New folder (3)[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

New folder (3).zip
Size

33.3MB
MD5

167c6e6a3a7dd629dfd8901c934e0cef
SHA1

dcd81b0c376cae0838d0c0459eeb2d94485ab269
SHA256

52ea8836c5508aa419d4d934b7cb0b4b27aa3d2bb2fddd2f5eedd987ef89cb52
SHA512

49e403b3b2f9b4354423f9417bc15daffb48a27396be089910722c6f1f9e3a5b3d1af277809549049e9dc69cf60ed97241adc85b60cb8d7a6c2f2ad58e88e1fe
SSDEEP

786432:f414a+2+2VBXTunC7VVHUzEt16qqvTQ/LQ7k0M0VP999:Aaa+2pfIC7THUz+l/YbVVP999

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/New folder (3)/autorun.dll
unpack001/New folder (3)/upgrade/netfx/netfxupdate.exe

Files

New folder (3).zip
.zip
New folder (3)/autorun.dll
.dll windows x64

82b70ba1357706ec3ecdc0b7e96dab48

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

Imports

msvcrt

_isatty
_write
_lseeki64
_fileno
__pioinfo
__badioinfo
ferror
_itoa
_snprintf
_iob
isleadbyte
__mb_cur_max
mbtowc
_CxxThrowException
memcpy
??1type_info@@UEAA@XZ
realloc
wcschr
_wcsicmp
_vscwprintf
memmove
wcscoll
free
malloc
??3@YAXPEAX@Z
wcsrchr
wcsstr
_wcsicoll
_onexit
_lock
__dllonexit
_unlock
_amsg_exit
_initterm
_XcptFilter
__C_specific_handler
memset
_wcsupr
_wcslwr
_errno
__CxxFrameHandler
??_U@YAPEAX_K@Z
??2@YAPEAX_K@Z
wcscspn
wcsspn
iswspace
_wcsrev
_wcsnicmp
_vsnwprintf
towupper
bsearch
_wtoi
wcspbrk
??_V@YAXPEAX@Z

spwizeng

??1WizardDesciption@@UEAA@XZ
?ShowReadMoreWnd@@YAHPEAUHINSTANCE__@@PEAUHWND__@@IPEBGI@Z
?Init@CResourceModuleFactory@@QEAAXPEAUHINSTANCE__@@PEBG@Z
?GetResourceInstance@CResourceModuleFactory@@QEAAPEAUHINSTANCE__@@XZ
?WaitForSingleObjectMessageSafe@WizardUI@@QEAAKPEAXK@Z
?GetWizUI@WizardUI@@SAPEAV1@XZ
?CStringGetModuleFileName@@YA?AV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@PEAUHINSTANCE__@@@Z
??4WizardHandler@@QEAAAEAV0@AEBV0@@Z
??0WizardHandler@@QEAA@AEBV0@@Z
?CanPageBeActivated@WizardHandler@@EEAAHW4Direction@@PEAH@Z
?FirstVisit@WizardHandler@@EEAAXXZ
?KillActive@WizardHandler@@UEAAXAEAH@Z
?OnResourceChanged@WizardHandler@@UEAAXAEAH@Z
?NotifyWizFinish@WizardHandler@@UEAAHAEAH@Z
?NotifyWizBack@WizardHandler@@UEAAHAEAH@Z
?NotifyWizNext@WizardHandler@@UEAAHAEAH@Z
?InitPage@WizardHandler@@UEAAXXZ
??0WizardHandler@@QEAA@XZ
?Uninit@CResourceModuleFactory@@QEAAXXZ
??1Wizard_PageDesciption@@UEAA@XZ
??0Wizard_PageDesciption@@QEAA@KPEBG0KP6APEAVWizardRoot@@PEAVWizardPage@@@ZK@Z
?CanPageBeActivated@LanguageNeutralSelectionDialogBase@@UEAAHW4Direction@@PEAH@Z
??1LanguageNeutralSelectionDialogBase@@QEAA@XZ
??0LanguageNeutralSelectionDialogBase@@QEAA@XZ
?GetResourceModule@CResourceModuleFactory@@QEAAPEAVCResourceModule@@XZ
??_7WizardDesciption@@6B@
?MessageBoxFromMessage@@YAHPEAUHINSTANCE__@@PEAUHWND__@@III@Z
??1LanguageSelectionDialogBase@@QEAA@XZ
??0LanguageSelectionDialogBase@@QEAA@XZ
?OnResourceChanged@LanguageSelectionDialogBase@@UEAAXAEAH@Z
?CanPageBeActivated@LanguageSelectionDialogBase@@UEAAHW4Direction@@PEAH@Z
?NotifyWizCancel@WizardHandler@@UEAAHAEAH@Z
?SetActive@WizardHandler@@UEAAXAEAH@Z
?ProcessWindowMessage@LanguageSelectionDialogBase@@UEAAHPEAUHWND__@@I_K_JAEA_JK@Z
?ProcessLanguageSelection@LanguageSelectionDialogBase@@UEAAHAEAH@Z
?ProcessWindowMessage@LanguageNeutralSelectionDialogBase@@UEAAHPEAUHWND__@@I_K_JAEA_JK@Z
??0WizardDialogPre@@QEAA@XZ
??0WizardDialogPost@@QEAA@XZ
?ResetLanguage@CResourceModuleFactory@@QEAAHXZ
?ChangeUiLanguage@CResourceModule@@SAHPEBG@Z
?CreateIndirect@CCustomButtonEx@@SAPEAV1@PEAUHINSTANCE__@@0PEAUHWND__@@QEAU_Button_Data@@@Z
?Destroy@CCustomButtonEx@@SAXPEAV1@@Z
??0WizardRoot@@QEAA@XZ
??1WizardRoot@@UEAA@XZ
?SetTextStyle@WizardRoot@@QEAAHHMHHH@Z
?CenterRelativeToWindow@@YAHPEAUHWND__@@0I@Z
??0ProtoPageDimensions@@QEAA@USimpleRect@@USimpleSize@@HH11MM@Z
?GetHwndLogFont@@YAHPEAUHWND__@@PEAUtagLOGFONTW@@@Z
??0WizardUI@@QEAA@XZ
??1WizardUI@@QEAA@XZ
?Initialize@WizardUI@@QEAAHPEAVCResourceModule@@0@Z
?StartUI@WizardUI@@QEAAHPEBVProtoPageList@@@Z
?WaitForUIEnd@WizardUI@@QEAAHXZ
?EndUI@WizardUI@@QEAAHXZ
?GetUiMutex@WizardUI@@QEAAPEAXXZ
?GetResourceInstanceNonLoc@WizardPage@@QEAAPEAUHINSTANCE__@@XZ
?GetResourceInstanceLoc@WizardPage@@QEAAPEAUHINSTANCE__@@XZ
?GetInstance@CHighContrast@@SAPEAV1@XZ
?GetTextColor@CHighContrast@@QEAAKK@Z
??0CAnimationControl@@QEAA@XZ
??1CAnimationControl@@UEAA@XZ
?Init@CAnimationControl@@QEAAHPEAUHWND__@@IPEAUHINSTANCE__@@IKHH@Z
?SetAllowMirror@CAnimationControl@@QEAAXH@Z
?CanPageBeActivatedWrapper@WizardHandler@@QEAAHW4Direction@@PEAH@Z
??0ProtoPageList@@QEAA@PEAVWizardDesciption@@KKKHPEAVICreateProgressWnd@@HPEAUtagSIZE@@PEAVICreateNavbarWnd@@UProtoPageDimensions@@KKH@Z

uxlib

??0CInternationalUtils@@QEAA@XZ
??1CInternationalUtils@@QEAA@XZ

wdscore

WdsSetupLogMessageW
WdsSetupLogInit
ConstructPartialMsgVW
CurrentIP

unattend

UnattendFindFileFromCmdLine
UnattendFindAnswerFile

user32

RegisterHotKey
MessageBoxW
UnregisterClassA
CharNextW
PostMessageW
GetFocus
GetParent
GetWindowLongPtrW
UnregisterHotKey
SetFocus
GetDC
LoadIconW
ReleaseDC
GetDlgItem
LoadStringW
CreateWindowExW
SetWindowLongPtrW
SendMessageW
MapWindowPoints
CallWindowProcW
GetWindowThreadProcessId
SetForegroundWindow
SetWindowPos
ShowWindow
PostThreadMessageW
GetMessageW
GetClientRect

gdi32

DeleteObject
EnumFontFamiliesExW
CreateDCW
TranslateCharsetInfo
DeleteDC
GetTextExtentPoint32W
GetTextMetricsW
SetTextColor
CreateFontIndirectW
SelectObject

oleaut32

VariantInit
VarUI4FromStr
VariantChangeType
SysAllocStringLen
VariantClear
SysReAllocStringLen

kernel32

TerminateProcess
GetWindowsDirectoryW
CreateEventW
OpenThread
GetFullPathNameW
GetLocaleInfoW
ExpandEnvironmentStringsW
CreateThread
SetEvent
VerifyVersionInfoW
VerSetConditionMask
UnhandledExceptionFilter
GetFileAttributesW
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
OutputDebugStringA
HeapSize
HeapReAlloc
HeapAlloc
HeapDestroy
GetVersionExA
Sleep
VirtualProtect
DeleteCriticalSection
lstrcmpiW
DisableThreadLibraryCalls
EnterCriticalSection
lstrlenW
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
GetModuleHandleW
LoadLibraryExW
GetProcAddress
CreateFileW
LoadLibraryW
GetProcessHeap
HeapFree
FreeLibrary
ReleaseMutex
WaitForSingleObject
LocalFree
CloseHandle
LockResource
GetLastError
RaiseException
MultiByteToWideChar
GetVersionExW
FormatMessageW
SizeofResource
GetCurrentProcess
CreateProcessW
LoadResource
FindResourceW
FindResourceExW
SetPriorityClass
GetEnvironmentVariableW
IsValidLocale
IsValidCodePage
SetUnhandledExceptionFilter
LocalAlloc
SetLastError

ntdll

RtlAllocateHeap
RtlFreeHeap

ole32

CoTaskMemFree
CoTaskMemAlloc
CoCreateInstance
CoTaskMemRealloc

advapi32

GetTraceEnableFlags
RegDeleteValueW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegisterTraceGuidsW
GetTraceEnableLevel
UnregisterTraceGuids
GetTraceLoggerHandle
RegQueryInfoKeyW
RegEnumValueW
RegQueryValueExW

shell32

ShellExecuteExW

Exports

Exports

??0?$CSimpleStringT@G$0A@@ATL@@QEAA@AEBV01@@Z
??0?$CSimpleStringT@G$0A@@ATL@@QEAA@AEBV?$CSimpleStringT@G$00@1@@Z
??0?$CSimpleStringT@G$0A@@ATL@@QEAA@PEAUIAtlStringMgr@1@@Z
??0?$CSimpleStringT@G$0A@@ATL@@QEAA@PEBGHPEAUIAtlStringMgr@1@@Z
??0?$CSimpleStringT@G$0A@@ATL@@QEAA@PEBGPEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@AEBUtagVARIANT@@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@AEBUtagVARIANT@@PEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@AEBV01@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@DH@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@GH@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBD@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBDH@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBDHPEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBDPEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBE@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBEPEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBG@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBGH@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBGHPEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@PEBGPEAUIAtlStringMgr@1@@Z
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@XZ
??0AutorunAppBase@@QEAA@AEBV0@@Z
??0AutorunAppBase@@QEAA@XZ
??0AutorunUIAppBase@@QEAA@AEBV0@@Z
??0AutorunUIAppBase@@QEAA@XZ
??0LanguageNeutralUIAppBase@@QEAA@AEBV0@@Z
??0LanguageNeutralUIAppBase@@QEAA@XZ
??0LanguageUIAppBase@@QEAA@AEBV0@@Z
??0LanguageUIAppBase@@QEAA@XZ
??1?$CSimpleStringT@G$0A@@ATL@@QEAA@XZ
??1?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAA@XZ
??4?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@AEBV01@@Z
??4?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@AEBV?$CSimpleStringT@G$00@1@@Z
??4?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@PEBG@Z
??4?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@AEBUtagVARIANT@@@Z
??4?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@AEBV01@@Z
??4?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@D@Z
??4?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@G@Z
??4?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@PEBD@Z
??4?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@PEBE@Z
??4?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@PEBG@Z
??4AutorunAppBase@@QEAAAEAV0@AEBV0@@Z
??4AutorunUIAppBase@@QEAAAEAV0@AEBV0@@Z
??4LanguageNeutralUIAppBase@@QEAAAEAV0@AEBV0@@Z
??4LanguageUIAppBase@@QEAAAEAV0@AEBV0@@Z
??A?$CSimpleStringT@G$0A@@ATL@@QEBAGH@Z
??B?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV?$CSimpleStringT@G$00@1@XZ
??B?$CSimpleStringT@G$0A@@ATL@@QEBAPEBGXZ
??B?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV?$CSimpleStringT@G$00@1@XZ
??Y?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@AEBV01@@Z
??Y?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@D@Z
??Y?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@E@Z
??Y?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@G@Z
??Y?$CSimpleStringT@G$0A@@ATL@@QEAAAEAV01@PEBG@Z
??Y?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@AEBUtagVARIANT@@@Z
??Y?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@AEBV?$CSimpleStringT@G$0A@@1@@Z
??Y?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@D@Z
??Y?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@E@Z
??Y?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@G@Z
??Y?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@PEBD@Z
??Y?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV01@PEBG@Z
??_7AutorunAppBase@@6B@
??_7AutorunUIAppBase@@6B@
??_7LanguageNeutralUIAppBase@@6B@
??_7LanguageUIAppBase@@6B@
?AllocSysString@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAPEAGXZ
?Append@?$CSimpleStringT@G$0A@@ATL@@QEAAXAEBV12@@Z
?Append@?$CSimpleStringT@G$0A@@ATL@@QEAAXPEBG@Z
?Append@?$CSimpleStringT@G$0A@@ATL@@QEAAXPEBGH@Z
?AppendChar@?$CSimpleStringT@G$0A@@ATL@@QEAAXG@Z
?AppendFormat@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXIZZ
?AppendFormat@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXPEBGZZ
?AppendFormatV@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXPEBGPEAD@Z
?Attach@?$CSimpleStringT@G$0A@@ATL@@AEAAXPEAUCStringData@2@@Z
?AutorunPage@@3VWizard_PageDesciption@@A
?CharToOemA@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXXZ
?CheckImplicitLoad@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@AEAA_NPEBX@Z
?CloneData@?$CSimpleStringT@G$0A@@ATL@@CAPEAUCStringData@2@PEAU32@@Z
?Collate@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHPEBG@Z
?CollateNoCase@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHPEBG@Z
?Compare@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHPEBG@Z
?CompareNoCase@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHPEBG@Z
?Concatenate@?$CSimpleStringT@G$0A@@ATL@@KAXAEAV12@PEBGH1H@Z
?Construct@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@SAXPEAV12@@Z
?CopyChars@?$CSimpleStringT@G$0A@@ATL@@SAXPEAGPEBGH@Z
?CopyChars@?$CSimpleStringT@G$0A@@ATL@@SAXPEAG_KPEBGH@Z
?CopyCharsOverlapped@?$CSimpleStringT@G$0A@@ATL@@SAXPEAGPEBGH@Z
?CopyCharsOverlapped@?$CSimpleStringT@G$0A@@ATL@@SAXPEAG_KPEBGH@Z
?Delete@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHHH@Z
?Empty@?$CSimpleStringT@G$0A@@ATL@@QEAAXXZ
?Find@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHGH@Z
?Find@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHPEBGH@Z
?FindOneOf@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHPEBG@Z
?Fork@?$CSimpleStringT@G$0A@@ATL@@AEAAXH@Z
?Format@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXIZZ
?Format@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXPEBGZZ
?FormatMessageV@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXPEBGPEAPEAD@Z
?FormatMessageW@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXIZZ
?FormatMessageW@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXPEBGZZ
?FormatV@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXPEBGPEAD@Z
?FreeExtra@?$CSimpleStringT@G$0A@@ATL@@QEAAXXZ
?GetAllocLength@?$CSimpleStringT@G$0A@@ATL@@QEBAHXZ
?GetAt@?$CSimpleStringT@G$0A@@ATL@@QEBAGH@Z
?GetBuffer@?$CSimpleStringT@G$0A@@ATL@@QEAAPEAGH@Z
?GetBuffer@?$CSimpleStringT@G$0A@@ATL@@QEAAPEAGXZ
?GetBufferSetLength@?$CSimpleStringT@G$0A@@ATL@@QEAAPEAGH@Z
?GetData@?$CSimpleStringT@G$0A@@ATL@@AEBAPEAUCStringData@2@XZ
?GetEnvironmentVariableW@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHPEBG@Z
?GetLength@?$CSimpleStringT@G$0A@@ATL@@QEBAHXZ
?GetManager@?$CSimpleStringT@G$0A@@ATL@@QEBAPEAUIAtlStringMgr@2@XZ
?GetManager@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAPEAUIAtlStringMgr@2@XZ
?GetString@?$CSimpleStringT@G$0A@@ATL@@QEBAPEBGXZ
?InitializeAutorunCore@@YAHH@Z
?Insert@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHHG@Z
?Insert@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHHPEBG@Z
?IsEmpty@?$CSimpleStringT@G$0A@@ATL@@QEBA_NXZ
?Left@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBA?AV12@H@Z
?LoadStringW@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHI@Z
?LoadStringW@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHPEAUHINSTANCE__@@I@Z
?LoadStringW@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHPEAUHINSTANCE__@@IG@Z
?LockBuffer@?$CSimpleStringT@G$0A@@ATL@@QEAAPEAGXZ
?MakeLower@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@XZ
?MakeReverse@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@XZ
?MakeUpper@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@XZ
?Mid@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBA?AV12@H@Z
?Mid@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBA?AV12@HH@Z
?NotifyWizCancel@AutorunAppBase@@UEAAHAEAH@Z
?OemToCharA@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAXXZ
?OnCtlColorStatic@AutorunAppBase@@QEAA_JI_K_JAEAH@Z
?OnInitDialog@AutorunAppBase@@UEAA_JI_K_JAEAH@Z
?OnInitDialog@AutorunUIAppBase@@UEAA_JI_K_JAEAH@Z
?Preallocate@?$CSimpleStringT@G$0A@@ATL@@QEAAXH@Z
?PrepareWrite2@?$CSimpleStringT@G$0A@@ATL@@AEAAXH@Z
?PrepareWrite@?$CSimpleStringT@G$0A@@ATL@@AEAAPEAGH@Z
?ProcessWindowMessage@AutorunAppBase@@UEAAHPEAUHWND__@@I_K_JAEA_JK@Z
?ProcessWindowMessage@AutorunUIAppBase@@UEAAHPEAUHWND__@@I_K_JAEA_JK@Z
?ProcessWindowMessage@LanguageNeutralUIAppBase@@UEAAHPEAUHWND__@@I_K_JAEA_JK@Z
?ProcessWindowMessage@LanguageUIAppBase@@UEAAHPEAUHWND__@@I_K_JAEA_JK@Z
?Reallocate@?$CSimpleStringT@G$0A@@ATL@@AEAAXH@Z
?ReleaseBuffer@?$CSimpleStringT@G$0A@@ATL@@QEAAXH@Z
?ReleaseBufferSetLength@?$CSimpleStringT@G$0A@@ATL@@QEAAXH@Z
?Remove@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHG@Z
?Replace@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHGG@Z
?Replace@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAHPEBG0@Z
?ReverseFind@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAHG@Z
?Right@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBA?AV12@H@Z
?SetActive@AutorunAppBase@@UEAAXAEAH@Z
?SetAt@?$CSimpleStringT@G$0A@@ATL@@QEAAXHG@Z
?SetLength@?$CSimpleStringT@G$0A@@ATL@@AEAAXH@Z
?SetManager@?$CSimpleStringT@G$0A@@ATL@@QEAAXPEAUIAtlStringMgr@2@@Z
?SetString@?$CSimpleStringT@G$0A@@ATL@@QEAAXPEBG@Z
?SetString@?$CSimpleStringT@G$0A@@ATL@@QEAAXPEBGH@Z
?SetSysString@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBAPEAGPEAPEAG@Z
?SpanExcluding@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBA?AV12@PEBG@Z
?SpanIncluding@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBA?AV12@PEBG@Z
?StringLength@?$CSimpleStringT@G$0A@@ATL@@SAHPEBD@Z
?StringLength@?$CSimpleStringT@G$0A@@ATL@@SAHPEBG@Z
?TerminateAutorunCore@@YAXXZ
?ThrowMemoryException@?$CSimpleStringT@G$0A@@ATL@@KAXXZ
?Tokenize@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEBA?AV12@PEBGAEAH@Z
?Trim@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@G@Z
?Trim@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@PEBG@Z
?Trim@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@XZ
?TrimLeft@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@G@Z
?TrimLeft@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@PEBG@Z
?TrimLeft@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@XZ
?TrimRight@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@G@Z
?TrimRight@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@PEBG@Z
?TrimRight@?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QEAAAEAV12@XZ
?Truncate@?$CSimpleStringT@G$0A@@ATL@@QEAAXH@Z
?UnlockBuffer@?$CSimpleStringT@G$0A@@ATL@@QEAAXXZ
?g_AutorunCore@@3VCAutorunCore@@A
?v_SetAppWindowUserData@AutorunAppBase@@IEAAXXZ
StartAutorun

Sections

.text
Size: 139KB - Virtual size: 138KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
New folder (3)/install_Windows 7 ULTIMATE.clg
New folder (3)/setup.exe
.exe windows x64

f9191610f983f48ce262a1c988bda844

Code Sign

61:08:77:5f:00:00:00:00:00:4a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/07/2010, 22:53

Not After

19/10/2011, 22:53

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:03:dc:f6:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:12

Not After

25/07/2011, 19:22

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:159C-A3F7-2570,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:15:08:27:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

25/01/2006, 23:22

Not After

25/01/2017, 23:32

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

99:83:0d:27:17:64:3c:e1:e7:9b:57:77:f1:2e:0d:6e:ff:77:9f:04
Signer

Actual PE Digest

99:83:0d:27:17:64:3c:e1:e7:9b:57:77:f1:2e:0d:6e:ff:77:9f:04

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

20/11/2010, 13:28
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

Imports

kernel32

Sleep
CloseHandle
VerifyVersionInfoW
VerSetConditionMask
GetCurrentDirectoryW
HeapAlloc
FormatMessageW
LocalAlloc
LocalFree
lstrlenW
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
GetStartupInfoW
SetCurrentDirectoryW
GetProcAddress
SetLastError
GetLastError
GetModuleFileNameW
GetProcessHeap
HeapFree
SetEnvironmentVariableW
LoadLibraryExW
FreeLibrary
CreateMutexW
GetFullPathNameW

user32

LoadStringW
SetForegroundWindow
GetWindowLongPtrW
EnumWindows
ShowWindow
MessageBoxW
GetWindowThreadProcessId

msvcrt

??3@YAXPEAX@Z
?terminate@@YAXXZ
memset
__set_app_type
_fmode
_commode
__setusermatherr
_amsg_exit
_initterm
_wcmdln
exit
_cexit
_exit
_XcptFilter
__C_specific_handler
__wgetmainargs
??2@YAPEAX_K@Z

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 85KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 332B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
New folder (3)/upgrade/netfx/netfx.msi
.msi
New folder (3)/upgrade/netfx/netfx.msp
New folder (3)/upgrade/netfx/netfx1.cab
.cab
New folder (3)/upgrade/netfx/netfxupdate.exe
.exe windows x86

c93fb3b3067c891bb5db2cf4ac13c7cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegDeleteValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RegEnumValueA
RegCloseKey

kernel32

InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
InterlockedExchange
CloseHandle
GetLastError
CreateFileA
SetEvent
HeapAlloc
GetProcessHeap
HeapFree
GetProcAddress
LoadLibraryA
DeleteCriticalSection
LocalFree
FormatMessageA
GetModuleFileNameA
SetFilePointer
GetFileType
GetTempPathA
FlushFileBuffers
WriteFile
GetLocalTime
GetVolumeInformationA
GetSystemDirectoryA
GetVersionExA
GetWindowsDirectoryA
ResetEvent
TerminateProcess
GetExitCodeProcess
WaitForMultipleObjects
CreateProcessA
CreateEventA
Sleep
ReleaseMutex
WaitForSingleObject
CreateMutexA
CreateThread
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
RaiseException
RtlUnwind
ExitProcess
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
GetCurrentProcess
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
TlsFree
SetLastError
GetCurrentThreadId
TlsSetValue
TlsGetValue
TlsAlloc
HeapDestroy
HeapCreate
VirtualFree
GetACP
GetOEMCP
GetCPInfo
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapReAlloc
HeapSize
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
IsBadWritePtr
LCMapStringA
LCMapStringW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
ReadFile
GetLocaleInfoA
SetEndOfFile

user32

LoadStringA

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

Sections

.text
Size: 60KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

82b70ba1357706ec3ecdc0b7e96dab48

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

spwizeng

uxlib

wdscore

unattend

user32

gdi32

oleaut32

kernel32

ntdll

ole32

advapi32

shell32

Exports

Exports

Sections

.text Size: 139KB - Virtual size: 138KB

.data Size: 3KB - Virtual size: 5KB

.pdata Size: 5KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 3KB - Virtual size: 2KB

f9191610f983f48ce262a1c988bda844

Code Sign

61:08:77:5f:00:00:00:00:00:4aCertificate

Extended Key Usages

Key Usages

61:03:dc:f6:00:00:00:00:00:0cCertificate

Extended Key Usages

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

61:15:08:27:00:00:00:00:00:0cCertificate

Extended Key Usages

Key Usages

99:83:0d:27:17:64:3c:e1:e7:9b:57:77:f1:2e:0d:6e:ff:77:9f:04Signer

Signature Validations

Verification

20/11/2010, 13:28 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

msvcrt

ntdll

Sections

.text Size: 8KB - Virtual size: 8KB

.data Size: 1KB - Virtual size: 2KB

.pdata Size: 512B - Virtual size: 360B

.rsrc Size: 85KB - Virtual size: 85KB

.reloc Size: 512B - Virtual size: 332B

c93fb3b3067c891bb5db2cf4ac13c7cc

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

user32

version

Sections

.text Size: 60KB - Virtual size: 57KB

.data Size: 4KB - Virtual size: 9KB

.rsrc Size: 4KB - Virtual size: 1KB

.text
Size: 139KB - Virtual size: 138KB

.data
Size: 3KB - Virtual size: 5KB

.pdata
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 3KB - Virtual size: 2KB

61:08:77:5f:00:00:00:00:00:4a
Certificate

61:03:dc:f6:00:00:00:00:00:0c
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

61:15:08:27:00:00:00:00:00:0c
Certificate

99:83:0d:27:17:64:3c:e1:e7:9b:57:77:f1:2e:0d:6e:ff:77:9f:04
Signer

20/11/2010, 13:28
Valid: false

.text
Size: 8KB - Virtual size: 8KB

.data
Size: 1KB - Virtual size: 2KB

.pdata
Size: 512B - Virtual size: 360B

.rsrc
Size: 85KB - Virtual size: 85KB

.reloc
Size: 512B - Virtual size: 332B

.text
Size: 60KB - Virtual size: 57KB

.data
Size: 4KB - Virtual size: 9KB

.rsrc
Size: 4KB - Virtual size: 1KB