e6184d3b9f9a0732967e9c5f74be9250ddf68f3a9ce3ce25f00a772b755abd72

Sharing

Copy URL Twitter E-mail

General

Target

e6184d3b9f9a0732967e9c5f74be9250ddf68f3a9ce3ce25f00a772b755abd72
Size

3.0MB
MD5

960d065556f31be6ddb6d59532eef657
SHA1

a2589b9d44d02bb9d7aa7da50999bc8520bc25b4
SHA256

e6184d3b9f9a0732967e9c5f74be9250ddf68f3a9ce3ce25f00a772b755abd72
SHA512

b708ebff5f22bdddc8713bf7c18f1a87049b4a381b45e6ff225ae5fe238d4322671b531813a75b53f1e91dd0ebc8b65cb0c979c3b33183bbb97e12b9bb9216b3
SSDEEP

49152:768PEzK93vtfyt5iQ2hteZH3yVksQpLa1wSEQaRBuvW7T/lMdPf6aeiDSNmFfNiw:76XqftfiEDjcH3oks6eWgoLlMdPfNei7

Score

10^/10

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
static1/unpack001/CCleaner.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
static1/unpack001/CCleaner.exe	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
e6184d3b9f9a0732967e9c5f74be9250ddf68f3a9ce3ce25f00a772b755abd72
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/inetc.dll
unpack001/$PLUGINSDIR/nsDialogs.dll
unpack001/$PLUGINSDIR/nsProcess.dll
unpack001/CCleaner64.exe

Files

e6184d3b9f9a0732967e9c5f74be9250ddf68f3a9ce3ce25f00a772b755abd72
.exe windows:5 windows x86 arch:x86

377a97652fdf5740d8cc11d5ce124fed

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
Sleep
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
ExitProcess
CopyFileW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetFileTime
lstrcpynA
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
LoadLibraryW
GetSystemDirectoryW
GetProcAddress
OpenProcess
lstrcpyW
LoadLibraryA
GetVersionExW
lstrcpyA
RemoveDirectoryW
lstrcmpA
CloseHandle
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GlobalFree
GetModuleHandleW
LoadLibraryExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
WideCharToMultiByte
lstrlenA
MulDiv
WriteFile
ReadFile
MultiByteToWideChar
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
SetErrorMode

user32

IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
GetAsyncKeyState
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
DispatchMessageW
PeekMessageW
wvsprintfW
wsprintfA
ExitWindowsEx
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
CheckDlgButton
LoadCursorW
SetCursor
GetWindowLongW
GetSysColor
GetClassInfoW
CharNextW
FindWindowExW
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndPaint
SendMessageTimeoutW

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectW
SetBkMode
SetTextColor
SelectObject

shell32

SHBrowseForFolderW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteW
SHFileOperationW
SHGetSpecialFolderLocation

advapi32

RegOpenKeyExW
RegEnumValueW
RegEnumKeyW
RegCloseKey
SetFileSecurityW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegDeleteKeyW
RegQueryValueExW

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 415KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:5 windows x86 arch:x86

039bcbc605477e8e87ec550c2e60e748

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyW
lstrcpynW
GetProcAddress
WideCharToMultiByte
lstrcatW
lstrlenW
lstrcmpiW
LoadLibraryW
GetModuleHandleW
MultiByteToWideChar
VirtualAlloc
VirtualProtect
FreeLibrary

user32

wsprintfW

ole32

CLSIDFromString
StringFromGUID2

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 963B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 588B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/inetc.dll
.dll windows:4 windows x86 arch:x86

917ae9b9adb269abd5543f5bf5676bac

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

wcschr
_adjust_fdiv
malloc
_initterm
free
strlen
strchr
strrchr
wcsrchr
wcstoul
memset
wcsstr
wcstol

kernel32

DeleteFileW
WideCharToMultiByte
CreateFileA
CreateThread
WaitForSingleObject
TerminateThread
GetModuleHandleW
MulDiv
lstrcpyW
GlobalAlloc
LoadLibraryW
GetProcAddress
lstrcmpiW
lstrlenW
WriteFile
ReadFile
lstrcmpW
lstrcpynW
GetLastError
CreateFileW
GlobalFree
CloseHandle
SleepEx
SetFilePointer
GetTickCount
lstrcatW
GetFileSize

user32

MessageBoxW
GetParent
ShowWindow
SetWindowLongW
IsWindow
SetWindowTextW
SendDlgItemMessageW
GetDlgItem
PostMessageW
GetWindowTextW
SendMessageW
SetDlgItemTextW
SetWindowPos
SystemParametersInfoW
GetClientRect
GetWindowRect
SetTimer
LoadIconW
UpdateWindow
DestroyWindow
KillTimer
RedrawWindow
DispatchMessageW
TranslateMessage
GetMessageW
IsDialogMessageW
IsWindowVisible
EnableWindow
CreateDialogParamW
FindWindowExW
wsprintfA
wsprintfW
GetWindowLongW

wininet

HttpSendRequestW
HttpSendRequestExW
HttpQueryInfoW
FtpCreateDirectoryW
FtpOpenFileW
InternetGetLastResponseInfoW
InternetSetFilePointer
InternetSetOptionW
InternetQueryOptionW
HttpAddRequestHeadersA
InternetCloseHandle
InternetErrorDlg
HttpOpenRequestW
HttpAddRequestHeadersW
HttpEndRequestW
InternetConnectW
InternetCrackUrlW
InternetOpenW
InternetReadFile
InternetWriteFile

comctl32

ord17

Exports

Exports

get
head
post
put

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/modern-header.bmp
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/nsDialogs.dll
.dll windows:5 windows x86 arch:x86

9ea5bdc8c90dfcffe309465c26c89758

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
MulDiv
lstrlenW
HeapFree
GetProcessHeap
lstrcmpiW
HeapReAlloc
lstrcpynW
GetFileAttributesW
lstrcpyW
GetCurrentDirectoryW
SetCurrentDirectoryW
HeapAlloc
GlobalFree

user32

LoadCursorW
RemovePropW
DrawFocusRect
GetPropW
DrawTextW
GetWindowTextW
GetDlgItem
SetWindowLongW
SetWindowPos
CreateDialogParamW
MapWindowPoints
GetWindowRect
SetCursor
CreateWindowExW
IsWindow
SetTimer
KillTimer
DispatchMessageW
TranslateMessage
GetMessageW
IsDialogMessageW
ShowWindow
wsprintfW
GetClientRect
CharPrevW
CallWindowProcW
SetPropW
DestroyWindow
MapDialogRect
CharNextW
SendMessageW
GetWindowLongW

gdi32

SetTextColor

shell32

SHGetPathFromIDListW
SHBrowseForFolderW

comdlg32

GetSaveFileNameW
CommDlgExtendedError
GetOpenFileNameW

ole32

CoTaskMemFree

Exports

Exports

Create
CreateControl
CreateItem
CreateTimer
GetUserData
KillTimer
OnBack
OnChange
OnClick
OnNotify
SelectFileDialog
SelectFolderDialog
SetRTL
SetUserData
Show

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 590B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/nsProcess.dll
.dll windows:5 windows x86 arch:x86

439074d1c01f7b16781bdf060930814a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
TerminateProcess
WaitForSingleObject
GetExitCodeProcess
OpenProcess
MultiByteToWideChar
lstrlenA
lstrlenW
LoadLibraryA
lstrcmpiW
lstrcpynW
FreeLibrary
LocalFree
LocalAlloc
GetProcAddress
LoadLibraryW
GetVersionExW
GlobalFree
GlobalAlloc

user32

GetWindowThreadProcessId
EnumWindows
wsprintfW
PostMessageW

Exports

Exports

_CloseProcess
_FindProcess
_KillProcess
_Unload

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 927B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 254B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CCleaner.exe
.exe windows:5 windows x86 arch:x86

e8fb508b62ec97479673910b8a64a7e3

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

4b:48:b2:7c:82:24:fe:37:b1:7a:6a:2e:d7:a8:1c:9f
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

12/08/2015, 00:00

Not After

10/10/2018, 23:59

Subject

CN=Piriform Ltd,O=Piriform Ltd,L=London,ST=London,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4b:48:b2:7c:82:24:fe:37:b1:7a:6a:2e:d7:a8:1c:9f
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

12/08/2015, 00:00

Not After

10/10/2018, 23:59

Subject

CN=Piriform Ltd,O=Piriform Ltd,L=London,ST=London,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

11/06/2015, 00:00

Not After

29/12/2020, 23:59

Subject

CN=GeoTrust 2048-bit Timestamping Signer 3,O=GeoTrust Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

01/01/1997, 00:00

Not After

31/12/2020, 23:59

Subject

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

94:28:71:3d:a8:3f:39:dd:48:20:b5:2e:47:25:6b:70:0d:fd:6d:28:98:6e:2e:4a:f0:a2:ff:46:27:88:62:cd
Signer

Actual PE Digest

94:28:71:3d:a8:3f:39:dd:48:20:b5:2e:47:25:6b:70:0d:fd:6d:28:98:6e:2e:4a:f0:a2:ff:46:27:88:62:cd

Digest Algorithm

sha256

PE Digest Matches

true

5c:a6:92:d7:c4:8a:fd:f5:48:bd:cf:0e:32:80:69:52:f0:65:f5:08
Signer

Actual PE Digest

5c:a6:92:d7:c4:8a:fd:f5:48:bd:cf:0e:32:80:69:52:f0:65:f5:08

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

H:\Piriform\CCleaner\branches\v5.22\bin\CCleaner\Release\CCleaner.pdb

Imports

rpcrt4

UuidFromStringA

kernel32

MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA
GetLocalTime
OutputDebugStringA
GetSystemTimeAsFileTime
DeviceIoControl
FindFirstFileW
FindClose
MoveFileW
GetDiskFreeSpaceW
GetVolumeInformationW
SetFilePointerEx
SetEndOfFile
GetFileAttributesExW
SetFileTime
RemoveDirectoryW
CreateDirectoryW
GetDriveTypeW
GetCompressedFileSizeW
BackupRead
BackupSeek
lstrcmpA
GetFullPathNameW
FindNextFileW
WritePrivateProfileStringW
GetShortPathNameW
FileTimeToLocalFileTime
FileTimeToSystemTime
GetPrivateProfileSectionW
GetPrivateProfileSectionNamesW
GetUserDefaultLangID
ExpandEnvironmentStringsW
GetEnvironmentVariableW
SetFileAttributesW
GetTempPathW
GetTempFileNameW
CopyFileW
IsBadStringPtrW
GetTickCount
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
LoadLibraryA
SystemTimeToFileTime
MoveFileExW
SetProcessWorkingSetSize
GetComputerNameW
CompareFileTime
LocalAlloc
LocalLock
LocalUnlock
GetDateFormatA
GetTimeFormatA
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
DeleteFileA
GetTempPathA
GetDiskFreeSpaceA
CreateFileMappingA
LockFileEx
HeapValidate
GetFileAttributesA
UnlockFileEx
OutputDebugStringW
LockFile
UnlockFile
GetFullPathNameA
GetThreadTimes
SetEnvironmentVariableA
CreateFileA
SetStdHandle
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetConsoleMode
GetConsoleCP
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStringTypeW
HeapCreate
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
LCMapStringW
RtlUnwind
GetLogicalDrives
IsDebuggerPresent
UnhandledExceptionFilter
GetStdHandle
GetFileType
WriteConsoleW
HeapSetInformation
ExitProcess
ExitThread
VirtualProtect
AreFileApisANSI
FormatMessageA
CreateWaitableTimerA
WaitForMultipleObjectsEx
TlsSetValue
OpenEventA
WaitForSingleObjectEx
SetWaitableTimer
TlsGetValue
TlsFree
TlsAlloc
GetModuleHandleA
InterlockedPopEntrySList
IsProcessorFeaturePresent
InterlockedPushEntrySList
InterlockedCompareExchange
HeapSize
HeapReAlloc
HeapDestroy
GetLocaleInfoW
VerifyVersionInfoW
VerSetConditionMask
GlobalMemoryStatus
GetVersionExA
WaitForMultipleObjects
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
CreateThread
CreateSemaphoreW
ReleaseSemaphore
TerminateThread
VirtualQueryEx
SetUnhandledExceptionFilter
RtlCaptureContext
GetSystemTime
ResumeThread
SuspendThread
GetCurrentProcessId
GetThreadPriority
GetSystemInfo
OpenThread
VirtualProtectEx
VirtualAlloc
SetThreadPriority
InitializeCriticalSection
VirtualFree
GetCurrentThread
VirtualQuery
GetThreadContext
lstrlenA
GlobalHandle
lstrcmpW
GetDiskFreeSpaceExW
GetWindowsDirectoryW
GetProcessTimes
GetLongPathNameW
SetFilePointer
GetFileSize
ReadFile
GetVersion
CompareStringW
lstrcpyW
GetPrivateProfileStringW
DeleteFileW
LocalFree
FormatMessageW
lstrcpynW
GetVersionExW
MulDiv
SetCurrentDirectoryW
GetCurrentDirectoryW
QueryPerformanceCounter
QueryPerformanceFrequency
GetCommandLineW
CreateProcessW
GetStartupInfoW
LoadLibraryW
GetSystemDirectoryW
SetErrorMode
InterlockedIncrement
InterlockedDecrement
LoadLibraryExW
lstrcmpiW
FreeLibrary
WriteFile
FlushFileBuffers
GetFileAttributesW
WideCharToMultiByte
CreateMutexW
lstrlenW
GetProcAddress
MultiByteToWideChar
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetLastError
RaiseException
GetCurrentThreadId
GetModuleFileNameW
GetModuleHandleW
CreateEventA
CloseHandle
HeapAlloc
HeapFree
GetProcessHeap
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
InterlockedExchange
ResetEvent
SetEvent
CreateEventW
CreateFileW
Sleep
GetLastError
OpenProcess
TerminateProcess
WaitForSingleObject
LeaveCriticalSection
EnterCriticalSection
FlushInstructionCache
GetCurrentProcess
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
CreateFileMappingW

user32

MapDialogRect
SetWindowContextHelpId
SendDlgItemMessageW
DestroyAcceleratorTable
wsprintfW
GetForegroundWindow
GetDlgItemInt
GetNextDlgTabItem
SetDlgItemTextW
CloseClipboard
GetClipboardData
OpenClipboard
IsClipboardFormatAvailable
GetShellWindow
GetWindowInfo
SetMenuDefaultItem
LockWindowUpdate
PostQuitMessage
IsDialogMessageW
FindWindowExW
LoadIconW
GetComboBoxInfo
AdjustWindowRectEx
GetMenu
DrawEdge
SetLayeredWindowAttributes
DeleteMenu
UnhookWindowsHookEx
SetWindowsHookExW
CallNextHookEx
SetPropW
GetWindowTextLengthW
SetScrollPos
GetScrollInfo
ScrollWindowEx
SetScrollInfo
AppendMenuW
GetScrollPos
InvalidateRgn
CreateAcceleratorTableW
EnableScrollBar
GetPropW
ShowScrollBar
GetScrollRange
SetScrollRange
RemovePropW
DrawFrameControl
GetSystemMetrics
GetMonitorInfoW
MonitorFromWindow
LoadBitmapW
GetWindowPlacement
GetWindowRect
SetWindowPos
GetWindowLongW
GetParent
GetWindow
GetDesktopWindow
GetClientRect
MapWindowPoints
UnregisterClassA
SetWindowLongW
SendMessageW
GetDlgItem
ScreenToClient
MoveWindow
GetDC
ReleaseDC
GetWindowTextW
SetWindowTextW
IsWindow
DefWindowProcW
InvalidateRect
BeginPaint
EndPaint
DrawTextW
OffsetRect
GetClassLongW
DrawFocusRect
DestroyIcon
DrawStateW
GetKeyState
GetMessagePos
CreateDialogParamW
FrameRect
DialogBoxParamW
IsChild
ChildWindowFromPoint
GetSysColor
SetRectEmpty
SetCursorPos
InsertMenuW
SystemParametersInfoA
DrawTextExW
GetMenuItemID
UnregisterClassW
CharLowerW
CharLowerA
GetDlgItemTextW
EmptyClipboard
SetClipboardData
WaitForInputIdle
EnumDisplaySettingsW
ExitWindowsEx
GetLastInputInfo
SendMessageTimeoutW
GetAsyncKeyState
GetNextDlgGroupItem
DestroyCursor
GetLastActivePopup
MessageBeep
DrawIcon
GetDialogBaseUnits
LoadStringW
WinHelpW
WaitMessage
CreateDialogIndirectParamW
GetCursorPos
CreatePopupMenu
MsgWaitForMultipleObjects
IsWindowUnicode
GetMessageA
DispatchMessageA
EnableMenuItem
EnableWindow
BringWindowToTop
UpdateWindow
GetFocus
GetWindowDC
MessageBoxW
PeekMessageW
GetMessageW
GetActiveWindow
PostMessageW
EndDialog
GetDlgCtrlID
PtInRect
RedrawWindow
TrackMouseEvent
GetSystemMenu
TrackPopupMenu
SetForegroundWindow
IsZoomed
SystemParametersInfoW
InflateRect
LoadImageW
CallWindowProcW
ShowWindow
KillTimer
SetTimer
DestroyWindow
FillRect
GetSysColorBrush
ClientToScreen
RegisterWindowMessageW
RegisterClassExW
GetClassInfoExW
LoadCursorW
CreateWindowExW
DestroyMenu
CopyRect
IsWindowEnabled
CheckDlgButton
IsDlgButtonChecked
GetClassNameW
IsWindowVisible
OpenIcon
FindWindowW
EnumWindows
IsIconic
SetFocus
SetRect
GetCapture
SetCapture
WindowFromPoint
ReleaseCapture
SetCursor
CharNextW
TranslateMessage
DispatchMessageW
RegisterClassW
GetClassInfoW
GetWindowThreadProcessId

gdi32

SelectClipRgn
GetBkColor
GetTextColor
CreateRectRgnIndirect
CombineRgn
ExcludeClipRect
GetTextMetricsW
GetTextExtentPoint32W
GetClipBox
CreatePatternBrush
CreateBitmap
PatBlt
GetStockObject
SaveDC
SetDIBColorTable
Rectangle
SelectObject
SetViewportOrgEx
CreateCompatibleBitmap
CreateCompatibleDC
DeleteObject
BitBlt
GetDeviceCaps
SetBkMode
GetObjectW
CreateSolidBrush
SetBkColor
ExtTextOutW
SetTextColor
RestoreDC
CreatePen
MoveToEx
LineTo
Ellipse
PolylineTo
UnrealizeObject
GetClipRgn
BeginPath
EndPath
StrokeAndFillPath
CreateRectRgn
CreateDCW
CreateFontIndirectW
StretchBlt
CreateDIBSection
GetDIBColorTable
DeleteDC
TextOutW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextW
ConvertSidToStringSidW
CloseEventLog
ClearEventLogW
OpenEventLogW
LookupPrivilegeNameW
RegUnLoadKeyW
RegLoadKeyW
RegNotifyChangeKeyValue
GetUserNameW
LookupAccountNameW
CopySid
GetLengthSid
LookupAccountSidW
EqualSid
OpenThreadToken
GetSidSubAuthority
GetSidSubAuthorityCount
GetSidIdentifierAuthority
IsValidSid
RegEnumValueW
AccessCheck
MapGenericMask
DuplicateToken
GetFileSecurityW
SetNamedSecurityInfoW
SetEntriesInAclW
AllocateAndInitializeSid
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
RegQueryValueExW
OpenProcessToken
GetTokenInformation
LookupPrivilegeValueW
AdjustTokenPrivileges
FreeSid
CryptGenRandom

shell32

SHGetPathFromIDListW
SHBrowseForFolderW
DragQueryFileW
DragFinish
ShellExecuteExW
Shell_NotifyIconW
SHGetSpecialFolderLocation
ExtractIconExW
SHGetFileInfoW
SHEmptyRecycleBinW
SHAddToRecentDocs
ShellExecuteW

ole32

CoInitializeEx
PropVariantClear
CoSetProxyBlanket
OleLockRunning
StringFromGUID2
CLSIDFromString
CLSIDFromProgID
CoGetClassObject
CoInitializeSecurity
DoDragDrop
RegisterDragDrop
RevokeDragDrop
OleDuplicateData
ReleaseStgMedium
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
OleUninitialize
OleInitialize
CreateStreamOnHGlobal
CoUninitialize
CoInitialize

oleaut32

SysFreeString
VarUI4FromStr
SysAllocString
VariantClear
VariantInit
SysStringLen
SysAllocStringLen
LoadRegTypeLi
LoadTypeLi
DispCallFunc
OleCreateFontIndirect
VarBstrFromR8
VarBstrFromI4
VariantChangeType
VariantTimeToSystemTime

shlwapi

PathIsDirectoryEmptyW
PathRemoveExtensionA
PathRemoveExtensionW
PathAddExtensionW
PathStripToRootW
PathSkipRootW
PathRemoveBackslashW
PathCombineW
PathCompactPathW
PathRemoveFileSpecW
PathIsDirectoryW
PathAppendW
PathFileExistsW
PathMatchSpecW
PathFindExtensionW
PathUnquoteSpacesW
PathStripPathW
SHStrDupW
PathIsURLW
PathCreateFromUrlW
PathStripPathA
PathIsUNCW
PathIsRelativeW
PathFindFileNameW
ord487
StrRetToStrW
PathRemoveArgsW
PathGetDriveNumberW

comctl32

ImageList_Destroy
ImageList_Draw
ImageList_LoadImageW
ImageList_Add
ImageList_Create
_TrackMouseEvent
ImageList_Remove
ImageList_SetIconSize
ImageList_Duplicate
ImageList_GetIcon
ImageList_ReplaceIcon
ImageList_GetImageCount
ImageList_GetIconSize
InitCommonControlsEx

gdiplus

GdipCreateBitmapFromFile
GdipDrawPieI
GdipFillPieI
GdipCreateHatchBrush
GdipDrawRectangleI
GdipDeletePen
GdipCreatePen1
GdipIsVisiblePathPointI
GdipAddPathPieI
GdipSetSmoothingMode
GdipCreateFromHDC
GdipFillRectangleI
GdipCreateSolidFill
GdipCloneBrush
GdipDeleteBrush
GdipDeletePath
GdipCreatePath
GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromStream
GdipGetImagePixelFormat
GdipGetImageHeight
GdipGetImageWidth
GdipGetImagePaletteSize
GdipGetImagePalette
GdipBitmapLockBits
GdipBitmapUnlockBits
GdipCreateBitmapFromScan0
GdipCloneImage
GdipAlloc
GdipFree
GdipDisposeImage
GdipGetImageGraphicsContext
GdipDeleteGraphics
GdipDrawImageI

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 856KB - Virtual size: 855KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 351KB - Virtual size: 2.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 296KB - Virtual size: 295KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
CCleaner64.exe
.exe windows:5 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 4.2MB - Virtual size: 4.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 380KB - Virtual size: 2.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE

data
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 79KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

377a97652fdf5740d8cc11d5ce124fed

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

Sections

.text Size: 29KB - Virtual size: 28KB

.rdata Size: 11KB - Virtual size: 10KB

.data Size: 512B - Virtual size: 415KB

.ndata Size: - Virtual size: 3.1MB

.rsrc Size: 38KB - Virtual size: 37KB

039bcbc605477e8e87ec550c2e60e748

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 963B

.data Size: 512B - Virtual size: 64B

.reloc Size: 1024B - Virtual size: 588B

917ae9b9adb269abd5543f5bf5676bac

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

wininet

comctl32

Exports

Exports

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 5KB - Virtual size: 7KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

9ea5bdc8c90dfcffe309465c26c89758

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 4KB - Virtual size: 4KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: - Virtual size: 48B

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1024B - Virtual size: 590B

439074d1c01f7b16781bdf060930814a

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

.text
Size: 29KB - Virtual size: 28KB

.rdata
Size: 11KB - Virtual size: 10KB

.data
Size: 512B - Virtual size: 415KB

.ndata
Size: - Virtual size: 3.1MB

.rsrc
Size: 38KB - Virtual size: 37KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 963B

.data
Size: 512B - Virtual size: 64B

.reloc
Size: 1024B - Virtual size: 588B

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 5KB - Virtual size: 7KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 4KB - Virtual size: 4KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: - Virtual size: 48B

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1024B - Virtual size: 590B

.text
Size: 1KB - Virtual size: 1KB

.rdata
Size: 1024B - Virtual size: 927B

.data
Size: - Virtual size: 2KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 512B - Virtual size: 254B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

4b:48:b2:7c:82:24:fe:37:b1:7a:6a:2e:d7:a8:1c:9f
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

4b:48:b2:7c:82:24:fe:37:b1:7a:6a:2e:d7:a8:1c:9f
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

94:28:71:3d:a8:3f:39:dd:48:20:b5:2e:47:25:6b:70:0d:fd:6d:28:98:6e:2e:4a:f0:a2:ff:46:27:88:62:cd
Signer

5c:a6:92:d7:c4:8a:fd:f5:48:bd:cf:0e:32:80:69:52:f0:65:f5:08
Signer

.text
Size: 3.0MB - Virtual size: 3.0MB

.rdata
Size: 856KB - Virtual size: 855KB

.data
Size: 351KB - Virtual size: 2.4MB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 2.1MB - Virtual size: 2.1MB

.reloc
Size: 296KB - Virtual size: 295KB

.text
Size: 4.2MB - Virtual size: 4.2MB

.rdata
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 380KB - Virtual size: 2.4MB

.pdata
Size: 187KB - Virtual size: 187KB