Sample details: b3b983a017eee5ea8dfe2fe52d7b11ac

Hashes
MD5: b3b983a017eee5ea8dfe2fe52d7b11ac
SHA1: b2e2bf29c6d057e550a726ec1528d2ef97d6b377
SHA256: 16cb5e4105838049e4180f728658437013028ec57bf35329f947b1052803780f
SSDEEP: 3072:KQhdle85D9tLdNvYADBRlWeXOBea98DzMSFQ2wiJggZOdvqfZTQGBCPOClscj9HB:ZhLea9tLd9QeX2eMxs2+
Details
File Type: PE32
Yara Hits
CuckooSandbox/vmdetect | YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsConsole | YRP/HasDebugData | YRP/HasRichSignature | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/RE_Tools | YRP/VM_Generic_Detection | YRP/VMWare_Detection | YRP/Sandboxie_Detection | YRP/VirtualBox_Detection | YRP/Qemu_Detection | YRP/WMI_strings | YRP/DebuggerCheck__QueryInfo | YRP/DebuggerCheck__RemoteAPI | YRP/DebuggerHiding__Thread | YRP/SEH__vectored | YRP/Check_Dlls | YRP/Check_Qemu_Description | YRP/Check_Qemu_DeviceMap | YRP/Check_VBox_Description | YRP/Check_VBox_DeviceMap | YRP/Check_VBox_Guest_Additions | YRP/Check_VBox_VideoDrivers | YRP/Check_VMWare_DeviceMap | YRP/Check_VmTools | YRP/Check_Wine | YRP/vmdetect | YRP/Check_Debugger | YRP/anti_dbg | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/vmdetect_misc
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
.gfids
@.reloc
t#h8~B
Whiiiij
$SVWh<
$SVWh<
$SVWh<
RhIPCA
<SVWh<
T$8SSR
T$8SSR
t$(+t$,F
RhIPCA
VhIPCA
QQSVWd
URPQQh
;t$,v-
UQPXY]Y[
Tt1jhZ;
Tt1jhZ;
^$+^8+
t	j-Xf
t0jXXf
~$+~8+
t	j-Xf
t0jXXf
~$+~8+
F2jgYf;
SVWjA_jZ+
uBjAYjZ+
< t1<	t-
QSSSSj
u0jAXf;
u0jAXf;
Wj0XPV
SSPQSS
u kE$<
>:uBFV
WWWPWS
u-PWWS
SSVWh 
f9:t!V
|VWj=S
QQSWj0j@
PPPPPWS
PP9E u:PPVWP
D8(HXt:f
D8(Ht5F
SVjA[jZ^+
jAZjZ^
v!j"X_^[
PPPPPPPP
v	N+D$
v	N+D$
VC20XC00U
Unknown exception
bad allocation
bad array new length
bad exception
Main Invoked.
Main Returned.
EventRegister
EventSetInformation
EventUnregister
EventWriteTransfer
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
 delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
 new[]
 delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator "" 
 Type Descriptor'
 Base Class Descriptor at (
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`h````
xpxxxx
`h`hhh
xwpwpp
(null)
CorExitProcess
CompareStringEx
GetCurrentPackageId
GetSystemTimePreciseAsFileTime
LCMapStringEx
LocaleNameToLCID
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
[aOni*{
~ $s%r
@b;zO]
v2!L.2
1#QNAN
1#SNAN
?5Wg4p
"B <1=
_hypot
_nextafter
[*] Delay value is set to %u minutes ...
NtClose
NtQueryInformationProcess
NtQueryObject
NtCreateDebugObject
NtQuerySystemInformation
NtSetInformationThread
NtYieldExecution
invalid string position
string too long
CsrGetProcessId
GetWriteWatch failed. Last error: %d
GlobalGetAtomName succeeded when it should've failed... not sure what happened!
GetEnvironmentVariable succeeded when it should've failed... not sure what happened!
GetBinaryType succeeded when it should've failed... not sure what happened!
HeapQueryInformation succeeded when it should've failed... not sure what happened!
ReadProcessMemory succeeded when it should've failed... not sure what happened!
GetThreadContext succeeded when it should've failed... not sure what happened!
GetWriteWatch succeeded when it should've failed... not sure what happened!
Write watch API check skipped, ignore the result as it is inconclusive.
Failed to get services list.
Failed to get SCM handle.
ERROR: %d
VirtualBox
VMware
VMWARE
wine_get_unix_file_name
IsWow64Process
Error allocating memory needed to call GetAdaptersinfo
RtlGetVersion
GetNativeSystemInfo
GetProductInfo
First call failed :(
Second call failed :(
K.$Failed to open a handle to NTDLL... this is suspicious!
NtDelayExecution
NTDLL does not have an NtDelayExecution entry point... this is suspicious!
Data Buffer
	Unable to open handle.
IcmpCreatefile returned error: %ld
	Unable to allocate memory
InvokeMainViaCRT
"Main Invoked."
FileName
ExitMainViaCRT
"Main Returned."
FileName
Microsoft.CRTProvider
N:\Research\al-khaser-mainrepo\al-khaser\Release\al-khaser.pdb
.text$mn
.text$x
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLF
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data$r
.gfids$x
.gfids$y
.tls$ZZZ
.rsrc$01
.rsrc$02
GetCurrentProcess
CheckRemoteDebuggerPresent
CloseHandle
LoadLibraryW
GetProcAddress
VirtualAlloc
GetCurrentThread
GetThreadContext
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
IsDebuggerPresent
VirtualProtect
VirtualFree
GetSystemInfo
SetLastError
GetLastError
OutputDebugStringW
VerSetConditionMask
VerifyVersionInfoW
GetModuleHandleW
QueryInformationJobObject
OpenProcess
GetCurrentProcessId
SetHandleInformation
CreateMutexW
RaiseException
SetUnhandledExceptionFilter
GetBinaryTypeW
GetEnvironmentVariableW
GetWriteWatch
ResetWriteWatch
GlobalGetAtomNameW
HeapQueryInformation
ReadProcessMemory
DeviceIoControl
LocalAlloc
CreateFileW
GetDiskFreeSpaceExW
LocalFree
GlobalMemoryStatusEx
GetTickCount
EnumSystemFirmwareTables
ExpandEnvironmentStringsW
GetWindowsDirectoryW
WaitForSingleObject
ReadFile
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
lstrlenW
GetStdHandle
MultiByteToWideChar
FormatMessageW
LocalSize
GetConsoleWindow
SetConsoleTitleW
GetSystemFirmwareTable
HeapFree
GetFileAttributesW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
HeapAlloc
GetProcessHeap
CreateEventW
KERNEL32.dll
GetShellWindow
GetWindowThreadProcessId
MessageBoxW
GetCursorPos
FindWindowW
MoveWindow
GetSystemMetrics
KillTimer
TranslateMessage
SetTimer
DispatchMessageW
GetMessageW
USER32.dll
EnumServicesStatusExW
OpenSCManagerW
GetTokenInformation
RegQueryValueExW
RegOpenKeyExW
OpenProcessToken
RegCloseKey
ADVAPI32.dll
SHGetSpecialFolderPathW
SHELL32.dll
CoUninitialize
CoCreateInstance
CoSetProxyBlanket
CoInitializeSecurity
CoInitializeEx
ole32.dll
OLEAUT32.dll
GetAdaptersInfo
IcmpSendEcho
IcmpCreateFile
IPHLPAPI.DLL
StrCmpW
StrStrIW
StrCmpIW
PathCombineW
SHLWAPI.dll
GetProcessImageFileNameW
PSAPI.DLL
WNetGetProviderNameW
MPR.dll
GetPwrCapabilities
POWRPROF.dll
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetDeviceRegistryPropertyW
SetupDiGetClassDevsW
SETUPAPI.dll
timeGetDevCaps
timeKillEvent
timeEndPeriod
timeSetEvent
WINMM.dll
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
UnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
EncodePointer
GetModuleFileNameW
RtlUnwind
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
WideCharToMultiByte
WriteFile
GetModuleFileNameA
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
GetACP
CompareStringW
LCMapStringW
GetFileType
HeapReAlloc
GetCPInfo
GetTimeZoneInformation
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetStdHandle
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
ReadConsoleW
SetFilePointerEx
HeapSize
WriteConsoleW
SetEndOfFile
DecodePointer
SystemFunction036
VirtualQuery
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
.?AVbad_array_new_length@std@@
.?AVbad_exception@std@@
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
3"3j3x3}3
4!4&40454?4D4N4S4]4b4l4q4{4
5 5%5/545>5C5M5R5\5a5k5p5z5
6$6.636=6B6L6Q6[6`6j6o6y6~6
7-727<7A7P7U7_7d7n7s7}7
8"8'81868@8O8T8^8h8m8|8
9*9B9Q9W9g9n9s9
;#;*;1;8;_;
;!<T<q<
?&?+?e?w?
&03080?0Q0
1I1O1T1[1|1
3c3k3p3w3
5*5i5p5
;Z=d=n=
070A0N0\0
121B1H1[1b1g1z1
1-2_2h2
3"3+3D3L3U3d3~3
3(4H4R4X4}4
5;5E5K5e5
6!6(6/666_6~6
;.;?;p;v;
;&<,<M<c<q<
=Y=d=n=
>3>@>F>
"0'040S0v0|0
2<2E2T2c2
3$3C3f3l3
3$4t4{4
5#5A5q5
5!6&636R6p6
9#:/:a:
222g2s2
2!3T3q3
6$6B6P6k6p6v6}6
7/787?7F7M7j7
;A<F<S<r<
>.>8>K>^>r>
212n2s2
4&4-444;4B4I4m4
6>6C6n6y6
7"8(8_8
:6:<:K:f:s:
<O<X<y<
?#?N?Y?f?r?
303R3\3i3
5$5?5M5T5i5)6E6M6T6Y6f6r6x6
7#7j8q8|8
8X9o9z9
:0:5:<:
:?;I;m;t;
< <*<4<><H<R<\<f<p<z<
=2=B=L=]=k=y=
00090]0f0q0~0
3$32393\3p3
585R5X5h5
676X6w6
8'8H9s9
;;;P;W;];o;y;
=1=W=`=f=
=B>a>k>|>
?3?A?^?
c0l0t0
1(111@1K1a1j1u1|1
2#2-272G2W2g2p2
919L9o9
4.4=4I4W4y4
5F5K5P5
616=6B6G6n6z6
757A7X8
:(:H:b:q:
;/;<;J;X;c;y;
7/7D7f7x7
:p:^;h;u;
T0Y0`0
1)7_7}8
9;9_9z9
;";0;<;O;V;^;w;
<"<(<.<
0,1G1\1a1k1p1{1
4)424C4U4p4
54696?6D6O6U6]6h6r6x6
7F7O7W7
;<;A;N;Z;p;
<$<-<2<?<D<
<W=]=o=
9&90959:9W9_9
:%:3:U:g:
;1;<;A;F;a;k;
<6<A<F<K<f<p<
=6=Z=v=
>">D>R>a>
0&0+0(1a1
=7=H=c=o=
=	>+><>Q>[>~>
93:>:z:
3]4e4;5
9"9(9O9{9
:Y<a<m<z<
?'?:?@?F?
4'4T4[4f4t4{4
7*8Q8Z9
:#:A:K:\:a:v:
>#>(>3>G>R>i>
>1?g?z?
3B3M3Z3k3y3
767=7T7j7
7'8:8D8e8
939n9u9
9C:U:g:y:
;<;N;`;r;
162=2G2V2z2
2"3@3K3
4\4i4v4
6>6l6Y7
2,3U3~3
8!8X8_8
6:6G6R6
<7<K<m<w<
:(:F:Q:
:+;C;s;
5'575i5
6B6Q6p6b7
8'848d8
5:5B5_5o5{5
787U7i7t7
:[:\;l;};
<"<(<1<s<
313G3]3e3
7X:^:d:
;+;?;E;
1'1E1S1
383?3D3H3L3P3
;L<[<e<
=!=3=O=
=F>V>c>
3 3 5$5(5@5D5H5\5`5d5h5l5p5t5x5|5
6 6$6(6
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
2p;t;x;|;
<$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
6$6,646<6D6L6T6\6d6l6t6|6
7$7,747<7D7L7T7\7d7l7t7|7
8$8,848<8D8L8T8\8d8l8t8|8
9$9,949<9D9L9T9\9d9l9t9|9
:$:,:4:<:D:L:T:\:d:l:t:|:
;$;,;4;<;D;L;T;\;d;l;t;|;
<$<,<4<<<D<L<T<\<d<l<t<|<
(70787@7H7P7X7`7h7p7x7
8 8(80888@8H8P8X8`8h8p8x8
9 9(90989@9H9P9X9`9h9p9x9
: :(:0:8:@:H:P:X:`:h:p:x:
; ;(;0;8;@;H;P;X;`;h;p;x;
< <(<0<8<@<H<P<X<`<h<p<x<
= =(=0=8=@=H=P=X=`=h=p=x=
> >(>0>8>@>
:2>2B2F2
<$<,<4<<<D<L<T<\<d<l<t<|<
\<`<h<|<
=$=4=8=H=L=P=X=p=
> >$>4>8>@>X>h>l>|>
,404<4@4L4P4\4|4
5 5(50545<5P5X5l5t5
6 6(60686<6@6H6\6t6x6
7<7H7P7|7
888X8x8
9 9<9@9`9
:(:H:h:
;(;H;h;
<(<H<d<h<
$0X0p1
8 8$8(8,888<8@8D8H8L8P8T8
:8:P:x: