Sample details: c372226f50312cc0e414d7f425e08664

Hashes
MD5: c372226f50312cc0e414d7f425e08664
SHA1: 1754f99bb0fa28eea21c1624f3f4e201a2dafd7c
SHA256: 5cfd6dda53f07eb2414502a0f6fb7c91839df35120e13c28baaf76844384bd0c
SSDEEP: 3072:aAcveQosFXOmaZEK5JnaMEvQRfmpX03sOzB9GoT0XhdBBwSn5YDa31hzihmM4WI2:aAcveQosFXOyK5xt2k363BXl2mHD2
Details
File Type: PE32
Yara Hits
YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasRichSignature | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/anti_dbg | YRP/network_dropper | YRP/win_registry | YRP/win_files_operation | YRP/BASE64_table
Parent Files
00ef56ce5b1b91eff3c1d79a162b45a4
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
98tR9}
C098tR9}
C498tR9}
Nt3Nt"Nt
	t{Otm
</t~<>
<<tdj0
G F;0r
tX<<uT
HHt$HHt
?If90t
HHt$HHt
^SSSSS
t$<"u	3
< tK<	tG
j@j ^V
URPQQh
<+t"<-t
+t HHt
t"SS9] u
v	N+D$
PPPPPPPP
PPPPPPPP
;t$,v-
UQPXY]Y[
v	N+D$
QQSVWd
t*=RCC
;7|G;p
tR99u2
bad allocation
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
(null)
`h````
xpxxxx
`h`hhh
xppwpp
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Unknown exception
UTF-16LE
UNICODE
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
1#QNAN
1#SNAN
impactsetupcsnet2
impactsetupcsnet4
impactsetupnsi
/mpath="
/manifestfile="
http://b.greenpipesky.com/GetSoftwareFromICS.aspx?dd=greenpipesky&name=
 /upg=y
NSISUCIWindow
Version
Install
Software\Microsoft\NET Framework Setup\NDP\v4\Client
Software\Microsoft\NET Framework Setup\NDP\v3.5
InstallSuccess
Software\Microsoft\NET Framework Setup\NDP\v3.0\Setup
Software\Microsoft\NET Framework Setup\NDP\v2.0.50727
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
File does not exist: '%s'
CreateProcess on file %s: %lu
urlmon.dll
URLDownloadToFileA
&#x%02X;
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
<?xml 
version="%s" 
version="
encoding="%s" 
encoding="
standalone="%s" 
standalone="
<![CDATA[
&apos;
&quot;
version
encoding
standalone
Error when TiXmlDocument added to document, because TiXmlDocument can only be at the root.
Error parsing CDATA.
Error null (0) or unexpected EOF found in input stream.
Error document empty.
Error parsing Declaration.
Error parsing Comment.
Error parsing Unknown.
Error reading end tag.
Error: empty tag.
Error reading Attributes.
Error reading Element value.
Failed to read Element name
Error parsing Element.
Failed to open file
No error
bad exception
KERNEL32.DLL
ADVAPI32.dll
SHLWAPI.dll
USER32.dll
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
WideCharToMultiByte
EnumResourceTypesA
EnumResourceNamesA
EnumResourceLanguagesA
FindResourceA
GetModuleHandleA
OpenThread
CloseHandle
CreateFileA
GetProcAddress
GetLastError
WriteFile
GetTempFileNameA
CreateProcessA
GetTempPathA
FreeLibrary
WriteConsoleW
FlushFileBuffers
SetStdHandle
GetConsoleMode
GetConsoleCP
GetStringTypeW
LoadLibraryW
LCMapStringW
SetFilePointer
GetTickCount
DeleteFileA
LoadLibraryA
GetCommandLineA
MultiByteToWideChar
RtlUnwind
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
RaiseException
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EncodePointer
DecodePointer
HeapSetInformation
GetStartupInfoW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
ExitProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapCreate
QueryPerformanceCounter
GetCurrentProcessId
CreateFileW
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
PathQuoteSpacesA
PathFileExistsA
PathAddExtensionA
EnumThreadWindows
FindWindowA
PostQuitMessage
ShowWindow
GetWindowRect
IsWindowVisible
DestroyWindow
IsWindow
SetTimer
SetForegroundWindow
BringWindowToTop
AnimateWindow
CreateDialogParamA
DispatchMessageA
TranslateMessage
GetMessageA
GetWindowTextA
.?AVtype_info@@
.?AVbad_alloc@std@@
.?AVexception@std@@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVCAtlException@ATL@@
.?AVCICSManifestLoader@@
.?AVTiXmlBase@@
.?AVTiXmlNode@@
.?AVTiXmlDocument@@
?456789:;<=
 !"#$%&'()*+,-./0123
.?AVTiXmlDeclaration@@
.?AVTiXmlText@@
.?AVTiXmlAttribute@@
.?AVTiXmlUnknown@@
.?AVTiXmlComment@@
.?AVTiXmlElement@@
.?AVbad_exception@std@@
)20_;Y
BW333*
=&9-})AS
9>9yxt
'_Fk'(6
\L*Ae\[>0O
{/N[0r
K),nG@
\Nnbtf
]ua~gVJV
J)xI`R
8jc}>f
t+:"7h\
F*d@	S%
^7{[kp
;a\ X%
Y_#=,8
V"dse5
bl^_tV
?pQP9spT
='U#9JW
GE#b7>
?h&;BVWV
H4e|FP
	zW3Tt|w[2
FS1#;G
nJKG;t%l
P<NH,% 
l" UO"]y_
4NwhW.
CQuOu^
S-Sb2Oe
^]!^nT
ufY5T6
-Ep)r 
6nFujt1
K]ls+B~
t+E2g1O
Q-U?\i
K=c*#l^
*}'FPn
EVV>w:
-nV`x_
u3PiNa
U1?rU>
{nmh4D
u'>m!(
!ilx.F
_0[[A*
zq\VzVN
(Um-57
^8qF,:
8}Tw8O
T;aZ=ta;
3Ios*wj
Z@n=V5]
bo3L5e
i	||g=
Mp+A0R
@"G0`>
LAGWsn
i3%I	0
NKp_	!
95v1SZ
GuW+m%
-ztm+NR}
=n;PNK
	V9I(+,S
\Pr<Z 
xI5|@h]
X&:*%y7
ta}y@a
5:}vWS
Y'0+BnC
VY{ctK$
iTac	b
Efj-=y8
[[8{?L
H$JC{%
VF<	5^cYFp,
wKMLX[
f Vrgp
8\*U|d
C!.5(M
~k/bN 
!"~T]M
)%jP;W
ueGs@f
!<<Ir/
vWFFF4$ 
%O.u%!
o>V<6K
,I~9V_D-
UR}=)L
9nQlp &
9<S^#I
Jj6T"j
y!;+|R
9!88H0
dd`lRy[
TAd,,x
;D}&9Icm
x}6	"UM
]Mq{*Ap
qz^a54D
$Zup!lV
*WLXK'8
5*A4-|@/]-
>g:4.)
DD4G?#I"
G\%n#\
%CD Gr
(HuL&p
,3CXoJs
Q&Kc2T%q
Q<P*?M
T4XP~T
YqK(N&
h5K'v9
+(Chh\R
1tSAZd
5nTGaS
#`37eV
9#_IxE
 %_*Ri
101A?[
/,ggKF>
<@|p	5
?&<hah
OG()o<
0X]W6f
@%LAc|@
3V	E<	.
_eyK99
SBb -\
x,`~?,
UXI)R`
ngN-U372
%o};,O;
b_H1Wf
x@kw0j
qdz?8Q
:;("7%~)p2{
$IL6dm
L&t]qi
9Jd*>ZZ&
 z+dJ+
)7ZHSD
>R$FFE
2E	&wid%D
/OQ>:1
aYR!tcJP
"q.B~p
`%3gZh
U @3hA@n
k	SuhlG&Z
CI"#UO
OIo\ia
o|Wh3g<n
c(sdlO
j>'wp:m
IAs5h|
vlqb!P
8R	~HZ
wxr""/p
wr""/p
ozR1ML
oLLLLL
wwwwwwwxp
"""""/
"""""/
wwwwwwww
zz1111MMM
^zz1111MM
^zz1111M
^zz1111
^zz111
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
    </application>
  </compatibility></assembly>P
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
120829000000Z
140829235959Z0
Nevada1
Carson City1
	LI Impact1>0<
5Digital ID Class 3 - Microsoft Software Validation v21
	LI Impact0
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0;
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
VeriSign, Inc.1
VeriSign Trust Network1:08
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
<VeriSign Class 3 Public Primary Certification Authority - G50
100208000000Z
200207235959Z0
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
[0Y0W0U
	image/gif0!0
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
VeriSignMPKI-2-80
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA