Sample details: 664ecb6af2af6469eb9b244db34449ff --

Hashes
MD5: 664ecb6af2af6469eb9b244db34449ff
SHA1: f950ee4efd8919142d1ac3af81e18cba1db9add6
SHA256: 4704de87ef010ac7a8d04e2e650e53527d4b924c4e3900f98edbc16dbd0f75c2
SSDEEP: 6144:ew3xp0yN90QEwjoJTbe249BIDtPwqfPEL/gnwLE8bqkEBpJ3TJlR4erq:ew8y90RpbRWBktPw6P6InKbqF9FBq
Details
File Type: PE32+
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation |
Sub Files
a7e89f6bb73a1e94778627bf054567a9
Source
http://hgfjhfs.ru/pdgfhj56.EXE
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.rsrc
@.reloc
D8	t	H
L$ SVWH
@8+tiH
UVWATAUAVAWH
t"D8!H
tiE8&tdL
A_A^A]A\_^]
u#!D$(E3
UATAVH
H!t$0H
H!t$ E3
uF!D$(E3
UVWATAVH
A^A\_^]
USVWATAUAVAWH
HA_A^A]A\_^[]
t$ WAVAWH
u-!|$(E3
!|$(E3
!|$(E3
u !D$(L
!D$(E3
x UATAUAVAWH
A_A^A]A\]
u?!D$(E3
u7!D$(E3
UATAUAVAWH
A_A^A]A\]
u !D$(E3
WATAUAVAWH
A_A^A]A\_
UVWATAUAVAWH
pA_A^A]A\_^]
@USVWATAUAVAWH
8\$pu>
A_A^A]A\_^[]
u*!D$(E3
u.!D$(E3
x AUAVAWH
@A_A^A]
x UAVAWH
fD9w4u
tvD95M
9D$Pu+9\$`u%9\$du
!\$(E3
u !D$(E3
u=!D$(E3
u3!D$(E3
l$ VWAVH
` UAVAWH
uO!D$(E3
x UATAUAVAWH
A_A^A]A\]
|$ UATAUAVAWH
< ti,	<
D8|$Ct
<At	<Ut
A_A^A]A\]
8\u*H;
u*9Q<|%
LcA<E3
 H3E H3E
advapi32.dll
CheckTokenMembership
Reboot
AdvancedINF
Version
setupx.dll
setupapi.dll
SeShutdownPrivilege
advpack.dll
DelNodeRunDLL32
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
HeapSetInformation
EXTRACTOPT
INSTANCECHECK
VERCHECK
DecryptFileA
LICENSE
<None>
REBOOT
SHOWWINDOW
ADMQCMD
USRQCMD
RUNPROGRAM
POSTRUNPROGRAM
FINISHMSG
LoadString() Error.  Could not load string resource.
CABINET
FILESIZES
PACKINSTSPACE
UPROMPT
IXP%03d.TMP
msdownld.tmp
TMP4351$.TMP
RegServer
UPDFILE%lu
Control Panel\Desktop\ResourceLocale
wextract.pdb
.text$mn
.text$mn$00
.text$x
.rdata$brc
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIY
.CRT$XIZ
.cfguard
.rdata
.rdata$zzzdbg
.xdata
.idata$2
.idata$3
.idata$4
.idata$6
.pdata
.rsrc$01
.rsrc$02
GetTokenInformation
RegDeleteValueA
RegOpenKeyExA
RegQueryInfoKeyA
FreeSid
OpenProcessToken
RegSetValueExA
RegCreateKeyExA
LookupPrivilegeValueA
AllocateAndInitializeSid
RegQueryValueExA
EqualSid
RegCloseKey
AdjustTokenPrivileges
ADVAPI32.dll
GetShortPathNameA
GetModuleFileNameA
FindFirstFileA
GetCurrentProcess
FindNextFileA
ExpandEnvironmentStringsA
FindClose
LocalAlloc
lstrcmpA
_lopen
_llseek
CompareStringA
GetLastError
GetFileAttributesA
GetSystemDirectoryA
LoadLibraryA
DeleteFileA
GlobalAlloc
GlobalFree
CloseHandle
WritePrivateProfileStringA
IsDBCSLeadByte
GetWindowsDirectoryA
SetFileAttributesA
GetProcAddress
GlobalLock
LocalFree
RemoveDirectoryA
FreeLibrary
_lclose
CreateDirectoryA
GetPrivateProfileIntA
GetPrivateProfileStringA
GlobalUnlock
ReadFile
SizeofResource
WriteFile
GetDriveTypeA
LoadLibraryExA
SetFileTime
SetFilePointer
FindResourceA
CreateMutexA
GetVolumeInformationA
WaitForSingleObject
GetCurrentDirectoryA
FreeResource
GetVersion
SetCurrentDirectoryA
GetTempPathA
LocalFileTimeToFileTime
CreateFileA
SetEvent
TerminateThread
GetVersionExA
LockResource
GetSystemInfo
CreateThread
ResetEvent
LoadResource
ExitProcess
GetModuleHandleW
CreateProcessA
FormatMessageA
GetTempFileNameA
DosDateTimeToFileTime
CreateEventA
GetExitCodeProcess
KERNEL32.dll
GetDeviceCaps
GDI32.dll
GetDesktopWindow
CharUpperA
SetDlgItemTextA
ExitWindowsEx
MessageBeep
EndDialog
CharPrevA
LoadStringA
CharNextA
EnableWindow
ReleaseDC
SetForegroundWindow
SetWindowLongPtrA
GetWindowLongPtrA
PeekMessageA
GetDlgItem
SendMessageA
SendDlgItemMessageA
MessageBoxA
SetWindowTextA
CallWindowProcA
GetDlgItemTextA
DialogBoxIndirectParamA
ShowWindow
MsgWaitForMultipleObjects
SetWindowPos
GetWindowRect
DispatchMessageA
USER32.dll
_vsnprintf
memcpy_s
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
_cexit
_ismbblead
__setusermatherr
_initterm
__C_specific_handler
_acmdln
_fmode
_commode
msvcrt.dll
?terminate@@YAXXZ
COMCTL32.dll
Cabinet.dll
GetFileVersionInfoSizeA
VerQueryValueA
GetFileVersionInfoA
VERSION.dll
GetStartupInfoW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
EnumResourceLanguagesA
GetDiskFreeSpaceA
MulDiv
GetSystemMetrics
memcpy
memset
System\CurrentControlSet\Control\Session Manager
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Software\Microsoft\Windows\CurrentVersion\RunOnce
wextract_cleanup%d
rundll32.exe %s,InstallHinfSection %s 128 %s
PendingFileRenameOperations
DefaultInstall
Command.com /c %s
%s /D:%s
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
SHELL32.DLL
DoInfInstall
SHBrowseForFolder
SHGetPathFromIDList
*MEMCAB
AVI LIST
hdrlavih8
strlstrh8
vidsRLE 
LISTv$
movi00dc(
wgwwxx
wwwwwwp
wwwwwwp
\)((Bc 
tZXXXj!
kXZt&'pp
\Xt'Qp
IhhI>In
IG>G>h
:>G>G>h
ICGIGn
:>>>H>r
eeRC>:y
RCIeeee
kII=GCR
>~32"*_h
nhII:h
h40.+Il
{{aFIdqx
WPMMMPPUW
WWWUWW
W***lf
****kf
PM/1NJ\
~dD>>CEwC9
8w>68~
~xxwwEwu~
ExxwwEEx
X)$DJF
}:75235:p~
"&&4(A?=
(@KM<"
Q999999999Q
GGGGGGGGGGG
>J >*	
wh:Mzn
{BPMS}
h0`0p@o6kll4
,m$I"=
SX+3	cT}0
[H)Yk6x
gF@m1%
(C!xg0
?Ed`n0
6_z0#;
Gx:=,F1
]h]e()I
ij8::f{{
iw;t:=
B/#5/s
xl}QO.
Gg}W_n
xgXw	T2=F
$&Bu^C
VaL_d1PY
n`nT";
78><bp
RCYH($
Bj,*3E
t\gWh$
F'u@&:
GdYNRV
<g0>&o
ZpNbx!
nE&Lh/
PH7TJ)
Mx!]x1
9NZ|QA9
!#hG*I
VLon8:
4mp-LeQ
|Zg}UUK
Z-Y,fX
b3eSAy
R!Spss
dCJ5@K
GGGXky
aaV<^-
|bdA*0jq 
@^@i-"
D,evd2
6X'e7U
@75MU:
cVUI)#j]
M{Zk}Hr-@
f?:88x#
W%y%)JMU
pINJJ<KP[Efk
Y%HRIZH
x4z]*EU
G`Zw-B)p
4K9=9e
T1R;D2]
j[3PC"$
A6@XAY
mma[W[
"	uUQ45MS#
L&V)eNNN
Y.s0)Q4a
'FtHc1
n@WXl3
TX@'IR
_>99y5I
8I&DQF
QIDAT{
UUqttt
I\D <,
#)QQD"#
W6Z]#P\
LaFN"M
la:EOu#
c:gazz
gA`0)%UJ
9=D2'O
yyHaOO
P@@sRCC
O??qYIIYVEECRBB
L==^\KKpYHHeUDD2SDD
J<<Q[IIaZIIfXGGKVFF1WII
J<<BYHHSYHHVXHHCXHH8SDD#RCC
H::2UEE:UDD9TEE)SCC"SED
SCC%RBB"QBB
www	IJJ
]LLNQBB
aOOx[JJgSCC%QBB
\JJX[IIdZJJQUEE&QBB
ZII?XGGKXGG?TDD0SDD
SCC%QBB
lll	:::
~~~	===
ab`L4K*
ZZ[:443
WFFYO??
eee8AB@
[IIZYHHRVFF;RCC
jjj;FFD
[HH/RBB
ggg=EED
FFF?@>?
[\\?>>=
]^^@JAC
^__AQFJ
cccCIHH
YYYEHGG
TTTI444
WWWILLL
PA<None>
PP_OUT~1.EXE
)I^m=;II.
86o-v[Eq
5Ev',p
ls.&nN
[nK-al
P[a2fY
609lS5=
\jZz7i
,r\}Aa
v	o's$
JP>(J"
`V`b>2
  %e~l\T
0Cp.9]
c?p9xM
rFMs	A$
k;m'z!
/9D<jsc[V@
j4]} 14
PjbcX?
(8kYim
Z7+q/OMVPj
,^~Ud=I
Rqmj"P
7dWH^?
1GVLnH
x^8?oX
~Q>/kG
\SaaL8
2.@zG5
1d;(V'
pJzVWX
W	r^";U
N'QrD<|$A
X}[X,.%
h*N7(%
	)$vZ#
4s7]QpW
GXq/no
5JY:K@
7:2QT=
=%uAAxj
;0)4>u
YWBj!hL#
Y.@lv	G
z=KYYt
Q^$LOr
]o(mpB='~
rm,Y{Y
>jt=2Y
>}z#Q`+
RTpvB-
,_6Ej2x
#VlsFV
Z_BR>5
 JiOOEa<
BveQf4SS
O!r.^G
: UBS;
F**'9(6
*o&o>Kc
4u#4w;
qbNi&{
j.);P 
0 L"fp@
zj>Ie##
	K`~01
JV'Z}7
z.s7>2
%yQ|^@
Bbv%|-
r`%39n
.uQZzk
l%-nd7~
hO9,\n
X"s>"^
sK1<8i
mx'7\'
y73QRh
=BGJJn([x
KCv6:q|u
@l;;-3
.).?T 
]v^\o&,/<
l;Sq2X
}1P#S(c
DThWEZ%Grn
u#Fqv/Y
MyD3-Y+k
3v^ZK:
G9Q$,D
*$<qDi
.9[awX}C
C|;?Hx
^l]}Rs
GO/+v&"|
5uw9gF
Bst6l`
#\j[V(
E{262F
n`-uxN
;suSZ<
[2=Wcw
gSroxk
+]nOQ!pE+>NSr
I4o''D
LM)"ja
st	+D1
.?{cW.
|'M_6T
DqVM+>Mh
kxzw6.
DNr@Bt
4k^Km+,
7!F%HWW
0iW2	8
~.<2&r$
y`&k-v
_lPv;5;
0+p)g*
QbaA; 
,DHe7[
VH_-xa
fr-O;j
`GIu=4#G\
|	r7G?
(&li|\s
"J{0]p#
s	6Geq
H;3Bac
A,#1t,
S|e#>?
Y$[(f%oW
e~ !"6
C{v5iU
$}D#vH!8
"P9~n74
aDEKTL
<[j,_4^DRe[
Ned$Ot
}{)F-)A3z
&75+>S
dMyNBG'H'
iZ gDD
9B 0ii
0yF-.'`~
S4)Jik
5G'< '
fpR\huw2
j3z"Pd\/
Yaq,QTj
t9bR]P
1dRm)p
>kY~e7
YFs.Lyh
VP OG<
:6:,MH
Gl-Mhc7
bZ7OGv
, C'2`
_"-;eB7
%P}%!c
Y.#-Li
6H:k_}
P %qby
MdOib[X
2"J>dVv
(;UQPZJD
jX1+))R
vM-XtW
qwCADT
52M=ay
NLYMk$b
,>OS?j
:XJoYm]e
h~nf4c{
#;q7tmR
5Vu'-<
}1^@`uF
n{1iD7N
J:}-y#
qsax>6N|
C>M,5O
B3~?sS
G?fOg$
(*r~Lp)
c4]4Ih
'A,Ie`
aUCF'Ps
&o@_e~
wwc2+.
6*@.Ns2<
F`g*Z*
T70XX]
+E92P<4
M|4,V5
&w1~&S
#t#\ly
,%cR{F
$z[Ef+
lE;THtiK0
:%{g$X
$+<`'V
A<3_d&
B$pV:.*
C%YLX*
9@6;15
a	~P%a
._aVR_
*dH6aw
3hY@vl
PcjSvpI
2: J.f
`#fp@h)
(yh"Yeh
#<r J5X
	gd@eO
BiAg;S@
jr?^ng
Sk`C`-T&
jRVqI)
:~!cLN
ob0Qpk
">$XxA
~IC`J(
\;V*ooq
(6"r.h4	
	d^S_j
rt]`X6
~QD#%R
`)ot>6
9[tRc|
?(f@Fz
0]{RVd
Wz&<-c*z
I=+LD[
yM' :`p
U0GP'%p
;A`Y4(V
O?!%Y*
@r1.Oy
}RJH3oqh
Z0B-A=j+S
*[^-Az
Z%0s=U
n3 T>l
'S`cu0:
%&@;CE
,E1!g7
xC`_?`]
1<d_5o&
a~7\l!
bsv7cG
4'.y3N
F#Vfkfi
9sdu;wX
W(kRlx"
"+4i:j
wZv.Vj
t!0%dl
_4\r<|
~31Ot5
dfLqFZ
uA7]*!
Zu!dv/{
p:JmL/4:opt
[Dq<.cs5
J7W@@-
|0$XL"
}MP]E5
?]w0m'
q407x~
u@MPdd
o rn{w%P
DKn~>!
<Er{IP	
D4;9+s
.,u*o|
U9	2zQ
dW[':	
dS9GiY
f^O4#\W
2;3CZ,q
No7>lE
^g=K}o
#u!O0wa
?E66/I
{k}Xx@[
41F{.!
O652vv
 Y-2'"
w g&`u
I#{JBhV
8g<%Q}
oDM+?sU
g8G3QV?X
VU		cE
RGz[t^f
X~Kg:9
k.}mQo
;]\-{tWcv
7^+C9-*,
uNk4[_$
w]1WhT/p|
Dl=Ids
It9VW`
GZx=CMp{vd
-eWauR
ObxFkB
mC4UTTVCUpGH
;_R^vFf
acP^d5
[,'Fw^GR
Pnk^kd
'5zq_$
	v;8y+
 U2V#=*y|
<None>
P<None>
<None>
PP_OUT~1.EXE
hgbgdfxcv
PA<None>
P<None>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="5.1.0.0"
     processorArchitecture="amd64"
     name="wextract"
     type="win32"/>
  <description>IExpress extraction tool</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
          type="win32"
          name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0"
          processorArchitecture="amd64"
          publicKeyToken="6595b64144ccf1df"
          language="*"
       />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="asInvoker"
          uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
    <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
        <application> 
            <!--This Id value indicates the application supports Windows Vista/Server 2008 functionality -->
            <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
            <!--This Id value indicates the application supports Windows 7/Server 2008 R2 functionality-->
            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
            <!--This Id value indicates the application supports Windows 8/Server 2012 functionality-->
            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
    	    <!-- This Id value indicates the application supports Windows Blue/Server 2012 R2 functionality-->            
    	    <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
    	    <!-- This Id value indicates the application supports Windows Threshold functionality-->            
    	    <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
        </application> 
    </compatibility>
</assembly>
PAPADDINGXXPADDINGPADDINGXXPAD