neshta | ab0ea9871e4dad2e55f687a9d5ac30c1[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

ab0ea9871e4dad2e55f687a9d5ac30c1.bin
Size

2.6MB
MD5

0ea4f65ca5fbabfc2179c305a53a18a7
SHA1

ef91c58020ab4fb2fac061a80b65583f289b5193
SHA256

93ca3bcd4ce0a0fa22b8e0b884028c9b53c388ecd3bfaf16167044ef20d8167d
SHA512

94122bca2c47bbea5650ad0b8fe39fed9aa427b9eb817393ff55edb6d954bca1aa725af21feb9f6d93e10fe7767eeef535d098a755882f7995f11d5fa87a8807
SSDEEP

49152:1DxLGd9a4/+6G4rXOCC/Esc0am8L9Rt8WqzGTQjBWtlCRTLdam3TJpg9x6OHwA:11LU9/aCaEsc/FzSWqzDjBmExdJ3di/r

Score

10^/10

neshta

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
static1/unpack001/5734e8e832f2afce8c95cf4d2e489b79e3e2642a8d025679870eec42534c6246.unknown	family_neshta

Neshta family
neshta

Files

ab0ea9871e4dad2e55f687a9d5ac30c1.bin
.zip

Password: infected
5734e8e832f2afce8c95cf4d2e489b79e3e2642a8d025679870eec42534c6246.unknown
.exe windows

Password: infected

486be6fa36428caa8cdbfb93e6873ba4

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

35:11:cd:a3:b7:45:66:cb:e0:3b:63:61:39:73:11:11
Certificate

Issuer

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Not Before

02/06/2017, 00:00

Not After

02/06/2018, 23:59

Subject

CN=LLC Panzar,O=LLC Panzar,L=Moscow,ST=Moscow,C=RU

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

90:37:2d:78:6c:28:19:92:b4:a8:46:c2:53:4c:8a:8f:53:59:95:0a
Signer

Actual PE Digest

90:37:2d:78:6c:28:19:92:b4:a8:46:c2:53:4c:8a:8f:53:59:95:0a

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=LLC Panzar,O=LLC Panzar,L=Moscow,ST=Moscow,C=RU

11/08/2017, 12:55
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

rpcrt4

UuidToStringA
RpcStringFreeA

ws2_32

closesocket
connect
bind
shutdown
WSARecv
getaddrinfo
recv
WSASend
WSAAddressToStringA
getsockname
getpeername
send
setsockopt
WSASocketA
socket
WSAAccept
listen
freeaddrinfo
WSASetLastError
WSACleanup
WSAGetLastError
WSAStartup
WSAEnumNetworkEvents
WSAEventSelect

secur32

AcceptSecurityContext
FreeCredentialsHandle
InitializeSecurityContextW
FreeContextBuffer
DecryptMessage
EncryptMessage
DeleteSecurityContext
QueryContextAttributesA
AcquireCredentialsHandleA

kernel32

FreeResource
GlobalUnlock
GlobalLock
MulDiv
FormatMessageW
GlobalAlloc
GetModuleHandleA
CompareStringA
LoadLibraryExW
GetLocaleInfoW
lstrcmpA
EnumResourceLanguagesW
ConvertDefaultLocale
GetCurrentThread
LocalAlloc
TlsGetValue
GlobalReAlloc
GlobalHandle
TlsAlloc
TlsSetValue
LocalReAlloc
TlsFree
GlobalFlags
WritePrivateProfileStringW
SetErrorMode
GlobalAddAtomW
GetStartupInfoW
RtlUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GlobalDeleteAtom
GetCPInfo
GetTimeZoneInformation
HeapAlloc
HeapCreate
VirtualFree
HeapReAlloc
HeapSize
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
VirtualAlloc
InitializeCriticalSectionAndSpinCount
GetConsoleCP
GetConsoleMode
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEnvironmentVariableA
CreateWaitableTimerA
CancelWaitableTimer
SetWaitableTimer
GetSystemTime
CreateSemaphoreA
ReleaseSemaphore
GlobalFindAtomW
LockResource
LoadResource
FindResourceW
GetCommandLineW
GetProcAddress
LoadLibraryW
GetSystemTimeAsFileTime
ExitProcess
Sleep
LocalFree
GetCurrentProcessId
OutputDebugStringW
LoadLibraryA
GlobalFree
GlobalMemoryStatusEx
GetVersionExW
GetLastError
lstrcmpiW
SetLastError
InterlockedIncrement
InterlockedDecrement
InterlockedExchangeAdd
InterlockedCompareExchange
InterlockedExchange
WideCharToMultiByte
CompareStringW
lstrcmpW
SizeofResource
FreeLibrary
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateIoCompletionPort
lstrlenW
GetProcessHeap
HeapFree
GetOverlappedResult
ConnectNamedPipe
CreateFileA
SetNamedPipeHandleState
CreateNamedPipeA
lstrlenA
GetModuleHandleW
SetFilePointer
FindFirstFileW
FindClose
FindNextFileW
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
TryEnterCriticalSection
InitializeCriticalSection
CreateMutexA
ReleaseMutex
RemoveDirectoryW
CreateDirectoryW
GetNativeSystemInfo
GetVersionExA
GetDiskFreeSpaceExW
GetEnvironmentStringsW
FreeEnvironmentStringsW
Process32First
Process32Next
GetFullPathNameA
GetModuleFileNameW
GetModuleFileNameA
GetCurrentDirectoryW
OpenProcess
GetProcessId
CreatePipe
SetHandleInformation
GetStdHandle
CreateProcessW
SetCurrentDirectoryW
MultiByteToWideChar
ExpandEnvironmentStringsW
GetExitCodeProcess
TerminateProcess
GetCurrentProcess
IsWow64Process
MoveFileWithProgressW
MoveFileExW
MoveFileW
GetFullPathNameW
FlushFileBuffers
SetEndOfFile
ReadFile
WriteFile
SetFilePointerEx
GetFileTime
GetFileSizeEx
CreateFileW
GetFileAttributesW
FormatMessageA
SetFileAttributesW
DeleteFileW
DebugBreak
CreateEventA
ResetEvent
SetEvent
WaitForMultipleObjects
SuspendThread
ResumeThread
CreateThread
WaitForSingleObject
CreateToolhelp32Snapshot
RaiseException
TerminateThread
CloseHandle
GetCurrentThreadId
IsDebuggerPresent

user32

GetSysColorBrush
GetWindowThreadProcessId
PostQuitMessage
DestroyMenu
GetMessageW
ValidateRect
ClientToScreen
GrayStringW
DrawTextExW
TabbedTextOutW
SetMenuItemBitmaps
GetMenuCheckMarkDimensions
LoadBitmapW
ModifyMenuW
GetMenuState
EnableMenuItem
CheckMenuItem
GetActiveWindow
CreateDialogIndirectParamW
GetNextDlgTabItem
EndDialog
IsWindowEnabled
ShowWindow
SetWindowTextW
IsDialogMessageW
IsDlgButtonChecked
RegisterWindowMessageW
SendDlgItemMessageW
SendDlgItemMessageA
WinHelpW
GetCapture
SetWindowsHookExW
CallNextHookEx
GetClassLongW
GetClassNameW
SetPropW
GetPropW
RemovePropW
GetFocus
GetWindowTextLengthW
GetForegroundWindow
GetLastActivePopup
DispatchMessageW
UnregisterClassW
GetDlgItem
GetTopWindow
DestroyWindow
UnhookWindowsHookEx
GetMessageTime
GetMessagePos
PeekMessageW
MapWindowPoints
TrackPopupMenuEx
GetKeyState
SetMenu
UpdateWindow
GetSubMenu
GetMenuItemID
GetMenuItemCount
MessageBoxW
CreateWindowExW
GetClassInfoExW
GetClassInfoW
RegisterClassW
GetSysColor
AdjustWindowRectEx
GetDlgCtrlID
DefWindowProcW
CallWindowProcW
GetMenu
SystemParametersInfoA
GetWindowPlacement
GetWindow
SetForegroundWindow
FindWindowW
wsprintfW
IsWindow
SetCursor
LoadIconW
LoadCursorW
KillTimer
SetTimer
IsIconic
SetWindowPos
GetWindowTextW
EqualRect
GetWindowRect
IsWindowVisible
EnableWindow
GetSystemMetrics
SendMessageW
InvalidateRect
GetParent
GetAsyncKeyState
PtInRect
GetCursorPos
CopyRect
RedrawWindow
ReleaseDC
UpdateLayeredWindow
GetDC
GetDesktopWindow
SetFocus
SetActiveWindow
TranslateMessage
PostMessageW
EnumDisplaySettingsW
AppendMenuW
CreatePopupMenu
GetWindowDC
DrawTextW
OffsetRect
BeginPaint
EndPaint
GetClientRect
SetCapture
ScreenToClient
ReleaseCapture
GetWindowLongW
SetWindowLongW

gdi32

OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
SetViewportOrgEx
GetStockObject
Escape
ExtTextOutW
TextOutW
RectVisible
PtVisible
SetMapMode
RestoreDC
SaveDC
GetDeviceCaps
CreateBitmap
GetObjectW
SetBkColor
GetClipBox
CreatePatternBrush
DeleteObject
CreateFontIndirectW
DeleteDC
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
SetTextColor
SetBkMode
GetTextColor
CreateDIBSection

msimg32

AlphaBlend

winspool.drv

ClosePrinter
DocumentPropertiesW
OpenPrinterW

advapi32

GetExplicitEntriesFromAclW
RegQueryValueExW
SetNamedSecurityInfoW
SetEntriesInAclW
ConvertStringSidToSidW
ConvertSecurityDescriptorToStringSecurityDescriptorW
GetNamedSecurityInfoW
RegSetValueExW
RegCreateKeyExW
RegQueryValueW
RegOpenKeyW
RegEnumKeyW
RegDeleteKeyW
IsTokenRestricted
GetTokenInformation
RegOpenKeyExW
LookupPrivilegeValueA
OpenProcessToken
AdjustTokenPrivileges
CryptImportKey
CryptDestroyKey
CryptSetKeyParam
CryptEncrypt
CryptGetKeyParam
CryptDeriveKey
CryptGetHashParam
CryptVerifySignatureA
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
RegSetValueExA
RegQueryValueExA
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey

shell32

ShellExecuteW
ord680
SHGetFolderPathW
CommandLineToArgvW
ShellExecuteExW

comctl32

InitCommonControlsEx

shlwapi

PathFindExtensionW
PathFindFileNameW

ole32

CoInitializeEx
CoCreateInstance
CoCreateGuid
CoSetProxyBlanket
CoTaskMemFree
CoInitializeSecurity
CoTaskMemAlloc
CoTaskMemRealloc
CoGetMalloc
CoUninitialize

oleaut32

VariantClear
SafeArrayCreate
SafeArrayDestroy
SysAllocString
SafeArrayGetElement
GetErrorInfo
VariantChangeType
SysStringLen
VariantInit
SafeArrayUnlock
SafeArrayLock
SafeArrayPutElement
SysFreeString
VariantCopy

awesomium

?ToObject@JSValue@Awesomium@@QAEAAVJSObject@2@XZ
?SetProperty@JSObject@Awesomium@@QAEXABVWebString@2@ABVJSValue@2@@Z
?CopyTo@BitmapSurface@Awesomium@@QBEXPAEHH_N1@Z
??0WebKeyboardEvent@Awesomium@@QAE@IIJ@Z
?CreateFromUTF8@WebString@Awesomium@@SA?AV12@PBDI@Z
?SetCustomMethod@JSObject@Awesomium@@QAEXABVWebString@2@_N@Z
??4JSValue@Awesomium@@QAEAAV01@ABV01@@Z
?ToBoolean@JSValue@Awesomium@@QBE_NXZ
?IsBoolean@JSValue@Awesomium@@QBE_NXZ
?Invoke@JSObject@Awesomium@@QAE?AVJSValue@2@ABVWebString@2@ABVJSArray@2@@Z
?HasMethod@JSObject@Awesomium@@QBE_NABVWebString@2@@Z
??0JSValue@Awesomium@@QAE@XZ
??1JSArray@Awesomium@@QAE@XZ
?Push@JSArray@Awesomium@@QAEXABVJSValue@2@@Z
??0JSValue@Awesomium@@QAE@H@Z
??0JSArray@Awesomium@@QAE@XZ
??AJSArray@Awesomium@@QAEAAVJSValue@1@I@Z
?Insert@JSArray@Awesomium@@QAEXABVJSValue@2@I@Z
??0JSArray@Awesomium@@QAE@ABV01@@Z
?size@JSArray@Awesomium@@QBEIXZ
?IsEmpty@WebString@Awesomium@@QBE_NXZ
?ToInteger@JSValue@Awesomium@@QBEHXZ
?IsInteger@JSValue@Awesomium@@QBE_NXZ
??1JSObject@Awesomium@@QAE@XZ
??0JSValue@Awesomium@@QAE@ABVJSObject@1@@Z
??0JSObject@Awesomium@@QAE@XZ
??0JSValue@Awesomium@@QAE@ABVWebString@1@@Z
?ToUTF8@WebString@Awesomium@@QBEIPADI@Z
?SetPropertyAsync@JSObject@Awesomium@@QAEXABVWebString@2@ABVJSValue@2@@Z
?Erase@JSArray@Awesomium@@QAEXI@Z
??0JSValue@Awesomium@@QAE@ABV01@@Z
?Shutdown@WebCore@Awesomium@@SAXXZ
??1WebPreferences@Awesomium@@QAE@XZ
??0WebPreferences@Awesomium@@QAE@XZ
??1WebConfig@Awesomium@@QAE@XZ
?Initialize@WebCore@Awesomium@@SAPAV12@ABUWebConfig@2@@Z
??4WebString@Awesomium@@QAEAAV01@ABV01@@Z
??0WebConfig@Awesomium@@QAE@XZ
??0WebString@Awesomium@@QAE@XZ
?IsString@JSValue@Awesomium@@QBE_NXZ
?ToString@JSValue@Awesomium@@QBE?AVWebString@2@XZ
??1JSValue@Awesomium@@QAE@XZ
?spec@WebURL@Awesomium@@QBE?AVWebString@2@XZ
?length@WebString@Awesomium@@QBEIXZ
?data@WebString@Awesomium@@QBEPBGXZ
??0JSValue@Awesomium@@QAE@_N@Z
?ToObject@JSValue@Awesomium@@QBEABVJSObject@2@XZ
?remote_id@JSObject@Awesomium@@QBEIXZ
??0WebURL@Awesomium@@QAE@ABVWebString@1@@Z
??1WebString@Awesomium@@QAE@XZ
??1WebURL@Awesomium@@QAE@XZ
??_7View@WebViewListener@Awesomium@@6B@
??_7Load@WebViewListener@Awesomium@@6B@
??_7Process@WebViewListener@Awesomium@@6B@
??1View@WebViewListener@Awesomium@@MAE@XZ
??1Load@WebViewListener@Awesomium@@MAE@XZ
??1Process@WebViewListener@Awesomium@@MAE@XZ
??1Menu@WebViewListener@Awesomium@@MAE@XZ
??0WebString@Awesomium@@QAE@PBG@Z
?instance@WebCore@Awesomium@@SAPAV12@XZ
?IsObject@JSValue@Awesomium@@QBE_NXZ
??AJSArray@Awesomium@@QBEABVJSValue@1@I@Z

winhttp

WinHttpCrackUrl
WinHttpGetDefaultProxyConfiguration
WinHttpGetIEProxyConfigForCurrentUser

psapi

GetModuleFileNameExW

version

GetFileVersionInfoW
VerQueryValueW

dbghelp

MiniDumpWriteDump

crypt32

CertFreeCertificateContext
CertFindCertificateInStore
CertOpenSystemStoreA
CertCloseStore

Exports

Exports

??0?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@H@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@H@@@@QAE@PAVCClient@?$CPnzMtThreadPool@H@@@Z
??0?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@VCPnzNetRmiCombinedKey@@@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@VCPnzNetRmiCombinedKey@@@@@@QAE@PAVCClient@?$CPnzMtThreadPool@VCPnzNetRmiCombinedKey@@@@@Z
??0?$CPnzWeakPtr@VCPnzContextContainer@@@@QAE@PAVCPnzContextContainer@@@Z
??0?$CPnzWeakPtr@VCPnzNetRmiClPxNodePx@@@@QAE@PAVCPnzNetRmiClPxNodePx@@@Z
??0?$CPnzWeakPtr@VCPnzRouterNode@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCPnzRouterNode@@@@QAE@PAVCPnzRouterNode@@@Z
??0?$CPnzWeakPtr@VCPnzRouterNode@@@@QAE@XZ
??0?$CPnzWeakPtr@VCPnzRouterNodes@@@@QAE@PAVCPnzRouterNodes@@@Z
??0?$CPnzWeakPtr@VCPnzSocketContext@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCPnzSocketContext@@@@QAE@PAVCPnzSocketContext@@@Z
??0?$CPnzWeakPtr@VCPnzSocketContext@@@@QAE@XZ
??0?$CPnzWeakPtr@VCPnzUcHtmlRenderer@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCPnzUcHtmlRenderer@@@@QAE@PAVCPnzUcHtmlRenderer@@@Z
??0?$CPnzWeakPtr@VCPnzUcHtmlRenderer@@@@QAE@XZ
??0?$CPnzWeakPtr@VCPnzUpdClientP2PNode@@@@QAE@XZ
??0?$CPnzWeakPtr@VCPnzUpdClientPpsNodePpc@@@@QAE@XZ
??0?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QAE@PAVCPnzUpdNodeUs@@@Z
??0?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QAE@XZ
??0?$CPnzWeakPtr@VCProxy@IPnzDbCacheRecordListener@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCProxy@IPnzDbCacheRecordListener@@@@QAE@PAVCProxy@IPnzDbCacheRecordListener@@@Z
??0?$CPnzWeakPtr@VCProxy@IPnzDbCacheRecordListener@@@@QAE@XZ
??0?$CPnzWeakPtr@VCProxy@IPnzDbCacheTableListener@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCProxy@IPnzDbCacheTableListener@@@@QAE@PAVCProxy@IPnzDbCacheTableListener@@@Z
??0?$CPnzWeakPtr@VCProxy@IPnzDbCacheTableListener@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordAccount@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordCharacter@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordGlobalConst@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordLevel@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordLocale@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordLocaleRegionLink@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordLocaleRegionLink@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QAE@PAVCRecordPlayer@CPnzDb@@@Z
??0?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordPlayerLevelUp@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordPlayerQuestMission@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordPlayerQuestMission@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordRegion@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QAE@PAVCRecordSceneObjectInstance@CPnzDb@@@Z
??0?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QAE@PAVCRecordServerCluster@CPnzDb@@@Z
??0?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordText@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordText@CPnzDb@@@@QAE@PAVCRecordText@CPnzDb@@@Z
??0?$CPnzWeakPtr@VCRecordTextRow@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordTextRow@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QAE@PAVCRecordWebSite@CPnzDb@@@Z
??0?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QAE@XZ
??0?$CPnzWeakPtr@VCRecordWebSiteSubnet@CPnzDb@@@@QAE@ABV0@@Z
??0?$CPnzWeakPtr@VCRecordWebSiteSubnet@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@H@@@@QAE@XZ
??1?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@VCPnzNetRmiCombinedKey@@@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzContextContainer@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzNetRmiClNmNodeNm@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzNetRmiClPxNodePx@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzNetRmiClass@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzNetRmiClassExternal@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzNetRmiNmNodeCl@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzRouterNode@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzRouterNodes@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzSocketContext@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzUcHtmlRenderer@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzUpdClientP2PNode@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzUpdClientPpsNodePpc@@@@QAE@XZ
??1?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QAE@XZ
??1?$CPnzWeakPtr@VCProxy@IPnzDbCacheRecordListener@@@@QAE@XZ
??1?$CPnzWeakPtr@VCProxy@IPnzDbCacheTableListener@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordAccount@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordCharacter@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordGlobalConst@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordLevel@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordLocale@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordLocaleRegionLink@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordPlayerLevelUp@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordPlayerQuestMission@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordRegion@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordText@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordTextRow@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QAE@XZ
??1?$CPnzWeakPtr@VCRecordWebSiteSubnet@CPnzDb@@@@QAE@XZ
??4?$CPnzWeakPtr@VCPnzRouterNode@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCPnzRouterNode@@@@QAEAAV0@PAVCPnzRouterNode@@@Z
??4?$CPnzWeakPtr@VCPnzSocketContext@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCPnzSocketContext@@@@QAEAAV0@PAVCPnzSocketContext@@@Z
??4?$CPnzWeakPtr@VCPnzUcHtmlRenderer@@@@QAEAAV0@PAVCPnzUcHtmlRenderer@@@Z
??4?$CPnzWeakPtr@VCPnzUpdClientP2PNode@@@@QAEAAV0@PAVCPnzUpdClientP2PNode@@@Z
??4?$CPnzWeakPtr@VCPnzUpdClientPpsNodePpc@@@@QAEAAV0@PAVCPnzUpdClientPpsNodePpc@@@Z
??4?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QAEAAV0@PAVCPnzUpdNodeUs@@@Z
??4?$CPnzWeakPtr@VCProxy@IPnzDbCacheRecordListener@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCProxy@IPnzDbCacheTableListener@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordAccount@CPnzDb@@@@QAEAAV0@PAVCRecordAccount@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordCharacter@CPnzDb@@@@QAEAAV0@PAVCRecordCharacter@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordGlobalConst@CPnzDb@@@@QAEAAV0@PAVCRecordGlobalConst@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordLevel@CPnzDb@@@@QAEAAV0@PAVCRecordLevel@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordLocale@CPnzDb@@@@QAEAAV0@PAVCRecordLocale@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordLocaleRegionLink@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordLocaleRegionLink@CPnzDb@@@@QAEAAV0@PAVCRecordLocaleRegionLink@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QAEAAV0@PAVCRecordPlayer@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordPlayerLevelUp@CPnzDb@@@@QAEAAV0@PAVCRecordPlayerLevelUp@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordPlayerQuestMission@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordPlayerQuestMission@CPnzDb@@@@QAEAAV0@PAVCRecordPlayerQuestMission@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordRegion@CPnzDb@@@@QAEAAV0@PAVCRecordRegion@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QAEAAV0@PAVCRecordSceneObjectInstance@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QAEAAV0@PAVCRecordServerCluster@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordText@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordTextRow@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordTextRow@CPnzDb@@@@QAEAAV0@PAVCRecordTextRow@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QAEAAV0@PAVCRecordWebSite@CPnzDb@@@Z
??4?$CPnzWeakPtr@VCRecordWebSiteSubnet@CPnzDb@@@@QAEAAV0@ABV0@@Z
??4?$CPnzWeakPtr@VCRecordWebSiteSubnet@CPnzDb@@@@QAEAAV0@PAVCRecordWebSiteSubnet@CPnzDb@@@Z
??8?$CPnzWeakPtr@VCProxy@IPnzDbCacheRecordListener@@@@QBE_NABV0@@Z
??8?$CPnzWeakPtr@VCProxy@IPnzDbCacheTableListener@@@@QBE_NABV0@@Z
?IsExpired@?$CPnzWeakPtr@VCPnzRouterNode@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordAccount@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordCharacter@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordGlobalConst@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordLevel@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordLocale@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordLocaleRegionLink@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordPlayerLevelUp@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordPlayerQuestMission@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordRegion@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordText@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordTextRow@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QBE_NXZ
?IsExpired@?$CPnzWeakPtr@VCRecordWebSiteSubnet@CPnzDb@@@@QBE_NXZ
?Lock@?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@H@@@@QBE?AV?$CPnzSmartPtr@VCClient@?$CPnzMtThreadPool@H@@@@XZ
?Lock@?$CPnzWeakPtr@VCClient@?$CPnzMtThreadPool@VCPnzNetRmiCombinedKey@@@@@@QBE?AV?$CPnzSmartPtr@VCClient@?$CPnzMtThreadPool@VCPnzNetRmiCombinedKey@@@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzContextContainer@@@@QBE?AV?$CPnzSmartPtr@VCPnzContextContainer@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzNetRmiNmDbFactory@@@@QBE?AV?$CPnzSmartPtr@VCPnzNetRmiNmDbFactory@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzNetRmiNmNodeCl@@@@QBE?AV?$CPnzSmartPtr@VCPnzNetRmiNmNodeCl@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzRouterNode@@@@QBE?AV?$CPnzSmartPtr@VCPnzRouterNode@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzRouterNodes@@@@QBE?AV?$CPnzSmartPtr@VCPnzRouterNodes@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzSocketContext@@@@QBE?AV?$CPnzSmartPtr@VCPnzSocketContext@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzUcHtmlRenderer@@@@QBE?AV?$CPnzSmartPtr@VCPnzUcHtmlRenderer@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzUpdClientP2PNode@@@@QBE?AV?$CPnzSmartPtr@VCPnzUpdClientP2PNode@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzUpdClientPpsNodePpc@@@@QBE?AV?$CPnzSmartPtr@VCPnzUpdClientPpsNodePpc@@@@XZ
?Lock@?$CPnzWeakPtr@VCPnzUpdNodeUs@@@@QBE?AV?$CPnzSmartPtr@VCPnzUpdNodeUs@@@@XZ
?Lock@?$CPnzWeakPtr@VCProxy@IPnzDbCacheRecordListener@@@@QBE?AV?$CPnzSmartPtr@VCProxy@IPnzDbCacheRecordListener@@@@XZ
?Lock@?$CPnzWeakPtr@VCProxy@IPnzDbCacheTableListener@@@@QBE?AV?$CPnzSmartPtr@VCProxy@IPnzDbCacheTableListener@@@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordAccount@CPnzDb@@@@QBEPAVCRecordAccount@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordCharacter@CPnzDb@@@@QBEPAVCRecordCharacter@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordGlobalConst@CPnzDb@@@@QBEPAVCRecordGlobalConst@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordLevel@CPnzDb@@@@QBEPAVCRecordLevel@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordLocale@CPnzDb@@@@QBEPAVCRecordLocale@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordLocaleRegionLink@CPnzDb@@@@QBEPAVCRecordLocaleRegionLink@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordPlayer@CPnzDb@@@@QBEPAVCRecordPlayer@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordPlayerLevelUp@CPnzDb@@@@QBEPAVCRecordPlayerLevelUp@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordPlayerQuestMission@CPnzDb@@@@QBEPAVCRecordPlayerQuestMission@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordRegion@CPnzDb@@@@QBEPAVCRecordRegion@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordSceneObjectInstance@CPnzDb@@@@QBEPAVCRecordSceneObjectInstance@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordServerCluster@CPnzDb@@@@QBEPAVCRecordServerCluster@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordText@CPnzDb@@@@QBEPAVCRecordText@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordTextRow@CPnzDb@@@@QBEPAVCRecordTextRow@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordWebSite@CPnzDb@@@@QBEPAVCRecordWebSite@CPnzDb@@XZ
?Unsafe@?$CPnzWeakPtr@VCRecordWebSiteSubnet@CPnzDb@@@@QBEPAVCRecordWebSiteSubnet@CPnzDb@@XZ

Sections

.text
Size: 3.4MB - Virtual size: 3.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 767KB - Virtual size: 766KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 80KB - Virtual size: 477KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

486be6fa36428caa8cdbfb93e6873ba4

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cbCertificate

Extended Key Usages

Key Usages

35:11:cd:a3:b7:45:66:cb:e0:3b:63:61:39:73:11:11Certificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

90:37:2d:78:6c:28:19:92:b4:a8:46:c2:53:4c:8a:8f:53:59:95:0aSigner

Signature Validations

Verification

11/08/2017, 12:55 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

rpcrt4

ws2_32

secur32

kernel32

user32

gdi32

msimg32

winspool.drv

advapi32

shell32

comctl32

shlwapi

ole32

oleaut32

awesomium

winhttp

psapi

version

dbghelp

crypt32

Exports

Exports

Sections

.text Size: 3.4MB - Virtual size: 3.4MB

.rdata Size: 767KB - Virtual size: 766KB

.data Size: 80KB - Virtual size: 477KB

.rsrc Size: 3.5MB - Virtual size: 3.5MB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

35:11:cd:a3:b7:45:66:cb:e0:3b:63:61:39:73:11:11
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

90:37:2d:78:6c:28:19:92:b4:a8:46:c2:53:4c:8a:8f:53:59:95:0a
Signer

11/08/2017, 12:55
Valid: false

.text
Size: 3.4MB - Virtual size: 3.4MB

.rdata
Size: 767KB - Virtual size: 766KB

.data
Size: 80KB - Virtual size: 477KB

.rsrc
Size: 3.5MB - Virtual size: 3.5MB