Sample details: a3edfee67c4edfe37d97412d4dbfb19c

Hashes
MD5: a3edfee67c4edfe37d97412d4dbfb19c
SHA1: abd7126e6a48ff5e6ecf76c225d0068f6e28900c
SHA256: 934b7cce2c370b5bfcd462e33e55aa45cc25c588361fdb32e7a2670a3acef0e2
SSDEEP: 1536:MM9duIuon2cAQ6nIiYQ7yZ3i/bP5AJI0v:zu8T6nHktGPuI0v
Details
File Type: PE32+
Added: 2018-06-22 19:04:36
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasDebugData | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/MD5_Constants
Strings
http://img.rmb777.me/
%s%d.gif
C:\Windows
DriverPath = %ws
DriverName : %wZ
Do not kill my drive, God bless you! ^_^
Call SetRegistryDwordValue error. %08x
WinExec
LoadLibraryA
CmRegisterCallback failed, status= %08x
ZwOpenKey Failed! status = %08x
ZwQueryValueKey ImagePath Failed! status = %08x
ImagePath not equal!
ZwQueryValueKey Start Failed! status = %08x
create protect reg thread! id = %d
create protect file thread! id = %d
RegistryThread live!
create protect reg thread!
FileThreadId live!
create protect file thread!
dpc rountine find reg thread timeout!
dpc rountine find file thread timeout!
system shut down!
find reg change in shutdown routine!
shutdown routine!drive file size no equal! src_size = %d local_size = %d
UAC Closed!
UAC Opened!
find reg change in protect thread!
write back reg failed. path = %wZ
reg new path = %wZ
DrGetFileData Failed. status = %08x
CheckFile Failed.path = %ws status = %08x
create driver file failed. status = %08x path = %ws
new driver file. path = %ws
local file size = %d
drive file size no equal! src_size = %d local_size = %d
enter download thread!
idx get dns failed!
idx html path: %s
IndexCount Over Max Count!
get http idx failed!
idx html size : %d
destip:%s filepath:%s
Set IndexUrl %s
Set HeartUrl %s
check update sys!
enter update sys!
Need admin: %s
\??\%s\%s
%s\%s %s
\??\%s
pfnObRegisterCallbacks status = %08x
ProcessPath: %ws, ProcessId: %d
Process Exit: %ws ProcessId: %d
Kill Process: %ws, ProcessId: %d
Inset ProcessPath: %ws TickCount:%I64d
Find ProcessPath = %ws ProcessID = %d
Delete ProcessID = %d
og:image
content=
ieCssRetrofitLinks
image_src
s1600%s
Threadid = %d, State = %d, WaitReason = %d
%s%08x%08x
%s&ct=%08x%08x&sn=%08x
%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
{[%s]}
mid=%s%s&sv=64&agentid=%d&idx=%d%d
POST /%s HTTP/1.1
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/520.16 (KHTML, like Gecko) Chrome/61 Safari/517
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
HTTP/1.1 200 OK
GetMachineId Failed. status = %08x
DiskDriverObject = %I64x
Disk0DeviceObject = %I64x
8.8.8.8
GET /%s HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: %s
Connection: Keep-Alive
Content-Length:
cf failed. status = %08x
%u.%u.%u.%u
TransportAddress
ConnectionContext
KeStackAttachProcess
KeUnstackDetachProcess
http://1022k.blogspot.com/2018/02/1022s.html
http://xmr1022.livejournal.com/763.html
http://xmr1022x.livejournal.com/656.html
ExAllocatePoolWithTag
KeClearEvent
ExFreePoolWithTag
IoRegisterShutdownNotification
IoCreateNotificationEvent
RtlInitUnicodeString
IoDeleteDevice
wcsncpy
_vsnwprintf
_vsnprintf
IofCompleteRequest
RtlWriteRegistryValue
PsGetVersion
DbgPrint
_stricmp
PsGetProcessPeb
PsProcessType
RtlAnsiStringToUnicodeString
PsLookupProcessByProcessId
ZwQuerySymbolicLinkObject
_wcsnicmp
MmGetSystemRoutineAddress
RtlInitAnsiString
RtlUnicodeStringToAnsiString
ZwSetValueKey
ZwQuerySystemInformation
ZwOpenSymbolicLinkObject
MmUserProbeAddress
KeDelayExecutionThread
RtlFreeUnicodeString
wcsstr
ZwQueryValueKey
ZwClose
RtlFreeAnsiString
ObfDereferenceObject
RtlImageNtHeader
ObOpenObjectByPointer
ZwOpenKey
KeInitializeApc
KeInsertQueueApc
KeUnstackDetachProcess
ZwFreeVirtualMemory
KeStackAttachProcess
PsLookupThreadByThreadId
ZwAllocateVirtualMemory
ZwCreateKey
PsSetLoadImageNotifyRoutine
swprintf
IoFreeWorkItem
PsSetCreateThreadNotifyRoutine
KeInitializeDpc
PsSetCreateProcessNotifyRoutine
KeInitializeTimer
ObQueryNameString
PsCreateSystemThread
PsTerminateSystemThread
IoAllocateWorkItem
KeSetTimer
CmRegisterCallback
PsGetCurrentThreadId
MmIsAddressValid
IoQueueWorkItem
ZwReadFile
IoGetRelatedDeviceObject
KeSetEvent
IoCreateFile
KeInitializeEvent
IoFreeMdl
IoFileObjectType
ZwCreateFile
ObReferenceObjectByHandle
KeWaitForSingleObject
IoFreeIrp
IoAllocateIrp
RtlCopyUnicodeString
ZwQueryInformationFile
ZwWriteFile
IofCallDriver
_strnicmp
strstr
strrchr
_wcsicmp
IoUnregisterShutdownNotification
PsGetCurrentProcessId
PsGetProcessId
sprintf
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
_snwprintf
RtlAppendUnicodeToString
KeEnterCriticalRegion
IoDriverObjectType
ExAcquireResourceSharedLite
ExReleaseResourceLite
KeQueryTimeIncrement
RtlRandom
IoCreateSymbolicLink
ObReferenceObjectByName
IoCreateDevice
ExInitializeResourceLite
_strrev
ZwQueryVolumeInformationFile
ZwOpenFile
ExAllocatePool
isspace
isdigit
islower
isxdigit
IoBuildDeviceIoControlRequest
MmProbeAndLockPages
IoAllocateMdl
KeBugCheckEx
ntoskrnl.exe
__C_specific_handler
Washington1
Redmond1
Microsoft Corporation1)0'
 Microsoft Code Verification Root0
110222192517Z
210222193517Z0
VeriSign, Inc.1
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
<VeriSign Class 3 Public Primary Certification Authority - G50
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
130613000000Z
140613235959Z0
Jiangsu1
Xuzhou1705
.Jiangsu innovation safety assessment Co., Ltd.1>0<
5Digital ID Class 3 - Microsoft Software Validation v21705
.Jiangsu innovation safety assessment Co., Ltd.0
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0;
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
VeriSign, Inc.1
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
<VeriSign Class 3 Public Primary Certification Authority - G50
100208000000Z
200207235959Z0
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
	image/gif0!0
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
VeriSignMPKI-2-80
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA