28d73f78ea6371309ffd38fa5d160506_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

28d73f78ea6371309ffd38fa5d160506_JaffaCakes118
Size

475KB
MD5

28d73f78ea6371309ffd38fa5d160506
SHA1

8f4a015260fc09ce1421f04bad1a2f905b5d3c8d
SHA256

1cc4750e037202a080a1b596cb114a21975bca271965de2fb03f032c4da30ba1
SHA512

75a0a69c61ecd5f2c941f884fb0e5b1c8015f5866d0133556b31a8a814a20aa370472ea28547951ac3a8afa2b1a357cc433868db9e41251130714ddfc1e3f47f
SSDEEP

12288:UEuD5rWnMCvjLkGb+bIurB5LUUZ/nah3honQe6:UEQ5rKM2jLpb+curBuknOUQX

Score

3^/10

Malware Config

Signatures

Unsigned PE 19 IoCs

Checks for missing Authenticode signature.

resource
28d73f78ea6371309ffd38fa5d160506_JaffaCakes118
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/KmdUtil.exe
unpack001/$PLUGINSDIR/LangDLL.dll
unpack001/$PLUGINSDIR/SbieMsg.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/SandboxieBITS.exe
unpack001/SandboxieCrypto.exe
unpack001/SandboxieDcomLaunch.exe
unpack001/SandboxieEventSys.exe
unpack001/SandboxieRpcSs.exe
unpack001/SandboxieWUAU.exe
unpack001/SbieCtrl.exe
unpack001/SbieDll.dll
unpack001/SbieDllX.dll
unpack001/SbieDrv.sys
unpack001/SbieMsg.dll
unpack001/SbieSvc.exe
unpack001/Start.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
sample	nsis_installer_1

Files

28d73f78ea6371309ffd38fa5d160506_JaffaCakes118
.exe windows:4 windows x86 arch:x86

73b73e00f465fa1a2a3bf6377a40219b

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
CreateFileA
GetFileSize
GetModuleFileNameA
GetTickCount
GetCurrentProcess
CopyFileA
ExitProcess
lstrcpynA
CloseHandle
GetWindowsDirectoryA
GetTempPathA
GetUserDefaultLangID
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
SetEndOfFile
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
lstrcpyA
lstrlenA
lstrcatA
GetSystemDirectoryA
lstrcmpiA
GetEnvironmentVariableA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
LoadLibraryA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
MulDiv
GetPrivateProfileStringA
WriteFile
ReadFile
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetCommandLineA

user32

ScreenToClient
GetWindowRect
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
LoadCursorA
SetCursor
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
EndDialog
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
CharPrevA
DispatchMessageA
PeekMessageA
CreateDialogParamA
DestroyWindow
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfA
SendMessageTimeoutA
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
TrackPopupMenu
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
FindWindowExA

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetMalloc
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 109KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 40KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

57354bdeea3dfae6e948101add87501a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryA
GetCurrentDirectoryA
GetPrivateProfileIntA
GetModuleHandleA
lstrcmpiA
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
MultiByteToWideChar
GlobalAlloc

user32

GetDlgCtrlID
GetClientRect
SetWindowRgn
MapWindowPoints
LoadImageA
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
PtInRect
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
LoadIconA

gdi32

SetTextColor
GetObjectA
SelectObject
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
CreateCompatibleDC

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetDesktopFolder
SHGetMalloc
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 954B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallType.ini
$PLUGINSDIR/KmdUtil.exe
.exe windows:5 windows x86 arch:x86

90eaa9abe63a57f4658a685128db528c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\install\kmdutil\obj\i386\KmdUtil.pdb

Imports

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_cexit
_XcptFilter
_exit
_c_exit
wcscat
wcslen
memcpy
_wtoi
_wcsicmp
_wcsnicmp
memset
wcsrchr
exit
wcscpy
swprintf

advapi32

StartServiceW
RegSetValueExW
CreateServiceW
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
OpenServiceW
DeleteService
ControlService
OpenSCManagerW
AdjustTokenPrivileges
OpenProcessToken
LookupPrivilegeValueW
RegCreateKeyExW

kernel32

GetCommandLineW
GetLastError
GetModuleFileNameW
Sleep
FormatMessageW
LocalAlloc
SetLastError
CloseHandle
GetCurrentProcess
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
LoadLibraryW

user32

MessageBoxW

ntdll

NtClose
NtUnloadDriver
NtDeviceIoControlFile
RtlInitUnicodeString
NtOpenFile

shell32

CommandLineToArgvW

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 868B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$PLUGINSDIR/LangDLL.dll
.dll windows:4 windows x86 arch:x86

2db813254ea8b4d2a92d703ecb659f39

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalFree
lstrcpynA
lstrcmpA
lstrlenA
GetModuleHandleA
MulDiv
lstrcpyA
GlobalAlloc

user32

SetWindowTextA
SetDlgItemTextA
SendDlgItemMessageA
EndDialog
DialogBoxParamA
LoadIconA
SendMessageA
ShowWindow
GetDC

gdi32

CreateFontIndirectA
GetDeviceCaps
DeleteObject

Exports

Exports

LangDialog

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 681B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 352B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 254B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/SbieMsg.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\work\sbie\msgs\obj\i386\SbieMsg.pdb

Sections

.text
Size: 512B - Virtual size: 147B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 729KB - Virtual size: 728KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

4ec328f99bdd944fc98d8a5cf11f7a62

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetLastError
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 494B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/Warning.ini
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
LICENSE.TXT
SandboxieBITS.exe
.exe windows:5 windows x86 arch:x86

b53ed76dccfa9816ba1ab9f4e5111ed5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\com\bits\obj\i386\SandboxieBITS.pdb

Imports

msvcrt

__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
_except_handler3
_acmdln
exit
_cexit
_XcptFilter
_controlfp
_wcsicmp
swprintf
__getmainargs
_exit
_c_exit
wcslen
wcscpy
wcscat

advapi32

OpenProcessToken
AccessCheckByType
LogonUserW
DuplicateTokenEx
SetThreadToken
StartServiceCtrlDispatcherW

kernel32

QueryPerformanceCounter
GetCurrentProcess
GetTickCount
GetCurrentProcessId
ExitProcess
LoadLibraryW
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
HeapAlloc
GetProcessHeap
SetEvent
OpenEventW
Sleep
SetLastError
CreateThread
CloseHandle
GetProcAddress

user32

wsprintfW
MessageBoxW

ole32

CoImpersonateClient

wtsapi32

WTSQueryUserToken

sbiedll

_SbieApi_QueryProcess@20
_SbieApi_EnumProcessEx@16
_SbieDll_KillOne@4
_SbieApi_QueryConf@20
_SbieDll_Hook@12

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieCrypto.exe
.exe windows:5 windows x86 arch:x86

fd7cae790698373a15c25dbd50530580

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\com\crypto\obj\i386\SandboxieCrypto.pdb

Imports

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
_initterm
__getmainargs
_acmdln
exit
_cexit
_XcptFilter
__setusermatherr
_exit
_c_exit
wcslen
wcscpy
wcscat
swprintf
_wcsicmp

advapi32

StartServiceCtrlDispatcherW
AccessCheckByType
SetThreadToken
DuplicateToken
OpenProcessToken
GetTokenInformation

kernel32

GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetSystemTimeAsFileTime
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError
GetStartupInfoA
SetLastError
CreateThread
GetProcAddress
LoadLibraryW
ExitProcess
GetCurrentProcessId
DuplicateHandle
CloseHandle
Sleep
HeapAlloc
GetProcessHeap
SetEvent
OpenEventW

user32

MessageBoxW
wsprintfW

sbiedll

_SbieApi_QueryProcess@20
_SbieApi_EnumProcessEx@16
_SbieDll_KillOne@4
_SbieApi_QueryConf@20
_SbieDll_Hook@12

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieDcomLaunch.exe
.exe windows:5 windows x86 arch:x86

6c2681c755d4bfc99af02f3feb4b9863

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\com\dcomlaunch\obj\i386\SandboxieDcomLaunch.pdb

Imports

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
_initterm
__getmainargs
_acmdln
exit
_cexit
_XcptFilter
__setusermatherr
_wcsicmp
swprintf
wcscat
_exit
_c_exit
wcslen
wcscpy
wcscmp

advapi32

QueryServiceStatusEx
SetServiceStatus
OpenServiceW
CloseServiceHandle
QueryServiceStatus
StartServiceW
ControlService
AccessCheckByType
SetThreadToken
DuplicateToken
StartServiceCtrlDispatcherW
OpenProcessToken
GetTokenInformation
ConvertSidToStringSidW

kernel32

GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
CreateFileMappingW
GetSystemTimeAsFileTime
TlsGetValue
TlsSetValue
SuspendThread
GetCurrentThread
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter
GetStartupInfoA
OpenEventW
Sleep
SetLastError
CreateThread
GetProcAddress
LoadLibraryW
ExitProcess
TlsAlloc
CloseHandle
LocalFree
HeapFree
SetEvent
OpenProcess
HeapAlloc
GetProcessHeap
GetCurrentProcessId

user32

MessageBoxW
wsprintfW

ntdll

NtSetInformationProcess
RtlAdjustPrivilege

sbiedll

_SbieApi_QueryProcess@20
_SbieApi_EnumProcessEx@16
_SbieDll_IsBoxedService@4
_Scm_StartBoxedService@4
_SbieDll_KillOne@4
_SbieApi_QueryConf@20
_SbieDll_Hook@12

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 968B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieEventSys.exe
.exe windows:5 windows x86 arch:x86

c445d6fe3505029794aeaf4901b646a9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\com\eventsys\obj\i386\SandboxieEventSys.pdb

Imports

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
_initterm
__getmainargs
_acmdln
exit
_cexit
_XcptFilter
__setusermatherr
_exit
_c_exit
wcslen
wcscpy
wcscat
swprintf
_wcsicmp

advapi32

AccessCheckByType
LogonUserW
StartServiceCtrlDispatcherW
OpenProcessToken

kernel32

GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetCurrentProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
ExitProcess
LoadLibraryW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
HeapAlloc
GetProcessHeap
SetEvent
OpenEventW
Sleep
SetLastError
CreateThread
GetProcAddress

user32

MessageBoxW
wsprintfW

sbiedll

_SbieApi_QueryProcess@20
_SbieApi_EnumProcessEx@16
_SbieDll_KillOne@4
_SbieApi_QueryConf@20
_SbieDll_Hook@12

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieRpcSs.exe
.exe windows:5 windows x86 arch:x86

2b5a73d9f293965ee9da1dc8392054cf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\com\rpcss\obj\i386\SandboxieRpcSs.pdb

Imports

msvcrt

__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_adjust_fdiv
_XcptFilter
__p__commode
__p__fmode
_wcsicmp
swprintf
wcscat
__set_app_type
_except_handler3
_controlfp
_cexit
_exit
_c_exit
wcslen
wcscpy
wcscmp

advapi32

DuplicateToken
SetServiceStatus
OpenServiceW
CloseServiceHandle
QueryServiceStatus
StartServiceW
ControlService
RegOpenKeyExW
RegQueryValueExW
OpenThreadToken
AccessCheckByType
SetThreadToken
StartServiceCtrlDispatcherW
QueryServiceStatusEx
OpenProcessToken
GetTokenInformation
ConvertSidToStringSidW

kernel32

CreateFileMappingW
TlsAlloc
TlsGetValue
QueryPerformanceCounter
SuspendThread
GetCurrentThread
GetTickCount
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
HeapAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
OpenEventW
Sleep
SetLastError
CreateThread
GetProcAddress
LoadLibraryW
ExitProcess
TlsSetValue
CloseHandle
LocalFree
HeapFree
GetLastError
OpenProcess
SetEvent
GetProcessHeap
GetCurrentProcessId

user32

MessageBoxW
wsprintfW

ntdll

NtSetInformationProcess
RtlAdjustPrivilege

ws2_32

WSASocketW
WSASetLastError
listen
bind
WSAStartup

sbiedll

_SbieApi_QueryProcess@20
_SbieApi_EnumProcessEx@16
_SbieDll_IsBoxedService@4
_Scm_StartBoxedService@4
_SbieDll_KillOne@4
_SbieApi_QueryConf@20
_SbieDll_Hook@12

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 968B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieWUAU.exe
.exe windows:5 windows x86 arch:x86

ac3823fc63606cfb3b274ab5b7907fbb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\com\wuau\obj\i386\SandboxieWUAU.pdb

Imports

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
__getmainargs
_acmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
_initterm
wcschr
_wcsnicmp
wcslen
wcscpy
wcscat
swprintf
_wcsicmp
wcscmp

advapi32

ConvertSidToStringSidW
AccessCheckByType
StartServiceCtrlDispatcherW
OpenProcessToken
GetTokenInformation

kernel32

TerminateProcess
GetSystemTimeAsFileTime
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetCurrentProcess
GetVersionExW
GetCurrentProcessId
ExitProcess
LoadLibraryW
LocalFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
HeapAlloc
GetProcessHeap
SetEvent
OpenEventW
Sleep
SetLastError
CreateThread
CreateProcessW
CloseHandle
OpenProcess
HeapFree
GetLastError
GetProcAddress

user32

MessageBoxW
wsprintfW

sbiedll

_SbieApi_QueryProcess@20
_SbieApi_EnumProcessEx@16
_SbieDll_KillOne@4
_SbieApi_QueryConf@20
_SbieDll_Hook@12

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 968B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SbieCtrl.exe
.exe windows:5 windows x86 arch:x86

e83a7d19614782c12a158af557d689aa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\control\obj\i386\SbieCtrl.pdb

Imports

mfc42u

ord6278
ord3312
ord491
ord5426
ord6211
ord6193
ord5856
ord1165
ord772
ord5602
ord500
ord5977
ord1662
ord2644
ord5949
ord6563
ord5945
ord3356
ord3090
ord5947
ord3658
ord3621
ord2406
ord3566
ord1634
ord1633
ord5781
ord2858
ord2371
ord6051
ord1768
ord5286
ord3393
ord4418
ord3728
ord567
ord810
ord2966
ord5755
ord6188
ord5752
ord6182
ord4324
ord6185
ord6168
ord5869
ord5785
ord5790
ord5674
ord5732
ord5575
ord5567
ord6057
ord5860
ord3591
ord640
ord6190
ord6017
ord323
ord4266
ord4532
ord2115
ord3282
ord3291
ord6266
ord3909
ord1084
ord4688
ord3749
ord5142
ord3016
ord4847
ord6376
ord2078
ord326
ord4270
ord3737
ord818
ord2144
ord773
ord5603
ord6373
ord3614
ord4215
ord2576
ord3649
ord1637
ord1143
ord5677
ord6371
ord4480
ord2546
ord2504
ord5727
ord3917
ord1089
ord5193
ord2388
ord3341
ord5296
ord5298
ord4074
ord4692
ord5303
ord5285
ord5710
ord3396
ord4616
ord3733
ord561
ord815
ord2430
ord2613
ord5568
ord2910
ord4237
ord4718
ord2715
ord2382
ord3054
ord5094
ord5097
ord4461
ord4298
ord3345
ord5006
ord975
ord5468
ord3398
ord2874
ord2873
ord4146
ord4072
ord5278
ord2641
ord1658
ord4430
ord5248
ord4421
ord3618
ord674
ord3865
ord2455
ord6279
ord2447
ord2550
ord366
ord1105
ord4219
ord291
ord910
ord2574
ord4396
ord3635
ord693
ord2857
ord4238
ord697
ord395
ord4181
ord6896
ord3281
ord3905
ord6688
ord686
ord3991
ord2445
ord2088
ord384
ord2092
ord5625
ord3431
ord4118
ord2855
ord3397
ord3716
ord795
ord2567
ord4390
ord3569
ord609
ord1764
ord6362
ord2405
ord2016
ord4214
ord2573
ord4395
ord3634
ord692
ord6316
ord2769
ord3084
ord5639
ord2070
ord2091
ord2108
ord4282
ord4279
ord6867
ord6865
ord6238
ord1644
ord913
ord700
ord398
ord3434
ord2776
ord909
ord3638
ord696
ord3930
ord394
ord5586
ord3430
ord4180
ord1172
ord3568
ord5706
ord283
ord5871
ord4128
ord4292
ord2746
ord2836
ord2099
ord4199
ord5446
ord6390
ord5436
ord6379
ord613
ord3490
ord4078
ord1834
ord289
ord3688
ord2705
ord3995
ord6004
ord2579
ord4400
ord3389
ord3724
ord804
ord6777
ord4254
ord1900
ord1683
ord2520
ord5284
ord4433
ord2046
ord4425
ord771
ord497
ord2400
ord6868
ord2606
ord6655
ord4120
ord3470
ord3285
ord3298
ord5845
ord2876
ord6451
ord2877
ord6437
ord1258
ord2111
ord1761
ord4709
ord2629
ord1230
ord5784
ord472
ord755
ord470
ord2036
ord2440
ord1569
ord2634
ord3871
ord2756
ord926
ord860
ord6024
ord768
ord4253
ord2854
ord414
ord3979
ord713
ord3657
ord5817
ord5600
ord5855
ord924
ord5617
ord859
ord4124
ord927
ord6654
ord539
ord501
ord1083
ord536
ord4273
ord941
ord715
ord415
ord1081
ord1008
ord5597
ord2010
ord5616
ord1085
ord2757
ord6565
ord5605
ord3694
ord4829
ord5283
ord4371
ord4352
ord4942
ord4970
ord4899
ord5154
ord5156
ord5155
ord823
ord5618
ord542
ord3798
ord802
ord5679
ord4272
ord2755
ord4197
ord3087
ord6195
ord535
ord540
ord2810
ord922
ord940
ord925
ord825
ord2637
ord324
ord538
ord537
ord800
ord942
ord861
ord858
ord641
ord3592
ord4419
ord4621
ord4075
ord3074
ord3820
ord3826
ord3825
ord2971
ord3076
ord2980
ord3257
ord3131
ord4459
ord3254
ord3142
ord2977
ord5273
ord2116
ord2438
ord5257
ord1720
ord5059
ord3744
ord6372
ord2047
ord2640
ord4435
ord4831
ord3793
ord5276
ord4347
ord6370
ord5157
ord2377
ord5237
ord4401
ord1767
ord4073
ord6048
ord2506
ord4992
ord4370
ord5261
ord4229
ord2859
ord3133
ord1135
ord4294
ord5830

msvcrt

wcscat
malloc
wcscpy
_wcsicmp
wcscmp
__CxxFrameHandler
_wcsnicmp
wcschr
towlower
free
memcpy
memset
_wtoi64
wcslen
_controlfp
?terminate@@YAXXZ
_onexit
__dllonexit
wcstol
swprintf
wcsrchr
wcsncpy
memcmp
exit
_wtoi
time
wcsstr
memmove
atof
strchr
toupper
_purecall
__RTDynamicCast
_c_exit
_exit
_XcptFilter
_cexit
_wcmdln
__wgetmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
??1type_info@@UAE@XZ

advapi32

OpenEventLogW
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
LsaClose
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
CloseEventLog
ReadEventLogW
RegEnumValueW
RegOpenKeyW
RegDeleteValueW
RegSetValueExW

kernel32

InterlockedDecrement
GetModuleHandleW
FindFirstFileW
ExpandEnvironmentStringsW
GetSystemWindowsDirectoryW
GetDriveTypeW
GetModuleFileNameW
DeleteFileW
CopyFileW
UnmapViewOfFile
InterlockedIncrement
CreateFileMappingW
RemoveDirectoryW
CreateDirectoryW
WriteFile
GetTempPathW
GetProcAddress
GetProcessTimes
OpenProcess
LoadLibraryW
GetStartupInfoW
GlobalUnlock
GlobalFree
GlobalLock
GlobalAlloc
LockResource
LoadResource
SizeofResource
FindResourceW
LeaveCriticalSection
GetCurrentThreadId
EnterCriticalSection
InitializeCriticalSection
LocalAlloc
LocalFree
CloseHandle
GetFileTime
GetWindowsDirectoryW
GetLastError
CreateFileW
GetCurrentProcessId
CreateThread
HeapFree
GetProcessHeap
ProcessIdToSessionId
HeapAlloc
GetShortPathNameW
GetVersionExW
CreateMutexW
OpenMutexW
GetCommandLineW
WaitForSingleObject
GetFileAttributesW
FindClose
MapViewOfFile
FindNextFileW
FreeLibrary
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
Sleep
SetUnhandledExceptionFilter
UnhandledExceptionFilter

gdi32

GetCurrentObject
SetTextColor
GetClipBox
CreateFontIndirectW
GetObjectW
CreatePen
GetTextMetricsW
GetPixel
Rectangle
CreatePatternBrush
GetStockObject
Ellipse
BitBlt
Escape
ExtTextOutW
TextOutW
RectVisible
PtVisible
PatBlt
LPtoDP
DPtoLP
GetWindowExtEx
GetViewportExtEx
GetMapMode
CreateSolidBrush
CreatePolygonRgn
CreateCompatibleDC
CreateCompatibleBitmap
SetPixel
DeleteDC
SelectObject
GetTextExtentPoint32W
DeleteObject
GetTextColor

user32

GetWindowLongW
SendMessageW
UnhookWindowsHookEx
SetCursor
ReleaseCapture
GetParent
CallNextHookEx
PostMessageW
IsWindowVisible
PtInRect
EnumChildWindows
WindowFromPoint
CallWindowProcW
SetWindowsHookExW
SetCapture
SetWindowLongW
SetWindowPos
MoveWindow
GetDC
CreateWindowExW
SetFocus
ScreenToClient
GetDlgItem
SetWindowTextW
ShowWindow
GetDlgCtrlID
GetWindow
SendDlgItemMessageW
MessageBoxW
EnableWindow
DestroyWindow
DestroyCursor
SetClassLongW
GetCursorPos
GetAsyncKeyState
GetWindowThreadProcessId
IsIconic
GetForegroundWindow
LoadBitmapW
SetTimer
SetLayeredWindowAttributes
RegisterClassExW
LoadIconW
DefWindowProcW
CopyRect
EnableMenuItem
GetSubMenu
BeginPaint
EndPaint
UpdateWindow
InvalidateRect
TabbedTextOutW
DrawTextW
GrayStringW
GetMessagePos
SetForegroundWindow
DispatchMessageW
TranslateMessage
GetMessageW
OpenClipboard
CloseClipboard
SetClipboardData
EmptyClipboard
GetMenuItemCount
LoadMenuW
MsgWaitForMultipleObjects
PeekMessageW
SetMenuItemInfoW
GetMenuItemInfoW
RegisterWindowMessageW
SystemParametersInfoW
FindWindowW
CreatePopupMenu
DeleteMenu
AppendMenuW
SetMenuDefaultItem
GetMenuItemID
GetMenuStringW
InsertMenuW
ModifyMenuW
GetMenu
SetMenu
PostQuitMessage
wsprintfW
GetSystemMetrics
GetKeyState
FindWindowExW
DestroyIcon
EnumWindows
DrawStateW
GetSysColor
GetMenuItemRect
GetClassNameW
IsMenu
IsRectEmpty
GetDesktopWindow
IsWindow
GetSysColorBrush
GetIconInfo
LoadCursorW
GetWindowRect
GetClientRect
ClientToScreen
OffsetRect
GetWindowDC
SetRect
InvertRect
ReleaseDC
KillTimer
SetWindowRgn

ntdll

NtCreateFile
NtQueryDirectoryFile

psapi

GetModuleFileNameExW

shell32

SHBrowseForFolderW
SHGetPathFromIDListW
Shell_NotifyIconW
DragQueryFileW
ShellExecuteExW
SHFileOperationW
ord165
SHGetFolderPathW
ShellExecuteW
ExtractIconExW

comctl32

ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Draw
ImageList_GetIcon
ImageList_GetImageCount
ImageList_Remove
ImageList_GetImageInfo

comdlg32

ChooseColorW
GetOpenFileNameW

gdiplus

GdipDisposeImage
GdipCreateBitmapFromStream
GdipCreateHBITMAPFromBitmap
GdiplusStartup

wininet

InternetOpenW
InternetOpenUrlW
InternetReadFile
InternetCloseHandle

ole32

CreateStreamOnHGlobal
CoTaskMemFree
CoInitialize
CoCreateInstance

sbiedll

_SbieApi_MonitorControl@8
_SbieApi_GetWork@12
_SbieDll_GetStartError@0
_SbieDll_StartSbieSvc@4
_SbieApi_CallServer@4
_SbieApi_FreeReply@4
_SbieApi_GetVersion@4
_SbieDll_StartSbieDrv@4
_SbieDll_FormatMessage0@4
_SbieDll_FormatMessage1@8
_SbieApi_EnumBoxes@8
_SbieApi_ReloadConf@4
_SbieDll_KillAll@8
_SbieApi_QueryConf@20
_SbieApi_QueryBoxPath@28
_SbieDll_TranslateNtToDosPath@4
_SbieDll_GetAllUsersPath@0
_SbieDll_GetUserPath@0
_SbieDll_GetDrivePath@4
_SbieApi_EnumProcessEx@16
_SbieApi_QueryProcess@20
_SbieApi_MonitorGet@8
_SbieDll_GetLanguage@4
_SbieApi_SetLicense@8
_SbieApi_GetLicense@4
_SbieDll_FormatMessage@8
_SbieDll_FormatMessage2@12
_SbieDll_KillOne@4
_SbieDll_DeviceChange@8
_SbieApi_DisableForceProcess@8
_SbieDll_CanElevateOnVista@0
_SbieApi_CallZero@4
_SbieDll_RunFromHome@16

Sections

.text
Size: 227KB - Virtual size: 227KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 98KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SbieDll.dll
.dll windows:5 windows x86 arch:x86

22b52e6857e75e8d0ec041a42a48587a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\work\sbie\core\dll\obj\i386\SbieDll.pdb

Imports

ntdll

RtlCreateProcessParameters
NtDeviceIoControlFile
_vsnprintf
NtRegisterThreadTerminatePort
NtRequestWaitReplyPort
NtAdjustPrivilegesToken
NtSetSecurityObject
LdrGetProcedureAddress
NtDuplicateObject
NtOpenThread
NtOpenProcess
NtQuerySystemInformation
RtlUnwind
NtQueryVirtualMemory
NtAssignProcessToJobObject
RtlFreeAnsiString
LdrLoadDll
NtLoadDriver
LdrUnloadDll
NtDeleteKey
NtEnumerateKey
NtEnumerateValueKey
NtQueryMultipleValueKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtSaveKey
NtSetInformationKey
NtCreatePort
NtConnectPort
NtCreateEvent
NtOpenEvent
NtCreateMutant
NtOpenMutant
NtCreateSemaphore
NtOpenSemaphore
NtCreateSection
NtOpenSection
RtlInitString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
strchr
sprintf
_stricmp
RtlUnicodeStringToAnsiString
strncmp
_wtoi
NtQueryAttributesFile
NtQueryInformationFile
NtSetInformationFile
NtCreateNamedPipeFile
NtCreateMailslotFile
NtFsControlFile
RtlGetCurrentDirectory_U
RtlSetCurrentDirectory_U
RtlGetFullPathName_U
NtQueryVolumeInformationFile
NtDeleteFile
RtlRaiseStatus
NtReadFile
NtWriteFile
NtOpenProcessToken
NtQueryInformationToken
RtlConvertSidToUnicodeString
NtQueryObject
RtlQueryRegistryValues
RtlCompareUnicodeString
RtlCreateRegistryKey
NtCreateFile
NtQueryFullAttributesFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtOpenDirectoryObject
NtSetInformationProcess
NtOpenFile
wcsrchr
NtQueryDirectoryFile
wcscmp
wcsncpy
RtlCompareMemory
_wcslwr
RtlCreateAcl
RtlAddAccessAllowedAce
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
NtProtectVirtualMemory
wcsstr
NtDeleteValueKey
NtQueryKey
NtOpenKey
NtCreateKey
NtClose
NtSetValueKey
towlower
wcsncmp
_wcsicmp
wcscat
wcschr
swprintf
_itow
wcscpy
wcslen
memmove
RtlInitUnicodeString
NtQueryValueKey
NtQuerySecurityObject
_wcsnicmp

kernel32

CreateMutexW
CreateFileMappingW
ReleaseMutex
HeapDestroy
GlobalSize
GetTempPathW
CreateDirectoryW
GlobalFree
WriteFile
GlobalAlloc
GlobalLock
GlobalUnlock
OpenProcess
CreateFileA
FormatMessageW
SetLocaleInfoW
SetLocaleInfoA
QueueUserWorkItem
GetLongPathNameW
GetFullPathNameW
OpenFileMappingW
MapViewOfFile
CreateThread
GetSystemWindowsDirectoryW
WinExec
GetWindowsDirectoryW
CreateProcessA
GetCurrentDirectoryW
GetEnvironmentStringsW
GetTickCount
CreateEventW
OpenEventW
HeapFree
GetProcessHeap
HeapAlloc
VirtualFree
GetCommandLineW
Sleep
FindResourceW
FindResourceA
LoadResource
LockResource
GetCurrentThreadId
OpenThread
GetThreadTimes
WideCharToMultiByte
GetModuleFileNameW
GlobalAddAtomW
SetConsoleTitleA
SetConsoleTitleW
WaitNamedPipeW
MoveFileWithProgressW
GetCurrentThread
QueueUserAPC
CreateFileW
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
GetEnvironmentVariableW
SetEnvironmentVariableW
SetEvent
InterlockedCompareExchange
TlsGetValue
TlsSetValue
IsDebuggerPresent
TlsAlloc
InitializeCriticalSection
DisableThreadLibraryCalls
GetCurrentProcessId
GetCurrentProcess
EnterCriticalSection
VirtualAlloc
LeaveCriticalSection
VirtualProtect
ExitProcess
CreateProcessW
WaitForSingleObject
CloseHandle
LocalAlloc
LocalFree
SetLastError
ExpandEnvironmentStringsW
InterlockedDecrement
InterlockedIncrement
RaiseException
LoadLibraryW
FreeLibrary
OutputDebugStringW
GetModuleHandleW
GetProcAddress
GetLastError
HeapCreate

Exports

Exports

SbieApi_Log
SbieApi_LogEx
_SbieApi_CallServer@4
_SbieApi_CallZero@4
_SbieApi_CreateDirOrLink@8
_SbieApi_DisableForceProcess@8
_SbieApi_DuplicateObject@20
_SbieApi_EnumBoxes@8
_SbieApi_EnumProcessEx@16
_SbieApi_FreeReply@4
_SbieApi_GetInjectSaveArea@12
_SbieApi_GetLicense@4
_SbieApi_GetSetDeviceMap@4
_SbieApi_GetVersion@4
_SbieApi_GetWork@12
_SbieApi_HookTramp@8
_SbieApi_MonitorControl@8
_SbieApi_MonitorGet@8
_SbieApi_MonitorPut@8
_SbieApi_PortName@0
_SbieApi_QueryBoxPath@28
_SbieApi_QueryConf@20
_SbieApi_QueryPathList@12
_SbieApi_QueryProcess@20
_SbieApi_QueryProcessPath@28
_SbieApi_ReloadConf@4
_SbieApi_RenameFile@16
_SbieApi_SetLicense@8
_SbieApi_SetUserName@8
_SbieApi_StartProcess@16
_SbieDll_AssocQueryCommand@4
_SbieDll_AssocQueryProgram@4
_SbieDll_CanElevateOnVista@0
_SbieDll_ComCreateProxy@16
_SbieDll_ComCreateStub@16
_SbieDll_DeviceChange@8
_SbieDll_FormatMessage0@4
_SbieDll_FormatMessage1@8
_SbieDll_FormatMessage2@12
_SbieDll_FormatMessage@8
_SbieDll_GetAllUsersPath@0
_SbieDll_GetDrivePath@4
_SbieDll_GetHandlePath@12
_SbieDll_GetLanguage@4
_SbieDll_GetStartError@0
_SbieDll_GetUserPath@0
_SbieDll_Hook@12
_SbieDll_InitPStore@0
_SbieDll_InitProcess@0
_SbieDll_IsBoxedService@4
_SbieDll_IsDirectory@4
_SbieDll_IsOpenClsid@12
_SbieDll_IsWow64@0
_SbieDll_KillAll@8
_SbieDll_KillOne@4
_SbieDll_RunFromHome@16
_SbieDll_StartCOM@0
_SbieDll_StartSbieDrv@4
_SbieDll_StartSbieSvc@4
_SbieDll_TranslateNtToDosPath@4
_Scm_StartBoxedService@4

Sections

.text
Size: 203KB - Virtual size: 202KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SbieDllX.dll
.dll windows:5 windows x86 arch:x86

22b52e6857e75e8d0ec041a42a48587a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\work\sbie\core\dll\obj\i386\SbieDll.pdb

Imports

ntdll

RtlCreateProcessParameters
NtDeviceIoControlFile
_vsnprintf
NtRegisterThreadTerminatePort
NtRequestWaitReplyPort
NtAdjustPrivilegesToken
NtSetSecurityObject
LdrGetProcedureAddress
NtDuplicateObject
NtOpenThread
NtOpenProcess
NtQuerySystemInformation
RtlUnwind
NtQueryVirtualMemory
NtAssignProcessToJobObject
RtlFreeAnsiString
LdrLoadDll
NtLoadDriver
LdrUnloadDll
NtDeleteKey
NtEnumerateKey
NtEnumerateValueKey
NtQueryMultipleValueKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtSaveKey
NtSetInformationKey
NtCreatePort
NtConnectPort
NtCreateEvent
NtOpenEvent
NtCreateMutant
NtOpenMutant
NtCreateSemaphore
NtOpenSemaphore
NtCreateSection
NtOpenSection
RtlInitString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
strchr
sprintf
_stricmp
RtlUnicodeStringToAnsiString
strncmp
_wtoi
NtQueryAttributesFile
NtQueryInformationFile
NtSetInformationFile
NtCreateNamedPipeFile
NtCreateMailslotFile
NtFsControlFile
RtlGetCurrentDirectory_U
RtlSetCurrentDirectory_U
RtlGetFullPathName_U
NtQueryVolumeInformationFile
NtDeleteFile
RtlRaiseStatus
NtReadFile
NtWriteFile
NtOpenProcessToken
NtQueryInformationToken
RtlConvertSidToUnicodeString
NtQueryObject
RtlQueryRegistryValues
RtlCompareUnicodeString
RtlCreateRegistryKey
NtCreateFile
NtQueryFullAttributesFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtOpenDirectoryObject
NtSetInformationProcess
NtOpenFile
wcsrchr
NtQueryDirectoryFile
wcscmp
wcsncpy
RtlCompareMemory
_wcslwr
RtlCreateAcl
RtlAddAccessAllowedAce
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
NtProtectVirtualMemory
wcsstr
NtDeleteValueKey
NtQueryKey
NtOpenKey
NtCreateKey
NtClose
NtSetValueKey
towlower
wcsncmp
_wcsicmp
wcscat
wcschr
swprintf
_itow
wcscpy
wcslen
memmove
RtlInitUnicodeString
NtQueryValueKey
NtQuerySecurityObject
_wcsnicmp

kernel32

CreateMutexW
CreateFileMappingW
ReleaseMutex
HeapDestroy
GlobalSize
GetTempPathW
CreateDirectoryW
GlobalFree
WriteFile
GlobalAlloc
GlobalLock
GlobalUnlock
OpenProcess
CreateFileA
FormatMessageW
SetLocaleInfoW
SetLocaleInfoA
QueueUserWorkItem
GetLongPathNameW
GetFullPathNameW
OpenFileMappingW
MapViewOfFile
CreateThread
GetSystemWindowsDirectoryW
WinExec
GetWindowsDirectoryW
CreateProcessA
GetCurrentDirectoryW
GetEnvironmentStringsW
GetTickCount
CreateEventW
OpenEventW
HeapFree
GetProcessHeap
HeapAlloc
VirtualFree
GetCommandLineW
Sleep
FindResourceW
FindResourceA
LoadResource
LockResource
GetCurrentThreadId
OpenThread
GetThreadTimes
WideCharToMultiByte
GetModuleFileNameW
GlobalAddAtomW
SetConsoleTitleA
SetConsoleTitleW
WaitNamedPipeW
MoveFileWithProgressW
GetCurrentThread
QueueUserAPC
CreateFileW
InitializeCriticalSectionAndSpinCount
GetSystemTimeAsFileTime
GetEnvironmentVariableW
SetEnvironmentVariableW
SetEvent
InterlockedCompareExchange
TlsGetValue
TlsSetValue
IsDebuggerPresent
TlsAlloc
InitializeCriticalSection
DisableThreadLibraryCalls
GetCurrentProcessId
GetCurrentProcess
EnterCriticalSection
VirtualAlloc
LeaveCriticalSection
VirtualProtect
ExitProcess
CreateProcessW
WaitForSingleObject
CloseHandle
LocalAlloc
LocalFree
SetLastError
ExpandEnvironmentStringsW
InterlockedDecrement
InterlockedIncrement
RaiseException
LoadLibraryW
FreeLibrary
OutputDebugStringW
GetModuleHandleW
GetProcAddress
GetLastError
HeapCreate

Exports

Exports

SbieApi_Log
SbieApi_LogEx
_SbieApi_CallServer@4
_SbieApi_CallZero@4
_SbieApi_CreateDirOrLink@8
_SbieApi_DisableForceProcess@8
_SbieApi_DuplicateObject@20
_SbieApi_EnumBoxes@8
_SbieApi_EnumProcessEx@16
_SbieApi_FreeReply@4
_SbieApi_GetInjectSaveArea@12
_SbieApi_GetLicense@4
_SbieApi_GetSetDeviceMap@4
_SbieApi_GetVersion@4
_SbieApi_GetWork@12
_SbieApi_HookTramp@8
_SbieApi_MonitorControl@8
_SbieApi_MonitorGet@8
_SbieApi_MonitorPut@8
_SbieApi_PortName@0
_SbieApi_QueryBoxPath@28
_SbieApi_QueryConf@20
_SbieApi_QueryPathList@12
_SbieApi_QueryProcess@20
_SbieApi_QueryProcessPath@28
_SbieApi_ReloadConf@4
_SbieApi_RenameFile@16
_SbieApi_SetLicense@8
_SbieApi_SetUserName@8
_SbieApi_StartProcess@16
_SbieDll_AssocQueryCommand@4
_SbieDll_AssocQueryProgram@4
_SbieDll_CanElevateOnVista@0
_SbieDll_ComCreateProxy@16
_SbieDll_ComCreateStub@16
_SbieDll_DeviceChange@8
_SbieDll_FormatMessage0@4
_SbieDll_FormatMessage1@8
_SbieDll_FormatMessage2@12
_SbieDll_FormatMessage@8
_SbieDll_GetAllUsersPath@0
_SbieDll_GetDrivePath@4
_SbieDll_GetHandlePath@12
_SbieDll_GetLanguage@4
_SbieDll_GetStartError@0
_SbieDll_GetUserPath@0
_SbieDll_Hook@12
_SbieDll_InitPStore@0
_SbieDll_InitProcess@0
_SbieDll_IsBoxedService@4
_SbieDll_IsDirectory@4
_SbieDll_IsOpenClsid@12
_SbieDll_IsWow64@0
_SbieDll_KillAll@8
_SbieDll_KillOne@4
_SbieDll_RunFromHome@16
_SbieDll_StartCOM@0
_SbieDll_StartSbieDrv@4
_SbieDll_StartSbieSvc@4
_SbieDll_TranslateNtToDosPath@4
_Scm_StartBoxedService@4

Sections

.text
Size: 203KB - Virtual size: 202KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SbieDrv.sys
.sys windows:5 windows x86 arch:x86

357634b623b1abdb5090e3a229ec1ffe

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\core\drv\obj\i386\SbieDrv.pdb

Imports

ntoskrnl.exe

_except_handler3
ProbeForWrite
wcslen
ZwClose
ZwSetEvent
ZwOpenEvent
RtlInitUnicodeString
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
wcsncpy
ExRaiseStatus
IoCreateDevice
IoDeleteDevice
wcscpy
RtlFreeUnicodeString
memmove
RtlCompareUnicodeString
wcschr
wcscat
_wcsicmp
ExAcquireResourceSharedLite
KeDelayExecutionThread
RtlQueryRegistryValues
_itow
_wcsnicmp
ExFreePoolWithTag
ExAllocatePoolWithTag
RtlUnicodeStringToInteger
swprintf
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwQueryInformationFile
ZwCreateFile
PsGetVersion
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
ObfDereferenceObject
ObReferenceObjectByHandle
wcsrchr
ZwQueryValueKey
ZwOpenKey
ZwAdjustPrivilegesToken
ZwDuplicateToken
ZwOpenProcessToken
ZwOpenProcess
ExInitializeResourceLite
ExDeleteResourceLite
wcscmp
ZwSetInformationFile
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
MmGetSystemRoutineAddress
KeGetCurrentThread
PsLookupThreadByThreadId
ZwQuerySystemInformation
ExGetPreviousMode
ZwAllocateVirtualMemory
PsGetCurrentProcessId
KeInsertQueueDpc
KeSetTargetProcessorDpc
KeSetImportanceDpc
KeInitializeDpc
KeQueryActiveProcessors
PsGetCurrentThreadId
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
MmBuildMdlForNonPagedPool
KeServiceDescriptorTable
ZwYieldExecution
ZwAccessCheckAndAuditAlarm
RtlCompareMemory
wcstombs
IoCreateFile
ZwReadFile
wcsstr
_wcslwr
ZwCreateDirectoryObject
RtlCheckRegistryKey
ZwQueryInformationProcess
ZwCreateSymbolicLinkObject
ZwLoadKey
ZwUnloadKey
ZwSetValueKey
KeQuerySystemTime
ZwCreateKey
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
DbgPrint
ObOpenObjectByName
ObQueryNameString
RtlCaptureStackBackTrace
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
wcsncmp
RtlIntegerToUnicodeString
PsLookupProcessByProcessId
_stricmp
strncpy
ZwSetSecurityObject
ZwQueryInformationToken
SeQueryInformationToken
IoGetRequestorProcessId
ZwSetInformationProcess
IoGetCurrentProcess
NtDuplicateObject
SeSinglePrivilegeCheck
IoThreadToProcess
SeTokenIsAdmin
PsReferencePrimaryToken
_alldiv
RtlConvertSidToUnicodeString
ZwOpenThreadToken
ProbeForRead
KeBugCheckEx
ZwOpenThread
IofCompleteRequest

hal

KfLowerIrql
KeGetCurrentIrql
KfRaiseIrql

Sections

.text
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SbieMsg.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\work\sbie\msgs\obj\i386\SbieMsg.pdb

Sections

.text
Size: 512B - Virtual size: 147B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 729KB - Virtual size: 728KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SbieSvc.exe
.exe windows:5 windows x86 arch:x86

ec29d942355f87957e0a9c190c184ba7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\core\svc\obj\i386\SbieSvc.pdb

Imports

msvcrt

wcsstr
wcscat
wcscpy
_except_handler3
wcscmp
??3@YAXPAX@Z
_wcslwr
towlower
_wcsnicmp
wcschr
wcsrchr
_wtoi
_c_exit
??2@YAPAXI@Z
_wcsicmp
_exit
_XcptFilter
_cexit
exit
_acmdln
__getmainargs
_initterm
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
wcslen

advapi32

ReportEventW
SetThreadToken
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserW
EnumServicesStatusW
QueryServiceConfigW
QueryServiceConfig2W
QueryServiceStatusEx
CloseServiceHandle
StartServiceW
OpenThreadToken
CheckTokenMembership
FreeSid
ConvertStringSidToSidW
LookupAccountSidW
LookupPrivilegeValueW
AdjustTokenPrivileges
RevertToSelf
InitializeSecurityDescriptor
SetSecurityDescriptorOwner
SetEntriesInAclW
SetSecurityDescriptorDacl
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
SetServiceStatus
OpenSCManagerW
OpenServiceW
ControlService
OpenEventLogW

kernel32

WriteFile
CreateFileW
CopyFileW
SetFileAttributesW
SetEndOfFile
HeapReAlloc
GetSystemWindowsDirectoryW
CancelIo
GetProcAddress
LoadLibraryW
DeleteFileW
GetFileAttributesW
GetWindowsDirectoryW
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
UnmapViewOfFile
ReleaseMutex
CreateMutexW
OpenEventW
GetCurrentProcessId
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
TerminateProcess
VirtualAlloc
ExitProcess
RaiseException
VirtualFree
InitializeCriticalSectionAndSpinCount
TlsAlloc
LeaveCriticalSection
OutputDebugStringW
EnterCriticalSection
TlsSetValue
TlsGetValue
GetLastError
QueueUserWorkItem
Sleep
GetCommandLineW
CloseHandle
HeapAlloc
GetProcessHeap
GetCurrentProcess
HeapFree
SetLastError
MapViewOfFile
CreateFileMappingW
OpenFileMappingW
HeapDestroy
HeapCreate
WaitForMultipleObjects
TerminateThread
WaitForSingleObject
SetEvent
InterlockedExchange
CreateEventW
SetThreadPriority
GetCurrentThread
InterlockedIncrement
CreateThread
GetVersionExW
OpenProcess
LocalFree
GetTickCount
ProcessIdToSessionId
InitializeCriticalSection

user32

wsprintfW

ntdll

NtOpenThreadToken
NtOpenProcessToken
NtQueryInformationToken
NtFilterToken
NtDuplicateToken
NtSetInformationThread
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
NtClose
NtCompleteConnectPort
NtAcceptConnectPort
NtImpersonateClientOfPort
NtReplyWaitReceivePort
NtCreatePort
RtlInitUnicodeString
NtLoadDriver
NtReadFile
NtWriteFile
NtQueryInformationFile
NtQueryFullAttributesFile
NtSetInformationFile
NtQueryDirectoryFile
NtCreateFile

setupapi

SetupDiClassNameFromGuidExW
SetupDiBuildClassInfoList
CM_Get_Device_ID_ListW
CM_Get_Device_ID_List_SizeW
SetupDiDestroyDeviceInfoList
SetupDiOpenDeviceInfoW
SetupDiCreateDeviceInfoList
CM_Get_Device_Interface_ListA
CM_Get_Device_Interface_ListW
CM_Get_Device_Interface_List_SizeA
CM_Get_Device_Interface_List_SizeW
CM_Get_Device_Interface_Alias_ExW

crypt32

CryptUnprotectData
CryptProtectData

wintrust

CryptCATAdminCalcHashFromFileHandle

ole32

CoInitializeEx
CoUninitialize
CoCopyProxy
CoSetProxyBlanket
CoQueryProxyBlanket
CoMarshalInterface
CreateStreamOnHGlobal
CoUnmarshalInterface
CoGetClassObject
CoTaskMemFree
CoInitializeSecurity

sbiedll

SbieApi_Log
_SbieApi_PortName@0
_SbieApi_CallZero@4
_SbieApi_GetVersion@4
SbieApi_LogEx
_SbieApi_EnumProcessEx@16
_SbieApi_SetUserName@8
_SbieApi_QueryProcess@20
_SbieApi_GetWork@12
_SbieApi_QueryConf@20
_SbieDll_RunFromHome@16
_SbieApi_ReloadConf@4
_SbieApi_QueryProcessPath@28
_SbieDll_ComCreateStub@16
_SbieDll_IsOpenClsid@12

Sections

.text
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Start.exe
.exe windows:5 windows x86 arch:x86

16b0cc2b28a26841f220ac4b079d9262

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sbie\apps\start\obj\i386\Start.pdb

Imports

advapi32

SetThreadToken
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
CreateProcessAsUserW

kernel32

ExpandEnvironmentStringsW
HeapAlloc
GetProcessHeap
ExitProcess
GetCommandLineW
MapViewOfFile
GetCurrentProcessId
FindClose
FindNextFileW
FindFirstFileW
HeapFree
HeapReAlloc
HeapDestroy
HeapCreate
GetSystemWindowsDirectoryW
GetFullPathNameW
GetPrivateProfileStringW
GetExitCodeProcess
WaitForSingleObject
GetModuleFileNameW
GetSystemTimeAsFileTime
RemoveDirectoryW
CreateProcessW
GetModuleHandleW
OpenMutexW
CloseHandle
Sleep
GetStdHandle
WriteFile
SetLastError
GetLastError
LocalFree
FormatMessageW

gdi32

SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
PatBlt
SetBkColor
SetTextColor
GetObjectW
CreateFontIndirectW

user32

DefWindowProcW
MessageBoxW
wsprintfW
SetTimer
SendMessageW
SetWindowPos
EndDialog
SetFocus
ShowWindow
SendDlgItemMessageW
KillTimer
EnableWindow
GetSysColorBrush
GetSysColor
GetDlgItem
DialogBoxParamW
LoadImageW
CreateWindowExW
GetWindowInfo
GetWindowRect
SetDlgItemTextW
SetWindowTextW
GetWindowTextW
GetClientRect
GetDesktopWindow
DestroyIcon
DrawIconEx
GetDC
CreateMenu
GetMenuItemCount
InsertMenuItemW
SetMenuInfo
GetMenuInfo
DestroyWindow
CreatePopupMenu
RegisterClassW
TrackPopupMenu
DestroyMenu

ntdll

NtTerminateProcess
wcscpy
_chkstk
_wcsnicmp
RtlUnwind
NtQueryVirtualMemory
NtCreateFile
NtQueryInformationFile
NtSetInformationFile
RtlNtStatusToDosError
iswspace
wcscmp
wcscat
iswctype
_wcsicmp
wcsncmp
_wtoi
wcsrchr
memmove
wcslen
memcpy
wcsncpy
RtlInitUnicodeString
NtOpenDirectoryObject
NtQueryObject
NtClose
strcmp
memset
towlower
sprintf
strlen
NtTerminateThread

shlwapi

SHAutoComplete
AssocQueryStringW

shell32

ShellExecuteExW
ShellExecuteW
SHGetFolderPathW
ExtractIconExW

ole32

CoTaskMemFree
CoInitialize
CoCreateInstance

comdlg32

GetOpenFileNameW

comctl32

InitCommonControlsEx

sbiedll

_SbieDll_StartCOM@0
_SbieDll_FormatMessage1@8
SbieApi_Log
_SbieApi_GetSetDeviceMap@4
_SbieApi_StartProcess@16
_SbieDll_InitProcess@0
_SbieApi_QueryProcess@20
_SbieDll_RunFromHome@16
_SbieApi_CallServer@4
_SbieDll_StartSbieSvc@4
_SbieDll_StartSbieDrv@4
_SbieApi_QueryConf@20
_SbieApi_FreeReply@4
_SbieApi_EnumProcessEx@16
_SbieApi_SetLicense@8
_SbieDll_FormatMessage@8
_SbieDll_FormatMessage0@4
_SbieDll_GetLanguage@4
_SbieDll_CanElevateOnVista@0
_SbieApi_DisableForceProcess@8
_SbieDll_KillAll@8
_SbieApi_ReloadConf@4
_SbieDll_InitPStore@0
_SbieApi_EnumBoxes@8
_SbieDll_IsDirectory@4
_SbieDll_TranslateNtToDosPath@4
_SbieApi_QueryBoxPath@28

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

73b73e00f465fa1a2a3bf6377a40219b

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 22KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 109KB

.ndata Size: - Virtual size: 40KB

.rsrc Size: 14KB - Virtual size: 16KB

57354bdeea3dfae6e948101add87501a

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 1KB - Virtual size: 9KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1024B - Virtual size: 954B

90eaa9abe63a57f4658a685128db528c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

advapi32

kernel32

user32

ntdll

shell32

Sections

.text Size: 8KB - Virtual size: 7KB

.data Size: 512B - Virtual size: 868B

2db813254ea8b4d2a92d703ecb659f39

Headers

File Characteristics

Imports

kernel32

user32

gdi32

Exports

Exports

Sections

.text Size: 1KB - Virtual size: 1KB

.rdata Size: 1024B - Virtual size: 681B

.data Size: 512B - Virtual size: 3KB

.rsrc Size: 512B - Virtual size: 352B

.reloc Size: 512B - Virtual size: 254B

Headers

DLL Characteristics

File Characteristics

PDB Paths

Sections

.text Size: 512B - Virtual size: 147B

.rsrc Size: 729KB - Virtual size: 728KB

.reloc Size: 512B - Virtual size: 8B

4ec328f99bdd944fc98d8a5cf11f7a62

Headers

.text
Size: 22KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 109KB

.ndata
Size: - Virtual size: 40KB

.rsrc
Size: 14KB - Virtual size: 16KB

.text
Size: 6KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 1KB - Virtual size: 9KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 954B

.text
Size: 8KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 868B

.text
Size: 1KB - Virtual size: 1KB

.rdata
Size: 1024B - Virtual size: 681B

.data
Size: 512B - Virtual size: 3KB

.rsrc
Size: 512B - Virtual size: 352B

.reloc
Size: 512B - Virtual size: 254B

.text
Size: 512B - Virtual size: 147B

.rsrc
Size: 729KB - Virtual size: 728KB

.reloc
Size: 512B - Virtual size: 8B

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 92B

.reloc
Size: 512B - Virtual size: 494B

.text
Size: 6KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 944B

.rsrc
Size: 1024B - Virtual size: 960B

.text
Size: 7KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 960B

.rsrc
Size: 1024B - Virtual size: 976B

.text
Size: 9KB - Virtual size: 9KB

.data
Size: 512B - Virtual size: 968B

.rsrc
Size: 1024B - Virtual size: 984B