
Sample details: 0facfd29431720f9240d98b678c26ed5 --

Hashes
MD5: 0facfd29431720f9240d98b678c26ed5
SHA1: 1dda02b7651810e1823309a8f9df78f0ac5944f1
SHA256: d602f3f71b61ff12d1740e4e7eb2e21c58084e7eba123f37cb68bd56f18fdcef
SSDEEP: 768:2Z09dLu62ggaqPARI4GkcTBHbRZ5ACwOM57EAs4hu6uwiKtNfAWaDl:2ZALu69cARg9RSOM57EL4iKzfjaD
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/escalate_priv | YRP/win_token | YRP/win_files_operation | YRP/MD5_Constants |
Parent Files
71307d3abb40d8f29e810d2cb39a38f2
Strings
		!This program cannot be run in DOS mode.
lRicho
`.rdata
@.data
.reloc
 SVWj8
j@hXA@
WVhl	A
YY_^[]
SVWj@3
PVh\P@
SVWj@3
VPWh\n@
q\j@PV
<4,$?7/'
(3-!0,1'8"5.*2$
GetLastError
GetModuleFileNameA
GetTempPathA
GetWindowsDirectoryA
GetSystemDirectoryA
CloseHandle
GetCurrentProcess
Process32Next
Process32First
CreateToolhelp32Snapshot
MoveFileExA
GetTempFileNameA
DeleteFileA
GetFileAttributesA
TerminateProcess
OpenProcess
MoveFileA
GetTickCount
SetCurrentDirectoryA
GetCurrentDirectoryA
WriteFile
CreateFileA
WinExec
CopyFileA
GetEnvironmentVariableA
lstrcatA
lstrcpyA
GetShortPathNameA
WaitForSingleObject
CreateThread
KERNEL32.DLL
wsprintfA
GetKeyboardLayoutList
GetKeyboardLayoutNameA
ActivateKeyboardLayout
GetKeyboardLayout
LoadKeyboardLayoutA
UnloadKeyboardLayout
SystemParametersInfoA
SendMessageA
GetWindowThreadProcessId
EnumWindows
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
S2_32.dll
ImmGetDescriptionA
ImmIsIME
ImmInstallIMEA
IMM32.dll
memcpy
sprintf
strcpy
strrchr
??3@YAXPAX@Z
strstr
??2@YAPAXI@Z
strlen
memset
strncpy
strcat
strcmp
__CxxFrameHandler
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
NETAPI32.dll
GetModuleHandleA
GetStartupInfoA
_strlwr
_stricmp
game.exe
ksuser.dll
midimap.dll
Nua467RI
!3uSeDebugPrivilege
%c:\Recycled\%d.tmp
%c:\RECYCLER\%d.tmp
hml^o\i
aZfilk
If^d0'
])n\_mY
=)`YrZ
=)n]jh[
QOOe=*
;jhk`EXk_h]
Bbk@pnjcglKof``ok
Kof``ok1+F`uk
Hph[`pj0-Bapll
>n]_m]Olficadn,*NkXmndgr
Mfmpm_e>mb\Bs
PYdq=lmOal`d`LYg`_l
>o\^oaJcfgobKemaYb
>boLjm\9_aibno
BbkJj`mj^@\k[i`=
Ro`q`Ljm\]npDbhkjw
Mfmpm_e9gif`@t
Jm\kKnga^kn
BalQrkobdAdn]amgmv8
DmZ\GfYo\nq?
:o`]lcM`mbXa
@]oIXpoAjphj
>n]_m]@s\ko=
BbkJj`mj^>di\K\i]?
FBIK@H+0'\gi
9amaq^kbFaq`hYmaC^tkmr
>boG]w[g\o[I\ugsmDdpk
Jc`anq\o>hYql=s>
DmZ\>ripjn9
Pkibbekr^j>iXpn=
Hbjp\c]@hp<
LP@N+0'\gi
9bcmnqKlfafNkaqfcbbak
GlfhplHpbndi\d`RYjn]<
Jl]lIjj`\pnPgi^f
8AQ=HG,*)aci
AKF+-+[ig
llmi\k
llmoZem
lhmfeqa
llm`gv
EQO;MQ%agh
Xaifkq`ne
h^cij_
Z^[gpol]_\ds
Wqmjd`dm
X_`qgf_
dj\ejol,]dg
:^i`Ol]HmlZ
>kenPf_Mil^
KrZlppNk_Ljm\
PFNk_Ljm\
Dj\@jj^g`mmb
Fha;mgn`ojfjjDgll
Fdb?akrkgt
@j`AfsfJ`d`poajUhj_
@j`AkaZh`
@j`C]rK]bfjq`nOmk\Nqpi`
Ak^Ainlfma
Gf]Kof``okI^q
FdbMa_gll`oNlm`
Gf]Nbcb^p
Gf]Nbk>^pat^;jkkbsp
Gf]Nbk@jihmlaoffkNpjgg_
FdbOk9q\adBo
Di]Sgj`d`poajUhj_
Eloe^wBE@
Jb?aZs`Hmfmfga_c
bbmj]j,*)aci
Eg\aCf]nYpr9
kwlYkm
`thjhj`o%bsa
TQWGF=ZBMBIP
mreagh+0']sb
<JEANR@
-&,..6(W-\-
.&-)/1)B.J.X-a/y)
/51A+J0V0h/p1
1,160F2L,V1u1
2)143:-A2B2Q1[3f-}2
chinasougou.ime
:NW	A(
`wQt?,
e\iq#p
bxw4ic
F{JupCN
Is\XY-
1|t/B6L4
x1~`I(
?Ob~,m0
l`Q^>aml
(78>,s
A]/T4T
3Rl@E~f
Y t0E/
4nrh,Ep
&ewL+g
aJ*DNd
/^djPU
'7ed_q
^W5ocLd
CU6&qc
b`hAJNXi4
pY2 }j
.Ued_q
%	hT8,
$ CB4,
sD,A7V-u
oiawt?%
4r>dJhN
p3"3yQ
H<714j^?
[@].(6
J3=CG]bq
w4$!*R
x`}>*M>:1
~R)n~m
87c`@eZ/>
`4#:6n`
0wD"tX
y,D{C-^
iUQHV5Qr
hz18UL
	(UgH;
BRT/NXQ8
B9GRuZ
%FpQ,G
P;sYs{
?OqCw-".
AfH=pm
dS;__,Y
?OqCw-".
AfH=pm
2h~a"H
/B1Rx(l
0	L"as
?0g6Ln?
= ['l:*
<#*]oJJ"
NwQM5b
a`_lbS
p[3c:9B
Dsc delete cryptsvc
sc config cryptsvc start= disabled
net stop cryptsvc
%s%s%d.dll
sysapp
%sdllcache\%s
%syu%s
ComSpec
 >> NUL
/c del