3cb801965f4b23058c68203969c1f100_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

3cb801965f4b23058c68203969c1f100_JaffaCakes118
Size

2.7MB
MD5

3cb801965f4b23058c68203969c1f100
SHA1

e4ff178dd0bb914721febcf66ca021a52d823100
SHA256

35a0217dbe327fcd171cc3a333c299b92c0b0029555b12f3b3df368e26583685
SHA512

1694671a9f1ce3704187f4eed7b684854dc5392605d7df4abc0868c81cd6e565c21f39432feadee9c35e48295dac134cbf6dfcdc9af2d6b84ceb3c819fd34f82
SSDEEP

49152:QSsiExiGpbpZrA6gO+GrQC18/D4tzYyJC9eGSSkwZwJzzwal5yUqhE3VgvSe:Q/3iG9qk/NJueGSoGJzVl5pVQx

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
static1/unpack001/$PLUGINSDIR/KillProc.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/$PLUGINSDIR/KillProc.dll	upx

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/KillProc.dll
unpack002/out.upx
unpack001/$PLUGINSDIR/ShellExecAsUser.dll
unpack001/$PLUGINSDIR/SimpleFC.dll
unpack001/$PLUGINSDIR/nsExec.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

3cb801965f4b23058c68203969c1f100_JaffaCakes118
.exe windows:4 windows x86 arch:x86

7fa974366048f9c551ef45714595665e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/07/2017, 00:00

Not After

12/07/2018, 23:59

Subject

CN=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),O=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),POSTALCODE=92300,STREET=3 Square André Malraux,L=Levallois Perret,ST=Ile de France,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

89:7d:9f:d4:40:c8:bf:0e:f4:5f:6c:0a:8e:dc:a7:50:36:f5:e1:d7
Signer

Actual PE Digest

89:7d:9f:d4:40:c8:bf:0e:f4:5f:6c:0a:8e:dc:a7:50:36:f5:e1:d7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
GetWindowsDirectoryA
SetFileTime
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetTempPathA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/KillProc.dll
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

FindProcesses
KillProcesses

Sections

UPX0
Size: - Virtual size: 48KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 21KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 101B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ShellExecAsUser.dll
.dll windows:4 windows x86 arch:x86

fb89301642ac2a39aefdd3cc2610ed81

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetCurrentProcess
CloseHandle
WaitForSingleObject
OutputDebugStringA
MultiByteToWideChar
lstrlenA
GetModuleHandleA
lstrcmpA
SetEvent
GlobalFree
lstrcpyA
GetProcAddress
CreateEventA
GetVersionExA

user32

CreateWindowExA
PostMessageA
GetMessageA
SetWindowLongA
RegisterClassExA
TranslateMessage
DispatchMessageA
DefWindowProcA
DestroyWindow
GetWindowLongA
PostQuitMessage
wsprintfA

advapi32

GetTokenInformation
OpenProcessToken

shell32

ShellExecuteA

ole32

CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

SysAllocString
VariantClear
SysAllocStringLen
SysFreeString

shlwapi

ord176

msvcrt

malloc
_initterm
free
_beginthreadex
??2@YAPAXI@Z
??3@YAXPAX@Z
memset
_adjust_fdiv

Exports

Exports

ShellExecAsUser

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 426B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/SimpleFC.dll
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

AddApplication
AddPort
AdvAddRule
AdvExistsRule
AdvRemoveRule
AllowDisallowExceptionsNotAllowed
AllowDisallowIcmpInboundEchoRequest
AllowDisallowIcmpInboundMaskRequest
AllowDisallowIcmpInboundRouterRequest
AllowDisallowIcmpInboundTimestampRequest
AllowDisallowIcmpOutboundDestinationUnreachable
AllowDisallowIcmpOutboundPacketTooBig
AllowDisallowIcmpOutboundParameterProblem
AllowDisallowIcmpOutboundSourceQuench
AllowDisallowIcmpOutboundTimeExceeded
AllowDisallowIcmpRedirect
AreExceptionsNotAllowed
AreNotificationsEnabled
EnableDisableApplication
EnableDisableFirewall
EnableDisableNotifications
EnableDisablePort
IsApplicationAdded
IsApplicationEnabled
IsFirewallEnabled
IsFirewallServiceRunning
IsIcmpTypeAllowed
IsPortAdded
IsPortEnabled
RemoveApplication
RemovePort
RestoreDefaults
StartStopFirewallService

Sections

CODE
Size: 148KB - Virtual size: 148KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/nsExec.dll
.dll windows:4 windows x86 arch:x86

d83f71e61ee459ee63ca3e829966a9dc

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetExitCodeProcess
WaitForSingleObject
Sleep
TerminateProcess
lstrcpyA
lstrcpynA
GlobalReAlloc
GlobalUnlock
GlobalSize
ReadFile
PeekNamedPipe
GetTickCount
CreateProcessA
GetStartupInfoA
CreatePipe
GetVersionExA
GetModuleHandleA
DeleteFileA
lstrcmpiA
lstrlenA
lstrcatA
CloseHandle
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
CreateFileA
CopyFileA
GetTempFileNameA
GlobalFree
GlobalAlloc
GetModuleFileNameA
ExitProcess
GetCommandLineA
GetProcAddress
GlobalLock
GetCurrentProcess

user32

SendMessageA
OemToCharBuffA
CharNextA
wsprintfA
CharPrevA
FindWindowExA

advapi32

InitializeSecurityDescriptor
SetSecurityDescriptorDacl

Exports

Exports

Exec
ExecToLog
ExecToStack

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 410B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CrashRpt1403.dll
.dll windows:6 windows x86 arch:x86

6df2e6330e23d3c25df3c5a70d4c4f7f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/07/2017, 00:00

Not After

12/07/2018, 23:59

Subject

CN=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),O=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),POSTALCODE=92300,STREET=3 Square André Malraux,L=Levallois Perret,ST=Ile de France,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

16:97:5a:b9:4b:45:4a:cb:c9:1f:a0:39:da:23:2a:39:fa:8f:59:78
Signer

Actual PE Digest

16:97:5a:b9:4b:45:4a:cb:c9:1f:a0:39:da:23:2a:39:fa:8f:59:78

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\dev\crashrpt\bin\CrashRpt1403.pdb

Imports

rpcrt4

UuidToStringA
RpcStringFreeA

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

shell32

SHFileOperationW
SHGetSpecialFolderPathW

gdi32

SetLayout

kernel32

SetEnvironmentVariableW
SetFilePointerEx
GetConsoleMode
GetTimeZoneInformation
SetStdHandle
WriteConsoleW
InterlockedIncrement
InterlockedDecrement
FreeLibrary
GetProcAddress
GetCurrentProcess
GetCurrentProcessId
TerminateProcess
GetExitCodeProcess
SetUnhandledExceptionFilter
CreateThread
GetCurrentThreadId
DebugBreak
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
WaitForSingleObject
CloseHandle
lstrlenA
lstrlenW
CreateEventW
LoadLibraryW
CreateProcessW
OutputDebugStringW
CreateFileW
GetFileAttributesW
MultiByteToWideChar
FlushFileBuffers
RaiseException
GetLastError
InitializeCriticalSectionAndSpinCount
GetSystemInfo
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
DecodePointer
GlobalAlloc
GlobalFree
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
FormatMessageW
GetModuleFileNameW
GetModuleHandleW
GetPrivateProfileStringW
WritePrivateProfileStringW
GetTempPathW
GetTempFileNameW
CreateDirectoryW
GetFileAttributesExW
GetConsoleCP
LoadLibraryExW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
HeapReAlloc
QueryPerformanceCounter
GetModuleFileNameA
HeapSize
GetProcessHeap
WideCharToMultiByte
SetEnvironmentVariableA
GetFileType
FreeEnvironmentStringsW
GetStringTypeW
GetCPInfo
IsDebuggerPresent
EncodePointer
IsProcessorFeaturePresent
SetConsoleCtrlHandler
RtlUnwind
HeapFree
GetSystemTimeAsFileTime
GetCommandLineA
HeapAlloc
UnhandledExceptionFilter
SetLastError
Sleep
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
ExitProcess
GetModuleHandleExW
GetStdHandle
WriteFile
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW

user32

GetWindow
SetWindowLongW
GetWindowLongW
MapWindowPoints
GetWindowRect
MoveWindow
GetClientRect
MessageBoxW
GetActiveWindow
CharNextW
GetDC
LoadStringW

advapi32

RegOpenKeyExW
RegCloseKey
RegQueryValueExW

ole32

CoCreateGuid

Exports

Exports

crAddFile2A
crAddFile2W
crAddPropertyA
crAddPropertyW
crAddRegKeyA
crAddRegKeyW
crAddScreenshot
crAddScreenshot2
crAddVideo
crEmulateCrash
crExceptionFilter
crGenerateErrorReport
crGetLastErrorMsgA
crGetLastErrorMsgW
crInstallA
crInstallToCurrentThread2
crInstallW
crSetCrashCallbackA
crSetCrashCallbackW
crUninstall
crUninstallFromCurrentThread

Sections

.text
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CrashSender1403.exe
.exe windows:5 windows x86 arch:x86

6fcebef71eba123a939189e7ec33868b

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/07/2017, 00:00

Not After

12/07/2018, 23:59

Subject

CN=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),O=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),POSTALCODE=92300,STREET=3 Square André Malraux,L=Levallois Perret,ST=Ile de France,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4a:ad:3f:8c:b5:4c:4f:e3:70:a0:aa:fd:0c:7d:d1:c9:b2:bb:8a:a8
Signer

Actual PE Digest

4a:ad:3f:8c:b5:4c:4f:e3:70:a0:aa:fd:0c:7d:d1:c9:b2:bb:8a:a8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\dev\crashrpt\bin\CrashSender.pdb

Imports

ws2_32

ntohs
inet_ntoa
inet_addr
htons
htonl
closesocket
connect
recv
WSAGetLastError
WSASetLastError
WSACleanup
WSAStartup
getservbyname
getservbyport
gethostbyname
gethostbyaddr
socket
send

dnsapi

DnsQuery_W
DnsFree

wininet

InternetWriteFile
HttpOpenRequestW
HttpSendRequestExW
InternetReadFile
InternetCloseHandle
InternetSetOptionW
InternetQueryOptionW
InternetConnectW
HttpQueryInfoW
HttpEndRequestW
InternetOpenW

rpcrt4

UuidToStringA
RpcStringFreeA

psapi

GetProcessMemoryInfo

gdi32

CreateDIBSection
GetDIBits
CreateDCW
SetViewportOrgEx
TextOutW
CreateHalftonePalette
GetDIBColorTable
SetDIBits
SetStretchBltMode
StretchBlt
SelectPalette
SelectClipRgn
SetLayout
CreateCompatibleBitmap
CreateCompatibleDC
CreateFontIndirectW
CreatePen
DeleteDC
DeleteObject
GetStockObject
SelectObject
SetBkMode
SetTextColor
GetObjectW
Polygon
CreateSolidBrush
SetBkColor
BitBlt
CreateFontW
CreatePalette
CreateRectRgn
RealizePalette

shell32

SHFileOperationW
ExtractIconW
SHGetFileInfoW
ShellExecuteW
CommandLineToArgvW
Shell_NotifyIconW
SHGetSpecialFolderPathW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

kernel32

ExitProcess
GetModuleHandleExW
PeekNamedPipe
AreFileApisANSI
GetTempPathA
GetCurrentThread
GetStringTypeW
FatalAppExitA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStdHandle
GetFileType
HeapSize
HeapReAlloc
GetDriveTypeW
FindFirstFileExW
EncodePointer
GetSystemTimeAsFileTime
RtlUnwind
VirtualFree
VirtualAlloc
SetCurrentDirectoryW
GetCurrentDirectoryW
GetDateFormatW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
InterlockedIncrement
InterlockedDecrement
CloseHandle
GetSystemInfo
MapViewOfFile
UnmapViewOfFile
lstrlenW
CreateFileMappingW
OpenFileMappingW
FreeLibrary
GetProcAddress
GlobalAlloc
GlobalFree
GetCurrentProcess
FileTimeToLocalFileTime
DebugBreak
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
EnumSystemLocalesW
lstrlenA
LoadLibraryW
GetModuleFileNameW
GetModuleHandleW
OutputDebugStringW
GetPrivateProfileStringW
WritePrivateProfileStringW
GetTempPathW
GetTempFileNameW
CreateDirectoryW
GetFileAttributesW
GetFileAttributesExW
MultiByteToWideChar
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
WideCharToMultiByte
GetProcessTimes
OpenProcess
SetLastError
ReadProcessMemory
GetFileSizeEx
FindClose
GetSystemTime
FileTimeToSystemTime
GetFullPathNameW
CreateFileW
FindFirstFileW
FindNextFileW
CopyFileW
DecodePointer
FlushInstructionCache
RaiseException
GetCurrentThreadId
LoadResource
SizeofResource
MulDiv
lstrcmpW
lstrcmpiW
LoadLibraryExW
GetCommandLineW
FindResourceW
CompareStringW
GetVersionExW
GetCurrentProcessId
TerminateProcess
GetExitCodeProcess
CreateThread
GetFileInformationByHandle
WriteFile
ReadFile
CreateMutexW
CreateProcessW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
InitializeCriticalSection
Sleep
GlobalLock
GlobalUnlock
GetTimeZoneInformation
LoadLibraryA
GetSystemDirectoryA
IsProcessorFeaturePresent
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
GetProcessHeap
HeapFree
HeapAlloc
IsDebuggerPresent
GetTimeFormatW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetLastError
GetUserDefaultLCID
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetTickCount
CreateSemaphoreW
GetConsoleMode
ReadConsoleW
GetConsoleCP
SetFilePointerEx
QueryPerformanceCounter
SetConsoleCtrlHandler
FlushFileBuffers
SetEnvironmentVariableW
SetStdHandle
SetEndOfFile
WriteConsoleW
SetEnvironmentVariableA
FormatMessageW
GetFullPathNameA
UnhandledExceptionFilter

user32

DestroyIcon
LoadImageW
SystemParametersInfoW
EndDialog
GetActiveWindow
LoadMenuW
DestroyMenu
EnableMenuItem
GetSubMenu
DeleteMenu
TrackPopupMenu
SetMenuItemInfoW
SetWindowTextW
CheckMenuRadioItem
MonitorFromPoint
MonitorFromWindow
GetMonitorInfoW
PostQuitMessage
FlashWindow
DialogBoxParamW
EnableWindow
GetMenu
DrawIcon
DrawTextExW
AdjustWindowRectEx
MessageBoxW
CopyRect
LoadIconW
GetIconInfo
IsDialogMessageW
PostMessageW
SetProcessDefaultLayout
CharUpperW
SetTimer
KillTimer
DrawTextExA
SetScrollInfo
GetScrollInfo
AnimateWindow
OpenClipboard
CloseClipboard
SetClipboardData
DrawFocusRect
GetSystemMetrics
IntersectRect
EnumWindows
LoadCursorW
EnumDisplayMonitors
GetCursorInfo
DrawTextW
IsWindowEnabled
ReleaseCapture
SetCapture
GetCapture
GetKeyState
GetFocus
SetFocus
GetDlgCtrlID
GetDlgItem
CreateDialogParamW
IsWindowVisible
SetWindowPos
ShowWindow
DestroyWindow
IsWindow
CreateWindowExW
UnregisterClassW
CallWindowProcW
DefWindowProcW
SendMessageW
PeekMessageW
GetSysColorBrush
GetSysColor
ScreenToClient
GetCursorPos
SetCursor
GetWindowTextLengthW
GetWindowTextW
RedrawWindow
DispatchMessageW
TranslateMessage
GetMessageW
GetGuiResources
LoadStringW
GetWindow
SetWindowLongW
GetWindowLongW
MapWindowPoints
GetWindowRect
GetClientRect
GetDC
CharNextW
MoveWindow
GetClassNameW
GetParent
GetDesktopWindow
PtInRect
OffsetRect
SetRectEmpty
GetWindowThreadProcessId
FillRect
InvalidateRect
EndPaint
BeginPaint
ReleaseDC
EmptyClipboard
UpdateWindow

advapi32

RegCloseKey
RegQueryValueExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegSetValueExW
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
RegEnumValueW
RegOpenKeyExW

ole32

CoInitialize
CoUninitialize
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateGuid

oleaut32

VarR8FromStr
VarDateFromStr
VarUI4FromStr
VarDecFromStr
SysFreeString
VarDecCmp
VarI4FromStr

comctl32

InitCommonControlsEx
ImageList_Create
ImageList_ReplaceIcon
ImageList_Remove
_TrackMouseEvent

Sections

.text
Size: 846KB - Virtual size: 846KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 218KB - Virtual size: 217KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 99KB - Virtual size: 99KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
crashrpt_lang.ini
dbghelp.dll
.dll windows:6 windows x86 arch:x86

3f5a00ef2a36f3cd8924690a5a1d6f3c

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:27:81:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/10/2008, 21:24

Not After

22/01/2010, 21:34

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:49:7c:ed:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:55

Not After

16/09/2011, 02:05

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:10D8-5847-CBF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bf:18:b5:d8:36:d5:03:90:4b:8d:d1:1f:b3:91:e5:ba:23:df:bc:92
Signer

Actual PE Digest

bf:18:b5:d8:36:d5:03:90:4b:8d:d1:1f:b3:91:e5:ba:23:df:bc:92

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dbghelp.pdb

Imports

msvcrt

_isatty
_write
_lseeki64
??3@YAXPAX@Z
_fileno
_read
__pioinfo
__badioinfo
ferror
wctomb
_snprintf
isleadbyte
mbtowc
_onexit
_lock
__dllonexit
_unlock
_ismbblead
_amsg_exit
_initterm
_XcptFilter
memmove
_iob
__mb_cur_max
strchr
_vsnwprintf
_errno
__CxxFrameHandler
iswspace
calloc
_itoa
_wcsdup
towlower
tolower
_wcslwr
time
_wctime
_ltoa
_wcsnicmp
_purecall
ctime
malloc
strncmp
isspace
_stricmp
_strlwr
free
wcsrchr
strstr
memcpy
_wcsicmp
qsort
wcschr
wcsstr
wcsncmp
iswxdigit
memset
??2@YAPAXI@Z
iswprint
atol
fclose
__unDName
iswdigit
_CxxThrowException
bsearch
_wfsopen
fread
fseek
wcstol
_wfullpath
_wgetenv
_get_osfhandle
_chsize
_close
_open_osfhandle
ftell
_memicmp
_mbscmp
??1type_info@@UAE@XZ
_wsopen

kernel32

HeapReAlloc
MapViewOfFileEx
GetCurrentDirectoryW
InitializeCriticalSectionAndSpinCount
GetFileType
DeviceIoControl
SetFileAttributesW
CreateFileMappingW
InterlockedIncrement
InterlockedDecrement
LocalFree
FormatMessageW
DelayLoadFailureHook
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetTickCount
QueryPerformanceCounter
RtlUnwind
InterlockedExchange
GetThreadSelectorEntry
CreateThread
TerminateThread
VirtualQueryEx
GetPriorityClass
GetThreadPriority
GetThreadTimes
GetThreadContext
ResumeThread
SuspendThread
GetCurrentThreadId
GetSystemTimeAsFileTime
Sleep
GetVersion
GetSystemInfo
LoadLibraryExA
InterlockedCompareExchange
ReadProcessMemory
GetProcessHeap
GetFileAttributesA
SetErrorMode
WriteFile
OutputDebugStringA
VirtualFree
OpenProcess
GetCurrentProcessId
GetModuleHandleA
CreateFileMappingA
MapViewOfFile
DuplicateHandle
VirtualAlloc
VirtualProtect
CreateDirectoryA
UnmapViewOfFile
GetCurrentProcess
SetFilePointer
IsDBCSLeadByte
HeapFree
HeapAlloc
GetVersionExA
InitializeCriticalSection
HeapCreate
HeapDestroy
FindClose
LocalAlloc
SetLastError
LeaveCriticalSection
EnterCriticalSection
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetLastError
TlsSetValue
TlsGetValue
FreeLibrary
LoadLibraryA
TlsAlloc
TlsFree
DeleteCriticalSection
FlushViewOfFile

Exports

Exports

DbgHelpCreateUserDump
DbgHelpCreateUserDumpW
EnumDirTree
EnumDirTreeW
EnumerateLoadedModules
EnumerateLoadedModules64
EnumerateLoadedModulesEx
EnumerateLoadedModulesExW
EnumerateLoadedModulesW64
ExtensionApiVersion
FindDebugInfoFile
FindDebugInfoFileEx
FindDebugInfoFileExW
FindExecutableImage
FindExecutableImageEx
FindExecutableImageExW
FindFileInPath
FindFileInSearchPath
GetTimestampForLoadedLibrary
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
ImagehlpApiVersion
ImagehlpApiVersionEx
MakeSureDirectoryPathExists
MapDebugInformation
MiniDumpReadDumpStream
MiniDumpWriteDump
SearchTreeForFile
SearchTreeForFileW
StackWalk
StackWalk64
SymAddSourceStream
SymAddSourceStreamA
SymAddSourceStreamW
SymAddSymbol
SymAddSymbolW
SymCleanup
SymDeleteSymbol
SymDeleteSymbolW
SymEnumLines
SymEnumLinesW
SymEnumProcesses
SymEnumSourceFileTokens
SymEnumSourceFiles
SymEnumSourceFilesW
SymEnumSourceLines
SymEnumSourceLinesW
SymEnumSym
SymEnumSymbols
SymEnumSymbolsForAddr
SymEnumSymbolsForAddrW
SymEnumSymbolsW
SymEnumTypes
SymEnumTypesByName
SymEnumTypesByNameW
SymEnumTypesW
SymEnumerateModules
SymEnumerateModules64
SymEnumerateModulesW64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindDebugInfoFile
SymFindDebugInfoFileW
SymFindExecutableImage
SymFindExecutableImageW
SymFindFileInPath
SymFindFileInPathW
SymFromAddr
SymFromAddrW
SymFromIndex
SymFromIndexW
SymFromName
SymFromNameW
SymFromToken
SymFromTokenW
SymFunctionTableAccess
SymFunctionTableAccess64
SymGetFileLineOffsets64
SymGetHomeDirectory
SymGetHomeDirectoryW
SymGetLineFromAddr
SymGetLineFromAddr64
SymGetLineFromAddrW64
SymGetLineFromName
SymGetLineFromName64
SymGetLineFromNameW64
SymGetLineNext
SymGetLineNext64
SymGetLineNextW64
SymGetLinePrev
SymGetLinePrev64
SymGetLinePrevW64
SymGetModuleBase
SymGetModuleBase64
SymGetModuleInfo
SymGetModuleInfo64
SymGetModuleInfoW
SymGetModuleInfoW64
SymGetOmapBlockBase
SymGetOmaps
SymGetOptions
SymGetScope
SymGetScopeW
SymGetSearchPath
SymGetSearchPathW
SymGetSourceFile
SymGetSourceFileFromToken
SymGetSourceFileFromTokenW
SymGetSourceFileToken
SymGetSourceFileTokenW
SymGetSourceFileW
SymGetSourceVarFromToken
SymGetSourceVarFromTokenW
SymGetSymFromAddr
SymGetSymFromAddr64
SymGetSymFromName
SymGetSymFromName64
SymGetSymNext
SymGetSymNext64
SymGetSymPrev
SymGetSymPrev64
SymGetSymbolFile
SymGetSymbolFileW
SymGetTypeFromName
SymGetTypeFromNameW
SymGetTypeInfo
SymGetTypeInfoEx
SymGetUnwindInfo
SymInitialize
SymInitializeW
SymLoadModule
SymLoadModule64
SymLoadModuleEx
SymLoadModuleExW
SymMatchFileName
SymMatchFileNameW
SymMatchString
SymMatchStringA
SymMatchStringW
SymNext
SymNextW
SymPrev
SymPrevW
SymRefreshModuleList
SymRegisterCallback
SymRegisterCallback64
SymRegisterCallbackW64
SymRegisterFunctionEntryCallback
SymRegisterFunctionEntryCallback64
SymSearch
SymSearchW
SymSetContext
SymSetHomeDirectory
SymSetHomeDirectoryW
SymSetOptions
SymSetParentWindow
SymSetScopeFromAddr
SymSetScopeFromIndex
SymSetSearchPath
SymSetSearchPathW
SymSrvDeltaName
SymSrvDeltaNameW
SymSrvGetFileIndexInfo
SymSrvGetFileIndexInfoW
SymSrvGetFileIndexString
SymSrvGetFileIndexStringW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
SymSrvGetSupplement
SymSrvGetSupplementW
SymSrvIsStore
SymSrvIsStoreW
SymSrvStoreFile
SymSrvStoreFileW
SymSrvStoreSupplement
SymSrvStoreSupplementW
SymUnDName
SymUnDName64
SymUnloadModule
SymUnloadModule64
UnDecorateSymbolName
UnDecorateSymbolNameW
UnmapDebugInformation
WinDbgExtensionDllInit
block
chksym
dbghelp
dh
fptr
homedir
itoldyouso
lmi
lminfo
omap
srcfiles
stack_force_ebp
stackdbg
sym
symsrv
vc7fpo

Sections

.text
Size: 979KB - Virtual size: 979KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
msgdll.dll
.dll windows:5 windows x86 arch:x86

6483f402544c93f274bbf948e81dbe14

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/07/2017, 00:00

Not After

12/07/2018, 23:59

Subject

CN=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),O=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),POSTALCODE=92300,STREET=3 Square André Malraux,L=Levallois Perret,ST=Ile de France,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5e:e5:26:d1:ae:34:fe:95:35:f0:e1:08:85:e6:c7:5e:03:d7:92:0f
Signer

Actual PE Digest

5e:e5:26:d1:ae:34:fe:95:35:f0:e1:08:85:e6:c7:5e:03:d7:92:0f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\nodria\spotimote\Release\msgdll.pdb

Imports

kernel32

InterlockedExchange
InterlockedCompareExchange
OutputDebugStringA
Sleep
GetLastError
InterlockedIncrement
CloseHandle
WriteConsoleW
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwind
RaiseException
InterlockedFlushSList
SetLastError
EncodePointer
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
GetACP
GetStdHandle
GetFileType
CompareStringW
LCMapStringW
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
GetProcessHeap
GetStringTypeW
SetStdHandle
GetTimeZoneInformation
HeapSize
HeapReAlloc
WriteFile
GetConsoleCP
GetConsoleMode
SetFilePointerEx
FlushFileBuffers
CreateFileW

user32

UnhookWindowsHookEx
SetWindowsHookExW
CallNextHookEx
PostMessageW

Exports

Exports

?InstallHooks@@YAXXZ
?RemoveHooks@@YAXXZ
?WaitMsg@@YAXPAUHWND__@@@Z
?resetSpotifyMsg@@YAXXZ
?spotifyReady@@YAXH@Z

Sections

.text
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.SHARED
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
timote.exe
.exe windows:6 windows x86 arch:x86

7f9639b606690f4b6f1f8e3e9abb7dad

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/07/2017, 00:00

Not After

12/07/2018, 23:59

Subject

CN=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),O=Jean-Baptiste LERNOUT (LERNOUT JEAN-BAPTISTE ANDRE GEORGES),POSTALCODE=92300,STREET=3 Square André Malraux,L=Levallois Perret,ST=Ile de France,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

43:dd:31:1e:9c:e6:84:c3:bb:b6:78:f4:20:9d:36:d7:cd:a5:34:fb
Signer

Actual PE Digest

43:dd:31:1e:9c:e6:84:c3:bb:b6:78:f4:20:9d:36:d7:cd:a5:34:fb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\nodria\spotimote\Release\timote.pdb

Imports

wldap32

ord46
ord211
ord45
ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord22
ord41
ord50
ord143

crashrpt1403

ord12
ord15
ord7
ord11

wtsapi32

WTSRegisterSessionNotification

kernel32

GetTimeZoneInformation
SetStdHandle
GetProcessHeap
FindFirstFileExA
HeapSize
CreateProcessA
GetExitCodeProcess
GlobalAlloc
GlobalUnlock
GlobalLock
GetLastError
ReleaseMutex
WaitForSingleObject
CreateMutexW
Sleep
CreateThread
CloseHandle
GetModuleHandleW
GetProcAddress
LoadLibraryW
GetCommandLineW
CreateEventW
LocalFree
SetEvent
FindClose
FindFirstFileW
FindNextFileW
QueryDosDeviceW
OpenProcess
GetVersionExW
K32GetProcessImageFileNameW
CreateProcessW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetSystemTimeAsFileTime
OutputDebugStringA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
CreateFileA
CreateFileW
DeleteFileA
DeleteFileW
FlushFileBuffers
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetFileAttributesA
GetFileAttributesW
GetFileAttributesExW
GetFileSize
GetFullPathNameW
GetFullPathNameA
LockFile
LockFileEx
ReadFile
SetEndOfFile
SetFilePointer
UnlockFile
UnlockFileEx
WriteFile
GetTempPathW
AreFileApisANSI
GetTempPathA
QueryPerformanceCounter
DeleteCriticalSection
FindNextFileA
GetSystemTime
GetTickCount
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
FreeLibrary
LoadLibraryA
FormatMessageA
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetCurrentDirectoryW
InterlockedCompareExchange
QueryPerformanceFrequency
SetLastError
GetTickCount64
InitializeCriticalSectionEx
SleepEx
WaitForSingleObjectEx
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
ExpandEnvironmentStringsA
VerSetConditionMask
GetSystemDirectoryA
GetModuleHandleA
WriteConsoleW
GetEnvironmentVariableW
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GlobalMemoryStatus
SwitchToFiber
DeleteFiber
CreateFiber
ConvertFiberToThread
ConvertThreadToFiber
GetConsoleMode
ReadConsoleA
ReadConsoleW
SetConsoleMode
SystemTimeToFileTime
SwitchToThread
ResetEvent
SetThreadPriority
GetExitCodeThread
CreateDirectoryW
GetSystemInfo
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetConsoleCP
GetACP
GetModuleFileNameA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
GetCurrentProcessId
VerifyVersionInfoA
RaiseException
VirtualProtect
VirtualQuery
LoadLibraryExA
EncodePointer
DecodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
RtlUnwind
InterlockedPushEntrySList
LoadLibraryExW
ExitThread
FreeLibraryAndExitThread
SetFilePointerEx
GetDriveTypeW
GetFileInformationByHandle
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ExitProcess
SetConsoleCtrlHandler
HeapAlloc
HeapFree
HeapReAlloc

shell32

ShellExecuteW
CommandLineToArgvW
SHGetFolderPathW
Shell_NotifyIconW

oleaut32

SysAllocString
VariantClear

crypt32

CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertGetCertificateContextProperty

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 564KB - Virtual size: 563KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 58KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 836KB - Virtual size: 835KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
timote.nsi
uninstall.exe.nsis

Sharing

General

Malware Config

Signatures

Files

7fa974366048f9c551ef45714595665e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:ebCertificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

89:7d:9f:d4:40:c8:bf:0e:f4:5f:6c:0a:8e:dc:a7:50:36:f5:e1:d7Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 23KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 151KB

.ndata Size: - Virtual size: 32KB

.rsrc Size: 5KB - Virtual size: 4KB

Headers

File Characteristics

Exports

Exports

Sections

UPX0 Size: - Virtual size: 48KB

UPX1 Size: 21KB - Virtual size: 24KB

.rsrc Size: 2KB - Virtual size: 4KB

Headers

File Characteristics

Sections

CODE Size: 33KB - Virtual size: 33KB

DATA Size: 1KB - Virtual size: 1KB

BSS Size: - Virtual size: 2KB

.idata Size: 2KB - Virtual size: 1KB

.edata Size: 512B - Virtual size: 101B

.reloc Size: 3KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 4KB

fb89301642ac2a39aefdd3cc2610ed81

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

msvcrt

Exports

Exports

Sections

.text Size: 3KB - Virtual size: 2KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 1024B - Virtual size: 732B

.reloc Size: 512B - Virtual size: 426B

Headers

File Characteristics

Exports

Exports

Sections

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

89:7d:9f:d4:40:c8:bf:0e:f4:5f:6c:0a:8e:dc:a7:50:36:f5:e1:d7
Signer

.text
Size: 23KB - Virtual size: 23KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 151KB

.ndata
Size: - Virtual size: 32KB

.rsrc
Size: 5KB - Virtual size: 4KB

UPX0
Size: - Virtual size: 48KB

UPX1
Size: 21KB - Virtual size: 24KB

.rsrc
Size: 2KB - Virtual size: 4KB

CODE
Size: 33KB - Virtual size: 33KB

DATA
Size: 1KB - Virtual size: 1KB

BSS
Size: - Virtual size: 2KB

.idata
Size: 2KB - Virtual size: 1KB

.edata
Size: 512B - Virtual size: 101B

.reloc
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 4KB

.text
Size: 3KB - Virtual size: 2KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 1024B - Virtual size: 732B

.reloc
Size: 512B - Virtual size: 426B

CODE
Size: 148KB - Virtual size: 148KB

DATA
Size: 3KB - Virtual size: 2KB

BSS
Size: - Virtual size: 2KB

.idata
Size: 4KB - Virtual size: 3KB

.edata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 7KB - Virtual size: 7KB

.text
Size: 3KB - Virtual size: 2KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 410B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

16:97:5a:b9:4b:45:4a:cb:c9:1f:a0:39:da:23:2a:39:fa:8f:59:78
Signer

.text
Size: 192KB - Virtual size: 191KB

.rdata
Size: 40KB - Virtual size: 40KB

.data
Size: 5KB - Virtual size: 13KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

57:e3:74:53:d9:ac:56:31:97:f6:cb:06:14:1c:92:eb
Certificate