Sample details: b80aa583591eaf758fd95ab4ea7afe39

Hashes
MD5: b80aa583591eaf758fd95ab4ea7afe39
SHA1: f9a090dbbf2985d8a082fea6da490e8a952fce9b
SHA256: 0753f8a7ae38fdb830484d0d737f975884499b9335e70b7d22b7d4ab149c01b5
SSDEEP: 6144:s6EQd7Yl0ooomZYloYl9SaG6GnxaKloTvKpDWWUMm:vd7Y+ZomClodaG6GxaK2Uo
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Armadillo_v4x | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/create_service | YRP/escalate_priv | YRP/spreading_share | YRP/win_token | YRP/win_files_operation | YRP/VC8_Random | YRP/Str_Win32_Winsock2_Library | YRP/WhiskeyAlfa
Strings
!This program cannot be run in DOS mode.
Rich=@
`.rdata
@.data
(null)
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CloseHandle
WaitForSingleObject
CreateThread
CreateProcessW
WriteFile
CreateFileW
GetTempPathW
GlobalUnlock
SizeofResource
LoadResource
FindResourceW
GetModuleHandleW
DeleteFileW
ReadFile
GetFileSize
GetCurrentThreadId
GetTickCount
FindClose
FindNextFileW
FindFirstFileW
GetDiskFreeSpaceExW
GetCurrentProcess
GetProcAddress
MoveFileW
GetFileAttributesW
LocalAlloc
CreateFileA
GetModuleFileNameA
SetFilePointerEx
SetFilePointer
GetDriveTypeW
GetLogicalDrives
GetWindowsDirectoryW
SetFileAttributesW
GetComputerNameA
GetModuleFileNameW
LoadLibraryW
GetLastError
CopyFileW
KERNEL32.dll
SystemParametersInfoW
DispatchMessageW
TranslateMessage
TranslateAcceleratorW
GetMessageW
LoadAcceleratorsW
LoadStringW
RegisterClassExW
LoadCursorW
UpdateWindow
ShowWindow
CreateWindowExW
PostQuitMessage
EndPaint
DrawTextW
GetClientRect
BeginPaint
DialogBoxParamW
DestroyWindow
DefWindowProcW
EndDialog
USER32.dll
StartServiceA
QueryServiceStatus
CloseServiceHandle
CreateServiceW
OpenServiceW
OpenSCManagerA
DeleteService
ControlService
OpenSCManagerW
CreateProcessAsUserW
AdjustTokenPrivileges
SetTokenInformation
DuplicateTokenEx
LookupPrivilegeValueW
SetServiceStatus
RegisterServiceCtrlHandlerW
StartServiceW
ChangeServiceConfig2W
StartServiceCtrlDispatcherW
ADVAPI32.dll
SHGetSpecialFolderPathW
SHELL32.dll
WS2_32.dll
StrStrIA
PathFindExtensionW
SHLWAPI.dll
DestroyEnvironmentBlock
CreateEnvironmentBlock
USERENV.dll
NetApiBufferFree
NetShareEnum
NETAPI32.dll
ExitProcess
TerminateProcess
RtlUnwind
InterlockedDecrement
InterlockedIncrement
HeapFree
HeapAlloc
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
IsBadWritePtr
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
MultiByteToWideChar
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
LCMapStringA
LCMapStringW
GetCPInfo
GetACP
GetOEMCP
LoadLibraryA
SetStdHandle
FlushFileBuffers
GetStringTypeA
GetStringTypeW
CSRSS/SSSSSSSSSSCS
SSSSSSSSSSSSS
212.31.102.100
58.185.154.99
200.87.126.116
successfully
IsWow64Process
\PhysicalDrive0
#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F
\\?\ElRawDisk\??\
$MFT Record read failed.
SetFilePointer failed.
Drive Boot Sector read failed. 
WTSQueryUserToken
WTSEnumerateSessionsW