Orbit[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Orbit.zip
Size

3.0MB
MD5

18cdecdb7689f56b90e162bc986fed91
SHA1

ea9ddfc153bbbe80a9dca5bb79fc6735e87f3523
SHA256

8b13d40ffb470f984837155e90b8dc17457a4c1153967fa9b0e9ed119dbfcfc0
SHA512

bf40ca65fe4fd1e839abfdbfc6a779de91b3d61fd28618c5e13c681431ec712a03e396f1c1c2491775fbd670d138bb17f6a6d7871554959e5f31f47390a0d2a1
SSDEEP

98304:5DKTKFRU73um1CZLSYjupxQ4tnvG4q2Y9KuP:8KFRU73j1CZmYjuY4VGFcuP

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Orbit Unknowncheats.exe
unpack001/Orbit/DriverMapper.exe
unpack001/Orbit/Win10_22H2.sys
unpack001/Orbit/Win11_22H2.sys
unpack001/Orbit/cs2-dumper.exe

Files

Orbit.zip
.zip
Orbit Unknowncheats.exe
.exe windows:6 windows x64 arch:x64

77a182e5dcb4d49e2fe8d9a4e0d1e52e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\sohil\OneDrive\Dokumentumok\GitHub\Orbit Free\x64\UC\Orbit Unknowncheats.pdb

Imports

gdiplus

GdipBitmapGetPixel
GdipFree
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdipGetImageHeight
GdipCloneImage
GdipAlloc
GdipGetImageWidth

kernel32

CreateFileW
SetFileInformationByHandle
VerifyVersionInfoW
AreFileApisANSI
SleepEx
GetCurrentProcessId
WaitForMultipleObjects
PeekNamedPipe
GetFileInformationByHandleEx
LocalFree
FormatMessageA
GetLocaleInfoEx
CloseHandle
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
ReadFile
GetFileType
OpenProcess
UnhandledExceptionFilter
GetEnvironmentVariableA
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetFileSizeEx
ExitProcess
GetFileAttributesExW
FindNextFileW
Process32FirstW
LoadLibraryA
Process32NextW
GetLastError
Sleep
CreateToolhelp32Snapshot
WaitForSingleObject
GetModuleFileNameW
SetConsoleMode
GetStdHandle
SetLastError
CreateEventW
SetEvent
GetCurrentProcess
IsDebuggerPresent
GetCurrentThreadId
GetSystemDirectoryW
GetSystemTimeAsFileTime
DeleteCriticalSection
GetCommandLineW
GetStartupInfoW
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
QueryPerformanceFrequency
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
GetConsoleWindow
GetModuleHandleW
CreateProcessW
FindFirstFileExW
LoadLibraryW
GetCurrentDirectoryW
FindFirstFileW
FindClose
WaitForSingleObjectEx
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
GetTickCount
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
RtlVirtualUnwind
GetProcAddress
FormatMessageW
CreateDirectoryW
InitializeSListHead
MoveFileExW

user32

GetKeyNameTextW
mouse_event
GetForegroundWindow
GetAsyncKeyState
GetSystemMetrics
GetDC
MapVirtualKeyW
SetForegroundWindow
EnumWindows
ShowWindow
GetWindowThreadProcessId
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
ReleaseCapture
IsWindowUnicode
SetCursorPos
SetCursor
SetCapture
LoadCursorW
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient
GetMessageExtraInfo
GetKeyState
UnregisterClassA
ReleaseDC
DestroyWindow
TranslateMessage
SetWindowDisplayAffinity
PeekMessageW
DispatchMessageW
RegisterClassExW
UnregisterClassW
SetWindowPos
DefWindowProcW
GetWindowLongW
SendInput
GetClientRect
PostQuitMessage
FindWindowA
UpdateWindow
SetWindowLongW

gdi32

SelectObject
DeleteDC
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
DeleteObject

advapi32

CryptImportKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
CryptEncrypt
LookupPrivilegeValueW
RevertToSelf
PrivilegeCheck
SetTokenInformation
OpenProcessToken
SetThreadToken
CreateProcessAsUserW
DuplicateTokenEx
GetTokenInformation
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
CryptDestroyKey

shell32

SHGetKnownFolderPath

ole32

CoInitializeEx
CoTaskMemFree

msvcp140

?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Syserror_map@std@@YAPEBDH@Z
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Cnd_do_broadcast_at_thread_exit
_Cnd_wait
_Thrd_id
_Query_perf_counter
_Thrd_detach
_Thrd_join
_Mtx_unlock
_Cnd_broadcast
_Cnd_destroy_in_situ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAK@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Throw_Cpp_error@std@@YAXH@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
_Query_perf_frequency
_Cnd_init_in_situ
_Thrd_hardware_concurrency
?good@ios_base@std@@QEBA_NXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exceptions@std@@YAHXZ
?_Winerror_map@std@@YAHH@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_47

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

ws2_32

WSAEventSelect
getsockopt
send
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
closesocket
WSASetLastError
WSAGetLastError
inet_pton
ntohs
inet_ntop
setsockopt
WSAIoctl
htons
socket
__WSAFDIsSet
select
accept
bind
gethostname
ioctlsocket
getpeername
sendto
recvfrom
freeaddrinfo
getaddrinfo
recv
listen
htonl
getsockname
connect

crypt32

CryptDecodeObjectEx
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CertOpenStore
PFXImportCertStore
CryptStringToBinaryW
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow
ImmSetCandidateWindow

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__C_specific_handler
_CxxThrowException
longjmp
__current_exception_context
memcmp
memmove
__intrinsic_setjmp
memchr
strrchr
wcschr
memset
memcpy
strchr
strstr
wcsstr
__std_terminate
__std_exception_copy
__std_exception_destroy
__current_exception

api-ms-win-crt-heap-l1-1-0

_set_new_mode
malloc
calloc
_callnewh
free
realloc

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
__sys_errlist
__sys_nerr
abort
_register_thread_local_exe_atexit_callback
_configure_narrow_argv
_errno
_c_exit
__p___argv
_invalid_parameter_noinfo_noreturn
__p___argc
exit
_initialize_narrow_environment
terminate
_initialize_onexit_table
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
system

api-ms-win-crt-stdio-l1-1-0

fputc
__p__commode
_close
fflush
fgetpos
_lseeki64
setvbuf
ungetc
fclose
fgets
_fileno
fwrite
_wopen
fsetpos
fread
_fseeki64
feof
__stdio_common_vswprintf
_write
fputs
_get_stream_buffer_pointers
fopen
__acrt_iob_func
__stdio_common_vfprintf
_set_fmode
__stdio_common_vsscanf
_wfopen
__stdio_common_vsprintf
fgetc
fseek
ftell
_read

api-ms-win-crt-convert-l1-1-0

strtof
strtol
atoi
atof
wcstombs
strtod
strtoll
strtoull
strtoul

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlink
_unlock_file
_wstat64
_fstat64

api-ms-win-crt-string-l1-1-0

strncmp
_wcsicmp
strcspn
strspn
strcmp
wcsncmp
strpbrk
wcsncpy
wcspbrk
_strdup
strcpy_s
strncpy

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-time-l1-1-0

_gmtime64
strftime
_time64

api-ms-win-crt-math-l1-1-0

powf
__setusermatherr
acosf
atan2f
_dclass
fmodf
_fdopen
tan

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 346KB - Virtual size: 346KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 120KB - Virtual size: 119KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Orbit/DriverMapper.exe
.exe windows:6 windows x64 arch:x64

5316a309ccf25a6ed74424e6475fbb52

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\sohil\OneDrive\Dokumentumok\GitHub\kdmapper\x64\Release\kdmapper_Release.pdb

Imports

kernel32

CloseHandle
GetProcAddress
GetCurrentProcessId
CreateToolhelp32Snapshot
Process32NextW
GetModuleHandleA
SetUnhandledExceptionFilter
GetTempPathW
FormatMessageA
GetLocaleInfoEx
GetCurrentThreadId
CreateFileW
VirtualAlloc
DeviceIoControl
Process32FirstW
VirtualFree
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetLastError
GetModuleHandleW
GetFileInformationByHandleEx
WideCharToMultiByte
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
LocalFree

user32

GetShellWindow
GetWindowThreadProcessId

advapi32

RegCloseKey
RegDeleteTreeW
RegCreateKeyW
RegOpenKeyW
RegSetKeyValueW

msvcp140

??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
??Bid@locale@std@@QEAA_KXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ

ntdll

NtQuerySystemInformation
RtlInitUnicodeString

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__C_specific_handler
__std_terminate
wcsstr
__std_exception_destroy
memcmp
memcpy
_CxxThrowException
__current_exception_context
__current_exception
__std_exception_copy
memset
memmove

api-ms-win-crt-stdio-l1-1-0

_set_fmode
_fseeki64
fread
fsetpos
_get_stream_buffer_pointers
__p__commode
fputc
setvbuf
fgetpos
fwrite
ungetc
fflush
fgetc
fclose

api-ms-win-crt-utility-l1-1-0

srand
rand

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_wremove
_unlock_file

api-ms-win-crt-string-l1-1-0

_wcsicmp
_stricmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_c_exit
_cexit
__p___wargv
__p___argc
_invalid_parameter_noinfo_noreturn
exit
_initterm_e
_initterm
_get_initial_wide_environment
_initialize_wide_environment
_configure_wide_argv
_crt_atexit
_set_app_type
_seh_filter_exe
abort
_exit
terminate
_register_thread_local_exe_atexit_callback

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
_callnewh
free

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr

Sections

.text
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Orbit/GrenadeHelper.txt
Orbit/Orbit Mapdata/ar_baggage.txt
Orbit/Orbit Mapdata/ar_shoots.txt
Orbit/Orbit Mapdata/cs_italy.txt
Orbit/Orbit Mapdata/cs_office.txt
Orbit/Orbit Mapdata/de_ancient.txt
Orbit/Orbit Mapdata/de_anubis.txt
Orbit/Orbit Mapdata/de_dust2.txt
Orbit/Orbit Mapdata/de_inferno.txt
Orbit/Orbit Mapdata/de_mirage.txt
Orbit/Orbit Mapdata/de_nuke.txt
Orbit/Orbit Mapdata/de_overpass.txt
Orbit/Orbit Mapdata/de_vertigo.txt
Orbit/SamsungSans-Regular.ttf
Orbit/SmallestPixel7-Regular.ttf
Orbit/Weaponicons-Regular.ttf
Orbit/Win10_22H2.sys
.dll windows:6 windows x64 arch:x64

110615eb47f35f324c9c0d454458d77d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\sohil\OneDrive\Dokumentumok\GitHub\CS2-Kernel-Driver\x64\Release\Kernel.pdb

Imports

ntoskrnl.exe

RtlCompareUnicodeString
ExAllocatePool
ZwQuerySystemInformation
PsGetProcessPeb
ObfDereferenceObject
RtlInitUnicodeString
tolower
KeStackAttachProcess
PsLookupProcessByProcessId
MmCopyMemory
RtlGetVersion
ExFreePoolWithTag
KeUnstackDetachProcess
strcmp

Sections

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Orbit/Win11_22H2.sys
.dll windows:6 windows x64 arch:x64

110615eb47f35f324c9c0d454458d77d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\sohil\OneDrive\Dokumentumok\GitHub\CS2-Kernel-Driver\x64\Release\Kernel.pdb

Imports

ntoskrnl.exe

RtlCompareUnicodeString
ExAllocatePool
ZwQuerySystemInformation
PsGetProcessPeb
ObfDereferenceObject
RtlInitUnicodeString
tolower
KeStackAttachProcess
PsLookupProcessByProcessId
MmCopyMemory
RtlGetVersion
ExFreePoolWithTag
KeUnstackDetachProcess
strcmp

Sections

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Orbit/Zappericons-Regular.ttf
Orbit/cs2-dumper.exe
.exe windows:6 windows x64 arch:x64

e5551a1e7e77a9ec93b0404e5ca02bcd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-core-synch-l1-2-0

WaitOnAddress
WakeByAddressAll
WakeByAddressSingle

bcryptprimitives

ProcessPrng

kernel32

OpenProcess
MultiByteToWideChar
WriteConsoleW
QueryPerformanceFrequency
GetModuleHandleW
FormatMessageW
GetCurrentDirectoryW
GetEnvironmentVariableW
K32GetModuleInformation
SetFileInformationByHandle
GetFileInformationByHandle
GetFileInformationByHandleEx
K32GetModuleFileNameExA
GetFullPathNameW
CreateDirectoryW
ExitProcess
HeapAlloc
GetProcessHeap
RtlCaptureContext
RtlLookupFunctionEntry
GetCurrentProcessId
CreateMutexA
WaitForSingleObjectEx
LoadLibraryA
ReleaseMutex
RtlVirtualUnwind
GetFinalPathNameByHandleW
GetFileType
GetCurrentThreadId
IsDebuggerPresent
GetModuleHandleA
Sleep
InitializeSListHead
K32EnumProcessModulesEx
VirtualQueryEx
GetCurrentProcess
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
CloseHandle
FreeLibrary
GetProcAddress
LoadLibraryExW
SetThreadErrorMode
FindFirstFileW
FindClose
WriteProcessMemory
FindNextFileW
GetSystemTimePreciseAsFileTime
lstrlenW
SetUnhandledExceptionFilter
GetModuleFileNameW
SetLastError
GetCommandLineW
GetCurrentThread
SetThreadStackGuarantee
ReadProcessMemory
AddVectoredExceptionHandler
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
SetConsoleMode
GetConsoleMode
GetStdHandle
HeapReAlloc
GetSystemTimeAsFileTime
GetLastError
QueryPerformanceCounter
HeapFree
WaitForSingleObject
UnhandledExceptionFilter
CreateFileW
IsProcessorFeaturePresent

shell32

SHGetKnownFolderPath

ole32

CoTaskMemFree

advapi32

OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges

ntdll

RtlNtStatusToDosError
NtReadFile
NtWriteFile
NtQueryInformationProcess

oleaut32

GetErrorInfo

vcruntime140

__CxxFrameHandler3
__current_exception_context
__current_exception
__C_specific_handler
_CxxThrowException
memset
memcpy
memmove
memcmp

api-ms-win-crt-string-l1-1-0

strlen

api-ms-win-crt-runtime-l1-1-0

_get_initial_narrow_environment
_initterm
_initterm_e
exit
_exit
__p___argc
__p___argv
_set_app_type
_c_exit
_register_thread_local_exe_atexit_callback
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
terminate
_crt_atexit
_seh_filter_exe
_cexit
_configure_narrow_argv

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 425KB - Virtual size: 424KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

77a182e5dcb4d49e2fe8d9a4e0d1e52e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

gdiplus

kernel32

user32

gdi32

advapi32

shell32

ole32

msvcp140

d3d11

d3dcompiler_47

dwmapi

ws2_32

crypt32

imm32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rdata Size: 346KB - Virtual size: 346KB

.data Size: 6KB - Virtual size: 11KB

.pdata Size: 60KB - Virtual size: 60KB

_RDATA Size: 9KB - Virtual size: 8KB

.rsrc Size: 120KB - Virtual size: 119KB

.reloc Size: 5KB - Virtual size: 5KB

5316a309ccf25a6ed74424e6475fbb52

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

msvcp140

ntdll

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 66KB - Virtual size: 65KB

.rdata Size: 68KB - Virtual size: 68KB

.data Size: 1KB - Virtual size: 3KB

.pdata Size: 3KB - Virtual size: 3KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 512B - Virtual size: 264B

110615eb47f35f324c9c0d454458d77d

Headers

DLL Characteristics

File Characteristics

PDB Paths

.text
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 346KB - Virtual size: 346KB

.data
Size: 6KB - Virtual size: 11KB

.pdata
Size: 60KB - Virtual size: 60KB

_RDATA
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 120KB - Virtual size: 119KB

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 66KB - Virtual size: 65KB

.rdata
Size: 68KB - Virtual size: 68KB

.data
Size: 1KB - Virtual size: 3KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 512B - Virtual size: 264B

.text
Size: 2KB - Virtual size: 2KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 32B

.pdata
Size: 512B - Virtual size: 132B

.text
Size: 2KB - Virtual size: 2KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 32B

.pdata
Size: 512B - Virtual size: 132B

.text
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 425KB - Virtual size: 424KB

.data
Size: 512B - Virtual size: 928B

.pdata
Size: 45KB - Virtual size: 45KB

.reloc
Size: 17KB - Virtual size: 16KB