gdps[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

gdps.zip
Size

164.9MB
MD5

6f8105ad77292abae562a7a4002c86dd
SHA1

8511e3dc905ee312431c94fb8f1d29ffcaf848c1
SHA256

adaef1f22970e6022cc067f62bef3ce0df047fe6296222eecd88177eaf814605
SHA512

2bcb1f30045d4bd7ea83bd03a0b6fdfefa69f3d645b579820e939a13555a98ea61691053aaa7970b5ce87cafcfcd297712cf15d5f3b31586976042ed5a45a82f
SSDEEP

3145728:3ItXCxzf91Rt4RjN8BnU6C3dxsLrKnXZ4ZaP4OZWS5wkDKv0fwBb/69U9lmcRE+Q:4tXunX0Nt6e+PKXim4OZWRsjs02mcq35

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/U8setupB.exe

Files

gdps.zip
.zip
U8setupB.exe
.exe windows:6 windows x86 arch:x86

eb5bc6ff6263b364dfbfb78bdb48ed59

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

GetACP
GetExitCodeProcess
LocalFree
CloseHandle
SizeofResource
VirtualProtect
VirtualFree
GetFullPathNameW
ExitProcess
HeapAlloc
GetCPInfoExW
RtlUnwind
GetCPInfo
GetStdHandle
GetModuleHandleW
FreeLibrary
HeapDestroy
ReadFile
CreateProcessW
GetLastError
GetModuleFileNameW
SetLastError
FindResourceW
CreateThread
CompareStringW
LoadLibraryA
ResetEvent
GetVersion
RaiseException
FormatMessageW
SwitchToThread
GetExitCodeThread
GetCurrentThread
LoadLibraryExW
LockResource
GetCurrentThreadId
UnhandledExceptionFilter
VirtualQuery
VirtualQueryEx
Sleep
EnterCriticalSection
SetFilePointer
LoadResource
SuspendThread
GetTickCount
GetFileSize
GetStartupInfoW
GetFileAttributesW
InitializeCriticalSection
GetThreadPriority
SetThreadPriority
GetCurrentProcess
VirtualAlloc
GetSystemInfo
GetCommandLineW
LeaveCriticalSection
GetProcAddress
ResumeThread
GetVersionExW
VerifyVersionInfoW
HeapCreate
GetWindowsDirectoryW
VerSetConditionMask
GetDiskFreeSpaceW
FindFirstFileW
GetUserDefaultUILanguage
lstrlenW
QueryPerformanceCounter
SetEndOfFile
HeapFree
WideCharToMultiByte
FindClose
MultiByteToWideChar
LoadLibraryW
SetEvent
CreateFileW
GetLocaleInfoW
GetSystemDirectoryW
DeleteFileW
GetLocalTime
GetEnvironmentVariableW
WaitForSingleObject
WriteFile
ExitThread
DeleteCriticalSection
TlsGetValue
GetDateFormatW
SetErrorMode
IsValidLocale
TlsSetValue
CreateDirectoryW
GetSystemDefaultUILanguage
EnumCalendarInfoW
LocalAlloc
GetUserDefaultLangID
RemoveDirectoryW
CreateEventW
SetThreadLocale
GetThreadLocale

comctl32

InitCommonControls

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

user32

CreateWindowExW
TranslateMessage
CharLowerBuffW
CallWindowProcW
CharUpperW
PeekMessageW
GetSystemMetrics
SetWindowLongW
MessageBoxW
DestroyWindow
CharNextW
MsgWaitForMultipleObjects
LoadStringW
ExitWindowsEx
DispatchMessageW

oleaut32

SysAllocStringLen
SafeArrayPtrOfIndex
VariantCopy
SafeArrayGetLBound
SafeArrayGetUBound
VariantInit
VariantClear
SysFreeString
SysReAllocStringLen
VariantChangeType
SafeArrayCreate

netapi32

NetWkstaGetInfo
NetApiBufferFree

advapi32

RegQueryValueExW
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCloseKey
OpenProcessToken
RegOpenKeyExW

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: 660KB - Virtual size: 660KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 25KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 154B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 24B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 93B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
vcredist_x64.exe
.exe windows:5 windows x86 arch:x86

dcbe94b8cc54b8e53867c61cc96811d6

Code Sign

33:00:00:00:34:24:31:40:c9:a0:c1:79:8d:00:00:00:00:00:34
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27/03/2013, 20:08

Not After

27/06/2014, 20:08

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/04/2014, 17:39

Not After

22/07/2015, 17:39

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

24/09/2013, 17:41

Not After

24/12/2014, 17:41

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:6e:f7:b9:cb:0e:18:01:30:7b:f2:29:41:95:40:27:dc:96:8b:12:27:00:26:61:7a:3b:f6:bc:6d:cd:fb:f6
Signer

Actual PE Digest

05:6e:f7:b9:cb:0e:18:01:30:7b:f2:29:41:95:40:27:dc:96:8b:12:27:00:26:61:7a:3b:f6:bc:6d:cd:fb:f6

Digest Algorithm

sha256

PE Digest Matches

true

b7:2c:ca:7c:3d:dc:f5:31:93:ef:66:19:70:82:e5:d8:2d:35:0f:17
Signer

Actual PE Digest

b7:2c:ca:7c:3d:dc:f5:31:93:ef:66:19:70:82:e5:d8:2d:35:0f:17

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\delivery\Dev\wix37\build\ship\x86\burn.pdb

Imports

advapi32

AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegCloseKey
RegDeleteValueW
RegQueryValueExW
GetUserNameW
InitiateSystemShutdownExW
CreateWellKnownSid
InitializeAcl
SetEntriesInAclW
DecryptFileW
ChangeServiceConfigW
ControlService
CloseServiceHandle
QueryServiceStatus
OpenServiceW
OpenSCManagerW
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegSetValueExW
SetEntriesInAclA
SetSecurityDescriptorGroup
RegOpenKeyExW
GetTokenInformation
CheckTokenMembership
AllocateAndInitializeSid
FreeSid
LookupAccountNameW
SetNamedSecurityInfoW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
QueryServiceConfigW

user32

GetMessageW
PeekMessageW
PostMessageW
PostThreadMessageW
PostQuitMessage
SetWindowLongW
DefWindowProcW
UnregisterClassW
DispatchMessageW
TranslateMessage
GetMonitorInfoW
IsDialogMessageW
MessageBoxW
GetWindowLongW
RegisterClassW
IsWindow
MsgWaitForMultipleObjects
WaitForInputIdle
LoadCursorW
LoadBitmapW
GetCursorPos
MonitorFromPoint
CreateWindowExW

oleaut32

SysFreeString
SysAllocString
VariantInit
VariantClear

gdi32

DeleteObject
GetObjectW
CreateCompatibleDC
SelectObject
DeleteDC
StretchBlt

shell32

ShellExecuteExW
SHGetFolderPathW
CommandLineToArgvW

ole32

CoTaskMemFree
CoInitializeSecurity
CLSIDFromProgID
CoCreateInstance
CoInitialize
StringFromGUID2
CoInitializeEx
CoUninitialize

kernel32

ReadFile
SetFilePointerEx
CreateFileW
GetCurrentProcessId
GetProcessId
WriteFile
ConnectNamedPipe
SetNamedPipeHandleState
lstrlenW
CompareStringW
LocalFree
CreateNamedPipeW
WaitForSingleObject
OpenProcess
lstrlenA
RemoveDirectoryW
GetFileAttributesW
ExpandEnvironmentStringsW
LeaveCriticalSection
EnterCriticalSection
FreeLibrary
GetProcAddress
VerifyVersionInfoW
VerSetConditionMask
GetComputerNameW
GetTempPathW
GetSystemDirectoryW
GetSystemWow64DirectoryW
GetVolumePathNameW
GetWindowsDirectoryW
GetSystemDefaultLangID
RtlUnwind
GetDateFormatW
GetSystemTime
InterlockedExchange
LoadLibraryW
InterlockedCompareExchange
GetExitCodeThread
CreateThread
SetEvent
WaitForMultipleObjects
CreateEventW
ProcessIdToSessionId
InterlockedIncrement
InterlockedDecrement
GetStringTypeW
GetModuleHandleW
FindClose
FindNextFileW
FindFirstFileW
CreateProcessW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetExitCodeProcess
DuplicateHandle
SetThreadExecutionState
CopyFileExW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
CreateMutexW
SetEndOfFile
ResetEvent
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
CreateFileA
CompareStringA
GetSystemTimeAsFileTime
VirtualFree
VirtualAlloc
DeleteFileW
GetThreadLocale
GetVersionExW
GetCurrentThreadId
TlsAlloc
TlsSetValue
ReleaseMutex
GetLastError
Sleep
TlsGetValue
CloseHandle
DeleteCriticalSection
GetTimeZoneInformation
GetACP
GetCPInfo
RaiseException
HeapAlloc
HeapFree
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
GlobalAlloc
GlobalFree
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
TlsFree
InitializeCriticalSection
GetCurrentProcess
HeapSetInformation
GetOEMCP
SetFileAttributesW
IsValidCodePage
HeapSize
HeapReAlloc
LCMapStringW
MultiByteToWideChar
SetStdHandle
WriteConsoleW
FlushFileBuffers
GetLocalTime
FormatMessageW
GetTempFileNameW
GetFullPathNameW
CreateDirectoryW
GetProcessHeap
GetModuleHandleA
GetFileSizeEx
GetUserDefaultLangID
GetTickCount
QueryPerformanceCounter
HeapCreate
SetLastError
EncodePointer
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
MoveFileExW
FreeEnvironmentStringsW
GetModuleFileNameW
GetStdHandle
DecodePointer
GetCommandLineW
GetStartupInfoW
SetUnhandledExceptionFilter
ExitProcess
CopyFileW

cabinet

ord23
ord22
ord20

crypt32

CryptHashPublicKeyInfo
CertGetCertificateContextProperty

msi

ord116
ord17
ord125
ord171
ord8
ord115
ord118
ord205
ord45
ord137
ord141
ord238
ord190
ord88
ord90
ord173
ord111
ord70
ord169

rpcrt4

UuidCreate

wininet

InternetCrackUrlW
HttpQueryInfoW
InternetCloseHandle
HttpAddRequestHeadersW
HttpOpenRequestW
InternetErrorDlg
InternetReadFile
HttpSendRequestW
InternetSetOptionW
InternetConnectW
InternetOpenW

wintrust

CryptCATAdminCalcHashFromFileHandle
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.wixburn
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vcredist_x86.exe
.exe windows:5 windows x86 arch:x86

dcbe94b8cc54b8e53867c61cc96811d6

Code Sign

33:00:00:00:34:24:31:40:c9:a0:c1:79:8d:00:00:00:00:00:34
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27/03/2013, 20:08

Not After

27/06/2014, 20:08

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/04/2014, 17:39

Not After

22/07/2015, 17:39

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

24/09/2013, 17:41

Not After

24/12/2014, 17:41

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:03:68:29:ee:df:2d:44:63:07:7c:ba:b5:ae:7a:2d:ed:74:ed:0d:fb:57:37:bb:20:0d:5f:d8:0f:50:21:5e
Signer

Actual PE Digest

77:03:68:29:ee:df:2d:44:63:07:7c:ba:b5:ae:7a:2d:ed:74:ed:0d:fb:57:37:bb:20:0d:5f:d8:0f:50:21:5e

Digest Algorithm

sha256

PE Digest Matches

true

35:15:07:62:5d:9d:9c:2b:d2:a3:a1:b0:f7:a8:70:19:17:d7:d6:cb
Signer

Actual PE Digest

35:15:07:62:5d:9d:9c:2b:d2:a3:a1:b0:f7:a8:70:19:17:d7:d6:cb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\delivery\Dev\wix37\build\ship\x86\burn.pdb

Imports

advapi32

AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegCloseKey
RegDeleteValueW
RegQueryValueExW
GetUserNameW
InitiateSystemShutdownExW
CreateWellKnownSid
InitializeAcl
SetEntriesInAclW
DecryptFileW
ChangeServiceConfigW
ControlService
CloseServiceHandle
QueryServiceStatus
OpenServiceW
OpenSCManagerW
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegSetValueExW
SetEntriesInAclA
SetSecurityDescriptorGroup
RegOpenKeyExW
GetTokenInformation
CheckTokenMembership
AllocateAndInitializeSid
FreeSid
LookupAccountNameW
SetNamedSecurityInfoW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
QueryServiceConfigW

user32

GetMessageW
PeekMessageW
PostMessageW
PostThreadMessageW
PostQuitMessage
SetWindowLongW
DefWindowProcW
UnregisterClassW
DispatchMessageW
TranslateMessage
GetMonitorInfoW
IsDialogMessageW
MessageBoxW
GetWindowLongW
RegisterClassW
IsWindow
MsgWaitForMultipleObjects
WaitForInputIdle
LoadCursorW
LoadBitmapW
GetCursorPos
MonitorFromPoint
CreateWindowExW

oleaut32

SysFreeString
SysAllocString
VariantInit
VariantClear

gdi32

DeleteObject
GetObjectW
CreateCompatibleDC
SelectObject
DeleteDC
StretchBlt

shell32

ShellExecuteExW
SHGetFolderPathW
CommandLineToArgvW

ole32

CoTaskMemFree
CoInitializeSecurity
CLSIDFromProgID
CoCreateInstance
CoInitialize
StringFromGUID2
CoInitializeEx
CoUninitialize

kernel32

ReadFile
SetFilePointerEx
CreateFileW
GetCurrentProcessId
GetProcessId
WriteFile
ConnectNamedPipe
SetNamedPipeHandleState
lstrlenW
CompareStringW
LocalFree
CreateNamedPipeW
WaitForSingleObject
OpenProcess
lstrlenA
RemoveDirectoryW
GetFileAttributesW
ExpandEnvironmentStringsW
LeaveCriticalSection
EnterCriticalSection
FreeLibrary
GetProcAddress
VerifyVersionInfoW
VerSetConditionMask
GetComputerNameW
GetTempPathW
GetSystemDirectoryW
GetSystemWow64DirectoryW
GetVolumePathNameW
GetWindowsDirectoryW
GetSystemDefaultLangID
RtlUnwind
GetDateFormatW
GetSystemTime
InterlockedExchange
LoadLibraryW
InterlockedCompareExchange
GetExitCodeThread
CreateThread
SetEvent
WaitForMultipleObjects
CreateEventW
ProcessIdToSessionId
InterlockedIncrement
InterlockedDecrement
GetStringTypeW
GetModuleHandleW
FindClose
FindNextFileW
FindFirstFileW
CreateProcessW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetExitCodeProcess
DuplicateHandle
SetThreadExecutionState
CopyFileExW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
CreateMutexW
SetEndOfFile
ResetEvent
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
CreateFileA
CompareStringA
GetSystemTimeAsFileTime
VirtualFree
VirtualAlloc
DeleteFileW
GetThreadLocale
GetVersionExW
GetCurrentThreadId
TlsAlloc
TlsSetValue
ReleaseMutex
GetLastError
Sleep
TlsGetValue
CloseHandle
DeleteCriticalSection
GetTimeZoneInformation
GetACP
GetCPInfo
RaiseException
HeapAlloc
HeapFree
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
GlobalAlloc
GlobalFree
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
TlsFree
InitializeCriticalSection
GetCurrentProcess
HeapSetInformation
GetOEMCP
SetFileAttributesW
IsValidCodePage
HeapSize
HeapReAlloc
LCMapStringW
MultiByteToWideChar
SetStdHandle
WriteConsoleW
FlushFileBuffers
GetLocalTime
FormatMessageW
GetTempFileNameW
GetFullPathNameW
CreateDirectoryW
GetProcessHeap
GetModuleHandleA
GetFileSizeEx
GetUserDefaultLangID
GetTickCount
QueryPerformanceCounter
HeapCreate
SetLastError
EncodePointer
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
MoveFileExW
FreeEnvironmentStringsW
GetModuleFileNameW
GetStdHandle
DecodePointer
GetCommandLineW
GetStartupInfoW
SetUnhandledExceptionFilter
ExitProcess
CopyFileW

cabinet

ord23
ord22
ord20

crypt32

CryptHashPublicKeyInfo
CertGetCertificateContextProperty

msi

ord116
ord17
ord125
ord171
ord8
ord115
ord118
ord205
ord45
ord137
ord141
ord238
ord190
ord88
ord90
ord173
ord111
ord70
ord169

rpcrt4

UuidCreate

wininet

InternetCrackUrlW
HttpQueryInfoW
InternetCloseHandle
HttpAddRequestHeadersW
HttpOpenRequestW
InternetErrorDlg
InternetReadFile
HttpSendRequestW
InternetSetOptionW
InternetConnectW
InternetOpenW

wintrust

CryptCATAdminCalcHashFromFileHandle
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.wixburn
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

eb5bc6ff6263b364dfbfb78bdb48ed59

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

comctl32

version

user32

oleaut32

netapi32

advapi32

Exports

Exports

Sections

.text Size: 660KB - Virtual size: 660KB

.itext Size: 6KB - Virtual size: 5KB

.data Size: 14KB - Virtual size: 13KB

.bss Size: - Virtual size: 25KB

.idata Size: 4KB - Virtual size: 3KB

.didata Size: 512B - Virtual size: 420B

.edata Size: 512B - Virtual size: 154B

.tls Size: - Virtual size: 24B

.rdata Size: 512B - Virtual size: 93B

.rsrc Size: 17KB - Virtual size: 17KB

dcbe94b8cc54b8e53867c61cc96811d6

Code Sign

33:00:00:00:34:24:31:40:c9:a0:c1:79:8d:00:00:00:00:00:34Certificate

Extended Key Usages

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:caCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1aCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

05:6e:f7:b9:cb:0e:18:01:30:7b:f2:29:41:95:40:27:dc:96:8b:12:27:00:26:61:7a:3b:f6:bc:6d:cd:fb:f6Signer

b7:2c:ca:7c:3d:dc:f5:31:93:ef:66:19:70:82:e5:d8:2d:35:0f:17Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

user32

oleaut32

gdi32

shell32

ole32

kernel32

cabinet

crypt32

msi

rpcrt4

wininet

wintrust

version

Sections

.text Size: 227KB - Virtual size: 226KB

.rdata Size: 103KB - Virtual size: 102KB

.data Size: 4KB - Virtual size: 12KB

.wixburn Size: 512B - Virtual size: 56B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 14KB - Virtual size: 13KB

.reloc Size: 17KB - Virtual size: 16KB

dcbe94b8cc54b8e53867c61cc96811d6

Code Sign

33:00:00:00:34:24:31:40:c9:a0:c1:79:8d:00:00:00:00:00:34Certificate

Extended Key Usages

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:caCertificate

Extended Key Usages

.text
Size: 660KB - Virtual size: 660KB

.itext
Size: 6KB - Virtual size: 5KB

.data
Size: 14KB - Virtual size: 13KB

.bss
Size: - Virtual size: 25KB

.idata
Size: 4KB - Virtual size: 3KB

.didata
Size: 512B - Virtual size: 420B

.edata
Size: 512B - Virtual size: 154B

.tls
Size: - Virtual size: 24B

.rdata
Size: 512B - Virtual size: 93B

.rsrc
Size: 17KB - Virtual size: 17KB

33:00:00:00:34:24:31:40:c9:a0:c1:79:8d:00:00:00:00:00:34
Certificate

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1a
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

05:6e:f7:b9:cb:0e:18:01:30:7b:f2:29:41:95:40:27:dc:96:8b:12:27:00:26:61:7a:3b:f6:bc:6d:cd:fb:f6
Signer

b7:2c:ca:7c:3d:dc:f5:31:93:ef:66:19:70:82:e5:d8:2d:35:0f:17
Signer

.text
Size: 227KB - Virtual size: 226KB

.rdata
Size: 103KB - Virtual size: 102KB

.data
Size: 4KB - Virtual size: 12KB

.wixburn
Size: 512B - Virtual size: 56B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 14KB - Virtual size: 13KB

.reloc
Size: 17KB - Virtual size: 16KB

33:00:00:00:34:24:31:40:c9:a0:c1:79:8d:00:00:00:00:00:34
Certificate

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1a
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

77:03:68:29:ee:df:2d:44:63:07:7c:ba:b5:ae:7a:2d:ed:74:ed:0d:fb:57:37:bb:20:0d:5f:d8:0f:50:21:5e
Signer

35:15:07:62:5d:9d:9c:2b:d2:a3:a1:b0:f7:a8:70:19:17:d7:d6:cb
Signer

.text
Size: 227KB - Virtual size: 226KB

.rdata
Size: 103KB - Virtual size: 102KB

.data
Size: 4KB - Virtual size: 12KB

.wixburn
Size: 512B - Virtual size: 56B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 14KB - Virtual size: 13KB

.reloc
Size: 17KB - Virtual size: 16KB