Report #13078

Binary
DLL
False
Size
63.50KB
trid
61.7% Win64 Executable
14.7% Win32 Dynamic Link Library
10.0% Win32 Executable
4.5% OS/2 Executable
4.4% Generic Win/DOS Executable
type
PE
wordsize
32
Subsystem
Windows CLI
Hashes
md5
57abc0f9d7b2a5ff5a8acfce03071a37
sha1
c5f06f6867f182df0f45dab0e9ad71e96c7a2a93
crc32
0x8951e12b
sha224
196f6b22b992e453476acaecac84f1ff71dad32c0e745c8c5e04ace9
sha256
19cbcaa6eaebf7703293c7f4f1ea122904cd55b105aa6ed70b30279c8aa2f618
sha384
7940c00342c1c7109f9d94622a1b9e8ba84d7b46152cb4ff8411dd382d7367c8739e95018e2e7bdd7af909f30560c1eb
sha512
d7e98c339f4c27cac3c55ab2175ae66e27b50cbdf24a886a92ced0d1bad92a9212727cbc5e0462b5b6250027172a8f0a0a0e8e1f02bb881a396f7338207e2693
ssdeep
768:n7uIhuAtUIlUuAB7vwEWM+sKaMoYlj0FJ8sa2jxqIocd6kOk44tIlXyXQlA:n7uIptUIAB74EZya3YmHRR4MIlCXQ
Community
Google
False
HashLib
False
YARA
Matches
VC8_Microsoft_Corporation, domain, contentis_base64, IP, win_mutex, Microsoft_Visual_Cpp_8, HasDebugData, IsConsole, maldoc_find_kernel32_base_method_1, IsPE32, HasRichSignature

Suspicious
True

Imports
ntdll.dll
RtlDeriveCapabilitySidsFromName, RtlGetDeviceFamilyInfoEnum, RtlInitUnicodeString
DeviceCredential.dll
DeviceCredentialScanDeploymentData, DeviceCredentialUpdateDeploymentData
api-ms-win-core-com-l1-1-0.dll
CoWaitForMultipleHandles, CoCreateFreeThreadedMarshaler
api-ms-win-core-heap-l1-1-0.dll
HeapFree, HeapAlloc, GetProcessHeap
api-ms-win-core-heap-l2-1-0.dll
LocalAlloc, LocalFree
api-ms-win-core-debug-l1-1-0.dll
DebugBreak, OutputDebugStringW, IsDebuggerPresent
api-ms-win-core-synch-l1-1-0.dll
SetEvent, CreateSemaphoreExW, AcquireSRWLockExclusive, WaitForSingleObjectEx, ReleaseSemaphore, CreateEventExW, OpenSemaphoreW, WaitForSingleObject, CreateMutexExW, ReleaseSRWLockExclusive, ReleaseMutex
api-ms-win-core-synch-l1-2-0.dll
Sleep, InitOnceBeginInitialize, InitOnceComplete
api-ms-win-core-winrt-l1-1-0.dll
RoUninitialize, RoGetActivationFactory, RoActivateInstance, RoInitialize
api-ms-win-crt-string-l1-1-0.dll
memset
api-ms-win-core-handle-l1-1-0.dll
CloseHandle
api-ms-win-crt-private-l1-1-0.dll
_o__configthreadlocale, _o__configure_wide_argv, _o__controlfp_s, _o__crt_atexit, _o__errno, _o__exit, _o__get_initial_wide_environment, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, memmove, _o__wcsicmp, _o_exit, _o_free, _o_malloc, _o_terminate, _o_toupper, _except_handler4_common, _o__cexit, _o__callnewh, _CxxThrowException, _o___stdio_common_vswprintf, _o___stdio_common_vsnprintf_s, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, _o___p___wargv, _o___p___argc, __CxxFrameHandler3, memcpy
api-ms-win-crt-runtime-l1-1-0.dll
_c_exit, _register_thread_local_exe_atexit_callback, _initterm_e, _initterm
api-ms-win-core-console-l3-2-0.dll
GetConsoleWindow
api-ms-win-core-profile-l1-1-0.dll
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll
GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-registry-l1-1-0.dll
RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, RegGetValueW, RegQueryValueExW
api-ms-win-power-setting-l1-1-0.dll
PowerSettingRegisterNotification
api-ms-win-security-base-l1-1-0.dll
EqualSid, GetTokenInformation
api-ms-win-security-sddl-l1-1-0.dll
ConvertSidToStringSidW
api-ms-win-core-delayload-l1-1-0.dll
DelayLoadFailureHook
api-ms-win-core-delayload-l1-1-1.dll
ResolveDelayLoadedAPI
api-ms-win-core-threadpool-l1-2-0.dll
CreateThreadpoolTimer, WaitForThreadpoolTimerCallbacks, SetThreadpoolTimer, CloseThreadpoolTimer
api-ms-win-core-interlocked-l1-1-0.dll
InitializeSListHead
api-ms-win-core-localization-l1-2-0.dll
FormatMessageW
api-ms-win-core-winrt-string-l1-1-0.dll
WindowsGetStringRawBuffer, WindowsCreateString, WindowsDeleteString, WindowsCreateStringReference
api-ms-win-eventing-provider-l1-1-0.dll
EventActivityIdControl, EventUnregister, EventProviderEnabled, EventWriteTransfer, EventRegister, EventSetInformation
api-ms-win-core-errorhandling-l1-1-0.dll
SetUnhandledExceptionFilter, RaiseException, SetLastError, UnhandledExceptionFilter, GetLastError
api-ms-win-core-libraryloader-l1-2-0.dll
GetModuleHandleExW, GetModuleFileNameA, GetModuleHandleW, GetProcAddress
api-ms-win-security-lsalookup-l1-1-0.dll
LookupAccountNameLocalW, LookupAccountSidLocalW
api-ms-win-core-processthreads-l1-1-0.dll
GetCurrentProcess, OpenProcessToken, CreateThread, GetExitCodeThread, GetCurrentThreadId, GetCurrentProcessId, TerminateProcess
api-ms-win-core-processthreads-l1-1-1.dll
IsProcessorFeaturePresent
api-ms-win-core-kernel32-legacy-l1-1-0.dll
WTSGetActiveConsoleSessionId
api-ms-win-rtcore-ntuser-powermanagement-l1-1-0.dll
UnregisterPowerSettingNotification
Strings
List
Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{48B4E58D-2791-456C-9091-D524C6C706F2}
DeviceCredentialDeployment.pdb
DeviceCredential.dll
Windows.Management.Deployment.Internal.PackageManagerInternal
Microsoft.Windows.Security.DevCredTask
onecore\ds\security\devicecredential\service\deploymenttask\deploymentapp.cpp
name="Microsoft.Windows.onecoreds.DeviceCredentialDeployment"
Windows.Management.Deployment.PackageManager
api-ms-win-security-sddl-l1-1-0.dll
onecore\ds\security\devicecredential\service\packageutil\packageutil.cpp
api-ms-win-core-registry-l1-1-0.dll
onecore\ds\security\devicecredential\service\util\dcautil.cpp
api-ms-win-security-lsalookup-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-security-base-l1-1-0.dll
"DeviceCredentialDeployment.exe"
"DeviceCredentialDeployment.exe"
"DeviceCredentialDeployment.exe"
kernelbase.dll
ntdll.dll
ntdll.dll
Windows.Foundation.PropertyValue
Windows.Foundation.Collections.ValueSet
api-ms-win-core-interlocked-l1-1-0.dll
%hs(%u)\%hs!%p:
%hs!%p:
api-ms-win-core-localization-l1-2-0.dll
api-ms-win-core-winrt-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-1.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-threadpool-l1-2-0.dll
(caller: %p)
SebDeleteEvent
api-ms-win-core-console-l3-2-0.dll
ResponseStatus=%d
api-ms-win-rtcore-ntuser-powermanagement-l1-1-0.dll
Software\Microsoft\Windows\CurrentVersion\SecondaryAuthFactor\Applications
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-core-kernel32-legacy-l1-1-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
Register Package '%ls' failed: %ls
DeviceCredentialDeployment worker window
api-ms-win-core-delayload-l1-1-0.dll
api-ms-win-core-delayload-l1-1-1.dll
%hs(%d) tid(%x) %08X %ws
Package '%ls' is not registred
api-ms-win-power-setting-l1-1-0.dll
Register package '%ls' with options '%d'
Package '%ls' is not registred, wait
DeviceCredentialScanDeploymentData
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-heap-l2-1-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-winrt-string-l1-1-0.dll
api-ms-win-core-com-l1-1-0.dll
api-ms-win-eventing-provider-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
Register background task for package '%ls'
ext-ms-win-session-wtsapi32-l1-1-0.dll
ext-ms-win-ntuser-synch-l1-1-0.dll
ext-ms-win-kernel32-package-l1-1-0.dll
api-ms-win-crt-private-l1-1-0.dll
SystemEventsBrokerClient.dll
_o__wcsicmp
3Local\SM0:%d:%d:%hs
_o__register_onexit_function
<requestedPrivileges>
_o___std_exception_destroy
SShG&@
SShN$@
CallContext:[%hs]
onecore\internal\sdk\inc\wil\opensource/wil/resource.h
ConnectionStatus=0x%d
IsProcessorFeaturePresent
GetProcAddress
ProcessDeploymentData
ProcessDeploymentData
ProcessDeploymentData
ProcessDeploymentData
RtlDeriveCapabilitySidsFromName
DeploymentThreadStart
Package '%ls' is not removed
Package '%ls' is not removed, wait
Remove Package '%ls' failed: %ls
DeploymentThreadExit
PackageRegistered
%ws doesn't have capability
Command
IsDebuggerPresent
TerminateProcess
OpenProcessToken
lstd::exception: %hs
QueryPerformanceCounter
RegOpenKeyExW

Foremost
Matches
0.exe, 63 KB
Suspicious
True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: ntdll.dll, kernelbase.dll, ext-ms-win-kernel32-package-l1-1-0.dll, ext-ms-win-session-wtsapi32-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-rtcore-ntuser-powermanagement-l1-1-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-kernel32-legacy-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-crt-string-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-delayload-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-winrt-string-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-eventing-provider-l1-1-0.dll, api-ms-win-core-delayload-l1-1-1.dll, api-ms-win-core-console-l3-2-0.dll, api-ms-win-core-winrt-l1-1-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-com-l1-1-0.dll, DeviceCredential.dll, ext-ms-win-ntuser-synch-l1-1-0.dll, api-ms-win-crt-runtime-l1-1-0.dll, api-ms-win-core-threadpool-l1-2-0.dll, api-ms-win-power-setting-l1-1-0.dll, api-ms-win-security-sddl-l1-1-0.dll, api-ms-win-crt-private-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-1.dll, api-ms-win-core-heap-l2-1-0.dll, SystemEventsBrokerClient.dll, api-ms-win-security-lsalookup-l1-1-0.dll, ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 13824
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 8192
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 106367
Suspicious: False

Sections
Allowed: .text, .data, .idata, .didat, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 10
Suspicious: False
Image
Version: 10
Suspicious: False
Linker
Version: 14.20
Suspicious: False
Subsystem
Version: 10.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 47920
Suspicious: False

Anomalies
Anomalies
hasAnomalies: False

Libraries
Allowed: ntdll.dll, kernelbase.dll, ext-ms-win-kernel32-package-l1-1-0.dll, ext-ms-win-session-wtsapi32-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-kernel32-legacy-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-delayload-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-winrt-string-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-eventing-provider-l1-1-0.dll, api-ms-win-core-delayload-l1-1-1.dll, api-ms-win-core-winrt-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-com-l1-1-0.dll, ext-ms-win-ntuser-synch-l1-1-0.dll, api-ms-win-core-threadpool-l1-2-0.dll, api-ms-win-power-setting-l1-1-0.dll, api-ms-win-security-sddl-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-1.dll, systemeventsbrokerclient.dll, api-ms-win-security-lsalookup-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll
hasLibs: True
Suspicious: api-ms-win-rtcore-ntuser-powermanagement-l1-1-0.dll, api-ms-win-crt-string-l1-1-0.dll, api-ms-win-core-console-l3-2-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll, devicecredential.dll, api-ms-win-crt-runtime-l1-1-0.dll, api-ms-win-crt-private-l1-1-0.dll, api-ms-win-core-heap-l2-1-0.dll, ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2099-10-20 19:33:16
Future: True

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches
None
Suspicious
False
Disassembly
hasTricks
True
Tricks
ldr
.text: 1

pushret
.text: 3

pushpopmath
.text: 1
.reloc: 3

sizeofimage
.text: 1

garbagebytes
.text: 1

stealthimport
.rsrc: 1

isdebbugerpresent
.text: 1

programcontrolflowchange
.text: 1

cpuinstructionsresultscomparison
.idata: 1

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 90.00%
suspicious: False

NFS 3.0 (Threshold = 0.75)
confidence: 70.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 67.15%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 88.20%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 51.87%
suspicious: True

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False