RFQ[.]00[.]014-Samples[.]arj

Sharing

Copy URL

Twitter E-mail

General

Target

RFQ.00.014-Samples.arj
Size

4.5MB
MD5

2cccd0f04c7ab1e13aa95cbae4c0bb3d
SHA1

8734eb8d191bb4e5a090912a5a2f973fe3410914
SHA256

3cfd788d5afda6983a45caf8ca7a3b013098f287aba5aed9e41dc7250f5b7957
SHA512

5efa43b0d7969fbfe71d2208db41ff9a05a36094a23be8c399beb1c654f1859c090153466d20bf60d4fd9326649131716631a4e7bd49a2eb2ec8a9c3e7fc1f52
SSDEEP

98304:/ow8NMDyWmByeZuzuYpZXNWQxcAs8okEIPi7:/ow2WKHZuuYPNWicAssbPi7

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/BugSplat64.dll

Files

RFQ.00.014-Samples.arj
.rar
BugSplat64.dll
.dll windows:6 windows x64 arch:x64

d6e8635c30b38d2e577eada7f46ea3d8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegEnumKeyExW
RegEnumValueW
GetTokenInformation
OpenThreadToken
RevertToSelf
ImpersonateLoggedOnUser

bcrypt

BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptImportKeyPair
BCryptImportKey
BCryptHashData
BCryptGetProperty
BCryptFinishHash
BCryptExportKey
BCryptDecrypt
BCryptEncrypt
BCryptCreateHash
BCryptGenRandom
BCryptDestroyHash

crypt32

CertFreeCertificateChainEngine
CertCloseStore
PFXImportCertStore
PFXExportCertStore
CryptFindOIDInfo
CryptQueryObject
CryptMsgGetParam
CryptMsgClose
CryptImportPublicKeyInfoEx2
CryptFormatObject
CryptDecodeObject
CertVerifyTimeValidity
CertSetCertificateContextProperty
CertSerializeCertificateStoreElement
CertSaveStore
CertOpenStore
CertVerifyCertificateChainPolicy
CertFreeCertificateContext
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertAddCertificateContextToStore
CertAddCertificateLinkToStore
CertControlStore
CertCreateCertificateChainEngine
CertFindCertificateInStore
CertFindExtension
CertFreeCertificateChain
CertGetCertificateChain
CertGetIntendedKeyUsage
CertGetNameStringW
CertGetValidUsages
CertNameToStrW

iphlpapi

GetAdaptersAddresses
GetPerAdapterInfo
GetNetworkParams
if_nametoindex

kernel32

RtlUnwindEx
InterlockedFlushSList
RtlPcToFileHeader
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
RaiseException
UnhandledExceptionFilter
SetLastError
FormatMessageW
GetLastError
GetTickCount64
GetCPInfoExW
GetConsoleMode
GetFileType
ReadFile
ReadConsoleW
WriteFile
WriteConsoleW
GetConsoleOutputCP
GetStdHandle
MultiByteToWideChar
WideCharToMultiByte
CloseHandle
GetExitCodeProcess
CreateProcessW
TerminateProcess
OpenProcess
K32EnumProcesses
GetProcessId
DuplicateHandle
CreatePipe
GetCurrentProcess
GetConsoleCP
QueryPerformanceCounter
LoadLibraryExW
CancelIoEx
CloseThreadpoolIo
GetCurrentProcessId
RaiseFailFastException
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
GetSystemTime
GetCalendarInfoEx
CompareStringOrdinal
CompareStringEx
FindNLSStringEx
GetLocaleInfoEx
ResolveLocaleName
LCIDToLocaleName
GetUserPreferredUILanguages
FindStringOrdinal
GetCurrentThread
WaitForSingleObject
Sleep
DeleteCriticalSection
LocalFree
EnterCriticalSection
SleepConditionVariableCS
LeaveCriticalSection
WakeConditionVariable
InitializeCriticalSection
InitializeConditionVariable
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForMultipleObjectsEx
GetCurrentThreadId
CreateThreadpoolWait
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
CloseThreadpoolWait
CreateThreadpoolWork
CloseThreadpoolWork
SubmitThreadpoolWork
QueryPerformanceFrequency
GetFullPathNameW
GetLongPathNameW
GetCPInfo
LocalAlloc
GetProcAddress
LocaleNameToLCID
LCMapStringEx
EnumTimeFormatsEx
EnumCalendarInfoExEx
CancelSynchronousIo
CreateIoCompletionPort
CreateDirectoryW
CreateFileW
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
DeleteFileW
DeviceIoControl
ExpandEnvironmentStringsW
FindClose
FindFirstFileExW
FlushFileBuffers
FreeLibrary
GetCurrentDirectoryW
GetFileAttributesExW
GetFileInformationByHandleEx
GetModuleFileNameW
GetOverlappedResult
GetSystemDirectoryW
OpenThread
QueryUnbiasedInterruptTime
SetFileAttributesW
SetFileInformationByHandle
SetFilePointerEx
SetThreadErrorMode
CreateThread
ResumeThread
GetThreadPriority
SetThreadPriority
GetDynamicTimeZoneInformation
GetTimeZoneInformation
GetCurrentProcessorNumberEx
SetEvent
ResetEvent
CreateEventExW
GetEnvironmentVariableW
GetFileAttributesW
ExitProcess
FreeConsole
FlushProcessWriteBuffers
WaitForSingleObjectEx
RtlVirtualUnwind
RtlCaptureContext
RtlRestoreContext
AddVectoredExceptionHandler
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
SuspendThread
GetThreadContext
SetThreadContext
FlushInstructionCache
VirtualAlloc
VirtualProtect
VirtualFree
QueryInformationJobObject
GetModuleHandleW
GetModuleHandleExW
GetProcessAffinityMask
InitializeContext
GetEnabledXStateFeatures
SetXStateFeaturesMask
VirtualQuery
InitializeCriticalSectionEx
GetSystemTimeAsFileTime
DebugBreak
SleepEx
GlobalMemoryStatusEx
GetSystemInfo
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
VirtualAllocExNuma
IsProcessInJob
GetNumaHighestNodeNumber
GetProcessGroupAffinity
K32GetProcessMemoryInfo
EncodePointer
DecodePointer
HeapCreate
HeapDestroy
HeapAlloc
HeapFree
GetProcessHeap
RtlLookupFunctionEntry

ncrypt

NCryptImportKey
NCryptDeleteKey
NCryptOpenStorageProvider
NCryptGetProperty
NCryptSetProperty
NCryptFreeObject
NCryptOpenKey

ole32

CoUninitialize
CoTaskMemFree
CoTaskMemAlloc
CoGetApartmentType
CoCreateGuid
CoWaitForMultipleHandles
CoInitializeEx

user32

LoadStringW

ws2_32

recv
ioctlsocket
getsockopt
getpeername
bind
select
WSAEventSelect
WSASend
WSARecv
WSAGetOverlappedResult
WSAConnect
shutdown
setsockopt
WSAIoctl
GetAddrInfoExW
closesocket
GetNameInfoW
GetAddrInfoW
FreeAddrInfoW
WSASocketW
FreeAddrInfoExW
WSAStartup
WSACleanup
send

api-ms-win-crt-heap-l1-1-0

calloc
_callnewh
malloc
free

api-ms-win-crt-math-l1-1-0

nanf
fmod
fmodf
nan
atan
ceil
cos
exp
floor
log
log10
pow
sin
tan
modf
ceilf
cosf
expf
floorf
logf
powf
sinf
modff
log2
atan2
fma
acosh
asinh
atanh
cosh
sinh
tanh
cbrt
acos
asin
tanf
log2f
atan2f
fmaf
acoshf
asinhf
atanhf
coshf
sinhf
tanhf
log10f
cbrtf
acosf
asinf
atanf

api-ms-win-crt-string-l1-1-0

_stricmp
strcmp
strncpy_s
wcsncmp
strcpy_s

api-ms-win-crt-convert-l1-1-0

strtoull

api-ms-win-crt-runtime-l1-1-0

_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
exit
_cexit
_initterm_e
terminate
abort
_initterm

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsscanf
__stdio_common_vsprintf_s
__stdio_common_vfprintf
__acrt_iob_func

Exports

Exports

00eYRI8Hxpn8TzIFxp
012kTSFsur8k6BkrgvbFU1F
03Dpe9TSS1UFPl0zcazTgVVFextvzo
03X6DMowkc1PPbQsxx3UilB
04fYZvdu
05b6Wwz
093adBxROHrhLbFAG3MDOZn
0APMFqT4Y1VTtVqZ6JeblasO9lFxS5C
0C4GBsuFHqquQ6iuKGT5Hrj6xkDEH
0CSbUWZKJo7JRVTU4p
0ExQ9kOuWKwx7wOX
0I7bptL5a5NrbcKHR
0NpMqh1XRCA1lwXsI
0OfMSKsu8JL
0Ohb8hd0QbCrQIvd4ZwRozb8NiN
0PrdocvucfESXu
0Vbjv1zIRA5I4ulVENPxMvzwxVGeTzk
0VibdYgtiaXTNSFDcQyIni8CcAo6f6XE
0WEQtykNn8JWyfNklwfZaPekHU
0ZJhl2MhQCxl8KyTE
0aTMOWJEAyHi
0ff8XZVMUmrpcUMGEsHrW2sdbGRQZAC
0gbiyniUg8J
0hd85iv3DxeP
0iNcoVj9TytUYYgjNZr
0kOrFdxq6D31IXFi
0l4z9Ka6ZNowQQX3fO8
0qKJWtTHJqdSBKBxPtfKkQX2a22aZd1R
0qSu2ptXbk3LLz4JrreQXKsZOlxZZ
0rhpdFgMZIaIc
0yd1oa4V9kRELvAs3
0yt64eblvpGhnbftybBJv
11nJPkEOQatIjxwJdDgfY
15hL3EBZcQ6e96N0E
19cXODDkwPacE7pqaIl
1Az4wzfH
1B46FKF4ksMjY
1C02fjWYPGW2e2hv9S0cydUV
1C7SeXb1
1CKpVSGBWuJP
1DSc4JumLWJoJx4zuu
1ERHc9xkj4rV
1Fy8cBn
1IbPm9SmuwhGdNUt7DkYW7k
1Jl9Ez1tc5M
1OKFs4RcET10tZBNZq5A4PGDIfkmDXk
1QDgFgYXNRuxN1kuGK
1RBPHVKL7Kcwhcm
1T85vKS3qV5
1XW6UH5de2rzalhwDpaGqZxESlg8
1XmJ1jKVfdiTLQO62l2WBR
1ZLo5StPGBpGCl686TKBN1V
1bvQW6qEK3BQDxV5lAb
1ceD2znXcbb2yJ
1ehtRyN
1jOQQbdNwfz
1mQJ78Fr
1o9DFOkX73DHzLs
1swOcbnPYlFlArKFzJ5Xl
1yjeiddXuxOj8cb
1zgl5IDdU
1zlSuWc7XFwl5vcbvFQ0rWL8CFhibmG
20fySUL6K59bIFnIZFzLpabBSdr
22iDQCOD9fZU
24WigeILnOkw3ygA8wYxi6eb
25mGDL8lkaPc5b
26A8GTOIbe9LzSj5nFdn3u3ZraI1iK
26bckFCbrjajG
27GrTzg9cXkiwHKXPpRKWnmVtfVf
27HcqUq791Irw4HZmae1t6L94gJBPCU
27Nkf0uj5Kydu
2Alr9M9qLtZlkJclf6
2BZP2fc9LupwCcXzLozNy
2DYRWeNpd
2Hoj2vOgTk5BzOIVY83X
2Jrq2L8pSQUABL0
2LxQoQJl9sGnaKZiaVc
2MiuoMys3kLoXAWlaymVvp6FsB4
2PSW3Dn
2Pq6sVITPIufsnOWohq
2S23vNLwJ9dr1ojyOIgav6p3NpjCWYz
2T2zor42xXUWJPno66dlQ4M3f3AsV
2Td0bXCvuDls8axlWeZ8vM8fHmFkavw
2TvUJNazcgjPdq4WVyRKls8lvR
2U0pVb1J9yOSCAnI
2UNoeZPkn4SxyGLFmy4fT
2cljsHIurCGA1heK7ByGFX
2f4crcHaMoZJNA0q7ra
2hbKDtI9sel9Pxb6tX4wyCoZ
2jJlEUwbcj9mRDILePKgz5R
2kQzuC5gnhCptXlPTApyB
2krHoKDHkzcaPKHgPoQtFCc8un
2oZ9VAis3mYlIkr
2qbfvIxxORQbkI85HIZLW
2qktQaZLhX
2qq668Y9
2r8Ky4fDFpyquPTkxtj4ssin0KZW4
2zr162cvwRldOSGu6
2zvjAT841ju7ql5v
31VSsU4W1zaHHjTu8DOJ2
31u2wM40yKBMTBClHMzLLLmjOAYAmu
348a2KIJLvvmIM
36JpoiKjZFYsYSpakRV0gnDJ8lcn5uP
388cFf2oVqGQUTJ0P
3EgrUC0lBo42IvBF
3FsNlR8gU4vujRJUKoC2b9eWehxrc76
3GDeeUEFuYnNfrMHZDbO4N
3GrPkLGmHLs
3H7JEEj1CMnLXlM4XT8LTCx
3JP2x5iRmfqn7w2
3LdPXrv7ci2OXj2aqsORRxwa1Mi
3TdzRGP6PIDTd23nSkDALXAu0pf9c5Sn
3WzkqA7Ji7
3YsOWa4DFrjnJiX6q3jzfnfoJviw8h8
3bCdZyOEusBgHm
3cydWmui4lycwUO53oUa0zhLIzMA
3dOGvZtqa9nv9kJtxhHuW9yhfK
3fAR6b1IGhofdrCHEGV6cjSrfjswkhS
3fngE6wQvuSAF29dMd4EWHHru
3hAzltSNJxQLKzPvOHX8a9WZHdds85
3k3h9WvcPMP4
3mZCVJ5Cl1jdYxiR7wpfPyAppztAN
3myX4rybtZNIKFXzKSX2snA0xJ0u
3pTkz5mZNk5OkpIEUTJ
3qWXj0cIxtsQmy1FENE46CwiMXlWlIK
3uGM4rlKNO1to3vtnrv9gTMyKSSi4uPJ
3uuohs0YRkMuf1Tsf0XQb
3vabfYOdzbBmUwuQe1r1bSpLd46vKAj
3xKkox7rrWegNCw0lN3RD3Wb7c9
3yEZg8chx1YKnhuXoh86A
40Eta6UOC2alwegJdYbsZWc7
41CW0BD2q4HBaQK99h
44ECWzgqwJYJrUwYrOsBs
49LCScZ2P4Go3QZutjd
4CRg6gjpzSy2rJcfzpC9K2woLGWP2
4Db9Ew9cW6lEJu0s8
4EQtkv7QRB9koZKz
4HoEyOK3caX
4L5XBDWdIT7wnb8XISaICkJuuEaiR
4NVs5hLD1a8WdqoesJujIs9UB
4P2DrhfsAk4sI
4R0Hzll
4aNZWOdzmnW51gq9JqUR42W
4dxiTVVUXpufEZXhVHuaZgveRc7Ku
4eKkd5DpqrSOTiZn7xMyNon
4gMXrE15MYDC9tbFOpzhKlDLN
4gyW1hJiTiO
4hdnxepub7G9
4iTTgyGqaHkBgCYvKoX
4k27XJujOc
4kPEsfN4
4l0jWImj8NKhkvHcZUOSLUjDrXY
4lI4I76QI1VJgz6V9IuuY72Zv1Tq
4nIJOzQ
4oezodFDaqb
4qMN0olwVNuXZo
4siLvkgAt0YzYzNjSFQTLh8rf5mi7ZW
4u9GfY4mk3F6Pr
4xNLdO1kd3OZNfpucAwvCBaByMhNqro
4xet5FbLKCm
4yVPxZxmb215ZLle8RH5ZDTr
4zDF6Jdh58XtKGZuSC4H0
50uvvgTvlJdUJRiSMWWCFW2AZDHPIOQu
511PxQa18zIX
54XLMIBpKSOur5VT
58FGT7LNHum0cvJ7Hf
59vfWaadY6f8avJBSAI
5AjJji5XlsR5jQ25I76ZO5Hm
5ECcLcJoi1C4w49maA6wzA2PQgVsdgir
5ESI7mA8
5KYNbYkpHxdVtppSMh5Tq3N9
5L3xp1PShF0pX5DB4Ls
5MB9zGXTjgxB3WvigKiTMwoYT
5N3VHnTfTn2bANlNPqjJbt
5NxCn3cOofgHPkJBFkz2ugNc4
5RtYnbh3xG9ZO15LLINP9dl5ZVNW
5SjOXxar4dPoxwbuxhC8ZIG9ou
5SjnxiV1CS40ctu9QsHThawtaIWN
5TL8pHmJMMvV1GBiJAR3ZoKF4zMHlW
5VJTlVy9wvnC
5VWIl7KOznpA5ChL
5ZmC3Hz4qi
5eBjws0m2S6EyO50xIXqPPu4EQ6m
5jbLRTIIA8i7scZ0MIPAgzyJQy6AR
5jquj8XR6ZxeTi5rGsu
5mRaGKFhl
5pyuq3MoCBi5FYwDlPHXSo5LoP
5tAYeTFrIvWWQJGPML3
5uFkodZC3vWSy
5v1uOci4wqscoQ4CEM3bVP
5vLH8M2v8OCQAEqkrvJcY49dak
5vMmEO1LxQbDazkL1XVXDkYZ8C
5w2gieOOBOz7l6BffDQO2IaHhx2tb
5yerVWBjwzMaXZ1DE4vTjcu1c
5zVI6FCpr5yBJ
63vmvYD4VbJPuJcuX2R
65YIhrHPRwNcM5ehAf
67uxi6ZT9Vyhu2oeJo1KG
68bGSbO3tkEd7Qq
69dv4RgXdcqneLNIgji
69gA5nRtUzVZpCCAXYZe7gFgS
6B6NNPBAKyLUw7DOTWt5OmBOi44jGht
6BFeF3Gb2zh7a3fhkgdoZzR
6EhqGARy
6FTxeuXbOGI
6GXkVuLBV9zbySTukkmXk
6KAfekaBiVVIZ
6KN4lDVP5vv5gysv0gHz8WjLFGW7fKu
6KOaw36Mqsp8wRC6uMhe80KwnmQ
6KteWzmiI7jwOJdwQLKqDmTS
6LDH0wg5xEGWJEU20VSmN
6O1gxK6kGkK3jwmFnWtJk
6OVXJybbnMqcMB5bup87y
6Q7BD0fp5wz51c6Mgmv
6SpUuXlnK8p6fw7YoC9tKc
6U0ZMQDEmZqWWqWTy
6X5gE7pgdy7StuEy8
6YaBJetTGZ5qaWvSAOx1F8fS8Uz
6YjZjANUGzS1FBmtixFldmhx3
6ZjeR79F2MRiUITH7oMMeNqT7lS
6bbVoBpgwdMJDbBvlCXwfx5W8
6bujdcC
6bybWYaYSACZ86tNgHp3wS0qKJFVz
6deLxhRQv
6kCaDZD8L7jhniWYXSe6XIy6VIUmEn
6o4Smd4aLVL
6qh9IOJ15tgPtgM4izdvV
6qmfmdayrI65dTLrJfe2ukcL7YFE
6rvkL1MakIEzKm1AKfVC62kjLz5G3FS
6uDDbEnxfyq
6wwHeGwGFVftl4oN1JhBVZoeahP
6xjRiKXP4
6y5yKupdtGY6R7Flv0jhVi1m
6y7hNSBGlDnQ
6yBqEus
6ytXeNON3XkdtL
70iTtYifI1pbgqhpIkppee49Ij
77LxzCG6BdBkw9INKx3
77pmQJcBiPxsnG8N2rylQ7Cjre
7CN2j1GXY
7CQOfWSS2N6e9OMb0H12
7HWGL6MllR7YIiBasCThZDjuAxf9
7Ha6GFpImcKI5uEJk
7KkFvl2uhEAtQ
7LQcVxggqb2uxBXO4
7QKg7htMG8GqXCOSCcAt
7R4aFE6e1M6EJw9TW15b60OY
7RTQ2Sc5fniBJOa
7RiIaKGd2xOHZ4B
7SAcWck2d2W3V9
7UWHzxNlc
7VfKkYh
7WOG5POj231bHtez90
7Y4toB44rej
7bmbhkVmaSYGtHGK0PWoaWMvLUGUor
7bx5j2Q
7dbzm2PRsScMV0OJ
7ePMQgyVdgJme
7fGlhxwH
7fk6QPGD0jdPHOv913DUpoz2C7jkFhc
7h1Iyq6N0VC1fgsGoXJTpiIGLH
7hfFETriCCEwepvfTi
7jYBTCNg033YVLBrTCt6cMUmla
7l5mnHHoqsAlVM6t
7oAUtx1HUgGd1xQ3l7tTech
7prpK7uqz0edomPs5GmgJxvHsY4
7tM9Yh4FsZT
7tovjtLwmNZagCrGwFk
7uJjb20j3njDp01kVx
7wHhUTdLUc3VxEC1I8XEJOspy0Ntu4Wj
7wWx4AqUF
7xV1ynxrJiaNY8DKl
7zz6WNMRuyz
819QQ9e8kzyrmSfV
81koYVg4Rn4W70Un
82arCdTEGMzP6EWPIQht3YPG
84yRZt6Ke01S7
8ALqjcoam6
8B7Mwcexrpk5mqE6s0uwFb8BCJi2
8GDI0rg8hcfVaCIseGzx2rPbg8Th7Fp
8HcE62EawgcFLuvyfaqgY5EH8S4i
8KQIWYl03OEMa
8NQI1kBBVDqPN6N4WE2IONCbBp1
8NU2Kqai1TUxAPW2DAdmgtF8EZ
8P84ren6MPT0M8XP3W
8PUwuLFUZX2iWTxCJhfkXm5td5KlVS
8SirwyoKMRnGUhsBcBjc0
8TouOLps85u8
8UvXJvMHzCFCekftIvaUOxpFGA
8a2n4p8PKEEDSOEnZWGL9Zdg88A
8cNDimlOep1x56DNpS5yEgPEeudDq
8dQ64yOg79tQ9aJmw
8eXjaQcs8Yf5VDK2Qx
8fiNfSP0IhLTY4q0GklZl5ydgLG7h
8mmpM8RifMa
8oNcojDFucE
8p3vp9fuYjAf
8pMGPYPg2kNJhgLM
8qLkfQLctwtyerXbCBR
8rGzabXad8fXR8Etz
8rZrVecA
8sNTCsMn4GV0gJQDrdXZROh5tdJ
8wXTaPFAtEfbbx2iFBM2aX0
8wz1Nt03YJl2R8yR
8xa7xaxKrS2MyRuIx4ukCzfUGTe
8yTf3I7x00bUYdG1H2uL52D01peAMsIe
90cdGdm1wPV
97PBOOu0O5vfuQPW
99mKdO4
9A3SHrmW3EPO0vXzpyfP
9BcMIQFpbgecEiXGv
9BerhsE6
9Bjr1KE04JdMNGVQ5ofcE6cKF
9C0b8sD6k89MDFw2rbu
9DpUkoIwed
9E4SxhliZ8RAVG
9EazJoz6HE5
9GdHzvP8mZboKrTB5G
9HjEJpc8T1OMMBFloibXM9
9HxS9EsgqJqMPN4
9I63ef3swIFblDGEcfjon0ffAv
9IP7zCjPPRER0V92aqjz8MxMJA
9IpFdcsool5Aixq
9IzcglH4iaXl9R
9QZK6oW8C6SIBudwpujZpKHuf
9SQ6EWtR
9UZaDk08KXmHbnac7PmEyVGa
9XvAezIVtdv
9YNdjKRVnINtxEBAgccnIxasgq
9YXJAIflgHnqX0KWonI7NpQO
9ZvnetD0i6896TP7Ytp
9b3XhFvTEWm
9bF63I5Z
9bwfruZu4rhkPFFUoWsq7m
9gk8pcxW57yEVWVOVyJ7
9iBWyHI
9j4oWChMKweFWx0Taj2eQp4
9jOYdqwzAOlFy68pW3YQto3y9EOj
9pGMquvzbxGfx8j6
9t99FnJbwj8N6UumgjCcVrYBMRKM
9uGRplpiZzFW4K58mveLV
9vV1ik9DB9MPEFEufI9MJEvKw
9vlVAKLsAqJoHgUMPu1O
9xxI0Z1kZJU8LMYOuWKbm7EM
9ybYObwI32U00uETVQG4fcePv
??0BugSplatImp@@QEAA@XZ
??0MiniDmpSender@@QEAA@AEBV0@@Z
??0MiniDmpSender@@QEAA@PEBD000K@Z
??0MiniDmpSender@@QEAA@PEBG000K@Z
??0MiniDmpSender@@QEAA@PEB_W000K@Z
??1MiniDmpSender@@UEAA@XZ
??4BugSplatImp@@QEAAAEAV0@AEBV0@@Z
??4MiniDmpSender@@QEAAAEAV0@AEBV0@@Z
??_7MiniDmpSender@@6B@
?CreateMiniDump@BugSplatImp@@QEAAHPEAUHINSTANCE__@@KPEAXKPEAU_EXCEPTION_POINTERS@@PEBDPEADK@Z
?DoFullMemoryDumpThenExit@BugSplatImp@@2_NA
?GetReducedGuid@BugSplatImp@@QEAAXPEADK@Z
?MiniDumpType@BugSplatImp@@2W4_MINIDUMP_TYPE@@A
?ReduceGuidString@BugSplatImp@@QEAAXPEADK@Z
?ResumeSuspendedThreads@BugSplatImp@@QEAAXXZ
?SetDbghelpFlags@MiniDmpSender@@QEAAXW4dbghelpFlags@1@@Z
?SuspendAllThreadsInProcess@BugSplatImp@@QEAAXPEAX@Z
?SuspendThreadsInCurrentProcess@BugSplatImp@@QEAAXXZ
?createReport@MiniDmpSender@@QEAAXPEAU_EXCEPTION_POINTERS@@@Z
?createReport@MiniDmpSender@@QEAAXPEBD@Z
?createReport@MiniDmpSender@@QEAAXPEB_W@Z
?createReport@MiniDmpSender@@QEAAXXZ
?createReportAndExit@MiniDmpSender@@QEAAXXZ
?enableExceptionFilter@MiniDmpSender@@QEAA_N_N@Z
?enableFullMemoryDumpAndExit@MiniDmpSender@@QEAA_N_N@Z
?getFlags@MiniDmpSender@@QEBAKXZ
?imp@MiniDmpSender@@QEAAPEAXXZ
?isExceptionFilterEnabled@MiniDmpSender@@QEBA_NXZ
?isFullMemoryDumpAndExitEnabled@MiniDmpSender@@QEBA_NXZ
?resetAppIdentifier@MiniDmpSender@@QEAAXPEBD@Z
?resetAppIdentifier@MiniDmpSender@@QEAAXPEB_W@Z
?resetVersionString@MiniDmpSender@@QEAAXPEBD@Z
?resetVersionString@MiniDmpSender@@QEAAXPEB_W@Z
?setCallback@MiniDmpSender@@QEAAXP6A_NIPEAX0@Z@Z
?setDefaultUserEmail@MiniDmpSender@@QEAAXPEBD@Z
?setDefaultUserEmail@MiniDmpSender@@QEAAXPEBG@Z
?setDefaultUserEmail@MiniDmpSender@@QEAAXPEB_W@Z
?setDefaultUserName@MiniDmpSender@@QEAAXPEBD@Z
?setDefaultUserName@MiniDmpSender@@QEAAXPEBG@Z
?setDefaultUserName@MiniDmpSender@@QEAAXPEB_W@Z
?setFlags@MiniDmpSender@@QEAA_NK@Z
?setUserZipPath@MiniDmpSender@@QEAAXPEBD@Z
?setUserZipPath@MiniDmpSender@@QEAAXPEBG@Z
?setUserZipPath@MiniDmpSender@@QEAAXPEB_W@Z
?storeUserLog@MiniDmpSender@@QEAAXPEBD@Z
?storeUserLog@MiniDmpSender@@QEAAXPEB_W@Z
?unhandledExceptionHandler@MiniDmpSender@@QEAAJPEAU_EXCEPTION_POINTERS@@@Z
A1kjEbHBoVaDNSimF0nTlBtkMBX
A1no6cwDujeIxXktUPm0e
A2rDhG12RfJEy03UdXlUvrt1J7YS
A3zoHHD80ndmv
A4Fj5AF3N5fi9vH4ynGFKu85PH9gw9
A5eXwfk9qyQEuS44YmrJ8wXELfk
A7WsBdv82EA
A9xnYzih2JEUiFLQRE0rLO
ACIYEua6T83nyhuj4lRLFKjXcF
AJKNnL1YOuWVXrqKE2yx9Yv9931xO
ALdZ5Ud8TnYP5S0dKW8M3Eq6WOMe1
APAWhoGWHxgrMUDalIwF
APPa1mrDq0QEY2vez
AR1WVrP
ASKRO6fk69iXfpCu0
ASQ21doROxDAcK7Lh4HlJ
ASmwz80nIgpt4j7dz1OPrUT7mAYwYr
AWKSIeHxVlqwMPNplr
AWbdogdemxEt
AWfTP9K7Rb0YZHH4eADKTfLAYkTGL
AWmbxFOBhnZVjvJvTgQbD0mqqBWAE
AXEAJ103
AXm8WKFU1LIgyKDYU4xvLs2SmAcaO2
AY15VwRR23aQH3Dr475CrjQgKrY9B
AZ3G7HYGeBJozdJ6BW7xtioCdskR2YuX
Aa2esFcGPR9
AhAMHYuuvGvVMWi5
AheP5IVMIPqGJg11Vq
AiVLKQp5TelBU0yKL
AicVZJtPEUXFKejEIz
AjRk16y
Angf0O6B7wHrnAHlH05vdD6lDW6a
Ar7HinXf
AswwTYp40SFOWKwI6wX3443DYsxLOB
AxSWg93L3
AycXSaGCg7hrtWLH
AzQlbOibNnJlRspO6JCOfsEcJsiqDzT
AzgHa6nWWR
B0bMDeZyvnguCCgYc8Ae9GzKPq
B0rFQ5nB6KtHD2JLJx7
B35hmQDBuTryPrw
B38eFXgJcjiG3YiAAXGc
B4Hj63UUO7
B5CTH0zikkmYAnG5wOK0NGcfCyyiO
B6fAboO420cOq5RAdMCIP9MjrXntO
B7jdZWh3h
B9g8gtur1EGl
BB2CD6UO9ElRsuO0MaIHnbtaRa
BCbi2BNi4
BERIR49zA52b0lFc6rRqVW9t
BFKMA3BDq8mj6DmswJHXeKbXCMjGG6H
BGihl3VMJw3S52Pv875PYTMC
BLmnJlA9Uh7FoZEXvvw5bfhtQ
BMYz5KoRNSXFrRTgRj0
BO8goMmFMHX7wFjlEmCZfRIIuP5SM4
BOSGe6gqVkSb50sEOrvz52nnMv
BPJJZoKOp
BPYApT8SmX
BPqqaWf7fCDTnNWVywRVG3ywXj
BUhrhvPvEeOfC9rLnv6DDmfRlh
BVdupCEQLX
BVnytKehI1L1hRY
BVtt7DrKIJNgvPtRgQYUNqWsRwoqq2
BXeuTEXq0m
BXzjqElTH
BY3wjK9XLih0oA4EkxeZw3
BaTw1gmbdGT7qoX3iTkWh150ecWSiV
Bd3m7ad8kBwkm1zEJ
BiPGtJbviVAdl9C8U4SQzxzbPMpEyq
Bia9Az7AXeNmQ5
Bl0XKULidwowRS9SKfBj2HAbKNliAl
Bnizt1a5bfKDM3pSxDvOI5IDZ8
BoO9bIh2tCQyGKZGsyC9z6xMWHBofNV
Bp4TXxsivVgkC8frMYkxsHK
Bpc1IvOYW012PgB5NEjFnXxC6Ztigo
BqSPNxqTsq9E
Br8GytwB6MhD2KogMp63
BsYCxDxmS1jfYhNJk
BwZZF60KOzptI
ByyLvwOL13Q3bPklf8yT
C1PlUSCE
C2GVlaIx9x5TnPhjKNeZ2lWKzK5
C2YMEc3L0m3qTW9Q10dqLh8oBUeEglF
C2c5o0h6M85
C6Wt4RcN0YhKuwNpb4J65bidwYSFW
C8BMfyO75J0AWz8YUXprV5pCz0MVOp4c
C9HoRBuUZbdT6nrMCbQHTqhoO
C9r1tSmOawIiBPUdlzk3
CAhbkNDdlI6TaSc5NTMA9JrA
CC5K2KFlcR
CCmWh4RdT3f7
CG3o4IzfvY3h1TAOkynQkH0qQm6WWt
CHH8VfoIhSsmMvoY
CIXJC3sSJ4VePfUaXRA
CKtNU9jclfaj
CTGH3HH0r6XqRsQOzUFDH0WADcEY3
CUJIuZiHFTNHVknLGDcfwP
CWPbbm8Pq
CWkEAaQTDGhTA0oATUdUodcATCzmyBC8
CXjo9FU
CZi2AOLzoP5643Vnm
CaHsjaq3wDU7k8o
CbGKo0VUy928ka4QfXUqf
Ceyinl4To6TrPz
CgQUBKt1rXi
Ch2kAemU5F2200c5uXj44OJf8
Ch8T31dx7bgkHvs5M
ChWwHsZXFl4DRfWhS89RDb

Sections

.text
Size: 803KB - Virtual size: 802KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.managed
Size: 5.9MB - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

hydrated
Size: - Virtual size: 2.5MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 5.2MB - Virtual size: 5.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 43KB - Virtual size: 201KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 504KB - Virtual size: 504KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RFQ.00.014 -Samples.exe
.exe windows:6 windows x64 arch:x64

e8db4ac21fda256a31e6fbda49d9dc94

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

03:01
Certificate

Issuer

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US

Not Before

16/11/2006, 01:54

Not After

16/11/2026, 01:54

Subject

SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

07:ff:9e:4e:18:62:cf
Certificate

Issuer

SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

02/06/2012, 14:14

Not After

29/05/2015, 16:45

Subject

CN=BugSplat LLC,O=BugSplat LLC,L=Henniker,ST=NH,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:d7:77:2f:60:1b:ea:1b:70:6e:51:c0:ff:a2:c4:99:2f:08:7d:50
Signer

Actual PE Digest

33:d7:77:2f:60:1b:ea:1b:70:6e:51:c0:ff:a2:c4:99:2f:08:7d:50

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\www\src\BugSplat\bin64\BugSplatHD64.pdb

Imports

kernel32

GetCurrentDirectoryA
SetCurrentDirectoryA
UnmapViewOfFile
OpenProcess
CloseHandle
GetLastError
Sleep
GetCurrentThread
TerminateProcess
MapViewOfFile
WritePrivateProfileStringA
CreateProcessA
CreateFileW
ReadConsoleW
WriteConsoleW
SetStdHandle
OutputDebugStringW
LoadLibraryExW
CreateFileMappingA
GetFileInformationByHandle
CreateFileA
WideCharToMultiByte
GetACP
GetModuleFileNameA
GetFullPathNameA
GetFileAttributesA
FreeLibrary
GetTempPathA
LoadLibraryA
SetFilePointerEx
ReadFile
GetConsoleMode
GetConsoleCP
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
MultiByteToWideChar
GetStringTypeW
HeapFree
IsDebuggerPresent
IsProcessorFeaturePresent
GetCommandLineA
HeapAlloc
RtlPcToFileHeader
RaiseException
RtlLookupFunctionEntry
RtlUnwindEx
GetCPInfo
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetProcAddress
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
IsValidCodePage
GetOEMCP
GetCurrentThreadId
ExitProcess
GetModuleHandleExW
AreFileApisANSI
DeleteFileW
HeapSize
GetStdHandle
GetFileType
WriteFile
GetModuleFileNameW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
HeapReAlloc
FlushFileBuffers

user32

LoadStringA
SendMessageTimeoutA
GetWindowThreadProcessId
GetTopWindow
MessageBoxA
GetWindow

advapi32

OpenThreadToken
LookupPrivilegeValueA
AdjustTokenPrivileges
ImpersonateSelf

bugsplat64

??1MiniDmpSender@@UEAA@XZ
??0BugSplatImp@@QEAA@XZ
?SuspendAllThreadsInProcess@BugSplatImp@@QEAAXPEAX@Z
??0MiniDmpSender@@QEAA@PEBD000K@Z
?CreateMiniDump@BugSplatImp@@QEAAHPEAUHINSTANCE__@@KPEAXKPEAU_EXCEPTION_POINTERS@@PEBDPEADK@Z

psapi

GetModuleBaseNameA

shlwapi

PathAppendA
PathFileExistsA

Sections

.text
Size: 124KB - Virtual size: 124KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 57KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vcruntime140.dll
.dll windows:6 windows x64 arch:x64

2cb5da5225e972a08f32d04b8085dc7e

Code Sign

33:00:00:01:20:f3:38:df:c7:9e:ae:32:ec:00:00:00:00:01:20
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

24/10/2018, 21:07

Not After

10/01/2020, 21:07

Subject

CN=Microsoft Time-Stamp Service,OU=Microsoft America Operations+OU=Thales TSS ESN:2264-E33E-780C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:37

Not After

02/05/2020, 21:37

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:37

Not After

02/05/2020, 21:37

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ec:13:be:32:bd:96:8e:c9:a6:3a:bb:fe:39:c5:c7:f1:87:49:2c:bf:1f:f1:e1:cf:20:f6:c6:d4:c6:3d:f2:fd
Signer

Actual PE Digest

ec:13:be:32:bd:96:8e:c9:a6:3a:bb:fe:39:c5:c7:f1:87:49:2c:bf:1f:f1:e1:cf:20:f6:c6:d4:c6:3d:f2:fd

Digest Algorithm

sha256

PE Digest Matches

true

60:4b:77:c5:fd:0e:cc:62:0a:f4:be:c2:85:39:b6:25:a0:7b:19:71
Signer

Actual PE Digest

60:4b:77:c5:fd:0e:cc:62:0a:f4:be:c2:85:39:b6:25:a0:7b:19:71

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

abort
terminate

api-ms-win-crt-heap-l1-1-0

calloc
malloc
free

api-ms-win-crt-string-l1-1-0

strcpy_s
wcsncmp

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf_s

api-ms-win-crt-convert-l1-1-0

atol

kernel32

GetLastError
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
RtlLookupFunctionEntry
GetModuleHandleW
GetModuleFileNameW
RtlUnwindEx
RtlUnwind
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedPushEntrySList
InterlockedFlushSList
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
GetProcAddress
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW

Exports

Exports

_CreateFrameInfo
_CxxThrowException
_FindAndUnlinkFrame
_IsExceptionObjectToBeDestroyed
_SetWinRTOutOfMemoryExceptionCallback
__AdjustPointer
__BuildCatchObject
__BuildCatchObjectHelper
__C_specific_handler
__C_specific_handler_noexcept
__CxxDetectRethrow
__CxxExceptionFilter
__CxxFrameHandler
__CxxFrameHandler2
__CxxFrameHandler3
__CxxQueryExceptionSize
__CxxRegisterExceptionObject
__CxxUnregisterExceptionObject
__DestructExceptionObject
__FrameUnwindFilter
__GetPlatformExceptionInfo
__NLG_Dispatch2
__NLG_Return2
__RTCastToVoid
__RTDynamicCast
__RTtypeid
__TypeMatch
__current_exception
__current_exception_context
__intrinsic_setjmp
__intrinsic_setjmpex
__processing_throw
__report_gsfailure
__std_exception_copy
__std_exception_destroy
__std_terminate
__std_type_info_compare
__std_type_info_destroy_list
__std_type_info_hash
__std_type_info_name
__telemetry_main_invoke_trigger
__telemetry_main_return_trigger
__unDName
__unDNameEx
__uncaught_exception
__uncaught_exceptions
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_InitializeCriticalSectionEx
__vcrt_LoadLibraryExW
_get_purecall_handler
_get_unexpected
_is_exception_typeof
_local_unwind
_purecall
_set_purecall_handler
_set_se_translator
longjmp
memchr
memcmp
memcpy
memmove
memset
set_unexpected
strchr
strrchr
strstr
unexpected
wcschr
wcsrchr
wcsstr

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 148B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vcruntime140_1.dll
.dll windows:6 windows x64 arch:x64

451bdabc0299e6b9dc317480ef12c3dc

Code Sign

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:37

Not After

02/05/2020, 21:37

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

13:6b:39:d4:75:51:9f:0d:ef:8a:84:ee:ff:d7:a8:0d:10:41:16:92:87:33:5a:44:03:4f:8a:65:77:09:d8:17
Signer

Actual PE Digest

13:6b:39:d4:75:51:9f:0d:ef:8a:84:ee:ff:d7:a8:0d:10:41:16:92:87:33:5a:44:03:4f:8a:65:77:09:d8:17

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

d:\agent\_work\2\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

abort
terminate

api-ms-win-crt-heap-l1-1-0

free
calloc
malloc

api-ms-win-crt-string-l1-1-0

strcpy_s
wcsncmp

vcruntime140

__processing_throw
__C_specific_handler
memmove
__current_exception

kernel32

IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
RtlUnwindEx
RtlLookupFunctionEntry
LoadLibraryExW
GetProcAddress
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
EncodePointer
RaiseException
RtlPcToFileHeader
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetLastError
SetLastError
TlsAlloc

Exports

Exports

__CxxFrameHandler4

Sections

.text
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d6e8635c30b38d2e577eada7f46ea3d8

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

crypt32

iphlpapi

kernel32

ncrypt

ole32

user32

ws2_32

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

Exports

Exports

Sections

.text Size: 803KB - Virtual size: 802KB

.managed Size: 5.9MB - Virtual size: 5.9MB

hydrated Size: - Virtual size: 2.5MB

.rdata Size: 5.2MB - Virtual size: 5.2MB

.data Size: 43KB - Virtual size: 201KB

.pdata Size: 504KB - Virtual size: 504KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 6KB

e8db4ac21fda256a31e6fbda49d9dc94

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

03:01Certificate

Key Usages

07:ff:9e:4e:18:62:cfCertificate

Extended Key Usages

Key Usages

33:d7:77:2f:60:1b:ea:1b:70:6e:51:c0:ff:a2:c4:99:2f:08:7d:50Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

bugsplat64

psapi

shlwapi

Sections

.text Size: 124KB - Virtual size: 124KB

.rdata Size: 57KB - Virtual size: 57KB

.data Size: 9KB - Virtual size: 19KB

.pdata Size: 6KB - Virtual size: 6KB

.rsrc Size: 48KB - Virtual size: 48KB

.reloc Size: 3KB - Virtual size: 2KB

2cb5da5225e972a08f32d04b8085dc7e

Code Sign

33:00:00:01:20:f3:38:df:c7:9e:ae:32:ec:00:00:00:00:01:20Certificate

Extended Key Usages

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51Certificate

Extended Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51Certificate

.text
Size: 803KB - Virtual size: 802KB

.managed
Size: 5.9MB - Virtual size: 5.9MB

hydrated
Size: - Virtual size: 2.5MB

.rdata
Size: 5.2MB - Virtual size: 5.2MB

.data
Size: 43KB - Virtual size: 201KB

.pdata
Size: 504KB - Virtual size: 504KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 6KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

03:01
Certificate

07:ff:9e:4e:18:62:cf
Certificate

33:d7:77:2f:60:1b:ea:1b:70:6e:51:c0:ff:a2:c4:99:2f:08:7d:50
Signer

.text
Size: 124KB - Virtual size: 124KB

.rdata
Size: 57KB - Virtual size: 57KB

.data
Size: 9KB - Virtual size: 19KB

.pdata
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 48KB - Virtual size: 48KB

.reloc
Size: 3KB - Virtual size: 2KB

33:00:00:01:20:f3:38:df:c7:9e:ae:32:ec:00:00:00:00:01:20
Certificate

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

ec:13:be:32:bd:96:8e:c9:a6:3a:bb:fe:39:c5:c7:f1:87:49:2c:bf:1f:f1:e1:cf:20:f6:c6:d4:c6:3d:f2:fd
Signer

60:4b:77:c5:fd:0e:cc:62:0a:f4:be:c2:85:39:b6:25:a0:7b:19:71
Signer

.text
Size: 47KB - Virtual size: 47KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 2KB

_RDATA
Size: 512B - Virtual size: 148B

.rsrc
Size: 1024B - Virtual size: 1024B

.reloc
Size: 512B - Virtual size: 372B

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

13:6b:39:d4:75:51:9f:0d:ef:8a:84:ee:ff:d7:a8:0d:10:41:16:92:87:33:5a:44:03:4f:8a:65:77:09:d8:17
Signer

.text
Size: 14KB - Virtual size: 14KB

.rdata
Size: 7KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 1008B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 272B