removeanysetup[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

removeanysetup.exe
Size

933KB
MD5

4482b838f6d026d85bbdec727628123b
SHA1

900b647d528a7c459657e0c56b787029718111a1
SHA256

1b2ae3a9e73dd8d91429df6330a89f60484aa1294585fb37937f3c9bea9ded4b
SHA512

ae3fe91433a13cb18ff313f09a536bbe2ec4f30ecfcd16accfdacc9e6f48c99f6563363773550a032931bc94042cd96463673c0afd9362096887ac9d1b98c388
SSDEEP

24576:tfujL3JXQMvhMrhIstaTxWlJwCwJRD8tBYdoLf:gjL3N/JMrhEWlJnwfD8tBYaf

Score

3^/10

Malware Config

Signatures

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/GetVersion.dll
unpack001/$PLUGINSDIR/NSSCM.DLL
unpack001/BugTrap.dll
unpack001/lua5.1.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

removeanysetup.exe
.exe windows:4 windows x86 arch:x86

Password: infected

099c0646ea7282d232219f8807883be0

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

18/05/2011, 00:00

Not After

17/05/2012, 23:59

Subject

CN=Valery Kuzniatsou,O=Valery Kuzniatsou,POSTALCODE=220025,STREET=Slobodskaia st. 167-101,L=Minsk,ST=Minsk,C=BY

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bf:f2:ae:de:91:49:1d:e5:89:7e:77:00:81:a2:9a:34:67:4a:6c:de
Signer

Actual PE Digest

bf:f2:ae:de:91:49:1d:e5:89:7e:77:00:81:a2:9a:34:67:4a:6c:de

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/GetVersion.dll
.dll windows:4 windows x86 arch:x86

Password: infected

add11ce79d4925abda7b305cc53287d2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

LoadLibraryA
GetVersionExA
GetProcAddress
GetModuleHandleA
lstrcmpiA
FreeLibrary
GlobalAlloc
lstrcatA
lstrcpynA

user32

wsprintfA
GetSystemMetrics

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

Exports

Exports

IEVersion
WindowsName
WindowsPlatformArchitecture
WindowsPlatformId
WindowsServerName
WindowsServicePack
WindowsServicePackBuild
WindowsType
WindowsVersion

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 368B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/NSSCM.DLL
.dll windows:4 windows x86 arch:x86

Password: infected

cae3b41a07819ca715746a4d081b8a6c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

CreateServiceA
StartServiceA
OpenServiceA
ControlService
QueryServiceStatus
DeleteService
OpenSCManagerA
CloseServiceHandle

kernel32

GlobalFree
GetLastError
lstrcpyA
lstrcpynA
GlobalAlloc

user32

wsprintfA

Exports

Exports

Install
QueryStatus
Remove
Start
Stop

Sections

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 650B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 284B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$SYSDIR/Drivers/RemoveAny.sys
.sys windows:6 windows x86 arch:x86

addbd323bbef183bd0ae98558ac2934c

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

18/05/2011, 00:00

Not After

17/05/2012, 23:59

Subject

CN=Valery Kuzniatsou,O=Valery Kuzniatsou,POSTALCODE=220025,STREET=Slobodskaia st. 167-101,L=Minsk,ST=Minsk,C=BY

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

ef:04:94:37:26:c7:4f:36:80:b7:76:00:2d:5f:cd:82:09:44:c3:7a
Signer

Actual PE Digest

ef:04:94:37:26:c7:4f:36:80:b7:76:00:2d:5f:cd:82:09:44:c3:7a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

f:\work\projects\removeany\src\driver\objfre_wxp_x86\i386\RemoveAny.pdb

Imports

ntoskrnl.exe

RtlFreeUnicodeString
RtlUpcaseUnicodeString
KeUnstackDetachProcess
KeStackAttachProcess
IoGetCurrentProcess
PsGetCurrentThreadId
RtlInitUnicodeString
KeQuerySystemTime
ObfDereferenceObject
PsLookupProcessByProcessId
PsGetCurrentProcessId
MmIsAddressValid
KeGetCurrentThread
IoDeleteDevice
KeWaitForSingleObject
KeSetTimer
KeInitializeTimer
PsRemoveLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
IofCompleteRequest
IoUnregisterShutdownNotification
ExAllocatePoolWithTag
IoRegisterShutdownNotification
PsSetLoadImageNotifyRoutine
IoCreateDevice
KeInitializeMutex
ZwCreateFile
ZwClose
ZwWriteFile
KeReleaseMutex
IoFreeWorkItem
IoQueueWorkItem
IoAllocateWorkItem
memcpy
_vsnprintf
ZwDeleteFile
isdigit
islower
isupper
memset
NtBuildNumber
KeBugCheckEx
_snprintf
KeTickCount
ExFreePoolWithTag
RtlUnwind

hal

KeGetCurrentIrql
KeQueryPerformanceCounter

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 768B - Virtual size: 708B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 896B - Virtual size: 848B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 640B - Virtual size: 536B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BugTrap.dll
.dll windows:5 windows x86 arch:x86

Password: infected

1b7b645004f22e7cf6cf83d958ceee2d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\Documents and Settings\Max\My Documents\Visual Studio 2008\Projects\BugTrap\Win32\Bin\BugTrap.pdb

Imports

ws2_32

inet_ntoa
WSACleanup
inet_addr
htons
WSASocketA
WSAEventSelect
connect
WSAEnumNetworkEvents
WSASend
WSAGetOverlappedResult
shutdown
setsockopt
closesocket
WSAGetLastError
WSAStartup
gethostname
gethostbyname

comctl32

InitCommonControlsEx
ImageList_LoadImageA
ImageList_Destroy

shlwapi

PathRemoveBackslashA
PathRemoveExtensionA
PathAddExtensionA
PathSkipRootA
PathCreateFromUrlA
UrlIsA
PathIsURLA
PathFindNextComponentA
PathIsRootA
PathRemoveFileSpecA
PathAppendA
StrTrimA
PathIsRelativeA
PathCombineA
PathFindFileNameA

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

wininet

InternetCrackUrlA
InternetOpenA
InternetSetStatusCallback
InternetConnectA
InternetAttemptConnect
HttpSendRequestExA
InternetWriteFile
HttpEndRequestA
InternetCloseHandle
InternetGetLastResponseInfoA
HttpOpenRequestA

kernel32

QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStartupInfoA
GetFileType
SetHandleCount
RtlUnwind
HeapSize
LCMapStringW
LCMapStringA
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
IsDebuggerPresent
CloseHandle
WriteFile
CreateFileA
CopyFileA
FindClose
FindFirstFileA
RaiseException
FindNextFileA
SetEvent
WaitForSingleObject
WideCharToMultiByte
ReadFile
SetFilePointer
GetStringTypeA
GetFileSize
MulDiv
FreeLibrary
GetProcAddress
LoadLibraryA
GetProfileIntA
GetLastError
OpenProcess
GetModuleFileNameA
GetCurrentProcessId
GetModuleHandleA
GetVersionExA
DeleteCriticalSection
OutputDebugStringA
GetStdHandle
InitializeCriticalSection
WriteConsoleA
MultiByteToWideChar
GetConsoleCP
LeaveCriticalSection
EnterCriticalSection
SetEndOfFile
GetLocalTime
VirtualProtect
VirtualQuery
ReadProcessMemory
GetCurrentProcess
LocalFree
FormatMessageA
GetSystemInfo
GlobalMemoryStatus
GetThreadContext
GetCurrentThread
FreeEnvironmentStringsA
GetEnvironmentStrings
GetTimeFormatA
GetDateFormatA
SystemTimeToFileTime
GetFileAttributesA
DeleteFileA
GetCurrentThreadId
ResumeThread
SuspendThread
GetCurrentDirectoryA
GetCommandLineA
GetComputerNameA
CreateProcessA
GetUserDefaultLangID
SetUnhandledExceptionFilter
TerminateProcess
CreateEventA
DisableThreadLibraryCalls
WaitForMultipleObjects
LocalReAlloc
GetExitCodeThread
GetTempPathA
ResetEvent
RemoveDirectoryA
CreateDirectoryA
GetTickCount
IsDBCSLeadByte
GetWindowsDirectoryA
CreateThread
ExitThread
HeapAlloc
InterlockedDecrement
UnhandledExceptionFilter
HeapFree
GetSystemTimeAsFileTime
VirtualFree
VirtualAlloc
SetLastError
HeapReAlloc
HeapCreate
HeapDestroy
GetModuleHandleW
Sleep
ExitProcess
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
GetConsoleMode
InitializeCriticalSectionAndSpinCount
GetLocaleInfoA
GetStringTypeW
SetStdHandle
WriteConsoleW
FlushFileBuffers
GetProcessHeap
GetConsoleOutputCP

user32

IsZoomed
IsWindowVisible
EndDeferWindowPos
DeferWindowPos
MapWindowPoints
BeginDeferWindowPos
DrawEdge
GetTabbedTextExtentA
TabbedTextOutA
EnumDisplayDevicesA
AppendMenuA
GetSystemMenu
GetWindowThreadProcessId
GetForegroundWindow
GetActiveWindow
SendMessageTimeoutA
GetWindow
DrawTextA
DrawIconEx
GetClassLongA
CopyIcon
LoadCursorA
DestroyIcon
GetSysColorBrush
FillRect
KillTimer
SetTimer
PostMessageA
GetMessageA
DispatchMessageA
SetScrollPos
CreateDialogParamA
GetWindowRect
ScreenToClient
SetWindowPos
LoadIconA
SetForegroundWindow
MessageBoxA
GetWindowLongA
SetWindowLongA
CheckRadioButton
LoadImageA
ShowWindow
DestroyWindow
CreateWindowExA
EnableWindow
IsWindowEnabled
DialogBoxParamA
UpdateWindow
InvalidateRect
GetClientRect
GetSystemMetrics
LoadStringA
GetSysColor
SetWindowTextA
GetWindowTextLengthA
SendMessageA
SetCursor
GetDialogBaseUnits
GetMessagePos
IsChild
GetCapture
GetParent
GetDlgItem
ReleaseCapture
SetCapture
GetFocus
SetFocus
GetWindowTextA
EndDialog
DrawFocusRect
PtInRect
SystemParametersInfoA
GetKeyState
GetScrollPos
GetScrollInfo
SetScrollInfo
ScrollWindowEx
GetDC
ReleaseDC
DefWindowProcA
RedrawWindow
BeginPaint
EndPaint
PostQuitMessage
IsRectEmpty
GetDlgCtrlID

gdi32

GetDIBits
GetDeviceCaps
GetTextExtentPoint32A
SetTextColor
TextOutA
GetObjectA
CreateDCA
PatBlt
CreateFontIndirectA
StretchBlt
MoveToEx
LineTo
GetTextMetricsA
CreateCompatibleBitmap
CreateCompatibleDC
SetViewportOrgEx
SelectObject
GetClipBox
BitBlt
DeleteDC
SetBkColor
DeleteObject

comdlg32

GetSaveFileNameA

advapi32

RegEnumKeyExA
RegEnumValueA
OpenProcessToken
GetTokenInformation
AdjustTokenPrivileges
GetUserNameA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey

shell32

SHGetSpecialFolderPathA
SHGetFileInfoA
ShellExecuteA

ole32

StringFromGUID2

oleaut32

GetErrorInfo
SysFreeString

Exports

Exports

BT_AddLogFile
BT_AddRegFile
BT_AppLogEntry
BT_AppLogEntryF
BT_AppLogEntryV
BT_CallCppFilter
BT_CallNetFilter
BT_CallSehFilter
BT_ClearLog
BT_ClearLogFiles
BT_CloseLogFile
BT_CppFilter
BT_DeleteLogFile
BT_ExportRegistryKey
BT_FlushLogFile
BT_GetActivityType
BT_GetAppName
BT_GetAppVersion
BT_GetDialogMessage
BT_GetDumpType
BT_GetExitMode
BT_GetFlags
BT_GetLogEchoMode
BT_GetLogFileEntry
BT_GetLogFileName
BT_GetLogFilesCount
BT_GetLogFlags
BT_GetLogLevel
BT_GetLogSizeInBytes
BT_GetLogSizeInEntries
BT_GetMailProfile
BT_GetNotificationEMail
BT_GetPostErrHandler
BT_GetPreErrHandler
BT_GetReportFilePath
BT_GetReportFormat
BT_GetSupportEMail
BT_GetSupportHost
BT_GetSupportPort
BT_GetSupportURL
BT_GetUserMessage
BT_InsLogEntry
BT_InsLogEntryF
BT_InsLogEntryV
BT_InstallSehFilter
BT_InterceptSUEF
BT_MailSnapshot
BT_MailSnapshotEx
BT_NetFilter
BT_OpenLogFile
BT_ReadVersionInfo
BT_SaveSnapshot
BT_SaveSnapshotEx
BT_SehFilter
BT_SendSnapshot
BT_SendSnapshotEx
BT_SetActivityType
BT_SetAppName
BT_SetAppVersion
BT_SetDialogMessage
BT_SetDumpType
BT_SetExitMode
BT_SetFlags
BT_SetLogEchoMode
BT_SetLogFlags
BT_SetLogLevel
BT_SetLogSizeInBytes
BT_SetLogSizeInEntries
BT_SetMailProfile
BT_SetNotificationEMail
BT_SetPostErrHandler
BT_SetPreErrHandler
BT_SetReportFilePath
BT_SetReportFormat
BT_SetSupportEMail
BT_SetSupportHost
BT_SetSupportPort
BT_SetSupportServer
BT_SetSupportURL
BT_SetUserMessage
BT_SetUserMessageFromCode
BT_UninstallSehFilter

Sections

.text
Size: 179KB - Virtual size: 178KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cfu.exe
.exe windows:4 windows x86 arch:x86

Password: infected

6baf87bb723ea21184d064e4dd4b49dd

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

18/05/2011, 00:00

Not After

17/05/2012, 23:59

Subject

CN=Valery Kuzniatsou,O=Valery Kuzniatsou,POSTALCODE=220025,STREET=Slobodskaia st. 167-101,L=Minsk,ST=Minsk,C=BY

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2c:2b:f7:36:a9:3d:70:1a:22:2b:74:ad:89:c9:47:bf:c7:2b:29:aa
Signer

Actual PE Digest

2c:2b:f7:36:a9:3d:70:1a:22:2b:74:ad:89:c9:47:bf:c7:2b:29:aa

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

WSAEventSelect
WSARecv
WSASend
WSAEnumNetworkEvents
setsockopt
gethostbyaddr
ioctlsocket
recvfrom
recv
sendto
send
accept
listen
bind
connect
getsockopt
socket
shutdown
closesocket
select
WSAGetLastError
WSAStartup
WSACleanup
htonl
getsockname
getpeername
gethostname
gethostbyname
inet_ntoa
ntohs
htons
__WSAFDIsSet

winmm

timeGetTime

mfc42

ord470
ord755
ord2379
ord2863
ord4160
ord3092
ord6199
ord2370
ord1168
ord1146
ord4234
ord324
ord3597
ord4425
ord4627
ord5277
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord4710
ord4998
ord4853
ord4376
ord5265
ord537
ord860
ord1134
ord2621
ord823
ord540
ord858
ord6877
ord2514
ord800
ord641
ord815
ord825
ord561
ord3738
ord4424
ord1576
ord4622
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5714
ord5289
ord5307
ord4698
ord4079
ord2725
ord5302
ord5300
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord4673
ord2124

msvcrt

gmtime
localtime
strftime
clock
getenv
tmpnam
rename
remove
system
_ftol
strpbrk
_HUGE
srand
rand
frexp
modf
_CIfmod
ceil
_CIacos
_CIasin
_CItanh
_CIcosh
_CIsinh
fputs
fgets
_CIpow
floor
strcoll
strncpy
strcspn
strncat
strtod
strtoul
_isctype
__mb_cur_max
time
_setjmp3
longjmp
exit
fprintf
free
realloc
_errno
strerror
_iob
getc
ungetc
strchr
strstr
toupper
tolower
_vsnprintf
sprintf
memmove
_splitpath
fwrite
??0exception@@QAE@ABQBD@Z
fopen
fseek
ftell
fread
fclose
??1exception@@UAE@XZ
??0exception@@QAE@ABV0@@Z
_purecall
_CxxThrowException
__p___argc
__p___argv
memchr
_access
__CxxFrameHandler
mktime
difftime
setlocale
_popen
tmpfile
clearerr
fscanf
setvbuf
fflush
_pclose
strrchr
_getmaxstdio
_setmaxstdio
_fdopen
_open_osfhandle
_get_osfhandle
malloc
localeconv
sscanf
_beginthreadex
calloc
_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
_exit
??1type_info@@UAE@XZ
_onexit
_pctype
__dllonexit
_stat
_utime
_setmbcp
ldexp

kernel32

GetStartupInfoA
GetModuleHandleA
ExpandEnvironmentStringsA
Beep
GetQueuedCompletionStatus
FindCloseChangeNotification
CancelIo
FindFirstChangeNotificationA
FindNextFileA
DeleteFileA
FindFirstFileA
ExitProcess
GetModuleFileNameA
GetCurrentProcess
GetCurrentDirectoryA
GetSystemDirectoryA
GetLongPathNameA
SizeofResource
LockResource
LoadResource
FindResourceA
EnumResourceNamesA
WideCharToMultiByte
MultiByteToWideChar
LoadLibraryA
FormatMessageA
GetLastError
GetProcAddress
FreeLibrary
SetLastError
GetSystemInfo
SetCommState
GetCommState
SetCommTimeouts
SetupComm
PurgeComm
SetFilePointer
CreateFileA
GetTempFileNameA
GetTempPathA
CreatePipe
CloseHandle
SetStdHandle
SetEndOfFile
UnlockFile
LockFile
WriteFile
ReadFile
FlushFileBuffers
CreateMailslotA
GetMailslotInfo
CreateNamedPipeA
SetMailslotInfo
GetEnvironmentVariableA
SetEnvironmentVariableA
FreeEnvironmentStringsA
GetEnvironmentStrings
QueryPerformanceFrequency
QueryPerformanceCounter
GetFileAttributesA
MoveFileA
SetCurrentDirectoryA
CreateDirectoryA
RemoveDirectoryA
GetDriveTypeA
CreateProcessA
DuplicateHandle
GetStdHandle
GetCurrentProcessId
GetExitCodeProcess
WaitForSingleObject
TerminateProcess
FindNextChangeNotification
GetVersionExA
GetSystemTimeAsFileTime
Sleep
TlsSetValue
TlsGetValue
ReleaseMutex
TlsAlloc
DeleteCriticalSection
CreateMutexA
GetCurrentThreadId
InitializeCriticalSectionAndSpinCount
CreateEventA
FindClose
PulseEvent
LeaveCriticalSection
EnterCriticalSection
MapViewOfFile
CreateFileMappingA
GetFileSize
FlushViewOfFile
UnmapViewOfFile
SetConsoleCtrlHandler
SetEvent
CreateIoCompletionPort
SetThreadPriority
CreateThread
ResetEvent
WaitForMultipleObjects

user32

EnableWindow
IsIconic
CharLowerBuffA
CharUpperBuffA
MsgWaitForMultipleObjects
GetSystemMetrics
GetClientRect
DrawIcon
GetSystemMenu
AppendMenuA
SendMessageA
LoadIconA
GetQueueStatus

advapi32

RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegisterServiceCtrlHandlerA
SetServiceStatus
StartServiceCtrlDispatcherA
OpenServiceA
ControlService
QueryServiceStatus
DeleteService
OpenSCManagerA
CreateServiceA
CloseServiceHandle
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
ReportEventA
CloseEventLog
OpenEventLogA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegQueryValueExA
RegSetValueExA

shell32

ShellExecuteA

msvcp60

?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PAD0PBD1@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??_7runtime_error@std@@6B@
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??1runtime_error@std@@UAE@XZ
??0runtime_error@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?_Xlen@std@@YAXXZ
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z

psapi

GetModuleBaseNameA

Sections

.text
Size: 172KB - Virtual size: 170KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 100KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
dbghelp.dll
.dll windows:6 windows x86 arch:x86

Password: infected

e246e1939eedffac25310343ba57d266

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:0f:78:4d:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/08/2007, 00:23

Not After

23/02/2009, 00:33

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:47:52:ba:00:00:00:00:00:04
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:53

Not After

16/09/2011, 02:03

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:D8A9-CFCC-579C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:49:7c:ed:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:55

Not After

16/09/2011, 02:05

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:10D8-5847-CBF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

53:12:dc:61:b5:ac:22:99:f7:b3:0a:4c:f8:7c:8c:75:88:08:11:78
Signer

Actual PE Digest

53:12:dc:61:b5:ac:22:99:f7:b3:0a:4c:f8:7c:8c:75:88:08:11:78

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dbghelp.pdb

Imports

msvcrt

_isatty
_write
_lseeki64
??3@YAXPAX@Z
_fileno
_read
__pioinfo
__badioinfo
ferror
wctomb
_snprintf
isleadbyte
mbtowc
_onexit
_lock
__dllonexit
_unlock
_ismbblead
_amsg_exit
_initterm
_XcptFilter
memmove
_iob
__mb_cur_max
strchr
_vsnwprintf
_errno
__CxxFrameHandler
iswspace
calloc
_itoa
_wcsdup
towlower
tolower
_wcslwr
time
_wctime
_ltoa
_wcsnicmp
_purecall
ctime
malloc
strncmp
isspace
_stricmp
_strlwr
free
wcsrchr
strstr
memcpy
_wcsicmp
qsort
wcschr
wcsstr
wcsncmp
iswxdigit
memset
??2@YAPAXI@Z
iswprint
atol
fclose
__unDName
iswdigit
_CxxThrowException
bsearch
_wfsopen
fread
fseek
wcstol
_wfullpath
_wgetenv
_get_osfhandle
_chsize
_close
_open_osfhandle
ftell
_memicmp
_mbscmp
??1type_info@@UAE@XZ
_wsopen

kernel32

HeapAlloc
MapViewOfFileEx
GetCurrentDirectoryW
InitializeCriticalSectionAndSpinCount
GetFileType
DeviceIoControl
SetFileAttributesW
CreateFileMappingW
InterlockedIncrement
InterlockedDecrement
LocalFree
FormatMessageW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetTickCount
QueryPerformanceCounter
RtlUnwind
InterlockedExchange
GetThreadSelectorEntry
CreateThread
TerminateThread
VirtualQueryEx
GetPriorityClass
GetThreadPriority
GetThreadTimes
GetThreadContext
ResumeThread
SuspendThread
GetCurrentThreadId
GetSystemTimeAsFileTime
Sleep
GetVersion
GetSystemInfo
LoadLibraryA
InterlockedCompareExchange
DelayLoadFailureHook
ReadProcessMemory
GetProcessHeap
GetFileAttributesA
SetErrorMode
WriteFile
OutputDebugStringA
VirtualFree
OpenProcess
GetCurrentProcessId
GetModuleHandleA
CreateFileMappingA
MapViewOfFile
DuplicateHandle
VirtualAlloc
VirtualProtect
CreateDirectoryA
UnmapViewOfFile
GetCurrentProcess
SetFilePointer
IsDBCSLeadByte
HeapFree
HeapReAlloc
GetVersionExA
InitializeCriticalSection
HeapCreate
FindClose
LocalAlloc
SetLastError
LeaveCriticalSection
EnterCriticalSection
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetLastError
TlsSetValue
TlsGetValue
TlsAlloc
TlsFree
DeleteCriticalSection
HeapDestroy
FreeLibrary
FlushViewOfFile

Exports

Exports

DbgHelpCreateUserDump
DbgHelpCreateUserDumpW
EnumDirTree
EnumDirTreeW
EnumerateLoadedModules
EnumerateLoadedModules64
EnumerateLoadedModulesEx
EnumerateLoadedModulesExW
EnumerateLoadedModulesW64
ExtensionApiVersion
FindDebugInfoFile
FindDebugInfoFileEx
FindDebugInfoFileExW
FindExecutableImage
FindExecutableImageEx
FindExecutableImageExW
FindFileInPath
FindFileInSearchPath
GetTimestampForLoadedLibrary
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
ImagehlpApiVersion
ImagehlpApiVersionEx
MakeSureDirectoryPathExists
MapDebugInformation
MiniDumpReadDumpStream
MiniDumpWriteDump
SearchTreeForFile
SearchTreeForFileW
StackWalk
StackWalk64
SymAddSourceStream
SymAddSourceStreamA
SymAddSourceStreamW
SymAddSymbol
SymAddSymbolW
SymCleanup
SymDeleteSymbol
SymDeleteSymbolW
SymEnumLines
SymEnumLinesW
SymEnumProcesses
SymEnumSourceFileTokens
SymEnumSourceFiles
SymEnumSourceFilesW
SymEnumSourceLines
SymEnumSourceLinesW
SymEnumSym
SymEnumSymbols
SymEnumSymbolsForAddr
SymEnumSymbolsForAddrW
SymEnumSymbolsW
SymEnumTypes
SymEnumTypesByName
SymEnumTypesByNameW
SymEnumTypesW
SymEnumerateModules
SymEnumerateModules64
SymEnumerateModulesW64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindDebugInfoFile
SymFindDebugInfoFileW
SymFindExecutableImage
SymFindExecutableImageW
SymFindFileInPath
SymFindFileInPathW
SymFromAddr
SymFromAddrW
SymFromIndex
SymFromIndexW
SymFromName
SymFromNameW
SymFromToken
SymFromTokenW
SymFunctionTableAccess
SymFunctionTableAccess64
SymGetFileLineOffsets64
SymGetHomeDirectory
SymGetHomeDirectoryW
SymGetLineFromAddr
SymGetLineFromAddr64
SymGetLineFromAddrW64
SymGetLineFromName
SymGetLineFromName64
SymGetLineFromNameW64
SymGetLineNext
SymGetLineNext64
SymGetLineNextW64
SymGetLinePrev
SymGetLinePrev64
SymGetLinePrevW64
SymGetModuleBase
SymGetModuleBase64
SymGetModuleInfo
SymGetModuleInfo64
SymGetModuleInfoW
SymGetModuleInfoW64
SymGetOmapBlockBase
SymGetOmaps
SymGetOptions
SymGetScope
SymGetScopeW
SymGetSearchPath
SymGetSearchPathW
SymGetSourceFile
SymGetSourceFileFromToken
SymGetSourceFileFromTokenW
SymGetSourceFileToken
SymGetSourceFileTokenW
SymGetSourceFileW
SymGetSourceVarFromToken
SymGetSourceVarFromTokenW
SymGetSymFromAddr
SymGetSymFromAddr64
SymGetSymFromName
SymGetSymFromName64
SymGetSymNext
SymGetSymNext64
SymGetSymPrev
SymGetSymPrev64
SymGetSymbolFile
SymGetSymbolFileW
SymGetTypeFromName
SymGetTypeFromNameW
SymGetTypeInfo
SymGetTypeInfoEx
SymGetUnwindInfo
SymInitialize
SymInitializeW
SymLoadModule
SymLoadModule64
SymLoadModuleEx
SymLoadModuleExW
SymMatchFileName
SymMatchFileNameW
SymMatchString
SymMatchStringA
SymMatchStringW
SymNext
SymNextW
SymPrev
SymPrevW
SymRefreshModuleList
SymRegisterCallback
SymRegisterCallback64
SymRegisterCallbackW64
SymRegisterFunctionEntryCallback
SymRegisterFunctionEntryCallback64
SymSearch
SymSearchW
SymSetContext
SymSetHomeDirectory
SymSetHomeDirectoryW
SymSetOptions
SymSetParentWindow
SymSetScopeFromAddr
SymSetScopeFromIndex
SymSetSearchPath
SymSetSearchPathW
SymSrvDeltaName
SymSrvDeltaNameW
SymSrvGetFileIndexInfo
SymSrvGetFileIndexInfoW
SymSrvGetFileIndexString
SymSrvGetFileIndexStringW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
SymSrvGetSupplement
SymSrvGetSupplementW
SymSrvIsStore
SymSrvIsStoreW
SymSrvStoreFile
SymSrvStoreFileW
SymSrvStoreSupplement
SymSrvStoreSupplementW
SymUnDName
SymUnDName64
SymUnloadModule
SymUnloadModule64
UnDecorateSymbolName
UnDecorateSymbolNameW
UnmapDebugInformation
WinDbgExtensionDllInit
block
chksym
dbghelp
dh
fptr
homedir
itoldyouso
lmi
lminfo
omap
srcfiles
stack_force_ebp
stackdbg
sym
symsrv
vc7fpo

Sections

.text
Size: 965KB - Virtual size: 965KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
lang/1031.txt
lang/1033.txt
lang/1036.txt
lang/1040.txt
lang/1049.txt
lang/2070.txt
lang/3082.txt
license.txt
lua5.1.dll
.dll windows:4 windows x86 arch:x86

Password: infected

3c694bdf5ae536700daecd20f13c2718

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

CloseServiceHandle
CreateServiceA
OpenSCManagerA
DeleteService
QueryServiceStatus
ControlService
OpenServiceA
StartServiceCtrlDispatcherA
SetServiceStatus
RegisterServiceCtrlHandlerA
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegQueryValueExA
RegSetValueExA
OpenEventLogA
CloseEventLog
ReportEventA
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom

user32

MsgWaitForMultipleObjects
GetQueueStatus
CharUpperBuffA
CharLowerBuffA

winmm

timeGetTime

shell32

ShellExecuteA

ws2_32

bind
connect
socket
shutdown
closesocket
select
WSAStartup
WSACleanup
__WSAFDIsSet
setsockopt
htonl
send
listen
getpeername
ntohs
gethostname
inet_ntoa
WSAEnumNetworkEvents
WSAEventSelect
getsockopt
WSAGetLastError
WSARecv
WSASend
sendto
recv
getsockname
accept
recvfrom
ioctlsocket
gethostbyaddr
gethostbyname
htons

msvcrt

strrchr
getenv
strtod
sprintf
strncat
strcspn
strncpy
system
remove
rename
tmpnam
clock
strftime
localtime
gmtime
time
mktime
difftime
setlocale
strpbrk
tolower
memchr
strcoll
_beginthreadex
memmove
malloc
calloc
_getmaxstdio
_setmaxstdio
_fdopen
_open_osfhandle
_get_osfhandle
sscanf
_initterm
_adjust_fdiv
__dllonexit
_onexit
_HUGE
srand
rand
ldexp
frexp
modf
_CIfmod
ceil
_CIacos
_CIasin
_CItanh
_CIcosh
_CIsinh
localeconv
fflush
setvbuf
fseek
ftell
fwrite
fscanf
clearerr
tmpfile
_popen
_setjmp3
longjmp
exit
fgets
_CIpow
floor
_ftol
strtoul
_isctype
__mb_cur_max
_pctype
fputs
fprintf
free
realloc
_errno
strerror
fread
fopen
_iob
getc
fclose
ungetc
strchr
strstr
_stat
_pclose
_utime

kernel32

CreateFileA
DisableThreadLibraryCalls
GetSystemTimeAsFileTime
GetVersionExA
FindNextChangeNotification
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
GetStdHandle
DuplicateHandle
CreateProcessA
GetDriveTypeA
FindNextFileA
FindClose
FindFirstFileA
RemoveDirectoryA
CreateDirectoryA
SetCurrentDirectoryA
GetCurrentDirectoryA
MoveFileA
DeleteFileA
GetFileAttributesA
QueryPerformanceCounter
QueryPerformanceFrequency
GetEnvironmentStrings
FreeEnvironmentStringsA
SetEnvironmentVariableA
GetEnvironmentVariableA
SetMailslotInfo
CreateNamedPipeA
GetMailslotInfo
CreateMailslotA
FlushFileBuffers
ReadFile
WriteFile
LockFile
UnlockFile
SetEndOfFile
SetStdHandle
CreatePipe
GetTempPathA
SetFilePointer
PurgeComm
SetupComm
SetCommTimeouts
GetCommState
SetCommState
GetSystemInfo
SetLastError
GetQueuedCompletionStatus
GetExitCodeProcess
FindCloseChangeNotification
CancelIo
FindFirstChangeNotificationA
WaitForMultipleObjects
SetThreadPriority
CreateIoCompletionPort
SetConsoleCtrlHandler
UnmapViewOfFile
FlushViewOfFile
GetFileSize
CreateFileMappingA
MapViewOfFile
EnterCriticalSection
LeaveCriticalSection
PulseEvent
InitializeCriticalSectionAndSpinCount
GetCurrentThreadId
CreateMutexA
DeleteCriticalSection
TlsAlloc
ReleaseMutex
TlsGetValue
TlsSetValue
ExpandEnvironmentStringsA
GetTempFileNameA
SetEvent
CreateEventA
CreateThread
CloseHandle
WaitForSingleObject
ResetEvent
Sleep
Beep
GetModuleFileNameA
FreeLibrary
GetProcAddress
GetLastError
FormatMessageA
LoadLibraryA

Exports

Exports

luaD_growstack
luaF_newproto
luaL_addlstring
luaL_addstring
luaL_addvalue
luaL_argerror
luaL_buffinit
luaL_callmeta
luaL_checkany
luaL_checkinteger
luaL_checklstring
luaL_checknumber
luaL_checkoption
luaL_checkstack
luaL_checktype
luaL_checkudata
luaL_error
luaL_findtable
luaL_getmetafield
luaL_gsub
luaL_loadbuffer
luaL_loadfile
luaL_loadstring
luaL_newmetatable
luaL_newstate
luaL_openlib
luaL_openlibs
luaL_optinteger
luaL_optlstring
luaL_optnumber
luaL_prepbuffer
luaL_pushresult
luaL_ref
luaL_register
luaL_typerror
luaL_unref
luaL_where
luaM_realloc_
luaM_toobig
luaP_opmodes
luaP_opnames
luaS_newlstr
luaU_dump
lua_atpanic
lua_call
lua_checkstack
lua_close
lua_concat
lua_cpcall
lua_createtable
lua_dump
lua_equal
lua_error
lua_gc
lua_getallocf
lua_getfenv
lua_getfield
lua_gethook
lua_gethookcount
lua_gethookmask
lua_getinfo
lua_getlocal
lua_getmetatable
lua_getstack
lua_gettable
lua_gettop
lua_getupvalue
lua_insert
lua_iscfunction
lua_isnumber
lua_isstring
lua_isuserdata
lua_lessthan
lua_load
lua_newstate
lua_newthread
lua_newuserdata
lua_next
lua_objlen
lua_pcall
lua_pushboolean
lua_pushcclosure
lua_pushfstring
lua_pushinteger
lua_pushlightuserdata
lua_pushlstring
lua_pushnil
lua_pushnumber
lua_pushstring
lua_pushthread
lua_pushvalue
lua_pushvfstring
lua_rawequal
lua_rawget
lua_rawgeti
lua_rawset
lua_rawseti
lua_remove
lua_replace
lua_resume
lua_setallocf
lua_setfenv
lua_setfield
lua_sethook
lua_setlocal
lua_setmetatable
lua_settable
lua_settop
lua_setupvalue
lua_status
lua_toboolean
lua_tocfunction
lua_tointeger
lua_tolstring
lua_tonumber
lua_topointer
lua_tothread
lua_touserdata
lua_type
lua_typename
lua_xmove
lua_yield
luaopen_base
luaopen_debug
luaopen_io
luaopen_math
luaopen_os
luaopen_package
luaopen_string
luaopen_sys
luaopen_table

Sections

.text
Size: 196KB - Virtual size: 192KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
removeany.exe
.exe windows:4 windows x86 arch:x86

Password: infected

cedfb10f525305e54e39209491043bdd

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

18/05/2011, 00:00

Not After

17/05/2012, 23:59

Subject

CN=Valery Kuzniatsou,O=Valery Kuzniatsou,POSTALCODE=220025,STREET=Slobodskaia st. 167-101,L=Minsk,ST=Minsk,C=BY

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

5c:59:8c:84:78:bd:5c:a0:cd:fd:ce:64:eb:8e:c0:5e:41:90:8b:9e
Signer

Actual PE Digest

5c:59:8c:84:78:bd:5c:a0:cd:fd:ce:64:eb:8e:c0:5e:41:90:8b:9e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

psapi

GetModuleBaseNameA
GetModuleFileNameExA
GetModuleInformation
EnumProcessModules
EnumProcesses

lua5.1

lua_pushnumber
lua_tolstring
lua_pushcclosure
lua_setfield
lua_pushboolean
lua_pushvalue
lua_getfield
lua_remove
luaL_loadbuffer
lua_pcall
lua_close
luaL_newstate
luaL_openlibs
lua_createtable
lua_rawset
lua_gettop
lua_type
lua_settop
lua_pushlstring
lua_tonumber
lua_pushstring
lua_gettable

sfc

SfcIsFileProtected

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

mfc42

ord6855
ord6832
ord6859
ord6867
ord6847
ord6814
ord6839
ord6846
ord6858
ord6816
ord6815
ord6812
ord6845
ord6856
ord4589
ord4588
ord4899
ord4370
ord4892
ord6817
ord4340
ord4347
ord4720
ord4889
ord4531
ord4545
ord4543
ord4526
ord4529
ord4524
ord4963
ord4960
ord4108
ord6054
ord1776
ord5240
ord5281
ord3748
ord1725
ord5260
ord6614
ord6691
ord4432
ord6478
ord6514
ord6800
ord535
ord941
ord939
ord926
ord860
ord5651
ord3127
ord3616
ord3663
ord6803
ord1979
ord6385
ord665
ord5186
ord350
ord354
ord1168
ord3303
ord6808
ord2864
ord5981
ord6835
ord1816
ord2575
ord6055
ord4396
ord5290
ord3402
ord4424
ord3574
ord567
ord609
ord2302
ord2370
ord6199
ord4160
ord4612
ord4610
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord3738
ord815
ord561
ord6215
ord617
ord5301
ord5214
ord296
ord986
ord6823
ord4159
ord6117
ord2621
ord1134
ord6876
ord1825
ord4238
ord4696
ord3058
ord3065
ord6336
ord2510
ord2542
ord5243
ord5740
ord1746
ord5577
ord3172
ord5653
ord4420
ord4953
ord4858
ord2399
ord4387
ord3454
ord3198
ord6080
ord6175
ord4623
ord700
ord652
ord398
ord338
ord4823
ord5594
ord6329
ord4426
ord1175
ord913
ord5632
ord3439
ord1945
ord4273
ord4341
ord4349
ord4723
ord4890
ord4964
ord4961
ord1726
ord560
ord813
ord1942
ord4532
ord5076
ord3399
ord3734
ord3571
ord5259
ord686
ord2097
ord384
ord303
ord3626
ord2414
ord4272
ord2652
ord6008
ord1669
ord2408
ord2862
ord4284
ord5572
ord2915
ord3297
ord2379
ord3914
ord5054
ord1842
ord4242
ord2723
ord2390
ord3059
ord5100
ord5103
ord4303
ord3350
ord5012
ord5472
ord2879
ord2878
ord4151
ord4077
ord5237
ord5282
ord2649
ord1665
ord4436
ord794
ord807
ord796
ord674
ord527
ord554
ord529
ord366
ord2494
ord2627
ord2626
ord6000
ord2117
ord4163
ord6625
ord2863
ord4457
ord5252
ord5910
ord2252
ord5066
ord975
ord2920
ord4224
ord4427
ord2817
ord923
ord765
ord3698
ord2358
ord1105
ord5681
ord4123
ord2642
ord4220
ord6857
ord3654
ord2438
ord1644
ord1146
ord500
ord772
ord5860
ord6142
ord6807
ord6591
ord6650
ord6597
ord823
ord4710
ord6334
ord858
ord4129
ord924
ord2818
ord537
ord922
ord6877
ord2645
ord4234
ord2301
ord825
ord324
ord540
ord641
ord800
ord3597
ord4425
ord4627
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4853
ord4376
ord5265
ord1576
ord520
ord2584

msvcrt

_errno
fputs
qsort
fgets
strncmp
strncpy
sscanf
strstr
strtoul
memchr
_findnext
memmove
_ftol
strchr
time
fputc
strtol
_isctype
__mb_cur_max
_lseeki64
gmtime
_fstati64
fflush
getenv
strerror
_sys_nerr
_beginthreadex
fprintf
_fdopen
clearerr
_setmbcp
?set_terminate@@YAP6AXXZP6AXXZ@Z
_access
_CxxThrowException
_mbscmp
_purecall
printf
atoi
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
fclose
fread
ftell
fseek
fopen
??0exception@@QAE@ABQBD@Z
fwrite
_splitpath
wcslen
?what@exception@@UBEPBDXZ
??0exception@@QAE@XZ
_vsnprintf
tolower
toupper
_except_handler3
sprintf
_stat
_snprintf
mbstowcs
isdigit
islower
isupper
_stricmp
__dllonexit
_onexit
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_findfirst
__CxxFrameHandler
_fileno
_strdup
_strnicmp
_open
_close
_read
_controlfp
_pctype
malloc
free
realloc
calloc
strrchr
_stati64
_iob

kernel32

GetModuleHandleA
FreeLibrary
CreateMutexA
GetLastError
DeleteFileA
CreateProcessA
WaitForSingleObject
GetExitCodeProcess
CloseHandle
GetACP
GetUserDefaultUILanguage
MoveFileExA
Sleep
GetCurrentProcess
GetCurrentDirectoryA
GetSystemDirectoryA
GetLongPathNameA
WideCharToMultiByte
FindResourceA
GetWindowsDirectoryA
GetFileSize
CreateFileA
GetProcAddress
GetFileType
QueryDosDeviceA
SizeofResource
LockResource
LoadResource
EnumResourceNamesA
GetVersionExA
GetNativeSystemInfo
GetSystemTime
FileTimeToSystemTime
GetFileAttributesExA
GetTempFileNameA
GetTempPathA
ReadProcessMemory
OpenProcess
SearchPathA
Thread32Next
ResumeThread
SuspendThread
OpenThread
Thread32First
CreateToolhelp32Snapshot
FormatMessageA
TerminateProcess
HeapAlloc
HeapFree
GetProcessHeap
GetStartupInfoA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetLastError
SleepEx
GetStdHandle
GetTickCount
ExpandEnvironmentStringsA
LoadLibraryA
GetFileAttributesA
MultiByteToWideChar
GetModuleFileNameA

user32

SendMessageTimeoutA
PostMessageA
UpdateWindow
ShowWindow
IsIconic
SetForegroundWindow
EnumWindows
SetMenuDefaultItem
AppendMenuA
CheckMenuItem
RemoveMenu
GetDlgItem
DestroyMenu
IsZoomed
IsWindowVisible
GetParent
LoadIconA
TrackPopupMenu
GetCursorPos
EnableMenuItem
GetSubMenu
LoadMenuA
wsprintfA
SetWindowTextA
GetFocus
RegisterWindowMessageA
SendMessageA
InvalidateRect
EnableWindow
GetSystemMenu

advapi32

AdjustTokenPrivileges
OpenProcessToken
LookupPrivilegeValueA

shell32

ShellExecuteA
Shell_NotifyIconA

ole32

CoInitialize
CoCreateInstance

msvcp60

??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z
?_Freeze@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIABV12@II@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PAD0PBD1@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??_7runtime_error@std@@6B@
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??1runtime_error@std@@UAE@XZ
??0runtime_error@std@@QAE@ABV01@@Z
?_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ
?assign@?$char_traits@D@std@@SAXAADABD@Z
??8std@@YA_NPBDABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?max_size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?_Xlen@std@@YAXXZ
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?capacity@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?copy@?$char_traits@D@std@@SAPADPADPBDI@Z
??Mstd@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
??0_Lockit@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

bugtrap

BT_SetSupportURL
BT_CallCppFilter
BT_SetSupportEMail
BT_SetAppName
BT_SetSupportServer
BT_SetFlags
BT_InstallSehFilter

ws2_32

htons
WSAStartup
WSACleanup
getnameinfo
inet_ntoa
ioctlsocket
select
__WSAFDIsSet
accept
listen
recvfrom
sendto
getservbyport
gethostbyaddr
getservbyname
inet_addr
gethostbyname
htonl
WSASetLastError
bind
ntohs
getsockname
socket
connect
setsockopt
getsockopt
recv
send
WSAGetLastError
gethostname
closesocket

iphlpapi

GetExtendedUdpTable
GetExtendedTcpTable

imagehlp

ImageGetCertificateHeader
ImageGetCertificateData

crypt32

CertFindAttribute
CertFindCertificateInStore
CryptMsgVerifyCountersignatureEncodedEx
CryptDecodeObjectEx
CertVerifyTimeValidity
CryptMsgOpenToDecode
CryptMsgUpdate
CertOpenStore
CertGetSubjectCertificateFromStore
CertGetNameStringA
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CryptMsgGetParam
CertCreateCertificateContext
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain

wintrust

WinVerifyTrustEx

Sections

.text
Size: 344KB - Virtual size: 343KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 212KB - Virtual size: 210KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
removeany.exe.manifest
.xml
removeany.xml
.xml
uninstall.exe.nsis

Sharing

General

Malware Config

Signatures

Files

Password: infected

099c0646ea7282d232219f8807883be0

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:beCertificate

Extended Key Usages

Key Usages

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79Certificate

Extended Key Usages

Key Usages

bf:f2:ae:de:91:49:1d:e5:89:7e:77:00:81:a2:9a:34:67:4a:6c:deSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 4KB - Virtual size: 4KB

Password: infected

add11ce79d4925abda7b305cc53287d2

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

Exports

Exports

Sections

.text Size: 2KB - Virtual size: 1KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: - Virtual size: 180B

.reloc Size: 512B - Virtual size: 368B

Password: infected

cae3b41a07819ca715746a4d081b8a6c

Headers

File Characteristics

Imports

advapi32

kernel32

user32

Exports

Exports

Sections

.text Size: 2KB - Virtual size: 2KB

.rdata Size: 1024B - Virtual size: 650B

.data Size: 512B - Virtual size: 28B

.reloc Size: 512B - Virtual size: 284B

addbd323bbef183bd0ae98558ac2934c

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:beCertificate

Extended Key Usages

Key Usages

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79Certificate

Extended Key Usages

Key Usages

ef:04:94:37:26:c7:4f:36:80:b7:76:00:2d:5f:cd:82:09:44:c3:7aSigner

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79
Certificate

bf:f2:ae:de:91:49:1d:e5:89:7e:77:00:81:a2:9a:34:67:4a:6c:de
Signer

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 4KB - Virtual size: 4KB

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: - Virtual size: 180B

.reloc
Size: 512B - Virtual size: 368B

.text
Size: 2KB - Virtual size: 2KB

.rdata
Size: 1024B - Virtual size: 650B

.data
Size: 512B - Virtual size: 28B

.reloc
Size: 512B - Virtual size: 284B

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79
Certificate

ef:04:94:37:26:c7:4f:36:80:b7:76:00:2d:5f:cd:82:09:44:c3:7a
Signer

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 768B - Virtual size: 708B

.data
Size: 512B - Virtual size: 448B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 896B - Virtual size: 848B

.reloc
Size: 640B - Virtual size: 536B

.text
Size: 179KB - Virtual size: 178KB

.rdata
Size: 35KB - Virtual size: 35KB

.data
Size: 5KB - Virtual size: 17KB

.rsrc
Size: 38KB - Virtual size: 38KB

.reloc
Size: 11KB - Virtual size: 11KB

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

7f:9b:59:67:bf:bf:b7:f7:61:3e:02:68:c5:7c:cf:79
Certificate

2c:2b:f7:36:a9:3d:70:1a:22:2b:74:ad:89:c9:47:bf:c7:2b:29:aa
Signer

.text
Size: 172KB - Virtual size: 170KB

.rdata
Size: 20KB - Virtual size: 16KB

.data
Size: 16KB - Virtual size: 15KB

.rsrc
Size: 100KB - Virtual size: 96KB

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:0f:78:4d:00:00:00:00:00:03
Certificate