
Analysis Report analyseme.exe

Overview

General Information

Sample Name:analyseme.exe
Analysis ID:380019
MD5:66bd29e885429f3e371e745ca32896b1
SHA1:cb15ea23ba47f5c66cab4bc3c90216e06a9af50b
SHA256:ff362a3f7078f8b5793e8d2cac35de29ae1dab6608cfc1545c24c9e2372c892a

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • analyseme.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\analyseme.exe' MD5: 66BD29E885429F3E371E745CA32896B1)
    • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: analyseme.exe | Rule: Hunting_Rule_ShikataGaNai | Description: unknown | Author: Steven Miller
  • Strings: 0x2262:$varInitializeAndXorCondition1_XorEAX: B8 95 C7 FA 03 D9 74 24 F4 5B 31 C9 B1 70 31 43 18

Memory Dumps

Source: 00000000.00000000.197420968.0000000001343000.00000002.00020000.sdmp | Rule: Hunting_Rule_ShikataGaNai | Description: unknown | Author: Steven Miller
  • Strings: 0x262:$varInitializeAndXorCondition1_XorEAX: B8 95 C7 FA 03 D9 74 24 F4 5B 31 C9 B1 70 31 43 18
Source: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp | Rule: Hunting_Rule_ShikataGaNai | Description: unknown | Author: Steven Miller
  • Strings: 0x262:$varInitializeAndXorCondition1_XorEAX: B8 95 C7 FA 03 D9 74 24 F4 5B 31 C9 B1 70 31 43 18

Unpacked PEs

Source: 0.2.analyseme.exe.1340000.0.unpack | Rule: Hunting_Rule_ShikataGaNai | Description: unknown | Author: Steven Miller
  • Strings: 0x2262:$varInitializeAndXorCondition1_XorEAX: B8 95 C7 FA 03 D9 74 24 F4 5B 31 C9 B1 70 31 43 18
Source: 0.0.analyseme.exe.1340000.0.unpack | Rule: Hunting_Rule_ShikataGaNai | Description: unknown | Author: Steven Miller
  • Strings: 0x2262:$varInitializeAndXorCondition1_XorEAX: B8 95 C7 FA 03 D9 74 24 F4 5B 31 C9 B1 70 31 43 18

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: analyseme.exe | Virustotal: Detection: 55%
Source: analyseme.exe | Metadefender: Detection: 33%
Source: analyseme.exe | ReversingLabs: Detection: 58%
Machine Learning detection for sample
Source: analyseme.exe | Joe Sandbox ML: detected
Source: analyseme.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: analyseme.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\echo\source\repos\btlo\Release\btlo.pdb | source: analyseme.exe
Source: Binary string: C:\Users\echo\source\repos\btlo\Release\btlo.pdb&& | source: analyseme.exe
Source: analyseme.exe, 00000000.00000002.1277067301.00000000010AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: analyseme.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: analyseme.exe, type: SAMPLE | Matched rule: Hunting_Rule_ShikataGaNai author = Steven Miller, reference = https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html, company = FireEye
Source: 00000000.00000000.197420968.0000000001343000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hunting_Rule_ShikataGaNai author = Steven Miller, reference = https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html, company = FireEye
Source: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hunting_Rule_ShikataGaNai author = Steven Miller, reference = https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html, company = FireEye
Source: 0.2.analyseme.exe.1340000.0.unpack, type: UNPACKEDPE | Matched rule: Hunting_Rule_ShikataGaNai author = Steven Miller, reference = https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html, company = FireEye
Source: 0.0.analyseme.exe.1340000.0.unpack, type: UNPACKEDPE | Matched rule: Hunting_Rule_ShikataGaNai author = Steven Miller, reference = https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html, company = FireEye
Source: classification engine | Classification label: mal60.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_01
Source: analyseme.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\analyseme.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: analyseme.exe | Virustotal: Detection: 55%
Source: analyseme.exe | Metadefender: Detection: 33%
Source: analyseme.exe | ReversingLabs: Detection: 58%
Source: unknown | Process created: C:\Users\user\Desktop\analyseme.exe 'C:\Users\user\Desktop\analyseme.exe'
Source: C:\Users\user\Desktop\analyseme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: analyseme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: analyseme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: analyseme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: analyseme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: analyseme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: analyseme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: analyseme.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: analyseme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\echo\source\repos\btlo\Release\btlo.pdb | source: analyseme.exe
Source: Binary string: C:\Users\echo\source\repos\btlo\Release\btlo.pdb&& | source: analyseme.exe
Source: analyseme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: analyseme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: analyseme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: analyseme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: analyseme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_01342714 push ecx; ret 0_2_01342726
Source: C:\Users\user\Desktop\analyseme.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\analyseme.exe TID: 5716 | Thread sleep time: -180000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\analyseme.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_0134249D IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0134249D
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_013425FF SetUnhandledExceptionFilter,0_2_013425FF
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_0134222C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0134222C
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_0134249D IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0134249D

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_01341220 Sleep,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,CreateProcessW,WaitForSingleObject,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,_invalid_parameter_noinfo_noreturn,0_2_01341220
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_01341220 Sleep,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,CreateProcessW,WaitForSingleObject,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,_invalid_parameter_noinfo_noreturn,0_2_01341220
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_01342757 cpuid 0_2_01342757
Source: C:\Users\user\Desktop\analyseme.exe | Code function: 0_2_01342387 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_01342387

Mitre Att&ck Matrix

Entries followed by digits are the techniques the report matched for this sample; the digits are the report's count badges. All other cells are the matrix's unmatched placeholders.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 21 | Virtualization/Sandbox Evasion 21 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 21 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 12 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | (none)

Behavior Graph

[Behavior graph image not included in this extraction. Legend of the graph: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]

Screenshots

[Screenshot thumbnails not included in this extraction; the only screenshot listed is windows-stand.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: analyseme.exe | Detection: 55% | Scanner: Virustotal
Source: analyseme.exe | Detection: 36% | Scanner: Metadefender
Source: analyseme.exe | Detection: 59% | Scanner: ReversingLabs | Label: Win32.Trojan.Zusy
Source: analyseme.exe | Detection: 100% | Scanner: Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:380019
Start date:01.04.2021
Start time:13:52:35
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 43s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:analyseme.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.evad.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 69.1%)
  • Quality average: 52.1%
  • Quality standard deviation: 40.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

Time: 13:53:21 | Type: API Interceptor | Description: 1x Sleep call for process: analyseme.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv
Process:C:\Users\user\Desktop\analyseme.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3
Entropy (8bit):1.584962500721156
Encrypted:false
SSDEEP:3:T:T
MD5:A1B174CBB45338DD2E3F7BFB42CBD6C8
SHA1:E593A22B9179F222F23B596B2EE1BF77CBA8774D
SHA-256:7F999CCCFBCAE52185A73094FEF75E8C95920FEA525C2C3999BE62DC51A8C5F7
SHA-512:D715EB0573B365B7D6D3E74B4F042FB8EA117A99FD56AB6D24BD5AF177356803940445BF61627D36941249692747BE74079AFCF817FFAF7D31AF42636AF0AE0B
Malicious:false
Reputation:low
Preview: ?..

Static File Info

General

File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):5.853484472102521
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:analyseme.exe
File size:16896
MD5:66bd29e885429f3e371e745ca32896b1
SHA1:cb15ea23ba47f5c66cab4bc3c90216e06a9af50b
SHA256:ff362a3f7078f8b5793e8d2cac35de29ae1dab6608cfc1545c24c9e2372c892a
SHA512:28ac72a18189efc26c16770e31896b48768b228ab3159505dba9dfb4b2998696b7e7f1ad44029af2215c3ba193ae4062b948ff497b8f1a3f1fa2c168f34144b8
SSDEEP:384:L/jTfLYn/u+gZ6uUlUe/f57/v/ApjnO3o73JJ76D:3B6Ae/f1v/AFO3k3JJ76D
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y...8...8...8...@...8..dI...8..dI...8..dI...8..dI...8...P...8...8...8..BJ...8..BJr..8..BJ...8..Rich.8.........................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x401fce
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x60349EC5 [Tue Feb 23 06:20:53 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:2e71e4e9d7522c32114abd5dde43a654

Entrypoint Preview

Instruction
call 00007F71C4D910C6h
jmp 00007F71C4D90B39h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F71C4D90CDBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F71C4D90CCCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F71C4D90CCEh
add edx, 28h
cmp edx, esi
jne 00007F71C4D90CACh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F71C4D90CBBh
push esi
call 00007F71C4D915CAh
test eax, eax
je 00007F71C4D90CE2h
mov eax, dword ptr fs:[00000018h]
mov esi, 004050BCh
mov edx, dword ptr [eax+04h]
jmp 00007F71C4D90CC6h
cmp edx, eax
je 00007F71C4D90CD2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F71C4D90CB2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F71C4D90CC9h
mov byte ptr [004050C0h], 00000001h
call 00007F71C4D913B9h
call 00007F71C4D91095h
test al, al
jne 00007F71C4D90CC6h
xor al, al
pop ebp
ret
call 00007F71C4D91088h
test al, al
jne 00007F71C4D90CCCh
push 00000000h
call 00007F71C4D9107Dh
pop ecx
jmp 00007F71C4D90CABh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [004050C1h], 00000000h
je 00007F71C4D90CC6h
mov al, 01h

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7000 | 0x300 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3458 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34c8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x14c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1bf7 | 0x1c00 | False | 0.616908482143 | data | 6.35632617372 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x1832 | 0x1a00 | False | 0.431941105769 | data | 4.96891380381 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0x430 | 0x200 | False | 0.205078125 | data | 2.02253428603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x1e0 | 0x200 | False | 0.525390625 | data | 4.69759700825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7000 | 0x300 | 0x400 | False | 0.6962890625 | data | 5.44697919625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x6060 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL: Imports
KERNEL32.dll: WriteProcessMemory, WaitForSingleObject, Sleep, VirtualAllocEx, CreateProcessW, CreateRemoteThread, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, UnhandledExceptionFilter
MSVCP140.dll: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?getloc@ios_base@std@@QBE?AVlocale@2@XZ, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ??Bid@locale@std@@QAEIXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Xlength_error@std@@YAXPBD@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z
VCRUNTIME140.dll: _except_handler4_common, memset, __current_exception_context, __current_exception, _CxxThrowException, __std_exception_copy, __std_exception_destroy, __CxxFrameHandler3, memcpy, __std_terminate
api-ms-win-crt-runtime-l1-1-0.dll: _initialize_onexit_table, _register_onexit_function, _crt_atexit, __p___argv, _controlfp_s, __p___argc, _cexit, _register_thread_local_exe_atexit_callback, _invalid_parameter_noinfo_noreturn, _c_exit, _exit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _seh_filter_exe, _set_app_type, terminate
api-ms-win-crt-heap-l1-1-0.dll: free, malloc, _callnewh, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll: __p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

[Per-process CPU usage, memory usage and behavior charts not included in this extraction.]

System Behavior

General

Start time:13:53:20
Start date:01/04/2021
Path:C:\Users\user\Desktop\analyseme.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\analyseme.exe'
Imagebase:0x1340000
File size:16896 bytes
MD5 hash:66BD29E885429F3E371E745CA32896B1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
  • Rule: Hunting_Rule_ShikataGaNai, Description: unknown, Source: 00000000.00000000.197420968.0000000001343000.00000002.00020000.sdmp, Author: Steven Miller
  • Rule: Hunting_Rule_ShikataGaNai, Description: unknown, Source: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp, Author: Steven Miller
Reputation:low

General

Start time:13:53:21
Start date:01/04/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:13.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:9.5%
    Total number of Nodes:201
    Total number of Limit Nodes:2

    Graph

    [execution_graph: node-and-edge listing of the rendered execution graph, not reproduced here. Notable nodes in the listing: 1341e4c (entry path) -> 1341220 (Sleep) -> 1341337 (CreateProcessW, WaitForSingleObject, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread); 13424be (memset, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter); 1342757 (IsProcessorFeaturePresent); 1342387 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter).]

    Callgraph

    Legend: Executed / Not Executed / Opacity -> Relevance / Disassembly available

    [callgraph: node list of 94 functions (Function_01341130 through Function_01341BCA) with their call edges, not reproduced here.]

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 66%
    			E01341220(void* __edi, void* __esi) {
    				struct _SECURITY_ATTRIBUTES* _v8;
    				char _v16;
    				signed int _v20;
    				void _v496;
    				intOrPtr _v500;
    				struct _SECURITY_ATTRIBUTES* _v504;
    				char _v520;
    				struct _STARTUPINFOW _v588;
    				struct _PROCESS_INFORMATION _v604;
    				signed int _t36;
    				signed int _t37;
    				signed int _t41;
    				intOrPtr _t43;
    				intOrPtr _t46;
    				signed int _t58;
    				intOrPtr* _t63;
    				void* _t69;
    				intOrPtr* _t75;
    				char _t78;
    				struct _SECURITY_ATTRIBUTES* _t84;
    				void* _t86;
    				_Unknown_base(*)()* _t89;
    				signed int _t90;
    				void* _t91;
    				void* _t92;
    				void* _t108;
    
    				_push(0xffffffff);
    				_push(0x1342aa0);
    				_push( *[fs:0x0]);
    				_t92 = _t91 - 0x24c;
    				_t36 =  *0x1345008; // 0xc33ece8e
    				_t37 = _t36 ^ _t90;
    				_v20 = _t37;
    				_push(_t37);
    				 *[fs:0x0] =  &_v16;
    				Sleep(0x2bf20); // executed
    				_v504 = 0;
    				_v500 = 0xf;
    				_v520 = 0;
    				_v8 = 0;
    				E013415F0(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, "?\n"); // executed
    				E01341A40(__imp__?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,  &_v520); // executed
    				_t78 = _v520;
    				_t84 = _v504;
    				_t63 =  >=  ? _t78 :  &_v520;
    				_t85 =  >  ? 4 : _t84;
    				_t75 = "btlo";
    				_t86 = ( >  ? 4 : _t84) - 4;
    				if(_t86 < 0) {
    					L4:
    					if(_t86 == 0xfffffffc) {
    						L13:
    						_t41 = 0;
    						L14:
    						if(_t41 != 0) {
    							L18:
    							E013415F0(__imp__?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, "Easy! Try again");
    							L19:
    							_t43 = _v500;
    							if(_t43 >= 0x10) {
    								_t31 = _t43 + 1; // 0x11
    								_t69 = _t31;
    								_t46 = _t78;
    								if(_t69 >= 0x1000) {
    									_t78 =  *((intOrPtr*)(_t78 - 4));
    									_t69 = _t69 + 0x23;
    									if(_t46 > 0x1f) {
    										__imp___invalid_parameter_noinfo_noreturn();
    									}
    								}
    								_push(_t69);
    								E01341D56(_t46, _t78);
    							}
    							 *[fs:0x0] = _v16;
    							return E01341D15(_v20 ^ _t90);
    						}
    						_t108 = _v504 - 4;
    						if(_t108 < 0 || _t108 > 0) {
    							goto L18;
    						} else {
    							_v588.cb = 0x44;
    							memcpy( &_v496, 0x1343260, 0x76 << 2);
    							_t92 = _t92 + 0xc;
    							asm("xorps xmm0, xmm0");
    							asm("movlpd [ebp-0x244], xmm0");
    							asm("movsb");
    							asm("movlpd [ebp-0x23c], xmm0");
    							asm("movlpd [ebp-0x234], xmm0");
    							asm("movlpd [ebp-0x22c], xmm0");
    							asm("movlpd [ebp-0x224], xmm0");
    							asm("movlpd [ebp-0x21c], xmm0");
    							asm("movlpd [ebp-0x214], xmm0");
    							asm("movlpd [ebp-0x20c], xmm0");
    							asm("movups [ebp-0x258], xmm0");
    							CreateProcessW(L"C:\\Windows\\System32\\nslookup.exe", 0, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604);
    							WaitForSingleObject(_v604.hProcess, 0x3e8);
    							_t89 = VirtualAllocEx(_v604.hProcess, 0, 0x1d9, 0x3000, 0x40);
    							WriteProcessMemory(_v604.hProcess, _t89,  &_v496, 0x1d9, 0);
    							CreateRemoteThread(_v604, 0, 0, _t89, 0, 0, 0);
    							_t78 = _v520;
    							goto L19;
    						}
    					}
    					L5:
    					_t58 =  *_t63;
    					if(_t58 !=  *_t75) {
    						L12:
    						asm("sbb eax, eax");
    						_t41 = _t58 | 0x00000001;
    						goto L14;
    					}
    					if(_t86 == 0xfffffffd) {
    						goto L13;
    					}
    					_t58 =  *((intOrPtr*)(_t63 + 1));
    					if(_t58 !=  *((intOrPtr*)(_t75 + 1))) {
    						goto L12;
    					}
    					if(_t86 == 0xfffffffe) {
    						goto L13;
    					}
    					_t58 =  *((intOrPtr*)(_t63 + 2));
    					if(_t58 !=  *((intOrPtr*)(_t75 + 2))) {
    						goto L12;
    					}
    					if(_t86 == 0xffffffff) {
    						goto L13;
    					}
    					_t58 =  *((intOrPtr*)(_t63 + 3));
    					if(_t58 ==  *((intOrPtr*)(_t75 + 3))) {
    						goto L13;
    					}
    					goto L12;
    				}
    				while( *_t63 ==  *_t75) {
    					_t63 = _t63 + 4;
    					_t75 = _t75 + 4;
    					_t86 = _t86 - 4;
    					if(_t86 >= 0) {
    						continue;
    					}
    					goto L4;
    				}
    				goto L5;
    			}

    APIs
    • Sleep.KERNELBASE(0002BF20,C33ECE8E), ref: 01341252
      • Part of subcall function 013415F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 013417D6
      • Part of subcall function 013415F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 013417E3
      • Part of subcall function 013415F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 013417F2
      • Part of subcall function 01341A40: ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000000,C33ECE8E,?,?,?,?,?,?,?,?,00000000,01342BAD,000000FF,?,0134129B), ref: 01341A9A
      • Part of subcall function 01341A40: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00000000,01342BAD,000000FF,?,0134129B), ref: 01341ABD
      • Part of subcall function 01341A40: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?,?,?,?,?,00000000,01342BAD,000000FF,?,0134129B), ref: 01341B30
    • CreateProcessW.KERNEL32 ref: 013413C2
    • WaitForSingleObject.KERNEL32(000003E8,000003E8), ref: 013413D3
    • VirtualAllocEx.KERNEL32(00000040,00000000,000001D9,00003000,00000040), ref: 013413ED
    • WriteProcessMemory.KERNEL32(00000000,00000000,?,000001D9,00000000), ref: 0134140A
    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01341421
    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 01341467
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$CreateProcess$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?uncaught_exception@std@@AllocIpfx@?$basic_istream@MemoryObjectOsfx@?$basic_ostream@RemoteSingleSleepThreadVirtualVlocale@2@WaitWrite_invalid_parameter_noinfo_noreturn
    • String ID: C:\Windows\System32\nslookup.exe$D$Easy! Try again$btlo
    • API String ID: 4075514931-1607064576
    • Opcode ID: 90fbcb37218d1d3e098f5854f3ef4ce0e15b7d759580112b53e75eaa9560e137
    • Instruction ID: daf99f502dbb4545317eb4fe22183867c70977a31e9d7c45de0243b8865704a1
    • Opcode Fuzzy Hash: 90fbcb37218d1d3e098f5854f3ef4ce0e15b7d759580112b53e75eaa9560e137
    • Instruction Fuzzy Hash: 1161F5329406699BDB319B18CC08BE9BBB5FB45318F1443D4E659BB2D1CB707AC18F44
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E013425FF() {
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E0134260B); // executed
    				return _t1;
    			}

    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_0000260B,01341E3F), ref: 01342604
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 7fdb854bc5bae16b0e715d1a1b23e7415f47ed93386b9d6a8d131d7d45365e54
    • Instruction ID: 4fe88752ab5e669f51e0c72f7eb6d2d5eed5c782876336b63906b365d834d89e
    • Opcode Fuzzy Hash: 7fdb854bc5bae16b0e715d1a1b23e7415f47ed93386b9d6a8d131d7d45365e54
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(C33ECE8E), ref: 013416B4
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(00000000,C33ECE8E), ref: 0134171D
    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,000000FF,00000000,C33ECE8E), ref: 01341746
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 01341772
    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 013417D6
    • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 013417E3
    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 013417F2
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
    • String ID:
    • API String ID: 1492985063-0
    • Opcode ID: 545bbefef9018cffca0915b196352a7776aab0d71eb189a43388f262ee8fb2f3
    • Instruction ID: 824bebe7cd22cadcbc517b85863b432991f01b19c0a02b62c5e026dba256e4b6
    • Opcode Fuzzy Hash: 545bbefef9018cffca0915b196352a7776aab0d71eb189a43388f262ee8fb2f3
    • Instruction Fuzzy Hash: 7E719279A00A048FDB14CF58C584BA9BFF5BF49328F198258DD169B392DB35F881CB50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 25%
    			E01341A40(intOrPtr* __ecx, intOrPtr* __edx) {
    				char _v8;
    				char _v16;
    				intOrPtr _v20;
    				signed char _v24;
    				char _v25;
    				intOrPtr _v32;
    				intOrPtr* _v36;
    				intOrPtr _v40;
    				char _v44;
    				signed int _v48;
    				char _v52;
    				intOrPtr* _v56;
    				intOrPtr* _v60;
    				char _v64;
    				void* __ebx;
    				void* __edi;
    				signed int _t72;
    				intOrPtr _t75;
    				char _t76;
    				signed char _t78;
    				intOrPtr _t85;
    				char* _t86;
    				signed char _t88;
    				intOrPtr* _t94;
    				signed int _t101;
    				intOrPtr _t103;
    				intOrPtr _t104;
    				intOrPtr* _t107;
    				intOrPtr* _t113;
    				intOrPtr* _t118;
    				intOrPtr _t121;
    				intOrPtr* _t124;
    				signed char _t127;
    				intOrPtr* _t129;
    				intOrPtr* _t132;
    				signed int _t134;
    				void* _t135;
    				intOrPtr _t143;
    
    				_t125 = __edx;
    				_push(0xffffffff);
    				_push(0x1342bad);
    				_push( *[fs:0x0]);
    				_t72 =  *0x1345008; // 0xc33ece8e
    				_push(_t72 ^ _t134);
    				 *[fs:0x0] =  &_v16;
    				_v20 = _t135 - 0x30;
    				_t132 = __edx;
    				_t129 = __ecx;
    				_t75 =  *__ecx;
    				_t101 = 0;
    				_v36 = __ecx;
    				_v48 = 0;
    				_v25 = 0;
    				_t6 = _t75 + 4; // 0x8d10ffff
    				_t76 =  *_t6;
    				_v56 = __ecx;
    				_t107 =  *((intOrPtr*)(_t76 + __ecx + 0x38));
    				if(_t107 != 0) {
    					_t76 =  *((intOrPtr*)( *_t107 + 4))();
    				}
    				_v8 = 0;
    				__imp__?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z(0); // executed
    				_v52 = _t76;
    				_v8 = 1;
    				if(_t76 == 0) {
    					L26:
    					_t78 =  *( *_t129 + 4);
    					 *((intOrPtr*)(_t78 + _t129 + 0x20)) = 0;
    					 *((intOrPtr*)(_t78 + _t129 + 0x24)) = 0;
    					if(_v25 == 0) {
    						_t101 = _t101 | 0x00000002;
    					}
    					__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(_t101, 0);
    					_v8 = 5;
    					_t113 =  *((intOrPtr*)( *((intOrPtr*)( *_v56 + 4)) + _v56 + 0x38));
    					if(_t113 != 0) {
    						 *((intOrPtr*)( *_t113 + 8))();
    					}
    					 *[fs:0x0] = _v16;
    					return _t129;
    				} else {
    					__imp__?getloc@ios_base@std@@QBE?AVlocale@2@XZ( &_v64);
    					_v8 = 2;
    					_t85 = E013414F0(_t125,  *_t129);
    					_t118 = _v60;
    					_v40 = _t85;
    					if(_t118 != 0) {
    						_t124 =  *((intOrPtr*)( *_t118 + 8))();
    						if(_t124 != 0) {
    							 *((intOrPtr*)( *_t124))(1);
    						}
    					}
    					 *((intOrPtr*)(_t132 + 0x10)) = 0;
    					_t86 = _t132;
    					if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
    						_t86 =  *_t132;
    					}
    					 *_t86 = 0;
    					_v8 = 3;
    					_t88 =  *( *_t129 + 4);
    					_t143 =  *((intOrPtr*)(_t88 + _t129 + 0x24));
    					_t103 =  *((intOrPtr*)(_t88 + _t129 + 0x20));
    					_v32 = _t103;
    					if(_t143 < 0 || _t143 <= 0 && _t103 == 0 || _t103 >= 0x7fffffff) {
    						_t103 = 0x7fffffff;
    						_v32 = 0x7fffffff;
    					}
    					__imp__?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ();
    					while(1) {
    						_t127 = _t88;
    						if(_t103 == 0) {
    							break;
    						}
    						if(_t127 != 0xffffffff) {
    							if(( *( *((intOrPtr*)(_v40 + 0xc)) + (_t127 & 0x000000ff) * 2) & 0x00000048) != 0) {
    								break;
    							}
    							_t121 =  *((intOrPtr*)(_t132 + 0x10));
    							_t104 =  *((intOrPtr*)(_t132 + 0x14));
    							_v24 = _t127;
    							if(_t121 >= _t104) {
    								_push(_v24);
    								_v44 = 0;
    								E01341830(_t104, _t132, _t129, _t121, _v44);
    							} else {
    								 *((intOrPtr*)(_t132 + 0x10)) = _t121 + 1;
    								_t94 = _t132;
    								if(_t104 >= 0x10) {
    									_t94 =  *_t132;
    								}
    								 *(_t94 + _t121) = _t127;
    								 *((char*)(_t94 + _t121 + 1)) = 0;
    							}
    							_t103 = _v32 - 1;
    							_v25 = 1;
    							_v32 = _t103;
    							_t88 =  *( *_t129 + 4);
    							__imp__?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ();
    							continue;
    						}
    						_t32 = _t88 + 2; // 0x2
    						_t101 = _t32;
    						L25:
    						_v8 = 1;
    						goto L26;
    					}
    					_t101 = 0;
    					goto L25;
    				}
    			}

    APIs
    • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000000,C33ECE8E,?,?,?,?,?,?,?,?,00000000,01342BAD,000000FF,?,0134129B), ref: 01341A9A
    • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00000000,01342BAD,000000FF,?,0134129B), ref: 01341ABD
    • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?,?,?,?,?,00000000,01342BAD,000000FF,?,0134129B), ref: 01341B30
    • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00000000,000000FF), ref: 01341BA4
    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?,?,?,?,?,?,?,00000000,01342BAD,000000FF,?,0134129B), ref: 01341BFF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
    • String ID: P}@n
    • API String ID: 481934583-3960678631
    • Opcode ID: ad9b78135376f9568e191ff614e1db31c64a4759b9ffba22e116ebc3e6fc1409
    • Instruction ID: 5aedcea708dc9c6ac75577d181b87e569f8fa14d229876b27b5c67e8b70a8dd4
    • Opcode Fuzzy Hash: ad9b78135376f9568e191ff614e1db31c64a4759b9ffba22e116ebc3e6fc1409
    • Instruction Fuzzy Hash: 3F618A34A04A45DFDB24CF99C494BAAFBF5BF08308F14419CE9169B7A2CB71B944CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 88%
    			E01342757(signed int __edx) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				intOrPtr _t60;
    				signed int _t61;
    				signed int _t62;
    				signed int _t63;
    				signed int _t66;
    				signed int _t67;
    				signed int _t73;
    				intOrPtr _t74;
    				intOrPtr _t75;
    				intOrPtr* _t77;
    				signed int _t78;
    				intOrPtr* _t82;
    				signed int _t85;
    				signed int _t90;
    				intOrPtr* _t93;
    				signed int _t96;
    				signed int _t99;
    				signed int _t104;
    
    				_t90 = __edx;
    				 *0x134541c =  *0x134541c & 0x00000000;
    				 *0x1345010 =  *0x1345010 | 0x00000001;
    				if(IsProcessorFeaturePresent(0xa) == 0) {
    					L23:
    					return 0;
    				}
    				_v20 = _v20 & 0x00000000;
    				_push(_t74);
    				_t93 =  &_v40;
    				asm("cpuid");
    				_t75 = _t74;
    				 *_t93 = 0;
    				 *((intOrPtr*)(_t93 + 4)) = _t74;
    				 *((intOrPtr*)(_t93 + 8)) = 0;
    				 *(_t93 + 0xc) = _t90;
    				_v16 = _v40;
    				_v12 = _v28 ^ 0x49656e69;
    				_v8 = _v36 ^ 0x756e6547;
    				_push(_t75);
    				asm("cpuid");
    				_t77 =  &_v40;
    				 *_t77 = 1;
    				 *((intOrPtr*)(_t77 + 4)) = _t75;
    				 *((intOrPtr*)(_t77 + 8)) = 0;
    				 *(_t77 + 0xc) = _t90;
    				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
    					L9:
    					_t96 =  *0x1345420; // 0x2
    					L10:
    					_t85 = _v32;
    					_t60 = 7;
    					_v8 = _t85;
    					if(_v16 < _t60) {
    						_t78 = _v20;
    					} else {
    						_push(_t77);
    						asm("cpuid");
    						_t82 =  &_v40;
    						 *_t82 = _t60;
    						 *((intOrPtr*)(_t82 + 4)) = _t77;
    						 *((intOrPtr*)(_t82 + 8)) = 0;
    						_t85 = _v8;
    						 *(_t82 + 0xc) = _t90;
    						_t78 = _v36;
    						if((_t78 & 0x00000200) != 0) {
    							 *0x1345420 = _t96 | 0x00000002;
    						}
    					}
    					_t61 =  *0x1345010; // 0x6f
    					_t62 = _t61 | 0x00000002;
    					 *0x134541c = 1;
    					 *0x1345010 = _t62;
    					if((_t85 & 0x00100000) != 0) {
    						_t63 = _t62 | 0x00000004;
    						 *0x134541c = 2;
    						 *0x1345010 = _t63;
    						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
    							asm("xgetbv");
    							_v24 = _t63;
    							_v20 = _t90;
    							_t104 = 6;
    							if((_v24 & _t104) == _t104) {
    								_t66 =  *0x1345010; // 0x6f
    								_t67 = _t66 | 0x00000008;
    								 *0x134541c = 3;
    								 *0x1345010 = _t67;
    								if((_t78 & 0x00000020) != 0) {
    									 *0x134541c = 5;
    									 *0x1345010 = _t67 | 0x00000020;
    									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
    										 *0x1345010 =  *0x1345010 | 0x00000040;
    										 *0x134541c = _t104;
    									}
    								}
    							}
    						}
    					}
    					goto L23;
    				}
    				_t73 = _v40 & 0x0fff3ff0;
    				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
    					_t99 =  *0x1345420; // 0x2
    					_t96 = _t99 | 0x00000001;
    					 *0x1345420 = _t96;
    					goto L10;
    				} else {
    					goto L9;
    				}
    			}

    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0134276D
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 0056a73e0b6d688446e8df3b42f439e63aa0980e10890fe4bda7f06a298ccee1
    • Instruction ID: b4b0338bf68ebb56b885d3c2cfcb53ad2356d88ee79dc0a46123bfa3ae0f2250
    • Opcode Fuzzy Hash: 0056a73e0b6d688446e8df3b42f439e63aa0980e10890fe4bda7f06a298ccee1
    • Instruction Fuzzy Hash: 5E51AEB9E102158BEB25CF59E8857AEBBF4FB48304F14882AE545FB344D775A900CFA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 75%
    			E01341D87(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr* _t2;
    				void* _t3;
    				void* _t9;
    				void* _t18;
    				void* _t28;
    
    				_t25 = __edi;
    				_t24 = __edx;
    				_push(1);
    				L0134296F();
    				_push(E01342426());
    				L013429A5();
    				_t2 = E0134241F();
    				L013429D5();
    				 *_t2 = _t2;
    				_t3 = E01342087(__ebx, __edx, __edi, 1);
    				_pop(_t28);
    				_t32 = _t3;
    				if(_t3 == 0) {
    					L8:
    					E0134249D(_t24, _t25, _t28, 7);
    					asm("int3");
    					E01342468();
    					__eflags = 0;
    					return 0;
    				} else {
    					asm("fclex");
    					E01342669();
    					E01342214(_t32, E01342695);
    					_t9 = E01342422();
    					_push(_t9);
    					L0134297B();
    					if(_t9 != 0) {
    						goto L8;
    					} else {
    						E0134242C(_t9);
    						if(E01342485() != 0) {
    							_push(E0134241F);
    							L01342975();
    						}
    						E0134243B(E01342229(E01342229(_t11)));
    						_push(E0134241F());
    						L013429C9();
    						if(E01342438() != 0) {
    							L01342981();
    						}
    						E0134241F();
    						_t18 = L013425B7();
    						if(_t18 != 0) {
    							goto L8;
    						} else {
    							return _t18;
    						}
    					}
    				}
    			}

    APIs
    • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 01341D8A
    • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 01341D95
    • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 01341DA1
    • __RTC_Initialize.LIBCMT ref: 01341DB9
    • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,01342695), ref: 01341DCE
      • Part of subcall function 0134242C: InitializeSListHead.KERNEL32(01345400,01341DDE), ref: 01342431
    • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000241F), ref: 01341DEC
    • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 01341E07
    • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 01341E16
    • ___scrt_fastfail.LIBCMT ref: 01341E2C
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: Initialize$HeadList___scrt_fastfail__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
    • String ID:
    • API String ID: 1979175733-0
    • Opcode ID: 7ff5edc737f8476749a5c701953879c772a04aa1eff1912527ab78537e96aaff
    • Instruction ID: 3cebbe756578a5636570c6fa83bbf082f0a9eecc17a930f7e42e8b7eb34fe63c
    • Opcode Fuzzy Hash: 7ff5edc737f8476749a5c701953879c772a04aa1eff1912527ab78537e96aaff
    • Instruction Fuzzy Hash: D201A41990075313E8A137FE7808B6F56E4CF715ECF550864BE08BA695ED89F09140B6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph image not reproduced (legend: Executed / Not Executed); basic blocks span 0x1341830 to 0x13419d1, with calls into 0x1341170, 0x13410d0, 0x1341d26 and 0x1341d56.
    C-Code - Quality: 30%
    			E01341830(void* __ebx, void* __ecx, void* __edi, char _a12) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v20;
    				char _v36;
    				signed int _t42;
    				char* _t44;
    				intOrPtr _t46;
    				unsigned int _t49;
    				void* _t60;
    				intOrPtr _t62;
    				void* _t64;
    				intOrPtr* _t69;
    				intOrPtr* _t70;
    				void* _t80;
    				intOrPtr _t81;
    				intOrPtr _t82;
    				intOrPtr _t83;
    				void* _t84;
    				signed int _t87;
    				signed int _t88;
    				void* _t90;
    				void* _t92;
    				void* _t93;
    				signed int _t94;
    				void* _t99;
    				signed int _t101;
    				void* _t105;
    
    				_t64 = __ecx;
    				_t68 = 0x7fffffff;
    				_push(_t93);
    				_t81 =  *((intOrPtr*)(__ecx + 0x10));
    				_v8 = _t81;
    				if(0x7fffffff - _t81 < 1) {
    					E01341170(0x7fffffff);
    					goto L21;
    				} else {
    					_t93 =  *(__ecx + 0x14);
    					_t87 = _t81 + 0x00000001 | 0x0000000f;
    					_v12 = _t93;
    					_t105 = _t87 - 0x7fffffff;
    					if(_t105 <= 0) {
    						_t49 = _t93 >> 1;
    						if(_t93 <= 0x7fffffff - _t49) {
    							_t88 =  <  ? _t93 + _t49 : _t87;
    						} else {
    							_t88 = 0x7fffffff;
    						}
    					} else {
    						_t88 = 0x7fffffff;
    					}
    					_t68 =  ~(0 | _t105 > 0x00000000) | _t88 + 0x00000001;
    					if(_t68 < 0x1000) {
    						if(_t68 == 0) {
    							_t93 = 0;
    						} else {
    							_t60 = E01341D26(_t68);
    							_t81 = _v8;
    							_t101 = _t101 + 4;
    							_t93 = _t60;
    						}
    						goto L13;
    					} else {
    						_t8 = _t68 + 0x23; // 0x23
    						_t61 = _t8;
    						if(_t8 <= _t68) {
    							L21:
    							E013410D0();
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							_t42 =  *0x1345008; // 0xc33ece8e
    							_t44 =  &_v36;
    							 *[fs:0x0] = _t44;
    							_t94 = _t68;
    							__imp__?uncaught_exception@std@@YA_NXZ(_t42 ^ _t101, _t93,  *[fs:0x0], 0x1342b50, 0xffffffff, _t99);
    							if(_t44 == 0) {
    								__imp__?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ();
    							}
    							_v12 = 0;
    							_t69 =  *_t94;
    							_t46 =  *((intOrPtr*)( *_t69 + 4));
    							_t70 =  *((intOrPtr*)(_t46 + _t69 + 0x38));
    							if(_t70 != 0) {
    								_t46 =  *((intOrPtr*)( *_t70 + 8))();
    							}
    							 *[fs:0x0] = _v20;
    							return _t46;
    						} else {
    							_t62 = E01341D26(_t61);
    							_t101 = _t101 + 4;
    							if(_t62 == 0) {
    								L18:
    								__imp___invalid_parameter_noinfo_noreturn();
    								goto L19;
    							} else {
    								_t81 = _v8;
    								_t10 = _t62 + 0x23; // 0x23
    								_t93 = _t10 & 0xffffffe0;
    								 *((intOrPtr*)(_t93 - 4)) = _t62;
    								L13:
    								_t14 = _t81 + 1; // 0x100
    								 *((intOrPtr*)(_t64 + 0x10)) = _t14;
    								 *(_t64 + 0x14) = _t88;
    								_push(_t81);
    								if(_v12 < 0x10) {
    									L19:
    									memcpy(_t93, _t64, ??);
    									_t82 = _v8;
    									 *((char*)(_t93 + _t82)) = _a12;
    									 *((char*)(_t93 + _t82 + 1)) = 0;
    									 *_t64 = _t93;
    									return _t64;
    								} else {
    									_t90 =  *_t64;
    									memcpy(_t93, _t90, ??);
    									_t83 = _v8;
    									_t101 = _t101 + 0xc;
    									_t57 = _a12;
    									_t80 = _v12 + 1;
    									 *((char*)(_t93 + _t83)) = _a12;
    									 *((char*)(_t93 + _t83 + 1)) = 0;
    									if(_t80 < 0x1000) {
    										L17:
    										_push(_t80);
    										E01341D56(_t57, _t90);
    										 *_t64 = _t93;
    										return _t64;
    									} else {
    										_t84 =  *(_t90 - 4);
    										_t80 = _t80 + 0x23;
    										_t92 = _t90 - _t84;
    										_t57 = _t92 - 4;
    										if(_t92 - 4 > 0x1f) {
    											goto L18;
    										} else {
    											_t90 = _t84;
    											goto L17;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
			}

    Per-line instruction addresses for this listing (side column not reproduced): 0x01341837 to 0x013419d1

    APIs
    • memcpy.VCRUNTIME140(00000000,?,?,6E434AC8,00000000,?), ref: 013418E9
    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(6E434AC8,00000000,?), ref: 01341934
    • memcpy.VCRUNTIME140(00000000,00000000,?,6E434AC8,00000000,?), ref: 0134193C
      • Part of subcall function 01341D26: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(013415A1,?,01341CF4,00000008,?,?,013415A1,?), ref: 01341D3B
    • Concurrency::cancel_current_task.LIBCPMT ref: 01341964
    • ?uncaught_exception@std@@YA_NXZ.MSVCP140(C33ECE8E,00000000,00000000,01342B50,000000FF,?,00000000,?,00000000,000000FF), ref: 01341995
    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,00000000,?,00000000,000000FF), ref: 013419A1
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: memcpy$?uncaught_exception@std@@Concurrency::cancel_current_taskD@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@_invalid_parameter_noinfo_noreturnmalloc
    • String ID:
    • API String ID: 1014556540-0
    • Opcode ID: 215356787f797a644ac94816d141d5115df720383c7f90a45bf25edf416674d8
    • Instruction ID: d7e1a82fed16ff5fbbe6ec357a8eed34334de636153ffcbfd390082f7f3f2704
    • Opcode Fuzzy Hash: 215356787f797a644ac94816d141d5115df720383c7f90a45bf25edf416674d8
    • Instruction Fuzzy Hash: C4513432A00A459FD715DF6CD880A6EFBEAEF85318F14426DE855CB341DA30F941CB91
    Uniqueness

    Uniqueness Score: -1.00%
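
Added example, not code from the report or from the sample: the two MSVC STL routines that the listing for E01341830 is built from, rewritten readably so that the constants 0x7fffffff, 0xf, 0x1000, 0x23 and the "> 0x1f" comparison can be recognised on sight. The decompiled function is consistent with the reallocating path of std::string::push_back compiled against the VS2015/2017 STL. Two reading aids for the listing: the code after the run of int3 instructions (uncaught_exception, _Osfx, the virtual call at +8) is a separate following function, an ostream sentry destructor, that the decompiler glued on after the noreturn call to cancel_current_task; and the load from 0x1345008 XORed with the stack pointer is the /GS security cookie, not sample logic. Assumptions in the code below: NON_USER_SIZE is written in terms of sizeof(void*) so the file also runs on a 64-bit host (it is 0x23 in the 32-bit sample), malloc/free stand in for operator new/delete, the STL's fast-fail through _invalid_parameter_noinfo_noreturn is reported as a return code so it can be exercised, and all function names are this example's own.

```c
/* Added example, not code from the report or the sample. The 32-bit layout of
 * the sample is assumed; NON_USER_SIZE is written in terms of sizeof(void*)
 * (0x23 on x86) so the file also runs on a 64-bit host. malloc/free replace
 * operator new/delete. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIZE            0x7fffffffu   /* basic_string::max_size() on x86            */
#define ALLOC_MASK          0xfu          /* capacities are always (n | 0xf)             */
#define BIG_ALLOC_THRESHOLD 0x1000u       /* blocks of >= 4 KiB take the aligned path    */
#define BIG_ALLOC_ALIGN     0x20u         /* ... and are rounded up to 32 bytes          */
#define NON_USER_SIZE       (sizeof(void *) + BIG_ALLOC_ALIGN - 1)   /* 0x23 on x86 */

/* _Calculate_growth: at least (requested | 0xf) and at least 1.5 x the old
 * capacity, clamped to max_size(). Returns -1 when even one more character
 * would exceed max_size() (the listing's jump to E01341170). */
int grow_capacity(uint32_t old_size, uint32_t old_cap, uint32_t *new_cap)
{
    if (MAX_SIZE - old_size < 1)
        return -1;
    uint32_t masked = (old_size + 1) | ALLOC_MASK;          /* _t87 in the listing */
    uint32_t geometric = old_cap + (old_cap >> 1);
    if (masked > MAX_SIZE || old_cap > MAX_SIZE - (old_cap >> 1))
        *new_cap = MAX_SIZE;                                /* 1.5 x old_cap would overflow */
    else
        *new_cap = masked > geometric ? masked : geometric;
    return 0;
}

/* Next capacity when a string whose size equals its capacity grows by one
 * character; 0 signals the max_size() error. */
uint32_t next_capacity(uint32_t cap)
{
    uint32_t grown;
    return grow_capacity(cap, cap, &grown) == 0 ? grown : 0;
}

/* _Allocate for big blocks: over-allocate by NON_USER_SIZE, round the user
 * pointer up to 32 bytes and stash the raw pointer in the slot just below it
 * (the "*(_t93 - 4) = _t62" store). NULL on size overflow or allocation failure. */
void *big_alloc(size_t bytes)
{
    size_t block = bytes + NON_USER_SIZE;
    if (block <= bytes)                        /* wrapped: the STL throws bad_alloc */
        return NULL;
    unsigned char *raw = malloc(block);
    if (raw == NULL)
        return NULL;
    uintptr_t user = ((uintptr_t)raw + NON_USER_SIZE) & ~(uintptr_t)(BIG_ALLOC_ALIGN - 1);
    ((unsigned char **)user)[-1] = raw;
    return (void *)user;
}

/* _Deallocate counterpart. The distance from the user pointer back to the
 * stashed raw pointer must lie in [sizeof(void*), NON_USER_SIZE]; anything else
 * means a corrupted header or a pointer that never came from big_alloc, and the
 * STL fast-fails via _invalid_parameter_noinfo_noreturn (the "> 0x1f" branch).
 * Here that outcome is returned as -1 so it can be exercised. */
int big_free(void *user)
{
    unsigned char *raw = ((unsigned char **)user)[-1];
    uintptr_t back_shift = (uintptr_t)user - (uintptr_t)raw;   /* unsigned: small shifts wrap to huge */
    if (back_shift - sizeof(void *) > NON_USER_SIZE - sizeof(void *))
        return -1;
    free(raw);
    return 0;
}

/* Round trip over a block with a deliberately forged header (constructed for
 * this example). Returns 0 when each step behaves as the STL does, otherwise
 * the number of the failing step. */
int demo_big_block(void)
{
    size_t len = 5000;                                   /* >= BIG_ALLOC_THRESHOLD */
    unsigned char *p = big_alloc(len);
    if (p == NULL || ((uintptr_t)p % BIG_ALLOC_ALIGN) != 0)
        return 1;                                        /* must be 32-byte aligned */
    memset(p, 'A', len);                                 /* whole user range is writable */
    unsigned char *saved = ((unsigned char **)p)[-1];
    ((unsigned char **)p)[-1] = (unsigned char *)((uintptr_t)p - 0x100); /* forged, too far back */
    if (big_free(p) != -1)
        return 2;                                        /* corruption must be rejected */
    ((unsigned char **)p)[-1] = saved;
    return big_free(p) == 0 ? 0 : 3;
}

int main(void)
{
    uint32_t cap = 15;                                   /* SSO capacity of an empty MSVC string */
    for (int i = 0; i < 4; i++) {                        /* 31 47 70 105 */
        cap = next_capacity(cap);
        printf("%u ", cap);
    }
    printf("\nbig block demo: %d\n", demo_big_block());
    return 0;
}
```

For triage the point is that a function whose only checks are this 0x1000/0x23/0x1f arithmetic is library code, so time spent on it is time not spent on the sample's own logic. The range check on the stashed pointer is also what turns a corrupted header into a fast-fail in _invalid_parameter_noinfo_noreturn rather than a free() of an attacker-chosen pointer, so a crash at that call site during a string reallocation points at heap corruption, not at a bug in the allocator.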

    Control-flow Graph

    APIs
    • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,C33ECE8E,6E434AC8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,01342BAD), ref: 01341523
    • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 0134153E
    • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140 ref: 01341562
    • ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?), ref: 01341583
    • std::_Facet_Register.LIBCPMT ref: 0134159C
    • ??1_Lockit@std@@QAE@XZ.MSVCP140 ref: 013415B7
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
    • String ID:
    • API String ID: 295490909-0
    • Opcode ID: e44f1a7e2047589a6255953177d1c00b189487d41803b41be3d0ff3d88195d3c
    • Instruction ID: c7f47084f1eb2dc0228dc8a2bffb9b7d7148c80d9c212c416cee785a87b7ce8e
    • Opcode Fuzzy Hash: e44f1a7e2047589a6255953177d1c00b189487d41803b41be3d0ff3d88195d3c
    • Instruction Fuzzy Hash: 83317E75D00625DFCB21CF58D448AAEBBF8FB04724F094299E816AB345DB34B941CBD0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • _CxxThrowException.VCRUNTIME140(?,01343D08), ref: 013410E7
    • __std_exception_copy.VCRUNTIME140(?,?,?,?,?,01343D08), ref: 0134110E
    • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(013415A1,?,01341CF4,00000008,?,?,013415A1,?), ref: 01341D2E
    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(013415A1,?,01341CF4,00000008,?,?,013415A1,?), ref: 01341D3B
    • _CxxThrowException.VCRUNTIME140(?,01343C6C), ref: 0134237C
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: ExceptionThrow$__std_exception_copy_callnewhmalloc
    • String ID:
    • API String ID: 3601187372-0
    • Opcode ID: 6af8ecbcb9b99af0f15fe0a45be44172427d6c98875a60a84cade1fc426bfcf7
    • Instruction ID: da9fdae83265ca097e96aa4495ffaebf64ebc5b36759449d53842b6f5a5e54e0
    • Opcode Fuzzy Hash: 6af8ecbcb9b99af0f15fe0a45be44172427d6c98875a60a84cade1fc426bfcf7
    • Instruction Fuzzy Hash: E401047980020E77CB14BBACEC0499AB7FCAF1165CB104635FA54E7550EB70F59486D5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph image not reproduced (legend: Executed / Not Executed); basic blocks span 0x134260b to 0x1342660.
    C-Code - Quality: 92%
    			E0134260B(void* __edi, void* __esi, intOrPtr* _a4) {
    				intOrPtr* _t6;
    				intOrPtr* _t8;
    				intOrPtr* _t11;
    
    				_t8 = _a4;
    				_t11 =  *_t8;
    				if( *_t11 != 0xe06d7363 ||  *((intOrPtr*)(_t11 + 0x10)) != 3) {
    					L6:
    					return 0;
    				} else {
    					_t6 =  *((intOrPtr*)(_t11 + 0x14));
    					if(_t6 == 0x19930520 || _t6 == 0x19930521 || _t6 == 0x19930522 || _t6 == 0x1994000) {
    						L01342945();
    						 *_t6 = _t11;
    						L0134294B();
    						 *_t6 =  *((intOrPtr*)(_t8 + 4));
    						L013429F9();
    						asm("int3");
    						 *0x1345418 =  *0x1345418 & 0x00000000;
    						return _t6;
    					} else {
    						goto L6;
    					}
    				}
			}

    Per-line instruction addresses for this listing (side column not reproduced): 0x01342610 to 0x01342668

    APIs
    • __current_exception.VCRUNTIME140 ref: 0134264A
    • __current_exception_context.VCRUNTIME140 ref: 01342654
    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0134265B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1277107723.0000000001341000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
    • Associated: 00000000.00000002.1277094895.0000000001340000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277129698.0000000001343000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1277148362.0000000001345000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.1277165991.0000000001346000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1340000_analyseme.jbxd
    Yara matches
    Similarity
    • API ID: __current_exception__current_exception_contextterminate
    • String ID: csm
    • API String ID: 2542180945-1018135373
    • Opcode ID: a943883b17fe3fbbd7c94f459275773531bdf43c46499ccd5cefbac2704667d1
    • Instruction ID: 2a7311f176370231eda6d06a10b523fb741b334c9eea09454d339b6de2393817
    • Opcode Fuzzy Hash: a943883b17fe3fbbd7c94f459275773531bdf43c46499ccd5cefbac2704667d1
    • Instruction Fuzzy Hash: 52F082750002029BDB315E6DB45411BBBEDAF211793590415F5C8AB630CBA4BD51CAD9
    Uniqueness

    Uniqueness Score: -1.00%
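
Added example, not code from the report or from the sample: the test performed by E0134260B with the raw offsets given names. In the listing _a4 is an EXCEPTION_POINTERS argument, so *_t8 is its ExceptionRecord and *(_t8 + 4) its ContextRecord; the function has the shape of the VC runtime's unhandled-exception filter (__scrt_unhandled_exception_filter): on a C++ throw it stores the record and context for post-mortem debugging and calls terminate(), otherwise it returns 0 (EXCEPTION_CONTINUE_SEARCH). The struct below mirrors the 32-bit Windows EXCEPTION_RECORD layout with pointer fields stored as uint32_t so it builds without Windows headers on any host; the constants are the MSVC C++ exception-handling values from ehdata.h. The struct, function and buffer names are this example's own. The second helper shows where the report's String ID "csm" comes from.

```c
/* Added example, not code from the report or the sample. The struct reproduces
 * the 32-bit EXCEPTION_RECORD layout with pointers as uint32_t, so it builds on
 * any host without Windows headers; the constants are MSVC's ehdata.h values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t ExceptionCode;             /* +0x00  *_t11 in the listing                */
    uint32_t ExceptionFlags;            /* +0x04                                      */
    uint32_t ExceptionRecord;           /* +0x08  (32-bit pointer to a nested record) */
    uint32_t ExceptionAddress;          /* +0x0c  (32-bit pointer)                    */
    uint32_t NumberParameters;          /* +0x10  compared with 3                     */
    uint32_t ExceptionInformation[15];  /* +0x14  [0] compared with the magic values  */
} exception_record32_t;

_Static_assert(offsetof(exception_record32_t, NumberParameters) == 0x10, "layout");
_Static_assert(offsetof(exception_record32_t, ExceptionInformation) == 0x14, "layout");

#define EH_EXCEPTION_NUMBER   0xE06D7363u  /* 0xE0000000 | 'msc': a C++ throw          */
#define EH_MAGIC_NUMBER1      0x19930520u  /* ThrowInfo format versions, oldest first */
#define EH_MAGIC_NUMBER2      0x19930521u
#define EH_MAGIC_NUMBER3      0x19930522u
#define EH_PURE_MAGIC_NUMBER1 0x01994000u  /* the /clr:pure variant                   */

/* 1 if the record is a C++ exception thrown by the MSVC runtime (the case in
 * which the listing saves record and context, then calls terminate()); 0 for
 * everything else, e.g. an access violation or a breakpoint. */
int is_msvc_cxx_exception(const exception_record32_t *rec)
{
    if (rec->ExceptionCode != EH_EXCEPTION_NUMBER || rec->NumberParameters != 3)
        return 0;
    switch (rec->ExceptionInformation[0]) {
    case EH_MAGIC_NUMBER1: case EH_MAGIC_NUMBER2:
    case EH_MAGIC_NUMBER3: case EH_PURE_MAGIC_NUMBER1:
        return 1;
    default:
        return 0;
    }
}

/* Build a record from the three fields the check reads, then classify it. */
int classify(uint32_t code, uint32_t nparams, uint32_t magic)
{
    exception_record32_t rec;
    memset(&rec, 0, sizeof rec);
    rec.ExceptionCode = code;
    rec.NumberParameters = nparams;
    rec.ExceptionInformation[0] = magic;
    return is_msvc_cxx_exception(&rec);
}

/* Where the report's String ID "csm" comes from: the little-endian bytes of
 * 0xE06D7363 are 63 73 6D E0 and the printable prefix reads "csm". Returns
 * that prefix in a static buffer (empty if the first byte is not printable). */
const char *printable_le_prefix(uint32_t value)
{
    static char buf[5];
    size_t n = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(value >> (8 * i));
        if (b < 0x20 || b > 0x7e)
            break;
        buf[n++] = (char)b;
    }
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("C++ throw, magic1: %d\n", classify(EH_EXCEPTION_NUMBER, 3, EH_MAGIC_NUMBER1)); /* 1 */
    printf("access violation:  %d\n", classify(0xC0000005u, 2, 0));                        /* 0 */
    printf("tag of %08x: \"%s\"\n", (unsigned)EH_EXCEPTION_NUMBER,
           printable_le_prefix(EH_EXCEPTION_NUMBER));                                      /* csm */
    return 0;
}
```

When a decompiler shows a compare against 0xe06d7363 followed by a parameter count of 3 and one of the 0x1993052x magics, the function is exception-handling plumbing from the runtime; the "csm" pseudo-string the report attaches to it is a side effect of the same constant and not an indicator of anything in the sample.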