Sample details: 9051b1b3d07cb2400ae07258e75221ab

Hashes
MD5: 9051b1b3d07cb2400ae07258e75221ab
SHA1: d6ca05ccdaefd3b60eecc2ba01fee3754aa488c6
SHA256: 6914512fdcde1849454e9e97477d7af4a841b14336770f3e85754917e0e96d2d
SSDEEP: 6144:wuLYmsnL7HuK21G8n+pcd6q7EUNUTfKM83z5gOysXOGflVZ2XfcoA3zXCJu0n:wucvPl21G8nocJwr2t5SslVccoA3zx0n
Details
File Type: PE32
Yara Hits
YRP/contentis_base64 | YRP/url | YRP/domain | YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasRichSignature | YRP/anti_dbg | YRP/screenshot | YRP/keylogger | YRP/win_files_operation | YRP/win_hook
Source
http://134.0.117.224/itexe/stat.php
http://134.0.117.224/itexe/1100.exe
http://www.kfzgutachten-berlin.eu/TempCont/ri.php
Strings
!This program cannot be run in DOS mode.
`.rdata
@.data
On program startup, the locale selected is the
greater than
less than
equal to
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Enter year: 
Enter month: 
Enter day: 
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
CorExitProcess
runtime error 
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
GetParent
MessageBoxA
CharUpperW
wvsprintfW
GetSystemMenu
EnableMenuItem
IsWindow
EnableWindow
MessageBeep
LoadIconW
LoadImageW
SetWindowsHookExW
PtInRect
CallNextHookEx
DefWindowProcW
CallWindowProcW
DrawIconEx
DialogBoxIndirectParamW
GetWindow
ClientToScreen
DrawTextW
ShowWindow
SystemParametersInfoW
GetSystemMetrics
SetFocus
UnhookWindowsHookEx
SetWindowLongW
GetClientRect
GetDlgItem
CreateWindowExW
SetWindowTextW
wsprintfA
GetSysColor
GetWindowTextLengthW
GetWindowTextW
GetClassNameA
wsprintfW
SendMessageW
EndDialog
DestroyWindow
KillTimer
DispatchMessageW
GetMessageW
SetTimer
GetWindowLongW
ScreenToClient
GetWindowRect
GetKeyState
CopyImage
ReleaseDC
GetWindowDC
SetWindowPos
GetMenu
IsWindowVisible
USER32.dll
ShellExecuteExW
SHGetFileInfoW
SHBrowseForFolderW
SHELL32.dll
SetBkMode
GetDeviceCaps
GDI32.dll
GetFileVersionInfoA
VERSION.dll
GetCommandLineA
GetVersion
GetStringTypeA
GetLocaleInfoW
ResumeThread
GetSystemTimeAsFileTime
GetStartupInfoA
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleW
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
GetLastError
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
EnterCriticalSection
LeaveCriticalSection
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeW
GetLocaleInfoA
VirtualAlloc
HeapReAlloc
RtlUnwind
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetConsoleCP
GetConsoleMode
FlushFileBuffers
SetFilePointer
HeapSize
CloseHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA
KERNEL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
      
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
    </application>
  </compatibility>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="asInvoker"></ms_asmv2:requestedExecutionLevel>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
161207000000Z
171207235959Z0
1091251
Moscow1
Moscow1705
.d. 24 pomeshchenie VI, KOMN 1, ul.Saratovskaya1
INFORM VT, OOO1
INFORM VT, OOO0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
20171025073228Z
Greater Manchester1
Salford1
COMODO CA Limited1,0*
#COMODO SHA-256 Time Stamping Signer
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
151231000000Z
190709184036Z0
Greater Manchester1
Salford1
COMODO CA Limited1,0*
#COMODO SHA-256 Time Stamping Signer0
1http://crl.usertrust.com/UTN-USERFirst-Object.crl05
http://ocsp.usertrust.com0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object
171025073228Z0+