
Analysis Report evatest2.exe

Overview

General Information

Joe Sandbox Version:26.0.0
Analysis ID:881802
Start date:11.06.2019
Start time:14:48:08
Joe Sandbox Product:Cloud
Overall analysis duration:0h 6m 35s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:evatest2.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason:Timeout
Detection:SUS
Classification:sus25.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 6
  • Number of non-executed functions: 5
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 25 | 0 - 100 | Report FP / FN | false | suspicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Execution through API 1 | Winlogon Helper DLL | Port Monitors | Software Packing 1 | Credential Dumping | System Time Discovery 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Obfuscated Files or Information 1 | Network Sniffing | Security Software Discovery 2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | System Information Discovery 11 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for unpacked file
Source: 0.0.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091C99
Yara signature match
Source: evatest2.exe, type: SAMPLE | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 00000000.00000001.1662073315.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 00000000.00000002.1671247806.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 00000000.00000000.1660532969.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 0.1.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 0.2.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 0.0.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 0.0.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 0.1.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Source: 0.2.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE (Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs)
Classification label
Source: classification engine | Classification label: sus25.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
Source: evatest2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\evatest2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Submission file is bigger than most known malware samples
Source: evatest2.exe | Static file information: File size 6677504 > 1048576
PE file has a big raw section
Source: evatest2.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x651200
PE file contains a mix of data directories often seen in goodware
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: evatest2.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\UnTroueCunTroueKhouya\Release\UnTroueCunTroueKhouya.pdb | source: evatest2.exe
PE file contains a valid data directory to section mapping
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 OutputDebugStringW,GetKeyboardLayout,lstrlenA,lstrlenA,_malloc,GetModuleHandleA,GetProcAddress,_malloc,VirtualProtect,LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010922A5 push ecx; ret 0_2_010922B8

Malware Analysis System Evasion:

Country aware sample found (crashes after keyboard check)
Source: c:\users\user\desktop\evatest2.exe | Event Logs and Signature results: Application crash and keyboard check
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\evatest2.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-3409
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 09h and CTI: je 01091023h | country: English (en)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: jne 0109102Dh | country: Russian (ru)

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\evatest2.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\evatest2.exe | Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01093B64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 OutputDebugStringW,GetKeyboardLayout,lstrlenA,lstrlenA,_malloc,GetModuleHandleA,GetProcAddress,_malloc,VirtualProtect,LoadLibraryA,GetProcAddress
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01093B64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_0109120D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010960B7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01096D2C GetLocaleInfoA
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010938DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

Behavior Graph

Behavior Graph ID: 881802 | Sample: evatest2.exe | Start date: 11/06/2019 | Architecture: WINDOWS | Score: 25
Process node: evatest2.exe (started) | Signature nodes: Country aware sample found (crashes after keyboard check); Antivirus or Machine Learning detection for unpacked file

Simulations

Behavior and APIs

Time | Type | Description
14:50:07 | API Interceptor | 274x Sleep call for process: evatest2.exe modified

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.evatest2.exe.1090000.0.unpack | 100% | Joe Sandbox ML |
0.1.evatest2.exe.1090000.0.unpack | 100% | Joe Sandbox ML |
0.2.evatest2.exe.1090000.0.unpack | 100% | Joe Sandbox ML |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source | Rule | Description | Author
evatest2.exe | Embedded_PE | unknown | unknown

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000001.1662073315.01090000.00000002.sdmp | Embedded_PE | unknown | unknown
00000000.00000002.1671247806.01090000.00000002.sdmp | Embedded_PE | unknown | unknown
00000000.00000000.1660532969.01090000.00000002.sdmp | Embedded_PE | unknown | unknown

Unpacked PEs

Source | Rule | Description | Author
0.1.evatest2.exe.1090000.0.raw.unpack | Embedded_PE | unknown | unknown
0.2.evatest2.exe.1090000.0.raw.unpack | Embedded_PE | unknown | unknown
0.0.evatest2.exe.1090000.0.raw.unpack | Embedded_PE | unknown | unknown
0.0.evatest2.exe.1090000.0.unpack | Embedded_PE | unknown | unknown
0.1.evatest2.exe.1090000.0.unpack | Embedded_PE | unknown | unknown
0.2.evatest2.exe.1090000.0.unpack | Embedded_PE | unknown | unknown


Startup

  • System is w7_1
  • evatest2.exe (PID: 2800 cmdline: 'C:\Users\user\Desktop\evatest2.exe' MD5: 4AE1716ABD362EA12F5E93C9D7010D68)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):7.848117084807777
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Java Script embedded in Visual Basic Script (1500/0) 0.01%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:evatest2.exe
File size:6677504
MD5:4ae1716abd362ea12f5e93c9d7010d68
SHA1:93d51ac86c5ed207dd6e77b2e767cdeb23106925
SHA256:4f305bea98220120fb71e82f6adb7708e300c87a49eeaa05d729600db4e4e9df
SHA512:8a31f0b7f00f7c9e3c4ea0ea30839cb6de32806bb02b64be7be012fc4adee8569860762012e4fd912ce9e522e92c638494f8050f3ab503374bbbe40cf02b9fb1
SSDEEP:98304:bTRvmbxXIuaWLZPxMKtCM8IjaPbktQWX8AfHbhIWwPaOJn3N/BUKTKR:QGMJ8Ijary8Af7hIjJn1
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W...W...W...I.G.M...I.V.G...I.@.....pI..R...W.......I.I.V...I.R.V...RichW...................PE..L...Qu.\.................f.

File Icon

Icon Hash:aab2e3e39383aa00

Static PE Info

General

Entrypoint:0x4014dc
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5CFE7551 [Mon Jun 10 15:20:49 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:dadba842a33028572cf693651cd12efb

Entrypoint Preview

Instruction
call 1C59046Fh
jmp 1C58DEEDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00A5B198h], eax
mov dword ptr [00A5B194h], ecx
mov dword ptr [00A5B190h], edx
mov dword ptr [00A5B18Ch], ebx
mov dword ptr [00A5B188h], esi
mov dword ptr [00A5B184h], edi
mov word ptr [00A5B1B0h], ss
mov word ptr [00A5B1A4h], cs
mov word ptr [00A5B180h], ds
mov word ptr [00A5B17Ch], es
mov word ptr [00A5B178h], fs
mov word ptr [00A5B174h], gs
pushfd
pop dword ptr [00A5B1A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00A5B19Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00A5B1A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00A5B1ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00A5B0E8h], 00010001h
mov eax, dword ptr [00A5B1A0h]
mov dword ptr [00A5B09Ch], eax
mov dword ptr [00A5B090h], C0000409h
mov dword ptr [00A5B094h], 00000001h
mov eax, dword ptr [0040A004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040A008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000034h]

Rich Headers

Programming Language:
  • [ C ] VS2008 build 21022
  • [IMP] VS2005 build 50727
  • [LNK] VS2008 build 21022
  • [C++] VS2008 build 21022
  • [ASM] VS2008 build 21022

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x96e4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x65c000 | 0x1b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x65d000 | 0x6d0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8130 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9390 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6434 | 0x6600 | False | 0.611481311275 | ump; DBase 3 data file with memo(s) (1750554197 records) | 6.57584458721 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1cb6 | 0x1e00 | False | 0.352864583333 | ump; data | 5.35731007345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x651c1c | 0x651200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x65c000 | 0x1b4 | 0x200 | False | 0.490234375 | ump; data | 5.0997477791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x65d000 | 0x47c4 | 0x4800 | False | 0.0876736111111 | ump; data | 1.04076936106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x65c058 | 0x15a | ump; ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | lstrlenA, OutputDebugStringW, GetProcAddress, LoadLibraryA, GetModuleHandleA, VirtualProtect, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
USER32.dll | GetKeyboardLayout

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage


Memory Usage


System Behavior

General

Start time:14:50:07
Start date:11/06/2019
Path:C:\Users\user\Desktop\evatest2.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\evatest2.exe'
Imagebase:0x1090000
File size:6677504 bytes
MD5 hash:4AE1716ABD362EA12F5E93C9D7010D68
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
  • Rule: Embedded_PE, Description: unknown, Source: 00000000.00000001.1662073315.01090000.00000002.sdmp, Author: unknown
  • Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.1671247806.01090000.00000002.sdmp, Author: unknown
  • Rule: Embedded_PE, Description: unknown, Source: 00000000.00000000.1660532969.01090000.00000002.sdmp, Author: unknown
Reputation:low

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:7.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4%
    Total number of Nodes:1102
    Total number of Limit Nodes:13

    Graph

    execution_graph: node and edge listing of the execution graph (1102 nodes, 13 limit nodes) not reproduced in text form
1091734 3731->3733 3734 1091722 3732->3734 3790 109175f 3733->3790 3734->3733 3736 10939e8 __mtdeletelocks 69 API calls 3734->3736 3737 109172e 3736->3737 3738 10929da _malloc 69 API calls 3737->3738 3738->3733 3793 1094a33 3739->3793 3741 1092966 3742 1092973 3741->3742 3743 1094a33 __set_error_mode 69 API calls 3741->3743 3744 10927b4 __NMSG_WRITE 69 API calls 3742->3744 3747 10916c6 3742->3747 3743->3742 3745 109298b 3744->3745 3746 10927b4 __NMSG_WRITE 69 API calls 3745->3746 3746->3747 3748 10927b4 3747->3748 3749 10927c8 3748->3749 3750 1094a33 __set_error_mode 66 API calls 3749->3750 3780 10916cd 3749->3780 3751 10927ea 3750->3751 3752 1092928 GetStdHandle 3751->3752 3754 1094a33 __set_error_mode 66 API calls 3751->3754 3753 1092936 _strlen 3752->3753 3752->3780 3757 109294f WriteFile 3753->3757 3753->3780 3755 10927fb 3754->3755 3755->3752 3756 109280d 3755->3756 3756->3780 3799 10949cb 3756->3799 3757->3780 3760 1092843 GetModuleFileNameA 3761 1092861 3760->3761 3767 1092884 _strlen 3760->3767 3763 10949cb _strcpy_s 66 API calls 3761->3763 3765 1092871 3763->3765 3765->3767 3768 1093b64 __invoke_watson 10 API calls 3765->3768 3766 10928c7 3824 109480f 3766->3824 3767->3766 3815 1094883 3767->3815 3768->3767 3772 10928eb 3775 109480f _strcat_s 66 API calls 3772->3775 3774 1093b64 __invoke_watson 10 API calls 3774->3772 3777 10928ff 3775->3777 3776 1093b64 __invoke_watson 10 API calls 3776->3766 3779 1093b64 __invoke_watson 10 API calls 3777->3779 3781 1092910 3777->3781 3779->3781 3782 1092500 3780->3782 3833 10946a6 3781->3833 3871 10924d5 GetModuleHandleW 3782->3871 3789 1093a7f 3785->3789 3787 10916f2 3787->3721 3787->3722 3788 1093a96 Sleep 3788->3789 3789->3787 3789->3788 3874 109126b 3789->3874 3903 109168e LeaveCriticalSection 3790->3903 3792 1091766 3792->3723 3794 1094a42 3793->3794 3795 10929da _malloc 69 API calls 3794->3795 3798 1094a4c 3794->3798 3796 1094a65 3795->3796 3797 1093c8c _strcat_s 7 API calls 3796->3797 3797->3798 3798->3741 3800 
10949dc 3799->3800 3801 10949e3 3799->3801 3800->3801 3806 1094a09 3800->3806 3802 10929da _malloc 69 API calls 3801->3802 3803 10949e8 3802->3803 3804 1093c8c _strcat_s 7 API calls 3803->3804 3805 109282f 3804->3805 3805->3760 3808 1093b64 3805->3808 3806->3805 3807 10929da _malloc 69 API calls 3806->3807 3807->3803 3860 1095c30 3808->3860 3810 1093b91 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 3811 1093c6d GetCurrentProcess TerminateProcess 3810->3811 3812 1093c61 __invoke_watson 3810->3812 3862 109120d 3811->3862 3812->3811 3814 1092840 3814->3760 3820 1094895 3815->3820 3816 1094899 3817 10928b4 3816->3817 3818 10929da _malloc 69 API calls 3816->3818 3817->3766 3817->3776 3819 10948b5 3818->3819 3821 1093c8c _strcat_s 7 API calls 3819->3821 3820->3816 3820->3817 3822 10948df 3820->3822 3821->3817 3822->3817 3823 10929da _malloc 69 API calls 3822->3823 3823->3819 3825 1094827 3824->3825 3827 1094820 3824->3827 3826 10929da _malloc 69 API calls 3825->3826 3832 109482c 3826->3832 3827->3825 3829 109485b 3827->3829 3828 1093c8c _strcat_s 7 API calls 3830 10928da 3828->3830 3829->3830 3831 10929da _malloc 69 API calls 3829->3831 3830->3772 3830->3774 3831->3832 3832->3828 3834 10933b0 _doexit 7 API calls 3833->3834 3835 10946b6 3834->3835 3836 10946c9 LoadLibraryA 3835->3836 3837 1094751 3835->3837 3838 10947f3 3836->3838 3839 10946de GetProcAddress 3836->3839 3843 10933b9 __decode_pointer 7 API calls 3837->3843 3852 109477b 3837->3852 3838->3780 3839->3838 3840 10946f4 3839->3840 3844 109333e __encode_pointer 7 API calls 3840->3844 3841 10933b9 __decode_pointer 7 API calls 3841->3838 3842 10933b9 __decode_pointer 7 API calls 3854 10947be 3842->3854 3845 109476e 3843->3845 3846 10946fa GetProcAddress 3844->3846 3847 10933b9 __decode_pointer 7 API calls 3845->3847 3848 109333e __encode_pointer 7 API calls 3846->3848 3847->3852 3849 109470f GetProcAddress 3848->3849 3850 109333e __encode_pointer 7 API calls 3849->3850 3851 1094724 
GetProcAddress 3850->3851 3853 109333e __encode_pointer 7 API calls 3851->3853 3852->3842 3859 10947a6 3852->3859 3855 1094739 3853->3855 3856 10933b9 __decode_pointer 7 API calls 3854->3856 3854->3859 3855->3837 3857 1094743 GetProcAddress 3855->3857 3856->3859 3858 109333e __encode_pointer 7 API calls 3857->3858 3858->3837 3859->3841 3861 1095c3c __VEC_memzero 3860->3861 3861->3810 3861->3861 3863 1091215 3862->3863 3864 1091217 IsDebuggerPresent 3862->3864 3863->3814 3870 1093971 3864->3870 3867 10915b3 SetUnhandledExceptionFilter UnhandledExceptionFilter 3868 10915d8 GetCurrentProcess TerminateProcess 3867->3868 3869 10915d0 __invoke_watson 3867->3869 3868->3814 3869->3868 3870->3867 3872 10924e9 GetProcAddress 3871->3872 3873 10924f9 ExitProcess 3871->3873 3872->3873 3875 109127d 3874->3875 3876 109131e 3874->3876 3879 109295f __FF_MSGBANNER 68 API calls 3875->3879 3882 10927b4 __NMSG_WRITE 68 API calls 3875->3882 3883 10912da HeapAlloc 3875->3883 3884 1092500 _doexit 3 API calls 3875->3884 3885 109130a 3875->3885 3887 10929fc _malloc 7 API calls 3875->3887 3888 109130f 3875->3888 3890 1091316 3875->3890 3891 109121c 3875->3891 3877 10929fc _malloc 7 API calls 3876->3877 3878 1091324 3877->3878 3880 10929da _malloc 68 API calls 3878->3880 3879->3875 3880->3890 3882->3875 3883->3875 3884->3875 3886 10929da _malloc 68 API calls 3885->3886 3886->3888 3887->3875 3889 10929da _malloc 68 API calls 3888->3889 3889->3890 3890->3789 3892 1091228 _doexit 3891->3892 3893 1091259 _doexit 3892->3893 3894 1091768 __lock 69 API calls 3892->3894 3893->3875 3895 109123e 3894->3895 3896 1091f7a ___sbh_alloc_block 5 API calls 3895->3896 3897 1091249 3896->3897 3899 1091262 3897->3899 3902 109168e LeaveCriticalSection 3899->3902 3901 1091269 3901->3893 3902->3901 3903->3792 3905 1091b28 HeapAlloc 3904->3905 3906 1091af4 HeapReAlloc 3904->3906 3907 1091b12 3905->3907 3909 1091b4b VirtualAlloc 3905->3909 3906->3907 3908 1091b16 3906->3908 3907->3655 3908->3905 3909->3907 3910 
1091b65 HeapFree 3909->3910 3910->3907 3912 1091ba8 VirtualAlloc 3911->3912 3914 1091bef 3912->3914 3914->3659 3915->3662 3916->3595 3935 109168e LeaveCriticalSection 3917->3935 3919 109353c 3919->3605 3921 109572c InterlockedIncrement 3920->3921 3922 109572f 3920->3922 3921->3922 3923 1095739 InterlockedIncrement 3922->3923 3924 109573c 3922->3924 3923->3924 3925 1095749 3924->3925 3926 1095746 InterlockedIncrement 3924->3926 3927 1095753 InterlockedIncrement 3925->3927 3929 1095756 3925->3929 3926->3925 3927->3929 3928 109576f InterlockedIncrement 3928->3929 3929->3928 3930 109577f InterlockedIncrement 3929->3930 3931 109578a InterlockedIncrement 3929->3931 3930->3929 3931->3608 3936 109168e LeaveCriticalSection 3932->3936 3934 109358a 3934->3610 3935->3919 3936->3934 3937->3445 3940 1092d31 3938->3940 3942 1092d9e 3940->3942 3948 1094b58 3940->3948 3941 1092e9c 3941->3491 3941->3492 3942->3941 3943 1094b58 79 API calls _parse_cmdline 3942->3943 3943->3942 3945 109523e 3944->3945 3946 1095245 3944->3946 4170 109509b 3945->4170 3946->3486 3951 1094b05 3948->3951 3954 1094a7e 3951->3954 3955 1094a91 3954->3955 3961 1094ade 3954->3961 3962 1093605 3955->3962 3958 1094abe 3958->3961 3982 1094d96 3958->3982 3961->3940 3963 109358c __getptd_noexit 69 API calls 3962->3963 3964 109360d 3963->3964 3965 109361a 3964->3965 3966 10924ac __amsg_exit 69 API calls 3964->3966 3965->3958 3967 1095874 3965->3967 3966->3965 3968 1095880 _doexit 3967->3968 3969 1093605 __getptd 69 API calls 3968->3969 3970 1095885 3969->3970 3971 10958b3 3970->3971 3973 1095897 3970->3973 3972 1091768 __lock 69 API calls 3971->3972 3974 10958ba 3972->3974 3975 1093605 __getptd 69 API calls 3973->3975 3998 1095836 3974->3998 3977 109589c 3975->3977 3979 10958aa _doexit 3977->3979 3981 10924ac __amsg_exit 69 API calls 3977->3981 3979->3958 3981->3979 3983 1094da2 _doexit 3982->3983 3984 1093605 __getptd 69 API calls 3983->3984 3985 1094da7 3984->3985 3986 1091768 __lock 69 API calls 3985->3986 3993 
1094db9 3985->3993 3987 1094dd7 3986->3987 3988 1094e20 3987->3988 3991 1094e08 InterlockedIncrement 3987->3991 3992 1094dee InterlockedDecrement 3987->3992 4166 1094e31 3988->4166 3989 10924ac __amsg_exit 69 API calls 3994 1094dc7 _doexit 3989->3994 3991->3988 3992->3991 3995 1094df9 3992->3995 3993->3989 3993->3994 3994->3961 3995->3991 3996 10939e8 __mtdeletelocks 69 API calls 3995->3996 3997 1094e07 3996->3997 3997->3991 3999 109583a 3998->3999 4000 109586c 3998->4000 3999->4000 4001 109570e ___addlocaleref 8 API calls 3999->4001 4006 10958de 4000->4006 4002 109584d 4001->4002 4002->4000 4009 109579d 4002->4009 4165 109168e LeaveCriticalSection 4006->4165 4008 10958e5 4008->3977 4010 10957ae InterlockedDecrement 4009->4010 4011 1095831 4009->4011 4012 10957c3 InterlockedDecrement 4010->4012 4013 10957c6 4010->4013 4011->4000 4023 10955c5 4011->4023 4012->4013 4014 10957d0 InterlockedDecrement 4013->4014 4015 10957d3 4013->4015 4014->4015 4016 10957dd InterlockedDecrement 4015->4016 4017 10957e0 4015->4017 4016->4017 4018 10957ea InterlockedDecrement 4017->4018 4019 10957ed 4017->4019 4018->4019 4020 1095806 InterlockedDecrement 4019->4020 4021 1095816 InterlockedDecrement 4019->4021 4022 1095821 InterlockedDecrement 4019->4022 4020->4019 4021->4019 4022->4011 4024 1095649 4023->4024 4025 10955dc 4023->4025 4026 1095696 4024->4026 4027 10939e8 __mtdeletelocks 69 API calls 4024->4027 4025->4024 4032 1095610 4025->4032 4036 10939e8 __mtdeletelocks 69 API calls 4025->4036 4044 10956bd 4026->4044 4077 10967d4 4026->4077 4029 109566a 4027->4029 4030 10939e8 __mtdeletelocks 69 API calls 4029->4030 4033 109567d 4030->4033 4038 10939e8 __mtdeletelocks 69 API calls 4032->4038 4052 1095631 4032->4052 4039 10939e8 __mtdeletelocks 69 API calls 4033->4039 4034 10939e8 __mtdeletelocks 69 API calls 4040 109563e 4034->4040 4035 1095702 4041 10939e8 __mtdeletelocks 69 API calls 4035->4041 4042 1095605 4036->4042 4037 10939e8 __mtdeletelocks 69 API calls 4037->4044 4043 1095626 
4038->4043 4045 109568b 4039->4045 4047 10939e8 __mtdeletelocks 69 API calls 4040->4047 4048 1095708 4041->4048 4053 10969ae 4042->4053 4069 1096969 4043->4069 4044->4035 4046 10939e8 69 API calls __mtdeletelocks 4044->4046 4051 10939e8 __mtdeletelocks 69 API calls 4045->4051 4046->4044 4047->4024 4048->4000 4051->4026 4052->4034 4054 10969bb 4053->4054 4068 1096a38 4053->4068 4055 10969cc 4054->4055 4056 10939e8 __mtdeletelocks 69 API calls 4054->4056 4057 10969de 4055->4057 4058 10939e8 __mtdeletelocks 69 API calls 4055->4058 4056->4055 4059 10969f0 4057->4059 4060 10939e8 __mtdeletelocks 69 API calls 4057->4060 4058->4057 4061 10939e8 __mtdeletelocks 69 API calls 4059->4061 4062 1096a02 4059->4062 4060->4059 4061->4062 4063 10939e8 __mtdeletelocks 69 API calls 4062->4063 4064 1096a14 4062->4064 4063->4064 4065 1096a26 4064->4065 4066 10939e8 __mtdeletelocks 69 API calls 4064->4066 4067 10939e8 __mtdeletelocks 69 API calls 4065->4067 4065->4068 4066->4065 4067->4068 4068->4032 4070 1096976 4069->4070 4076 10969aa 4069->4076 4071 1096986 4070->4071 4072 10939e8 __mtdeletelocks 69 API calls 4070->4072 4073 10939e8 __mtdeletelocks 69 API calls 4071->4073 4074 1096998 4071->4074 4072->4071 4073->4074 4075 10939e8 __mtdeletelocks 69 API calls 4074->4075 4074->4076 4075->4076 4076->4052 4078 10967e5 4077->4078 4164 10956b6 4077->4164 4079 10939e8 __mtdeletelocks 69 API calls 4078->4079 4080 10967ed 4079->4080 4081 10939e8 __mtdeletelocks 69 API calls 4080->4081 4082 10967f5 4081->4082 4083 10939e8 __mtdeletelocks 69 API calls 4082->4083 4084 10967fd 4083->4084 4085 10939e8 __mtdeletelocks 69 API calls 4084->4085 4086 1096805 4085->4086 4087 10939e8 __mtdeletelocks 69 API calls 4086->4087 4088 109680d 4087->4088 4089 10939e8 __mtdeletelocks 69 API calls 4088->4089 4090 1096815 4089->4090 4091 10939e8 __mtdeletelocks 69 API calls 4090->4091 4092 109681c 4091->4092 4093 10939e8 __mtdeletelocks 69 API calls 4092->4093 4094 1096824 4093->4094 4095 10939e8 __mtdeletelocks 69 
API calls 4094->4095 4096 109682c 4095->4096 4097 10939e8 __mtdeletelocks 69 API calls 4096->4097 4098 1096834 4097->4098 4099 10939e8 __mtdeletelocks 69 API calls 4098->4099 4100 109683c 4099->4100 4101 10939e8 __mtdeletelocks 69 API calls 4100->4101 4102 1096844 4101->4102 4103 10939e8 __mtdeletelocks 69 API calls 4102->4103 4104 109684c 4103->4104 4105 10939e8 __mtdeletelocks 69 API calls 4104->4105 4106 1096854 4105->4106 4107 10939e8 __mtdeletelocks 69 API calls 4106->4107 4108 109685c 4107->4108 4109 10939e8 __mtdeletelocks 69 API calls 4108->4109 4110 1096864 4109->4110 4111 10939e8 __mtdeletelocks 69 API calls 4110->4111 4112 109686f 4111->4112 4113 10939e8 __mtdeletelocks 69 API calls 4112->4113 4114 1096877 4113->4114 4115 10939e8 __mtdeletelocks 69 API calls 4114->4115 4116 109687f 4115->4116 4117 10939e8 __mtdeletelocks 69 API calls 4116->4117 4118 1096887 4117->4118 4119 10939e8 __mtdeletelocks 69 API calls 4118->4119 4120 109688f 4119->4120 4121 10939e8 __mtdeletelocks 69 API calls 4120->4121 4122 1096897 4121->4122 4123 10939e8 __mtdeletelocks 69 API calls 4122->4123 4124 109689f 4123->4124 4125 10939e8 __mtdeletelocks 69 API calls 4124->4125 4126 10968a7 4125->4126 4127 10939e8 __mtdeletelocks 69 API calls 4126->4127 4128 10968af 4127->4128 4129 10939e8 __mtdeletelocks 69 API calls 4128->4129 4130 10968b7 4129->4130 4131 10939e8 __mtdeletelocks 69 API calls 4130->4131 4132 10968bf 4131->4132 4133 10939e8 __mtdeletelocks 69 API calls 4132->4133 4134 10968c7 4133->4134 4135 10939e8 __mtdeletelocks 69 API calls 4134->4135 4136 10968cf 4135->4136 4137 10939e8 __mtdeletelocks 69 API calls 4136->4137 4138 10968d7 4137->4138 4139 10939e8 __mtdeletelocks 69 API calls 4138->4139 4140 10968df 4139->4140 4141 10939e8 __mtdeletelocks 69 API calls 4140->4141 4142 10968e7 4141->4142 4143 10939e8 __mtdeletelocks 69 API calls 4142->4143 4144 10968f5 4143->4144 4145 10939e8 __mtdeletelocks 69 API calls 4144->4145 4146 1096900 4145->4146 4147 10939e8 __mtdeletelocks 
69 API calls 4146->4147 4148 109690b 4147->4148 4149 10939e8 __mtdeletelocks 69 API calls 4148->4149 4150 1096916 4149->4150 4151 10939e8 __mtdeletelocks 69 API calls 4150->4151 4152 1096921 4151->4152 4153 10939e8 __mtdeletelocks 69 API calls 4152->4153 4154 109692c 4153->4154 4155 10939e8 __mtdeletelocks 69 API calls 4154->4155 4156 1096937 4155->4156 4157 10939e8 __mtdeletelocks 69 API calls 4156->4157 4158 1096942 4157->4158 4159 10939e8 __mtdeletelocks 69 API calls 4158->4159 4160 109694d 4159->4160 4161 10939e8 __mtdeletelocks 69 API calls 4160->4161 4162 1096958 4161->4162 4163 10939e8 __mtdeletelocks 69 API calls 4162->4163 4163->4164 4164->4037 4165->4008 4169 109168e LeaveCriticalSection 4166->4169 4168 1094e38 4168->3993 4169->4168 4171 10950a7 _doexit 4170->4171 4172 1093605 __getptd 69 API calls 4171->4172 4173 10950b0 4172->4173 4174 1094d96 _LocaleUpdate::_LocaleUpdate 71 API calls 4173->4174 4175 10950ba 4174->4175 4201 1094e3a 4175->4201 4178 1093a76 __malloc_crt 69 API calls 4180 10950db 4178->4180 4179 10951fa _doexit 4179->3946 4180->4179 4208 1094eb6 4180->4208 4183 109510b InterlockedDecrement 4185 109511b 4183->4185 4186 109512c InterlockedIncrement 4183->4186 4184 1095207 4184->4179 4187 109521a 4184->4187 4189 10939e8 __mtdeletelocks 69 API calls 4184->4189 4185->4186 4191 10939e8 __mtdeletelocks 69 API calls 4185->4191 4186->4179 4188 1095142 4186->4188 4190 10929da _malloc 69 API calls 4187->4190 4188->4179 4193 1091768 __lock 69 API calls 4188->4193 4189->4187 4190->4179 4192 109512b 4191->4192 4192->4186 4195 1095156 InterlockedDecrement 4193->4195 4196 10951d2 4195->4196 4197 10951e5 InterlockedIncrement 4195->4197 4196->4197 4199 10939e8 __mtdeletelocks 69 API calls 4196->4199 4218 10951fc 4197->4218 4200 10951e4 4199->4200 4200->4197 4202 1094a7e _LocaleUpdate::_LocaleUpdate 79 API calls 4201->4202 4203 1094e4e 4202->4203 4204 1094e59 GetOEMCP 4203->4204 4205 1094e77 4203->4205 4207 1094e69 4204->4207 4206 1094e7c GetACP 4205->4206 
4205->4207 4206->4207 4207->4178 4207->4179 4209 1094e3a getSystemCP 81 API calls 4208->4209 4210 1094ed6 4209->4210 4211 1094ee1 setSBCS 4210->4211 4214 1094f25 IsValidCodePage 4210->4214 4217 1094f4a _memset __setmbcp_nolock 4210->4217 4212 109120d ___convertcp 5 API calls 4211->4212 4213 1095099 4212->4213 4213->4183 4213->4184 4214->4211 4215 1094f37 GetCPInfo 4214->4215 4215->4211 4215->4217 4221 1094c03 GetCPInfo 4217->4221 4352 109168e LeaveCriticalSection 4218->4352 4220 1095203 4220->4179 4222 1094c37 _memset 4221->4222 4230 1094ce9 4221->4230 4231 1096792 4222->4231 4226 109120d ___convertcp 5 API calls 4228 1094d94 4226->4228 4228->4217 4229 1096593 ___crtLCMapStringA 102 API calls 4229->4230 4230->4226 4232 1094a7e _LocaleUpdate::_LocaleUpdate 79 API calls 4231->4232 4233 10967a5 4232->4233 4241 10965d8 4233->4241 4236 1096593 4237 1094a7e _LocaleUpdate::_LocaleUpdate 79 API calls 4236->4237 4238 10965a6 4237->4238 4307 10961ee 4238->4307 4242 10965f9 GetStringTypeW 4241->4242 4243 1096624 4241->4243 4244 1096619 GetLastError 4242->4244 4245 1096611 4242->4245 4243->4245 4246 109670b 4243->4246 4244->4243 4247 109665d MultiByteToWideChar 4245->4247 4258 1096705 4245->4258 4269 1096d2c GetLocaleInfoA 4246->4269 4254 109668a 4247->4254 4247->4258 4249 109120d ___convertcp 5 API calls 4251 1094ca4 4249->4251 4251->4236 4252 109669f _memset __alloca_probe_16 4257 10966d8 MultiByteToWideChar 4252->4257 4252->4258 4253 109675c GetStringTypeA 4253->4258 4259 1096777 4253->4259 4254->4252 4255 109126b _malloc 69 API calls 4254->4255 4255->4252 4261 10966ff 4257->4261 4262 10966ee GetStringTypeW 4257->4262 4258->4249 4263 10939e8 __mtdeletelocks 69 API calls 4259->4263 4265 10961ce 4261->4265 4262->4261 4263->4258 4266 10961eb 4265->4266 4267 10961da 4265->4267 4266->4258 4267->4266 4268 10939e8 __mtdeletelocks 69 API calls 4267->4268 4268->4266 4270 1096d5a 4269->4270 4271 1096d5f 4269->4271 4273 109120d ___convertcp 5 API calls 4270->4273 4300 1096f61 
4271->4300 4274 109672f 4273->4274 4274->4253 4274->4258 4275 1096d75 4274->4275 4276 1096db5 GetCPInfo 4275->4276 4277 1096e3f 4275->4277 4278 1096e2a MultiByteToWideChar 4276->4278 4279 1096dcc 4276->4279 4280 109120d ___convertcp 5 API calls 4277->4280 4278->4277 4284 1096de5 _strlen 4278->4284 4279->4278 4281 1096dd2 GetCPInfo 4279->4281 4282 1096750 4280->4282 4281->4278 4283 1096ddf 4281->4283 4282->4253 4282->4258 4283->4278 4283->4284 4285 109126b _malloc 69 API calls 4284->4285 4287 1096e17 _memset __alloca_probe_16 4284->4287 4285->4287 4286 1096e74 MultiByteToWideChar 4288 1096e8c 4286->4288 4299 1096eab 4286->4299 4287->4277 4287->4286 4290 1096eb0 4288->4290 4291 1096e93 WideCharToMultiByte 4288->4291 4289 10961ce ___convertcp 69 API calls 4289->4277 4292 1096ebb WideCharToMultiByte 4290->4292 4293 1096ecf 4290->4293 4291->4299 4292->4293 4292->4299 4294 1093abb __calloc_crt 69 API calls 4293->4294 4295 1096ed7 4294->4295 4296 1096ee0 WideCharToMultiByte 4295->4296 4295->4299 4297 1096ef2 4296->4297 4296->4299 4298 10939e8 __mtdeletelocks 69 API calls 4297->4298 4298->4299 4299->4289 4303 10971da 4300->4303 4304 10971f3 4303->4304 4305 1096fab strtoxl 93 API calls 4304->4305 4306 1096f72 4305->4306 4306->4270 4308 109620f 4307->4308 4311 109622a 4307->4311 4309 1096232 GetLastError 4308->4309 4308->4311 4309->4311 4310 1096284 4313 109629d MultiByteToWideChar 4310->4313 4336 109641f 4310->4336 4311->4310 4312 1096428 4311->4312 4314 1096d2c __crtLCMapStringA_stat 93 API calls 4312->4314 4323 10962ca 4313->4323 4313->4336 4316 1096450 4314->4316 4315 109120d ___convertcp 5 API calls 4317 1094cc4 4315->4317 4318 1096469 4316->4318 4319 1096544 LCMapStringA 4316->4319 4316->4336 4317->4229 4321 1096d75 ___convertcp 76 API calls 4318->4321 4320 10964a0 4319->4320 4324 109656b 4320->4324 4329 10939e8 __mtdeletelocks 69 API calls 4320->4329 4326 109647b 4321->4326 4322 109631b MultiByteToWideChar 4327 1096334 LCMapStringW 4322->4327 4328 1096416 4322->4328 
4325 109126b _malloc 69 API calls 4323->4325 4333 10962e3 __alloca_probe_16 4323->4333 4335 10939e8 __mtdeletelocks 69 API calls 4324->4335 4324->4336 4325->4333 4330 1096485 LCMapStringA 4326->4330 4326->4336 4327->4328 4332 1096355 4327->4332 4331 10961ce ___convertcp 69 API calls 4328->4331 4329->4324 4330->4320 4339 10964a7 4330->4339 4331->4336 4334 109635e 4332->4334 4338 1096387 4332->4338 4333->4322 4333->4336 4334->4328 4337 1096370 LCMapStringW 4334->4337 4335->4336 4336->4315 4337->4328 4340 109126b _malloc 69 API calls 4338->4340 4346 10963a2 __alloca_probe_16 4338->4346 4341 10964b8 _memset __alloca_probe_16 4339->4341 4342 109126b _malloc 69 API calls 4339->4342 4340->4346 4341->4320 4343 10964f6 LCMapStringA 4341->4343 4342->4341 4344 1096512 4343->4344 4345 1096516 4343->4345 4351 10961ce ___convertcp 69 API calls 4344->4351 4349 1096d75 ___convertcp 76 API calls 4345->4349 4346->4328 4347 1096410 4346->4347 4350 10963ff WideCharToMultiByte 4346->4350 4348 10961ce ___convertcp 69 API calls 4347->4348 4348->4328 4349->4344 4350->4347 4351->4320 4352->4220 4354 1094411 4353->4354 4355 109333e __encode_pointer 7 API calls 4354->4355 4356 1094429 4354->4356 4355->4354 4356->3515 4360 10943b8 4357->4360 4359 1094401 4359->3517 4361 10943c4 _doexit 4360->4361 4368 1092518 4361->4368 4367 10943e5 _doexit 4367->4359 4369 1091768 __lock 69 API calls 4368->4369 4370 109251f 4369->4370 4371 10942cd 4370->4371 4372 10933b9 __decode_pointer 7 API calls 4371->4372 4373 10942e1 4372->4373 4374 10933b9 __decode_pointer 7 API calls 4373->4374 4376 10942f1 4374->4376 4375 1094374 4391 10943ee 4375->4391 4376->4375 4394 109600b 4376->4394 4378 109430f 4379 109435b 4378->4379 4381 1094339 4378->4381 4382 109432a 4378->4382 4380 109333e __encode_pointer 7 API calls 4379->4380 4383 1094369 4380->4383 4381->4375 4385 1094333 4381->4385 4407 1093b07 4382->4407 4386 109333e __encode_pointer 7 API calls 4383->4386 4385->4381 4387 1093b07 __realloc_crt 75 API calls 4385->4387 
4388 109434f 4385->4388 4386->4375 4389 1094349 4387->4389 4390 109333e __encode_pointer 7 API calls 4388->4390 4389->4375 4389->4388 4390->4379 4456 1092521 4391->4456 4395 1096017 _doexit 4394->4395 4396 1096044 4395->4396 4397 1096027 4395->4397 4398 1096085 HeapSize 4396->4398 4400 1091768 __lock 69 API calls 4396->4400 4399 10929da _malloc 69 API calls 4397->4399 4404 109603c _doexit 4398->4404 4401 109602c 4399->4401 4403 1096054 ___sbh_find_block 4400->4403 4402 1093c8c _strcat_s 7 API calls 4401->4402 4402->4404 4412 10960a5 4403->4412 4404->4378 4410 1093b10 4407->4410 4409 1093b4f 4409->4385 4410->4409 4411 1093b30 Sleep 4410->4411 4416 1095a08 4410->4416 4411->4410 4415 109168e LeaveCriticalSection 4412->4415 4414 1096080 4414->4398 4414->4404 4415->4414 4417 1095a14 _doexit 4416->4417 4418 1095a29 4417->4418 4419 1095a1b 4417->4419 4421 1095a3c 4418->4421 4422 1095a30 4418->4422 4420 109126b _malloc 69 API calls 4419->4420 4442 1095a23 _doexit _realloc 4420->4442 4428 1095bae 4421->4428 4443 1095a49 ___sbh_resize_block _realloc ___sbh_find_block 4421->4443 4423 10939e8 __mtdeletelocks 69 API calls 4422->4423 4423->4442 4424 1095be1 4426 10929fc _malloc 7 API calls 4424->4426 4425 1095bb3 HeapReAlloc 4425->4428 4425->4442 4429 1095be7 4426->4429 4427 1091768 __lock 69 API calls 4427->4443 4428->4424 4428->4425 4431 1095c05 4428->4431 4432 10929fc _malloc 7 API calls 4428->4432 4434 1095bfb 4428->4434 4430 10929da _malloc 69 API calls 4429->4430 4430->4442 4433 10929da _malloc 69 API calls 4431->4433 4431->4442 4432->4428 4435 1095c0e GetLastError 4433->4435 4437 10929da _malloc 69 API calls 4434->4437 4435->4442 4450 1095b7c 4437->4450 4438 1095ad4 HeapAlloc 4438->4443 4439 1095b29 HeapReAlloc 4439->4443 4440 1095b81 GetLastError 4440->4442 4441 1091f7a ___sbh_alloc_block 5 API calls 4441->4443 4442->4410 4443->4424 4443->4427 4443->4438 4443->4439 4443->4441 4443->4442 4444 1095b94 4443->4444 4445 10929fc _malloc 7 API calls 4443->4445 4448 1095b77 
4443->4448 4451 10917cb VirtualFree VirtualFree HeapFree __VEC_memcpy ___sbh_free_block 4443->4451 4452 1095b4c 4443->4452 4444->4442 4446 10929da _malloc 69 API calls 4444->4446 4445->4443 4447 1095ba1 4446->4447 4447->4435 4447->4442 4449 10929da _malloc 69 API calls 4448->4449 4449->4450 4450->4440 4450->4442 4451->4443 4455 109168e LeaveCriticalSection 4452->4455 4454 1095b53 4454->4443 4455->4454 4459 109168e LeaveCriticalSection 4456->4459 4458 1092528 4458->4367 4459->4458 4461 109101f 4460->4461 4462 1091035 lstrlenA 4461->4462 4462->4462 4463 1091059 4462->4463 4464 109126b _malloc 69 API calls 4463->4464 4465 1091063 GetModuleHandleA GetProcAddress 4464->4465 4466 109109c 4465->4466 4467 109126b _malloc 69 API calls 4466->4467 4471 10910af _realloc 4467->4471 4468 1091101 VirtualProtect 4472 1091129 4468->4472 4469 1091191 LoadLibraryA 4469->4472 4470 10911df 4470->3402 4470->3542 4471->4468 4472->4469 4472->4470 4473 10911bb GetProcAddress 4472->4473 4473->4472 4475 10925fc _doexit 4474->4475 4476 1091768 __lock 69 API calls 4475->4476 4478 1092603 4476->4478 4480 10933b9 __decode_pointer 7 API calls 4478->4480 4484 10926bc __initterm 4478->4484 4482 109263a 4480->4482 4481 1092704 _doexit 4481->3544 4482->4484 4486 10933b9 __decode_pointer 7 API calls 4482->4486 4491 1092707 4484->4491 4485 10926fb 4487 1092500 _doexit 3 API calls 4485->4487 4489 109264f 4486->4489 4487->4481 4488 10933b0 7 API calls _doexit 4488->4489 4489->4484 4489->4488 4490 10933b9 7 API calls __decode_pointer 4489->4490 4490->4489 4492 109270d 4491->4492 4494 10926e8 4491->4494 4496 109168e LeaveCriticalSection 4492->4496 4494->4481 4495 109168e LeaveCriticalSection 4494->4495 4495->4485 4496->4494 4662 1094450 4663 1094453 4662->4663 4664 10960b7 _abort 71 API calls 4663->4664 4665 109445f _doexit 4664->4665 4666 1095ed4 RtlUnwind 4623 1091637 4624 1091647 4623->4624 4625 1091653 DeleteCriticalSection 4624->4625 4626 109166b 4624->4626 4627 10939e8 __mtdeletelocks 69 API calls 
4625->4627 4628 109167d DeleteCriticalSection 4626->4628 4629 109168b 4626->4629 4627->4624 4628->4626

    Executed Functions

    Control-flow Graph

    APIs
    • OutputDebugStringW.KERNELBASE(Salut la scene de l'hexagone de la part de votre meilleur ami. Depuis Skopje, 06/06/2019), ref: 0109100C
    • GetKeyboardLayout.USER32(00000000), ref: 01091015
    • lstrlenA.KERNEL32(JhNL121jlUAVQBqa6T88S4BXvirw2PXL), ref: 0109103A
    • _malloc.LIBCMT ref: 0109105E
    • GetModuleHandleA.KERNEL32(ntdll,RtlDecompressBuffer), ref: 01091072
    • GetProcAddress.KERNEL32(00000000), ref: 01091079
    • _malloc.LIBCMT ref: 010910AA
    • VirtualProtect.KERNEL32(00000000,?,00000040,?), ref: 0109110D
    Strings
    • RtlDecompressBuffer, xrefs: 01091066
    • JhNL121jlUAVQBqa6T88S4BXvirw2PXL, xrefs: 01091035, 01091045
    • Salut la scene de l'hexagone de la part de votre meilleur ami. Depuis Skopje, 06/06/2019, xrefs: 01091007
    • ntdll, xrefs: 0109106B
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: _malloc$AddressDebugHandleKeyboardLayoutModuleOutputProcProtectStringVirtuallstrlen
    • String ID: JhNL121jlUAVQBqa6T88S4BXvirw2PXL$RtlDecompressBuffer$Salut la scene de l'hexagone de la part de votre meilleur ami. Depuis Skopje, 06/06/2019$ntdll
    • API String ID: 2917901339-765280124
    • Opcode ID: 517781e4a7ab18d2f4fae7ea1eb9369228bea58d0e20e8d82ac2ade4fa0fb288
    • Instruction ID: 6f99394cf70af3179dfc535c8d805af62ed21ebf4034de3e5ea86f7413f0f11e
    • Opcode Fuzzy Hash: 517781e4a7ab18d2f4fae7ea1eb9369228bea58d0e20e8d82ac2ade4fa0fb288
    • Instruction Fuzzy Hash: CF51FFB170030AAFDB20CF69CCA4BAAB7A5FF85324F048469F99987341D335E815DB90
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph (rendered graphic not included; recovered nodes and edges)

    • Node 38: 1094387-1094396, calls 1093abb and 109333e; edge to 42
    • Node 42: 109439b-10943aa; edges to 43 and 44
    • Node 43: 10943ac-10943b0
    • Node 44: 10943b1-10943b7
    APIs
    • __calloc_crt.LIBCMT ref: 0109438E
      • Part of subcall function 01093ABB: __calloc_impl.LIBCMT ref: 01093ACC
      • Part of subcall function 01093ABB: Sleep.KERNEL32(00000000), ref: 01093AE3
    • __encode_pointer.LIBCMT ref: 01094396
      • Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093350
      • Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000003,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093367
      • Part of subcall function 0109333E: RtlEncodePointer.NTDLL(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 010933A5
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: Value$EncodePointerSleep__calloc_crt__calloc_impl__encode_pointer
    • String ID:
    • API String ID: 2812158048-0
    • Opcode ID: 226acbb921075ca572401cc3be91de767efa0c3ee5bc0a07dc076e8757f62525
    • Instruction ID: 690b4f4d15878ef23a0e6b268c490db9a4dabff490f178e3c05331a655db4d1a
    • Opcode Fuzzy Hash: 226acbb921075ca572401cc3be91de767efa0c3ee5bc0a07dc076e8757f62525
    • Instruction Fuzzy Hash: 0DD05B73D456251AEFB196357C157D936D0D740770F11C166E544DE284EF60484257C0
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph (rendered graphic not included; recovered nodes and edges)

    • Node 45: 109244c-109246e, HeapCreate; edges to 46 and 47
    • Node 46: 1092470-1092471
    • Node 47: 1092472-109247b
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 01092461
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: 55b297b39118319f1b8980d8d675db49fe7a880871e4b6be3750bdc86a99c332
    • Instruction ID: 005c2c854da20e029e1987db6445d1c972bb01490cbbd63c57f779f88f09c402
    • Opcode Fuzzy Hash: 55b297b39118319f1b8980d8d675db49fe7a880871e4b6be3750bdc86a99c332
    • Instruction Fuzzy Hash: D9D05E76554309AADB619E766C08B623BDC9385395F10C436B95CCA144FA78C5509F00
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph

    APIs
      • Part of subcall function 01092518: __lock.LIBCMT ref: 0109251A
    • __onexit_nolock.LIBCMT ref: 010943D0
      • Part of subcall function 010942CD: __decode_pointer.LIBCMT ref: 010942DC
      • Part of subcall function 010942CD: __decode_pointer.LIBCMT ref: 010942EC
      • Part of subcall function 010942CD: __msize.LIBCMT ref: 0109430A
      • Part of subcall function 010942CD: __realloc_crt.LIBCMT ref: 0109432E
      • Part of subcall function 010942CD: __realloc_crt.LIBCMT ref: 01094344
      • Part of subcall function 010942CD: __encode_pointer.LIBCMT ref: 01094356
      • Part of subcall function 010942CD: __encode_pointer.LIBCMT ref: 01094364
      • Part of subcall function 010942CD: __encode_pointer.LIBCMT ref: 0109436F
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
    • String ID:
    • API String ID: 1316407801-0
    • Opcode ID: e079d7076ebf568266cbacfdf6e9732690663e7b3985c759d0bd2b54dcfd0ad5
    • Instruction ID: 1f949755b19a22eecf1036e8de071498472f4f8868bf6b429ffe43d545c1840c
    • Opcode Fuzzy Hash: e079d7076ebf568266cbacfdf6e9732690663e7b3985c759d0bd2b54dcfd0ad5
    • Instruction Fuzzy Hash: 4AD05E71C0230ABAEF10BBB4C960BCE76707F20321FA08288A0E0A60D0CA744602BB41
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph (rendered graphic not included; recovered nodes)

    • Node 59: 1094465-1094475, calls 109333e
    APIs
    • __encode_pointer.LIBCMT ref: 0109446A
      • Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093350
      • Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000003,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093367
      • Part of subcall function 0109333E: RtlEncodePointer.NTDLL(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 010933A5
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: Value$EncodePointer__encode_pointer
    • String ID:
    • API String ID: 2585649348-0
    • Opcode ID: bd475dd3a91cf132121601a8e4f13c01cfdc920b7f9ed5e856f71acf36cbaaaf
    • Instruction ID: 02d088ff2abdf414b873dbd36b003354c8cc12b3d011a5ebaa3615f4e8312f8d
    • Opcode Fuzzy Hash: bd475dd3a91cf132121601a8e4f13c01cfdc920b7f9ed5e856f71acf36cbaaaf
    • Instruction Fuzzy Hash: 02A002A29C6246494F546BB6BE3258426D07595652750E25EF0A8CE248DFA000517A15
    Uniqueness

    Uniqueness Score: -1,00%

    Control-flow Graph (rendered graphic not included; recovered nodes)

    • Node 62: 10933b0-10933b8, calls 109333e
    APIs
    • __encode_pointer.LIBCMT ref: 010933B2
      • Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093350
      • Part of subcall function 0109333E: TlsGetValue.KERNEL32(00000003,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 01093367
      • Part of subcall function 0109333E: RtlEncodePointer.NTDLL(00000000,?,010933B7,00000000,010946B6,016EB548,00000000,00000314,?,01092923,016EB548,Microsoft Visual C++ Runtime Library,00012010), ref: 010933A5
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: Value$EncodePointer__encode_pointer
    • String ID:
    • API String ID: 2585649348-0
    • Opcode ID: 47b9a5247b9d3b2232a05d43e38ee8037fc72fdec48eb7539effcff6c66b4fbc
    • Instruction ID: 037c1d300b38c76fdc58ad587e1d62720e1385852740713e3a02524a045eb3d5
    • Opcode Fuzzy Hash: 47b9a5247b9d3b2232a05d43e38ee8037fc72fdec48eb7539effcff6c66b4fbc
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1,00%

    Non-executed Functions

    APIs
    • IsDebuggerPresent.KERNEL32 ref: 010915A1
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 010915B6
    • UnhandledExceptionFilter.KERNEL32(0109814C), ref: 010915C1
    • GetCurrentProcess.KERNEL32(C0000409), ref: 010915DD
    • TerminateProcess.KERNEL32(00000000), ref: 010915E4
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
    • String ID:
    • API String ID: 2579439406-0
    • Opcode ID: 47a8569a142b8be9175a7df26f41a24118ba4b45052d50173fbf3ae54428a015
    • Instruction ID: 158be9274d5d7e5af2fdf97ff41aaf896b92a7caaf246161019fd555998a998c
    • Opcode Fuzzy Hash: 47a8569a142b8be9175a7df26f41a24118ba4b45052d50173fbf3ae54428a015
    • Instruction Fuzzy Hash: 612123B4900209DFDB71DF24FD5A6883BF0BB49322F40621AE5498F358E7B5A9A4CF04
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,00000000), ref: 01096D50
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: d542dcd3b4e06b9419035c1b7e16c3fc1328cfe56b8fc90685bf38ae765a955c
    • Instruction ID: 038029e93591d03c46b205434be772a3dfaa706c5ad60451dcdb916af5d1ee58
    • Opcode Fuzzy Hash: d542dcd3b4e06b9419035c1b7e16c3fc1328cfe56b8fc90685bf38ae765a955c
    • Instruction Fuzzy Hash: ADF0ED30A0420CAECF10EBB8C824BAE7BA8AB48324F4041A9F5A1DA2C0DA729604D710
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • __getptd.LIBCMT ref: 01094DA2
      • Part of subcall function 01093605: __getptd_noexit.LIBCMT ref: 01093608
      • Part of subcall function 01093605: __amsg_exit.LIBCMT ref: 01093615
    • __amsg_exit.LIBCMT ref: 01094DC2
    • __lock.LIBCMT ref: 01094DD2
    • InterlockedDecrement.KERNEL32(?), ref: 01094DEF
    • InterlockedIncrement.KERNEL32(00641690), ref: 01094E1A
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
    • String ID:
    • API String ID: 4271482742-0
    • Opcode ID: 4a14a1dc4b897edc68df21453a04259b5bf87e41b597c172075473a8f662b7c7
    • Instruction ID: f6f148408252fc2b8723cb07679de74def5c8b4709b99c19183b5d92c4a85d93
    • Opcode Fuzzy Hash: 4a14a1dc4b897edc68df21453a04259b5bf87e41b597c172075473a8f662b7c7
    • Instruction Fuzzy Hash: 4A010432E4A716EBDF61AF28912578EB7E0BF04721F014049E4D0E7280C7786943EBD1
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • __lock.LIBCMT ref: 01093A06
      • Part of subcall function 01091768: __mtinitlocknum.LIBCMT ref: 0109177E
      • Part of subcall function 01091768: __amsg_exit.LIBCMT ref: 0109178A
      • Part of subcall function 01091768: EnterCriticalSection.KERNEL32(?,?,?,0109596B,00000004,01099668,0000000C,01093AD1,?,?,00000000,00000000,00000000,?,010935B7,00000001), ref: 01091792
    • ___sbh_find_block.LIBCMT ref: 01093A11
    • ___sbh_free_block.LIBCMT ref: 01093A20
    • HeapFree.KERNEL32(00000000,?,01099568), ref: 01093A50
    • GetLastError.KERNEL32(?,0109596B,00000004,01099668,0000000C,01093AD1,?,?,00000000,00000000,00000000,?,010935B7,00000001,00000214), ref: 01093A61
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
    • String ID:
    • API String ID: 2714421763-0
    • Opcode ID: 41c6cc0237cd49862e55be84a8a65958311b0005b07422c7a69581aed153eb5a
    • Instruction ID: bd7148797fb667f266170f264c0ec27ca972b173306cf87503220209571a2b40
    • Opcode Fuzzy Hash: 41c6cc0237cd49862e55be84a8a65958311b0005b07422c7a69581aed153eb5a
    • Instruction Fuzzy Hash: 59018F31D01207AAEF31ABB49C28B9E7AA4BF10B60F204149F1C1AA184CA398580AF55
    Uniqueness

    Uniqueness Score: -1,00%

    APIs
    • __getptd.LIBCMT ref: 01095880
      • Part of subcall function 01093605: __getptd_noexit.LIBCMT ref: 01093608
      • Part of subcall function 01093605: __amsg_exit.LIBCMT ref: 01093615
    • __getptd.LIBCMT ref: 01095897
    • __amsg_exit.LIBCMT ref: 010958A5
    • __lock.LIBCMT ref: 010958B5
    Memory Dump Source
    • Source File: 00000000.00000002.1671252846.01091000.00000020.sdmp, Offset: 01090000, based on PE: true
    • Associated: 00000000.00000002.1671247806.01090000.00000002.sdmp
    • Associated: 00000000.00000002.1671260044.01098000.00000002.sdmp
    • Associated: 00000000.00000002.1671265307.0109A000.00000004.sdmp
    • Associated: 00000000.00000002.1671271050.0109B000.00000008.sdmp
    • Associated: 00000000.00000002.1672060659.016EB000.00000004.sdmp
    • Associated: 00000000.00000002.1672067476.016EC000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1090000_evatest2.jbxd
    Yara matches
    Similarity
    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
    • String ID:
    • API String ID: 3521780317-0
    • Opcode ID: 6795282b0b9725a4ce6dcbc82f3fa518d85de902d0cdee0ae786dafd6c425d78
    • Instruction ID: ddb5a4d9ee631932785ef154fc9c263fbc55af83f5395e40211ac69467d1396d
    • Opcode Fuzzy Hash: 6795282b0b9725a4ce6dcbc82f3fa518d85de902d0cdee0ae786dafd6c425d78
    • Instruction Fuzzy Hash: F1F06D32A417029BEF62BBAA892179E77E47B14720F01414AC5C0AF2D0CB349901EB92
    Uniqueness

    Uniqueness Score: -1,00%