JaffaCakes118_0be35975a9936bc239c69fb4c6e123f1b9f8b20c469d7fc38c62ae41fbde017b

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_0be35975a9936bc239c69fb4c6e123f1b9f8b20c469d7fc38c62ae41fbde017b
Size

468KB
MD5

b7211c9280527a2527b36f5cac012b2b
SHA1

53a23345075daeba0061329f2c1dfc34ffcbcf97
SHA256

0be35975a9936bc239c69fb4c6e123f1b9f8b20c469d7fc38c62ae41fbde017b
SHA512

16962b9640953917fed01ef53786915f5f8b70c84fa5117fb9474282cfa0bc967ec2572b5e9311468d08ce537861b1f4e0d43e29761e56567c7e4ee23bb306d9
SSDEEP

12288:yKgWQeotCQ1eN4j7taYBHyHISGw51WtJZKNViWma3DBI8JpGBnq:dgEN4j74lhGwWzKaWma3j/F

Score

3^/10

Malware Config

Signatures

Unsigned PE 15 IoCs

Checks for missing Authenticode signature.

resource
unpack001/InvoiceFB1.bin
unpack002/$APPDATA/black/MFC80CHS.dll
unpack002/$APPDATA/black/bscmakeui.dll
unpack002/$APPDATA/black/fusion.dll
unpack002/$APPDATA/carts/msdatasrc.dll
unpack002/$APPDATA/carts/sbssystemconfigurationinstall.dll
unpack002/$APPDATA/carts/sqlleUI.dll
unpack002/$APPDATA/carts/tcprops.dll
unpack002/$APPDATA/carts/vcbuildui.dll
unpack002/$APPDATA/route/ProjWizUI.dll
unpack002/$TEMP/LigulaObloquy.dll
unpack002/$TEMP/_stats/ppc/orders/JConvertUI.dll
unpack002/$TEMP/wp-settings/intranet/Vsa7Director.dll
unpack002/$TEMP/wp-settings/intranet/WizardFrameworkVS.dll
unpack002/$TEMP/wp-settings/intranet/sbssystementerpriseservices.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
static1/unpack001/InvoiceFB1.bin	nsis_installer_1
static1/unpack001/InvoiceFB1.bin	nsis_installer_2

Files

JaffaCakes118_0be35975a9936bc239c69fb4c6e123f1b9f8b20c469d7fc38c62ae41fbde017b
.zip

Password: infected
InvoiceFB1.bin
.exe windows:4 windows x86 arch:x86

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetFileAttributesA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileTime
GetFileAttributesA
SetCurrentDirectoryA
MoveFileA
GetFullPathNameA
GetShortPathNameA
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MulDiv
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA

user32

GetSystemMenu
SetClassLongA
EnableMenuItem
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ScreenToClient
GetWindowRect
GetDlgItem
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
LoadImageA
CreateDialogParamA
SetTimer
SetWindowTextA
SetForegroundWindow
ShowWindow
SetWindowLongA
SendMessageTimeoutA
FindWindowExA
IsWindow
AppendMenuA
TrackPopupMenu
CreatePopupMenu
DrawTextA
EndPaint
DestroyWindow
wsprintfA
PostQuitMessage

gdi32

SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor

shell32

SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA

advapi32

AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_AddMasked
ord17
ImageList_Destroy

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/background/manifest/works/phonecallactivity.xml
$APPDATA/background/manifest/works/x-cmu-raster.xml
.xml
$APPDATA/black/11.opends60.dll
$APPDATA/black/MFC80CHS.dll
.dll windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/black/bscmakeui.dll
.dll windows:5 windows x64 arch:x64

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/black/com.ubuntu.notifications.settings.gschema.xml
.xml
$APPDATA/black/fusion.dll
.dll windows:5 windows x86 arch:x86

1fbfda287918de75af6c952e1896a40d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

fusion.pdb

Imports

mscoree

GetRealProcAddress

kernel32

IsDebuggerPresent
SetUnhandledExceptionFilter
InterlockedCompareExchange
InterlockedExchange
DisableThreadLibraryCalls
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
Sleep
UnhandledExceptionFilter

msvcr80

__CppXcptFilter
_adjust_fdiv
_unlock
__dllonexit
_lock
_onexit
_except_handler4_common
_crt_debugger_hook
_amsg_exit
_initterm_e
_initterm
_decode_pointer
free
_encoded_null
_malloc_crt
_encode_pointer
__clean_type_info_names_internal

Exports

Exports

ClearDownloadCache
CopyPDBs
CreateApplicationContext
CreateAssemblyCache
CreateAssemblyEnum
CreateAssemblyNameObject
CreateHistoryReader
CreateInstallReferenceEnum
GetCachePath
GetHistoryFileDirectory
InitializeFusion
InstallCustomAssembly
InstallCustomModule
LookupHistoryAssembly
NukeDownloadedCache
PreBindAssembly
PreBindAssemblyEx

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 940B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 454B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/black/iges.xml
.xml
$APPDATA/black/makehm.exe
.exe windows:4 windows x86 arch:x86

2e82afb4dae4cef9f42c23c20c36abb9

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04-12-2003 00:00

Not After

03-12-2008 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10-01-1997 07:00

Not After

31-12-2020 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

23-05-2002 08:00

Not After

25-09-2011 08:00

Subject

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:05:87:58:00:03:00:00:00:5a
Certificate

Issuer

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05-01-2005 23:20

Not After

05-04-2006 23:30

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

a2:78:32:69:a9:5d:6a:83:4e:77:65:00:fa:9e:56:fc:42:61:6c:dc
Signer

Actual PE Digest

a2:78:32:69:a9:5d:6a:83:4e:77:65:00:fa:9e:56:fc:42:61:6c:dc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

makehm.pdb

Imports

kernel32

InterlockedExchange
MultiByteToWideChar
WideCharToMultiByte
GetLastError
GetVersion
lstrlenW
CompareStringA
CompareStringW
lstrcmpiA
lstrcmpiW
lstrlenA
GetEnvironmentVariableA
GetEnvironmentVariableW
GetStringTypeExA
GetStringTypeExW
GetVersionExA
GetThreadLocale
GetLocaleInfoA
GetACP
GetSystemTimeAsFileTime
InterlockedCompareExchange
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
Sleep

user32

CharLowerW
CharLowerA
CharUpperA
CharUpperW

mfc80

ord6174
ord578
ord781
ord6138
ord310
ord744
ord1452
ord5097
ord556
ord3320
ord3098
ord2746
ord6180
ord2750
ord2125
ord5630
ord5877
ord2910
ord5329
ord6295
ord4060
ord6215
ord920
ord2314
ord2471
ord6310
ord5346
ord5347
ord784
ord1489
ord299
ord6703
ord1482
ord5563
ord782
ord298
ord746
ord911
ord908
ord297
ord2699
ord1006
ord558
ord530
ord722
ord1005
ord304
ord762
ord2468
ord5403
ord5714
ord1191
ord1187
ord1185
ord764
ord2753

msvcr80

strtok_s
_strdup
strncmp
sprintf_s
__CxxFrameHandler3
calloc
_recalloc
_resetstkoflw
strstr
_stricmp
wcslen
_except_handler4_common
_unlock
_encode_pointer
__dllonexit
_lock
_onexit
_decode_pointer
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
__initenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_invoke_watson
_controlfp_s
isdigit
isxdigit
isalpha
isalnum
__iob_func
fprintf
exit
wcscpy_s
free
malloc
strchr

oleaut32

SysFreeString

Sections

.text
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/black/org.gnome.Characters.appdata.xml
.xml
$APPDATA/carts/23.opends60.dll
$APPDATA/carts/54.opends60.dll
$APPDATA/carts/SamplesTable.xml
$APPDATA/carts/VBUpgrade.exe
.xml
$APPDATA/carts/aspnetwp.exe
.exe windows:5 windows x86 arch:x86

f8f9782601130b9a734b4e856933dbe9

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04-12-2003 00:00

Not After

03-12-2008 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10-01-1997 07:00

Not After

31-12-2020 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

23-05-2002 08:00

Not After

25-09-2011 08:00

Subject

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:05:87:58:00:03:00:00:00:5a
Certificate

Issuer

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05-01-2005 23:20

Not After

05-04-2006 23:30

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

b3:41:2a:51:49:04:0b:1f:75:7f:25:07:c9:a6:22:8e:19:fc:16:22
Signer

Actual PE Digest

b3:41:2a:51:49:04:0b:1f:75:7f:25:07:c9:a6:22:8e:19:fc:16:22

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

aspnet_wp.pdb

Imports

kernel32

GetSystemTimeAsFileTime
GetLastError
ReadFile
WriteFile
SetNamedPipeHandleState
GetHandleInformation
Sleep
DebugBreak
GetOverlappedResult
lstrlenA
lstrlenW
SetEvent
ResetEvent
WaitForSingleObject
ExitProcess
OpenEventW
SetProcessAffinityMask
GetCurrentProcess
QueryPerformanceCounter
GetModuleHandleW
GetCurrentThreadId
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
LoadLibraryA
FreeLibrary
LocalAlloc
GetProcAddress
CreateFileW
InterlockedDecrement
InterlockedIncrement
GetCurrentProcessId
InterlockedCompareExchange
LeaveCriticalSection
EnterCriticalSection
GetProcessAffinityMask
HeapFree
HeapAlloc
SwitchToThread
InterlockedExchange
TryEnterCriticalSection
CloseHandle
GetTickCount
RaiseException
InitializeCriticalSection

msvcr80

_except_handler4_common
_invoke_watson
_controlfp_s
_decode_pointer
_lock
__dllonexit
_unlock
__set_app_type
memset
memcpy
_itow_s
_vsnwprintf_s
_beginthread
_wtoi
wcstoul
printf
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
__winitenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_onexit
_encode_pointer

advapi32

RegCloseKey
RegOpenKeyExW
SetThreadToken
CryptReleaseContext
RegQueryValueExW

webengine

EtwTraceAspNetRegister
InitializeManagedCode
ReleaseWmiEventManager
EtwTraceAspNetUnregister
MonitorGlobalConfigFile
IsManagedDebuggerConnectedIndirect
XspLogEvent
DisposeAppDomainsIndirect
PerfCounterInitialize
IsConfigFileName
GetGlobalConfigFullPathW
GetConfigurationFromNativeCode
ClrQueueUserWorkItem
PerfDecrementGlobalCounter
PerfIncrementGlobalCounter
TraceEnabled
TraceRaiseEvent
UnInitializeManagedCode
DrainThreadPool
GetXSPHeap
GetAppDomainIndirect
AttachHandleToThreadPool
LoadLibraryUsingFullPath
GetProcessMemoryInformation
InitializeLibrary

Exports

Exports

PMAppendLogParameter
PMCallISAPI
PMCloseConnection
PMDoneWithSession
PMEmptyResponse
PMFlushCore
PMGetAdditionalPostedContent
PMGetAllServerVariables
PMGetBasics
PMGetClientCertificate
PMGetCurrentProcessInfo
PMGetHistoryTable
PMGetImpersonationToken
PMGetMemoryLimitInMB
PMGetPreloadedPostedContent
PMGetQueryString
PMGetQueryStringRawBytes
PMGetServerVariable
PMGetStartTimeStamp
PMGetTraceContextId
PMGetVirtualPathToken
PMIsClientConnected
PMMapUrlToPath
PMTraceRaiseEvent
PMWriteBytes
PMWriteHeaders

Sections

.text
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/carts/autorun.exe
.exe windows:5 windows x86 arch:x86

17e17281b87b0983598d16ad72b33114

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04-12-2003 00:00

Not After

03-12-2008 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10-01-1997 07:00

Not After

31-12-2020 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

23-05-2002 08:00

Not After

25-09-2011 08:00

Subject

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:05:87:58:00:03:00:00:00:5a
Certificate

Issuer

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05-01-2005 23:20

Not After

05-04-2006 23:30

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

3b:52:59:6c:94:c7:be:e7:2f:5d:77:03:e5:ec:c5:3a:b7:69:9e:69
Signer

Actual PE Digest

3b:52:59:6c:94:c7:be:e7:2f:5d:77:03:e5:ec:c5:3a:b7:69:9e:69

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

autorun.pdb

Imports

advapi32

RegQueryValueExA
RegOpenKeyExA

kernel32

GetVersionExA
GetCurrentDirectoryA
GetFileAttributesA
GetModuleHandleA
OpenMutexA
CloseHandle
CreateFileMappingA
GetLastError
GetModuleFileNameA
CreateProcessA
GetCommandLineA
HeapFree
HeapAlloc
GetProcessHeap
GetStartupInfoA
GetProcAddress
ExitProcess
WriteFile
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSection
GetCPInfo
GetACP
GetOEMCP
Sleep
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
MultiByteToWideChar
GetLocaleInfoA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW

user32

MessageBoxA
LoadStringA

shell32

ShellExecuteA

Sections

.text
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/carts/conditional.xml
.xml
$APPDATA/carts/msdatasrc.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/carts/player.xml
.xml
$APPDATA/carts/sbssystemconfigurationinstall.dll
.dll windows:5 windows x86 arch:x86

67a93297e14b927bc8a7a8f49c55bfe1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\clr\bin\i386\bbt\sbs_system.configuration.install.pdb

Imports

msvcr70

_adjust_fdiv
_initterm
_onexit
_except_handler3
__dllonexit
malloc
free

kernel32

DisableThreadLibraryCalls

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/carts/sqlleUI.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/carts/tcprops.dll
.dll regsvr32 windows:4 windows x86 arch:x86

14a4e0788b91f693a3c25055540c4c8b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

TCProps.pdb

Imports

kernel32

LoadResource
FindResourceA
FlushInstructionCache
GetCurrentProcess
MulDiv
GetCurrentThreadId
FreeLibrary
LoadLibraryA
SetLastError
LoadLibraryExA
GetModuleHandleA
GetModuleFileNameA
SetUnhandledExceptionFilter
LockResource
TerminateProcess
Sleep
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
GetProcAddress
HeapAlloc
GetProcessHeap
HeapFree
InterlockedCompareExchange
GetVersionExA
GetThreadLocale
GetLocaleInfoA
GetACP
InterlockedExchange
SizeofResource
LeaveCriticalSection
EnterCriticalSection
InterlockedDecrement
InterlockedIncrement
lstrcmpiA
IsDBCSLeadByte
lstrlenA
DeleteCriticalSection
InitializeCriticalSection
GetLastError
RaiseException
lstrlenW
WideCharToMultiByte
UnhandledExceptionFilter
MultiByteToWideChar
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent

user32

CreateDialogParamA
WinHelpA
IsWindow
DestroyWindow
IsDialogMessageA
MoveWindow
ShowWindow
GetDC
ReleaseDC
GetDialogBaseUnits
SetWindowLongA
GetWindowTextLengthA
GetWindowTextA
GetDlgItem
SetDlgItemTextA
CharNextA
UnregisterClassA

gdi32

CreateFontIndirectA
SelectObject
GetTextMetricsA
GetTextExtentPointA
DeleteObject
GetDeviceCaps

advapi32

RegQueryInfoKeyA
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegEnumKeyExA

ole32

CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CoCreateInstance

oleaut32

SysAllocStringLen
SysStringLen
SysAllocString
VarUI4FromStr
SysFreeString

msvcr80

__clean_type_info_names_internal
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
__CppXcptFilter
_adjust_fdiv
??3@YAXPAX@Z
??_V@YAXPAX@Z
_mbsnbcpy_s
malloc
free
memcpy_s
_CxxThrowException
memset
calloc
_recalloc
_resetstkoflw
__CxxFrameHandler3
_purecall
??_U@YAPAXI@Z
??2@YAPAXI@Z
strlen
memmove_s
?terminate@@YAXXZ
_except_handler4_common
_unlock
_encode_pointer
__dllonexit
_lock
_onexit
_decode_pointer
_malloc_crt
_encoded_null
_initterm
_initterm_e
_amsg_exit

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/carts/trackeditemhistory.xml
$APPDATA/carts/u2l2000.dll
.dll windows:4 windows x86 arch:x86

db1f83381e6714a2f3906af15138a0f6

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04-12-2003 00:00

Not After

03-12-2008 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

57:64:6e:2b:55:00:23:d4:90:53:4a:55:3e:ab:0d:0a
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2009 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

62:38:83:0d:12:9b:9a:97:ce:d5:b1:d8:76:03:24:5b
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

24-11-2004 00:00

Not After

19-02-2006 23:59

Subject

CN=Business Objects Americas,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Business Objects Americas,L=San Jose,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

y:\components\cpp\ufls\ufl2000\crys-50\obj32\u2l2000.pdb

Imports

kernel32

GlobalFindAtomA
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
GetProfileStringA
GetModuleFileNameA
LoadLibraryA
FreeLibrary
GetProcAddress
SetErrorMode
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
InterlockedCompareExchange
Sleep
InterlockedExchange
GetSystemTimeAsFileTime

user32

LoadStringA

msvcr80

malloc
free
_wsplitpath_s
wcsncpy_s
_wmakepath_s
fopen_s
_wfopen_s
freopen_s
_wfreopen_s
_access_s
_waccess_s
_itoa_s
_ltoa_s
_ltow_s
_ultoa_s
_ultow_s
wcscat_s
vsprintf_s
vswprintf_s
_vsnwprintf_s
_vsnprintf_s
strncat_s
wcsncat_s
strtok_s
wcstok_s
memset
_wcslwr_s
wcscpy_s
_strupr_s
_wcsupr_s
wctomb_s
wcstombs_s
mbstowcs_s
_ftime64_s
_wcsnset_s
_itow_s
_i64tow_s
asctime_s
strerror_s
_wgetenv_s
_wputenv_s
getenv_s
_putenv_s
atoi
isdigit
_encode_pointer
_malloc_crt
_encoded_null
_decode_pointer
_initterm
_initterm_e
_amsg_exit
_adjust_fdiv
__CppXcptFilter
_crt_debugger_hook
__clean_type_info_names_internal
_unlock
__dllonexit
_lock
_onexit
_except_handler4_common
strcmp
wcslen
strlen
??2@YAPAXI@Z
??3@YAXPAX@Z
strcpy_s
strcat_s
_makepath_s
strncpy_s
_splitpath_s
_strlwr_s

Exports

Exports

DTSTo2000
DateTo2000
UFEndJob
UFErrorRecovery
UFGetFunctionDefStrings
UFGetFunctionExamples
UFGetFunctionTemplates
UFGetVersion
UFInitialize
UFStartJob
UFTerminate

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 808B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/carts/vcbuildui.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\binaries.x86ret\bin\i386\1033\vcbuildui.pdb

Sections

.text
Size: 512B - Virtual size: 99B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$APPDATA/carts/vnd.ms-word.template.macroenabled.12.xml
.xml
$APPDATA/carts/x-thomson-cartridge-memo7.xml
.xml
$APPDATA/route/ProjWizUI.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/Jumpstart
$TEMP/LigulaObloquy.dll
.dll windows:4 windows x86 arch:x86

512b9baeca93e2f5918026ff1aadb6c8

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

IsIconic
IsWindowUnicode
LoadBitmapA
SendMessageTimeoutW
SetCursor

advapi32

LookupAccountSidW
ObjectOpenAuditAlarmA

kernel32

LCMapStringW
LCMapStringA
GetEnvironmentStrings
UpdateResourceA
SuspendThread
GetTempFileNameA
GetProcAddress
GetModuleHandleA
GetCurrentThreadId
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ExitProcess
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetLastError
InterlockedDecrement
Sleep
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
WriteFile
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSection
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
MultiByteToWideChar
GetLocaleInfoA
GetStringTypeA
GetStringTypeW

Exports

Exports

Defiantness
Hypocorism
Vertical
Warpath
Xerophytes

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/_stats/ppc/orders/JConvertUI.dll
.dll windows:4 windows x86 arch:x86

ecbfb5cdb40fe01cce60f0d617945eb9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

g:\FreedomStudio\bin\Release\1033\JConvertUI.pdb

Imports

msvcr80

_onexit
_lock
_crt_debugger_hook
__dllonexit
_unlock
__clean_type_info_names_internal
__CppXcptFilter
_adjust_fdiv
_amsg_exit
_initterm_e
_initterm
_decode_pointer
free
_encoded_null
_malloc_crt
_except_handler4_common
_encode_pointer

kernel32

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
InterlockedCompareExchange
Sleep
InterlockedExchange
IsDebuggerPresent

Exports

Exports

_DllMain@12

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 860B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 342B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/_stats/ppc/orders/hangul-keyboard-3f.xml
.xml
$TEMP/_stats/ppc/orders/x-microdvd.xml
.xml
$TEMP/_stats/ppc/orders/x-patch.xml
.xml
$TEMP/cisco/apl/WindowsTechLonghornWinFx60.xml
.xml
$TEMP/wp-settings/intranet/CppCodeProvider.xml
$TEMP/wp-settings/intranet/Vsa7Director.dll
.dll regsvr32 windows:5 windows x86 arch:x86

0c089433cc11d187c270039002fb20c3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vsa7director.pdb

Imports

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey

kernel32

LoadLibraryA
LocalAlloc
GetProcAddress
InitializeCriticalSection
DeleteCriticalSection
FreeLibrary
MultiByteToWideChar
SizeofResource
LoadResource
GetLastError
InterlockedDecrement
InterlockedIncrement
RaiseException
GetTickCount
DisableThreadLibraryCalls
InterlockedExchange
Sleep
InterlockedCompareExchange
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetACP
GetLocaleInfoA
GetThreadLocale
GetVersionExA

msvcr80

_except_handler4_common
__clean_type_info_names_internal
_onexit
_lock
__dllonexit
_unlock
__CppXcptFilter
_adjust_fdiv
_amsg_exit
_initterm_e
_initterm
_decode_pointer
_encoded_null
_malloc_crt
_encode_pointer
_purecall
??_V@YAXPAX@Z
_recalloc
??3@YAXPAX@Z
free
??2@YAPAXI@Z
memcpy_s
malloc
wcsncpy_s
_crt_debugger_hook
memset
strncpy

ole32

CoTaskMemRealloc
CoCreateInstance
CoRegisterMessageFilter
CoTaskMemFree
CoTaskMemAlloc

oleaut32

SysFreeString
SysAllocString
VariantClear
VariantInit
SetErrorInfo
GetErrorInfo
VarUI4FromStr

oledlg

OleUIBusyW

user32

TranslateMessage
DispatchMessageA
UnregisterClassA
IsWindowUnicode
GetWindowThreadProcessId
GetMessageA

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/wp-settings/intranet/WizardFrameworkVS.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\binaries.x86ret\bin\i386\Microsoft.WizardFrameworkVS.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/wp-settings/intranet/line.xml
.xml
$TEMP/wp-settings/intranet/sbssystementerpriseservices.dll
.dll windows:5 windows x86 arch:x86

67a93297e14b927bc8a7a8f49c55bfe1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\clr\bin\i386\bbt\sbs_system.enterpriseservices.pdb

Imports

msvcr70

_adjust_fdiv
_initterm
_onexit
_except_handler3
__dllonexit
malloc
free

kernel32

DisableThreadLibraryCalls

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/wp-settings/intranet/x-cmake.xml
.xml

Sharing

General

Malware Config

Signatures

Files

Password: infected

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

Sections

.text Size: 25KB - Virtual size: 25KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1KB - Virtual size: 149KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 8KB - Virtual size: 8KB

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 32KB - Virtual size: 31KB

.reloc Size: 4KB - Virtual size: 8B

Headers

File Characteristics

Sections

.rsrc Size: 6KB - Virtual size: 5KB

1fbfda287918de75af6c952e1896a40d

Headers

File Characteristics

PDB Paths

Imports

mscoree

kernel32

msvcr80

Exports

Exports

Sections

.text Size: 5KB - Virtual size: 5KB

.data Size: 512B - Virtual size: 940B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 454B

2e82afb4dae4cef9f42c23c20c36abb9

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7eCertificate

Extended Key Usages

Key Usages

61:05:87:58:00:03:00:00:00:5aCertificate

Extended Key Usages

Key Usages

a2:78:32:69:a9:5d:6a:83:4e:77:65:00:fa:9e:56:fc:42:61:6c:dcSigner

Headers

File Characteristics

PDB Paths

Imports

kernel32

user32

mfc80

msvcr80

oleaut32

Sections

.text Size: 14KB - Virtual size: 14KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 512B - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 1KB

f8f9782601130b9a734b4e856933dbe9

.text
Size: 25KB - Virtual size: 25KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1KB - Virtual size: 149KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 32KB - Virtual size: 31KB

.reloc
Size: 4KB - Virtual size: 8B

.rsrc
Size: 6KB - Virtual size: 5KB

.text
Size: 5KB - Virtual size: 5KB

.data
Size: 512B - Virtual size: 940B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 454B

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

61:05:87:58:00:03:00:00:00:5a
Certificate

a2:78:32:69:a9:5d:6a:83:4e:77:65:00:fa:9e:56:fc:42:61:6c:dc
Signer

.text
Size: 14KB - Virtual size: 14KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 1KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

61:05:87:58:00:03:00:00:00:5a
Certificate

b3:41:2a:51:49:04:0b:1f:75:7f:25:07:c9:a6:22:8e:19:fc:16:22
Signer

.text
Size: 19KB - Virtual size: 19KB

.data
Size: 512B - Virtual size: 3KB

.rsrc
Size: 1KB - Virtual size: 1KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

61:05:87:58:00:03:00:00:00:5a
Certificate

3b:52:59:6c:94:c7:be:e7:2f:5d:77:03:e5:ec:c5:3a:b7:69:9e:69
Signer

.text
Size: 33KB - Virtual size: 33KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 1KB - Virtual size: 1KB

.text
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 832B

.reloc
Size: 512B - Virtual size: 12B