Sample details: c6a1da5bc37db98d4394e16f7cbd3f18

Hashes
MD5: c6a1da5bc37db98d4394e16f7cbd3f18
SHA1: efac08bf3e55a9676e8ed77785eab2ddd8d19a48
SHA256: 353897e93ba9eeb9e09022443135cac466ee8747887c719de755f60dfdf8c59b
SSDEEP: 1536:gUt/JZt/mDDe1N0ZxFhQN9WQg+WjkCefW7:gUtBbO/e70ZjhQN9/g+5W7
Details
File Type: PE32
Yara Hits
CuckooSandbox/vmdetect
YRP/IsPE32
YRP/IsWindowsGUI
YRP/IsPacked
YRP/HasRichSignature
YRP/domain
YRP/contentis_base64
YRP/VMWare_Detection
YRP/Qemu_Detection
YRP/Dropper_Strings
YRP/Misc_Suspicious_Strings
YRP/DebuggerCheck__QueryInfo
YRP/vmdetect
YRP/disable_dep
YRP/win_registry
YRP/win_token
YRP/win_files_operation
YRP/CRC32_poly_Constant
Strings
!This program cannot be run in DOS mode.
|xRich
`.rdata
@.data
u$h/v@
PVhur@
5Bq@pP3
tmQQQj
t4hPr@
t6=P=*
D$<+D$
tMh\t@
tOh\t@
t=VVSP
SVWj'^
0QRAPAQUH
]AYAXZY
SQRVWU
]_^ZY[
SQRVWU
]_^ZY[
VC20XC00U
;t$(v(
UQPXY]Y[
1`u@F`uP
Xw@#Xw
]wd1Yw
Xw9mZw
Unknown Device
RBC Device
Enclosure Device
Array Device
ASCIT8
Comm. Device
Media Changer
Optical Disk
Scanner Device
CDROM Device
WORM Device
Processor Device
Printer Device
Tape Device
Direct Access Device
IEEE 1394
UNKNOWN
Oct  3 2016
RtlFreeUnicodeString
RtlUpcaseUnicodeString
RtlImageNtHeader
ntdll.dll
StrStrIA
StrTrimW
StrChrW
SHLWAPI.dll
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsA
SetupDiGetDeviceRegistryPropertyA
SETUPAPI.dll
WaitForSingleObject
ReadFile
CreateFileA
CloseHandle
GetModuleHandleA
ExitProcess
GetCommandLineW
HeapDestroy
HeapCreate
GetExitCodeProcess
lstrlenA
ResetEvent
LoadLibraryA
DeleteFileW
CreateWaitableTimerA
MapViewOfFile
UnmapViewOfFile
CreateProcessA
CreateFileMappingA
SetFileAttributesW
HeapAlloc
SetWaitableTimer
lstrlenW
HeapFree
GetLastError
lstrcatW
SetEvent
CreateEventA
GetProcAddress
KERNEL32.dll
GetCursorInfo
USER32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
ADVAPI32.dll
memcpy
memset
NtCreateSection
RtlNtStatusToDosError
ZwClose
NtUnmapViewOfSection
NtMapViewOfSection
ZwOpenProcess
ZwOpenProcessToken
ZwQueryInformationToken
ZwQueryInformationProcess
NtQuerySystemInformation
mbstowcs
StrRChrA
StrChrA
OpenProcess
SuspendThread
ResumeThread
VirtualProtectEx
GetLongPathNameW
GetVersion
GetCurrentProcessId
LocalFree
lstrcatA
SetLastError
lstrcmpiA
lstrcpyA
VirtualFree
VirtualAlloc
SetFilePointer
GetModuleFileNameW
GetModuleFileNameA
FindNextFileA
GetFileTime
CompareFileTime
FindFirstFileA
FindClose
lstrcpynA
ExpandEnvironmentStringsA
lstrcmpA
wsprintfA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RtlUnwind
NtQueryVirtualMemory
SUVWATAUAVAWH
HA_A^A]A\_^][
S:(ML;;NW;;;LW)
Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion
\Explorer\Shell Folders
%systemroot%\system32\svchost.exe
Local\
Global\
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
Local\ShellReadyEvent
%systemroot%\system32\c_1252.nls
SOFTWARE\Microsoft\Windows NT\CurrentVersion
NTDLL.DLL
Software\AppDataLow\Software\Microsoft\
Install
Client
\*.dll
NTDSAPI.DLL
KERNEL32.DLL
USER32.DLL
Wow64EnableWow64FsRedirection
GetWindowThreadProcessId
FindWindowA
Client32
Client64
ZwSetContextThread
ZwGetContextThread
ZwWow64ReadVirtualMemory64
ZwWow64QueryInformationProcess64
LoadLibraryA
attrib -r -s -h %%1
del %%1
if exist %%1 goto %u
del %%0
if not exist %%1 goto %u
cmd /C "%%1 %%2"
if errorlevel 1 goto %u
del %%0
IsWow64Process
%02u-%02u-%02u %02u:%02u:%02u
RtlSetUnhandledExceptionFilter
SystemRoot
%08X-%04X-%04X-%04X-%08X%04X
{%08X-%04X-%04X-%04X-%08X%04X}
ADVAPI32.DLL
ZwWriteVirtualMemory
LdrGetProcedureAddress
RtlExitUserThread
CreateRemoteThread
LdrLoadDll
ZwProtectVirtualMemory
kernelbase
LdrRegisterDllNotification
LdrUnregisterDllNotification
CreateProcessAsUserA
%TEMP%\Low
CreateProcessA
CreateProcessW
CreateProcessAsUserW
"%S" "%S"
vmware
virtual hd
c:\321.txt
ProgMan
version=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
This pr9og
h`2$,3
j?Z$ V
|PVc*f
[+]4BP 2u
+ $[BQe
pdcW&]zC
|z;i/Vd
-YabSG
}}^vK(
8)Hv5<
aFCM'!V
kX.c9jtIX
1	D6"Pt
'U![	l
_Y{B)L
JS]$:Z
b/eqRrYL
qSUU' c
XA"LF5bv
-bXR!y
U8)j$U-0
Dd%=4i
,+)W(!Y
Wj0tm(
.#n$"J
@B	jxVm
	1t*Ix
$drdxrd
dEBytg
#TE$21T
:5E7=(
*<}iD?G
(-Ex5|
p$WL	_p
5D"mtDhf
Px#r$pmdu
Mgi%a*
89XEY]D
]9AY(X
K%73Q,
Dp'xDf"
VC2:0Xs
5?xTH<
DVtI(~2
UQ	PXY]
	$"<DHV
4"LDZl
L"XDfx
	J"TE`
PSAaI.DL
DEFGHIJK
LMNOPQRSNT
XYZabcd
efghijkl
mnopqrst
uvwxyz01
23456789)+/
>?@;aB `
[\]^+_`m
E=	 )['`
dF	`Hz
GetModu
E,xW:`trCh
To;Ind2A@RegCr
Ca6chF
0aJfoAJ
$oSnh@:Z
mOnHGamb
SSf)Jaj6lpL9vf
eOpUE6
wDd)SD
R022qM
0hp#UZ
`ePxw>
'920:Y;b<
7rZt`vnxvz
' G(g0
5r1t=IIF=Y>`?
97':1;B<P=Y>b?q?w?
9>.:8;
Y>vxwz
/>rFtLv
vKxVz\|k~
9:<;@<D=
consti
4@b7d2ca
proggam
RichDP(
`.rdat
4";2tE$
=9uAnF W
h5	*e}
L~s,_[
jh$0Fp<D
PD]|B`
~!X,{em
A_'^G]g\t
U*K-c&p
._O"LKl!
N"%>!v
ct)`oB
lIOty"=|?x
k0D:/o
K5_v77
P#Y)'*?B#
!\yrKfZk
B;xLRDp@
n&Cn&|
3B\S:]
9IZ@P8
*|:;1u%
Wf7*/E
.uL	2m
"tFX/.b
j@49;tK	
e9rL? 
<0r`F9,vGR3
s3IY/h
y-gli\
|V]fIO
 dG0tO+
2b@V:	
	^?gp^
6:RNuP
"\,"CIE
W@5	DK
BY*oW'ho
	LHudS
jRJz`^
odk[@eLD
$2@vm#
?#"-D)
QRAP]YU
f7\=CI
<}3;8#s
Ed8R,T
3lgX<"UI&}b
o]|A#`Gx:
&dEy2m(
43 K=03)+
PKhS!-
RDgE#<
0T'2"8
|>Fp#tyx
E@|',r&%/
U<YU_A
CDEFGHIJ
XYZabcd
efghijkl
mnopqrst
uvwxyz01
23456789$+/
[\]^_`
Oct .3l2
 d2 T1 40P
7"h64`
"Rn#Xfd
tModul
K*y"`Clos
2l,b:k
ictZQzO
8Ll`aHd
 `3mbFe)4s0J
IPBwsp
+R:+\d@Li"~
Sisd?ubs
K3y=K5*
d;r/9#
2z$x|(O
nWE:z+
@b7d2ca
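The Strings section above reads as two different kinds of API listing. From RtlFreeUnicodeString, RtlUpcaseUnicodeString, RtlImageNtHeader followed by ntdll.dll down to RegOpenKeyExA followed by ADVAPI32.dll, each run of function names is closed by the module it is imported from, which is how a PE import directory renders in a strings dump. From memcpy onward the names (NtCreateSection, NtMapViewOfSection, ZwWriteVirtualMemory, CreateRemoteThread, LdrGetProcedureAddress, LdrLoadDll and the rest) are never followed by a module name, and bare module names such as NTDLL.DLL and KERNEL32.DLL appear separately: those are names the code carries for runtime lookup through GetProcAddress or LdrGetProcedureAddress, keeping the real capabilities out of the static import table (the YRP/IsPacked hit points the same way). The script below is an added example, not code from the sample or its analysis page; it applies that reading mechanically to a constructed excerpt of the dump and then maps the bare names onto capability buckets that are an analyst's working list, not an authority. It is a triage heuristic over `strings` output, not a substitute for parsing the import directory itself.

```python
"""Split a strings dump into import-table entries and bare API names.

Added example, not code from the sample. In a strings dump of a PE the import
directory appears as runs of function names, each run terminated by the module
name the loader resolves them from. Identifier runs that end without a module
name are not import entries: they are names kept for runtime resolution.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the Strings section above, in the page's order; lines
# were picked to cover each case the parser handles, so it is not the full list.
STRINGS_EXCERPT = r"""
RtlFreeUnicodeString
RtlUpcaseUnicodeString
RtlImageNtHeader
ntdll.dll
StrStrIA
StrTrimW
StrChrW
SHLWAPI.dll
SetupDiGetClassDevsA
SetupDiGetDeviceRegistryPropertyA
SETUPAPI.dll
WaitForSingleObject
CreateProcessA
CreateFileMappingA
GetProcAddress
KERNEL32.dll
GetCursorInfo
USER32.dll
RegOpenKeyExA
ADVAPI32.dll
memcpy
NtCreateSection
NtUnmapViewOfSection
NtMapViewOfSection
ZwOpenProcess
S:(ML;;NW;;;LW)
Software\Microsoft\Windows\CurrentVersion\Run
NTDLL.DLL
\*.dll
NTDSAPI.DLL
KERNEL32.DLL
ZwSetContextThread
ZwWow64ReadVirtualMemory64
LoadLibraryA
attrib -r -s -h %%1
ZwWriteVirtualMemory
LdrGetProcedureAddress
CreateRemoteThread
LdrLoadDll
ZwProtectVirtualMemory
"""

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
MODULE = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)

# Working buckets for the bare names; an analyst's list, not an authority.
CAPABILITIES: Dict[str, Set[str]] = {
    "remote process memory": {"ZwOpenProcess", "ZwWriteVirtualMemory",
                              "ZwProtectVirtualMemory", "ZwWow64ReadVirtualMemory64"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "remote execution": {"CreateRemoteThread", "ZwSetContextThread"},
    "manual API resolution": {"LdrGetProcedureAddress", "LdrLoadDll",
                              "LoadLibraryA", "GetProcAddress"},
}


def group_imports(strings: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (static imports keyed by lower-cased module name, bare API names)."""
    by_module: Dict[str, List[str]] = {}
    loose: List[str] = []
    run: List[str] = []  # identifier lines seen since the last non-identifier
    for line in strings.splitlines():
        line = line.strip()
        if not line:
            continue
        if MODULE.match(line):
            # a module name closes the run: everything in it is an import-by-name entry
            by_module.setdefault(line.lower(), []).extend(run)
            run = []
        elif IDENT.match(line):
            run.append(line)
        else:
            # a path, format string or SDDL breaks the run; the names collected
            # so far had no module after them, so they are not import entries
            loose.extend(run)
            run = []
    loose.extend(run)
    return by_module, loose


def capabilities(names: List[str]) -> Dict[str, List[str]]:
    """Map bare API names onto the capability buckets they indicate."""
    present = set(names)
    return {cap: sorted(present & apis) for cap, apis in CAPABILITIES.items() if present & apis}


if __name__ == "__main__":
    static, bare = group_imports(STRINGS_EXCERPT)
    for module, funcs in static.items():
        print(f"{module}: {', '.join(funcs) or '(named only, no import entries)'}")
    print("bare names:", ", ".join(bare))
    for cap, apis in capabilities(bare).items():
        print(f"  {cap}: {', '.join(apis)}")
```

On the excerpt the static table is the unremarkable part (SetupAPI device enumeration, registry reads, file mapping), while every bare name lands in one of the four buckets: open a process, map or write into it, create a thread or set a thread context, and resolve imports by hand. A modules entry with no functions (ntdsapi.dll here) is a name the code references, which is what LoadLibraryA takes, not an import.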
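Two of the strings are SDDL security-descriptor fragments: `S:(ML;;NW;;;LW)` and `D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)`. They sit next to ConvertStringSecurityDescriptorToSecurityDescriptorA, the `Local\` and `Global\` object-namespace prefixes, CreateEventA and CreateFileMappingA, so they are the descriptors the code applies to named objects it creates. The decoder below is an added example, not code from the sample; its abbreviation tables are the standard SDDL ones (the subset needed for object DACLs and integrity labels), the token SID sets it is checked against are hypothetical, and the access check is a simplified first-match walk of the DACL rather than the full Windows algorithm.

```python
"""Decode SDDL security-descriptor strings of the kind found in this dump.

Added example, not code from the sample. Anything not in the tables below
(other SID aliases, object-specific rights) is passed through verbatim.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "AL": "SYSTEM_ALARM", "ML": "SYSTEM_MANDATORY_LABEL"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          # in a mandatory-label (ML) ACE the rights field carries the label policy
          "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "BG": "BUILTIN\\Guests",
               "AN": "NT AUTHORITY\\ANONYMOUS LOGON", "AU": "NT AUTHORITY\\Authenticated Users",
               "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone", "IU": "NT AUTHORITY\\INTERACTIVE",
               "LW": "Low Mandatory Level", "ME": "Medium Mandatory Level",
               "HI": "High Mandatory Level", "SI": "System Mandatory Level"}


@dataclass
class Ace:
    ace_type: str
    flags: List[str]
    rights: List[str]
    trustee: str


def _tokens(field: str, table: Dict[str, str]) -> List[str]:
    """Flags and rights are runs of two-letter codes; rights may instead be a hex mask."""
    if field.startswith("0x"):
        return [field]
    return [table.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_ace(text: str) -> Ace:
    # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, _obj, _inh, sid = fields
    return Ace(ACE_TYPES.get(ace_type, ace_type), _tokens(flags, ACE_FLAGS),
               _tokens(rights, RIGHTS), SID_ALIASES.get(sid, sid))


def parse_sddl(sddl: str) -> dict:
    out = {"owner": None, "group": None, "dacl": [], "sacl": []}
    # O:/G: carry one SID; D:/S: carry optional ACL control flags then (ACE)(ACE)...
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key in "OG":
            out["owner" if key == "O" else "group"] = SID_ALIASES.get(body, body)
        else:
            out["dacl" if key == "D" else "sacl"] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
    return out


def access_check(dacl: List[Ace], token_sids: Set[str], wanted: str = "GENERIC_ALL") -> bool:
    """Simplified Windows access check: walk the DACL in order; the first ACE whose
    trustee is in the token and whose rights cover the request decides, so a deny
    listed before an allow wins. No matching ACE (or an empty DACL) means denied."""
    for ace in dacl:
        covers = wanted in ace.rights or "GENERIC_ALL" in ace.rights
        if ace.trustee in token_sids and covers:
            return ace.ace_type == "ACCESS_ALLOWED"
    return False


def mandatory_label(sacl: List[Ace]) -> Optional[str]:
    """Return 'level: policy' for the integrity-label ACE, if the SACL carries one."""
    for ace in sacl:
        if ace.ace_type == "SYSTEM_MANDATORY_LABEL":
            return f"{ace.trustee}: {'|'.join(ace.rights)}"
    return None


if __name__ == "__main__":
    # the two fragments taken verbatim from the strings above
    for s in ("D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)",
              "S:(ML;;NW;;;LW)"):
        sd = parse_sddl(s)
        for ace in sd["dacl"] + sd["sacl"]:
            print(ace)
        print("label:", mandatory_label(sd["sacl"]))
```

Decoded, the DACL denies GENERIC_ALL to Guests and Anonymous Logon and then grants GENERIC_ALL to Authenticated Users and Administrators, so any logged-on account on the host can open the object with full access, not just the creating user. The SACL fragment labels the object Low Mandatory Level with a NO_WRITE_UP policy, which means a process running at low integrity (the level a sandboxed browser content process runs at) is still allowed to write to it; that fits the `%TEMP%\Low` and `Software\AppDataLow\Software\Microsoft\` strings elsewhere in the dump. The OICI inheritance flags are inert on a non-container object such as an event or section and are simply carried along.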