Sample details: ba3e2396cdb04a69d7b4beb9f0d44717

Hashes
MD5: ba3e2396cdb04a69d7b4beb9f0d44717
SHA1: a8b5d5b172bc2a190bbc59fbb416a5ebb78f0bb1
SHA256: 4350c36202813af727d63c26586afe460ab183359e1ad4200ea8ae45b337a4f9
SSDEEP: 6144:LF+LL7gToU7FYFWWcGLRGNJYoGDdZmkn5tjhLOqUzga9kIm0ddU9cziTiPmJcr0:h+374UFWjkwc9pzBLnhkU9cg
Details
File Type: PE32
Yara Hits
YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/anti_dbg | YRP/screenshot | YRP/win_registry | YRP/win_files_operation
Source
http://www.bikner.de/red.php
http://bikner.de/red.php
http://134.0.117.224/exe/1000.exe
Strings