52a73b7be0196ad7670bd446ade40479

Sharing

Copy URL Twitter E-mail

General

Target

52a73b7be0196ad7670bd446ade40479
Size

722KB
MD5

52a73b7be0196ad7670bd446ade40479
SHA1

c3643286640667c8836b476dc467a3dc999cca49
SHA256

fda716f43ef3085f181e3c83e6f8f97d43a15821138d856c054a39a68b6f888c
SHA512

9f1a0ebb4f0a3f4bbebc477e71c41e9dffd4f7d71f29bb268c5ea47c62693b3e7fd527d1baf77d4ed4e7907fcb885654399c131a37119be27d0f6d6caf4f8539
SSDEEP

12288:ZYanEH25RGmsuS0kVio/+ECAqMoyYBy+BC9R12agKt97fAuCouvYjdsO2hi/zyfc:ZYadwuS0kViomTInGy+g12avfAsJjF2E

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/RealClear/cls tools/Real 事件清除工具.exe	upx

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
unpack001/RealClear/Real_Clear/REAL 媒体过滤器.exe
unpack001/RealClear/cls tools/Real 事件清除工具.exe
unpack002/out.upx
unpack001/RealClear/cls tools/Tools/rmme3260.dll
unpack001/RealClear/cls tools/Tools/rmto3260.dll
unpack001/RealClear/cls tools/rmevents.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
static1/unpack001/RealClear/Real_Clear/REAL 媒体过滤器.exe	nsis_installer_1

Files

52a73b7be0196ad7670bd446ade40479
.rar
RealClear/Real_Clear/REAL 媒体过滤器.exe
.exe windows:4 windows x86 arch:x86

1cf4252ebbb4f173d97a6ef4f79a60b5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

comctl32

ord17
ImageList_AddMasked
ImageList_Destroy
ImageList_Create

kernel32

ExpandEnvironmentStringsA
GetEnvironmentVariableA
lstrcmpiA
CloseHandle
SetFileTime
GetFileAttributesA
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
lstrcatA
SetCurrentDirectoryA
CreateDirectoryA
SetFileAttributesA
Sleep
CreateFileA
GetFileSize
GetModuleFileNameA
GetTickCount
GetCurrentProcess
CopyFileA
ExitProcess
WaitForSingleObject
GetCommandLineA
GetWindowsDirectoryA
GetTempPathA
GetUserDefaultLangID
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
GlobalAlloc
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
SetEndOfFile
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
lstrcpyA
lstrlenA
GetSystemDirectoryA
GlobalFree
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
SetFilePointer
LoadLibraryA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
lstrcpynA

user32

ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
LoadCursorA
SetCursor
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
CharPrevA
CreateDialogParamA
DestroyWindow
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
DispatchMessageA
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
PeekMessageA

gdi32

GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SetBkColor
SelectObject

advapi32

RegEnumValueA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegEnumKeyA

shell32

ShellExecuteA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetMalloc
SHGetSpecialFolderLocation
SHFileOperationA

ole32

OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 19KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RealClear/Real_Clear/使用说明.htm
RealClear/cls tools/Real 事件清除工具.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 76KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 60KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
RealClear/cls tools/Tools/rmme3260.dll
.dll windows:4 windows x86 arch:x86

73d1e5484edd4cc0df5cf92ac0a2ac9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

pncrt

_adjust_fdiv
_initterm
__dllonexit
_findclose
_findnext
_findfirst
printf
_onexit
_tzset
localtime
_timezone
_strnicmp
_strlwr
??2@YAPAXI@Z
strchr
_fstat
_get_osfhandle
_write
_read
_lseek
_close
_open
_ftime
_putenv
_unlink
_tell
_errno
_beginthreadex
_endthreadex
_ismbcspace
memmove
_stat
fread
_assert
free
atof
strncmp
fopen
fprintf
fclose
strtok
realloc
atoi
strstr
time
vsprintf
malloc
_stricmp
_ftol
qsort
strncpy
_purecall
strrchr
sprintf
remove
??3@YAXPAX@Z
_itoa
_sopen
_creat

user32

CharNextA
SendMessageA
wsprintfA
GetMessageA
PostThreadMessageA
CharLowerA
ClientToScreen
OffsetRect
IsWindow
EnumDisplaySettingsA
SetActiveWindow
SetFocus
SetWindowRgn
GetCapture
SetScrollInfo
SetParent
EnumChildWindows
IsWindowVisible
UnionRect
FillRect
LoadCursorA
SetCursor
GetForegroundWindow
SystemParametersInfoA
SetForegroundWindow
GetCursorPos
WindowFromPoint
ScreenToClient
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
IntersectRect
DrawTextA
PeekMessageA
PostQuitMessage
TranslateMessage
DispatchMessageA
ShowWindow
SetWindowPos
UnregisterClassA
RegisterClassA
CallWindowProcA
DefWindowProcA
BeginPaint
EndPaint
PostMessageA
GetAsyncKeyState
UpdateWindow
GetDC
ReleaseDC
InvalidateRgn
InvalidateRect
GetClientRect
GetSystemMetrics
GetWindowRect
GetParent
MapWindowPoints
MoveWindow
DestroyWindow
GetWindowLongA
SetWindowLongA
CreateWindowExA
RegisterWindowMessageA
SetTimer
KillTimer

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

advapi32

RegQueryValueExA
RegCloseKey
RegQueryValueA
RegEnumKeyExA
RegEnumKeyA
RegOpenKeyExA
RegSetValueA
RegCreateKeyA
RegOpenKeyA
RegDeleteKeyA

gdi32

BitBlt
Rectangle
GetTextMetricsA
DeleteObject
GetObjectA
SelectObject
CreateSolidBrush
GetPixel
GetTextExtentPointA
CreateCompatibleBitmap
CreateCompatibleDC
CreatePen
SetTextColor
SetBkMode
DeleteDC
CombineRgn
CreateRectRgnIndirect
GetRgnBox
GetDeviceCaps
CreateRectRgn
OffsetRgn
GetStockObject
GetClipBox
PtInRegion
GetRegionData
CreateBrushIndirect
SetBkColor
CreateFontA
SetMapMode
EqualRgn
SelectPalette
SetROP2
StretchDIBits
SetDIBitsToDevice
RealizePalette
CreatePalette
GetDIBits
CreateDIBSection
GetSystemPaletteEntries
GdiFlush
TextOutA
SetDIBColorTable
SetStretchBltMode
CreateDCA
StretchBlt
SetPixel

ole32

CoCreateGuid

kernel32

lstrcmpiA
GlobalLock
GlobalUnlock
GetVersion
GetTempPathA
GetTempFileNameA
CreateFileA
MapViewOfFile
UnmapViewOfFile
GetSystemInfo
GetCurrentProcessId
GetFileSize
ResetEvent
SetEvent
CreateEventA
GetLastError
WaitForSingleObject
GetThreadPriority
SetThreadPriority
ResumeThread
SuspendThread
GetSystemDirectoryA
GetVersionExA
GetModuleHandleA
SetErrorMode
OutputDebugStringA
Sleep
GlobalSize
GlobalAlloc
GetTickCount
InterlockedDecrement
GlobalFree
CloseHandle
CreateFileMappingA
LocalAlloc
LocalFree
MulDiv
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
FreeLibrary
LoadLibraryA
GetProcAddress
GetCurrentThreadId
GlobalMemoryStatus
InterlockedIncrement

Exports

Exports

?AsyncNotifyProc@CAsyncNetThread@@KGJPAUHWND__@@IIJ@Z
?AsyncNotifyProc@CAsyncSockN@@KGJPAUHWND__@@IIJ@Z
?CPNSiteStatusTextProc@@YGJPAUHWND__@@IIJ@Z
?CPNSiteWindowedProc@@YGJPAUHWND__@@IIJ@Z
?CRNSiteWindowedProc@@YGJPAUHWND__@@IIJ@Z
?PNxSubclassProc@@YGJPAUHWND__@@IIJ@Z
?PNxSubclassProcFroFullScreen@@YGJPAUHWND__@@IIJ@Z
?RNxHookAllMessages@@YGJHIJ@Z
?RNxHookChar@@YGJHIJ@Z
?RNxHookSiteProc@@YGJPAUHWND__@@IIJ@Z
?WinDrawHelperCallWndProc@@YGJHIJ@Z
?WindowProc@CPNFullScreenWindow@@SGJPAUHWND__@@IIJ@Z
?WindowProc@CPNNewFullScreenWindow@@SGJPAUHWND__@@IIJ@Z
RMACreateAsmConversionFilter
RMACreateRM1Merge
RMACreateRM2Converter
RMACreateRM2Converter2
RMClose
RMInit
RMMerge
RMMergeConvert
_windraw_GetColorConverter@8
_windraw_InitColorConverter@0
_windraw_ScanAllCompatibleColorFormats@12
_windraw_ScanCompatibleColorFormats@16
_windraw_SetRGB8Palette@12
_windraw_SuggestRGB8Palette@8

Sections

.text
Size: 424KB - Virtual size: 420KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 56KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RealClear/cls tools/Tools/rmto3260.dll
.dll windows:4 windows x86 arch:x86

6eee045e7827e5c861e4b89f20fa0b8c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

pncrt

_mbctype
strrchr
_strnicmp
_control87
_findnext
_findfirst
_findclose
_tzset
__dllonexit
_onexit
printf
localtime
??3@YAXPAX@Z
sprintf
ungetc
isdigit
??2@YAPAXI@Z
_iob
_timezone
_chmod
vfprintf
getenv
fprintf
fopen
atol
fclose
strtok
_ftol
ceil
floor
atoi
_assert
strchr
_get_osfhandle
atof
_fstat
_lseek
_write
_read
_errno
_close
_open
memmove
time
strstr
malloc
vsprintf
_stricmp
fgets
rename
remove
isspace
tolower
fgetc
_initterm
isalpha
_adjust_fdiv
strncpy
free
_purecall
_getcwd
_strlwr
_creat
_sopen
_tell
_unlink
_mkdir
_rmdir
_chdir
_putenv
_ftime
_getpid

user32

wsprintfA
CharNextA
GetSystemMetrics
CharPrevA

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

advapi32

RegEnumKeyA
RegOpenKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryValueExA
RegDeleteKeyA
RegQueryValueA
RegCloseKey
RegSetValueA
RegCreateKeyA

ole32

CoCreateGuid

kernel32

GlobalLock
GlobalFree
GetSystemDirectoryA
GlobalUnlock
WinExec
CopyFileA
lstrcpyA
GetDriveTypeA
FindFirstFileA
FindNextFileA
GetWindowsDirectoryA
GetDiskFreeSpaceA
GetModuleFileNameA
GetProcAddress
FreeLibrary
FindClose
GetTempPathA
GetTempFileNameA
LoadLibraryA
CreateFileA
CreateFileMappingA
CloseHandle
GetLastError
UnmapViewOfFile
MapViewOfFile
GetFileSize
GlobalMemoryStatus
GetSystemInfo
GetTickCount
InterlockedIncrement
GetFullPathNameA
GlobalAlloc
GetVersionExA
GetVersion
GlobalHandle
InterlockedDecrement

Exports

Exports

RMACreateRMEdit
RMACreateRMEvents
RMACreateRMFF2Reader
RMACreateRMFFCopy
RMACreateRMFFDump
RMACreateRMFile
RMACreateRealMediaRegistration
SetDLLAccessPath

Sections

.text
Size: 280KB - Virtual size: 276KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RealClear/cls tools/comdlg32.ocx
.dll regsvr32 windows:4 windows x86 arch:x86

988f29c1eb8054253091352741683c76

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:de:aa:11:d4:d8:40:9a:a8:be:e6
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/12/2000, 08:00

Not After

12/11/2005, 08:00

Subject

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:0e:7d:a7:00:00:00:00:00:48
Certificate

Issuer

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/10/2003, 05:59

Not After

25/01/2005, 06:09

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:04:be:c7:7e:04:0a:8e:9c:44:86:a8:95:a7:50:5e:ca:0f:22:ec
Signer

Actual PE Digest

30:04:be:c7:7e:04:0a:8e:9c:44:86:a8:95:a7:50:5e:ca:0f:22:ec

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

HeapReAlloc
GetLastError
LockResource
GetWindowsDirectoryA
InterlockedDecrement
InterlockedIncrement
IsDBCSLeadByte
CompareStringA
CompareStringW
lstrcmpA
GetLocaleInfoA
GetVersion
GetModuleFileNameA
GetFileAttributesA
IsBadWritePtr
DisableThreadLibraryCalls
GlobalAlloc
lstrcmpiA
LoadLibraryA
GetProcAddress
lstrcatA
lstrlenA
lstrcpyA
WriteProfileStringA
GlobalLock
GlobalUnlock
LoadResource
FindResourceA
lstrcpynA
LeaveCriticalSection
DeleteCriticalSection
FreeLibrary
HeapFree
WideCharToMultiByte
lstrlenW
HeapAlloc
GetProfileStringA
EnterCriticalSection
GetProcessHeap
GetCurrentThreadId
MultiByteToWideChar
InitializeCriticalSection
GlobalFree

user32

SetWindowRgn
IntersectRect
EqualRect
PtInRect
IsDialogMessageA
IsChild
GetKeyState
CreateDialogIndirectParamA
MessageBeep
PostMessageA
ClientToScreen
wsprintfA
SendMessageTimeoutA
CharNextA
GetActiveWindow
GetWindowThreadProcessId
LoadCursorA
MessageBoxA
GetWindowLongA
GetWindowRect
CreateWindowExA
SetWindowLongA
ShowWindow
DialogBoxParamA
EnableWindow
GetDesktopWindow
GetWindow
IsWindowEnabled
OffsetRect
GetParent
GetDlgItem
SendMessageA
SetFocus
SetParent
SetDlgItemInt
EndPaint
SetActiveWindow
IsWindowVisible
WinHelpA
GetDlgItemInt
EndDialog
GetDlgItemTextA
DestroyWindow
SetDlgItemTextA
GetWindowTextA
GetNextDlgTabItem
SendDlgItemMessageA
RegisterClassA
GetDC
ReleaseDC
LoadIconA
DrawIcon
DestroyIcon
GetSystemMetrics
RegisterWindowMessageA
LoadStringA
DefWindowProcA
UnregisterClassA
GetClientRect
BeginPaint
RegisterClipboardFormatA
SetWindowPos
MoveWindow

ole32

CreateOleAdviseHolder
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree
ReleaseStgMedium

advapi32

RegEnumKeyExA
RegQueryValueA
RegOpenKeyA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyExA
RegSetValueExA
RegCloseKey

oleaut32

LoadRegTypeLi
OleCreatePropertyFrame
SetErrorInfo
UnRegisterTypeLi
LoadTypeLi
LoadTypeLibEx
OleLoadPicture
VariantChangeType
RegisterTypeLi
VariantInit
GetErrorInfo
VariantClear
SysStringLen
SysAllocStringLen
OleTranslateColor
SysFreeString
SysAllocString
CreateErrorInfo

comdlg32

CommDlgExtendedError
PrintDlgA
ChooseFontA
ChooseColorA
GetOpenFileNameA
GetSaveFileNameA

gdi32

GetDIBits
CreateCompatibleDC
CreateBitmap
GetSystemPaletteEntries
StretchDIBits
SetViewportOrgEx
SetWindowExtEx
SetWindowOrgEx
SetMapMode
LPtoDP
SetViewportExtEx
GetViewportExtEx
CreateRectRgnIndirect
GetWindowExtEx
CreateDCA
GetObjectA
EnumFontFamiliesA
DeleteDC
DeleteObject
GetDeviceCaps
SelectObject

Exports

Exports

DLLGetDocumentation
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 72KB - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
RealClear/cls tools/event.bat
RealClear/cls tools/rmevents.exe
.exe windows:4 windows x86 arch:x86

516019e278abb9debeec52779a5658f0

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

pncrt

_assert
strrchr
__dllonexit
_onexit
_purecall
_iob
exit
__p___initenv
__getmainargs
_initterm
__setusermatherr
??3@YAXPAX@Z
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
fprintf
??2@YAPAXI@Z
printf
sprintf
_exit
_XcptFilter
_adjust_fdiv
_putenv
strchr

kernel32

GetProcAddress
FreeLibrary
GetModuleFileNameA
InterlockedDecrement
LoadLibraryA
InterlockedIncrement

user32

GetSystemMetrics
CharNextA

Sections

.text
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
RealClear/新云软件.url
.url

Sharing

General

Malware Config

Signatures

Files

1cf4252ebbb4f173d97a6ef4f79a60b5

Headers

File Characteristics

Imports

comctl32

kernel32

user32

gdi32

advapi32

shell32

ole32

version

Sections

.text Size: 22KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 108KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 19KB - Virtual size: 20KB

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 76KB

UPX1 Size: 24KB - Virtual size: 24KB

.rsrc Size: 24KB - Virtual size: 28KB

Headers

File Characteristics

Sections

.text Size: 60KB - Virtual size: 58KB

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 28KB - Virtual size: 24KB

73d1e5484edd4cc0df5cf92ac0a2ac9f

Headers

File Characteristics

Imports

pncrt

user32

version

advapi32

gdi32

ole32

kernel32

Exports

Exports

Sections

.text Size: 424KB - Virtual size: 420KB

.rdata Size: 20KB - Virtual size: 18KB

.data Size: 56KB - Virtual size: 65KB

.rsrc Size: 12KB - Virtual size: 11KB

.reloc Size: 20KB - Virtual size: 17KB

6eee045e7827e5c861e4b89f20fa0b8c

Headers

File Characteristics

Imports

pncrt

user32

version

advapi32

ole32

kernel32

Exports

Exports

Sections

.text Size: 280KB - Virtual size: 276KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 32KB - Virtual size: 32KB

.rsrc Size: 8KB - Virtual size: 7KB

.reloc Size: 12KB - Virtual size: 11KB

988f29c1eb8054253091352741683c76

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

.text
Size: 22KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 108KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 19KB - Virtual size: 20KB

UPX0
Size: - Virtual size: 76KB

UPX1
Size: 24KB - Virtual size: 24KB

.rsrc
Size: 24KB - Virtual size: 28KB

.text
Size: 60KB - Virtual size: 58KB

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 28KB - Virtual size: 24KB

.text
Size: 424KB - Virtual size: 420KB

.rdata
Size: 20KB - Virtual size: 18KB

.data
Size: 56KB - Virtual size: 65KB

.rsrc
Size: 12KB - Virtual size: 11KB

.reloc
Size: 20KB - Virtual size: 17KB

.text
Size: 280KB - Virtual size: 276KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 8KB - Virtual size: 7KB

.reloc
Size: 12KB - Virtual size: 11KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:de:aa:11:d4:d8:40:9a:a8:be:e6
Certificate

61:0e:7d:a7:00:00:00:00:00:48
Certificate

30:04:be:c7:7e:04:0a:8e:9c:44:86:a8:95:a7:50:5e:ca:0f:22:ec
Signer

.text
Size: 72KB - Virtual size: 69KB

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 52KB - Virtual size: 51KB

.reloc
Size: 8KB - Virtual size: 5KB

.text
Size: 12KB - Virtual size: 8KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 4KB - Virtual size: 2KB