15d28c0f6f0e47f1cb36fdeb3eba5d43_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

15d28c0f6f0e47f1cb36fdeb3eba5d43_JaffaCakes118
Size

797KB
MD5

15d28c0f6f0e47f1cb36fdeb3eba5d43
SHA1

f6bd61db9052c34c2ebee61fc9743afbc244c109
SHA256

bb3e659c7667027142a17dc6ef5604c54ed8146a1ec2dde6138133f629102779
SHA512

f900405bb19cb0494be5a477718bd59add816901027dd26f6962082e213ed4aafb1fcd14b6efda5c0990ae492551b133d1529347e47a738f603f2144775ae978
SSDEEP

24576:w2S1j9TWd7WKospoKRNiVt9YXy+mqZXptxfpdCk:w2CxspdRs+C+bxhf

Score

1^/10

Malware Config

Signatures

Files

15d28c0f6f0e47f1cb36fdeb3eba5d43_JaffaCakes118
.rar
7z.dll
.dll windows:4 windows x86 arch:x86

25bcc7010e8e7f0e059da50586853709

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01-08-1996 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06-08-2003 00:00

Not After

05-08-2013 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

20-10-2008 08:01

Not After

20-10-2010 08:01

Subject

CN=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,OU=Secure Application Development,O=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,L=ShenZhen,ST=GuangDong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

SysAllocString
VariantClear
VariantCopy
SysFreeString
SysAllocStringByteLen

user32

CharLowerW
CharUpperA
CharNextA
CharPrevExA
CharUpperW
CharLowerA

msvcrt

_adjust_fdiv
_initterm
?terminate@@YAXXZ
_onexit
__dllonexit
??1type_info@@UAE@XZ
_except_handler3
_beginthreadex
memset
strcmp
memcmp
_purecall
strlen
free
malloc
memmove
_CxxThrowException
memcpy
__CxxFrameHandler

kernel32

InitializeCriticalSection
ReleaseSemaphore
CreateSemaphoreA
ResetEvent
SetEvent
CreateEventA
WaitForSingleObject
VirtualFree
VirtualAlloc
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
FileTimeToLocalFileTime
DeleteCriticalSection
LocalFileTimeToFileTime
GetVersionExA
WaitForMultipleObjects
EnterCriticalSection
LeaveCriticalSection
FileTimeToDosDateTime
DosDateTimeToFileTime
GetModuleHandleA
GetProcAddress
GetSystemInfo
CompareFileTime
WriteFile
ReadFile
MultiByteToWideChar
WideCharToMultiByte
GetLastError
CloseHandle
SetFileAttributesA
DeleteFileA
GetTempPathA
GetTempFileNameA
CreateFileA

Exports

Exports

CreateObject
GetHandlerProperty
GetHandlerProperty2
GetMethodProperty
GetNumberOfFormats
GetNumberOfMethods
SetLargePageMode

Sections

.text
Size: 612KB - Virtual size: 611KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 91KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Cab.dll
.dll windows:4 windows x86 arch:x86

71bf7988e89a627ed7891b3ce81879e6

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01-08-1996 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06-08-2003 00:00

Not After

05-08-2013 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

20-10-2008 08:01

Not After

20-10-2010 08:01

Subject

CN=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,OU=Secure Application Development,O=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,L=ShenZhen,ST=GuangDong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\xiaobai\gui\dll\cab\release\Cab.pdb

Imports

shlwapi

PathFileExistsA
PathFileExistsW

shell32

SHCreateDirectoryExW
SHCreateDirectoryExA

user32

wsprintfW
SendMessageW

kernel32

SetEnvironmentVariableA
FlushFileBuffers
CompareStringA
CompareStringW
ReadFile
LCMapStringW
LCMapStringA
GetStringTypeW
FileTimeToDosDateTime
CreateFileA
GetFileSize
FindFirstFileW
WaitForSingleObject
GetFileAttributesA
GetModuleFileNameW
CreateFileW
FindFirstFileA
FindClose
FindNextFileA
FindNextFileW
CloseHandle
FileTimeToLocalFileTime
GetFileInformationByHandle
DeleteFileA
CreateThread
DosDateTimeToFileTime
SetFileTime
SetThreadPriority
GetLastError
SetFileAttributesA
DeleteFileW
LocalFileTimeToFileTime
CreateMutexW
ReleaseMutex
MoveFileExW
GetTickCount
WideCharToMultiByte
MultiByteToWideChar
RemoveDirectoryW
GetCurrentThreadId
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
SetFilePointer
OutputDebugStringW
WriteFile
lstrlenW
GetPrivateProfileIntW
GetWindowsDirectoryW
HeapFree
HeapAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetConsoleCP
GetConsoleMode
MoveFileW
GetLocalTime
GetCommandLineA
GetVersionExA
GetProcessHeap
RaiseException
RtlUnwind
GetStdHandle
GetModuleFileNameA
GetProcAddress
GetModuleHandleA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
Sleep
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
GetFileType
ExitProcess
SetHandleCount
GetStartupInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
LoadLibraryA
GetCPInfo
GetACP
GetOEMCP
GetLocaleInfoA
HeapSize
SetEndOfFile
GetStringTypeA

Exports

Exports

??0CCab@@QAE@ABV0@@Z
??0CCab@@QAE@XZ
??1CCab@@UAE@XZ
??4CCab@@QAEAAV0@ABV0@@Z
??_7CCab@@6B@
CabGetObject

Sections

.text
Size: 152KB - Virtual size: 150KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Data/reginit.dat
Data/新云软件.url
.url
Drivers/XiaobaiFsRForVista.inf
Drivers/XiaobaiFsRForVista.sys
.sys windows:6 windows x86 arch:x86

2d3f0f58945fdfb46f7ca48333aa684b

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01-08-1996 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06-08-2003 00:00

Not After

05-08-2013 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

20-10-2008 08:01

Not After

20-10-2010 08:01

Subject

CN=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,OU=Secure Application Development,O=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,L=ShenZhen,ST=GuangDong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

z:\xiaobai\sys\xiaobaifs\bin-vista-r\i386\XiaobaiFsRForVista.pdb

Imports

ntoskrnl.exe

memcpy
_wcsnicmp
InterlockedPopEntrySList
InterlockedPushEntrySList
ExDeleteNPagedLookasideList
ExFreePoolWithTag
ExInitializeNPagedLookasideList
ExAllocatePoolWithTag
RtlCopyUnicodeString
ObOpenObjectByPointer
PsLookupProcessByProcessId
MmGetSystemRoutineAddress
memset
ZwOpenProcess
IoFileObjectType
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
RtlPrefixUnicodeString
ZwQueryDirectoryFile
ProbeForRead
MmMapLockedPagesSpecifyCache
ExAllocatePool
KeTickCount
KeBugCheckEx
RtlUnwind
ZwCreateKey
ZwSetValueKey
IoRaiseInformationalHardError
KeDelayExecutionThread
PsSetCreateProcessNotifyRoutine
ObReferenceObjectByHandle
PsProcessType
ObfDereferenceObject
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetDaclSecurityDescriptor
RtlValidSecurityDescriptor
ZwOpenKey
ZwQueryValueKey
RtlInitUnicodeString
ZwClose
_vsnwprintf
ExDeleteResourceLite
RtlEqualUnicodeString
DbgPrint
ExAcquireResourceSharedLite
KeEnterCriticalRegion
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
KeLeaveCriticalRegion
ZwTerminateProcess
ExInitializeResourceLite

fltmgr.sys

FltSetInformationFile
FltCancelFileOpen
FltDoCompletionProcessingWhenSafe
FltLockUserBuffer
FltGetRequestorProcessId
FltSetCallbackDataDirty
FltIsDirectory
FltGetFileNameInformation
FltReleaseFileNameInformation
FltQueryInformationFile
FltQueryDirectoryFile
FltCreateFileEx2
FltCreateFile
FltClose
FltEnumerateVolumes
FltAttachVolume
FltObjectDereference
FltGetStreamContext
FltAllocateContext
FltSetStreamContext
FltDeleteContext
FltReleaseContext
FltGetStreamHandleContext
FltSetStreamHandleContext
FltGetVolumeName
FltRegisterFilter
FltCreateCommunicationPort
FltStartFiltering
FltCloseCommunicationPort
FltUnregisterFilter
FltCloseClientPort
FltBuildDefaultSecurityDescriptor
FltFreeSecurityDescriptor

Sections

.text
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Drivers/XiaobaiFsRForXp.inf
Drivers/XiaobaiFsRForXp.sys
.sys windows:6 windows x86 arch:x86

8d53e95f70c51a091dc5a49e9f3bbe28

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01-08-1996 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06-08-2003 00:00

Not After

05-08-2013 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

20-10-2008 08:01

Not After

20-10-2010 08:01

Subject

CN=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,OU=Secure Application Development,O=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,L=ShenZhen,ST=GuangDong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

z:\xiaobai\sys\xiaobaifs\bin-xp-r\i386\XiaobaiFsRForXp.pdb

Imports

ntoskrnl.exe

memset
memcpy
_wcsnicmp
InterlockedPopEntrySList
InterlockedPushEntrySList
ExDeleteNPagedLookasideList
ExFreePoolWithTag
ExInitializeNPagedLookasideList
ExAllocatePoolWithTag
RtlCopyUnicodeString
ObOpenObjectByPointer
PsLookupProcessByProcessId
ZwOpenProcess
IoFileObjectType
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
RtlPrefixUnicodeString
ZwQueryDirectoryFile
ProbeForRead
MmMapLockedPagesSpecifyCache
ExAllocatePool
KeTickCount
KeBugCheckEx
ZwCreateKey
ZwSetValueKey
IoRaiseInformationalHardError
KeDelayExecutionThread
PsSetCreateProcessNotifyRoutine
KeServiceDescriptorTable
ZwTerminateProcess
PsGetCurrentProcessId
ObReferenceObjectByHandle
PsProcessType
PsGetProcessId
ObfDereferenceObject
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetDaclSecurityDescriptor
RtlValidSecurityDescriptor
ZwOpenKey
ZwQueryValueKey
RtlInitUnicodeString
ZwOpenFile
ZwCreateSection
ZwMapViewOfSection
RtlInitString
RtlCompareString
ZwUnmapViewOfSection
ZwClose
_vsnwprintf
ExDeleteResourceLite
RtlEqualUnicodeString
DbgPrint
ExAcquireResourceSharedLite
KeEnterCriticalRegion
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
KeLeaveCriticalRegion
MmGetSystemRoutineAddress
ExInitializeResourceLite
RtlUnwind

fltmgr.sys

FltSetInformationFile
FltCancelFileOpen
FltDoCompletionProcessingWhenSafe
FltLockUserBuffer
FltGetRequestorProcessId
FltSetCallbackDataDirty
FltIsDirectory
FltGetFileNameInformation
FltReleaseFileNameInformation
FltQueryInformationFile
FltAllocateCallbackData
FltPerformSynchronousIo
FltFreeCallbackData
FltCreateFile
FltClose
FltEnumerateVolumes
FltAttachVolume
FltObjectDereference
FltGetStreamContext
FltAllocateContext
FltSetStreamContext
FltDeleteContext
FltReleaseContext
FltGetStreamHandleContext
FltSetStreamHandleContext
FltGetVolumeName
FltRegisterFilter
FltCreateCommunicationPort
FltStartFiltering
FltCloseCommunicationPort
FltUnregisterFilter
FltCloseClientPort
FltBuildDefaultSecurityDescriptor
FltFreeSecurityDescriptor

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Drivers/XiaobaiRegR.sys
.sys windows:6 windows x86 arch:x86

53f72d2b8803ea420dd33f3a4b2cc714

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01-08-1996 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06-08-2003 00:00

Not After

05-08-2013 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

20-10-2008 08:01

Not After

20-10-2010 08:01

Subject

CN=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,OU=Secure Application Development,O=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,L=ShenZhen,ST=GuangDong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

y:\unnoo.xiaobai\sys\xiaobairegr\objfre_wxp_x86\i386\XiaobaiRegR.pdb

Imports

ntoskrnl.exe

InterlockedPopEntrySList
InterlockedPushEntrySList
KeGetCurrentThread
strncmp
IoGetCurrentProcess
ObfDereferenceObject
PsLookupProcessByProcessId
ExAllocatePoolWithTag
memset
ExFreePoolWithTag
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
ExGetPreviousMode
memcpy
ObReferenceObjectByHandle
KeReleaseMutex
KeWaitForSingleObject
_wcsnicmp
ObQueryNameString
swprintf
wcschr
ProbeForRead
ProbeForWrite
PsGetCurrentProcessId
IoFreeIrp
KeSetEvent
IofCallDriver
IoAllocateIrp
KeInitializeEvent
RtlVolumeDeviceToDosName
IoGetLowerDeviceObject
IoGetRelatedDeviceObject
MmIsAddressValid
wcsstr
_wcsupr
ZwClose
ZwDeleteValueKey
ZwCreateKey
ZwSetValueKey
ZwDeleteKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwQueryKey
ZwOpenKey
PsSetCreateProcessNotifyRoutine
IofCompleteRequest
ExDeletePagedLookasideList
IoDeleteDevice
IoDeleteSymbolicLink
RtlInitUnicodeString
ExInitializePagedLookasideList
KeServiceDescriptorTable
KeInitializeMutex
IoCreateSymbolicLink
IoCreateDevice
KeTickCount
KeBugCheckEx
RtlUnwind

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 640B - Virtual size: 612B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 946B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DrvMgr.dll
.dll windows:4 windows x86 arch:x86

568e45da6782d541e10b6c947210b213

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01-08-1996 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06-08-2003 00:00

Not After

05-08-2013 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

20-10-2008 08:01

Not After

20-10-2010 08:01

Subject

CN=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,OU=Secure Application Development,O=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,L=ShenZhen,ST=GuangDong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\xiaobai\gui\dll\drvmgr\release\DrvMgr.pdb

Imports

setupapi

SetupTermDefaultQueueCallback
SetupCloseFileQueue
SetupInstallServicesFromInfSectionW
SetupQueueDeleteSectionW
SetupInitDefaultQueueCallback
SetupCommitFileQueueW
SetupOpenInfFileW
SetupOpenFileQueue
SetupCloseInfFile

advapi32

OpenSCManagerW
AdjustTokenPrivileges
LookupPrivilegeValueW
RegLoadKeyW
RegOpenKeyExW
RegCloseKey
CreateServiceW
CloseServiceHandle
DeleteService
OpenServiceW
StartServiceW
QueryServiceStatusEx
OpenProcessToken

user32

GetSystemMetrics
SendMessageW
wsprintfW

shlwapi

SHDeleteKeyW
PathFileExistsW

kernel32

FlushFileBuffers
GetStringTypeA
GetStringTypeW
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
lstrlenW
SetStdHandle
CreateFileA
GetConsoleMode
GetConsoleCP
HeapSize
GetLocaleInfoA
LoadLibraryA
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStartupInfoA
GetFileType
SetHandleCount
LCMapStringW
LCMapStringA
GetOEMCP
GetACP
GetCPInfo
GetSystemDirectoryW
CopyFileW
GetLastError
SetFileAttributesW
CreateFileW
DeviceIoControl
CloseHandle
GetWindowsDirectoryW
DeleteFileW
FreeLibrary
LoadLibraryW
GetProcAddress
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetFileSize
SetFilePointer
OutputDebugStringW
WriteFile
GetModuleFileNameW
GetPrivateProfileIntW
FindFirstFileW
WideCharToMultiByte
GetTempPathW
FindClose
HeapAlloc
GetCurrentProcess
HeapFree
GetModuleHandleW
GetTickCount
GetProcessHeap
Sleep
GetVersionExW
TerminateProcess
GetLocalTime
Process32FirstW
GetSystemInfo
Process32NextW
CreateToolhelp32Snapshot
GetCurrentThreadId
GetCurrentProcessId
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
MoveFileW
GetCommandLineA
GetVersionExA
RaiseException
RtlUnwind
GetStdHandle
GetModuleFileNameA
GetModuleHandleA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
ExitProcess
MultiByteToWideChar

Exports

Exports

??0CDriverManager@@QAE@ABV0@@Z
??0CDriverManager@@QAE@XZ
??1CDriverManager@@UAE@XZ
??4CDriverManager@@QAEAAV0@ABV0@@Z
??_7CDriverManager@@6B@
DMGetObject

Sections

.text
Size: 72KB - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Recorder.exe
.exe windows:4 windows x86 arch:x86

ae8c8f4d89c2dc6197f37c29c83adc54

Code Sign

01
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

01-08-1996 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06-08-2003 00:00

Not After

05-08-2013 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

20-10-2008 08:01

Not After

20-10-2010 08:01

Subject

CN=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,OU=Secure Application Development,O=ShenZhen DaChengTianXia Information Technology Co.\, Ltd.,L=ShenZhen,ST=GuangDong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Xiaobai\gui\bin\Recorder\Recorder.pdb

Imports

kernel32

VirtualAlloc
LCMapStringA
LCMapStringW
GetTimeZoneInformation
GetConsoleCP
GetConsoleMode
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
CreateFileA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEnvironmentVariableA
GetOEMCP
GetACP
GetCPInfo
GetSystemTimeAsFileTime
QueryPerformanceCounter
VirtualFree
HeapCreate
HeapDestroy
GetStartupInfoA
GetFileType
SetHandleCount
VirtualQuery
VirtualProtect
GetExitCodeThread
GetCommandLineW
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetModuleFileNameA
GetStdHandle
HeapSize
RaiseException
RtlUnwind
HeapReAlloc
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
SetFileTime
FileTimeToLocalFileTime
SetErrorMode
GetFullPathNameW
DuplicateHandle
SetEndOfFile
UnlockFile
LockFile
MoveFileW
WritePrivateProfileStringW
InterlockedIncrement
TlsFree
LocalReAlloc
TlsSetValue
TlsAlloc
GlobalHandle
GlobalReAlloc
TlsGetValue
FileTimeToSystemTime
GetThreadLocale
GlobalGetAtomNameW
GlobalFlags
GetModuleHandleA
SetThreadPriority
GetCurrentThread
ConvertDefaultLocale
GetVersion
EnumResourceLanguagesW
GetLocaleInfoW
CompareStringA
InterlockedExchange
lstrlenA
lstrcmpA
GlobalAddAtomW
GlobalFindAtomW
GlobalDeleteAtom
CompareStringW
LoadLibraryA
lstrcmpW
GetVersionExA
GlobalAlloc
GlobalFree
FreeResource
SetLastError
MultiByteToWideChar
lstrcmpiW
WinExec
lstrcatW
MulDiv
lstrcpyW
LoadLibraryExW
EnumResourceNamesW
GetPrivateProfileIntW
lstrcpynW
SetFilePointer
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
LocalAlloc
FlushFileBuffers
GlobalUnlock
lstrlenW
FormatMessageW
GlobalLock
InterlockedDecrement
LocalFree
GetCurrentThreadId
GetFileTime
GetSystemInfo
GetProcAddress
GetFileAttributesW
LoadLibraryW
GetProcessHeap
GetTickCount
GetModuleHandleW
HeapFree
HeapAlloc
FreeLibrary
GetVolumeInformationW
GetCurrentProcessId
GetVersionExW
RemoveDirectoryW
GetTempPathW
CopyFileW
WideCharToMultiByte
CreateDirectoryW
GetModuleFileNameW
OutputDebugStringW
CreateThread
SetFileAttributesW
ResumeThread
DeleteFileW
GetWindowsDirectoryW
FindNextFileW
FindClose
GetLastError
Sleep
GetSystemDirectoryW
WriteFile
MoveFileExW
CreateProcessW
FindFirstFileW
GetFileSize
ExitProcess
CloseHandle
ReleaseMutex
CreateFileW
ReadFile
WaitForSingleObject
CreateMutexW
GetLocalTime
SystemTimeToFileTime
LockResource
TerminateProcess
SizeofResource
GetCurrentProcess
LoadResource
SetStdHandle
FindResourceW

user32

DestroyMenu
GetMenuItemInfoW
InflateRect
GetSysColorBrush
ReleaseCapture
SetCapture
DrawIcon
EndPaint
BeginPaint
GetWindowDC
GrayStringW
DrawTextExW
DrawTextW
TabbedTextOutW
InvalidateRect
GetMessageW
TranslateMessage
ValidateRect
ShowOwnedPopups
PostQuitMessage
MoveWindow
SetWindowTextW
IsDialogMessageW
SetDlgItemTextW
RegisterWindowMessageW
SendDlgItemMessageW
SendDlgItemMessageA
WinHelpW
IsChild
GetCapture
SetWindowsHookExW
CallNextHookEx
GetClassLongW
DestroyIcon
EnableWindow
SendMessageW
MessageBoxW
ShowWindow
LoadIconW
SetPropW
GetPropW
RemovePropW
CharUpperW
GetWindowTextLengthW
GetForegroundWindow
GetLastActivePopup
DispatchMessageW
BeginDeferWindowPos
EndDeferWindowPos
GetTopWindow
UnhookWindowsHookEx
GetMessageTime
GetMessagePos
PeekMessageW
MapWindowPoints
ScrollWindow
TrackPopupMenu
GetKeyState
SetScrollRange
GetScrollRange
SetScrollPos
GetScrollPos
ShowScrollBar
IsWindowVisible
UpdateWindow
GetMenu
CreateWindowExW
GetClassInfoExW
RegisterClassW
AdjustWindowRectEx
DeferWindowPos
GetScrollInfo
SetScrollInfo
GetDlgCtrlID
CallWindowProcW
SetWindowLongW
SetWindowPos
RegisterClassExW
SystemParametersInfoA
IsIconic
GetWindowPlacement
GetWindow
AppendMenuW
InsertMenuW
GetSubMenu
UnregisterClassW
TranslateAcceleratorW
SetMenu
BringWindowToTop
CreatePopupMenu
InsertMenuItemW
LoadAcceleratorsW
LoadMenuW
ReuseDDElParam
UnpackDDElParam
GetSystemMenu
ClipCursor
DrawFrameControl
DrawIconEx
GetDesktopWindow
GetActiveWindow
SetActiveWindow
CreateDialogIndirectParamW
DestroyWindow
GetDlgItem
SetMenuItemInfoW
DrawStateW
IsMenu
CallWindowProcA
IsClipboardFormatAvailable
HideCaret
SetFocus
GetAsyncKeyState
SetForegroundWindow
KillTimer
PostMessageW
FrameRect
GetWindowRect
SetTimer
PostThreadMessageW
GetNextDlgGroupItem
RegisterClipboardFormatW
SetWindowContextHelpId
MapDialogRect
CharNextW
InvalidateRgn
CopyAcceleratorTableW
MessageBeep
RedrawWindow
TranslateMDISysAccel
DrawMenuBar
DefMDIChildProcW
DefFrameProcW
UnregisterClassA
GetWindowThreadProcessId
GetSystemMetrics
wsprintfW
FindWindowW
ReleaseDC
CopyIcon
GetNextDlgTabItem
EndDialog
GetClientRect
SetMenuItemBitmaps
GetMenuCheckMarkDimensions
LoadBitmapW
GetFocus
ModifyMenuW
EnableMenuItem
CheckMenuItem
ClientToScreen
SetWindowRgn
ScreenToClient
GetMenuItemID
GetParent
IsWindowEnabled
WindowFromPoint
SetRectEmpty
PtInRect
GetClassInfoW
ChildWindowFromPoint
OffsetRect
GetMenuItemRect
SetRect
GetWindowLongW
GetWindowTextW
GetClassNameW
GetMenuState
GetCursorPos
GetMenuItemCount
IsWindow
EqualRect
DefWindowProcW
CopyRect
IsRectEmpty
SetCursor
LoadImageW
LoadCursorW
SystemParametersInfoW
DestroyCursor
GetSysColor
UpdateLayeredWindow
IntersectRect
GetDC
GetIconInfo
CreateIconIndirect
FillRect

gdi32

GetMapMode
SetRectRgn
Ellipse
LPtoDP
DPtoLP
CreateEllipticRgn
GetStockObject
CreatePatternBrush
ExtSelectClipRgn
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
Escape
ExtTextOutW
RectVisible
PtVisible
GetPixel
GetWindowExtEx
GetViewportExtEx
SetMapMode
GetBitmapBits
GetTextExtentPointW
GetCurrentObject
SetPixel
GetTextColor
SetROP2
RestoreDC
SaveDC
CreateFontW
GetBkColor
GetClipBox
CreateCompatibleDC
SelectObject
DeleteObject
CreateDIBSection
DeleteDC
BitBlt
CreateSolidBrush
CreatePen
GetObjectW
CreateCompatibleBitmap
CreateBitmap
StretchBlt
SetTextColor
LineTo
MoveToEx
TextOutW
SetTextJustification
SetBkMode
SetBkColor
GetDeviceCaps
CreateFontIndirectW
GetTextMetricsW
GetTextExtentPoint32W
CreateRectRgn
CreateRoundRectRgn
FillRgn
OffsetRgn
CombineRgn
SelectClipRgn
FrameRgn
ExcludeClipRect
Rectangle
GetRgnBox
CreatePolygonRgn
CreateRectRgnIndirect
PatBlt

msimg32

GradientFill

comdlg32

GetFileTitleW

winspool.drv

OpenPrinterW
DocumentPropertiesW
ClosePrinter

advapi32

RegEnumKeyW
RegOpenKeyW
RegQueryValueW
GetUserNameW
RegSetValueExW
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegQueryValueExW
RegCreateKeyExW
QueryServiceStatusEx
OpenServiceW
OpenSCManagerW
DeleteService
CloseServiceHandle

shell32

SHBrowseForFolderW
SHChangeNotify
SHGetMalloc
DragAcceptFiles
SHGetPathFromIDListW
DragQueryFileW
DragFinish
SHGetFileInfoW
SHGetSpecialFolderPathW
ShellExecuteW
SHFileOperationW
SHCreateDirectoryExW

comctl32

ImageList_GetImageCount
ImageList_GetIcon
ord17

shlwapi

StrStrIW
PathFileExistsW
PathFindExtensionW
PathFindFileNameW
PathStripToRootW
SHDeleteKeyW
PathIsUNCW

ole32

CoDisconnectObject
CLSIDFromString
OleInitialize
CoTaskMemAlloc
CoTaskMemFree
OleRun
GetHGlobalFromStream
CreateStreamOnHGlobal
CoCreateGuid
CoInitialize
CoUninitialize
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
OleIsCurrentClipboard
OleFlushClipboard
CoGetClassObject
StgOpenStorageOnILockBytes
CLSIDFromProgID
OleUninitialize
CoFreeUnusedLibraries
CoRevokeClassObject
CoRegisterMessageFilter
CoCreateInstance

oleaut32

SysAllocString
VariantClear
VariantCopy
VariantInit
SysFreeString
SafeArrayGetUBound
VariantChangeType
SysStringLen
SysAllocStringLen
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetElemsize
SafeArrayGetDim
SafeArrayCreate
SafeArrayDestroy
VariantTimeToSystemTime
SystemTimeToVariantTime
GetErrorInfo
OleCreateFontIndirect
LoadTypeLi

drvmgr

DMGetObject

cab

CabGetObject

gdiplus

GdipCreateBitmapFromScan0
GdipDisposeImageAttributes
GdipAlloc
GdipDisposeImage
GdipCreateBitmapFromHICON
GdipCloneImage
GdipGetImageWidth
GdiplusStartup
GdipSetImageAttributesColorMatrix
GdipFree
GdipLoadImageFromStream
GdipCreateImageAttributes
GdipGetImageHeight
GdipDeleteGraphics
GdipCreateFromHDC
GdiplusShutdown
GdipDrawImageRectI
GdipDrawImageRectRectI

oledlg

OleUIBusyW

Exports

Exports

??0CXB7z@_7zInterface@@QAE@ABV01@@Z
??0CXB7z@_7zInterface@@QAE@XZ
??1CXB7z@_7zInterface@@UAE@XZ
??4CXB7z@_7zInterface@@QAEAAV01@ABV01@@Z
??_7CXB7z@_7zInterface@@6B@
?_7zGetObject@_7zInterface@@YAPAVCXB7z@1@PA_W@Z

Sections

.text
Size: 620KB - Virtual size: 618KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 160KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 72KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Skins/Default/Recorder/Background.png
.png
Skins/Default/Recorder/Button.png
.png
Skins/Default/Recorder/CheckBox.png
.png
Skins/Default/Recorder/EditBox.png
.png
Skins/Default/Recorder/Main/CloseBtn.png
.png
Skins/Default/Recorder/Main/MinimizeBtn.png
.png
Skins/Default/Recorder/Main/config.xml
.xml
Skins/Default/Recorder/Recorder.png
.png
Skins/Default/Recorder/ResInfo/Add.png
.png
Skins/Default/Recorder/ResInfo/Delete.png
.png
Skins/Default/Recorder/ResInfo/MoveDown.png
.png
Skins/Default/Recorder/ResInfo/MoveUp.png
.png
Skins/Default/Recorder/ResInfo/SpeedBtn.png
.png
Skins/Default/Recorder/ResInfo/config.xml
.xml
Skins/Default/Recorder/SysButton.png
.png

Sharing

General

Malware Config

Signatures

Files

25bcc7010e8e7f0e059da50586853709

Code Sign

01Certificate

0aCertificate

Extended Key Usages

Key Usages

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72Certificate

Extended Key Usages

Signer

Headers

File Characteristics

Imports

oleaut32

user32

msvcrt

kernel32

Exports

Exports

Sections

.text Size: 612KB - Virtual size: 611KB

.rdata Size: 78KB - Virtual size: 78KB

.data Size: 23KB - Virtual size: 45KB

.sxdata Size: 512B - Virtual size: 4B

.rsrc Size: 91KB - Virtual size: 91KB

.reloc Size: 31KB - Virtual size: 31KB

71bf7988e89a627ed7891b3ce81879e6

Code Sign

01Certificate

0aCertificate

Extended Key Usages

Key Usages

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72Certificate

Extended Key Usages

Signer

Headers

File Characteristics

PDB Paths

Imports

shlwapi

shell32

user32

kernel32

Exports

Exports

Sections

.text Size: 152KB - Virtual size: 150KB

.rdata Size: 28KB - Virtual size: 24KB

.data Size: 8KB - Virtual size: 22KB

.rsrc Size: 4KB - Virtual size: 960B

.reloc Size: 12KB - Virtual size: 9KB

2d3f0f58945fdfb46f7ca48333aa684b

Code Sign

01Certificate

0aCertificate

Extended Key Usages

Key Usages

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72Certificate

01
Certificate

0a
Certificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

.text
Size: 612KB - Virtual size: 611KB

.rdata
Size: 78KB - Virtual size: 78KB

.data
Size: 23KB - Virtual size: 45KB

.sxdata
Size: 512B - Virtual size: 4B

.rsrc
Size: 91KB - Virtual size: 91KB

.reloc
Size: 31KB - Virtual size: 31KB

01
Certificate

0a
Certificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

.text
Size: 152KB - Virtual size: 150KB

.rdata
Size: 28KB - Virtual size: 24KB

.data
Size: 8KB - Virtual size: 22KB

.rsrc
Size: 4KB - Virtual size: 960B

.reloc
Size: 12KB - Virtual size: 9KB

01
Certificate

0a
Certificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

.text
Size: 22KB - Virtual size: 22KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 4KB

PAGE
Size: 6KB - Virtual size: 5KB

INIT
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 5KB - Virtual size: 5KB

01
Certificate

0a
Certificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

.text
Size: 23KB - Virtual size: 23KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 4KB

PAGE
Size: 5KB - Virtual size: 5KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 5KB - Virtual size: 5KB

01
Certificate

0a
Certificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

2c:fb:c2:fa:fd:4d:b3:60:fd:52:ce:64:fe:f4:57:72
Certificate

.text
Size: 12KB - Virtual size: 12KB

.rdata
Size: 640B - Virtual size: 612B

.data
Size: 4KB - Virtual size: 4KB

INIT
Size: 1KB - Virtual size: 1KB