97ac88ec3e2fe911f03d25858cbfdd7db65e270d71b9d6b6629dcf54ec1faea1N

Sharing

Copy URL Twitter E-mail

General

Target

97ac88ec3e2fe911f03d25858cbfdd7db65e270d71b9d6b6629dcf54ec1faea1N
Size

2.2MB
MD5

89677cc11647817b82977a71a8150870
SHA1

e4be0eed67737ee3617e2f1d4a783230d7f78a99
SHA256

97ac88ec3e2fe911f03d25858cbfdd7db65e270d71b9d6b6629dcf54ec1faea1
SHA512

c4edd1b41f01b20eab598a7b060377b10d3e6ff5f806f3e3f6daedd84fe9503df3be676cefdaa4bdccd3fa2b13acfb50ec244f9daec1292151c9955a9479df11
SSDEEP

49152:a26pOw9WRTkY6d337lzn9EH2JHNMtbkTSaJQ1r7ep:a2lG35JHwAhQ1mp

Score

3^/10

Malware Config

Signatures

Unsigned PE 9 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$0/cbhook-x64.dll
unpack001/$0/cbhook-x86.dll
unpack001/$0/embedhook-x64.exe
unpack001/$0/embedhook-x86.exe
unpack001/$0/nstvhk64.dll
unpack001/$0/nstvhook.dll
unpack001/$0/nstvstub.exe
unpack001/$0/winrtpxy.dll
unpack001/$PLUGINSDIR/System.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

97ac88ec3e2fe911f03d25858cbfdd7db65e270d71b9d6b6629dcf54ec1faea1N
.exe windows:4 windows x86 arch:x86

099c0646ea7282d232219f8807883be0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7d:b1:04:bf:89:32:9f:d8:b9:e2:c3:6f:80:fc:38:8c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

30/01/2013, 00:00

Not After

30/04/2016, 23:59

Subject

CN=Bomgar Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2b:f4:6e:d0:d1:6e:42:60:c5:c7:a5:c1:c5:b6:45:86:68:fd:e1:3d
Signer

Actual PE Digest

2b:f4:6e:d0:d1:6e:42:60:c5:c7:a5:c1:c5:b6:45:86:68:fd:e1:3d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 44KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$0/$OUTDIR/remove.exe.nsis
$0/app_icon_16.png
.png
$0/app_icon_32.png
.png
$0/bomgar-scc.exe
.exe windows:5 windows x64 arch:x64

fdfe51e5b0d67dd5330ce08275900212

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7d:b1:04:bf:89:32:9f:d8:b9:e2:c3:6f:80:fc:38:8c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

30/01/2013, 00:00

Not After

30/04/2016, 23:59

Subject

CN=Bomgar Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

18:29:7a:ed:92:1a:ca:8b:48:27:cb:25:16:33:10:27:af:7f:c8:6d
Signer

Actual PE Digest

18:29:7a:ed:92:1a:ca:8b:48:27:cb:25:16:33:10:27:af:7f:c8:6d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bomgar-scc-x64.pdb

Imports

kernel32

GetDiskFreeSpaceExA
UnmapViewOfFile
GetSystemDirectoryA
LoadLibraryA
QueryPerformanceCounter
QueryPerformanceFrequency
VirtualQuery
VirtualAlloc
VirtualProtect
HeapReAlloc
GetTimeFormatA
GetDateFormatA
ExitProcess
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
GetLocaleInfoA
RtlPcToFileHeader
GetFullPathNameW
FileTimeToSystemTime
FileTimeToLocalFileTime
FlushFileBuffers
GetFileInformationByHandle
ExitThread
RtlUnwindEx
GetCPInfo
LCMapStringA
LCMapStringW
GetStringTypeW
GetLogicalDriveStringsA
EncodePointer
DecodePointer
FlsGetValue
FlsSetValue
FlsFree
FlsAlloc
GetModuleFileNameA
HeapSetInformation
HeapCreate
HeapDestroy
GetACP
GetOEMCP
IsValidCodePage
HeapSize
InitializeCriticalSectionAndSpinCount
GetConsoleCP
GetConsoleMode
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetFileType
SetHandleCount
GetStartupInfoA
GetCurrentDirectoryA
GetStringTypeA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
GetLocaleInfoW
SetEnvironmentVariableA
WriteConsoleA
GetConsoleOutputCP
CreateFileA
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatus
DisconnectNamedPipe
GetOverlappedResult
CreateNamedPipeW
ConnectNamedPipe
lstrlenA
WriteConsoleW
InterlockedPushEntrySList
VirtualFree
InterlockedPopEntrySList
GetComputerNameW
SystemTimeToFileTime
GetSystemInfo
GetTempPathW
GetTempFileNameW
GetDiskFreeSpaceExW
RemoveDirectoryW
SetCurrentDirectoryW
CreateDirectoryW
ReleaseMutex
CreateMutexW
GetCurrentThread
TlsAlloc
TlsSetValue
TlsGetValue
OpenEventW
SetStdHandle
GetSystemTimeAsFileTime
LocalAlloc
LockFileEx
MoveFileW
UnlockFileEx
SetEndOfFile
SetFilePointer
OutputDebugStringW
FormatMessageA
GetModuleFileNameW
FindNextFileW
FindClose
GetDriveTypeA
SetFileTime
GetLogicalDrives
WaitForMultipleObjects
SetNamedPipeHandleState
CreateThread
CreateSemaphoreW
ReleaseSemaphore
TerminateThread
VirtualQueryEx
SetUnhandledExceptionFilter
DeleteFileW
FindFirstFileW
CreateFileMappingW
lstrcmpW
CreateEventW
GetCommandLineW
lstrcmpiW
lstrlenW
GetVersionExW
ResumeThread
GetExitCodeThread
WriteFileEx
CancelIo
SleepEx
ReadFileEx
QueueUserAPC
PeekNamedPipe
SetConsoleWindowInfo
SetConsoleCtrlHandler
GetConsoleScreenBufferInfo
GetStdHandle
ReadConsoleOutputW
FreeConsole
GenerateConsoleCtrlEvent
SetConsoleScreenBufferSize
AllocConsole
WriteConsoleInputW
DuplicateHandle
CreatePipe
CreateProcessW
SetFileAttributesW
GetCurrentThreadId
FlushInstructionCache
CopyFileW
GetTickCount
GetExitCodeProcess
GetWindowsDirectoryW
GetTimeZoneInformation
GetStartupInfoW
GetTimeFormatW
GetDriveTypeW
GetDateFormatW
SetLastError
ReadFile
WriteFile
WaitNamedPipeW
OpenProcess
GetProcessHeap
HeapFree
HeapAlloc
GlobalUnlock
GlobalLock
GetShortPathNameW
GetFileAttributesW
lstrcpyW
lstrcpynW
ExpandEnvironmentStringsW
GlobalFree
FormatMessageW
GlobalAlloc
LoadLibraryExW
GetLastError
CreateFileW
RaiseException
CompareStringW
MulDiv
GetModuleHandleW
WideCharToMultiByte
LocalFree
lstrcatW
GetProcAddress
MultiByteToWideChar
TerminateProcess
Sleep
GetCurrentProcess
LoadLibraryW
GetSystemDirectoryW
FreeLibrary
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetEvent
WaitForSingleObject
GetCurrentProcessId
ResetEvent
CloseHandle
CreateEventA
OpenEventA
CompareStringA
InitializeCriticalSection

user32

IsWindowEnabled
GetMenuItemInfoW
PtInRect
GetClassInfoExW
TrackPopupMenuEx
MonitorFromWindow
LoadStringW
IsWindow
RemoveMenu
MapWindowPoints
GetMonitorInfoW
GetWindow
SetProcessWindowStation
CloseWindowStation
GetProcessWindowStation
OpenDesktopW
GetUserObjectSecurity
CloseDesktop
SetUserObjectSecurity
OpenWindowStationW
PeekMessageW
VkKeyScanW
MapVirtualKeyW
GetActiveWindow
TrackPopupMenu
RegisterWindowMessageW
GetSubMenu
DeleteMenu
GetMenuStringW
LoadMenuW
AppendMenuW
GetCursorPos
GetMenuItemCount
SetMenuItemInfoW
GetMessageW
WaitForInputIdle
ExitWindowsEx
TranslateMessage
GetForegroundWindow
BlockInput
CreateDialogParamW
MonitorFromRect
DispatchMessageW
SetWindowRgn
LoadBitmapW
RedrawWindow
GetScrollPos
EndPaint
CloseClipboard
SetCapture
MessageBeep
GetAsyncKeyState
EmptyClipboard
ShowScrollBar
OpenClipboard
ReleaseCapture
SetClipboardData
GetTopWindow
ScreenToClient
PostThreadMessageW
SetThreadDesktop
SetClassLongPtrW
DrawIcon
TrackMouseEvent
UpdateLayeredWindow
GetShellWindow
GetWindowThreadProcessId
GetAncestor
EnumWindows
GetUserObjectInformationW
OpenInputDesktop
GetThreadDesktop
GetClipboardOwner
SetClipboardViewer
ChangeClipboardChain
UnregisterClassA
CreatePopupMenu
DestroyMenu
SystemParametersInfoW
GetClipboardData
IsClipboardFormatAvailable
mouse_event
ToUnicodeEx
ToUnicode
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyboardLayout
GetKeyboardState
CallNextHookEx
SendInput
VkKeyScanExW
keybd_event
SendMessageTimeoutW
GetDCEx
GetClassLongPtrW
GetLastActivePopup
GetUpdateRect
IsWindowVisible
AdjustWindowRect
DialogBoxParamW
LoadStringA
GetKeyState
IsIconic
PostQuitMessage
SetCursor
EnableMenuItem
DialogBoxIndirectParamW
HideCaret
GetSystemMenu
IsDialogMessageW
BeginPaint
EnumDesktopsW
DestroyWindow
GetWindowInfo
GetScrollBarInfo
GetScrollInfo
ScrollWindow
UpdateWindow
UnregisterClassW
MapDialogRect
EnumDisplaySettingsW
GetCursor
GetIconInfo
EnumDisplayMonitors
ChangeDisplaySettingsExW
EnumDisplayDevicesW
SetLayeredWindowAttributes
WaitMessage
GetDoubleClickTime
SetScrollInfo
GetNextDlgTabItem
SetWindowPlacement
SetForegroundWindow
SetFocus
GetWindowPlacement
BringWindowToTop
GetClassNameW
SendDlgItemMessageW
GetDlgItemTextW
SetDlgItemTextW
SetTimer
LockWorkStation
MessageBoxW
KillTimer
GetMenu
SetWindowLongW
EndDialog
SetWindowPos
ShowWindow
AdjustWindowRectEx
SetWindowTextW
LoadImageW
FindWindowW
CopyIcon
DestroyIcon
GetDlgItem
CopyImage
CreateIconIndirect
GetDC
ReleaseDC
DrawStateW
GetDesktopWindow
GetSystemMetrics
GetWindowRect
GetClientRect
DrawFocusRect
GetWindowLongW
MoveWindow
GetWindowTextLengthW
FillRect
PostMessageW
DrawTextW
GetParent
LoadCursorW
GetWindowLongPtrW
InflateRect
RegisterClassExW
LoadIconW
OffsetRect
GetWindowTextW
GetSysColor
GetSysColorBrush
FrameRect
CreateWindowExW
SetWindowLongPtrW
SendMessageW
EnableWindow
GetDlgCtrlID
DrawFrameControl
CallWindowProcW
DefWindowProcW
CopyRect
InvalidateRect
WindowFromPoint

gdi32

GetRegionData
GetRandomRgn
MoveToEx
LineTo
Rectangle
Ellipse
CreatePen
CreateDCW
GetDeviceCaps
GetTextExtentPoint32W
ExtTextOutW
CreateFontW
SetTextAlign
GetTextMetricsW
GetBitmapBits
GetStockObject
BitBlt
DeleteDC
CreateDIBSection
StretchBlt
SetBrushOrgEx
GetDIBits
CreateBitmap
SelectObject
CreateCompatibleDC
DPtoLP
CreateSolidBrush
DeleteObject
SetBkMode
SetBkColor
SetTextColor
GetObjectW
GetPixel
ExtEscape
CreateFontIndirectW
CreateRectRgn
SetStretchBltMode
GetMapMode
CreateCompatibleBitmap
CombineRgn
SetMapMode

comdlg32

CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW

advapi32

ImpersonateLoggedOnUser
IsValidSecurityDescriptor
SetSecurityDescriptorOwner
AccessCheck
SetSecurityDescriptorGroup
OpenThreadToken
CryptGenRandom
CryptAcquireContextA
CryptReleaseContext
RegCreateKeyW
GetSecurityDescriptorGroup
MakeSelfRelativeSD
GetSecurityDescriptorSacl
InitializeSid
GetSidLengthRequired
GetSecurityDescriptorOwner
MakeAbsoluteSD
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSidSubAuthority
CreateWellKnownSid
CheckTokenMembership
RegSetValueExW
RegOpenKeyExW
RegEnumValueW
RegDeleteValueW
RegConnectRegistryW
RegDeleteKeyW
RegQueryInfoKeyW
RegCreateKeyExW
RegEnumKeyW
RegQueryValueExW
ControlService
RegisterServiceCtrlHandlerW
SetServiceStatus
QueryServiceStatus
StartServiceA
OpenServiceW
StartServiceCtrlDispatcherW
DeleteService
LookupAccountSidW
OpenEventLogW
GetOldestEventLogRecord
GetNumberOfEventLogRecords
ReadEventLogW
CloseEventLog
RegQueryValueW
RegCloseKey
OpenServiceA
CloseServiceHandle
OpenSCManagerW
QueryServiceConfig2W
CreateProcessWithLogonW
LogonUserW
GetTokenInformation
CopySid
DuplicateTokenEx
IsValidSid
GetLengthSid
GetAclInformation
EqualSid
CreateProcessAsUserW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetAce
DuplicateToken
InitializeAcl
AddAccessAllowedAce
RevertToSelf
AddAce
GetSecurityDescriptorDacl
GetUserNameW
AllocateAndInitializeSid
FreeSid
RegisterEventSourceW
DeregisterEventSource
ReportEventW
OpenProcessToken
CreateServiceW

shell32

SHChangeNotify
CommandLineToArgvW
DragFinish
DragQueryFileW
ShellExecuteExW
SHGetPathFromIDListW
SHGetFolderLocation
ShellExecuteW
SHGetSpecialFolderLocation
SHGetFolderPathW
SHGetDesktopFolder
Shell_NotifyIconW
ExtractIconExW
SHBrowseForFolderW

ole32

CoTaskMemFree
CoSetProxyBlanket
CoCreateGuid
CoInitializeEx
CoUninitialize
CoInitialize
CoCreateInstance

oleaut32

SysFreeString
SysAllocString
SysStringLen
VariantClear
SysAllocStringByteLen
VariantInit
SafeArrayGetLBound
SafeArrayDestroy
SafeArrayUnlock
SysStringByteLen
VariantCopy
SafeArrayCopy
SafeArrayGetUBound
SafeArrayGetVartype
SafeArrayLock
VariantChangeType
SafeArrayGetDim

crypt32

CryptHashPublicKeyInfo
CertNameToStrW

shlwapi

AssocQueryStringByKeyW
AssocQueryStringW
SHDeleteKeyW
SHCopyKeyW
StrCmpIW
StrStrIW
StrRetToBufW
StrRetToStrW

comctl32

ImageList_Destroy
ImageList_ReplaceIcon
ImageList_Create
InitCommonControlsEx
_TrackMouseEvent

setupapi

SetupDiGetDeviceRegistryPropertyW
SetupDiGetClassDevsW
SetupDiClassNameFromGuidW
SetupDiClassGuidsFromNameW
SetupDiEnumDeviceInfo
SetupDiDestroyDeviceInfoList
CM_Enumerate_Classes

rpcrt4

UuidToStringW
RpcStringFreeW

userenv

CreateEnvironmentBlock
LoadUserProfileW
UnloadUserProfile
DestroyEnvironmentBlock

winmm

timeGetTime
PlaySoundW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

mpr

WNetGetUniversalNameW

iphlpapi

SendARP

ws2_32

htonl
htons
getservbyport
getservbyname
WSASetLastError
gethostbyaddr
gethostbyname
select
bind
listen
sendto
inet_addr
closesocket
ntohs
getpeername
connect
WSASocketW
getsockname
setsockopt
recv
send
getsockopt
shutdown
inet_ntoa
WSACleanup
WSAStartup
ioctlsocket
socket
__WSAFDIsSet
recvfrom
accept
WSAGetLastError

urlmon

URLDownloadToFileW

Sections

.text
Size: 5.5MB - Virtual size: 5.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 111KB - Virtual size: 179KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 411KB - Virtual size: 411KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE

data
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$0/button_cb_access_key.png
.png
$0/button_cb_private.png
.png
$0/button_cb_survey.png
.png
$0/button_cb_team.png
.png
$0/button_panic.png
.png
$0/button_sidebar_alert.png
.png
$0/button_sidebar_collapsed.png
.png
$0/button_sidebar_expanded.png
.png
$0/button_viewer_actual_size.png
.png
$0/button_viewer_fit.png
.png
$0/button_viewer_quality16.png
.png
$0/button_viewer_quality32.png
.png
$0/button_viewer_quality8.png
.png
$0/cbhook-x64.dll
.dll windows:5 windows x64 arch:x64

bfbf57b8ad678eac1cc050371f55df9f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

c:\Source\maintenance-ingredi-14.3\networkstreaming\trymax\sdcust\client\Win32\embedded_cb\cbhook\cbhook-x64.pdb

Imports

psapi

GetModuleFileNameExW

kernel32

CloseHandle
GlobalAddAtomW
InitializeCriticalSection
DeleteCriticalSection
CreateProcessW
FreeLibrary
GetProcAddress
LoadLibraryW
LoadLibraryA
lstrcmpiW
GlobalDeleteAtom
CreateFileMappingW
MapViewOfFile
GetCurrentProcessId
LocalAlloc
GetCurrentProcess
GetLastError
lstrlenW
LocalFree
LeaveCriticalSection
EnterCriticalSection
lstrcpynW
OutputDebugStringW
lstrcpynA
OutputDebugStringA
DisableThreadLibraryCalls
RaiseException

user32

GetPropW
wsprintfW
PtInRect
GetParent
DefWindowProcW
RegisterClassW
LoadCursorW
EnumWindows
SendMessageTimeoutW
SetWindowsHookExW
LoadImageW
FindWindowExW
GetClassNameW
GetMonitorInfoW
MonitorFromWindow
OffsetRect
GetWindowRgn
GetCursorPos
GetForegroundWindow
DrawIconEx
SetPropW
MoveWindow
ShowWindow
CreateWindowExW
SetLayeredWindowAttributes
GetSystemMetrics
GetWindowLongW
IsZoomed
UnregisterClassW
FindWindowW
GetWindowThreadProcessId
PostMessageW
BeginPaint
GetWindowRect
EndPaint
IsWindow
SendMessageW
RemovePropW
CharLowerBuffW
wvsprintfW
CallNextHookEx
IsIconic
PostThreadMessageW
InvalidateRect
DrawFrameControl
IsWindowVisible
wvsprintfA
UnhookWindowsHookEx

gdi32

GetObjectW
BitBlt
DeleteDC
CreateDIBSection
CreateCompatibleDC
CreateRectRgn
GetRgnBox
DeleteObject
SetBkMode
SelectObject
SetViewportOrgEx
CreateSolidBrush

advapi32

RegQueryInfoKeyW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegEnumKeyExW

shlwapi

StrToIntW
StrRChrW
StrCpyNW
StrNCatW
StrStrW

Exports

Exports

InstallMessageHook
Kill
UnInstallMessageHook

Sections

.text
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$0/cbhook-x86.dll
.dll windows:5 windows x86 arch:x86

6d5d5bf09f5bc2fdc83e57cfe61e6cde

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\Source\maintenance-ingredi-14.3\networkstreaming\trymax\sdcust\client\Win32\embedded_cb\cbhook\cbhook-x86.pdb

Imports

psapi

GetModuleFileNameExW

kernel32

CloseHandle
GlobalAddAtomW
InitializeCriticalSection
DeleteCriticalSection
CreateProcessW
FreeLibrary
GetProcAddress
LoadLibraryW
LoadLibraryA
InterlockedExchange
lstrcmpiW
GlobalDeleteAtom
CreateFileMappingW
MapViewOfFile
GetCurrentProcessId
LocalAlloc
GetCurrentProcess
GetLastError
lstrlenW
LocalFree
LeaveCriticalSection
EnterCriticalSection
lstrcpynW
OutputDebugStringW
lstrcpynA
OutputDebugStringA
DisableThreadLibraryCalls
RaiseException

user32

wsprintfW
PtInRect
GetParent
DefWindowProcW
RegisterClassW
LoadCursorW
EnumWindows
SendMessageTimeoutW
SetWindowsHookExW
LoadImageW
FindWindowExW
GetClassNameW
GetMonitorInfoW
MonitorFromWindow
OffsetRect
GetWindowRgn
GetCursorPos
GetForegroundWindow
DrawIconEx
GetPropW
IsIconic
MoveWindow
ShowWindow
CreateWindowExW
SetLayeredWindowAttributes
GetSystemMetrics
GetWindowLongW
IsZoomed
UnregisterClassW
FindWindowW
GetWindowThreadProcessId
PostMessageW
BeginPaint
GetWindowRect
EndPaint
IsWindow
SendMessageW
RemovePropW
CharLowerBuffW
SetPropW
CallNextHookEx
IsWindowVisible
PostThreadMessageW
DrawFrameControl
InvalidateRect
wvsprintfW
wvsprintfA
UnhookWindowsHookEx

gdi32

GetObjectW
BitBlt
DeleteDC
CreateDIBSection
CreateCompatibleDC
CreateRectRgn
GetRgnBox
DeleteObject
SetBkMode
SelectObject
SetViewportOrgEx
CreateSolidBrush

advapi32

RegQueryInfoKeyW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegEnumKeyExW

shlwapi

StrToIntW
StrRChrW
StrCpyNW
StrNCatW
StrStrW

Exports

Exports

InstallMessageHook
Kill
UnInstallMessageHook

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 76B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$0/embedhook-x64.exe
.exe windows:5 windows x64 arch:x64

dbfb7cae1a1af2fe0d60bbfa032f3eb3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

embedhook-x64.pdb

Imports

kernel32

OutputDebugStringA
lstrcpynA
OutputDebugStringW
lstrcpynW
LocalFree
lstrcatW
GetSystemTimeAsFileTime
LocalReAlloc
GetModuleFileNameW
LocalAlloc
lstrlenW
GetLastError
CreateProcessW
FreeLibrary
GetProcAddress
LoadLibraryW
lstrcmpiW
GetCurrentThreadId
GetCommandLineW

user32

DispatchMessageW
TranslateMessage
GetMessageW
CharPrevW
wvsprintfW
wvsprintfA

shell32

CommandLineToArgvW

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$0/embedhook-x86.exe
.exe windows:5 windows x86 arch:x86

dbfb7cae1a1af2fe0d60bbfa032f3eb3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

embedhook-x86.pdb

Imports

kernel32

OutputDebugStringA
lstrcpynA
OutputDebugStringW
lstrcpynW
LocalFree
lstrcatW
GetSystemTimeAsFileTime
LocalReAlloc
GetModuleFileNameW
LocalAlloc
lstrlenW
GetLastError
CreateProcessW
FreeLibrary
GetProcAddress
LoadLibraryW
lstrcmpiW
GetCurrentThreadId
GetCommandLineW

user32

DispatchMessageW
TranslateMessage
GetMessageW
CharPrevW
wvsprintfW
wvsprintfA

shell32

CommandLineToArgvW

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 222B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$0/icon_exclamation.png
.png
$0/indicator_ft_animation0.png
.png
$0/indicator_ft_animation1.png
.png
$0/indicator_ft_animation2.png
.png
$0/indicator_ft_animation3.png
.png
$0/indicator_ft_animation4.png
.png
$0/indicator_pinned_connected.png
.png
$0/indicator_pinned_disconnected.png
.png
$0/indicator_rep_not_present.png
.png
$0/indicator_rep_present.png
.png
$0/indicator_rep_viewing.png
.png
$0/indicator_ss_watermark.png
.png
$0/nstvhk64.dll
.dll windows:5 windows x64 arch:x64

a65677f0afb3fbb63455df2df8e9a8b7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

psapi

GetModuleFileNameExA

kernel32

GetLastError
GetCurrentProcess
lstrlenA
LocalAlloc
MapViewOfFile
OpenFileMappingA
lstrcpynA
UnmapViewOfFile
CreateFileMappingA
GlobalDeleteAtom
GlobalAddAtomA
LocalFree
OutputDebugStringA
CloseHandle

user32

ClientToScreen
GetCursor
SubtractRect
GetClientRect
IsRectEmpty
GetWindowRect
IsIconic
IsWindowVisible
IsWindow
CallNextHookEx
RegisterWindowMessageA
SetWindowsHookExA
PostMessageA
GetPropA
UnhookWindowsHookEx
wvsprintfA
SetPropA

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetEntriesInAclA
AllocateAndInitializeSid
FreeSid

Exports

Exports

InstallMessageHook
UnInstallMessageHook

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$0/nstvhook.dll
.dll windows:5 windows x86 arch:x86

79aa119aec4025407b5fe76aa65ae077

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

psapi

GetModuleFileNameExA

kernel32

GetLastError
GetCurrentProcess
lstrlenA
LocalAlloc
MapViewOfFile
OpenFileMappingA
LocalFree
UnmapViewOfFile
CreateFileMappingA
GlobalDeleteAtom
GlobalAddAtomA
lstrcpynA
OutputDebugStringA
CloseHandle

user32

PostMessageA
ClientToScreen
SubtractRect
GetClientRect
IsRectEmpty
GetWindowRect
IsIconic
IsWindowVisible
IsWindow
CallNextHookEx
RegisterWindowMessageA
SetWindowsHookExA
GetPropA
SetPropA
UnhookWindowsHookEx
wvsprintfA
GetCursor

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetEntriesInAclA
AllocateAndInitializeSid
FreeSid

Exports

Exports

InstallMessageHook
UnInstallMessageHook

Sections

.text
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 522B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$0/nstvstub.exe
.exe windows:5 windows x86 arch:x86

81ddd3155066cac467cf6c78f4aba9e0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

nstvstub-Win32.pdb

Imports

kernel32

FreeLibrary
LoadLibraryW
GetLastError
GetProcAddress
lstrcmpiW
LocalFree
LCMapStringW
LCMapStringA
GetStringTypeW
MultiByteToWideChar
GetStringTypeA
GetStartupInfoW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
WideCharToMultiByte

user32

PostQuitMessage
KillTimer
TranslateMessage
IsWindow
DispatchMessageW
GetMessageW
SetTimer

shell32

CommandLineToArgvW

shlwapi

StrToIntExW

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$0/nudge.wav
$0/pinuninstall.bat
$0/preload-en-us.rdf
$0/sas.dll
.dll windows:6 windows x64 arch:x64

539b8218dccc41fb0ec666e865913971

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:27:81:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/10/2008, 21:24

Not After

22/01/2010, 21:34

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:94:2d:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:02

Not After

25/07/2013, 19:12

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:7A82-688A-9F92,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

0d:ff:89:21:46:f8:29:6c:d0:d3:97:97:a9:6e:e8:b8:e9:2a:f3:c8
Signer

Actual PE Digest

0d:ff:89:21:46:f8:29:6c:d0:d3:97:97:a9:6e:e8:b8:e9:2a:f3:c8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

SAS.pdb

Imports

msvcrt

malloc
_initterm
free
_amsg_exit
__C_specific_handler
_XcptFilter
_vsnwprintf
memset

kernel32

RtlLookupFunctionEntry
SetLastError
GetProcessHeap
HeapFree
HeapAlloc
LoadLibraryA
GetProcAddress
FreeLibrary
RtlCaptureContext
RtlVirtualUnwind
DisableThreadLibraryCalls
Sleep
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter

rpcrt4

RpcStringFreeW
RpcBindingFree
RpcBindingSetAuthInfoExW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
NdrClientCall3
I_RpcExceptionFilter

Exports

Exports

SendSAS

Sections

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 324B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 220B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$0/server.lic
$0/spinner.exe
.exe windows:5 windows x64 arch:x64

790cc1c461d643d22f46c65fcc84af02

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7d:b1:04:bf:89:32:9f:d8:b9:e2:c3:6f:80:fc:38:8c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

30/01/2013, 00:00

Not After

30/04/2016, 23:59

Subject

CN=Bomgar Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Remote Support,O=Bomgar Corporation,L=Ridgeland,ST=Mississippi,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

82:0b:9e:7a:3b:01:d0:15:75:55:04:52:91:92:c0:64:14:bd:5b:30
Signer

Actual PE Digest

82:0b:9e:7a:3b:01:d0:15:75:55:04:52:91:92:c0:64:14:bd:5b:30

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Source\maintenance-ingredi-14.3\networkstreaming\user_interface\ProgressFeedback\Win32\spinner\spinner-x64.pdb

Imports

kernel32

GetCurrentThreadId
OutputDebugStringW
GetModuleHandleW
lstrlenW
GetModuleFileNameW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
OutputDebugStringA
WaitForSingleObject
SetEvent
GetExitCodeThread
DeleteCriticalSection
SetLastError
CreateEventW
LocalAlloc
lstrcpyW
GetCommandLineW
lstrcmpW
CreateThread
GetLastError
LocalFree
CloseHandle
GetStartupInfoW

user32

LoadCursorW
LoadImageW
CharPrevW
UnregisterClassW
DefWindowProcW
SetWindowLongPtrW
GetWindowLongPtrW
SetTimer
SetWindowPos
EndPaint
BeginPaint
PostMessageW
InvalidateRect
MoveWindow
GetSystemMetrics
DestroyWindow
PostQuitMessage
ShowWindow
GetClassLongPtrW
CreateWindowExW
GetSysColorBrush
wsprintfW
wvsprintfW
wsprintfA
wvsprintfA
GetMessageW
TranslateMessage
DispatchMessageW
RegisterClassExW

gdi32

DeleteObject
GetObjectW
SelectObject
CreateCompatibleDC
DeleteDC
BitBlt

shell32

CommandLineToArgvW

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$0/start-cb-hook.bat
.bat .vbs
$0/startup_animation_1.bmp
$0/startup_animation_2.bmp
$0/startup_animation_3.bmp
$0/startup_animation_4.bmp
$0/startup_animation_5.bmp
$0/stop-cb-hook.bat.template
$0/uninstall.bat
$0/winrtpxy.dll
.dll windows:6 windows x64 arch:x64

bac41e6974b90458624ca534de5b49a7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

winrtpxy.pdb

Imports

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsDeleteString

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

kernel32

FreeEnvironmentStringsW
CloseHandle
WriteConsoleW
SetFilePointerEx
SetStdHandle
RaiseException
GetConsoleMode
GetConsoleCP
FlushFileBuffers
HeapSize
EncodePointer
DecodePointer
GetCommandLineA
GetCurrentThreadId
IsDebuggerPresent
IsProcessorFeaturePresent
RtlUnwindEx
GetStdHandle
WriteFile
GetModuleFileNameW
GetLastError
HeapFree
HeapAlloc
RtlPcToFileHeader
RtlLookupFunctionEntry
SetLastError
ExitProcess
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
GetProcessHeap
GetFileType
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InitOnceExecuteOnce
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount64
GetEnvironmentStringsW
CreateFileW
WideCharToMultiByte
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetCurrentProcess
TerminateProcess
GetModuleHandleW
Sleep
OutputDebugStringW
LoadLibraryExW
LoadLibraryW
LCMapStringEx
EnterCriticalSection
LeaveCriticalSection
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
HeapReAlloc
GetStringTypeW

ole32

CoUninitialize
CoInitializeEx
CoCreateInstance

Exports

Exports

??0WinRT_AppVisibility@@QEAA@AEBV0@@Z
??0WinRT_AppVisibility@@QEAA@XZ
??0WinRT_ToastNotification@@QEAA@AEBV0@@Z
??0WinRT_ToastNotification@@QEAA@PEBG000@Z
??1WinRT_AppVisibility@@UEAA@XZ
??1WinRT_ToastNotification@@UEAA@XZ
??4WinRT_AppVisibility@@QEAAAEAV0@AEBV0@@Z
??4WinRT_ToastNotification@@QEAAAEAV0@AEBV0@@Z
??_7WinRT_AppVisibility@@6B@
??_7WinRT_ToastNotification@@6B@
?__autoclassinit@WinRT_AppVisibility@@QEAAXI@Z
?__autoclassinit@WinRT_ToastNotification@@QEAAXI@Z
?getAppVisibilityOnMonitor@WinRT_AppVisibility@@QEAA_NPEAUHMONITOR__@@@Z
?isLauncherVisible@WinRT_AppVisibility@@QEAA_NXZ
?onActivated@WinRT_ToastNotification@@UEAAXXZ
?onAppVisibilityOnMonitorChanged@WinRT_AppVisibility@@UEAAXPEAUHMONITOR__@@H@Z
?onDismissed@WinRT_ToastNotification@@UEAAXH@Z
?onFailed@WinRT_ToastNotification@@UEAAXXZ
?onLauncherVisibilityChanged@WinRT_AppVisibility@@UEAAXH@Z

Sections

.text
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

099c0646ea7282d232219f8807883be0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

7d:b1:04:bf:89:32:9f:d8:b9:e2:c3:6f:80:fc:38:8cCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

2b:f4:6e:d0:d1:6e:42:60:c5:c7:a5:c1:c5:b6:45:86:68:fd:e1:3dSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 44KB

.rsrc Size: 16KB - Virtual size: 16KB

fdfe51e5b0d67dd5330ce08275900212

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

7d:b1:04:bf:89:32:9f:d8:b9:e2:c3:6f:80:fc:38:8cCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

18:29:7a:ed:92:1a:ca:8b:48:27:cb:25:16:33:10:27:af:7f:c8:6dSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

oleaut32

crypt32

shlwapi

comctl32

setupapi

rpcrt4

userenv

winmm

version

mpr

iphlpapi

ws2_32

urlmon

Sections

.text Size: 5.5MB - Virtual size: 5.5MB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

7d:b1:04:bf:89:32:9f:d8:b9:e2:c3:6f:80:fc:38:8c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

2b:f4:6e:d0:d1:6e:42:60:c5:c7:a5:c1:c5:b6:45:86:68:fd:e1:3d
Signer

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 44KB

.rsrc
Size: 16KB - Virtual size: 16KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

7d:b1:04:bf:89:32:9f:d8:b9:e2:c3:6f:80:fc:38:8c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

18:29:7a:ed:92:1a:ca:8b:48:27:cb:25:16:33:10:27:af:7f:c8:6d
Signer

.text
Size: 5.5MB - Virtual size: 5.5MB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 111KB - Virtual size: 179KB

.pdata
Size: 411KB - Virtual size: 411KB

text
Size: 4KB - Virtual size: 3KB

data
Size: 9KB - Virtual size: 9KB

.rsrc
Size: 17KB - Virtual size: 17KB

.reloc
Size: 36KB - Virtual size: 36KB

.text
Size: 15KB - Virtual size: 15KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 152B

.pdata
Size: 1024B - Virtual size: 984B

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 72B

.text
Size: 12KB - Virtual size: 12KB

.rdata
Size: 6KB - Virtual size: 5KB

.data
Size: 512B - Virtual size: 76B

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 2KB - Virtual size: 1KB

.pdata
Size: 512B - Virtual size: 96B

.rsrc
Size: 3KB - Virtual size: 2KB