Sample details: 341e985543bd48c6182912988e2e0ebf --

Hashes
MD5: 341e985543bd48c6182912988e2e0ebf
SHA1: f09ef1a973c10797b70f7dd4b4a0bc12562ce1aa
SHA256: be5281b9174330dd4d1df3fe2871372d92398732a92d49f3ef8b0cd6b0301982
SSDEEP: 1536:Cw5kDyNw1UTSjWa/dmxRAG4XPnsJrypU4Ouk32how9ufeGiWN5A/i4qNz:j5kDMw1U2jWa0R74/svl32z9u1RNyaLB
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | YRP/suspicious_packer_section |
Parent Files
6ebff6659608d8bb5c4885268eceea55
Strings
		!This program cannot be run in DOS mode.
Rich;F
SVWj@3
SVWj@3
SeDebugPrivilege
kernel32
IsWow64Process
ConsentPromptBehaviorAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\system32\
%s "%s" pfjaoidjglkajd %s
%s "%s" m3
%s "%s" pfjieaoidjglkajd
%08Xce.dll
mml16026
mml98%s.ocx
mml99%s.ime
CloseHandle
ReadFile
CreateFileA
GetTickCount
WriteFile
FindClose
FindFirstFileA
SetFilePointer
SetFileTime
GetFileTime
GetFileSize
GetModuleFileNameA
GetModuleHandleA
FreeResource
LoadResource
SizeofResource
FindResourceA
GetProcAddress
GetCurrentProcess
GetWindowsDirectoryA
CreateProcessA
ExitProcess
KERNEL32.DLL
wsprintfA
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
sprintf
strchr
strlen
memcpy
MSVCRT.dll
WSOCK32.dll
!This program cannot be run in DOS mode.
@.reloc
jah038_fd_regamle_%08d_
IME File
System\CurrentControlSet\Control\Keyboard Layouts\
Keyboard Layout\Preload
sfc_os.dll
\system\
mml99*
mml99%s.ime
win39%08x.dll
Chinese( PRC )
SeDebugPrivilege
\system32\
tXVWSP
SVWj@Z3
VWj@Y3
SVWj@3
GetProcAddress
LoadLibraryA
VirtualAlloc
VirtualFree
CloseHandle
ReadFile
GetFileSize
CreateFileA
GetVersionExA
GetModuleFileNameA
GetCurrentProcessId
ReleaseMutex
LocalAlloc
GetTickCount
MultiByteToWideChar
lstrlenA
MoveFileExA
DeleteFileA
CopyFileA
GetWindowsDirectoryA
GetSystemDirectoryA
lstrcpyA
lstrcatA
CreateThread
TerminateProcess
GetCurrentProcess
GlobalAlloc
GlobalFree
SetEndOfFile
WriteFile
SetFilePointer
GetModuleHandleA
FindClose
FindFirstFileA
GetTempPathA
GetLastError
CreateMutexA
SetFileAttributesA
GetFileAttributesA
FindNextFileA
KERNEL32.dll
wsprintfA
ActivateKeyboardLayout
SystemParametersInfoA
GetKeyboardLayoutList
GetKeyboardLayout
RegisterClassExA
LoadCursorA
UnregisterClassA
MessageBoxA
USER32.dll
RegSetValueExA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
SHELL32.dll
memcpy
memset
strstr
_strlwr
strcpy
strrchr
strlen
sprintf
strcat
_except_handler3
??3@YAXPAX@Z
??2@YAPAXI@Z
_stricmp
strchr
MSVCRT.dll
ImmIsIME
IMM32.dll
IMEHost.dll
CandWndProc
CompWndProc
IMEClearPubString
IMESetPubString
ImeConversionList
ImeEnumRegisterWord
ImeInquire
ImeRegisterWord
ImeUnregisterWord
StatusWndProc
UIWndProc
pfjieaoidjglkajd
ImeConfigure
ImeDestroy
ImeEscape
ImeGetRegisterWordStyle
ImeProcessKey
ImeSelect
ImeSetActiveContext
ImeSetCompositionString
ImeToAsciiEx
NotifyIME
5 565R5[5
6$6y6~6
8@9M9T9t9
;2;L;];j;
;0k0x0
181T1u1
2+323M3b3
8K:W:^:
; ;%;O;y<
>"?-?4?:?@?M?^?d?~?
0.151<1X1b1`3B4
797J7Q7Y7v7
7*868Z8
!This program cannot be run in DOS mode.
.reloc
SeDebugPrivilege
WSPStartup
win%08x.dll
SVWj/3
SVWj@3
CloseHandle
CopyFileA
GetTickCount
FindClose
FindNextFileA
FindFirstFileA
GetWindowsDirectoryA
GetProcAddress
LoadLibraryA
GetModuleFileNameA
MultiByteToWideChar
GetLastError
GlobalAlloc
GlobalFree
LoadLibraryW
ExpandEnvironmentStringsW
GetModuleFileNameW
KERNEL32.dll
wsprintfW
USER32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
SHELL32.dll
sprintf
memset
strcpy
_except_handler3
strchr
swprintf
memcmp
wcscpy
memcpy
strcat
strstr
MSVCRT.dll
WSCWriteProviderOrder
WSCInstallProvider
WSCEnumProtocols
WSCGetProviderPath
WS2_32.dll
UuidCreate
RPCRT4.dll
LSP.dll
WSPStartup
T1X1j1
2M2]2l2
7L8]8f8m8
9%969Q9
<<=B=R=X=^=d=
!This program cannot be run in DOS mode.
`.reloc
SeDebugPrivilege
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
%s_%d.jpg
_0.jpg
wininet.dll
\wininet1.dll
\wininet.dll
WinInet
HttpSendRequestEx
Option
action=getRate
%02X%02X%02X%02X%02X%02X
MOYU_%s.tmp
ServiceName
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
soul.exe
<St	<Jt
1234567890
	QWERTYUIOP
ASDFGHJKL
ZXCVBNM
NtCreateThread
ntdll.dll
\ntdll1.dll
\ntdll.dll
tqat.exe
wlzs.exe
Kernel32.dll
CreateThread
3DRole.dll
SoulLogin.dll
FFFFFF
%c:%s %c:%s %c:%s
VAR_FOCUS
jahMOYU16026_rel_regamle_%08d_
play.exe
QQSVW3
SVWj@3
SVWj@3
SVWj@3
VWj@Y3
SVWj?3
SVWj@3
VVVVh,< 
SVWj?3
SSSSh<< 
jPXSSj
SVWj@3
SVWj@3
j PShT< 
QQSVW3
SVWj@3
DSVWh\@ 
v#VhT  
tXVWSP
CloseHandle
GetCurrentProcessId
CreateToolhelp32Snapshot
VirtualProtect
GetProcessHeap
HeapAlloc
Process32Next
Process32First
GetFileSize
CreateFileA
GetModuleFileNameA
LoadLibraryA
GetModuleHandleA
WideCharToMultiByte
MultiByteToWideChar
GetProcAddress
FindClose
FindFirstFileA
WriteProcessMemory
OpenProcess
GetTempPathA
GetCurrentProcess
ReleaseMutex
GetLastError
CreateMutexA
GetSystemDirectoryA
DeleteFileA
VirtualProtectEx
GetLocalTime
ReadFile
SetFilePointer
IsBadReadPtr
VirtualFree
ReadProcessMemory
VirtualAlloc
VirtualQueryEx
SetThreadPriority
CreateThread
CopyFileA
GetTickCount
GetPrivateProfileStringA
ExitProcess
TerminateProcess
WritePrivateProfileStringA
DeviceIoControl
lstrcmpiA
SetUnhandledExceptionFilter
KERNEL32.dll
wsprintfA
GetWindow
GetClassNameW
GetForegroundWindow
GetWindowTextW
ReleaseDC
GetWindowRect
IsWindowVisible
ToAscii
GetKeyboardState
PostMessageA
GetClassNameA
GetWindowTextA
GetDesktopWindow
FindWindowA
USER32.dll
DeleteDC
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
GetDeviceCaps
CreateDCA
GDI32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegEnumKeyExA
ADVAPI32.dll
SHELL32.dll
memset
memcpy
_except_handler3
strcat
strlen
_stricmp
malloc
strchr
sprintf
strncpy
isspace
isalnum
strcpy
??3@YAXPAX@Z
wcscmp
??2@YAPAXI@Z
mbstowcs
wcscat
wcscpy
wcslen
strstr
wcsncat
wcsstr
sscanf
_vsnprintf
strrchr
_strlwr
MSVCRT.dll
WSOCK32.dll
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipDisposeImage
GdipSaveImageToFile
GdiplusStartup
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
gdiplus.dll
_strupr
_strcmpi
Stolor.dll
pfjaoidjgfdjkj
pfjaoidjglkajd
B%:$0-
L$,hB.A
M`QVDZh/
hkG0WS
:hnJdN
Mbt'[y
CMYWcMc0"
GOQc0"Aa
WYM#cmYWQa]
\T:zdF
2MxjZDf
PJzd\B^PDZVHpnLO+
1/9jBLv%
]k8*i]3q
jl?7)#
CWYmsOQo
Mj}|cu
F^0tjx
1?%vN@tjd
q	(H0>
h@^R\LRp
#@j95+!
MmXOMW}
}	n4;/
MmkxjpH-/lxv`
p9mO_AyWwic
S[Eywm
t@N^@xfN`DZB\B
')7TtjR<v5
xw1i'%
.}qo}>
E|jzhv
Mt^EGy
zZDlB`
Muv{tN
1/-~h+?!-39
MvaFTB
;79)7/!
Mwyn|nS
	n,<"<
C]e{gIk
2`FV8v
q#00Hp
|PNb|V
woa{(:i[
bZDhvjtJ
M~lmr`
vVH`~D
ZD|bdG
^FXZ	?lV
2 2WMs0$J
NT`~RLR
UmsKUk
vLf57tdj~`B!
;9zNPZ
VJTL"fxZ	
HG0T.!o}IWy:
#p\rX"a>M	
A8NOh$
>(>D>`>|>
161;1j1x1
3,3:3I3
4)464D4T4
415B5S5Z5
6)6C6Z6n6
4<5B5[5j5u5
5"6`6q6
7'8,878<8
;/;C;`;
<@<]<t=J>U>
60=0S0Z0|0
0 1H1|1
1*2D2L2W2^2o2
3!383=3H3V3]3c3n3
3 4*424t4|4
6(6g6~6
6A7V7c7j7
8&8F8O8f8p8
=!=_=e=t=
5 535f5
70868Q8c8
424H4Q4a4p4x4
8"9O9c9
;B;M;n;x;
=#=7=]=h=o=
=>>E>X>]>c>
1:1Z1c1r1
2H3R3f3
4,4<4C4X4i4y4
5'5=5D5T5[5j5r5}5
6(61676K6e6m6{6
7&7/7A7X7^7i7s7
8%8=8F8P8W8_8
9#909w9
:,:2:7:J:Q:W:\:o:~:
;+;1;>;D;P;V;_;f;
<)<4<<<C<I<
2/2F2p2u2~2
4%4=4{4
6-646;6@6F6`6g6n6s6y6
8;8\8t8
979x9~9
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0"
     processorArchitecture="X86"
     name="IsUserAdmin"
     type="win32"/>
  <description>Description of your application</description>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="highestAvailable"
          uiAccess="false"/>
        </requestedPrivileges>
       </security>
  </trustInfo>
</assembly>