Sample details: b5256eb3ced25e9ab39b8171f1613dc2

Hashes
MD5: b5256eb3ced25e9ab39b8171f1613dc2
SHA1: d82a6c2f7dd6ea4fe6b6ae875bfa70dba0c3c527
SHA256: 277738198f5a598d44d0a7c0cf1a62310aa39d013b93ecd07bf5c11032fc6c83
SSDEEP: 1536:LmIYJEZrCroF2iXZcuUxERskouJ1gJcxWGd+oryMm+HerUgAd3Yxy:iIYJKXhUxkskofOWGd2Mm+HerUgAdB
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/MinGW_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/anti_dbg | YRP/network_http | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/MD5_Constants | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API
Parent Files
0891bb8f769c24325bd1bbab56ec2370
Strings
		!This program cannot be run in DOS mode.
P`.data
.idata
uB<KuY
<Vt5<rt1<Kt-
S ;S$}
<CtF<D
<1tx<2tk<0
~5<Stt<Zu1
C ;C$}
@DCUNG
!This program cannot be run in DOS mode.
d^lKdV
d^l{dD
d^lzdD
d^l}dD
dRichE
`.rdata
@.data
@.reloc
twHtJHt$H
It.It%It
VLSSWP
uKQPPh
FT[;FLu'3
SSSShl
8^EtHh<
Y8^DtM8^EuHh0
http://rfr.agent.mail.ru/magent_rfrset_%s.exe
 -installsilent -nolaunch -nosputnik -nodownloader -nohomepage -nosearch -noaltergeo -nosparberater -nobrowser /partner_new_url=%s
magent_rfrset_%s.exe
 leave from base cose 10 attempts were used; 
 Need to restart in base
:		%s 
A%s - %d%%
http://internetmailru.cdnmail.ru/Internet.exe
Internet.exe
Filename: %s
Complete: %s
 leave from progress cose 10 attempts were used; 
 Need to restart in browser
%d.%s%d 
>%d.%s%d 
A%d.%s%d 
0A%d %s
CMD == %d
tiny-dl/nix
Request returned code %d
code: %d, requested %d bytes, read %d bytes, total: %d of %d
Range: bytes=%d-
Last-Modified: 
Content-Type: 
Content-Length
InternetConnect () failed
Protocol not supported
Content-Length: 
%02X%02X%02X%02X
$__HWSIG
&hsig=
tGn3BdC0
simple
dltype
referer
force_run
agent_new_url
agent_rfr
nohomesearch
notoolbar
internet_silent
file_size
partner_online_url
hMK5D6dq
partner_new_url
k7jsGY99
profitraf1
-----------------------------
XML to search in:
-----------------------------
>, NOT FOUND
<![CDATA[
>, FOUND
Tag to search: <
partner_new_url_inet
referer_inet
<internet_silent>
<internet>
 /silent /rfr=%s /partner_new_url=%s
%s%s%d
\downloader_tmp_
DL: failed to save runner (%s)
DL: run failed with code %d
DL: successful run
DL: Running <%s> with args <%s>
runprog.exe
explorer
http://dlm.mail.ru/about/
http://internet.mail.ru
http://sputnik.mail.ru
http://agent.mail.ru
version
NO CONTROL
%s.%d.exe
%s      
All files
 (*.*)
 %s...
 leave the progress due to 10 attempts were used; 
>>>>>>>>>>>>>>>>>>>>>>> Need to restart
tiny-dl
http://binupdate.mail.ru/dwnld/url?u=
http://r.mail.ru/cln5491/exe.agent.mail.ru/sputnik/mailrusputnik.exe
mailrusputnik.exe
 --mpcln=
 /partner_online_url=
 /nosputnik
 /nosearch /nohomepage 
InternetCloseHandle
HttpQueryInfoA
InternetSetOptionA
InternetOpenA
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenUrlA
WININET.dll
wvnsprintfA
PathFileExistsA
PathFindExtensionA
PathFindFileNameA
SHLWAPI.dll
CreateThread
DeleteFileA
WaitForSingleObject
lstrlenA
GetStdHandle
CreateMutexA
AllocConsole
FreeConsole
CloseHandle
ReleaseMutex
WriteConsoleA
HeapAlloc
GetProcessHeap
HeapFree
GetLastError
lstrcpyA
lstrcatA
lstrcmpiA
SystemTimeToFileTime
FindClose
FindFirstFileA
SetFileTime
OutputDebugStringA
SetFileAttributesA
WriteFile
SetFilePointer
CreateFileA
MoveFileA
WideCharToMultiByte
MoveFileExA
GetSystemTimeAsFileTime
GetModuleHandleA
GetModuleFileNameA
SetLastError
GetTempPathA
FreeResource
LockResource
SizeofResource
LoadResource
FindResourceA
KERNEL32.dll
GetDlgItem
MessageBoxW
SetWindowTextA
SetWindowLongA
GetWindowLongA
EnableWindow
SendMessageA
GetWindowLongW
SetWindowLongW
SetTimer
LoadIconA
KillTimer
MoveWindow
ScreenToClient
EndDialog
SendDlgItemMessageA
DialogBoxParamA
MessageBoxA
GetWindowRect
DefWindowProcA
SetFocus
ShowWindow
SetWindowTextW
SetWindowPos
GetWindowTextA
USER32.dll
CreateFontW
GetStockObject
GDI32.dll
GetSaveFileNameA
COMDLG32.dll
RegQueryValueExA
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteExA
ShellExecuteA
SHGetSpecialFolderPathA
SHELL32.dll
tiny-dl.dll
StartDL
!This program cannot be run in DOS mode.
`.rdata
@.reloc
RunProg: run failed with code %d
RunProg: successful run
RunProg: running <%S> with args <%S>
RunProg: argv [%d]: <%S>
RunProg: argc: %d
RunProg: args: <%S>
wvnsprintfA
SHLWAPI.dll
HeapFree
OutputDebugStringA
HeapAlloc
GetProcessHeap
lstrcatW
lstrlenW
ExitProcess
GetCommandLineW
KERNEL32.dll
ShellExecuteW
CommandLineToArgvW
SHELL32.dll
0,030?0V0^0s0}0
1@1T1[1f1x1
7*898]8p8
:N;_;k;r;
<%<=<F<W<_<w<
<H=O=_=f=~=
>Y>_>|>
>.?I?|?
1$1:1H1_1l1w1~1
2)262A2H2f2
4i4p4w4~4
445K5o5
516[6j7
8G9Q9W9
<"<C<b<
?$?c?x?
2(3-373h3
4(5h5~5
6.6E6\6
;^<V=|=
50>1Y1j1
484I5D6L6b6
7Q8V8]8
8!9P9U9\9
;#<X<f<m<
50J0n0
1.272t2
4+4@4]4l4y4
4+585q5|5
5p6u6~6
>&>,>K>
0\1|1^2
8,8<8I8[8w8
1\2`2d2h2
384<4@4D4H4L4P4T4X4\4`4
:\=`=d=h=l=p=t=x=|=
libgcj_s.dll
_Jv_RegisterClasses
EFGNG@C@
353741605
std::exception
std::bad_exception
__gnu_cxx::__concurrence_lock_error
__gnu_cxx::__concurrence_unlock_error
std::bad_alloc
pure virtual method called
terminate called recursively
terminate called after throwing an instance of '
  what():  
terminate called without an active exception
_GLOBAL_
(anonymous namespace)
string literal
JArray
vtable for 
VTT for 
construction vtable for 
typeinfo for 
typeinfo name for 
typeinfo fn for 
non-virtual thunk to 
virtual thunk to 
covariant return thunk to 
java Class for 
guard variable for 
reference temporary for 
hidden alias for 
_Accum
_Fract
operator
operator 
java resource 
decltype (
global destructors keyed to 
global constructors keyed to 
 restrict
 volatile
 const
complex 
imaginary 
signed char
boolean
double
long double
__float128
unsigned char
unsigned int
unsigned
unsigned long
__int128
unsigned __int128
unsigned short
wchar_t
long long
unsigned long long
decimal32
decimal64
decimal128
char16_t
char32_t
std::allocator
allocator
std::basic_string
basic_string
std::string
std::basic_string<char, std::char_traits<char>, std::allocator<char> >
std::istream
std::basic_istream<char, std::char_traits<char> >
basic_istream
std::ostream
std::basic_ostream<char, std::char_traits<char> >
basic_ostream
std::iostream
std::basic_iostream<char, std::char_traits<char> >
basic_iostream
delete[]
delete
sizeof 
alignof 
mingwm10.dll
__mingwthr_remove_key_dtor
__mingwthr_key_dtor
Mingw runtime failure:
  VirtualQuery failed for %d bytes at address %p
  Unknown pseudo relocation protocol version %d.
  Unknown pseudo relocation bit size %d.
N10__cxxabiv115__forced_unwindE
N10__cxxabiv117__class_type_infoE
N10__cxxabiv119__foreign_exceptionE
N10__cxxabiv120__si_class_type_infoE
N9__gnu_cxx24__concurrence_lock_errorE
N9__gnu_cxx26__concurrence_unlock_errorE
St13bad_exception
St9bad_alloc
St9exception
St9type_info
CloseHandle
CreateSemaphoreA
DeleteCriticalSection
EnterCriticalSection
ExitProcess
FreeLibrary
GetCommandLineA
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
HeapAlloc
HeapFree
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsBadReadPtr
LeaveCriticalSection
LoadLibraryA
ReleaseSemaphore
SetLastError
SetUnhandledExceptionFilter
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForSingleObject
_write
__getmainargs
__p__environ
__p__fmode
__set_app_type
_cexit
_onexit
_setmode
_winmajor
atexit
calloc
fwrite
malloc
memcpy
memmove
memset
realloc
signal
sprintf
strcmp
strcpy
strlen
vfprintf
KERNEL32.DLL
msvcrt.dll
msvcrt.dll
555n'B+	
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>
thawte, Inc.1(0&
Certification Services Division1806
/(c) 2006 thawte, Inc. - For authorized use only1
thawte Primary Root CA0
100208000000Z
200207235959Z0J1
Thawte, Inc.1$0"
Thawte Code Signing CA - G20
#http://crl.thawte.com/ThawtePCA.crl0
http://ocsp.thawte.com0
VeriSignMPKI-2-100
thawte, Inc.1(0&
Certification Services Division1806
/(c) 2006 thawte, Inc. - For authorized use only1
thawte Primary Root CA0
061117000000Z
360716235959Z0
thawte, Inc.1(0&
Certification Services Division1806
/(c) 2006 thawte, Inc. - For authorized use only1
thawte Primary Root CA0
l[HhIY7
Thawte, Inc.1$0"
Thawte Code Signing CA - G20
111209000000Z
140206235959Z0[1
Moscow1
Moscow1
LLC Mail.Ru1
LLC Mail.Ru0
*http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
http://ocsp.thawte.com0
Thawte, Inc.1$0"
Thawte Code Signing CA - G2
131005144130Z0
http://mail.ru/0
X)zAhT