Woofer[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Woofer.rar
Size

4.5MB
MD5

855663f3a865d1c2bb6b232945789178
SHA1

c4bd45002d8b337c83c4738d750e3ecb78681073
SHA256

8b7944c7d06e2e11b3b6daed19291a0acfe93727c74629c30695c21cd9e996b0
SHA512

566ccb46b8bb496c27bff6dfff0b83c749ef24f34146099dd252977f7cece3fd0f7558e276d0edf589778d38aca9a25d4ca2250d71642ac4fc088e56177fb6a1
SSDEEP

98304:k+PJw8TntrBFgEdpi+JHsfMIP4OpTiKhvEj/P/778toF4Bzy1eixgry+l:keJwwrBzdU+Jw3xvIPz7Ko2Bgxg+M

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/applecleaner.exe	themida

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Arctix Woofer.exe
unpack001/applecleaner.exe
unpack001/kdmapper_Release.exe

Files

Woofer.rar
.rar
AJR.sys
.sys windows:10 windows x64 arch:x64

f94d546ff9f6c68715317e36e751e07c

Code Sign

33:00:00:00:62:f4:5c:f9:9e:58:a9:6a:89:00:00:00:00:00:62
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/04/2023, 19:16

Not After

03/04/2024, 19:16

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

12:f6:38:91:03:3d:a8:ef:d2:81:c4:6a:e2:d9:dd:9d:23:69:e4:dd:f0:6b:9d:14:08:f2:8c:3f:e6:1d:ae:ff
Signer

Actual PE Digest

12:f6:38:91:03:3d:a8:ef:d2:81:c4:6a:e2:d9:dd:9d:23:69:e4:dd:f0:6b:9d:14:08:f2:8c:3f:e6:1d:ae:ff

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\LWAY\Desktop\SV\s\k\x64\Release\iqvw64e.pdb

Imports

ntoskrnl.exe

IoEnumerateDeviceObjectList
KeDelayExecutionThread
ZwReadFile
ObQueryNameString
strcpy
ZwCreateFile
ObfDereferenceObject
RtlInitUnicodeString
rand
IoBuildDeviceIoControlRequest
IoCreateDriver
IoGetDeviceObjectPointer
strlen
wcsstr
swprintf
ExAllocatePoolWithTag
IofCallDriver
ExFreePoolWithTag
KeInitializeEvent
ObReferenceObjectByName
KeWaitForSingleObject
IoDriverObjectType
DbgPrint
ZwClose
IoGetAttachedDeviceReference
MmMapLockedPages
ZwQuerySystemInformation
tolower
MmCopyMemory
strstr

Sections

.text
Size: 392KB - Virtual size: 391KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 540B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

memset_
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 874B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 760B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Arctix Woofer.exe
.exe windows:6 windows x64 arch:x64

ae718173b3205305d4eda02acf91d589

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\KeyAuth-ImGui-Loader-main\KeyAuth-ImGui-Loader-main\KeyAuth-ImGui-Loader-main\x64\Release\CeosDen.pdb

Imports

kernel32

RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileSizeEx
CreateFileA
WaitForMultipleObjects
RtlLookupFunctionEntry
ReadFile
GetFileType
GetStdHandle
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
RtlVirtualUnwind
UnhandledExceptionFilter
PeekNamedPipe
SetUnhandledExceptionFilter
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect
CreateThread
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
CloseHandle
CreateFileW
GlobalAlloc
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
Sleep
Beep
VerifyVersionInfoW
LoadLibraryA
GetProcAddress
GetModuleHandleA
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
GetEnvironmentVariableA

user32

PostQuitMessage
GetCursorPos
ClientToScreen
ScreenToClient
UpdateWindow
WindowFromPoint
GetWindowLongW
SetWindowLongA
SetWindowLongW
LoadCursorA
SetCursorPos
AdjustWindowRectEx
GetClientRect
MonitorFromWindow
GetMonitorInfoA
SetWindowTextW
ReleaseDC
GetDC
SetForegroundWindow
EnumDisplayMonitors
GetForegroundWindow
ReleaseCapture
SetCapture
GetCapture
GetKeyState
SetFocus
BringWindowToTop
TranslateMessage
DispatchMessageA
PeekMessageA
IsIconic
SetWindowPos
SetLayeredWindowAttributes
GetDesktopWindow
MessageBoxA
ShowWindow
DestroyWindow
IsChild
CreateWindowExA
OpenClipboard
CloseClipboard
GetWindowRect
SetClipboardData
GetClipboardData
EmptyClipboard
DefWindowProcA
UnregisterClassA
RegisterClassExA
SetCursor

gdi32

GetDeviceCaps

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

msvcp140

?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Xlength_error@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
_Query_perf_counter
_Query_perf_frequency
_Thrd_detach
_Cnd_do_broadcast_at_thread_exit
?_Throw_Cpp_error@std@@YAXH@Z
?good@ios_base@std@@QEBA_NXZ
?flags@ios_base@std@@QEBAHXZ
?width@ios_base@std@@QEBA_JXZ
?width@ios_base@std@@QEAA_J_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?setf@ios_base@std@@QEAAHHH@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ

d3d9

Direct3DCreate9

normaliz

IdnToAscii

wldap32

ord26
ord27
ord32
ord33
ord35
ord79
ord22
ord200
ord301
ord41
ord143
ord217
ord45
ord60
ord46
ord30
ord211
ord50

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertOpenStore
CertGetNameStringA
CertFindExtension
CertFreeCertificateChain
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertAddCertificateContextToStore

ws2_32

getpeername
getsockname
getsockopt
bind
WSAGetLastError
send
recv
htons
closesocket
connect
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
ntohl
gethostname
sendto
recvfrom

rpcrt4

RpcStringFreeA
UuidCreate
UuidToStringA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140

__current_exception
__C_specific_handler
strrchr
__current_exception_context
__std_exception_destroy
__std_exception_copy
memcmp
strchr
memset
_CxxThrowException
__std_terminate
strstr
memchr
memcpy
memmove

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-string-l1-1-0

tolower
strpbrk
strncpy
strcspn
strspn
strcmp
strncmp
isupper
_strdup

api-ms-win-crt-runtime-l1-1-0

_cexit
_exit
_register_thread_local_exe_atexit_callback
_initterm
_get_narrow_winmain_command_line
_errno
_beginthreadex
terminate
system
exit
_invalid_parameter_noinfo_noreturn
strerror
_invalid_parameter_noinfo
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_c_exit
_initialize_narrow_environment
_getpid
_initterm_e
_configure_narrow_argv
_set_app_type
_seh_filter_exe
_wassert
__sys_nerr
_resetstkoflw

api-ms-win-crt-stdio-l1-1-0

ftell
__acrt_iob_func
_wfopen
fclose
fwrite
fseek
fgets
__stdio_common_vsprintf
_open
_close
_write
_read
__stdio_common_vsscanf
__p__commode
_set_fmode
fflush
_pclose
_popen
_lseeki64
fread
fputc
fopen
feof
fputs

api-ms-win-crt-heap-l1-1-0

_set_new_mode
_callnewh
free
malloc
realloc
calloc

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

sqrtf
acosf
ceilf
__setusermatherr
sinf
cosf
_dclass
fmodf

api-ms-win-crt-convert-l1-1-0

strtoul
strtoull
strtoll
atoi
strtod
strtol

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64

api-ms-win-crt-filesystem-l1-1-0

_access
_unlink
_stat64
_fstat64

advapi32

CryptReleaseContext
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptImportKey
OpenProcessToken

shell32

ShellExecuteA

Sections

.text
Size: 753KB - Virtual size: 752KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 594KB - Virtual size: 594KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
READ ME.txt
applecleaner.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 54KB - Virtual size: 142KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 12KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 300B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
kdmapper_Release.exe
.exe windows:6 windows x64 arch:x64

8613b496027ce842c1160a3b8fd30bda

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Fortn\Downloads\kdmapper-master\kdmapper-master\x64\Release\kdmapper_Release.pdb

Imports

kernel32

CloseHandle
GetProcAddress
GetModuleHandleA
SetUnhandledExceptionFilter
GetTempPathW
FormatMessageA
GetCurrentThreadId
CreateFileW
VirtualAlloc
DeviceIoControl
GetCurrentProcessId
VirtualFree
GetLocaleInfoEx
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetLastError
GetModuleHandleW
GetFileInformationByHandleEx
WideCharToMultiByte
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
LocalFree

advapi32

RegCloseKey
RegDeleteTreeW
RegCreateKeyW
RegOpenKeyW
RegSetKeyValueW

msvcp140

?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z

ntdll

NtQuerySystemInformation
RtlInitUnicodeString

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__current_exception
_CxxThrowException
__C_specific_handler
__std_terminate
wcsstr
__std_exception_destroy
memcmp
memcpy
memset
__std_exception_copy
memmove

api-ms-win-crt-stdio-l1-1-0

_set_fmode
_fseeki64
fread
fsetpos
_get_stream_buffer_pointers
__p__commode
fputc
setvbuf
fgetpos
fwrite
ungetc
fflush
fgetc
fclose

api-ms-win-crt-utility-l1-1-0

srand
rand

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_wremove
_unlock_file

api-ms-win-crt-string-l1-1-0

_wcsicmp
_stricmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_cexit
__p___wargv
__p___argc
_invalid_parameter_noinfo_noreturn
_crt_atexit
exit
_initterm_e
_initterm
_get_initial_wide_environment
_initialize_wide_environment
_configure_wide_argv
_register_onexit_function
_set_app_type
_seh_filter_exe
_exit
terminate
_c_exit
_register_thread_local_exe_atexit_callback

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
_callnewh
free

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr

Sections

.text
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f94d546ff9f6c68715317e36e751e07c

Code Sign

33:00:00:00:62:f4:5c:f9:9e:58:a9:6a:89:00:00:00:00:00:62Certificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

12:f6:38:91:03:3d:a8:ef:d2:81:c4:6a:e2:d9:dd:9d:23:69:e4:dd:f0:6b:9d:14:08:f2:8c:3f:e6:1d:ae:ffSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 392KB - Virtual size: 391KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 20KB

.pdata Size: 1024B - Virtual size: 540B

memset_ Size: 512B - Virtual size: 56B

INIT Size: 1024B - Virtual size: 874B

.rsrc Size: 1024B - Virtual size: 760B

.reloc Size: 512B - Virtual size: 12B

ae718173b3205305d4eda02acf91d589

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

imm32

msvcp140

d3d9

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

userenv

vcruntime140

vcruntime140_1

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

advapi32

shell32

Sections

.text Size: 753KB - Virtual size: 752KB

.rdata Size: 594KB - Virtual size: 594KB

.data Size: 3KB - Virtual size: 6KB

.pdata Size: 33KB - Virtual size: 32KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 1KB - Virtual size: 1KB

Headers

DLL Characteristics

File Characteristics

Sections

Size: 54KB - Virtual size: 142KB

Size: 12KB - Virtual size: 40KB

Size: 512B - Virtual size: 3KB

Size: 3KB - Virtual size: 4KB

Size: 49KB - Virtual size: 48KB

Size: 512B - Virtual size: 300B

.idata Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 49KB - Virtual size: 49KB

33:00:00:00:62:f4:5c:f9:9e:58:a9:6a:89:00:00:00:00:00:62
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

12:f6:38:91:03:3d:a8:ef:d2:81:c4:6a:e2:d9:dd:9d:23:69:e4:dd:f0:6b:9d:14:08:f2:8c:3f:e6:1d:ae:ff
Signer

.text
Size: 392KB - Virtual size: 391KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 20KB

.pdata
Size: 1024B - Virtual size: 540B

memset_
Size: 512B - Virtual size: 56B

INIT
Size: 1024B - Virtual size: 874B

.rsrc
Size: 1024B - Virtual size: 760B

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 753KB - Virtual size: 752KB

.rdata
Size: 594KB - Virtual size: 594KB

.data
Size: 3KB - Virtual size: 6KB

.pdata
Size: 33KB - Virtual size: 32KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 1KB - Virtual size: 1KB

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 49KB - Virtual size: 49KB

.themida
Size: - Virtual size: 5.9MB

.boot
Size: 3.5MB - Virtual size: 3.5MB

.reloc
Size: 16B - Virtual size: 4KB

.text
Size: 65KB - Virtual size: 65KB

.rdata
Size: 67KB - Virtual size: 67KB

.data
Size: 1KB - Virtual size: 3KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 512B - Virtual size: 264B