
Sample details: 2ac6921981cd2c57b4ffd1a91b881f15

Hashes
MD5: 2ac6921981cd2c57b4ffd1a91b881f15
SHA1: 9ff5bc88b7604a7da61744490cc573695f111786
SHA256: 7ddedf5c4f4c098af0d4983af66303a6866ba0dae11165898fec3f7f8ed17c09
SSDEEP: 1536:xHOSFFlykET+BETuYSDj3pLc8mVPsWjcdQtYpx:NtFy+BETn4JQtwx
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasDebugData | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/anti_dbg | YRP/win_files_operation | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/RookieStrings | YRP/Rookie |
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
<at-<rt"<wt
URPQQh
~pjCXf
j@j _W
< t8<	t4
;t$,v-
UQPXY]Y[
~';_t|%3
tHHt*Ht#
PP9E u
tO9=0O
jA[jZZ+
v	N+D$
PWWWWV
PSSSSV
+t"HHt
,SVWj0X
Wj0XPV
v	N+D$
UTF-16LE
UNICODE
CorExitProcess
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateEventExW
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
GetTickCount64
GetFileInformationByHandleExW
SetFileInformationByHandleW
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
CreateFile2
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1#SNAN
1#QNAN
RookIE/1.0
c:\rwe.exe
http://211.200.126.134:1573/544.exe
http://211.200.126.134:1573/544.exe
Information
DLL_PROCESS_DETACH
\Projects\Dllhijack\Dllhijack\Release\Dllhijack.pdb
KERNEL32.dll
MessageBoxA
USER32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
InternetReadFile
InternetOpenA
InternetCloseHandle
WININET.dll
GetCommandLineA
GetCurrentThreadId
IsDebuggerPresent
IsProcessorFeaturePresent
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
WriteFile
GetLastError
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
CloseHandle
HeapFree
SetLastError
ExitProcess
GetModuleHandleExW
GetProcAddress
AreFileApisANSI
MultiByteToWideChar
GetProcessHeap
GetStdHandle
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
SetFilePointerEx
SetStdHandle
WriteConsoleW
FlushFileBuffers
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetModuleFileNameW
LoadLibraryExW
HeapAlloc
HeapReAlloc
CreateFileW
GetStringTypeW
OutputDebugStringW
HeapSize
LCMapStringW
SetEndOfFile
ReadFile
ReadConsoleW
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
050X0^0i0
1#1(181>1I1N1]1b1m1r1z1
4A5y5~5
5&6<6e6
8%8]8c8i8o8u8{8
9(919H9*:j:u:{:
;);8;?;P;^;i;q;~;
<F<O<q<|<
?2?Q?p?
#070g0q0
5E7c7|7
8 8$8(8r8x8|8
9 9$9E9o9
;L;R;{;
<2=L=Y=
>	>'>4><>X>d>j>u>
>6?>?Q?\?a?q?}?
181=1I1N1m1
2@3F3M3
8(8W8_8p8
9-979=9L9V9\9n9x9~9
:':,:2:::?:E:M:R:X:`:e:k:s:x:~:
;#;);1;6;<;D;I;O;W;\;b;j;o;u;};
< <(<-<3<;<@<E<N<S<Y<a<g<u<
?$?*?4?J?]?s?|?
01060[0p0v0
8P9Z9u9
;%;2;<;
;	<%<h<z<
=I=O=W=
>$>+>w>
1+1I1^1h1
2o2)3\3
5 515[5b5i5p5
7'8<8J8S8~8
9.9H9P9[9r9
;)<R<e<u<
=(=9=E=L=S=n=x=
>9>>>C>Z>
>"?'?0?<?A?m?s?y?
0 0%0*0/080
3V4\4h4
6'8@9K9e9}9
0(0:0L0^0p0
9#:2:U:f:l:x:
;#;;;A;J;P;Z;e;
;'<-<O<
1.1Q1e1
;@<,=2=6=;=A=E=K=O=U=Y=^=d=h=n=r=x=|=
7-8D8~8
=E?c?|?
0 0$0(0r0x0|0
1 1$1E1o1
4E6P6`6
4181<1@1L1P1T1
8$9,949<9D9L9T9\9d9l9t9|9
,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?4?<?D?L?T?\?d?l?t?|?
0$0,040<0D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3H3P3X3`3h3p3x3
4 4(40484@4H4P4X4`4h4p4x4
5 5(50585@5H5P5X5`5h5p5x5
6 6(60686@6H6P6X6`6h6p6x6
7 7(70787@7H7P7X7`7h7p7x7
8 8(80888@8H8P8X8`8h8p8x8
9 9(90989@9H9P9X9`9h9p9x9
: :(:0:8:@:H:P:X:`:
(=,>0>
?(?H?d?h?
080D0`0
1 1@1L1h1
2$2(2H2h2
6 6$6(6,6064686<6@6L6P6T6X6\6`6d6h6l6p6t6x6|6
6$747D7T7d7
= =$=(=,=0=4=@=D=H=L=P=T=X=\=d=h=p>