client[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

client.exe
Size

6.9MB
MD5

d6ddbd3ad11da51c91ab08f71faa378e
SHA1

132b6b1f27484b97763fdfa17967967f62b3eaf8
SHA256

a2c58e28095d7936171b0ca1ae501956d12603e0cdf592d6c2d26103b6cd314d
SHA512

79fe86a4a4bade97c9598acd6e2ef0e74382568cc30d79756601500895a699b97c04c421e071eb5e7ce3dc549d99b1debbf415d32f10dd37d2adcc0235140803
SSDEEP

98304:sTnIL4vw68rpD5HU2W4/p0+9R2I3BbL+ebB7Unp4Akcbkw0+tJVyskQuGqQf3sc5:sMrr93pHdh+aBQpkCNJuGqLc3o6

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
client.exe

Files

client.exe
.exe windows:6 windows x64 arch:x64

Password: ppp

b158a4c36c8d5fd3f26284396b70fd38

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

WSACleanup
__WSAFDIsSet
accept
bind
WSAIoctl
closesocket
WSASend
select
ntohl
listen
WSASetLastError
WSASocketW
getaddrinfo
WSAStartup
getpeername
getsockname
ntohs
connect
shutdown
socket
send
recv
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
inet_addr
gethostbyname
WSAAddressToStringW
WSARecv
getsockopt
htonl
htons
freeaddrinfo
ioctlsocket
setsockopt
WSAGetLastError

kernel32

GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
GetModuleHandleA
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
VerSetConditionMask
GetModuleHandleW
FreeLibrary
QueryPerformanceCounter
VirtualFree
VirtualAlloc
CreateFileW
GetCurrentThreadId
GetCurrentProcessId
GetTempPathW
SetWaitableTimer
TlsSetValue
SetLastError
GetCurrentProcess
CreateWaitableTimerW
WaitForMultipleObjects
InitializeCriticalSectionAndSpinCount
GetQueuedCompletionStatus
CreateMutexA
OpenProcess
PostQueuedCompletionStatus
CreateToolhelp32Snapshot
CreateEventW
Process32NextW
SetEvent
GetCurrentThread
TerminateThread
TlsAlloc
Process32FirstW
QueueUserAPC
GetThreadContext
LocalFree
GlobalMemoryStatusEx
GetConsoleWindow
SleepEx
TlsGetValue
TlsFree
CreateDirectoryA
FormatMessageA
CreateIoCompletionPort
VirtualQuery
IsDebuggerPresent
CheckRemoteDebuggerPresent
GetSystemInfo
InitializeCriticalSectionEx
VirtualProtect
Thread32Next
Thread32First
MultiByteToWideChar
ResumeThread
GetExitCodeProcess
SetThreadContext
OpenThread
GetFileSizeEx
ReadFile
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
IsBadReadPtr
ConvertThreadToFiberEx
InitializeCriticalSection
InitializeConditionVariable
FindClose
FindFirstFileW
FindNextFileW
LoadLibraryW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
GetLocaleInfoEx
GetFileAttributesW
AreFileApisANSI
OutputDebugStringW
ResetEvent
WaitForSingleObjectEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
LeaveCriticalSection
GetProcessHeap
DeleteCriticalSection
GlobalAlloc
CloseHandle
Sleep
SuspendThread
GetProcessId
DeviceIoControl
EnterCriticalSection
HeapFree
SystemTimeToFileTime
ConvertFiberToThread
WriteFile
GetFileType
GetStdHandle
HeapAlloc
HeapReAlloc
DeleteFileA
CreateFileA
GetLastError
FlushInstructionCache
WaitForSingleObject
GetACP
CreateFiberEx
DeleteFiber
SwitchToFiber
GetEnvironmentVariableW
GetSystemDirectoryA
GetSystemTimeAsFileTime
GetModuleHandleExW
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockShared
GetSystemTime
ReleaseSRWLockExclusive
InitializeSRWLock
HeapCreate
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
SetLastError
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

EmptyClipboard
EnumDisplayDevicesA
MonitorFromPoint
GetWindowRect
SetWindowLongPtrW
DispatchMessageW
SetWindowLongA
PeekMessageW
GetMonitorInfoA
DefWindowProcA
CreateWindowExA
TranslateMessage
GetWindowLongPtrA
PostQuitMessage
GetDesktopWindow
SetWindowLongPtrA
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
RegisterClassExA
GetWindowLongW
DefWindowProcW
AdjustWindowRectEx
GetKeyState
DestroyWindow
GetDC
SetWindowPos
MonitorFromWindow
EnumDisplayMonitors
CreateWindowExW
ScreenToClient
SetWindowTextW
RegisterClassExW
MessageBoxA
GetClipboardData
CloseClipboard
OpenClipboard
GetCursorPos
ReleaseDC
SetCursorPos
IsIconic
SetForegroundWindow
ReleaseCapture
UpdateWindow
IsWindowUnicode
GetClientRect
SetWindowLongW
SetCursor
SetCapture
LoadCursorW
BringWindowToTop
SetFocus
SetLayeredWindowAttributes
GetForegroundWindow
UnregisterClassW
SetClipboardData
WindowFromPoint
ShowWindow
GetCapture
GetMonitorInfoW
ClientToScreen
IsChild
TrackMouseEvent
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

gdi32

GetObjectW
SelectObject
CreateRectRgn
DeleteObject
DeleteDC
CreateCompatibleBitmap
GetDeviceCaps
CreateCompatibleDC
BitBlt

advapi32

ReportEventW
CryptReleaseContext
CryptGenRandom
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
RegisterEventSourceW
DeregisterEventSource
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegSetKeyValueW
RegCloseKey
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
CryptAcquireContextW

shell32

ShellExecuteExW
ShellExecuteExA

ole32

CoInitializeEx
CreateStreamOnHGlobal
CoInitializeSecurity
CoCreateInstance
CoUninitialize
CoSetProxyBlanket

oleaut32

SysAllocString
VariantClear
SysFreeString

msvcp140

?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?toupper@?$ctype@D@std@@QEBADD@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?copyfmt@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAAEAV12@AEBV12@@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Throw_Cpp_error@std@@YAXH@Z
?_Xbad_function_call@std@@YAXXZ
?_Throw_C_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_detach
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$numpunct@D@std@@2V0locale@2@A
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
_Query_perf_frequency
_Thrd_sleep
_Query_perf_counter
_Xtime_get_ticks
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?classic@locale@std@@SAAEBV12@XZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?id@?$ctype@D@std@@2V0locale@2@A
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
_Mtx_destroy_in_situ
?__ExceptionPtrDestroy@@YAXPEAX@Z
_Mtx_lock
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
_Mtx_init_in_situ
_Mtx_unlock
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??_D?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_K@Z
?getline@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?_Random_device@std@@YAIXZ

shlwapi

ord213
ord214
ord184

gdiplus

GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipCreateBitmapFromScan0
GdiplusShutdown
GdipGetImageEncoders
GdiplusStartup

d3d11

D3D11CreateDeviceAndSwapChain

imm32

ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

d3dcompiler_47

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea
DwmEnableBlurBehindWindow
DwmIsCompositionEnabled
DwmGetColorizationColor

ntdll

RtlCaptureContext
RtlVirtualUnwind
RtlInitUnicodeString
NtQuerySystemInformation
RtlLookupFunctionEntry

urlmon

URLDownloadToFileA

vcruntime140_1

__CxxFrameHandler4

vcruntime140

_CxxThrowException
__intrinsic_setjmp
__current_exception_context
__current_exception
wcsstr
memcmp
memchr
memset
memmove
memcpy
longjmp
strrchr
__std_type_info_compare
__C_specific_handler
strstr
strchr
_purecall
__std_terminate
__std_exception_copy
__std_exception_destroy

api-ms-win-crt-stdio-l1-1-0

setvbuf
__stdio_common_vfprintf
__acrt_iob_func
ungetc
feof
fwrite
fgetc
fsetpos
fseek
fclose
_wfopen
ftell
fread
fflush
fputc
fopen
_fseeki64
__stdio_common_vswprintf
_set_fmode
_setmode
__stdio_common_vsscanf
__stdio_common_vsprintf
_fileno
ferror
fgets
fgetpos
__p__commode
fputs
_get_stream_buffer_pointers
__stdio_common_vsprintf_s

api-ms-win-crt-heap-l1-1-0

calloc
realloc
_set_new_mode
free
malloc
_callnewh

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_configure_narrow_argv
_c_exit
abort
__p___argv
_initialize_narrow_environment
_errno
__p___argc
_invalid_parameter_noinfo_noreturn
_beginthreadex
_exit
terminate
raise
strerror_s
_initialize_onexit_table
signal
_initterm_e
_register_onexit_function
_initterm
_crt_atexit
exit
_resetstkoflw
_get_initial_narrow_environment
system
_cexit
_set_app_type
_seh_filter_exe

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file
_wremove
_stat64i32

api-ms-win-crt-math-l1-1-0

_dsign
_fdsign
_ldsign
sqrtf
_fdclass
ldexp
_dclass
acosf
__setusermatherr
ceilf
cosf
fmaf
pow
powf
_finite
sinf
_ldclass
_isnan

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
localeconv

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64_s
_localtime64_s
strftime
clock

api-ms-win-crt-string-l1-1-0

strncmp
tolower
toupper
isdigit
strncpy
strcspn
strncpy_s
strcmp
_stricmp
isspace
strcat_s
strcpy_s
strspn

api-ms-win-crt-convert-l1-1-0

strtol
strtoul
atoi

api-ms-win-crt-utility-l1-1-0

qsort
srand
rand

api-ms-win-crt-environment-l1-1-0

getenv

crypt32

CertFreeCertificateContext
CertOpenSystemStoreW
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertOpenStore

wtsapi32

WTSSendMessageW

Exports

Exports

��/E��J|m�i$� wɬ��2�wT�p��f�V�7.1N+I.c��|��yF��2%ƕR��}��*(�x��+߸F'��w�P�G7��} q݌��Yh�CN֕)/,B �w�OmV�c��h`��^J��:\"�75��j,��(�SP)|�y�mS<Q�{�OW_��q��z�g?�Gp�.K~;s峵,ߗ��D�S��Mh�Ŭ�:萬T�f��W��^|y��ۿ��m1��7)��^F�m�Y{)�Q�J��ȆY��A�8�6[� L��нX �mb��S8 ?�}]�T�pb*X[�v��I�bV�d�� Ny�Yx��_~}g@_�4=b^Lo�2��a�4x��<k2l�!�J ��[Z3Q6�j0��VW5�k��Rd�r��Ւ��U�36��nE�<��˴z[�un*��,�c"� Xlҩxm �$�@��- ��@��A��[��;�`�Mk�3]�rЀ4��Fe��c�c��8�~�fX!�c-Z�坓|yI�s�� &�[��o˯,5a�iɄ�s�~�ajb��>byI�q��!�>��?s17�4<��\��_ɡ��3;"�(7Y��g�Z��Q.`+)Y�k�D��'��.��_�s ۓ`�O�rZ<Gl��9R�"ZA9��J�+륫YN~��t�ۅh��x�KП0Oy��G��C�bl��=%�v��qAu>�6�s�'(�$�Q��8�^�o�;Hѥ )��7$�1�W��~/+��:��};n%��H�2G��8��|#�Z8��/w�R��uRG��111��$��ns��0�V~Uw՚M��VM�oZFqp%�ֆ��!EV�� |��r[Ҝ��#6d�F�Z�P^��9�z�7`��]��w,��XH!0��ԋ5>}�t9|�nl9��\��a�J��#b��6��'1��:<�15GY�wd��1qKN�N)��7c]5*��&fDX7�v��c��0� �p��r�w�C8f�uN��6t~��1<x|&�K�n�:��B��^�J��b�9S�kEׁ��CU��l@��ţb�@��M ��ex�"e��O�P��)�Z��OH.q��N�i��h~i� �)02�]��\3�SZ��<AL bi&��i��q^Y� �7��?]8F��;�w�¿!ͅ�A��r>�6X��bݫ�jH�1.�� zi��+�Ӛ��)�1^��JMK��I�Y�7v��R�<"�ܜ򭃁��x��2Sb��3��O(��2�5��`�3[��P��bJ��g�h>�jd(�7�oĐ:�@��0d.��-M�A�ѯ�!�\G�R��ቶ}�G�b\��#�\�� *�h��49�/C*P+�9a� ��7IvE(ȑ��Vo1��o��^:G5��!�i�t��jn��+a-̽AJU��,�tŔ�&�`��% ��9�Z��e��#P�8��`k��4�g��͹�9��h�m��/�4�cDM��C';8�bx�'��}��!3��k�"��`�"qtXYñ�)��{�"]w�V^U<�X��b��42��dd��ȣ�p��jdc�\�n��έ��hMW��R��u��|.��s��:?��C$1/��P�b3C�r� WX�U�]�^i�� _�~��NV�f�r�7��f�iP[x��GC��t��M��G�M��HZ��o�\0��D��'Y"�`��~��B@V�?��&GK�Pf؜��#��r蹧��eZ��m��m��.N,+'1Wӗ��)��C/&R�u6��|��آ��j^�&*��h��_�;�c�(�a��P�a7�H�\f��2X}��,q̺��>�;Ү}C2߿��N>�� [-?�±6U�� Q��>��4�<O,Uݓ��1{� �T��n��k� ?�>w��=n]��a��nK��#Jx��N�ը9��g��5��.іud =\�o��7��V�-�`Q��l�ğ��%��L?�s��<�t�L��2j �ݕ��dG/��<Z��Ȫ/��0?�aU�P��Н&��,Ms��E��3��Y�4��6m,��h�f ��⽹L5�?��w��:6��ڄ��|�SM�QI�ҁ%�<��QL*p�[]��X�<��<StR��PU�k�O� S��q�-6�0So/�!�0�g��%��׸b>�e<��8��b�j��=�N~ޡ�w��JP��F�T�4��@6��D��i�yx=yW-� T,��ƽ�n�K H�ee��|vt��i��JaC9��D�Rϝמ�T�K�?�ԍ�i�F�m7��~At��%��g</��h�qԤ8:I҄��ڶP/��^�<(��4�}�'J�_�ћ�j%��ะ�?o�7�c:�E�~'��c끤s��6ۥV�у<iI[�١��]��s�Z��/󔒾��nw�$PQ�S��8O[� ��W?�&��e��3��7��k\FW}��F�{��L�VZn��hf��!ï�pw�4hZ��$.��ק@ #)��T��Q 됲 ��B%Q@�> �V%졣D�kZ|IG��џ)T`�f��fS�[��M��8\v��8�6�"��G�hI��QQR��*Ѳ��ZY�j��`,ˋ�K�4Ap�iJȈ~{��e$%E �'vdḓ�Z��#i��6e7�J��Ze��9��Eje��o��Zl��M�ӄ�w|��)�L��T��~~��~w^i�껆�ؽEv�q�"AK�?R7��Z)�s�V��32��D])��Q�� "��D>d눈x@�F7d-��;��ȐC�r{�\NW��Z�ic��v|��hM'�f��T��t�)��vr

Sections

.text
Size: - Virtual size: 4.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 102KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 6.9MB - Virtual size: 6.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: ppp

b158a4c36c8d5fd3f26284396b70fd38

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

msvcp140

shlwapi

gdiplus

d3d11

imm32

d3dcompiler_47

dwmapi

ntdll

urlmon

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-environment-l1-1-0

crypt32

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 4.6MB

.rdata Size: - Virtual size: 1.3MB

.data Size: - Virtual size: 102KB

.pdata Size: - Virtual size: 172KB

.vmp0 Size: - Virtual size: 2.9MB

.vmp1 Size: 6.9MB - Virtual size: 6.9MB

.rsrc Size: 512B - Virtual size: 480B

.text
Size: - Virtual size: 4.6MB

.rdata
Size: - Virtual size: 1.3MB

.data
Size: - Virtual size: 102KB

.pdata
Size: - Virtual size: 172KB

.vmp0
Size: - Virtual size: 2.9MB

.vmp1
Size: 6.9MB - Virtual size: 6.9MB

.rsrc
Size: 512B - Virtual size: 480B