SURVEY_PROGRAM_WINDOWS_ENGLISH[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SURVEY_PROGRAM_WINDOWS_ENGLISH.exe
Size

77.2MB
MD5

2f92f4ad09d41287b36650aaf1e5359e
SHA1

354c9860294aa57f9e0982e58102e8150e2e9948
SHA256

5e5814b0a13cb1f9e850c45202309c1079dc1f43ab8a25537383c4810dc37308
SHA512

ac834d15df8c888f1d046a342f4dae3e743c9798df61fc1d427851f35b0d3158dbf69ee6821ebd351068b16a5f1c58c2e6086b23af6f3d93e833c069e9ae3d8c
SSDEEP

1572864:A32ankMJlPIh8owXlFYF6liXZpqqyKz1JVSfRoI4CoI/0FumK0G:rWkMPMRwXXyHyyS6I4CWvK0G

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
SURVEY_PROGRAM_WINDOWS_ENGLISH.exe
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/nsDialogs.dll
unpack001/DELTARUNE.exe
unpack001/uninstall.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2
static1/unpack001/uninstall.exe	nsis_installer_1
static1/unpack001/uninstall.exe	nsis_installer_2

Files

SURVEY_PROGRAM_WINDOWS_ENGLISH.exe
.exe windows:4 windows x86 arch:x86

7fa974366048f9c551ef45714595665e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
GetWindowsDirectoryA
SetFileTime
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetTempPathA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 84KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 81KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/modern-header.bmp
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/nsDialogs.dll
.dll windows:4 windows x86 arch:x86

1e2884056e655f2b7bc5a904e352fc80

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrcpyA
GetFileAttributesA
lstrcmpiA
MulDiv
lstrlenA
HeapFree
GetCurrentDirectoryA
HeapAlloc
HeapReAlloc
GlobalFree
lstrcpynA
GlobalAlloc
GetProcessHeap
SetCurrentDirectoryA

user32

GetPropA
DestroyWindow
CallWindowProcA
SetCursor
LoadCursorA
RemovePropA
CharPrevA
GetWindowLongA
DrawTextA
GetWindowTextA
GetDlgItem
SetWindowLongA
SetWindowPos
CreateDialogParamA
MapWindowPoints
GetWindowRect
SetPropA
CreateWindowExA
IsWindow
SetTimer
KillTimer
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
ShowWindow
wsprintfA
MapDialogRect
GetClientRect
CharNextA
SendMessageA
DrawFocusRect

gdi32

SetTextColor

shell32

SHBrowseForFolderA
SHGetPathFromIDListA

comdlg32

GetSaveFileNameA
GetOpenFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

Create
CreateControl
CreateItem
CreateTimer
GetUserData
KillTimer
OnBack
OnChange
OnClick
OnNotify
SelectFileDialog
SelectFolderDialog
SetRTL
SetUserData
Show

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 572B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/vcredist_x86_2015.exe
.exe windows:5 windows x86 arch:x86

8e2588a9cf43886de3449dfff03137b6

Code Sign

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

20/03/2015, 17:32

Not After

20/06/2016, 17:32

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:11

Not After

01/01/2016, 18:11

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4
Signer

Actual PE Digest

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4

Digest Algorithm

sha256

PE Digest Matches

true

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6
Signer

Actual PE Digest

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

PDB Paths

E:\delivery\Dev\wix37\build\ship\x86\burn.pdb

Imports

gdiplus

GdiplusShutdown
GdiplusStartup
GdipDeleteGraphics
GdipFree
GdipCloneImage
GdipDisposeImage
GdipGetImageWidth
GdipGetImageHeight
GdipCreateBitmapFromResource
GdipCreateFromHDC
GdipSetInterpolationMode
GdipDrawImageRectI
GdipAlloc

advapi32

QueryServiceConfigW
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegEnumValueW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegCloseKey
RegDeleteValueW
RegQueryValueExW
GetUserNameW
InitiateSystemShutdownExW
CreateWellKnownSid
InitializeAcl
SetEntriesInAclW
DecryptFileW
ChangeServiceConfigW
ControlService
CloseServiceHandle
QueryServiceStatus
OpenServiceW
OpenSCManagerW
RegQueryInfoKeyW
RegSetValueExW
SetEntriesInAclA
SetSecurityDescriptorGroup
RegOpenKeyExW
GetTokenInformation
CheckTokenMembership
AllocateAndInitializeSid
FreeSid
LookupAccountNameW
SetNamedSecurityInfoW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner

user32

GetMessageW
PeekMessageW
PostMessageW
IsWindow
PostQuitMessage
GetWindowLongW
SetWindowLongW
DefWindowProcW
UnregisterClassW
DispatchMessageW
TranslateMessage
IsDialogMessageW
MsgWaitForMultipleObjects
WaitForInputIdle
LoadCursorW
BeginPaint
EndPaint
GetCursorPos
MonitorFromPoint
GetMonitorInfoW
ReleaseDC
MessageBoxW
PostThreadMessageW
RegisterClassW
CreateWindowExW

oleaut32

VariantClear
VariantInit
SysAllocString
SysFreeString

gdi32

GetDeviceCaps
CreateDCW

shell32

ShellExecuteExW
SHGetFolderPathW
CommandLineToArgvW

ole32

CoTaskMemFree
CoCreateInstance
CoInitialize
CoUninitialize
CoInitializeEx
StringFromGUID2
CoInitializeSecurity
CLSIDFromProgID

kernel32

GetCurrentProcess
InitializeCriticalSection
TlsFree
DeleteCriticalSection
CloseHandle
TlsGetValue
Sleep
GetLastError
ReleaseMutex
TlsSetValue
TlsAlloc
GetCurrentThreadId
GetVersionExW
GetModuleHandleW
ReadFile
SetFilePointerEx
CreateFileW
GetCurrentProcessId
GetProcessId
WriteFile
ConnectNamedPipe
SetNamedPipeHandleState
lstrlenW
CompareStringW
LocalFree
CreateNamedPipeW
WaitForSingleObject
OpenProcess
lstrlenA
RemoveDirectoryW
GetFileAttributesW
ExpandEnvironmentStringsW
LeaveCriticalSection
EnterCriticalSection
FreeLibrary
GetProcAddress
VerifyVersionInfoW
VerSetConditionMask
GetComputerNameW
GetTempPathW
GetSystemDirectoryW
GetSystemWow64DirectoryW
GetVolumePathNameW
HeapAlloc
GetSystemDefaultLangID
GetUserDefaultLangID
GetDateFormatW
GetSystemTime
InterlockedExchange
LoadLibraryW
InterlockedCompareExchange
GetExitCodeThread
CreateThread
SetEvent
WaitForMultipleObjects
CreateEventW
ProcessIdToSessionId
InterlockedIncrement
InterlockedDecrement
GetStringTypeW
SetFileAttributesW
FindClose
FindNextFileW
FindFirstFileW
CreateProcessW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetExitCodeProcess
SetThreadExecutionState
CopyFileExW
HeapSetInformation
MapViewOfFile
CreateFileMappingW
CreateMutexW
SetEndOfFile
ResetEvent
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
CreateFileA
GetSystemTimeAsFileTime
VirtualFree
VirtualAlloc
DeleteFileW
GetThreadLocale
GetTimeZoneInformation
TerminateProcess
UnhandledExceptionFilter
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
GlobalAlloc
IsProcessorFeaturePresent
GetTickCount
QueryPerformanceCounter
HeapCreate
SetLastError
EncodePointer
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
GlobalFree
MoveFileExW
CopyFileW
GetFileSizeEx
GetModuleHandleA
RaiseException
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RtlUnwind
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
HeapSize
HeapReAlloc
LCMapStringW
MultiByteToWideChar
SetStdHandle
WriteConsoleW
FlushFileBuffers
GetLocalTime
UnmapViewOfFile
IsDebuggerPresent
DuplicateHandle
HeapFree
FormatMessageW
GetTempFileNameW
GetWindowsDirectoryW
CompareStringA
FreeEnvironmentStringsW
GetModuleFileNameW
GetStdHandle
DecodePointer
ExitProcess
SetUnhandledExceptionFilter
GetStartupInfoW
GetCommandLineW
GetFullPathNameW
CreateDirectoryW
GetProcessHeap

cabinet

ord22
ord20
ord23

crypt32

CertGetCertificateContextProperty
CryptHashPublicKeyInfo

msi

ord88
ord17
ord125
ord116
ord115
ord118
ord8
ord171
ord205
ord45
ord137
ord141
ord238
ord190
ord169
ord90
ord173
ord111
ord70

rpcrt4

UuidCreate

wininet

InternetCloseHandle
HttpAddRequestHeadersW
HttpOpenRequestW
InternetErrorDlg
InternetReadFile
HttpSendRequestW
InternetSetOptionW
InternetOpenW
HttpQueryInfoW
InternetCrackUrlW
InternetConnectW

wintrust

WinVerifyTrust
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminCalcHashFromFileHandle

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

Sections

.text
Size: 229KB - Virtual size: 228KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 104KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.wixburn
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AUDIO_INTRONOISE.ogg
DELTARUNE.exe
.exe windows:6 windows x86 arch:x86

2c5dca54550e34b8f3cc00484192539b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\hudson\ZeusBase\ZeusGreen\GameMaker\Runner\VC_Runner\Win32\Release-Zeus\Runner.pdb

Imports

wininet

InternetReadFile
InternetCloseHandle
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetCanonicalizeUrlA
InternetWriteFile
InternetConnectA
InternetCrackUrlA
HttpEndRequestW
HttpQueryInfoA
InternetGetConnectedState

dxgi

CreateDXGIFactory1

d3d11

D3D11CreateDevice

dbghelp

MiniDumpWriteDump
SymInitialize
SymFromAddr

winmm

mciSendStringA
joyGetPosEx
joyGetPos
joyGetDevCapsA
mciGetErrorStringA

ws2_32

gethostname
socket
shutdown
setsockopt
send
recvfrom
recv
listen
inet_ntoa
inet_addr
WSAStartup
ioctlsocket
connect
closesocket
bind
accept
getpeername
select
__WSAFDIsSet
ntohs
ntohl
htons
htonl
WSACleanup
WSAGetLastError
WSAAddressToStringA
getaddrinfo
getsockopt
freeaddrinfo
sendto

gdiplus

GdiplusStartup
GdiplusShutdown

comctl32

InitCommonControlsEx

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

kernel32

FindNextFileA
FindFirstFileExA
GetFullPathNameA
SetCurrentDirectoryW
HeapReAlloc
GetTimeZoneInformation
MoveFileExW
SetFilePointerEx
SetStdHandle
ReadConsoleW
GetConsoleMode
GetConsoleCP
FlushFileBuffers
EnumSystemLocalesW
IsValidLocale
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
DecodePointer
EncodePointer
GetStringTypeW
GetACP
WriteFile
GetStdHandle
GetModuleFileNameA
PeekNamedPipe
GetFileType
GetDriveTypeW
GetTempPathW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
FindFirstFileExW
ReadFile
SetFileAttributesW
GetFileAttributesExW
GetModuleHandleExW
HeapWalk
HeapValidate
SetLastError
RtlUnwind
LoadLibraryExW
InterlockedFlushSList
InterlockedPushEntrySList
VirtualQuery
IsValidCodePage
GetOEMCP
GetProcessHeap
HeapFree
HeapAlloc
InitializeSListHead
GetProcAddress
LoadLibraryW
WideCharToMultiByte
CloseHandle
WaitForSingleObjectEx
CreateEventExW
MultiByteToWideChar
GetConsoleWindow
GetLastError
GetCurrentDirectoryW
GetCPInfo
GetFullPathNameW
CreateThread
GetExitCodeThread
GetModuleHandleW
LocalFree
FormatMessageW
SetCurrentDirectoryA
GetCurrentDirectoryA
FreeLibrary
GetEnvironmentVariableW
CreateDirectoryW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
RemoveDirectoryW
Sleep
GetExitCodeProcess
CreateProcessW
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObject
SetWaitableTimer
GetTickCount
CreateWaitableTimerW
GetCurrentProcess
GetCurrentThread
SetThreadPriority
SetPriorityClass
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalMemoryStatusEx
GetSystemInfo
GetVersionExW
GetLocaleInfoW
GetUserDefaultLCID
ExitProcess
lstrlenA
GetCommandLineW
ExpandEnvironmentStringsW
CreateFileW
SetUnhandledExceptionFilter
SetErrorMode
GetCurrentProcessId
GetCurrentThreadId
GetModuleFileNameW
MoveFileA
TlsAlloc
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RtlCaptureStackBackTrace
TlsSetValue
TlsFree
IsProcessorFeaturePresent
UnhandledExceptionFilter
TerminateProcess
IsDebuggerPresent
GetStartupInfoW
RaiseException
GetSystemTimeAsFileTime
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
SetConsoleCtrlHandler
OutputDebugStringA
OutputDebugStringW
WriteConsoleW
SetEndOfFile
DeleteFileW
HeapSize
TlsGetValue

user32

DrawTextW
GetDC
ReleaseDC
SetWindowTextW
ScreenToClient
MoveWindow
SetCursorPos
ClientToScreen
MapWindowPoints
GetActiveWindow
GetCursorPos
wsprintfW
GetMessageW
TranslateMessage
DispatchMessageW
GetAsyncKeyState
keybd_event
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
IsClipboardFormatAvailable
GetDlgItemTextW
SetWindowTextA
MessageBoxA
SetDlgItemTextA
PeekMessageW
IsDialogMessageW
SetProcessDPIAware
GetForegroundWindow
UpdateWindow
SetWindowLongW
ChangeDisplaySettingsW
EnumDisplaySettingsW
DialogBoxParamW
CreateDialogParamW
LoadImageW
LoadCursorW
CallNextHookEx
SetCursor
AdjustWindowRectEx
GetWindowRect
GetClientRect
SetForegroundWindow
GetSystemMetrics
ReleaseCapture
SetDlgItemTextW
GetDlgItem
GetFocus
SetCapture
GetKeyState
SetFocus
BringWindowToTop
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExW
RegisterClassExW
DefWindowProcW
PostMessageW
SendMessageW
MessageBoxW
GetRawInputDeviceList
GetRawInputDeviceInfoA
EndDialog

gdi32

GetDeviceCaps
DeleteObject
SelectObject
CreateFontA

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

RegOpenKeyExW
RegQueryValueExW
RegCloseKey

shell32

SHGetFolderPathW
ShellExecuteW

ole32

CoInitialize
CoCreateInstance
CoTaskMemFree
CoCreateFreeThreadedMarshaler

dwmapi

DwmGetCompositionTimingInfo

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 913KB - Virtual size: 912KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 553KB - Virtual size: 3.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

minATL
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.mydata
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 236KB - Virtual size: 235KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
audiogroup1.dat
data.win
lang/lang_en.json
lang/lang_ja.json
license.txt
mus/AUDIO_ANOTHERHIM.ogg
mus/AUDIO_DARKNESS.ogg
mus/AUDIO_DRONE.ogg
mus/AUDIO_STORY.ogg
mus/GALLERY.ogg
mus/THE_HOLY.ogg
mus/april_2012.ogg
mus/basement.ogg
mus/battle.ogg
mus/bird.ogg
mus/card_castle.ogg
mus/castletown_empty.ogg
mus/charjoined.ogg
mus/checkers.ogg
mus/creepychase.ogg
mus/creepydoor.ogg
mus/creepylandscape.ogg
mus/dogcheck.ogg
mus/dontforget.ogg
mus/elevator.ogg
mus/fanfare.ogg
mus/field_of_hopes.ogg
mus/forest.ogg
mus/friendship.ogg
mus/hip_shop.ogg
.ps1
mus/home.ogg
mus/joker.ogg
mus/kingboss.ogg
mus/lancer.ogg
mus/lancer_susie.ogg
mus/lancerfight.ogg
mus/legend.ogg
mus/man.ogg
mus/mus_birdnoise.ogg
mus/mus_introcar.ogg
mus/mus_school.ogg
mus/ocean.ogg
mus/prejoker.ogg
mus/quiet_autumn.ogg
mus/ruruskaado.ogg
mus/s_neo.ogg
mus/s_neo_clip.ogg
mus/shop1.ogg
mus/tense.ogg
mus/thrash_rating.ogg
mus/thrashmachine.ogg
mus/town.ogg
mus/vs_susie.ogg
mus/w.ogg
mus/wind.ogg
snd_closet_fall.ogg
snd_closet_impact.ogg
snd_great_shine.ogg
snd_paper_rumble.ogg
snd_paper_surf.ogg
snd_revival.ogg
snd_rurus_appear.ogg
snd_usefountain.ogg
uninstall.exe
.exe windows:4 windows x86 arch:x86

7fa974366048f9c551ef45714595665e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
GetWindowsDirectoryA
SetFileTime
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetTempPathA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 84KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 81KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7fa974366048f9c551ef45714595665e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 23KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 151KB

.ndata Size: - Virtual size: 84KB

.rsrc Size: 81KB - Virtual size: 81KB

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 784B

.data Size: 512B - Virtual size: 100B

.reloc Size: 1024B - Virtual size: 520B

1e2884056e655f2b7bc5a904e352fc80

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 4KB - Virtual size: 4KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1024B - Virtual size: 572B

8e2588a9cf43886de3449dfff03137b6

Code Sign

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71Certificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4Signer

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

gdiplus

advapi32

.text
Size: 23KB - Virtual size: 23KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 151KB

.ndata
Size: - Virtual size: 84KB

.rsrc
Size: 81KB - Virtual size: 81KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 100B

.reloc
Size: 1024B - Virtual size: 520B

.text
Size: 4KB - Virtual size: 4KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 572B

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4
Signer

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6
Signer

.text
Size: 229KB - Virtual size: 228KB

.rdata
Size: 104KB - Virtual size: 104KB

.data
Size: 4KB - Virtual size: 12KB

.wixburn
Size: 512B - Virtual size: 56B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 14KB - Virtual size: 14KB

.reloc
Size: 17KB - Virtual size: 17KB

.text
Size: 3.0MB - Virtual size: 3.0MB

.rdata
Size: 913KB - Virtual size: 912KB

.data
Size: 553KB - Virtual size: 3.4MB

minATL
Size: 512B - Virtual size: 12B

.mydata
Size: 512B - Virtual size: 8B

.gfids
Size: 512B - Virtual size: 372B

_RDATA
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 236KB - Virtual size: 235KB

.text
Size: 23KB - Virtual size: 23KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 151KB