usermode[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

usermode.exe
Size

1.2MB
MD5

a5099df96a9607915b82a2c9876d0dbd
SHA1

26bc43f02c85937a839ff5dd2c1686da0b18e597
SHA256

76e340616e4ccb08110c5b4476034a341aab1420be53e34273ecc85d745ffe05
SHA512

fb593037820b0c6286690b87f426b50de04362af37a493cd1fc51cbbc8c3830e42b35e4c44af1f3c5e7ccf23c76aa8e29937ca203d53d21218ec23fc6c15f2a5
SSDEEP

24576:+zI9lXNEeFbFwf9/s2+SO2eM8MuGKFLnFVYzMj:+ilXaebw908OpNnFV+6

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
usermode.exe

Files

usermode.exe
.exe windows:6 windows x64 arch:x64

3a0f02d94c9b23fc91a15034c03780f9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Final\Downloads\orqur fortnite cheat source 1\orqur fortnite cheat source 1\orqur fortnite cheat source 1\Ghosty\build\usermode\usermode.pdb

Imports

d3d9

Direct3DCreate9Ex

kernel32

OutputDebugStringW
GetFileAttributesExW
WideCharToMultiByte
GetProcessHeap
GetCurrentProcessId
FindFirstFileW
FindClose
GetProcAddress
GetThreadContext
HeapSetInformation
CreateThread
K32GetModuleBaseNameA
GetCurrentDirectoryW
CloseHandle
Process32Next
DeleteFileA
LoadLibraryA
GetCurrentThread
GetLastError
Sleep
MultiByteToWideChar
CreateToolhelp32Snapshot
GetModuleHandleA
GetCurrentThreadId
GetFileInformationByHandleEx
CreateFileW
Thread32First
Thread32Next
VirtualAlloc
DeviceIoControl
GetLocaleInfoEx
InitializeSListHead
GetSystemTimeAsFileTime
AreFileApisANSI
CheckRemoteDebuggerPresent
IsDebuggerPresent
OpenThread
GetTickCount
K32EnumProcessModules
CreateDirectoryW
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileSizeEx
CreateFileA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
VerifyVersionInfoA
FreeLibrary
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameW
GetModuleFileNameA
lstrcmpiA
OutputDebugStringA
GetStdHandle
GetCurrentProcess
VirtualFree
SetLastError
VirtualProtect
Process32First
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalUnlock
GlobalLock
GlobalFree
GlobalAlloc
MapViewOfFile
UnmapViewOfFile
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
InitializeCriticalSectionEx
DeleteCriticalSection
CreateFileMappingW

user32

GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
GetClientRect
SetCursor
ClientToScreen
GetActiveWindow
ScreenToClient
LoadCursorA
GetKeyState
SendInput
SetClipboardData
UpdateWindow
RegisterClassExA
FindWindowA
GetDesktopWindow
PeekMessageA
LoadIconA
mouse_event
TranslateMessage
SetLayeredWindowAttributes
CreateWindowExA
DefWindowProcA
GetForegroundWindow
MessageBoxA
SetWindowLongA
GetAsyncKeyState
ShowWindow
GetSystemMetrics
SetWindowPos
DestroyWindow
GetWindowRect
DispatchMessageA
GetWindow

advapi32

CryptAcquireContextA
GetLengthSid
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
GetTokenInformation
OpenProcessToken
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
AddAccessAllowedAce

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext

msvcp140

?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?fail@ios_base@std@@QEBA_NXZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?setf@ios_base@std@@QEAAHHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Query_perf_counter
_Thrd_detach
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z

ntdll

RtlCaptureContext
VerSetConditionMask
RtlLookupFunctionEntry
RtlVirtualUnwind

wininet

InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile

dwmapi

DwmExtendFrameIntoClientArea

normaliz

IdnToAscii

wldap32

ord35
ord79
ord30
ord33
ord143
ord32
ord27
ord217
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord26
ord200
ord301

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CertFreeCertificateChain
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

ws2_32

htonl
closesocket
recv
send
ioctlsocket
__WSAFDIsSet
select
WSAGetLastError
bind
connect
getpeername
getaddrinfo
getsockname
freeaddrinfo
getsockopt
htons
ntohs
accept
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
recvfrom
ntohl
gethostname
sendto
listen

shlwapi

PathFindFileNameW

rpcrt4

RpcStringFreeA
UuidToStringA
UuidCreate

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memchr
__std_exception_copy
_CxxThrowException
memcmp
__std_terminate
strstr
strchr
memcpy
memmove
__C_specific_handler
__current_exception_context
__current_exception
strrchr
memset
__std_exception_destroy

api-ms-win-crt-stdio-l1-1-0

__p__commode
__acrt_iob_func
fwrite
__stdio_common_vsprintf_s
_lseeki64
_wfopen
__stdio_common_vsprintf
fread
__stdio_common_vsscanf
feof
fputs
fopen
_read
_write
_close
_open
fputc
fseek
fgetc
fclose
_popen
_pclose
fgets
_get_stream_buffer_pointers
ftell
_fseeki64
fsetpos
ungetc
__stdio_common_vsnprintf_s
setvbuf
fgetpos
_set_fmode
__stdio_common_vfprintf
fflush

api-ms-win-crt-string-l1-1-0

_strdup
isupper
strspn
strncpy
isprint
strncmp
tolower
strpbrk
strcspn
strcmp
_stricmp

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-heap-l1-1-0

_set_new_mode
realloc
free
_callnewh
malloc
calloc

api-ms-win-crt-convert-l1-1-0

strtoll
atof
strtoull
atoi
strtol
strtoul
strtod

api-ms-win-crt-runtime-l1-1-0

strerror
_errno
_invalid_parameter_noinfo_noreturn
system
_beginthreadex
abort
__sys_nerr
_invalid_parameter_noinfo
_resetstkoflw
exit
_getpid
terminate
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv

api-ms-win-crt-math-l1-1-0

atan2
__setusermatherr
atan2f
ceilf
_dsign
asin
_dclass
cosf
floorf
fmodf
pow
powf
sinf
sqrt
sqrtf
tanf

api-ms-win-crt-filesystem-l1-1-0

_stat64
_fstat64
_access
remove
_lock_file
_unlink
_unlock_file

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func
localeconv

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_time64
strftime
_localtime64
_gmtime64

shell32

ShellExecuteA

Sections

.text
Size: 763KB - Virtual size: 762KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 281KB - Virtual size: 280KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 113KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3a0f02d94c9b23fc91a15034c03780f9

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

kernel32

user32

advapi32

imm32

msvcp140

ntdll

wininet

dwmapi

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

shell32

Sections

.text Size: 763KB - Virtual size: 762KB

.rdata Size: 281KB - Virtual size: 280KB

.data Size: 113KB - Virtual size: 118KB

.pdata Size: 29KB - Virtual size: 29KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 763KB - Virtual size: 762KB

.rdata
Size: 281KB - Virtual size: 280KB

.data
Size: 113KB - Virtual size: 118KB

.pdata
Size: 29KB - Virtual size: 29KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 1KB