3d5dc2f7bf36afb1c92464a8e4df503a_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

3d5dc2f7bf36afb1c92464a8e4df503a_JaffaCakes118
Size

1.8MB
MD5

3d5dc2f7bf36afb1c92464a8e4df503a
SHA1

402256b1e42e21423e80e4a5319e56a1ab329349
SHA256

b190b23b937022ec925b163b55c8302d47c8e69846c5fd342f94fbdca09e21aa
SHA512

8e26c51fe0eea8df1cc57bc55d67d7ec7cb9c67b974ffbc4d46d4afe021e92951d74e2fd264c74c39a94e8e929e15189badda7ce84e817df70c34e2c56375307
SSDEEP

49152:s3tqz3ZS52akHkKmsBYpXP2ti1YvYga1bsgjtUM/WhX:s9w3ZS5+HkK5BYR8iXga1pZUMIX

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
3d5dc2f7bf36afb1c92464a8e4df503a_JaffaCakes118
unpack001/$PLUGINSDIR/InstallOptions.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

3d5dc2f7bf36afb1c92464a8e4df503a_JaffaCakes118
.exe windows:4 windows x86 arch:x86

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 48KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryA
GetCurrentDirectoryA
MultiByteToWideChar
GetPrivateProfileIntA
GlobalLock
GetModuleHandleA
lstrcmpiA
GetPrivateProfileStringA
lstrcatA
lstrcpynA
WritePrivateProfileStringA
lstrlenA
lstrcpyA
GlobalFree
GlobalUnlock
GlobalAlloc

user32

MapWindowPoints
GetDlgCtrlID
CloseClipboard
GetClipboardData
OpenClipboard
PtInRect
SetWindowRgn
LoadIconA
LoadImageA
SetWindowLongA
CreateWindowExA
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamA
ShowWindow
EnableMenuItem
GetSystemMenu
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageA
TranslateMessage
GetMessageA
IsDialogMessageA
LoadCursorA
SetCursor
DrawTextA
GetWindowLongA
DrawFocusRect
CallWindowProcA
PostMessageA
MessageBoxA
CharNextA
wsprintfA
GetWindowTextA
SetWindowTextA
SendMessageA
GetClientRect

gdi32

SetTextColor
CreateCompatibleDC
GetObjectA
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
SelectObject

shell32

SHBrowseForFolderA
SHGetDesktopFolder
SHGetPathFromIDListA
ShellExecuteA

comdlg32

GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/option_big.ini
$PLUGINSDIR/option_cn.ini
$PLUGINSDIR/option_en.ini
$R0
.dll regsvr32 windows:4 windows x86 arch:x86

dcabbf47e96f109aebbc0c273964a214

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3f
Signer

Actual PE Digest

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapCreate
lstrlenW
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
GetVersionExA
LoadLibraryExA
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
HeapDestroy
GetProcAddress
LoadLibraryA
lstrcpyA
lstrcatA
DebugBreak
HeapReAlloc
HeapFree
GetSystemInfo
HeapAlloc
InterlockedDecrement
EnterCriticalSection
InterlockedIncrement
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetLastError
DisableThreadLibraryCalls

user32

CharNextA

advapi32

RegQueryInfoKeyA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegDeleteValueA
RegCreateKeyExA
RegDeleteKeyA
RegEnumValueA
RegSetValueExA

ole32

CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoCreateInstance

oleaut32

SysFreeString
SysStringLen
LoadRegTypeLi
RegisterTypeLi
LoadTypeLi
SysAllocString
VarUI4FromStr

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 713B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/modules/Shell.exe
.exe windows:4 windows x86 arch:x86

3dc0af63f4ebd16eb0df7f76d2fc2fab

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

7a:0e:70:d7:6e:3a:50:1d:0d:4c:6c:6b:5d:48:4f:91:7c:69:22:51
Signer

Actual PE Digest

7a:0e:70:d7:6e:3a:50:1d:0d:4c:6c:6b:5d:48:4f:91:7c:69:22:51

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WritePrivateProfileStringA
lstrlenA
GetSystemDefaultLangID
FreeLibrary
GetProcAddress
LoadLibraryA
Process32Next
TerminateProcess
OpenProcess
CloseHandle
Process32First
CreateToolhelp32Snapshot
CreateDirectoryA
LocalFree
InterlockedDecrement
DebugBreak
GetLastError
GetPrivateProfileIntA
Sleep
WinExec
ReadFile
SetStdHandle
FlushFileBuffers
InterlockedIncrement
FindFirstFileA
SetFileAttributesA
DeleteFileA
FindNextFileA
FindClose
RemoveDirectoryA
GetModuleFileNameA
GetPrivateProfileStringA
OutputDebugStringA
ExpandEnvironmentStringsA
VirtualAlloc
LCMapStringW
RaiseException
LCMapStringA
IsBadCodePtr
IsBadWritePtr
IsBadReadPtr
SetUnhandledExceptionFilter
SetFilePointer
WriteFile
RtlUnwind
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
GetCPInfo
GetACP
GetOEMCP
HeapFree
HeapAlloc
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
HeapReAlloc
GetCurrentProcess
HeapSize
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree

user32

CharNextA
wvsprintfA
LoadStringA

advapi32

SetEntriesInAclA
GetNamedSecurityInfoA
BuildExplicitAccessWithNameA
SetNamedSecurityInfoA
RegOpenKeyExA
RegQueryValueExA
RegCreateKeyExA
RegDeleteKeyA
RegCloseKey
RegSetValueExA
RegEnumKeyA

shell32

StrStrIA

shlwapi

SHSetValueA
SHDeleteValueA
PathFileExistsA
PathRemoveFileSpecA
SHGetValueA
SHDeleteKeyA
PathAppendA

Sections

.text
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/modules/addrtips.exe
.exe windows:4 windows x86 arch:x86

2f283cf771b4c7c3087b4eac519beb0a

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4f:fa:bd:98:f0:6a:c4:3b:b9:d7:59:ad:2e:67:ee:2c:8c:82:3c:51
Signer

Actual PE Digest

4f:fa:bd:98:f0:6a:c4:3b:b9:d7:59:ad:2e:67:ee:2c:8c:82:3c:51

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

PathRemoveFileSpecA
PathAppendA

kernel32

RtlUnwind
GetStartupInfoA
ExitProcess
TerminateProcess
HeapFree
HeapAlloc
RaiseException
HeapSize
HeapReAlloc
GetACP
GetTimeZoneInformation
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
LCMapStringA
LCMapStringW
SetUnhandledExceptionFilter
GetStringTypeA
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
CompareStringA
CompareStringW
FormatMessageA
GetProfileStringA
ExpandEnvironmentStringsA
GetPrivateProfileStringA
lstrcpyA
GetModuleFileNameA
GetLastError
FreeLibrary
GetProcAddress
LoadLibraryA
GetCommandLineA
CreateMutexA
GetVersionExA
WritePrivateProfileStringA
GetSystemDefaultLangID
GetPrivateProfileIntA
GetModuleHandleA
GetCurrentThreadId
GetCurrentThread
lstrcmpiA
lstrcmpA
GlobalDeleteAtom
GlobalAlloc
GlobalLock
CloseHandle
InterlockedIncrement
InterlockedDecrement
lstrlenA
WideCharToMultiByte
MultiByteToWideChar
LoadResource
FindResourceA
LockResource
GlobalFree
GlobalUnlock
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
lstrcatA
SetEnvironmentVariableA
GetFileTime
GetFileSize
GetFileAttributesA
GetTickCount
FileTimeToLocalFileTime
FileTimeToSystemTime
GetFullPathNameA
GetVolumeInformationA
FindFirstFileA
FindClose
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
CreateFileA
GetCurrentProcess
DuplicateHandle
SetErrorMode
GetOEMCP
GetCPInfo
GetThreadLocale
SizeofResource
GetProcessVersion
GlobalFlags
lstrcpynA
TlsGetValue
LocalReAlloc
TlsSetValue
EnterCriticalSection
GlobalReAlloc
LeaveCriticalSection
TlsFree
GlobalHandle
DeleteCriticalSection
TlsAlloc
InitializeCriticalSection
LocalFree
LocalAlloc
MulDiv
SetLastError
GetVersion

user32

InvalidateRect
CharUpperA
InflateRect
RegisterClipboardFormatA
PostThreadMessageA
DestroyMenu
MessageBeep
GetNextDlgGroupItem
SetRect
CopyAcceleratorTableA
CharNextA
LoadStringA
GetSysColorBrush
PtInRect
GetClassNameA
GetDesktopWindow
LoadCursorA
GrayStringA
DrawTextA
TabbedTextOutA
EndPaint
BeginPaint
GetWindowDC
ReleaseDC
ClientToScreen
ShowWindow
MoveWindow
SetWindowTextA
IsDialogMessageA
UpdateWindow
SendDlgItemMessageA
GetSysColor
SetFocus
AdjustWindowRectEx
ScreenToClient
CopyRect
GetTopWindow
IsChild
GetCapture
WinHelpA
wsprintfA
GetClassInfoA
RegisterClassA
GetMenu
GetMenuItemCount
GetSubMenu
GetMenuItemID
GetWindowTextLengthA
GetWindowTextA
GetDlgCtrlID
DefWindowProcA
CreateWindowExA
GetClassLongA
SetPropA
UnhookWindowsHookEx
GetPropA
CallWindowProcA
RemovePropA
GetMessageTime
GetMessagePos
IsWindow
LoadIconA
UnregisterClassA
HideCaret
ShowCaret
ExcludeUpdateRgn
MapWindowPoints
DrawFocusRect
GetForegroundWindow
SetForegroundWindow
RegisterWindowMessageA
OffsetRect
IntersectRect
SystemParametersInfoA
GetWindowPlacement
MapDialogRect
SetWindowPos
GetWindow
SetWindowContextHelpId
EndDialog
SetActiveWindow
CreateDialogIndirectParamA
DestroyWindow
GetDlgItem
GetMenuCheckMarkDimensions
LoadBitmapA
GetMenuState
DefDlgProcA
IsWindowUnicode
SendMessageA
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
SetTimer
EqualRect
GetWindowThreadProcessId
WindowFromPoint
GetWindowRect
IsWindowVisible
EnableWindow
SetWindowLongA
GetWindowLongA
GetDC
PostMessageA
PostQuitMessage
SetCursor
MessageBoxA
IsWindowEnabled
GetLastActivePopup
GetParent
SetWindowsHookExA
GetCursorPos
PeekMessageA
ValidateRect
CallNextHookEx
GetKeyState
GetActiveWindow
DispatchMessageA
TranslateMessage
GetMessageA
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetFocus
GetNextDlgTabItem

gdi32

GetStockObject
SetBkMode
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
IntersectClipRect
DeleteObject
SelectObject
GetDeviceCaps
GetViewportExtEx
GetWindowExtEx
CreateSolidBrush
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GetTextColor
GetBkColor
DPtoLP
LPtoDP
GetMapMode
PatBlt
RestoreDC
SaveDC
DeleteDC
SetBkColor
SetTextColor
GetClipBox
CreateBitmap
CreateFontIndirectA
StretchBlt
CreateCompatibleDC
CreateDIBSection
CreateDIBitmap
GetTextExtentPointA
BitBlt
GetObjectA

comdlg32

GetFileTitleA

winspool.drv

ClosePrinter
DocumentPropertiesA
OpenPrinterA

advapi32

RegCloseKey
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA

comctl32

ord17

oledlg

ord8

ole32

CoFreeUnusedLibraries
CoRegisterMessageFilter
OleInitialize
CoTaskMemAlloc
CoTaskMemFree
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
CoGetClassObject
CLSIDFromString
CLSIDFromProgID
CoRevokeClassObject
OleFlushClipboard
OleIsCurrentClipboard
OleUninitialize

olepro32

ord253

oleaut32

SysStringLen
SysFreeString
SysAllocStringLen
VariantClear
VariantTimeToSystemTime
VariantCopy
VariantChangeType
SysAllocString
SysAllocStringByteLen

Sections

.text
Size: 140KB - Virtual size: 137KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/modules/addrtips.tga
$TEMP/modules/auxr.dll
.dll windows:4 windows x86 arch:x86

47678825157cd635a4fcc2bed640ea66

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

cc:9a:76:d5:f7:cb:39:e5:44:71:c3:7b:7d:f6:cb:b0:1b:3e:f0:46
Signer

Actual PE Digest

cc:9a:76:d5:f7:cb:39:e5:44:71:c3:7b:7d:f6:cb:b0:1b:3e:f0:46

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

iphlpapi

GetAdaptersInfo

kernel32

RtlUnwind
GetCommandLineA
GetVersion
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
HeapAlloc
HeapFree
ExitProcess
TerminateProcess
GetCurrentProcess
HeapReAlloc
HeapSize
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
GetModuleHandleA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
WriteFile
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadWritePtr
IsBadCodePtr
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetFilePointer
InterlockedDecrement
InterlockedIncrement
VirtualAlloc
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
SetStdHandle
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
FlushFileBuffers
CloseHandle

Exports

Exports

Aux_Aux
Aux_Uid

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/modules/auxr.exe
.exe windows:4 windows x86 arch:x86

f6f56a57a829e59bf4d1821b7d4b1a14

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

82:19:88:17:cb:b2:25:db:ee:50:c6:18:b3:83:a5:d4:5b:b1:9c:02
Signer

Actual PE Digest

82:19:88:17:cb:b2:25:db:ee:50:c6:18:b3:83:a5:d4:5b:b1:9c:02

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetPrivateProfileIntA
ExpandEnvironmentStringsA
CreateDirectoryA
DeleteFileA
FreeLibrary
MultiByteToWideChar
WinExec
lstrcatA
SetEnvironmentVariableA
CompareStringW
GetTimeZoneInformation
LCMapStringW
LCMapStringA
IsBadCodePtr
IsBadReadPtr
SetUnhandledExceptionFilter
WriteFile
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
WideCharToMultiByte
FreeEnvironmentStringsW
GetPrivateProfileStringA
UnhandledExceptionFilter
HeapSize
TerminateProcess
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
IsBadWritePtr
VirtualAlloc
VirtualFree
HeapCreate
GetVersionExA
GetEnvironmentVariableA
ExitProcess
GetVersion
GetCommandLineA
GetStartupInfoA
GetModuleHandleA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindNextFileA
FindFirstFileA
HeapReAlloc
HeapFree
HeapAlloc
RtlUnwind
WritePrivateProfileStringA
SetFileAttributesA
LoadLibraryA
GetProcAddress
LocalFree
DeleteCriticalSection
HeapDestroy
InitializeCriticalSection
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
GetSystemDefaultLangID
SetThreadLocale
RaiseException
ReleaseMutex
CloseHandle
CreateMutexA
GetLastError
GetCurrentProcess
FlushInstructionCache
OutputDebugStringA
DebugBreak
CompareStringA
InterlockedDecrement
InterlockedIncrement
lstrcmpiA
lstrlenA
lstrcpyA
GetModuleFileNameA
FreeEnvironmentStringsA
GetThreadLocale

user32

CallWindowProcA
IsWindowEnabled
GetSysColor
GetFocus
DrawFocusRect
GetDlgCtrlID
GetCursorPos
ScreenToClient
IsDialogMessageA
InvalidateRect
PtInRect
SetFocus
SetCapture
GetCapture
ReleaseCapture
LoadImageA
GetSystemMetrics
GetDlgItem
GetParent
SetDlgItemTextA
PostQuitMessage
DrawTextW
CheckDlgButton
IsDlgButtonChecked
SetCursor
UpdateWindow
DestroyCursor
SetRectEmpty
FrameRect
EnableWindow
DestroyWindow
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
CreateDialogParamA
FindWindowA
IsWindowVisible
IsIconic
BringWindowToTop
SetForegroundWindow
DefWindowProcA
ShowWindow
LoadStringA
wvsprintfA
CharNextA
SetWindowTextA
CreateWindowExA
ReleaseDC
GetDC
DrawTextA
OffsetRect
GetClassNameA
SetWindowLongA
CreateCursor
GetWindowTextLengthA
GetWindowTextA
GetWindowLongA
GetWindow
GetWindowRect
SystemParametersInfoA
MapWindowPoints
SetWindowPos
EndPaint
IsWindow
SendMessageA
BeginPaint
GetClientRect
ClientToScreen
FillRect

gdi32

ExtTextOutA
GetTextExtentPointA
SetBkMode
CreateSolidBrush
SetTextColor
TextOutA
DeleteDC
GetStockObject
GetObjectA
CreateFontIndirectA
CreatePen
DeleteObject
LineTo
SetBkColor
SelectObject
MoveToEx

advapi32

RegQueryValueExA
RegDeleteKeyA
RegCloseKey
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA

shell32

ShellExecuteA

ole32

CoUninitialize
CoInitialize

shlwapi

PathFileExistsA
PathRemoveFileSpecA
PathAppendA
SHGetValueA

comctl32

InitCommonControlsEx
_TrackMouseEvent

Sections

.text
Size: 68KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 68KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/modules/sapi.tga
$TEMP/modules/sign.dll
.dll windows:4 windows x86 arch:x86

42c095e840a02bdbd17c7caf849a3f19

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

45:45:2f:a6:23:11:11:0b:55:a0:fc:4b:40:64:90:23:75:83:8b:24
Signer

Actual PE Digest

45:45:2f:a6:23:11:11:0b:55:a0:fc:4b:40:64:90:23:75:83:8b:24

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrlenA
CloseHandle
ReadFile
GetFileSize
CreateFileA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
CopyFileA
WriteFile
HeapAlloc
HeapFree
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
HeapDestroy
HeapCreate
VirtualFree
InitializeCriticalSection
DeleteCriticalSection
VirtualAlloc
HeapReAlloc
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
InterlockedDecrement
InterlockedIncrement
MultiByteToWideChar
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
FlushFileBuffers
GetStringTypeA
GetStringTypeW
SetStdHandle
LCMapStringA
LCMapStringW
RtlUnwind

Exports

Exports

Sign_SplitSgnFile
Sign_VerifySgnFile

Sections

.text
Size: 48KB - Virtual size: 46KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/modules/ukwreg.dll
.dll regsvr32 windows:4 windows x86 arch:x86

dcabbf47e96f109aebbc0c273964a214

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3f
Signer

Actual PE Digest

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapCreate
lstrlenW
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
GetVersionExA
LoadLibraryExA
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
HeapDestroy
GetProcAddress
LoadLibraryA
lstrcpyA
lstrcatA
DebugBreak
HeapReAlloc
HeapFree
GetSystemInfo
HeapAlloc
InterlockedDecrement
EnterCriticalSection
InterlockedIncrement
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetLastError
DisableThreadLibraryCalls

user32

CharNextA

advapi32

RegQueryInfoKeyA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegDeleteValueA
RegCreateKeyExA
RegDeleteKeyA
RegEnumValueA
RegSetValueExA

ole32

CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoCreateInstance

oleaut32

SysFreeString
SysStringLen
LoadRegTypeLi
RegisterTypeLi
LoadTypeLi
SysAllocString
VarUI4FromStr

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 713B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/modules/ukwsvr.exe
.exe windows:4 windows x86 arch:x86

16f359f3e7cc07b88737898bfcdcdf05

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4b:2f:1f:f4:af:5d:80:d4:29:62:9f:9a:36:02:b2:9a:ee:14:ec:fa
Signer

Actual PE Digest

4b:2f:1f:f4:af:5d:80:d4:29:62:9f:9a:36:02:b2:9a:ee:14:ec:fa

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

RemoveDirectoryA
DeleteFileA
FreeLibrary
GetProcAddress
LoadLibraryA
Sleep
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
OpenProcess
WaitForSingleObject
GetExitCodeProcess
SetFilePointer
ReadFile
SystemTimeToFileTime
GetCurrentDirectoryA
LocalFileTimeToFileTime
SetFileTime
TerminateThread
GetExitCodeThread
OutputDebugStringA
GetLastError
CreateMutexA
LeaveCriticalSection
EnterCriticalSection
GetCurrentThreadId
InitializeCriticalSection
HeapDestroy
DeleteCriticalSection
FlushInstructionCache
GetCurrentProcess
SetFileAttributesA
CompareStringW
CompareStringA
FlushFileBuffers
SetStdHandle
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
IsBadCodePtr
IsBadReadPtr
SetUnhandledExceptionFilter
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FindFirstFileA
FindNextFileA
FindClose
CopyFileA
MoveFileExA
CreateDirectoryA
GetFileAttributesA
GetModuleFileNameA
InterlockedDecrement
CreateThread
GetTickCount
CloseHandle
lstrcpynA
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetSystemDefaultLangID
GetModuleHandleA
FindResourceA
LoadResource
LockResource
SizeofResource
CreateFileA
FreeEnvironmentStringsA
UnhandledExceptionFilter
LCMapStringW
LCMapStringA
MultiByteToWideChar
WideCharToMultiByte
IsBadWritePtr
VirtualAlloc
WriteFile
SetEnvironmentVariableA
VirtualFree
HeapCreate
GetVersionExA
GetEnvironmentVariableA
HeapSize
HeapReAlloc
TerminateProcess
TlsGetValue
SetLastError
TlsAlloc
TlsSetValue
RaiseException
ExitProcess
RtlUnwind
HeapFree
HeapAlloc
GetTimeZoneInformation
GetSystemTime
GetLocalTime
InterlockedIncrement
GetStartupInfoA
GetCommandLineA
GetVersion

user32

GetSystemMetrics
EndDialog
UpdateWindow
LoadImageA
MessageBoxA
SendMessageA
MapWindowPoints
GetClientRect
SetWindowTextA
GetDlgItem
ShowWindow
wsprintfA
SystemParametersInfoA
GetWindowRect
GetWindow
PostMessageA
SetWindowPos
SetWindowLongA
DestroyWindow
DefWindowProcA
GetActiveWindow
DialogBoxParamA
GetWindowLongA
GetParent

advapi32

SetServiceStatus
StartServiceCtrlDispatcherA
ControlService
DeleteService
OpenSCManagerA
OpenServiceA
CreateServiceA
ChangeServiceConfig2A
StartServiceA
CloseServiceHandle
RegisterServiceCtrlHandlerA
OpenProcessToken
DuplicateTokenEx
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
CreateProcessAsUserA
RegEnumKeyExA
RegOpenKeyA
RegQueryInfoKeyA
RegQueryValueExA
RegCloseKey

shell32

ShellExecuteA

ole32

CoInitialize
CoUninitialize

shlwapi

SHGetValueA
SHDeleteValueA
SHSetValueA

comctl32

InitCommonControlsEx

ws2_32

recv
WSAStartup
socket
closesocket
inet_ntoa
gethostbyname
WSAGetLastError
connect
inet_addr
htons
send
setsockopt

wininet

InternetCrackUrlA

Sections

.text
Size: 92KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/unikeyword/config.dat
$TEMP/unikeyword/rscver.dat
$TEMP/unikeyword/setup.dat
$WINDIR/ocinfo.dat
KwData/Resource/default.ini
KwData/Resource/default/addrlist.ini
KwData/Resource/default/kwinfo.ini
KwData/Resource/default/listicon.ico
KwData/Resource/default/vistabmp.bmp
KwData/Resource/default/xpbmp.bmp
KwData/Resource/education.ini
KwData/Resource/education/addrlist.ini
KwData/Resource/education/kwinfo.ini
KwData/Resource/education/listicon.ico
KwData/Resource/education/vistabmp.bmp
KwData/Resource/education/xpbmp.bmp
KwData/Resource/finance.ini
KwData/Resource/finance/addrlist.ini
KwData/Resource/finance/kwinfo.ini
KwData/Resource/finance/listicon.ico
KwData/Resource/finance/vistabmp.bmp
KwData/Resource/finance/xpbmp.bmp
KwData/Resource/fun.ini
KwData/Resource/fun/addrlist.ini
KwData/Resource/fun/kwinfo.ini
KwData/Resource/news.ini
KwData/Resource/news/addrlist.ini
KwData/Resource/news/kwinfo.ini
KwData/Resource/user.ini
KwData/rscver.dat
Shell.exe
.exe windows:4 windows x86 arch:x86

3dc0af63f4ebd16eb0df7f76d2fc2fab

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

7a:0e:70:d7:6e:3a:50:1d:0d:4c:6c:6b:5d:48:4f:91:7c:69:22:51
Signer

Actual PE Digest

7a:0e:70:d7:6e:3a:50:1d:0d:4c:6c:6b:5d:48:4f:91:7c:69:22:51

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WritePrivateProfileStringA
lstrlenA
GetSystemDefaultLangID
FreeLibrary
GetProcAddress
LoadLibraryA
Process32Next
TerminateProcess
OpenProcess
CloseHandle
Process32First
CreateToolhelp32Snapshot
CreateDirectoryA
LocalFree
InterlockedDecrement
DebugBreak
GetLastError
GetPrivateProfileIntA
Sleep
WinExec
ReadFile
SetStdHandle
FlushFileBuffers
InterlockedIncrement
FindFirstFileA
SetFileAttributesA
DeleteFileA
FindNextFileA
FindClose
RemoveDirectoryA
GetModuleFileNameA
GetPrivateProfileStringA
OutputDebugStringA
ExpandEnvironmentStringsA
VirtualAlloc
LCMapStringW
RaiseException
LCMapStringA
IsBadCodePtr
IsBadWritePtr
IsBadReadPtr
SetUnhandledExceptionFilter
SetFilePointer
WriteFile
RtlUnwind
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
GetCPInfo
GetACP
GetOEMCP
HeapFree
HeapAlloc
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
HeapReAlloc
GetCurrentProcess
HeapSize
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree

user32

CharNextA
wvsprintfA
LoadStringA

advapi32

SetEntriesInAclA
GetNamedSecurityInfoA
BuildExplicitAccessWithNameA
SetNamedSecurityInfoA
RegOpenKeyExA
RegQueryValueExA
RegCreateKeyExA
RegDeleteKeyA
RegCloseKey
RegSetValueExA
RegEnumKeyA

shell32

StrStrIA

shlwapi

SHSetValueA
SHDeleteValueA
PathFileExistsA
PathRemoveFileSpecA
SHGetValueA
SHDeleteKeyA
PathAppendA

Sections

.text
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
addrmsg.ini
addrtips.exe
.exe windows:4 windows x86 arch:x86

2f283cf771b4c7c3087b4eac519beb0a

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4f:fa:bd:98:f0:6a:c4:3b:b9:d7:59:ad:2e:67:ee:2c:8c:82:3c:51
Signer

Actual PE Digest

4f:fa:bd:98:f0:6a:c4:3b:b9:d7:59:ad:2e:67:ee:2c:8c:82:3c:51

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

PathRemoveFileSpecA
PathAppendA

kernel32

RtlUnwind
GetStartupInfoA
ExitProcess
TerminateProcess
HeapFree
HeapAlloc
RaiseException
HeapSize
HeapReAlloc
GetACP
GetTimeZoneInformation
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
LCMapStringA
LCMapStringW
SetUnhandledExceptionFilter
GetStringTypeA
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
CompareStringA
CompareStringW
FormatMessageA
GetProfileStringA
ExpandEnvironmentStringsA
GetPrivateProfileStringA
lstrcpyA
GetModuleFileNameA
GetLastError
FreeLibrary
GetProcAddress
LoadLibraryA
GetCommandLineA
CreateMutexA
GetVersionExA
WritePrivateProfileStringA
GetSystemDefaultLangID
GetPrivateProfileIntA
GetModuleHandleA
GetCurrentThreadId
GetCurrentThread
lstrcmpiA
lstrcmpA
GlobalDeleteAtom
GlobalAlloc
GlobalLock
CloseHandle
InterlockedIncrement
InterlockedDecrement
lstrlenA
WideCharToMultiByte
MultiByteToWideChar
LoadResource
FindResourceA
LockResource
GlobalFree
GlobalUnlock
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
lstrcatA
SetEnvironmentVariableA
GetFileTime
GetFileSize
GetFileAttributesA
GetTickCount
FileTimeToLocalFileTime
FileTimeToSystemTime
GetFullPathNameA
GetVolumeInformationA
FindFirstFileA
FindClose
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
CreateFileA
GetCurrentProcess
DuplicateHandle
SetErrorMode
GetOEMCP
GetCPInfo
GetThreadLocale
SizeofResource
GetProcessVersion
GlobalFlags
lstrcpynA
TlsGetValue
LocalReAlloc
TlsSetValue
EnterCriticalSection
GlobalReAlloc
LeaveCriticalSection
TlsFree
GlobalHandle
DeleteCriticalSection
TlsAlloc
InitializeCriticalSection
LocalFree
LocalAlloc
MulDiv
SetLastError
GetVersion

user32

InvalidateRect
CharUpperA
InflateRect
RegisterClipboardFormatA
PostThreadMessageA
DestroyMenu
MessageBeep
GetNextDlgGroupItem
SetRect
CopyAcceleratorTableA
CharNextA
LoadStringA
GetSysColorBrush
PtInRect
GetClassNameA
GetDesktopWindow
LoadCursorA
GrayStringA
DrawTextA
TabbedTextOutA
EndPaint
BeginPaint
GetWindowDC
ReleaseDC
ClientToScreen
ShowWindow
MoveWindow
SetWindowTextA
IsDialogMessageA
UpdateWindow
SendDlgItemMessageA
GetSysColor
SetFocus
AdjustWindowRectEx
ScreenToClient
CopyRect
GetTopWindow
IsChild
GetCapture
WinHelpA
wsprintfA
GetClassInfoA
RegisterClassA
GetMenu
GetMenuItemCount
GetSubMenu
GetMenuItemID
GetWindowTextLengthA
GetWindowTextA
GetDlgCtrlID
DefWindowProcA
CreateWindowExA
GetClassLongA
SetPropA
UnhookWindowsHookEx
GetPropA
CallWindowProcA
RemovePropA
GetMessageTime
GetMessagePos
IsWindow
LoadIconA
UnregisterClassA
HideCaret
ShowCaret
ExcludeUpdateRgn
MapWindowPoints
DrawFocusRect
GetForegroundWindow
SetForegroundWindow
RegisterWindowMessageA
OffsetRect
IntersectRect
SystemParametersInfoA
GetWindowPlacement
MapDialogRect
SetWindowPos
GetWindow
SetWindowContextHelpId
EndDialog
SetActiveWindow
CreateDialogIndirectParamA
DestroyWindow
GetDlgItem
GetMenuCheckMarkDimensions
LoadBitmapA
GetMenuState
DefDlgProcA
IsWindowUnicode
SendMessageA
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
SetTimer
EqualRect
GetWindowThreadProcessId
WindowFromPoint
GetWindowRect
IsWindowVisible
EnableWindow
SetWindowLongA
GetWindowLongA
GetDC
PostMessageA
PostQuitMessage
SetCursor
MessageBoxA
IsWindowEnabled
GetLastActivePopup
GetParent
SetWindowsHookExA
GetCursorPos
PeekMessageA
ValidateRect
CallNextHookEx
GetKeyState
GetActiveWindow
DispatchMessageA
TranslateMessage
GetMessageA
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetFocus
GetNextDlgTabItem

gdi32

GetStockObject
SetBkMode
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
IntersectClipRect
DeleteObject
SelectObject
GetDeviceCaps
GetViewportExtEx
GetWindowExtEx
CreateSolidBrush
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GetTextColor
GetBkColor
DPtoLP
LPtoDP
GetMapMode
PatBlt
RestoreDC
SaveDC
DeleteDC
SetBkColor
SetTextColor
GetClipBox
CreateBitmap
CreateFontIndirectA
StretchBlt
CreateCompatibleDC
CreateDIBSection
CreateDIBitmap
GetTextExtentPointA
BitBlt
GetObjectA

comdlg32

GetFileTitleA

winspool.drv

ClosePrinter
DocumentPropertiesA
OpenPrinterA

advapi32

RegCloseKey
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA

comctl32

ord17

oledlg

ord8

ole32

CoFreeUnusedLibraries
CoRegisterMessageFilter
OleInitialize
CoTaskMemAlloc
CoTaskMemFree
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
CoGetClassObject
CLSIDFromString
CLSIDFromProgID
CoRevokeClassObject
OleFlushClipboard
OleIsCurrentClipboard
OleUninitialize

olepro32

ord253

oleaut32

SysStringLen
SysFreeString
SysAllocStringLen
VariantClear
VariantTimeToSystemTime
VariantCopy
VariantChangeType
SysAllocString
SysAllocStringByteLen

Sections

.text
Size: 140KB - Virtual size: 137KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
addrtips.tga
auxr.dll
.dll windows:4 windows x86 arch:x86

47678825157cd635a4fcc2bed640ea66

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

cc:9a:76:d5:f7:cb:39:e5:44:71:c3:7b:7d:f6:cb:b0:1b:3e:f0:46
Signer

Actual PE Digest

cc:9a:76:d5:f7:cb:39:e5:44:71:c3:7b:7d:f6:cb:b0:1b:3e:f0:46

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

iphlpapi

GetAdaptersInfo

kernel32

RtlUnwind
GetCommandLineA
GetVersion
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
HeapAlloc
HeapFree
ExitProcess
TerminateProcess
GetCurrentProcess
HeapReAlloc
HeapSize
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
GetModuleHandleA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
WriteFile
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadWritePtr
IsBadCodePtr
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetFilePointer
InterlockedDecrement
InterlockedIncrement
VirtualAlloc
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
SetStdHandle
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
FlushFileBuffers
CloseHandle

Exports

Exports

Aux_Aux
Aux_Uid

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
auxr.exe
.exe windows:4 windows x86 arch:x86

f6f56a57a829e59bf4d1821b7d4b1a14

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

82:19:88:17:cb:b2:25:db:ee:50:c6:18:b3:83:a5:d4:5b:b1:9c:02
Signer

Actual PE Digest

82:19:88:17:cb:b2:25:db:ee:50:c6:18:b3:83:a5:d4:5b:b1:9c:02

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetPrivateProfileIntA
ExpandEnvironmentStringsA
CreateDirectoryA
DeleteFileA
FreeLibrary
MultiByteToWideChar
WinExec
lstrcatA
SetEnvironmentVariableA
CompareStringW
GetTimeZoneInformation
LCMapStringW
LCMapStringA
IsBadCodePtr
IsBadReadPtr
SetUnhandledExceptionFilter
WriteFile
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
WideCharToMultiByte
FreeEnvironmentStringsW
GetPrivateProfileStringA
UnhandledExceptionFilter
HeapSize
TerminateProcess
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
IsBadWritePtr
VirtualAlloc
VirtualFree
HeapCreate
GetVersionExA
GetEnvironmentVariableA
ExitProcess
GetVersion
GetCommandLineA
GetStartupInfoA
GetModuleHandleA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindNextFileA
FindFirstFileA
HeapReAlloc
HeapFree
HeapAlloc
RtlUnwind
WritePrivateProfileStringA
SetFileAttributesA
LoadLibraryA
GetProcAddress
LocalFree
DeleteCriticalSection
HeapDestroy
InitializeCriticalSection
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
GetSystemDefaultLangID
SetThreadLocale
RaiseException
ReleaseMutex
CloseHandle
CreateMutexA
GetLastError
GetCurrentProcess
FlushInstructionCache
OutputDebugStringA
DebugBreak
CompareStringA
InterlockedDecrement
InterlockedIncrement
lstrcmpiA
lstrlenA
lstrcpyA
GetModuleFileNameA
FreeEnvironmentStringsA
GetThreadLocale

user32

CallWindowProcA
IsWindowEnabled
GetSysColor
GetFocus
DrawFocusRect
GetDlgCtrlID
GetCursorPos
ScreenToClient
IsDialogMessageA
InvalidateRect
PtInRect
SetFocus
SetCapture
GetCapture
ReleaseCapture
LoadImageA
GetSystemMetrics
GetDlgItem
GetParent
SetDlgItemTextA
PostQuitMessage
DrawTextW
CheckDlgButton
IsDlgButtonChecked
SetCursor
UpdateWindow
DestroyCursor
SetRectEmpty
FrameRect
EnableWindow
DestroyWindow
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
CreateDialogParamA
FindWindowA
IsWindowVisible
IsIconic
BringWindowToTop
SetForegroundWindow
DefWindowProcA
ShowWindow
LoadStringA
wvsprintfA
CharNextA
SetWindowTextA
CreateWindowExA
ReleaseDC
GetDC
DrawTextA
OffsetRect
GetClassNameA
SetWindowLongA
CreateCursor
GetWindowTextLengthA
GetWindowTextA
GetWindowLongA
GetWindow
GetWindowRect
SystemParametersInfoA
MapWindowPoints
SetWindowPos
EndPaint
IsWindow
SendMessageA
BeginPaint
GetClientRect
ClientToScreen
FillRect

gdi32

ExtTextOutA
GetTextExtentPointA
SetBkMode
CreateSolidBrush
SetTextColor
TextOutA
DeleteDC
GetStockObject
GetObjectA
CreateFontIndirectA
CreatePen
DeleteObject
LineTo
SetBkColor
SelectObject
MoveToEx

advapi32

RegQueryValueExA
RegDeleteKeyA
RegCloseKey
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA

shell32

ShellExecuteA

ole32

CoUninitialize
CoInitialize

shlwapi

PathFileExistsA
PathRemoveFileSpecA
PathAppendA
SHGetValueA

comctl32

InitCommonControlsEx
_TrackMouseEvent

Sections

.text
Size: 68KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 68KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
kwhkcu_big.reg
kwhkcu_cn.reg
kwhkcu_en.reg
kwhklm_big.reg
kwhklm_cn.reg
kwhklm_en.reg
logo.bmp
nav.bmp
sapi.tga
sign.dll
.dll windows:4 windows x86 arch:x86

42c095e840a02bdbd17c7caf849a3f19

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

45:45:2f:a6:23:11:11:0b:55:a0:fc:4b:40:64:90:23:75:83:8b:24
Signer

Actual PE Digest

45:45:2f:a6:23:11:11:0b:55:a0:fc:4b:40:64:90:23:75:83:8b:24

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrlenA
CloseHandle
ReadFile
GetFileSize
CreateFileA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
CopyFileA
WriteFile
HeapAlloc
HeapFree
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
HeapDestroy
HeapCreate
VirtualFree
InitializeCriticalSection
DeleteCriticalSection
VirtualAlloc
HeapReAlloc
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
InterlockedDecrement
InterlockedIncrement
MultiByteToWideChar
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
FlushFileBuffers
GetStringTypeA
GetStringTypeW
SetStdHandle
LCMapStringA
LCMapStringW
RtlUnwind

Exports

Exports

Sign_SplitSgnFile
Sign_VerifySgnFile

Sections

.text
Size: 48KB - Virtual size: 46KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
stcr.dat
uktb.xml
ukwrbtn.html
.html .js polyglot
ukwreg.dll
.dll regsvr32 windows:4 windows x86 arch:x86

dcabbf47e96f109aebbc0c273964a214

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3f
Signer

Actual PE Digest

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapCreate
lstrlenW
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
GetVersionExA
LoadLibraryExA
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
HeapDestroy
GetProcAddress
LoadLibraryA
lstrcpyA
lstrcatA
DebugBreak
HeapReAlloc
HeapFree
GetSystemInfo
HeapAlloc
InterlockedDecrement
EnterCriticalSection
InterlockedIncrement
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetLastError
DisableThreadLibraryCalls

user32

CharNextA

advapi32

RegQueryInfoKeyA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegDeleteValueA
RegCreateKeyExA
RegDeleteKeyA
RegEnumValueA
RegSetValueExA

ole32

CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoCreateInstance

oleaut32

SysFreeString
SysStringLen
LoadRegTypeLi
RegisterTypeLi
LoadTypeLi
SysAllocString
VarUI4FromStr

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 713B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ukwsvr.exe
.exe windows:4 windows x86 arch:x86

16f359f3e7cc07b88737898bfcdcdf05

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

14/09/2010, 00:00

Not After

14/09/2011, 23:59

Subject

CN=KNET Co.\, Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=KNET Co.\, Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4b:2f:1f:f4:af:5d:80:d4:29:62:9f:9a:36:02:b2:9a:ee:14:ec:fa
Signer

Actual PE Digest

4b:2f:1f:f4:af:5d:80:d4:29:62:9f:9a:36:02:b2:9a:ee:14:ec:fa

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

RemoveDirectoryA
DeleteFileA
FreeLibrary
GetProcAddress
LoadLibraryA
Sleep
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
OpenProcess
WaitForSingleObject
GetExitCodeProcess
SetFilePointer
ReadFile
SystemTimeToFileTime
GetCurrentDirectoryA
LocalFileTimeToFileTime
SetFileTime
TerminateThread
GetExitCodeThread
OutputDebugStringA
GetLastError
CreateMutexA
LeaveCriticalSection
EnterCriticalSection
GetCurrentThreadId
InitializeCriticalSection
HeapDestroy
DeleteCriticalSection
FlushInstructionCache
GetCurrentProcess
SetFileAttributesA
CompareStringW
CompareStringA
FlushFileBuffers
SetStdHandle
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
IsBadCodePtr
IsBadReadPtr
SetUnhandledExceptionFilter
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FindFirstFileA
FindNextFileA
FindClose
CopyFileA
MoveFileExA
CreateDirectoryA
GetFileAttributesA
GetModuleFileNameA
InterlockedDecrement
CreateThread
GetTickCount
CloseHandle
lstrcpynA
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetSystemDefaultLangID
GetModuleHandleA
FindResourceA
LoadResource
LockResource
SizeofResource
CreateFileA
FreeEnvironmentStringsA
UnhandledExceptionFilter
LCMapStringW
LCMapStringA
MultiByteToWideChar
WideCharToMultiByte
IsBadWritePtr
VirtualAlloc
WriteFile
SetEnvironmentVariableA
VirtualFree
HeapCreate
GetVersionExA
GetEnvironmentVariableA
HeapSize
HeapReAlloc
TerminateProcess
TlsGetValue
SetLastError
TlsAlloc
TlsSetValue
RaiseException
ExitProcess
RtlUnwind
HeapFree
HeapAlloc
GetTimeZoneInformation
GetSystemTime
GetLocalTime
InterlockedIncrement
GetStartupInfoA
GetCommandLineA
GetVersion

user32

GetSystemMetrics
EndDialog
UpdateWindow
LoadImageA
MessageBoxA
SendMessageA
MapWindowPoints
GetClientRect
SetWindowTextA
GetDlgItem
ShowWindow
wsprintfA
SystemParametersInfoA
GetWindowRect
GetWindow
PostMessageA
SetWindowPos
SetWindowLongA
DestroyWindow
DefWindowProcA
GetActiveWindow
DialogBoxParamA
GetWindowLongA
GetParent

advapi32

SetServiceStatus
StartServiceCtrlDispatcherA
ControlService
DeleteService
OpenSCManagerA
OpenServiceA
CreateServiceA
ChangeServiceConfig2A
StartServiceA
CloseServiceHandle
RegisterServiceCtrlHandlerA
OpenProcessToken
DuplicateTokenEx
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
CreateProcessAsUserA
RegEnumKeyExA
RegOpenKeyA
RegQueryInfoKeyA
RegQueryValueExA
RegCloseKey

shell32

ShellExecuteA

ole32

CoInitialize
CoUninitialize

shlwapi

SHGetValueA
SHDeleteValueA
SHSetValueA

comctl32

InitCommonControlsEx

ws2_32

recv
WSAStartup
socket
closesocket
inet_ntoa
gethostbyname
WSAGetLastError
connect
inet_addr
htons
send
setsockopt

wininet

InternetCrackUrlA

Sections

.text
Size: 92KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
url.ico
version.dat

Sharing

General

Malware Config

Signatures

Files

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 48KB

.rsrc Size: 14KB - Virtual size: 14KB

b1cd0d78f652ce5fc63f0879371af012

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1KB - Virtual size: 1KB

dcabbf47e96f109aebbc0c273964a214

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5fCertificate

Extended Key Usages

Key Usages

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3fSigner

Headers

File Characteristics

Imports

kernel32

user32

advapi32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 12KB - Virtual size: 10KB

.rdata Size: 4KB - Virtual size: 2KB

.data Size: 4KB - Virtual size: 713B

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 880B

3dc0af63f4ebd16eb0df7f76d2fc2fab

Code Sign

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5fCertificate

Extended Key Usages

Key Usages

7a:0e:70:d7:6e:3a:50:1d:0d:4c:6c:6b:5d:48:4f:91:7c:69:22:51Signer

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

shlwapi

Sections

.text Size: 48KB - Virtual size: 44KB

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 48KB

.rsrc
Size: 14KB - Virtual size: 14KB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1KB - Virtual size: 1KB

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

fc:2f:53:33:84:de:5e:d1:f6:e7:09:ed:2b:bd:ec:b8:c7:46:14:3f
Signer

.text
Size: 12KB - Virtual size: 10KB

.rdata
Size: 4KB - Virtual size: 2KB

.data
Size: 4KB - Virtual size: 713B

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 880B

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

7a:0e:70:d7:6e:3a:50:1d:0d:4c:6c:6b:5d:48:4f:91:7c:69:22:51
Signer

.text
Size: 48KB - Virtual size: 44KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 16KB - Virtual size: 18KB

.rsrc
Size: 4KB - Virtual size: 960B

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

4f:fa:bd:98:f0:6a:c4:3b:b9:d7:59:ad:2e:67:ee:2c:8c:82:3c:51
Signer

.text
Size: 140KB - Virtual size: 137KB

.rdata
Size: 36KB - Virtual size: 34KB

.data
Size: 12KB - Virtual size: 26KB

.rsrc
Size: 20KB - Virtual size: 16KB

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

cc:9a:76:d5:f7:cb:39:e5:44:71:c3:7b:7d:f6:cb:b0:1b:3e:f0:46
Signer

.text
Size: 32KB - Virtual size: 31KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 12KB - Virtual size: 17KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB

63:09:a5:9a:b9:f3:2b:c7:74:d5:b1:c8:f7:fc:03:5f
Certificate

82:19:88:17:cb:b2:25:db:ee:50:c6:18:b3:83:a5:d4:5b:b1:9c:02
Signer

.text
Size: 68KB - Virtual size: 64KB

.rdata
Size: 12KB - Virtual size: 10KB

.data
Size: 16KB - Virtual size: 16KB