The sample you uploaded appears to be a crack for genuine software provided by Postbox Inc (although the crack is not digitally signed).
I managed to track down a source of the sample you submitted; it should have come from the following source:
Code:
hxxps://haxoff.net/postbox-full-version-serial-key
(the download link at the bottom will redirect to multiple sites containing advertisements and pop-ups, which may or may not be malicious (e.g. normal advertisements, but also fake AV alerts, as I saw for myself); eventually you will reach the download stage, and within the archive will be the exact same sample under a different file name).
The original file name of the sample was "Postbox 5.0.5 Repack - HaxOff.net.exe", and it was renamed to "Postbox.exe". Both file sizes are the same, and you can compare the hex of both executables so you know they are the same, as well as the checksum comparisons.
The real installer has a file size of 22,67KB (22.7MB rounded upwards, otherwise 22.6MB) and is digitally signed, without timestamp verification, by "Postbox, Inc", unlike the sample from this thread.
Due to some personal health problems over the past few days, I am unable to do proper PC work today; that being said, I have left some details below regarding static analysis for you to look at, which will help you in deciding a verdict. The information below was quickly obtained through a speedy static analysis overview; therefore I have not properly performed decompilation analysis or worked with the disassembly.
Imports:
Code:
Address Ordinal Name Library
------- ------- ---- -------
00513000 RegCreateKeyW ADVAPI32
00513004 LookupAccountSidW ADVAPI32
00513008 SetSecurityDescriptorDacl ADVAPI32
0051300C InitializeSecurityDescriptor ADVAPI32
00513010 SetEntriesInAclW ADVAPI32
00513014 GetSecurityDescriptorDacl ADVAPI32
00513018 AdjustTokenPrivileges ADVAPI32
0051301C LookupPrivilegeValueW ADVAPI32
00513020 StartServiceW ADVAPI32
00513024 QueryServiceStatus ADVAPI32
00513028 OpenServiceW ADVAPI32
0051302C RegDeleteValueA ADVAPI32
00513030 RegQueryValueExA ADVAPI32
00513034 RegDeleteValueW ADVAPI32
00513038 RegCreateKeyExW ADVAPI32
0051303C RegSetValueExW ADVAPI32
00513040 RegEnumKeyExW ADVAPI32
00513044 RegQueryInfoKeyW ADVAPI32
00513048 RegDeleteKeyW ADVAPI32
0051304C RegQueryValueExW ADVAPI32
00513050 RegOpenKeyExW ADVAPI32
00513054 RegCloseKey ADVAPI32
00513058 RegOpenKeyA ADVAPI32
0051305C OpenSCManagerW ADVAPI32
00513060 LockServiceDatabase ADVAPI32
00513064 UnlockServiceDatabase ADVAPI32
00513068 CloseServiceHandle ADVAPI32
0051306C RegOpenKeyExA ADVAPI32
00513070 RegEnumValueA ADVAPI32
00513074 RegOpenKeyW ADVAPI32
00513078 SystemFunction036 ADVAPI32
0051307C OpenProcessToken ADVAPI32
00513080 GetTokenInformation ADVAPI32
00513084 AllocateAndInitializeSid ADVAPI32
00513088 EqualSid ADVAPI32
0051308C FreeSid ADVAPI32
00513090 GetUserNameW ADVAPI32
00513094 RegDeleteKeyA ADVAPI32
00513098 RegCreateKeyA ADVAPI32
0051309C RegSetValueExA ADVAPI32
005130A4 ImageList_LoadImageW COMCTL32
005130A8 ImageList_GetIcon COMCTL32
005130AC ImageList_SetBkColor COMCTL32
005130B0 ImageList_AddMasked COMCTL32
005130B4 _TrackMouseEvent COMCTL32
005130B8 ImageList_Add COMCTL32
005130BC ImageList_ReplaceIcon COMCTL32
005130C0 ImageList_Create COMCTL32
005130C4 ImageList_Destroy COMCTL32
005130C8 DestroyPropertySheetPage COMCTL32
005130CC CreatePropertySheetPageW COMCTL32
005130D0 InitCommonControlsEx COMCTL32
005130D4 PropertySheetW COMCTL32
005130DC GetOpenFileNameW COMDLG32
005130E0 GetSaveFileNameW COMDLG32
005130E8 GetLayout GDI32
005130EC GetBrushOrgEx GDI32
005130F0 CreateFontIndirectW GDI32
005130F4 CreateSolidBrush GDI32
005130F8 GetRgnBox GDI32
005130FC CreatePolygonRgn GDI32
00513100 EqualRgn GDI32
00513104 CreateRectRgnIndirect GDI32
00513108 GetStockObject GDI32
0051310C CreateFontW GDI32
00513110 SetBkMode GDI32
00513114 SetTextColor GDI32
00513118 SetBrushOrgEx GDI32
0051311C CreatePatternBrush GDI32
00513120 FillRgn GDI32
00513124 SelectClipRgn GDI32
00513128 GetBitmapBits GDI32
0051312C CreateRectRgn GDI32
00513130 GetObjectW GDI32
00513134 GetDeviceCaps GDI32
00513138 Rectangle GDI32
0051313C ExtTextOutW GDI32
00513140 SetBkColor GDI32
00513144 ExcludeClipRect GDI32
00513148 CreatePen GDI32
0051314C BitBlt GDI32
00513150 SetViewportOrgEx GDI32
00513154 CreateCompatibleBitmap GDI32
00513158 CreateCompatibleDC GDI32
0051315C DeleteObject GDI32
00513160 SelectObject GDI32
00513164 DeleteDC GDI32
00513168 CreateBitmapIndirect GDI32
0051316C CreateDIBSection GDI32
00513170 CombineRgn GDI32
00513178 LoadLibraryW KERNEL32
0051317C CreateDirectoryW KERNEL32
00513180 GetCurrentProcessId KERNEL32
00513184 GetExitCodeThread KERNEL32
00513188 SetEvent KERNEL32
0051318C CreateEventW KERNEL32
00513190 SetLastError KERNEL32
00513194 GetDiskFreeSpaceExW KERNEL32
00513198 Sleep KERNEL32
0051319C GetCurrentThreadId KERNEL32
005131A0 DecodePointer KERNEL32
005131A4 WaitForSingleObject KERNEL32
005131A8 MulDiv KERNEL32
005131AC FreeLibrary KERNEL32
005131B0 lstrlenW KERNEL32
005131B4 GetVersionExW KERNEL32
005131B8 lstrcmpiW KERNEL32
005131BC ReadConsoleW KERNEL32
005131C0 WriteConsoleW KERNEL32
005131C4 SetStdHandle KERNEL32
005131C8 FindFirstFileExW KERNEL32
005131CC GetCommandLineA KERNEL32
005131D0 FreeEnvironmentStringsW KERNEL32
005131D4 GetEnvironmentStringsW KERNEL32
005131D8 SetFilePointerEx KERNEL32
005131DC GetOEMCP KERNEL32
005131E0 IsValidCodePage KERNEL32
005131E4 GetConsoleMode KERNEL32
005131E8 lstrcpynW KERNEL32
005131EC EnumSystemLocalesW KERNEL32
005131F0 GetUserDefaultLCID KERNEL32
005131F4 IsValidLocale KERNEL32
005131F8 GetFileType KERNEL32
005131FC GetModuleHandleExW KERNEL32
00513200 ExitProcess KERNEL32
00513204 GetACP KERNEL32
00513208 QueryPerformanceFrequency KERNEL32
0051320C RtlUnwind KERNEL32
00513210 QueryPerformanceCounter KERNEL32
00513214 GetDriveTypeW KERNEL32
00513218 TerminateProcess KERNEL32
0051321C UnhandledExceptionFilter KERNEL32
00513220 WaitForSingleObjectEx KERNEL32
00513224 LCMapStringW KERNEL32
00513228 GetSystemTimeAsFileTime KERNEL32
0051322C TlsFree KERNEL32
00513230 TlsSetValue KERNEL32
00513234 TlsGetValue KERNEL32
00513238 TlsAlloc KERNEL32
0051323C GetCPInfo KERNEL32
00513240 IsDebuggerPresent KERNEL32
00513244 VirtualFree KERNEL32
00513248 VirtualAlloc KERNEL32
0051324C IsProcessorFeaturePresent KERNEL32
00513250 FlushInstructionCache KERNEL32
00513254 InterlockedPushEntrySList KERNEL32
00513258 InterlockedPopEntrySList KERNEL32
0051325C InitializeSListHead KERNEL32
00513260 EncodePointer KERNEL32
00513264 PeekNamedPipe KERNEL32
00513268 OpenEventW KERNEL32
0051326C CopyFileExW KERNEL32
00513270 CompareFileTime KERNEL32
00513274 LocalAlloc KERNEL32
00513278 ResetEvent KERNEL32
0051327C MoveFileW KERNEL32
00513280 GetLocaleInfoA KERNEL32
00513284 GetStringTypeW KERNEL32
00513288 ConnectNamedPipe KERNEL32
0051328C CreateNamedPipeW KERNEL32
00513290 TerminateThread KERNEL32
00513294 GetSystemDirectoryW KERNEL32
00513298 GetLocalTime KERNEL32
0051329C OutputDebugStringW KERNEL32
005132A0 Process32NextW KERNEL32
005132A4 Process32FirstW KERNEL32
005132A8 CreateToolhelp32Snapshot KERNEL32
005132AC GetWindowsDirectoryW KERNEL32
005132B0 FileTimeToSystemTime KERNEL32
005132B4 GetUserDefaultLangID KERNEL32
005132B8 GetSystemDefaultLangID KERNEL32
005132BC GetLocaleInfoW KERNEL32
005132C0 EnumResourceLanguagesW KERNEL32
005132C4 SetEndOfFile KERNEL32
005132C8 SetCurrentDirectoryW KERNEL32
005132CC GetCommandLineW KERNEL32
005132D0 CompareStringW KERNEL32
005132D4 InterlockedDecrement KERNEL32
005132D8 InterlockedIncrement KERNEL32
005132DC GetModuleFileNameW KERNEL32
005132E0 GlobalUnlock KERNEL32
005132E4 GlobalLock KERNEL32
005132E8 GlobalAlloc KERNEL32
005132EC lstrcmpW KERNEL32
005132F0 GetFileSize KERNEL32
005132F4 ReadFile KERNEL32
005132F8 GlobalFree KERNEL32
005132FC GetTempPathW KERNEL32
00513300 GetSystemTime KERNEL32
00513304 SystemTimeToFileTime KERNEL32
00513308 GetTempFileNameW KERNEL32
0051330C DeleteFileW KERNEL32
00513310 FindFirstFileW KERNEL32
00513314 RemoveDirectoryW KERNEL32
00513318 FindNextFileW KERNEL32
0051331C GetLogicalDriveStringsW KERNEL32
00513320 GetFileAttributesW KERNEL32
00513324 SetFileAttributesW KERNEL32
00513328 GetFileTime KERNEL32
0051332C CopyFileW KERNEL32
00513330 FindClose KERNEL32
00513334 WaitForMultipleObjects KERNEL32
00513338 GetSystemInfo KERNEL32
0051333C GetCurrentProcess KERNEL32
00513340 InterlockedExchange KERNEL32
00513344 WideCharToMultiByte KERNEL32
00513348 LoadLibraryExW KERNEL32
0051334C GetStartupInfoW KERNEL32
00513350 MultiByteToWideChar KERNEL32
00513354 FindResourceExW KERNEL32
00513358 FindResourceW KERNEL32
0051335C LoadResource KERNEL32
00513360 LockResource KERNEL32
00513364 SizeofResource KERNEL32
00513368 LeaveCriticalSection KERNEL32
0051336C InitializeCriticalSection KERNEL32
00513370 EnterCriticalSection KERNEL32
00513374 GetModuleHandleW KERNEL32
00513378 GetProcAddress KERNEL32
0051337C RaiseException KERNEL32
00513380 GetExitCodeProcess KERNEL32
00513384 CreateProcessW KERNEL32
00513388 GetModuleFileNameA KERNEL32
0051338C FlushFileBuffers KERNEL32
00513390 GetProcessHeap KERNEL32
00513394 SetFilePointer KERNEL32
00513398 GetConsoleScreenBufferInfo KERNEL32
0051339C GetStdHandle KERNEL32
005133A0 SetConsoleTextAttribute KERNEL32
005133A4 GetFullPathNameW KERNEL32
005133A8 GetCurrentThread KERNEL32
005133AC LoadLibraryA KERNEL32
005133B0 LocalFree KERNEL32
005133B4 GetEnvironmentVariableW KERNEL32
005133B8 HeapAlloc KERNEL32
005133BC HeapFree KERNEL32
005133C0 HeapReAlloc KERNEL32
005133C4 HeapSize KERNEL32
005133C8 HeapDestroy KERNEL32
005133CC InitializeCriticalSectionAndSpinCount KERNEL32
005133D0 GetLastError KERNEL32
005133D4 DeleteCriticalSection KERNEL32
005133D8 CloseHandle KERNEL32
005133DC WriteFile KERNEL32
005133E0 CreateFileW KERNEL32
005133E4 GetConsoleCP KERNEL32
005133E8 VirtualProtect KERNEL32
005133EC VirtualQuery KERNEL32
005133F0 LoadLibraryExA KERNEL32
005133F4 GetShortPathNameW KERNEL32
005133F8 FormatMessageW KERNEL32
005133FC CreateThread KERNEL32
00513400 SetUnhandledExceptionFilter KERNEL32
00513408 WNetAddConnection2W MPR
00513410 AlphaBlend MSIMG32
00513414 TransparentBlt MSIMG32
0051341C 94 VarDateFromStr OLEAUT32
00513420 277 VarUI4FromStr OLEAUT32
00513424 418 OleLoadPicture OLEAUT32
00513428 149 SysStringByteLen OLEAUT32
0051342C 150 SysAllocStringByteLen OLEAUT32
00513430 4 SysAllocStringLen OLEAUT32
00513434 161 LoadTypeLib OLEAUT32
00513438 162 LoadRegTypeLib OLEAUT32
0051343C 7 SysStringLen OLEAUT32
00513440 420 OleCreateFontIndirect OLEAUT32
00513444 10 VariantCopy OLEAUT32
00513448 8 VariantInit OLEAUT32
0051344C 2 SysAllocString OLEAUT32
00513450 9 VariantClear OLEAUT32
00513454 6 SysFreeString OLEAUT32
0051345C ShellExecuteW SHELL32
00513460 ShellExecuteExW SHELL32
00513464 SHGetFileInfoW SHELL32
00513468 SHGetSpecialFolderLocation SHELL32
0051346C SHGetMalloc SHELL32
00513470 SHGetFolderPathW SHELL32
00513474 SHBrowseForFolderW SHELL32
00513478 SHGetPathFromIDListW SHELL32
00513480 PathAddBackslashW SHLWAPI
00513484 PathIsUNCW SHLWAPI
00513488 PathFileExistsW SHLWAPI
0051348C PathIsDirectoryW SHLWAPI
00513494 GetClientRect USER32
00513498 MapWindowPoints USER32
0051349C GetParent USER32
005134A0 UnregisterClassW USER32
005134A4 SendMessageW USER32
005134A8 GetWindowTextW USER32
005134AC GetWindowTextLengthW USER32
005134B0 FillRect USER32
005134B4 IsWindow USER32
005134B8 ShowWindow USER32
005134BC GetWindowRect USER32
005134C0 UnionRect USER32
005134C4 IsWindowVisible USER32
005134C8 BeginPaint USER32
005134CC EndPaint USER32
005134D0 ScreenToClient USER32
005134D4 SetWindowPos USER32
005134D8 GetWindowDC USER32
005134DC CallWindowProcW USER32
005134E0 DefWindowProcW USER32
005134E4 GetWindowLongW USER32
005134E8 SetWindowLongW USER32
005134EC GetWindow USER32
005134F0 DrawFrameControl USER32
005134F4 RegisterWindowMessageW USER32
005134F8 InvalidateRgn USER32
005134FC GetDesktopWindow USER32
00513500 GetKeyState USER32
00513504 DrawStateW USER32
00513508 DrawFocusRect USER32
0051350C DrawTextExW USER32
00513510 ValidateRect USER32
00513514 DestroyMenu USER32
00513518 CreatePopupMenu USER32
0051351C AppendMenuW USER32
00513520 TrackPopupMenu USER32
00513524 InflateRect USER32
00513528 LoadBitmapW USER32
0051352C MessageBeep USER32
00513530 LoadImageW USER32
00513534 CharNextW USER32
00513538 GetClassNameW USER32
0051353C SetCapture USER32
00513540 ReleaseCapture USER32
00513544 UpdateWindow USER32
00513548 DestroyIcon USER32
0051354C GetDlgCtrlID USER32
00513550 GetCapture USER32
00513554 GetScrollPos USER32
00513558 SetScrollInfo USER32
0051355C GetClassInfoExW USER32
00513560 RegisterClassExW USER32
00513564 DrawEdge USER32
00513568 SetScrollPos USER32
0051356C SetRect USER32
00513570 MoveWindow USER32
00513574 GetScrollInfo USER32
00513578 GetMessagePos USER32
0051357C SystemParametersInfoW USER32
00513580 GetActiveWindow USER32
00513584 TrackMouseEvent USER32
00513588 GetAsyncKeyState USER32
0051358C DestroyCursor USER32
00513590 GetComboBoxInfo USER32
00513594 GetWindowRgn USER32
00513598 IsZoomed USER32
0051359C SetWindowRgn USER32
005135A0 DialogBoxParamW USER32
005135A4 EndDialog USER32
005135A8 CreateDialogParamW USER32
005135AC TranslateAcceleratorW USER32
005135B0 CreateAcceleratorTableW USER32
005135B4 DestroyAcceleratorTable USER32
005135B8 InvalidateRect USER32
005135BC GetNextDlgTabItem USER32
005135C0 SetCursor USER32
005135C4 MonitorFromWindow USER32
005135C8 GetMonitorInfoW USER32
005135CC IsDialogMessageW USER32
005135D0 IsChild USER32
005135D4 PostQuitMessage USER32
005135D8 PostMessageW USER32
005135DC SetForegroundWindow USER32
005135E0 SetCursorPos USER32
005135E4 GetCursorPos USER32
005135E8 PeekMessageW USER32
005135EC GetMessageW USER32
005135F0 TranslateMessage USER32
005135F4 DispatchMessageW USER32
005135F8 LoadCursorW USER32
005135FC LoadStringW USER32
00513600 MessageBoxW USER32
00513604 GetFocus USER32
00513608 EnableWindow USER32
0051360C DestroyWindow USER32
00513610 GetForegroundWindow USER32
00513614 EnumWindows USER32
00513618 GetWindowThreadProcessId USER32
0051361C DialogBoxIndirectParamW USER32
00513620 MsgWaitForMultipleObjects USER32
00513624 GetPropW USER32
00513628 GetSystemMenu USER32
0051362C EnableMenuItem USER32
00513630 ModifyMenuW USER32
00513634 ExitWindowsEx USER32
00513638 GetScrollRange USER32
0051363C RemovePropW USER32
00513640 SetPropW USER32
00513644 GetSubMenu USER32
00513648 LoadMenuW USER32
0051364C OpenClipboard USER32
00513650 CloseClipboard USER32
00513654 EmptyClipboard USER32
00513658 SetClipboardData USER32
0051365C GetIconInfo USER32
00513660 SendMessageTimeoutW USER32
00513664 DrawIconEx USER32
00513668 DrawTextW USER32
0051366C GetSystemMetrics USER32
00513670 ClientToScreen USER32
00513674 OffsetRect USER32
00513678 SetRectEmpty USER32
0051367C PtInRect USER32
00513680 GetSysColorBrush USER32
00513684 IntersectRect USER32
00513688 IsRectEmpty USER32
0051368C SendMessageA USER32
00513690 RedrawWindow USER32
00513694 IsWindowEnabled USER32
00513698 CopyRect USER32
0051369C SetFocus USER32
005136A0 GetSysColor USER32
005136A4 CreateWindowExW USER32
005136A8 GetDlgItem USER32
005136AC SetWindowTextW USER32
005136B0 EqualRect USER32
005136B4 SetTimer USER32
005136B8 KillTimer USER32
005136BC GetDC USER32
005136C0 ReleaseDC USER32
005136C4 CreateIconFromResourceEx USER32
005136C8 LookupIconIdFromDirectoryEx USER32
005136D0 GetFileVersionInfoW VERSION
005136D4 VerQueryValueW VERSION
005136D8 GetFileVersionInfoSizeW VERSION
005136E0 SymGetLineFromAddr dbghelp
005136E4 SymSetSearchPath dbghelp
005136E8 SymCleanup dbghelp
005136EC SymInitialize dbghelp
005136F0 SymSetOptions dbghelp
005136F4 SymFunctionTableAccess dbghelp
005136F8 StackWalk dbghelp
005136FC SymGetModuleBase dbghelp
00513704 CoTaskMemRealloc ole32
00513708 OleInitialize ole32
0051370C CoInitialize ole32
00513710 OleUninitialize ole32
00513714 CLSIDFromString ole32
00513718 CLSIDFromProgID ole32
0051371C CoGetClassObject ole32
00513720 CoCreateInstance ole32
00513724 CreateStreamOnHGlobal ole32
00513728 OleLockRunning ole32
0051372C StringFromGUID2 ole32
00513730 CoTaskMemFree ole32
00513734 CoUninitialize ole32
00513738 CoCreateGuid ole32
0051373C CreateILockBytesOnHGlobal ole32
00513740 StgCreateDocfileOnILockBytes ole32
00513744 CoInitializeEx ole32
00513748 CoTaskMemAlloc ole32
00565E00 OpenThemeData UxTheme
00565E04 IsThemeActive UxTheme
00565E08 DrawThemeParentBackground UxTheme
00565E0C DrawThemeBackground UxTheme
00565E10 GetThemeBackgroundContentRect UxTheme
00565E14 IsAppThemed UxTheme
00565E18 BufferedPaintInit UxTheme
00565E1C BufferedPaintUnInit UxTheme
00565E20 BeginBufferedPaint UxTheme
00565E24 EndBufferedPaint UxTheme
00565E28 BufferedPaintSetAlpha UxTheme
00565E2C IsCompositionActive UxTheme
00565E30 SetWindowThemeAttribute UxTheme
00565E34 CloseThemeData UxTheme
00565E38 DrawThemeTextEx UxTheme
00565E3C GetThemeSysFont UxTheme
00565E40 IsThemeBackgroundPartiallyTransparent UxTheme
00565E48 InternetErrorDlg WININET
00565E4C InternetCloseHandle WININET
00565E50 InternetSetStatusCallbackW WININET
00565E54 InternetSetOptionW WININET
00565E58 InternetOpenW WININET
00565E5C InternetGetLastResponseInfoW WININET
00565E60 InternetReadFile WININET
00565E64 InternetQueryDataAvailable WININET
00565E68 FtpGetFileSize WININET
00565E6C HttpQueryInfoW WININET
00565E70 InternetConnectW WININET
00565E74 HttpOpenRequestW WININET
00565E78 HttpSendRequestW WININET
00565E7C FtpOpenFileW WININET
00565E80 FtpCommandW WININET
00565E84 InternetQueryOptionW WININET
00565E88 InternetCrackUrlW WININET
00565E90 DwmSetWindowAttribute dwmapi
00565E94 DwmExtendFrameIntoClientArea dwmapi
00565E9C GdipSetImageAttributesRemapTable gdiplus
00565EA0 GdipSetImageAttributesColorMatrix gdiplus
00565EA4 GdipImageRotateFlip gdiplus
00565EA8 GdipDisposeImageAttributes gdiplus
00565EAC GdipCreateImageAttributes gdiplus
00565EB0 GdipSetInterpolationMode gdiplus
00565EB4 GdiplusStartup gdiplus
00565EB8 GdiplusShutdown gdiplus
00565EBC GdipBitmapSetPixel gdiplus
00565EC0 GdipDrawRectangleI gdiplus
00565EC4 GdipDeletePen gdiplus
00565EC8 GdipCreatePen1 gdiplus
00565ECC GdipCreateHBITMAPFromBitmap gdiplus
00565ED0 GdipCreateBitmapFromFile gdiplus
00565ED4 GdipDrawImageRectRectI gdiplus
00565ED8 GdipImageSelectActiveFrame gdiplus
00565EDC GdipGetPropertyItem gdiplus
00565EE0 GdipGetPropertyItemSize gdiplus
00565EE4 GdipImageGetFrameCount gdiplus
00565EE8 GdipImageGetFrameDimensionsList gdiplus
00565EEC GdipImageGetFrameDimensionsCount gdiplus
00565EF0 GdipGetImageDimension gdiplus
00565EF4 GdipGetImageRawFormat gdiplus
00565EF8 GdipLoadImageFromFile gdiplus
00565EFC GdipGetImagePixelFormat gdiplus
00565F00 GdipCloneBitmapAreaI gdiplus
00565F04 GdipGetImageGraphicsContext gdiplus
00565F08 GdipDisposeImage gdiplus
00565F0C GdipCloneImage gdiplus
00565F10 GdipAlloc gdiplus
00565F14 GdipSetImageAttributesColorKeys gdiplus
00565F18 GdipCreateBitmapFromScan0 gdiplus
00565F1C GdipGetImageWidth gdiplus
00565F20 GdipGetImageHeight gdiplus
00565F24 GdipDrawImageRectI gdiplus
00565F28 GdipDeleteGraphics gdiplus
00565F2C GdipCreateFromHDC gdiplus
00565F30 GdipDrawImagePointRectI gdiplus
00565F34 GdipBitmapLockBits gdiplus
00565F38 GdipBitmapUnlockBits gdiplus
00565F3C GdipFillRectangleI gdiplus
00565F40 GdipCloneBrush gdiplus
00565F44 GdipDeleteBrush gdiplus
00565F48 GdipCreateSolidFill gdiplus
00565F4C GdipCreateBitmapFromHBITMAP gdiplus
00565F50 GdipCreateBitmapFromHICON gdiplus
00565F54 GdipBitmapGetPixel gdiplus
00565F58 GdipResetImageAttributes gdiplus
00565F5C GdipFree gdiplus
00565F60 GdipSetImageAttributesWrapMode gdiplus
00565F68 204 MsiEnumRelatedProductsA msi
00565F6C 205 MsiEnumRelatedProductsW msi
00565F70 90 MsiLocateComponentW msi
00565F74 24 MsiDatabaseGenerateTransformW msi
00565F78 186 MsiCreateTransformSummaryInfoW msi
00565F7C 20 MsiDatabaseCommit msi
00565F80 141 MsiSetInternalUI msi
00565F84 78 MsiGetSummaryInformationW msi
00565F88 150 MsiSummaryInfoGetPropertyW msi
00565F8C 52 MsiGetDatabaseState msi
00565F90 166 MsiViewGetColumnInfo msi
00565F94 115 MsiRecordGetFieldCount msi
00565F98 116 MsiRecordGetInteger msi
00565F9C 137 MsiSetExternalUIW msi
00565FA0 281 MsiSetExternalUIRecord msi
00565FA4 96 MsiOpenProductW msi
00565FA8 19 MsiDatabaseApplyTransformW msi
00565FAC 224 MsiGetFileSignatureInformationW msi
00565FB0 80 MsiGetTargetPathW msi
00565FB4 169 MsiEnableLogW msi
00565FB8 51 MsiGetComponentStateW msi
00565FBC 94 MsiOpenPackageW msi
00565FC0 221 MsiEnumComponentCostsW msi
00565FC4 140 MsiSetInstallLevel msi
00565FC8 147 MsiSetTargetPathW msi
00565FCC 58 MsiGetFeatureStateW msi
00565FD0 54 MsiGetFeatureCostW msi
00565FD4 139 MsiSetFeatureStateW msi
00565FD8 62 MsiGetFeatureValidStatesW msi
00565FDC 7 MsiCloseAllHandles msi
00565FE0 6 MsiAdvertiseProductW msi
00565FE4 195 MsiGetFileVersionW msi
00565FE8 113 MsiQueryProductStateW msi
00565FEC 16 MsiConfigureProductW msi
00565FF0 70 MsiGetProductInfoW msi
00565FF4 67 MsiGetProductInfoA msi
00565FF8 114 MsiRecordDataSize msi
00565FFC 120 MsiRecordReadStream msi
00566000 47 MsiEvaluateConditionW msi
00566004 26 MsiDatabaseGetPrimaryKeysW msi
00566008 160 MsiViewFetch msi
0056600C 48 MsiGetLastErrorRecord msi
00566010 159 MsiViewExecute msi
00566014 32 MsiDatabaseOpenViewW msi
00566018 34 MsiDoActionW msi
0056601C 145 MsiSetPropertyW msi
00566020 118 MsiRecordGetStringW msi
00566024 103 MsiProcessMessage msi
00566028 171 MsiFormatRecordW msi
0056602C 74 MsiGetPropertyW msi
00566030 92 MsiOpenDatabaseW msi
00566034 121 MsiRecordSetInteger msi
00566038 125 MsiRecordSetStringW msi
0056603C 17 MsiCreateRecord msi
00566040 158 MsiViewClose msi
00566044 8 MsiCloseHandle msi
00566048 49 MsiGetActiveDatabase msi
Strings:
Code:
Address Length Type String
------- ------ ---- ------
.rdata:00513870 00000008 C msi.dll
.rdata:00513880 0000000C C gdiplus.dll
.rdata:00513908 00000018 C AcquireSRWLockExclusive
.rdata:00513920 00000018 C ReleaseSRWLockExclusive
.rdata:00513938 0000000D C atlthunk.dll
.rdata:00513948 00000016 C AtlThunk_AllocateData
.rdata:00513960 00000012 C AtlThunk_InitData
.rdata:00513974 00000014 C AtlThunk_DataToCode
.rdata:00513988 00000012 C AtlThunk_FreeData
.rdata:00513A40 0000000C C UxTheme.dll
.rdata:00513A68 0000000F C bad allocation
.rdata:00513AB8 00000058 C regex_error(error_collate): The expression contained an invalid collating element name.
.rdata:00513B10 00000054 C regex_error(error_ctype): The expression contained an invalid character class name.
.rdata:00513B68 00000068 C regex_error(error_escape): The expression contained an invalid escaped character, or a trailing escape.
.rdata:00513BD0 00000050 C regex_error(error_backref): The expression contained an invalid back reference.
.rdata:00513C20 00000047 C regex_error(error_brack): The expression contained mismatched [ and ].
.rdata:00513C68 00000047 C regex_error(error_paren): The expression contained mismatched ( and ).
.rdata:00513CB0 00000047 C regex_error(error_brace): The expression contained mismatched { and }.
.rdata:00513CF8 0000005C C regex_error(error_badbrace): The expression contained an invalid range in a { expression }.
.rdata:00513D58 00000070 C regex_error(error_range): The expression contained an invalid character range, such as [b-a] in most encodings.
.rdata:00513DC8 0000006F C regex_error(error_space): There was insufficient memory to convert the expression into a finite state machine.
.rdata:00513E38 0000005A C regex_error(error_badrepeat): One of *?+{ was not preceded by a valid regular expression.
.rdata:00513E98 0000007B C regex_error(error_complexity): The complexity of an attempted match against a regular expression exceeded a pre-set level.
.rdata:00513F18 00000092 C regex_error(error_stack): There was insufficient memory to determine whether the regular expression could match the specified character sequence.
.rdata:00513FAC 00000019 C regex_error(error_parse)
.rdata:00513FC8 0000001A C regex_error(error_syntax)
.rdata:00513FE4 0000000C C regex_error
.rdata:00514508 0000001D C address family not supported
.rdata:00514528 0000000F C address in use
.rdata:00514538 00000016 C address not available
.rdata:00514550 00000012 C already connected
.rdata:00514564 00000017 C argument list too long
.rdata:0051457C 00000017 C argument out of domain
.rdata:00514594 0000000C C bad address
.rdata:005145A0 00000014 C bad file descriptor
.rdata:005145B4 0000000C C bad message
.rdata:005145C0 0000000C C broken pipe
.rdata:005145CC 00000013 C connection aborted
.rdata:005145E0 0000001F C connection already in progress
.rdata:00514600 00000013 C connection refused
.rdata:00514614 00000011 C connection reset
.rdata:00514628 00000012 C cross device link
.rdata:0051463C 0000001D C destination address required
.rdata:0051465C 00000018 C device or resource busy
.rdata:00514674 00000014 C directory not empty
.rdata:00514688 00000018 C executable format error
.rdata:005146A0 0000000C C file exists
.rdata:005146AC 0000000F C file too large
.rdata:005146BC 00000012 C filename too long
.rdata:005146D0 00000017 C function not supported
.rdata:005146E8 00000011 C host unreachable
.rdata:005146FC 00000013 C identifier removed
.rdata:00514710 00000016 C illegal byte sequence
.rdata:00514728 00000023 C inappropriate io control operation
.rdata:0051474C 0000000C C interrupted
.rdata:00514758 00000011 C invalid argument
.rdata:0051476C 0000000D C invalid seek
.rdata:0051477C 00000009 C io error
.rdata:00514788 0000000F C is a directory
.rdata:00514798 0000000D C message size
.rdata:005147A8 0000000D C network down
.rdata:005147B8 0000000E C network reset
.rdata:005147C8 00000014 C network unreachable
.rdata:005147DC 00000010 C no buffer space
.rdata:005147EC 00000011 C no child process
.rdata:00514800 00000008 C no link
.rdata:00514808 00000012 C no lock available
.rdata:0051481C 00000015 C no message available
.rdata:00514834 0000000B C no message
.rdata:00514840 00000013 C no protocol option
.rdata:00514854 00000013 C no space on device
.rdata:00514868 00000014 C no stream resources
.rdata:0051487C 0000001A C no such device or address
.rdata:00514898 0000000F C no such device
.rdata:005148A8 0000001A C no such file or directory
.rdata:005148C4 00000010 C no such process
.rdata:005148D4 00000010 C not a directory
.rdata:005148E4 0000000D C not a socket
.rdata:005148F4 0000000D C not a stream
.rdata:00514904 0000000E C not connected
.rdata:00514914 00000012 C not enough memory
.rdata:00514928 0000000E C not supported
.rdata:00514938 00000013 C operation canceled
.rdata:0051494C 00000016 C operation in progress
.rdata:00514964 00000018 C operation not permitted
.rdata:0051497C 00000018 C operation not supported
.rdata:00514994 00000016 C operation would block
.rdata:005149AC 0000000B C owner dead
.rdata:005149B8 00000012 C permission denied
.rdata:005149CC 0000000F C protocol error
.rdata:005149DC 00000017 C protocol not supported
.rdata:005149F4 00000016 C read only file system
.rdata:00514A0C 0000001E C resource deadlock would occur
.rdata:00514A2C 0000001F C resource unavailable try again
.rdata:00514A4C 00000014 C result out of range
.rdata:00514A60 00000016 C state not recoverable
.rdata:00514A78 0000000F C stream timeout
.rdata:00514A88 0000000F C text file busy
.rdata:00514A98 0000000A C timed out
.rdata:00514AA4 0000001E C too many files open in system
.rdata:00514AC4 00000014 C too many files open
.rdata:00514AD8 0000000F C too many links
.rdata:00514AE8 0000001E C too many symbolic link levels
.rdata:00514B08 00000010 C value too large
.rdata:00514B18 00000014 C wrong protocol type
.rdata:00514B2C 0000000E C unknown error
.rdata:00514B3C 00000025 C 0123456789abcdefghijklmnopqrstuvwxyz
.rdata:00514B6C 0000001E C \v\v\n\n\t\t\t\t\t\b\b\b\b\b\b\b\a\a\a\a\a\a\a\a\a\a\a\a\a
.rdata:00514B8C 00000025 C 0123456789abcdefghijklmnopqrstuvwxyz
.rdata:00514BD3 00000007 C \r\r\r\r\r\r
.rdata:00514E24 00000017 C 0123456789abcdefABCDEF
.rdata:00514E43 00000005 C \a\b\t\n\v
.rdata:00514EB0 00000009 C FlsAlloc
.rdata:00514EBC 00000008 C FlsFree
.rdata:00514EC4 0000000C C FlsGetValue
.rdata:00514ED0 0000000C C FlsSetValue
.rdata:00514EDC 0000001C C InitializeCriticalSectionEx
.rdata:00514EF8 00000014 C InitOnceExecuteOnce
.rdata:00514F0C 0000000F C CreateEventExW
.rdata:00514F1C 00000011 C CreateSemaphoreW
.rdata:00514F30 00000013 C CreateSemaphoreExW
.rdata:00514F44 00000016 C CreateThreadpoolTimer
.rdata:00514F5C 00000013 C SetThreadpoolTimer
.rdata:00514F70 00000020 C WaitForThreadpoolTimerCallbacks
.rdata:00514F90 00000015 C CloseThreadpoolTimer
.rdata:00514FA8 00000015 C CreateThreadpoolWait
.rdata:00514FC0 00000012 C SetThreadpoolWait
.rdata:00514FD4 00000014 C CloseThreadpoolWait
.rdata:00514FE8 00000019 C FlushProcessWriteBuffers
.rdata:00515004 0000001F C FreeLibraryWhenCallbackReturns
.rdata:00515024 0000001A C GetCurrentProcessorNumber
.rdata:00515040 00000014 C CreateSymbolicLinkW
.rdata:00515054 00000014 C GetCurrentPackageId
.rdata:00515068 0000000F C GetTickCount64
.rdata:00515078 0000001D C GetFileInformationByHandleEx
.rdata:00515098 0000001B C SetFileInformationByHandle
.rdata:005150B4 0000001F C GetSystemTimePreciseAsFileTime
.rdata:005150D4 0000001C C InitializeConditionVariable
.rdata:005150F0 00000016 C WakeConditionVariable
.rdata:00515108 00000019 C WakeAllConditionVariable
.rdata:00515124 00000019 C SleepConditionVariableCS
.rdata:00515140 00000012 C InitializeSRWLock
.rdata:00515154 0000001B C TryAcquireSRWLockExclusive
.rdata:00515170 0000001A C SleepConditionVariableSRW
.rdata:0051518C 00000015 C CreateThreadpoolWork
.rdata:005151A4 00000015 C SubmitThreadpoolWork
.rdata:005151BC 00000014 C CloseThreadpoolWork
.rdata:005151D0 00000010 C CompareStringEx
.rdata:005151E0 00000010 C GetLocaleInfoEx
.rdata:005151F0 0000000E C LCMapStringEx
.rdata:00516110 00000015 C bad array new length
.rdata:00516138 0000000E C bad exception
.rdata:00516208 0000000E C EventRegister
.rdata:0051621C 00000014 C EventSetInformation
.rdata:00516234 00000010 C EventUnregister
.rdata:00516248 00000013 C EventWriteTransfer
.rdata:00516288 0000000E C Main Invoked.
.rdata:00516298 0000000F C Main Returned.
.rdata:00516438 00000009 C __based(
.rdata:00516444 00000008 C __cdecl
.rdata:0051644C 00000009 C __pascal
.rdata:00516458 0000000A C __stdcall
.rdata:00516464 0000000B C __thiscall
.rdata:00516470 0000000B C __fastcall
.rdata:0051647C 0000000D C __vectorcall
.rdata:0051648C 0000000A C __clrcall
.rdata:00516498 00000007 C __eabi
.rdata:005164A0 00000008 C __ptr64
.rdata:005164A8 0000000B C __restrict
.rdata:005164B4 0000000C C __unaligned
.rdata:005164C0 0000000A C restrict(
.rdata:005164CC 00000005 C new
.rdata:005164D4 00000008 C delete
.rdata:005164F8 00000009 C operator
.rdata:00516578 0000000A C `vftable'
.rdata:00516584 0000000A C `vbtable'
.rdata:00516590 00000008 C `vcall'
.rdata:00516598 00000009 C `typeof'
.rdata:005165A4 00000015 C `local static guard'
.rdata:005165BC 00000009 C `string'
.rdata:005165C8 00000013 C `vbase destructor'
.rdata:005165DC 0000001D C `vector deleting destructor'
.rdata:005165FC 0000001E C `default constructor closure'
.rdata:0051661C 0000001D C `scalar deleting destructor'
.rdata:0051663C 0000001E C `vector constructor iterator'
.rdata:0051665C 0000001D C `vector destructor iterator'
.rdata:0051667C 00000024 C `vector vbase constructor iterator'
.rdata:005166A0 0000001B C `virtual displacement map'
.rdata:005166BC 00000021 C `eh vector constructor iterator'
.rdata:005166E0 00000020 C `eh vector destructor iterator'
.rdata:00516700 00000027 C `eh vector vbase constructor iterator'
.rdata:00516728 0000001B C `copy constructor closure'
.rdata:00516744 00000010 C `udt returning'
.rdata:00516758 00000006 C `RTTI
.rdata:00516760 00000010 C `local vftable'
.rdata:00516770 00000024 C `local vftable constructor closure'
.rdata:00516794 00000007 C new[]
.rdata:0051679C 0000000A C delete[]
.rdata:005167A8 0000000F C `omni callsig'
.rdata:005167B8 0000001B C `placement delete closure'
.rdata:005167D4 0000001D C `placement delete[] closure'
.rdata:005167F4 00000026 C `managed vector constructor iterator'
.rdata:0051681C 00000025 C `managed vector destructor iterator'
.rdata:00516844 00000026 C `eh vector copy constructor iterator'
.rdata:0051686C 0000002C C `eh vector vbase copy constructor iterator'
.rdata:00516898 0000001B C `dynamic initializer for '
.rdata:005168B4 00000021 C `dynamic atexit destructor for '
.rdata:005168D8 00000023 C `vector copy constructor iterator'
.rdata:005168FC 00000029 C `vector vbase copy constructor iterator'
.rdata:00516928 0000002B C `managed vector copy constructor iterator'
.rdata:00516954 0000001C C `local static thread guard'
.rdata:00516970 0000000D C operator \"\"
.rdata:00516980 00000012 C Type Descriptor'
.rdata:00516994 0000001C C Base Class Descriptor at (
.rdata:005169B0 00000013 C Base Class Array'
.rdata:005169C4 0000001D C Class Hierarchy Descriptor'
.rdata:005169E4 0000001A C Complete Object Locator'
.rdata:00516C24 00000007 C (null)
.rdata:0051773F 0000005F C !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
.rdata:00517D47 00000005 C \a\b\t\n\v
.rdata:00517D60 0000005F C !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
.rdata:00517EC7 00000005 C \a\b\t\n\v
.rdata:00517EE0 0000005F C !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
.rdata:00517FC0 00000005 C sqrt
.rdata:0051807C 0000000F C CorExitProcess
.rdata:00518124 00000007 C Sunday
.rdata:0051812C 00000007 C Monday
.rdata:00518134 00000008 C Tuesday
.rdata:0051B3F8 00000010 C string too long
.rdata:0051B4BC 00000013 C vector<T> too long
.rdata:0051BC41 00000040 C BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
.rdata:0051BEA0 0000000B C ADVINSTSFX
.rdata:0051C588 00000017 C ()$^.*+?[]|\\-{},:=!\n\r\b
.rdata:0051CFC4 00000011 C list<T> too long
.rdata:0051CFD8 00000014 C map/set<T> too long
.rdata:0051EB20 00000012 C deque<T> too long
.rdata:0051FE40 00000035 C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\
.rdata:0051FE80 00000025 C Software\\Caphyon\\Advanced Installer\\
.rdata:0051FEB0 00000010 C InstallLanguage
.rdata:00520A44 0000001C C invalid vector<T> subscript
.rdata:00520B8C 0000000F C SetWindowTheme
.rdata:00520BB0 0000000F C GetWindowTheme
.rdata:00520BC0 00000014 C DrawThemeBackground
.rdata:00520BD4 0000000E C DrawThemeText
.rdata:00520CB4 0000000E C DllGetVersion
.rdata:00520CE0 0000000E C IsThemeActive
.rdata:00521460 00000016 C RegOpenKeyTransactedW
.rdata:00523FE1 00000005 C @Qm6t
.rdata:0052415B 00000005 C \v%D,3
.rdata:005266CC 0000000E C OpenThemeData
.rdata:00526704 0000000E C DrawThemeEdge
.rdata:00526714 0000000F C CloseThemeData
.rdata:00526724 0000000C C IsAppThemed
.rdata:00526740 00000066 C @echo off \r\nATTRIB -r \"%s\" \r\n:try \r\nrd \"%s\" \r\nif exist \"%s\" goto try\r\nATTRIB -r \"%s\" \r\ndel \"%s\" | cls
.rdata:005267C0 00000067 C @echo off \r\nATTRIB -r \"%s\" \r\n:try \r\ndel \"%s\" \r\nif exist \"%s\" goto try\r\nATTRIB -r \"%s\" \r\ndel \"%s\" | cls
NOTE: Due to the max character limit on this forum I had to remove some of the Strings output, therefore please re-output via IDA Pro or Strings.exe for the entire collection of them.
The sample uses the Caphyon Advanced Installer; if not, it at least references it for registry-related actions in the Strings output. We already know that the sample can perform registry operations because it imports the following functions: Advapi32.dll!RegCreateKeyW; Advapi32.dll!RegDeleteValueA; Advapi32.dll!RegQueryValueExA; Advapi32.dll!RegDeleteValueW; Advapi32.dll!RegCreateKeyExW; Advapi32.dll!RegSetValueExW, and some others.
As an addition to this, the imports imply that the sample may at some point attempt to either modify existing Windows services or attempt to start its own, since it imports the following functions: Advapi32.dll!OpenSCManagerW; Advapi32.dll!OpenServiceW; Advapi32.dll!StartServiceW. It does not import Advapi32.dll!CreateServiceA/W, therefore I am convinced it will probably alter an existing one.
Another thing about the sample: it will attempt to adjust its privileges. It imports the following functions: Advapi32.dll!AdjustTokenPrivileges; Advapi32.dll!LookupPrivilegeValueW; Advapi32.dll!OpenProcessToken, and some others. This implies it will attempt to adjust its token privileges, probably to enable debugging rights (SeDebugPrivilege), since it does not require administrative privileges. As well as this, it imports the function GetCurrentProcess from Kernel32.dll, and while this can be used for a number of things, it would match well with this usage.
The sample works with the resources therefore it'd be wise for you to perform some manual analysis to check the resources and see if you can find anything interesting. It would also be wise to check the Strings output first for any more indicators on this.
The sample does have the ability to perform networking actions, via the wininet library (wininet.dll).
There is a high chance that this sample is an installer since it works with the Msi library; however, without dynamic analysis it's hard to really know. I have not performed any dynamic analysis or any real decompilation/disassembly due to specific reasons, and the above is just light-work details for you to interpret however you like.
The above details do not mean that the sample is malicious at all; however, I did submit the sample to Avira and I will let you know their verdict once they get back to me. That being said, it appears to be a crack, therefore it's automatically Riskware at the least.
Bad response, I know... You were expecting much better. I'm sorry I could not be of much use to anyone today but hopefully the above information can be found useful at least a little bit...
Stay safe,
Wave.
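As an added example (not code from the post or from Wave), a small Python triage helper that reads an IDA-style imports dump like the one quoted in the thread, buckets the registry, service-control and token-privilege APIs the post names, and derives the same kind of observations the post draws from them (service APIs but no CreateService, privilege APIs plus GetCurrentProcess). The sample dump, its addresses and the bucket regexes are constructed for the example.

```python
import re
# Constructed sample in the IDA "Imports" export layout quoted in the post; the
# API names are the ones the post discusses, the addresses are placeholders.
SAMPLE_IMPORTS = """\
Address Ordinal Name Library
------- ------- ---- -------
00513000 RegCreateKeyW ADVAPI32
00513004 RegDeleteValueA ADVAPI32
00513008 AdjustTokenPrivileges ADVAPI32
0051300C OpenServiceW ADVAPI32
00513010 StartServiceW ADVAPI32
00513100 GetCurrentProcess KERNEL32
"""
# Capability buckets: (library, regex on the API name with its A/W suffix removed).
CAPABILITIES = {
    "registry":        ("ADVAPI32", r"^Reg(Create|Open|Set|Query|Delete)"),
    "service_control": ("ADVAPI32", r"^(OpenSCManager|OpenService|StartService)"),
    "service_create":  ("ADVAPI32", r"^CreateService$"),
    "token_privilege": ("ADVAPI32", r"^(AdjustTokenPrivileges|LookupPrivilegeValue|OpenProcessToken)$"),
}

def parse_imports(text):
    """Return [(api, LIBRARY), ...]; header/separator rows are skipped, Ordinal may be blank."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and re.fullmatch(r"[0-9A-Fa-f]+", parts[0]):
            rows.append((parts[-2], parts[-1].upper()))
    return rows

def classify(imports):
    """Map each capability bucket to the sorted imports that hit it."""
    hits = {cap: [] for cap in CAPABILITIES}
    for name, lib in imports:
        base = name[:-1] if name[-1] in "AW" else name  # RegDeleteValueA -> RegDeleteValue
        for cap, (lib_pat, api_pat) in CAPABILITIES.items():
            if lib == lib_pat and re.search(api_pat, base):
                hits[cap].append(name)
    return {cap: sorted(v) for cap, v in hits.items()}

def infer(hits, imports):
    """Turn bucket hits into the triage observations the post draws from imports."""
    names = {n for n, _ in imports}
    notes = []
    if hits["service_control"] and not hits["service_create"]:
        notes.append("service APIs without CreateService: likely acts on an existing service")
    if hits["token_privilege"] and "GetCurrentProcess" in names:
        notes.append("privilege APIs plus GetCurrentProcess: adjusts its own token")
    return notes
```

Run it on the real export from the IDA Imports window (or a Strings.exe listing reduced to the same three columns) to get a first capability summary before any dynamic analysis.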