Release[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Release.rar
Size

26.5MB
MD5

2d7120cce5003755309fc9215ff5abee
SHA1

739a591ecd500f1708d0dfcdca70e1dd4757b53d
SHA256

b0dd085cd406ed9d9ef68b4cd4a0af4c390c52fd3d174a0789be25e1423084e5
SHA512

ab7c9a280df8b1242bc66e7e5c9372beed62dc33fd67c70de5d44821b37b4c20a80b33e0ad5c461c71e250c668654118f196fc14a2a8f412115bec0f0c3ca198
SSDEEP

393216:2aC1F/X8m3A0GU9TXEEF/IlayF+8nEpckYcgJM/LDuTEbZsCqk3eM70dd593klXS:2fFT9Xo2PcRJADqE2Jk3enKXS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/XeyWare Tool.exe

Files

Release.rar
.rar
DirectML.Debug.dll
.dll windows:6 windows x64 arch:x64

a5e8e970bdcf7b222ff55714f5d9785a

Code Sign

33:00:00:03:af:30:40:0e:4c:a3:4d:05:41:00:00:00:00:03:af
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:09

Not After

14/11/2024, 19:09

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:86:93:f6:81:67:29:cf:6e:be:7e:3e:a3:47:06:06:66:3b:ab:70:e8:5b:22:86:af:47:80:42:b8:ab:1a:98
Signer

Actual PE Digest

03:86:93:f6:81:67:29:cf:6e:be:7e:3e:a3:47:06:06:66:3b:ab:70:e8:5b:22:86:af:47:80:42:b8:ab:1a:98

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\__w\1\s\build\x64-win-redist-release\bin\DirectML.Debug.pdb

Imports

kernel32

IsDebuggerPresent
DebugBreak
OutputDebugStringW
CloseHandle
GetLastError
SetLastError
HeapAlloc
HeapFree
GetProcessHeap
ReleaseSemaphore
ReleaseMutex
WaitForSingleObject
WaitForSingleObjectEx
OpenSemaphoreW
CreateMutexExW
CreateSemaphoreExW
GetCurrentProcessId
GetCurrentThreadId
GetModuleFileNameA
GetModuleHandleW
GetModuleHandleExW
GetProcAddress
FormatMessageW
OutputDebugStringA
WriteConsoleW
FormatMessageA
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
LocalFree
GetLocaleInfoEx
EncodePointer
DecodePointer
MultiByteToWideChar
LCMapStringEx
GetStringTypeW
CompareStringEx
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
RtlPcToFileHeader
RaiseException
RtlUnwindEx
InterlockedPushEntrySList
InterlockedFlushSList
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleFileNameW
GetCurrentThread
GetStdHandle
GetFileType
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
HeapReAlloc
SetConsoleCtrlHandler
GetTimeZoneInformation
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetFileSizeEx
SetFilePointerEx
SetStdHandle
HeapSize
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
ReadFile
ReadConsoleW
CreateFileW
RtlUnwind

Exports

Exports

DMLCreateDebugDevice

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 487KB - Virtual size: 487KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 102KB - Virtual size: 102KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 1024B - Virtual size: 640B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DirectML.dll
.dll windows:6 windows x64 arch:x64

0eb962894c1f1cf400b452799094c50a

Code Sign

33:00:00:03:af:30:40:0e:4c:a3:4d:05:41:00:00:00:00:03:af
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:09

Not After

14/11/2024, 19:09

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

42:01:9d:23:ed:83:f5:b2:12:0a:cf:48:be:3a:4b:8a:81:99:0c:5d:a0:fa:25:be:04:46:88:91:15:4b:89:59
Signer

Actual PE Digest

42:01:9d:23:ed:83:f5:b2:12:0a:cf:48:be:3a:4b:8a:81:99:0c:5d:a0:fa:25:be:04:46:88:91:15:4b:89:59

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\__w\1\s\build\x64-win-redist-release\bin\DirectML.pdb

Imports

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetLastError
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-heap-l1-1-0

HeapReAlloc
GetProcessHeap
HeapFree
HeapAlloc
HeapSize

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
CreateSemaphoreExW
CreateMutexExW
OpenSemaphoreW
WaitForSingleObject
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
ReleaseMutex
TryAcquireSRWLockExclusive
ReleaseSemaphore
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetStartupInfoW
GetCurrentProcessId
TerminateProcess
GetCurrentProcess
TlsAlloc
ExitProcess
TlsGetValue
TlsSetValue
TlsFree

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
GetModuleFileNameW
GetModuleHandleW
DisableThreadLibraryCalls
LoadResource
FreeLibrary
GetModuleHandleExW
GetModuleFileNameA
GetProcAddress
LockResource

api-ms-win-core-localization-l1-2-0

GetCPInfo
FormatMessageW
GetLocaleInfoEx
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetLocaleInfoW
GetOEMCP
LCMapStringEx
IsValidLocale
GetACP
LCMapStringW

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventUnregister
EventWriteTransfer
EventRegister

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc

d3d12

D3D12SerializeVersionedRootSignature

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringEx
MultiByteToWideChar
GetStringTypeW
CompareStringW

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-file-l1-1-0

FindFirstFileExW
FindClose
CreateFileW
SetFilePointerEx
GetFileType
FlushFileBuffers
FindNextFileW
WriteFile

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlPcToFileHeader
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlUnwindEx

api-ms-win-core-interlocked-l1-1-0

InterlockedFlushSList
InitializeSListHead

api-ms-win-core-processenvironment-l1-1-0

SetEnvironmentVariableW
GetCommandLineA
SetStdHandle
GetCommandLineW
GetEnvironmentStringsW
GetStdHandle
FreeEnvironmentStringsW

api-ms-win-core-fibers-l1-1-0

FlsSetValue
FlsFree
FlsGetValue
FlsAlloc

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

GetConsoleMode
WriteConsoleW
GetConsoleOutputCP

api-ms-win-core-timezone-l1-1-0

GetTimeZoneInformation

api-ms-win-appmodel-runtime-l1-1-0

GetCurrentPackageFullName

Exports

Exports

DMLCreateDevice
DMLCreateDevice1

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15.1MB - Virtual size: 15.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 99KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 138KB - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 1024B - Virtual size: 640B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 7.7MB - Virtual size: 7.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
XeyWare Tool.exe
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 16.0MB - Virtual size: 16.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 167KB - Virtual size: 166KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
onnxruntime.dll
.dll windows:6 windows x64 arch:x64

db58dd2eb5b1901d2de51a4ee1a0e91a

Code Sign

33:00:00:03:ae:2d:35:51:c8:53:8f:55:1d:00:00:00:00:03:ae
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:08

Not After

14/11/2024, 19:08

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f7:b9:28:ea:34:8d:cd:04:cb:cb:f0:17:a2:1b:ae:0d:b9:81:e4:50:3b:f9:8c:81:95:e0:dc:c1:04:dd:1c:ea
Signer

Actual PE Digest

f7:b9:28:ea:34:8d:cd:04:cb:cb:f0:17:a2:1b:ae:0d:b9:81:e4:50:3b:f9:8c:81:95:e0:dc:c1:04:dd:1c:ea

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\_work\1\b\RelWithDebInfo\RelWithDebInfo\onnxruntime.pdb

Imports

kernel32

GetLastError
WideCharToMultiByte
LoadLibraryW
GetFileInformationByHandleEx
GetFileAttributesExW
CreateFileW
GetLocaleInfoEx
LocalFree
FindFirstFileW
LoadLibraryExA
VirtualQuery
VirtualProtect
RaiseException
AcquireSRWLockShared
ReleaseSRWLockShared
GetSystemTimePreciseAsFileTime
GetCurrentProcessorNumber
WakeConditionVariable
MultiByteToWideChar
FindClose
FindNextFileW
MapViewOfFile
CreateFileMappingW
FormatMessageA
SetLastError
SetFilePointerEx
SetThreadGroupAffinity
GetSystemInfo
DeleteFileW
GetCurrentThread
GetLogicalProcessorInformationEx
GetFileAttributesA
Sleep
GetModuleHandleA
UnmapViewOfFile
CreateFile2
GetFileAttributesW
GetEnvironmentVariableA
GetFinalPathNameByHandleW
RemoveDirectoryW
GetFileSizeEx
ReadFile
CreateDirectoryW
VerifyVersionInfoW
VerSetConditionMask
FreeLibrary
LoadLibraryExW
GetFullPathNameW
GetModuleFileNameW
VirtualAlloc
VirtualFree
CreateEventW
DebugBreak
GetProcessHeap
CreateMutexExW
GetProcAddress
HeapAlloc
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
OutputDebugStringW
FormatMessageW
ReleaseMutex
WaitForSingleObject
GetModuleHandleExW
ReleaseSemaphore
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
CreateDirectoryA
GetModuleHandleW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
InitOnceComplete
InitOnceBeginInitialize
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable

msvcp140

?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Xlength_error@std@@YAXPEBD@Z
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Mtx_unlock
?eof@ios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
?put@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@AEAVios_base@2@_WPEBUtm@@PEB_W4@Z
?_Getcat@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?id@?$numpunct@_W@std@@2V0locale@2@A
?id@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@2V0locale@2@A
?wclog@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
_Thrd_id
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
_Thrd_hardware_concurrency
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?_Syserror_map@std@@YAPEBDH@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_alloc@std@@YAXXZ
_Mbrtowc
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?_Xbad_function_call@std@@YAXXZ
?uncaught_exception@std@@YA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Winerror_map@std@@YAHH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??Bid@locale@std@@QEAA_KXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?classic@locale@std@@SAAEBV12@XZ
?id@?$ctype@_W@std@@2V0locale@2@A
?_Xinvalid_argument@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
_Query_perf_counter
_Xtime_get_ticks
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_K@Z
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAF@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@I@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??7ios_base@std@@QEBA_NXZ
??Bios_base@std@@QEBA_NXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?widen@?$ctype@_W@std@@QEBA_WD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_Incref@facet@locale@std@@UEAAXXZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_type_info_compare
__std_exception_destroy
memchr
__std_type_info_name
memcpy
memcmp
memmove
_CxxThrowException
__current_exception
memset
__current_exception_context
__RTtypeid
__std_type_info_destroy_list
__C_specific_handler
strchr
__std_terminate
_purecall
__std_exception_copy

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
_get_errno
_configure_narrow_argv
_seh_filter_dll
_set_errno
_errno
_invalid_parameter_noinfo_noreturn
_register_onexit_function
_execute_onexit_table
abort
_crt_atexit
_initialize_onexit_table
_invalid_parameter_noinfo
_initterm_e
_initterm
strerror_s
_cexit
_set_doserrno
_beginthreadex
__doserrno
terminate
strerror

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsnprintf_s
fwrite
fgetwc
_sopen_s
_write
ungetwc
fputwc
fclose
_close
__stdio_common_vswprintf
fputc
_read
fgetpos
setvbuf
__stdio_common_vsprintf_s
ungetc
fsetpos
fread
_fseeki64
_get_stream_buffer_pointers
fgetc
__acrt_iob_func
fflush
__stdio_common_vfprintf
__stdio_common_vsprintf
_wsopen_s

api-ms-win-crt-string-l1-1-0

isalpha
isalnum
towlower
tolower
iswspace
strcmp
isdigit
isspace
strncmp
strnlen
_towlower_l
_towupper_l
_strnicmp

api-ms-win-crt-convert-l1-1-0

strtol
strtoull
strtoll
strtof
_strtoi64
atoi
strtod

api-ms-win-crt-filesystem-l1-1-0

_wstat64
_fstat64i32
_unlock_file
_lock_file

api-ms-win-crt-heap-l1-1-0

malloc
free
_aligned_malloc
_aligned_free
_callnewh
calloc

advapi32

EventRegister
EventUnregister
EventSetInformation
EventWriteTransfer

api-ms-win-core-path-l1-1-0

PathCchRemoveBackslash
PathCchRemoveFileSpec

msvcp140_1

_Aligned_get_default_resource

api-ms-win-crt-time-l1-1-0

wcsftime
_localtime64_s
_difftime64
_gmtime64_s
_mktime64

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func
_create_locale
_free_locale

api-ms-win-crt-math-l1-1-0

_ldclass
acosf
asinf
atanf
ceil
ceilf
cos
cosf
coshf
exp
expf
floor
floorf
fmod
fmodf
log
_ldsign
llroundl
log10
ldexp
log2
logf
pow
_dsign
powf
sin
sinf
roundf
fmax
sinhf
scalbnf
ilogb
scalbn
ilogbf
sqrt
sqrtf
tanf
tanh
tanhf
rint
rintf
_fdsign
nearbyintf
nearbyint
asinhf
atanhf
acoshf
log1pf
remainderf

ole32

CoTaskMemAlloc
CoCreateFreeThreadedMarshaler

Exports

Exports

OrtGetApiBase
OrtGetWinMLAdapter
OrtSessionOptionsAppendExecutionProviderEx_DML
OrtSessionOptionsAppendExecutionProvider_CPU
OrtSessionOptionsAppendExecutionProvider_DML

Sections

.text
Size: 9.8MB - Virtual size: 9.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 403KB - Virtual size: 419KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 317KB - Virtual size: 316KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a5e8e970bdcf7b222ff55714f5d9785a

Code Sign

33:00:00:03:af:30:40:0e:4c:a3:4d:05:41:00:00:00:00:03:afCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

03:86:93:f6:81:67:29:cf:6e:be:7e:3e:a3:47:06:06:66:3b:ab:70:e8:5b:22:86:af:47:80:42:b8:ab:1a:98Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

Exports

Exports

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 487KB - Virtual size: 487KB

.data Size: 17KB - Virtual size: 25KB

.pdata Size: 102KB - Virtual size: 102KB

_RDATA Size: 1024B - Virtual size: 640B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 24KB - Virtual size: 23KB

0eb962894c1f1cf400b452799094c50a

Code Sign

33:00:00:03:af:30:40:0e:4c:a3:4d:05:41:00:00:00:00:03:afCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

42:01:9d:23:ed:83:f5:b2:12:0a:cf:48:be:3a:4b:8a:81:99:0c:5d:a0:fa:25:be:04:46:88:91:15:4b:89:59Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-memory-l1-1-0

d3d12

api-ms-win-core-string-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-fibers-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-appmodel-runtime-l1-1-0

Exports

Exports

Sections

.text Size: 3.0MB - Virtual size: 3.0MB

.rdata Size: 15.1MB - Virtual size: 15.1MB

.data Size: 99KB - Virtual size: 127KB

.pdata Size: 138KB - Virtual size: 138KB

_RDATA Size: 1024B - Virtual size: 640B

.rsrc Size: 7.7MB - Virtual size: 7.7MB

.reloc Size: 56KB - Virtual size: 55KB

Headers

DLL Characteristics

File Characteristics

Sections

33:00:00:03:af:30:40:0e:4c:a3:4d:05:41:00:00:00:00:03:af
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

03:86:93:f6:81:67:29:cf:6e:be:7e:3e:a3:47:06:06:66:3b:ab:70:e8:5b:22:86:af:47:80:42:b8:ab:1a:98
Signer

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 487KB - Virtual size: 487KB

.data
Size: 17KB - Virtual size: 25KB

.pdata
Size: 102KB - Virtual size: 102KB

_RDATA
Size: 1024B - Virtual size: 640B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 24KB - Virtual size: 23KB

33:00:00:03:af:30:40:0e:4c:a3:4d:05:41:00:00:00:00:03:af
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

42:01:9d:23:ed:83:f5:b2:12:0a:cf:48:be:3a:4b:8a:81:99:0c:5d:a0:fa:25:be:04:46:88:91:15:4b:89:59
Signer

.text
Size: 3.0MB - Virtual size: 3.0MB

.rdata
Size: 15.1MB - Virtual size: 15.1MB

.data
Size: 99KB - Virtual size: 127KB

.pdata
Size: 138KB - Virtual size: 138KB

_RDATA
Size: 1024B - Virtual size: 640B

.rsrc
Size: 7.7MB - Virtual size: 7.7MB

.reloc
Size: 56KB - Virtual size: 55KB

.text
Size: 16.0MB - Virtual size: 16.0MB

.rsrc
Size: 167KB - Virtual size: 166KB

33:00:00:03:ae:2d:35:51:c8:53:8f:55:1d:00:00:00:00:03:ae
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

f7:b9:28:ea:34:8d:cd:04:cb:cb:f0:17:a2:1b:ae:0d:b9:81:e4:50:3b:f9:8c:81:95:e0:dc:c1:04:dd:1c:ea
Signer

.text
Size: 9.8MB - Virtual size: 9.8MB

.rdata
Size: 2.6MB - Virtual size: 2.6MB

.data
Size: 403KB - Virtual size: 419KB

.pdata
Size: 317KB - Virtual size: 316KB

.didat
Size: 512B - Virtual size: 120B

_RDATA
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 66KB - Virtual size: 65KB