win64help.dll?ex=670c3661&is=670ae4e1&hm=34e9d9802f25be6669092bd636fdec89da344d630c1feed0501755a57d63d928&

First submission 2024-10-13 18:33:02

File details

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	333.17 KB (341168 bytes)
Compile time:	2024-10-12 02:55:47
MD5:	3fe8eb38f23d00e1045c26084724785e
SHA1:	94e0d3db024a69c57914f10a00303ec2b4a40b2e
SHA256:	313565edbc274cf11332be23cb1c6af341281a969acd9c5f4b4e951c059739c0
Import Hash :	3254359579f23afe607e1d61dde58b23
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 6	import resource debug tls relocation security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	8/77 VT report date: 2024-10-13 17:12:56
Malware Type 1	trojan

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1294417693801189386/1294768227334885457/win64help.dll?ex=670c3661&is=670ae4e1&hm=34e9d9802f25be6669092bd636fdec89da344d630c1feed0501755a57d63d928&	cdn.discordapp.com	2024-10-13 18:33:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x3effb	258048	a284209a45ee0fb3441f4f1070f82e595d361493	e5b30f03c385e9496cb7f415587d6841
.rdata	0x40000	0xeb5c	60416	608a6a9656bac2fd93134fe48054b04b12cc1153	4a8b8352afec621a3ee78deba453fb28
.data	0x4f000	0x1e08	2560	0d09b4693f6537dc79e04e38c4d9f72ac252f7f4	b4438c0d30de02275d9a4bf4b89e8a6b
.pdata	0x51000	0x2c4c	11776	81aff6a2723b49c8d7268c12b50a04ef062b840a	8c3c2c61aafe2885eb3951d312a8f393
.rsrc	0x54000	0xf8	512	6bbc15a0367b83368d6ac205d6d53848301792ab	7c139771cc4b97d7f468254be5d2679a
.reloc	0x55000	0x148	512	e2c72d2de20e89a94352c9ea9825ab193068aad8	4dc9b1e2cecb0a6d7bf3095fe687757c

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x54060	145

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

File signature

MD5	SHA1	Block size	Virtual Address
7e04e15785463d741366b602ef6d9f12	ce40ca758995b5be09c61ee19bad97b2a0271cab	6320	334848

Strings analysis - File found

Log
\FortniteGame\Saved\Logs\FortniteGame.log
Text
imgui_log.txt
Library
api-ms-win-core-registry-l1-1-0.dll
DiscordHook64.dll
ADVAPI32.dll
bin\amd64\MSPDB140.DLL
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
msvcp140.dll
api-ms-win-crt-stdio-l1-1-0.dll
WS2_32.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
vcruntime140.dll
api-ms-win-crt-filesystem-l1-1-0.dll
VCRUNTIME140_1.dll
d3dcompiler_47.dll
IMM32.dll
xinput1_4.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
USER32.dll
KERNEL32.dll

Strings analysis - Possible URLs found 12

https://www.verisign.com/cps0
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
https://d.symcb.com/cps0%
http://sf.symcb.com/sf.crt0
http://ocsp.verisign.com0
https://www.verisign.com/rpa
http://sf.symcb.com/sf.crl0f
http://crl.verisign.com/pca3-g5.crl04
https://www.verisign.com/rpa0
http://logo.verisign.com/vslogo.gif04
http://sf.symcd.com0&
https://d.symcb.com/rpa0

Import functions

api-ms-win-crt-environment-l1-1-0.dll 1 api-ms-win-crt-filesystem-l1-1-0.dll 2 VCRUNTIME140.dll 17 XINPUT1_4.dll 2 MSVCP140.dll 43 api-ms-win-crt-convert-l1-1-0.dll 3 api-ms-win-crt-string-l1-1-0.dll 6 VCRUNTIME140_1.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 15 KERNEL32.dll 56 api-ms-win-crt-math-l1-1-0.dll 6 api-ms-win-crt-utility-l1-1-0.dll 1 D3DCOMPILER_47.dll 1 api-ms-win-crt-stdio-l1-1-0.dll 16 WS2_32.dll 2 api-ms-win-crt-heap-l1-1-0.dll 4 USER32.dll 22 IMM32.dll 3

Function	Address	Souspicious	Anti Debug
getenv	0x180040500

Function	Address	Souspicious	Anti Debug
_lock_file	0x180040510
_unlock_file	0x180040518

Function	Address	Souspicious	Anti Debug
__vcrt_LoadLibraryExW	0x180040410
__std_type_info_destroy_list	0x180040418
__std_exception_destroy	0x180040420
memchr	0x180040428
memcmp	0x180040430
memmove	0x180040438
__std_exception_copy	0x180040440
__std_terminate	0x180040448
memcpy	0x180040450
_CxxThrowException	0x180040458
__C_specific_handler_noexcept	0x180040460
__current_exception_context	0x180040468
__current_exception	0x180040470
__C_specific_handler	0x180040478
memset	0x180040480
__vcrt_GetModuleFileNameW	0x180040488
strstr	0x180040490

Function	Address	Souspicious	Anti Debug
None	0x1800404c8
None	0x1800404d0

Function	Address	Souspicious	Anti Debug
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z	0x1800401f8
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z	0x180040200
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z	0x180040208
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ	0x180040210
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ	0x180040218
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z	0x180040220
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z	0x180040228
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ	0x180040230
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z	0x180040238
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ	0x180040240
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z	0x180040248
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ	0x180040250
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ	0x180040258
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ	0x180040260
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z	0x180040268
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z	0x180040270
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ	0x180040278
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z	0x180040280
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z	0x180040288
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ	0x180040290
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z	0x180040298
?good@ios_base@std@@QEBA_NXZ	0x1800402a0
?always_noconv@codecvt_base@std@@QEBA_NXZ	0x1800402a8
??Bid@locale@std@@QEAA_KXZ	0x1800402b0
_Query_perf_counter	0x1800402b8
?_Xlength_error@std@@YAXPEBD@Z	0x1800402c0
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ	0x1800402c8
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ	0x1800402d0
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ	0x1800402d8
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z	0x1800402e0
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z	0x1800402e8
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z	0x1800402f0
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A	0x1800402f8
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A	0x180040300
?_Xout_of_range@std@@YAXPEBD@Z	0x180040308
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ	0x180040310
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A	0x180040318
?uncaught_exceptions@std@@YAHXZ	0x180040320
??0_Lockit@std@@QEAA@H@Z	0x180040328
??1_Lockit@std@@QEAA@XZ	0x180040330
_Query_perf_frequency	0x180040338
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z	0x180040340
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z	0x180040348

Function	Address	Souspicious	Anti Debug
atoi	0x1800404e0
strtoul	0x1800404e8
mbstowcs_s	0x1800404f0

Function	Address	Souspicious	Anti Debug
strcmp	0x180040690
strcpy_s	0x180040698
strncpy_s	0x1800406a0
strncpy	0x1800406a8
_wcsicmp	0x1800406b0
strcat_s	0x1800406b8

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x1800404a0

Function	Address	Souspicious	Anti Debug
_initialize_narrow_environment	0x180040588
_configure_narrow_argv	0x180040590
_seh_filter_dll	0x180040598
_register_onexit_function	0x1800405a0
_execute_onexit_table	0x1800405a8
_beginthreadex	0x1800405b0
_crt_atexit	0x1800405b8
_invalid_parameter_noinfo	0x1800405c0
_cexit	0x1800405c8
_errno	0x1800405d0
_initterm_e	0x1800405d8
_invalid_parameter_noinfo_noreturn	0x1800405e0
_initterm	0x1800405e8
terminate	0x1800405f0
_initialize_onexit_table	0x1800405f8

Function	Address	Souspicious	Anti Debug
Beep	0x180040030
GetCurrentProcessId	0x180040038
GetModuleHandleW	0x180040040
CreateSemaphoreW	0x180040048
VirtualQuery	0x180040050
GlobalAlloc	0x180040058
GlobalFree	0x180040060
GlobalLock	0x180040068
GlobalUnlock	0x180040070
QueryPerformanceFrequency	0x180040078
QueryPerformanceCounter	0x180040080
FreeLibrary	0x180040088
GetProcessHeap	0x180040090
InitializeSListHead	0x180040098
GetSystemTimeAsFileTime	0x1800400a0
WideCharToMultiByte	0x1800400a8
MultiByteToWideChar	0x1800400b0
RaiseException	0x1800400b8
IsDebuggerPresent	0x1800400c0
IsProcessorFeaturePresent	0x1800400c8
TerminateProcess	0x1800400d0
SetUnhandledExceptionFilter	0x1800400d8
UnhandledExceptionFilter	0x1800400e0
RtlVirtualUnwind	0x1800400e8
RtlLookupFunctionEntry	0x1800400f0
RtlCaptureContext	0x1800400f8
SleepConditionVariableSRW	0x180040100
GetLastError	0x180040108
AcquireSRWLockExclusive	0x180040110
ReleaseSRWLockExclusive	0x180040118
GetSystemInfo	0x180040120
VirtualFree	0x180040128
VirtualAlloc	0x180040130
Thread32Next	0x180040138
Thread32First	0x180040140
CreateToolhelp32Snapshot	0x180040148
ResumeThread	0x180040150
SuspendThread	0x180040158
SetThreadContext	0x180040160
GetThreadContext	0x180040168
OpenThread	0x180040170
GetCurrentThreadId	0x180040178
GetCurrentProcess	0x180040180
HeapFree	0x180040188
HeapReAlloc	0x180040190
HeapAlloc	0x180040198
HeapDestroy	0x1800401a0
HeapCreate	0x1800401a8
VirtualProtect	0x1800401b0
FlushInstructionCache	0x1800401b8
GetProcAddress	0x1800401c0
Sleep	0x1800401c8
OpenProcess	0x1800401d0
CloseHandle	0x1800401d8
K32GetProcessImageFileNameW	0x1800401e0
WakeAllConditionVariable	0x1800401e8

Function	Address	Souspicious	Anti Debug
floorf	0x180040550
fmodf	0x180040558
sinf	0x180040560
sqrtf	0x180040568
ceilf	0x180040570
cosf	0x180040578

Function	Address	Souspicious	Anti Debug
qsort	0x1800406c8

Function	Address	Souspicious	Anti Debug
D3DCompile	0x180040000

Function	Address	Souspicious	Anti Debug
fread	0x180040608
fsetpos	0x180040610
ungetc	0x180040618
_fseeki64	0x180040620
setvbuf	0x180040628
fgetpos	0x180040630
__stdio_common_vswprintf	0x180040638
fwrite	0x180040640
fputc	0x180040648
__stdio_common_vsscanf	0x180040650
fgetc	0x180040658
_wfopen	0x180040660
__stdio_common_vsprintf	0x180040668
fflush	0x180040670
fclose	0x180040678
_get_stream_buffer_pointers	0x180040680

Function	Address	Souspicious	Anti Debug
WSACleanup	0x1800404b0
WSAStartup	0x1800404b8

Function	Address	Souspicious	Anti Debug
realloc	0x180040528
free	0x180040530
malloc	0x180040538
_callnewh	0x180040540

Function	Address	Souspicious	Anti Debug
GetKeyState	0x180040358
ScreenToClient	0x180040360
GetCapture	0x180040368
ClientToScreen	0x180040370
IsChild	0x180040378
GetForegroundWindow	0x180040380
MessageBoxA	0x180040388
GetAsyncKeyState	0x180040390
SetWindowLongPtrW	0x180040398
CallWindowProcW	0x1800403a0
SetClipboardData	0x1800403a8
LoadCursorW	0x1800403b0
GetClipboardData	0x1800403b8
EmptyClipboard	0x1800403c0
CloseClipboard	0x1800403c8
OpenClipboard	0x1800403d0
GetCursorPos	0x1800403d8
SetCursorPos	0x1800403e0
ReleaseCapture	0x1800403e8
GetClientRect	0x1800403f0
SetCursor	0x1800403f8
SetCapture	0x180040400

Function	Address	Souspicious	Anti Debug
ImmReleaseContext	0x180040010
ImmGetContext	0x180040018
ImmSetCompositionWindow	0x180040020

Name	Latest seen	MD5
CompPkgSup.dll?ex=670ef1f2&is=670da072&hm=0ef149bf8000f5d08bd27446ab0651cfc3038bd4f627014443f6e0056b60f8df	2024-10-15 19:54:02	f0fa6871cb996242a649dd629a0591f1

win64help.dll?ex=670c3661&is=670ae4e1&hm=34e9d9802f25be6669092bd636fdec89da344d630c1feed0501755a57d63d928&

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 0 suspicious

PE Resources 1

Anti debug functions 6

File signature

Strings analysis - File found

Strings analysis - Possible URLs found 12

Import functions

Related files by ImpHash 1 3254359579f23afe607e1d61dde58b23