As the different malware types evolve, they find new ways to bypass security solutions and try to slip under the radar of security companies, to become more persistent and to hide their identity.

During the last year, Avira researchers have been monitoring and investigating a loader family. The loader caught our attention because of the anti-analysis methods it implements throughout its infection cycle. Once the loader is activated, its payload can trigger a chain of events that eventually results in the installation of adware, bots, pay-per-install campaigns, and even further Trojan downloaders.

We were seeing DLLs with the name msimg32.dll being loaded by an executable named setup.exe. Even though the former is not the original Windows DLL, both of them were part of the archive, with the archive typically containing one further resource DLL. Each archive always contained setup.exe, with the remaining two files changing daily. In general, the Portable Executable attributes of the DLL were constantly changing, except one: the export name "AlphaBlend". (msimg32.dll is the name of a genuine Windows library and AlphaBlend is one of its exports; a DLL planted under that name next to a host that imports it must keep that export or the host will fail to load it, which makes it the one attribute worth hunting on.)

The DLL came packed with one of many popular packers, such as UPX, MPress or VMProtect, or with a custom packer. When we ran the msimg32.dll library on its own in the analysis environment, it failed to execute. So before we began our static analysis of the file, we assumed that it may have failed because the DLL expects to be loaded by setup.exe together with the resource DLL. Consequently, we decided to find the archive, which we achieved with the help of Avira Threat Intelligence. The archive was always called something like "setup.zip" or "setup_.zip".

The file setup.exe is a digitally signed clean file and a component of the legitimate software. Unfortunately, this time, even with the complete archive, the sample failed to execute in the analysis environment, which included both virtual and physical machines. As our attempt to run the sample failed, it made us even more curious to investigate it further. When we executed the sample, an error message was thrown:

Figure 3: Failed execution

Inside msimg32.dll

So we started digging into the code of msimg32.dll to find out exactly why the sample didn't execute. After initial unpacking, the sample starts to calculate the base address of kernel32.dll from the TEB (Thread Environment Block), a typical method used by malware to retrieve the API addresses it needs without declaring them in its import table. The TEB points to the PEB, whose loader data lists the modules mapped into the process; once the base of kernel32.dll is known, the required APIs are located by parsing that module's export table.

Figure 4: Base address calculation of kernel32.dll

Figure 5: Relevant APIs retrieved in the first stage

After resolving the APIs, the DLL collects certain information listed below:
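The export-table walk behind the API resolution described in this post, together with the AlphaBlend hunting pivot, as an added example (this is editorial code, not Avira's analysis tooling and not the loader's own code). The script builds a constructed minimal PE32 fixture with an export directory, resolves an export the way a loader does (name table, then ordinal table, then function table, plus the image base), and flags a DLL that exports AlphaBlend but lacks the rest of the genuine msimg32.dll export set or carries UPX, MPRESS or VMProtect section names. The genuine export set and the packer section names are assumptions from general knowledge, not from the post, and the fixture bytes are constructed. The TEB-to-PEB-to-Ldr walk that yields the base of kernel32.dll is Windows-only and is not reproduced here; the parser starts from a module image instead.

```python
import struct

SECTION_RVA, SECTION_RAW = 0x1000, 0x200  # constructed fixture: one section, RVA 0x1000 at file offset 0x200
# Assumptions from general knowledge (not from the post): default section names of the packers
# the post lists, and the export set of the genuine Windows msimg32.dll.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b".MPRESS1", b".MPRESS2", b".vmp0", b".vmp1"}
GENUINE_MSIMG32 = {"AlphaBlend", "DllInitialize", "GradientFill", "TransparentBlt", "vSetDdrawflag"}

def build_pe_with_exports(dll_name, exports, section_name=b".text"):
    """Constructed fixture: minimal PE32 with one section and an export directory (exports: name -> RVA)."""
    names, n = sorted(exports), len(exports)           # real export name tables are sorted
    aof, aon, aono = 40, 40 + 4 * n, 40 + 8 * n        # the three tables follow the 40-byte directory
    strings = (aono + 2 * n + 3) & ~3                  # 4-byte aligned string pool
    blob, str_rva = bytearray(), {}
    for s in [dll_name] + names:
        str_rva[s] = SECTION_RVA + strings + len(blob)
        blob += s.encode() + b"\0"
    sec = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva[dll_name], 1, n, n,
                                SECTION_RVA + aof, SECTION_RVA + aon, SECTION_RVA + aono))
    sec += b"".join(struct.pack("<I", exports[nm]) for nm in names)  # AddressOfFunctions
    sec += b"".join(struct.pack("<I", str_rva[nm]) for nm in names)  # AddressOfNames
    sec += b"".join(struct.pack("<H", i) for i in range(n))          # AddressOfNameOrdinals
    sec += b"\0" * (strings - len(sec)) + blob
    export_size = len(sec)
    raw_size = (export_size + 0x1FF) & ~0x1FF
    sec += b"\0" * (raw_size - export_size)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic = PE32
    struct.pack_into("<I", opt, 28, 0x10000000)                 # ImageBase
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, SECTION_RVA, export_size)  # DataDirectory[0] = export table
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # DOS header, e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
           + bytes(opt)
           + struct.pack("<8sIIIIIIHHI", section_name, export_size, SECTION_RVA,
                         raw_size, SECTION_RAW, 0, 0, 0, 0, 0x60000020))
    return hdr + b"\0" * (SECTION_RAW - len(hdr)) + bytes(sec)

def _sections(image):
    """Yield (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, *fields = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield (name.rstrip(b"\0"), *fields)

def _rva_to_offset(image, rva):
    """On disk an RVA is mapped through the section table; in memory the loader skips this step."""
    for _, vsize, va, rawsize, rawptr in _sections(image):
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by a section" % rva)

def _cstring(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii", "replace")

def parse_exports(image):
    """Walk IMAGE_EXPORT_DIRECTORY the way a loader resolving APIs does:
    name table -> ordinal table -> function table. Forwarded exports come back as strings."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", image, opt)
    datadir = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+
    exp_rva, exp_size = struct.unpack_from("<II", image, datadir)
    if exp_rva == 0:
        return {}
    ed = _rva_to_offset(image, exp_rva)
    _, _, _, nnames, aof, aon, aono = struct.unpack_from("<IIIIIII", image, ed + 12)
    aof, aon, aono = (_rva_to_offset(image, r) for r in (aof, aon, aono))
    exports = {}
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", image, aon + 4 * i)
        ordinal, = struct.unpack_from("<H", image, aono + 2 * i)
        func_rva, = struct.unpack_from("<I", image, aof + 4 * ordinal)
        name = _cstring(image, _rva_to_offset(image, name_rva))
        if exp_rva <= func_rva < exp_rva + exp_size:              # forwarded export
            exports[name] = _cstring(image, _rva_to_offset(image, func_rva))
        else:
            exports[name] = func_rva
    return exports

def resolve_export(image, image_base, name):
    """Absolute address the loader ends up calling: module base + export RVA."""
    return image_base + parse_exports(image)[name]

def loader_indicators(image):
    """Triage checks suggested by the post's observations; returns the reasons that fired."""
    exports, reasons = parse_exports(image), []
    if "AlphaBlend" in exports:
        reasons.append("exports AlphaBlend")
        if not GENUINE_MSIMG32 <= set(exports):
            reasons.append("export set does not match the genuine msimg32.dll")
    reasons += ["packer section " + nm.decode() for nm, *_ in _sections(image) if nm in PACKER_SECTIONS]
    return reasons
```

Build a fixture with `build_pe_with_exports("msimg32.dll", {"AlphaBlend": 0x1100}, b"UPX0")` and pass it to `loader_indicators` to see all three indicators fire; on a real file, `parse_exports(open(path, "rb").read())` works the same way, and `pefile` is the usual production replacement for the hand-rolled parser. Note that exporting AlphaBlend on its own is not a verdict: the genuine msimg32.dll exports it too, so the export-set and packer checks are what separate the planted copy from the real one.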