NEAS[.]7e696bebd251d9dfa11f2ac775276cd0[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.7e696bebd251d9dfa11f2ac775276cd0.exe
Size

340KB
MD5

7e696bebd251d9dfa11f2ac775276cd0
SHA1

8a72a9f6e9515a84db5435220c3f5bfc26f6bd34
SHA256

673eba98d54f0c0e6c9c6b4d46c6f16d83ec3f4df340c1ec5fef7f0f9fb54ec3
SHA512

2369484369737d10af5841b5de7769d8d3bbb139c82f0c73d41a3346d0b049008a271f3a66091c1cf4404eb5a8be7c6ecbcc1985740fae349ed26c558afddc19
SSDEEP

6144:MzehfLwvFEjIA6RlVOlXSG+451xgvfx0fegZwweoK+451xgvfx0fegZwweo+Z:MzehfMvOjIAKkCG+4BgvGfegZwxb+4BG

Score

1^/10

Malware Config

Signatures

Files

NEAS.7e696bebd251d9dfa11f2ac775276cd0.exe
.exe windows:5 windows x86

b57f4d231363eb5fb1a8f2d3f14c73a4

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

1c:04:dc:c9:be:35:c5:58:42:2b:af:ef:34:98:49:75
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

07/01/2015, 00:00

Not After

29/12/2016, 23:59

Subject

CN=DotCash Limited,OU=IT,O=DotCash Limited,L=Hong Kong,ST=Hong Kong,C=HK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

23:e6:c5:6b:a9:e0:40:97:b4:ee:12:4d:41:91:92:74:e5:ef:eb:7d
Signer

Actual PE Digest

23:e6:c5:6b:a9:e0:40:97:b4:ee:12:4d:41:91:92:74:e5:ef:eb:7d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

lpcmanager

?Parse_StartProcess@CLpcParser@@QAEHAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0@Z
?Parser@CLpcParser@@QAEHPAD@Z
??0CLpcParser@@QAE@XZ

winservice

??1CServiceBase@@UAE@XZ
?OnStart@CServiceBase@@MAEXKPAPA_W@Z
?OnStop@CServiceBase@@MAEXXZ
?OnPause@CServiceBase@@MAEXXZ
??0CServiceBase@@QAE@HHH@Z
?OnShutdown@CServiceBase@@MAEXXZ
?OnSessionChanged@CServiceBase@@MAEKKPAUtagWTSSESSION_NOTIFICATION@@@Z
?OnCommandLine@CServiceApp@@UAEHPA_W@Z
?Run@CServiceApp@@UAEXPA_WPAVCServiceBase@@@Z
??1CServiceApp@@QAE@XZ
?LogEvent@CServiceBase@@QAAXPB_WZZ
?OnContinue@CServiceBase@@MAEXXZ
??0CServiceApp@@QAE@XZ

xprocessbus

?CreateProcessBus@XProcessBus@@YAPAUIXProcessBus@1@XZ
?ReleaseProcessBus@XProcessBus@@YAXPAUIXProcessBus@1@@Z

support

?MPC_InitDriver@support@@YAPAXPB_W@Z
?IsLogined@HttpHelper@support@@SA_NXZ
?DeleteRegValue@AppHelper@support@@SAHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?CreateStartMenu@SetupHelper@support@@SAXH@Z
?CreateDesktopShortCut@SetupHelper@support@@SAXH@Z
?DeleteStartMenu@SetupHelper@support@@SAXHH@Z
?DeleteDesktopShortCut@SetupHelper@support@@SAXHH@Z
?SetRegIntValue@AppHelper@support@@SAHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@H@Z
?GetRegIntValue@AppHelper@support@@SAHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?SetServiceActiveTime@AppHelper@support@@SAXV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?GetServiceActiveTime@AppHelper@support@@SA?AV?$AutoPtr@_W@util@@XZ
?GetTestSignal@AppHelper@support@@SA?AV?$AutoPtr@_W@util@@XZ
?MPC_AddProcessProtect@support@@YAHPAXE@Z
?MPC_OpenAllProtect@support@@YAHPAX@Z
?MPC_InitSelfProtectDir@support@@YAHPAX@Z
?MPC_CloseAllProtect@support@@YAHPAX@Z

kernel32

CreateDirectoryW
RemoveDirectoryW
FindClose
SetFileAttributesW
FindNextFileW
FindFirstFileW
GetFileAttributesW
GetVolumeInformationW
SetFileTime
SystemTimeToFileTime
GetSystemTime
CreateFileW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
OpenFileMappingW
GlobalMemoryStatusEx
GetSystemDirectoryW
GetThreadIOPendingFlag
SetProcessWorkingSetSize
SetThreadPriorityBoost
SetProcessPriorityBoost
GetProcessPriorityBoost
SetThreadPriority
GetThreadPriority
SetPriorityClass
GetPriorityClass
TerminateProcess
ReadFile
GetStartupInfoW
CloseHandle
FreeLibrary
LoadLibraryW
GetProcAddress
GetModuleFileNameW
GetDiskFreeSpaceExW
WaitForSingleObject
SetFilePointer
GetLastError
CreateEventW
ResetEvent
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
MoveFileExW
DeleteFileW
CreatePipe
CreateProcessW
GetExitCodeProcess
ReadProcessMemory
Thread32Next
Thread32First
GetModuleHandleW
OpenThread
GetCurrentThread
GetCurrentProcess
GetCurrentProcessId
OpenProcess
SetLastError
OutputDebugStringA
ReleaseMutex
CreateMutexW
OpenMutexW
HeapFree
GetProcessHeap
HeapAlloc
GetCurrentThreadId
MultiByteToWideChar
WideCharToMultiByte
InterlockedExchange
SetEvent
GetFileSize
QueryDosDeviceW
InterlockedCompareExchange
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
Sleep
CreateFileA

ole32

CoTaskMemFree

msvcp90

?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z
?_Myptr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEPADXZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?length@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
?end@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?begin@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE?AV?$_String_iterator@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@2@XZ
?reserve@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?push_back@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXD@Z
?eq_int_type@?$char_traits@D@std@@SA_NABH0@Z
?eof@?$char_traits@D@std@@SAHXZ
?rdstate@ios_base@std@@QBEHXZ
?good@ios_base@std@@QBE_NXZ
?flags@ios_base@std@@QBEHXZ
?setf@ios_base@std@@QAEHH@Z
?setf@ios_base@std@@QAEHHH@Z
?width@ios_base@std@@QBEHXZ
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?width@ios_base@std@@QAEHH@Z
??_D?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ID@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??0?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
?str@?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEDD@Z
?uncaught_exception@std@@YA_NXZ
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?_Myptr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IBEPBDXZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IBEPB_WXZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
?empty@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE_NXZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
??$?6DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?setw@std@@YA?AU?$_Smanip@H@1@H@Z
?length@?$char_traits@D@std@@SAIPBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
??$?9_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD0@Z
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?swap@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXAAV12@@Z
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ

psapi

GetProcessMemoryInfo
GetProcessImageFileNameW
GetModuleFileNameExW

utility

?GetOsVersion@OSHelper@util@@SAHXZ
?StartProcessAsPowerUser@MiscHelper@util@@SAHPB_WPAK@Z
?FormatW@StringHelper@util@@SA?AV?$AutoPtr@_W@2@PB_WZZ
?ReadBool@CRegistry@util@@QAEHV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@H@Z
?ReadString@CRegistry@util@@QAE?AV?$AutoPtr@_W@2@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0@Z
?SetFullKey@CRegistry@util@@QAEPAUHKEY__@@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HK@Z
?SetWow64Key@CRegistry@util@@QAEXH@Z
??1CRegistry@util@@UAE@XZ
??0CRegistry@util@@QAE@XZ
?GetModuleDir@PathHelper@util@@SA?AV?$AutoPtr@_W@2@PAUHINSTANCE__@@@Z
?CreateThread@CThreadManager@util@@UAEPAVIThreadObject@2@HV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?LogToFile@LogHelper@util@@SAXPB_W0ZZ
??1CThreadManager@util@@UAE@XZ
??0CThreadManager@util@@QAE@XZ
?OnThreadEntry@CThreadManager@util@@MAEXPAVIThreadObject@2@@Z
?OnThreadExit@CThreadManager@util@@MAEXPAVIThreadObject@2@@Z
?CreateThread@CThreadManager@util@@UAEPAVIThreadObject@2@HKKKV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?DestoryThread@CThreadManager@util@@UAEXPAVIThreadObject@2@@Z
?DestoryThread@CThreadManager@util@@UAEXXZ
?IsFileExist@PathHelper@util@@SAHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?Timet2SysTime@TimeHelper@util@@SA?AU_SYSTEMTIME@@_J@Z
?GetCurrentLocalSystemTime@TimeHelper@util@@SA?AU_SYSTEMTIME@@XZ
?GetDiffDays@TimeHelper@util@@SAIABU_SYSTEMTIME@@0@Z
?GetTickCount@TimeHelper@util@@SA_JXZ
?ConvertFromIntW@StringHelper@util@@SA?AV?$AutoPtr@_W@2@_K@Z
?QueryActiveSession@PowerProcess@@YAHAAK@Z
??0TString@util@@QAE@PB_WH@Z
??1TString@util@@UAE@XZ
??4TString@util@@QAEABV01@PB_W@Z
??BTString@util@@QBEPB_WXZ
?Trim@TString@util@@QAE?AV12@_W@Z
?ExtractFileName@PathHelper@util@@SA?AV?$AutoPtr@_W@2@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?c_str@TString@util@@QAEPB_WXZ
?GetAllXDatas@XDataHelper@util@@SAHAAV?$vector@UWiFiInfo@util@@V?$allocator@UWiFiInfo@util@@@std@@@std@@@Z
?UnicodeToANSI@StringHelper@util@@SA?AV?$AutoPtr@D@2@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?DeleteValue@CRegistry@util@@QAEHV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
?ConvertToInt64@StringHelper@util@@SA_JV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z

msvcr90

_invoke_watson
_controlfp_s
_except_handler4_common
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_CxxThrowException
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm_e
_initterm
_wcmdln
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
_decode_pointer
_onexit
_lock
_encode_pointer
__dllonexit
_unlock
?terminate@@YAXXZ
strpbrk
sprintf_s
strchr
malloc
free
_vsnprintf_s
_vsnwprintf_s
toupper
tolower
strlen
wcschr
wcsrchr
wcsstr
memcpy
fclose
fgetc
fopen_s
iswalpha
_vsnwprintf
wcscat_s
??_U@YAPAXI@Z
_wcsnicmp
wcslen
memset
_wcsicmp
_itoa
_i64toa
??2@YAPAXI@Z
??3@YAXPAX@Z
??_V@YAXPAX@Z
_invalid_parameter_noinfo
??0exception@std@@QAE@ABV01@@Z
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
?what@exception@std@@UBEPBDXZ
memmove_s
_configthreadlocale
__CxxFrameHandler3
_purecall

iphlpapi

GetExtendedTcpTable

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

mpr

WNetOpenEnumW
WNetCloseEnum
WNetEnumResourceW

user32

IsHungAppWindow
GetUserObjectInformationW
GetThreadDesktop
PostMessageW
EnumWindows
GetWindowLongW
GetParent
AttachThreadInput
GetWindowThreadProcessId
GetForegroundWindow
IsWindowEnabled
IsWindowVisible
GetLastActivePopup
ShowWindow
IsIconic
SetForegroundWindow
SetWindowPos

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken

ntdll

NtTerminateProcess
NtSetInformationProcess
NtSetSystemInformation
NtLockVirtualMemory
NtClose
RtlNtPathNameToDosPathName
RtlInitUnicodeString
NtCreatePagingFile
NtDuplicateObject
NtSuspendProcess
NtUnlockVirtualMemory
NtQueryInformationProcess
RtlNtStatusToDosError
NtOpenProcess
NtQuerySystemInformation
NtResumeProcess

shlwapi

PathFileExistsW
PathRemoveBackslashW
StrStrW
PathFindFileNameW
PathStripPathW

ws2_32

ntohs

Exports

Exports

??0CProtectServiceApp@@QAE@ABV0@@Z
??0CProtectServiceApp@@QAE@XZ
??0CServiceApp@@QAE@ABV0@@Z
??0CServiceBase@@QAE@ABV0@@Z
??1CProtectServiceApp@@QAE@XZ
??4CLpcParser@@QAEAAV0@ABV0@@Z
??4CProtectServiceApp@@QAEAAV0@ABV0@@Z
??4CServiceApp@@QAEAAV0@ABV0@@Z
??4CServiceBase@@QAEAAV0@ABV0@@Z
??_7CProtectServiceApp@@6B@
??_7CServiceApp@@6B@
??_7CServiceBase@@6B@
??_FCServiceBase@@QAEXXZ
?OnCommandLine@CProtectServiceApp@@UAEHPA_W@Z

Sections

.text
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 174KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b57f4d231363eb5fb1a8f2d3f14c73a4

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78Certificate

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

1c:04:dc:c9:be:35:c5:58:42:2b:af:ef:34:98:49:75Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

23:e6:c5:6b:a9:e0:40:97:b4:ee:12:4d:41:91:92:74:e5:ef:eb:7dSigner

Headers

DLL Characteristics

File Characteristics

Imports

lpcmanager

winservice

xprocessbus

support

kernel32

ole32

msvcp90

psapi

utility

msvcr90

iphlpapi

version

mpr

user32

advapi32

ntdll

shlwapi

ws2_32

Exports

Exports

Sections

.text Size: 108KB - Virtual size: 107KB

.rdata Size: 39KB - Virtual size: 39KB

.data Size: 1024B - Virtual size: 1KB

.rsrc Size: 174KB - Virtual size: 174KB

.reloc Size: 9KB - Virtual size: 9KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

1b:09:3b:78:60:96:da:37:bb:a4:51:94:46:c8:96:78
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

1c:04:dc:c9:be:35:c5:58:42:2b:af:ef:34:98:49:75
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

23:e6:c5:6b:a9:e0:40:97:b4:ee:12:4d:41:91:92:74:e5:ef:eb:7d
Signer

.text
Size: 108KB - Virtual size: 107KB

.rdata
Size: 39KB - Virtual size: 39KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 174KB - Virtual size: 174KB

.reloc
Size: 9KB - Virtual size: 9KB