gwclient[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

gwclient.exe
Size

3.5MB
MD5

7597b1f8122dbbeb39bc70c48a815153
SHA1

9705c19ede0ae31eae5b73f65e9544ccf96b19cd
SHA256

cbf3005ffa7245406133fa9d2c9cb75b718e31265c7dea160fb18385a9a2f09a
SHA512

0df080725eb09d946138e124afdbdd738bea2649d8e959e17feb6631004ada76b3df979957d127f5cd3947f0728e944f6bcb9b0e379ab2e91c6cf40975de8d98
SSDEEP

49152:0QCVNiOOUSvy/EpEGZHhMByshTqtHAAoeTDvFmuuhQF/vFYnZe0Bi5IxtNpvQ3B:0QYNiOONK/EpEaBMYpRNuSlaZRw+NpvE

Score

1^/10

Malware Config

Signatures

Files

gwclient.exe
.exe windows:4 windows x86 arch:x86

f5ac2cada7558afdde4c3751955809ec

Code Sign

08:c8:ec:ea:59:44:ae:e2:2b:b2:18:50:8e:97:98:b8
Certificate

Issuer

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

31-07-2020 00:00

Not After

03-08-2023 12:00

Subject

CN=Qi An Xin Technology Group Inc.,O=Qi An Xin Technology Group Inc.,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:1c:b2:8a:00:00:00:00:00:26
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-04-2011 19:41

Not After

15-04-2021 19:51

Subject

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

31-05-2021 06:43

Not After

17-09-2029 06:43

Subject

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

Issuer

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

19-05-2021 05:42

Not After

18-05-2032 05:42

Subject

CN=Certum Timestamp 2021,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11-02-2011 12:00

Not After

10-02-2026 12:00

Subject

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19-05-2021 05:32

Not After

18-05-2036 05:32

Subject

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15-04-2011 19:45

Not After

15-04-2021 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:bc:db:09:00:11:fd:11:c3:34:1d:74:52:75:e9:9a
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

06-08-2020 00:00

Not After

03-08-2023 12:00

Subject

SERIALNUMBER=91110105397625067T,CN=Qi An Xin Technology Group Inc.,O=Qi An Xin Technology Group Inc.,ST=Beijing,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13074265696a696e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

Issuer

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

19-05-2021 05:42

Not After

18-05-2032 05:42

Subject

CN=Certum Timestamp 2021,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19-05-2021 05:32

Not After

18-05-2036 05:32

Subject

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

31-05-2021 06:43

Not After

17-09-2029 06:43

Subject

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

67:0d:74:23:a6:50:31:6b:de:b4:f4:ba:ac:f0:a8:79:e1:39:84:ad:00:e7:6d:3a:98:a7:eb:cd:2b:7a:a8:a2
Signer

Actual PE Digest

67:0d:74:23:a6:50:31:6b:de:b4:f4:ba:ac:f0:a8:79:e1:39:84:ad:00:e7:6d:3a:98:a7:eb:cd:2b:7a:a8:a2

Digest Algorithm

sha256

PE Digest Matches

true

9f:b8:1b:03:0f:5e:d6:b2:09:61:f7:03:fb:a9:09:d9:41:92:40:2a
Signer

Actual PE Digest

9f:b8:1b:03:0f:5e:d6:b2:09:61:f7:03:fb:a9:09:d9:41:92:40:2a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetLastError
CreateFileW
WaitForMultipleObjects
CreateEventA
DeleteCriticalSection
InitializeCriticalSection
CopyFileW
GetSystemWindowsDirectoryA
VirtualQuery
GetModuleHandleW
LocalFree
Module32First
Module32Next
GetCurrentThread
CreateProcessA
ProcessIdToSessionId
GetExitCodeProcess
GetStartupInfoA
Process32FirstW
Process32NextW
OpenProcess
GetLogicalDriveStringsA
QueryDosDeviceA
CreateToolhelp32Snapshot
Process32First
Process32Next
GetSystemInfo
GetVersionExA
GetFileTime
GetTimeZoneInformation
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
FindFirstFileA
FindNextFileA
FindClose
RemoveDirectoryA
FlushConsoleInputBuffer
DefineDosDeviceA
GlobalMemoryStatus
GetStdHandle
GetVersion
DuplicateHandle
GetFileType
MulDiv
FreeResource
SizeofResource
GetCurrentDirectoryA
GetACP
LoadLibraryExA
FindResourceA
LoadResource
LockResource
lstrcmpiW
MoveFileExA
GetProcessHeap
HeapAlloc
HeapFree
GetSystemDirectoryA
EnterCriticalSection
LeaveCriticalSection
GetLocalTime
OutputDebugStringA
SetFilePointer
DeviceIoControl
SetEndOfFile
CopyFileA
DeleteFileA
GetFileInformationByHandle
FileTimeToLocalFileTime
FileTimeToDosDateTime
GetFileAttributesA
DosDateTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
SetFileAttributesA
lstrcpynA
LocalAlloc
QueryPerformanceCounter
lstrcpyA
lstrcatA
lstrcmpiA
GetFullPathNameA
GetModuleHandleA
GetTickCount
GetExitCodeThread
GetDiskFreeSpaceExA
TerminateThread
GetLogicalDrives
FreeLibrary
OpenEventA
SetEvent
LoadLibraryA
GetProcAddress
MultiByteToWideChar
WideCharToMultiByte
CreateFileMappingA
MapViewOfFile
GetSystemTime
SystemTimeToFileTime
GlobalLock
GlobalUnlock
GetEnvironmentVariableA
CreateThread
WaitForSingleObject
ExpandEnvironmentStringsA
GetSystemDefaultLangID
SetUnhandledExceptionFilter
GetTempPathA
CreateDirectoryA
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
Sleep
CreateSemaphoreA
GetLastError
GetModuleFileNameA
GlobalFree
lstrlenA
WriteFile
CreateFileA
GetFileSize
GlobalAlloc
ReadFile
ResetEvent
CloseHandle

user32

GetClassNameA
GetWindowTextA
OpenInputDesktop
GetUserObjectInformationA
SwitchDesktop
GetWindowLongA
IsIconic
GetClientRect
OpenDesktopA
EnumDesktopWindows
GetThreadDesktop
CloseDesktop
CreateDesktopA
ExitWindowsEx
EnumWindows
GetWindowThreadProcessId
DestroyWindow
CreateWindowExA
SetWindowLongA
ShowWindow
PostQuitMessage
PostMessageA
IsWindow
GetCursorPos
MessageBoxA
ScreenToClient
SetWindowRgn
GetWindowRect
ClientToScreen
KillTimer
SetTimer
SendMessageA
TrackPopupMenu
SetForegroundWindow
ModifyMenuA
GetSubMenu
LoadMenuA
IsWindowEnabled
SetWindowPos
GetSystemMetrics
GetParent
GetMonitorInfoA
MonitorFromWindow
SendMessageTimeoutA
LoadIconA
DestroyIcon
GetForegroundWindow
GetProcessWindowStation
GetUserObjectInformationW
CreateAcceleratorTableA
InvalidateRgn
SetRect
CharPrevA
DrawTextA
FillRect
GetWindowRgn
UpdateLayeredWindow
GetSysColor
SetCaretPos
ShowCaret
HideCaret
CreateCaret
IntersectRect
GetWindowTextLengthA
SetWindowTextA
CharNextA
PtInRect
ReleaseCapture
SetCapture
GetFocus
GetUpdateRect
FindWindowA
LoadCursorA
BeginPaint
EndPaint
IsRectEmpty
InvalidateRect
MapWindowPoints
DefWindowProcA
GetKeyState
RegisterClassExA
GetDC
SetUserObjectInformationA
SetThreadDesktop
EnableWindow
GetDesktopWindow
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
SetFocus
OffsetRect
wvsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
GetWindow
SystemParametersInfoA
RegisterClassA
GetClassInfoExA
CallWindowProcA
GetPropA
SetPropA
AdjustWindowRectEx
GetMenu
SetCursor
ReleaseDC
MoveWindow

gdi32

CreateRoundRectRgn
CombineRgn
CreateRectRgnIndirect
CreateRectRgn
GetObjectA
SelectObject
CreateCompatibleDC
DeleteObject
CreatePen
CreateFontIndirectA
GetStockObject
SetWindowOrgEx
Rectangle
RestoreDC
BitBlt
SaveDC
CreateCompatibleBitmap
GetTextMetricsA
CreateSolidBrush
SetTextColor
SetBkMode
GetDeviceCaps
PtInRegion
SelectClipRgn
ExtSelectClipRgn
GetClipBox
StretchBlt
SetStretchBltMode
ExtTextOutA
SetBkColor
LineTo
MoveToEx
RoundRect
TextOutA
GetTextExtentPoint32A
GetCharABCWidthsA
DeleteDC
CreateDIBSection
GetPixel

comdlg32

GetOpenFileNameA
GetSaveFileNameA

advapi32

DuplicateTokenEx
RegDeleteValueA
AddAccessAllowedAce
RegSetKeySecurity
RegEnumKeyExA
RegDeleteKeyA
RegEnumKeyA
RegEnumValueA
RegQueryValueExA
RegSetValueExA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
LookupAccountNameA
ConvertSidToStringSidA
LookupAccountSidA
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenSCManagerA
CloseServiceHandle
LookupPrivilegeNameA
OpenThreadToken
GetTokenInformation
EqualSid
DeregisterEventSource
SetTokenInformation
OpenProcessToken
CreateProcessAsUserA
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAceEx
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetFileSecurityA
FreeSid
CryptDecrypt
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDeriveKey
CryptEncrypt
CryptDestroyKey
CryptDestroyHash
CryptReleaseContext
ReportEventA
RegisterEventSourceA

shell32

StrChrIA
StrStrIA
StrCmpNIA
ShellExecuteA
SHGetSpecialFolderPathA
SHChangeNotify
ShellExecuteExA
SHGetSpecialFolderLocation
SHGetPathFromIDListA
Shell_NotifyIconA

ole32

CoCreateInstance
CLSIDFromString
CoCreateGuid
CoInitialize
OleInitialize
OleUninitialize
CLSIDFromProgID
OleLockRunning

ws2_32

accept
WSAEnumNetworkEvents
bind
WSAEventSelect
listen
shutdown
WSASend
WSARecv
WSASocketA
setsockopt
getsockname
WSAIoctl
WSACleanup
WSAStartup
getservbyport
gethostbyaddr
getservbyname
WSASetLastError
WSAAddressToStringA
WSAGetLastError
ntohl
htonl
ntohs
gethostbyname
inet_ntoa
socket
ioctlsocket
closesocket
htons
inet_addr
connect
select
WSAGetOverlappedResult

comctl32

ord17
_TrackMouseEvent

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

imm32

ImmAssociateContext
ImmGetContext
ImmReleaseContext

dbghelp

MiniDumpWriteDump

msvcp60

??0?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
??_7?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@6B@
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
?str@?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
??1?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ
??_7?$basic_ostream@DU?$char_traits@D@std@@@std@@6B@
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
??_7runtime_error@std@@6B@
??1runtime_error@std@@UAE@XZ
??0runtime_error@std@@QAE@ABV01@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PAD0PBD1@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?getline@std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@1@AAV21@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@D@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHIIPBDI@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z
?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?open@?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAEPAV12@PBDH@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??_F?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBDI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?_Xran@std@@YAXXZ
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??0_Lockit@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
?max_size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??_8?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@7B@
?setw@std@@YA?AU?$_Smanip@H@1@H@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??_8?$basic_ifstream@DU?$char_traits@D@std@@@std@@7B@
??0ios_base@std@@IAE@XZ
??_7?$basic_ios@DU?$char_traits@D@std@@@std@@6B@
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@D@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N1@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAE@PAU_iobuf@@@Z
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Xlen@std@@YAXXZ
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1ios_base@std@@UAE@XZ
??_7?$basic_istream@DU?$char_traits@D@std@@@std@@6B@
??1?$basic_filebuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?_Initcvt@?$basic_filebuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?_Init@?$basic_filebuf@DU?$char_traits@D@std@@@std@@IAEXPAU_iobuf@@W4_Initfl@12@@Z
?__Fiopen@std@@YAPAU_iobuf@@PBDH@Z
??_7?$basic_ifstream@DU?$char_traits@D@std@@@std@@6B@

shlwapi

PathRemoveFileSpecA
StrTrimW
PathIsDirectoryA
SHGetValueA
StrTrimA

crypt32

CertFindCertificateInStore
CryptDecryptMessage
CryptEncryptMessage
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertFindChainInStore
CertGetIntendedKeyUsage
CertNameToStrA
CertGetNameStringA
CertFreeCertificateContext
CertCloseStore
CertOpenSystemStoreA
CertAddCertificateContextToStore
CertOpenStore

psapi

GetProcessImageFileNameA
GetModuleFileNameExA

iphlpapi

SetTcpEntry
GetIpForwardTable
GetIpAddrTable
GetTcpTable

msvcrt

_mbsnbcmp
_itoa
_stricmp
_controlfp
_iob
?terminate@@YAXXZ
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_XcptFilter
??1type_info@@UAE@XZ
_onexit
__dllonexit
signal
_getch
isupper
isxdigit
_except_handler3
_strnicmp
_setmode
fflush
_wfopen
isspace
tolower
getenv
qsort
strcmp
memset
fprintf
wcsstr
raise
_exit
gmtime
_ismbcalnum
_fileno
isdigit
strtol
toupper
_mbsstr
_mbslwr
_mbscmp
_mbsnbcpy
realloc
strpbrk
_ftol
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABV0@@Z
_strdup
fgets
fputs
rewind
fread
wcscpy
wcscat
iscntrl
_wcsicmp
ftell
strtoul
calloc
_vsnprintf
remove
_errno
_lseek
_close
_write
_read
_CxxThrowException
_open
printf
exit
fwrite
wcsncpy
strchr
fopen
fseek
fgetws
wcslen
atoi
strncat
strncpy
_strrev
??2@YAPAXI@Z
strrchr
_purecall
__p___argv
__p___argc
strstr
_access
sprintf
_snprintf
strncmp
fclose
rand
srand
time
memchr
__CxxFrameHandler
free
malloc
memmove
atof
sscanf

wininet

HttpSendRequestA
InternetOpenA
InternetConnectA
HttpOpenRequestA
InternetCloseHandle
InternetQueryOptionA
InternetSetOptionA
InternetReadFile

setupapi

SetupIterateCabinetA

wintrust

WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
WinVerifyTrust

riched20

ord4

Exports

Exports

strdup

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 204KB - Virtual size: 203KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 82KB - Virtual size: 339KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 579KB - Virtual size: 579KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f5ac2cada7558afdde4c3751955809ec

Code Sign

08:c8:ec:ea:59:44:ae:e2:2b:b2:18:50:8e:97:98:b8Certificate

Extended Key Usages

Key Usages

61:1c:b2:8a:00:00:00:00:00:26Certificate

Key Usages

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27Certificate

Key Usages

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8Certificate

Extended Key Usages

Key Usages

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bdCertificate

Extended Key Usages

Key Usages

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

0a:bc:db:09:00:11:fd:11:c3:34:1d:74:52:75:e9:9aCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8Certificate

Extended Key Usages

Key Usages

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87Certificate

Extended Key Usages

Key Usages

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27Certificate

Key Usages

67:0d:74:23:a6:50:31:6b:de:b4:f4:ba:ac:f0:a8:79:e1:39:84:ad:00:e7:6d:3a:98:a7:eb:cd:2b:7a:a8:a2Signer

9f:b8:1b:03:0f:5e:d6:b2:09:61:f7:03:fb:a9:09:d9:41:92:40:2aSigner

Headers

File Characteristics

Imports

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

ws2_32

comctl32

version

imm32

dbghelp

msvcp60

shlwapi

crypt32

psapi

iphlpapi

msvcrt

wininet

setupapi

wintrust

riched20

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 204KB - Virtual size: 203KB

.data Size: 82KB - Virtual size: 339KB

.rsrc Size: 579KB - Virtual size: 579KB

08:c8:ec:ea:59:44:ae:e2:2b:b2:18:50:8e:97:98:b8
Certificate

61:1c:b2:8a:00:00:00:00:00:26
Certificate

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

0a:bc:db:09:00:11:fd:11:c3:34:1d:74:52:75:e9:9a
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

67:0d:74:23:a6:50:31:6b:de:b4:f4:ba:ac:f0:a8:79:e1:39:84:ad:00:e7:6d:3a:98:a7:eb:cd:2b:7a:a8:a2
Signer

9f:b8:1b:03:0f:5e:d6:b2:09:61:f7:03:fb:a9:09:d9:41:92:40:2a
Signer

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 204KB - Virtual size: 203KB

.data
Size: 82KB - Virtual size: 339KB

.rsrc
Size: 579KB - Virtual size: 579KB