CheaterRun[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

CheaterRun.rar
Size

13.5MB
MD5

3f0a92f3422a8c53bd5078a1d80cb16f
SHA1

3c81a3281f8e6725df3e7bfbafc83438d81a9549
SHA256

44880640df1e0881a978f60b0668b955b94e1c305d2178671b5ff60c4f15319e
SHA512

07ba457db17ca9f0145ab037f5e938f5008472f963cb9b998349f1019b85cd6a079aaa4c25fcab5faa4369878a1249e7a8bcfdb2b70819697a56f0c4faadb4b7
SSDEEP

393216:29CrvL6FBCruoJyCtK9ECxr0JlhlOetsY34:trvLSs/JD491R0JlbvtsY34

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack002/#/RealtekHDAudio.exe	themida

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/CheaterRun/ExLoader.exe
unpack002/#/RealtekHDAudio.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
static1/unpack001/CheaterRun/ExLoader.exe	nsis_installer_1
static1/unpack001/CheaterRun/ExLoader.exe	nsis_installer_2

Files

CheaterRun.rar
.rar

Password: 2024
CheaterRun/ExLoader.exe
.exe windows:4 windows x86 arch:x86

Password: 2024

ced282d9b261d1462772017fe2f6972b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegCreateKeyExA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
SetFileSecurityA
RegOpenKeyExA
RegEnumValueA

shell32

SHGetFileInfoA
SHFileOperationA
SHGetPathFromIDListA
ShellExecuteExA
SHGetSpecialFolderLocation
SHBrowseForFolderA

ole32

IIDFromString
OleInitialize
OleUninitialize
CoCreateInstance
CoTaskMemFree

comctl32

ord17
ImageList_Create
ImageList_Destroy
ImageList_AddMasked

user32

SetClipboardData
CharPrevA
CallWindowProcA
PeekMessageA
DispatchMessageA
MessageBoxIndirectA
GetDlgItemTextA
SetDlgItemTextA
GetSystemMetrics
CreatePopupMenu
AppendMenuA
TrackPopupMenu
FillRect
EmptyClipboard
LoadCursorA
GetMessagePos
CheckDlgButton
GetSysColor
SetCursor
GetWindowLongA
SetClassLongA
SetWindowPos
IsWindowEnabled
GetWindowRect
GetSystemMenu
EnableMenuItem
RegisterClassA
ScreenToClient
EndDialog
GetClassInfoA
SystemParametersInfoA
CreateWindowExA
ExitWindowsEx
DialogBoxParamA
CharNextA
SetTimer
DestroyWindow
CreateDialogParamA
SetForegroundWindow
SetWindowTextA
PostQuitMessage
SendMessageTimeoutA
ShowWindow
wsprintfA
GetDlgItem
FindWindowExA
IsWindow
GetDC
SetWindowLongA
LoadImageA
InvalidateRect
ReleaseDC
EnableWindow
BeginPaint
SendMessageA
DefWindowProcA
DrawTextA
GetClientRect
EndPaint
IsWindowVisible
CloseClipboard
OpenClipboard

gdi32

SetBkMode
SetBkColor
GetDeviceCaps
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
SetTextColor
SelectObject

kernel32

GetExitCodeProcess
WaitForSingleObject
GetProcAddress
GetSystemDirectoryA
WideCharToMultiByte
MoveFileExA
ReadFile
GetTempFileNameA
WriteFile
RemoveDirectoryA
CreateProcessA
CreateFileA
GetLastError
CreateThread
CreateDirectoryA
GlobalUnlock
GetDiskFreeSpaceA
GlobalLock
SetErrorMode
GetVersion
lstrcpynA
GetCommandLineA
GetTempPathA
lstrlenA
SetEnvironmentVariableA
ExitProcess
GetWindowsDirectoryA
GetCurrentProcess
GetModuleFileNameA
CopyFileA
GetTickCount
Sleep
GetFileSize
GetFileAttributesA
SetCurrentDirectoryA
SetFileAttributesA
GetFullPathNameA
GetShortPathNameA
MoveFileA
CompareFileTime
SetFileTime
SearchPathA
lstrcmpiA
lstrcmpA
CloseHandle
GlobalFree
GlobalAlloc
ExpandEnvironmentStringsA
LoadLibraryExA
FreeLibrary
lstrcpyA
lstrcatA
FindClose
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
SetFilePointer
GetModuleHandleA
FindNextFileA
FindFirstFileA
DeleteFileA
MulDiv

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
#/RealtekHDAudio.exe
.exe windows:6 windows x64 arch:x64

Password: 2024

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6.9MB - Virtual size: 6.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 396B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: 11.5MB - Virtual size: 11.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
CheaterRun/README !!!.txt
CheaterRun/dllhelper64.dll
.dll windows:5 windows x64 arch:x64

Password: 2024

c8820c92458429ac52b291ca51bad0e4

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2031, 00:00

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:55:db:cf:a2:75:1e:85:ba:b8:2f:2a:ea:1c:f2:e8
Certificate

Issuer

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/04/2020, 00:00

Not After

16/06/2023, 12:00

Subject

SERIALNUMBER=1962832,CN=International Media Ltd,O=International Media Ltd,ST=Tortola,C=VG,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13025647

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2031, 00:00

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

02:d6:da:1a:da:8f:d6:b3:69:a2:ea:e1:6a:07:31:ef
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/04/2020, 00:00

Not After

16/06/2023, 12:00

Subject

SERIALNUMBER=1962832,CN=International Media Ltd,O=International Media Ltd,ST=Tortola,C=VG,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13025647

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

24:c2:ef:fc:08:27:a1:fb:4b:f8:58:8b:3e:f5:7e:3c:b5:71:4e:26:20:7b:ed:13:a8:4a:0f:30:7b:4b:50:94
Signer

Actual PE Digest

24:c2:ef:fc:08:27:a1:fb:4b:f8:58:8b:3e:f5:7e:3c:b5:71:4e:26:20:7b:ed:13:a8:4a:0f:30:7b:4b:50:94

Digest Algorithm

sha256

PE Digest Matches

true

37:3f:c6:23:c3:cf:ff:ba:35:17:70:cb:48:f8:d5:ed:57:d9:b5:83
Signer

Actual PE Digest

37:3f:c6:23:c3:cf:ff:ba:35:17:70:cb:48:f8:d5:ed:57:d9:b5:83

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

EnterCriticalSection
RtlUnwindEx
GetACP
CloseHandle
LocalFree
TlsAlloc
GetTickCount
OpenFileMappingW
VirtualFree
GetStartupInfoW
ExitProcess
InitializeCriticalSection
VirtualAlloc
RtlUnwind
GetCPInfo
GetCommandLineW
GetSystemInfo
GetProcAddress
LeaveCriticalSection
EnumSystemLocalesW
GetStdHandle
GetVersionExW
VerifyVersionInfoW
GetModuleHandleW
FreeLibrary
GetDiskFreeSpaceW
VerSetConditionMask
GetUserDefaultUILanguage
FindFirstFileW
TlsFree
GetModuleFileNameW
GetLastError
lstrlenW
CompareStringA
CompareStringW
CreateThread
WideCharToMultiByte
MapViewOfFile
MultiByteToWideChar
FindClose
LoadLibraryW
LoadLibraryA
ResetEvent
SetEvent
GetLocaleInfoW
GetVersion
RaiseException
SwitchToThread
GetLocalTime
WaitForSingleObject
WriteFile
DeleteCriticalSection
TlsGetValue
IsValidLocale
TlsSetValue
LoadLibraryExW
GetSystemDefaultUILanguage
EnumCalendarInfoW
LocalAlloc
GetCurrentThreadId
UnhandledExceptionFilter
VirtualQuery
CreateEventW
GetThreadLocale
Sleep
SetThreadLocale

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

user32

CallNextHookEx
CharUpperBuffW
CharNextW
CharLowerBuffW
SetWindowsHookExW
UnhookWindowsHookEx
LoadStringW
CharUpperW
GetSystemMetrics
MessageBoxW

oleaut32

SysAllocStringLen
SysFreeString
SysReAllocStringLen

netapi32

NetWkstaGetInfo
NetApiBufferFree

advapi32

RegQueryValueExW
RegCloseKey
RegOpenKeyExW

Exports

Exports

StartHook
StopHook

Sections

.text
Size: 164KB - Virtual size: 164KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 41KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 1024B - Virtual size: 608B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 153B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 69B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
CheaterRun/resources/AdobePIM.dll
.dll windows:5 windows x86 arch:x86

Password: 2024

bad4069efbb0fea858e33d102d409210

Code Sign

05:35:93:bf:71:f7:48:1b:9f:b7:6b:cb:4e:cc:f5:78
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

19/12/2020, 00:00

Not After

20/12/2022, 23:59

Subject

SERIALNUMBER=2748129,CN=Adobe Inc.,OU=AAM 256,O=Adobe Inc.,L=San Jose,ST=ca,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ec:cc:74:af:3f:ff:e1:cd:b7:59:c9:19:0e:52:ca:a8:49:7b:fe:33:5c:94:8a:f7:0d:ba:cb:7d:44:1f:28:93
Signer

Actual PE Digest

ec:cc:74:af:3f:ff:e1:cd:b7:59:c9:19:0e:52:ca:a8:49:7b:fe:33:5c:94:8a:f7:0d:ba:cb:7d:44:1f:28:93

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\jenkins\CI\CCCore\build\x64\main\ccd-core\build\msvs_win32\Release\x86\sym\PIM\PIM\AdobePIM.pdb

Imports

kernel32

GetCurrentProcessId
CreateSemaphoreW
AreFileApisANSI
ReadFile
TryEnterCriticalSection
HeapCreate
HeapFree
EnterCriticalSection
GetFullPathNameW
WriteFile
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
LeaveCriticalSection
InitializeCriticalSection
SetFilePointer
GetFullPathNameA
SetEndOfFile
UnlockFileEx
CreateFileW
GetFileAttributesW
GetCurrentThreadId
UnmapViewOfFile
HeapValidate
HeapSize
GetTempPathA
FormatMessageW
GetDiskFreeSpaceA
GetFileAttributesA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
CreateFileA
LoadLibraryA
WaitForSingleObjectEx
DeleteFileA
DeleteFileW
HeapReAlloc
GetSystemInfo
LoadLibraryW
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
GetProcAddress
LockFileEx
GetFileSize
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetSystemTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
ReleaseSemaphore
MultiByteToWideChar
GetTempPathW
CreateDirectoryW
GetDateFormatW
GetTimeFormatW
GetLocalTime
GetCommandLineW
GetExitCodeProcess
lstrcmpW
lstrcmpiW
CopyFileW
CreateProcessW
LocalFree
ResetEvent
CreateThread
CloseHandle
OpenSemaphoreW
Process32FirstW
GetDiskFreeSpaceExW
ReleaseMutex
SetEvent
Process32NextW
Sleep
CreateEventW
CreateToolhelp32Snapshot
SetFileAttributesW
OpenProcess
GetVersionExW
LocalAlloc
WaitForSingleObject
FindClose
RemoveDirectoryW
TerminateProcess
FindNextFileW
FindFirstFileW
DeleteCriticalSection
DecodePointer
RaiseException
GetLastError
WriteConsoleW
SetStdHandle
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindFirstFileExW
GetConsoleCP
ReadConsoleW
GetConsoleMode
GetFileType
GetStdHandle
EnumSystemLocalesW
IsValidLocale
ExitProcess
GetTimeZoneInformation
GetModuleHandleExW
ExitThread
RtlUnwind
InterlockedFlushSList
InterlockedPushEntrySList
LoadLibraryExW
FreeLibraryAndExitThread
GetStartupInfoW
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
QueryPerformanceFrequency
GetLocaleInfoW
CompareStringW
InitializeCriticalSectionEx
EncodePointer
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
CreateMutexW
InitializeCriticalSectionAndSpinCount
GetExitCodeThread
SwitchToThread
GetStringTypeW
GetCurrentProcess
GetFileSizeEx
lstrlenW
GetACP
SetFilePointerEx
GlobalFree
ResumeThread
TerminateThread
SetThreadPriority
GetCurrentThread
SizeofResource
GetModuleFileNameW
LockResource
LoadResource
FindResourceW
MoveFileExW
GlobalAlloc
VerSetConditionMask
GetModuleHandleW
VerifyVersionInfoW
SetLastError
DuplicateHandle
ProcessIdToSessionId
FindResourceExW
lstrcpyW
GetThreadTimes
QueryFullProcessImageNameW
GetUserDefaultLangID
GetUserDefaultLCID
LCMapStringW
FileTimeToSystemTime
OpenMutexW
VirtualFree
VirtualAlloc
GetUserDefaultUILanguage

user32

wsprintfW
GetWindowThreadProcessId
GetShellWindow
EnumWindows

advapi32

CryptAcquireContextW
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
LookupAccountSidW
CreateWellKnownSid
EqualSid
GetTokenInformation
DuplicateTokenEx
GetUserNameW
ConvertSidToStringSidW
ImpersonateLoggedOnUser
ConvertStringSidToSidW
RevertToSelf
CryptReleaseContext
SetSecurityDescriptorDacl
RegCloseKey
RegDeleteKeyExW
AllocateAndInitializeSid
SetEntriesInAclW
RegCreateKeyExW
RegSetValueExW
FreeSid
InitializeSecurityDescriptor
RegOpenKeyExW
RegDeleteValueW
RegQueryValueExW
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptCreateHash

shell32

SHGetKnownFolderPath
ord680
SHGetFolderLocation
SHGetFolderPathW
SHGetPathFromIDListW
ShellExecuteExW
SHCreateDirectoryExW
SHCreateItemFromParsingName
SHGetSpecialFolderPathW
CommandLineToArgvW
ord51

ole32

OleRun
CLSIDFromProgID
StringFromGUID2
CoCreateGuid
CoInitializeSecurity
CoSetProxyBlanket
CoUninitialize
CoCreateInstance
CoInitializeEx
CoInitialize
CLSIDFromString
CoTaskMemFree

oleaut32

VariantInit
SysFreeString
SysAllocString
VariantClear
GetErrorInfo
VariantCopy
SysStringLen
VariantChangeType

msi

ord145
ord74
ord147

winhttp

WinHttpSendRequest
WinHttpSetCredentials
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpOpenRequest
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpQueryAuthSchemes
WinHttpGetIEProxyConfigForCurrentUser
WinHttpCloseHandle
WinHttpSetOption
WinHttpReadData
WinHttpSetTimeouts

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

psapi

GetProcessImageFileNameW
GetModuleFileNameExW
EnumProcessModules

wtsapi32

WTSEnumerateSessionsW
WTSFreeMemory

shlwapi

PathFileExistsW
PathIsDirectoryW
PathRenameExtensionW
PathAppendW
PathRemoveBackslashW
PathStripPathW
PathAppendA
PathFindFileNameW
PathRemoveFileSpecW
PathFileExistsA
PathIsRootW
PathIsSystemFolderW
PathIsDirectoryEmptyW
PathIsDirectoryA
PathRemoveFileSpecA
PathRemoveExtensionW
PathAddExtensionW
PathIsFileSpecW

crypt32

CertGetNameStringW

wintrust

WinVerifyTrust
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
WTHelperGetProvCertFromChain

bcrypt

BCryptOpenAlgorithmProvider
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptHashData

Exports

Exports

AAMIU_Uninstall
AAMIU_getDeploymentValidationStatus
AAMIU_preInstallPropertySet
pim_createLibraryRef
pim_freeLibraryRef
pim_freeLiraryRef
pim_freeString
pim_getAppletAndPackageInfo
pim_getAppletRegistrationInfo
pim_getAppletRelationshipInfo
pim_getCurrentCCVersion
pim_getCurrentPackagesVersion
pim_getInstallStatus
pim_getInstalledPackagesInfo
pim_launchACCCUninstallerExecutableAsAdmin
pim_selfUpdateCheck
pim_selfUpdateCheckWithData
pim_selfUpdateCheckWithDataV2
pim_startWorkflow
pim_startWorkflowWithData
pim_syncFromPathToACF
pim_syncFromPathToPath
pim_syncUSFToACF
pim_uninstallAAMFromAAMCleanerTool
pim_uninstallAAMUsingAAMCleanerTool
pim_uninstallACCC64FromACCCCleanerTool
pim_uninstallACCCFromACCCCleanerTool
pim_uninstallADC64UsingADCCleanerTool
pim_uninstallADCUsingADCCleanerTool

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 366KB - Virtual size: 366KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CheaterRun/resources/Config.xml
.xml
CheaterRun/resources/content/images/appIcon.png
.png

Password: 2024

Sharing

General

Malware Config

Signatures

Files

Password: 2024

Password: 2024

ced282d9b261d1462772017fe2f6972b

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

shell32

ole32

comctl32

user32

gdi32

kernel32

Sections

.text Size: 25KB - Virtual size: 25KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1KB - Virtual size: 149KB

.ndata Size: - Virtual size: 32KB

.rsrc Size: 68KB - Virtual size: 67KB

Password: 2024

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 34KB - Virtual size: 33KB

.rdata Size: 11KB - Virtual size: 11KB

.data Size: 6.9MB - Virtual size: 6.9MB

.pdata Size: 512B - Virtual size: 396B

.00cfg Size: 512B - Virtual size: 16B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 512B - Virtual size: 120B

.idata Size: 512B - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.themida Size: 11.5MB - Virtual size: 11.5MB

.reloc Size: 16B - Virtual size: 4KB

Password: 2024

c8820c92458429ac52b291ca51bad0e4

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77Certificate

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

03:55:db:cf:a2:75:1e:85:ba:b8:2f:2a:ea:1c:f2:e8Certificate

Extended Key Usages

Key Usages

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06Certificate

Extended Key Usages

Key Usages

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77Certificate

Key Usages

02:d6:da:1a:da:8f:d6:b3:69:a2:ea:e1:6a:07:31:efCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

24:c2:ef:fc:08:27:a1:fb:4b:f8:58:8b:3e:f5:7e:3c:b5:71:4e:26:20:7b:ed:13:a8:4a:0f:30:7b:4b:50:94Signer

37:3f:c6:23:c3:cf:ff:ba:35:17:70:cb:48:f8:d5:ed:57:d9:b5:83Signer

Headers

File Characteristics

Imports

kernel32

version

user32

.text
Size: 25KB - Virtual size: 25KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1KB - Virtual size: 149KB

.ndata
Size: - Virtual size: 32KB

.rsrc
Size: 68KB - Virtual size: 67KB

.text
Size: 34KB - Virtual size: 33KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 6.9MB - Virtual size: 6.9MB

.pdata
Size: 512B - Virtual size: 396B

.00cfg
Size: 512B - Virtual size: 16B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 512B - Virtual size: 120B

.idata
Size: 512B - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.themida
Size: 11.5MB - Virtual size: 11.5MB

.reloc
Size: 16B - Virtual size: 4KB

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

03:55:db:cf:a2:75:1e:85:ba:b8:2f:2a:ea:1c:f2:e8
Certificate

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

02:d6:da:1a:da:8f:d6:b3:69:a2:ea:e1:6a:07:31:ef
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

24:c2:ef:fc:08:27:a1:fb:4b:f8:58:8b:3e:f5:7e:3c:b5:71:4e:26:20:7b:ed:13:a8:4a:0f:30:7b:4b:50:94
Signer

37:3f:c6:23:c3:cf:ff:ba:35:17:70:cb:48:f8:d5:ed:57:d9:b5:83
Signer

.text
Size: 164KB - Virtual size: 164KB

.data
Size: 19KB - Virtual size: 18KB

.bss
Size: - Virtual size: 41KB

.idata
Size: 3KB - Virtual size: 3KB

.didata
Size: 1024B - Virtual size: 608B

.edata
Size: 512B - Virtual size: 153B

.rdata
Size: 512B - Virtual size: 69B

.reloc
Size: 8KB - Virtual size: 7KB

.pdata
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 5KB - Virtual size: 5KB

05:35:93:bf:71:f7:48:1b:9f:b7:6b:cb:4e:cc:f5:78
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

ec:cc:74:af:3f:ff:e1:cd:b7:59:c9:19:0e:52:ca:a8:49:7b:fe:33:5c:94:8a:f7:0d:ba:cb:7d:44:1f:28:93
Signer

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 366KB - Virtual size: 366KB

.data
Size: 21KB - Virtual size: 29KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 72KB - Virtual size: 71KB