Sample details: 5705c4391c9bdedcfc825a967e4e30f3

Hashes
MD5: 5705c4391c9bdedcfc825a967e4e30f3
SHA1: 5fd7871504a6579c56f42bb34b881f4b63305305
SHA256: 04b7adfe7a8c6d077c85842119e8e3db0055fbf92f9f6f8b439319fdef270c94
SSDEEP: 3072:3y8p5g3y67f0RMozutg3C3MqqDL2/LRfvds:3y8p5vLV3DqqDL65vds
Details
File Type: PE32
YARA Hits
YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/contentis_base64 | YRP/Antivirus | YRP/VM_Generic_Detection | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/anti_dbg | YRP/network_http | YRP/network_dga | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/Crypt32_CryptBinaryToString_API | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | FlorianRoth/ReflectiveLoader |
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
D$,+D$
L$0+L$ 
~pjCXf
uChl*@
j@j _W
< t8<	t4
<v5hB9B
URPQQh J@
tO9= DB
PP9E u
jA[jZZ+
;t$,v-
UQPXY]Y[
~';_t|%3
v	N+D$
PWWWWV
PSSSSV
+t"HHt
,SVWj0X
Wj0XPV
v	N+D$
ivpCkv
CorExitProcess
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateEventExW
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
GetTickCount64
GetFileInformationByHandleExW
SetFileInformationByHandleW
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1#SNAN
1#QNAN
ReflectiveLoader
VirtualProtect
ExitProcess
GetTickCount
VirtualFree
OpenProcess
ExitThread
GetLastError
VirtualAlloc
GetWindowsDirectoryW
GetVolumeInformationW
KERNEL32.dll
GetSystemMetrics
MessageBoxW
GetCursorPos
USER32.dll
GetCommandLineA
SetLastError
GetCurrentThreadId
EncodePointer
DecodePointer
GetModuleHandleExW
GetProcAddress
MultiByteToWideChar
WideCharToMultiByte
GetProcessHeap
GetStdHandle
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
WriteFile
GetModuleFileNameW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsDebuggerPresent
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
EnterCriticalSection
LeaveCriticalSection
HeapFree
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
LoadLibraryExW
RtlUnwind
OutputDebugStringW
HeapAlloc
HeapReAlloc
GetStringTypeW
HeapSize
LCMapStringW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx
WriteConsoleW
CloseHandle
CreateFileW
((((((((((((((((((((((((((
																																																										
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
VdclVdc\
!This program cannot be run in DOS mode.
:4Rich
`.rdata
@.data
@.rsrc
@.reloc
SVWj@h
<}tK<=tBF
<}t)F<=t
HthHuo
<}tcG<=t
SVWj@h
SVWj@h
D$$PQh
D$$PWh
D$$PWh
SVWj@h
SVWj@h
QSVWj@h
0SWj@h
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c 
D""fT**~;
;d22Vt::N
J%%o\..r8
gg}V++
jL&&Zl66A~??
Sb11?*
tX,,.4
RRMv;;a
MMUf33
PPDx<<
cB!!0 
~~Gz==
fD""~T**
Vd22Nt::
xxoJ%%r\..$8
ppB|>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
a5_j5W
=&&jL66Zl??A~
g99KrJJ
==Gzdd
""fD**~T
22Vd::Nt
$$lH\\
77Ynmm
%%oJ..r\
55_jWW
[T:$6.
[.:$6g
j_FbT~
h4,8$@_
2\tHlWB
PQAeS~
~4[C)v
8$4,6-9'$6.:*?#1pHhX~AeSlZrNbS
EHl\tFeQ
T~FbZwKi
,8$4'6-9:$6.1*?#XpHhS~AeNlZrEbS
FeQbT~FiZwK
4,8$9'6-.:$6#1*?hXpHeS~ArNlZ
EbS\tHlQ
FeFbT~KiZw
$4,8-9'66.:$?#1*HhXpAeS~ZrNlS
Ebl\tHeQ
F~FbTwKiZ
pub_key
DELETE}
{DELETE}
Fatal error
Fatal error: rsaenh.dll is not initialized as well
advapi32.dll
CheckTokenMembership
Address:
fabian wosar <3
Can't find server
aeriedjD#shasj
*******************
RtlComputeCrc32
GandCrabGandCrabnomoreransom.coinomoreransom.bit
encryption.dll
_ReflectiveLoader@0
ExitProcess
lstrlenA
HeapAlloc
HeapFree
GetProcessHeap
GetProcAddress
VirtualAlloc
GetModuleHandleA
lstrcpyA
GetEnvironmentVariableW
GetFileSize
MapViewOfFile
UnmapViewOfFile
GetModuleHandleW
WriteFile
GetModuleFileNameW
CreateFileW
ExitThread
lstrlenW
GetTempPathW
CreateFileMappingW
lstrcatW
CloseHandle
CreateThread
VirtualFree
lstrcmpiW
lstrcmpiA
SetFilePointer
GetFileAttributesW
ReadFile
GetLastError
MoveFileW
lstrcpyW
SetFileAttributesW
CreateMutexW
GetDriveTypeW
VerSetConditionMask
WaitForSingleObject
GetTickCount
InitializeCriticalSection
OpenProcess
GetSystemDirectoryW
TerminateThread
TerminateProcess
VerifyVersionInfoW
WaitForMultipleObjects
DeleteCriticalSection
ExpandEnvironmentStringsW
CreateProcessW
SetHandleInformation
lstrcatA
MultiByteToWideChar
CreatePipe
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
LeaveCriticalSection
EnterCriticalSection
FindFirstFileW
lstrcmpW
FindClose
FindNextFileW
GetNativeSystemInfo
GetComputerNameW
GetDiskFreeSpaceW
GetWindowsDirectoryW
GetVolumeInformationW
LoadLibraryA
KERNEL32.dll
DispatchMessageW
DefWindowProcW
UpdateWindow
SendMessageW
CreateWindowExW
ShowWindow
SetWindowLongW
LoadIconW
RegisterClassExW
TranslateMessage
wsprintfW
BeginPaint
LoadCursorW
GetMessageW
DestroyWindow
EndPaint
MessageBoxA
GetForegroundWindow
USER32.dll
TextOutW
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegSetValueExW
AllocateAndInitializeSid
FreeSid
CryptExportKey
CryptAcquireContextW
CryptGetKeyParam
CryptReleaseContext
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
GetUserNameW
RegQueryValueExW
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
CryptStringToBinaryA
CryptBinaryToStringA
CRYPT32.dll
InternetOpenW
InternetReadFile
InternetConnectW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
InternetCloseHandle
WININET.dll
GetDeviceDriverBaseNameW
EnumDeviceDrivers
PSAPI.DLL
IsProcessorFeaturePresent
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
1#1-171A1i1s1}1
2:2D2N2X2b2l2v2
3)333=3G3^3h3r3|3
4/494C4M4W4g4q4{4
5(585B5L5V5~5
6'6O6Y6c6m6w6
6 7*747>7H7R7\7s7}7
8#8-8D8N8X8b8l8|8
9)939=9M9W9a9k9
:(:2:<:d:n:x:
;5;?;I;S;];g;q;
='=1=;=E=m=w=
>?>I>S>]>g>q>{>
?%?/?9?C?M?e?o?y?
070A0K0U0_0o0y0
1'111A1K1U1_1
2'212Y2c2m2w2
3+353?3I3S3]3g3
4%4/494Q4[4e4o4y4
5#5-575A5K5[5e5o5y5
6-676A6K6s6}6
7E7O7Y7c7m7w7
7N8k8{8
<0<7<I<Z<b<
>0>U>[>j>w>
1S2]2d2u2
6(6Z6e6m6
6.737:7@7u7{7
919B9i9~9
9+:2:@:G:N:U:\:c:q:x:
>B>T>]>g>
20N0b0i0s0z0
2)2/2?2D2
7'7/777?7G7O7W7_7g7o7w7
8'828=8H8S8^8d8~8
9]9n9y9
9,:F:_:g:
;%;+;K;Q;s;
<1<_<m<
0>0L0S0j0
1#181?1P1a1h1y1
1$2;2`2m2u2
3,3=3C3H3Y3x3
404<4[4m4|4
5$555B5O5\5i5t5
7"7,7<7K7o7
;#;(;5;O;
;(<2<H<
3@3X3b3n3w3
575=5W5c5m5}5
6-62686e6j6
8)858A8f8}8
9d:i:v:
;#;.;L;a;j;z;
<1<><O<`<i<p<w<
<!=.=;=H=d=
> >.>b>
?+?9?t?
000>0R0`0t0
1)171A1a1{1
2"282C2Y2d2
3(313`3
4B4T4o4x4
5!5C5V5_5j5s5
6'6G6N6S6c6h6o6v6}6
6 72777R7g7l7
8!8(8/868=8D8J8n8v8
829<9E9N9d9p9x9
:::b:i:p:w:~:
;7;\;a;i;q;x;
=%?D?q?{?
0'0F0r0~0
3_3m3|3
364C4R4\4b4
5g5n5~5
5$6+6;6H6s6z6
7H7O7^7h7n7
8$838=8C8
<#<+<0<4<8<a<
>A>H>L>P>T>X>\>`>d>
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
0!0Z0u0
1?1N1S1
3F3j3y3
5e5k5w5
6[6`6j6
= =,=;=`=
>:>S>d>x>
?#?3???D?O?Y?o?
00G0T0`0p0v0
1/1r1y1
4@4U4_4e4k4q4
7'727d7
8-848:8H8N8c8t8
:::B:O:T:o:t:
;+<3<J<h<
= =3=k=q=w=}=
>&>6>?>Q>_>v>
?&?@?_?t?~?
00161;1D1J1Z1b1h1w1
2/252;2B2K2P2V2^2c2i2q2v2|2
3!3'3/343:3B3G3M3U3Z3_3h3m3s3{3
4&4+41494>4D4L4Q4W4_4d4j4r4w4}4
5%5+555K5^5t5}5
62676\6q6w6
7&7e7z7
9 :6:o:
:/;6;L;V;
<*>A>y>
0#0Q0|0
122j2L3
464J4z4
5<6C6K6
7%7+7M7Z7b7h7t7y7~7
7#8(81868?8D8Q8
;#;5;D;K;\;j;u;
<L<Q?`?
0'0.060?0Q0i0o0x0~0
1F2L2X2
3F3X3j3|3
4=4O4a4s4
1!2(2,2024282<2@2D2
2F4Z425X5c5
7/787Z7{7
8'8G9w9
=P>Y>6?A?T?h?
*030?1H142~2
575M5`5
:p;\<b<f<k<q<u<{<
<>=`>h>
0<1D1P1_1
? ?$?(?,?0?4?8?<?@?D?H?
6@7H<S<
0#0+0004080a0
2A2H2L2P2T2X2\2`2d2
9E:^:m:
014181<1@1L1P1T1<2D2L2T2\2d2l2t2|2
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?4?<?D?L?T?\?d?l?t?|?
0$0,040<0D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2$2,242<2D2L2T2\2d2l2t2|2
3 3(30383@3H3P3X3`3h3p3x3
4 4(40484@4H4P4X4`4h4p4x4
5 5(50585@5H5P5X5`5h5p5x5
6 6(60686@6H6P6X6`6h6p6x6
7 7(70787@7H7P7X7`7h7p7x7
8 8(80888@8H8P8X8`8h8p8x8
9 9(90989@9H9P9X9`9h9p9x9
?8?T?X?x?
080X0d0
1 1@1\1`1
2 2$2(2,2024282D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
3,3<3L3\3|3
7@:D:H:L:P:T:X:\:`:d:p:x:
= =$=0=4=8=<=@=D=H=L=T=X=p=