File[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

File.zip
Size

5.4MB
MD5

fd07c66c72aeeceecd3b54da560b03da
SHA1

159e64c7bb5f7dea64a89f80502cf02a95397e0a
SHA256

14fd3cd7e81a48af0c056c420dc62f7fd52f95ae96617e379e2f7ffc166d37aa
SHA512

76623f00d4f02f805797f7952dd1530324f2991ceb4625515e8879f9ea0dc3c2cc958809f3fb7d9ccbc4181d52ad4c03ccac86c13d6d6d6f22beb52790c9a392
SSDEEP

98304:kNoOrhfhzTCp8vX0Ty6kiKX1NXQHdnCVpEJyZsb9zfYodEROYH:Yjfhnv6kiI4dC/EJyZsFQxOYH

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/Install.exe	themida

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/AcGenral.dll
unpack001/AcLayers.dll

Files

File.zip
.zip
AcGenral.dll
.dll windows:10 windows x86

cfac9aa030965dc89cae24a8eff928cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

apphelp

SE_COM_AddHook
SE_COM_HookObject
SE_COM_Lookup
SE_COM_HookInterface
SE_CALLBACK_Lookup
SE_ShimDPF
SE_GetShimId
SdbInitDatabase
SdbGetPDBFromGUID
SdbResolveDatabase
SdbOpenLocalDatabase
SE_COM_AddServer
SE_CALLBACK_AddHook
SdbReleaseDatabase
SdbGetStringTagPtr
SdbFindNextTag
SdbFindFirstTag

msvcrt

memcmp
_local_unwind4
_CxxThrowException
memcpy
__CxxFrameHandler3
_wcsicmp
_vsnwprintf
_XcptFilter
_amsg_exit
free
malloc
_initterm
?terminate@@YAXXZ
_except_handler4_common
_lock
memmove
__dllonexit
_onexit
??1type_info@@UAE@XZ
_vscprintf
_wcsupr
wcspbrk
wcschr
wcscpy_s
towupper
towlower
iswctype
wcsspn
toupper
wcsrchr
memset
_unlock
strrchr
wcstoul
_errno
_wcsnicmp
strchr
strtoul
wcstol
atoi
_vscwprintf
_vsnprintf
wcsncmp
strtok
atol
wcsstr
_stricmp
strstr
qsort
_wtoi
wprintf
_wcslwr_s
_wcslwr
_wsplitpath_s
iswspace
swscanf_s
_strnicmp
strncmp
wcscat_s
wcstok_s
_tempnam

ntdll

RtlIsNameInExpression
RtlInitializeCriticalSection
NtQueryInformationThread
NtQueryVirtualMemory
NtProtectVirtualMemory
DbgPrint
NtSetInformationProcess
NtClose
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlUnicodeStringToInteger
RtlInitUnicodeString
RtlGUIDFromString
RtlIsDosDeviceName_U
RtlCreateServiceSid
RtlGetNtSystemRoot
RtlDosPathNameToNtPathName_U
NtOpenFile
NtQuerySecurityObject
RtlGetOwnerSecurityDescriptor
RtlEqualSid
NtOpenKey
NtQueryValueKey
NtCreateKey
NtSetValueKey
RtlFormatCurrentUserKeyPath
NtQueryObject
NtConnectPort
NtQueryVolumeInformationFile
RtlFreeUnicodeString
RtlOemStringToUnicodeString
RtlNtStatusToDosError
RtlImageNtHeader
RtlReAllocateHeap
RtlSubAuthoritySid
NtRequestWaitReplyPort
RtlGetDaclSecurityDescriptor
RtlSubAuthorityCountSid
NtQueryInformationToken
RtlFreeHeap
RtlAllocateHeap
RtlIdentifierAuthoritySid
RtlLengthRequiredSid
NtOpenThreadToken
NtOpenProcessToken
RtlInitializeSid
NtQueryInformationProcess

api-ms-win-service-core-l1-1-1

EnumDependentServicesW

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
OpenSCManagerW
CreateServiceW
StartServiceW
DeleteService

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceStatusEx

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer

shlwapi

SHGetValueW
SHStrDupW
ord619
SHDeleteKeyW

uxtheme

SetThemeAppProperties
ord67

user32

AllowSetForegroundWindow
MsgWaitForMultipleObjects
PeekMessageW
SetWindowsHookExAW
SetCursor
GetWindowLongA
mouse_event
GetForegroundWindow
ShowWindow
InvalidateRect
SetForegroundWindow
PostMessageW
GetAncestor
GetClassNameW
EmptyClipboard
CharUpperW
DestroyIcon
CreateIconIndirect
GetIconInfo
SetPropW
RemovePropW
PostQuitMessage
RegisterWindowMessageA
EnumDesktopWindows
GetWindowTextA
GetWindowTextLengthA
ScreenToClient
GetWindowInfo
IsWindowVisible
GetWindow
IsChild
WindowFromDC
GetUpdateRgn
ShowCursor
GetActiveWindow
DefWindowProcA
GetShellWindow
SystemParametersInfoA
CloseDesktop
CharNextA
SetThreadDesktop
OpenInputDesktop
EnumDisplayDevicesW
ReleaseDC
GetDC
CallNextHookEx
GetKeyState
SetWindowsHookExA
DispatchMessageW
TranslateMessage
GetMessageW
SetSystemCursor
DestroyCursor
CopyIcon
LoadCursorW
GetWindowLongW
CallWindowProcA
EnumDisplaySettingsW
SendMessageW
RegisterSuspendResumeNotification
GetParent
SetWindowPos
GetWindowRect
GetDesktopWindow
GetMonitorInfoW
MonitorFromRect
GetSystemMetrics
SetRect
SystemParametersInfoW
GetWindowThreadProcessId
GetGUIThreadInfo
wvsprintfA
ChangeWindowMessageFilterEx
ChangeDisplaySettingsA
EnumDisplaySettingsA
SetDlgItemTextA
IsWindow
GetClientRect
IsCharAlphaA
GetPropW

gdi32

SelectPalette
RealizePalette
DeleteObject
GetCurrentObject
GetPaletteEntries
GetClipBox
CreateRectRgnIndirect
CreatePalette
CreateRectRgn
SetRectRgn
CombineRgn
GetStockObject
CreateDIBSection
GetObjectW
CreateCompatibleDC
GetRgnBox
SelectObject
SetSystemPaletteUse
SetViewportOrgEx
DeleteDC
BitBlt
CreateDCW
GetDeviceCaps

winmm

mciSendCommandA

samcli

NetLocalGroupAddMembers
NetLocalGroupAdd

ole32

CoUninitialize
CoInitialize
CoGetObject
CoTaskMemFree
StringFromCLSID
StringFromGUID2
CoCreateInstance

oleaut32

SysAllocString
SysFreeString
RegisterTypeLibForUser

msacm32

acmStreamOpen
acmStreamSize

version

GetFileVersionInfoExW
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

shell32

SHGetFolderPathEx
SHGetFolderPathW
SHChangeNotify
SHCreateDirectoryExW
SHGetSpecialFolderPathA
ShellExecuteExA
SHGetMalloc
ShellExecuteExW
ord165
SHGetSpecialFolderPathW

userenv

GetUserProfileDirectoryA
GetUserProfileDirectoryW
GetAllUsersProfileDirectoryW

dwmapi

DwmIsCompositionEnabled

urlmon

CoInternetSetFeatureEnabled

kernel32

GetDriveTypeA
WritePrivateProfileStringW
GetPrivateProfileStringW
CompareStringOrdinal
CompareStringW
CompareStringA
IsDBCSLeadByteEx
lstrlenA
GetLocaleInfoW
IsValidLocale
lstrcmpA
GetVolumeInformationW
DeviceIoControl
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetProcessAffinityMask
GetLogicalProcessorInformationEx
GetCurrentProcessorNumberEx
GetModuleHandleA
CheckElevationEnabled
ExpandEnvironmentStringsW
GetUserDefaultUILanguage
ResumeThread
WriteProcessMemory
DuplicateHandle
VirtualAllocEx
ReadProcessMemory
OpenProcess
GetSystemInfo
GetWindowsDirectoryW
lstrcmpW
FormatMessageW
QueryPerformanceFrequency
GetSystemTime
ReadFile
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
GetSystemWindowsDirectoryW
AddDllDirectory
IsNLSDefinedString
FindNLSStringEx
WideCharToMultiByte
HeapReAlloc
FindNextFileA
InitializeCriticalSection
OutputDebugStringA
RaiseException
SearchPathA
QueryActCtxSettingsW
GetShortPathNameW
GetLongPathNameW
GetFullPathNameW
GetTempPathW
GetTempFileNameW
SearchPathW
lstrcmpiW
GlobalAlloc
ResolveDelayLoadedAPI
DelayLoadFailureHook
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
ProcessIdToSessionId
CreateActCtxW
LCMapStringEx
GetLocaleInfoEx
LCIDToLocaleName
CompareStringEx
GetTickCount64
GetBinaryTypeW
GetShortPathNameA
Module32First
CreateToolhelp32Snapshot
SetEvent
ResetEvent
WaitForMultipleObjects
CreateEventW
LoadLibraryA
GetSystemDirectoryA
CreateThread
ReleaseActCtx
QueryActCtxW
SetThreadPriority
SetThreadPriorityBoost
GetVersionExW
GetCommandLineW
GetDiskFreeSpaceExW
GetDiskFreeSpaceExA
GlobalFree
GetUserDefaultLCID
FreeLibrary
LoadLibraryExW
SetEnvironmentVariableA
FlushFileBuffers
DeleteFileW
FreeResource
GetFileSize
MapViewOfFile
UnmapViewOfFile
SetFileAttributesA
CopyFileA
MoveFileA
GetFileAttributesA
GetEnvironmentVariableA
MultiByteToWideChar
FindResourceW
CloseHandle
OpenMutexW
GetCurrentProcessId
CreateMutexW
Sleep
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
GetProcAddress
HeapAlloc
GetProcessHeap
GetCommandLineA
GetEnvironmentVariableW
SetEnvironmentVariableW
CreateProcessA
ExitProcess
EnterCriticalSection
LeaveCriticalSection
HeapSize
HeapValidate
InitializeCriticalSectionAndSpinCount
VirtualAlloc
VirtualFree
SetProcessInformation
IsWow64Process
WaitForSingleObject
GetExitCodeProcess
GetModuleFileNameW
HeapFree
GetCurrentThread
CreateFileMappingA
CreateFileMappingW
GetLastError
LocalFree
GetDriveTypeW
CopyFileW
SetFileAttributesW
GetSystemDirectoryW
LoadLibraryW
MoveFileExW
GetTempPathA
GetTempFileNameA
CreateProcessW
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetLogicalDrives
lstrlenW
FindResourceA
SizeofResource
LocalAlloc
LoadResource
LockResource
CreateFileA
DeleteFileA
SetErrorMode
SetLastError
GetCurrentDirectoryW
IsDBCSLeadByte
IsBadWritePtr
IsBadReadPtr
IsBadStringPtrA
IsBadStringPtrW
VirtualQuery
VirtualProtect
GlobalMemoryStatusEx
GetModuleFileNameA
CreateFileW
DeleteCriticalSection

advapi32

RegSetKeySecurity
RegQueryValueExW
RegCloseKey
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegSetValueExW
RegEnumKeyExW
ConvertStringSidToSidW
LookupAccountSidW
RegOpenKeyExA
RegQueryValueExA
SetNamedSecurityInfoW
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorDacl
GetSecurityDescriptorControl
OpenProcessToken
LookupPrivilegeValueW
QueryServiceStatus
GetTokenInformation
CheckTokenMembership
RegUnLoadKeyW
RegLoadKeyW
GetNamedSecurityInfoW
RegGetValueW
FreeSid
AllocateAndInitializeSid
EqualSid
GetAclInformation
SetEntriesInAclW
GetExplicitEntriesFromAclW
GetAce
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AdjustTokenPrivileges
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetSecurityDescriptorLength
RegGetKeySecurity
LsaClose
LsaAddAccountRights
LsaNtStatusToWinError
LsaOpenPolicy
CreateWellKnownSid
RegSetValueExA
RegDeleteValueW
RegDeleteKeyExW
RegOpenKeyExW

winspool.drv

OpenPrinterA
ord201
GetPrinterA
ClosePrinter
EnumPrintersA

rpcrt4

RpcBindingSetAuthInfoExW
I_RpcExceptionFilter
RpcAsyncCompleteCall
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcAsyncInitializeHandle
NdrAsyncClientCall
RpcStringFreeW
RpcAsyncCancelCall
RpcBindingFree

mpr

WNetGetConnectionW

sspicli

GetUserNameExW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

GetHookAPIs
NotifyShims

Sections

.text
Size: 672KB - Virtual size: 671KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

TEXT
Size: 512B - Virtual size: 237B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AcLayers.dll
.dll windows:10 windows x86

f44448baacf169ee55feb42d760ce427

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

apphelp

SE_COM_AddServer
SE_COM_HookObject
SE_COM_Lookup
SE_ShimDPF
SE_COM_AddHook
SE_GetShimId

msvcrt

memcpy
memcmp
_CxxThrowException
memmove
__CxxFrameHandler3
_wcsicmp
_vscwprintf
_vsnwprintf
_vsnprintf
_stricmp
atol
strstr
sprintf_s
vsprintf_s
sscanf_s
wcsncmp
_wcsnicmp
_scwprintf
wcsrchr
wcsspn
iswctype
towlower
wcscpy_s
wcscat_s
wcschr
wcspbrk
_wcslwr
wcsstr
_vscprintf
iswspace
_XcptFilter
_amsg_exit
free
malloc
_initterm
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_except_handler4_common
memset

ntdll

RtlAllocateHeap
RtlFreeHeap
RtlInitUnicodeString
RtlEqualUnicodeString
RtlImageNtHeader
NtClose
RtlReportException
NtTerminateProcess
RtlRaiseException
NtQueryInformationProcess
RtlUniform
RtlValidateHeap
RtlCaptureStackBackTrace
RtlCaptureContext
WinSqmAddToStream
NtOpenFile
NtQueryObject
LdrAccessResource
NtQuerySystemInformation
RtlLengthRequiredSid
RtlInitializeSid
NtQueryInformationToken
RtlSubAuthoritySid
RtlCreateUnicodeStringFromAsciiz
RtlFreeUnicodeString
RtlMultiByteToUnicodeN
RtlNtStatusToDosError
RtlUnicodeToMultiByteSize
RtlUnicodeToMultiByteN
NtQueryKey
NtOpenKey
NtQueryValueKey
RtlGetOwnerSecurityDescriptor
RtlEqualSid
RtlAppendUnicodeToString
RtlFormatCurrentUserKeyPath
RtlGetLastNtStatus
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlCreateServiceSid
RtlGetNtSystemRoot
RtlDosPathNameToNtPathName_U
NtQuerySecurityObject

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExA
RegGetKeySecurity
RegDeleteKeyExW
RegEnumKeyExW
RegOpenKeyExW

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorDacl
GetTokenInformation
GetAce
CheckTokenMembership
GetFileSecurityW
CopySid
AllocateAndInitializeSid
GetAclInformation
FreeSid

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer

user32

AllowSetForegroundWindow
MsgWaitForMultipleObjects
CharUpperW
EnumDisplaySettingsW
GetCapture
ScreenToClient
GetAncestor
WindowFromPoint
InvalidateRect
DestroyWindow
DispatchMessageW
TranslateMessage
GetMessageW
SetLayeredWindowAttributes
RegisterClassExW
LoadCursorW
GetClassInfoExW
KillTimer
EndPaint
BeginPaint
DefWindowProcW
GetSystemMetrics
PostQuitMessage
SetWindowPos
ChangeDisplaySettingsA
EnumDisplaySettingsA
GetWindowThreadProcessId
GetGUIThreadInfo
GetDesktopWindow
GetMonitorInfoW
PeekMessageW
SetCursor
EnableWindow
CreateWindowExW

gdi32

GdiFlush
GetObjectType
CreateCompatibleDC
CreateDIBSection
GetDIBits
DeleteObject
DeleteDC
CreateSolidBrush
OffsetWindowOrgEx
CreateCompatibleBitmap
SelectObject
OffsetClipRgn
OffsetRgn

shell32

SHGetFolderPathW
SHGetFolderPathA

shlwapi

ord9
ord10
StrChrA
StrRChrA
ord8
StrCmpNIA
ord7
StrStrIA
StrCSpnA
StrToIntA
StrChrW
StrRChrW
ord346
StrCmpNIW
StrStrW
StrRetToBufW
StrCSpnW
StrToIntW
StrChrIA
StrChrIW
StrRChrIA
StrRChrIW
StrRStrIA
StrRStrIW
StrCSpnIA
StrCSpnIW
IntlStrEqWorkerA
IntlStrEqWorkerW
PathFindFileNameW
StrCmpNW
StrStrA
StrCmpNA
StrStrIW

oleaut32

SysReAllocString

mpr

WNetGetConnectionW

kernel32

IsDebuggerPresent
ReadFile
WaitForSingleObject
CancelIo
OutputDebugStringA
InitializeCriticalSection
CreateEventW
DeleteCriticalSection
SetNamedPipeHandleState
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
InitializeSRWLock
GetCurrentThread
WerRegisterMemoryBlock
CreateProcessW
IsBadReadPtr
IsWow64Process
ProcessIdToSessionId
GetTickCount
GetSystemTimeAsFileTime
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
DelayLoadFailureHook
ResolveDelayLoadedAPI
SearchPathW
GetFullPathNameW
GetCurrentDirectoryW
CreateMutexW
OpenMutexW
CreateActCtxW
GetTempFileNameW
GetTempFileNameA
GetTempPathA
GetFileSize
SetFilePointer
CreateFileW
GetVolumeNameForVolumeMountPointW
GetSystemDirectoryW
GetModuleFileNameW
GetWindowsDirectoryW
GetDriveTypeW
GetLogicalDriveStringsW
QueryPerformanceFrequency
QueryPerformanceCounter
WaitForSingleObjectEx
CreateThread
ResetEvent
SetEvent
GetFileAttributesW
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
lstrcmpA
RegisterApplicationRestart
GetApplicationRestartSettings
ExpandEnvironmentStringsA
TlsAlloc
GetShortPathNameW
TlsSetValue
GetShortPathNameA
lstrcmpiA
TlsGetValue
GetVersionExW
CompareStringW
CompareStringA
FindClose
FindNextFileW
FindFirstFileW
CreateDirectoryW
GetTempPathW
DeleteFileW
CopyFileW
DeleteFileA
CopyFileA
QueryFullProcessImageNameW
LoadLibraryW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockShared
GetCurrentThreadId
AcquireSRWLockShared
AddAtomW
FindNLSStringEx
IsNLSDefinedString
HeapReAlloc
LCMapStringEx
HeapFree
MultiByteToWideChar
GetProcessHeap
HeapAlloc
GetLocaleInfoEx
CompareStringEx
LCIDToLocaleName
WideCharToMultiByte
ExpandEnvironmentStringsW
DeleteProcThreadAttributeList
InitializeProcThreadAttributeList
ResumeThread
SetLastError
ReleaseActCtx
QueryActCtxW
GetCurrentActCtx
LocalFree
LocalAlloc
GetLastError
ExitProcess
GetCurrentProcess
GetModuleHandleW
GetSystemFirmwareTable
CloseHandle
CreateFileA
Sleep
WriteProcessMemory
GetCurrentProcessId
GetEnvironmentVariableA
SetEnvironmentVariableA
WriteFile
GetStartupInfoA
LoadLibraryA
GetProcAddress
GetCommandLineA
GetModuleHandleA
GetVersion
WaitForDebugEvent
ReadProcessMemory

setupapi

PnpIsFilePnpDriver

sfc

SfcIsFileProtected
SfcIsKeyProtected

winspool.drv

ord203

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcAsyncCompleteCall
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcAsyncCancelCall
RpcBindingFree
NdrAsyncClientCall
RpcAsyncInitializeHandle

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

GetHookAPIs
NotifyShims

Sections

.text
Size: 314KB - Virtual size: 314KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 2.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Install.exe
.exe windows:6 windows x86

Code Sign

1c:0f:59:8c:2a:95:ea:bd:43:c1:b9:b3:c6:32:a8:16
Certificate

Issuer

CN=HDD Toshiba SATA-III 6Tb HDWG460EZSTA N300 (7200rpm) 256Mb 3.5 Rtl

Not Before

11/10/2022, 19:50

Not After

12/10/2032, 19:50

Subject

CN=HDD Toshiba SATA-III 6Tb HDWG460EZSTA N300 (7200rpm) 256Mb 3.5 Rtl

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

11/05/2022, 00:00

Not After

10/08/2033, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #3,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7a:bf:81:d8:60:70:10:bd:bf:10:3b:e0:b3:48:f3:20:02:89:f4:03:ab:0f:fd:d4:70:a1:1d:47:a3:c3:15:59
Signer

Actual PE Digest

7a:bf:81:d8:60:70:10:bd:bf:10:3b:e0:b3:48:f3:20:02:89:f4:03:ab:0f:fd:d4:70:a1:1d:47:a3:c3:15:59

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

Size: 656KB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 61KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

≹Æƒ�
Size: 327KB - Virtual size: 327KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 22KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.themida
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

≹Æƒ�
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 16B

IMAGE_SCN_MEM_READ

.rsrc
Size: 327KB - Virtual size: 327KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Readme.txt
fonts/Alakob.ttf
fonts/AlaskanNights.ttf
fonts/Arggotsc.ttf
fonts/Army Condensed.ttf
fonts/Army Thin.ttf
fonts/BELL.TTF
fonts/BELLB.TTF
fonts/BELLI.TTF
fonts/BOD_BI.TTF
fonts/BOD_BLAI.TTF
fonts/BOD_I.TTF
fonts/CALISTB.TTF
fonts/CALISTBI.TTF
fonts/CENTAUR.TTF
fonts/Cabana-Regular.ttf
fonts/baby_csp.ttf
fonts/black.ttf
fonts/bold_0.ttf
fonts/browa.ttf
fonts/browau.ttf
fonts/browauz.ttf
fonts/browaz.ttf
fonts/deathrattlebb_reg.ttf

Sharing

General

Malware Config

Signatures

Files

cfac9aa030965dc89cae24a8eff928cc

Headers

DLL Characteristics

File Characteristics

Imports

apphelp

msvcrt

ntdll

api-ms-win-service-core-l1-1-1

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-eventing-provider-l1-1-0

shlwapi

uxtheme

user32

gdi32

winmm

samcli

ole32

oleaut32

msacm32

version

shell32

userenv

dwmapi

urlmon

kernel32

advapi32

winspool.drv

rpcrt4

mpr

sspicli

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 672KB - Virtual size: 671KB

TEXT Size: 512B - Virtual size: 237B

.data Size: 13KB - Virtual size: 21KB

.idata Size: 15KB - Virtual size: 15KB

.didat Size: 512B - Virtual size: 24B

.rsrc Size: 1.5MB - Virtual size: 1.5MB

.reloc Size: 61KB - Virtual size: 61KB

f44448baacf169ee55feb42d760ce427

Headers

DLL Characteristics

File Characteristics

Imports

apphelp

msvcrt

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-eventing-provider-l1-1-0

user32

gdi32

shell32

shlwapi

oleaut32

mpr

kernel32

setupapi

sfc

winspool.drv

rpcrt4

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 314KB - Virtual size: 314KB

.data Size: 21KB - Virtual size: 2.2MB

.idata Size: 9KB - Virtual size: 9KB

.didat Size: 512B - Virtual size: 80B

.rsrc Size: 1KB - Virtual size: 1KB

.text
Size: 672KB - Virtual size: 671KB

TEXT
Size: 512B - Virtual size: 237B

.data
Size: 13KB - Virtual size: 21KB

.idata
Size: 15KB - Virtual size: 15KB

.didat
Size: 512B - Virtual size: 24B

.rsrc
Size: 1.5MB - Virtual size: 1.5MB

.reloc
Size: 61KB - Virtual size: 61KB

.text
Size: 314KB - Virtual size: 314KB

.data
Size: 21KB - Virtual size: 2.2MB

.idata
Size: 9KB - Virtual size: 9KB

.didat
Size: 512B - Virtual size: 80B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 24KB - Virtual size: 24KB

1c:0f:59:8c:2a:95:ea:bd:43:c1:b9:b3:c6:32:a8:16
Certificate

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

7a:bf:81:d8:60:70:10:bd:bf:10:3b:e0:b3:48:f3:20:02:89:f4:03:ab:0f:fd:d4:70:a1:1d:47:a3:c3:15:59
Signer

≹Æƒ�
Size: 327KB - Virtual size: 327KB

.idata
Size: 512B - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.themida
Size: 4.1MB - Virtual size: 4.1MB

≹Æƒ�
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 16B

.rsrc
Size: 327KB - Virtual size: 327KB