
Windows Analysis Report
alternateshell.exe

Overview

General Information

Sample Name: alternateshell.exe
Analysis ID: 614316
MD5: 9ec3d89978c9a2ea2a7454d2913d79d2
SHA1: 178f6491b30329f7946d0ba2c9d484e7d363ec6d
SHA256: 7acd2e8f32235743d25b48d9b679b553e60a6348e13edd4f7eab6aee79fefe2c

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (rendered as an image in the original; only its labels survive): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.

Process tree:
  • System is w10x64
  • alternateshell.exe (PID: 6636, cmdline: "C:\Users\user\Desktop\alternateshell.exe", MD5: 9EC3D89978C9A2EA2A7454D2913D79D2)
  • cleanup

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures. All signature results:

Source: alternateshell.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: alternateshell.exe | Static PE information: certificate valid
Source: alternateshell.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\adrien\Documents\JWTS\workbench-release\c++\UniversalLauncher\Release\UniversalLauncher.pdb | source: alternateshell.exe
Source: alternateshell.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: alternateshell.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: alternateshell.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: alternateshell.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: alternateshell.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: alternateshell.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: alternateshell.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: alternateshell.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: alternateshell.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: alternateshell.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: alternateshell.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: alternateshell.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: alternateshell.exe, 00000000.00000002.247159785.00000000010AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: alternateshell.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alternateshell.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alternateshell.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alternateshell.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\alternateshell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: clean4.winEXE@1/0@0/0
Source: alternateshell.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: alternateshell.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: alternateshell.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: alternateshell.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: alternateshell.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: alternateshell.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: alternateshell.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: alternateshell.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: alternateshell.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: alternateshell.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: alternateshell.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\alternateshell.exe | Code function: 0_2_0009336B LoadLibraryW, GetProcAddress, GetProcAddress, EncodePointer, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer | 0_2_0009336B
Source: C:\Users\user\Desktop\alternateshell.exe | Code function: 0_2_000926A5 push ecx; ret | 0_2_000926B8
Source: C:\Users\user\Desktop\alternateshell.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep | graph_0-2676
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\alternateshell.exe | Code function: 0_2_00092E19 _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter | 0_2_00092E19
Source: C:\Users\user\Desktop\alternateshell.exe | Code function: 0_2_00091439 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess | 0_2_00091439
Source: C:\Users\user\Desktop\alternateshell.exe | Code function: 0_2_0009284F GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter | 0_2_0009284F
MITRE ATT&CK Matrix (tactic: techniques; a number in parentheses is the report's count of matched signatures for that technique; entries without a count have no matched signature):
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Native API (2); Scheduled Task/Job; At (Linux)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Obfuscated Files or Information (1); Rootkit; Obfuscated Files or Information
  • Credential Access: Input Capture (1); LSASS Memory; Security Account Manager
  • Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (2)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (rendered as an image in the original; legend icons not reproduced): Behavior Graph ID 614316, Sample alternateshell.exe, Start date 23/04/2022, Architecture WINDOWS, Score 4. The graph contains a single process node, alternateshell.exe, started from the start node.

Legend entries: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Screenshot: windows-stand (thumbnail not reproduced)
Scanner results (Source | Detection | Scanner):
alternateshell.exe | 0% | Virustotal
alternateshell.exe | 0% | Metadefender
alternateshell.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 614316
Start date and time: 2022-04-23 10:59:43 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 25s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: alternateshell.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.4% (good quality ratio 91.1%)
  • Quality average: 79.2%
  • Quality standard deviation: 31.4%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 5
  • Number of non-executed functions: 7
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.40.136.238
  • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, store-images.s-microsoft.com, arc.trafficmanager.net, arc.msn.com
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.106728522496812
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: alternateshell.exe
File size: 97992
MD5: 9ec3d89978c9a2ea2a7454d2913d79d2
SHA1: 178f6491b30329f7946d0ba2c9d484e7d363ec6d
SHA256: 7acd2e8f32235743d25b48d9b679b553e60a6348e13edd4f7eab6aee79fefe2c
SHA512: 0d06435bcf7b5e1b7cb4d13ecff8048e8ed90dda953dab9ba5fddb7467d6474ca57a3d070feb5162b55e070ead2087ba4ab39ef4b0989ed0684bda84275c8f9b
SSDEEP: 1536:6iysMsz9FI3Fs6Z4HLN72NBNhFaaDvsoAKQ3XDk/wXiv:ssMs5W3u6yHWBVU/nY/wk
TLSH: BAA36C82B690C4B2D47D4A3068B7D6A1193F7C52BA70521F36BEB36D1FB2392147931B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.....mY..mY..mYd^.Yu.mYd^.Yw.mYd^.YF.mYv..Yx.mY..lY8.mYd^.Y~.mYd^.Y~.mYd^.Y~.mYRich..mY........PE..L....A_Y.................H.
Icon Hash: f8f09a9ab6e2c478
Entrypoint: 0x40142f
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x595F41C6 [Fri Jul 7 08:09:42 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 6c22b430b335a4c5df9dfac22085a338
Signature Valid: true
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
  • 12/6/2016 4:00:00 PM, 12/7/2019 3:59:59 PM
Subject Chain:
  • CN=JWTS, O=JWTS, STREET=105 RUE DE L ABBE GROULT, L=Paris, S=Paris, PostalCode=75015, C=FR
Version: 3
Thumbprint MD5: A628AE2A47F43E753AFCE759375AE223
Thumbprint SHA-1: 0A5056EF8D5A22AA72B8B23E6D8F481D578ED32D
Thumbprint SHA-256: 5F7AFAC78212668738727EB174DC5D4DE230EC739A7904AC191804D5C6368C49
Serial: 4656DAA8B8B1F3E94BB8DBC46B5026C6
Instruction listing:
call 00007F5A444BE6B0h
jmp 00007F5A444BD12Ah
cmp ecx, dword ptr [00409050h]
jne 00007F5A444BD294h
rep ret
jmp 00007F5A444BE737h
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov edx, eax
mov cx, word ptr [eax]
add eax, 02h
test cx, cx
jne 00007F5A444BD287h
mov cx, word ptr [ebp+0Ch]
sub eax, 02h
cmp eax, edx
je 00007F5A444BD297h
cmp word ptr [eax], cx
jne 00007F5A444BD286h
cmp word ptr [eax], cx
je 00007F5A444BD294h
xor eax, eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push ebx
mov ebx, dword ptr [ebp+0Ch]
cmp word ptr [ebx], 0000h
push edi
mov edi, eax
je 00007F5A444BD2D5h
movzx ecx, word ptr [eax]
test cx, cx
je 00007F5A444BD2CBh
mov edx, ecx
sub eax, ebx
mov ecx, dword ptr [ebp+0Ch]
test dx, dx
je 00007F5A444BD2ABh
movzx edx, word ptr [ecx]
test dx, dx
je 00007F5A444BD2BDh
movzx ebx, word ptr [eax+ecx]
sub ebx, edx
jne 00007F5A444BD29Bh
add ecx, 02h
cmp word ptr [eax+ecx], bx
jne 00007F5A444BD279h
cmp word ptr [ecx], 0000h
je 00007F5A444BD2A6h
add edi, 02h
movzx edx, word ptr [edi]
add eax, 02h
test dx, dx
jne 00007F5A444BD25Dh
xor eax, eax
pop edi
pop ebx
pop ebp
ret
mov eax, edi
jmp 00007F5A444BD28Ah
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F5A444BD2BCh
cmp dword ptr [eax+10h], 03h
jne 00007F5A444BD2B6h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
Programming Language:
  • [LNK] VS2010 SP1 build 40219
  • [ASM] VS2010 SP1 build 40219
  • [RES] VS2010 SP1 build 40219
  • [ C ] VS2010 SP1 build 40219
  • [C++] VS2010 SP1 build 40219
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7b0c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0xdd20 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16200 | 0x1cc8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19000 | 0x5cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6140 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7890 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x10c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x46a2 | 0x4800 | False | 0.616048177083 | data | 6.46027549604 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x6000 | 0x2142 | 0x2200 | False | 0.340533088235 | data | 4.71286861664 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x18c0 | 0xc00 | False | 0.213216145833 | data | 2.47173833754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xb000 | 0xdd20 | 0xde00 | False | 0.439629082207 | data | 5.66526402542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x19000 | 0x81c | 0xa00 | False | 0.515625 | data | 4.62724530341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb388 | 0xa68 | dBase IV DBT of \200.DBF, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xbdf0 | 0x668 | data | English | United States
RT_ICON | 0xc458 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2415919103, next used block 7376776 | English | United States
RT_ICON | 0xc740 | 0x1e8 | data | English | United States
RT_ICON | 0xc928 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xca50 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4009030900, next used block 4008636142 | English | United States
RT_ICON | 0xe078 | 0xea8 | data | English | United States
RT_ICON | 0xef20 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xf7c8 | 0x6c8 | data | English | United States
RT_ICON | 0xfe90 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x103f8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4294901760 | English | United States
RT_ICON | 0x14620 | 0x25a8 | data | English | United States
RT_ICON | 0x16bc8 | 0x10a8 | data | English | United States
RT_ICON | 0x17c70 | 0x988 | data | English | United States
RT_ICON | 0x185f8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x18a60 | 0xd8 | data | English | United States
RT_MANIFEST | 0x18b38 | 0x1e8 | ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
KERNEL32.dll | GetCommandLineW, WaitForSingleObject, GetExitCodeProcess, GetFileAttributesW, GetModuleFileNameW, SetCurrentDirectoryW, CloseHandle, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, HeapAlloc, GetCommandLineA, HeapSetInformation, SetUnhandledExceptionFilter, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, HeapFree, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, HeapSize, IsProcessorFeaturePresent
USER32.dll | MessageBoxW
SHELL32.dll | ShellExecuteExW, CommandLineToArgvW
Language of compilation system: English | Country where language is spoken: United States
No network behavior found

[Chart: process activity over 0-30 s, y-axis 0-100; not reproduced]

[Chart: process memory over 0-30 s, y-axis 0.00-8 MB; not reproduced]
Target ID: 0
Start time: 11:00:41
Start date: 23/04/2022
Path: C:\Users\user\Desktop\alternateshell.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\alternateshell.exe"
Imagebase: 0x90000
File size: 97992 bytes
MD5 hash: 9EC3D89978C9A2EA2A7454D2913D79D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Execution Graph

Execution Coverage: 10.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.4%
Total number of Nodes: 972
Total number of Limit Nodes: 18
[Execution graph: node/edge dump of function addresses and the Windows APIs each node calls, not reproduced. The recoverable main path from the dump: function 91000 calls _wcsrchr, then SetCurrentDirectoryW and GetFileAttributesW; on one branch MessageBoxW, on the other GetCommandLineW and CommandLineToArgvW, then _memset and ShellExecuteExW, followed by WaitForSingleObject, GetExitCodeProcess and CloseHandle. The remaining nodes are C runtime start-up and error handling (HeapSetInformation, HeapCreate, GetModuleHandleW, GetProcAddress, TlsAlloc, GetStartupInfoW, GetCommandLineA, GetEnvironmentStringsW, GetModuleFileNameA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent).]
2972->2969 2972->2973 2973->2940 2974->2971 2975 936d6 _free 66 API calls 2974->2975 2976 93ae2 2975->2976 2976->2971 2978 942d9 2977->2978 2979 942a4 2977->2979 2985 94351 2978->2985 2979->2978 2980 94024 ___addlocaleref 8 API calls 2979->2980 2981 942ba 2980->2981 2981->2978 2988 940b3 2981->2988 3246 92adb LeaveCriticalSection 2985->3246 2987 94358 2987->2956 2989 940c4 InterlockedDecrement 2988->2989 2990 94147 2988->2990 2991 940d9 InterlockedDecrement 2989->2991 2992 940dc 2989->2992 2990->2978 3002 9414c 2990->3002 2991->2992 2993 940e9 2992->2993 2994 940e6 InterlockedDecrement 2992->2994 2995 940f3 InterlockedDecrement 2993->2995 2996 940f6 2993->2996 2994->2993 2995->2996 2997 94100 InterlockedDecrement 2996->2997 2999 94103 2996->2999 2997->2999 2998 9411c InterlockedDecrement 2998->2999 2999->2998 3000 94137 InterlockedDecrement 2999->3000 3001 9412c InterlockedDecrement 2999->3001 3000->2990 3001->2999 3003 941d0 3002->3003 3005 94163 3002->3005 3004 9421d 3003->3004 3006 936d6 _free 66 API calls 3003->3006 3018 94246 3004->3018 3072 94e4d 3004->3072 3005->3003 3013 936d6 _free 66 API calls 3005->3013 3015 94197 3005->3015 3008 941f1 3006->3008 3010 936d6 _free 66 API calls 3008->3010 3016 94204 3010->3016 3011 936d6 _free 66 API calls 3017 941c5 3011->3017 3012 936d6 _free 66 API calls 3012->3018 3019 9418c 3013->3019 3014 9428b 3020 936d6 _free 66 API calls 3014->3020 3021 936d6 _free 66 API calls 3015->3021 3031 941b8 3015->3031 3023 936d6 _free 66 API calls 3016->3023 3024 936d6 _free 66 API calls 3017->3024 3018->3014 3022 936d6 66 API calls _free 3018->3022 3032 9522d 3019->3032 3026 94291 3020->3026 3027 941ad 3021->3027 3022->3018 3028 94212 3023->3028 3024->3003 3026->2978 3060 951c4 3027->3060 3030 936d6 _free 66 API calls 3028->3030 3030->3004 3031->3011 3033 9523e 3032->3033 3059 95327 3032->3059 3034 9524f 3033->3034 3035 936d6 _free 66 API calls 3033->3035 3036 95261 3034->3036 3037 936d6 _free 66 API calls 3034->3037 3035->3034 3038 
95273 3036->3038 3039 936d6 _free 66 API calls 3036->3039 3037->3036 3040 95285 3038->3040 3041 936d6 _free 66 API calls 3038->3041 3039->3038 3042 95297 3040->3042 3043 936d6 _free 66 API calls 3040->3043 3041->3040 3044 952a9 3042->3044 3045 936d6 _free 66 API calls 3042->3045 3043->3042 3046 952bb 3044->3046 3047 936d6 _free 66 API calls 3044->3047 3045->3044 3048 952cd 3046->3048 3049 936d6 _free 66 API calls 3046->3049 3047->3046 3050 952df 3048->3050 3051 936d6 _free 66 API calls 3048->3051 3049->3048 3052 952f1 3050->3052 3053 936d6 _free 66 API calls 3050->3053 3051->3050 3054 936d6 _free 66 API calls 3052->3054 3056 95303 3052->3056 3053->3052 3054->3056 3055 936d6 _free 66 API calls 3057 95315 3055->3057 3056->3055 3056->3057 3058 936d6 _free 66 API calls 3057->3058 3057->3059 3058->3059 3059->3015 3061 951d1 3060->3061 3071 95229 3060->3071 3062 951e1 3061->3062 3063 936d6 _free 66 API calls 3061->3063 3064 936d6 _free 66 API calls 3062->3064 3067 951f3 3062->3067 3063->3062 3064->3067 3065 936d6 _free 66 API calls 3066 95205 3065->3066 3068 936d6 _free 66 API calls 3066->3068 3069 95217 3066->3069 3067->3065 3067->3066 3068->3069 3070 936d6 _free 66 API calls 3069->3070 3069->3071 3070->3071 3071->3031 3073 94e5e 3072->3073 3245 9423b 3072->3245 3074 936d6 _free 66 API calls 3073->3074 3075 94e66 3074->3075 3076 936d6 _free 66 API calls 3075->3076 3077 94e6e 3076->3077 3078 936d6 _free 66 API calls 3077->3078 3079 94e76 3078->3079 3080 936d6 _free 66 API calls 3079->3080 3081 94e7e 3080->3081 3082 936d6 _free 66 API calls 3081->3082 3083 94e86 3082->3083 3084 936d6 _free 66 API calls 3083->3084 3085 94e8e 3084->3085 3086 936d6 _free 66 API calls 3085->3086 3087 94e95 3086->3087 3088 936d6 _free 66 API calls 3087->3088 3089 94e9d 3088->3089 3090 936d6 _free 66 API calls 3089->3090 3091 94ea5 3090->3091 3092 936d6 _free 66 API calls 3091->3092 3093 94ead 3092->3093 3094 936d6 _free 66 API calls 3093->3094 3095 94eb5 3094->3095 3096 936d6 _free 66 API 
calls 3095->3096 3097 94ebd 3096->3097 3098 936d6 _free 66 API calls 3097->3098 3099 94ec5 3098->3099 3100 936d6 _free 66 API calls 3099->3100 3101 94ecd 3100->3101 3102 936d6 _free 66 API calls 3101->3102 3103 94ed5 3102->3103 3104 936d6 _free 66 API calls 3103->3104 3105 94edd 3104->3105 3106 936d6 _free 66 API calls 3105->3106 3107 94ee8 3106->3107 3108 936d6 _free 66 API calls 3107->3108 3109 94ef0 3108->3109 3110 936d6 _free 66 API calls 3109->3110 3111 94ef8 3110->3111 3112 936d6 _free 66 API calls 3111->3112 3113 94f00 3112->3113 3114 936d6 _free 66 API calls 3113->3114 3115 94f08 3114->3115 3116 936d6 _free 66 API calls 3115->3116 3117 94f10 3116->3117 3118 936d6 _free 66 API calls 3117->3118 3119 94f18 3118->3119 3120 936d6 _free 66 API calls 3119->3120 3121 94f20 3120->3121 3122 936d6 _free 66 API calls 3121->3122 3123 94f28 3122->3123 3124 936d6 _free 66 API calls 3123->3124 3125 94f30 3124->3125 3126 936d6 _free 66 API calls 3125->3126 3127 94f38 3126->3127 3128 936d6 _free 66 API calls 3127->3128 3129 94f40 3128->3129 3130 936d6 _free 66 API calls 3129->3130 3131 94f48 3130->3131 3132 936d6 _free 66 API calls 3131->3132 3133 94f50 3132->3133 3134 936d6 _free 66 API calls 3133->3134 3135 94f58 3134->3135 3136 936d6 _free 66 API calls 3135->3136 3137 94f60 3136->3137 3138 936d6 _free 66 API calls 3137->3138 3139 94f6e 3138->3139 3140 936d6 _free 66 API calls 3139->3140 3141 94f79 3140->3141 3142 936d6 _free 66 API calls 3141->3142 3143 94f84 3142->3143 3144 936d6 _free 66 API calls 3143->3144 3145 94f8f 3144->3145 3146 936d6 _free 66 API calls 3145->3146 3147 94f9a 3146->3147 3148 936d6 _free 66 API calls 3147->3148 3149 94fa5 3148->3149 3150 936d6 _free 66 API calls 3149->3150 3151 94fb0 3150->3151 3152 936d6 _free 66 API calls 3151->3152 3153 94fbb 3152->3153 3154 936d6 _free 66 API calls 3153->3154 3155 94fc6 3154->3155 3156 936d6 _free 66 API calls 3155->3156 3157 94fd1 3156->3157 3158 936d6 _free 66 API calls 3157->3158 3159 94fdc 3158->3159 3160 
936d6 _free 66 API calls 3159->3160 3161 94fe7 3160->3161 3162 936d6 _free 66 API calls 3161->3162 3163 94ff2 3162->3163 3164 936d6 _free 66 API calls 3163->3164 3165 94ffd 3164->3165 3166 936d6 _free 66 API calls 3165->3166 3167 95008 3166->3167 3168 936d6 _free 66 API calls 3167->3168 3169 95013 3168->3169 3170 936d6 _free 66 API calls 3169->3170 3171 95021 3170->3171 3172 936d6 _free 66 API calls 3171->3172 3173 9502c 3172->3173 3174 936d6 _free 66 API calls 3173->3174 3175 95037 3174->3175 3176 936d6 _free 66 API calls 3175->3176 3177 95042 3176->3177 3178 936d6 _free 66 API calls 3177->3178 3179 9504d 3178->3179 3180 936d6 _free 66 API calls 3179->3180 3181 95058 3180->3181 3182 936d6 _free 66 API calls 3181->3182 3183 95063 3182->3183 3184 936d6 _free 66 API calls 3183->3184 3185 9506e 3184->3185 3186 936d6 _free 66 API calls 3185->3186 3187 95079 3186->3187 3188 936d6 _free 66 API calls 3187->3188 3189 95084 3188->3189 3190 936d6 _free 66 API calls 3189->3190 3191 9508f 3190->3191 3192 936d6 _free 66 API calls 3191->3192 3193 9509a 3192->3193 3194 936d6 _free 66 API calls 3193->3194 3195 950a5 3194->3195 3196 936d6 _free 66 API calls 3195->3196 3197 950b0 3196->3197 3198 936d6 _free 66 API calls 3197->3198 3199 950bb 3198->3199 3200 936d6 _free 66 API calls 3199->3200 3201 950c6 3200->3201 3202 936d6 _free 66 API calls 3201->3202 3203 950d4 3202->3203 3204 936d6 _free 66 API calls 3203->3204 3205 950df 3204->3205 3206 936d6 _free 66 API calls 3205->3206 3207 950ea 3206->3207 3208 936d6 _free 66 API calls 3207->3208 3209 950f5 3208->3209 3210 936d6 _free 66 API calls 3209->3210 3211 95100 3210->3211 3212 936d6 _free 66 API calls 3211->3212 3213 9510b 3212->3213 3214 936d6 _free 66 API calls 3213->3214 3215 95116 3214->3215 3216 936d6 _free 66 API calls 3215->3216 3217 95121 3216->3217 3218 936d6 _free 66 API calls 3217->3218 3219 9512c 3218->3219 3220 936d6 _free 66 API calls 3219->3220 3221 95137 3220->3221 3222 936d6 _free 66 API calls 3221->3222 3223 95142 
3222->3223 3224 936d6 _free 66 API calls 3223->3224 3225 9514d 3224->3225 3226 936d6 _free 66 API calls 3225->3226 3227 95158 3226->3227 3228 936d6 _free 66 API calls 3227->3228 3229 95163 3228->3229 3230 936d6 _free 66 API calls 3229->3230 3231 9516e 3230->3231 3232 936d6 _free 66 API calls 3231->3232 3233 95179 3232->3233 3234 936d6 _free 66 API calls 3233->3234 3235 95187 3234->3235 3236 936d6 _free 66 API calls 3235->3236 3237 95192 3236->3237 3238 936d6 _free 66 API calls 3237->3238 3239 9519d 3238->3239 3240 936d6 _free 66 API calls 3239->3240 3241 951a8 3240->3241 3242 936d6 _free 66 API calls 3241->3242 3243 951b3 3242->3243 3244 936d6 _free 66 API calls 3243->3244 3244->3245 3245->3012 3246->2987 3250 92adb LeaveCriticalSection 3247->3250 3249 93b13 3249->2972 3250->3249 3252 93e0d __mtinitlocknum 3251->3252 3253 92372 __getptd 66 API calls 3252->3253 3254 93e16 3253->3254 3255 93a71 _LocaleUpdate::_LocaleUpdate 68 API calls 3254->3255 3256 93e20 3255->3256 3282 93b9c 3256->3282 3259 9376f __malloc_crt 66 API calls 3260 93e41 3259->3260 3261 93f60 __mtinitlocknum 3260->3261 3289 93c18 3260->3289 3261->2925 3264 93f6d 3264->3261 3271 936d6 _free 66 API calls 3264->3271 3274 93f80 3264->3274 3265 93e71 InterlockedDecrement 3266 93e81 3265->3266 3267 93e92 InterlockedIncrement 3265->3267 3266->3267 3269 936d6 _free 66 API calls 3266->3269 3267->3261 3270 93ea8 3267->3270 3268 9301d _malloc 66 API calls 3268->3261 3272 93e91 3269->3272 3270->3261 3273 92bb4 __lock 66 API calls 3270->3273 3271->3274 3272->3267 3276 93ebc InterlockedDecrement 3273->3276 3274->3268 3277 93f38 3276->3277 3278 93f4b InterlockedIncrement 3276->3278 3277->3278 3280 936d6 _free 66 API calls 3277->3280 3299 93f62 3278->3299 3281 93f4a 3280->3281 3281->3278 3283 93b15 _LocaleUpdate::_LocaleUpdate 76 API calls 3282->3283 3284 93bb0 3283->3284 3285 93bd9 3284->3285 3286 93bbb GetOEMCP 3284->3286 3287 93bcb 3285->3287 3288 93bde GetACP 3285->3288 3286->3287 3287->3259 3287->3261 3288->3287 
3290 93b9c getSystemCP 78 API calls 3289->3290 3292 93c38 3290->3292 3291 93c43 setSBCS 3293 91439 __call_reportfault 5 API calls 3291->3293 3292->3291 3295 93c87 IsValidCodePage 3292->3295 3298 93cac _memset __setmbcp_nolock 3292->3298 3294 93dff 3293->3294 3294->3264 3294->3265 3295->3291 3296 93c99 GetCPInfo 3295->3296 3296->3291 3296->3298 3302 938e1 GetCPInfo 3298->3302 3363 92adb LeaveCriticalSection 3299->3363 3301 93f69 3301->3261 3303 93915 _memset 3302->3303 3311 939c9 3302->3311 3312 94e0d 3303->3312 3307 91439 __call_reportfault 5 API calls 3309 93a6f 3307->3309 3309->3298 3310 94ce0 ___crtLCMapStringA 82 API calls 3310->3311 3311->3307 3313 93b15 _LocaleUpdate::_LocaleUpdate 76 API calls 3312->3313 3314 94e20 3313->3314 3322 94d26 3314->3322 3317 94ce0 3318 93b15 _LocaleUpdate::_LocaleUpdate 76 API calls 3317->3318 3319 94cf3 3318->3319 3339 94af9 3319->3339 3323 94d4f MultiByteToWideChar 3322->3323 3324 94d44 3322->3324 3327 94d7c 3323->3327 3334 94d78 3323->3334 3324->3323 3325 94d91 _memset __crtGetStringTypeA_stat 3329 94dca MultiByteToWideChar 3325->3329 3325->3334 3326 91439 __call_reportfault 5 API calls 3328 93984 3326->3328 3327->3325 3330 94936 _malloc 66 API calls 3327->3330 3328->3317 3331 94df1 3329->3331 3332 94de0 GetStringTypeW 3329->3332 3330->3325 3335 94851 3331->3335 3332->3331 3334->3326 3336 9485d 3335->3336 3337 9486e 3335->3337 3336->3337 3338 936d6 _free 66 API calls 3336->3338 3337->3334 3338->3337 3341 94b17 MultiByteToWideChar 3339->3341 3342 94b75 3341->3342 3346 94b7c 3341->3346 3343 91439 __call_reportfault 5 API calls 3342->3343 3345 939a4 3343->3345 3344 94bc9 MultiByteToWideChar 3347 94cc1 3344->3347 3348 94be2 LCMapStringW 3344->3348 3345->3310 3349 94936 _malloc 66 API calls 3346->3349 3353 94b95 __crtGetStringTypeA_stat 3346->3353 3350 94851 __freea 66 API calls 3347->3350 3348->3347 3351 94c01 3348->3351 3349->3353 3350->3342 3352 94c0b 3351->3352 3356 94c34 3351->3356 3352->3347 3354 94c1f LCMapStringW 3352->3354 
3353->3342 3353->3344 3354->3347 3355 94c83 LCMapStringW 3358 94c99 WideCharToMultiByte 3355->3358 3359 94cbb 3355->3359 3357 94936 _malloc 66 API calls 3356->3357 3360 94c4f __crtGetStringTypeA_stat 3356->3360 3357->3360 3358->3359 3361 94851 __freea 66 API calls 3359->3361 3360->3347 3360->3355 3361->3347 3363->3301 3365 9371e 3364->3365 3366 93725 3364->3366 3365->3366 3368 93743 3365->3368 3367 9301d _malloc 66 API calls 3366->3367 3372 9372a 3367->3372 3370 93734 3368->3370 3371 9301d _malloc 66 API calls 3368->3371 3369 92f94 _strcpy_s 11 API calls 3369->3370 3370->2596 3371->3372 3372->3369 3374 93170 EncodePointer 3373->3374 3374->3374 3375 9318a 3374->3375 3375->2609 3379 93117 3376->3379 3378 93160 3378->2611 3380 93123 __mtinitlocknum 3379->3380 3387 91569 3380->3387 3386 93144 __mtinitlocknum 3386->3378 3388 92bb4 __lock 66 API calls 3387->3388 3389 91570 3388->3389 3390 93030 DecodePointer DecodePointer 3389->3390 3391 930df 3390->3391 3392 9305e 3390->3392 3401 9314d 3391->3401 3392->3391 3404 948fa 3392->3404 3394 930c2 EncodePointer EncodePointer 3394->3391 3395 93070 3395->3394 3396 93094 3395->3396 3411 93800 3395->3411 3396->3391 3398 93800 __realloc_crt 70 API calls 3396->3398 3400 930b0 EncodePointer 3396->3400 3399 930aa 3398->3399 3399->3391 3399->3400 3400->3394 3437 91572 3401->3437 3405 9491a HeapSize 3404->3405 3406 94905 3404->3406 3405->3395 3407 9301d _malloc 66 API calls 3406->3407 3408 9490a 3407->3408 3409 92f94 _strcpy_s 11 API calls 3408->3409 3410 94915 3409->3410 3410->3395 3415 93809 3411->3415 3413 93848 3413->3396 3414 93829 Sleep 3414->3415 3415->3413 3415->3414 3416 94a4c 3415->3416 3417 94a62 3416->3417 3418 94a57 3416->3418 3420 94a6a 3417->3420 3428 94a77 3417->3428 3419 94936 _malloc 66 API calls 3418->3419 3421 94a5f 3419->3421 3422 936d6 _free 66 API calls 3420->3422 3421->3415 3436 94a72 _free 3422->3436 3423 94aaf 3425 92fb3 _malloc DecodePointer 3423->3425 3424 94a7f HeapReAlloc 3424->3428 3424->3436 3426 94ab5 
3425->3426 3429 9301d _malloc 66 API calls 3426->3429 3427 94adf 3431 9301d _malloc 66 API calls 3427->3431 3428->3423 3428->3424 3428->3427 3430 92fb3 _malloc DecodePointer 3428->3430 3433 94ac7 3428->3433 3429->3436 3430->3428 3432 94ae4 GetLastError 3431->3432 3432->3436 3434 9301d _malloc 66 API calls 3433->3434 3435 94acc GetLastError 3434->3435 3435->3436 3436->3415 3440 92adb LeaveCriticalSection 3437->3440 3439 91579 3439->3386 3440->3439 3442 9100d GetModuleFileNameW 3441->3442 3442->2615 3444 91675 __mtinitlocknum 3443->3444 3445 92bb4 __lock 61 API calls 3444->3445 3446 9167c 3445->3446 3448 916a7 RtlDecodePointer 3446->3448 3452 91726 3446->3452 3449 916be DecodePointer 3448->3449 3448->3452 3457 916d1 3449->3457 3451 917a3 __mtinitlocknum 3451->2630 3464 91794 3452->3464 3455 9178b 3456 91551 _malloc 3 API calls 3455->3456 3458 91794 3456->3458 3457->3452 3460 916e8 DecodePointer 3457->3460 3463 916f7 DecodePointer DecodePointer 3457->3463 3469 921c2 RtlEncodePointer 3457->3469 3459 917a1 3458->3459 3471 92adb LeaveCriticalSection 3458->3471 3459->2630 3470 921c2 RtlEncodePointer 3460->3470 3463->3457 3465 9179a 3464->3465 3466 91774 3464->3466 3472 92adb LeaveCriticalSection 3465->3472 3466->3451 3468 92adb LeaveCriticalSection 3466->3468 3468->3455 3469->3457 3470->3457 3471->3459 3472->3466 3474 91669 _doexit 66 API calls 3473->3474 3475 917d0 3474->3475 3520 926c0 3521 926f9 3520->3521 3522 926ec 3520->3522 3524 91439 __call_reportfault 5 API calls 3521->3524 3523 91439 __call_reportfault 5 API calls 3522->3523 3523->3521 3527 92709 __except_handler4 __IsNonwritableInCurrentImage 3524->3527 3525 9278c 3526 92762 __except_handler4 3526->3525 3528 9277c 3526->3528 3529 91439 __call_reportfault 5 API calls 3526->3529 3527->3525 3527->3526 3536 94482 RtlUnwind 3527->3536 3530 91439 __call_reportfault 5 API calls 3528->3530 3529->3528 3530->3525 3532 927de __except_handler4 3533 92812 3532->3533 3534 91439 __call_reportfault 5 API calls 3532->3534 3535 
91439 __call_reportfault 5 API calls 3533->3535 3534->3533 3535->3526 3536->3532 3537 91405 3538 9141a 3537->3538 3539 91414 3537->3539 3543 917e4 3538->3543 3540 917bf __amsg_exit 66 API calls 3539->3540 3540->3538 3542 9141f __mtinitlocknum 3544 91669 _doexit 66 API calls 3543->3544 3545 917ef 3544->3545 3545->3542 3612 930e6 3613 937b4 __calloc_crt 66 API calls 3612->3613 3614 930f2 EncodePointer 3613->3614 3615 9310b 3614->3615 3616 913f1 3619 91a1f 3616->3619 3620 922f9 __getptd_noexit 66 API calls 3619->3620 3621 91402 3620->3621 3622 95330 RtlUnwind 3623 943f0 3624 94402 3623->3624 3626 94410 @_EH4_CallFilterFunc@8 3623->3626 3625 91439 __call_reportfault 5 API calls 3624->3625 3625->3626 3550 92a14 3551 92a17 3550->3551 3554 944ba 3551->3554 3553 92a23 __mtinitlocknum 3563 92c3c DecodePointer 3554->3563 3556 944bf 3559 944ca 3556->3559 3564 92c49 3556->3564 3558 944e2 3561 917bf __amsg_exit 66 API calls 3558->3561 3559->3558 3560 92e19 __call_reportfault 8 API calls 3559->3560 3560->3558 3562 944ec 3561->3562 3562->3553 3563->3556 3567 92c55 __mtinitlocknum 3564->3567 3565 92cb0 3568 92c92 DecodePointer 3565->3568 3572 92cbf 3565->3572 3566 92c7c 3569 922f9 __getptd_noexit 66 API calls 3566->3569 3567->3565 3567->3566 3567->3568 3574 92c78 3567->3574 3571 92c81 _siglookup 3568->3571 3569->3571 3576 92d1c 3571->3576 3578 917bf __amsg_exit 66 API calls 3571->3578 3584 92c8a __mtinitlocknum 3571->3584 3573 9301d _malloc 66 API calls 3572->3573 3575 92cc4 3573->3575 3574->3566 3574->3572 3577 92f94 _strcpy_s 11 API calls 3575->3577 3579 92bb4 __lock 66 API calls 3576->3579 3580 92d27 3576->3580 3577->3584 3578->3576 3579->3580 3582 92d5c 3580->3582 3585 921c2 RtlEncodePointer 3580->3585 3586 92db0 3582->3586 3584->3559 3585->3582 3587 92dbd 3586->3587 3588 92db6 3586->3588 3587->3584 3590 92adb LeaveCriticalSection 3588->3590 3590->3587 3591 914d6 3592 91512 3591->3592 3594 914e8 3591->3594 3594->3592 3595 929f0 3594->3595 3596 929fc __mtinitlocknum 3595->3596 
3597 92372 __getptd 66 API calls 3596->3597 3600 92a01 3597->3600 3598 944ba _abort 68 API calls 3599 92a23 __mtinitlocknum 3598->3599 3599->3592 3600->3598

Executed Functions

Control-flow Graph

C-Code - Quality: 95%
			E00091000() {
				signed int _v8;
				short _v528;
				char _v1048;
				char _v66584;
				void* _v66588;
				long _v66592;
				int _v66596;
				struct _SHELLEXECUTEINFOW _v66656;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t57;
				short* _t61;
				long _t64;
				void* _t70;
				WCHAR* _t71;
				unsigned int _t72;
				short* _t76;
				void* _t77;
				unsigned int _t78;
				void* _t81;
				intOrPtr* _t92;
				WCHAR* _t99;
				WCHAR* _t101;
				signed int _t104;
				signed int _t105;
				short _t106;
				void _t107;
				signed int _t109;
				short _t114;
				short _t115;
				void _t116;
				void _t117;
				signed int _t119;
				int _t122;
				signed int _t124;
				intOrPtr _t130;
				short _t134;
				signed short* _t135;
				void* _t138;
				short _t139;
				void* _t140;
				void* _t142;
				short* _t143;
				void* _t145;
				void* _t147;
				void* _t153;
				void* _t157;
				short* _t158;
				void* _t160;
				intOrPtr* _t161;
				void* _t162;
				void* _t163;
				signed int _t165;

				E00095670(0x1045c);
				_t57 =  *0x99050; // 0x4b09c3c4
				_v8 = _t57 ^ _t165;
				GetModuleFileNameW(0,  &_v528, 0x104);
				_t61 = E00091448( &_v528, 0x5c);
				_t4 = _t61 + 2; // 0x2
				_t99 = _t4;
				_t101 = _t99;
				_t5 =  &(_t101[1]); // 0x4
				_t158 = _t5;
				do {
					_t134 =  *_t101;
					_t101 =  &(_t101[1]);
				} while (_t134 != 0);
				_t7 = (_t101 - _t158 >> 1) * 2; // -6
				_t143 = _t99 + _t7 - 8;
				_t135 = L".bin";
				_t160 = _t143 - _t135;
				do {
					_t104 =  *_t135 & 0x0000ffff;
					 *(_t160 + _t135) = _t104;
					_t135 =  &(_t135[1]);
				} while (_t104 != 0);
				 *_t61 = 0;
				SetCurrentDirectoryW( &_v528);
				_t64 = GetFileAttributesW(_t99); // executed
				if(_t64 != 0xffffffff) {
					_t161 = CommandLineToArgvW(GetCommandLineW(),  &_v66596);
					_t145 = GetCommandLineW();
					_v66588 = _t145;
					if(_t145 == E00091476(_t145,  *_t161)) {
						_t92 =  *_t161;
						_t14 = _t92 + 2; // 0x2
						_t142 = _t14;
						do {
							_t130 =  *_t92;
							_t92 = _t92 + 2;
						} while (_t130 != 0);
						_t16 = (_t92 - _t142 >> 1) * 2; // 0x2
						_v66588 = _t145 + _t16 + 2;
					}
					_t70 = 0;
					do {
						_t19 = _t70 + "\""; // 0x22
						_t105 =  *_t19 & 0x0000ffff;
						 *(_t165 + _t70 - 0x10414) = _t105;
						_t70 = _t70 + 2;
					} while (_t105 != 0);
					_t71 = _t99;
					_t138 = _t99;
					do {
						_t106 =  *_t71;
						_t71 =  &(_t71[1]);
					} while (_t106 != 0);
					_t72 = _t71 - _t138;
					_t147 =  &_v66584 + 0xfffffffe;
					do {
						_t107 =  *(_t147 + 2);
						_t147 = _t147 + 2;
					} while (_t107 != 0);
					_t109 = _t72 >> 2;
					_t162 = _t138;
					_t76 = memcpy(_t162 + _t109 + _t109, _t162, memcpy(_t147, _t162, _t109 << 2) & 0x00000003) + 0xfffffffe;
					do {
						_t114 = _t76[1];
						_t76 =  &(_t76[1]);
					} while (_t114 != 0);
					_t115 = L"\" "; // 0x200022
					_t139 =  *0x97874; // 0x0
					 *_t76 = _t115;
					_t76[2] = _t139;
					_t77 = _v66588;
					_t140 = _t77;
					do {
						_t116 =  *_t77;
						_t77 = _t77 + 2;
					} while (_t116 != 0);
					_t78 = _t77 - _t140;
					_t153 =  &_v66584 + 0xfffffffe;
					do {
						_t117 =  *(_t153 + 2);
						_t153 = _t153 + 2;
					} while (_t117 != 0);
					_t119 = _t78 >> 2;
					_t163 = _t140;
					_t122 = memcpy(_t153, _t163, _t119 << 2) & 0x00000003;
					memcpy(_t163 + _t119 + _t119, _t163, _t122);
					_t157 = _t163 + _t122 + _t122;
					_t81 = 0;
					do {
						_t32 = _t81 + L"svcr.exe"; // 0x760073
						_t124 =  *_t32 & 0x0000ffff;
						 *(_t165 + _t81 - 0x414) = _t124;
						_t81 = _t81 + 2;
					} while (_t124 != 0);
					_v66592 = 0;
					E00094880( &(_v66656.fMask), 0, 0x38);
					_t141 =  &_v66584;
					_v66656.cbSize = 0x3c;
					_v66656.fMask = 0x40;
					_v66656.hwnd = 0;
					_v66656.lpVerb = 0;
					_v66656.lpFile =  &_v1048;
					_v66656.lpParameters =  &_v66584;
					_v66656.lpDirectory = 0;
					_v66656.nShow = 5;
					_v66656.hInstApp = 0;
					if(ShellExecuteExW( &_v66656) != 0) {
						WaitForSingleObject(_v66656.hProcess, 0xffffffff);
						_t141 =  &_v66592;
						GetExitCodeProcess(_v66656.hProcess,  &_v66592);
						CloseHandle(_v66656.hProcess);
					}
					return E00091439(_v66592, _t99, _v8 ^ _t165, _t141, _t157, 0);
				} else {
					 *_t143 = 0; // executed
					MessageBoxW(0, L"File not found", _t99, 0x10); // executed
					return E00091439(1, _t99, _v8 ^ _t165, 0, _t143, _t160);
				}
			}

APIs
  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00091028
  • _wcsrchr.LIBCMT ref: 00091037
  • SetCurrentDirectoryW.KERNEL32(?), ref: 0009107E
  • GetFileAttributesW.KERNELBASE(00000002), ref: 00091085
  • MessageBoxW.USER32(00000000,File not found,00000002,00000010), ref: 0009109E
  • GetCommandLineW.KERNEL32(?), ref: 000910C7
  • CommandLineToArgvW.SHELL32(00000000), ref: 000910CA
  • GetCommandLineW.KERNEL32 ref: 000910D2
  • _memset.LIBCMT ref: 000911F7
  • ShellExecuteExW.SHELL32(?), ref: 00091254
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00091267
  • GetExitCodeProcess.KERNEL32 ref: 0009127B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true
  • Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd
Similarity
  • API ID: CommandLine$File$ArgvAttributesCodeCurrentDirectoryExecuteExitMessageModuleNameObjectProcessShellSingleWait_memset_wcsrchr
  • String ID: .bin$<$@$File not found
  • API String ID: 3099538705-2818582479
  • Opcode ID: faeac68f449992d9a693f88c1c7e4af3a883d130228b8c17f7f66ff9a3b797f8
  • Instruction ID: ebc97f51b575be8e456ae98c8d5c82ca764e20bccd29d5179e0c96f47a0d05c9
  • Opcode Fuzzy Hash: faeac68f449992d9a693f88c1c7e4af3a883d130228b8c17f7f66ff9a3b797f8
  • Instruction Fuzzy Hash: 5A71C671A002199BCF24DF64CC95AEB73F4FF84310F0041A9EA4AD7291EBB56AC5DB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
Control-flow graph for E00091551: single basic block 91551-91562 (call 91526, ExitProcess); rendered graph not reproduced.
C-Code - Quality: 100%
			E00091551(int _a4) {

				E00091526(_a4);
				ExitProcess(_a4);
			}

APIs
  • ___crtCorExitProcess.LIBCMT ref: 00091559
    • Part of subcall function 00091526: GetModuleHandleW.KERNEL32(mscoree.dll,?,0009155E,?,?,00094965,000000FF,0000001E,00000001,00000000,00000000,?,00093780,?,00000001,?), ref: 00091530
    • Part of subcall function 00091526: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00091540
  • ExitProcess.KERNEL32 ref: 00091562
Memory Dump Source
  • Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true
  • Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd
Similarity
  • API ID: ExitProcess$AddressHandleModuleProc___crt
  • String ID:
  • API String ID: 2427264223-0
  • Opcode ID: 0919f66d2f5745d37786a46cf73c32a1041470f9bc6828a22b10a24d7c6232dd
  • Instruction ID: 252ca4fa5dcf054fca0ffcc888ca7f4632cd3c4def95fdba71439343e6f57bd4
  • Opcode Fuzzy Hash: 0919f66d2f5745d37786a46cf73c32a1041470f9bc6828a22b10a24d7c6232dd
  • Instruction Fuzzy Hash: F4B09B31000108BBDF112F11DC098893F15EBC03507514011F91505131DF769D519581
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
Control-flow graph for E000949CA: basic blocks 949ca-94a4b (calls to 9301d and 92fb3, RtlAllocateHeap); rendered graph edge listing not reproduced.
C-Code - Quality: 86%
			E000949CA(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x9a2a0, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x9a780;
					if( *0x9a780 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00092FB3(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E0009301D(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

APIs
  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000937CA,?,?,00000000,00000000,00000000,?,00092324,00000001,00000214,?,00091872), ref: 00094A0D
    • Part of subcall function 0009301D: __getptd_noexit.LIBCMT ref: 0009301D
Similarity
  • API ID: AllocateHeap__getptd_noexit
  • String ID:
  • API String ID: 328603210-0
  • Opcode ID: 3357a536eeb983f79bb4a0e5e5e30089aa818eb5e2e55b89a268ad9f62d61ea1
  • Instruction ID: 63df1756454d78e76cdb559ae380793f9db452bc78c0ea484a4c7e9d221349a6
  • Opcode Fuzzy Hash: 3357a536eeb983f79bb4a0e5e5e30089aa818eb5e2e55b89a268ad9f62d61ea1
  • Instruction Fuzzy Hash: DB01B1312452119AEF689F76DC54F6B37D8BB81360F00462AE815CB1A1D7748C02E791
Uniqueness

Uniqueness Score: -1.00%
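E000949CA above is the CRT's _calloc_impl. Before it multiplies the element count (_a4) by the element size (_a8) it checks 0xffffffe0 / count >= size, and only then asks the heap for the product with RtlAllocateHeap(heap, 8, total), flag 8 being HEAP_ZERO_MEMORY; a zero-byte product is bumped to 1, and every failure path stores 0xc (ENOMEM) through the errno pointer in _a12. The constant 0xffffffe0 is the 32-bit CRT's _HEAP_MAXREQ, the largest request it will ever hand to the heap, and the same ceiling is applied by the realloc path E00094A4C. Dividing first is what keeps count * size from wrapping to a small value that would then be handed to a caller who believes it got count elements. The block below is an added example, not code from the sample or from the CRT, that reimplements that check in portable C next to the naive multiply so the wrap-around it prevents is visible; crt_calloc_size, crt_calloc_size_or_zero, naive_calloc_size, crt_calloc and crt_calloc_is_zeroed are names chosen here, and malloc plus memset stands in for RtlAllocateHeap with HEAP_ZERO_MEMORY.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Largest byte count the 32-bit CRT hands to the heap (_HEAP_MAXREQ);
   this is the 0xffffffe0 literal in E000949CA. */
#define CRT_HEAP_MAXREQ 0xFFFFFFE0u

/* Naive size computation: count * size in 32-bit arithmetic wraps
   silently, so 0x10000000 elements of 16 bytes become a 0-byte request. */
uint32_t naive_calloc_size(uint32_t count, uint32_t size)
{
    return count * size;
}

/* Mirrors the decompiled logic:
     if (count != 0 && CRT_HEAP_MAXREQ / count < size) -> reject
     total = count * size; if (total == 0) total = 1;
   The division runs before the multiply, so the product can never exceed
   CRT_HEAP_MAXREQ and therefore can never wrap. Returns false on overflow,
   true with *out set otherwise. */
bool crt_calloc_size(uint32_t count, uint32_t size, uint32_t *out)
{
    if (count != 0 && CRT_HEAP_MAXREQ / count < size)
        return false;
    uint32_t total = count * size;   /* safe: total <= CRT_HEAP_MAXREQ here */
    if (total == 0)
        total = 1;                   /* the "_t24 = _t24 + 1" block: never request 0 bytes */
    *out = total;
    return true;
}

/* Convenience wrapper: the computed size, or 0 when the request is rejected
   (a valid size is never 0 because of the bump above). */
uint32_t crt_calloc_size_or_zero(uint32_t count, uint32_t size)
{
    uint32_t total;
    return crt_calloc_size(count, size, &total) ? total : 0;
}

/* calloc built on the check above. malloc + memset stands in for
   RtlAllocateHeap(heap, HEAP_ZERO_MEMORY, total); errno = ENOMEM (0xc)
   matches the "*errno_ptr = 0xc" stores in the decompiled function. */
void *crt_calloc(uint32_t count, uint32_t size)
{
    uint32_t total;
    if (!crt_calloc_size(count, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(total);
    if (p == NULL) {
        errno = ENOMEM;
        return NULL;
    }
    memset(p, 0, total);
    return p;
}

/* Checks the zero-fill contract: allocate, verify every byte is zero, free. */
bool crt_calloc_is_zeroed(uint32_t count, uint32_t size)
{
    unsigned char *p = crt_calloc(count, size);
    if (p == NULL)
        return false;
    bool zero = true;
    for (uint32_t i = 0; i < count * size; i++) {
        if (p[i] != 0) {
            zero = false;
            break;
        }
    }
    free(p);
    return zero;
}
```

The pair naive_calloc_size(0x10000000, 16) versus crt_calloc_size_or_zero(0x10000000, 16) is the whole point: the first returns 0 and would let a caller allocate nothing and then write 4 GiB into it, the second refuses.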

Control-flow Graph (image not reproduced; extracted node list "N start-end [call/API]" and edge list "A->B" follow, executed/not-executed colouring lost): 61 917a9-917b5 call 91669 63 917ba-917be 61->63
C-Code - Quality: 25%
			E000917A9(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00091669(_t3, _t4, _t5, _t6, _t9); // executed
				return _t2;
			}

APIs
  • _doexit.LIBCMT ref: 000917B5
    • Part of subcall function 00091669: __lock.LIBCMT ref: 00091677
    • Part of subcall function 00091669: RtlDecodePointer.NTDLL(000979A0,00000020,000917D0,?,00000001,00000000,?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D), ref: 000916B3
    • Part of subcall function 00091669: DecodePointer.KERNEL32(?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000916C4
    • Part of subcall function 00091669: DecodePointer.KERNEL32(-00000004,?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000916EA
    • Part of subcall function 00091669: DecodePointer.KERNEL32(?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000916FD
    • Part of subcall function 00091669: DecodePointer.KERNEL32(?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 00091707
Similarity
  • API ID: DecodePointer$__lock_doexit
  • String ID:
  • API String ID: 3343572566-0
  • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
  • Instruction ID: 4c8c4062dcfe786a33c299c1907986b9efd86a4b841279fb8b283d31fd5d82a5
  • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
  • Instruction Fuzzy Hash: 9EB01232A8030C77DF202542EC07F863F0D87C1BA0F280020FE0C1D1E2A9E3B96190C9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (image not reproduced; extracted node list "N start-end [call/API]" follows, executed/not-executed colouring lost): 64 921c2-921ca RtlEncodePointer
APIs
  • RtlEncodePointer.NTDLL(00000000,000916E0,?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000921C4
Similarity
  • API ID: EncodePointer
  • String ID:
  • API String ID: 2118026453-0
  • Opcode ID: 3221543673582f874f52d21363128cc88d063c98cc06bc142a4ca70d5a9ac98f
  • Instruction ID: a5fb41dc557ab68a1c0c02e949e0d1ae0d7af091f855144f05beb64016198225
  • Opcode Fuzzy Hash: 3221543673582f874f52d21363128cc88d063c98cc06bc142a4ca70d5a9ac98f
  • Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 85%
			E00091439(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x99050; // 0x4b09c3c4
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x9a3b0 = _t6;
				 *0x9a3ac = _t22;
				 *0x9a3a8 = _t25;
				 *0x9a3a4 = _t21;
				 *0x9a3a0 = _t27;
				 *0x9a39c = _t26;
				 *0x9a3c8 = ss;
				 *0x9a3bc = cs;
				 *0x9a398 = ds;
				 *0x9a394 = es;
				 *0x9a390 = fs;
				 *0x9a38c = gs;
				asm("pushfd");
				_pop( *0x9a3c0);
				 *0x9a3b4 =  *_t31;
				 *0x9a3b8 = _v0;
				 *0x9a3c4 =  &_a4;
				 *0x9a300 = 0x10001;
				_t11 =  *0x9a3b8; // 0x0
				 *0x9a2b4 = _t11;
				 *0x9a2a8 = 0xc0000409;
				 *0x9a2ac = 1;
				_t12 =  *0x99050; // 0x4b09c3c4
				_v812 = _t12;
				_t13 =  *0x99054; // 0xb4f63c3b
				_v808 = _t13;
				 *0x9a2f8 = IsDebuggerPresent();
				_push(1);
				E000944B2(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x96c60);
				if( *0x9a2f8 == 0) {
					_push(1);
					E000944B2(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs
  • IsDebuggerPresent.KERNEL32 ref: 000929A5
  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000929BA
  • UnhandledExceptionFilter.KERNEL32(00096C60), ref: 000929C5
  • GetCurrentProcess.KERNEL32(C0000409), ref: 000929E1
  • TerminateProcess.KERNEL32(00000000), ref: 000929E8
Similarity
  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
  • String ID:
  • API String ID: 2579439406-0
  • Opcode ID: bfc2937e27f6f1700d2948ea27d40def3b32cbaaf8f1d005eda83be613c925d3
  • Instruction ID: 4d9ed93ab358b7469338188e1a6b006849953ce302284f80279064cedb8ea68e
  • Opcode Fuzzy Hash: bfc2937e27f6f1700d2948ea27d40def3b32cbaaf8f1d005eda83be613c925d3
  • Instruction Fuzzy Hash: 2421CEB4A00304EFEB41DF69ED896553BB4BB4A710F50811BF908872A1E7BD5A848F96
Uniqueness

Uniqueness Score: -1.00%
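E00091439 above is the CRT's /GS failure handler __report_gsfailure. It is reached from __security_check_cookie when a function epilogue finds that the cookie placed on the stack by its prologue no longer matches __security_cookie, the global at 0x99050 (0x4b09c3c4 in this run). The handler copies the registers into a static exception record, calls IsDebuggerPresent only to decide whether to invoke the CRT debugger hook (E000944B2) a second time, clears the unhandled-exception filter with SetUnhandledExceptionFilter(0) so that nothing in the process can swallow the fault, reports it through UnhandledExceptionFilter, and ends the process with TerminateProcess(GetCurrentProcess(), 0xc0000409), STATUS_STACK_BUFFER_OVERRUN. Sandboxes routinely flag IsDebuggerPresent as an anti-debugging check; here it sits inside compiler-generated code that every /GS-compiled binary carries, which is worth knowing before reading the call as evasion. The block below is an added example, not code from the sample or from the CRT, that models the cookie mechanism in portable C: a frame with a 16-byte buffer, a cookie XORed with the frame address (MSVC XORs with ebp), a saved-return slot after it, a length-clamped memcpy that plays the overrun, and a check that records 0xc0000409 instead of terminating. All identifiers are chosen here, and the payload is constructed, not taken from the sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Process-wide cookie (__security_cookie, *0x99050 in the dump). */
static uint32_t g_security_cookie = 0x4b09c3c4u;   /* value observed in the dump */

/* Where the handler's verdict is recorded; the real __report_gsfailure
   calls TerminateProcess(GetCurrentProcess(), 0xc0000409) instead. */
#define STATUS_STACK_BUFFER_OVERRUN 0xc0000409u
static uint32_t g_last_gs_status = 0;

static void report_gsfailure(void)
{
    g_last_gs_status = STATUS_STACK_BUFFER_OVERRUN;
}

/* A /GS-protected frame laid out as MSVC does it: locals (the buffer),
   then the cookie, then the saved return address. An overrun of buf must
   walk through cookie before it can reach saved_ret. */
struct gs_frame {
    char     buf[16];
    uint32_t cookie;
    uint32_t saved_ret;
};

/* Prologue: cookie = __security_cookie ^ frame address. */
static uint32_t make_cookie(const struct gs_frame *f)
{
    return g_security_cookie ^ (uint32_t)(uintptr_t)f;
}

/* Epilogue (__security_check_cookie): on mismatch hand off to the handler. */
static bool check_cookie(const struct gs_frame *f)
{
    if (f->cookie != make_cookie(f)) {
        report_gsfailure();
        return false;
    }
    return true;
}

/* A function with an unbounded copy into its 16-byte local buffer.
   n is clamped to the frame size so the simulated overrun stays inside the
   struct object (a real overrun would not stop there). Returns 0 when the
   cookie survives, -1 when the check fires. */
int copy_with_gs_check(const void *src, size_t n)
{
    struct gs_frame f;
    f.cookie = make_cookie(&f);
    f.saved_ret = 0xdeadbeefu;             /* stand-in for the return address */
    if (n > sizeof f)
        n = sizeof f;
    memcpy((char *)&f, src, n);            /* the overflow: past buf into cookie */
    return check_cookie(&f) ? 0 : -1;
}

uint32_t last_gs_status(void)
{
    return g_last_gs_status;
}

/* Constructed payload: a run of 'A' bytes long enough to cross buf, cookie
   and saved_ret. Not data from the sample. */
const void *payload(void)
{
    static char bytes[sizeof(struct gs_frame)];
    memset(bytes, 'A', sizeof bytes);
    return bytes;
}
```

Copying 12 or 16 bytes leaves the cookie untouched and the check passes; copying 20 bytes overwrites it with 0x41414141, which cannot equal the XOR of the cookie with a 4-aligned frame address, so the handler fires and records STATUS_STACK_BUFFER_OVERRUN.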

Control-flow Graph (image not reproduced; extracted node list "N start-end [call/API]" and edge list "A->B" follow, executed/not-executed colouring lost): 349 924bb-924cd GetModuleHandleW 350 924d8-92520 GetProcAddress * 4 349->350 351 924cf-924d7 call 92208 349->351 353 92538-92557 350->353 354 92522-92529 350->354 357 9255c-9256a TlsAlloc 353->357 354->353 356 9252b-92532 354->356 356->353 358 92534-92536 356->358 359 92631 357->359 360 92570-9257b TlsSetValue 357->360 358->353 358->357 362 92633-92635 359->362 360->359 361 92581-925c7 call 9157b EncodePointer * 4 call 92a3a 360->361 367 925c9-925e6 DecodePointer 361->367 368 9262c call 92208 361->368 367->368 371 925e8-925fa call 937b4 367->371 368->359 371->368 374 925fc-9260f DecodePointer 371->374 374->368 376 92611-9262a call 92245 GetCurrentThreadId 374->376 376->362
C-Code - Quality: 62%
			E000924BB(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				void* _t35;
				struct HINSTANCE__* _t36;
				intOrPtr* _t37;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;

				_t35 = __edx;
				_t30 = __ebx;
				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t36 != 0) {
					 *0x9a290 = GetProcAddress(_t36, "FlsAlloc");
					 *0x9a294 = GetProcAddress(_t36, "FlsGetValue");
					 *0x9a298 = GetProcAddress(_t36, "FlsSetValue");
					_t7 = GetProcAddress(_t36, "FlsFree");
					__eflags =  *0x9a290;
					_t40 = TlsSetValue;
					 *0x9a29c = _t7;
					if( *0x9a290 == 0) {
						L6:
						 *0x9a294 = TlsGetValue;
						 *0x9a290 = 0x921cb;
						 *0x9a298 = _t40;
						 *0x9a29c = TlsFree;
					} else {
						__eflags =  *0x9a294;
						if( *0x9a294 == 0) {
							goto L6;
						} else {
							__eflags =  *0x9a298;
							if( *0x9a298 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x9904c = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x9a294);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E0009157B();
							_t42 = __imp__EncodePointer;
							_t14 =  *_t42( *0x9a290);
							 *0x9a290 = _t14;
							_t15 =  *_t42( *0x9a294);
							 *0x9a294 = _t15;
							_t16 =  *_t42( *0x9a298);
							 *0x9a298 = _t16;
							 *0x9a29c =  *_t42( *0x9a29c);
							_t18 = E00092A3A();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00092208();
								goto L15;
							} else {
								_t37 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t37()))( *0x9a290, E0009238C);
								 *0x99048 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E000937B4(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t37()))( *0x9a298,  *0x99048, _t43);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E00092245(_t30, _t35, _t37, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00092208();
					return 0;
				}
			}

APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0009134E,00097980,00000014), ref: 000924C3
  • __mtterm.LIBCMT ref: 000924CF
    • Part of subcall function 00092208: DecodePointer.KERNEL32(00000005,00092631,?,0009134E,00097980,00000014), ref: 00092219
    • Part of subcall function 00092208: TlsFree.KERNEL32(00000019,00092631,?,0009134E,00097980,00000014), ref: 00092233
    • Part of subcall function 00092208: DeleteCriticalSection.KERNEL32(00000000,00000000,774BF3A0,?,00092631,?,0009134E,00097980,00000014), ref: 00092AA1
    • Part of subcall function 00092208: _free.LIBCMT ref: 00092AA4
    • Part of subcall function 00092208: DeleteCriticalSection.KERNEL32(00000019,774BF3A0,?,00092631,?,0009134E,00097980,00000014), ref: 00092ACB
  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000924E5
  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000924F2
  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000924FF
  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0009250C
  • TlsAlloc.KERNEL32(?,0009134E,00097980,00000014), ref: 0009255C
  • TlsSetValue.KERNEL32(00000000,?,0009134E,00097980,00000014), ref: 00092577
  • __init_pointers.LIBCMT ref: 00092581
  • EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 00092592
  • EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 0009259F
  • EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 000925AC
  • EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 000925B9
  • DecodePointer.KERNEL32(0009238C,?,0009134E,00097980,00000014), ref: 000925DA
  • __calloc_crt.LIBCMT ref: 000925EF
  • DecodePointer.KERNEL32(00000000,?,0009134E,00097980,00000014), ref: 00092609
  • GetCurrentThreadId.KERNEL32 ref: 0009261B
Strings
Similarity
  • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
  • API String ID: 3698121176-3819984048
  • Opcode ID: 65f54d48cb205d7343e0a1162137bbb9f9f74b1b300558d5652fe6bcd14568e9
  • Instruction ID: 90436bcf3e6d3c31e987a055bfbe451e4c7e4d4e1dcfc0942bf66872918cffd2
  • Opcode Fuzzy Hash: 65f54d48cb205d7343e0a1162137bbb9f9f74b1b300558d5652fe6bcd14568e9
  • Instruction Fuzzy Hash: 78314F71A01211AEFF12AB78AE4A5573FB0FBC5B60B15051BE518D22B1DB3E8441EE92
Uniqueness

Uniqueness Score: -1.00%
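E000924BB above is the CRT's __mtinit. It resolves FlsAlloc, FlsGetValue, FlsSetValue and FlsFree from KERNEL32.DLL at runtime with GetProcAddress (the lookup a sandbox reports as dynamic API resolution), falls back to the TlsAlloc/TlsGetValue/TlsSetValue/TlsFree set when any of the four is missing on an older kernel without fiber-local storage, and then passes each resolved pointer through EncodePointer before storing it in the globals at 0x9a290, 0x9a294, 0x9a298 and 0x9a29c. Every later use goes through DecodePointer first, as at 000925DA where the decoded FlsAlloc slot is called with the callback E0009238C. The reason for the detour is that a write-what-where primitive cannot simply overwrite one of those global slots with the address of a function it wants called: without the per-process cookie the attacker cannot produce a value that decodes to a useful pointer. The block below is an added example, not code from the sample or from the CRT, that models this resolve-fallback-encode-store pattern in portable C. A constant cookie stands in for the Windows pointer cookie (a real build must draw it from a CSPRNG), rotate-and-XOR is a simplified stand-in for the undocumented EncodePointer transform, two local functions stand in for the Fls and Tls APIs, and every identifier is chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Shape of the resolved APIs held in the table. */
typedef uintptr_t (*api_fn)(uintptr_t);

/* Per-process secret. Windows keeps the EncodePointer/DecodePointer cookie
   in the process; here it is set once by init_api_table for the example. */
static uintptr_t g_pointer_cookie = 0;

static uintptr_t rotl(uintptr_t v, unsigned r)
{
    const unsigned bits = sizeof(uintptr_t) * 8;
    r %= bits;
    return r ? (v << r) | (v >> (bits - r)) : v;
}

static uintptr_t rotr(uintptr_t v, unsigned r)
{
    const unsigned bits = sizeof(uintptr_t) * 8;
    r %= bits;
    return r ? (v >> r) | (v << (bits - r)) : v;
}

/* Simplified model of EncodePointer: XOR with the cookie, then rotate by a
   cookie-derived amount. The real transform differs, but the property shown
   is the same: the stored value is useless without the cookie, and a raw
   address written into a slot decodes to garbage. */
uintptr_t encode_pointer(api_fn p)
{
    return rotl((uintptr_t)p ^ g_pointer_cookie, (unsigned)(g_pointer_cookie & 0x3f));
}

api_fn decode_pointer(uintptr_t enc)
{
    uintptr_t raw = rotr(enc, (unsigned)(g_pointer_cookie & 0x3f)) ^ g_pointer_cookie;
    return (api_fn)raw;
}

/* Stand-ins for the two API families the CRT chooses between. */
static uintptr_t api_primary(uintptr_t x)  { return x + 1;   }   /* the Fls* path */
static uintptr_t api_fallback(uintptr_t x) { return x + 100; }   /* the Tls* path */

/* Simulated GetProcAddress: NULL when the primary API is absent. */
static api_fn resolve_primary(bool available)
{
    return available ? api_primary : NULL;
}

/* The encoded global slot, the counterpart of *0x9a290 in the dump. */
static uintptr_t g_slot_alloc = 0;

/* __mtinit-style initialisation: resolve, fall back, encode, store. */
void init_api_table(uintptr_t cookie, bool primary_available)
{
    g_pointer_cookie = cookie;
    api_fn fn = resolve_primary(primary_available);
    if (fn == NULL)
        fn = api_fallback;                 /* the TlsAlloc fallback branch */
    g_slot_alloc = encode_pointer(fn);     /* never store the raw pointer */
}

/* Call through the slot as the CRT does: decode first, then call. */
uintptr_t call_alloc(uintptr_t arg)
{
    return decode_pointer(g_slot_alloc)(arg);
}

/* True if the slot currently holds one of the raw function addresses,
   i.e. if the encoding did nothing. */
bool slot_holds_raw_pointer(void)
{
    return g_slot_alloc == (uintptr_t)api_primary ||
           g_slot_alloc == (uintptr_t)api_fallback;
}

/* What an attacker with an arbitrary write gets: overwriting the slot with
   a raw function address does not yield that function after decoding.
   The decoded pointer is compared, never called. */
bool raw_overwrite_hits_target(api_fn target)
{
    g_slot_alloc = (uintptr_t)target;
    return decode_pointer(g_slot_alloc) == target;
}
```

init_api_table(cookie, true) models the Vista-and-later path where all four Fls exports resolve; init_api_table(cookie, false) models the fallback branch at 00092538. raw_overwrite_hits_target is the check that matters for exploitation: a slot that holds an encoded pointer cannot be retargeted by writing an address into it.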

C-Code - Quality: 91%
			E00092245(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0x979c0);
				E00092660(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0x96b78;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0x99310;
				E00092BB4(__ebx, 1, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E000922E7();
				E00092BB4(_t31, 1, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x99a78; // 0x999a0
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E00094024( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E000926A5(E000922F0());
			}

APIs
  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,000979C0,00000008,0009234D,00000000,00000000,?,00091872,00000003), ref: 00092256
  • __lock.LIBCMT ref: 0009228A
    • Part of subcall function 00092BB4: __mtinitlocknum.LIBCMT ref: 00092BCA
    • Part of subcall function 00092BB4: __amsg_exit.LIBCMT ref: 00092BD6
    • Part of subcall function 00092BB4: EnterCriticalSection.KERNEL32(?,?,?,0009228F,0000000D,?,00091872,00000003), ref: 00092BDE
  • InterlockedIncrement.KERNEL32(00099310), ref: 00092297
  • __lock.LIBCMT ref: 000922AB
  • ___addlocaleref.LIBCMT ref: 000922C9
Strings
Similarity
  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
  • String ID: KERNEL32.DLL$xk
  • API String ID: 637971194-616238704
  • Opcode ID: 9b313cd7a647b62f695df39f171f595640b785c5c4f0ae30a16a15c588828712
  • Instruction ID: 115b71b7f74dd412e6d5ec48de7926d190aad50d465ca0980c037062ff51b210
  • Opcode Fuzzy Hash: 9b313cd7a647b62f695df39f171f595640b785c5c4f0ae30a16a15c588828712
  • Instruction Fuzzy Hash: F0016D71405B00FBEF20AF69C806799BBF0BF40320F10894EE5D6976A2CBB5A644EB15
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 80%
			E00093A71(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x97ab0);
				E00092660(__ebx, __edi, __esi);
				_t31 = E00092372(__ebx, _t35);
				_t15 =  *0x99a90; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00092BB4(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x99738; // 0xe815f8
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x99310;
								if(__eflags != 0) {
									E000936D6(_t33);
								}
							}
						}
						_t21 =  *0x99738; // 0xe815f8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x99738; // 0xe815f8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00093B0C();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E000917F3(_t29, _t38);
				}
				return E000926A5(_t33);
			}

APIs
  • __getptd.LIBCMT ref: 00093A7D
    • Part of subcall function 00092372: __getptd_noexit.LIBCMT ref: 00092375
    • Part of subcall function 00092372: __amsg_exit.LIBCMT ref: 00092382
  • __amsg_exit.LIBCMT ref: 00093A9D
  • __lock.LIBCMT ref: 00093AAD
  • InterlockedDecrement.KERNEL32(?), ref: 00093ACA
  • _free.LIBCMT ref: 00093ADD
  • InterlockedIncrement.KERNEL32(00E815F8), ref: 00093AF5
Similarity
  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
  • String ID:
  • API String ID: 3470314060-0
  • Opcode ID: 8c1ec00d5bc2345709edbdcb2ea5a953d89454280289ec9ae8055f243faf86e1
  • Instruction ID: 69fa1039ed6952c0ec8f0afaedb485ca900f6091acd192bb4983b6b54b2545ec
  • Opcode Fuzzy Hash: 8c1ec00d5bc2345709edbdcb2ea5a953d89454280289ec9ae8055f243faf86e1
  • Instruction Fuzzy Hash: 61018432A05611ABEF21AF6998467DEB7E0BF04710F04400AE841A72D2CB395B41FFD2
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
			E00094A4C(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x9a2a0, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x9a780 - _t7;
								if(__eflags == 0) {
									_t9 = E0009301D(__eflags);
									 *_t9 = E00092FDB(GetLastError());
									goto L17;
								} else {
									__eflags = E00092FB3(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E0009301D(__eflags);
										 *_t12 = E00092FDB(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00092FB3(_t6, _t30);
						 *((intOrPtr*)(E0009301D(__eflags))) = 0xc;
						goto L12;
					} else {
						E000936D6(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00094936(__edx, __edi, __esi, _a8);
				}
			}

APIs
  • _malloc.LIBCMT ref: 00094A5A
    • Part of subcall function 00094936: __FF_MSGBANNER.LIBCMT ref: 0009494F
    • Part of subcall function 00094936: __NMSG_WRITE.LIBCMT ref: 00094956
    • Part of subcall function 00094936: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00093780,?,00000001,?,?,00092B3F,00000018,00097A30,0000000C,00092BCF), ref: 0009497B
  • _free.LIBCMT ref: 00094A6D
Similarity
  • API ID: AllocateHeap_free_malloc
  • String ID:
  • API String ID: 1020059152-0
  • Opcode ID: 160d49f60a0573b41593bda6d81a2f09625737e2ab868bc5386eaed07dc6ea18
  • Instruction ID: d344757178c79528bfed39b028e2d01b5600b5487787f8f97eec1772f3e5a4f3
  • Opcode Fuzzy Hash: 160d49f60a0573b41593bda6d81a2f09625737e2ab868bc5386eaed07dc6ea18
  • Instruction Fuzzy Hash: 2211EB325845107BCF712F74DC05E9A37D4AF80360F100536F85887292DB358D42BB95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 77%
			E000942E4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x97af0);
				E00092660(__ebx, __edi, __esi);
				_t28 = E00092372(__ebx, _t31);
				_t12 =  *0x99a90; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00092BB4(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00094297(_t29,  *0x99a78);
					 *(_t30 - 4) = 0xfffffffe;
					E00094351();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00092372(_t20, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E000917F3(_t25, _t34);
				}
				return E000926A5(_t29);
			}

APIs
  • __getptd.LIBCMT ref: 000942F0
    • Part of subcall function 00092372: __getptd_noexit.LIBCMT ref: 00092375
    • Part of subcall function 00092372: __amsg_exit.LIBCMT ref: 00092382
  • __getptd.LIBCMT ref: 00094307
  • __amsg_exit.LIBCMT ref: 00094315
  • __lock.LIBCMT ref: 00094325
  • __updatetlocinfoEx_nolock.LIBCMT ref: 00094339
Similarity
  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
  • String ID:
  • API String ID: 938513278-0
  • Opcode ID: 012f10d465506e0013248f77ae0650d0738e006cc75643b26a30180aec6f61f9
  • Instruction ID: 86629f831f5d2b693f666af4527d4db321076e0a02be681966f5d23132c1a6c0
  • Opcode Fuzzy Hash: 012f10d465506e0013248f77ae0650d0738e006cc75643b26a30180aec6f61f9
  • Instruction Fuzzy Hash: D3F09032D05310AAEE21BB789803F8D37E0BF00720F108109F455666D3CB684B42BB56
Uniqueness

Uniqueness Score: -1.00%

APIs
  • DecodePointer.KERNEL32(?,00092FA0,00000000,00000000,00000000,00000000,00000000,000936D1,?,00091872,00000003), ref: 00092F72
  • __invoke_watson.LIBCMT ref: 00092F8E
Strings
Similarity
  • API ID: DecodePointer__invoke_watson
  • String ID: aW`aW`
  • API String ID: 4034010525-35805422
  • Opcode ID: f9f1db970e276fb40bdac492d32b48aa3c0456a5b526c52e44136476c616b219
  • Instruction ID: 1f1265997f94962baf72ec03a4c5017a74adacbbc34ff52bb39ff14b01ed05b6
  • Opcode Fuzzy Hash: f9f1db970e276fb40bdac492d32b48aa3c0456a5b526c52e44136476c616b219
  • Instruction Fuzzy Hash: 7DE0B632104109BBDF012FA19C0A9AA3A6AEF54350B544470BE1480031DA36C870AB91
Uniqueness

Uniqueness Score: -1.00%