596ec42431bd1d80e239b5dcac81d7a4

Sharing

Copy URL Twitter E-mail

General

Target

596ec42431bd1d80e239b5dcac81d7a4
Size

1.2MB
MD5

596ec42431bd1d80e239b5dcac81d7a4
SHA1

c342314b7fba0354bf7a676081a048d8db2dabfd
SHA256

50c31e894d04b7f49bad282cc19b99911a6230164cd992c3aa7bbd579fbaaca2
SHA512

87b40d77227cd8f7ad6033be33b061fb19a94d72c650051f23681e3688e50014f52e4d010c35cb2b844b31bfc65d6a8ad968e77de9d7757f7934823f4094cdc2
SSDEEP

24576:/FlPiET3JkuWPPCIwyUbLFMbDJx21PC8tqj7jRXxT5ot:/niET3Jku0qpbLFMbDJSPx27Xmt

Score

3^/10

Malware Config

Signatures

Unsigned PE 13 IoCs

Checks for missing Authenticode signature.

resource
596ec42431bd1d80e239b5dcac81d7a4
unpack001/$PLUGINSDIR/BrandingURL.dll
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/LangDLL.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/ToolTips.dll
unpack001/1314.exe
unpack001/gpupdate.exe
unpack001/ipseccmd.exe
unpack001/polstore.dll
unpack001/uninst.exe
unpack003/$PLUGINSDIR/FindProcDLL.dll
unpack001/winipsec.dll

NSIS installer 1 IoCs

installer

resource	yara_rule
static1/unpack001/1314.exe	nsis_installer_1

Files

596ec42431bd1d80e239b5dcac81d7a4
.exe windows:4 windows x86 arch:x86

dd1742eadfc6df18ded3c26ae64ad610

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetFileSize
GetModuleFileNameA
GetTickCount
GetCurrentProcess
CopyFileA
CloseHandle
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
ExitProcess

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
CreateDialogParamA
DestroyWindow
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 56KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/BrandingURL.dll
.dll windows:4 windows x86 arch:x86

711c893e4d8189fd14b6563a4e35e663

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrcpyA
GlobalFree

user32

GetWindowRect
SetCapture
InvalidateRect
SendMessageA
GetCapture
ClientToScreen
GetDlgItem
RedrawWindow
EnableWindow
LoadImageA
SetPropA
GetWindowLongA
PtInRect
ReleaseCapture
SetCursor
GetPropA
CallWindowProcA
SetWindowLongA

gdi32

GetObjectA
SetTextColor
CreateFontIndirectA

shell32

ShellExecuteA

Exports

Exports

Set
Unload

Sections

.text
Size: 1024B - Virtual size: 994B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 871B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 300B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 220B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryA
GetCurrentDirectoryA
MultiByteToWideChar
GetPrivateProfileIntA
GlobalLock
GetModuleHandleA
lstrcmpiA
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
GlobalUnlock
GlobalAlloc

user32

MapWindowPoints
GetDlgCtrlID
CloseClipboard
GetClipboardData
OpenClipboard
PtInRect
SetWindowRgn
LoadIconA
LoadImageA
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableMenuItem
GetSystemMenu
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
GetClientRect

gdi32

SetTextColor
CreateCompatibleDC
GetObjectA
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
SelectObject

shell32

SHBrowseForFolderA
SHGetDesktopFolder
SHGetPathFromIDListA
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 1012B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/LangDLL.dll
.dll windows:4 windows x86 arch:x86

946eb0a1e85c9ade4acaf634eb5a64f1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetACP
GlobalFree
lstrcpynA
lstrcmpA
lstrlenA
GetModuleHandleA
MulDiv
lstrcpyA
GlobalAlloc

user32

SetWindowTextA
SetDlgItemTextA
SendDlgItemMessageA
EndDialog
DialogBoxParamA
LoadIconA
SendMessageA
ShowWindow
GetDC

gdi32

CreateFontIndirectA
GetDeviceCaps
DeleteObject

Exports

Exports

LangDialog

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 697B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 352B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

4ec328f99bdd944fc98d8a5cf11f7a62

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetLastError
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 496B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ToolTips.dll
.dll windows:4 windows x86 arch:x86

04338c58e26f4ac6ae89608ac6276429

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetProcessHeap
GlobalFree
HeapAlloc

user32

GetClientRect
SendMessageA
CreateWindowExA

comctl32

ord17

Exports

Exports

Author
Classic
Modern

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 409B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 68B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 186B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-header.bmp
$PLUGINSDIR/modern-wizard.bmp
1314.exe
.exe windows:4 windows x86 arch:x86

9c523d8653da5455667e3f82274f2f88

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
CreateFileA
GetFileSize
GetModuleFileNameA
GetTickCount
lstrcmpiA
CopyFileA
ExitProcess
GetCommandLineA
GetWindowsDirectoryA
GetTempPathA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
lstrcmpA
GetEnvironmentVariableA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
LoadLibraryA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetCurrentProcess

user32

ScreenToClient
GetWindowRect
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
EndDialog
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
CharPrevA
DispatchMessageA
PeekMessageA
CreateDialogParamA
DestroyWindow
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
TrackPopupMenu
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetMalloc
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$APPDATA/Baidu/Toolbar/Custom Buttons/custom.xml
$PROFILE/AppData/LocalLow/Baidu/Toolbar/Custom Buttons/custom.xml
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
.dll regsvr32 windows:4 windows x86 arch:x86

2e96c5697f8ebb6b2a4bbd7625920c54

Code Sign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

23:89:03:55:99:b2:04:cb:18:73:d5:5a:bd:23:83:fe
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

28/07/2006, 00:00

Not After

12/08/2009, 23:59

Subject

CN=Baidu.com,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Internet,O=Baidu.com,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

setupapi

SetupIterateCabinetW

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

kernel32

GetPrivateProfileStringW
GetACP
MoveFileExW
RemoveDirectoryW
FindNextFileW
FindClose
FindFirstFileW
SetFilePointer
Process32NextW
GetCurrentProcessId
Process32FirstW
CreateToolhelp32Snapshot
ReadProcessMemory
OpenProcess
GlobalFree
GlobalAlloc
LockResource
SetCurrentDirectoryW
TerminateThread
GetExitCodeThread
OpenMutexW
SetPriorityClass
CreateProcessW
ExpandEnvironmentStringsW
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetPrivateProfileIntW
WritePrivateProfileStringW
TlsAlloc
TlsFree
TlsSetValue
TlsGetValue
lstrcmpW
GetEnvironmentVariableW
SystemTimeToFileTime
GetCurrentDirectoryW
LocalFileTimeToFileTime
SetFileTime
SwitchToThread
SetErrorMode
CreateFileA
SetEvent
FileTimeToSystemTime
GetFileInformationByHandle
GetLocalTime
SetEnvironmentVariableA
CompareStringA
SetFileAttributesW
SetEndOfFile
SetConsoleCtrlHandler
GetOEMCP
GetDriveTypeA
GetFullPathNameA
FlushFileBuffers
SetStdHandle
GetUserDefaultLCID
EnumSystemLocalesA
GetLocaleInfoA
IsValidCodePage
IsValidLocale
GetCPInfo
GetStringTypeW
GetStringTypeA
IsBadCodePtr
IsBadReadPtr
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
SetUnhandledExceptionFilter
LCMapStringW
LCMapStringA
SetCurrentDirectoryA
GetCurrentDirectoryA
UnhandledExceptionFilter
IsBadWritePtr
VirtualAlloc
VirtualFree
HeapCreate
GetVersionExA
GetEnvironmentVariableA
GetModuleFileNameA
HeapSize
TerminateProcess
GetCurrentThread
FatalAppExitA
ExitProcess
GetCommandLineA
RaiseException
GetFullPathNameW
GetDriveTypeW
FileTimeToLocalFileTime
GetSystemTime
GetTimeZoneInformation
HeapReAlloc
RtlUnwind
GetWindowsDirectoryW
DeviceIoControl
GetSystemDirectoryW
CopyFileW
GetVersionExW
GetTempPathW
GetTempFileNameW
DeleteFileW
GlobalLock
GlobalUnlock
CompareStringW
LoadLibraryA
lstrcatW
lstrcpyW
DisableThreadLibraryCalls
TryEnterCriticalSection
HeapDestroy
ExitThread
GetCurrentThreadId
CreateThread
lstrcpynW
LoadLibraryExW
FindResourceW
LoadResource
SizeofResource
lstrcmpiW
GetShortPathNameW
GetModuleFileNameW
GetModuleHandleW
OutputDebugStringA
GetVersion
GetFileAttributesW
GetModuleHandleA
LoadLibraryW
SetLastError
DeleteCriticalSection
InitializeCriticalSection
GetProcAddress
FreeLibrary
LocalFree
MultiByteToWideChar
CreateDirectoryW
CreateFileW
GetFileSize
ReadFile
WriteFile
EnterCriticalSection
LeaveCriticalSection
CreateMutexW
WaitForSingleObject
CloseHandle
ReleaseMutex
GetProcessHeap
HeapAlloc
HeapFree
Sleep
GetLastError
GetTickCount
WideCharToMultiByte
WriteProcessMemory
lstrlenA
OutputDebugStringW
DebugBreak
lstrlenW
GetCurrentProcess
FlushInstructionCache
InterlockedDecrement
InterlockedIncrement
VirtualProtect
VirtualQuery
GetLocaleInfoW

user32

EnableMenuItem
GetSysColorBrush
GetMessageW
PostThreadMessageW
DrawIconEx
InflateRect
FindWindowExW
GetUpdateRect
DeleteMenu
GetTopWindow
MenuItemFromPoint
GetMenuItemID
SetDlgItemTextW
CreateDialogParamW
GetDlgItemTextW
GetWindowDC
AdjustWindowRect
LoadIconW
EnumWindows
IsDialogMessageW
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
CharUpperW
CharUpperBuffA
GetAsyncKeyState
CharNextA
WaitForInputIdle
SetForegroundWindow
GetForegroundWindow
AttachThreadInput
CharLowerBuffW
CreatePopupMenu
AppendMenuW
CreateMenu
InsertMenuW
TrackPopupMenu
RemoveMenu
GetMenuItemInfoW
CopyRect
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExW
RedrawWindow
GetMenuItemCount
WindowFromPoint
InsertMenuItemW
SetScrollPos
SetScrollInfo
GetScrollInfo
SetWindowRgn
GetMenuItemRect
RemovePropW
SetPropW
GetPropW
SetWindowLongA
DefWindowProcW
EndDialog
ShowWindow
SetWindowTextW
IsWindow
SetWindowLongW
GetDlgItem
LoadImageW
EndPaint
BeginPaint
GetDC
CallWindowProcW
GetWindowLongW
LoadStringW
wvsprintfW
CharNextW
IsChild
EnableWindow
DestroyIcon
DialogBoxParamW
FindWindowW
MessageBoxW
GetClassInfoExW
RegisterClassExW
wsprintfW
ClientToScreen
IsRectEmpty
GetWindowThreadProcessId
GetGUIThreadInfo
IsWindowVisible
KillTimer
SetTimer
GetActiveWindow
AdjustWindowRectEx
IsWindowUnicode
CallWindowProcA
EnumChildWindows
GetMessagePos
MessageBeep
SetMenuItemInfoW
FrameRect
LoadBitmapW
DrawStateW
PeekMessageW
GetSubMenu
ModifyMenuW
TrackPopupMenuEx
CharLowerBuffA
CreateIconFromResourceEx
ScrollWindow
GetDesktopWindow
DestroyMenu
CharLowerW
PostMessageW
IsMenu
SetWindowPos
MapWindowPoints
GetClientRect
SystemParametersInfoW
GetWindowRect
GetWindow
GetParent
SendMessageW
DestroyWindow
RegisterWindowMessageW
PtInRect
SetRectEmpty
ScreenToClient
GetCursorPos
ReleaseCapture
GetCapture
SetCapture
SetFocus
UpdateWindow
SetCursor
InvalidateRect
GetDlgCtrlID
OffsetRect
ReleaseDC
GetWindowTextW
GetWindowTextLengthW
LoadCursorW
GetClassNameW
FillRect
DrawFocusRect
GetFocus
GetSysColor
IsWindowEnabled
DrawTextW
CreateWindowExW
DispatchMessageW
TranslateMessage
GetKeyState
MoveWindow
GetSystemMetrics

gdi32

PatBlt
GetTextColor
Rectangle
CreateRectRgn
ExcludeClipRect
GetDeviceCaps
DPtoLP
SelectObject
MoveToEx
LineTo
DeleteObject
GetClipBox
ExtTextOutW
SaveDC
RestoreDC
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
CreateBitmap
GetCurrentObject
CreateSolidBrush
GetTextExtentPoint32W
GetPixel
TextOutW
SetTextColor
DeleteDC
CreateFontIndirectW
SetBkMode
SetBkColor
GetStockObject
GetObjectW
CreatePen
SetViewportOrgEx

advapi32

RegQueryValueExW
GetUserNameW
RegSetKeySecurity
AllocateAndInitializeSid
InitializeAcl
AddAce
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
FreeSid
RegGetKeySecurity
GetSidIdentifierAuthority
GetSidSubAuthorityCount
RegCloseKey
RegEnumValueW
RegOpenKeyW
RegSetValueExW
RegCreateKeyW
RegDeleteValueW
QueryServiceStatus
ChangeServiceConfigW
StartServiceW
CloseServiceHandle
OpenServiceW
OpenSCManagerW
ControlService
EnumDependentServicesW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
SetSecurityInfo
GetSecurityDescriptorSacl
RegEnumKeyW
CopySid
GetLengthSid
GetTokenInformation
OpenProcessToken
GetSidSubAuthority

shell32

ShellExecuteW
SHGetFolderPathW
SHFileOperationW
DragQueryFileA
ExtractIconW
SHGetSpecialFolderPathW
SHGetMalloc
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFileInfoW
DuplicateIcon

ole32

OleInitialize
OleUninitialize
RevokeDragDrop
RegisterDragDrop
ReleaseStgMedium
CLSIDFromProgID
StringFromGUID2
GetHGlobalFromStream
CoCreateInstance
CoTaskMemRealloc
CoTaskMemAlloc
CoTaskMemFree
CoInitialize
CoUninitialize
CoCreateGuid
CreateStreamOnHGlobal

oleaut32

SysAllocString
LoadRegTypeLi
VarUI4FromStr
LoadTypeLi
RegisterTypeLi
VariantClear
VariantCopy
VariantInit
SysStringLen
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreate
SetErrorInfo
VariantChangeType
GetErrorInfo
SysAllocStringLen
SysFreeString
CreateErrorInfo

shlwapi

SHCopyKeyW
SHGetValueW
SHDeleteKeyW
SHDeleteValueW
SHSetValueW
StrStrIW
PathFindFileNameW
PathRemoveExtensionW
UrlUnescapeA
StrRetToStrW
StrRetToStrA
PathIsDirectoryA
PathRemoveFileSpecA
UrlUnescapeW
UrlCanonicalizeW
PathRemoveFileSpecW
PathFileExistsW
PathIsDirectoryW

wininet

InternetCrackUrlW
InternetCanonicalizeUrlW
InternetCloseHandle
InternetReadFile
HttpSendRequestExA
InternetSetStatusCallbackW
FtpOpenFileA
HttpSendRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
InternetOpenA
InternetSetOptionA
InternetConnectA
InternetAttemptConnect
InternetSetFilePointer
FindFirstUrlCacheGroup
DeleteUrlCacheGroup
FindNextUrlCacheGroup
FindCloseUrlCache
FindFirstUrlCacheEntryW
FindNextUrlCacheEntryW
InternetOpenUrlW
HttpSendRequestExW
InternetWriteFile
HttpEndRequestW
InternetGetConnectedState
DeleteUrlCacheEntryW
InternetQueryDataAvailable
InternetGetCookieW
InternetSetCookieW
HttpQueryInfoW
GetUrlCacheEntryInfoW
InternetOpenW
InternetSetOptionW
InternetConnectW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW

urlmon

CoInternetGetSession
URLDownloadToFileW

rpcrt4

UuidCreate

iphlpapi

GetAdaptersInfo
GetNetworkParams

ws2_32

gethostname
gethostbyname

msimg32

AlphaBlend

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
RunOnceRemove
RunOnceUpdate
SVCUninstall
Uninstall
UpdateBaiduToolbar

Sections

.text
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 240KB - Virtual size: 239KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 140KB - Virtual size: 158KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.Shared
Size: 4KB - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 256KB - Virtual size: 254KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 140KB - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduService.exe
.exe windows:4 windows x86 arch:x86

b2e7f59043adad73fe020115daa83498

Code Sign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

23:89:03:55:99:b2:04:cb:18:73:d5:5a:bd:23:83:fe
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

28/07/2006, 00:00

Not After

12/08/2009, 23:59

Subject

CN=Baidu.com,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Internet,O=Baidu.com,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

shell32

SHGetFolderPathW

shlwapi

PathFileExistsW

kernel32

GetShortPathNameW
GetModuleHandleW
GetModuleFileNameW
MultiByteToWideChar
lstrlenA
SizeofResource
LoadResource
FindResourceW
GetLastError
LoadLibraryExW
lstrcpynW
InitializeCriticalSection
lstrcpyW
lstrcatW
InterlockedDecrement
InterlockedIncrement
CloseHandle
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
LeaveCriticalSection
EnterCriticalSection
GetCurrentThreadId
FlushInstructionCache
lstrlenW
GetCPInfo
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
WideCharToMultiByte
LoadLibraryA
IsBadCodePtr
IsBadReadPtr
SetUnhandledExceptionFilter
GetCommandLineW
lstrcmpiW
LoadLibraryW
GetProcAddress
FreeLibrary
GetACP
GetOEMCP
FreeEnvironmentStringsW
GetCurrentProcess
WriteFile
GetStartupInfoA
GetFileType
FreeEnvironmentStringsA
GetStdHandle
SetHandleCount
GetCommandLineA
GetEnvironmentStrings
UnhandledExceptionFilter
TerminateProcess
TlsGetValue
SetLastError
TlsAlloc
TlsSetValue
HeapFree
RtlUnwind
HeapAlloc
HeapReAlloc
GetModuleHandleA
GetStartupInfoW
GetVersion
ExitProcess
GetModuleFileNameA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
GetEnvironmentStringsW

user32

CharNextW
DispatchMessageW
GetMessageW
ShowWindow
PostThreadMessageW
GetClassInfoExW
LoadCursorW
wsprintfW
RegisterClassExW
CreateWindowExW
CallWindowProcW
GetWindowLongW
SetWindowLongW
PostQuitMessage
DestroyWindow
DefWindowProcW
FindWindowW
IsWindow
GetWindowThreadProcessId

advapi32

RegQueryInfoKeyW
RegSetValueExW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegDeleteValueW
RegCreateKeyExW
RegDeleteKeyW
RegEnumValueW

ole32

CoUninitialize
CoInitialize
CoTaskMemAlloc
CoTaskMemRealloc
CoCreateInstance
CoInitializeEx
CoTaskMemFree

oleaut32

SysAllocStringLen
RegisterTypeLi
LoadTypeLi
SysAllocString
SysFreeString
VarUI4FromStr

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/1.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/11.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/12.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/13.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/14.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/17.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/18.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/19.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/2.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/20.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/23.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/24.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/27.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/29.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/3.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/31.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/32.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/37.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/38.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/39.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/5.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/6.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/7.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/8.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/9.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/HighLight.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/Kongjian.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/MediaSave1.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/MediaSave2.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/PageFind.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/at.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/baidu.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/def.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/dengchu.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/denglu.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/ditu.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/down.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/fangdajing.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/fankui.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/fengyun.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/fengyun_high.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/film.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/flashbar.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/gechi.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/image.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/lianmeng.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/logo.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/logobtn.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/medal.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/music.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/resize.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/shezhi.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/soucang.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/webim_off.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/webim_on.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/xiezai.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/xiezai.ico
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/xinwen.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/xiongzhang.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/xuanxiang.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/yingpan.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/youyi.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/zhidao.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/IMG/zuoyi.bmp
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/config/face.xml
23.txt
8.txt
9.txt
gpupdate.exe
.exe windows:5 windows x86 arch:x86

30ce53551eb068df0751508714087698

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FormatMessageW
CloseHandle
WaitForSingleObject
OpenEventW
GetLastError
GlobalFree
WaitForMultipleObjects
CreateThread
GetCurrentProcess
GetModuleHandleW
lstrlenW
GetConsoleOutputCP
GetProcAddress
GetModuleHandleA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
SetUnhandledExceptionFilter
LocalAlloc
LocalReAlloc
GetCommandLineW
LocalFree
SetThreadUILanguage
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
MultiByteToWideChar
Sleep
LCMapStringA
LCMapStringW
LoadLibraryA
GetACP
GetOEMCP
GetCPInfo
VirtualAlloc
HeapReAlloc
RtlUnwind
InterlockedExchange
VirtualQuery
ReadFile
FlushFileBuffers
GetStringTypeA
GetStringTypeW
VirtualProtect
GetSystemInfo
GetLocaleInfoA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
IsValidCodePage
SetFilePointer
SetStdHandle
GetLocaleInfoW

advapi32

LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken

user32

LoadStringW
ExitWindowsEx

userenv

ForceSyncFgPolicy
RefreshPolicyEx

shlwapi

wvnsprintfW

shell32

CommandLineToArgvW

ntdll

RtlCopySid
RtlLengthSid
NtQueryInformationToken
RtlConvertSidToUnicodeString

Sections

.text
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ipseccmd.exe
.exe windows:5 windows x86 arch:x86

06e28cc5468c27081f2546bbda798b1d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_XcptFilter
_exit
__initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
exit
fwprintf
_strdup
??2@YAPAXI@Z
_cexit
_c_exit
__set_app_type
_controlfp
_except_handler3
wprintf
fopen
strtok
printf
_flushall
fgets
realloc
isdigit
isalpha
_stricmp
strrchr
atoi
free
strchr
strncmp
atol
sprintf
fprintf
wcstol
wcschr
towlower
tolower
wcscpy
wcsncmp
wcslen
swprintf
wcscmp
??3@YAXPAX@Z
_iob

advapi32

StartServiceW
OpenSCManagerW
OpenServiceW
QueryServiceStatus
CloseServiceHandle

kernel32

GetModuleHandleA
GetModuleHandleW
GetLastError
FormatMessageW
LocalFree
MultiByteToWideChar
Sleep

ws2_32

inet_ntoa
gethostbyname
WSACleanup
WSAStartup
inet_addr

rpcrt4

UuidCreate
UuidIsNil
UuidCompare
UuidFromStringA
UuidCreateNil

msvcirt

?cin@@3Vistream_withassign@@A
??5istream@@QAEAAV0@AAD@Z
?cerr@@3Vostream_withassign@@A
?endl@@YAAAVostream@@AAV1@@Z
??6ostream@@QAEAAV0@PBD@Z
??6ostream@@QAEAAV0@P6AAAV0@AAV0@@Z@Z
?cout@@3Vostream_withassign@@A

ole32

StringFromGUID2

crypt32

CertNameToStrW
CertStrToNameW

winipsec

ord39
ord56
ord61
ord55
ord62
ord69
ord70
ord40
ord71
ord72
ord25
ord73
ord74
ord65
ord35
ord49
ord30
ord24
ord64
ord48
ord34
ord29
ord47
ord33
ord28
ord38
ord23
ord63
ord46
ord51
ord45
ord22

polstore

IPSecEnumPolicyData
IPSecCopyPolicyData
IPSecEnumNFAData
IPSecGetISAKMPData
IPSecGetNegPolData
IPSecFreePolicyData
IPSecAllocPolStr
IPSecSetPolicyData
IPSecFreeMulPolicyData
IPSecAllocPolMem
IPSecCreatePolicyData
IPSecClosePolicyStore
IPSecOpenPolicyStore
IPSecDeleteISAKMPData
IPSecCreateISAKMPData
IPSecFreeISAKMPData
IPSecFreePolMem
IPSecDeleteNegPolData
IPSecDeleteFilterData
IPSecSetNFAData
IPSecCreateFilterData
IPSecCreateNegPolData
IPSecFreePolStr
IPSecFreeNegPolData
IPSecFreeFilterData
IPSecCreateNFAData
IPSecUnassignPolicy
IPSecGetAssignedPolicyData
IPSecAssignPolicy
IPSecDeletePolicyData
IPSecDeleteNFAData
IPSecGetFilterData

Sections

.text
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
irunin.bmp
irunin.dat
irunin.ini
irunin.lng
polstore.dll
.dll regsvr32 windows:5 windows x86 arch:x86

913093b352fdd20d8149a67afb567f89

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

_except_handler3
_wremove
wcschr
_wcsicmp
time
wcsstr
_itow
wcscat
_wtol
wcslen
wcscpy

advapi32

RegQueryValueExW
RegSaveKeyW
RegRestoreKeyW
RegCreateKeyExW
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegConnectRegistryW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegCloseKey
RegOpenKeyExW
CloseServiceHandle
ControlService
StartServiceA
QueryServiceStatus
OpenServiceA
OpenSCManagerW
RegSetValueExW

kernel32

LocalAlloc
GetCurrentThread
CloseHandle
GetCurrentProcess
LocalFree
GetModuleHandleW
GetLastError
DisableThreadLibraryCalls
FormatMessageW

rpcrt4

UuidToStringW
UuidCreate
RpcStringFreeW

netapi32

DsGetDcNameW
NetApiBufferFree

wldap32

ord26
ord208
ord27
ord97
ord140
ord77
ord142
ord16
ord73
ord41
ord36
ord224
ord79
ord69
ord157
ord113
ord13
ord88
ord14
ord145
ord210

Exports

Exports

DllRegisterServer
DllUnregisterServer
IPSecAllocPolMem
IPSecAllocPolStr
IPSecAssignPolicy
IPSecClosePolicyStore
IPSecCopyAuthMethod
IPSecCopyFilterData
IPSecCopyFilterSpec
IPSecCopyISAKMPData
IPSecCopyNFAData
IPSecCopyNegPolData
IPSecCopyPolicyData
IPSecCreateFilterData
IPSecCreateISAKMPData
IPSecCreateNFAData
IPSecCreateNegPolData
IPSecCreatePolicyData
IPSecDeleteFilterData
IPSecDeleteISAKMPData
IPSecDeleteNFAData
IPSecDeleteNegPolData
IPSecDeletePolicyData
IPSecEnumFilterData
IPSecEnumISAKMPData
IPSecEnumNFAData
IPSecEnumNegPolData
IPSecEnumPolicyData
IPSecExportPolicies
IPSecFreeFilterData
IPSecFreeFilterSpec
IPSecFreeFilterSpecs
IPSecFreeISAKMPData
IPSecFreeMulFilterData
IPSecFreeMulISAKMPData
IPSecFreeMulNFAData
IPSecFreeMulNegPolData
IPSecFreeMulPolicyData
IPSecFreeNFAData
IPSecFreeNegPolData
IPSecFreePolMem
IPSecFreePolStr
IPSecFreePolicyData
IPSecGetAssignedDomainPolicyName
IPSecGetAssignedPolicyData
IPSecGetFilterData
IPSecGetISAKMPData
IPSecGetNegPolData
IPSecImportPolicies
IPSecIsDomainPolicyAssigned
IPSecIsLocalPolicyAssigned
IPSecOpenPolicyStore
IPSecReallocatePolMem
IPSecReallocatePolStr
IPSecRestoreDefaultPolicies
IPSecSetFilterData
IPSecSetISAKMPData
IPSecSetNFAData
IPSecSetNegPolData
IPSecSetPolicyData
IPSecUnassignPolicy

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 220B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
uninst.exe
.exe windows:4 windows x86 arch:x86

dd1742eadfc6df18ded3c26ae64ad610

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetFileSize
GetModuleFileNameA
GetTickCount
GetCurrentProcess
CopyFileA
CloseHandle
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
SetErrorMode
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
ExitProcess

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
CreateDialogParamA
DestroyWindow
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 56KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/FindProcDLL.dll
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/modern-header.bmp
winipsec.dll
.dll windows:5 windows x86 arch:x86

e0cf5626e368af92842b2bcc431c9339

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ntdll

RtlUnwind

kernel32

LocalFree
DisableThreadLibraryCalls
LocalAlloc

rpcrt4

RpcBindingSetOption
RpcBindingFromStringBindingW
NdrClientCall2
RpcSsDestroyClientContext
RpcStringFreeW
RpcMgmtInqServerPrincNameW
RpcStringBindingComposeW
RpcBindingFree
RpcBindingSetAuthInfoW
RpcRaiseException

ws2_32

ntohl

Exports

Exports

AddMMAuthMethods
AddMMFilter
AddMMPolicy
AddQMPolicy
AddTransportFilter
AddTunnelFilter
CloseMMFilterHandle
CloseTransportFilterHandle
CloseTunnelFilterHandle
DeleteMMAuthMethods
DeleteMMFilter
DeleteMMPolicy
DeleteQMPolicy
DeleteTransportFilter
DeleteTunnelFilter
EnumIPSecInterfaces
EnumMMAuthMethods
EnumMMFilters
EnumMMPolicies
EnumQMPolicies
EnumQMSAs
EnumTransportFilters
EnumTunnelFilters
GetMMAuthMethods
GetMMFilter
GetMMPolicy
GetMMPolicyByID
GetQMPolicy
GetQMPolicyByID
GetTransportFilter
GetTunnelFilter
IPSecAddSAs
IPSecCloseIKENegotiationHandle
IPSecCloseNotifyHandle
IPSecDeleteMMSAs
IPSecDeleteQMSAs
IPSecEnumMMSAs
IPSecInitiateIKENegotiation
IPSecQueryIKENegotiationStatus
IPSecQueryIKEStatistics
IPSecQueryNotifyData
IPSecRegisterIKENotifyClient
InitializeDll
MatchMMFilter
MatchTransportFilter
MatchTunnelFilter
OpenMMFilterHandle
OpenTransportFilterHandle
OpenTunnelFilterHandle
QueryIPSecStatistics
SPDApiBufferAllocate
SPDApiBufferFree
SetMMAuthMethods
SetMMFilter
SetMMPolicy
SetQMPolicy
SetTransportFilter
SetTunnelFilter

Sections

.text
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 700B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ܾ˿˲.bat

Sharing

General

Malware Config

Signatures

Files

dd1742eadfc6df18ded3c26ae64ad610

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 22KB - Virtual size: 21KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 56KB

.rsrc Size: 12KB - Virtual size: 12KB

711c893e4d8189fd14b6563a4e35e663

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

Exports

Exports

Sections

.text Size: 1024B - Virtual size: 994B

.rdata Size: 1024B - Virtual size: 871B

.data Size: - Virtual size: 300B

.reloc Size: 512B - Virtual size: 220B

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1024B - Virtual size: 1012B

946eb0a1e85c9ade4acaf634eb5a64f1

Headers

File Characteristics

Imports

kernel32

user32

gdi32

Exports

Exports

Sections

.text Size: 1KB - Virtual size: 1KB

.rdata Size: 1024B - Virtual size: 697B

.data Size: 512B - Virtual size: 3KB

.rsrc Size: 512B - Virtual size: 352B

.reloc Size: 512B - Virtual size: 264B

4ec328f99bdd944fc98d8a5cf11f7a62

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

.text
Size: 22KB - Virtual size: 21KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 56KB

.rsrc
Size: 12KB - Virtual size: 12KB

.text
Size: 1024B - Virtual size: 994B

.rdata
Size: 1024B - Virtual size: 871B

.data
Size: - Virtual size: 300B

.reloc
Size: 512B - Virtual size: 220B

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 1012B

.text
Size: 1KB - Virtual size: 1KB

.rdata
Size: 1024B - Virtual size: 697B

.data
Size: 512B - Virtual size: 3KB

.rsrc
Size: 512B - Virtual size: 352B

.reloc
Size: 512B - Virtual size: 264B

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 92B

.reloc
Size: 512B - Virtual size: 496B

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 409B

.data
Size: 512B - Virtual size: 68B

.reloc
Size: 512B - Virtual size: 186B

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 110KB

.ndata
Size: - Virtual size: 32KB

.rsrc
Size: 24KB - Virtual size: 24KB

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

23:89:03:55:99:b2:04:cb:18:73:d5:5a:bd:23:83:fe
Certificate

.text
Size: 1.7MB - Virtual size: 1.7MB