393a0596761cc9fc6150713963d50c70_NEAS

Sharing

Copy URL Twitter E-mail

General

Target

393a0596761cc9fc6150713963d50c70_NEAS
Size

2.2MB
MD5

393a0596761cc9fc6150713963d50c70
SHA1

46cb1a890fa7a1dd08c69d29c46fad49d45cbd25
SHA256

03e676f35ea01d440ddf1fbce9a733d355744276a9bb5cb589d50919dea0703e
SHA512

6055c73dd6b88c18cd3eb308261673e97e1ef621a04656bb9da93eb0e867d75792db0f858feddc8ac0e617cd6f7cb12f567ff2fd7b9e7622ad653e517ecd1e63
SSDEEP

49152:ih7XUlPixsx3yd2OluON4fA9uLLwL+fZx/X3yd2OluON4fA9uk3yd2OluON4fA9H:ihbUl8sdLwL+fZx/x

Score

1^/10

Malware Config

Signatures

Files

393a0596761cc9fc6150713963d50c70_NEAS
.dll regsvr32 windows:4 windows x86 arch:x86

91ddd9a0e8db69f63fbe597ccf3e803f

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:1d:ab:11:da:c4:02:a1:66:27:ba
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

04/04/2006, 17:44

Not After

26/04/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:46:9e:cb:00:04:00:00:00:65
Certificate

Issuer

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/04/2006, 19:43

Not After

04/10/2007, 19:53

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

bd:3b:f4:85:9c:d9:c9:d2:45:f2:a4:66:e6:2f:8f:a3:3b:64:05:61
Signer

Actual PE Digest

bd:3b:f4:85:9c:d9:c9:d2:45:f2:a4:66:e6:2f:8f:a3:3b:64:05:61

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\Office\Source\groove\bin\ReleaseSym\GrooveShellExtensions.pdb

Imports

shlwapi

PathFileExistsW
PathAddBackslashW
UrlGetPartW
PathFindFileNameW
StrCmpIW
PathRemoveBackslashW
PathFindExtensionW
StrFormatByteSizeW
PathCombineW
PathCreateFromUrlW
PathIsDirectoryW
PathIsUNCServerShareW
PathIsUNCServerW
PathIsUNCW
PathIsRootW
AssocQueryKeyW
PathParseIconLocationW
PathSearchAndQualifyW

kernel32

FreeLibrary
GetProcAddress
WaitForSingleObject
CreateMutexW
ReleaseMutex
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
CloseHandle
FindFirstFileW
FindNextFileW
SetLastError
LoadLibraryW
GetModuleFileNameW
GetVersion
GetFileAttributesW
GetModuleHandleW
GetModuleHandleA
OutputDebugStringA
RaiseException
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
GetLastError
InterlockedDecrement
HeapSize
HeapReAlloc
HeapDestroy
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
HeapAlloc
GetProcessHeap
HeapFree
FindClose
DeleteCriticalSection
InterlockedIncrement
lstrlenW
WideCharToMultiByte
FlushInstructionCache
GetCurrentProcess
LoadLibraryA
FindResourceW
SizeofResource
LockResource
GetVersionExA
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
LoadResource
FindResourceExW
lstrlenA
MultiByteToWideChar
FormatMessageW
InterlockedExchange
InterlockedCompareExchange
TerminateProcess
DuplicateHandle
GlobalUnlock
GlobalLock
GlobalSize
GetDriveTypeW
GetEnvironmentVariableW
InitializeCriticalSection
LocalFree
Sleep
CreateProcessW
GetSystemWindowsDirectoryW
TlsGetValue
TlsSetValue
TlsFree
TlsAlloc
DeleteFileW
ExpandEnvironmentStringsW
lstrcmpW
CreateEventW
SetEvent
UnhandledExceptionFilter

user32

RegisterWindowMessageW
SetForegroundWindow
ShowWindowAsync
IsIconic
SetParent
SetScrollPos
GetScrollInfo
SetWindowPos
MapWindowPoints
GetWindowRect
GetWindow
ScreenToClient
WindowFromPoint
IsRectEmpty
PtInRect
SetMenuDefaultItem
ScrollWindowEx
ShowScrollBar
EqualRect
InvalidateRect
OffsetRect
KillTimer
SetTimer
SetScrollInfo
GetMessagePos
FillRect
FrameRect
GetSysColorBrush
DrawEdge
InflateRect
DrawFrameControl
LoadIconW
LoadStringW
MonitorFromPoint
GetMonitorInfoW
UpdateWindow
SetWindowTextW
UnionRect
ReleaseCapture
GetCapture
SetCapture
EndPaint
BeginPaint
EnableScrollBar
EnableWindow
IsWindowEnabled
CheckMenuRadioItem
GetMenuItemID
IsMenu
TrackPopupMenu
GetCursorPos
GetMenuStringW
LoadMenuW
SendDlgItemMessageW
GetDlgItem
ShowWindow
GetForegroundWindow
GetClientRect
GetKeyState
IntersectRect
SetRect
ReleaseDC
GetDC
GetParent
GetPropW
DrawIconEx
DestroyMenu
AppendMenuW
CreatePopupMenu
LoadBitmapW
DrawTextW
MessageBoxW
MessageBeep
SetRectEmpty
SetMenuItemInfoW
GetSystemMetrics
EnableMenuItem
InsertMenuItemW
DeleteMenu
GetMenuItemInfoW
GetMenuItemCount
CopyRect
SystemParametersInfoW
GetSysColor
SetCursor
CreateWindowExW
DestroyWindow
LoadImageW
DestroyIcon
CallNextHookEx
DefWindowProcW
CallWindowProcW
GetClassNameW
IsWindowVisible
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowLongW
PostMessageW
SendMessageW
RemovePropW
EnumChildWindows
SetPropW
GetWindowLongW
SetFocus
IsWindow
GetFocus
GetClassInfoExW
RegisterClassExW
LoadCursorW
PeekMessageW
DispatchMessageW
IsChild
GetSubMenu
LoadStringA
RegisterClipboardFormatW
UnregisterClassA
CheckMenuItem

gdi32

RoundRect
CreateSolidBrush
Rectangle
GetBkColor
SetPixel
SetViewportOrgEx
CreateCompatibleBitmap
SetBrushOrgEx
CreateBitmap
CreatePatternBrush
GetObjectW
SelectObject
CreateCompatibleDC
BitBlt
DeleteDC
DeleteObject
GetStockObject
CreateFontIndirectW
SaveDC
RestoreDC
SetBkMode
SetTextColor
CreateDIBSection
ExtTextOutW
IntersectClipRect
GetCurrentObject
GetDeviceCaps
DPtoLP
SetWindowOrgEx
LPtoDP
GetClipBox
CreatePen
SetBkColor

advapi32

RegOpenKeyExW
RegCloseKey
RegSetValueExW
CryptGenRandom
ConvertStringSecurityDescriptorToSecurityDescriptorW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
RegDeleteKeyW
RegEnumKeyExW
RegQueryValueExW

shell32

ExtractIconExW
SHGetMalloc
SHLoadInProc
SHChangeNotify
DuplicateIcon
SHGetFileInfoW
SHGetDesktopFolder
SHGetPathFromIDListW
SHGetDataFromIDListW

ole32

CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
CoCreateGuid
StringFromGUID2
CoCreateInstance
CoTaskMemFree
StringFromCLSID
ReleaseStgMedium
CoInitializeEx
CoUninitialize

oleaut32

DispCallFunc
SysStringLen
SysFreeString
SysAllocString
VariantClear
VariantInit

grooveutil

?IGrooveDispatchImplHelper_SetObjectReturnValue@@YGXPAVGCoScriptDispatchTearoff@@PAUtagVARIANT@@@Z
?IGrooveDispatchImplHelper_FindMultiDispatchEntry@@YGPBUGrooveMultiDispatchEntry@@PBU1@ABU_GUID@@PB_W@Z
?HandleAllNoUIErrorCatch@@YGXXZ
?Encode@GCBase64Coder@@SG?AVGCStrRetVal@@PBEK_N@Z
?StartsWith@GCStr@@QBE_NPB_W@Z
?Set@GCStr@@QAEXPB_W@Z
?StringToLong@raw_GCStr@@SGJPB_WJ@Z
?Set@GCVariant@@QAEXABV1@@Z
?Empty@GCIPtrBase@@QAEXXZ
?SAFE_EMPTY_STRING_CBSTR@raw_GCStr@@2PB_WB
?Format@GCStr@@QAAJPB_WZZ
?CreateDirectories@GCFileInterface@@SGXPB_W@Z
?Append@GCStr@@QAEXPB_W@Z
?EndsWith@GCStr@@QBE_NPB_W@Z
?GetUserRootPath@GCStorageURIPathInfo@@QAEPB_WXZ
?CheckIsValid@GCStorageURIPathInfo@@QAEXXZ
??1GCStorageURIPathInfo@@QAE@XZ
??0GCStorageURIPathInfo@@QAE@XZ
??1GCEventSourceBase@@QAE@XZ
?CreateScriptDispatchTearoff@@YG?AV?$GCIPtrRetVal@UIDispatch@@$1?_GUID_00020400_0000_0000_c000_000000000046@@3U__s_GUID@@B@@PBUGrooveMultiDispatchEntry@@PAUIUnknown@@_N@Z
?ScriptHasInterfaceMethod@@YGJPAXPBXJGPAUtagDISPPARAMS@@PAUtagVARIANT@@@Z
?HandleAllIfMethodCatch@@YGJPBU_GUID@@@Z
??0GCStr@@QAE@PB_W@Z
?int_Inst@GCError@@CGPAUHINSTANCE__@@XZ
?int_RawError@GCError@@CG?AV1@KQAUHINSTANCE__@@JPB_W1KPAUIErrorInfo@@PAD@Z
?GOutputDebugString@@YGXPB_W@Z
?Append@GCStackStrBase@@QAEXQB_WK@Z
?Set@GCStackStrBase@@QAEXQB_WK@Z
?LongToString@raw_GCStr@@SGXJPAVGCStackStrBase@@J@Z
?int_DeallocateBufferIfNecessary@GCStackStrBase@@AAEXAAPA_W@Z
?_Release@GCStr@@AAEXXZ
?GetValue@GCRegistryKey@@QBEJAAKPB_WPAK@Z
?Open@GCRegistryKey@@QAEJK@Z
??1GCRegistryKey@@UAE@XZ
??0GCRegistryKey@@QAE@W4KEY_ROOT@0@PB_W_N@Z
?IGrooveDispatchImplHelper_IsSafeForScripting@@YG_NPBUGrooveSafeForScriptingEntry@@PAUITypeInfo@@ABU_GUID@@JG@Z
?ms_MainSTAThreadId@GCGrooveThreadId@@0KA
?hr_LoadTypeLib@GCTypeLibLoader@@SGJABU_GUID@@GGKPAPAUITypeLib@@@Z
?CreateInstanceNoRelease@GCIPtrBase@@IAEXABU_GUID@@0K@Z
?QueryInterfaceNoRelease@GCIPtrBase@@IAEXABU_GUID@@PAUIUnknown@@@Z
?IGrooveDispatchImplHelper_FindMultiDispatchEntry@@YGPBUGrooveMultiDispatchEntry@@PBU1@ABU_GUID@@J@Z
?Equals@GCStr@@QBE_NPB_W@Z
?CreateScriptDispatchTearoff@@YG?AV?$GCIPtrRetVal@UIDispatch@@$1?_GUID_00020400_0000_0000_c000_000000000046@@3U__s_GUID@@B@@PAUIUnknown@@_N@Z
?EndErrorBlock@GCCriticalErrorInfo@@SGXXZ
?StartErrorBlock@GCCriticalErrorInfo@@SGX_N@Z
??1GCAnyIPtr@@QAE@XZ
?int_Win32Error@GCError@@CG?AV1@KK@Z
?Set@GCVariant@@QAEXPB_W@Z
?AddSinkBase@IConnectionPointImplBase@@QAEJABU_GUID@@PAUIUnknown@@PAK@Z
?Length@raw_GCStr@@SGKABVGCStr@@@Z
?int_Equals@ObjectImpl@GWS@@ABE_NABVVariant@2@@Z
?int_Clone@ObjectImpl@GWS@@ABE?AVObject@2@XZ
?int_Deserialize@ObjectImpl@GWS@@AAEXPAUIXMLDOMNode@MSXML2@@PB_WPAVTypeResolver@2@@Z
?int_Serialize@ObjectImpl@GWS@@ABEXPAUIXMLDOMNode@MSXML2@@PB_W@Z
?CreateMethodArgs@Util@GWS@@SAPBUMethodArg@2@PB_WZZ
?CreateMethodDescriptors@Util@GWS@@SAPBUMethodDescriptor@2@PB_WZZ
?CreateAttrArgs@Util@GWS@@SAPBUAttrArg@2@PB_WZZ
?CreateAttrs@Util@GWS@@SAPBUAttr@2@PB_WZZ
?ReadValue@Util@GWS@@SG_NPB_W0PAX@Z
?RemoveSinkBase@GCEventSourceBase@@IAEJK@Z
?MakeTheCallsBase@GCEventSourceBase@@QAEXP6G_NPAXAAVGCFireCtx@@@Z0K0ABU_GUID@@@Z
?Init@GCFireCtx@@QAEXAAVGCDynamicUnkArray@@@Z
?DeallocateHashTable@@YGXPAXK@Z
?int_RawError@GCError@@CG?AV1@KJ@Z
??1GCError@@QAE@XZ
?int_FromLastErrorInfo@GCError@@CG?AV1@KJ_N@Z
?InterfaceSupportsErrorInfoHelper@GCoSupportErrorInfoTearOffBase@@AAEJPBXPAUIUnknown@@ABU_GUID@@@Z
?QueryInterfaceNoReleaseNoThrow@GCIPtrBase@@IAEJABU_GUID@@PAUIUnknown@@@Z
?ProvideIMarshal@GCFTMIMarshalProvider@@QAGJPAUIUnknown@@PAPAX@Z
?StopSharing@GCVariant@@AAEXXZ
?_Release@GCVariant@@AAEXXZ
?ToPowerOf2@@YGKK@Z
?AllocateHashTable@@YGPAXK@Z
?Hash@@YGKPBEKK@Z
?Compare@GCStr@@QBEJPB_W@Z
?int_COMError@GCError@@CG?AV1@JPAUIUnknown@@ABU_GUID@@11@Z
?Throw@GCError@@QBEXXZ
?HandleMessageMapErrorCatch@@YGXKIJ@Z
?HandleAllErrorCatch@@YGXXZ
?GetHandle@GCGrooveResourceModule@@SGPAUHINSTANCE__@@XZ
?Equals@raw_GCStr@@SG_NPB_W0@Z
?Create@GCRegistryKey@@QAEJK@Z
?SetValue@GCRegistryKey@@QAEJKPB_W@Z
?ConcatStringsWithLengths@GCStackStrBase@@QAAKKQB_WK0KZZ
??0GCRegistryKey@@QAE@PAUHKEY__@@PB_W_N@Z
?Set@GCErrorInfo@@SGXPAUIErrorInfo@@@Z
?SetWithConvert@GCStr@@QAEXPBD@Z
?EnableUIThreadProxy@@YGX_N@Z
?SetThreadName@@YGXPB_WK@Z
?EnumConnectionsBase@IConnectionPointImplBase@@QAEJPAPAUIEnumConnections@@@Z
??4GCAtom@@QAEABV0@PB_W@Z
?GrooveHandleShipAssert@@YGXPBDK0K@Z
?ms_RunningProcessChecked@GCSafeScriptingSupport@@0_NA
?ms_RunningInGrooveProcess@GCSafeScriptingSupport@@0_NA
?int_IsRunningInGrooveProcess@GCSafeScriptingSupport@@CG_NXZ
??1GCAtom@@QAE@XZ
?QIBase@IConnectionPointImplBase@@QAEJABU_GUID@@PAPAX@Z
?FindConnectionPointBase@IConnectionPointContainerGrooveBase@@QAEJPBU_ATL_CONNMAP_ENTRY@ATL@@ABU_GUID@@PAPAUIConnectionPoint@@@Z
?EnumConnectionPointsBase@IConnectionPointContainerGrooveBase@@QAEJPBU_ATL_CONNMAP_ENTRY@ATL@@HPAPAUIEnumConnectionPoints@@@Z
?IsWindowsVistaOrLater@GCOSVersionInformation@@SG_NXZ
?Set@raw_GCStr@@SGXAAVGCStr@@PB_WK@Z
?DeTokenize@raw_GCStr@@SG?AVGCStrRetVal@@ABVGCArrayStr@@PB_W@Z
?ToLowerInPlace@raw_GCStr@@SGXPA_WK@Z
?DeleteValue@GCRegistryKey@@QAEJPB_W@Z
?SetValue@GCRegistryKey@@QAEJPB_W0@Z
?GetValue@GCRegistryKey@@QBEJAAVGCStr@@PB_WPAK@Z
?FindLastChar@raw_GCStr@@SG_NPB_W_WAAK@Z
?EndsWithNoCase@GCStr@@QBE_NPB_W@Z
?Serialize@?$PersistHelper@UTimeRep@GWS@@@GWS@@SGXPAUIXMLDOMNode@MSXML2@@PB_WUTimeRep@2@@Z
?Deserialize@?$PersistHelper@UTimeRep@GWS@@@GWS@@SG?AUTimeRep@2@PAUIXMLDOMNode@MSXML2@@PB_WPAVTypeResolver@2@@Z
?DefaultValue@TimeRep@GWS@@2U12@A
?Decode@GCBase64Coder@@SGPAEPB_WAAKPA_N@Z
?LoadRBDString@GCRBDStringLoader@@SG?AVGCStrRetVal@@PB_W0@Z
?Mid@raw_GCStr@@SG?AVGCStrRetVal@@PB_WKK@Z
?Find@raw_GCStr@@SG_NPB_W_WAAK@Z
?Last@raw_GCStr@@SG?AVGCStrRetVal@@PB_WK@Z
?First@raw_GCStr@@SG?AVGCStrRetVal@@PB_WK@Z
?ToLowerCase@GCChar@@SG_W_W@Z
?ToLower@raw_GCStr@@SG?AVGCStrRetVal@@PB_W@Z
?Find@GCStr@@QBE_NPB_WAAK@Z
?MessageFormat@GCStr@@QAEJKPB_W000ABVGCLocale@@QAUHINSTANCE__@@@Z
?Serialize@?$PersistHelper@_N@GWS@@SGXPAUIXMLDOMNode@MSXML2@@PB_W_N@Z
??0GCDateFormat@@QAE@W4STYLE@0@0ABVGCLocale@@@Z
??1GCDate@@QAE@XZ
?Format@GCDateFormat@@QBE?AVGCStrRetVal@@ABVGCDate@@@Z
??0GCStr@@QAE@ABV0@@Z
??1GCLocale@@QAE@XZ
?GetDefault@GCLocale@@SG?BV1@XZ
?StringToUnsignedLong@raw_GCStr@@SGKPB_WJ@Z
?GetCharSet@GCIntlFontUtil@@SGEPB_W@Z
?LongToString@raw_GCStr@@SG?AVGCStrRetVal@@JJ@Z
?Tokenize_Helper@raw_GCStr@@CGXPB_W0PAVGCArrayStr@@PAV?$GCSet@VGCStr@@PB_WV?$GCHashMapResizeHelper@$01$00$03@@@@@Z
?EndsWith_Helper@raw_GCStr@@CG_NPB_W0_N@Z
?StartsWithNoCase@GCStr@@QBE_NPB_W@Z
?LaunchURL@GCHelpLauncher@@SGXPB_WPAUHWND__@@@Z
?GetHandle@GCStdCryptProv@@SGKXZ
?GetApplicationName@GCMso@@SGPB_WXZ
?FormatHelper@GCStr@@AAEJPB_WPADI@Z
?WriteValue@Util@GWS@@SA?AVGCStrRetVal@@PB_WZZ
?Set@GCError@@QAEXJPAUIUnknown@@ABU_GUID@@@Z
??0GCError@@QAE@XZ
?Set@GCVariant@@QAEXPAUIDispatch@@@Z
?int_ErrorBase@GCError@@CG?AV1@KJPB_W00PAUIErrorInfo@@JABU_GUID@@0K@Z
?Alloc@GCThunkHeap@@SGPAXK@Z
?Free@GCThunkHeap@@SGXPAX@Z
?SetFromResource@GCStr@@QAEXKQAUHINSTANCE__@@@Z
?EqualsNoCase@GCStr@@QBE_NPB_W@Z
?UsingLocalProtocol@Util@GWS@@SG_NXZ
?Prepare@SoapHttpClientImpl@GWS@@QAEXPB_W0_N@Z
??1ArrayInitializer@GWS@@QAE@XZ
??0ArrayInitializer@GWS@@QAA@HZZ
?Invoke@SoapHttpClientImpl@GWS@@IAE?AV?$Array@VObject@GWS@@@2@PB_WABV32@@Z
?DynamicCastHelper@Util@GWS@@SG?AVObject@2@PBVTypeInfo@2@ABVVariant@2@@Z
?GetMetadataLock@Object@GWS@@SGPAVGCUnenforcedReentrantSemaphore@@XZ
?CreateSerializationElement@Util@GWS@@SG?AV?$GCIPtrRetVal@UIXMLDOMElement@MSXML2@@$1?IID_IXMLDOMElement@2@3U_GUID@@B@@PAUIXMLDOMNode@MSXML2@@PBVTypeInfo@2@PB_W@Z
??1ArrayTypeInfoBase@GWS@@IAE@XZ
?TryDynamicCastHelper@Util@GWS@@SG_NAAVObject@2@PBVTypeInfo@2@ABVVariant@2@@Z
?DeserializeObject@Util@GWS@@SG?AVObject@2@PBVTypeInfo@2@PAUIXMLDOMNode@MSXML2@@PB_WPAVTypeResolver@2@@Z
??0ArrayTypeInfoBase@GWS@@IAE@PBVTypeInfo@1@@Z
?Deserialize@?$PersistHelper@_N@GWS@@SG_NPAUIXMLDOMNode@MSXML2@@PB_WPAVTypeResolver@2@@Z
?ConcatStringsToBuffer@raw_GCStr@@SAKPA_WKKPB_W1ZZ
??0GCStr@@QAE@PBDW4ExplicitConvert@0@@Z

msvcr80

__clean_type_info_names_internal
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_except_handler4_common
_crt_debugger_hook
__CppXcptFilter
_adjust_fdiv
_amsg_exit
_initterm_e
_initterm
_encoded_null
_malloc_crt
_decode_pointer
_onexit
_lock
__dllonexit
__CxxFrameHandler3
_encode_pointer
_unlock
?terminate@@YAXXZ
_beginthread
memcmp
_itow_s
_wtoi64
abs
strchr
qsort
floor
labs
strlen
memmove_s
_wcsicmp
_purecall
memcpy_s
memset
swprintf_s
_recalloc
free
_wcslwr_s
wcslen
wcscmp
_CxxThrowException

groovenew

?GrooveDelete@@YAXPAX@Z
?GrooveNew@@YAPAXI@Z

atl80

ord31
ord11
ord32
ord10
ord44
ord43
ord23
ord61
ord55
ord19
ord15
ord18
ord22
ord64
ord58
ord24

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 502KB - Virtual size: 501KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 211KB - Virtual size: 211KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 48KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

91ddd9a0e8db69f63fbe597ccf3e803f

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

6a:0b:99:4f:c0:00:1d:ab:11:da:c4:02:a1:66:27:baCertificate

Extended Key Usages

Key Usages

61:46:9e:cb:00:04:00:00:00:65Certificate

Extended Key Usages

Key Usages

bd:3b:f4:85:9c:d9:c9:d2:45:f2:a4:66:e6:2f:8f:a3:3b:64:05:61Signer

Headers

File Characteristics

PDB Paths

Imports

shlwapi

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

grooveutil

msvcr80

groovenew

atl80

Exports

Exports

Sections

.text Size: 502KB - Virtual size: 501KB

.rdata Size: 211KB - Virtual size: 211KB

.data Size: 48KB - Virtual size: 50KB

.rsrc Size: 1.3MB - Virtual size: 1.3MB

.reloc Size: 98KB - Virtual size: 98KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:1d:ab:11:da:c4:02:a1:66:27:ba
Certificate

61:46:9e:cb:00:04:00:00:00:65
Certificate

bd:3b:f4:85:9c:d9:c9:d2:45:f2:a4:66:e6:2f:8f:a3:3b:64:05:61
Signer

.text
Size: 502KB - Virtual size: 501KB

.rdata
Size: 211KB - Virtual size: 211KB

.data
Size: 48KB - Virtual size: 50KB

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

.reloc
Size: 98KB - Virtual size: 98KB