Sample details: ad7b9c14083b52bc532fba5948342b98

Hashes
MD5: ad7b9c14083b52bc532fba5948342b98
SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
SHA256: 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae
SSDEEP: 3072:H/Fkbff/FoeMrx9O1vfjQdLCQMcP7FRCMkLjyGez1c:H9kbtoLtM1nM9xf/CMkLmt+
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsConsole | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/DebuggerCheck__QueryInfo | YRP/DebuggerException__SetConsoleCtrl | YRP/anti_dbg | YRP/disable_dep | YRP/win_registry | YRP/win_token | YRP/win_files_operation
Source
http://111.231.215.98/cmd.exe
Strings
		!This program cannot be run in DOS mode.
`.data
@.reloc
msvcrt.dll
ntdll.dll
KERNEL32.dll
api-ms-win-core-processthreads-l1-1-0.DLL
WINBRAND.dll
QQSVWj
,j%_f;
J3t/95|A
Jj/h,'
Jj2h('
Jj1hX*
Jj0h|*
9:tq9]
u.WhpF
F<@@Ph
FFf9>u
t-Wh$J
JtiSh@K
 v	j Xf
 v	j Xf
Jj Zf;
JYY_^[
SetThreadUILanguage
SetConsoleInputExeNameW
IsDebuggerPresent
CopyFileExW
Jj [Sh
?"u3GG
:tTAAC
SSSSSWj
@<VWj(
QRPh<%
SVWj=Xf
9x t99=
Juz@PW
v	N+D$
SSSSVh@
J }#j@
JPWPVh
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ItGIIt9
LGj:GXf
YFj:FXf
FFj\Xf
Nj0NXf
Null environment
(j:Xj.f
t	@@f9
Jt\j/P
u"Sh7#
Jt\j/P
u"Sh8#
JWj"_f;
u!Sh*#
tbf97t]
NtQueryInformationProcess
PSWSSS
AjcAZf
Aj)AZf
HuhSVh|*
jSVhX*
;u7SVh
SVWt#j
tAHt3HHt$
SSSSSS
?"u0j"Yf
FFGGCC
tZHt9Ht
QRPh\%
ADVAPI32.dll
USER32.dll
SHELL32.dll
MPR.dll
RevertToSelf
SaferRecordEventLogEntry
ImpersonateLoggedOnUser
SaferCloseLevel
SaferComputeTokenFromLevel
SaferIdentifyLevel
RegEnumKeyW
RegSetValueW
CreateProcessAsUserW
LookupAccountSidW
GetSecurityDescriptorOwner
GetFileSecurityW
MessageBeep
ShellExecuteExW
SHChangeNotify
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W
WINBRAND.dll
KERNEL32.dll
ntdll.dll
msvcrt.dll
_getch
iswdigit
wcstol
_vsnwprintf
_wcsicmp
_controlfp
?terminate@@YAXXZ
_except_handler4_common
__set_app_type
__p__fmode
__p__commode
__setusermatherr
_amsg_exit
_initterm
_XcptFilter
_cexit
__getmainargs
calloc
_wcslwr
_open_osfhandle
_close
swscanf
_ultoa
_setmode
wcsncmp
iswxdigit
fflush
_get_osfhandle
_setjmp3
wcsstr
_local_unwind4
_errno
wcstoul
iswalpha
wcsrchr
memcpy
printf
fprintf
towlower
realloc
setlocale
_wcsupr
_wpopen
ferror
_pclose
memmove
wcschr
iswspace
memset
wcsspn
towupper
longjmp
_wcsnicmp
RtlNtStatusToDosError
NtSetInformationProcess
NtQueryInformationProcess
RtlFindLeastSignificantBit
RtlFreeHeap
NtFsControlFile
RtlDosPathNameToNtPathName_U
NtQueryInformationToken
NtClose
NtOpenProcessToken
NtOpenThreadToken
GetDateFormatW
UnhandledExceptionFilter
GetCurrentProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
InterlockedExchange
LoadLibraryExA
InterlockedCompareExchange
FreeLibrary
DelayLoadFailureHook
CreateHardLinkW
CreateSymbolicLinkW
GetVolumePathNameW
GetThreadLocale
GetThreadGroupAffinity
GetNumaNodeProcessorMaskEx
SetProcessAffinityMask
ResumeThread
FindFirstFileExW
DeviceIoControl
FindFirstStreamW
FindNextStreamW
GetDiskFreeSpaceExW
CompareFileTime
RemoveDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
TerminateProcess
WaitForSingleObject
GetExitCodeProcess
CopyFileW
SetFileAttributesW
SetEndOfFile
DeleteFileW
SetFileTime
CreateDirectoryW
FillConsoleOutputAttribute
SetConsoleTextAttribute
ScrollConsoleScreenBufferW
FormatMessageW
GetACP
DuplicateHandle
FlushFileBuffers
HeapReAlloc
HeapSize
VirtualAlloc
VirtualFree
GetCurrentThreadId
OpenThread
HeapSetInformation
GetFileAttributesExW
GetDriveTypeW
InitializeCriticalSection
SetConsoleCtrlHandler
GetWindowsDirectoryW
GetVersion
GetModuleFileNameW
ExpandEnvironmentStringsW
CancelSynchronousIo
EnterCriticalSection
LeaveCriticalSection
GetVolumeInformationW
SearchPathW
WriteFile
SetFilePointerEx
GlobalAlloc
GlobalFree
MoveFileW
SetConsoleTitleW
LocalFree
MoveFileExW
GetConsoleTitleW
GetFileAttributesW
NeedCurrentDirectoryForExePathW
GetBinaryTypeW
SetFilePointer
lstrcmpW
lstrcmpiW
HeapFree
GetProcessHeap
SetThreadLocale
GetProcAddress
GetModuleHandleW
VirtualQuery
HeapAlloc
CloseHandle
MultiByteToWideChar
ReadFile
WriteConsoleW
FillConsoleOutputCharacterW
SetConsoleCursorPosition
ReadConsoleW
GetConsoleScreenBufferInfo
GetStdHandle
GetFileType
GetLastError
WideCharToMultiByte
GetFileSize
FlushConsoleInputBuffer
GetCPInfo
GetConsoleOutputCP
CmdBatNotification
CreateFileW
FindClose
FindNextFileW
FindFirstFileW
GetFullPathNameW
GetUserDefaultLCID
SetLocalTime
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
GetLocaleInfoW
FileTimeToLocalFileTime
GetTimeFormatW
GetLocalTime
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetEnvironmentVariableW
SetEnvironmentStringsW
SetConsoleMode
GetConsoleMode
GetNumaHighestNodeNumber
GetCommandLineW
GetEnvironmentVariableW
SetErrorMode
GetVDMCurrentDirectories
RegCloseKey
SetLastError
RegQueryValueExW
RegOpenKeyExW
RegDeleteValueW
RegDeleteKeyExW
ReadProcessMemory
LoadLibraryW
QueryFullProcessImageNameW
GetConsoleWindow
CreateProcessW
GetStartupInfoW
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
RegSetValueExW
RegCreateKeyExW
BrandingFormatString
RSDSY}o
cmd.pdb
CMD Internal Error %s
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
    version="5.1.0.0"
    processorArchitecture="x86"
    name="Microsoft.Windows.FileSystem.CMD"
    type="win32"
<description>Windows Command Processor</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="asInvoker"
                uiAccess="false"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
<application  xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
        <dpiAware  xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
    </windowsSettings>
</application>
</assembly>
wwwwwwwwwwwwwwwwwwwww
Se%ae`
cCBR_p
RRRRP%
CCCC@40`P@ 
cG?CCRRRRP`R
4qaCCRCCCB
pqacG%%apppppppaB
prRRRPa
wwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwww
se%%%%% R
u%6RRRRRPp
wwwwwwwwwwwwwww
wwwwwwwwp
wwwwwwww
((((&&(&&&(&(&&&&&&(((#&&###
*)))))))))))))))))))))
eIDATx
 """"""""""""""""""""""""""""""""""""""""
'Px0&D
XXX8Pvh8v
],//cuu
`ii	+++<
n<DSbb
`ii	7o
!KD4)#
NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
3<4F4m4v4}4
6%6/6<6L6]6x6
6;7_7e7o7v7
9&979>9I9P9~9*:4:::D:j:z:
:!;@;h;
<<<B<_<e<o<
=3=`=e=|=
=(>>>L>X>`>n>t>z>
>%?.?G?Y?]?y?}?
4W5d5|5
6(6K6h6
7C7J7l7~7
9$9M9R9Y9
:B:G:N:d:i:p:
:!;6;q;
='=;=O=r=
? ?&?8?A?b?r?
8/949F9j9
?%?-?F?M?Z?z?
010G0L0
4R5^5p5
8k9q9w9R:_:z:
;(<9<?<o<
=#=)=8={=
=#>;>V>g>v>
0(0Q0`0
212=2}2
3 4&4.4
5"5P5t5
696A6[6}6
6$747?7G7
7#8)8X8j8
:5:I:]:
=!=7=G=X=l=q=
>8>Y>h>p>
?)?G?d?y?
9%9-949>9
:9;I;e;
3'3-3=3N3U3[3
585C5K5o5
:5:=:E:T:\:b:j:p:
;';2;F;V;_;
< <,<1<7<<<A<F<K<Q<Y<d<j<x<
=#>Q>Z>l>
?-?H?y?
0!0Q0k0r0
3&373=3I3O3U3e3p3|3
454=4F4L4T4`4k4u4{4
5%5>5j5}5
6!6'6,62696?6D6K6Q6V6]6
7+7=7R7i7t7z7
839O9T9]9g9m9x9
:5:N:g:
2+242O2y2
3'333S3
3%4V4g4
6*6=6L6W6n6
7<7R7a7k7
818;8I8n8
2)2K2x2
<#=.=4=
:W: ;{;
<9<S<j<
=)>4>o>
>%?5?O?g?
0,000B0l0{0
6%616=6D6P6\6x6
707:7K7Q7
9-9o9|9
<S=[=d=j=p=
:0D1j1|1
757I7]7q7
;#<I>V>_>
>.?<?I?N?\?u?
0D0M0z0
0(11171I1[1m1
5,5C5Z5q5
5=6G6U6`6f6
8 8V8n8
3!42484{4Q6
717M7e7
7"8/8H8
:2:d:r:p;
;)<H<R<]=
1$1E1{1
2L2d2|2
2.3<3M3]3|3
5*5q5}5
7,7D7\7t798k8
859T9b9i9w9~9
;&;O;W;j;w;
;/<7<C<
4%515`5o5w5
5-6I6h6
6"787f7|7
9#9P9X9v9
9%:W:_:q:
</<Q<]<
<T<[<z<
3?4b4o4
535D5T5
5#6J6b6
8<8X8^8d8o8v8
98:S:l:~:
;+;6;;;F;Q;n;
<$<K<U<_<i<s<}<
=$>X?i?
0 0&0,01060c0
292P2f2m2
2A3H3V3]3k3r3
4;4N4_4l4
6 626<6L6Z6s6
797R7Y7_7s7{7
9":`:1;9;n;
='=+=5=G=X=i=z=
=Q>e>p>
>(?H?S?Y?d?j?t?}?
0'060V0
7,7J7c7n7v7
8-8>8I8]8
9$9d9s9
142:2f2
5C5P5d5
6]6l6x6
7(7.7C7K7R7X7
8(8D8R8{8
8+989T9d9
:+:R:e:
<@=]=d=
?$?2?;?N?X?g?
)000O0f0
2I2T2[2
3^3k3|3
4N4\4l4
5G5O5`5n5|5
8$8)878D8X8e8m8
8O9B:J:
:2;:;{;
<*<><R<[<
<2=O=^=g=o=
>)?B?U?}?
1'2N2Y2^2i2
3+373=3
=W=d=l=
0#1<1c1
1S2[2a2m2
4N5T5Z5e5
7^7B8W8l8
9-999M9S9Z9f9m9x9
=2=C=O=m=u={=
?"?/?I?a?}?
3=3L3p3
;/<5<g<m<t<
="=`=i=
=&>R>b>
1!2.2t2y2
90979>9D9O9U9`9{9
>0>Y>v>}>
4G5`5p5
9&9D9I9Q9X9x9
;:<D<Z<
070R0^0
3-363Q3f3w3
4-484J4
405L5S5Y5^5g5n5s5{5
7+8a8~8
=$=6=h=
?!?7?J?
5G5Q5b5s5
5'6G6o6
7 7F7O7W7_7f7k7u7}7
8%858;8G8
=	>">X>^>h>s>
0;0D0P0Y0l0x0
2)2/2i2
3'353;3D3J3
324A4I4U4x4
4@5H5b5
566>6M6U6]6
9>:K:V:
=i=s=x=
2)2G2U2f2z2
243]3.4
727?7M7j7q7
>C>j>r>
? ?+?6?A?
1 252<2
2'3.3E3P3V3
41484@4E4Z4_4f4q4w4
<9<H<O<
3&3,32383>3D3J3P3V3\3b3h3o3w3
4(4-474A4K4U4_4i4s4}4
0 0$0(0,040<0@0H0L0P0
9(9,9@9D9X9\9p9t9
:0:4:H:L:`:d:x:|:
; ;$;8;<;P;T;h;l;
<(<,<@<D<X<\<
=4=L=`=d=x=|=