Sample details: cf36e301c098dc696c5ab2b4c413190a --

Hashes
MD5: cf36e301c098dc696c5ab2b4c413190a
SHA1: 7dd13b7c9de655c4bd84716d67beafc21aa98c1a
SHA256: ac5fdd4b73663a7d88701324ae50b889e801adb697b1e5632dc538b9ae46e399
SSDEEP: 1536:cEXuz9nq22I3pLjjzkgdKVwf7XJPIOSSdj0/yoLzP0/XxLtKLdixCzeKm9M8LBxv:cEY9JkgdKVwzIXcpYZf/4BfR13a2F
Details
File Type: Composite
Added: 2018-12-26 16:12:14
Yara Hits
CuckooSandbox/embedded_pe | CuckooSandbox/embedded_win_api | YRP/NETexecutableMicrosoft | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/Sandboxie_Detection | YRP/Base64d_PE | YRP/ThreadControl__Context |
Strings
		;;B&F7B
B4FhD&B
E(?(E8B
DrDhD7H
ExE(;2D
;;B&F7B
B4FhD&B
?dA/B6H
@H??wElDj>
@H??wElDj;
Name_D7D112F049BA1A655B5D9A1D0702DEE5TypeAdminExecuteSequenceActionConditionSequenceCostFinalizeCostInitializeDIRCA_TARGETDIRTARGETDIR=""FileCostInstallAdminPackageInstallFilesInstallFinalizeInstallInitializeInstallValidateAdvtExecuteSequenceCreateShortcutsMsiPublishAssembliesMsiUnpublishAssembliesPublishComponentsRegisterClassInfoRegisterExtensionInfoRegisterMIMEInfoRegisterProgIdInfoComponentComponentIdDirectory_AttributesKeyPathC_DefaultComponent{4C231858-2B39-11D3-8E0D-00C04F6837D0}TARGETDIR0CustomActionSourceTarget[WindowsFolder]\TempDirectoryDirectory_ParentDefaultDirSourceDirFeatureFeature_ParentTitleDescriptionDisplayLevelDefaultFeatureFeatureComponentsFeature_Component_FileFileNameFileSizeVersionLanguageInstallExecuteSequenceAllocateRegistrySpaceNOT InstalledAppSearchBindImageCCPSearchCreateFoldersDIRCA_CheckFXDeleteServicesVersionNTDuplicateFilesERRCA_CANCELNEWERVERSIONNEWERPRODUCTFOUND AND NOT InstalledFindRelatedProductsInstallExecuteInstallODBCInstallServicesIsolateComponentsRedirectedDllSupportLaunchConditionsMoveFilesPatchFilesProcessComponentsRMCCPSearchRegisterComPlusRegisterFontsRegisterTypeLibrariesRemoveDuplicateFilesRemoveEnvironmentStringsRemoveExistingProductsRemoveFilesRemoveFoldersRemoveIniValuesRemoveODBCRemoveRegistryValuesRemoveShortcutsSelfRegModulesSelfUnregModulesSetODBCFoldersStartServicesStopServicesUnpublishComponentsUnpublishFeaturesUnregisterClassInfoUnregisterComPlusUnregisterExtensionInfoUnregisterFontsUnregisterMIMEInfoUnregisterProgIdInfoUnregisterTypeLibrariesVSDCA_VsdLaunchConditionsValidateProductIDWriteEnvironmentStringsWriteIniValuesWriteRegistryValuesMediaDiskIdLastSequenceDiskPromptCabinetVolumeLabelPropertyValueARPCONTACTwww.exetomsi.comManufacturerProductCode{29EF7317-DCA1-4159-97B2-C883AD400AC6}ARPNOMODIFY1LIMITUIProductVersionProductLanguage1033ProductNameExe to msi converter freeUpgradeCode{1630D902-D790-41C1-AE26-9D5E5D17566F}BinaryData2.0.0_B3D13F97_1369_417D_A477_B4C42B829328NOT REMOVE~="ALL"
Windows Installer
Exe to msi converter free
www.exetomsi.com
devuser
{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
!This program cannot be run in DOS mode.
`.rsrc
@.reloc
v2.0.50727
#Strings
<Module>
BAMIDELE.exe
Program
Chockovich
ExecutionState
mscorlib
System
Object
VirtualProtect
FindPassword
Characters
PathExtra
NatProc
GetModuleHandle
FindResource
LoadResource
SizeofResource
ReadNative
LoadPersis
Startup
PreventSleep
SetThreadExecutionState
EncryptDecrypt
Recurse
ForbidMem
HideFiles
DetectSandboxie
Win10Rekt
Decompress
value__
EsAwaymodeRequired
EsContinuous
EsDisplayRequired
EsSystemRequired
System.Text
StringBuilder
CreateProcess
GetThreadContext
NtUnmapViewOfSection
ReadProcessMemory
ResumeThread
SetThreadContext
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
FUcKUCTkNh
SZFCPdNuRfuvjeLSPFojhWzfQOHYI
System.Reflection
AssemblyFileVersionAttribute
AssemblyVersionAttribute
AssemblyCultureAttribute
AssemblyTrademarkAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
BAMIDELE
System.Runtime.InteropServices
DllImportAttribute
kernel32.dll
hProcess
dwAddress
flNewProtect
lpflOldProtect
OutAttribute
module
hModule
lpName
lpType
hResInfo
Assembly
GetExecutingAssembly
get_Location
Marshal
System.Diagnostics
Process
GetProcessesByName
System.IO
GetFileNameWithoutExtension
Directory
GetCurrentDirectory
String
Concat
Exists
Convert
FromBase64String
WriteAllBytes
GetEntryAssembly
Replace
Environment
SpecialFolder
GetFolderPath
WriteAllText
esFlags
Encoding
get_ASCII
GetBytes
Lenght
Position
BaseString
op_Equality
GetCurrentProcess
get_MainWindowHandle
ProcessModule
get_MainModule
get_BaseAddress
IntPtr
op_Explicit
FileInfo
FileSystemInfo
FileAttributes
set_Attributes
ToInt32
GetTempPath
Format
ProcessStartInfo
get_StartInfo
set_WorkingDirectory
set_FileName
set_CreateNoWindow
set_Verb
ProcessWindowStyle
set_WindowStyle
WaitForExit
MemoryStream
System.IO.Compression
GZipStream
Stream
CompressionMode
ToArray
IDisposable
Dispose
.cctor
<PrivateImplementationDetails>{EAAE31C9-0E0D-4276-A08D-229B6EDE135E}
CompilerGeneratedAttribute
ValueType
__StaticArrayInitTypeSize=134
$$method0x6000021-1
RuntimeHelpers
RuntimeFieldHandle
InitializeArray
FlagsAttribute
kernel32
appName
ncPWrTtnwB
ajsWuhvqQw
ImgRYylvav
TKhoZneSnJ
MarshalAsAttribute
UnmanagedType
znApNHgxFv
VxSlumYFjp
curDir
hDEoWacPTO
fScCxCbK
dCFovEGjg
vjLloMTzwA
aetFAhLrrb
fQUrBbidXi
fQUrBbidXiSize
fjiKacYpW
fScCxCbKead
allocType
IbilkzRxcG
vjLloMTzwAess
lpAddress
dlzgRdJEG
lItsvVoNdJ
RlMujpqsvw
FZbaNCDjmC
KGCvUwpVto
oKACSSDbTN
get_Handle
lpProcess
GCHandle
GCHandleType
AddrOfPinnedObject
BitConverter
ToInt16
Buffer
BlockCopy
System.Security
UnverifiableCodeAttribute
2.5.4.3
Media Center
Sew solution
Berscare communications
PennoPenno
WrapNonExceptionThrows
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
_CorExeMain
mscoree.dll
0T-0Tm
M)"&	3
XOk\/u
qy#bMb
v~AZew
,pZXx.
-kqGj`
m]Bv5y
;PK	'{1
>	81~_j
$y5r+zD
]2\mTM]Y\
m(:=2:r
>X7A!i
+,-R7a
}}]	l,
7m4qi,]
+{$:&0
7o+'B!
3N,7NG
V#o/> -N K
@`n&!c
!n'shjs
 3f2OY
X!D1r6>
c~mfm}
7KUvlHX
+>)cGF
C|R##-
k~_j<9
wJ".rC
~qJeN_
#]Mu..b
r-}W^?
[$5gw|
y2@e,7u
=o_sSJ"Y
AaxESu
OI_{+}q
>gTc"]O
yi[O [
4C#Ob\4
J=]TyE2
	vP3Tnf7
EX</}G%
UblY{O
{MNi@%
sv[_J65
56sptmuR
	tCe)/
:2k=vg
XUy*VU
CA!Zg?5
-(ry44*
N]5SKmD
VF!VN{
fn3vMO
UaSawoj)`
\W3T<>
Vpqt'%
'!YB[|
D<,Dc<
fU=yb}
;lEyYF
o:Ga=N!
8+tyS4
E5Y(a5Il
\fs?<0
kAbB"e
 19:$&
,w.D\"
)z';+u
8p4(4B
~ -cVW
uXD/0j$
h#]tO?
y3!Oif
u+9Awd
3.oxo;9g
&u/&x`
h FPD*
/d.&(9
s|P_[{
;/'VHw
jFOONK+
s}ryE!6
EI6wKJ9+
!#=#Yf
hK`9;/
zy0;1H`
v"+>lP
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD