA512: b630b97eca37df93b2d359076dfdd8da23a8f75addfda8a162943277890f3d7d19dd9905f9cc242d9e994bb5a7a5ba76c468dce53cb6c6de91ae4dfb552d16b8
- SSDEEP: 24576:7rPQYaV7JBkXf8Z56yEj2TOX8KuU7Y0NwYZuh09:7rPWzkEX1ESaX8KuoY+MhM
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for missing Authenticode signature.
  resource: unpack001/win32k.sys
Files
- 4eb305bf1cb70a0ab5f4486d8f18f1f131b663046d0e71c34b19b876f55fbee3N.cab
- win32k.sys.sys (windows:5 windows x86 arch:x86), MD5: 2886e2d62cea78d33602414c594b0081
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
ntoskrnl.exe
PsSetProcessWin32Process
PsGetProcessWin32Process
ExEnterCriticalRegionAndAcquireFastMutexUnsafe
PsGetCurrentProcessId
ExFreePoolWithTag
PsGetThreadWin32Thread
KeTickCount
KeBugCheckEx
ObfDereferenceObject
PsSetThreadWin32Thread
ExReleaseFastMutexUnsafeAndLeaveCriticalRegion
ObfReferenceObject
strchr
strncpy
RtlRandom
MmIsVerifierEnabled
MmAddVerifierThunks
RtlFindMostSignificantBit
qsort
ExAllocatePoolWithQuotaTag
ExRaiseDatatypeMisalignment
PsGetCurrentProcess
_except_handler3
ProbeForWrite
SeReleaseSecurityDescriptor
RtlNtStatusToDosError
ExRaiseAccessViolation
SeCaptureSecurityDescriptor
RtlInitUnicodeString
swprintf
ObReferenceObjectByHandle
ExAllocatePoolWithTag
PsGetProcessSessionId
PsProcessType
PsGetCurrentProcessWin32Process
ExFreePool
ExRaiseStatus
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceAndLeaveCriticalRegion
ObCloseHandle
InterlockedExchange
RtlAreAnyAccessesGranted
memmove
PsGetJobUIRestrictionsClass
PsGetJobLock
PsJobType
RtlCopyUnicodeString
ZwClose
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
RtlAppendUnicodeToString
wcsrchr
ZwCreateFile
_wcsnicmp
ObQueryNameString
IoFileObjectType
wcsncpy
RtlIntegerToUnicode
RtlIntegerToUnicodeString
PsGetThreadId
PsGetThreadProcessId
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
SeTokenType
SeCreateClientSecurity
KeGetCurrentThread
wcslen
_wcsicmp
ObOpenObjectByPointer
ExDesktopObjectType
KeInitializeEvent
ExInitializeResourceLite
ZwCreateDirectoryObject
MmMapViewOfSection
ZwSetSystemInformation
ObDeleteCapturedInsertInfo
MmCreateSection
NlsMbCodePageTag
NlsAnsiCodePage
MmMapViewInSessionSpace
MmUnmapViewInSessionSpace
RtlAllocateHeap
PsGetThreadProcess
PsIsSystemThread
PsGetProcessJob
PsGetProcessWin32WindowStation
RtlUnicodeStringToInteger
wcschr
wcsstr
wcscpy
RtlCheckRegistryKey
ExWindowStationObjectType
MmGetSystemRoutineAddress
PsGetCurrentProcessSessionId
ExAllocatePoolWithTagPriority
RtlCompareUnicodeString
ZwQueryDefaultLocale
PsGetProcessPeb
PsGetProcessCreateTimeQuadPart
KeQuerySystemTime
InterlockedPopEntrySList
InterlockedPushEntrySList
KeClearEvent
ExDeletePagedLookasideList
RtlFreeHeap
ExIsResourceAcquiredExclusiveLite
PsLookupProcessByProcessId
PsGetThreadSessionId
PsLookupThreadByThreadId
ExInitializePagedLookasideList
KeWaitForMultipleObjects
KeWaitForSingleObject
_allmul
KeSetEvent
PsIsThreadTerminating
ExEventObjectType
ZwCreateEvent
ObReferenceObjectByPointer
RtlAnsiStringToUnicodeString
RtlInitAnsiString
PsGetProcessImageFileName
PsThreadType
SeQueryAuthenticationIdToken
PsReferencePrimaryToken
PsGetProcessInheritedFromUniqueProcessId
PsSetProcessWindowStation
RtlInitializeBitMap
PsGetProcessId
PsGetProcessExitStatus
PsGetProcessExitProcessCalled
ZwQueryInformationProcess
KeSetKernelStackSwapEnable
PsGetProcessSectionBaseAddress
ZwTerminateProcess
ExRaiseHardError
wcscat
RtlDestroyHeap
KeDelayExecutionThread
InterlockedDecrement
NtQueryInformationProcess
RtlDestroyAtomTable
ExDeleteResourceLite
KeCancelTimer
KeRemoveSystemServiceTable
ExInitializeRundownProtection
KeQueryInterruptTime
MmPageEntireDriver
PsEstablishWin32Callouts
KeAddSystemServiceTable
MmUserProbeAddress
ZwQueryDefaultUILanguage
ZwSetDefaultUILanguage
ZwSetDefaultLocale
ExIsResourceAcquiredSharedLite
ExEnterCriticalRegionAndAcquireResourceShared
RtlQueryRegistryValues
ZwPowerInformation
ZwDeviceIoControlFile
KeResetEvent
IoGetRelatedDeviceObject
KeInitializeTimerEx
PsGetCurrentThreadId
InterlockedCompareExchange
InitSafeBootMode
RtlAreAllAccessesGranted
SeDeleteAccessState
ObCheckObjectAccess
SeCreateAccessState
SeReleaseSubjectContext
SeUnlockSubjectContext
SePrivilegeObjectAuditAlarm
SePrivilegeCheck
SeLockSubjectContext
SeCaptureSubjectContext
RtlCopySid
RtlLengthSid
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlAddAce
RtlCreateAcl
RtlCreateSecurityDescriptor
SeExports
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
ZwQueryInformationToken
RtlEqualUnicodeString
ObSetHandleAttributes
ObCreateObject
KeUnstackDetachProcess
KeStackAttachProcess
RtlClearBits
RtlSetBits
ZwSetSecurityObject
RtlInitializeSid
RtlSubAuthoritySid
RtlLengthRequiredSid
RtlMapGenericMask
ObReleaseObjectSecurity
ObAssignSecurity
ObGetObjectSecurity
ObCheckCreateObjectAccess
MmUnmapViewOfSection
PsGetProcessSessionIdEx
PsGetThreadTeb
ObFindHandleForObject
KeDetachProcess
KeAttachProcess
ObOpenObjectByName
KePulseEvent
RtlAppendUnicodeStringToString
ZwOpenEvent
ZwSetInformationThread
ZwDuplicateObject
RtlPinAtomInAtomTable
RtlAddAtomToAtomTable
RtlCreateAtomTable
ExReleaseRundownProtection
LpcRequestWaitReplyPort
LpcRequestPort
SeDeassignSecurity
ObSetSecurityDescriptorInfo
SeAssignSecurity
ObInsertObject
ZwOpenDirectoryObject
ExAcquireRundownProtection
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
PsReferenceImpersonationToken
SeTokenIsRestricted
PsGetProcessDebugPort
ZwYieldExecution
RtlIntegerToChar
RtlUnicodeStringToAnsiString
PsSetProcessPriorityByClass
PsSetProcessPriorityClass
PsGetProcessPriorityClass
KeSetPriorityThread
RtlUnicodeToMultiByteN
SeImpersonateClientEx
MmAdjustWorkingSetSize
KeSetTimer
RtlFreeUnicodeString
RtlFormatCurrentUserKeyPath
ZwOpenKey
ZwQueryValueKey
ZwQueryKey
ZwEnumerateValueKey
ZwSetValueKey
RtlMultiByteToUnicodeN
ExGetSharedWaiterCount
ExGetExclusiveWaiterCount
IoQueryDeviceDescription
ExRundownCompleted
ExWaitForRundownProtectionRelease
PsCreateSystemThread
ZwQueryObject
ZwSetEvent
PoSetSystemState
PoRequestShutdownEvent
KeInitializeTimer
NlsOemCodePage
RtlLookupAtomInAtomTable
RtlDeleteAtomFromAtomTable
RtlQueryAtomInAtomTable
ZwReadFile
ZwQueryInformationFile
PsGetThreadFreezeCount
InterlockedIncrement
RtlUnicodeToMultiByteSize
RtlMultiByteToUnicodeSize
KeUserModeCallback
MmSystemRangeStart
ZwOpenFile
IofCallDriver
IoBuildSynchronousFsdRequest
IoBuildDeviceIoControlRequest
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
IoGetStackLimits
MmCommitSessionMappedView
RtlCreateHeap
IoUnregisterPlugPlayNotification
ZwCancelIoFile
wcsncmp
IoGetDeviceObjectPointer
IoRegisterPlugPlayNotification
IoWMIQuerySingleInstance
IoWMIHandleToInstanceName
IoWMIOpenBlock
ObReferenceObjectByName
IoDriverObjectType
IoCreateDriver
IoPnPDeliverServicePowerNotification
IoInvalidateDeviceRelations
KeIsAttachedProcess
PsGetCurrentThreadProcessId
RtlEmptyAtomTable
RtlZeroHeap
RtlFindMessage
_alldiv
_allshr
KeAcquireGuardedMutex
KeReleaseGuardedMutex
PsGetCurrentThreadTeb
vsprintf
DbgPrint
DbgBreakPoint
MmSecureVirtualMemory
KeRestoreFloatingPointState
KeSaveFloatingPointState
ZwQuerySystemInformation
ExSystemTimeToLocalTime
KeEnterCriticalRegion
KeLeaveCriticalRegion
KeInitializeGuardedMutex
RtlInsertElementGenericTableAvl
MmUnsecureVirtualMemory
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
KeInitializeDpc
ExIsProcessorFeaturePresent
RtlFillMemoryUlong
RtlTimeToTimeFields
MmGrowKernelStack
PsGetCurrentThreadStackBase
KeReadStateEvent
LdrAccessResource
LdrFindResource_U
RtlUnicodeToCustomCPN
RtlCustomCPToUnicodeN
RtlInitCodePageTable
RtlGetDefaultCodePage
ZwDeleteFile
LdrFindResourceDirectory_U
RtlEqualSid
SeQueryInformationToken
MmHighestUserAddress
PsRevertToSelf
RtlUnicodeToOemN
ZwCreateKey
strncmp
toupper
RtlWriteRegistryValue
ZwEnumerateKey
IoOpenDeviceRegistryKey
wcscmp
IoGetDeviceProperty
ZwDeleteKey
IoOpenDeviceInterfaceRegistryKey
IoGetDeviceInterfaces
RtlFreeAnsiString
RtlImageNtHeader
RtlImageDirectoryEntryToData
_strnicmp
IoSynchronousInvalidateDeviceRelations
IoCreateFile
MmSectionObjectType
ZwCreateSection
RtlPrefixString
ZwSetInformationFile
ZwQueryVolumeInformationFile
IoSetThreadHardErrorMode
_aulldiv
_alldvrm
RtlEnumerateGenericTableAvl
RtlCreateUnicodeString
ZwUnmapViewOfSection
PsGetCurrentThreadPreviousMode
RtlCompareMemory
PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion
RtlCreateRegistryKey
RtlGetNtGlobalFlags
MmQuerySystemSize
ZwMapViewOfSection
RtlInitializeGenericTableAvl
RtlAppendStringToString
PsTerminateSystemThread
RtlUpcaseUnicodeString
RtlExtendedLargeIntegerDivide
_aulldvrm
IoQueueThreadIrp
IoBuildAsynchronousFsdRequest
PsGetCurrentThreadWin32Thread
videoprt.sys
WdDdiWatchdogDpcCallback
watchdog.sys
WdResumeDeferredWatch
WdSuspendDeferredWatch
WdAllocateDeferredWatchdog
WdAttachContext
WdStartDeferredWatch
WdStopDeferredWatch
WdFreeDeferredWatchdog
WdExitMonitoredSection
WdEnterMonitoredSection
dxapi.sys
_DxApiGetVersion@0
hal
KeQueryPerformanceCounter
Exports
BRUSHOBJ_hGetColorTransform
BRUSHOBJ_pvAllocRbrush
BRUSHOBJ_pvGetRbrush
BRUSHOBJ_ulGetBrushColor
CLIPOBJ_bEnum
CLIPOBJ_cEnumStart
CLIPOBJ_ppoGetPath
EngAcquireSemaphore
EngAllocMem
EngAllocPrivateUserMem
EngAllocSectionMem
EngAllocUserMem
EngAlphaBlend
EngAssociateSurface
EngBitBlt
EngBugCheckEx
EngCheckAbort
EngClearEvent
EngComputeGlyphSet
EngControlSprites
EngCopyBits
EngCreateBitmap
EngCreateClip
EngCreateDeviceBitmap
EngCreateDeviceSurface
EngCreateDriverObj
EngCreateEvent
EngCreatePalette
EngCreatePath
EngCreateSemaphore
EngCreateWnd
EngDebugBreak
EngDebugPrint
EngDeleteClip
EngDeleteDriverObj
EngDeleteEvent
EngDeleteFile
EngDeletePalette
EngDeletePath
EngDeleteSafeSemaphore
EngDeleteSemaphore
EngDeleteSurface
EngDeleteWnd
EngDeviceIoControl
EngDitherColor
EngDxIoctl
EngEnumForms
EngEraseSurface
EngFileIoControl
EngFileWrite
EngFillPath
EngFindImageProcAddress
EngFindResource
EngFntCacheAlloc
EngFntCacheFault
EngFntCacheLookUp
EngFreeMem
EngFreeModule
EngFreePrivateUserMem
EngFreeSectionMem
EngFreeUserMem
EngGetCurrentCodePage
EngGetCurrentProcessId
EngGetCurrentThreadId
EngGetDriverName
EngGetFileChangeTime
EngGetFilePath
EngGetForm
EngGetLastError
EngGetPrinter
EngGetPrinterData
EngGetPrinterDataFileName
EngGetPrinterDriver
EngGetProcessHandle
EngGetTickCount
EngGetType1FontList
EngGradientFill
EngHangNotification
EngInitializeSafeSemaphore
EngIsSemaphoreOwned
EngIsSemaphoreOwnedByCurrentThread
EngLineTo
EngLoadImage
EngLoadModule
EngLoadModuleForWrite
EngLockDirectDrawSurface
EngLockDriverObj
EngLockSurface
EngLpkInstalled
EngMapEvent
EngMapFile
EngMapFontFile
EngMapFontFileFD
EngMapModule
EngMapSection
EngMarkBandingSurface
EngModifySurface
EngMovePointer
EngMulDiv
EngMultiByteToUnicodeN
EngMultiByteToWideChar
EngNineGrid
EngPaint
EngPlgBlt
EngProbeForRead
EngProbeForReadAndWrite
EngQueryDeviceAttribute
EngQueryLocalTime
EngQueryPalette
EngQueryPerformanceCounter
EngQueryPerformanceFrequency
EngQuerySystemAttribute
EngReadStateEvent
EngReleaseSemaphore
EngRestoreFloatingPointState
EngSaveFloatingPointState
EngSecureMem
EngSetEvent
EngSetLastError
EngSetPointerShape
EngSetPointerTag
EngSetPrinterData
EngSort
EngStretchBlt
EngStretchBltROP
EngStrokeAndFillPath
EngStrokePath
EngTextOut
EngTransparentBlt
EngUnicodeToMultiByteN
EngUnloadImage
EngUnlockDirectDrawSurface
EngUnlockDriverObj
EngUnlockSurface
EngUnmapEvent
EngUnmapFile
EngUnmapFontFile
EngUnmapFontFileFD
EngUnsecureMem
EngWaitForSingleObject
EngWideCharToMultiByte
EngWritePrinter
FLOATOBJ_Add
FLOATOBJ_AddFloat
FLOATOBJ_AddFloatObj
FLOATOBJ_AddLong
FLOATOBJ_Div
FLOATOBJ_DivFloat
FLOATOBJ_DivFloatObj
FLOATOBJ_DivLong
FLOATOBJ_Equal
FLOATOBJ_EqualLong
FLOATOBJ_GetFloat
FLOATOBJ_GetLong
FLOATOBJ_GreaterThan
FLOATOBJ_GreaterThanLong
FLOATOBJ_LessThan
FLOATOBJ_LessThanLong
FLOATOBJ_Mul
FLOATOBJ_MulFloat
FLOATOBJ_MulFloatObj
FLOATOBJ_MulLong
FLOATOBJ_Neg
FLOATOBJ_SetFloat
FLOATOBJ_SetLong
FLOATOBJ_Sub
FLOATOBJ_SubFloat
FLOATOBJ_SubFloatObj
FLOATOBJ_SubLong
FONTOBJ_cGetAllGlyphHandles
FONTOBJ_cGetGlyphs
FONTOBJ_pQueryGlyphAttrs
FONTOBJ_pfdg
FONTOBJ_pifi
FONTOBJ_pjOpenTypeTablePointer
FONTOBJ_pvTrueTypeFontFile
FONTOBJ_pwszFontFilePaths
FONTOBJ_pxoGetXform
FONTOBJ_vGetInfo
HT_ComputeRGBGammaTable
HT_Get8BPPFormatPalette
HT_Get8BPPMaskPalette
HeapVidMemAllocAligned
PALOBJ_cGetColors
PATHOBJ_bCloseFigure
PATHOBJ_bEnum
PATHOBJ_bEnumClipLines
PATHOBJ_bMoveTo
PATHOBJ_bPolyBezierTo
PATHOBJ_bPolyLineTo
PATHOBJ_vEnumStart
PATHOBJ_vEnumStartClipLines
PATHOBJ_vGetBounds
RtlAnsiCharToUnicodeChar
RtlMultiByteToUnicodeN
RtlRaiseException
RtlUnicodeToMultiByteN
RtlUnicodeToMultiByteSize
RtlUnwind
RtlUpcaseUnicodeChar
RtlUpcaseUnicodeToMultiByteN
STROBJ_bEnum
STROBJ_bEnumPositionsOnly
STROBJ_bGetAdvanceWidths
STROBJ_dwGetCodePage
STROBJ_fxBreakExtra
STROBJ_fxCharacterExtra
STROBJ_vEnumStart
VidMemFree
WNDOBJ_bEnum
WNDOBJ_cEnumStart
WNDOBJ_vSetConsumer
XFORMOBJ_bApplyXform
XFORMOBJ_iGetFloatObjXform
XFORMOBJ_iGetXform
XLATEOBJ_cGetPalette
XLATEOBJ_hGetColorTransform
XLATEOBJ_iXlate
XLATEOBJ_piVector
_abnormal_termination
_except_handler2
_global_unwind2
_itoa
_itow
_local_unwind2
Sections
.text Size: 1.6MB - Virtual size: 1.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 57KB - Virtual size: 56KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 44KB - Virtual size: 73KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.kbdfall Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.edata Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 22KB - Virtual size: 22KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 53KB - Virtual size: 52KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ