exm[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

exm.zip
Size

54.7MB
MD5

8b3658c2daf9541c54aeb7def230b92d
SHA1

7fcf0aad6a4acc6643394e773e595e6ff559f921
SHA256

16488b46eb55938f1892fb4b9d47f10ffe9f1ba929475e1f3b7ea569cdc2fcfb
SHA512

f5d6ed4849128efaee3425abacd7319a7284ef5e58e387f550f0e939a3b7af295ce2a1e6ca6808e2278bea39d6471fc792b06e746f881879ca791f870c58d9a8
SSDEEP

1572864:eR7IDEjc3u+Ig75Up5rEXW+fjYL26NMmAHs7tL:80D+M7n75KNkXjGjm/HOL

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Exm/FortniteSettings/Fortnite_Settings.exe

Files

exm.zip
.zip
Exm/Autoruns/autoruns.exe
.exe windows:6 windows x86 arch:x86

ee7d0ec49c38d4f4d12574e449f1a355

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bf:30:20:a0:42:0e:26:5e:60:73:43:49:b4:41:b7:ed:c7:d8:97:fa:20:fc:38:12:03:a5:93:53:98:4e:0d:cb
Signer

Actual PE Digest

bf:30:20:a0:42:0e:26:5e:60:73:43:49:b4:41:b7:ed:c7:d8:97:fa:20:fc:38:12:03:a5:93:53:98:4e:0d:cb

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ReadConsoleInputW
SetConsoleMode
GetConsoleMode
GetTimeZoneInformation
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
LCMapStringW
CompareStringW
GetConsoleCP
ExitProcess
VirtualProtect
GetSystemInfo
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
RtlUnwind
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WaitForSingleObjectEx
ResetEvent
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetSystemTimeAsFileTime
FlushFileBuffers
QueryPerformanceCounter
LCMapStringEx
InitOnceBeginInitialize
InitOnceComplete
AcquireSRWLockShared
ReleaseSRWLockShared
TryAcquireSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeSRWLock
GetStringTypeW
LoadLibraryExA
VirtualFree
VirtualAlloc
IsProcessorFeaturePresent
FlushInstructionCache
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
EncodePointer
OutputDebugStringW
IsDebuggerPresent
GetFullPathNameW
GetNativeSystemInfo
IsWow64Process
GetFileTime
QueryDosDeviceW
GetLogicalDrives
SearchPathW
K32GetMappedFileNameW
WaitForMultipleObjects
CreateSemaphoreW
CreateEventW
SetEnvironmentVariableW
FindClose
FindNextFileW
FindFirstFileW
ReleaseSemaphore
SetEvent
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetFileSize
FileTimeToLocalFileTime
TrySubmitThreadpoolCallback
CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer
GetWindowsDirectoryW
GetSystemWow64DirectoryW
GetSystemWindowsDirectoryW
GetConsoleOutputCP
GetFileSizeEx
SetFilePointerEx
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
ReadFile
WriteConsoleW
LocalAlloc
GetFileType
GetStdHandle
GetVersionExW
GetTickCount64
GetSystemDirectoryW
TerminateThread
CreateThread
WaitForSingleObject
WideCharToMultiByte
OpenProcess
Sleep
ExpandEnvironmentStringsW
GetStartupInfoW
CreateProcessW
GetCommandLineW
VerifyVersionInfoW
GetComputerNameW
lstrcmpW
LocalFree
VirtualQuery
GetCurrentProcessId
VerSetConditionMask
MoveFileW
SetFileAttributesW
RemoveDirectoryW
CreateDirectoryW
GetNumberFormatEx
GetLocaleInfoW
GetTimeFormatW
GlobalAlloc
GetDateFormatW
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
GetFileInformationByHandle
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
MultiByteToWideChar
lstrcmpiW
LoadLibraryExW
ReadConsoleW
SetThreadPriority
GetCurrentThread
DecodePointer
SetCurrentDirectoryW
FormatMessageW
GetModuleHandleExW
GetModuleFileNameA
DebugBreak
lstrlenW
MulDiv
LoadLibraryW
FreeLibrary
GetThreadId
CloseHandle
GetTempPathW
WriteFile
GetTempFileNameW
DeleteFileW
CreateFileW
GetModuleFileNameW
GetCurrentThreadId
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
SetLastError
GetLastError
RaiseException
GetPrivateProfileStringW
GetPrivateProfileIntW
GetFileAttributesW
GetProcAddress
GetModuleHandleW
GetCurrentProcess
FindResourceW
SizeofResource
LockResource
LoadResource
FindResourceExW
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GlobalLock
GlobalUnlock

user32

CloseClipboard
SendMessageW
SetClipboardData
EmptyClipboard
IsRectEmpty
EnumDisplaySettingsW
FindWindowExW
FindWindowW
SetForegroundWindow
WaitForInputIdle
IsDlgButtonChecked
CheckDlgButton
EnableWindow
GetDlgItemTextW
DestroyMenu
SetMenuItemInfoW
GetSysColor
LoadImageW
DialogBoxIndirectParamW
OpenClipboard
DrawIconEx
DefWindowProcW
CallWindowProcW
UnregisterClassW
RegisterClassExW
GetClassInfoExW
CreateWindowExW
SetFocus
GetFocus
SetTimer
KillTimer
DrawTextW
BeginPaint
EndPaint
InvalidateRect
SetWindowTextW
GetWindowTextW
GetWindowTextLengthW
GetClientRect
MonitorFromPoint
IsDialogMessageW
CheckMenuRadioItem
GetWindowThreadProcessId
GetDesktopWindow
SetRectEmpty
SetRect
WindowFromPoint
ClientToScreen
GetCursorPos
SetCursor
SetCursorPos
MessageBeep
AdjustWindowRectEx
SetMenuDefaultItem
GetMenuItemInfoW
SetMenuInfo
GetMenuInfo
TrackPopupMenuEx
DeleteMenu
RemoveMenu
ModifyMenuW
AppendMenuW
InsertMenuW
GetMenuItemCount
GetMenuItemID
GetSubMenu
EnableMenuItem
CreatePopupMenu
GetMenuStringW
SetMenu
GetMenu
TranslateAcceleratorW
ReleaseCapture
SetCapture
GetCapture
GetKeyState
GetActiveWindow
CharLowerW
GetDlgCtrlID
DialogBoxParamW
CreateDialogParamW
SetWindowPlacement
GetWindowPlacement
IsMenu
PostQuitMessage
GetMessagePos
DrawFrameControl
DrawEdge
TrackMouseEvent
RegisterWindowMessageW
LoadStringA
EnumChildWindows
MessageBoxW
LoadMenuW
LoadAcceleratorsW
CharNextW
DestroyWindow
IsWindow
PeekMessageW
DispatchMessageW
TranslateMessage
GetMessageW
LoadStringW
LoadIconW
GetDlgItem
GetWindow
MapWindowPoints
GetWindowRect
SetDlgItemTextW
EndDialog
GetAncestor
GetWindowModuleFileNameW
GetMonitorInfoW
MonitorFromWindow
SystemParametersInfoW
GetScrollInfo
SetScrollInfo
DestroyIcon
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExW
GetClassNameW
SetClassLongW
PtInRect
OffsetRect
InflateRect
CopyRect
FrameRect
FillRect
DrawFocusRect
ScreenToClient
ShowScrollBar
SetScrollPos
RedrawWindow
ReleaseDC
GetWindowDC
GetDC
UpdateWindow
GetSystemMetrics
IsWindowEnabled
IsZoomed
IsWindowVisible
SetWindowPos
MoveWindow
ShowWindow
IsChild
PostMessageW
GetSysColorBrush
LoadCursorW
GetParent
SetWindowLongW
GetWindowLongW

gdi32

SetBkColor
SelectObject
DeleteObject
DeleteDC
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
ExtTextOutW
SetViewportOrgEx
CreateFontIndirectW
SetBkMode
SetTextColor
GetObjectW
CreateSolidBrush
CreatePen
GetDeviceCaps
GetStockObject
GetTextExtentPoint32W
LineTo
Rectangle
SetTextAlign
MoveToEx
TextOutW
Polyline
CreateBitmap
CreatePatternBrush
ExcludeClipRect
PatBlt
CreateDIBSection
SetBrushOrgEx
SetMapMode
StartDocW
EndDoc
StartPage
EndPage
Polygon
GetCurrentObject

comdlg32

PrintDlgW
ChooseFontW
FindTextW
GetOpenFileNameW
GetSaveFileNameW

advapi32

RegEnumKeyExW
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
RegLoadMUIStringW
LookupPrivilegeValueW
AdjustTokenPrivileges
QueryServiceConfig2W
GetServiceDisplayNameW
CryptDestroyHash
RegGetValueW
RegOpenKeyW
RegCreateKeyW
RegRenameKey
RegEnumValueW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
DeleteService
ControlService
CloseServiceHandle
ConvertStringSidToSidW
LookupAccountSidW
RegCopyTreeW
RegDeleteTreeW
RegQueryValueExW
ConvertSidToStringSidW
RegLoadKeyW
IsValidSid
GetTokenInformation
GetLengthSid
CopySid
OpenProcessToken
RegSetValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
CryptReleaseContext

shell32

ShellExecuteW
SHEvaluateSystemCommandTemplate
SHGetStockIconInfo
ExtractIconExW
SHGetKnownFolderPath
ExtractAssociatedIconW
CommandLineToArgvW
ShellExecuteExW

ole32

CoUninitialize
CoInitializeEx
CoCreateInstance
StringFromGUID2
CLSIDFromString
CoTaskMemFree
CoTaskMemRealloc
StgCreateStorageEx
StgOpenStorageEx
CoTaskMemAlloc

oleaut32

SysStringLen
VariantClear
VarUI4FromStr
SysFreeString
SysAllocString
VariantInit

shlwapi

SHCreateStreamOnFileW
SHAutoComplete

comctl32

ImageList_Destroy
ImageList_DrawIndirect
ImageList_GetImageCount
ImageList_Create
ImageList_WriteEx
ImageList_Read
ImageList_GetIcon
ImageList_ReplaceIcon
InitCommonControlsEx
ImageList_GetIconSize
ImageList_Duplicate
ImageList_DrawEx
CreateStatusWindowW
ImageList_DragShowNolock
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_AddMasked
ImageList_Draw

uxtheme

IsThemeActive
SetWindowTheme
IsAppThemed

msimg32

GradientFill

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

dwmapi

DwmSetWindowAttribute
DwmDefWindowProc

winhttp

WinHttpGetProxyForUrl
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpWriteData
WinHttpReceiveResponse
WinHttpConnect

crypt32

CertGetNameStringW

Sections

.text
Size: 720KB - Virtual size: 720KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 211KB - Virtual size: 211KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 30KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 727KB - Virtual size: 726KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Exm/FortniteSettings/Fortnite_Settings.exe
.exe windows:6 windows x86 arch:x86

5faa4e2549a90b4b068a8d326d23ab61

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

MultiByteToWideChar
GetTickCount
QueryPerformanceFrequency
QueryPerformanceCounter
GetModuleHandleW
FlushInstructionCache
InterlockedPushEntrySList
InterlockedFlushSList
InitializeSListHead
GetTickCount64
DuplicateHandle
QueueUserAPC
WaitForSingleObjectEx
SetThreadPriority
GetThreadPriority
ResumeThread
GetCurrentThreadId
Sleep
TlsAlloc
GetCurrentThread
CreateThread
WaitForMultipleObjectsEx
SignalObjectAndWait
SetThreadStackGuarantee
VirtualQuery
GetStdHandle
WideCharToMultiByte
GetConsoleOutputCP
MapViewOfFileEx
UnmapViewOfFile
GetStringTypeExW
SetEvent
GetCurrentProcessorNumber
GlobalMemoryStatusEx
CreateIoCompletionPort
PostQueuedCompletionStatus
SleepEx
GetQueuedCompletionStatus
InterlockedPopEntrySList
GetCurrentProcessorNumberEx
ExitProcess
CreateMemoryResourceNotification
GetProcessAffinityMask
SetThreadIdealProcessorEx
GetThreadIdealProcessorEx
GetLargePageMinimum
VirtualUnlock
ResetWriteWatch
GetWriteWatch
GetLogicalProcessorInformation
SetThreadGroupAffinity
SetThreadAffinityMask
IsProcessInJob
QueryInformationJobObject
K32GetProcessMemoryInfo
VirtualAlloc
VirtualFree
VirtualProtect
SwitchToThread
CloseThreadpoolTimer
CreateThreadpoolTimer
SetThreadpoolTimer
GetFileSize
GetEnvironmentVariableW
SetEnvironmentVariableW
CreateEventW
ResetEvent
CreateSemaphoreExW
ReleaseSemaphore
CreateMutexW
ReleaseMutex
GetThreadContext
SuspendThread
SetThreadContext
GetEnabledXStateFeatures
InitializeContext
CopyContext
GetSystemDefaultLCID
GetUserDefaultLCID
OutputDebugStringA
RtlUnwind
HeapAlloc
HeapFree
GetProcessHeap
HeapCreate
HeapDestroy
GetEnvironmentStringsW
FreeEnvironmentStringsW
FormatMessageW
GetACP
LCMapStringEx
LocalFree
VerSetConditionMask
VerifyVersionInfoW
IsWow64Process
FindClose
GetModuleFileNameW
FindNextFileW
QueryThreadCycleTime
VirtualAllocExNuma
GetNumaProcessorNodeEx
GetNumaHighestNodeNumber
GetSystemTimes
GetSystemTimeAsFileTime
CreateProcessW
GetCPInfo
LoadLibraryExW
CreateFileW
GetFileAttributesExW
GetTempPathW
GetCurrentDirectoryW
FindFirstFileExW
GetFullPathNameW
OpenProcess
LoadLibraryExA
OpenEventW
ExitThread
HeapReAlloc
CreateNamedPipeA
WaitForMultipleObjects
DisconnectNamedPipe
CreateFileA
CancelIoEx
GetOverlappedResult
ConnectNamedPipe
FlushFileBuffers
CreateFileMappingW
MapViewOfFile
GetActiveProcessorGroupCount
GetSystemTime
SetConsoleCtrlHandler
GetLocaleInfoEx
GetUserDefaultLocaleName
CreateDirectoryW
RemoveDirectoryW
GetFileSizeEx
LoadLibraryA
InitializeCriticalSectionAndSpinCount
AddVectoredExceptionHandler
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCurrentProcessId
RaiseFailFastException
FreeLibrary
RaiseException
WaitForSingleObject
TlsSetValue
TlsGetValue
GetSystemInfo
ReadProcessMemory
IsDebuggerPresent
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
WriteFile
GetProcessTimes
GetCommandLineW
ReadFile
SetFilePointer
GetProcAddress
GetModuleHandleExW
SetErrorMode
CloseHandle
GetCurrentProcess
FlushProcessWriteBuffers
SetLastError
GetLastError
OutputDebugStringW
SetXStateFeaturesMask
DebugBreak
DecodePointer
GetStringTypeW
IsProcessorFeaturePresent
EncodePointer
TlsFree
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionEx
TryEnterCriticalSection
GetExitCodeThread
CreateFileMappingA

advapi32

RegGetValueW
SetKernelObjectSecurity
GetSidSubAuthorityCount
GetSidSubAuthority
GetTokenInformation
DeregisterEventSource
ReportEventW
RegisterEventSourceW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
EventRegister
AdjustTokenPrivileges
OpenProcessToken
LookupPrivilegeValueW
SetThreadToken
RevertToSelf
OpenThreadToken
EventWriteTransfer
EventWrite

ole32

CoCreateGuid
CoTaskMemAlloc
CoUninitialize
CoReleaseMarshalData
CoInitializeEx
IIDFromString
CoRegisterInitializeSpy
CoGetMarshalSizeMax
CoMarshalInterface
CoUnmarshalInterface
CoGetContextToken
CoGetClassObject
CoCreateFreeThreadedMarshaler
CreateStreamOnHGlobal
CoRevokeInitializeSpy
CLSIDFromProgID
CoWaitForMultipleHandles
StringFromGUID2
CoTaskMemFree
CoGetObjectContext

oleaut32

SafeArrayAllocDescriptorEx
GetRecordInfoFromTypeInfo
SafeArraySetRecordInfo
SafeArrayAllocData
SafeArrayGetElemsize
SysStringByteLen
SysAllocStringByteLen
SafeArrayCreateVector
SafeArrayPutElement
LoadRegTypeLi
CreateErrorInfo
VariantInit
VariantClear
VarCyFromDec
VariantChangeType
SafeArrayGetVartype
LoadTypeLibEx
QueryPathOfRegTypeLi
SafeArrayDestroy
SafeArrayGetLBound
SafeArrayGetDim
SysAllocStringLen
SysStringLen
SysAllocString
SetErrorInfo
GetErrorInfo
SysFreeString
VariantChangeTypeEx

user32

MessageBoxW
LoadStringW

version

VerQueryValueW
GetFileVersionInfoExW
GetFileVersionInfoSizeExW

shell32

ShellExecuteW

api-ms-win-crt-string-l1-1-0

isspace
strtok_s
_wcsnicmp
strncmp
wcscpy_s
_strnicmp
strcpy_s
strlen
strcmp
_strdup
strncpy_s
wcsncmp
iswupper
towlower
isalpha
isdigit
wcstok_s
strcat_s
strcspn
_stricmp
wcsnlen
isupper
iswspace
_wcsicmp
_wcsdup
strncat_s
wcsncpy_s
tolower
islower
wcsncat_s
strnlen
__strncnt
iswascii
towupper
wcscat_s

api-ms-win-crt-stdio-l1-1-0

_set_fmode
_wfsopen
__stdio_common_vfprintf
fwrite
fputc
__stdio_common_vswprintf
__p__commode
__stdio_common_vswprintf_s
_putws
fgetc
_flushall
fputws
fputwc
_get_stream_buffer_pointers
fopen
_fseeki64
fread
__stdio_common_vsprintf_s
fsetpos
__acrt_iob_func
fflush
fputs
__stdio_common_vsnwprintf_s
ungetc
fgetpos
__stdio_common_vsscanf
setvbuf
_setmode
_dup
_fileno
ftell
fseek
fgets
fclose
_wfopen
__stdio_common_vfwprintf
__stdio_common_vsnprintf_s

api-ms-win-crt-runtime-l1-1-0

_controlfp_s
_errno
_invalid_parameter_noinfo_noreturn
_beginthreadex
_wcserror
_get_initial_wide_environment
terminate
_register_thread_local_exe_atexit_callback
_c_exit
__p___wargv
__p___argc
abort
exit
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_exit
_configure_wide_argv
_initialize_wide_environment
_invalid_parameter_noinfo
_initterm
_initterm_e

api-ms-win-crt-convert-l1-1-0

atoi
_ltow_s
_wtoi
_wcstoui64
strtoul
strtoull
atol
_itow_s
wcstoul

api-ms-win-crt-heap-l1-1-0

_set_new_mode
malloc
calloc
free
realloc

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

_CIcosh
__libm_sse2_tan
_libm_sse2_acos_precise
_libm_sse2_asin_precise
_CIfmod
_CIsinh
_CItanh
__libm_sse2_sin
__libm_sse2_acos
__libm_sse2_asin
__libm_sse2_atan
_copysign
log2
atanh
modf
ilogb
cbrt
asinh
asinhf
ilogbf
atanhf
cbrtf
acoshf
log2f
_libm_sse2_atan_precise
__libm_sse2_pow
_libm_sse2_cos_precise
_libm_sse2_exp_precise
_isnan
_libm_sse2_log10_precise
_libm_sse2_log_precise
_libm_sse2_pow_precise
_libm_sse2_sin_precise
_libm_sse2_sqrt_precise
_fdopen
_libm_sse2_tan_precise
ceil
_finite
__libm_sse2_atan2
_CIatan2
__libm_sse2_cos
floor
__libm_sse2_log10
frexp
fma
fmaf
__libm_sse2_exp
acosh
__libm_sse2_log
__setusermatherr

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64_s
wcsftime

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv
_lock_locales
_unlock_locales
setlocale
__pctype_func
___lc_locale_name_func
___lc_codepage_func
___mb_cur_max_func

api-ms-win-crt-filesystem-l1-1-0

_wremove
_wrename
_lock_file
_unlock_file

Exports

Exports

CLRJitAttachState
DotNetRuntimeInfo
MetaDataGetDispenser
g_CLREngineMetrics

Sections

.text
Size: 5.3MB - Virtual size: 5.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.CLR_UEF
Size: 512B - Virtual size: 68B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 268KB - Virtual size: 268KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Exm/NvidiaProfileInspector/Exm_Premium_Profile_V4.nip
Exm/NvidiaProfileInspector/nv.config
Exm/PowerPlan/Exm_Premium_Power_Plan_V3.pow
Exm/WindowsUpdateBlocker/Wub.exe
.exe windows:5 windows x86 arch:x86

870b8e75c7190e202e9c6c81dff1040c

Code Sign

79:9e:5f:0f:69:be:cb:93:49:4a:b3:10:ef:62:cc:c3
Certificate

Issuer

CN=Sordum Software

Not Before

15/08/2021, 21:00

Not After

31/07/2032, 21:00

Subject

CN=Sordum Software

Extended Key Usages

ExtKeyUsageCodeSigning

04:00:00:00:00:01:21:58:53:08:a2
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

18/03/2009, 10:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

20/02/2019, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:84:d3:a8:ce:37:81:eb:57:f4:fd:87:7b:83:ae:b2
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

27/05/2021, 10:00

Not After

28/06/2032, 10:00

Subject

CN=Globalsign TSA for MS Authenticode Advanced - G4,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

44:ec:fe:ae:ea:a1:aa:11:14:ef:5b:db:72:30:c7:f1:c8:a1:15:71
Signer

Actual PE Digest

44:ec:fe:ae:ea:a1:aa:11:14:ef:5b:db:72:30:c7:f1:c8:a1:15:71

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

__WSAFDIsSet
setsockopt
ntohs
recvfrom
sendto
htons
select
listen
WSAStartup
bind
closesocket
connect
socket
send
WSACleanup
ioctlsocket
accept
WSAGetLastError
inet_addr
gethostbyname
gethostname
recv

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
ImageList_ReplaceIcon
ImageList_Create
InitCommonControlsEx
ImageList_Destroy

mpr

WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W
WNetUseConnectionW

wininet

InternetReadFile
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetQueryOptionW
InternetQueryDataAvailable

psapi

EnumProcesses
GetModuleBaseNameW
GetProcessMemoryInfo
EnumProcessModules

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock
UnloadUserProfile
LoadUserProfileW

kernel32

HeapAlloc
Sleep
GetCurrentThreadId
RaiseException
MulDiv
GetVersionExW
GetSystemInfo
MultiByteToWideChar
WideCharToMultiByte
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
FindClose
DeleteFileW
FindNextFileW
lstrcmpiW
MoveFileW
CopyFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
GetProcessHeap
OutputDebugStringW
GetLocalTime
CompareStringW
CompareStringA
InterlockedIncrement
InterlockedDecrement
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
GetTempPathW
GetTempFileNameW
VirtualFree
FormatMessageW
GetExitCodeProcess
SetErrorMode
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
DeviceIoControl
SetFileAttributesW
GetShortPathNameW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetComputerNameW
GetWindowsDirectoryW
GetSystemDirectoryW
GetCurrentProcessId
GetCurrentThread
GetProcessIoCounters
CreateProcessW
SetPriorityClass
LoadLibraryW
VirtualAlloc
LoadLibraryExW
HeapFree
WaitForSingleObject
CreateThread
DuplicateHandle
GetLastError
CloseHandle
GetCurrentProcess
GetProcAddress
LoadLibraryA
FreeLibrary
GetModuleFileNameW
GetFullPathNameW
ExitProcess
ExitThread
GetSystemTimeAsFileTime
SetCurrentDirectoryW
IsDebuggerPresent
GetCurrentDirectoryW
ResumeThread
GetStartupInfoW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetModuleFileNameA
HeapReAlloc
HeapCreate
SetHandleCount
GetFileType
GetStartupInfoA
SetStdHandle
GetConsoleCP
GetConsoleMode
LCMapStringW
LCMapStringA
RtlUnwind
SetFilePointer
GetTimeZoneInformation
GetTimeFormatA
GetDateFormatA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetTickCount
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
GetModuleHandleA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
SetEndOfFile
EnumResourceNamesW
SetEnvironmentVariableA

user32

SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
ReleaseCapture
SetCapture
WindowFromPoint
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
CheckMenuRadioItem
CopyImage
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
SystemParametersInfoW
PeekMessageW
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetClassNameW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
GetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
MessageBoxW
DefWindowProcW
MoveWindow
AdjustWindowRectEx
SetRect
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
GetMenuItemID
TranslateMessage
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
UnregisterHotKey
CharLowerBuffW
MonitorFromRect
keybd_event
LoadImageW
GetWindowLongW

gdi32

DeleteObject
GetObjectW
GetTextExtentPoint32W
ExtCreatePen
StrokeAndFillPath
StrokePath
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
PolyDraw
BeginPath
Rectangle
GetDeviceCaps
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
SetTextColor
CreateFontW
GetTextFaceW
GetStockObject
CreateDCW
GetPixel
DeleteDC
SetViewportOrgEx

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
GetUserNameW
RegConnectRegistryW
RegEnumKeyExW
CloseServiceHandle
UnlockServiceDatabase
LockServiceDatabase
OpenSCManagerW
InitiateSystemShutdownExW
AdjustTokenPrivileges
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
SetSecurityDescriptorDacl
CopySid
LogonUserW
GetTokenInformation
GetAclInformation
GetAce
AddAce
GetSecurityDescriptorDacl

shell32

DragQueryPoint
ShellExecuteExW
SHGetFolderPathW
DragQueryFileW
SHEmptyRecycleBinW
SHBrowseForFolderW
SHFileOperationW
SHGetPathFromIDListW
SHGetDesktopFolder
SHGetMalloc
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoInitialize
CoUninitialize
CoCreateInstance
CreateStreamOnHGlobal
CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
StringFromCLSID
IIDFromString
StringFromIID
OleInitialize
CreateBindCtx
CLSIDFromProgID
CoInitializeSecurity
CoCreateInstanceEx
CoSetProxyBlanket
OleUninitialize

oleaut32

SafeArrayAllocData
SafeArrayAllocDescriptorEx
SysAllocString
OleLoadPicture
SafeArrayGetVartype
SafeArrayDestroyData
SafeArrayAccessData
VarR8FromDec
VariantTimeToSystemTime
VariantClear
VariantCopy
VariantInit
SafeArrayDestroyDescriptor
LoadRegTypeLi
GetActiveObject
SafeArrayUnaccessData

Sections

.text
Size: 512KB - Virtual size: 512KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 79KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ee7d0ec49c38d4f4d12574e449f1a355

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4eCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

bf:30:20:a0:42:0e:26:5e:60:73:43:49:b4:41:b7:ed:c7:d8:97:fa:20:fc:38:12:03:a5:93:53:98:4e:0d:cbSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

uxtheme

msimg32

version

dwmapi

winhttp

crypt32

Sections

.text Size: 720KB - Virtual size: 720KB

.rdata Size: 211KB - Virtual size: 211KB

.data Size: 30KB - Virtual size: 106KB

.rsrc Size: 727KB - Virtual size: 726KB

.reloc Size: 41KB - Virtual size: 41KB

5faa4e2549a90b4b068a8d326d23ab61

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

ole32

oleaut32

user32

version

shell32

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

Exports

Exports

Sections

.text Size: 5.3MB - Virtual size: 5.3MB

.CLR_UEF Size: 512B - Virtual size: 68B

.rdata Size: 1.2MB - Virtual size: 1.2MB

.data Size: 20KB - Virtual size: 72KB

.didat Size: 512B - Virtual size: 12B

_RDATA Size: 68KB - Virtual size: 67KB

.rsrc Size: 1.2MB - Virtual size: 1.2MB

.reloc Size: 268KB - Virtual size: 268KB

870b8e75c7190e202e9c6c81dff1040c

Code Sign

79:9e:5f:0f:69:be:cb:93:49:4a:b3:10:ef:62:cc:c3Certificate

Extended Key Usages

04:00:00:00:00:01:21:58:53:08:a2Certificate

Key Usages

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fcCertificate

Key Usages

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74Certificate

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

bf:30:20:a0:42:0e:26:5e:60:73:43:49:b4:41:b7:ed:c7:d8:97:fa:20:fc:38:12:03:a5:93:53:98:4e:0d:cb
Signer

.text
Size: 720KB - Virtual size: 720KB

.rdata
Size: 211KB - Virtual size: 211KB

.data
Size: 30KB - Virtual size: 106KB

.rsrc
Size: 727KB - Virtual size: 726KB

.reloc
Size: 41KB - Virtual size: 41KB

.text
Size: 5.3MB - Virtual size: 5.3MB

.CLR_UEF
Size: 512B - Virtual size: 68B

.rdata
Size: 1.2MB - Virtual size: 1.2MB

.data
Size: 20KB - Virtual size: 72KB

.didat
Size: 512B - Virtual size: 12B

_RDATA
Size: 68KB - Virtual size: 67KB

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

.reloc
Size: 268KB - Virtual size: 268KB

79:9e:5f:0f:69:be:cb:93:49:4a:b3:10:ef:62:cc:c3
Certificate

04:00:00:00:00:01:21:58:53:08:a2
Certificate

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

01:84:d3:a8:ce:37:81:eb:57:f4:fd:87:7b:83:ae:b2
Certificate

44:ec:fe:ae:ea:a1:aa:11:14:ef:5b:db:72:30:c7:f1:c8:a1:15:71
Signer

.text
Size: 512KB - Virtual size: 512KB

.rdata
Size: 54KB - Virtual size: 54KB

.data
Size: 26KB - Virtual size: 105KB

.rsrc
Size: 79KB - Virtual size: 78KB