can you help me to analyze this file please?

giulia

Hi,
I have analyzed this file. I'm new and I want to learn.

Can somebody analyze this file and compare their results with me?
At least I can learn much more.

I have uploaded it here:
hxxp://www7. zippyshare.com/v/hmKO05Cm/file.html
few seconds ago

Re-uploaded with password, WinRAR 5:
Code:
h$$p://www17.zippyshare.com/v/SNyRmTgi/file.html
password infected
Hope now it's OK.


Thanks,
I will appreciate it a lot.
Sorry for my poor English.

PS
I tried to upload it, but I got this error:
ERROR :-(
Uploaded file over size limit. For this reason I added Malwr - Malware Analysis by Cuckoo Sandbox

shmu26

FYI, when the file is over the size limit, you can still check the download link on VirusTotal.

Wave

We cannot help you because you haven't actually provided us a sample to analyse; the Malwr URL doesn't point to analysis where registered users can download the sample.

Can you please upload the sample to Zippyshare and then post it here with the format "hxxp://" instead of "http://"/"https://"; an example would be the following:
Code:
hxxp://websiteurl.com/..../..../

Make sure to put the sample in a password protected archive (set the password as "infected" without the "").

Edit: Sorry, I missed the Zippyshare link in the original post, I apologise for being blind.

giulia

You already uploaded to zippyshare on your first post so all good. @Wave will check it I guess.
I have done it
at the beginning;
I re-type it here:
Code:
h$$p://www17.zippyshare.com/v/SNyRmTgi/file.html
password infected

Just to be correct, I tried it again, but
[two screenshots attached]

SHvFl

@giulia No one told you to upload the password-protected file to Malwr. Obviously it can't take password-protected files, because the engine will then be unable to analyze the file and there will be no point for them to get the sample.
What @Wave wanted was a Zippyshare upload, but password protected and with the URL changed to follow the rules and not be deleted, so he can get it and check the sample.

All is good now so don't worry. Someone will check it.

giulia

Hi,
I have uploaded it with a password here on Zippyshare. I didn't upload it to Malwr with the password; I just tried to upload it again to Malwr and uploaded the exe, but the file is too huge and I got the error, while on Zippyshare it is in WinRAR and with the password infected.

All is good now so don't worry. Someone will check it.
I hope so.

Thanks

Wave

The sample you uploaded appears to be a crack for genuine software provided by Postbox Inc (although the crack is not digitally signed).

I managed to track down a source of the sample you submitted, it should have come from the following source:
Code:
hxxps://haxoff.net/postbox-full-version-serial-key
(the download link at the bottom will redirect to multiple sites containing advertisements and pop-ups, which may or may not be malicious (e.g. normal advertisements, but also fake AV alerts, as I saw for myself); eventually you will reach the download stage, and within the archive will be the exact same sample under a different file name).

The original file name of the sample was: "Postbox 5.0.5 Repack - HaxOff.net.exe" and it was renamed to "Postbox.exe". Both file sizes are the same and you can check the hex of both executables so you know they are the same, as well as the checksum comparisons.

The real installer has a file size of 22,67KB (22.7MB rounded upwards, otherwise 22.6MB) and is digitally signed without the timestamp verification by "Postbox, Inc", unlike the sample from this thread.

Due to some personal health problems for the past few days I am unable to do proper PC work today; that being said, I have left some details below regarding static analysis for you to look at, which will help you in deciding a verdict. The below information was quickly obtained through a speedy static analysis overview, therefore I have not properly performed decompilation analysis or worked with disassembly.

Imports:
Code:
Address  Ordinal Name                                  Library
-------  ------- ----                                  -------
00513000         RegCreateKeyW                         ADVAPI32
00513004         LookupAccountSidW                     ADVAPI32
00513008         SetSecurityDescriptorDacl             ADVAPI32
0051300C         InitializeSecurityDescriptor          ADVAPI32
00513010         SetEntriesInAclW                      ADVAPI32
00513014         GetSecurityDescriptorDacl             ADVAPI32
00513018         AdjustTokenPrivileges                 ADVAPI32
0051301C         LookupPrivilegeValueW                 ADVAPI32
00513020         StartServiceW                         ADVAPI32
00513024         QueryServiceStatus                    ADVAPI32
00513028         OpenServiceW                          ADVAPI32
0051302C         RegDeleteValueA                       ADVAPI32
00513030         RegQueryValueExA                      ADVAPI32
00513034         RegDeleteValueW                       ADVAPI32
00513038         RegCreateKeyExW                       ADVAPI32
0051303C         RegSetValueExW                        ADVAPI32
00513040         RegEnumKeyExW                         ADVAPI32
00513044         RegQueryInfoKeyW                      ADVAPI32
00513048         RegDeleteKeyW                         ADVAPI32
0051304C         RegQueryValueExW                      ADVAPI32
00513050         RegOpenKeyExW                         ADVAPI32
00513054         RegCloseKey                           ADVAPI32
00513058         RegOpenKeyA                           ADVAPI32
0051305C         OpenSCManagerW                        ADVAPI32
00513060         LockServiceDatabase                   ADVAPI32
00513064         UnlockServiceDatabase                 ADVAPI32
00513068         CloseServiceHandle                    ADVAPI32
0051306C         RegOpenKeyExA                         ADVAPI32
00513070         RegEnumValueA                         ADVAPI32
00513074         RegOpenKeyW                           ADVAPI32
00513078         SystemFunction036                     ADVAPI32
0051307C         OpenProcessToken                      ADVAPI32
00513080         GetTokenInformation                   ADVAPI32
00513084         AllocateAndInitializeSid              ADVAPI32
00513088         EqualSid                              ADVAPI32
0051308C         FreeSid                               ADVAPI32
00513090         GetUserNameW                          ADVAPI32
00513094         RegDeleteKeyA                         ADVAPI32
00513098         RegCreateKeyA                         ADVAPI32
0051309C         RegSetValueExA                        ADVAPI32
005130A4         ImageList_LoadImageW                  COMCTL32
005130A8         ImageList_GetIcon                     COMCTL32
005130AC         ImageList_SetBkColor                  COMCTL32
005130B0         ImageList_AddMasked                   COMCTL32
005130B4         _TrackMouseEvent                      COMCTL32
005130B8         ImageList_Add                         COMCTL32
005130BC         ImageList_ReplaceIcon                 COMCTL32
005130C0         ImageList_Create                      COMCTL32
005130C4         ImageList_Destroy                     COMCTL32
005130C8         DestroyPropertySheetPage              COMCTL32
005130CC         CreatePropertySheetPageW              COMCTL32
005130D0         InitCommonControlsEx                  COMCTL32
005130D4         PropertySheetW                        COMCTL32
005130DC         GetOpenFileNameW                      COMDLG32
005130E0         GetSaveFileNameW                      COMDLG32
005130E8         GetLayout                             GDI32  
005130EC         GetBrushOrgEx                         GDI32  
005130F0         CreateFontIndirectW                   GDI32  
005130F4         CreateSolidBrush                      GDI32  
005130F8         GetRgnBox                             GDI32  
005130FC         CreatePolygonRgn                      GDI32  
00513100         EqualRgn                              GDI32  
00513104         CreateRectRgnIndirect                 GDI32  
00513108         GetStockObject                        GDI32  
0051310C         CreateFontW                           GDI32  
00513110         SetBkMode                             GDI32  
00513114         SetTextColor                          GDI32  
00513118         SetBrushOrgEx                         GDI32  
0051311C         CreatePatternBrush                    GDI32  
00513120         FillRgn                               GDI32  
00513124         SelectClipRgn                         GDI32  
00513128         GetBitmapBits                         GDI32  
0051312C         CreateRectRgn                         GDI32  
00513130         GetObjectW                            GDI32  
00513134         GetDeviceCaps                         GDI32  
00513138         Rectangle                             GDI32  
0051313C         ExtTextOutW                           GDI32  
00513140         SetBkColor                            GDI32  
00513144         ExcludeClipRect                       GDI32  
00513148         CreatePen                             GDI32  
0051314C         BitBlt                                GDI32  
00513150         SetViewportOrgEx                      GDI32  
00513154         CreateCompatibleBitmap                GDI32  
00513158         CreateCompatibleDC                    GDI32  
0051315C         DeleteObject                          GDI32  
00513160         SelectObject                          GDI32  
00513164         DeleteDC                              GDI32  
00513168         CreateBitmapIndirect                  GDI32  
0051316C         CreateDIBSection                      GDI32  
00513170         CombineRgn                            GDI32  
00513178         LoadLibraryW                          KERNEL32
0051317C         CreateDirectoryW                      KERNEL32
00513180         GetCurrentProcessId                   KERNEL32
00513184         GetExitCodeThread                     KERNEL32
00513188         SetEvent                              KERNEL32
0051318C         CreateEventW                          KERNEL32
00513190         SetLastError                          KERNEL32
00513194         GetDiskFreeSpaceExW                   KERNEL32
00513198         Sleep                                 KERNEL32
0051319C         GetCurrentThreadId                    KERNEL32
005131A0         DecodePointer                         KERNEL32
005131A4         WaitForSingleObject                   KERNEL32
005131A8         MulDiv                                KERNEL32
005131AC         FreeLibrary                           KERNEL32
005131B0         lstrlenW                              KERNEL32
005131B4         GetVersionExW                         KERNEL32
005131B8         lstrcmpiW                             KERNEL32
005131BC         ReadConsoleW                          KERNEL32
005131C0         WriteConsoleW                         KERNEL32
005131C4         SetStdHandle                          KERNEL32
005131C8         FindFirstFileExW                      KERNEL32
005131CC         GetCommandLineA                       KERNEL32
005131D0         FreeEnvironmentStringsW               KERNEL32
005131D4         GetEnvironmentStringsW                KERNEL32
005131D8         SetFilePointerEx                      KERNEL32
005131DC         GetOEMCP                              KERNEL32
005131E0         IsValidCodePage                       KERNEL32
005131E4         GetConsoleMode                        KERNEL32
005131E8         lstrcpynW                             KERNEL32
005131EC         EnumSystemLocalesW                    KERNEL32
005131F0         GetUserDefaultLCID                    KERNEL32
005131F4         IsValidLocale                         KERNEL32
005131F8         GetFileType                           KERNEL32
005131FC         GetModuleHandleExW                    KERNEL32
00513200         ExitProcess                           KERNEL32
00513204         GetACP                                KERNEL32
00513208         QueryPerformanceFrequency             KERNEL32
0051320C         RtlUnwind                             KERNEL32
00513210         QueryPerformanceCounter               KERNEL32
00513214         GetDriveTypeW                         KERNEL32
00513218         TerminateProcess                      KERNEL32
0051321C         UnhandledExceptionFilter              KERNEL32
00513220         WaitForSingleObjectEx                 KERNEL32
00513224         LCMapStringW                          KERNEL32
00513228         GetSystemTimeAsFileTime               KERNEL32
0051322C         TlsFree                               KERNEL32
00513230         TlsSetValue                           KERNEL32
00513234         TlsGetValue                           KERNEL32
00513238         TlsAlloc                              KERNEL32
0051323C         GetCPInfo                             KERNEL32
00513240         IsDebuggerPresent                     KERNEL32
00513244         VirtualFree                           KERNEL32
00513248         VirtualAlloc                          KERNEL32
0051324C         IsProcessorFeaturePresent             KERNEL32
00513250         FlushInstructionCache                 KERNEL32
00513254         InterlockedPushEntrySList             KERNEL32
00513258         InterlockedPopEntrySList              KERNEL32
0051325C         InitializeSListHead                   KERNEL32
00513260         EncodePointer                         KERNEL32
00513264         PeekNamedPipe                         KERNEL32
00513268         OpenEventW                            KERNEL32
0051326C         CopyFileExW                           KERNEL32
00513270         CompareFileTime                       KERNEL32
00513274         LocalAlloc                            KERNEL32
00513278         ResetEvent                            KERNEL32
0051327C         MoveFileW                             KERNEL32
00513280         GetLocaleInfoA                        KERNEL32
00513284         GetStringTypeW                        KERNEL32
00513288         ConnectNamedPipe                      KERNEL32
0051328C         CreateNamedPipeW                      KERNEL32
00513290         TerminateThread                       KERNEL32
00513294         GetSystemDirectoryW                   KERNEL32
00513298         GetLocalTime                          KERNEL32
0051329C         OutputDebugStringW                    KERNEL32
005132A0         Process32NextW                        KERNEL32
005132A4         Process32FirstW                       KERNEL32
005132A8         CreateToolhelp32Snapshot              KERNEL32
005132AC         GetWindowsDirectoryW                  KERNEL32
005132B0         FileTimeToSystemTime                  KERNEL32
005132B4         GetUserDefaultLangID                  KERNEL32
005132B8         GetSystemDefaultLangID                KERNEL32
005132BC         GetLocaleInfoW                        KERNEL32
005132C0         EnumResourceLanguagesW                KERNEL32
005132C4         SetEndOfFile                          KERNEL32
005132C8         SetCurrentDirectoryW                  KERNEL32
005132CC         GetCommandLineW                       KERNEL32
005132D0         CompareStringW                        KERNEL32
005132D4         InterlockedDecrement                  KERNEL32
005132D8         InterlockedIncrement                  KERNEL32
005132DC         GetModuleFileNameW                    KERNEL32
005132E0         GlobalUnlock                          KERNEL32
005132E4         GlobalLock                            KERNEL32
005132E8         GlobalAlloc                           KERNEL32
005132EC         lstrcmpW                              KERNEL32
005132F0         GetFileSize                           KERNEL32
005132F4         ReadFile                              KERNEL32
005132F8         GlobalFree                            KERNEL32
005132FC         GetTempPathW                          KERNEL32
00513300         GetSystemTime                         KERNEL32
00513304         SystemTimeToFileTime                  KERNEL32
00513308         GetTempFileNameW                      KERNEL32
0051330C         DeleteFileW                           KERNEL32
00513310         FindFirstFileW                        KERNEL32
00513314         RemoveDirectoryW                      KERNEL32
00513318         FindNextFileW                         KERNEL32
0051331C         GetLogicalDriveStringsW               KERNEL32
00513320         GetFileAttributesW                    KERNEL32
00513324         SetFileAttributesW                    KERNEL32
00513328         GetFileTime                           KERNEL32
0051332C         CopyFileW                             KERNEL32
00513330         FindClose                             KERNEL32
00513334         WaitForMultipleObjects                KERNEL32
00513338         GetSystemInfo                         KERNEL32
0051333C         GetCurrentProcess                     KERNEL32
00513340         InterlockedExchange                   KERNEL32
00513344         WideCharToMultiByte                   KERNEL32
00513348         LoadLibraryExW                        KERNEL32
0051334C         GetStartupInfoW                       KERNEL32
00513350         MultiByteToWideChar                   KERNEL32
00513354         FindResourceExW                       KERNEL32
00513358         FindResourceW                         KERNEL32
0051335C         LoadResource                          KERNEL32
00513360         LockResource                          KERNEL32
00513364         SizeofResource                        KERNEL32
00513368         LeaveCriticalSection                  KERNEL32
0051336C         InitializeCriticalSection             KERNEL32
00513370         EnterCriticalSection                  KERNEL32
00513374         GetModuleHandleW                      KERNEL32
00513378         GetProcAddress                        KERNEL32
0051337C         RaiseException                        KERNEL32
00513380         GetExitCodeProcess                    KERNEL32
00513384         CreateProcessW                        KERNEL32
00513388         GetModuleFileNameA                    KERNEL32
0051338C         FlushFileBuffers                      KERNEL32
00513390         GetProcessHeap                        KERNEL32
00513394         SetFilePointer                        KERNEL32
00513398         GetConsoleScreenBufferInfo            KERNEL32
0051339C         GetStdHandle                          KERNEL32
005133A0         SetConsoleTextAttribute               KERNEL32
005133A4         GetFullPathNameW                      KERNEL32
005133A8         GetCurrentThread                      KERNEL32
005133AC         LoadLibraryA                          KERNEL32
005133B0         LocalFree                             KERNEL32
005133B4         GetEnvironmentVariableW               KERNEL32
005133B8         HeapAlloc                             KERNEL32
005133BC         HeapFree                              KERNEL32
005133C0         HeapReAlloc                           KERNEL32
005133C4         HeapSize                              KERNEL32
005133C8         HeapDestroy                           KERNEL32
005133CC         InitializeCriticalSectionAndSpinCount KERNEL32
005133D0         GetLastError                          KERNEL32
005133D4         DeleteCriticalSection                 KERNEL32
005133D8         CloseHandle                           KERNEL32
005133DC         WriteFile                             KERNEL32
005133E0         CreateFileW                           KERNEL32
005133E4         GetConsoleCP                          KERNEL32
005133E8         VirtualProtect                        KERNEL32
005133EC         VirtualQuery                          KERNEL32
005133F0         LoadLibraryExA                        KERNEL32
005133F4         GetShortPathNameW                     KERNEL32
005133F8         FormatMessageW                        KERNEL32
005133FC         CreateThread                          KERNEL32
00513400         SetUnhandledExceptionFilter           KERNEL32
00513408         WNetAddConnection2W                   MPR    
00513410         AlphaBlend                            MSIMG32
00513414         TransparentBlt                        MSIMG32
0051341C 94      VarDateFromStr                        OLEAUT32
00513420 277     VarUI4FromStr                         OLEAUT32
00513424 418     OleLoadPicture                        OLEAUT32
00513428 149     SysStringByteLen                      OLEAUT32
0051342C 150     SysAllocStringByteLen                 OLEAUT32
00513430 4       SysAllocStringLen                     OLEAUT32
00513434 161     LoadTypeLib                           OLEAUT32
00513438 162     LoadRegTypeLib                        OLEAUT32
0051343C 7       SysStringLen                          OLEAUT32
00513440 420     OleCreateFontIndirect                 OLEAUT32
00513444 10      VariantCopy                           OLEAUT32
00513448 8       VariantInit                           OLEAUT32
0051344C 2       SysAllocString                        OLEAUT32
00513450 9       VariantClear                          OLEAUT32
00513454 6       SysFreeString                         OLEAUT32
0051345C         ShellExecuteW                         SHELL32
00513460         ShellExecuteExW                       SHELL32
00513464         SHGetFileInfoW                        SHELL32
00513468         SHGetSpecialFolderLocation            SHELL32
0051346C         SHGetMalloc                           SHELL32
00513470         SHGetFolderPathW                      SHELL32
00513474         SHBrowseForFolderW                    SHELL32
00513478         SHGetPathFromIDListW                  SHELL32
00513480         PathAddBackslashW                     SHLWAPI
00513484         PathIsUNCW                            SHLWAPI
00513488         PathFileExistsW                       SHLWAPI
0051348C         PathIsDirectoryW                      SHLWAPI
00513494         GetClientRect                         USER32
00513498         MapWindowPoints                       USER32
0051349C         GetParent                             USER32
005134A0         UnregisterClassW                      USER32
005134A4         SendMessageW                          USER32
005134A8         GetWindowTextW                        USER32
005134AC         GetWindowTextLengthW                  USER32
005134B0         FillRect                              USER32
005134B4         IsWindow                              USER32
005134B8         ShowWindow                            USER32
005134BC         GetWindowRect                         USER32
005134C0         UnionRect                             USER32
005134C4         IsWindowVisible                       USER32
005134C8         BeginPaint                            USER32
005134CC         EndPaint                              USER32
005134D0         ScreenToClient                        USER32
005134D4         SetWindowPos                          USER32
005134D8         GetWindowDC                           USER32
005134DC         CallWindowProcW                       USER32
005134E0         DefWindowProcW                        USER32
005134E4         GetWindowLongW                        USER32
005134E8         SetWindowLongW                        USER32
005134EC         GetWindow                             USER32
005134F0         DrawFrameControl                      USER32
005134F4         RegisterWindowMessageW                USER32
005134F8         InvalidateRgn                         USER32
005134FC         GetDesktopWindow                      USER32
00513500         GetKeyState                           USER32
00513504         DrawStateW                            USER32
00513508         DrawFocusRect                         USER32
0051350C         DrawTextExW                           USER32
00513510         ValidateRect                          USER32
00513514         DestroyMenu                           USER32
00513518         CreatePopupMenu                       USER32
0051351C         AppendMenuW                           USER32
00513520         TrackPopupMenu                        USER32
00513524         InflateRect                           USER32
00513528         LoadBitmapW                           USER32
0051352C         MessageBeep                           USER32
00513530         LoadImageW                            USER32
00513534         CharNextW                             USER32
00513538         GetClassNameW                         USER32
0051353C         SetCapture                            USER32
00513540         ReleaseCapture                        USER32
00513544         UpdateWindow                          USER32
00513548         DestroyIcon                           USER32
0051354C         GetDlgCtrlID                          USER32
00513550         GetCapture                            USER32
00513554         GetScrollPos                          USER32
00513558         SetScrollInfo                         USER32
0051355C         GetClassInfoExW                       USER32
00513560         RegisterClassExW                      USER32
00513564         DrawEdge                              USER32
00513568         SetScrollPos                          USER32
0051356C         SetRect                               USER32
00513570         MoveWindow                            USER32
00513574         GetScrollInfo                         USER32
00513578         GetMessagePos                         USER32
0051357C         SystemParametersInfoW                 USER32
00513580         GetActiveWindow                       USER32
00513584         TrackMouseEvent                       USER32
00513588         GetAsyncKeyState                      USER32
0051358C         DestroyCursor                         USER32
00513590         GetComboBoxInfo                       USER32
00513594         GetWindowRgn                          USER32
00513598         IsZoomed                              USER32
0051359C         SetWindowRgn                          USER32
005135A0         DialogBoxParamW                       USER32
005135A4         EndDialog                             USER32
005135A8         CreateDialogParamW                    USER32
005135AC         TranslateAcceleratorW                 USER32
005135B0         CreateAcceleratorTableW               USER32
005135B4         DestroyAcceleratorTable               USER32
005135B8         InvalidateRect                        USER32
005135BC         GetNextDlgTabItem                     USER32
005135C0         SetCursor                             USER32
005135C4         MonitorFromWindow                     USER32
005135C8         GetMonitorInfoW                       USER32
005135CC         IsDialogMessageW                      USER32
005135D0         IsChild                               USER32
005135D4         PostQuitMessage                       USER32
005135D8         PostMessageW                          USER32
005135DC         SetForegroundWindow                   USER32
005135E0         SetCursorPos                          USER32
005135E4         GetCursorPos                          USER32
005135E8         PeekMessageW                          USER32
005135EC         GetMessageW                           USER32
005135F0         TranslateMessage                      USER32
005135F4         DispatchMessageW                      USER32
005135F8         LoadCursorW                           USER32
005135FC         LoadStringW                           USER32
00513600         MessageBoxW                           USER32
00513604         GetFocus                              USER32
00513608         EnableWindow                          USER32
0051360C         DestroyWindow                         USER32
00513610         GetForegroundWindow                   USER32
00513614         EnumWindows                           USER32
00513618         GetWindowThreadProcessId              USER32
0051361C         DialogBoxIndirectParamW               USER32
00513620         MsgWaitForMultipleObjects             USER32
00513624         GetPropW                              USER32
00513628         GetSystemMenu                         USER32
0051362C         EnableMenuItem                        USER32
00513630         ModifyMenuW                           USER32
00513634         ExitWindowsEx                         USER32
00513638         GetScrollRange                        USER32

Strings:
Code:
.rdata:00515040 00000014 C    CreateSymbolicLinkW                                                                                                                            
.rdata:00515054 00000014 C    GetCurrentPackageId                                                                                                                            
.rdata:00515068 0000000F C    GetTickCount64                                                                                                                                  
.rdata:00515078 0000001D C    GetFileInformationByHandleEx                                                                                                                    
.rdata:00515098 0000001B C    SetFileInformationByHandle                                                                                                                      
.rdata:005150B4 0000001F C    GetSystemTimePreciseAsFileTime                                                                                                                  
.rdata:005150D4 0000001C C    InitializeConditionVariable                                                                                                                    
.rdata:005150F0 00000016 C    WakeConditionVariable                                                                                                                          
.rdata:00515108 00000019 C    WakeAllConditionVariable                                                                                                                        
.rdata:00515124 00000019 C    SleepConditionVariableCS                                                                                                                        
.rdata:00515140 00000012 C    InitializeSRWLock                                                                                                                              
.rdata:00515154 0000001B C    TryAcquireSRWLockExclusive                                                                                                                      
.rdata:00515170 0000001A C    SleepConditionVariableSRW                                                                                                                      
.rdata:0051518C 00000015 C    CreateThreadpoolWork                                                                                                                            
.rdata:005151A4 00000015 C    SubmitThreadpoolWork                                                                                                                            
.rdata:005151BC 00000014 C    CloseThreadpoolWork                                                                                                                            
.rdata:005151D0 00000010 C    CompareStringEx                                                                                                                                
.rdata:005151E0 00000010 C    GetLocaleInfoEx                                                                                                                                
.rdata:005151F0 0000000E C    LCMapStringEx                                                                                                                                  
.rdata:00516110 00000015 C    bad array new length                                                                                                                            
.rdata:00516138 0000000E C    bad exception                                                                                                                                  
.rdata:00516208 0000000E C    EventRegister                                                                                                                                  
.rdata:0051621C 00000014 C    EventSetInformation                                                                                                                            
.rdata:00516234 00000010 C    EventUnregister                                                                                                                                
.rdata:00516248 00000013 C    EventWriteTransfer                                                                                                                              
.rdata:00516288 0000000E C    Main Invoked.                                                                                                                                  
.rdata:00516298 0000000F C    Main Returned.                                                                                                                                  
.rdata:00516438 00000009 C    __based(                                                                                                                                        
.rdata:00516444 00000008 C    __cdecl                                                                                                                                        
.rdata:0051644C 00000009 C    __pascal                                                                                                                                        
.rdata:00516458 0000000A C    __stdcall                                                                                                                                      
.rdata:00516464 0000000B C    __thiscall                                                                                                                                      
.rdata:00516470 0000000B C    __fastcall                                                                                                                                      
.rdata:0051647C 0000000D C    __vectorcall                                                                                                                                    
.rdata:0051648C 0000000A C    __clrcall                                                                                                                                      
.rdata:00516498 00000007 C    __eabi                                                                                                                                          
.rdata:005164A0 00000008 C    __ptr64                                                                                                                                        
.rdata:005164A8 0000000B C    __restrict                                                                                                                                      
.rdata:005164B4 0000000C C    __unaligned                                                                                                                                    
.rdata:005164C0 0000000A C    restrict(                                                                                                                                      
.rdata:005164CC 00000005 C     new                                                                                                                                            
.rdata:005164D4 00000008 C     delete                                                                                                                                        
.rdata:005164F8 00000009 C    operator                                                                                                                                        
.rdata:00516578 0000000A C    `vftable'                                                                                                                                      
.rdata:00516584 0000000A C    `vbtable'                                                                                                                                      
.rdata:00516590 00000008 C    `vcall'                                                                                                                                        
.rdata:00516598 00000009 C    `typeof'                                                                                                                                        
.rdata:005165A4 00000015 C    `local static guard'                                                                                                                            
.rdata:005165BC 00000009 C    `string'                                                                                                                                        
.rdata:005165C8 00000013 C    `vbase destructor'                                                                                                                              
.rdata:005165DC 0000001D C    `vector deleting destructor'                                                                                                                    
.rdata:005165FC 0000001E C    `default constructor closure'                                                                                                                  
.rdata:0051661C 0000001D C    `scalar deleting destructor'                                                                                                                    
.rdata:0051663C 0000001E C    `vector constructor iterator'                                                                                                                  
.rdata:0051665C 0000001D C    `vector destructor iterator'                                                                                                                    
.rdata:0051667C 00000024 C    `vector vbase constructor iterator'                                                                                                            
.rdata:005166A0 0000001B C    `virtual displacement map'                                                                                                                      
.rdata:005166BC 00000021 C    `eh vector constructor iterator'                                                                                                                
.rdata:005166E0 00000020 C    `eh vector destructor iterator'                                                                                                                
.rdata:00516700 00000027 C    `eh vector vbase constructor iterator'                                                                                                          
.rdata:00516728 0000001B C    `copy constructor closure'                                                                                                                      
.rdata:00516744 00000010 C    `udt returning'                                                                                                                                
.rdata:00516758 00000006 C    `RTTI                                                                                                                                          
.rdata:00516760 00000010 C    `local vftable'                                                                                                                                
.rdata:00516770 00000024 C    `local vftable constructor closure'                                                                                                            
.rdata:00516794 00000007 C     new[]                                                                                                                                          
.rdata:0051679C 0000000A C     delete[]                                                                                                                                      
.rdata:005167A8 0000000F C    `omni callsig'                                                                                                                                  
.rdata:005167B8 0000001B C    `placement delete closure'                                                                                                                      
.rdata:005167D4 0000001D C    `placement delete[] closure'                                                                                                                    
.rdata:005167F4 00000026 C    `managed vector constructor iterator'                                                                                                          
.rdata:0051681C 00000025 C    `managed vector destructor iterator'                                                                                                            
.rdata:00516844 00000026 C    `eh vector copy constructor iterator'                                                                                                          
.rdata:0051686C 0000002C C    `eh vector vbase copy constructor iterator'                                                                                                    
.rdata:00516898 0000001B C    `dynamic initializer for '                                                                                                                      
.rdata:005168B4 00000021 C    `dynamic atexit destructor for '                                                                                                                
.rdata:005168D8 00000023 C    `vector copy constructor iterator'                                                                                                              
.rdata:005168FC 00000029 C    `vector vbase copy constructor iterator'                                                                                                        
.rdata:00516928 0000002B C    `managed vector copy constructor iterator'                                                                                                      
.rdata:00516954 0000001C C    `local static thread guard'                                                                                                                    
.rdata:00516970 0000000D C    operator \"\"                                                                                                                                  
.rdata:00516980 00000012 C     Type Descriptor'                                                                                                                              
.rdata:00516994 0000001C C     Base Class Descriptor at (                                                                                                                    
.rdata:005169B0 00000013 C     Base Class Array'                                                                                                                              
.rdata:005169C4 0000001D C     Class Hierarchy Descriptor'                                                                                                                    
.rdata:005169E4 0000001A C     Complete Object Locator'                                                                                                                      
.rdata:00516B89 00000008 C    ( 8PX\a\b                                                                                                                                      
.rdata:00516B91 00000007 C    700WP\a                                                                                                                                        
.rdata:00516B99 00000005 C      \b\a                                                                                                                                          
.rdata:00516BA0 00000008 C    \b`h````                                                                                                                                        
.rdata:00516BA9 0000000B C    xpxxxx\b\a\b\a                                                                                                                                  
.rdata:00516BC9 00000007 C    €€†€€                                                                                                                                          
.rdata:00516BED 00000005 C    ('8PW                                                                                                                                          
.rdata:00516BF6 00000005 C    700PP                                                                                                                                          
.rdata:00516C08 00000012 C    `h`hhh\b\b\axwpwpp\b\b                                                                                                                          
.rdata:00516C24 00000007 C    (null)                                                                                                                                          
.rdata:00516DD4 00000007 C    [aOni*{                                                                                                                                        
.rdata:00516EAB 00000005 C    eLK(w                                                                                                                                          
.rdata:00516F17 00000005 C    \bFEMh                                                                                                                                          
.rdata:00516FB5 00000006 C    ~ $s%r                                                                                                                                          
.rdata:00516FC3 00000007 C    \a@b;zO]                                                                                                                                        
.rdata:005170DC 00000005 C    iu+-,                                                                                                                                          
.rdata:0051714D 00000005 C    obwQ4                                                                                                                                          
.rdata:0051739F 00000006 C    v2!L.2                                                                                                                                          
.rdata:00517522 00000005 C    ^<V7w                                                                                                                                          
.rdata:00517726 00000005 C    \a\b\t\n\v                                                                                                                                      
.rdata:0051773F 0000005F C     !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~                                              
.rdata:00517D47 00000005 C    \a\b\t\n\v                                                                                                                                      
.rdata:00517D60 0000005F C     !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~                                              
.rdata:00517EC7 00000005 C    \a\b\t\n\v                                                                                                                                      
.rdata:00517EE0 0000005F C     !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~                                              
.rdata:00517FC0 00000005 C    sqrt                                                                                                                                            
.rdata:0051807C 0000000F C    CorExitProcess                                                                                                                                  
.rdata:00518124 00000007 C    Sunday                                                                                                                                          
.rdata:0051812C 00000007 C    Monday                                                                                                                                          
.rdata:00518134 00000008 C    Tuesday                                                                                                                                                                                                      
.rdata:0051B3F8 00000010 C    string too long                                                                                                                                
.rdata:0051B4BC 00000013 C    vector<T> too long                                                                                                                              
.rdata:0051BC41 00000040 C    BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/                                                                                
.rdata:0051BEA0 0000000B C    ADVINSTSFX                                                                                                                                      
.rdata:0051C588 00000017 C    ()$^.*+?[]|\\-{},:=!\n\r\b                                                                                                                      
.rdata:0051CFC4 00000011 C    list<T> too long                                                                                                                                
.rdata:0051CFD8 00000014 C    map/set<T> too long                                                                                                                            
.rdata:0051EB20 00000012 C    deque<T> too long                                                                                                                              
.rdata:0051FE40 00000035 C    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\                                                                                      
.rdata:0051FE80 00000025 C    Software\\Caphyon\\Advanced Installer\\                                                                                                        
.rdata:0051FEB0 00000010 C    InstallLanguage                                                                                                                                
.rdata:00520A44 0000001C C    invalid vector<T> subscript                                                                                                                    
.rdata:00520B8C 0000000F C    SetWindowTheme                                                                                                                                  
.rdata:00520BB0 0000000F C    GetWindowTheme                                                                                                                                  
.rdata:00520BC0 00000014 C    DrawThemeBackground                                                                                                                            
.rdata:00520BD4 0000000E C    DrawThemeText                                                                                                                                  
.rdata:00520CB4 0000000E C    DllGetVersion                                                                                                                                  
.rdata:00520CE0 0000000E C    IsThemeActive                                                                                                                                  
.rdata:00521460 00000016 C    RegOpenKeyTransactedW                                                                                                                          
.rdata:00523FE1 00000005 C    @Qm6t                                                                                                                                          
.rdata:0052415B 00000005 C    \v%D,3                                                                                                                                          
.rdata:005266CC 0000000E C    OpenThemeData                                                                                                                                  
.rdata:00526704 0000000E C    DrawThemeEdge                                                                                                                                  
.rdata:00526714 0000000F C    CloseThemeData                                                                                                                                  
.rdata:00526724 0000000C C    IsAppThemed                                                                                                                                    
.rdata:00526740 00000066 C    @echo off \r\nATTRIB -r \"%s\" \r\n:try \r\nrd \"%s\" \r\nif exist \"%s\" goto try\r\nATTRIB -r \"%s\" \r\ndel \"%s\" | cls                    
.rdata:005267C0 00000067 C    @echo off \r\nATTRIB -r \"%s\" \r\n:try \r\ndel \"%s\" \r\nif exist \"%s\" goto try\r\nATTRIB -r \"%s\" \r\ndel \"%s\" | cls

NOTE: Due to the max character limit on this forum I had to remove some of the Strings output, therefore please re-output via IDA Pro or Strings.exe for the entire collection of them.

The sample uses the Caphyon Advanced Installer; if not, it at least references it for registry-related actions in the Strings output. We already know that the sample can perform registry operations because it imports the following functions: Advapi32.dll!RegCreateKeyW; Advapi32.dll!RegDeleteValueA; Advapi32.dll!RegQueryValueExA; Advapi32.dll!RegDeleteValueW; Advapi32.dll!RegCreateKeyExW; Advapi32.dll!RegSetValueExW, and some others.

As an addition to this, the imports imply that the sample may at some point attempt to either modify existing Windows services, or attempt to start its own, since it imports the following functions: Advapi32.dll!OpenSCManagerW; Advapi32.dll!OpenServiceW; Advapi32.dll!StartServiceW. It does not import Advapi32.dll!CreateServiceA/W therefore I am convinced it will probably alter an existing one.

Another thing about the sample: it will attempt to adjust its privileges. It imports the following functions: Advapi32.dll!AdjustTokenPrivileges; Advapi32.dll!LookupPrivilegeValueW; Advapi32.dll!OpenProcessToken, and some others. This implies it will attempt to adjust its token privileges, probably to enable debugging rights (SeDebugPrivilege), since it does not require administrative privileges. As well as this, it imports the function GetCurrentProcess from Kernel32.dll and while this can be used for a number of things, it would match well with this usage.

The sample works with the resources therefore it'd be wise for you to perform some manual analysis to check the resources and see if you can find anything interesting. It would also be wise to check the Strings output first for any more indicators on this.

The sample does have the ability to perform networking actions, via the wininet library (wininet.dll).

There is a high chance that this sample is an installer since it works with the Msi library however without dynamic analysis it's hard to really know - I have not performed any dynamic analysis or any real decompilation/disassembly due to specific reasons, and the above is just lightwork details for you to interpret however you like.

The above details do not mean that the sample is malicious at all, however I did submit the sample to Avira and I will let you know on their verdict once they get back to me. That being said, it appears to be a crack, therefore it's automatically Riskware at the least.

Bad response, I know... You were expecting much better. I'm sorry I could not be of much use to anyone today but hopefully the above information can be found useful at least a little bit...

Stay safe,
Wave. ;)
 

Wave

hi
thanks a lot
i will read it very carefully
may i ask you a question? does the installer work on your virtual machine? i mean can you install it ?
under sandboxie it doesn't work (the installer)
thanks
I was originally going to perform dynamic analysis and monitor the API call executions, registry modifications, file operations, etc... But I had to remove my environment for analysis the other day and I need to re-create it, and I don't have time to do this for a few more days. Therefore, if no one has tested this for you still in a few days, then I will re-set things up and check that for you. :)

I doubt it would work under Sandboxie since Sandboxie will set hooks and redirect execution which will limit software from actually working properly in a lot of cases, causing them to break or just not function as expected. This is why a Virtual Machine is much better for testing, since you give the software a more accurate chance to function without modifications to its execution flow while it's executing in memory.

Have you tried to execute it in a Virtual Machine yet? If so, make sure to disable shared clipboard/folder prior to running the sample, and also make sure to have some sort of VPN protection set-up (it can be on the Host, that should be good enough).
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Thanks @Wave !! :)

Interesting imports, especially the imports related to clipboard (OpenClipboard, CloseClipboard, setClipBoardData and EmptyClipboard), so it definitely uses deep malicious functions, but also SendMessage, HTTPQuery, and internet related imports.
Maybe it is able to retrieve data from ClipBoard (such as passwords) and send them to a server.
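An added worked example of the import-and-strings triage that Wave and tim one describe above; this is not code from the thread or from any tool mentioned in it. It parses lines in the IDA Strings listing format shown earlier, flags registry paths, embedded batch scripts and installer markers, and groups an import list into capability buckets with the same caveats the posts raise (service-control imports without CreateService, token-privilege adjustment, clipboard access next to networking). The import list and the strings lines are constructed for the example, modelled on the names quoted in the thread; the function names, category labels and DLL list are my own assumptions.

```python
"""Static triage helpers for a PE sample: import-capability buckets and an
IDA 'Strings' listing scanner. Added example, not the thread's own tooling."""
import re
from collections import defaultdict

# Capability hints keyed by imported function name, following the reasoning in
# the thread: registry functions -> registry modification, service-control
# functions -> service tampering, token functions -> privilege adjustment,
# clipboard functions -> clipboard access. Networking is flagged per DLL.
CAPABILITY_RULES = {
    "registry": {"RegCreateKeyW", "RegCreateKeyExW", "RegSetValueExW",
                 "RegDeleteValueA", "RegDeleteValueW", "RegQueryValueExA"},
    "service_control": {"OpenSCManagerW", "OpenServiceW", "StartServiceW",
                        "CreateServiceA", "CreateServiceW"},
    "privilege_adjust": {"AdjustTokenPrivileges", "LookupPrivilegeValueW",
                         "OpenProcessToken"},
    "clipboard": {"OpenClipboard", "CloseClipboard", "SetClipboardData",
                  "EmptyClipboard", "GetClipboardData"},
}
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "ws2_32.dll"}  # assumption


def triage_imports(imports):
    """imports: iterable of 'Dll!Function' strings (as printed in the thread).
    Returns ({capability: sorted function names}, [analyst notes])."""
    hits = defaultdict(set)
    for entry in imports:
        dll, _, func = entry.partition("!")
        if dll.lower() in NETWORK_DLLS:
            hits["network"].add(func)
        for cap, names in CAPABILITY_RULES.items():
            if func in names:
                hits[cap].add(func)
    notes = []
    sc = hits.get("service_control", set())
    if sc and not sc & {"CreateServiceA", "CreateServiceW"}:
        notes.append("service_control: no CreateService import, so the sample "
                     "more likely opens/starts an existing service than installs one")
    if {"AdjustTokenPrivileges", "LookupPrivilegeValueW"} <= hits.get("privilege_adjust", set()):
        notes.append("privilege_adjust: confirm which privilege is requested "
                     "(e.g. SeDebugPrivilege) with API tracing in a VM")
    if "clipboard" in hits and "network" in hits:
        notes.append("clipboard+network: possible clipboard exfiltration, verify dynamically")
    return {cap: sorted(funcs) for cap, funcs in hits.items()}, notes


# One IDA Strings line: ".rdata:0051FE40 00000035 C    SOFTWARE\\Microsoft\\..."
STRING_LINE = re.compile(
    r"^(?P<seg>\.\w+):(?P<addr>[0-9A-Fa-f]{8})\s+(?P<length>[0-9A-Fa-f]{8})"
    r"\s+(?P<kind>\S+)\s+(?P<text>.*?)\s*$")

# First matching category wins. IDA escapes backslashes, so a registry path
# appears with doubled backslashes in the listing; the regex matches that form.
STRING_RULES = [
    ("registry_path", re.compile(r"(?i)^(SOFTWARE|HKLM|HKCU)\\\\")),
    ("batch_script", re.compile(r"@echo off")),
    ("installer_marker", re.compile(r"(?i)advanced installer|ADVINSTSFX")),
]


def scan_strings(listing):
    """Parse an IDA Strings listing and return [(address, category, text)]
    for every string that matches one of STRING_RULES."""
    flagged = []
    for line in listing.splitlines():
        m = STRING_LINE.match(line.strip())
        if not m:
            continue
        text = m.group("text")
        for category, pattern in STRING_RULES:
            if pattern.search(text):
                flagged.append((m.group("addr"), category, text))
                break
    return flagged


# Constructed inputs modelled on the names quoted in the thread.
SAMPLE_IMPORTS = [
    "Advapi32.dll!RegCreateKeyW", "Advapi32.dll!RegDeleteValueA",
    "Advapi32.dll!RegQueryValueExA", "Advapi32.dll!RegSetValueExW",
    "Advapi32.dll!OpenSCManagerW", "Advapi32.dll!OpenServiceW",
    "Advapi32.dll!StartServiceW",
    "Advapi32.dll!AdjustTokenPrivileges", "Advapi32.dll!LookupPrivilegeValueW",
    "Advapi32.dll!OpenProcessToken", "Kernel32.dll!GetCurrentProcess",
    "wininet.dll!InternetOpenW", "wininet.dll!HttpQueryInfoW",
    "User32.dll!OpenClipboard", "User32.dll!SetClipboardData",
    "User32.dll!EmptyClipboard", "User32.dll!CloseClipboard",
]
SAMPLE_STRINGS = r"""
.rdata:0051BEA0 0000000B C    ADVINSTSFX
.rdata:0051FE40 00000035 C    SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\
.rdata:0051FE80 00000025 C    Software\\Caphyon\\Advanced Installer\\
.rdata:0051FEB0 00000010 C    InstallLanguage
.rdata:00526740 00000066 C    @echo off \r\nATTRIB -r \"%s\" \r\n:try \r\nrd \"%s\" \r\nif exist \"%s\" goto try\r\nATTRIB -r \"%s\" \r\ndel \"%s\" | cls
"""

if __name__ == "__main__":
    caps, notes = triage_imports(SAMPLE_IMPORTS)
    for cap, funcs in caps.items():
        print(f"{cap}: {', '.join(funcs)}")
    for note in notes:
        print("NOTE", note)
    for addr, category, text in scan_strings(SAMPLE_STRINGS):
        print(addr, category, text[:60])
```

The buckets are only hints for where to look next: an installer legitimately writes uninstall keys and runs a self-deleting batch file, so a "registry_path" or "batch_script" hit is a reason to trace the call in a VM, not a verdict.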
 

giulia

Level 5
Thread author
Verified
Nov 30, 2016
236
I doubt it would work under Sandboxie since Sandboxie will set hooks and redirect execution which will limit software from actually working properly in a lot of cases, causing them to break or just not function as expected. This is why a Virtual Machine is much better for testing, since you give the software a more accurate chance to function without modifications to its execution flow while it's executing in memory.

Have you tried to execute it in a Virtual Machine yet? If so, make sure to disable shared clipboard/folder prior to running the sample, and also make sure to have some sort of VPN protection set-up (it can be on the Host, that should be good enough).
hi
yes, I ran it under a virtual machine but I had not disabled the shared clipboard/folder and had no VPN protection set up
I have even run it outside a virtual machine, under Sandboxie
now I'm worried!!!
 

giulia

Level 5
Thread author
Verified
Nov 30, 2016
236
Thanks @Wave !! :)

Interesting imports, especially the imports related to the clipboard (OpenClipboard, CloseClipboard, SetClipboardData and EmptyClipboard), so it definitely uses deep malicious functions, but also SendMessage, HTTPQuery, and internet-related imports.
Maybe it is able to retrieve data from the clipboard (such as passwords) and send them to a server.
hi
that makes me even more worried
 
W

Wave

hi
yes, I ran it under a virtual machine but I had not disabled the shared clipboard/folder and had no VPN protection set up
I have even run it outside a virtual machine, under Sandboxie
now I'm worried!!!
Never perform malware analysis on your Host system at all to be on the safe side, unless within a Guest environment (such as a Virtual Machine). Sandboxie is not real virtualisation, it's just redirecting execution flow via API hooks and is not as secure as a lot of people really believe (sorry if the developer reads this and feels offended but if he/she does, look into VT-x utilisation).

Your IP address becomes exposed to many sites every day when you are browsing, like MalwareTips for example. Chances are nothing will happen, and there is no guarantee that the sample is even actually malicious yet, I said Riskware as a temporary place-holder since I did not do a full analysis for specific reasons, but Avira will tell me their verdict soon.

As for the shared folders and clipboard, they should be disabled as they could potentially be attack vectors for exploitation from running malware on the Guest OS; that does not mean all samples will try to do such a thing, and even in itself it would be extremely rare to see. This sample definitely does nothing like this, so you don't need to worry about that; this sample doesn't even know if its functions were hooked, let alone unhook/circumvent the hooks, either (in the case of Sandboxie).

But remember to keep all testing within a Virtual Environment or a dedicated malware analysis system. Remember that data theft can still occur within the analysis environment, also.
 
