
Windows Analysis Report
SaturdayNight.exe

Overview

General Information

Sample name:SaturdayNight.exe
Analysis ID:1431507
MD5:67bce1b3b40e27aea7b0b2c7ad5a689c
SHA1:0c13e6d533c6aca87184b6f0d1fc0e6062094666
SHA256:89e22471cada6ad8f4da2a73ed2bc168314d57606ba7f659384f1781c167cba7
Tags:exe
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Queries the volume information (name, serial number etc) of a device
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Uses 32bit PE files

Classification

  • System is w10x64
  • SaturdayNight.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\SaturdayNight.exe" MD5: 67BCE1B3B40E27AEA7B0B2C7AD5A689C)
    • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • LogonUI.exe (PID: 2088 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3fbe055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • fontdrvhost.exe (PID: 7152 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • LogonUI.exe (PID: 7000 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f48055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 6940 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f57855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 1744 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • fontdrvhost.exe (PID: 6212 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • LogonUI.exe (PID: 6712 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f60855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 6388 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f68055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • fontdrvhost.exe (PID: 6208 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • LogonUI.exe (PID: 2484 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f70055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll
No Snort rule has matched


AV Detection

Source: SaturdayNight.exe | ReversingLabs: Detection: 28%
Source: SaturdayNight.exe | Virustotal: Detection: 9%
Source: SaturdayNight.exe | Joe Sandbox ML: detected
Source: SaturdayNight.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SaturdayNight.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\DEV\source\repos\FIAP\FIAP-2023-Exercicios\Release\SaturdayNight.pdb'' source: SaturdayNight.exe
Source: Binary string: C:\Users\DEV\source\repos\FIAP\FIAP-2023-Exercicios\Release\SaturdayNight.pdb source: SaturdayNight.exe
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.msn.com
Source: C:\Users\user\Desktop\SaturdayNight.exe | Code function: 0_2_005B1B80 ShowWindow,memset,GetCurrentConsoleFontEx,SetCurrentConsoleFontEx,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,_invalid_parameter_noinfo_noreturn,OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,_invalid_parameter_noinfo_noreturn,0_2_005B1B80
Source: C:\Users\user\Desktop\SaturdayNight.exe | Code function: 0_2_005B15B0 0_2_005B15B0
Source: unknown | Driver loaded: C:\Windows\System32\cdd.dll
Source: classification engine | Classification label: mal52.winEXE@12/1@1/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: SaturdayNight.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SaturdayNight.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SaturdayNight.exe "C:\Users\user\Desktop\SaturdayNight.exe"
Source: C:\Users\user\Desktop\SaturdayNight.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3fbe055 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f48055 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f57855 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown | Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f60855 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f68055 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f70055 /state1:0x41c64e6d
Source: C:\Users\user\Desktop\SaturdayNight.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SaturdayNight.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SaturdayNight.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SaturdayNight.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SaturdayNight.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.logon.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wincorlib.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xamlhost.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: windows.ui.xaml.controls.dll
Source: C:\Windows\System32\LogonUI.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\LogonUI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bdc6fc7-83e3-46a4-bfa0-1bc14dbf8b38}\InProcServer32
Source: SaturdayNight.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SaturdayNight.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SaturdayNight.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SaturdayNight.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SaturdayNight.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SaturdayNight.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SaturdayNight.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SaturdayNight.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SaturdayNight.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SaturdayNight.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SaturdayNight.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cdd.dll | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SaturdayNight.exe | Code function: 0_2_005B3499 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_005B3499
Source: C:\Users\user\Desktop\SaturdayNight.exe | Code function: 0_2_005B315E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_005B315E
Source: C:\Users\user\Desktop\SaturdayNight.exe | Code function: 0_2_005B35FE SetUnhandledExceptionFilter,0_2_005B35FE
Source: C:\Users\user\Desktop\SaturdayNight.exe | Code function: 0_2_005B32B5 cpuid 0_2_005B32B5
Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SaturdayNight.exe | Code function: 0_2_005B36E7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_005B36E7
MITRE ATT&CK Matrix (techniques matched in this analysis carry their hit count in parentheses; the remaining cells are the unmatched matrix template):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: LSASS Driver (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Privilege Escalation: Access Token Manipulation (1); LSASS Driver (1); Process Injection (1); DLL Side-Loading (1)
Defense Evasion: Access Token Manipulation (1); Process Injection (1); DLL Side-Loading (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (23); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1431507, Sample: SaturdayNight.exe, Startdate: 25/04/2024, Architecture: WINDOWS, Score: 52): SaturdayNight.exe started and spawned conhost.exe; two LogonUI.exe instances and 13 other processes started; DNS/IP: api.msn.com; signatures: Multi AV Scanner detection for submitted file, Machine Learning detection for sample.

Source | Detection | Scanner | Label
SaturdayNight.exe | 29% | ReversingLabs | Win32.Trojan.Znyonm
SaturdayNight.exe | 10% | Virustotal |
SaturdayNight.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
bg.microsoft.map.fastly.net | 0% | Virustotal |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
api.msn.com | unknown | unknown | false | | high
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1431507
    Start date and time:2024-04-25 11:10:05 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 21s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:36
    Number of new started drivers analysed:5
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Sample name:SaturdayNight.exe
    Detection:MAL
    Classification:mal52.winEXE@12/1@1/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 93%
    • Number of executed functions: 4
    • Number of non-executed functions: 14
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Connection to analysis system has been lost, crash info: Unknown
    • Exclude process from analysis (whitelisted): smss.exe, dwm.exe, csrss.exe, winlogon.exe, SIHClient.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 23.55.253.34, 40.127.169.103, 40.126.29.10, 20.190.157.11, 40.126.29.13, 40.126.29.8, 40.126.29.5, 40.126.29.9, 40.126.29.11, 40.126.29.7, 23.39.7.73, 23.4.36.190, 204.79.197.203, 23.1.33.213, 23.1.33.202, 13.107.22.200, 131.253.33.200, 23.47.204.79, 23.47.204.45
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, p-static.bing.trafficmanager.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, login.live.com, wildcard.weather.microsoft.com.edgekey.net, e16604.g.akamaiedge.net, r.bing.com, www-bing-com.dual-a-0001.a-msedge.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, r.bing.com.edgekey.net, a-0003.a-msedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, dual-a-0001.dc-msedge.net, e1553.dspg.akamaiedge.net, wwwprod.www-bing-com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, api-msn-com.a-0003.a-msedge
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    No simulations
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    bg.microsoft.map.fastly.net | FTG_PD_04024024001.vbs | malicious | FormBook, GuLoader | 199.232.214.172
    bg.microsoft.map.fastly.net | SWIFT.exe | malicious | AgentTesla, PureLog Stealer | 199.232.210.172
    bg.microsoft.map.fastly.net | https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p | malicious | Unknown | 199.232.214.172
    bg.microsoft.map.fastly.net | page97.exe | malicious | LonePage | 199.232.210.172
    bg.microsoft.map.fastly.net | Minutes_of_15th_Session_of_PSC.pdf.exe | malicious | Unknown | 199.232.210.172
    bg.microsoft.map.fastly.net | KMj8h32vWy.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.214.172
    bg.microsoft.map.fastly.net | https://cos-aliyun8789.towqzg.cn/ | malicious | Unknown | 199.232.210.172
    bg.microsoft.map.fastly.net | https://shining-melodic-magnesium.glitch.me/rvicendDev.html | malicious | Unknown | 199.232.210.172
    bg.microsoft.map.fastly.net | https://univ-paris13-4.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139 | malicious | Unknown | 199.232.214.172
    bg.microsoft.map.fastly.net | https://univ-paris13.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139 | malicious | Unknown | 199.232.210.172
    No context
    No context
    No context
    Process:C:\Users\user\Desktop\SaturdayNight.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):13688
    Entropy (8bit):2.3523521088681463
    Encrypted:false
    SSDEEP:96:kv6i/d+OlhdBJg3sQY/6GOeLm1ltB8/NlAENIyRSe/mgvqWRqnSDuk2AcExcLcxJ:kvN/UOqdi6GzLFusv5vqzAYO
    MD5:BA7D42F7DE428972ADD943849A500E34
    SHA1:5F99FC14F57D084AB3FE8D091C8A8D8F440F964F
    SHA-256:9AB2668A2FF776B90436B7E00F581BE9864D8773C36313A7A26BC92CDFC3B07F
    SHA-512:EDDF9E7B0DEA83253CF9A204C0CCB895BB690A0DCE49778937B313DA04C41AA84A4219A62D7C46FB1F88D1B677390176ED7A340477BAACF3CD2CA29FCFFB9602
    Malicious:false
    Preview:....@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%%%*#+**#@@@@@@@@@@@@@@%%%%@%%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%###%%%@%%%%%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@..@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%#%%#%%#**=*+#@@@@@@@@@@@@%%%%@%%%##%%@@@@@@%%%%%%%@@@@@@@@@@@@@%%####%%%@%%%%%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@..@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#%%%@#%%#%#*+-*=%@@@@@@@@@@%%%%%%%####%%%%%%######%%%%%%%%%@@@@@@%%#*##%%%%%%%%#**#%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@..@@@@@@@@@@@@@@@@@@@@@@@@@@%%@@@@@@@@%#@%######%**+=+=%@@@@@@@@%%%%%%######%#***+++++****#####%%%%%%#%#######%%######%%%@@@%@@@@@@@@@@@@@@@@@@@@@@@@@@@..@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%@@@@@@@@%##########**-*-*@@@@@@@%%%%%%#######+ ##***#%%%######%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@..@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%@@@@@@@@@%####*#####**-*=@@@@@@@%%%%%%#####*+= -***###%%######%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@..@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%##*#**##*#+++@@#%@@@@%%@%%%#%%#*+==--::::
    File type:PE32 executable (console) Intel 80386, for MS Windows
    Entropy (8bit):5.380354613992533
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:SaturdayNight.exe
    File size:35'328 bytes
    MD5:67bce1b3b40e27aea7b0b2c7ad5a689c
    SHA1:0c13e6d533c6aca87184b6f0d1fc0e6062094666
    SHA256:89e22471cada6ad8f4da2a73ed2bc168314d57606ba7f659384f1781c167cba7
    SHA512:6ff5396de0eb4e4afb12e2038b2dc8ec2d7f2bfecf6b9d9c298f77a37bfbfdcdda4022f043b76382a1080fdda0b545014da4bda13dd2f8a8fe87070a9706b505
    SSDEEP:384:ZSolOGGxaNS9FpPkFiOxa+yu7A0DQOdDJ5O0jOQGEYgXCAmyYCuq1qRUdnM5BWQK:IqiOxh/DTDDOpTgXXgQW5BW4dc
    TLSH:F1F28F72FB424D6CF614C1BE54EA29B8857E51EB4F62C2B3F38C6D9903ED3C19422259
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..;4..;4..;4..2L#.14...K.."4...K..74...K..>4...K..?4...D..:4...D..24..;4..b4......:4....O.:4......:4..Rich;4.................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x403154
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x650677EC [Sun Sep 17 03:52:12 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:98dff28d0a554cb39bc5fad723cfb9f1
    Instruction (entry point 0x403154, static addresses with ImageBase 0x400000; the indirect calls through 0x404028-0x404044 go through the IAT, which the directory table below places at RVA 0x4000, size 0x160)
    What follows is MSVC CRT boilerplate, not sample logic: the call/jmp pair at 0x403154 is the mainCRTStartup stub; the function at 0x40315e (SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, then TerminateProcess(GetCurrentProcess(), 0xC0000409 = STATUS_STACK_BUFFER_OVERRUN)) is __raise_securityfailure; the function after it is __report_gsfailure, which calls IsProcessorFeaturePresent(0x17 = PF_FASTFAIL_AVAILABLE), executes int 29h with ecx = 2 (FAST_FAIL_STACK_COOKIE_CHECK_FAILURE) where supported, and otherwise saves the register state into the globals at 0x4091a4-0x4091e0 for the exception record. The same code shows up in the execution graph at 0x5b3154/0x5b315e, i.e. the image was relocated (DYNAMIC_BASE) to 0x5b0000 at runtime.
    call 00007FC1545F6B40h
    jmp 00007FC1545F63D9h
    push ebp
    mov ebp, esp
    push 00000000h
    call dword ptr [0040402Ch]
    push dword ptr [ebp+08h]
    call dword ptr [00404028h]
    push C0000409h
    call dword ptr [00404038h]
    push eax
    call dword ptr [00404030h]
    pop ebp
    ret
    push ebp
    mov ebp, esp
    sub esp, 00000324h
    push 00000017h
    call dword ptr [00404044h]
    test eax, eax
    je 00007FC1545F6567h
    push 00000002h
    pop ecx
    int 29h
    mov dword ptr [004091C8h], eax
    mov dword ptr [004091C4h], ecx
    mov dword ptr [004091C0h], edx
    mov dword ptr [004091BCh], ebx
    mov dword ptr [004091B8h], esi
    mov dword ptr [004091B4h], edi
    mov word ptr [004091E0h], ss
    mov word ptr [004091D4h], cs
    mov word ptr [004091B0h], ds
    mov word ptr [004091ACh], es
    mov word ptr [004091A8h], fs
    mov word ptr [004091A4h], gs
    pushfd
    pop dword ptr [004091D8h]
    mov eax, dword ptr [ebp+00h]
    mov dword ptr [004091CCh], eax
    mov eax, dword ptr [ebp+04h]
    mov dword ptr [004091D0h], eax
    lea eax, dword ptr [ebp+08h]
    mov dword ptr [004091DCh], eax
    mov eax, dword ptr [ebp-00000324h]
    mov dword ptr [00409118h], 00010001h
    Programming Language:
    • [IMP] VS2008 SP1 build 30729
    The [IMP] tag marks this as a guess derived from the import hash, and it conflicts with the imports themselves: MSVCP140.dll, VCRUNTIME140.dll and the api-ms-win-crt-* Universal CRT api-sets belong to the Visual Studio 2015 and later (v140+) runtime, and the link timestamp is September 2023. Treat the VS2008 attribution as wrong and the toolchain as VS2015 or newer.
    Name                                  Virtual Address  Virtual Size  Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IMPORT          0x8244           0xf0          .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa000           0x1e0         .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb000           0x3a4         .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG           0x79a0           0x70          .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x78e0           0x40          .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IAT             0x4000           0x160         .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
    Notes: the empty SECURITY directory matches "Digitally signed: false"; the empty COM_DESCRIPTOR confirms native code rather than .NET; TLS and DELAY_IMPORT are empty, so there are no TLS callbacks and no delay-loaded DLLs that could hide imports from the table below; the IAT at RVA 0x4000 is the target of the indirect calls in the entry-point disassembly.
    Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
    .text   0x1000           0x2e67        0x3000    97e2739f30605ea640043d201c2135f1  False     0.57763671875        data       6.352534657414724   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata  0x4000           0x4cb6        0x4e00    b84470cc23d6b55e09b97e3f25d8f49e  False     0.28630809294871795  data       3.881810892385155   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data   0x9000           0x448         0x200     2b74e32789c0fcfbe56806b059435b38  False     0.20703125           data       1.799784447615981   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc   0xa000           0x1e0         0x200     101f04294dcfeea9dfe10d3c920461d9  False     0.529296875          data       4.701503258251789   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc  0xb000           0x3a4         0x400     a155238d44033b143897e4063a094c71  False     0.8427734375         data       6.1513713381822175  IMAGE_SCN_CNT_DISCARDABLE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Notes: no section is both writable and executable, and the only writable section (.data) is 0x448 bytes; the .text entropy of 6.35 and the file-level 5.38 are normal for unpacked compiler output, so there is no indication of a packer or of encrypted code to unpack at runtime (the execution graph also reports 0% dynamic/decrypted code coverage). Runtime addresses in the graphs below (0x5b1xxx-0x5b3xxx) map into .text after subtracting the 0x5b0000 load base.
    Name         RVA     Size   Type                                                      Language  Country        ZLIB Complexity
    RT_MANIFEST  0xa060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727
    DLL                               Imports
    KERNEL32.dll                      CreateFileW, CloseHandle, GetCurrentConsoleFontEx, GetConsoleWindow, SetCurrentConsoleFontEx, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetStdHandle, GetCurrentProcess, IsDebuggerPresent, ReadFile, IsProcessorFeaturePresent, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, InitializeSListHead, GetModuleHandleW
    USER32.dll                        ShowWindow, ExitWindowsEx
    ADVAPI32.dll                      AdjustTokenPrivileges, OpenProcessToken, LookupPrivilegeValueW
    SHELL32.dll                       SHGetKnownFolderPath
    MSVCP140.dll                      _Xtime_get_ticks, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?good@ios_base@std@@QBE_NXZ, _Thrd_sleep, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, _Query_perf_frequency, _Query_perf_counter, ?_Xlength_error@std@@YAXPBD@Z
    VCRUNTIME140.dll                  _except_handler4_common, memset, __current_exception_context, memmove, memcpy, _CxxThrowException, __std_terminate, __std_exception_copy, __std_exception_destroy, __CxxFrameHandler3, __current_exception
    api-ms-win-crt-runtime-l1-1-0.dll __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _exit, _configure_narrow_argv, terminate, _controlfp_s, _initialize_narrow_environment, exit, __p___argc, _initialize_onexit_table, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _invalid_parameter_noinfo_noreturn
    api-ms-win-crt-heap-l1-1-0.dll    _callnewh, free, _set_new_mode, malloc
    api-ms-win-crt-math-l1-1-0.dll    __setusermatherr
    api-ms-win-crt-stdio-l1-1-0.dll   _set_fmode, __p__commode
    api-ms-win-crt-locale-l1-1-0.dll  _configthreadlocale
    Imports worth isolating for triage: ADVAPI32 OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges together with USER32 ExitWindowsEx are the enable-SeShutdownPrivilege-then-shut-down pattern; SHELL32 SHGetKnownFolderPath with KERNEL32 CreateFileW, ReadFile and CloseHandle is a single file read from a known folder; GetConsoleWindow, ShowWindow and Get/SetCurrentConsoleFontEx are console cosmetics; _Thrd_sleep, _Query_perf_counter and _Xtime_get_ticks are the std::chrono/sleep machinery; everything else is CRT and iostream support. IsDebuggerPresent is imported once but is used both by the CRT fast-fail path and by the sample's own code (see the execution graph). There is no networking import at all (no WS2_32, WININET or WINHTTP), and the directory table shows no delay-load entry that could supply one.
    Language of compilation system  Country where language is spoken
    English                         United States
    Packets
    Timestamp                             Source Port  Dest Port  Source IP    Dest IP
    Apr 25, 2024 11:11:15.389647007 CEST  53126        53         192.168.2.4  1.1.1.1

    DNS queries
    Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
    Apr 25, 2024 11:11:15.389647007 CEST  192.168.2.4  1.1.1.1  0x310d    Standard query (0)  api.msn.com  A (IP address)  IN (0x0001)  false

    DNS answers
    Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                         CName                            Address          Type                    Class        DNS over HTTPS
    Apr 25, 2024 11:11:12.903764009 CEST  1.1.1.1    192.168.2.4  0x4958    No error (0)  bg.microsoft.map.fastly.net  -                                199.232.210.172  A (IP address)          IN (0x0001)  false
    Apr 25, 2024 11:11:12.903764009 CEST  1.1.1.1    192.168.2.4  0x4958    No error (0)  bg.microsoft.map.fastly.net  -                                199.232.214.172  A (IP address)          IN (0x0001)  false
    Apr 25, 2024 11:11:15.499376059 CEST  1.1.1.1    192.168.2.4  0x310d    No error (0)  api.msn.com                  api-msn-com.a-0003.a-msedge.net  -                CNAME (Canonical name)  IN (0x0001)  false
    None of this traffic is attributable to the sample: its import table contains no networking DLL and no delay-load directory, both names are Microsoft service endpoints, and the 0x4958 answer has no matching query in the list above. Treat it as background traffic of the analysis VM, not as command-and-control.


    Target ID:0
    Start time:11:10:51
    Start date:25/04/2024
    Path:C:\Users\user\Desktop\SaturdayNight.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\SaturdayNight.exe"
    Imagebase:0x5b0000
    File size:35'328 bytes
    MD5 hash:67BCE1B3B40E27AEA7B0B2C7AD5A689C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:1
    Start time:11:10:52
    Start date:25/04/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:11:10:55
    Start date:25/04/2024
    Path:C:\Windows\System32\LogonUI.exe
    Wow64 process (32bit):false
    Commandline:"LogonUI.exe" /flags:0x4 /state0:0xa3fbe055 /state1:0x41c64e6d
    Imagebase:0x7ff75ff10000
    File size:13'824 bytes
    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:7
    Start time:11:10:56
    Start date:25/04/2024
    Path:C:\Windows\System32\cdd.dll
    Wow64 process (32bit):false
    Commandline:
    Imagebase:0x7ff7714f0000
    File size:267'264 bytes
    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:8
    Start time:11:10:56
    Start date:25/04/2024
    Path:C:\Windows\System32\fontdrvhost.exe
    Wow64 process (32bit):false
    Commandline:"fontdrvhost.exe"
    Imagebase:0x7ff72c440000
    File size:827'408 bytes
    MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:9
    Start time:11:10:56
    Start date:25/04/2024
    Path:C:\Windows\System32\LogonUI.exe
    Wow64 process (32bit):false
    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f48055 /state1:0x41c64e6d
    Imagebase:0x7ff75ff10000
    File size:13'824 bytes
    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:14
    Start time:11:11:06
    Start date:25/04/2024
    Path:C:\Windows\System32\cdd.dll
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:267'264 bytes
    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:15
    Start time:11:11:06
    Start date:25/04/2024
    Path:C:\Windows\System32\LogonUI.exe
    Wow64 process (32bit):true
    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f57855 /state1:0x41c64e6d
    Imagebase:0x1d0000
    File size:13'824 bytes
    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:16
    Start time:11:11:06
    Start date:25/04/2024
    Path:C:\Windows\System32\fontdrvhost.exe
    Wow64 process (32bit):false
    Commandline:"fontdrvhost.exe"
    Imagebase:0x7ff72c440000
    File size:827'408 bytes
    MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:24
    Start time:11:11:07
    Start date:25/04/2024
    Path:C:\Windows\System32\cdd.dll
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:267'264 bytes
    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:25
    Start time:11:11:07
    Start date:25/04/2024
    Path:C:\Windows\System32\fontdrvhost.exe
    Wow64 process (32bit):false
    Commandline:"fontdrvhost.exe"
    Imagebase:0x7ff72c440000
    File size:827'408 bytes
    MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:26
    Start time:11:11:07
    Start date:25/04/2024
    Path:C:\Windows\System32\LogonUI.exe
    Wow64 process (32bit):false
    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f60855 /state1:0x41c64e6d
    Imagebase:0x7ff75ff10000
    File size:13'824 bytes
    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:31
    Start time:11:11:09
    Start date:25/04/2024
    Path:C:\Windows\System32\cdd.dll
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:267'264 bytes
    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:32
    Start time:11:11:09
    Start date:25/04/2024
    Path:C:\Windows\System32\LogonUI.exe
    Wow64 process (32bit):false
    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f68055 /state1:0x41c64e6d
    Imagebase:0x7ff75ff10000
    File size:13'824 bytes
    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:34
    Start time:11:11:09
    Start date:25/04/2024
    Path:C:\Windows\System32\fontdrvhost.exe
    Wow64 process (32bit):false
    Commandline:"fontdrvhost.exe"
    Imagebase:0x7ff72c440000
    File size:827'408 bytes
    MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:39
    Start time:11:11:11
    Start date:25/04/2024
    Path:C:\Windows\System32\cdd.dll
    Wow64 process (32bit):
    Commandline:
    Imagebase:
    File size:267'264 bytes
    MD5 hash:9B684213A399B4E286982BDAD6CF3D07
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Has exited:false

    Target ID:40
    Start time:11:11:11
    Start date:25/04/2024
    Path:C:\Windows\System32\LogonUI.exe
    Wow64 process (32bit):false
    Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f70055 /state1:0x41c64e6d
    Imagebase:0x7ff6ec4b0000
    File size:13'824 bytes
    MD5 hash:893144FE49AA16124B5BD3034E79BBC6
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true


      Execution Graph

      Execution Coverage:13.6%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:24.4%
      Total number of Nodes:320
      Total number of Limit Nodes:6
      execution_graph (summarized from the node list; runtime addresses in the image loaded at 0x5b0000, so static VA = address - 0x1b0000)

      CRT start-up and exit (not sample logic): 5b2fd2 -> 5b2d01 (5b32b5 IsProcessorFeaturePresent) -> 5b300f _initterm_e, _initterm -> 5b305c -> 5b30a8 _register_thread_local_exe_atexit_callback -> 5b30b0 _get_initial_narrow_environment, __p___argv, __p___argc -> 5b1b80 (main); on return 5b35bc GetModuleHandleW -> 5b30d6 -> exit/_exit or _cexit. 5b2f0d _set_app_type -> 5b377f -> _set_fmode -> 5b35b9 -> __p__commode -> 5b2d3a (_initialize_onexit_table) -> __RTC_Initialize -> 5b2ec7 (_crt_atexit / _register_onexit_function) -> _configure_narrow_argv -> 5b3785 InitializeSListHead -> __setusermatherr -> 5b3794 _controlfp_s -> _configthreadlocale -> _initialize_narrow_environment. 5b3154 (the entry point) -> 5b3734 -> 5b36e7 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (security-cookie seed). 5b3499 -> 5b34bb memset, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (the CRT fast-fail path; one of the two IsDebuggerPresent users). 5b2c4d (security-cookie check) -> 5b2c56 IsProcessorFeaturePresent -> 5b319b -> 5b315e SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess. 5b360a __current_exception, __current_exception_context, terminate. 5b310d GetModuleHandleW, _c_exit, _exit. 5b2fc0 -> 5b35fe SetUnhandledExceptionFilter, _set_new_mode. 5b1000 GetStdHandle. 5b30f9 _seh_filter_exe. 5b36b5 -> 5b391a _except_handler4_common. Static initializers 5b104a and 5b102a -> 5b2090 -> 5b2ec7. Exception-object helpers 5b1060 __std_exception_copy and 5b10a0/5b10e0 __std_exception_destroy; 5b2497 and 5b24b1 ?setstate@, ?uncaught_exception@, ?_Osfx@ (ostream sentry clean-up); 5b3c38 and 5b3be8 -> 5b2c4d; 5b1f80 and 5b3db0 contain only _invalid_parameter_noinfo_noreturn-guarded paths.

      Sample logic, main = 5b1b80: ShowWindow -> 5b2c5b (operator new: malloc, _callnewh; on failure 5b1120 Concurrency::cancel_current_task / 5b32a6 _CxxThrowException, __std_exception_copy) -> 5b1bc3 memset, GetCurrentConsoleFontEx, SetCurrentConsoleFontEx -> 5b22f0 (std::ostream output: ?good@ios_base, ?flush@, ?sputn@, ?setstate@, ?uncaught_exception@, ?_Osfx@) -> 5b1c10, which branches:
      (a) 5b1c16 -> 5b1b50 -> 5b21a0 (timed delay: loop over 5b11d0 _Query_perf_frequency, _Query_perf_counter and 5b223c _Xtime_get_ticks) -> 5b2c4d -> 5b1b70 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx -> 5b1f4e.
      (b) 5b1c74 -> 5b1280 IsDebuggerPresent (the sample's own check, distinct from the CRT one above; branch 5b1293 runs the 5b21a0 delay loop first, branch 5b12aa does not) -> 5b2090 (std::string build: memmove, 5b2c5b, 5b11c0 ?_Xlength_error@std@, _invalid_parameter_noinfo_noreturn) -> 5b1c84 -> 5b1280 again -> 5b1c90 -> 5b1cf0 -> 5b15b0: SHGetKnownFolderPath, path assembly (memmove, 5b2820, 5b26e0, 5b11c0, 5b1120), 5b1838 CreateFileW -> 5b18e3 ReadFile, CloseHandle -> 5b1920 -> 5b12b0 (5b2c5b, memset, 5b26e0) and 5b14c0 (5b2090, 5b26e0) -> 5b1880/5b18bc -> 5b2c4d -> 5b18df; from there either 5b1e30 -> 5b22f0 and 5b2a60 (more ostream output) -> 5b1dff, or 5b1d9b -> 5b1b50 (delay) -> 5b1da0 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx -> 5b1dff. 5b1c90, 5b1cf0 and 5b1dff can also reach 5b1e21 -> 5b1ed9, a third identical five-call shutdown sequence -> 5b1f2b (5b1f48 _invalid_parameter_noinfo_noreturn on its error path) -> 5b1f4e.
      Exit: 5b1f4e -> 5b2c4d (security-cookie check) -> 5b1f72 -> 5b35bc GetModuleHandleW.
      Every path through main that does not end in output ends in the same five-call shutdown sequence (three call sites: 5b1b70, 5b1da0, 5b1ed9), each preceded by the 5b1b50 delay.

      Callgraph

      callgraph (summarized from the node list; edges are caller -> callee, node names are static VAs)
      Function_005B2FD2 (CRT main) -> 005B2E55, 005B2E72, 005B3670, 005B2D01, 005B2CCF, 005B2DC1, 005B37F0, 005B37EA, 005B3499, 005B1B80, 005B35BC
      Function_005B2F0D (CRT initialization) -> 005B377F, 005B2D3A, 005B37DE, 005B37C1, 005B2EC7, 005B37F6, 005B36E4, 005B3499, 005B3791, 005B3794, 005B3489, 005B3785, 005B35B9, 005B35B4
      Function_005B1B80 (main) -> 005B2C5B, 005B1B50, 005B2C4D, 005B2A60, 005B2EDC, 005B22F0, 005B2090, 005B1280, 005B15B0
      Function_005B15B0 (known-folder path and file read) -> 005B2C5B, 005B2C4D, 005B2510, 005B1120, 005B2820, 005B2EDC, 005B11C0, 005B14C0, 005B2090, 005B12B0
      Function_005B1B50 -> 005B21A0; Function_005B1280 -> 005B21A0; Function_005B21A0 (delay loop) -> 005B2C4D, 005B3B30, 005B11D0, 005B39A0; Function_005B11D0 and Function_005B11C0 -> 005B3A50, 005B3B30, 005B39A0
      Function_005B2090 -> 005B2C5B, 005B1120, 005B11C0; Function_005B2820, Function_005B26E0 -> 005B2C5B, 005B1120, 005B2EDC, 005B11C0; Function_005B14C0 -> 005B2EDC, 005B26E0, 005B2090; Function_005B12B0 -> 005B2C5B, 005B2C4D, 005B2EDC, 005B26E0
      Function_005B2C5B -> 005B1100, 005B3280; Function_005B1120 -> 005B1100; Function_005B2C4D -> 005B315E; Function_005B3499 -> 005B3660; Function_005B2EC7 -> 005B2E9A; Function_005B3154 -> 005B3734 -> 005B36E7; Function_005B2FC0 -> 005B35FE, 005B35B9; Function_005B310D -> 005B35BC; Function_005B36B5 -> 005B391A; Function_005B104A and Function_005B102A -> 005B2EC7, 005B2090
      The remaining nodes (005B3C10-005B3D87 exception-handler stubs -> 005B2C4D; 005B2E26, 005B2E39, 005B2E72 -> 005B3791, 005B2D3A -> 005B3499/005B348D, 005B3794 -> 005B3499, 005B37C1 -> 005B37BB/005B37B5, 005B2DC1 -> 005B3670/005B2C8B, 005B2CCF -> 005B348D, 005B3E10/005B2EEA/005B1F80/005B3DB0/005B10A0 -> 005B2EDC, 005B10E0, 005B1060, 005B1090, 005B1180, 005B2497, 005B24B1, 005B2A10, 005B3822, 005B3B84, 005B3BC0, 005B3BD9, 005B3CB0, 005B3CB8, 005B3CF0, 005B3CF8, 005B3C60-005B3C73, 005B3D70, 005B3D78, 005B1000, 005B30F9, 005B360A) are CRT security-cookie, atexit, iostream sentry and C++ exception-handling helpers with no sample-specific API calls.

      Control-flow Graph

      control_flow_graph of main (5b1b80), summarized from the basic-block list (runtime addresses, load base 0x5b0000)
      5b1b80-5b1c14: ShowWindow, call 5b2c5b (operator new), memset, GetCurrentConsoleFontEx, SetCurrentConsoleFontEx, call 5b22f0 (ostream output); branches to 5b1c16 or 5b1c74.
      5b1c16-5b1c6f: call 5b1b50 (delay), then GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx; continues to the epilogue 5b1f5a-5b1f75 (call 5b2c4d, the security-cookie check).
      5b1c74-5b1ca5: call 5b1280 (IsDebuggerPresent), call 5b2090 (string build), call 5b1280; then the byte-compare loop 5b1cab-5b1cfd (blocks 5b1cab, 5b1cb5, 5b1cbb, 5b1cc6, 5b1ccb, 5b1cd1, 5b1cd6, 5b1cde, 5b1ce3, 5b1ceb, 5b1cf0, 5b1cf8, 5b1cff; the "/get_f" string is referenced at 5b1cab) ending at 5b1d01-5b1d03, which goes either to 5b1ece (shutdown) or to 5b1d09-5b1d3c (call 5b15b0: SHGetKnownFolderPath, CreateFileW, ReadFile).
      After 5b15b0: a second compare loop 5b1d42-5b1d95 (blocks 5b1d42, 5b1d47, 5b1d4d, 5b1d58, 5b1d5d, 5b1d63, 5b1d68, 5b1d70, 5b1d75, 5b1d7d, 5b1d82, 5b1d8a, 5b1d91, 5b1d93), then either 5b1d9b-5b1df9 (call 5b1b50, then the same five-call shutdown sequence) or 5b1e30-5b1e5e (call 5b22f0, call 5b2a60: ostream output).
      5b1d9b-5b1df9 continues to 5b1ed4, or to 5b1dff-5b1e0b -> 5b1e0d-5b1e1b / 5b1e21-5b1e2b (call 5b2edc) -> 5b1ed4.
      5b1ece / 5b1ed4-5b1f29: call 5b1b50 (delay), then the third GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx sequence; then 5b1f58 directly, or 5b1f2b-5b1f36 -> 5b1f38-5b1f46 -> 5b1f4e-5b1f55 (call 5b2edc) -> 5b1f58 -> epilogue.
      5b1e30-5b1e5e continues through the clean-up blocks 5b1e60-5b1e6c, 5b1e6e-5b1e7c, 5b1e7e-5b1e85 (call 5b2edc), 5b1e88-5b1e9d, 5b1ea3-5b1eae and 5b1eb4-5b1ec2 to 5b1f4e-5b1f55 or 5b1f58.
      Bounds-check failures in the string code go to _invalid_parameter_noinfo_noreturn stubs at 5b1ec8 (which continues to 5b1ece, i.e. into the shutdown) and 5b1f48 (which continues to 5b1f4e).
      APIs
      • ShowWindow.USER32(00000003,FFDC9AE9), ref: 005B1BB6
        • Part of subcall function 005B2C5B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B1351,00000400,FFDC9AE9), ref: 005B2C70
      • memset.VCRUNTIME140(00000004,00000000,00000050,00000054), ref: 005B1BCD
      • GetCurrentConsoleFontEx.KERNELBASE(00000000,00000000), ref: 005B1BE4
      • SetCurrentConsoleFontEx.KERNELBASE(00000000,00000000), ref: 005B1BFA
        • Part of subcall function 005B22F0: ?good@ios_base@std@@QBE_NXZ.MSVCP140(FFDC9AE9,?,00000000,?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B2390
        • Part of subcall function 005B22F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B23AB
        • Part of subcall function 005B22F0: ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B23B8
        • Part of subcall function 005B22F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B24C8
        • Part of subcall function 005B22F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B24CE
        • Part of subcall function 005B22F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B24DD
      • GetCurrentProcess.KERNEL32(00000028,?), ref: 005B1C21
      • OpenProcessToken.ADVAPI32(00000000), ref: 005B1C28
      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 005B1C39
      • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 005B1C5C
      • ExitWindowsEx.USER32(0000000C,00000000), ref: 005B1C66
      • GetCurrentProcess.KERNEL32(00000028,?,?), ref: 005B1DA6
      Strings
      • /get_f, xrefs: 005B1CAB
      • SeShutdownPrivilege, xrefs: 005B1C32, 005B1DB9, 005B1EEC
      • hIl, xrefs: 005B1C00, 005B1E30
      • @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%%%*#+**#@@@@@@@@@@@@@@%%%%@%%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%###%%%@%%%%%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%#%%#%%#**=*+#@@@@@@@@@@@@%%%%@%%%##%%@@@@@@%%%%%%%@@@@@@@@@@@@@%%####%, xrefs: 005B1C06
      • , xrefs: 005B1E36
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: Current$D@std@@@std@@ProcessU?$char_traits@$?good@ios_base@std@@ConsoleFontToken$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exception@std@@AdjustExitLookupOpenOsfx@?$basic_ostream@PrivilegePrivilegesShowV12@ValueWindowWindowsmallocmemset
      • String ID: $@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%%%*#+**#@@@@@@@@@@@@@@%%%%@%%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%###%%%@%%%%%%%%%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%#%%#%%#**=*+#@@@@@@@@@@@@%%%%@%%%##%%@@@@@@%%%%%%%@@@@@@@@@@@@@%%####%$/get_f$SeShutdownPrivilege$hIl
      • API String ID: 4177092641-364595043
      • Opcode ID: 2b50ab4b8aa64ea148599dbf03f63239ead78eada501b76446fa90b8b353c769
      • Instruction ID: 0592c4af030366c242c690e2c0b7b9ac1bd572ac873a7e3f857ab352a2956c09
      • Opcode Fuzzy Hash: 2b50ab4b8aa64ea148599dbf03f63239ead78eada501b76446fa90b8b353c769
      • Instruction Fuzzy Hash: B9B103326005089FDB649BA4CC69BFDBF75FB05310FA40354EA55AA2D2C730BD49CB68
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph of the function at 005B22F0 (rendered graph not reproduced; its blocks call the MSVCP140 ostream routines flush, sputc, sputn, setstate, uncaught_exception and _Osfx listed below)
      APIs
      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(FFDC9AE9,?,00000000,?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B2390
      • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B23AB
      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B23B8
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B240E
      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B2437
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B2481
      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B24C8
      • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B24CE
      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,?,?,?,?,00000000,005B3D05,000000FF), ref: 005B24DD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
      • String ID: HlPl0Wl
      • API String ID: 3274656010-3215543413
      • Opcode ID: e8558c9c1f6012cd3247cdc278da0d848aa72476452934a06c5e20c5a46638cf
      • Instruction ID: 3c79f9c510b2b4d35f550e36f6dbb060411931f473faf1aa80c3d6f331636616
      • Opcode Fuzzy Hash: e8558c9c1f6012cd3247cdc278da0d848aa72476452934a06c5e20c5a46638cf
      • Instruction Fuzzy Hash: AC718C35A006048FCF24CF58D998BA9BFB1BF49314F158698D916AB7A2CB35AC05CB61
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph of the function at 005B21A0 (rendered graph not reproduced; its blocks call _Xtime_get_ticks and the subroutines at 005B11D0, 005B3B30, 005B3B70, 005B39A0 and 005B2C4D)
      APIs
        • Part of subcall function 005B11D0: _Query_perf_frequency.MSVCP140(?,00000000,?), ref: 005B11DE
        • Part of subcall function 005B11D0: _Query_perf_counter.MSVCP140 ref: 005B11E9
      • _Xtime_get_ticks.MSVCP140 ref: 005B223C
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B22AD
      • _Thrd_sleep.MSVCP140(?,00000000,?,3B9ACA00,00000000,00000000,?,00000064,00000000), ref: 005B22C7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: Query_perf_counterQuery_perf_frequencyThrd_sleepUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
      • String ID: 0Wl
      • API String ID: 957792454-1794809872
      • Opcode ID: 435f487b0bd5a2b71277857cca6bc5c4141aa16e32918151a2537c29e873e9a0
      • Instruction ID: ee4bb9edba178d1a371602d64328b3dc41f12c6ba96f06a36c357ca9ac748014
      • Opcode Fuzzy Hash: 435f487b0bd5a2b71277857cca6bc5c4141aa16e32918151a2537c29e873e9a0
      • Instruction Fuzzy Hash: 2C416175E002199BCB14DFA9D8956EEFBB4BB88350F15422AE926F7381D6707D048FA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph of the function at 005B310D (rendered graph not reproduced; its blocks call the subroutine at 005B35BC, _c_exit and _exit)
      APIs
        • Part of subcall function 005B35BC: GetModuleHandleW.KERNEL32(00000000,005B30D6), ref: 005B35BE
      • _c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B311F
      • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,005B8198,00000014), ref: 005B314E
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: HandleModule_c_exit_exit
      • String ID:
      • API String ID: 750871209-0
      • Opcode ID: e9fa94c375ffde0c17db606f38cd79c9a31fa569d46af263a41f68108dba0375
      • Instruction ID: 59dba031a7cd5156e053ee4fa5d0d0873c4965b27bf26ad6de8ec560801da23d
      • Opcode Fuzzy Hash: e9fa94c375ffde0c17db606f38cd79c9a31fa569d46af263a41f68108dba0375
      • Instruction Fuzzy Hash: 2BE04672E0464A8FCF20AB98D8063DCBBB2FB80324F104569E81132292DB356A008A91
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph of the function at 005B15B0 (rendered graph not reproduced; its blocks call SHGetKnownFolderPath, memmove, CreateFileW, ReadFile, CloseHandle, _invalid_parameter_noinfo_noreturn and the subroutines at 005B2C5B, 005B2820, 005B2090, 005B2EDC, 005B2C4D, 005B12B0, 005B2510, 005B14C0, 005B11C0 and 005B1120)
      APIs
      • SHGetKnownFolderPath.SHELL32(005B41B0,00000000,00000000,?,FFDC9AE9), ref: 005B15F8
      • memmove.VCRUNTIME140(?,?,?), ref: 005B1670
      • memmove.VCRUNTIME140(00000000,?,?), ref: 005B171F
      • memmove.VCRUNTIME140(0000000A,\paif.galf,00000014), ref: 005B177F
      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(0000000A,00000000,00000000,0000000A), ref: 005B1828
      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000000A,00000000,00000000,0000000A), ref: 005B1873
      • ReadFile.KERNEL32(00000000,?,0000001D,?,00000000), ref: 005B1907
      • CloseHandle.KERNEL32(00000000), ref: 005B190E
        • Part of subcall function 005B2C5B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B1351,00000400,FFDC9AE9), ref: 005B2C70
      • memmove.VCRUNTIME140(00000000,?,00000001), ref: 005B1A58
      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(FIAP), ref: 005B1B33
      • Concurrency::cancel_current_task.LIBCPMT ref: 005B1B43
        • Part of subcall function 005B2C5B: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B1351,00000400,FFDC9AE9), ref: 005B2C63
        • Part of subcall function 005B2C5B: _CxxThrowException.VCRUNTIME140(FFDC9AE9,005B81B4,FFDC9AE9), ref: 005B32AF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: memmove$File_invalid_parameter_noinfo_noreturn$CloseConcurrency::cancel_current_taskCreateExceptionFolderHandleKnownPathReadThrow_callnewhmalloc
      • String ID: FIAP$\paif.galf
      • API String ID: 1447041684-3386750439
      • Opcode ID: 8651321ce510ca7816869c21e6a5435b2f133226fdabe7b7a4ad636150d0d0c6
      • Instruction ID: cf38daf12d16003aec795acc9523b3fb4be045d392b8419bb5b57fc90d136319
      • Opcode Fuzzy Hash: 8651321ce510ca7816869c21e6a5435b2f133226fdabe7b7a4ad636150d0d0c6
      • Instruction Fuzzy Hash: 0EF1E131D006198FDB24DF68CC697EDBBB5FF55300F644299E41AA7291EB30BA84CB94
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005B34A5
      • memset.VCRUNTIME140(?,00000000,00000003), ref: 005B34CB
      • memset.VCRUNTIME140(?,00000000,00000050), ref: 005B3555
      • IsDebuggerPresent.KERNEL32 ref: 005B3571
      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005B3591
      • UnhandledExceptionFilter.KERNEL32(?), ref: 005B359B
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
      • String ID:
      • API String ID: 1045392073-0
      • Opcode ID: 765ee5aefbbd4b84b632d7684b71d3a90ec9c576748325fadbebb54a367bb421
      • Instruction ID: ea481cc1d04b762dc7ae2e80971590fc3e25316c77afc9de6a865cd5e09f8728
      • Opcode Fuzzy Hash: 765ee5aefbbd4b84b632d7684b71d3a90ec9c576748325fadbebb54a367bb421
      • Instruction Fuzzy Hash: CD310D75D0521D9BDF61DF64D9497CCBBB8BF08300F1041A9E509AB250E7716B889F45
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005B32CB
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: FeaturePresentProcessor
      • String ID:
      • API String ID: 2325560087-0
      • Opcode ID: 02b4382b472717a5a3167d87f624de137d8a240172aaa5b6095962354689bd90
      • Instruction ID: 5d89c860f4df177c70a2a99a8ab7c1ab9a03f3990a030f41c0dfb898b78c7393
      • Opcode Fuzzy Hash: 02b4382b472717a5a3167d87f624de137d8a240172aaa5b6095962354689bd90
      • Instruction Fuzzy Hash: 1E518E71A01619CBEB55CF59D8997EABBF0FB58310F24892EC501EB290D774BA04CF60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetUnhandledExceptionFilter.KERNEL32(Function_0000360A,005B2FC5), ref: 005B3603
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID:
      • API String ID: 3192549508-0
      • Opcode ID: b4cdf46b1778e196937aa22004c90ceb3a1cc2b7531f750907a3b429bc86823a
      • Instruction ID: dd65fabd6557e650bea060ed735aab60590e4db498f119aa2f7a195b56f9e457
      • Opcode Fuzzy Hash: b4cdf46b1778e196937aa22004c90ceb3a1cc2b7531f750907a3b429bc86823a
      • Instruction Fuzzy Hash:
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph of the function at 005B2A60 (rendered graph not reproduced; its blocks call the MSVCP140 ostream routines flush, sputc, sputn, setstate, uncaught_exception and _Osfx listed below)
      APIs
      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(FFDC9AE9,?,?,?,00000000,005B3D85,000000FF,?,005B1E55,?), ref: 005B2AD8
      • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,005B1E55,?), ref: 005B2AF3
      • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,005B1E55,?), ref: 005B2B00
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,005B1E55,?), ref: 005B2B57
      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,005B1E55,?), ref: 005B2B80
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,005B1E55,?), ref: 005B2BA7
      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,005B1E55,?), ref: 005B2C00
      • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,005B1E55,?), ref: 005B2C06
      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,005B1E55,?), ref: 005B2C15
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
      • String ID: HlPl0Wl
      • API String ID: 3274656010-3215543413
      • Opcode ID: 6636981ee963c887fb15be93e8900dde4bee989a99486430a7bb9cb1fa424d61
      • Instruction ID: 27d6ce1b81986968c3e86dbd1a6c06a8cf1ff8baaa0dcda9d1c1501abc472e5e
      • Opcode Fuzzy Hash: 6636981ee963c887fb15be93e8900dde4bee989a99486430a7bb9cb1fa424d61
      • Instruction Fuzzy Hash: 09516A34605205DFCB25CF58C588BA9BFB1FF08304F258198E9169B762CB31ED01DBA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph of the function at 005B2820 (rendered graph not reproduced; its blocks call memmove, _invalid_parameter_noinfo_noreturn, uncaught_exception, _Osfx and the subroutines at 005B11C0, 005B1120, 005B2C5B and 005B2EDC)
      APIs
      • memmove.VCRUNTIME140(00000000,7FFFFFFE,7FFFFFFE,?,00000000,?), ref: 005B2907
      • memmove.VCRUNTIME140(?,\paif.galf,?,00000000,7FFFFFFE,7FFFFFFE,?,00000000,?), ref: 005B2917
      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?), ref: 005B2962
      • memmove.VCRUNTIME140(00000000,?,7FFFFFFE,?,00000000,?), ref: 005B296A
      • memmove.VCRUNTIME140(?,\paif.galf,7FFFFFFE,00000000,?,7FFFFFFE,?,00000000,?), ref: 005B2978
        • Part of subcall function 005B2C5B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B1351,00000400,FFDC9AE9), ref: 005B2C70
      • Concurrency::cancel_current_task.LIBCPMT ref: 005B2995
        • Part of subcall function 005B1120: _CxxThrowException.VCRUNTIME140(?,005B8218), ref: 005B1137
        • Part of subcall function 005B1120: __std_exception_copy.VCRUNTIME140(?,?,?,?,?,005B8218), ref: 005B115E
      • ?uncaught_exception@std@@YA_NXZ.MSVCP140(FFDC9AE9,00000000,00000000,005B3D30,000000FF,?,00000000,?), ref: 005B29C5
      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,00000000,?), ref: 005B29D1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: memmove$?uncaught_exception@std@@Concurrency::cancel_current_taskD@std@@@std@@ExceptionOsfx@?$basic_ostream@ThrowU?$char_traits@__std_exception_copy_invalid_parameter_noinfo_noreturnmalloc
      • String ID: \paif.galf
      • API String ID: 4248727273-2421135167
      • Opcode ID: 4df5f8cf600f4cf82fc03905c40629085dc74dd311822620884983e11f42f3a1
      • Instruction ID: ef658b3f4f438240dd784791909967b38e2e754a87f45410010a36322f1da71a
      • Opcode Fuzzy Hash: 4df5f8cf600f4cf82fc03905c40629085dc74dd311822620884983e11f42f3a1
      • Instruction Fuzzy Hash: AD51C272A002049FCB14DF68C8859DEBBE9FB49310F104669E816EB351DB30AE45CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 005B2F10
      • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 005B2F1B
      • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 005B2F27
      • __RTC_Initialize.LIBCMT ref: 005B2F3F
      • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,005B3822), ref: 005B2F54
        • Part of subcall function 005B3785: InitializeSListHead.KERNEL32(005B93F0,005B2F64), ref: 005B378A
      • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_000035B9), ref: 005B2F72
      • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 005B2F8D
      • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B2F9C
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
      • String ID:
      • API String ID: 1933938900-0
      • Opcode ID: 1820a75b352d9ac83e1285ee62ee41722094c87c7f0db616b21fff0775eb0a69
      • Instruction ID: 7e90baf08d52652a5d686972935e55267461a1491b1b84e3f2d7436fd7ff55dd
      • Opcode Fuzzy Hash: 1820a75b352d9ac83e1285ee62ee41722094c87c7f0db616b21fff0775eb0a69
      • Instruction Fuzzy Hash: 560114E068121328DB213BF2180F6EE5F58BFD1750F140A59B804BA1D3FE6AB70940B3
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • _CxxThrowException.VCRUNTIME140(?,005B8218), ref: 005B1137
      • __std_exception_copy.VCRUNTIME140(?,?,?,?,?,005B8218), ref: 005B115E
      • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B1351,00000400,FFDC9AE9), ref: 005B2C63
      • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B1351,00000400,FFDC9AE9), ref: 005B2C70
      • _CxxThrowException.VCRUNTIME140(FFDC9AE9,005B81B4,FFDC9AE9), ref: 005B32AF
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: ExceptionThrow$__std_exception_copy_callnewhmalloc
      • String ID:
      • API String ID: 3601187372-0
      • Opcode ID: 089370ffab47295cd8089ad9539164d0ee23a2ccade7da75c142331a16c3ebd6
      • Instruction ID: b94f2f4b2a75d004700a5f7367fda7a38a3beaddedb2a3babc8ba00859fc77db
      • Opcode Fuzzy Hash: 089370ffab47295cd8089ad9539164d0ee23a2ccade7da75c142331a16c3ebd6
      • Instruction Fuzzy Hash: 3C01C43580020EB7CB14BBA8DC498D9BFACBE01350F508625FA14B7052FB70FA54C695
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,005B2811,?,?,00000000), ref: 005B11C5
      • _Query_perf_frequency.MSVCP140(?,00000000,?), ref: 005B11DE
      • _Query_perf_counter.MSVCP140 ref: 005B11E9
      • __alldvrm.LIBCMT ref: 005B1223
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B1245
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: Query_perf_counterQuery_perf_frequencyUnothrow_t@std@@@Xlength_error@std@@__alldvrm__ehfuncinfo$??2@
      • String ID: string too long
      • API String ID: 423504433-2556327735
      • Opcode ID: b08346234bd4bb766458544ca8f9451e71ddb2c1d7b99ae7fc85f0cbb2c29dfd
      • Instruction ID: 93a75d095ded9d04dd6155e86e5ad3581a9b76bbb4b5a635532ff3508c5d950c
      • Opcode Fuzzy Hash: b08346234bd4bb766458544ca8f9451e71ddb2c1d7b99ae7fc85f0cbb2c29dfd
      • Instruction Fuzzy Hash: 59F05E36B002089FCB64EF6DAD891ADFBFDEB98220B15817AE90DC7351E6709C145B50
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 457 5b360a-5b361a 458 5b361c-5b3620 457->458 459 5b3641-5b3646 457->459 458->459 460 5b3622-5b362a 458->460 461 5b3649-5b365f __current_exception __current_exception_context terminate 460->461 462 5b362c-5b3631 460->462 462->461 463 5b3633-5b3638 462->463 463->461 464 5b363a-5b363f 463->464 464->459 464->461
      APIs
      • __current_exception.VCRUNTIME140 ref: 005B3649
      • __current_exception_context.VCRUNTIME140 ref: 005B3653
      • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B365A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: __current_exception__current_exception_contextterminate
      • String ID: csm
      • API String ID: 2542180945-1018135373
      • Opcode ID: 0dca423a7642069a8a196ffef79e827bd4c7eb8b0427a789a81a33ecbf7ad9f4
      • Instruction ID: 19482aa7b161fea3ebb5e5311b1f0f491ca411fe12155f3ebe189c04c699599d
      • Opcode Fuzzy Hash: 0dca423a7642069a8a196ffef79e827bd4c7eb8b0427a789a81a33ecbf7ad9f4
      • Instruction Fuzzy Hash: 14F082318003056B8B305F2A9045099BFADBF91B217540919E445AB710CB70FF51CAD2
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 465 5b26e0-5b26fc 466 5b280c call 5b11c0 465->466 467 5b2702-5b2711 465->467 473 5b2811-5b2816 call 5b1120 466->473 469 5b273c-5b2744 467->469 470 5b2713 467->470 471 5b274d-5b275d 469->471 472 5b2746-5b274b 469->472 474 5b2715-5b271a 470->474 475 5b275f-5b2764 471->475 476 5b276c-5b276e 471->476 472->474 478 5b271d-5b2728 call 5b2c5b 474->478 475->473 479 5b276a 475->479 480 5b2780 476->480 481 5b2770-5b277e call 5b2c5b 476->481 487 5b272e-5b273a 478->487 488 5b27e1 _invalid_parameter_noinfo_noreturn 478->488 479->478 485 5b2782-5b2790 480->485 481->485 490 5b2792-5b27b6 memmove 485->490 491 5b27e7-5b2809 memmove 485->491 487->485 488->491 492 5b27ca-5b27de call 5b2edc 490->492 493 5b27b8-5b27c6 490->493 493->488 495 5b27c8 493->495 495->492
      APIs
      • memmove.VCRUNTIME140(00000000,00000001,00000000,00000000,?), ref: 005B2796
      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?), ref: 005B27E1
      • memmove.VCRUNTIME140(00000000,?,00000000,00000000,?), ref: 005B27E9
      • Concurrency::cancel_current_task.LIBCPMT ref: 005B2811
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
      • String ID:
      • API String ID: 2016347663-0
      • Opcode ID: ff1dc9d1d7e514ce3a91583921012bde6523f7d69f558747dc96c37a6c4b7fee
      • Instruction ID: 3983b32fbeb761a7d3a0f03b9193e8647290e454318a2399b64721991d9545fb
      • Opcode Fuzzy Hash: ff1dc9d1d7e514ce3a91583921012bde6523f7d69f558747dc96c37a6c4b7fee
      • Instruction Fuzzy Hash: 943126329002059BC7159F6898846EEBFA6FBC4300F2443A9E8199B346DA30FE15C7B5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memmove.VCRUNTIME140(?,00000000,00000001), ref: 005B20E7
      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 005B214F
      • memmove.VCRUNTIME140(00000000,00000000,00000001), ref: 005B2176
      • Concurrency::cancel_current_task.LIBCPMT ref: 005B2195
        • Part of subcall function 005B2C5B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,005B1351,00000400,FFDC9AE9), ref: 005B2C70
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
      • String ID:
      • API String ID: 2075926362-0
      • Opcode ID: 5e5ae98891538c30110050d2f8406b02a34bd7be7e4be899c5548fff6f37f97e
      • Instruction ID: 62820998ddf7e22ae5abf9e4aa67f0a8f1620ad7e5ca5279624d94b48cb2bbb7
      • Opcode Fuzzy Hash: 5e5ae98891538c30110050d2f8406b02a34bd7be7e4be899c5548fff6f37f97e
      • Instruction Fuzzy Hash: D2313A729002059BD7149F2CD8847EBBFE9FF55310F1002AAE8158B296EB31EA55C7E1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • _Query_perf_frequency.MSVCP140(?,00000000,?), ref: 005B11DE
      • _Query_perf_counter.MSVCP140 ref: 005B11E9
      • __alldvrm.LIBCMT ref: 005B1223
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B1245
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: Query_perf_counterQuery_perf_frequencyUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
      • String ID:
      • API String ID: 3135650852-0
      • Opcode ID: db992b272b0191bda88cfce80ad8a5fa4aca240e3be42c7b41a59ad028a20a6e
      • Instruction ID: 92e2c530606374e18a35c5e56beac5c55d8a4cb86d2ac2b9531a7942decfe325
      • Opcode Fuzzy Hash: db992b272b0191bda88cfce80ad8a5fa4aca240e3be42c7b41a59ad028a20a6e
      • Instruction Fuzzy Hash: AE119072B00208AFCB14DA5D9C85AAEFBFDEBC8260B1581BAF90DDB310E5309D0047A0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005B3191
      • ___raise_securityfailure.LIBCMT ref: 005B3279
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1664059101.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
      • Associated: 00000000.00000002.1663650970.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664151457.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664182814.00000000005B9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1664204403.00000000005BA000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5b0000_SaturdayNight.jbxd
      Similarity
      • API ID: FeaturePresentProcessor___raise_securityfailure
      • String ID: "[
      • API String ID: 3761405300-3208272576
      • Opcode ID: 8d889ae435ef2a611cb35439f7d50ee106094464aed791e32a7384a2ce4e4722
      • Instruction ID: 151522b63390546d8ca6a333acd3806a54b60dfd1b60cf593e1f55eb45ea61d6
      • Opcode Fuzzy Hash: 8d889ae435ef2a611cb35439f7d50ee106094464aed791e32a7384a2ce4e4722
      • Instruction Fuzzy Hash: E921C9B45043069ED794DF1DE94E6803BB4BB69310F10425AEB049B3A0E3717988FF45
      Uniqueness

      Uniqueness Score: -1.00%