APEX_DMA0305_[unknowncheats[.]me]_[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

APEX_DMA0305_[unknowncheats.me]_.zip
Size

8.7MB
MD5

840b945d85edb4e5099603eb3f91cf23
SHA1

7da71aa7158abe3a2b1da85c8cc5abb772c3b5e8
SHA256

3e3f5d714de14c4e8e7407f440d1ca8e39f4ed04375d9a1d8b6947fd1bf7b1f1
SHA512

9b7b5c6525ecbf6fbc01d38cb920bbee3faab070cfb13ba99a5dbad0c964d1da10cd3640aa5a581597b3d853cc02f43c4b0a7b5456c9b0dc6f6ec02fb5f251c6
SSDEEP

196608:cjAwgFaKn55Q5fH1NGajJyD/hSdgosCE3rgKccNkoj1+jF5i5Nl2Ut:+KdLcH/GajJfsCsMKcjoj1Mzi5H

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/APEX_DMA0305/FUN Plus+.exe

Files

APEX_DMA0305_[unknowncheats.me]_.zip
.zip
APEX_DMA0305/FTD3XX.dll
.dll windows:6 windows x64 arch:x64

94eff8313f705d14c2421a2e17c00648

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

02:e4:41:cb:6d:7c:0b:ab:94:2c:24:2e:b3:05:8f:ed
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

20/04/2023, 00:00

Not After

19/04/2024, 23:59

Subject

SERIALNUMBER=SC136640,CN=Future Technology Devices International Ltd,O=Future Technology Devices International Ltd,L=Glasgow,C=GB,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024742

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

59:d1:a6:6c:07:39:e4:9c:0f:fe:4c:31:eb:63:3d:6a:be:ab:fd:97:e7:2f:10:1b:b8:bb:0d:eb:3b:e6:59:22
Signer

Actual PE Digest

59:d1:a6:6c:07:39:e4:9c:0f:fe:4c:31:eb:63:3d:6a:be:ab:fd:97:e7:2f:10:1b:b8:bb:0d:eb:3b:e6:59:22

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Work\Project\D3xx\trunk\D3XX\d2xxdll\x64\Release\FTD3XX.pdb

Imports

setupapi

SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo

kernel32

ExitThread
WriteConsoleW
OutputDebugStringW
ReadConsoleW
ReadFile
SetFilePointerEx
CreateFileW
CloseHandle
GetLastError
DeviceIoControl
GetOverlappedResult
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ReleaseMutex
WaitForSingleObject
CreateMutexW
CreateEventW
Sleep
WaitForMultipleObjects
GetFileSizeEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
InterlockedPushEntrySList
InterlockedFlushSList
RtlPcToFileHeader
RaiseException
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
EncodePointer
CreateThread
RtlUnwind
ResumeThread
FreeLibraryAndExitThread
GetModuleHandleExW
ExitProcess
GetModuleFileNameW
GetCurrentThread
HeapFree
HeapAlloc
MultiByteToWideChar
GetTempPathW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
GetStdHandle
GetFileType
SetConsoleCtrlHandler
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode

Exports

Exports

FT_AbortPipe
FT_ClearNotificationCallback
FT_ClearStreamPipe
FT_Close
FT_ControlTransfer
FT_Create
FT_CreateDeviceInfoList
FT_CycleDevicePort
FT_EnableGPIO
FT_FlushPipe
FT_GetChipConfiguration
FT_GetConfigurationDescriptor
FT_GetDescriptor
FT_GetDeviceDescriptor
FT_GetDeviceInfo
FT_GetDeviceInfoDetail
FT_GetDeviceInfoList
FT_GetDriverVersion
FT_GetFirmwareVersion
FT_GetGPIO
FT_GetInterfaceDescriptor
FT_GetLibraryVersion
FT_GetOverlappedResult
FT_GetPipeInformation
FT_GetPipeTimeout
FT_GetStringDescriptor
FT_GetSuspendTimeout
FT_GetVIDPID
FT_InitializeOverlapped
FT_IsDevicePath
FT_ListDevices
FT_ReadGPIO
FT_ReadPipe
FT_ReadPipeEx
FT_ReleaseOverlapped
FT_ResetDevicePort
FT_SetChipConfiguration
FT_SetGPIO
FT_SetGPIOLevel
FT_SetGPIOPull
FT_SetNotificationCallback
FT_SetPipeTimeout
FT_SetStreamPipe
FT_SetSuspendTimeout
FT_WriteGPIO
FT_WritePipe
FT_WritePipeEx

Sections

.text
Size: 384KB - Virtual size: 384KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 77KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
APEX_DMA0305/FUN Plus+.exe
.exe windows:6 windows x64 arch:x64

59a6f9162364117ae78c49fddfa14417

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_47

D3DCompile

ws2_32

recvfrom

vmm

VMMDLL_Map_GetEATU

leechcore

LcCommand

kernel32

GetFileAttributesW
GetVersion
LocalAlloc
LocalFree
GetModuleFileNameW
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

GetClipboardData
CharUpperBuffW

gdi32

GetDeviceCaps

msvcp140

??1_Locinfo@std@@QEAA@XZ

imm32

ImmAssociateContextEx

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memchr

api-ms-win-crt-heap-l1-1-0

malloc

api-ms-win-crt-runtime-l1-1-0

_beginthreadex

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-stdio-l1-1-0

fputc

api-ms-win-crt-filesystem-l1-1-0

_lock_file

api-ms-win-crt-string-l1-1-0

strcpy_s

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-time-l1-1-0

strftime

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-math-l1-1-0

acosf

Sections

.text
Size: - Virtual size: 445KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.8n6
Size: - Virtual size: 3.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

._lc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.Jq|
Size: 7.7MB - Virtual size: 7.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
APEX_DMA0305/config.cfg
APEX_DMA0305/imgui.ini
APEX_DMA0305/leechcore.dll
.dll windows:6 windows x64 arch:x64

245f8d40de6893b471d1e488cfaf8c43

Code Sign

61:41:98:e7:6e:19:1c:5c:7a:9b:36:24:ae:39:1d:d1
Certificate

Issuer

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

24/11/2023, 06:35

Not After

23/11/2024, 06:35

Subject

CN=Open Source Developer\, Ulf Frisk,O=Open Source Developer,L=Stockholm,C=SE,1.2.840.113549.1.9.1=#0c16756c662e667269736b40756c66667269736b2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19/05/2021, 05:32

Not After

18/05/2036, 05:32

Subject

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a7:be:3c:4b:b2:e9:8d:6d:9c:0b:8e:4d:83:b8:da:9a:90:3a:3f:69:89:c1:75:dd:a6:06:db:21:b5:29:d5:59
Signer

Actual PE Digest

a7:be:3c:4b:b2:e9:8d:6d:9c:0b:8e:4d:83:b8:da:9a:90:3a:3f:69:89:c1:75:dd:a6:06:db:21:b5:29:d5:59

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Github\production\LeechCore\files\lib\leechcore.pdb

Imports

credui

CredUIPromptForWindowsCredentialsW
CredUnPackAuthenticationBufferW

rpcrt4

NdrClientCall3
RpcBindingSetAuthInfoExA
RpcBindingFree
RpcStringFreeA
RpcBindingSetAuthInfoExW
RpcStringBindingComposeA
RpcBindingFromStringBindingA

secur32

LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
LsaConnectUntrusted

setupapi

SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW

winusb

WinUsb_WritePipe
WinUsb_Free
WinUsb_SetPipePolicy
WinUsb_ReadPipe
WinUsb_Initialize

ws2_32

setsockopt
WSAGetLastError
htons
recvfrom
connect
socket
send
inet_addr
WSAStartup
closesocket
ioctlsocket

kernel32

IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
GetTickCount64
GetModuleFileNameA
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeSRWLock
QueryPerformanceCounter
TryEnterCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
LocalAlloc
LocalFree
DeleteCriticalSection
Sleep
LoadLibraryA
CloseHandle
CreateThread
SwitchToThread
GetProcAddress
FreeLibrary
ReadFile
DeviceIoControl
GetLastError
CreateFileA
SetFilePointerEx
VirtualFree
VirtualAlloc
CreateFileW
VerSetConditionMask
VerifyVersionInfoW
WriteProcessMemory
GetCurrentProcess
K32GetModuleFileNameExW
OpenProcess
K32EnumProcesses
ReadProcessMemory
K32GetMappedFileNameW
VirtualQueryEx
WaitForMultipleObjects
WaitForSingleObject
CreateEventW
SetEvent
QueryPerformanceFrequency
ResetEvent
IsProcessorFeaturePresent

advapi32

StartServiceA
ControlService
DeleteService
OpenSCManagerA
OpenSCManagerW
CloseServiceHandle
CreateServiceA
RegQueryValueExA
RegOpenKeyA
RegCloseKey
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenServiceA

ole32

CoTaskMemFree

vcruntime140

memset
memcpy
__C_specific_handler
strstr
__std_type_info_destroy_list
memcmp
wcsstr

api-ms-win-crt-stdio-l1-1-0

fread
fopen_s
fwrite
__stdio_common_vsnwprintf_s
_fseeki64
__stdio_common_vswprintf_s
__stdio_common_vfprintf
fclose
__acrt_iob_func
getchar
__stdio_common_vsnprintf_s
__stdio_common_vsprintf
_ftelli64

api-ms-win-crt-string-l1-1-0

strncat_s
strtok_s
wcsncpy_s
strcpy_s
wcsncat_s
_strnicmp
_wcsicmp
strncpy_s
wcscpy_s
strcat_s
strcmp
_stricmp

api-ms-win-crt-convert-l1-1-0

atoi
_itoa_s
strtoull

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_execute_onexit_table
_initterm
_cexit
_initterm_e
_seh_filter_dll

Exports

Exports

LcAllocScatter1
LcAllocScatter2
LcAllocScatter3
LcClose
LcCommand
LcCreate
LcCreateEx
LcDeviceParameterGet
LcDeviceParameterGetNumeric
LcGetOption
LcMemFree
LcMemMap_AddRange
LcMemMap_GetMaxAddress
LcMemMap_IsInitialized
LcRead
LcReadScatter
LcSetOption
LcWrite
LcWriteScatter

Sections

.text
Size: 92KB - Virtual size: 92KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
APEX_DMA0305/vmm.dll
.dll windows:6 windows x64 arch:x64

0b77eba7e489d82b694bf66be928bc65

Code Sign

61:41:98:e7:6e:19:1c:5c:7a:9b:36:24:ae:39:1d:d1
Certificate

Issuer

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

24/11/2023, 06:35

Not After

23/11/2024, 06:35

Subject

CN=Open Source Developer\, Ulf Frisk,O=Open Source Developer,L=Stockholm,C=SE,1.2.840.113549.1.9.1=#0c16756c662e667269736b40756c66667269736b2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19/05/2021, 05:32

Not After

18/05/2036, 05:32

Subject

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4a:22:15:06:9a:9d:d6:5e:22:ed:34:52:e0:8d:3e:6c:48:32:22:36:d8:22:13:a8:44:1d:38:fc:13:75:29:28
Signer

Actual PE Digest

4a:22:15:06:9a:9d:d6:5e:22:ed:34:52:e0:8d:3e:6c:48:32:22:36:d8:22:13:a8:44:1d:38:fc:13:75:29:28

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Github\production\MemProcFS\files\lib\vmm.pdb

Imports

leechcore

LcRead
LcCreateEx
LcClose
LcSetOption
LcReadScatter
LcAllocScatter1
LcWriteScatter
LcGetOption
LcCommand
LcAllocScatter2
LcMemFree

bcrypt

BCryptCreateHash
BCryptHashData
BCryptGetProperty
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptDestroyHash

crypt32

CertFreeCertificateContext
CertCreateCertificateContext
CertGetNameStringW

shlwapi

StrStrIA

ws2_32

inet_ntop

kernel32

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
GetCurrentProcess
IsDebuggerPresent
TerminateProcess
UnhandledExceptionFilter
LockResource
ResetEvent
LocalAlloc
LocalFree
AreFileApisANSI
ReadFile
TryEnterCriticalSection
HeapCreate
HeapFree
EnterCriticalSection
GetFullPathNameW
WriteFile
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
LeaveCriticalSection
InitializeCriticalSection
SetFilePointer
GetFullPathNameA
SetEndOfFile
UnlockFileEx
GetTempPathW
CreateMutexW
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetCurrentThreadId
UnmapViewOfFile
HeapValidate
HeapSize
MultiByteToWideChar
Sleep
GetTempPathA
FormatMessageW
GetDiskFreeSpaceA
GetLastError
GetFileAttributesA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
CreateFileA
LoadLibraryA
WaitForSingleObjectEx
DeleteFileA
DeleteFileW
HeapReAlloc
CloseHandle
GetSystemInfo
LoadLibraryW
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
GetProcAddress
LockFileEx
GetFileSize
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetSystemTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
GetLongPathNameW
WaitForMultipleObjects
CreateEventW
GetTickCount64
SetEvent
GetLocalTime
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockShared
InitializeSRWLock
VerSetConditionMask
VerifyVersionInfoW
QueryPerformanceFrequency
GetModuleFileNameA
SizeofResource
FileTimeToSystemTime
FindClose
LoadResource
FindResourceW
InitializeCriticalSectionAndSpinCount
GetModuleHandleA
InterlockedPushEntrySList
InitializeSListHead
InterlockedPopEntrySList
QueryDepthSList
GetStdHandle
ReadConsoleA
SwitchToThread
CreateThread
FindFirstFileA
LoadLibraryExA
FindNextFileA

advapi32

LookupAccountSidA
RegDeleteValueA
IsValidSid
ConvertStringSidToSidA
RegCreateKeyA
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegGetValueA
ConvertSidToStringSidA

vcruntime140

strstr
__std_type_info_destroy_list
__C_specific_handler
strrchr
memcmp
memcpy
memmove
memset

api-ms-win-crt-string-l1-1-0

_wcsnicmp
_strnicmp
strncmp
strcmp
strcat_s
_stricmp
strcpy_s
strtok_s
strncpy_s
strncat_s
strspn
strnlen
strcspn
toupper

api-ms-win-crt-heap-l1-1-0

free
malloc
_msize
realloc

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
_cexit
_execute_onexit_table
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_initterm_e
_initterm
_endthreadex

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsnprintf_s
fread
tmpnam_s
__stdio_common_vsprintf
__stdio_common_vsprintf_s
fwrite
fclose
__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vsnwprintf_s
fopen_s
_fseeki64
_fsopen
fflush

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-convert-l1-1-0

strtoull
strtoul

api-ms-win-crt-filesystem-l1-1-0

remove
_access_s

api-ms-win-crt-math-l1-1-0

floor
log10

Exports

Exports

VMMDLL_Close
VMMDLL_CloseAll
VMMDLL_ConfigGet
VMMDLL_ConfigSet
VMMDLL_ForensicFileAppend
VMMDLL_Initialize
VMMDLL_InitializeEx
VMMDLL_InitializePlugins
VMMDLL_Log
VMMDLL_LogEx
VMMDLL_Map_GetEATU
VMMDLL_Map_GetEATW
VMMDLL_Map_GetHandleU
VMMDLL_Map_GetHandleW
VMMDLL_Map_GetHeap
VMMDLL_Map_GetHeapAlloc
VMMDLL_Map_GetIATU
VMMDLL_Map_GetIATW
VMMDLL_Map_GetModuleFromNameU
VMMDLL_Map_GetModuleFromNameW
VMMDLL_Map_GetModuleU
VMMDLL_Map_GetModuleW
VMMDLL_Map_GetNetU
VMMDLL_Map_GetNetW
VMMDLL_Map_GetPfn
VMMDLL_Map_GetPfnEx
VMMDLL_Map_GetPhysMem
VMMDLL_Map_GetPool
VMMDLL_Map_GetPteU
VMMDLL_Map_GetPteW
VMMDLL_Map_GetServicesU
VMMDLL_Map_GetServicesW
VMMDLL_Map_GetThread
VMMDLL_Map_GetUnloadedModuleU
VMMDLL_Map_GetUnloadedModuleW
VMMDLL_Map_GetUsersU
VMMDLL_Map_GetUsersW
VMMDLL_Map_GetVMU
VMMDLL_Map_GetVMW
VMMDLL_Map_GetVadEx
VMMDLL_Map_GetVadU
VMMDLL_Map_GetVadW
VMMDLL_MemFree
VMMDLL_MemPrefetchPages
VMMDLL_MemRead
VMMDLL_MemReadEx
VMMDLL_MemReadPage
VMMDLL_MemReadScatter
VMMDLL_MemSearch
VMMDLL_MemSize
VMMDLL_MemVirt2Phys
VMMDLL_MemWrite
VMMDLL_MemWriteScatter
VMMDLL_PdbLoad
VMMDLL_PdbSymbolAddress
VMMDLL_PdbSymbolName
VMMDLL_PdbTypeChildOffset
VMMDLL_PdbTypeSize
VMMDLL_PidGetFromName
VMMDLL_PidList
VMMDLL_ProcessGetDirectoriesU
VMMDLL_ProcessGetDirectoriesW
VMMDLL_ProcessGetInformation
VMMDLL_ProcessGetInformationAll
VMMDLL_ProcessGetInformationString
VMMDLL_ProcessGetModuleBaseU
VMMDLL_ProcessGetModuleBaseW
VMMDLL_ProcessGetProcAddressU
VMMDLL_ProcessGetProcAddressW
VMMDLL_ProcessGetSectionsU
VMMDLL_ProcessGetSectionsW
VMMDLL_Scatter_Clear
VMMDLL_Scatter_CloseHandle
VMMDLL_Scatter_Execute
VMMDLL_Scatter_ExecuteRead
VMMDLL_Scatter_Initialize
VMMDLL_Scatter_Prepare
VMMDLL_Scatter_PrepareEx
VMMDLL_Scatter_PrepareWrite
VMMDLL_Scatter_PrepareWriteEx
VMMDLL_Scatter_Read
VMMDLL_UtilFillHexAscii
VMMDLL_UtilVfsReadFile_FromBOOL
VMMDLL_UtilVfsReadFile_FromDWORD
VMMDLL_UtilVfsReadFile_FromPBYTE
VMMDLL_UtilVfsReadFile_FromQWORD
VMMDLL_UtilVfsWriteFile_BOOL
VMMDLL_UtilVfsWriteFile_DWORD
VMMDLL_VfsListBlobU
VMMDLL_VfsListU
VMMDLL_VfsListW
VMMDLL_VfsList_AddDirectory
VMMDLL_VfsList_AddDirectoryW
VMMDLL_VfsList_AddFile
VMMDLL_VfsList_AddFileW
VMMDLL_VfsReadU
VMMDLL_VfsReadW
VMMDLL_VfsWriteU
VMMDLL_VfsWriteW
VMMDLL_VmGetVmmHandle
VMMDLL_VmMemRead
VMMDLL_VmMemReadScatter
VMMDLL_VmMemTranslateGPA
VMMDLL_VmMemWrite
VMMDLL_VmMemWriteScatter
VMMDLL_VmScatterInitialize
VMMDLL_WinGetThunkInfoIATU
VMMDLL_WinGetThunkInfoIATW
VMMDLL_WinReg_EnumKeyExU
VMMDLL_WinReg_EnumKeyExW
VMMDLL_WinReg_EnumValueU
VMMDLL_WinReg_EnumValueW
VMMDLL_WinReg_HiveList
VMMDLL_WinReg_HiveReadEx
VMMDLL_WinReg_HiveWrite
VMMDLL_WinReg_QueryValueExU
VMMDLL_WinReg_QueryValueExW
VMMDLL_YaraSearch

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 277KB - Virtual size: 277KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 74KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 117KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

94eff8313f705d14c2421a2e17c00648

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

02:e4:41:cb:6d:7c:0b:ab:94:2c:24:2e:b3:05:8f:edCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

59:d1:a6:6c:07:39:e4:9c:0f:fe:4c:31:eb:63:3d:6a:be:ab:fd:97:e7:2f:10:1b:b8:bb:0d:eb:3b:e6:59:22Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

setupapi

kernel32

Exports

Exports

Sections

.text Size: 384KB - Virtual size: 384KB

.rdata Size: 77KB - Virtual size: 77KB

.data Size: 4KB - Virtual size: 11KB

.pdata Size: 19KB - Virtual size: 19KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 2KB

59a6f9162364117ae78c49fddfa14417

Headers

DLL Characteristics

File Characteristics

Imports

d3d11

d3dcompiler_47

ws2_32

vmm

leechcore

kernel32

user32

gdi32

msvcp140

imm32

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: - Virtual size: 445KB

.rdata Size: - Virtual size: 2.7MB

.data Size: - Virtual size: 6KB

.pdata Size: - Virtual size: 19KB

.8n6 Size: - Virtual size: 3.7MB

._lc Size: 4KB - Virtual size: 4KB

.Jq| Size: 7.7MB - Virtual size: 7.7MB

.reloc Size: 512B - Virtual size: 224B

.rsrc Size: 5KB - Virtual size: 4KB

245f8d40de6893b471d1e488cfaf8c43

Code Sign

61:41:98:e7:6e:19:1c:5c:7a:9b:36:24:ae:39:1d:d1Certificate

Extended Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

02:e4:41:cb:6d:7c:0b:ab:94:2c:24:2e:b3:05:8f:ed
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

59:d1:a6:6c:07:39:e4:9c:0f:fe:4c:31:eb:63:3d:6a:be:ab:fd:97:e7:2f:10:1b:b8:bb:0d:eb:3b:e6:59:22
Signer

.text
Size: 384KB - Virtual size: 384KB

.rdata
Size: 77KB - Virtual size: 77KB

.data
Size: 4KB - Virtual size: 11KB

.pdata
Size: 19KB - Virtual size: 19KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: - Virtual size: 445KB

.rdata
Size: - Virtual size: 2.7MB

.data
Size: - Virtual size: 6KB

.pdata
Size: - Virtual size: 19KB

.8n6
Size: - Virtual size: 3.7MB

._lc
Size: 4KB - Virtual size: 4KB

.Jq|
Size: 7.7MB - Virtual size: 7.7MB

.reloc
Size: 512B - Virtual size: 224B

.rsrc
Size: 5KB - Virtual size: 4KB

61:41:98:e7:6e:19:1c:5c:7a:9b:36:24:ae:39:1d:d1
Certificate

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

a7:be:3c:4b:b2:e9:8d:6d:9c:0b:8e:4d:83:b8:da:9a:90:3a:3f:69:89:c1:75:dd:a6:06:db:21:b5:29:d5:59
Signer

.text
Size: 92KB - Virtual size: 92KB

.rdata
Size: 27KB - Virtual size: 26KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 184B

61:41:98:e7:6e:19:1c:5c:7a:9b:36:24:ae:39:1d:d1
Certificate

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

4a:22:15:06:9a:9d:d6:5e:22:ed:34:52:e0:8d:3e:6c:48:32:22:36:d8:22:13:a8:44:1d:38:fc:13:75:29:28
Signer