
Sample details: ae775d9859b0dd0e3f05e6f3862fca4e

Hashes
MD5: ae775d9859b0dd0e3f05e6f3862fca4e
SHA1: 2575897780676a8697a0339a3f8c94ec33cbb313
SHA256: 487926b1a8cdb26e9aae041a75e90e046d3729a8af33dfc88c1dc1833b4f5ce1
SSDEEP: 6144:ZQGCIImWp0yN90vEhCTI2IOGdpDpB4SR:ZQEy90YCTI2IO6X4SR
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/Check_OutputDebugStringA_iat | YRP/anti_dbg | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation
Sub Files
f7b5120ffda1c67a92076a5143a1686d
Source
http://80.85.157.130:4577/last.exe
Strings
		!This program cannot be run in DOS mode.
`.data
.idata
@.rsrc
@.reloc
Invalid parameter passed to C runtime function.
advapi32.dll
CheckTokenMembership
Reboot
AdvancedINF
Version
setupx.dll
setupapi.dll
SeShutdownPrivilege
advpack.dll
DelNodeRunDLL32
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
HeapSetInformation
EXTRACTOPT
INSTANCECHECK
VERCHECK
DecryptFileA
LICENSE
<None>
REBOOT
SHOWWINDOW
ADMQCMD
USRQCMD
RUNPROGRAM
POSTRUNPROGRAM
FINISHMSG
LoadString() Error.  Could not load string resource.
CABINET
FILESIZES
PACKINSTSPACE
UPROMPT
IXP%03d.TMP
msdownld.tmp
TMP4351$.TMP
RegServer
UPDFILE%lu
Control Panel\Desktop\ResourceLocale
wextract.pdb
PQQQQQQh 
PSSSSSSh 
PSSShp
D$<tVhH
PVVVVVV
D$HjDj
t$ u"3
WWj WWWVW
:<\u6:
<At <Bt
< t~<	tz<
<At	<Ut
jXhhu@
j"_VVVVV
URPQQh
v	N+D$
UQPXY]Y[
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
System\CurrentControlSet\Control\Session Manager
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
Command.com /c %s
rundll32.exe %s,InstallHinfSection %s 128 %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
DefaultInstall
%s /D:%s
PendingFileRenameOperations
*MEMCAB
SHBrowseForFolder
SHELL32.DLL
DoInfInstall
SHGetPathFromIDList
OpenProcessToken
GetTokenInformation
RegSetValueExA
EqualSid
RegQueryValueExA
LookupPrivilegeValueA
RegCreateKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegDeleteValueA
AllocateAndInitializeSid
FreeSid
AdjustTokenPrivileges
RegCloseKey
ADVAPI32.dll
lstrcmpA
_llseek
FreeLibrary
GetCurrentProcess
GlobalLock
_lclose
ExpandEnvironmentStringsA
GetWindowsDirectoryA
GlobalAlloc
GetPrivateProfileIntA
GetFileAttributesA
IsDBCSLeadByte
GetSystemDirectoryA
GlobalUnlock
GetShortPathNameA
CreateDirectoryA
FindFirstFileA
GetLastError
GetProcAddress
RemoveDirectoryA
SetFileAttributesA
GlobalFree
FindClose
GetPrivateProfileStringA
LoadLibraryA
LocalAlloc
WritePrivateProfileStringA
GetModuleFileNameA
FindNextFileA
CompareStringA
_lopen
CloseHandle
LocalFree
DeleteFileA
ExitProcess
DosDateTimeToFileTime
CreateFileA
FindResourceA
SetFilePointer
FreeResource
LoadResource
WaitForSingleObject
SetEvent
GetModuleHandleW
FormatMessageA
SetFileTime
WriteFile
GetDriveTypeA
GetVolumeInformationA
TerminateThread
SizeofResource
CreateEventA
GetExitCodeProcess
CreateProcessA
ReadFile
SetCurrentDirectoryA
GetTempFileNameA
ResetEvent
LockResource
GetSystemInfo
LoadLibraryExA
CreateMutexA
GetCurrentDirectoryA
GetVersionExA
GetVersion
GetTempPathA
CreateThread
LocalFileTimeToFileTime
KERNEL32.dll
GetDeviceCaps
GDI32.dll
SetDlgItemTextA
GetDesktopWindow
EndDialog
CharPrevA
ExitWindowsEx
CharNextA
CharUpperA
MessageBeep
LoadStringA
GetDlgItemTextA
DialogBoxIndirectParamA
CallWindowProcA
EnableWindow
SetWindowTextA
DispatchMessageA
ShowWindow
SetWindowPos
GetDlgItem
ReleaseDC
PeekMessageA
GetWindowLongA
MessageBoxA
SetWindowLongA
SendMessageA
SetForegroundWindow
MsgWaitForMultipleObjects
SendDlgItemMessageA
GetWindowRect
USER32.dll
_vsnprintf
_errno
_XcptFilter
__p__commode
_amsg_exit
__getmainargs
__set_app_type
_cexit
__p__fmode
_ismbblead
__setusermatherr
_initterm
_acmdln
msvcrt.dll
memcpy
memset
?terminate@@YAXXZ
_controlfp
COMCTL32.dll
Cabinet.dll
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VERSION.dll
GetStartupInfoA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
OutputDebugStringA
RtlUnwind
GetModuleHandleA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
EnumResourceLanguagesA
MulDiv
GetDiskFreeSpaceA
GetSystemMetrics
AVI LIST
hdrlavih8
strlstrh8
vidsRLE 
LISTv$
movi00dc(
wgwwxx
wwwwwwp
wwwwwwp
\)((Bc 
tZXXXj!
kXZt&'pp
\Xt'Qp
IhhI>In
IG>G>h
:>G>G>h
ICGIGn
:>>>H>r
eeRC>:y
RCIeeee
kII=GCR
>~32"*_h
nhII:h
h40.+Il
{{aFIdqx
WPMMMPPUW
WWWUWW
W***lf
****kf
PM/1NJ\
~dD>>CEwC9
8w>68~
~xxwwEwu~
ExxwwEEx
X)$DJF
}:75235:p~
"&&4(A?=
(@KM<"
Q999999999Q
GGGGGGGGGGG
>J >*	
wh:Mzn
{BPMS}
h0`0p@o6kll4
,m$I"=
SX+3	cT}0
[H)Yk6x
gF@m1%
(C!xg0
?Ed`n0
6_z0#;
Gx:=,F1
]h]e()I
ij8::f{{
iw;t:=
B/#5/s
xl}QO.
Gg}W_n
xgXw	T2=F
$&Bu^C
VaL_d1PY
n`nT";
78><bp
RCYH($
Bj,*3E
t\gWh$
F'u@&:
GdYNRV
<g0>&o
ZpNbx!
nE&Lh/
PH7TJ)
Mx!]x1
9NZ|QA9
!#hG*I
VLon8:
4mp-LeQ
|Zg}UUK
Z-Y,fX
b3eSAy
R!Spss
dCJ5@K
GGGXky
aaV<^-
|bdA*0jq 
@^@i-"
D,evd2
6X'e7U
@75MU:
cVUI)#j]
M{Zk}Hr-@
f?:88x#
W%y%)JMU
pINJJ<KP[Efk
Y%HRIZH
x4z]*EU
G`Zw-B)p
4K9=9e
T1R;D2]
j[3PC"$
A6@XAY
mma[W[
"	uUQ45MS#
L&V)eNNN
Y.s0)Q4a
'FtHc1
n@WXl3
TX@'IR
_>99y5I
8I&DQF
QIDAT{
UUqttt
I\D <,
#)QQD"#
W6Z]#P\
LaFN"M
la:EOu#
c:gazz
gA`0)%UJ
9=D2'O
yyHaOO
P@@sRCC
O??qYIIYVEECRBB
L==^\KKpYHHeUDD2SDD
J<<Q[IIaZIIfXGGKVFF1WII
J<<BYHHSYHHVXHHCXHH8SDD#RCC
H::2UEE:UDD9TEE)SCC"SED
SCC%RBB"QBB
www	IJJ
]LLNQBB
aOOx[JJgSCC%QBB
\JJX[IIdZJJQUEE&QBB
ZII?XGGKXGG?TDD0SDD
SCC%QBB
lll	:::
~~~	===
ab`L4K*
ZZ[:443
WFFYO??
eee8AB@
[IIZYHHRVFF;RCC
jjj;FFD
[HH/RBB
ggg=EED
FFF?@>?
[\\?>>=
]^^@JAC
^__AQFJ
cccCIHH
YYYEHGG
TTTI444
WWWILLL
Wuwgevv
gwxC7wwwx
S9wawwv
gww%n~n~~
~~`R4a
Aaa$ ppR
$4#CBRR
6qCwwv
yyqrw7
Xyqwv5;q
Wut~u0yqswFp
'7Vwwv
gwx44t
aeTFTUFTGCCwxv
wRRRppp3R
wpppppppppppwv
gqaaaaaaaaaawv
RWx@wv
vSu7tpv
xsGE4rAv
wwrWcCpv
7qsw%wv
xwxwhP7
wqgGVVVdu%aawv
t444%'p
tueVT7p
?g@=gZO]<;
X4nU^}
popopop
ooooooooopoof
foQ	!(
ooooooopooooo
oooooooooooopp
oUoooooUooooo
AI5A5A
333333333333
3333333333
333333333
333333333
333333
?Gd=oQ
Yhojjmj:
cckmjbjjjjpoh^jjn
j^j^jbj^jjbjkjbbm
^^^b^^^^b^^^b
]^]^^^^`^^^b`3Pcb
]]]]\]`\
[][]]]Ie
[[[[[[[[fg8
[[[[I[[_I7
TUUVVSOK
<::;;QPN	
95923Q4
776MM*
onkCBrhs
zz~{{)iv
{accc_Z]
ddeeeee^
#DB!"b
D477wJJ
xkm<11
~;Z_YY96
^VUSwz)
<gKiep
gOD<;~
th1Zs;
%AxhzxAE
;a/h=M
4f'YY18
2`&P,~
h4<_{E
pswnB%
%	=oXI3ZYJ
$"p(QC$S
* [erL
\a0=If=.
K{0'*:
e\:F2>
Q8O1d%
"	{tV2
Y]Z`mi
v<VWW1
t)Q`	D
ES8$csvH
8kqf/i
s*Sc]`Z
WWW_?t
(	Z2m{
>[]]}c
F6eg P
K*#Y:t
=t*1jJ
IT)NJ<
{H;&-;
=4`eY~ 58
	sss~o
tX^^&I
	RdX/H
h'@HJ<
yLZQ{C
IJ-qQR
b/[L.,,
I L#:mSc
[o=P.@
S"EZKb-
KoRqFI
|" *K[&T
(@{I[K:
+O.5-/P
-DYsZE
y"jVJC+8Z=
LDAEI"!
+L]`EM
MquMwi
_^FxC7
h6v5k[
zrLTc&
B1)3,_(
5R9DXDF
K3rxrn
Y]m`Z!#
^\\drr
(_:Gk)
-1tbviL
p14D"d
SrXY]bmm
!F+fV5hY6~\g|[
GJA.[`u
IDATzk
~xK	An
M^_f),
KKR$o~
4Y	k4U
MOd3#C
@F`#1l
BmpR69
`W&OFh
t_VJ3t
)-LR_E
R&"-|t
,..299
+pETyNW
AX)QiX
($h5Q:@X
IDATL]
Go\qh_
!hKo7j/
I.Llcu
C?@?hPZJ
.Ey1gB
iv>`zv
/o9"Py
p}|I ~
a#"UG*
low8+=VZ
cm;}S0
7)727 dy
m[.uV;
)?P$*5JXl`
&O=[ IN,.K
(q|S-7
TD%2P5
^[@4}|
%HchEK
S$J0+$
R,9otn
r[3i4&NI
v=duaD
<J6!MQA
o[f*Yg
G#Z~@H
1O=#Qsor
(f*54G#j
<w yxf
['}N')
/7,7 d{
OGhL2$
)/R3+xi
m%7 \9(
D)TY"p
	A4BK t
t(-pHp
*;*fG%H
KbcDP8
]'@0%*@O
4wwwZyy_
cccHppU
!KKKKllP
>>Fxiii
>>Fxll\
77?Xnnn
77?Xnn^
33:7uuu
33:7ssf
<None>
last.ps1
vE@V\UW(
Id~SmB
&8j*\v
>=^bM#
yR]1)1
A3[sc9
s\NR<iL
g-TL,r
]aX$6uo
^?zQ6J
<None>
<None>
<None>
powershell -NoP -NonI -W Hidden -Exec Bypass "& '.\last.ps1'
<None>
<None>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="5.1.0.0"
     processorArchitecture="x86"
     name="wextract"
     type="win32"/>
  <description>IExpress extraction tool</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
          type="win32"
          name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0"
          processorArchitecture="x86"
          publicKeyToken="6595b64144ccf1df"
          language="*"
       />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="asInvoker"
          uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <!--The ID below indicates application support for Windows Vista -->
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
      <!--The ID below indicates application support for Windows 7 -->
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <!--The ID below indicates application support for Windows 8 -->
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
    </application>
  </compatibility>
</assembly>
6(626f6m6|6
7 7*7=7e7
8'9S9b9
:8:=:B:H:R:
;7<@<N<t<
<>=V=c=|=
=%>0>A>H>_>k>
?(?.?I?c?
0%0A0L0u0
1!1-1U1
2W2e2q2
4%5P5{5
6#6A6q6{6
7-7>7Y7n7w7
:&:>:]:f:u:
;%;+;2;7;Y;h;
<%<-<><E<Q<Y<b<h<
=!=*=D=x=}=
>!>+>3>8>B>V>]>
?,?1?8???G?R?W?_?e?r?
)040:0m0y0
1J1S1^1o1
1)232=2N2U2[2g2n2{2
3#3.343:3@3T3Z3k3
4E4X4q4
5"575=5T5Z5`5f5
7:7C7j7
8!8'828C8K8U8d8j8r8
9.949=9B9g9x9
:+:G:[:
:6;>;\;q;
<6<F<Q<
>$>[>j>
?,?R?o?x?
0"0-080F0]0k0{0
5'535J5`5
7 7)7A7J7O7U7[7e7k7
858@8_8e8{8
9+9>9L9W9]9}9
<#<(<-<3<L<g<w<
='=A=H=M=R=W=\=a=f=l=z=
>/>4>W>c>h>z>
?%?0?7?B?b?m?u?
0/050E0L0a0
1*1V1m1
232=2V2_2e2s2{2
3!3,333@3G3L3Z3h3
6 6A6K6Z6a6r6
7"878D8L8T8^8
<(<4<:<V<`<
?(?G?s?
0%030;0
151G1T1~1
5!5@5M5t5
6"6P6X6
7'717=7C7J7S7Y7a7g7t7|7
8,8D8L8T8]8b8x8
9"9,9G9u9{9
:&:=:C:I:O:U:[:b:i:p:w:~:
;+;4;L;R;X;^;d;j;q;x;
3(313F3[3h3p3