Sample details: 150e4bc31f0177adf31ff3ae80943328

Hashes
MD5: 150e4bc31f0177adf31ff3ae80943328
SHA1: 9e821c38b4567550218f83e874d855bb7773310c
SHA256: a37b4a11fab690ad359ae8d477236599359177cdff419156544c309978e4cac0
SSDEEP: 6144:UAcveQosFXOyK5xtxh/TACX29oFpTsRcTo7:1dQosEt5xXdTD2YsGo7
Details
File Type: PE32
Yara Hits
YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasRichSignature | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/anti_dbg | YRP/network_dropper | YRP/win_registry | YRP/win_files_operation | YRP/BASE64_table
Parent Files
01d838ca84eeba30591f789dcfcc3cca
Strings
!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
bad allocation
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
(null)
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Unknown exception
UTF-16LE
UNICODE
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
1#QNAN
1#SNAN
impactsetupcsnet2
impactsetupcsnet4
impactsetupnsi
/mpath="
/manifestfile="
http://b.greenpipesky.com/GetSoftwareFromICS.aspx?dd=greenpipesky&name=
 /upg=y
NSISUCIWindow
Version
Install
Software\Microsoft\NET Framework Setup\NDP\v4\Client
Software\Microsoft\NET Framework Setup\NDP\v3.5
InstallSuccess
Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup
Software\Microsoft\NET Framework Setup\NDP\v2.0.50727
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
File does not exist: '%s'
CreateProcess on file %s: %lu
urlmon.dll
URLDownloadToFileA
&#x%02X;
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
<?xml 
version="%s" 
version="
encoding="%s" 
encoding="
standalone="%s" 
standalone="
<![CDATA[
&apos;
&quot;
version
encoding
standalone
Error when TiXmlDocument added to document, because TiXmlDocument can only be at the root.
Error parsing CDATA.
Error null (0) or unexpected EOF found in input stream.
Error document empty.
Error parsing Declaration.
Error parsing Comment.
Error parsing Unknown.
Error reading end tag.
Error: empty tag.
Error reading Attributes.
Error reading Element value.
Failed to read Element name
Error parsing Element.
Failed to open file
No error
bad exception
KERNEL32.DLL
ADVAPI32.dll
SHLWAPI.dll
USER32.dll
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
WideCharToMultiByte
EnumResourceTypesA
EnumResourceNamesA
EnumResourceLanguagesA
FindResourceA
GetModuleHandleA
OpenThread
CloseHandle
CreateFileA
GetProcAddress
GetLastError
WriteFile
GetTempFileNameA
CreateProcessA
GetTempPathA
FreeLibrary
WriteConsoleW
FlushFileBuffers
SetStdHandle
GetConsoleMode
GetConsoleCP
GetStringTypeW
LoadLibraryW
LCMapStringW
SetFilePointer
GetTickCount
DeleteFileA
LoadLibraryA
GetCommandLineA
MultiByteToWideChar
RtlUnwind
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
RaiseException
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EncodePointer
DecodePointer
HeapSetInformation
GetStartupInfoW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
ExitProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapCreate
QueryPerformanceCounter
GetCurrentProcessId
CreateFileW
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
PathQuoteSpacesA
PathFileExistsA
PathAddExtensionA
EnumThreadWindows
FindWindowA
PostQuitMessage
ShowWindow
GetWindowRect
IsWindowVisible
DestroyWindow
IsWindow
SetTimer
SetForegroundWindow
BringWindowToTop
AnimateWindow
CreateDialogParamA
DispatchMessageA
TranslateMessage
GetMessageA
GetWindowTextA
.?AVtype_info@@
.?AVbad_alloc@std@@
.?AVexception@std@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVCAtlException@ATL@@
.?AVCICSManifestLoader@@
.?AVTiXmlBase@@
.?AVTiXmlNode@@
.?AVTiXmlDocument@@
.?AVTiXmlDeclaration@@
.?AVTiXmlText@@
.?AVTiXmlAttribute@@
.?AVTiXmlUnknown@@
.?AVTiXmlComment@@
.?AVTiXmlElement@@
.?AVbad_exception@std@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
    </application>
  </compatibility>
</assembly>