7706bde3316f14ff91e211a624b7f4ea_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

7706bde3316f14ff91e211a624b7f4ea_JaffaCakes118
Size

241KB
MD5

7706bde3316f14ff91e211a624b7f4ea
SHA1

7df712eb9da3d439dac48bf90ab90b18c336e3bc
SHA256

58c6571f99a22defc7233e0032491e55dff3fbdcc756a5f62bdae8c7f19a86ed
SHA512

db5241d84d8044909d22161504bf16a93064f680f9f44fdda4be9584535e2f5ee822091f8bc96fe030a48dc13b5924a14f90f62e4053f778271af49366bab515
SSDEEP

6144:mv9WWVkN5xxZjTWlt054gKjmFrPKQRU3KdeKs2fgUWjo05uVGdc5UDUeyD:VxxZHWlCVK8rPe3KdeKseoIVcUHD

Score

3^/10

Malware Config

Signatures

Unsigned PE 16 IoCs

Checks for missing Authenticode signature.

resource
7706bde3316f14ff91e211a624b7f4ea_JaffaCakes118
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/KmdUtil.exe
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/UserInfo.dll
unpack001/Control.exe
unpack001/RegDump.exe
unpack001/Sandbox.sys
unpack001/SandboxieDcomLaunch.exe
unpack001/SandboxieExplorer.exe
unpack001/SandboxieHelper.dll
unpack001/SandboxieHelper32.dll
unpack001/SandboxieRpcSs.exe
unpack001/SandboxieServer.exe
unpack001/SandboxieToolbar.dll
unpack001/Start.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
sample	nsis_installer_1

Files

7706bde3316f14ff91e211a624b7f4ea_JaffaCakes118
.exe windows:4 windows x86 arch:x86

73b73e00f465fa1a2a3bf6377a40219b

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
CreateFileA
GetFileSize
GetModuleFileNameA
GetTickCount
GetCurrentProcess
CopyFileA
ExitProcess
lstrcpynA
CloseHandle
GetWindowsDirectoryA
GetTempPathA
GetUserDefaultLangID
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
SetEndOfFile
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
lstrcpyA
lstrlenA
lstrcatA
GetSystemDirectoryA
lstrcmpiA
GetEnvironmentVariableA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
LoadLibraryA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
MulDiv
GetPrivateProfileStringA
WriteFile
ReadFile
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetCommandLineA

user32

ScreenToClient
GetWindowRect
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
LoadCursorA
SetCursor
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
EndDialog
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
CharPrevA
DispatchMessageA
PeekMessageA
CreateDialogParamA
DestroyWindow
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfA
SendMessageTimeoutA
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
TrackPopupMenu
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
FindWindowExA

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetMalloc
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 109KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

57354bdeea3dfae6e948101add87501a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryA
GetCurrentDirectoryA
GetPrivateProfileIntA
GetModuleHandleA
lstrcmpiA
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
MultiByteToWideChar
GlobalAlloc

user32

GetDlgCtrlID
GetClientRect
SetWindowRgn
MapWindowPoints
LoadImageA
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
PtInRect
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
LoadIconA

gdi32

SetTextColor
GetObjectA
SelectObject
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
CreateCompatibleDC

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetDesktopFolder
SHGetMalloc
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 954B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallType.ini
$PLUGINSDIR/KmdUtil.exe
.exe windows:5 windows x86 arch:x86

5a9d33a3c6cb6c8c267ed11df5b14402

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\kmdutil\obj\i386\KmdUtil.pdb

Imports

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
_acmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
wcslen
_wcsicmp
_wcsnicmp
wcscpy
__getmainargs
wcscat
swprintf

advapi32

RegCloseKey
RegDeleteKeyW
OpenServiceW
DeleteService
CreateServiceW
RegSetValueExW
RegCreateKeyExW
StartServiceW
ControlService
OpenSCManagerW
RegOpenKeyExW

kernel32

QueryPerformanceCounter
Sleep
GetTickCount
GetLastError
FormatMessageW
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
GetCommandLineW

user32

MessageBoxW

shell32

CommandLineToArgvW

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

4ec328f99bdd944fc98d8a5cf11f7a62

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetLastError
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 494B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/UserInfo.dll
.dll windows:4 windows x86 arch:x86

48cfa0ea7e353e4a7dd23572da8374ef

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetVersion
GetCurrentThread
GetCurrentProcess
GetLastError
GlobalFree
CloseHandle
lstrcpynA
GlobalAlloc

advapi32

OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
GetUserNameA
OpenThreadToken

Exports

Exports

GetAccountType
GetName

Sections

.text
Size: 1024B - Virtual size: 573B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 576B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 45B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/Warning.ini
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
Control.exe
.exe windows:5 windows x86 arch:x86

908a2ac6caedf2df3a83abc10037f0b6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\control\obj\i386\Control.pdb

Imports

msvcrt

exit
_wcsupr
iswdigit
_wtoi
swprintf
atof
strchr
wcsncpy
wcschr
_wcsnicmp
_c_exit
_exit
_XcptFilter
wcslen
wcscat
wcsrchr
??2@YAPAXI@Z
free
_cexit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
_purecall
??3@YAXPAX@Z
_wcsicmp
wcscpy
wcscmp
realloc
_except_handler3
memmove
_vsnprintf
sprintf

advapi32

InitializeSecurityDescriptor
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetFileSecurityW
CloseEventLog
OpenEventLogW
ReadEventLogW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
AllocateAndInitializeSid

kernel32

HeapCreate
CreateThread
GetFileTime
GetSystemTimeAsFileTime
OutputDebugStringW
DebugBreak
lstrlenA
ExitProcess
WriteFile
Sleep
GetCurrentProcessId
GetFileAttributesW
DeleteFileW
CopyFileW
CreateProcessW
GetWindowsDirectoryW
GetExitCodeProcess
LoadLibraryW
CreateFileW
GetLastError
GetProcAddress
GetTickCount
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
WaitNamedPipeW
ReadFile
VirtualAlloc
VirtualFree
LoadLibraryA
WaitForSingleObject
CreateDirectoryW
SetLastError
QueryPerformanceCounter
RaiseException
DeleteCriticalSection
InitializeCriticalSection
HeapDestroy
EnterCriticalSection
LeaveCriticalSection
GetFullPathNameW
GetCommandLineW
GetCurrentThreadId
GetVersionExW
lstrcpynA
lstrcpynW
lstrlenW
CreateMutexW
OpenMutexW
FlushInstructionCache
GetCurrentProcess
InterlockedDecrement
HeapFree
FormatMessageW
HeapAlloc
GetProcessHeap
FindClose
FindNextFileW
FindFirstFileW
InterlockedIncrement
CloseHandle

user32

TrackPopupMenu
SendDlgItemMessageW
CharNextW
wvsprintfW
IsDlgButtonChecked
GetDlgItemTextW
GetWindowTextW
EndDialog
GetDlgItem
SetDlgItemTextW
InvalidateRect
GetSystemMetrics
LoadAcceleratorsW
GetActiveWindow
DialogBoxParamW
CreateWindowExW
DeleteMenu
UpdateWindow
InsertMenuW
DispatchMessageW
TranslateMessage
GetMessageW
PeekMessageW
DefWindowProcW
DestroyWindow
SetWindowLongW
GetWindowLongW
CallWindowProcW
SetMenuItemInfoW
GetMenuItemInfoW
SetMenuDefaultItem
PostQuitMessage
SetFocus
LoadStringW
SendMessageW
LoadStringA
SetWindowPos
GetClientRect
GetWindowRect
TrackPopupMenuEx
IsWindow
MapWindowPoints
MessageBeep
DestroyMenu
AppendMenuW
GetMenuItemCount
CreatePopupMenu
PtInRect
RemoveMenu
GetMenuItemID
PostMessageW
RegisterWindowMessageW
SetForegroundWindow
GetCursorPos
GetSubMenu
LoadMenuW
SetWindowTextW
MoveWindow
ShowWindow
IsWindowVisible
RedrawWindow
SetTimer
KillTimer
MessageBoxW
RegisterClassExW
LoadImageW
wsprintfW
LoadCursorW
GetClassInfoExW
TranslateAcceleratorW
ModifyMenuW
CheckMenuItem

ntdll

ZwClose
NtQuerySymbolicLinkObject
NtQueryDirectoryFile
RtlInitUnicodeString
NtCreateFile
NtOpenSymbolicLinkObject
NtDeviceIoControlFile
NtOpenFile
NtClose

shell32

SHFileOperationW
SHBrowseForFolderW
SHBindToParent
SHGetPathFromIDListW
ord165
CommandLineToArgvW
DragAcceptFiles
DragQueryFileW
SHGetFolderPathW
ShellExecuteW
Shell_NotifyIconW

comctl32

InitCommonControlsEx

wininet

InternetOpenUrlW
InternetCloseHandle
InternetReadFile
InternetOpenW

ole32

CoTaskMemFree

Sections

.text
Size: 71KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 409KB - Virtual size: 409KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Control.exe.manifest
.xml
LICENSE.TXT
RegDump.exe
.exe windows:5 windows x86 arch:x86

555e3a25050f6869e92695305831e451

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\regdump\obj\i386\RegDump.pdb

Imports

msvcrt

__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_initterm
_except_handler3
_controlfp
__getmainargs
__initenv
exit
_cexit
_XcptFilter
_exit
_c_exit
free
malloc
swprintf
wprintf
__set_app_type
wcslen

kernel32

UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
CreateFileW
GetProcessHeap
HeapAlloc
HeapFree
GetTickCount
SetUnhandledExceptionFilter

ntdll

ZwReadFile
ZwClose

Sections

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Sandbox.sys
.sys windows:5 windows x86 arch:x86

860a38cecc1cc67dcd327bfd8e378fab

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\driver\obj\i386\Sandbox.pdb

Imports

ntoskrnl.exe

KeDelayExecutionThread
ZwYieldExecution
swprintf
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
ProbeForWrite
ProbeForRead
_except_handler3
MmMapLockedPagesSpecifyCache
MmProbeAndLockPages
MmBuildMdlForNonPagedPool
ZwUnmapViewOfSection
ZwClose
ZwMapViewOfSection
ZwCreateSection
ZwQueryInformationFile
ZwCreateFile
RtlInitUnicodeString
wcscpy
_wcsicmp
DbgPrint
KeServiceDescriptorTable
ZwAccessCheckAndAuditAlarm
RtlCompareMemory
wcstombs
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
wcsncat
wcscat
ZwOpenDirectoryObject
_wcsnicmp
ZwQueryDirectoryObject
memmove
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ZwQueryObject
ExGetPreviousMode
wcscmp
ZwSetValueKey
KeQuerySystemTime
ZwCreateKey
ZwReadFile
IoCreateFile
ZwQueryValueKey
ZwOpenKey
wcsncpy
RtlQueryRegistryValues
wcslen
RtlUnicodeStringToInteger
ZwTerminateProcess
PsIsThreadTerminating
KeGetCurrentThread
PsGetCurrentProcessId
ZwOpenProcess
_aulldiv
PsSetCreateProcessNotifyRoutine
RtlIntegerToUnicodeString
ZwCreateDirectoryObject
ZwCreateSymbolicLinkObject
wcsrchr
ZwQueryInformationProcess
RtlConvertSidToUnicodeString
ZwQueryInformationToken
ZwOpenProcessToken
ZwOpenThreadToken
PsGetCurrentThreadId
PsSetCreateThreadNotifyRoutine
_stricmp
ZwQuerySystemInformation
KeEnterCriticalRegion
ZwQueryKey
RtlPrefixUnicodeString
ZwEnumerateValueKey
ZwEnumerateKey
ZwSetInformationFile
ZwWriteFile
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
ZwQueryDirectoryFile
ZwSetInformationThread
wcsncmp
RtlCompareUnicodeString
ZwOpenEvent
ZwCreateEvent
ZwOpenSection
IofCompleteRequest
ZwDuplicateToken
IoCreateDevice
IoDeleteDevice
PsGetVersion
RtlSetDaclSecurityDescriptor
SePublicDefaultDacl
RtlCreateSecurityDescriptor
ZwAdjustPrivilegesToken
KeTickCount
ExFreePoolWithTag
KeBugCheckEx
wcschr
ExAllocatePoolWithTag

hal

KeRaiseIrqlToDpcLevel
KfLowerIrql
KeGetCurrentIrql

Sections

.text
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SandboxieDcomLaunch.exe
.exe windows:5 windows x86 arch:x86

8a35fc057a3bb83a78d99e61f50acb59

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\services\dcomlaunch\obj\i386\SandboxieDcomLaunch.pdb

Imports

msvcrt

__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
_except_handler3
_acmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
_controlfp
__getmainargs
wcscpy
_wcsicmp
wcscmp

advapi32

SetServiceStatus
RegisterServiceCtrlHandlerW
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW
OpenServiceW
CloseServiceHandle
QueryServiceStatus
StartServiceW
ControlService
QueryServiceStatusEx
OpenProcessToken
GetTokenInformation
ConvertSidToStringSidW
OpenSCManagerW

kernel32

TerminateProcess
ExitProcess
Sleep
GetProcAddress
CreateThread
SuspendThread
GetCurrentThread
CreateFileMappingW
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
LoadLibraryW
LocalFree
HeapFree
CloseHandle
SetLastError
OpenProcess
HeapAlloc
GetProcessHeap
GetCurrentProcess

user32

MessageBoxW
wsprintfW

sandboxiehelper

_Sandboxie_Helper_Hook@12

ntdll

NtOpenFile
RtlInitUnicodeString
NtDeviceIoControlFile

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieExplorer.exe
.exe windows:5 windows x86 arch:x86

52934f70372b999b86bbe1fb789c15cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\explorer\obj\i386\SandboxieExplorer.pdb

Imports

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
wcslen
wcschr
free
_wcsicmp
wcscpy
_wcsdup
_except_handler3
memcpy
realloc
memcmp
??3@YAXPAX@Z
wcscat
_purecall
memset
memmove
_wcsnicmp
??2@YAPAXI@Z

advapi32

RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

kernel32

GetStartupInfoA
SetUnhandledExceptionFilter
UnhandledExceptionFilter
VirtualAlloc
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GlobalFree
CreateFileW
CloseHandle
GlobalAlloc
GlobalLock
GlobalUnlock
GetCommandLineW
GetProcessHeap
VirtualFree
LoadLibraryA
TerminateProcess
GetVersionExW
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
RaiseException
lstrcpynA
lstrcpynW
MulDiv
lstrlenW
FlushInstructionCache
GetCurrentProcess
SetLastError
ExitProcess
DeleteCriticalSection
InitializeCriticalSection
HeapDestroy
InterlockedDecrement
OutputDebugStringW
GetProcAddress
LoadLibraryW
FindNextChangeNotification
WaitForMultipleObjects
CreateThread
FindFirstChangeNotificationW
HeapFree
GetFullPathNameW
HeapAlloc

gdi32

CreateBitmap
CreatePatternBrush
DeleteObject
PatBlt
SelectObject
DeleteDC

user32

ShowWindow
LoadMenuW
LoadAcceleratorsW
GetMessageW
TranslateMessage
DispatchMessageW
ClientToScreen
GetCursorPos
TrackPopupMenu
CreateWindowExW
LoadImageW
SetWindowLongW
SetMenuItemInfoW
GetMenuItemInfoW
SetMenuDefaultItem
SendMessageW
GetParent
GetClientRect
SetWindowTextW
DrawEdge
PostQuitMessage
PostMessageW
SetFocus
GetFocus
wsprintfW
MessageBoxW
TranslateAcceleratorW
DestroyWindow
RegisterClassExW
LoadCursorW
GetClassInfoExW
DefWindowProcW
SetRectEmpty
LoadStringW
GetWindowLongW
LoadStringA
SetWindowPos
InvalidateRect
MessageBeep
TrackPopupMenuEx
IsWindow
MapWindowPoints
PtInRect
PeekMessageW
BeginPaint
EndPaint
GetMessagePos
ScreenToClient
SetCursor
GetCapture
UpdateWindow
SetCapture
ReleaseCapture
GetWindowRect
CallWindowProcW
GetWindowDC
ReleaseDC
SystemParametersInfoW
GetSystemMetrics
CreatePopupMenu
DestroyMenu
AppendMenuW
GetMenuItemCount
RemoveMenu
FillRect
GetWindowTextW

sandboxiehelper

_Sandboxie_Helper_Hook@12

shell32

DragQueryFileW
CommandLineToArgvW
ord190
ord524
SHGetSpecialFolderLocation
SHGetDesktopFolder
SHGetFileInfoW

comctl32

InitCommonControlsEx

ole32

OleUninitialize
OleInitialize
CoTaskMemAlloc
OleSetClipboard
CoTaskMemFree

ntdll

NtDeviceIoControlFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtClose
RtlInitUnicodeString
NtOpenFile

Sections

.text
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 800B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieHelper.dll
.dll windows:5 windows x86 arch:x86

2f83e905c0ef6560a12ec2e87ec1ce43

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\work\sandbox\helper\obj\i386\SandboxieHelper.pdb

Imports

ntdll

ZwWriteFile
ZwReadFile
_chkstk
LdrLoadDll
LdrUnloadDll
NtOpenFile
NtClose
memmove
strchr
sprintf
strncmp
_stricmp
wcsncmp
RtlInitString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
NtCreatePort
NtConnectPort
NtSecureConnectPort
wcscat
RtlCreateProcessParameters
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
wcscpy
wcschr
wcsrchr
_wcsicmp
wcsstr
ZwSetValueKey
RtlInitUnicodeString
NtOpenKey
ZwClose
ZwCreateKey
wcscmp
RtlUnwind
NtQueryVirtualMemory
NtDeviceIoControlFile
_vsnprintf
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
_wcsnicmp
wcslen
swprintf

user32

SendMessageTimeoutA
SendMessageTimeoutW
DdeInitializeA
DdeInitializeW
GetAncestor
GetDesktopWindow
GetWindowLongW
SetWindowLongW
CallWindowProcW
PostMessageA
PostMessageW
SendNotifyMessageA
SendNotifyMessageW
SendMessageCallbackA
SendMessageCallbackW
SetWindowsHookExA
SetWindowsHookExW
SendInput
GetShellWindow
CreateDialogParamA
CreateDialogParamW
CreateDialogIndirectParamA
CreateDialogIndirectParamW
DialogBoxParamA
DialogBoxParamW
DialogBoxIndirectParamA
DialogBoxIndirectParamW
CreateWindowExA
CreateWindowExW
DefWindowProcA
DefWindowProcW
DefFrameProcA
DefFrameProcW
DefDlgProcA
SendMessageW
SetWindowTextA
SetWindowTextW
GetWindowTextA
GetWindowTextW
FindWindowA
FindWindowW
FindWindowExA
FindWindowExW
EmptyClipboard
SetClipboardData
RegisterClassExA
RegisterClassExW
RegisterClassA
RegisterClassW
UnregisterClassA
UnregisterClassW
GetClassInfoExA
GetClassInfoExW
GetClassInfoA
GetClassInfoW
GetClassNameA
GetPropA
GetPropW
SetPropA
SetPropW
EnumWindows
EnumChildWindows
EnumThreadWindows
EnumDesktopWindows
GetThreadDesktop
GetClassNameW
GetParent
GetWindowThreadProcessId
wsprintfW
MessageBoxW
SendMessageA
DefDlgProcW

kernel32

LeaveCriticalSection
WriteFile
HeapCreate
CreateMutexW
WaitForSingleObject
ReleaseMutex
HeapDestroy
TerminateProcess
ResumeThread
ReadFile
VirtualAllocEx
ReadProcessMemory
WriteProcessMemory
GetWindowsDirectoryW
CreateFileMappingW
UnmapViewOfFile
LocalAlloc
InterlockedExchange
InterlockedIncrement
LoadLibraryW
CreateFileA
GetModuleFileNameW
GetTickCount
GetModuleHandleW
GetProcAddress
FindResourceW
FindResourceA
LoadResource
LockResource
SetConsoleTitleA
SetConsoleTitleW
GetCurrentThreadId
IsDebuggerPresent
OpenFileMappingW
MapViewOfFile
GetCurrentProcessId
SuspendThread
GetCurrentThread
Sleep
TlsAlloc
CreateProcessW
WinExec
CreateProcessA
CreateFileW
TlsGetValue
TlsSetValue
ExpandEnvironmentStringsW
GetLongPathNameW
OpenProcess
HeapFree
DisableThreadLibraryCalls
SetLastError
ExitProcess
InitializeCriticalSection
GetCommandLineW
GetCurrentProcess
CloseHandle
GetProcessHeap
HeapAlloc
WideCharToMultiByte
EnterCriticalSection
VirtualAlloc
WaitNamedPipeW
VirtualProtect
GetLastError
FormatMessageW
OutputDebugStringW

advapi32

StartServiceCtrlDispatcherW
RegOpenKeyExA
RegSetKeySecurity
RegQueryValueExA
OpenSCManagerA
OpenSCManagerW
OpenServiceA
OpenServiceW
CloseServiceHandle
QueryServiceConfigA
QueryServiceLockStatusA
QueryServiceLockStatusW
ControlService
StartServiceA
StartServiceW
EnumServicesStatusA
EnumServicesStatusW
EnumServicesStatusExA
EnumServicesStatusExW
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA
RegisterServiceCtrlHandlerW
RegisterServiceCtrlHandlerExA
RegisterServiceCtrlHandlerExW
SetServiceStatus
RegisterEventSourceA
RegisterEventSourceW
ReportEventA
ReportEventW
DeregisterEventSource
QueryServiceStatus
QueryServiceConfigW
QueryServiceStatusEx
CreateProcessAsUserA
CreateProcessAsUserW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegOpenCurrentUser

psapi

GetModuleBaseNameW
EnumProcessModules

Exports

Exports

_SandboxieHelper_PStoreInit@0
_Sandboxie_Helper_CreateProcessW@44
_Sandboxie_Helper_Hook@12
_Sandboxie_Helper_Init_OpenKey@0
_Sandboxie_Helper_Init_SCM@0
_Sandboxie_Helper_IsDirectory@4
_Sandboxie_Helper_Start_Servers@0

Sections

.text
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SandboxieHelper32.dll
.dll windows:5 windows x86 arch:x86

2f83e905c0ef6560a12ec2e87ec1ce43

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\work\sandbox\helper\obj\i386\SandboxieHelper.pdb

Imports

ntdll

ZwWriteFile
ZwReadFile
_chkstk
LdrLoadDll
LdrUnloadDll
NtOpenFile
NtClose
memmove
strchr
sprintf
strncmp
_stricmp
wcsncmp
RtlInitString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
NtCreatePort
NtConnectPort
NtSecureConnectPort
wcscat
RtlCreateProcessParameters
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
wcscpy
wcschr
wcsrchr
_wcsicmp
wcsstr
ZwSetValueKey
RtlInitUnicodeString
NtOpenKey
ZwClose
ZwCreateKey
wcscmp
RtlUnwind
NtQueryVirtualMemory
NtDeviceIoControlFile
_vsnprintf
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
_wcsnicmp
wcslen
swprintf

user32

SendMessageTimeoutA
SendMessageTimeoutW
DdeInitializeA
DdeInitializeW
GetAncestor
GetDesktopWindow
GetWindowLongW
SetWindowLongW
CallWindowProcW
PostMessageA
PostMessageW
SendNotifyMessageA
SendNotifyMessageW
SendMessageCallbackA
SendMessageCallbackW
SetWindowsHookExA
SetWindowsHookExW
SendInput
GetShellWindow
CreateDialogParamA
CreateDialogParamW
CreateDialogIndirectParamA
CreateDialogIndirectParamW
DialogBoxParamA
DialogBoxParamW
DialogBoxIndirectParamA
DialogBoxIndirectParamW
CreateWindowExA
CreateWindowExW
DefWindowProcA
DefWindowProcW
DefFrameProcA
DefFrameProcW
DefDlgProcA
SendMessageW
SetWindowTextA
SetWindowTextW
GetWindowTextA
GetWindowTextW
FindWindowA
FindWindowW
FindWindowExA
FindWindowExW
EmptyClipboard
SetClipboardData
RegisterClassExA
RegisterClassExW
RegisterClassA
RegisterClassW
UnregisterClassA
UnregisterClassW
GetClassInfoExA
GetClassInfoExW
GetClassInfoA
GetClassInfoW
GetClassNameA
GetPropA
GetPropW
SetPropA
SetPropW
EnumWindows
EnumChildWindows
EnumThreadWindows
EnumDesktopWindows
GetThreadDesktop
GetClassNameW
GetParent
GetWindowThreadProcessId
wsprintfW
MessageBoxW
SendMessageA
DefDlgProcW

kernel32

LeaveCriticalSection
WriteFile
HeapCreate
CreateMutexW
WaitForSingleObject
ReleaseMutex
HeapDestroy
TerminateProcess
ResumeThread
ReadFile
VirtualAllocEx
ReadProcessMemory
WriteProcessMemory
GetWindowsDirectoryW
CreateFileMappingW
UnmapViewOfFile
LocalAlloc
InterlockedExchange
InterlockedIncrement
LoadLibraryW
CreateFileA
GetModuleFileNameW
GetTickCount
GetModuleHandleW
GetProcAddress
FindResourceW
FindResourceA
LoadResource
LockResource
SetConsoleTitleA
SetConsoleTitleW
GetCurrentThreadId
IsDebuggerPresent
OpenFileMappingW
MapViewOfFile
GetCurrentProcessId
SuspendThread
GetCurrentThread
Sleep
TlsAlloc
CreateProcessW
WinExec
CreateProcessA
CreateFileW
TlsGetValue
TlsSetValue
ExpandEnvironmentStringsW
GetLongPathNameW
OpenProcess
HeapFree
DisableThreadLibraryCalls
SetLastError
ExitProcess
InitializeCriticalSection
GetCommandLineW
GetCurrentProcess
CloseHandle
GetProcessHeap
HeapAlloc
WideCharToMultiByte
EnterCriticalSection
VirtualAlloc
WaitNamedPipeW
VirtualProtect
GetLastError
FormatMessageW
OutputDebugStringW

advapi32

StartServiceCtrlDispatcherW
RegOpenKeyExA
RegSetKeySecurity
RegQueryValueExA
OpenSCManagerA
OpenSCManagerW
OpenServiceA
OpenServiceW
CloseServiceHandle
QueryServiceConfigA
QueryServiceLockStatusA
QueryServiceLockStatusW
ControlService
StartServiceA
StartServiceW
EnumServicesStatusA
EnumServicesStatusW
EnumServicesStatusExA
EnumServicesStatusExW
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA
RegisterServiceCtrlHandlerW
RegisterServiceCtrlHandlerExA
RegisterServiceCtrlHandlerExW
SetServiceStatus
RegisterEventSourceA
RegisterEventSourceW
ReportEventA
ReportEventW
DeregisterEventSource
QueryServiceStatus
QueryServiceConfigW
QueryServiceStatusEx
CreateProcessAsUserA
CreateProcessAsUserW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegOpenCurrentUser

psapi

GetModuleBaseNameW
EnumProcessModules

Exports

Exports

_SandboxieHelper_PStoreInit@0
_Sandboxie_Helper_CreateProcessW@44
_Sandboxie_Helper_Hook@12
_Sandboxie_Helper_Init_OpenKey@0
_Sandboxie_Helper_Init_SCM@0
_Sandboxie_Helper_IsDirectory@4
_Sandboxie_Helper_Start_Servers@0

Sections

.text
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SandboxieRpcSs.exe
.exe windows:5 windows x86 arch:x86

f01e8ab94f2501615e02068b03577b16

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\services\rpcss\obj\i386\SandboxieRpcSs.pdb

Imports

msvcrt

__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_adjust_fdiv
_XcptFilter
_exit
_c_exit
__p__commode
__p__fmode
__set_app_type
wcscpy
_wcsicmp
_except_handler3
_controlfp
_cexit
wcscmp

advapi32

SetServiceStatus
RegisterServiceCtrlHandlerW
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW
OpenServiceW
CloseServiceHandle
QueryServiceStatus
StartServiceW
ControlService
QueryServiceStatusEx
OpenProcessToken
GetTokenInformation
ConvertSidToStringSidW
OpenSCManagerW

kernel32

TerminateProcess
ExitProcess
Sleep
GetProcAddress
CreateThread
SuspendThread
GetCurrentThread
CreateFileMappingW
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
LoadLibraryW
GetProcessHeap
HeapFree
CloseHandle
LocalFree
OpenProcess
HeapAlloc
SetLastError
GetCurrentProcess

user32

wsprintfW
MessageBoxW

ntdll

RtlAdjustPrivilege
NtSetInformationProcess
NtDeviceIoControlFile
NtOpenFile
RtlInitUnicodeString

ws2_32

listen
bind
WSAStartup

sandboxiehelper

_Sandboxie_Helper_Hook@12

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 968B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieServer.exe
.exe windows:5 windows x86 arch:x86

a92b1c9ab42c5fd91cd9ca8001956e71

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\server\obj\i386\SandboxieServer.pdb

Imports

msvcrt

_initterm
__getmainargs
_acmdln
exit
_cexit
__setusermatherr
_exit
_c_exit
wcscmp
wcslen
wcsrchr
__p__commode
_adjust_fdiv
__p__fmode
__set_app_type
_controlfp
_XcptFilter
_except_handler3
wcscpy
wcscat
memcpy
memset
??2@YAPAXI@Z

advapi32

StartServiceCtrlDispatcherW
QueryServiceStatusEx
QueryServiceConfigW
ImpersonateNamedPipeClient
OpenServiceW
StartServiceW
RevertToSelf
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCloseKey
OpenSCManagerW
EnumServicesStatusW
CloseServiceHandle
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
InitializeSecurityDescriptor
SetSecurityDescriptorOwner
SetEntriesInAclW
SetSecurityDescriptorDacl
ReportEventW
OpenEventLogW
RegisterServiceCtrlHandlerExW
SetServiceStatus

kernel32

GetFileTime
QueueUserWorkItem
Sleep
FlushFileBuffers
TerminateProcess
OpenProcess
GetProcAddress
LoadLibraryW
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
CreateFileW
LocalFree
GetModuleFileNameW
HeapDestroy
GetLastError
HeapFree
HeapAlloc
GetProcessHeap
CloseHandle
GetCurrentProcess
SetLastError
OutputDebugStringW
MapViewOfFile
CreateFileMappingW
ReadFileEx
HeapCreate
SetEvent
CreateThread
CreateEventW
CreateWaitableTimerW
GetOverlappedResult
WaitForMultipleObjectsEx
ExitThread
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CancelIo
CancelWaitableTimer
SetWaitableTimer
WriteFileEx

user32

wsprintfW

setupapi

CM_Get_Device_ID_List_SizeW
CM_Get_Device_ID_ListW
SetupDiBuildClassInfoList
SetupDiClassNameFromGuidExW
CM_Get_Device_Interface_List_SizeW
CM_Get_Device_Interface_ListW

crypt32

CryptUnprotectData
CryptProtectData

ole32

IIDFromString
CoTaskMemFree

ntdll

RtlInitUnicodeString
NtOpenFile
NtDeviceIoControlFile

Sections

.text
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SandboxieToolbar.dll
.dll regsvr32 windows:5 windows x86 arch:x86

c1ab6229cb342c0e3b633cd2430c15cb

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\work\sandbox\toolbar\obj\i386\SandboxieToolbar.pdb

Imports

msvcrt

wcscat
_except_handler3
??3@YAXPAX@Z
wcsstr
_wcslwr
_wcsnicmp
memmove
wcscmp
_wcsicmp
strstr
strchr
swprintf
wcsrchr
wcsncpy
wcscpy
free
wcslen
??2@YAPAXI@Z
_purecall
_vsnprintf
sprintf

ntdll

NtClose
NtQueryObject
NtDeviceIoControlFile
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtOpenFile
RtlInitUnicodeString

shell32

SHGetFolderPathW

ole32

CoCreateInstance

oleaut32

RegisterTypeLi
SysAllocString
SysFreeString
LoadTypeLi
SysStringLen
LoadRegTypeLi
VariantInit

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_Destroy

advapi32

RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegCloseKey

user32

CreatePopupMenu
SetMenuInfo
GetMenuItemCount
InsertMenuItemW
DestroyMenu
GetClientRect
CreateMenu
SetWindowLongW
DestroyWindow
ShowWindow
GetClassInfoExW
LoadCursorW
wsprintfW
IsWindow
CharNextW
TrackPopupMenu
LoadStringW
CallWindowProcW
GetWindowLongW
DefWindowProcW
LoadImageW
SendMessageW
MessageBoxW
CreateWindowExW
GetWindowRect
RegisterClassExW

gdi32

DeleteObject

kernel32

GetTickCount
QueryPerformanceCounter
FindFirstFileW
FindNextFileW
FindClose
CreateFileW
GetFileInformationByHandle
ReadFile
HeapFree
GetProcessHeap
HeapAlloc
CreateProcessW
RaiseException
GetCurrentProcess
CloseHandle
SetLastError
GetCurrentProcessId
DisableThreadLibraryCalls
LoadLibraryW
GetProcAddress
FreeLibrary
lstrlenW
GetModuleFileNameW
HeapDestroy
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
LoadLibraryA
VirtualFree
VirtualAlloc
WriteFile
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
DeleteCriticalSection
InitializeCriticalSection
GetLastError
lstrcpyW
FlushInstructionCache
WaitNamedPipeW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 468B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Start.exe
.exe windows:5 windows x86 arch:x86

c723f845a639852938b694999aaeb4be

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\work\sandbox\start\obj\i386\Start.pdb

Imports

advapi32

RegOpenKeyExW
SetThreadToken
RegCloseKey
RegQueryValueExW

kernel32

Sleep
CreateProcessW
OpenMutexW
CloseHandle
SetLastError
TerminateThread
GetCurrentThread
GetModuleHandleW
FindClose
FindNextFileW
GetCommandLineW
HeapDestroy
HeapCreate
HeapFree
SetCurrentDirectoryW
GetFileAttributesW
GetFullPathNameW
GetSystemTimeAsFileTime
GetExitCodeProcess
WaitForSingleObject
ExpandEnvironmentStringsW
GetProcessHeap
HeapAlloc
GetSystemDirectoryW
GetLastError
ExitProcess
WaitNamedPipeW
WriteFile
ReadFile
FormatMessageW
FindFirstFileW
CreateFileW

gdi32

CreateCompatibleDC
CreateCompatibleBitmap
PatBlt
SelectObject

user32

CreateMenu
GetMenuItemCount
InsertMenuItemW
SetMenuInfo
DestroyMenu
GetDC
CreatePopupMenu
GetWindowTextW
EndDialog
SetWindowTextW
SetFocus
GetSysColorBrush
DrawIconEx
DestroyIcon
LoadImageW
DialogBoxParamW
TrackPopupMenu
DestroyWindow
SetWindowPos
SendDlgItemMessageW
GetDlgItem
GetWindowRect
CreateWindowExW
SendMessageW
wsprintfW
MessageBoxW
GetWindowInfo

ntdll

ZwEnumerateKey
NtOpenKey
ZwDeleteKey
NtClose
NtQueryVirtualMemory
NtCreateFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
sprintf
_vsnprintf
RtlInitUnicodeString
RtlUnwind
NtSetInformationFile
RtlNtStatusToDosError
wcsrchr
_wcsicmp
wcscmp
_wcsnicmp
iswctype
wcsncpy
wcslen
wcsncmp
wcscat
swprintf
wcscpy
NtDeviceIoControlFile
NtOpenFile
memmove

shlwapi

SHAutoComplete
AssocQueryStringW

shell32

SHGetPathFromIDListW
SHGetFolderPathW
ExtractIconExW

ole32

CoTaskMemFree
CoInitialize
CoCreateInstance

comdlg32

GetOpenFileNameW

comctl32

InitCommonControlsEx

sandboxiehelper

_Sandboxie_Helper_CreateProcessW@44
_Sandboxie_Helper_Init_OpenKey@0
_Sandboxie_Helper_Init_SCM@0
_SandboxieHelper_PStoreInit@0
_Sandboxie_Helper_IsDirectory@4
_Sandboxie_Helper_Start_Servers@0

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

73b73e00f465fa1a2a3bf6377a40219b

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 22KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 109KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 9KB - Virtual size: 12KB

57354bdeea3dfae6e948101add87501a

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 1KB - Virtual size: 9KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1024B - Virtual size: 954B

5a9d33a3c6cb6c8c267ed11df5b14402

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

advapi32

kernel32

user32

shell32

Sections

.text Size: 6KB - Virtual size: 5KB

.data Size: 512B - Virtual size: 72B

4ec328f99bdd944fc98d8a5cf11f7a62

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 1024B - Virtual size: 784B

.data Size: 512B - Virtual size: 92B

.reloc Size: 512B - Virtual size: 494B

48cfa0ea7e353e4a7dd23572da8374ef

Headers

File Characteristics

Imports

kernel32

advapi32

Exports

Exports

Sections

.text Size: 1024B - Virtual size: 573B

.rdata Size: 1024B - Virtual size: 576B

.data Size: 512B - Virtual size: 45B

.text
Size: 22KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 109KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 9KB - Virtual size: 12KB

.text
Size: 6KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 1KB - Virtual size: 9KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 954B

.text
Size: 6KB - Virtual size: 5KB

.data
Size: 512B - Virtual size: 72B

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 92B

.reloc
Size: 512B - Virtual size: 494B

.text
Size: 1024B - Virtual size: 573B

.rdata
Size: 1024B - Virtual size: 576B

.data
Size: 512B - Virtual size: 45B

.reloc
Size: 512B - Virtual size: 132B

.text
Size: 71KB - Virtual size: 71KB

.data
Size: 512B - Virtual size: 1KB

.rsrc
Size: 409KB - Virtual size: 409KB

.text
Size: 9KB - Virtual size: 8KB

.data
Size: 512B - Virtual size: 88B

.text
Size: 86KB - Virtual size: 86KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1KB - Virtual size: 1KB

INIT
Size: 14KB - Virtual size: 14KB

.rsrc
Size: 9KB - Virtual size: 9KB

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 7KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 156B

.rsrc
Size: 1024B - Virtual size: 984B