Sample details: aa1978b9105d99cbd9331bce822a05ad --

Hashes
MD5: aa1978b9105d99cbd9331bce822a05ad
SHA1: de7c98c819f56c111d73f5582971329f00bdfe46
SHA256: 1f0b7d79bb14a7e6bb8d939e6a3f38ddbd3ef2c0446b0b69369eb39a52c2cf9d
SSDEEP: 12288:KwCy90e4dX0QUAgKBYIEAGZXvfhcXSdmfBcaZ:KwCy80oHBYI8ZXvfhcXUmKaZ
Details
File Type: PE32+
Added: 2019-09-10 23:44:28
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation |
Sub Files
479d5d9f4a2b35eadde34d93cb2dadff
Source
http://partaususd.ru/asdf.EXE
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.rsrc
@.reloc
D8	t	H
L$ SVWH
@8+tiH
UVWATAUAVAWH
t"D8!H
tiE8&tdL
A_A^A]A\_^]
u#!D$(E3
UATAVH
H!t$0H
H!t$ E3
uF!D$(E3
UVWATAVH
A^A\_^]
USVWATAUAVAWH
HA_A^A]A\_^[]
t$ WAVAWH
u-!|$(E3
!|$(E3
!|$(E3
u !D$(L
!D$(E3
x UATAUAVAWH
A_A^A]A\]
u?!D$(E3
u7!D$(E3
UATAUAVAWH
A_A^A]A\]
u !D$(E3
WATAUAVAWH
A_A^A]A\_
UVWATAUAVAWH
pA_A^A]A\_^]
@USVWATAUAVAWH
8\$pu>
A_A^A]A\_^[]
u*!D$(E3
u.!D$(E3
x AUAVAWH
@A_A^A]
x UAVAWH
fD9w4u
tvD95M
9D$Pu+9\$`u%9\$du
!\$(E3
u !D$(E3
u=!D$(E3
u3!D$(E3
l$ VWAVH
` UAVAWH
uO!D$(E3
x UATAUAVAWH
A_A^A]A\]
|$ UATAUAVAWH
< ti,	<
D8|$Ct
<At	<Ut
A_A^A]A\]
8\u*H;
u*9Q<|%
LcA<E3
 H3E H3E
advapi32.dll
CheckTokenMembership
Reboot
AdvancedINF
Version
setupx.dll
setupapi.dll
SeShutdownPrivilege
advpack.dll
DelNodeRunDLL32
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
HeapSetInformation
EXTRACTOPT
INSTANCECHECK
VERCHECK
DecryptFileA
LICENSE
<None>
REBOOT
SHOWWINDOW
ADMQCMD
USRQCMD
RUNPROGRAM
POSTRUNPROGRAM
FINISHMSG
LoadString() Error.  Could not load string resource.
CABINET
FILESIZES
PACKINSTSPACE
UPROMPT
IXP%03d.TMP
msdownld.tmp
TMP4351$.TMP
RegServer
UPDFILE%lu
Control Panel\Desktop\ResourceLocale
wextract.pdb
.text$mn
.text$mn$00
.text$x
.rdata$brc
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIY
.CRT$XIZ
.cfguard
.rdata
.rdata$zzzdbg
.xdata
.idata$2
.idata$3
.idata$4
.idata$6
.pdata
.rsrc$01
.rsrc$02
GetTokenInformation
RegDeleteValueA
RegOpenKeyExA
RegQueryInfoKeyA
FreeSid
OpenProcessToken
RegSetValueExA
RegCreateKeyExA
LookupPrivilegeValueA
AllocateAndInitializeSid
RegQueryValueExA
EqualSid
RegCloseKey
AdjustTokenPrivileges
ADVAPI32.dll
GetShortPathNameA
GetModuleFileNameA
FindFirstFileA
GetCurrentProcess
FindNextFileA
ExpandEnvironmentStringsA
FindClose
LocalAlloc
lstrcmpA
_lopen
_llseek
CompareStringA
GetLastError
GetFileAttributesA
GetSystemDirectoryA
LoadLibraryA
DeleteFileA
GlobalAlloc
GlobalFree
CloseHandle
WritePrivateProfileStringA
IsDBCSLeadByte
GetWindowsDirectoryA
SetFileAttributesA
GetProcAddress
GlobalLock
LocalFree
RemoveDirectoryA
FreeLibrary
_lclose
CreateDirectoryA
GetPrivateProfileIntA
GetPrivateProfileStringA
GlobalUnlock
ReadFile
SizeofResource
WriteFile
GetDriveTypeA
LoadLibraryExA
SetFileTime
SetFilePointer
FindResourceA
CreateMutexA
GetVolumeInformationA
WaitForSingleObject
GetCurrentDirectoryA
FreeResource
GetVersion
SetCurrentDirectoryA
GetTempPathA
LocalFileTimeToFileTime
CreateFileA
SetEvent
TerminateThread
GetVersionExA
LockResource
GetSystemInfo
CreateThread
ResetEvent
LoadResource
ExitProcess
GetModuleHandleW
CreateProcessA
FormatMessageA
GetTempFileNameA
DosDateTimeToFileTime
CreateEventA
GetExitCodeProcess
KERNEL32.dll
GetDeviceCaps
GDI32.dll
GetDesktopWindow
CharUpperA
SetDlgItemTextA
ExitWindowsEx
MessageBeep
EndDialog
CharPrevA
LoadStringA
CharNextA
EnableWindow
ReleaseDC
SetForegroundWindow
SetWindowLongPtrA
GetWindowLongPtrA
PeekMessageA
GetDlgItem
SendMessageA
SendDlgItemMessageA
MessageBoxA
SetWindowTextA
CallWindowProcA
GetDlgItemTextA
DialogBoxIndirectParamA
ShowWindow
MsgWaitForMultipleObjects
SetWindowPos
GetWindowRect
DispatchMessageA
USER32.dll
_vsnprintf
memcpy_s
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
_cexit
_ismbblead
__setusermatherr
_initterm
__C_specific_handler
_acmdln
_fmode
_commode
msvcrt.dll
?terminate@@YAXXZ
COMCTL32.dll
Cabinet.dll
GetFileVersionInfoSizeA
VerQueryValueA
GetFileVersionInfoA
VERSION.dll
GetStartupInfoW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
EnumResourceLanguagesA
GetDiskFreeSpaceA
MulDiv
GetSystemMetrics
memcpy
memset
System\CurrentControlSet\Control\Session Manager
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Software\Microsoft\Windows\CurrentVersion\RunOnce
wextract_cleanup%d
rundll32.exe %s,InstallHinfSection %s 128 %s
PendingFileRenameOperations
DefaultInstall
Command.com /c %s
%s /D:%s
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
SHELL32.DLL
DoInfInstall
SHBrowseForFolder
SHGetPathFromIDList
*MEMCAB
AVI LIST
hdrlavih8
strlstrh8
vidsRLE 
LISTv$
movi00dc(
wgwwxx
wwwwwwp
wwwwwwp
\)((Bc 
tZXXXj!
kXZt&'pp
\Xt'Qp
IhhI>In
IG>G>h
:>G>G>h
ICGIGn
:>>>H>r
eeRC>:y
RCIeeee
kII=GCR
>~32"*_h
nhII:h
h40.+Il
{{aFIdqx
WPMMMPPUW
WWWUWW
W***lf
****kf
PM/1NJ\
~dD>>CEwC9
8w>68~
~xxwwEwu~
ExxwwEEx
X)$DJF
}:75235:p~
"&&4(A?=
(@KM<"
Q999999999Q
GGGGGGGGGGG
>J >*	
wh:Mzn
{BPMS}
h0`0p@o6kll4
,m$I"=
SX+3	cT}0
[H)Yk6x
gF@m1%
(C!xg0
?Ed`n0
6_z0#;
Gx:=,F1
]h]e()I
ij8::f{{
iw;t:=
B/#5/s
xl}QO.
Gg}W_n
xgXw	T2=F
$&Bu^C
VaL_d1PY
n`nT";
78><bp
RCYH($
Bj,*3E
t\gWh$
F'u@&:
GdYNRV
<g0>&o
ZpNbx!
nE&Lh/
PH7TJ)
Mx!]x1
9NZ|QA9
!#hG*I
VLon8:
4mp-LeQ
|Zg}UUK
Z-Y,fX
b3eSAy
R!Spss
dCJ5@K
GGGXky
aaV<^-
|bdA*0jq 
@^@i-"
D,evd2
6X'e7U
@75MU:
cVUI)#j]
M{Zk}Hr-@
f?:88x#
W%y%)JMU
pINJJ<KP[Efk
Y%HRIZH
x4z]*EU
G`Zw-B)p
4K9=9e
T1R;D2]
j[3PC"$
A6@XAY
mma[W[
"	uUQ45MS#
L&V)eNNN
Y.s0)Q4a
'FtHc1
n@WXl3
TX@'IR
_>99y5I
8I&DQF
QIDAT{
UUqttt
I\D <,
#)QQD"#
W6Z]#P\
LaFN"M
la:EOu#
c:gazz
gA`0)%UJ
9=D2'O
yyHaOO
P@@sRCC
O??qYIIYVEECRBB
L==^\KKpYHHeUDD2SDD
J<<Q[IIaZIIfXGGKVFF1WII
J<<BYHHSYHHVXHHCXHH8SDD#RCC
H::2UEE:UDD9TEE)SCC"SED
SCC%RBB"QBB
www	IJJ
]LLNQBB
aOOx[JJgSCC%QBB
\JJX[IIdZJJQUEE&QBB
ZII?XGGKXGG?TDD0SDD
SCC%QBB
lll	:::
~~~	===
ab`L4K*
ZZ[:443
WFFYO??
eee8AB@
[IIZYHHRVFF;RCC
jjj;FFD
[HH/RBB
ggg=EED
FFF?@>?
[\\?>>=
]^^@JAC
^__AQFJ
cccCIHH
YYYEHGG
TTTI444
WWWILLL
PA<None>
A2_OUT~2.EXE
JwFC3!H
&4>t=q
nrbRqD7n
}uY/fT
GN(;&}
(1FLSh
QGv5@`2S
EXBv{_
WYAD}m
@q\LoX
@/!)9_
sJ+(@C
SLUrEob
`rm72P
KjF+ze`
(hDce<)
/+VNao
YmV[rf
J{'y)>
"+BNZr`
83T6t5x
/KFH]}E^0
[.@v/5
-|5X;du
/~U-lp
dPB.)`
!rXVTv
E0Bm)jFfz
_'DQd]
QIbhY	<
9efL#;
F:c_5p
r)6g0jB
h:OlLv
;CsU(g
!1q y	G
swCi:M@R
l:E<Gk
Lz[^+[
0&@"KS
uLvZKr
5|ZDf"xsjGT
KUfK >
woeO K	
6B/78xs
];*C:8
~B%JJ]R%sx]
}I,@!~
fW$jSh[
WE>#<^
Dn>CWv{U
>jAqod
rnO]Ij]
[8P	]CC
=Hvc@W
/f1!o3fq
ED;85v
~-"[!	
,cg`{+
X+j/&C)
5Iw	On
hl(^}p4)
iJKGj^
7of+]}
%v?^LK
G+k`"ey
\p3#J2'S
P0MioB
(MDdt$:
[EItQ`*W
HxvRkT.
m~[8~dQ
bN`Gz!
oD7r]av>
^=Pq{#M
d%O)-Dk
7'9'{WW
JlisZg
&ko-wv
 wZ/hc
Gna{4e
g,YEP 
$#3BM46
RN<yk8
G%(r*e
c#=|d[
]XK7rB}|
ai_Tc{
W~x-+y|
1<aRDs
m~2vvGX
L*<@FW}
2nYssP
xH(31<
,h:5N<^
3rlG>Y
ON!LGGA
==/nTx
$`r=6	<
M~/VO|
zXY8]]
i=JLqmy8DT,
6^8HLW)
Cj{^bR
UHh1sN
zrsB72
ep;A)=
)Med[e5
BD<e/]Av
ED#}-w
5T'X>it5
t<F;${
"djq!r
|QW,%|
HS?a6}
;o}U\vb5
B ;w>Y.
smt_a;
v]Wlep
;=g8pu
	n7pI*
N.^v(o
8sZ	)E
[z(DBL
}H(QQ):
C}^]	&
^t5`QE
j1?l)y
I 8O0D
PWe?sH
a~fM=34
/]~uB-Zj
jL@aJ]
4<i{<P
ovz.<`oC`
i)n}w6
2'|ba3
2&OkSU
S{a	t96
k]=\=J
5`l<9m
,?d=vu
 /I'jYJ
u%Mz^1
 3N^b9
Or-ZOILh/ 
(A:bSP
re#!PR
,>iOj$
Kv(k[#
[Oj3;.
V>IZhHdB
:r $K8
].]~Y>p
"1~F2e
tX~6\"LC
Zt2.);Yz
iE1[fx&
uMS=H.
_i3(c"F
j>d#u[z
i;}W&~
xb,ezFk
R[srtA
 9qAf7
8w)btc
?u!(2=D
B.X<w_\&
aF,o<"
wTkR!M
Vb<yeh
-2-}Ma
C|7y&E
?v.cHV
49hC,FEq
qYW;3Q
p7nc&L
x[6[6u
aM66NN
P:]&;6
=]L)&R
1_Ny_F
x	Bvc|
oEtV]w
))'MTh=
Fy5>>"
49rx;o
$u_zF.yZ
\?Vgo"
3pg` Y
x!?QTz
oMwWl%
z;@<7Q
Kuz9Z1
W2HYxo
jQR[Ol
Y4Wm7rU
&=D/UQ
/VtV(J
*\)%^=
y'}&|w
lI^=Z:2g
hP[y%e-
}?W/~[
JV/soe
0u(~~:B
%qt	8~=
%Q<ZT9
J|jv4p
Ol{Q ,w
oavpS/
Z^3C]Ex
|_T&W[
g%rxeZ
9Z^=Y\U1
<wc?55g
n0mS-1
Vcpz^;
[jbI8'
u5-a_ 
Dwj(6c
ol0C</R
\8<ef3
y/613:
FB[kI"
@W\dB1
iZ@-jU(
A9Iot'5
]1B^6A
dW8]rb
aN[U-_l
DAH@\[
,:kbd3u
e|CS";
~&Y3.p
{6@u/A
 <	$a]
4KEC;9
39.D2O
abPfp,
&12{]F
PJ0:m^
'R$n<<@
~yg@go
}wxc*u
=3'cx6
$jhBHf
*3ONN}
{	<)?0
;Oxs>W
xc'tFH
.$wT"0
k	m8A:xP
=3~[y=
>5sKC>%b
spAxjz
Nt:Wa[
=|%:,0
'tye&F-
8,~Q7^)
h#tOi|[O
\uRL'O
xO|))c
Uu]x7C
j.|RkR
LqgD"[
9Se|^2
U^[^||
,8w6a-g
)y<S}q
0{5^_p
kZO=_JoN
7VbIOM
|dN&H[
b!VJ:h
Ky6W<u{
Z8^:dL
McI5ZYS
gns}lI
5GdjnT
a?]+xV
{UFVB9
QL]3~Hv
>T];(l
MkK}xn
|_+_q*^6
fi#0CE
4gTaV/
};B'~O
}nCl[x
[rr0V-
atsF6S
T	MM9w_
i0+iuZ
c4yb`m8
1zxKGl
s+g[{x
}El4@)
Y90_u;
gM/#Zw
O4=@_!vkd
&?i<Y 
Om<)7v"|
-p2w>x
O}*e/U! 
1]yRB(_Z
wgk}i<
X)45|=.WJO
^3@Q16
]r!tkyv
#EvEeN(
=o~:>4j
r^4:QX
JL('Ft
15 X$e
6Iy`Fw
M}A4ds
Pwv-Y~
8N#^Td0S,]
}	FHL/
H9Ab_&
8]XP9CS
'orB%m
sL9;[TN
hGo*+D
a\QJ>~Z%:!
Za'}5Q
<}cf~>
}0[wlvQ
>h+V	1m^w
t?iwJk
W(w!Y/U
/kd9$W
<w"-x/
ZwuUc1
kn9@<#
Dj@=;v
6{!|a 
Y 6%~A
t#S|]xH
OUds_L
~ZrT?V
FmKv3w
uQs:9xa
!{Ca 0^7
m:w((q
hbd7.N*
t42z;'
ELbh&$
Q`\E}^U
T'1;_k
4Ii2zU
\-=yO;
[?oM6nA
tU]^59
g|DR`lxN1
lmc| m
J<yZbt
t)VeWi
jlKE?Y
zr_LdV
=|%i;Y
Bg%;[9
Tm'`()
Txle'}
F	%,WB
9\TnxE
)3|-8TDZ]}WSa|
(5,cfeG;R
-^4MNE
S1!"y1i
`26><}g
#- nSBr
;'<g:A
8.A.c]
phWTN\
/v>5V%
J1Jo5Q
}@>v#6
(<~Y(	'$
7`M92l
|x iD`@
)z3Vep
9/YsgoL#
}D:61&
}!tI'&F
S4&jAO
A\YrQN3
yu:.sx(
r+mQ7H
lZ"niW
g7JU0tb
}}qQ* 
|ZW}t;
3(6gs,
ohn1gb
%;YM;,
ALza+w
| JlX;~
n`%k <.H
8~_@	1v
`V(PGxb
ZB;DXy
V~#Rc1(
;N3#~c
P^yyg_?
Hp6|3<
k"mO~,U
`\~Zt&
=F7`ye
4ebuc_
-N1V}j
a7{H'vq
l)vk/+5
]!3`uPj
)x"FyKN
{4hNH{
Rkq6(S
.Uq.uH
AZmOd`Nr
SPP+_$i
KMG*{=c
]O?}({y|
.nATyc
b4"T0:
]s+[@}
bxgp{,
&v&fx_G
Sb|%TW5y("<i
S5wWHu
%.5bl|v
d:Z@~5
BsR#I*
Vk8hq^
~34xr26
?/]1Io
8]3*C@
&e\Q{#
gpz"Mi
'7W46|
$0p 7wr
jh^/dw
<{+Ja 
%9IlY/
ZwiX}35S
WoDx5m
FnL= M
_go0`]
)I}svdx
)%pC!.
#E^,ww
1(PHa`
Ty?W/u
z7p,{=V
9k/E\H_l
U,*o?p
#J~pI|
6@&yl0p
}5pYfU
<bl:TZ
;dyC[L
4_yy4q
%[6>t=
Lg3$;XYo!
|VF?,S
	Dg3k 
;KK+j;;
kn7[R^
{VVrjy
*VQer*S}v0
GkT{x<m
D<wI Bp|"
>|Gg5}
rOd: L
0bm]v1
94ei/6
w%@g^\
>8\wG:1zm
p,1'yX
}9=/o;_
P@t]`^
JG4|l/
={#Xm{
rytHFEl9
7esjC~8N
R	?70}
CtG^uc
.~Ye|V'
]N!u'Ts=
 _Ddst
$JxO3j
!':mD}
Un*gi5
)]&	'X
F63B {
(0t}"'#
KM8137
g4a+<gm
Pm*cCG
-3=Onid
`^3z0:
Jl+Rwz
7m	A8u
#~^09+KD
Zs<,e^E
d\_6k	
 `c?p'
Sl>O3ZC
,r 41)y
S`\ev;	
Q~B"kc
M!Djmrj
9D;ej>
nV?H=j
)'Lv;G
wpNj[n
q}\)R~
xZt-1b
5xd,[ys
Llsu.:
H<uG$QCx
mV>]x7
=9fu][S
v|"*'#
%"cq";
{=lK>e
&bmVO/
,>Z7{+
@(N{Tg
g;iF?>
c[Yw+$Z
sIZx+m
gAj='G
o/fo3,
{C|4c.v
j7&\E?
Y+hkp4
O8]qe<
sWsXsY9
v'Uki;
3?'-qY
UUUUUUUUUUUUUUUUUUUU
<None>
P<None>
<None>
A2_OUT~2.EXE
asxcvsd
<None>
P<None>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="5.1.0.0"
     processorArchitecture="amd64"
     name="wextract"
     type="win32"/>
  <description>IExpress extraction tool</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
          type="win32"
          name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0"
          processorArchitecture="amd64"
          publicKeyToken="6595b64144ccf1df"
          language="*"
       />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="asInvoker"
          uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
    <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
        <application> 
            <!--This Id value indicates the application supports Windows Vista/Server 2008 functionality -->
            <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
            <!--This Id value indicates the application supports Windows 7/Server 2008 R2 functionality-->
            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
            <!--This Id value indicates the application supports Windows 8/Server 2012 functionality-->
            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
    	    <!-- This Id value indicates the application supports Windows Blue/Server 2012 R2 functionality-->            
    	    <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
    	    <!-- This Id value indicates the application supports Windows Threshold functionality-->            
    	    <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
        </application> 
    </compatibility>
</assembly>
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING