Sample details: e93ba507b5541faaaa778a697e356820

Hashes
MD5: e93ba507b5541faaaa778a697e356820
SHA1: 87b53e3f36085d3babed7e32cdb03d93d6b4ff49
SHA256: 831028b5971a96c47af7797d06e439234dc9112a16ddbbc8b4e4c436c15ee94f
SSDEEP: 3072:ibheNN98Vlt9E90eH/6n7bumlnai3vGVY/Bj67611bHrbg7stnX5201ynKu:PmV690ef4bSEGVY/Q0fbNXMnf
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Armadillo_v4x | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/win_files_operation | YRP/Big_Numbers4 | YRP/Big_Numbers5 | YRP/VC6_Random | YRP/Typical_Malware_String_Transforms | YRP/IndiaBravo_RomeoCharlie | YRP/IndiaBravo_generic | YRP/wiper_unique_strings | YRP/firewallOpener | FlorianRoth/Typical_Malware_String_Transforms
Source
http://ihtour.net/board_period/taskhost.exe
Strings