386a071c05945668b7f4fb5ed4b12b25d0277fb9202981225db6fed6e4996042

Sharing

Copy URL Twitter E-mail

General

Target

386a071c05945668b7f4fb5ed4b12b25d0277fb9202981225db6fed6e4996042
Size

9.2MB
MD5

ecb31ee3e9cc97223a2ac9f1dd08d19f
SHA1

31e46cd670232158edd5ee729c69a5a35b3f21a1
SHA256

386a071c05945668b7f4fb5ed4b12b25d0277fb9202981225db6fed6e4996042
SHA512

0e2fa410d4773add6db4cbf9569984bc6334a893b08b4780b83ea149a0c913d43f7cc1ce009a59e9cb1a354adc114d7db5fc92c9d9c130daed0ac001b8abb8ae
SSDEEP

196608:X6he8xjtQ61wszpgC3xg9QJNpa8EiQc9kU+69K1BcX4Fp/gWvu3yEXAT6zn:H8xh31F+C37Ng8PHr+68B84XgWvEZXcg

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
386a071c05945668b7f4fb5ed4b12b25d0277fb9202981225db6fed6e4996042

Files

386a071c05945668b7f4fb5ed4b12b25d0277fb9202981225db6fed6e4996042
.dll windows:5 windows x86 arch:x86

56be97775b4e61215f937ed20fc0f53d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

E:\_KingSEMIDevelop\01 KingExGem\IDE_VisualStudio\Eq\2.0.1.11\04产品代码\KingExGemV C\Release\KingExGem_C_X86.pdb

Imports

msvcp100

?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PAD_J@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??Bid@locale@std@@QAEIXZ
?_Incref@facet@locale@std@@QAEXXZ
?_Decref@facet@locale@std@@QAEPAV123@XZ
?always_noconv@codecvt_base@std@@QBE_NXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
?in@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?unshift@?$codecvt@DDH@std@@QBEHAAHPAD1AAPAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?_Getcat@?$codecvt@DDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
??_7?$basic_istream@DU?$char_traits@D@std@@@std@@6B@
?id@?$codecvt@DDH@std@@2V0locale@2@A
?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
?_Xfunc@tr1@std@@YAXXZ
?_BADOFF@std@@3_JB
??1_Container_base12@std@@QAE@XZ
?_Orphan_all@_Container_base0@std@@QAEXXZ
?_Swap_all@_Container_base0@std@@QAEXAAU12@@Z
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
?out@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z

mfc100u

ord4290
ord2062
ord2823
ord421
ord10960
ord5231
ord11333
ord13398
ord2528
ord2057
ord6036
ord979
ord280
ord286
ord290
ord902
ord4331
ord2068
ord13415
ord11353
ord13396
ord11330
ord2614
ord7618
ord1312
ord1310
ord296
ord11494
ord4519
ord13208
ord1298
ord266
ord1300
ord4512
ord7524
ord11801
ord11683
ord2064

msvcr100

__clean_type_info_names_internal
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_except_handler4_common
_crt_debugger_hook
__CppXcptFilter
_amsg_exit
_initterm_e
_initterm
_encoded_null
_malloc_crt
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__CxxFrameHandler3
strcspn
strrchr
_beginthreadex
_endthreadex
_msize
_stat64i32
fopen
strncpy
isalnum
_snprintf
__iob_func
rewind
_time64
_gmtime64_s
fgets
_wtoi
feof
wcsftime
_recalloc
_CIpow
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@ABV01@@Z
memmove
isspace
memchr
sprintf_s
_atoi64
free
_strtoui64
malloc
atoi
atol
realloc
strtoul
atof
fputc
??1bad_cast@std@@UAE@XZ
??0bad_cast@std@@QAE@PBD@Z
??0bad_cast@std@@QAE@ABV01@@Z
_localtime64_s
calloc
fseek
ftell
fread
tolower
strchr
strncmp
sprintf
_purecall
strlen
strcat
strcpy
memset
memcpy
memcmp
strcmp
abort
wcsncpy
_wcsdup
wcslen
_snwprintf
_wcsnicmp
pow
floor
fabs
qsort
toupper
_mktime64
_stricmp
_strlwr
_findfirst64i32
_findclose
_findnext64i32
fclose
fwrite
memcpy_s
fprintf
_lock_file
setvbuf
fsetpos
vsprintf_s
fopen_s
fgetc
fflush
_fseeki64
fgetpos
ungetc
_unlock_file
_CxxThrowException

kernel32

GetProcAddress
GetEnvironmentVariableA
LoadLibraryW
GetCurrentProcess
SetConsoleTextAttribute
FreeLibrary
FindFirstFileW
DeleteFileW
CopyFileW
GetModuleHandleW
lstrlenA
GetSystemTime
SystemTimeToTzSpecificLocalTime
CreateThread
WaitForSingleObject
GetLocalTime
GetFileAttributesA
CreateDirectoryW
SystemTimeToFileTime
CloseHandle
GetSystemInfo
CreateFileMappingW
GetLastError
CreateFileW
UnmapViewOfFile
MapViewOfFile
GetFileSize
Sleep
lstrlenW
MultiByteToWideChar
FindClose
WideCharToMultiByte
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
CreateFileA
CreateMutexW
HeapCompact
SetFilePointer
TryEnterCriticalSection
SetEndOfFile
HeapAlloc
QueryPerformanceCounter
HeapFree
InterlockedCompareExchange
UnlockFile
FlushViewOfFile
LockFile
WaitForSingleObjectEx
OutputDebugStringW
GetTickCount
UnlockFileEx
GetProcessHeap
GetSystemTimeAsFileTime
FormatMessageA
WriteFile
FormatMessageW
GetVersionExW
HeapDestroy
HeapCreate
HeapValidate
GetConsoleScreenBufferInfo
SetConsoleCtrlHandler
GetCurrentProcessId
GetFullPathNameW
GetFullPathNameA
GetModuleFileNameW
IsProcessorFeaturePresent
CheckRemoteDebuggerPresent
FindFirstFileA
SearchPathA
GetSystemDirectoryA
IsBadReadPtr
ProcessIdToSessionId
GetComputerNameA
GetModuleFileNameA
GetModuleHandleA
QueryPerformanceFrequency
GetNumberOfConsoleInputEvents
ReadConsoleInputW
FillConsoleOutputCharacterW
FillConsoleOutputAttribute
SetConsoleCursorPosition
WriteConsoleW
WriteConsoleInputW
ReadConsoleA
ReleaseSemaphore
CreateSemaphoreA
SetEvent
CancelIo
UnregisterWaitEx
GetExitCodeProcess
DuplicateHandle
SetHandleInformation
PeekNamedPipe
CreateEventA
RegisterWaitForSingleObject
ConnectNamedPipe
WaitNamedPipeW
SwitchToThread
LocalAlloc
CreateNamedPipeW
UnregisterWait
SetNamedPipeHandleState
QueueUserWorkItem
SetLastError
GetLongPathNameW
GetCurrentDirectoryW
ReadDirectoryChangesW
GetQueuedCompletionStatus
CreateIoCompletionPort
SetErrorMode
PostQueuedCompletionStatus
InterlockedDecrement
InterlockedIncrement
GetFileAttributesW
ReadFile
FlushFileBuffers
GetTempPathW
HeapSize
LockFileEx
GetDiskFreeSpaceW
LoadLibraryA
CreateFileMappingA
GetDiskFreeSpaceA
DisableThreadLibraryCalls
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
InterlockedExchange
DecodePointer
EncodePointer
CloseThreadpool
SubmitThreadpoolWork
WaitForThreadpoolWorkCallbacks
SetThreadpoolThreadMinimum
SetThreadpoolThreadMaximum
CreateThreadpool
CreateThreadpoolWork
CloseThreadpoolWork
DeleteFileA
AreFileApisANSI
LocalFree
GetTempPathA
GetVersionExA
OutputDebugStringA
GetCurrentThreadId
GetFileAttributesExW
HeapReAlloc

oleaut32

SystemTimeToVariantTime
VarUdateFromDate
VariantTimeToSystemTime

ws2_32

closesocket
socket
bind
recv
WSACleanup
htons
WSAGetLastError
select
inet_addr
WSAStartup
connect
ioctlsocket
WSASetLastError
accept
WSARecvFrom
WSADuplicateSocketW
WSASend
WSARecv
shutdown
setsockopt
WSAIoctl
WSASocketW
FreeAddrInfoW
listen
getsockopt
send

kingexlog_cplus_x86

?MakeLogEx@KingExLog@@QAEJPAEKEV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV23@PAUcSecson@@K@Z
?MakeLog@KingExLog@@QAEJPAEKEV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAUcSecson@@K@Z
?LogClose@KingExLog@@QAEJXZ
?LogStop@KingExLog@@QAEJXZ
?LogStart@KingExLog@@QAEJXZ
?LogInitialize@KingExLog@@QAEJAAULogParameter@@@Z
??1KingExLog@@QAE@XZ
??0KingExLog@@QAE@XZ
?SetLogPath@KingExLog@@QAE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor

shlwapi

PathRemoveFileSpecA

iphlpapi

GetAdaptersInfo

rpcrt4

UuidFromStringA

Exports

Exports

_GEMClose@4
_GEMCloseObject@4
_GEMCreate@0
_GEMDelete@4
_GEMDeleteString@4
_GEMGetAlarmEnableState@16
_GEMGetAlarmInfo@24
_GEMGetAllAlarmInfo@4
_GEMGetAllDVInfo@4
_GEMGetAllEcvInfo@4
_GEMGetAllEnabledAlarm@4
_GEMGetAllEnabledEvent@4
_GEMGetAllEventInfo@4
_GEMGetAllReportInfo@4
_GEMGetAllSVInfo@4
_GEMGetAsciiItem2@8
_GEMGetAsciiItem@16
_GEMGetBinaryItem@16
_GEMGetBoolItem@16
_GEMGetDVInfo@36
_GEMGetEcvInfo@40
_GEMGetEventEnableState@16
_GEMGetEventInfo@32
_GEMGetFloat4Item@16
_GEMGetFloat8Item@16
_GEMGetFmtVariable@16
_GEMGetInt1Item@16
_GEMGetInt2Item@16
_GEMGetInt4Item@16
_GEMGetInt8Item@16
_GEMGetItemToString@8
_GEMGetJis8Item@16
_GEMGetListItem@8
_GEMGetParam@12
_GEMGetReportInfo@24
_GEMGetSVInfo@36
_GEMGetUint1Item@16
_GEMGetUint2Item@16
_GEMGetUint4Item@16
_GEMGetUint8Item@16
_GEMGetVariable2@20
_GEMGetVariable@16
_GEMInitialize@8
_GEMLoadSecsMsg@24
_GEMMakeObject@4
_GEMReqDateTime@4
_GEMReqLoopDiagnostic@12
_GEMReqOnlineTest@4
_GEMReqPP@8
_GEMReqPPFmt@8
_GEMReqPPFmtSend@32
_GEMReqPPLoadInquire@12
_GEMReqPPSend@16
_GEMReqPPSendEx@8
_GEMReqPPVerification@24
_GEMReqPPVerificationInquire@8
_GEMReqTerminalMessageSend@12
_GEMRspDateTime@12
_GEMRspDateTimeSend@12
_GEMRspEcvChange@12
_GEMRspEcvChangeEx@12
_GEMRspEnhancedRemoteCommand@24
_GEMRspMultiTerminalMessageSend@12
_GEMRspOffline@12
_GEMRspOnline@12
_GEMRspPP@20
_GEMRspPPDelete@12
_GEMRspPPEx@12
_GEMRspPPFmt@36
_GEMRspPPFmtSend@12
_GEMRspPPList@16
_GEMRspPPLoadInquire@12
_GEMRspPPSend@12
_GEMRspRemoteCommand@24
_GEMRspSimpleRemoteCommand@12
_GEMRspTerminalMessageSend@12
_GEMSendSecsMessage@20
_GEMSetAlarm@12
_GEMSetAlarmEnableState@16
_GEMSetAlarmEx@12
_GEMSetAlarmReportEnabled@8
_GEMSetAsciiItem@12
_GEMSetBinaryItem@12
_GEMSetBoolItem@12
_GEMSetConnectionEnable@8
_GEMSetControlState@8
_GEMSetEcvValue@16
_GEMSetEvent@8
_GEMSetEventEnableState@16
_GEMSetFloat4Item@12
_GEMSetFloat8Item@12
_GEMSetFmtVariable@12
_GEMSetInt1Item@12
_GEMSetInt2Item@12
_GEMSetInt4Item@12
_GEMSetInt8Item@12
_GEMSetJis8Item@12
_GEMSetListItem@8
_GEMSetPPChanged@12
_GEMSetPPSelected@8
_GEMSetParam@12
_GEMSetProcessingCommand@8
_GEMSetUint1Item@12
_GEMSetUint2Item@12
_GEMSetUint4Item@12
_GEMSetUint8Item@12
_GEMSetVariable2@20
_GEMSetVariable@16
_GEMStart@4
_GEMStop@4
_GEMUsingStringSetItem@12
_GemSetLogEnable@8
_RegistOnGEMAlarmEnableStateChanged@8
_RegistOnGEMCommStateChanged@8
_RegistOnGEMControlStateChanged@8
_RegistOnGEMECVChanged@8
_RegistOnGEMErrorEvent@8
_RegistOnGEMErrorMessage@8
_RegistOnGEMEvent@8
_RegistOnGEMEventEnableStateChanged@8
_RegistOnGEMEventSend@8
_RegistOnGEMLogMessage@8
_RegistOnGEMMessage@8
_RegistOnGEMProcessingStateChanged@8
_RegistOnGEMRemoteEvent@8
_RegistOnGEMReqChangeECV@8
_RegistOnGEMReqDateTime@8
_RegistOnGEMReqDateTimeSend@8
_RegistOnGEMReqEnhancedRemoteCommand@8
_RegistOnGEMReqOffline@8
_RegistOnGEMReqOnline@8
_RegistOnGEMReqPP@8
_RegistOnGEMReqPPDelete@8
_RegistOnGEMReqPPEx@8
_RegistOnGEMReqPPFmt@8
_RegistOnGEMReqPPFmtSend@8
_RegistOnGEMReqPPList@8
_RegistOnGEMReqPPLoadInquire@8
_RegistOnGEMReqPPSend@8
_RegistOnGEMReqPPSendEx@8
_RegistOnGEMReqRemoteCommand@8
_RegistOnGEMReqSimpleRemoteCommand@8
_RegistOnGEMRspAllAlarmInfo@8
_RegistOnGEMRspAllDvInfo@8
_RegistOnGEMRspAllEcvInfo@8
_RegistOnGEMRspAllEnabledAlarm@8
_RegistOnGEMRspAllEnabledEvent@8
_RegistOnGEMRspAllEventInfo@8
_RegistOnGEMRspAllReportInfo@8
_RegistOnGEMRspAllSvInfo@8
_RegistOnGEMRspDateTime@8
_RegistOnGEMRspLoopback@8
_RegistOnGEMRspPP@8
_RegistOnGEMRspPPEx@8
_RegistOnGEMRspPPFmt@8
_RegistOnGEMRspPPFmtSend@8
_RegistOnGEMRspPPLoadInquire@8
_RegistOnGEMRspPPSend@8
_RegistOnGEMRspPPSendEx@8
_RegistOnGEMRspPPVerification@8
_RegistOnGEMRspPPVerificationInquire@8
_RegistOnGEMSecondaryMsgReceived@8
_RegistOnGEMStateEvent@8
_RegistOnGEMTerminalMessage@8
_RegistOnGEMTerminalMultiMessage@8

Sections

.text
Size: 8.5MB - Virtual size: 8.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 481KB - Virtual size: 480KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 33KB - Virtual size: 170KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mark
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.encode
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 243KB - Virtual size: 243KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

56be97775b4e61215f937ed20fc0f53d

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp100

mfc100u

msvcr100

kernel32

oleaut32

ws2_32

kingexlog_cplus_x86

advapi32

shlwapi

iphlpapi

rpcrt4

Exports

Exports

Sections

.text Size: 8.5MB - Virtual size: 8.5MB

.rdata Size: 481KB - Virtual size: 480KB

.data Size: 33KB - Virtual size: 170KB

.mark Size: 512B - Virtual size: 448B

.encode Size: 2KB - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 243KB - Virtual size: 243KB

.text
Size: 8.5MB - Virtual size: 8.5MB

.rdata
Size: 481KB - Virtual size: 480KB

.data
Size: 33KB - Virtual size: 170KB

.mark
Size: 512B - Virtual size: 448B

.encode
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 243KB - Virtual size: 243KB