wintool.exe

Haitao Gu

The application wintool.exe by Haitao Gu has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address server-54-230-216-29.mrs50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Haitao Gu  (signed and verified)

MD5:
e9c03e53982f01a9d98d43640376acb0

SHA-1:
8be8bca0086d900b94240eb61c7520863ad0cbc9

SHA-256:
35052137438aa96df5256f213e163b90d2b431d476adabf79ba130e8f1a00773

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
7/6/2025 7:24:56 PM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.Elex.HG (M)

Engine version:
17.2.13.9

File size:
102.7 KB (105,168 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\wintool.exe

Digital Signature
Signed by:
Haitao Gu
Authority:
thawte, Inc.

Valid from:
1/12/2017 7:00:00 AM

Valid to:
8/19/2017 6:59:59 AM

Subject:
CN=Haitao Gu, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
7DFA9A2793C23E2B568C61ED310546B4

File PE Metadata
Compilation timestamp:
2/7/2017 9:32:35 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1E8F

Entry point:
Code size:
59.5 KB (60,928 bytes)

The executing file has been seen to make the following network communications in live environments.

