format[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

format.zip
Size

61KB
MD5

dfed7e55cb72112399c89c717ec88562
SHA1

428f90e11d125298076bab58e4a03efd222632be
SHA256

5260f6fb43c88046a11fa61c10ad4b97245800d7e4ac886bfe95abb42bc46ccf
SHA512

c79b82cae44eb3f5a029b04d0675f06280e2668dd69c0785dc0568c87d4e0cd36fefb8e6f05e0aeb110ce9539282215f5ff15d2d82616932138f2ea51b6a8ced
SSDEEP

1536:2MTDNc23G/c0LZUWXc958Wx6MxdEhv4ZkM43EhdX8mmMw39:2MX623G/ZBc95pHdE1sz43KX8f39

Score

N/A

Malware Config

Signatures

Files

format.zip
.zip
chcp.com
.exe windows x64

75fa51c548b19c4ad5051fab7d57eb56

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SetThreadUILanguage
GetSystemDefaultLangID
GetCurrentProcess
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
Sleep
TerminateProcess

msvcrt

_commode
?terminate@@YAXXZ
_amsg_exit
__getmainargs
__set_app_type
exit
_exit
_cexit
__setusermatherr
_initterm
_fmode
_XcptFilter
__C_specific_handler

ulib

?PutSwitches@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?DoParsing@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
?Initialize@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
??1ARGUMENT_LEXEMIZER@@UEAA@XZ
??0ARGUMENT_LEXEMIZER@@QEAA@XZ
?Initialize@STRING_ARGUMENT@@QEAAEPEAD@Z
??1STRING_ARGUMENT@@UEAA@XZ
??0FLAG_ARGUMENT@@QEAA@XZ
?SetOutputCodePage@SCREEN@@QEAAEK@Z
?SetCodePage@SCREEN@@QEAAEK@Z
?QueryCodePage@SCREEN@@QEAAKXZ
?MoveCursorTo@SCREEN@@QEAAEGG@Z
?Initialize@FLAG_ARGUMENT@@QEAAEPEAD@Z
?Initialize@SCREEN@@QEAAEXZ
??1SCREEN@@UEAA@XZ
??0SCREEN@@QEAA@XZ
??0PROGRAM@@IEAA@XZ
?QueryInvalidArgument@ARGUMENT_LEXEMIZER@@QEAAPEAVWSTRING@@XZ
?Usage@PROGRAM@@UEBAXXZ
?GetStandardError@PROGRAM@@UEAAPEAVSTREAM@@XZ
?GetStandardOutput@PROGRAM@@UEAAPEAVSTREAM@@XZ
?GetStandardInput@PROGRAM@@UEAAPEAVSTREAM@@XZ
?Fatal@PROGRAM@@UEBAXXZ
?Fatal@PROGRAM@@UEBAXKKPEADZZ
?ExitProgram@PROGRAM@@SAXK@Z
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@@Z
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@PEADZZ
??1PROGRAM@@UEAA@XZ
?Initialize@PROGRAM@@QEAAEKKK@Z
?Initialize@CLASS_DESCRIPTOR@@QEAAEPEBD@Z
??0CLASS_DESCRIPTOR@@QEAA@XZ
?Initialize@WSTRING@@QEAAEJ@Z
??0ARRAY@@QEAA@XZ
?PrepareToParse@ARGUMENT_LEXEMIZER@@QEAAEPEAVWSTRING@@@Z
?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QEAAXE@Z
??1OBJECT@@UEAA@XZ
?Compare@OBJECT@@UEBAJPEBV1@@Z
?DebugDump@OBJECT@@UEBAXE@Z
?ValidateVersion@PROGRAM@@UEBAXKK@Z
??1ARRAY@@UEAA@XZ
?Initialize@ARRAY@@QEAAEKK@Z
?Put@ARRAY@@UEAAEPEAVOBJECT@@@Z
??0LONG_ARGUMENT@@QEAA@XZ
?Initialize@LONG_ARGUMENT@@QEAAEPEAD@Z
??0DSTRING@@QEAA@XZ
??1DSTRING@@UEAA@XZ
?IsValueSet@ARGUMENT@@QEAAEXZ
?EraseScreenAndResetAttribute@SCREEN@@QEAAEXZ
??0STRING_ARGUMENT@@QEAA@XZ

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
RtlAllocateHeap
RtlVirtualUnwind

Sections

.text
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
format.com
.exe windows x64

313d6e1164bc915f7d0201babc6c5bb1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_XcptFilter
_amsg_exit
__getmainargs
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
_wcsicmp

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
SetErrorMode

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

ulib

?AnalyzePath@PATH@@QEAA?AW4PATH_ANALYZE_CODE@@PEAVWSTRING@@PEAV1@0@Z
?IsGuidVolName@PATH@@QEAAEXZ
??1PATH@@UEAA@XZ
??0PATH@@QEAA@XZ
?DisplayMsg@MESSAGE@@QEAAEKPEBDZZ
?Display@MESSAGE@@QEAAEPEBDZZ
?Initialize@WSTRING@@QEAAEPEBV1@KK@Z
?Initialize@WSTRING@@QEAAEPEBGK@Z
?Initialize@WSTRING@@QEAAEPEBDK@Z
?DisplayMsg@MESSAGE@@QEAAEK@Z
?Strupr@WSTRING@@QEAAPEAV1@XZ
?SPrintf@DSTRING@@UEAAEPEBGZZ
Get_Standard_Input_Stream
?Initialize@STREAM_MESSAGE@@QEAAEPEAVSTREAM@@00@Z
??1STREAM_MESSAGE@@UEAA@XZ
??0STREAM_MESSAGE@@QEAA@XZ
?IsStorageDaxCapable@SYSTEM@@SAEPEBVWSTRING@@PEAE@Z
?FreeLibraryHandle@SYSTEM@@SAXPEAX@Z
?QueryLibraryEntryPoint@SYSTEM@@SAP6A_JXZPEBVWSTRING@@0PEAPEAX@Z
?QueryVolumeLabel@SYSTEM@@SAPEAVWSTRING@@PEAVPATH@@PEAU_VOL_SERIAL_NUMBER@@@Z
?QueryDriveType@SYSTEM@@SA?AW4DRIVE_TYPE@@PEBVWSTRING@@@Z
?QueryCurrentDosDriveName@SYSTEM@@SAEPEAVWSTRING@@@Z
?Initialize@PATH@@QEAAEPEBVWSTRING@@E@Z
Get_Standard_Output_Stream
?Strcat@WSTRING@@QEAAEPEBV1@@Z
?Stricmp@WSTRING@@QEBAJPEBV1@KKKK@Z
??1DSTRING@@UEAA@XZ
??0STRING_ARGUMENT@@QEAA@XZ
?Initialize@STRING_ARGUMENT@@QEAAEPEAD@Z
??0ARGUMENT_LEXEMIZER@@QEAA@XZ
??1ARGUMENT_LEXEMIZER@@UEAA@XZ
?Initialize@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
?QueryInvalidArgument@ARGUMENT_LEXEMIZER@@QEAAPEAVWSTRING@@XZ
?PrepareToParse@ARGUMENT_LEXEMIZER@@QEAAEPEAVWSTRING@@@Z
?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QEAAXE@Z
?GetLexeme@ARGUMENT@@QEAAPEAVWSTRING@@XZ
?IsValueSet@ARGUMENT@@QEAAEXZ
?QueryWindowsErrorMessage@SYSTEM@@SAEKPEAVWSTRING@@@Z
??0PATH_ARGUMENT@@QEAA@XZ
?Initialize@PATH_ARGUMENT@@QEAAEPEADE@Z
??0FLAG_ARGUMENT@@QEAA@XZ
?Initialize@FLAG_ARGUMENT@@QEAAEPEAD@Z
??0ARRAY@@QEAA@XZ
??1ARRAY@@UEAA@XZ
?Initialize@ARRAY@@QEAAEKK@Z
?DeleteAllMembers@ARRAY@@UEAAEXZ
?Put@ARRAY@@UEAAEPEAVOBJECT@@@Z
??0LONG_ARGUMENT@@QEAA@XZ
?Initialize@LONG_ARGUMENT@@QEAAEPEAD@Z
??0DSTRING@@QEAA@XZ
?DoParsing@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z

ifsutil

InvalidateFve
NotifyFveAfterFormat
GetDefaultFileSystemIfs
?IsThinlyProvisioned@DP_DRIVE@@QEAAEXZ
?QueryRecommendedMediaType@DP_DRIVE@@QEBA?AW4_MEDIA_TYPE@@XZ
?QueryPartitionInfo@DP_DRIVE@@UEAAEPEAU_PARTITION_INFORMATION_EX@@@Z
?QuerySectors@DP_DRIVE@@UEBA?AVBIG_INT@@XZ
?QuerySectorSize@DP_DRIVE@@UEBAKXZ
?CloseDriveHandle@DP_DRIVE@@QEAAXXZ
?Initialize@DP_DRIVE@@QEAAEPEBVWSTRING@@PEAVMESSAGE@@EE@Z
??1DP_DRIVE@@UEAA@XZ
??0DP_DRIVE@@QEAA@XZ
?QueryServer@IFS_SYSTEM@@SAEPEAE@Z
?FormatScaleQuickFormatVerify@IFS_SYSTEM@@SAE_KPEAK11PEA_K@Z
?EnableVolumeIntegrity@IFS_SYSTEM@@SAEPEBVWSTRING@@G@Z
?EnableVolumeCompression@IFS_SYSTEM@@SAEPEBVWSTRING@@@Z
?IsFileSystemEnabled@IFS_SYSTEM@@SAEPEBVWSTRING@@PEAE@Z
?EnableFileSystem@IFS_SYSTEM@@SAEPEBVWSTRING@@@Z
?DosDriveNameToNtDriveName@IFS_SYSTEM@@SAEPEBVWSTRING@@PEAV2@@Z
?QueryFileSystemName@IFS_SYSTEM@@SAEPEBVWSTRING@@PEAV2@PEAJ1@Z

ntdll

RtlFreeHeap
RtlAllocateHeap

Sections

.text
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 288B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
mode.com
.exe windows x64

2f60c2ed7648c832822b0b1ee9787340

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ulib

?SetCodePage@SCREEN@@QEAAEK@Z
?QueryScreenSize@SCREEN@@QEBAXPEAG000@Z
?QueryCodePage@SCREEN@@QEAAKXZ
?ChangeScreenSize@SCREEN@@QEAAEGGPEAE@Z
?Initialize@SCREEN@@QEAAEXZ
??1SCREEN@@UEAA@XZ
??0SCREEN@@QEAA@XZ
??1PATH@@UEAA@XZ
?Initialize@PATH@@QEAAEPEBGE@Z
?Display@MESSAGE@@QEAAEPEBDZZ
?QueryStream@FSN_FILE@@QEAAPEAVFILE_STREAM@@W4STREAMACCESS@@K@Z
?WriteByte@STREAM@@QEAAEE@Z
?QueryIterator@ARRAY@@UEBAPEAVITERATOR@@XZ
??0FSTRING@@QEAA@XZ
??1FSTRING@@UEAA@XZ
?Initialize@FSTRING@@QEAAPEAVWSTRING@@PEAGK@Z
?Strstr@WSTRING@@QEBAKPEBV1@@Z
?Strupr@WSTRING@@QEAAPEAV1@XZ
?Stricmp@WSTRING@@QEBAJPEBV1@@Z
?QueryResourceString@BASE_SYSTEM@@SAEPEAVWSTRING@@KPEBDZZ
Get_Standard_Input_Stream
?Initialize@STREAM_MESSAGE@@QEAAEPEAVSTREAM@@00@Z
??0STREAM_MESSAGE@@QEAA@XZ
?IsCorrectVersion@SYSTEM@@SAEXZ
?Strchr@WSTRING@@QEBAKGK@Z
?Strcspn@WSTRING@@QEBAKPEBV1@K@Z
?Initialize@WSTRING@@QEAAEPEBDK@Z
?Initialize@WSTRING@@QEAAEPEBGK@Z
?Strlwr@WSTRING@@QEAAPEAV1@XZ
?Stricmp@WSTRING@@QEBAJPEBV1@KKKK@Z
??0COMM_DEVICE@@QEAA@XZ
??1COMM_DEVICE@@UEAA@XZ
?SetOutputCodePage@SCREEN@@QEAAEK@Z
?Initialize@WSTRING@@QEAAEPEBV1@KK@Z
?QueryNumber@WSTRING@@QEBAEPEAJKK@Z
?Compare@OBJECT@@UEBAJPEBV1@@Z
?DebugDump@OBJECT@@UEBAXE@Z
??0DSTRING@@QEAA@XZ
??1DSTRING@@UEAA@XZ
?Initialize@COMM_DEVICE@@QEAAEPEBVPATH@@PEAE@Z
?CommitState@COMM_DEVICE@@QEAAEXZ
?QueryTimeOut@COMM_DEVICE@@QEBAEXZ
?SetBaudRate@COMM_DEVICE@@QEAAEK@Z
?SetDataBits@COMM_DEVICE@@QEAAEK@Z
?SetDtrControl@COMM_DEVICE@@QEAAEW4DTR_CONTROL@@@Z
?SetIdsr@COMM_DEVICE@@QEAAEE@Z
?SetOcts@COMM_DEVICE@@QEAAEE@Z
?SetOdsr@COMM_DEVICE@@QEAAEE@Z
?SetParity@COMM_DEVICE@@QEAAEW4PARITY@@@Z
?SetRtsControl@COMM_DEVICE@@QEAAEW4RTS_CONTROL@@@Z
?SetStopBits@COMM_DEVICE@@QEAAEW4STOPBITS@@@Z
?SetTimeOut@COMM_DEVICE@@QEAAEE@Z
?SetXon@COMM_DEVICE@@QEAAEE@Z
?Initialize@WSTRING@@QEAAEJ@Z
?Replace@WSTRING@@QEAAEKKPEBV1@KK@Z
?Strcat@WSTRING@@QEAAEPEBV1@@Z
Get_Standard_Output_Stream
??0PATH@@QEAA@XZ
?Initialize@PATH@@QEAAEPEBVWSTRING@@E@Z
?QueryFileType@SYSTEM@@SA?AW4FILE_TYPE@@PEBVWSTRING@@@Z
??0ARRAY@@QEAA@XZ
??1ARRAY@@UEAA@XZ
?Initialize@ARRAY@@QEAAEKK@Z
?Resize@DSTRING@@UEAAEK@Z
?NewBuf@DSTRING@@UEAAEK@Z
?SPrintf@DSTRING@@UEAAEPEBGZZ
?QueryFile@SYSTEM@@SAPEAVFSN_FILE@@PEBVPATH@@EPEAE@Z
?SPrintfAppend@DSTRING@@UEAAEPEBGZZ

ureg

?Initialize@REGISTRY@@QEAAEPEBVWSTRING@@PEAK@Z
?QueryValues@REGISTRY@@QEAAEW4_PREDEFINED_KEY@@PEBVWSTRING@@1PEAVARRAY@@PEAK@Z
??1REGISTRY@@UEAA@XZ
??0REGISTRY@@QEAA@XZ

user32

SystemParametersInfoW

ntdll

RtlAllocateHeap
RtlCaptureContext
RtlVirtualUnwind
RtlFreeHeap
RtlLookupFunctionEntry

kernel32

TerminateProcess
GetModuleHandleW
SetUnhandledExceptionFilter
Sleep
DefineDosDeviceW
QueryDosDeviceW
GetLastError
SetThreadUILanguage
GetConsoleOutputCP
GetCommandLineW
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
GetCurrentProcess
QueryPerformanceCounter

msvcrt

?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
exit
_wsetlocale
_snwprintf_s
towupper
isdigit

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 68B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
more.com
.exe windows x64

0c997052163f246eedf66bb131bfc0a3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__C_specific_handler
_fmode
_commode
?terminate@@YAXXZ
_initterm
__setusermatherr
_cexit
_exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
exit

ulib

?Initialize@BSTRING@@QEAAEPEBDK@Z
?QueryScreenSize@SCREEN@@QEBAXPEAG000@Z
?MoveCursorTo@SCREEN@@QEAAEGG@Z
?EraseScreenAndResetAttribute@SCREEN@@QEAAEXZ
?Cast@SCREEN@@SAPEAV1@PEBVOBJECT@@@Z
?NewBuf@BDSTRING@@UEAAEK@Z
?Resize@BDSTRING@@UEAAEK@Z
??1BDSTRING@@UEAA@XZ
??0BDSTRING@@QEAA@XZ
?Cast@FILE_STREAM@@SAPEAV1@PEBVOBJECT@@@Z
?QuerySTR@WSTRING@@QEBAPEADKKPEADKE@Z
?QueryByteCount@WSTRING@@QEBAKXZ
?Strchr@BSTRING@@QEBAKDK@Z
?NextChar@BSTRING@@QEAAKK@Z
?Initialize@BSTRING@@QEAAEXZ
?NewBuf@DSTRING@@UEAAEK@Z
?Strchr@WSTRING@@QEBAKGK@Z
?Initialize@WSTRING@@QEAAEXZ
?QueryStream@FSN_FILE@@QEAAPEAVFILE_STREAM@@W4STREAMACCESS@@K@Z
?QueryFile@SYSTEM@@SAPEAVFSN_FILE@@PEBVPATH@@EPEAE@Z
?QuerySTR@BSTRING@@QEBAPEADKKPEADKE@Z
??0PROGRAM@@IEAA@XZ
?ValidateVersion@PROGRAM@@UEBAXKK@Z
?Usage@PROGRAM@@UEBAXXZ
?GetStandardError@PROGRAM@@UEAAPEAVSTREAM@@XZ
?GetStandardOutput@PROGRAM@@UEAAPEAVSTREAM@@XZ
?GetStandardInput@PROGRAM@@UEAAPEAVSTREAM@@XZ
?Fatal@PROGRAM@@UEBAXXZ
?Fatal@PROGRAM@@UEBAXKKPEADZZ
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@@Z
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@PEADZZ
?Initialize@PROGRAM@@QEAAEKKK@Z
?Initialize@CLASS_DESCRIPTOR@@QEAAEPEBD@Z
??0CLASS_DESCRIPTOR@@QEAA@XZ
?EnableLineMode@KEYBOARD@@QEAAEXZ
?DisableLineMode@KEYBOARD@@QEAAEXZ
?Initialize@KEYBOARD@@QEAAEEE@Z
??0KEYBOARD@@QEAA@XZ
?SetConsoleConversions@WSTRING@@SAXXZ
?Strcat@WSTRING@@QEAAEPEBV1@@Z
?QueryNumber@WSTRING@@QEBAEPEAJKK@Z
?Truncate@WSTRING@@QEAAKK@Z
?Strupr@WSTRING@@QEAAPEAV1@XZ
?Stricmp@WSTRING@@QEBAJPEBV1@@Z
?ReplaceWithChars@BSTRING@@QEAAEKKDK@Z
?Compare@OBJECT@@UEBAJPEBV1@@Z
?DebugDump@OBJECT@@UEBAXE@Z
??0OBJECT@@IEAA@XZ
?ReadLine@STREAM@@QEAAEPEAVWSTRING@@E@Z
?QueryResourceString@BASE_SYSTEM@@SAEPEAVWSTRING@@KPEBDZZ
?Resize@DSTRING@@UEAAEK@Z
?SPrintf@DSTRING@@UEAAEPEBGZZ
?SPrintfAppend@DSTRING@@UEAAEPEBGZZ
?Initialize@WSTRING@@QEAAEPEBDK@Z
?Initialize@WSTRING@@QEAAEPEBGK@Z
?Display@MESSAGE@@QEAAEPEBDZZ
??0ARGUMENT_LEXEMIZER@@QEAA@XZ
??1ARGUMENT_LEXEMIZER@@UEAA@XZ
?Initialize@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
?DoParsing@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
?PutMultipleSwitch@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?PutSeparators@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?PutSwitches@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?QueryInvalidArgument@ARGUMENT_LEXEMIZER@@QEAAPEAVWSTRING@@XZ
?PrepareToParse@ARGUMENT_LEXEMIZER@@QEAAEPEAVWSTRING@@@Z
?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QEAAXE@Z
??1OBJECT@@UEAA@XZ
?IsValueSet@ARGUMENT@@QEAAEXZ
??0MULTIPLE_PATH_ARGUMENT@@QEAA@XZ
?Initialize@MULTIPLE_PATH_ARGUMENT@@QEAAEPEADEE@Z
?QueryEnvironmentVariable@SYSTEM@@SAPEAVWSTRING@@PEBV2@@Z
??0PATH_ARGUMENT@@QEAA@XZ
??1PATH_ARGUMENT@@UEAA@XZ
?Initialize@PATH_ARGUMENT@@QEAAEPEADE@Z
??0FLAG_ARGUMENT@@QEAA@XZ
?Initialize@FLAG_ARGUMENT@@QEAAEPEAD@Z
??0ARRAY@@QEAA@XZ
??1ARRAY@@UEAA@XZ
?Initialize@ARRAY@@QEAAEKK@Z
?DeleteAllMembers@ARRAY@@UEAAEXZ
?Put@ARRAY@@UEAAEPEAVOBJECT@@@Z
??0LONG_ARGUMENT@@QEAA@XZ
?Initialize@LONG_ARGUMENT@@QEAAEPEAD@Z
??0DSTRING@@QEAA@XZ
??1DSTRING@@UEAA@XZ
?Strspn@WSTRING@@QEBAKPEBV1@K@Z

ntdll

RtlCaptureContext
RtlFreeHeap
RtlAllocateHeap
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegCloseKey
RegQueryValueExW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcess
TerminateProcess
ExitProcess
GetCurrentProcessId

api-ms-win-core-console-l1-1-0

GetConsoleOutputCP

api-ms-win-core-localization-l1-2-0

IsDBCSLeadByte
GetCPInfo

api-ms-win-core-console-l2-1-0

GenerateConsoleCtrlEvent

api-ms-win-core-synch-l1-2-0

Sleep
WakeAllConditionVariable
SleepConditionVariableSRW

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
AcquireSRWLockExclusive

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

Sections

.text
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 588B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 108B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
tree.com
.exe windows x64

ce61f0d54e756cf478d6db3f61f7eca0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
exit

ulib

?GetLexeme@ARGUMENT@@QEAAPEAVWSTRING@@XZ
?DebugDump@OBJECT@@UEBAXE@Z
?Compare@OBJECT@@UEBAJPEBV1@@Z
??1OBJECT@@UEAA@XZ
?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QEAAXE@Z
?PrepareToParse@ARGUMENT_LEXEMIZER@@QEAAEPEAVWSTRING@@@Z
?QueryInvalidArgument@ARGUMENT_LEXEMIZER@@QEAAPEAVWSTRING@@XZ
?PutSwitches@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?PutSeparators@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?DoParsing@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
?Initialize@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
??1ARGUMENT_LEXEMIZER@@UEAA@XZ
??0ARGUMENT_LEXEMIZER@@QEAA@XZ
?Initialize@STRING_ARGUMENT@@QEAAEPEAD@Z
??1STRING_ARGUMENT@@UEAA@XZ
??0STRING_ARGUMENT@@QEAA@XZ
?QueryFsnodeArray@FSN_DIRECTORY@@QEBAPEAVARRAY@@PEAVFSN_FILTER@@@Z
??0STREAM_MESSAGE@@QEAA@XZ
?ValidateVersion@PROGRAM@@UEBAXKK@Z
?Usage@PROGRAM@@UEBAXXZ
?GetStandardError@PROGRAM@@UEAAPEAVSTREAM@@XZ
?GetStandardOutput@PROGRAM@@UEAAPEAVSTREAM@@XZ
?GetStandardInput@PROGRAM@@UEAAPEAVSTREAM@@XZ
?Fatal@PROGRAM@@UEBAXXZ
?Fatal@PROGRAM@@UEBAXKKPEADZZ
?IsValueSet@ARGUMENT@@QEAAEXZ
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@PEADZZ
??1PROGRAM@@UEAA@XZ
?Initialize@CLASS_DESCRIPTOR@@QEAAEPEBD@Z
??0CLASS_DESCRIPTOR@@QEAA@XZ
?QueryFullPathString@PATH@@QEBAPEAVWSTRING@@XZ
?IsDrive@PATH@@QEBAEXZ
??1PATH@@UEAA@XZ
?Initialize@PATH@@QEAAEPEBGE@Z
?Initialize@PATH@@QEAAEPEBVWSTRING@@E@Z
??0PATH@@QEAA@XZ
?Display@MESSAGE@@QEAAEPEBDZZ
Get_Standard_Output_Stream
?SetAttributes@FSN_FILTER@@QEAAEKKK@Z
?SetFileName@FSN_FILTER@@QEAAEPEBD@Z
?Initialize@FSN_FILTER@@QEAAEXZ
??1FSN_FILTER@@UEAA@XZ
??0FSN_FILTER@@QEAA@XZ
?Strcat@WSTRING@@QEAAEPEBV1@@Z
?QueryString@WSTRING@@QEBAPEAV1@KK@Z
?Initialize@WSTRING@@QEAAEPEBV1@KK@Z
?Initialize@WSTRING@@QEAAEPEBGK@Z
?Initialize@WSTRING@@QEAAEPEBDK@Z
?Strupr@WSTRING@@QEAAPEAV1@XZ
?QueryDirectory@SYSTEM@@SAPEAVFSN_DIRECTORY@@PEBVPATH@@E@Z
?QueryVolumeLabel@SYSTEM@@SAPEAVWSTRING@@PEAVPATH@@PEAU_VOL_SERIAL_NUMBER@@@Z
??0PATH_ARGUMENT@@QEAA@XZ
??1PATH_ARGUMENT@@UEAA@XZ
?Initialize@PATH_ARGUMENT@@QEAAEPEADE@Z
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@@Z
?WriteByte@STREAM@@QEAAEE@Z
??1STREAM_MESSAGE@@UEAA@XZ
?Initialize@STREAM_MESSAGE@@QEAAEPEAVSTREAM@@00@Z
??0FLAG_ARGUMENT@@QEAA@XZ
?Initialize@FLAG_ARGUMENT@@QEAAEPEAD@Z
??0ARRAY@@QEAA@XZ
??1ARRAY@@UEAA@XZ
?Initialize@ARRAY@@QEAAEKK@Z
?Put@ARRAY@@UEAAEPEAVOBJECT@@@Z
Get_Standard_Input_Stream
??0DSTRING@@QEAA@XZ
??1DSTRING@@UEAA@XZ
??0PROGRAM@@IEAA@XZ

ntdll

RtlCaptureContext
RtlFreeHeap
RtlAllocateHeap
RtlLookupFunctionEntry
RtlVirtualUnwind

kernel32

GetConsoleOutputCP
Sleep
SetUnhandledExceptionFilter
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 336B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

75fa51c548b19c4ad5051fab7d57eb56

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

ulib

ntdll

Sections

.text Size: 8KB - Virtual size: 4KB

.rdata Size: 8KB - Virtual size: 5KB

.data Size: 4KB - Virtual size: 1KB

.pdata Size: 4KB - Virtual size: 276B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 72B

313d6e1164bc915f7d0201babc6c5bb1

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

ulib

ifsutil

ntdll

Sections

.text Size: 36KB - Virtual size: 32KB

.rdata Size: 12KB - Virtual size: 9KB

.data Size: 4KB - Virtual size: 1KB

.pdata Size: 4KB - Virtual size: 288B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 48B

2f60c2ed7648c832822b0b1ee9787340

Headers

DLL Characteristics

File Characteristics

Imports

ulib

ureg

user32

ntdll

kernel32

msvcrt

Sections

.text Size: 20KB - Virtual size: 19KB

.rdata Size: 12KB - Virtual size: 8KB

.data Size: 4KB - Virtual size: 1KB

.pdata Size: 4KB - Virtual size: 732B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 68B

0c997052163f246eedf66bb131bfc0a3

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ulib

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-console-l2-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

.text
Size: 8KB - Virtual size: 4KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 276B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 72B

.text
Size: 36KB - Virtual size: 32KB

.rdata
Size: 12KB - Virtual size: 9KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 288B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 48B

.text
Size: 20KB - Virtual size: 19KB

.rdata
Size: 12KB - Virtual size: 8KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 732B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 68B

.text
Size: 16KB - Virtual size: 14KB

.rdata
Size: 12KB - Virtual size: 9KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 588B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 108B

.text
Size: 12KB - Virtual size: 10KB

.rdata
Size: 8KB - Virtual size: 6KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 336B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 72B