Sample details: 1bd976dd77b31fe0f25708ad5c1351ae

Hashes
MD5: 1bd976dd77b31fe0f25708ad5c1351ae
SHA1: 50d075688835df04484f0b93792a530cb47a1872
SHA256: b3c28941ceb057de44d9c322a38bb0f63c62d7ffbd91cf7970964413978f8eb7
SSDEEP: 6144:tjvrIFn6FqaWJbuDvodq8FDG3Ii+F55dPGJfKWXw:tjvkFODq1UYi+F1PifzXw
Details
File Type: PE32
Yara Hits
YRP/Visual_Cpp_2005_DLL_Microsoft | YRP/Visual_Cpp_2003_DLL_Microsoft | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasDebugData | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Dropper_Strings | YRP/Check_OutputDebugStringA_iat | YRP/anti_dbg | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation
Parent Files
6f0c96f90c291731e428d50af0ebcb61
Source
Strings
!This program cannot be run in DOS mode.
=zRich
`.data
@.reloc
DriverStoreDeleteDriverPackageW
SetupUninstallOEMInfW
SetupGetInfDriverStoreLocationW
DriverStoreFindDriverPackageW
aDriverStoreAddDriverPackageW
pSetupInstallCatalog
GetSystemWow64DirectoryW
NtClose
NtQueryDirectoryObject
NtQueryObject
RtlCompareUnicodeString
RtlInitUnicodeString
NtOpenDirectoryObject
InstallSelectedDriver
UpdateDriverForPlugAndPlayDevicesW
DiInstallDevice
aDelete
NoRemove
ForceRemove
SetThreadStackGuarantee
aCorExitProcess
mscoree.dll
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
abad exception
(null)
Invalid parameter passed to C runtime function.
runtime error 
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
InitializeCriticalSectionAndSpinCount
aUnknown exception
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
DIFXAPI.pdb
VerSetConditionMask
RtlUnwind
ntdll.dll
InitializeCriticalSection
HeapCreate
OutputDebugStringA
GetModuleFileNameA
DeleteCriticalSection
GetModuleHandleW
HeapDestroy
LeaveCriticalSection
HeapAlloc
EnterCriticalSection
HeapReAlloc
HeapFree
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
InterlockedIncrement
InterlockedDecrement
GetLastError
lstrcmpiW
InterlockedExchange
SetLastError
VerifyVersionInfoW
GetVersionExW
lstrlenW
FreeLibrary
GetProcAddress
LoadLibraryW
DeleteFileW
SetFileAttributesW
GetEnvironmentVariableW
CompareStringW
GetFileAttributesW
MoveFileExW
GetTempFileNameW
CloseHandle
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetFileSize
CreateFileW
GetSystemWindowsDirectoryW
MultiByteToWideChar
WideCharToMultiByte
GetFullPathNameW
CopyFileW
LocalFree
RemoveDirectoryW
FindClose
FindNextFileW
lstrcmpW
FindFirstFileW
CreateDirectoryW
LocalReAlloc
LocalAlloc
GetProcessHeap
ReleaseMutex
GetSystemDirectoryW
DeviceIoControl
WaitForSingleObject
CreateMutexW
GetSystemTimeAsFileTime
RaiseException
GetVersionExA
HeapSize
GetCommandLineA
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
GetModuleHandleA
ExitProcess
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetCurrentThreadId
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
WriteFile
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
LoadLibraryA
SetFilePointer
GetConsoleCP
GetConsoleMode
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
CreateFileA
KERNEL32.dll
CharLowerW
UnregisterClassA
USER32.dll
SetupCopyOEMInfW
SetupOpenAppendInfFileW
SetupGetIntField
SetupGetFieldCount
SetupTermDefaultQueueCallback
SetupInitDefaultQueueCallbackEx
SetupDefaultQueueCallbackW
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
SetupGetStringFieldW
SetupFindFirstLineW
SetupCloseInfFile
SetupGetLineCountW
SetupCloseFileQueue
SetupQueueCopyW
SetupCommitFileQueueW
SetupOpenFileQueue
SetupOpenInfFileW
SetupFindNextMatchLineW
SetupFindNextLine
SetupDiGetActualSectionToInstallW
SetupInstallServicesFromInfSectionW
SetupInstallFromInfSectionW
SetupPromptReboot
SetupInstallFilesFromInfSectionW
SetupGetTargetPathW
SetupDiOpenClassRegKey
CM_Enumerate_Classes
CM_Get_DevNode_Status
CM_Locate_DevNodeW
CM_Get_Device_ID_List_SizeW
CM_Get_Device_ID_ListW
CM_Get_Device_IDW
SetupDiGetDeviceRegistryPropertyW
SetupDiEnumDeviceInfo
CM_Setup_DevNode
CM_Query_And_Remove_SubTreeW
SetupDiSetDeviceRegistryPropertyW
SetupQueueCopyIndirectW
SetupDiCallClassInstaller
SetupDiBuildDriverInfoList
SetupDiSetDeviceInstallParamsW
SetupDiGetDeviceInstallParamsW
SetupDiSetSelectedDevice
SetupDiOpenDeviceInfoW
SetupDiOpenDevRegKey
SetupDiGetDeviceInstanceIdW
SetupDiCreateDeviceInfoList
SetupDiGetDriverInfoDetailW
SetupDiGetSelectedDriverW
SetupDiSetClassInstallParamsW
SetupDiClassNameFromGuidW
SETUPAPI.dll
RegCloseKey
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
RegDeleteValueW
RegQueryValueExW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
SetEntriesInAclW
QueryServiceStatus
DeleteService
ControlService
CloseServiceHandle
OpenServiceW
OpenSCManagerW
StartServiceW
ADVAPI32.dll
CoUninitialize
CoInitialize
CoTaskMemFree
StringFromCLSID
CoCreateInstance
ole32.dll
pSetupGetGlobalFlags
pSetupSetGlobalFlags
WinVerifyTrust
CryptCATAdminCalcHashFromFileHandle
WINTRUST.dll
CertFreeCertificateContext
CertFreeCTLContext
CertGetCTLContextProperty
CryptQueryObject
CRYPT32.dll
RtlNtStatusToDosError
SetEndOfFile
CreateEventW
SetEvent
InterlockedCompareExchange
WaitForMultipleObjects
GetThreadLocale
CharPrevW
DIFXAPI.dll
DIFXAPISetLogCallbackA
DIFXAPISetLogCallbackW
DriverPackageGetPathA
DriverPackageGetPathW
DriverPackageInstallA
DriverPackageInstallW
DriverPackagePreinstallA
DriverPackagePreinstallW
DriverPackageUninstallA
DriverPackageUninstallW
SetDifxLogCallbackA
SetDifxLogCallbackW
.?AVCAtlException@ATL@@
.?AVSEHexception@@
.?AVCDfxException@@
.?AVbad_exception@std@@
.?AVexception@@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
    type="win32"
    name="Microsoft.Windows.DIFxAPI"
    version="5.1.0.0"
    processorArchitecture="x86"
<description>DIFxAppA</description>
<dependency>
    <dependentAssembly>
        <assemblyIdentity
            type="win32"
            name="Microsoft.Windows.Common-Controls"
            version="6.0.0.0"
            processorArchitecture="x86"
            publicKeyToken="6595b64144ccf1df"
            language="*"
        />
    </dependentAssembly>
</dependency>
</assembly>
Western Cape1
Durbanville1
Thawte1
Thawte Certification1
Thawte Timestamping CA0
031204000000Z
131203235959Z0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
http://ocsp.verisign.com0
0http://crl.verisign.com/ThawteTimestampingCA.crl0
TSA2048-1-530
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
031204000000Z
081203235959Z0W1
VeriSign, Inc.1/0-
&VeriSign Time Stamping Services Signer0
http://ocsp.verisign.com0
"http://crl.verisign.com/tss-ca.crl0
TSA2048-1-540
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
970110070000Z
201231070000Z0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
051011215520Z
100426070000Z0
Washington1
Redmond1
Microsoft Corporation1806
/Microsoft Windows Verification Intermediate PCA0
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
Washington1
Redmond1
Microsoft Corporation1806
/Microsoft Windows Verification Intermediate PCA0
051011232457Z
070111233457Z0
Washington1
Redmond1
Microsoft Corporation1.0,
%Microsoft Windows Component Publisher0
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
7http://crl.microsoft.com/pki/crl/products/WinIntPCA.crl0U
9http://www.microsoft.com/pki/certs/MicrosoftWinIntPCA.crt0
4https://www.microsoft.com/pki/ssl/cps/WindowsPCA.htm0f
Washington1
Redmond1
Microsoft Corporation1806
/Microsoft Windows Verification Intermediate PCA
http://www.microsoft.com0
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA
061102152152Z0