Password is 1234[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Password is 1234.zip
Size

11.0MB
MD5

81f855da81e3e1e820cd146c74289dd1
SHA1

ab978ecafd557b2c2cc60bff096d897509bcc77a
SHA256

8e0a00a3a39c2fbc723eeee8b9c1bd4da471d491de6c10f88af327ecf166e910
SHA512

2cd0ae11bf310a9c70b81b39e0500ed46e7f168d19b8a37af1d311bdd3c2aab5c2f437529bee4c690fdff4c1ec5dd5da11177ffca3224aeef80a6c3aadf52d13
SSDEEP

196608:eGVQLFO3N49tH9a85CGciDuEQSw9kRb3K6lgwdyMKES1MYBoIqnff:eGVQL43N4N8Grw9uouyGS1qnff

Score

3^/10

pyinstaller

Malware Config

Signatures

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
static1/unpack001/Password is 1234/Ruin64.exe	pyinstaller

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Password is 1234/AuthBroker.dll
unpack001/Password is 1234/AuthBrokerUI.dll
unpack001/Password is 1234/AuthExt.dll
unpack001/Password is 1234/Ruin64.exe
unpack001/Password is 1234/auditpolmsg.dll

Files

Password is 1234.zip
.zip

Password: 1234
Password is 1234/AuthBroker.dll
.dll regsvr32 windows:10 windows x64 arch:x64

Password: 1234

c781bffe18dc2c0f690709b8509a8a44

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AuthBroker.pdb

Imports

msvcrt

_initterm
_XcptFilter
__C_specific_handler
malloc
memcmp
__CxxFrameHandler3
memcpy
_lock
_onexit
__dllonexit
_unlock
free
_vsnwprintf
memmove_s
_purecall
memcpy_s
_amsg_exit
_callnewh
memset

rpcrt4

CStdStubBuffer_Invoke
CStdStubBuffer_IsIIDSupported
IUnknown_QueryInterface_Proxy
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_Connect
IUnknown_Release_Proxy
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_AddRef
NdrOleFree
NdrCStdStubBuffer2_Release
NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
I_RpcBindingInqLocalClientPID
IUnknown_AddRef_Proxy
NdrOleAllocate
CStdStubBuffer_QueryInterface
NdrStubForwardingFunction
NdrStubCall3
CStdStubBuffer_CountRefs

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
GetProcAddress
GetModuleHandleW
GetModuleHandleExW
GetModuleFileNameA

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceComplete
InitOnceBeginInitialize
InitOnceExecuteOnce

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
InitializeCriticalSectionEx
EnterCriticalSection
WaitForSingleObject
WaitForMultipleObjectsEx
ReleaseSRWLockExclusive
CreateSemaphoreExW
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
CreateMutexW
ReleaseSRWLockShared
CreateEventExW
CreateEventW
ReleaseMutex
CreateMutexExW
AcquireSRWLockShared
DeleteCriticalSection
SetEvent
ReleaseSemaphore

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError

api-ms-win-core-winrt-string-l1-1-0

WindowsCompareStringOrdinal
WindowsCreateStringReference
WindowsGetStringLen
WindowsDuplicateString
WindowsCreateString
WindowsStringHasEmbeddedNull
WindowsIsStringEmpty
HSTRING_UserUnmarshal64
HSTRING_UserUnmarshal
HSTRING_UserMarshal64
WindowsDeleteString
HSTRING_UserFree
HSTRING_UserSize64
WindowsGetStringRawBuffer
HSTRING_UserFree64
HSTRING_UserSize
HSTRING_UserMarshal

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventUnregister
EventWriteTransfer
EventActivityIdControl

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids

api-ms-win-core-threadpool-l1-2-0

SubmitThreadpoolWork
CloseThreadpoolWork
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolWork
FreeLibraryWhenCallbackReturns

api-ms-win-core-processthreads-l1-1-0

OpenThreadToken
UpdateProcThreadAttribute
GetCurrentThread
CreateProcessW
TlsAlloc
GetCurrentThreadId
DeleteProcThreadAttributeList
GetProcessId
TlsFree
TlsGetValue
GetProcessIdOfThread
ResumeThread
InitializeProcThreadAttributeList
GetExitCodeProcess
OpenThread
GetCurrentProcessId
CreateThread
TlsSetValue
OpenProcessToken
SetThreadToken
GetCurrentProcess
TerminateProcess

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoTransformError
GetRestrictedErrorInfo
SetRestrictedErrorInfo
RoOriginateErrorW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient20
ObjectStublessClient18
CStdStubBuffer2_Connect
ObjectStublessClient14
NdrProxyForwardingFunction3
ObjectStublessClient19
NdrProxyForwardingFunction4
CStdStubBuffer2_QueryInterface
CStdStubBuffer2_Disconnect
CStdStubBuffer2_CountRefs
ObjectStublessClient17
ObjectStublessClient4
ObjectStublessClient15
ObjectStublessClient3
ObjectStublessClient6
ObjectStublessClient21
ObjectStublessClient5
ObjectStublessClient7
ObjectStublessClient16
NdrProxyForwardingFunction5
ObjectStublessClient11
ObjectStublessClient12
ObjectStublessClient10
ObjectStublessClient13
ObjectStublessClient9
ObjectStublessClient8

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-registry-l1-1-0

RegDeleteValueW
RegQueryInfoKeyW
RegCreateKeyExW
RegEnumKeyExW
RegGetValueW
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
FreeSid
AllocateAndInitializeSid
CopySid
GetSidSubAuthorityCount
GetLengthSid
GetTokenInformation

api-ms-win-security-base-l1-2-0

CheckTokenCapability

api-ms-win-core-heap-l2-1-0

LocalFree
LocalReAlloc
LocalAlloc

api-ms-win-core-file-l1-1-0

CreateFileW

authz

AuthzAccessCheck
AuthzFreeResourceManager
AuthzFreeContext
AuthzInitializeResourceManager
AuthzInitializeContextFromSid

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-security-appcontainer-l1-1-0

GetAppContainerNamedObjectPath

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-wow64-l1-1-0

Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
IsWow64Process

wkscli

NetGetJoinInformation

netutils

NetApiBufferFree

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize
RoGetActivationFactory
RoActivateInstance

winhttp

WinHttpCreateUrl
WinHttpCrackUrl

api-ms-win-core-winrt-error-l1-1-1

IsErrorPropagationEnabled
RoReportFailedDelegate
RoGetMatchingRestrictedErrorInfo

api-ms-win-core-url-l1-1-0

ParseURLW

api-ms-win-security-provider-l1-1-0

GetSecurityInfo

api-ms-win-core-marshal-l1-1-0

HWND_UserUnmarshal
HWND_UserMarshal64
HWND_UserUnmarshal64
HWND_UserSize64
HWND_UserMarshal
HWND_UserFree
HWND_UserSize
HWND_UserFree64

combase

ord140

ntdll

RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlEnterCriticalSection
RtlLeaveCriticalSection
WinSqmAddToStream
wcstoul
RtlIsStateSeparationEnabled
_wcsicmp
RtlAllocateAndInitializeSidEx
RtlDeriveCapabilitySidsFromName
RtlInitUnicodeString
RtlEqualSid
_wcsnicmp

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

AuthBrokerClearThreadClientContext
AuthBrokerCreateClientContext
AuthBrokerFreeClientContext
AuthBrokerSetThreadClientContext
DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject
DllInstall
DllRegisterServer
FindCallingThreadImmersiveWindow
PurgeAuthHostSsoCache

Sections

.text
Size: 144KB - Virtual size: 142KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 60KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 680B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Password is 1234/AuthBrokerUI.dll
.dll windows:10 windows x64 arch:x64

Password: 1234

c757d7bae8f7bee20d966b8a7cd9d5b1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AuthBrokerUI.pdb

Imports

msvcrt

_onexit
_initterm
__dllonexit
_vsnwprintf
_amsg_exit
memcpy_s
_unlock
_lock
malloc
__CxxFrameHandler3
__C_specific_handler
memset
_callnewh
_XcptFilter
free
_purecall
wcscmp

ntdll

RtlDeleteCriticalSection
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsCreateString

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventUnregister

api-ms-win-eventing-classicprovider-l1-1-0

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage

api-ms-win-core-synch-l1-1-0

ReleaseSemaphore
WaitForMultipleObjectsEx
OpenSemaphoreW
WaitForSingleObjectEx
ResetEvent
CreateMutexExW
SetEvent
CreateEventW
WaitForSingleObject
CreateSemaphoreExW
ReleaseMutex

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
RoOriginateError

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess

api-ms-win-core-errorhandling-l1-1-0

SetLastError
RaiseException
SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryValueExW
RegOpenKeyExW

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
GetModuleFileNameA
GetProcAddress
GetModuleHandleW
GetModuleHandleExW

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

shcore

ord244

authbroker

FindCallingThreadImmersiveWindow

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-localization-l1-2-0

SetThreadPreferredUILanguages
FormatMessageW

oleaut32

SysStringLen
SysFreeString

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

CreateWndMgmt
DirectUIInitProc
DirectUIInitThread
DirectUIUnInitProc
DirectUIUnInitThread
FreeWndMgmt
WabCreateWebRuntimeCoreControl
WabCreateWebRuntimeCoreVisualViewport
WabImmDisableLegacyIME

Sections

.text
Size: 92KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 592B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Password is 1234/AuthExt.dll
.dll windows:10 windows x64 arch:x64

Password: 1234

5afea613a7ec02034567a85493d48727

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AuthExt.pdb

Imports

msvcrt

memmove
_vsnwprintf
_onexit
__dllonexit
_unlock
_lock
__C_specific_handler
_initterm
malloc
_amsg_exit
_XcptFilter
free
_purecall
_callnewh
memcpy_s
__CxxFrameHandler3
memset

shell32

DuplicateIcon

shlwapi

ord278

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameA
DisableThreadLibraryCalls
LoadStringW
GetProcAddress

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
AcquireSRWLockShared
ReleaseSRWLockShared
OpenSemaphoreW
CreateMutexExW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WaitForSingleObjectEx
ReleaseMutex
ReleaseSemaphore
WaitForSingleObject

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcess
GetCurrentProcessId
TerminateProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoTaskMemRealloc
CoGetMalloc
CoCreateFreeThreadedMarshaler

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventUnregister
EventWriteTransfer

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize
Sleep
InitOnceExecuteOnce

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

ntdll

RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfStateChangeNotification

propsys

PSCreateMemoryPropertyStore

user32

RegisterDeviceNotificationW
DestroyWindow
SystemParametersInfoW
RegisterPowerSettingNotification
DestroyIcon
DefWindowProcA
DefWindowProcW
IsWindowUnicode
GetWindowLongPtrW
UnregisterDeviceNotification
UnregisterPowerSettingNotification
SetWindowLongPtrW
GetSysColor

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Password is 1234/Ruin64.exe
.exe windows:6 windows x64 arch:x64

Password: 1234

72c4e339b7af8ab1ed2eb3821c98713a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

CreateWindowExW
ShutdownBlockReasonCreate
MsgWaitForMultipleObjects
ShowWindow
DestroyWindow
RegisterClassW
DefWindowProcW
PeekMessageW
DispatchMessageW
TranslateMessage
PostMessageW
GetMessageW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW

comctl32

ord380

kernel32

GetACP
IsValidCodePage
GetStringTypeW
GetFileAttributesExW
SetEnvironmentVariableW
FlushFileBuffers
GetCurrentDirectoryW
LCMapStringW
CompareStringW
FlsFree
GetOEMCP
GetCPInfo
GetModuleHandleW
MulDiv
FormatMessageW
GetLastError
GetModuleFileNameW
LoadLibraryExW
SetDllDirectoryW
CreateSymbolicLinkW
GetProcAddress
GetEnvironmentStringsW
GetCommandLineW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
GetDriveTypeW
RemoveDirectoryW
GetTempPathW
CloseHandle
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObject
Sleep
GetCurrentProcess
TerminateProcess
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LocalFree
SetConsoleCtrlHandler
K32EnumProcessModules
K32GetModuleFileNameExW
CreateFileW
FindFirstFileExW
GetFinalPathNameByHandleW
MultiByteToWideChar
WideCharToMultiByte
FlsSetValue
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
HeapReAlloc
WriteConsoleW
SetEndOfFile
CreateDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ReadFile
GetFullPathNameW
SetStdHandle
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

gdi32

SelectObject
DeleteObject
CreateFontIndirectW

Sections

.text
Size: 168KB - Virtual size: 167KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 75KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Stub.pyc
Password is 1234/TUTORIAL.txt
Password is 1234/auditpolmsg.dll
.dll windows:10 windows x64 arch:x64

Password: 1234

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rdata
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 96KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 1234

Password: 1234

c781bffe18dc2c0f690709b8509a8a44

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

rpcrt4

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-com-midlproxystub-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l1-1-0

authz

api-ms-win-core-processthreads-l1-1-1

api-ms-win-security-appcontainer-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-wow64-l1-1-0

wkscli

netutils

api-ms-win-core-winrt-l1-1-0

winhttp

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-url-l1-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-marshal-l1-1-0

combase

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 144KB - Virtual size: 142KB

.rdata Size: 60KB - Virtual size: 58KB

.data Size: 4KB - Virtual size: 4KB

.pdata Size: 8KB - Virtual size: 7KB

.didat Size: 4KB - Virtual size: 680B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 2KB

Password: 1234

c757d7bae8f7bee20d966b8a7cd9d5b1

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-synch-l1-1-0

.text
Size: 144KB - Virtual size: 142KB

.rdata
Size: 60KB - Virtual size: 58KB

.data
Size: 4KB - Virtual size: 4KB

.pdata
Size: 8KB - Virtual size: 7KB

.didat
Size: 4KB - Virtual size: 680B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 2KB

.text
Size: 92KB - Virtual size: 88KB

.rdata
Size: 24KB - Virtual size: 22KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 8KB - Virtual size: 4KB

.didat
Size: 4KB - Virtual size: 592B

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 1KB

.text
Size: 36KB - Virtual size: 32KB

.rdata
Size: 16KB - Virtual size: 13KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 2KB

.didat
Size: 4KB - Virtual size: 136B

.rsrc
Size: 4KB - Virtual size: 2KB