Setup[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Setup.zip
Size

1.5MB
MD5

e8fd1c4cb1228ef163d0a7325ccbe4a3
SHA1

4bdb7301ee2bb28df36d3fa497ca29af38e4eaed
SHA256

a263f94f483df521e2cd4fddc70288af6d97bbd6ac19f192f448e534476e88ab
SHA512

433252bab2c92af03cdbb986ade3e3ba7173d51b929af9f2970c606b89d690410818b2f6b9953a1831152001dfd51f16c7d9e2f1b08d2904050022a109d6b0e7
SSDEEP

24576:RKhYkZ2iFgYLu38XtOhXoRyMEVy7s288rXkBow3da+hYGBkNOLbieYe9pS53Q:RKSRO48XtOyZEow6k5NJBkNOLmxeA3Q

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/MpGear.dll
unpack001/Setup.exe

Files

Setup.zip
.zip
MpGear.dll
.dll windows:10 windows x64 arch:x64

86d0adb9b2e1f27df0110b9b7b25c534

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

MpGear.pdb

Imports

ntdll

RtlGetVersion
RtlCaptureContext
RtlPcToFileHeader
RtlNtStatusToDosError
RtlUnwindEx
RtlVirtualUnwind
RtlLookupFunctionEntry

kernel32

SetThreadpoolThreadMinimum
WaitForThreadpoolWorkCallbacks
WaitForMultipleObjects
SetFilePointerEx
WriteFile
SetEndOfFile
WideCharToMultiByte
MultiByteToWideChar
SystemTimeToFileTime
GlobalFree
GetComputerNameExW
GetModuleHandleExW
VirtualLock
ReadFile
GetFileSizeEx
CreateFileW
LoadLibraryW
CreateDirectoryW
FindFirstFileW
GetFullPathNameW
FindNextFileW
ExpandEnvironmentStringsW
RemoveDirectoryW
SetEnvironmentVariableW
GetEnvironmentVariableW
FindClose
WaitForSingleObject
GetFileAttributesW
GetSystemDirectoryW
SetFileAttributesW
SetThreadpoolThreadMaximum
SetEvent
DeleteFileW
ResetEvent
CreateProcessW
QueryPerformanceFrequency
GetSystemTime
SwitchToThread
ExitProcess
HeapFree
HeapAlloc
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
FindFirstFileExW
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetProcessHeap
GetStdHandle
GetFileType
GetTimeZoneInformation
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
GetConsoleCP
GetConsoleMode
ReadConsoleW
WriteConsoleW
WaitForSingleObjectEx
SubmitThreadpoolWork
CreateThreadpoolWork
TryEnterCriticalSection
GetFileAttributesExW
GetModuleFileNameW
GetExitCodeProcess
CopyFileW
Sleep
GetTickCount
CreateEventW
GetSystemPowerStatus
CloseHandle
lstrcmpiW
FileTimeToSystemTime
GetTempPathW
LoadLibraryExW
GetProcAddress
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
EncodePointer
SetLastError
GetLastError
RaiseException
InterlockedFlushSList
TerminateProcess
GetCurrentProcess
GetModuleHandleW
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
InitializeCriticalSection
GetCommandLineW
CreateThreadpool
CloseThreadpool
CloseThreadpoolWork
DecodePointer

advapi32

QueryServiceStatus
RegQueryValueExW
OpenSCManagerW
QueryServiceConfigW
OpenServiceW
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage
RegCloseKey
CloseServiceHandle
RegOpenKeyExW
RegCreateKeyExW
RegSetValueExW

crypt32

CertGetCertificateChain
CertFreeCertificateContext
CertVerifyCertificateChainPolicy
CertFreeCertificateChain

wintrust

WinVerifyTrust
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData

winhttp

WinHttpSetOption
WinHttpQueryHeaders
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpWriteData
WinHttpAddRequestHeaders
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpGetDefaultProxyConfiguration
WinHttpConnect
WinHttpCrackUrl
WinHttpCloseHandle
WinHttpSetStatusCallback
WinHttpSetTimeouts
WinHttpOpen
WinHttpQueryOption

ole32

CoCreateInstance
CoWaitForMultipleHandles
CoInitializeEx
CoCreateGuid
StringFromGUID2
CoUninitialize
IIDFromString
CoSetProxyBlanket

oleaut32

VariantInit
SysFreeString
SysAllocString
VariantClear
SysStringLen

shlwapi

PathIsURLW

Exports

Exports

MpGearCloseHandle
MpGearContainerAnalyze
MpGearContainerCloseObject
MpGearContainerCommit
MpGearContainerDelete
MpGearContainerFreeObjectInfo
MpGearContainerGetNext
MpGearContainerOpen
MpGearContainerOpenObject
MpGearContainerRead
MpGearContainerRecognize
MpGearContainerSetSize
MpGearContainerWrite
MpGearCreateManager
MpGearDuplicateHandle
MpGearDynamicConfigAddBinary
MpGearDynamicConfigAddBool
MpGearDynamicConfigAddDWORD
MpGearDynamicConfigAddQWORD
MpGearDynamicConfigAddString
MpGearDynamicConfigAddStringList
MpGearDynamicConfigClear
MpGearDynamicConfigSend
MpGearFreeData
MpGearGetManagerInfo
MpGearGetSigDataDWORD
MpGearGetSigUpdateConfig
MpGearGetVirusNames
MpGearInheritEngine
MpGearInitializeMpPLI
MpGearQuarantineDelete
MpGearQuarantineGetNext
MpGearQuarantineOpen
MpGearQuarantineOpenEnumerator
MpGearQuarantineQuery
MpGearQuarantineRecover
MpGearQuarantineRestore
MpGearRebootActions
MpGearRenderPLIData
MpGearScanControl
MpGearScanFull
MpGearScanGetNextActionResult
MpGearScanGetNextThreat
MpGearScanGetStatistics
MpGearScanOpen
MpGearScanOpenActionResultsEnumerator
MpGearScanOpenThreatEnumerator
MpGearScanPath
MpGearScanQuick
MpGearScanSetDefaultThreatActions
MpGearScanSetOption
MpGearScanSetOptionEx
MpGearScanSetThreatAction
MpGearScanStream
MpGearScanSubmitReport
MpGearScanSubmitReportData
MpGearScanTakeActions
MpGearSetEngine
MpGearSetEngineWithResourceSigs
MpGearSetSigUpdateConfig
MpGearSigUpdateCancel
MpGearSigUpdateRollback
MpGearSigUpdateStart
MpGearSubmitHeartbeatReport
MpGearSubmitHeartbeatReportData
MpGearSubmitReportData

Sections

.text
Size: 406KB - Virtual size: 406KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 148KB - Virtual size: 148KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Setup.exe
.exe windows:10 windows x64 arch:x64

87753813ec7633cd54f77b31c73d51b6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

SenseCE.pdb

Imports

msvcp_win

_Thrd_start
_Thrd_detach
_Mtx_init
_Cnd_init
_Cnd_wait
_Cnd_timedwait
_Cnd_broadcast
_Cnd_signal
_Cnd_destroy
_Mtx_destroy
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_init_in_situ
_Cnd_destroy_in_situ
_Mtx_current_owns
_Cnd_register_at_thread_exit
_Cnd_unregister_at_thread_exit
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?_Throw_future_error@std@@YAXAEBVerror_code@1@@Z
?__ExceptionPtrToBool@@YA_NPEBX@Z
?_Rethrow_future_exception@std@@YAXVexception_ptr@1@@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Cnd_do_broadcast_at_thread_exit
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
_Query_perf_frequency
_Query_perf_counter
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?id@?$collate@_W@std@@2V0locale@2@A
_Wcsxfrm
_Wcscoll
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?_Xbad_alloc@std@@YAXXZ
?__ExceptionPtrRethrow@@YAXPEBX@Z
?_XGetLastError@std@@YAXXZ
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?_Winerror_message@std@@YAKKPEADK@Z
?_Winerror_map@std@@YAHH@Z
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z
?_Syserror_map@std@@YAPEBDH@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAJ@Z
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
?_Xlength_error@std@@YAXPEBD@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?id@?$ctype@_W@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
_Xtime_get_ticks
?is@?$ctype@_W@std@@QEBA_NF_W@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_K@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAI@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Mtx_unlock
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
_Mtx_lock
?_Throw_C_error@std@@YAXH@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Xout_of_range@std@@YAXPEBD@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ
?pbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z
?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z
?_BADOFF@std@@3_JB
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ

api-ms-win-crt-runtime-l1-1-0

_initterm
_register_thread_local_exe_atexit_callback
_c_exit
_initterm_e

api-ms-win-crt-string-l1-1-0

strnlen
memset
wcsnlen

api-ms-win-crt-private-l1-1-0

_o__exit
_o__free_base
_o__free_locale
_o__get_initial_wide_environment
_o__i64toa_s
_o__i64tow_s
_o__initialize_onexit_table
_o__initialize_wide_environment
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__isctype_l
_o__malloc_base
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__ui64toa_s
_o__ui64tow_s
_o__wcsicmp
memmove
_o__wcsnicmp
_o__wcstod_l
_o__wmakepath_s
_o__wsplitpath_s
_o_exit
_o_free
_o_iswalnum
_o_iswspace
_o_log
_o_malloc
_o_realloc
_o_terminate
_o_toupper
__C_specific_handler
_CxxThrowException
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___pctype_func
_o___p__commode
_o___p___wargv
_o___p___argc
_o__crt_atexit
_o__create_locale
__std_terminate
__CxxFrameHandler3
_o__configure_wide_argv
strchr
_o__configthreadlocale
_o__errno
_o__cexit
_o__callnewh
memcmp
memcpy

mpgear

MpGearContainerOpenObject
MpGearContainerGetNext
MpGearCloseHandle
MpGearContainerCloseObject
MpGearContainerOpen
MpGearFreeData
MpGearSetEngine
MpGearGetManagerInfo
MpGearContainerAnalyze
MpGearContainerRead
MpGearCreateManager

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
LoadResource
GetModuleFileNameW
GetModuleFileNameA
GetModuleHandleExW
LockResource
GetModuleHandleW
GetProcAddress
FreeLibrary

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
ReleaseSemaphore
WaitForSingleObject
ReleaseMutex
DeleteCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
CreateMutexExW
LeaveCriticalSection
EnterCriticalSection
SetEvent
AcquireSRWLockShared
ReleaseSRWLockShared
CreateEventExW
CreateEventW
ResetEvent
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException

api-ms-win-core-processthreads-l1-1-0

OpenProcessToken
GetCurrentProcessId
TerminateProcess
GetProcessTimes
GetCurrentThreadId
GetCurrentProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize
Sleep

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringOrdinal
MultiByteToWideChar

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventProviderEnabled
EventWriteTransfer
EventUnregister

api-ms-win-core-processthreads-l1-1-2

SetProtectedPolicy

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetVersionExW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-core-com-l1-1-0

PropVariantClear
CoCreateInstance
CoIncrementMTAUsage
CoCreateGuid
CoTaskMemFree
CoWaitForMultipleHandles
CoCreateFreeThreadedMarshaler
CLSIDFromString

oleaut32

SafeArrayGetVartype
SafeArrayLock
VariantClear
SafeArrayGetUBound
SysStringLen
SysStringByteLen
SafeArrayGetLBound
SysAllocStringByteLen
SafeArrayCopy
SysAllocString
GetErrorInfo
SafeArrayDestroy
SysFreeString
VarBstrCmp
VariantInit
SafeArrayUnlock
SafeArrayCreate

rpcrt4

NdrServerCall2
RpcServerInqCallAttributesW
RpcServerListen
NdrServerCallAll
RpcServerRegisterIfEx
UuidHash
RpcServerUseProtseqEpW

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
MapViewOfFile

api-ms-win-core-sysinfo-l1-2-0

GetSystemTimePreciseAsFileTime
VerSetConditionMask
GetProductInfo

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer

api-ms-win-core-file-l1-1-0

SetFilePointerEx
SetEndOfFile
GetFileSizeEx
ReadFile
GetFileAttributesW
DeleteFileW
SetFileAttributesW
WriteFile
RemoveDirectoryW
CompareFileTime

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream

crypt32

CryptStringToBinaryW

api-ms-win-base-util-l1-1-0

IsTextUnicode

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegCreateKeyExW
RegGetValueW

api-ms-win-core-psapi-l1-1-0

K32GetProcessMemoryInfo

ole32

StgOpenStorageOnILockBytes

winipcfile

ord7

gdiplus

GdiplusStartup
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipImageSelectActiveFrame
GdipImageGetFrameCount
GdipGetImageDimension
GdipSaveAdd
GdipSaveImageToStream
GdipLoadImageFromStream
GdipDisposeImage
GdipAlloc
GdipFree
GdiplusShutdown
GdipCloneImage

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-io-l1-1-1

GetOverlappedResultEx
CancelIo

ntdll

NtDeleteKey

bcrypt

BCryptOpenAlgorithmProvider
BCryptDestroyHash
BCryptCloseAlgorithmProvider

api-ms-win-core-path-l1-1-0

PathCchCombine

userenv

GetAllUsersProfileDirectoryW

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsDeleteString
WindowsGetStringRawBuffer

api-ms-win-shcore-stream-winrt-l1-1-0

CreateRandomAccessStreamOverStream

urlmon

FindMimeFromData

api-ms-win-core-xstate-l2-1-0

GetEnabledXStateFeatures

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges

api-ms-win-core-winrt-error-l1-1-0

GetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoOriginateLanguageException

Sections

.text
Size: 345KB - Virtual size: 344KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 162KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
fnrbnth
qgw

Sharing

General

Malware Config

Signatures

Files

86d0adb9b2e1f27df0110b9b7b25c534

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

kernel32

advapi32

crypt32

wintrust

winhttp

ole32

oleaut32

shlwapi

Exports

Exports

Sections

.text Size: 406KB - Virtual size: 406KB

.rdata Size: 148KB - Virtual size: 148KB

.data Size: 11KB - Virtual size: 16KB

.pdata Size: 20KB - Virtual size: 20KB

.rsrc Size: 1024B - Virtual size: 960B

.reloc Size: 3KB - Virtual size: 3KB

87753813ec7633cd54f77b31c73d51b6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-private-l1-1-0

mpgear

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-com-l1-1-0

oleaut32

rpcrt4

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-file-l1-1-0

api-ms-win-shcore-stream-l1-1-0

crypt32

api-ms-win-base-util-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-psapi-l1-1-0

ole32

winipcfile

gdiplus

api-ms-win-core-heap-l2-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-io-l1-1-1

ntdll

bcrypt

.text
Size: 406KB - Virtual size: 406KB

.rdata
Size: 148KB - Virtual size: 148KB

.data
Size: 11KB - Virtual size: 16KB

.pdata
Size: 20KB - Virtual size: 20KB

.rsrc
Size: 1024B - Virtual size: 960B

.reloc
Size: 3KB - Virtual size: 3KB

.text
Size: 345KB - Virtual size: 344KB

.rdata
Size: 162KB - Virtual size: 162KB

.data
Size: 13KB - Virtual size: 18KB

.pdata
Size: 17KB - Virtual size: 16KB

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

.reloc
Size: 2KB - Virtual size: 2KB