Static task
static1
Behavioral task
behavioral1
Sample
BugSplat64.dll
Resource
win10v2004-20250211-uk
Behavioral task
behavioral2
Sample
PO202501B.exe
Resource
win10v2004-20250207-uk
General
-
Target
PO202501B.zip
-
Size
2.6MB
-
MD5
35b0df25976ae1b2ed2eb64ce4967e09
-
SHA1
24c06b8a23e0189f57b0df8af06c25374a10c51b
-
SHA256
58d95f19639cc6d5acb02511b4c9a8fe04ca63d63844b68036dbc0eea4edd453
-
SHA512
8e4acedcbaebf88e1dd004b4d89f33b9faefe0aec0c09ffe011a0d436ccfa498d8b8d69a5a4cfd1ded5a7a5e7c647d513f05300a05922c74bdaad42e55ea920f
-
SSDEEP
49152:N01cBpjDsibTtExdGCot6tkm5xBQ/UhXJOhafW5+KhcZxWIu8JIltW1+:NjXjwijCot6tkmq/8JOhafYhSxdu8u
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/BugSplat64.dll
Files
-
PO202501B.zip.zip
-
BugSplat64.dll.dll windows:6 windows x64 arch:x64
ed8ae2fe0d20ba00cdff176086a9b77d
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
advapi32
AdjustTokenPrivileges
DeregisterEventSource
GetTokenInformation
LookupPrivilegeValueW
OpenProcessToken
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegisterEventSourceW
ReportEventW
bcrypt
BCryptDestroyHash
BCryptDecrypt
BCryptCreateHash
BCryptCloseAlgorithmProvider
BCryptEncrypt
BCryptFinishHash
BCryptGenRandom
BCryptGetProperty
BCryptHashData
BCryptImportKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptDestroyKey
kernel32
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedFlushSList
RtlUnwindEx
InitializeSListHead
IsProcessorFeaturePresent
CancelThreadpoolIo
CloseHandle
CloseThreadpoolIo
CloseThreadpoolWait
CloseThreadpoolWork
CompareStringEx
CompareStringOrdinal
CopyFileExW
CreateDirectoryW
CreateEventExW
CreateFileW
CreatePipe
CreateProcessW
CreateThread
CreateThreadpoolIo
CreateThreadpoolWait
CreateThreadpoolWork
DeleteCriticalSection
DeleteFileW
DeviceIoControl
DuplicateHandle
EnterCriticalSection
EnumCalendarInfoExEx
EnumTimeFormatsEx
ExitProcess
ExpandEnvironmentStringsW
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindNLSStringEx
FindStringOrdinal
FlushFileBuffers
FormatMessageW
FreeConsole
FreeLibrary
GetCPInfoExW
GetCalendarInfoEx
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentProcessorNumberEx
GetCurrentThread
GetDynamicTimeZoneInformation
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandleEx
GetFileType
GetFullPathNameW
GetLastError
GetLocaleInfoEx
GetLongPathNameW
GetModuleFileNameW
GetOverlappedResult
GetProcAddress
GetProcessId
GetStdHandle
GetSystemDirectoryW
GetSystemTime
GetThreadContext
GetThreadPriority
GetTickCount64
GetTimeZoneInformation
GetUserPreferredUILanguages
InitializeConditionVariable
InitializeCriticalSection
IsDebuggerPresent
K32EnumProcesses
LCMapStringEx
LeaveCriticalSection
LoadLibraryExW
LocalAlloc
LocalFree
LocaleNameToLCID
MultiByteToWideChar
OpenProcess
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseFailFastException
ReadConsoleW
ReadFile
ResetEvent
ResolveLocaleName
ResumeThread
SetEvent
SetFileAttributesW
SetFileInformationByHandle
SetFilePointerEx
SetLastError
SetThreadContext
SetThreadErrorMode
SetThreadPriority
SetThreadpoolWait
Sleep
SleepConditionVariableCS
StartThreadpoolIo
SubmitThreadpoolWork
SystemTimeToFileTime
TerminateProcess
TzSpecificLocalTimeToSystemTime
VirtualAlloc
VirtualAllocEx
VirtualFree
WaitForMultipleObjectsEx
WaitForSingleObject
WaitForThreadpoolWaitCallbacks
WakeConditionVariable
WideCharToMultiByte
WriteConsoleW
WriteFile
WriteProcessMemory
FlushProcessWriteBuffers
WaitForSingleObjectEx
AddVectoredExceptionHandler
GetModuleHandleW
RtlVirtualUnwind
RtlCaptureContext
RtlRestoreContext
VerSetConditionMask
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
GetCurrentThreadId
SuspendThread
FlushInstructionCache
VirtualProtect
CreateMemoryResourceNotification
QueryInformationJobObject
GetModuleHandleExW
GetProcessAffinityMask
VerifyVersionInfoW
InitializeContext
GetEnabledXStateFeatures
SetXStateFeaturesMask
VirtualQuery
GetSystemTimeAsFileTime
InitializeCriticalSectionEx
SleepEx
DebugBreak
GlobalMemoryStatusEx
GetSystemInfo
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
VirtualAllocExNuma
IsProcessInJob
GetNumaHighestNodeNumber
GetProcessGroupAffinity
K32GetProcessMemoryInfo
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
ole32
CoGetApartmentType
CoCreateGuid
CoTaskMemAlloc
CoWaitForMultipleHandles
CoUninitialize
CoTaskMemFree
CoInitializeEx
user32
LoadStringW
api-ms-win-crt-heap-l1-1-0
calloc
malloc
free
_callnewh
api-ms-win-crt-math-l1-1-0
fmodf
cos
ceil
modf
fmod
floor
sin
tan
pow
api-ms-win-crt-string-l1-1-0
_stricmp
strcmp
strcpy_s
strncpy_s
wcsncmp
api-ms-win-crt-convert-l1-1-0
strtoull
api-ms-win-crt-runtime-l1-1-0
_initialize_narrow_environment
_execute_onexit_table
_crt_atexit
abort
_initterm_e
_cexit
_initialize_onexit_table
_seh_filter_dll
_initterm
terminate
_configure_narrow_argv
_register_onexit_function
api-ms-win-crt-stdio-l1-1-0
__stdio_common_vfprintf
__acrt_iob_func
__stdio_common_vsprintf_s
__stdio_common_vsscanf
Exports
??0BugSplatImp@@QEAA@XZ
??0MiniDmpSender@@QEAA@AEBV0@@Z
??0MiniDmpSender@@QEAA@PEBD000K@Z
??0MiniDmpSender@@QEAA@PEBG000K@Z
??0MiniDmpSender@@QEAA@PEB_W000K@Z
??1MiniDmpSender@@UEAA@XZ
??4BugSplatImp@@QEAAAEAV0@AEBV0@@Z
??4MiniDmpSender@@QEAAAEAV0@AEBV0@@Z
??_7MiniDmpSender@@6B@
?CreateMiniDump@BugSplatImp@@QEAAHPEAUHINSTANCE__@@KPEAXKPEAU_EXCEPTION_POINTERS@@PEBDPEADK@Z
?DoFullMemoryDumpThenExit@BugSplatImp@@2_NA
?GetReducedGuid@BugSplatImp@@QEAAXPEADK@Z
?MiniDumpType@BugSplatImp@@2W4_MINIDUMP_TYPE@@A
?ReduceGuidString@BugSplatImp@@QEAAXPEADK@Z
?ResumeSuspendedThreads@BugSplatImp@@QEAAXXZ
?SetDbghelpFlags@MiniDmpSender@@QEAAXW4dbghelpFlags@1@@Z
?SuspendAllThreadsInProcess@BugSplatImp@@QEAAXPEAX@Z
?SuspendThreadsInCurrentProcess@BugSplatImp@@QEAAXXZ
?createReport@MiniDmpSender@@QEAAXPEAU_EXCEPTION_POINTERS@@@Z
?createReport@MiniDmpSender@@QEAAXPEBD@Z
?createReport@MiniDmpSender@@QEAAXPEB_W@Z
?createReport@MiniDmpSender@@QEAAXXZ
?createReportAndExit@MiniDmpSender@@QEAAXXZ
?enableExceptionFilter@MiniDmpSender@@QEAA_N_N@Z
?enableFullMemoryDumpAndExit@MiniDmpSender@@QEAA_N_N@Z
?getFlags@MiniDmpSender@@QEBAKXZ
?imp@MiniDmpSender@@QEAAPEAXXZ
?isExceptionFilterEnabled@MiniDmpSender@@QEBA_NXZ
?isFullMemoryDumpAndExitEnabled@MiniDmpSender@@QEBA_NXZ
?resetAppIdentifier@MiniDmpSender@@QEAAXPEBD@Z
?resetAppIdentifier@MiniDmpSender@@QEAAXPEB_W@Z
?resetVersionString@MiniDmpSender@@QEAAXPEBD@Z
?resetVersionString@MiniDmpSender@@QEAAXPEB_W@Z
?setCallback@MiniDmpSender@@QEAAXP6A_NIPEAX0@Z@Z
?setDefaultUserEmail@MiniDmpSender@@QEAAXPEBD@Z
?setDefaultUserEmail@MiniDmpSender@@QEAAXPEBG@Z
?setDefaultUserEmail@MiniDmpSender@@QEAAXPEB_W@Z
?setDefaultUserName@MiniDmpSender@@QEAAXPEBD@Z
?setDefaultUserName@MiniDmpSender@@QEAAXPEBG@Z
?setDefaultUserName@MiniDmpSender@@QEAAXPEB_W@Z
?setFlags@MiniDmpSender@@QEAA_NK@Z
?setUserZipPath@MiniDmpSender@@QEAAXPEBD@Z
?setUserZipPath@MiniDmpSender@@QEAAXPEBG@Z
?setUserZipPath@MiniDmpSender@@QEAAXPEB_W@Z
?storeUserLog@MiniDmpSender@@QEAAXPEBD@Z
?storeUserLog@MiniDmpSender@@QEAAXPEB_W@Z
?unhandledExceptionHandler@MiniDmpSender@@QEAAJPEAU_EXCEPTION_POINTERS@@@Z
CreateMiniDmpSender
DestroyMiniDmpSender
MDSGetFlags
MDSResetAppIdentifier
MDSResetVersionString
MDSSetFlags
Sections
.text Size: 2.6MB - Virtual size: 2.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1.7MB - Virtual size: 1.7MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 14KB - Virtual size: 1.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 174KB - Virtual size: 173KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
_RDATA Size: 512B - Virtual size: 500B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
PO202501B.exe.exe windows:6 windows x64 arch:x64
e8db4ac21fda256a31e6fbda49d9dc94
Code Sign
7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate
Issuer: CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA
Not Before: 21/12/2012, 00:00
Not After: 30/12/2020, 23:59
Subject: CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate
Issuer: CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US
Not Before: 18/10/2012, 00:00
Not After: 29/12/2020, 23:59
Subject: CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
03:01
Certificate
Issuer: OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US
Not Before: 16/11/2006, 01:54
Not After: 16/11/2026, 01:54
Subject: SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
07:ff:9e:4e:18:62:cf
Certificate
Issuer: SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
Not Before: 02/06/2012, 14:14
Not After: 29/05/2015, 16:45
Subject: CN=BugSplat LLC,O=BugSplat LLC,L=Henniker,ST=NH,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
33:d7:77:2f:60:1b:ea:1b:70:6e:51:c0:ff:a2:c4:99:2f:08:7d:50
Signer
Actual PE Digest: 33:d7:77:2f:60:1b:ea:1b:70:6e:51:c0:ff:a2:c4:99:2f:08:7d:50
Digest Algorithm: sha1
PE Digest Matches: true
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
C:\www\src\BugSplat\bin64\BugSplatHD64.pdb
Imports
kernel32
GetCurrentDirectoryA
SetCurrentDirectoryA
UnmapViewOfFile
OpenProcess
CloseHandle
GetLastError
Sleep
GetCurrentThread
TerminateProcess
MapViewOfFile
WritePrivateProfileStringA
CreateProcessA
CreateFileW
ReadConsoleW
WriteConsoleW
SetStdHandle
OutputDebugStringW
LoadLibraryExW
CreateFileMappingA
GetFileInformationByHandle
CreateFileA
WideCharToMultiByte
GetACP
GetModuleFileNameA
GetFullPathNameA
GetFileAttributesA
FreeLibrary
GetTempPathA
LoadLibraryA
SetFilePointerEx
ReadFile
GetConsoleMode
GetConsoleCP
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
MultiByteToWideChar
GetStringTypeW
HeapFree
IsDebuggerPresent
IsProcessorFeaturePresent
GetCommandLineA
HeapAlloc
RtlPcToFileHeader
RaiseException
RtlLookupFunctionEntry
RtlUnwindEx
GetCPInfo
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetProcAddress
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
IsValidCodePage
GetOEMCP
GetCurrentThreadId
ExitProcess
GetModuleHandleExW
AreFileApisANSI
DeleteFileW
HeapSize
GetStdHandle
GetFileType
WriteFile
GetModuleFileNameW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
HeapReAlloc
FlushFileBuffers
user32
LoadStringA
SendMessageTimeoutA
GetWindowThreadProcessId
GetTopWindow
MessageBoxA
GetWindow
advapi32
OpenThreadToken
LookupPrivilegeValueA
AdjustTokenPrivileges
ImpersonateSelf
bugsplat64
??1MiniDmpSender@@UEAA@XZ
??0BugSplatImp@@QEAA@XZ
?SuspendAllThreadsInProcess@BugSplatImp@@QEAAXPEAX@Z
??0MiniDmpSender@@QEAA@PEBD000K@Z
?CreateMiniDump@BugSplatImp@@QEAAHPEAUHINSTANCE__@@KPEAXKPEAU_EXCEPTION_POINTERS@@PEBDPEADK@Z
psapi
GetModuleBaseNameA
shlwapi
PathAppendA
PathFileExistsA
Sections
.text Size: 124KB - Virtual size: 124KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 57KB - Virtual size: 57KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 9KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 48KB - Virtual size: 48KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
vcruntime140.dll.dll windows:6 windows x64 arch:x64
2cb5da5225e972a08f32d04b8085dc7e
Code Sign
33:00:00:01:20:f3:38:df:c7:9e:ae:32:ec:00:00:00:00:01:20
Certificate
Issuer: CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 24/10/2018, 21:07
Not After: 10/01/2020, 21:07
Subject: CN=Microsoft Time-Stamp Service,OU=Microsoft America Operations+OU=Thales TSS ESN:2264-E33E-780C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate
Issuer: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 02/05/2019, 21:37
Not After: 02/05/2020, 21:37
Subject: CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
61:16:68:34:00:00:00:00:00:1c
Certificate
Issuer: CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d
Not Before: 03/04/2007, 12:53
Not After: 03/04/2021, 13:03
Subject: CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
61:0e:90:d2:00:00:00:00:00:03
Certificate
Issuer: CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 08/07/2011, 20:59
Not After: 08/07/2026, 21:09
Subject: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate
Issuer: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 02/05/2019, 21:37
Not After: 02/05/2020, 21:37
Subject: CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
61:0e:90:d2:00:00:00:00:00:03
Certificate
Issuer: CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 08/07/2011, 20:59
Not After: 08/07/2026, 21:09
Subject: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ec:13:be:32:bd:96:8e:c9:a6:3a:bb:fe:39:c5:c7:f1:87:49:2c:bf:1f:f1:e1:cf:20:f6:c6:d4:c6:3d:f2:fd
Signer
Actual PE Digest: ec:13:be:32:bd:96:8e:c9:a6:3a:bb:fe:39:c5:c7:f1:87:49:2c:bf:1f:f1:e1:cf:20:f6:c6:d4:c6:3d:f2:fd
Digest Algorithm: sha256
PE Digest Matches: true
60:4b:77:c5:fd:0e:cc:62:0a:f4:be:c2:85:39:b6:25:a0:7b:19:71
Signer
Actual PE Digest: 60:4b:77:c5:fd:0e:cc:62:0a:f4:be:c2:85:39:b6:25:a0:7b:19:71
Digest Algorithm: sha1
PE Digest Matches: true
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb
Imports
api-ms-win-crt-runtime-l1-1-0
abort
terminate
api-ms-win-crt-heap-l1-1-0
calloc
malloc
free
api-ms-win-crt-string-l1-1-0
strcpy_s
wcsncmp
api-ms-win-crt-stdio-l1-1-0
__stdio_common_vsprintf_s
api-ms-win-crt-convert-l1-1-0
atol
kernel32
GetLastError
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
RtlLookupFunctionEntry
GetModuleHandleW
GetModuleFileNameW
RtlUnwindEx
RtlUnwind
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedPushEntrySList
InterlockedFlushSList
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
GetProcAddress
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
Exports
_CreateFrameInfo
_CxxThrowException
_FindAndUnlinkFrame
_IsExceptionObjectToBeDestroyed
_SetWinRTOutOfMemoryExceptionCallback
__AdjustPointer
__BuildCatchObject
__BuildCatchObjectHelper
__C_specific_handler
__C_specific_handler_noexcept
__CxxDetectRethrow
__CxxExceptionFilter
__CxxFrameHandler
__CxxFrameHandler2
__CxxFrameHandler3
__CxxQueryExceptionSize
__CxxRegisterExceptionObject
__CxxUnregisterExceptionObject
__DestructExceptionObject
__FrameUnwindFilter
__GetPlatformExceptionInfo
__NLG_Dispatch2
__NLG_Return2
__RTCastToVoid
__RTDynamicCast
__RTtypeid
__TypeMatch
__current_exception
__current_exception_context
__intrinsic_setjmp
__intrinsic_setjmpex
__processing_throw
__report_gsfailure
__std_exception_copy
__std_exception_destroy
__std_terminate
__std_type_info_compare
__std_type_info_destroy_list
__std_type_info_hash
__std_type_info_name
__telemetry_main_invoke_trigger
__telemetry_main_return_trigger
__unDName
__unDNameEx
__uncaught_exception
__uncaught_exceptions
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_InitializeCriticalSectionEx
__vcrt_LoadLibraryExW
_get_purecall_handler
_get_unexpected
_is_exception_typeof
_local_unwind
_purecall
_set_purecall_handler
_set_se_translator
longjmp
memchr
memcmp
memcpy
memmove
memset
set_unexpected
strchr
strrchr
strstr
unexpected
wcschr
wcsrchr
wcsstr
Sections
.text Size: 47KB - Virtual size: 47KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 14KB - Virtual size: 13KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
_RDATA Size: 512B - Virtual size: 148B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 1024B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 372B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
vcruntime140_1.dll.dll windows:6 windows x64 arch:x64
451bdabc0299e6b9dc317480ef12c3dc
Code Sign
33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate
Issuer: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 02/05/2019, 21:37
Not After: 02/05/2020, 21:37
Subject: CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
61:0e:90:d2:00:00:00:00:00:03
Certificate
Issuer: CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 08/07/2011, 20:59
Not After: 08/07/2026, 21:09
Subject: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
13:6b:39:d4:75:51:9f:0d:ef:8a:84:ee:ff:d7:a8:0d:10:41:16:92:87:33:5a:44:03:4f:8a:65:77:09:d8:17
Signer
Actual PE Digest: 13:6b:39:d4:75:51:9f:0d:ef:8a:84:ee:ff:d7:a8:0d:10:41:16:92:87:33:5a:44:03:4f:8a:65:77:09:d8:17
Digest Algorithm: sha256
PE Digest Matches: true
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb
Imports
api-ms-win-crt-runtime-l1-1-0
abort
terminate
api-ms-win-crt-heap-l1-1-0
free
calloc
malloc
api-ms-win-crt-string-l1-1-0
strcpy_s
wcsncmp
vcruntime140
__processing_throw
__C_specific_handler
memmove
__current_exception
kernel32
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
RtlUnwindEx
RtlLookupFunctionEntry
LoadLibraryExW
GetProcAddress
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
EncodePointer
RaiseException
RtlPcToFileHeader
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetLastError
SetLastError
TlsAlloc
Exports
__CxxFrameHandler4
Sections
.text Size: 14KB - Virtual size: 14KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 7KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 1008B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 272B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
vcruntime211.dll