Windows Analysis Report
stopka2017.exe

Overview

General Information

Sample name:stopka2017.exe
Analysis ID:1467972
MD5:68d9fe381653db089a1e64d02f6177e6
SHA1:9b7655142f01fd2b6b5c964f640404fb72b0e3b5
SHA256:63afd59bc83f6d3742a63702fa0b0eaa452471a814c4dcf416801475b4b15ae7
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Creates HTA files
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Execution From GUID Like Folder Names
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • stopka2017.exe (PID: 6244 cmdline: "C:\Users\user\Desktop\stopka2017.exe" MD5: 68D9FE381653DB089A1E64D02F6177E6)
    • mshta.exe (PID: 5168 cmdline: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", CommandLine: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\stopka2017.exe", ParentImage: C:\Users\user\Desktop\stopka2017.exe, ParentProcessId: 6244, ParentProcessName: stopka2017.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", ProcessId: 5168, ProcessName: mshta.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", CommandLine: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\stopka2017.exe", ParentImage: C:\Users\user\Desktop\stopka2017.exe, ParentProcessId: 6244, ParentProcessName: stopka2017.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", ProcessId: 5168, ProcessName: mshta.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", CommandLine: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\stopka2017.exe", ParentImage: C:\Users\user\Desktop\stopka2017.exe, ParentProcessId: 6244, ParentProcessName: stopka2017.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta", ProcessId: 5168, ProcessName: mshta.exe
No Snort rule has matched


AV Detection

Source: stopka2017.exe | Virustotal: Detection: 13%
Source: stopka2017.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Projets\vbsedit_source\script2exe\Release\hta2exe.pdb source: stopka2017.exe
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00409F80 FindFirstFileW,FindClose

System Summary

Source: C:\Users\user\Desktop\stopka2017.exe | File created: C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_004060A9
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: stopka2017.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_0040A030 SHGetFolderPathW,FindResourceW,LoadResource,LockResource,SizeofResource,_memset,SHCreateDirectoryExW,_swprintf,SHCreateDirectoryExW,CreateFileW,FindResourceW,LoadResource,SizeofResource,LockResource,WriteFile,FreeResource,CloseHandle,GetDesktopWindow,MessageBoxW,ShellExecuteW
Source: C:\Users\user\Desktop\stopka2017.exe | File created: C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}
Source: C:\Users\user\Desktop\stopka2017.exe | Command line argument: \Temp (0_2_0040A030)
Source: C:\Users\user\Desktop\stopka2017.exe | Command line argument: #129 (0_2_0040A030)
Source: C:\Users\user\Desktop\stopka2017.exe | Command line argument: #%d (0_2_0040A030)
Source: C:\Users\user\Desktop\stopka2017.exe | Command line argument: HtaEdit (0_2_0040A030)
Source: C:\Users\user\Desktop\stopka2017.exe | Command line argument: mshta.exe (0_2_0040A030)
Source: C:\Users\user\Desktop\stopka2017.exe | Command line argument: open (0_2_0040A030)
Source: stopka2017.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\stopka2017.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\stopka2017.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: stopka2017.exe | Virustotal: Detection: 13%
Source: unknown | Process created: C:\Users\user\Desktop\stopka2017.exe "C:\Users\user\Desktop\stopka2017.exe"
Source: C:\Users\user\Desktop\stopka2017.exe | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta"
Source: C:\Users\user\Desktop\stopka2017.exe | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta"
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: adsldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\stopka2017.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: stopka2017.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Projets\vbsedit_source\script2exe\Release\hta2exe.pdb source: stopka2017.exe
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00407665 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
Source: stopka2017.exe | Static PE information: real checksum: 0x1822d should be: 0x4e895
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00404145 push ecx; ret 0_2_00404158
Source: C:\Users\user\Desktop\stopka2017.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\stopka2017.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-4674)
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00409F80 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00407665 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00402437 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00407A9F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_00404778 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\stopka2017.exe | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta"
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: GetLocaleInfoA (0_2_004097E2)
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\stopka2017.exe | Code function: 0_2_0040103B GetSystemTimeAsFileTime,__aulldiv
MITRE ATT&CK Matrix (a leading number is the count of matching signatures; cells without a number are unmatched placeholder techniques)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Mshta | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Source | Detection | Scanner | Label
stopka2017.exe | 13% | Virustotal |
stopka2017.exe | 6% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467972
Start date and time:2024-07-05 07:36:12 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:stopka2017.exe
Detection:MAL
Classification:mal60.winEXE@3/1@0/0
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 7
  • Number of non-executed functions: 9
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, 6.d.a.8.b.e.f.b.0.0.0.0.0.0.0.0.4.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target mshta.exe, PID 5168 because there are no executed function
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:36:58 | API Interceptor | 1x Sleep call for process: mshta.exe modified
No context
No context
No context
No context
No context
Process:C:\Users\user\Desktop\stopka2017.exe
File Type:HTML document, Non-ISO extended-ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4175
Entropy (8bit):5.384071289809177
Encrypted:false
SSDEEP:96:h/henryHYGMzFwpvQapvQCBQDhvME9nlRcfo:WvzFwpvzpv7mDhvME9P
MD5:CC0B5911FE6E810A1190124770EA3607
SHA1:DAA3453841500B7FE090C205C64C6CBD20A0842C
SHA-256:9DC21ABCF71F028E9FF97FE52BAB5CB2FEB6B687DBBA36626DECCC80198AF5F7
SHA-512:DEA8CB6CCCAC423655FDBE7CA6D40D04CEFBB1226C04259FEF58EA410364FDF8F859CAAD99B1AC46524E69CFE8A08F19F3795FF6CD4EDD6739E2887C8DAE93BE
Malicious:true
Reputation:low
Preview: <html>.. <title>Stopka 2017</title>.. <head>.. <HTA:APPLICATION .. APPLICATIONNAME="Signature 2017".. BORDER="thin".. MAXIMIZEBUTTON="no".. SCROLL="yes".. SINGLEINSTANCE="yes".. WINDOWSTATE="normal".. ICON="stopka.ico">.. </head>.. .. <style>.. BODY.. {.. background-color: buttonface;.. Font: arial,sans-serif.. margin-top: 10px;.. margin-left: 20px;.. margin-right: 20px;.. margin-bottom: 5px;.. }.. .button.. {.. width: 91px;.. height: 25px;.. font-family: arial,sans-serif;.. font-size: 8pt;.. }.. td.. {.. font-family: arial,sans-serif;.. font-size: 10pt;.. } .. #scroll.. {.. height:100%;.. overflow:auto;.. }.. SELECT.FixedWidth .. {.. width: 17em; /* maybe use px for pixels or pt for points here */.. }.. </style>.. .. <script language="vbscript">.. .. Option Explicit .. .. Dim WinWidth : WinWidth = 370.. Dim WinHeight : WinHeight = 325.. Window.ResizeTo WinWidth, WinHeight.. .. Sub CheckRadioButtons.. 'If Radio(0).Checked Or Radio(1).Checked Then.. '.napis.value =
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):2.7359930855306023
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:stopka2017.exe
File size:321'536 bytes
MD5:68d9fe381653db089a1e64d02f6177e6
SHA1:9b7655142f01fd2b6b5c964f640404fb72b0e3b5
SHA256:63afd59bc83f6d3742a63702fa0b0eaa452471a814c4dcf416801475b4b15ae7
SHA512:b3f404e6fc850362072a321fa13a5c7bbad19079a5c01dde765ce6b78d7c0f6b8e206d7761d6c99212f3677e18e666e4a8a0439bb0f8fc97c48c3e43c188de45
SSDEEP:1536:iiv/NzFqFyRPCsLBPi6EczQVC3RbwSzKQ58/ztk:iMUqFLIddpQ58LO
TLSH:916483A369009835E86217B80131D9FA977F3EA839B1E20666E5FD377F331C15D62983
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.M.>.#G>.#G>.#G7..G..#G7..G/.#G7..GV.#G..XG9.#G>."G_.#G7..G<.#G ..G?.#G7..G?.#GRich>.#G........PE..L.....`R...................
Icon Hash:6f2b380f0323338e
Entrypoint:0x401d0e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x5260FEC8 [Fri Oct 18 09:26:32 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:f0d2a479b7bd825eb66677ed15d67759
Instruction
call 00007F54D919378Ch
jmp 00007F54D919058Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0040F0B8h], eax
mov dword ptr [0040F0B4h], ecx
mov dword ptr [0040F0B0h], edx
mov dword ptr [0040F0ACh], ebx
mov dword ptr [0040F0A8h], esi
mov dword ptr [0040F0A4h], edi
mov word ptr [0040F0D0h], ss
mov word ptr [0040F0C4h], cs
mov word ptr [0040F0A0h], ds
mov word ptr [0040F09Ch], es
mov word ptr [0040F098h], fs
mov word ptr [0040F094h], gs
pushfd
pop dword ptr [0040F0C8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040F0BCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0040F0C0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0040F0CCh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0040F008h], 00010001h
mov eax, dword ptr [0040F0C0h]
mov dword ptr [0040EFBCh], eax
mov dword ptr [0040EFB0h], C0000409h
mov dword ptr [0040EFB4h], 00000001h
mov eax, dword ptr [0040E048h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040E04Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000060h]
Programming Language:
  • [C++] VS2008 SP1 build 30729
  • [ASM] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2005 build 50727
  • [RES] VS2008 build 21022
  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd284 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x41098 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb190 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xccd0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x150 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x970d | 0x9800 | 374b689d059029b464ccc836a57bb089 | False | 0.6057514391447368 | data | 6.5499267773949255 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x29f8 | 0x2a00 | bab75a8a7792e29e923d5d9a1e767979 | False | 0.375 | data | 5.434401623855427 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x2c84 | 0x1000 | b7fff4fbd55494b0f90b7c9df8168291 | False | 0.217529296875 | data | 2.266296966661002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x11000 | 0x41098 | 0x41200 | 986b5c5602f3a2bcb56a035f6fc0913b | False | 0.05420015595009597 | data | 1.6247437156370073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11220 | 0x3e428 | Device independent bitmap graphic, 241 x 512 x 32, image size 246784, resolution 2834 x 2834 px/m | | | 0.04015826457947737
RT_ICON | 0x4f648 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2326454033771107
RT_ICON | 0x506f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.3608156028368794
RT_GROUP_ICON | 0x50b58 | 0x14 | data | | | 1.2
RT_VERSION | 0x50b6c | 0x1e4 | data | | | 0.506198347107438
RT_HTML | 0x50d50 | 0x6e | Unicode text, UTF-16, little-endian text, with no line terminators | | | 0.8
RT_HTML | 0x50dc0 | 0x104f | Non-ISO extended-ASCII text, with very long lines (850), with NEL line terminators | | | 0.3882634730538922
RT_MANIFEST | 0x51e10 | 0x12a | ASCII text, with no line terminators | | | 0.5838926174496645
RT_MANIFEST | 0x51f3c | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
DLL | Import
KERNEL32.dll | FindFirstFileW, FindClose, FindResourceW, LoadResource, LockResource, SizeofResource, CreateFileW, WriteFile, FreeResource, CloseHandle, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, GetSystemTimeAsFileTime, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapAlloc, RaiseException, HeapFree, GetStdHandle, GetModuleFileNameA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, RtlUnwind, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA
USER32.dll | MessageBoxW, GetDesktopWindow
SHELL32.dll | SHCreateDirectoryExW, SHGetFolderPathW, ShellExecuteW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 07:37:43.409583092 CEST | 53 | 49758 | 162.159.36.2 | 192.168.2.6
Jul 5, 2024 07:37:43.904211998 CEST | 53 | 56256 | 1.1.1.1 | 192.168.2.6
Target ID:0
Start time:01:36:57
Start date:05/07/2024
Path:C:\Users\user\Desktop\stopka2017.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\stopka2017.exe"
Imagebase:0x400000
File size:321'536 bytes
MD5 hash:68D9FE381653DB089A1E64D02F6177E6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:01:36:57
Start date:05/07/2024
Path:C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta"
Imagebase:0x900000
File size:13'312 bytes
MD5 hash:06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

    Execution Graph

    Execution Coverage:9.2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:7.1%
    Total number of Nodes:1658
    Total number of Limit Nodes:35
    execution_graph: node and edge listing of the 1658-node execution graph (graph data, not reproducible as text; omitted)
6196->6200 6198 4025c7 __close 66 API calls 6197->6198 6201 404575 6198->6201 6199->6194 6199->6197 6202 4045d7 6200->6202 6203 40453a __close 6200->6203 6205 401ae6 _raise 66 API calls 6200->6205 6204 40255f __close 6 API calls 6201->6204 6206 403f01 __lock 66 API calls 6202->6206 6207 4045e2 6202->6207 6203->6181 6204->6203 6205->6202 6206->6207 6208 401e90 _doexit 6 API calls 6207->6208 6209 404617 6207->6209 6208->6209 6211 40466d 6209->6211 6212 404673 6211->6212 6213 40467a 6211->6213 6215 403e27 LeaveCriticalSection 6212->6215 6213->6203 6215->6213 4634 401b91 4671 404100 4634->4671 4636 401b9d GetStartupInfoW 4639 401bc0 4636->4639 4672 404d5a HeapCreate 4639->4672 4642 401c10 4674 40222e GetModuleHandleW 4642->4674 4644 401c21 __RTC_Initialize 4708 404b06 4644->4708 4645 401b68 _fast_error_exit 66 API calls 4645->4644 4647 401c2f 4648 401c3b GetCommandLineW 4647->4648 4834 401860 4647->4834 4723 404aa9 GetEnvironmentStringsW 4648->4723 4652 401c4a 4732 4049fb GetModuleFileNameW 4652->4732 4655 401c5f 4738 4047cc 4655->4738 4656 401860 __amsg_exit 66 API calls 4656->4655 4659 401c70 4751 40191f 4659->4751 4661 401860 __amsg_exit 66 API calls 4661->4659 4662 401c77 4663 401860 __amsg_exit 66 API calls 4662->4663 4664 401c82 __wwincmdln 4662->4664 4663->4664 4757 40a030 4664->4757 4667 401cb1 4841 401afc 4667->4841 4670 401cb6 __close 4671->4636 4673 401c04 4672->4673 4673->4642 4826 401b68 4673->4826 4675 402242 4674->4675 4676 402249 4674->4676 4844 401830 4675->4844 4678 4023b1 4676->4678 4679 402253 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4676->4679 4903 401f48 4678->4903 4681 40229c TlsAlloc 4679->4681 4684 401c16 4681->4684 4685 4022ea TlsSetValue 4681->4685 4684->4644 4684->4645 4685->4684 4686 4022fb 4685->4686 4848 401b1a 4686->4848 4691 401e1e __encode_pointer 6 API calls 4692 40231b 4691->4692 4693 401e1e __encode_pointer 6 API calls 4692->4693 4694 40232b 4693->4694 4695 401e1e __encode_pointer 6 API calls 4694->4695 4696 
40233b 4695->4696 4865 403d85 4696->4865 4703 401e99 __decode_pointer 6 API calls 4704 40238f 4703->4704 4704->4678 4705 402396 4704->4705 4885 401f85 4705->4885 4707 40239e GetCurrentThreadId 4707->4684 5232 404100 4708->5232 4710 404b12 GetStartupInfoA 4711 405875 __calloc_crt 66 API calls 4710->4711 4714 404b33 4711->4714 4712 404d51 __close 4712->4647 4713 404c98 4713->4712 4715 404cce GetStdHandle 4713->4715 4716 404d33 SetHandleCount 4713->4716 4718 404ce0 GetFileType 4713->4718 4719 4046d6 __mtinitlocknum InitializeCriticalSectionAndSpinCount 4713->4719 4714->4712 4714->4713 4717 405875 __calloc_crt 66 API calls 4714->4717 4721 404c1b 4714->4721 4715->4713 4716->4712 4717->4714 4718->4713 4719->4713 4720 404c44 GetFileType 4720->4721 4721->4712 4721->4713 4721->4720 4722 4046d6 __mtinitlocknum InitializeCriticalSectionAndSpinCount 4721->4722 4722->4721 4724 404aba 4723->4724 4725 404abe 4723->4725 4724->4652 4727 405830 __malloc_crt 66 API calls 4725->4727 4728 404adf 4727->4728 4729 404ae6 FreeEnvironmentStringsW 4728->4729 5233 4014c0 4728->5233 4729->4652 4733 404a30 _wparse_cmdline 4732->4733 4734 401c54 4733->4734 4735 404a6d 4733->4735 4734->4655 4734->4656 4736 405830 __malloc_crt 66 API calls 4735->4736 4737 404a73 _wparse_cmdline 4736->4737 4737->4734 4739 4047e4 _wcslen 4738->4739 4743 401c65 4738->4743 4740 405875 __calloc_crt 66 API calls 4739->4740 4746 404808 _wcslen 4740->4746 4741 40486d 4742 403b13 __crtGetStringTypeA_stat 66 API calls 4741->4742 4742->4743 4743->4659 4743->4661 4744 405875 __calloc_crt 66 API calls 4744->4746 4745 404893 4747 403b13 __crtGetStringTypeA_stat 66 API calls 4745->4747 4746->4741 4746->4743 4746->4744 4746->4745 4749 404852 4746->4749 5237 40144f 4746->5237 4747->4743 4749->4746 4750 402437 __invoke_watson 10 API calls 4749->4750 4750->4749 4752 40192d __IsNonwritableInCurrentImage 4751->4752 5246 403f80 4752->5246 4754 40194b __initterm_e 4756 40196a __IsNonwritableInCurrentImage __initterm 4754->4756 5250 
402826 4754->5250 4756->4662 4758 40a03d __write_nolock 4757->4758 5351 409f20 4758->5351 4765 40a0bd LoadResource 4766 40a0db LockResource 4765->4766 4770 40a10c 4765->4770 4767 40a0f7 SizeofResource 4766->4767 4766->4770 4767->4770 4768 401000 __crtGetStringTypeA_stat 5 API calls 4769 401ca3 4768->4769 4769->4667 4823 401ad0 4769->4823 4802 40a2ea ctype 4770->4802 5366 401173 4770->5366 4771 40108c 66 API calls 4772 40a5eb 4771->4772 4774 40108c 66 API calls 4772->4774 4776 40a606 4774->4776 4775 40a1cf _memset 5378 40125a 4775->5378 4777 40108c 66 API calls 4776->4777 4795 40a61f 4777->4795 4780 40a6a3 4785 40a6c7 ShellExecuteW 4780->4785 4786 40a6ae GetDesktopWindow MessageBoxW 4780->4786 4781 40a2f9 5387 409f40 4781->5387 4782 40a24e 4784 40108c 66 API calls 4782->4784 4787 40a264 4784->4787 4814 40a10e 4785->4814 4786->4785 4788 40108c 66 API calls 4787->4788 4789 40a27f SHCreateDirectoryExW 4788->4789 4796 40a2b8 4789->4796 4790 40a3b4 4797 40144f __wsetenvp 66 API calls 4790->4797 4791 40a313 4791->4790 4794 40125a 66 API calls 4791->4794 4792 40108c 66 API calls 4792->4795 4798 40a364 4794->4798 4795->4780 4795->4792 4799 40108c 66 API calls 4796->4799 4796->4814 4800 40a3cc 4797->4800 4801 40144f __wsetenvp 66 API calls 4798->4801 4799->4802 4803 40108c 66 API calls 4800->4803 4805 40a37f 4801->4805 4802->4771 4804 40a3e7 4803->4804 4806 40a40d 4804->4806 4808 40144f __wsetenvp 66 API calls 4804->4808 4807 40108c 66 API calls 4805->4807 5390 409f80 FindFirstFileW 4806->5390 4810 40a39a SHCreateDirectoryExW 4807->4810 4808->4806 4810->4790 4812 40a431 CreateFileW 4813 40a466 FindResourceW LoadResource 4812->4813 4812->4814 4815 40a59f CloseHandle 4813->4815 4816 40a49f SizeofResource LockResource 4813->4816 4814->4768 4815->4802 4816->4815 4817 40a4d4 4816->4817 4818 401173 75 API calls 4817->4818 4819 40a4e3 4818->4819 4820 4014c0 _realloc __VEC_memcpy 4819->4820 4821 40a512 WriteFile FreeResource 4820->4821 4821->4815 5654 4019a4 4823->5654 4825 401ae1 
4825->4667 4827 401b76 4826->4827 4828 401b7b 4826->4828 4829 403d4c __FF_MSGBANNER 66 API calls 4827->4829 4830 403ba1 __NMSG_WRITE 66 API calls 4828->4830 4829->4828 4831 401b83 4830->4831 4832 4018b4 __mtinitlocknum 3 API calls 4831->4832 4833 401b8d 4832->4833 4833->4642 4835 403d4c __FF_MSGBANNER 66 API calls 4834->4835 4836 40186a 4835->4836 4837 403ba1 __NMSG_WRITE 66 API calls 4836->4837 4838 401872 4837->4838 4839 401e99 __decode_pointer 6 API calls 4838->4839 4840 40187d 4839->4840 4840->4648 4842 4019a4 _doexit 66 API calls 4841->4842 4843 401b07 4842->4843 4843->4670 4845 40183b Sleep GetModuleHandleW 4844->4845 4846 401859 4845->4846 4847 40185d 4845->4847 4846->4845 4846->4847 4847->4676 4914 401e90 4848->4914 4850 401b22 __init_pointers __initp_misc_winsig 4917 404325 4850->4917 4853 401e1e __encode_pointer 6 API calls 4854 401b5e 4853->4854 4855 401e1e TlsGetValue 4854->4855 4856 401e36 4855->4856 4857 401e57 GetModuleHandleW 4855->4857 4856->4857 4858 401e40 TlsGetValue 4856->4858 4859 401e72 GetProcAddress 4857->4859 4860 401e67 4857->4860 4864 401e4b 4858->4864 4861 401e4f 4859->4861 4862 401830 __crt_waiting_on_module_handle 2 API calls 4860->4862 4861->4691 4863 401e6d 4862->4863 4863->4859 4863->4861 4864->4857 4864->4861 4867 403d90 4865->4867 4868 402348 4867->4868 4920 4046d6 4867->4920 4868->4678 4869 401e99 TlsGetValue 4868->4869 4870 401eb1 4869->4870 4871 401ed2 GetModuleHandleW 4869->4871 4870->4871 4872 401ebb TlsGetValue 4870->4872 4873 401ee2 4871->4873 4874 401eed GetProcAddress 4871->4874 4876 401ec6 4872->4876 4875 401830 __crt_waiting_on_module_handle 2 API calls 4873->4875 4878 401eca 4874->4878 4877 401ee8 4875->4877 4876->4871 4876->4878 4877->4874 4877->4878 4878->4678 4879 405875 4878->4879 4881 40587e 4879->4881 4882 402375 4881->4882 4883 40589c Sleep 4881->4883 4925 4084ba 4881->4925 4882->4678 4882->4703 4884 4058b1 4883->4884 4884->4881 4884->4882 5211 404100 4885->5211 4887 401f91 GetModuleHandleW 4888 401fa1 
4887->4888 4889 401fa7 4887->4889 4890 401830 __crt_waiting_on_module_handle 2 API calls 4888->4890 4891 401fe3 4889->4891 4892 401fbf GetProcAddress GetProcAddress 4889->4892 4890->4889 4893 403f01 __lock 62 API calls 4891->4893 4892->4891 4894 402002 InterlockedIncrement 4893->4894 5212 40205a 4894->5212 4897 403f01 __lock 62 API calls 4898 402023 4897->4898 5215 404f71 InterlockedIncrement 4898->5215 4900 402041 5227 402063 4900->5227 4902 40204e __close 4902->4707 4904 401f52 4903->4904 4905 401f5e 4903->4905 4906 401e99 __decode_pointer 6 API calls 4904->4906 4907 401f80 4905->4907 4908 401f72 TlsFree 4905->4908 4906->4905 4909 403dec DeleteCriticalSection 4907->4909 4911 403e04 4907->4911 4908->4907 4910 403b13 __crtGetStringTypeA_stat 66 API calls 4909->4910 4910->4907 4912 403e16 DeleteCriticalSection 4911->4912 4913 403e24 4911->4913 4912->4911 4913->4684 4915 401e1e __encode_pointer 6 API calls 4914->4915 4916 401e97 4915->4916 4916->4850 4918 401e1e __encode_pointer 6 API calls 4917->4918 4919 401b54 4918->4919 4919->4853 4924 404100 4920->4924 4922 4046e2 InitializeCriticalSectionAndSpinCount 4923 404726 __close 4922->4923 4923->4867 4924->4922 4926 4084c6 __close 4925->4926 4927 4084de 4926->4927 4935 4084fd _memset 4926->4935 4938 4025c7 4927->4938 4931 40856f HeapAlloc 4931->4935 4932 4084f3 __close 4932->4881 4935->4931 4935->4932 4944 403f01 4935->4944 4951 40638a 4935->4951 4957 4085b6 4935->4957 4960 402965 4935->4960 4963 40206c GetLastError 4938->4963 4940 4025cc 4941 40255f 4940->4941 4942 401e99 __decode_pointer 6 API calls 4941->4942 4943 40256f __invoke_watson 4942->4943 4945 403f16 4944->4945 4946 403f29 EnterCriticalSection 4944->4946 5006 403e3e 4945->5006 4946->4935 4948 403f1c 4948->4946 4949 401860 __amsg_exit 65 API calls 4948->4949 4950 403f28 4949->4950 4950->4946 4954 4063b8 4951->4954 4952 406451 4956 40645a 4952->4956 5206 405fa1 4952->5206 4954->4952 4954->4956 5199 405ef1 4954->5199 4956->4935 5210 403e27 LeaveCriticalSection 
4957->5210 4959 4085bd 4959->4935 4961 401e99 __decode_pointer 6 API calls 4960->4961 4962 402975 4961->4962 4962->4935 4978 401f14 TlsGetValue 4963->4978 4966 4020d9 SetLastError 4966->4940 4967 405875 __calloc_crt 63 API calls 4968 402097 4967->4968 4968->4966 4969 40209f 4968->4969 4970 401e99 __decode_pointer 6 API calls 4969->4970 4971 4020b1 4970->4971 4972 4020d0 4971->4972 4973 4020b8 4971->4973 4983 403b13 4972->4983 4974 401f85 __mtinit 63 API calls 4973->4974 4976 4020c0 GetCurrentThreadId 4974->4976 4976->4966 4977 4020d6 4977->4966 4979 401f44 4978->4979 4980 401f29 4978->4980 4979->4966 4979->4967 4981 401e99 __decode_pointer 6 API calls 4980->4981 4982 401f34 TlsSetValue 4981->4982 4982->4979 4985 403b1f __close 4983->4985 4984 403b5e 4986 403b98 __close _realloc 4984->4986 4987 403b73 HeapFree 4984->4987 4985->4984 4985->4986 4988 403f01 __lock 64 API calls 4985->4988 4986->4977 4987->4986 4989 403b85 4987->4989 4991 403b36 ___sbh_find_block 4988->4991 4990 4025c7 __close 64 API calls 4989->4990 4992 403b8a GetLastError 4990->4992 4993 403b50 4991->4993 4996 405bdb 4991->4996 4992->4986 5002 403b69 4993->5002 4997 405c1a 4996->4997 5001 405ebc ___sbh_free_block 4996->5001 4998 405e06 VirtualFree 4997->4998 4997->5001 4999 405e6a 4998->4999 5000 405e79 VirtualFree HeapFree 4999->5000 4999->5001 5000->5001 5001->4993 5005 403e27 LeaveCriticalSection 5002->5005 5004 403b70 5004->4984 5005->5004 5007 403e4a __close 5006->5007 5008 403e70 5007->5008 5032 403d4c 5007->5032 5014 403e80 __close 5008->5014 5078 405830 5008->5078 5014->4948 5016 403ea1 5018 403f01 __lock 66 API calls 5016->5018 5017 403e92 5020 4025c7 __close 66 API calls 5017->5020 5021 403ea8 5018->5021 5020->5014 5022 403eb0 5021->5022 5023 403edc 5021->5023 5024 4046d6 __mtinitlocknum InitializeCriticalSectionAndSpinCount 5022->5024 5025 403b13 __crtGetStringTypeA_stat 66 API calls 5023->5025 5026 403ebb 5024->5026 5027 403ecd 5025->5027 5026->5027 5029 403b13 __crtGetStringTypeA_stat 66 
API calls 5026->5029 5083 403ef8 5027->5083 5030 403ec7 5029->5030 5031 4025c7 __close 66 API calls 5030->5031 5031->5027 5086 4078f7 5032->5086 5035 403d60 5037 403ba1 __NMSG_WRITE 66 API calls 5035->5037 5039 403d82 5035->5039 5036 4078f7 __set_error_mode 66 API calls 5036->5035 5038 403d78 5037->5038 5040 403ba1 __NMSG_WRITE 66 API calls 5038->5040 5041 403ba1 5039->5041 5040->5039 5042 403bb5 5041->5042 5043 403d10 5042->5043 5044 4078f7 __set_error_mode 63 API calls 5042->5044 5075 4018b4 5043->5075 5045 403bd7 5044->5045 5046 403d15 GetStdHandle 5045->5046 5048 4078f7 __set_error_mode 63 API calls 5045->5048 5046->5043 5047 403d23 _strlen 5046->5047 5047->5043 5051 403d3c WriteFile 5047->5051 5049 403be8 5048->5049 5049->5046 5050 403bfa 5049->5050 5050->5043 5092 40590f 5050->5092 5051->5043 5054 403c30 GetModuleFileNameA 5056 403c4e 5054->5056 5060 403c71 _strlen 5054->5060 5058 40590f _strcpy_s 63 API calls 5056->5058 5059 403c5e 5058->5059 5059->5060 5062 402437 __invoke_watson 10 API calls 5059->5062 5061 403cb4 5060->5061 5108 407842 5060->5108 5117 4077ce 5061->5117 5062->5060 5067 403cd8 5068 4077ce _strcat_s 63 API calls 5067->5068 5070 403cec 5068->5070 5069 402437 __invoke_watson 10 API calls 5069->5067 5072 403cfd 5070->5072 5073 402437 __invoke_watson 10 API calls 5070->5073 5071 402437 __invoke_watson 10 API calls 5071->5061 5126 407665 5072->5126 5073->5072 5164 401889 GetModuleHandleW 5075->5164 5080 405839 5078->5080 5081 403e8b 5080->5081 5082 405850 Sleep 5080->5082 5168 40288c 5080->5168 5081->5016 5081->5017 5082->5080 5198 403e27 LeaveCriticalSection 5083->5198 5085 403eff 5085->5014 5087 407906 5086->5087 5088 403d53 5087->5088 5089 4025c7 __close 66 API calls 5087->5089 5088->5035 5088->5036 5090 407929 5089->5090 5091 40255f __close 6 API calls 5090->5091 5091->5088 5093 405920 5092->5093 5094 405927 5092->5094 5093->5094 5097 40594d 5093->5097 5095 4025c7 __close 66 API calls 5094->5095 5100 40592c 5095->5100 5096 40255f __close 6 
API calls 5099 403c1c 5096->5099 5098 4025c7 __close 66 API calls 5097->5098 5097->5099 5098->5100 5099->5054 5101 402437 5099->5101 5100->5096 5153 4011e0 5101->5153 5103 402464 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5104 402540 GetCurrentProcess TerminateProcess 5103->5104 5106 402534 __invoke_watson 5103->5106 5155 401000 5104->5155 5106->5104 5107 40255d 5107->5054 5111 407854 5108->5111 5109 407858 5110 4025c7 __close 66 API calls 5109->5110 5112 403ca1 5109->5112 5116 407874 5110->5116 5111->5109 5111->5112 5114 40789e 5111->5114 5112->5061 5112->5071 5113 40255f __close 6 API calls 5113->5112 5114->5112 5115 4025c7 __close 66 API calls 5114->5115 5115->5116 5116->5113 5118 4077e6 5117->5118 5120 4077df 5117->5120 5119 4025c7 __close 66 API calls 5118->5119 5121 4077eb 5119->5121 5120->5118 5124 40781a 5120->5124 5122 40255f __close 6 API calls 5121->5122 5123 403cc7 5122->5123 5123->5067 5123->5069 5124->5123 5125 4025c7 __close 66 API calls 5124->5125 5125->5121 5127 401e90 _doexit 6 API calls 5126->5127 5128 407675 5127->5128 5129 407688 LoadLibraryA 5128->5129 5152 407710 5128->5152 5130 40769d GetProcAddress 5129->5130 5132 4077b2 5129->5132 5131 4076b3 5130->5131 5130->5132 5136 401e1e __encode_pointer 6 API calls 5131->5136 5132->5043 5133 401e99 __decode_pointer 6 API calls 5133->5132 5134 401e99 __decode_pointer 6 API calls 5145 40777d 5134->5145 5135 401e99 __decode_pointer 6 API calls 5137 40772d 5135->5137 5138 4076b9 GetProcAddress 5136->5138 5139 401e99 __decode_pointer 6 API calls 5137->5139 5140 401e1e __encode_pointer 6 API calls 5138->5140 5143 40773a 5139->5143 5141 4076ce GetProcAddress 5140->5141 5142 401e1e __encode_pointer 6 API calls 5141->5142 5144 4076e3 GetProcAddress 5142->5144 5143->5134 5149 407765 5143->5149 5146 401e1e __encode_pointer 6 API calls 5144->5146 5147 401e99 __decode_pointer 6 API calls 5145->5147 5145->5149 5148 4076f8 5146->5148 5147->5149 5150 407702 GetProcAddress 5148->5150 
5148->5152 5149->5133 5151 401e1e __encode_pointer 6 API calls 5150->5151 5151->5152 5152->5135 5152->5143 5154 4011ec __VEC_memzero 5153->5154 5154->5103 5156 401008 5155->5156 5157 40100a IsDebuggerPresent 5155->5157 5156->5107 5163 404e20 5157->5163 5160 401de5 SetUnhandledExceptionFilter UnhandledExceptionFilter 5161 401e02 __invoke_watson 5160->5161 5162 401e0a GetCurrentProcess TerminateProcess 5160->5162 5161->5162 5162->5107 5163->5160 5165 4018b2 ExitProcess 5164->5165 5166 40189d GetProcAddress 5164->5166 5166->5165 5167 4018ad 5166->5167 5167->5165 5169 40293f 5168->5169 5175 40289e 5168->5175 5170 402965 __calloc_impl 6 API calls 5169->5170 5171 402945 5170->5171 5173 4025c7 __close 65 API calls 5171->5173 5172 403d4c __FF_MSGBANNER 65 API calls 5179 4028af 5172->5179 5174 402937 5173->5174 5174->5080 5175->5174 5178 4028fb RtlAllocateHeap 5175->5178 5175->5179 5181 40292b 5175->5181 5182 402965 __calloc_impl 6 API calls 5175->5182 5184 402930 5175->5184 5186 40283d 5175->5186 5176 403ba1 __NMSG_WRITE 65 API calls 5176->5179 5178->5175 5179->5172 5179->5175 5179->5176 5180 4018b4 __mtinitlocknum 3 API calls 5179->5180 5180->5179 5183 4025c7 __close 65 API calls 5181->5183 5182->5175 5183->5184 5185 4025c7 __close 65 API calls 5184->5185 5185->5174 5187 402849 __close 5186->5187 5188 40287a __close 5187->5188 5189 403f01 __lock 66 API calls 5187->5189 5188->5175 5190 40285f 5189->5190 5191 40638a ___sbh_alloc_block 5 API calls 5190->5191 5192 40286a 5191->5192 5194 402883 5192->5194 5197 403e27 LeaveCriticalSection 5194->5197 5196 40288a 5196->5188 5197->5196 5198->5085 5200 405f04 HeapReAlloc 5199->5200 5201 405f38 HeapAlloc 5199->5201 5202 405f22 5200->5202 5203 405f26 5200->5203 5201->5202 5204 405f5b VirtualAlloc 5201->5204 5202->4952 5203->5201 5204->5202 5205 405f75 HeapFree 5204->5205 5205->5202 5207 405fb8 VirtualAlloc 5206->5207 5209 405fff 5207->5209 5209->4956 5210->4959 5211->4887 5230 403e27 LeaveCriticalSection 5212->5230 5214 40201c 
5214->4897 5216 404f92 5215->5216 5217 404f8f InterlockedIncrement 5215->5217 5218 404f9c InterlockedIncrement 5216->5218 5219 404f9f 5216->5219 5217->5216 5218->5219 5220 404fa9 InterlockedIncrement 5219->5220 5221 404fac 5219->5221 5220->5221 5222 404fb6 InterlockedIncrement 5221->5222 5224 404fb9 5221->5224 5222->5224 5223 404fd2 InterlockedIncrement 5223->5224 5224->5223 5225 404fe2 InterlockedIncrement 5224->5225 5226 404fed InterlockedIncrement 5224->5226 5225->5224 5226->4900 5231 403e27 LeaveCriticalSection 5227->5231 5229 40206a 5229->4902 5230->5214 5231->5229 5232->4710 5234 4014d8 5233->5234 5235 401507 5234->5235 5236 4014ff __VEC_memcpy 5234->5236 5235->4729 5236->5235 5238 401460 5237->5238 5239 401467 5237->5239 5238->5239 5244 401493 5238->5244 5240 4025c7 __close 66 API calls 5239->5240 5241 40146c 5240->5241 5242 40255f __close 6 API calls 5241->5242 5243 40147b 5242->5243 5243->4746 5244->5243 5245 4025c7 __close 66 API calls 5244->5245 5245->5241 5247 403f86 5246->5247 5248 401e1e __encode_pointer 6 API calls 5247->5248 5249 403f9e 5247->5249 5248->5247 5249->4754 5253 4027ea 5250->5253 5252 402833 5252->4756 5254 4027f6 __close 5253->5254 5261 4018cc 5254->5261 5260 402817 __close 5260->5252 5262 403f01 __lock 66 API calls 5261->5262 5263 4018d3 5262->5263 5264 4026ff 5263->5264 5265 401e99 __decode_pointer 6 API calls 5264->5265 5266 402713 5265->5266 5267 401e99 __decode_pointer 6 API calls 5266->5267 5268 402723 5267->5268 5277 4027a6 5268->5277 5284 405b08 5268->5284 5270 401e1e __encode_pointer 6 API calls 5273 40279b 5270->5273 5271 402765 5276 4058c1 __realloc_crt 73 API calls 5271->5276 5271->5277 5278 40277b 5271->5278 5272 402741 5272->5271 5280 40278d 5272->5280 5297 4058c1 5272->5297 5275 401e1e __encode_pointer 6 API calls 5273->5275 5275->5277 5276->5278 5281 402820 5277->5281 5278->5277 5279 401e1e __encode_pointer 6 API calls 5278->5279 5279->5280 5280->5270 5347 4018d5 5281->5347 5285 405b14 __close 5284->5285 5286 405b41 
5285->5286 5287 405b24 5285->5287 5288 405b82 HeapSize 5286->5288 5290 403f01 __lock 66 API calls 5286->5290 5289 4025c7 __close 66 API calls 5287->5289 5292 405b39 __close 5288->5292 5291 405b29 5289->5291 5294 405b51 ___sbh_find_block 5290->5294 5293 40255f __close 6 API calls 5291->5293 5292->5272 5293->5292 5302 405ba2 5294->5302 5301 4058ca 5297->5301 5299 405909 5299->5271 5300 4058ea Sleep 5300->5301 5301->5299 5301->5300 5306 4085d8 5301->5306 5305 403e27 LeaveCriticalSection 5302->5305 5304 405b7d 5304->5288 5304->5292 5305->5304 5307 4085e4 __close 5306->5307 5308 4085f9 5307->5308 5309 4085eb 5307->5309 5311 408600 5308->5311 5312 40860c 5308->5312 5310 40288c _malloc 66 API calls 5309->5310 5327 4085f3 __close _realloc 5310->5327 5313 403b13 __crtGetStringTypeA_stat 66 API calls 5311->5313 5320 40877e 5312->5320 5341 408619 ___sbh_resize_block ___sbh_find_block 5312->5341 5313->5327 5314 4087b1 5315 402965 __calloc_impl 6 API calls 5314->5315 5318 4087b7 5315->5318 5316 403f01 __lock 66 API calls 5316->5341 5317 408783 HeapReAlloc 5317->5320 5317->5327 5319 4025c7 __close 66 API calls 5318->5319 5319->5327 5320->5314 5320->5317 5321 4087d5 5320->5321 5322 402965 __calloc_impl 6 API calls 5320->5322 5324 4087cb 5320->5324 5323 4025c7 __close 66 API calls 5321->5323 5321->5327 5322->5320 5325 4087de GetLastError 5323->5325 5328 4025c7 __close 66 API calls 5324->5328 5325->5327 5327->5301 5330 40874c 5328->5330 5329 4086a4 HeapAlloc 5329->5341 5330->5327 5332 408751 GetLastError 5330->5332 5331 4086f9 HeapReAlloc 5331->5341 5332->5327 5333 40638a ___sbh_alloc_block 5 API calls 5333->5341 5334 408764 5334->5327 5336 4025c7 __close 66 API calls 5334->5336 5335 402965 __calloc_impl 6 API calls 5335->5341 5339 408771 5336->5339 5337 408747 5340 4025c7 __close 66 API calls 5337->5340 5338 4014c0 __VEC_memcpy _realloc 5338->5341 5339->5325 5339->5327 5340->5330 5341->5314 5341->5316 5341->5327 5341->5329 5341->5331 5341->5333 5341->5334 5341->5335 5341->5337 
5341->5338 5342 405bdb VirtualFree VirtualFree HeapFree ___sbh_free_block 5341->5342 5343 40871c 5341->5343 5342->5341 5346 403e27 LeaveCriticalSection 5343->5346 5345 408723 5345->5341 5346->5345 5350 403e27 LeaveCriticalSection 5347->5350 5349 4018dc 5349->5260 5350->5349 5395 40103b GetSystemTimeAsFileTime 5351->5395 5353 409f2c 5354 401029 5353->5354 5397 4020e5 5354->5397 5357 40108c 5358 4010a4 5357->5358 5361 40109d 5357->5361 5359 4025c7 __close 66 API calls 5358->5359 5360 4010a9 5359->5360 5362 40255f __close 6 API calls 5360->5362 5361->5358 5363 4010e0 5361->5363 5364 4010b8 FindResourceW 5362->5364 5363->5364 5365 4025c7 __close 66 API calls 5363->5365 5364->4765 5364->4814 5365->5360 5367 40117d 5366->5367 5368 40288c _malloc 66 API calls 5367->5368 5369 401197 5367->5369 5370 402965 __calloc_impl 6 API calls 5367->5370 5374 401199 std::bad_alloc::bad_alloc 5367->5374 5368->5367 5369->4775 5370->5367 5371 4011bf 5402 401156 5371->5402 5374->5371 5376 402826 __cinit 74 API calls 5374->5376 5376->5371 5377 4011d7 5382 40126c 5378->5382 5379 401270 5380 401275 5379->5380 5381 4025c7 __close 66 API calls 5379->5381 5380->4781 5380->4782 5386 40128c 5381->5386 5382->5379 5382->5380 5384 4012bc 5382->5384 5383 40255f __close 6 API calls 5383->5380 5384->5380 5385 4025c7 __close 66 API calls 5384->5385 5385->5386 5386->5383 5414 401425 5387->5414 5391 409fb3 5390->5391 5392 409fb7 FindClose 5390->5392 5393 401000 __crtGetStringTypeA_stat 5 API calls 5391->5393 5392->5391 5394 409fd0 5393->5394 5394->4802 5394->4812 5396 40106b __aulldiv 5395->5396 5396->5353 5398 40206c __getptd_noexit 66 API calls 5397->5398 5399 4020ed 5398->5399 5400 401033 SHGetFolderPathW 5399->5400 5401 401860 __amsg_exit 66 API calls 5399->5401 5400->5357 5401->5400 5408 40262d 5402->5408 5405 40298d 5406 4029c2 RaiseException 5405->5406 5407 4029b6 5405->5407 5406->5377 5407->5406 5409 401166 5408->5409 5410 40264d _strlen 5408->5410 5409->5405 5410->5409 5411 40288c _malloc 66 API 
calls 5410->5411 5412 402660 5411->5412 5412->5409 5413 40590f _strcpy_s 66 API calls 5412->5413 5413->5409 5417 40132d 5414->5417 5418 40135d 5417->5418 5419 40133d 5417->5419 5421 40138d 5418->5421 5423 40136d 5418->5423 5420 4025c7 __close 66 API calls 5419->5420 5422 401342 5420->5422 5428 401352 5421->5428 5429 4013d4 5421->5429 5432 402b7e 5421->5432 5424 40255f __close 6 API calls 5422->5424 5425 4025c7 __close 66 API calls 5423->5425 5424->5428 5426 401372 5425->5426 5427 40255f __close 6 API calls 5426->5427 5427->5428 5428->4791 5429->5428 5431 402b7e __flsbuf 100 API calls 5429->5431 5431->5428 5453 40727e 5432->5453 5435 402bb0 5438 402bb4 5435->5438 5443 402bc1 __flswbuf 5435->5443 5436 402b99 5437 4025c7 __close 66 API calls 5436->5437 5439 402b9e 5437->5439 5440 4025c7 __close 66 API calls 5438->5440 5439->5429 5440->5439 5441 402cb1 5445 406f40 __locking 100 API calls 5441->5445 5442 402c31 5444 402c48 5442->5444 5447 402c65 5442->5447 5443->5439 5449 402c17 5443->5449 5452 402c22 5443->5452 5459 407065 5443->5459 5471 406f40 5444->5471 5445->5439 5447->5439 5496 4066f4 5447->5496 5449->5452 5468 40701c 5449->5468 5452->5441 5452->5442 5454 402b8e 5453->5454 5455 40728d 5453->5455 5454->5435 5454->5436 5456 4025c7 __close 66 API calls 5455->5456 5457 407292 5456->5457 5458 40255f __close 6 API calls 5457->5458 5458->5454 5460 407081 5459->5460 5461 407072 5459->5461 5464 4025c7 __close 66 API calls 5460->5464 5466 4070a5 5460->5466 5462 4025c7 __close 66 API calls 5461->5462 5463 407077 5462->5463 5463->5449 5465 407095 5464->5465 5467 40255f __close 6 API calls 5465->5467 5466->5449 5467->5466 5469 405830 __malloc_crt 66 API calls 5468->5469 5470 407031 5469->5470 5470->5452 5472 406f4c __close 5471->5472 5473 406f54 5472->5473 5474 406f6f 5472->5474 5528 4025da 5473->5528 5476 406f7d 5474->5476 5479 406fbe 5474->5479 5478 4025da __close 66 API calls 5476->5478 5481 406f82 5478->5481 5531 408c62 5479->5531 5480 4025c7 __close 66 API calls 5489 
    Call graph (text rendering of the IDA plugin's graph image; only the recoverable function groups and API call sites are kept)
    • CRT internals: __close, ___lock_fhandle (EnterCriticalSection, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection), __write_nolock (GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError), __lseeki64_nolock (SetFilePointer), __setmbcp (GetOEMCP, GetACP, IsValidCodePage, GetCPInfo), ___crtGetStringTypeA / ___crtLCMapStringA / ___convertcp (GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, WideCharToMultiByte, GetLocaleInfoA), __initterm / _doexit, __except_handler4 (RtlUnwind), SetUnhandledExceptionFilter, Interlocked reference counting in the locale code
    • 0040A164 (dropper body): 00401173 (_malloc wrapper), _memset, 00409F40 (_swprintf), SHCreateDirectoryExW (two call sites), __wsetenvp, 00409F80 (FindFirstFileW / FindClose), CreateFileW, FindResourceW, LoadResource, SizeofResource, LockResource, __VEC_memcpy, WriteFile, FreeResource, CloseHandle, then optionally GetDesktopWindow + MessageBoxW, then ShellExecuteW
    • 00409A33: CloseHandle on two handles

    Control-flow Graph

    Function 0040A030 (basic blocks and call sites recovered from the graph image; executed/not-executed colouring did not survive extraction):
    • 40A030-40A0BB: call 408DF0, call 409F20 (__time64), call 401029 (__getptd), SHGetFolderPathW, call 40108C, FindResourceW
    • 40A0BD-40A106: LoadResource, LockResource, SizeofResource
    • 40A19E-40A248: call 401173 (_malloc wrapper), call 4011E0, call 40125A
    • 40A24E-40A2B6: call 40108C (twice), SHCreateDirectoryExW; 40A2B8-40A2F4: failure path back into string handling
    • 40A2F9-40A343: call 409F40 (_swprintf), call 409FE0; 40A345-40A3AE: call 40125A, call 40144F, call 40108C, SHCreateDirectoryExW
    • 40A3B4-40A42B: call 40144F (__wsetenvp), call 40108C, call 409F80 (FindFirstFileW / FindClose)
    • 40A431-40A45D: CreateFileW; 40A466-40A4CE: FindResourceW, LoadResource, SizeofResource, LockResource
    • 40A4D4-40A599: call 401173, call 4014C0 (__VEC_memcpy), WriteFile, FreeResource; 40A59F-40A5A6: CloseHandle
    • 40A5CC-40A6A1: call 40108C (string handling); 40A6AE-40A6C1: GetDesktopWindow, MessageBoxW; 40A6C7-40A6E7: ShellExecuteW
    • 40A6E9-40A6F6: call 401000, return
    APIs
      • Part of subcall function 00409F20: __time64.LIBCMT ref: 00409F27
      • Part of subcall function 00401029: __getptd.LIBCMT ref: 0040102E
    • SHGetFolderPathW.SHELL32(00000000,0000801C,00000000,00000000,?), ref: 0040A06C (0x801C = CSIDL_LOCAL_APPDATA | CSIDL_FLAG_CREATE: resolves %LOCALAPPDATA%, creating it if absent; the "\Temp" string below is appended to it)
    • FindResourceW.KERNEL32(00000000,#129,00000017), ref: 0040A0A8 (type 0x17 = RT_HTML, name #129: the embedded HTA that is later written to disk and handed to mshta.exe)
    • LoadResource.KERNEL32(00000000,00000000), ref: 0040A0C6
    • LockResource.KERNEL32(00000000), ref: 0040A0E2
    • SizeofResource.KERNEL32(00000000,00000000), ref: 0040A100
    • _memset.LIBCMT ref: 0040A1F8
    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0040A2A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2066922820.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2066890273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066939321.000000000040B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066979186.000000000040E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066997063.0000000000411000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066997063.0000000000415000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066997063.000000000044F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_stopka2017.jbxd
    Similarity
    • API ID: Resource$CreateDirectoryFindFolderLoadLockPathSizeof__getptd__time64_memset
    • String ID: #%d$#129$HtaEdit$P$This executable has been built with the unregistered version of HtaEdit.The registered version does not display this notice.$\Temp$mshta.exe$open
    • API String ID: 2271237972-606975464
    • Opcode ID: e6fa5b21570bd89c168d2b12b429e11aed5585307e325dbfb3118079b7b3469c
    • Instruction ID: 67c7c94e90a422b0cbe3450348450bbebdaaf90e0d4bef1a922550f5e4d56a62
    • Opcode Fuzzy Hash: e6fa5b21570bd89c168d2b12b429e11aed5585307e325dbfb3118079b7b3469c
    • Instruction Fuzzy Hash: BD026DF1A40228ABDB20DB50DC85BA9B374EB58304F4445E9F608B72C1E7B95A94CF5E
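    Detection example (added by the editor; not part of the Joe Sandbox report and not code from the sample): the three Sigma hits listed in the overview key on the same observable that the call sites above produce, namely a script host started with a script path under a user-writable Temp directory whose containing folder is a GUID, spawned by an executable from a user profile location. The Python below evaluates that logic over Sysmon Event ID 1-style process-creation records; the field names Image, CommandLine and ParentImage are assumed, the first sample record is the process tree from this report, and the other two records are constructed.

```python
import re
from typing import Dict, List

# Script hosts whose first file argument is the script to run (.hta for mshta, .vbs/.js/.wsf for the others).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# A path component of the form \{8-4-4-4-12 hex}\ , the folder shape the dropper creates under Temp.
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\", re.IGNORECASE)
# Any \Temp\ component (covers %LOCALAPPDATA%\Temp and C:\Windows\Temp).
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Parent images living in a user profile location rather than in Windows or Program Files.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData)\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:hta|js|jse|vbs|vbe|wsf|wsh)$", re.IGNORECASE)

# Windows command-line tokenizer: a double-quoted run is one token, otherwise split on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Return the command line as a list of arguments, quotes removed."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_argument(cmdline: str) -> str:
    """First argument after the host image that carries a script extension, or '' if none."""
    for token in split_cmdline(cmdline)[1:]:
        if SCRIPT_EXT_RE.search(token):
            return token
    return ""


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule names a single process-creation record matches (empty list = benign)."""
    hits: List[str] = []
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return hits
    script = script_argument(event.get("CommandLine", ""))
    if script and TEMP_RE.search(script):
        hits.append("script_execution_from_temp")
    if script and GUID_DIR_RE.search(script):
        hits.append("script_execution_from_guid_folder")
    if USER_WRITABLE_RE.search(event.get("ParentImage", "")):
        hits.append("script_host_spawned_by_user_writable_parent")
    return hits


# Sample records. SAMPLE_EVENTS[0] is the mshta launch from this report; [1] and [2] are constructed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": r"C:\Windows\SysWOW64\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\{86E40C64-8653-4A9E-A0CD-DAC878E788CC}\Stopka2017.hta"',
        "ParentImage": r"C:\Users\user\Desktop\stopka2017.exe",
    },
    {   # constructed benign case: a vendor help file opened from Program Files by explorer
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\Tool\about.hta"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # constructed: script from Temp but without a GUID folder and with a trusted parent
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Users\user\AppData\Local\Temp\setup.vbs",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def run_samples() -> List[List[str]]:
    """Evaluate every sample record and return the per-record rule hits, in order."""
    return [evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(basename(ev["Image"]), "->", hits or "no hits")
```

The GUID-folder rule is the most specific of the three and fires alone far less often than the generic Temp rule, so it is the one worth alerting on directly; the Temp and parent rules are better used as corroborating context or as hunting queries.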

    Control-flow Graph

    Function 00409F80 (recovered from the graph image; a FindFirstFileW / FindClose pair used as a path-exists check):
    • 409F80-409FB1: FindFirstFileW
    • 409FB3-409FB5: invalid-handle path
    • 409FB7-409FC4: FindClose
    • 409FC6-409FD3: call 401000, return
    APIs
    • FindFirstFileW.KERNELBASE(?,?), ref: 00409F9E
    • FindClose.KERNEL32(000000FF), ref: 00409FBE
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    • API String ID: 2295610775-0
    • Opcode ID: 2a6c6789138963b8a2ae7610846c8dc9940de07343a11337a4b492bacadab8d2
    • Instruction ID: b51912a9b18dfb52d7f56d418a7bdb167fabce29a6e348d5735fcdb69d59bfdd
    • Opcode Fuzzy Hash: 2a6c6789138963b8a2ae7610846c8dc9940de07343a11337a4b492bacadab8d2
    • Instruction Fuzzy Hash: 26F0A77090070C9FCB10DF71DD086DA73B4EB88315F1046A9E519A7281EA345D449F9C

    Control-flow Graph

    Function 00401173 (recovered from the graph image; allocation wrapper that throws on failure):
    • 401173-401195: call 40288C (_malloc); 40117D-401188: call 402965, retry loop back to 40118A
    • 401199-4011A5: allocation failed
    • 4011A7-4011BF: call 401109 (std::exception::exception), call 402826 (std::bad_alloc::bad_alloc)
    • 4011C0-4011D7: call 401156 (std::bad_exception::bad_exception), call 40298D (__CxxThrowException@8)
    APIs
    • _malloc.LIBCMT ref: 0040118D
      • Part of subcall function 0040288C: __FF_MSGBANNER.LIBCMT ref: 004028AF
      • Part of subcall function 0040288C: __NMSG_WRITE.LIBCMT ref: 004028B6
      • Part of subcall function 0040288C: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00405841,?,00000001,?,?,00403E8B,00000018,0040CFE0,0000000C,00403F1C), ref: 00402903
    • std::bad_alloc::bad_alloc.LIBCMT ref: 004011B0
      • Part of subcall function 00401109: std::exception::exception.LIBCMT ref: 00401115
    • std::bad_exception::bad_exception.LIBCMT ref: 004011C4
    • __CxxThrowException@8.LIBCMT ref: 004011D2
    Memory Dump Source
    • Source File: 00000000.00000002.2066922820.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2066890273.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066939321.000000000040B000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066979186.000000000040E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066997063.0000000000411000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066997063.0000000000415000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2066997063.000000000044F000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_stopka2017.jbxd
    Similarity
    • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
    • String ID: `@
    • API String ID: 1411284514-951712118
    • Opcode ID: 26ee4b0004ab71c9a39da855a1725d71866f8fcae9d167e8e966bf64585d7f62
    • Instruction ID: d9a083ce72f4b8abaf0dcd5c603cd8fdc8e54bc2bf3e4dbfd8ce5d58bc4fb1f4
    • Opcode Fuzzy Hash: 26ee4b0004ab71c9a39da855a1725d71866f8fcae9d167e8e966bf64585d7f62
    • Instruction Fuzzy Hash: 58F0BE3590020AA3CB0C7732E80A95937685B08358F24853BE941BA1E1DFBD8941CA9C

    Control-flow Graph

    APIs
    • _memset.LIBCMT ref: 0040A1F8
    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0040A2A3
    • _swprintf.LIBCMTD ref: 0040A30E
    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0040A3A8
    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0040A44A
    • GetDesktopWindow.USER32 ref: 0040A6BA
    • MessageBoxW.USER32(00000000), ref: 0040A6C1
    • ShellExecuteW.SHELL32(00000000,open,mshta.exe,?,0040CCAC,00000005), ref: 0040A6E1
      • Part of subcall function 00401173: _malloc.LIBCMT ref: 0040118D
    Similarity
    • API ID: Create$Directory$DesktopExecuteFileMessageShellWindow_malloc_memset_swprintf
    • String ID: P
    • API String ID: 550803703-3110715001
    • Opcode ID: c6b6d7fb4b017b01e8b4468b11cb176858a29ec168429b8c168cdcd66f1b0aa1
    • Instruction ID: 7e0d718fa788e4c34e49f5937c9f7049fa39a3e959662ce66ae89e3f9deabd87
    • Opcode Fuzzy Hash: c6b6d7fb4b017b01e8b4468b11cb176858a29ec168429b8c168cdcd66f1b0aa1
    • Instruction Fuzzy Hash: 854149B1A002289BCB28DB54DC85AADB3B1EB88305F4441EEF60977291D7795ED0CF59

    Control-flow Graph
    control_flow_graph 211 4018b4-4018c5 call 401889 ExitProcess
    APIs
    • ___crtCorExitProcess.LIBCMT ref: 004018BC
      • Part of subcall function 00401889: GetModuleHandleW.KERNEL32(mscoree.dll,?,004018C1,?,?,004028C5,000000FF,0000001E,?,00405841,?,00000001,?,?,00403E8B,00000018), ref: 00401893
      • Part of subcall function 00401889: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004018A3
    • ExitProcess.KERNEL32 ref: 004018C5
    Similarity
    • API ID: ExitProcess$AddressHandleModuleProc___crt
    • String ID:
    • API String ID: 2427264223-0
    • Opcode ID: a45f812da7ce9f3fa687a9a22a86aa22456d670c9996326a439d8a9088c856bb
    • Instruction ID: d9eb1fcb8d5c172a914f002d6296a9f79f9da5bbe669f2d7aa44f8a5d01aa008
    • Opcode Fuzzy Hash: a45f812da7ce9f3fa687a9a22a86aa22456d670c9996326a439d8a9088c856bb
    • Instruction Fuzzy Hash: 6AB09232000208BFCB053F12EC0A85A3F2AEB803A5B108035F81919072DF76AE929AC8

    Control-flow Graph
    control_flow_graph 214 404d5a-404d7c HeapCreate 215 404d80-404d89 214->215 216 404d7e-404d7f 214->216
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00404D6F
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: bf2cbcc806c6bc44710c7ddcaa6f85f66d302889f1da169e8c5da3c8d7cdd469
    • Instruction ID: 6184b2da281ca6016ac0271474126ac2c76021815db6eaa891f361928dfac60c
    • Opcode Fuzzy Hash: bf2cbcc806c6bc44710c7ddcaa6f85f66d302889f1da169e8c5da3c8d7cdd469
    • Instruction Fuzzy Hash: 6BD02E72564304AAEB218FB4BC087323BDCD780395F008036FD0CC2180E370C5408148

    Control-flow Graph
    control_flow_graph 217 401ad0-401adc call 4019a4 219 401ae1-401ae5 217->219
    APIs
    • _doexit.LIBCMT ref: 00401ADC
      • Part of subcall function 004019A4: __lock.LIBCMT ref: 004019B2
      • Part of subcall function 004019A4: __decode_pointer.LIBCMT ref: 004019E9
      • Part of subcall function 004019A4: __decode_pointer.LIBCMT ref: 004019FE
      • Part of subcall function 004019A4: __decode_pointer.LIBCMT ref: 00401A28
      • Part of subcall function 004019A4: __decode_pointer.LIBCMT ref: 00401A3E
      • Part of subcall function 004019A4: __decode_pointer.LIBCMT ref: 00401A4B
      • Part of subcall function 004019A4: __initterm.LIBCMT ref: 00401A7A
      • Part of subcall function 004019A4: __initterm.LIBCMT ref: 00401A8A
    Similarity
    • API ID: __decode_pointer$__initterm$__lock_doexit
    • String ID:
    • API String ID: 1597249276-0
    • Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
    • Instruction ID: 31ad72b1b0a8f67507cfb5c715645a0153882bf3641726bcdd5842da0ec406e5
    • Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
    • Instruction Fuzzy Hash: F2B09B7154020833D51015429C03F553A0947C0764E540021B60C191E155A6655580C9

    Control-flow Graph

    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00401DD3
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00401DE8
    • UnhandledExceptionFilter.KERNEL32(0040B1F0), ref: 00401DF3
    • GetCurrentProcess.KERNEL32(C0000409), ref: 00401E0F
    • TerminateProcess.KERNEL32(00000000), ref: 00401E16
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
    • String ID:
    • API String ID: 2579439406-0
    • Opcode ID: 6e3e836b459f597e3b132ebfebc9e9b8bbf38e264aa1dfad4248ff04983e6aec
    • Instruction ID: 0bb735be146273eb839fa64778d0a4a719c761efff924a73d878bf610d17bcc9
    • Opcode Fuzzy Hash: 6e3e836b459f597e3b132ebfebc9e9b8bbf38e264aa1dfad4248ff04983e6aec
    • Instruction Fuzzy Hash: 3121C0B4815304DFD720DF65EF456467BA0FB08305F10843AEA08B7BA2E7B459888F9D
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00004736), ref: 0040477D
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: fd3b61a800fc77083c6e0b9dad2a4fde3d86a5c3e7a1598b086878a8b411c7c9
    • Instruction ID: 6230234ed6b9396946f7160fedeb2ede5b9f78823a6655994de373a722a7f816
    • Opcode Fuzzy Hash: fd3b61a800fc77083c6e0b9dad2a4fde3d86a5c3e7a1598b086878a8b411c7c9
    • Instruction Fuzzy Hash: 439002A025120096D730A7705D0D5076690DA8A71775184716251E5494DB744000956D

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0040CF10,0000000C,004020C0,00000000,00000000,?,?,004020ED,?,00401033), ref: 00401F97
    • __crt_waiting_on_module_handle.LIBCMT ref: 00401FA2
      • Part of subcall function 00401830: Sleep.KERNEL32(000003E8,00000000,?,00401EE8,KERNEL32.DLL,?,00401F34,?,00402083,?,?,004020ED,?,00401033), ref: 0040183C
      • Part of subcall function 00401830: GetModuleHandleW.KERNEL32(?,?,00401EE8,KERNEL32.DLL,?,00401F34,?,00402083,?,?,004020ED,?,00401033), ref: 00401845
    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00401FCB
    • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00401FDB
    • __lock.LIBCMT ref: 00401FFD
    • InterlockedIncrement.KERNEL32(0040E538), ref: 0040200A
    • __lock.LIBCMT ref: 0040201E
    • ___addlocaleref.LIBCMT ref: 0040203C
    Similarity
    • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
    • String ID: 8@$DecodePointer$EncodePointer$KERNEL32.DLL$P@
    • API String ID: 1028249917-1886493496
    • Opcode ID: 51e3c0664736392c74b8b277f5d8175cebf14eb29050de6281f278ac3fb4163e
    • Instruction ID: 93dfbdf727b1262c84f29c5e97bf611300e02d5b8e8abe8377074ce84542701f
    • Opcode Fuzzy Hash: 51e3c0664736392c74b8b277f5d8175cebf14eb29050de6281f278ac3fb4163e
    • Instruction Fuzzy Hash: CF11A171840702EAD710AF76D945B5ABBE0EF14314F10453FE565B63E0CBB89A41CB5C

    Control-flow Graph
    control_flow_graph 397 405373-40538e call 404100 call 4020e5 402 405390-405394 397->402 403 4053ad-4053c5 call 403f01 397->403 402->403 405 405396 402->405 408 4053c7-4053c9 403->408 409 4053fd-405409 call 40540e 403->409 407 405399-40539b 405->407 410 4053a5-4053ac call 404145 407->410 411 40539d-4053a4 call 401860 407->411 413 4053e5-4053f7 InterlockedIncrement 408->413 414 4053cb-4053d4 InterlockedDecrement 408->414 409->407 411->410 413->409 414->413 420 4053d6-4053dc 414->420 420->413 421 4053de-4053e4 call 403b13 420->421 421->413
    APIs
    • __getptd.LIBCMT ref: 0040537F
      • Part of subcall function 004020E5: __getptd_noexit.LIBCMT ref: 004020E8
      • Part of subcall function 004020E5: __amsg_exit.LIBCMT ref: 004020F5
    • __amsg_exit.LIBCMT ref: 0040539F
    • __lock.LIBCMT ref: 004053AF
    • InterlockedDecrement.KERNEL32(?), ref: 004053CC
    • InterlockedIncrement.KERNEL32(02132D90), ref: 004053F7
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
    • String ID: 8@
    • API String ID: 4271482742-819625340
    • Opcode ID: cf1e1f270195e85c79e8c3b319aa750a28a249f4b8efd5e4d64402f02bbee5ea
    • Instruction ID: 89bafbd8448753d296c7fafddd7cbb45ae6d8989632fa875147614c87ea326c6
    • Opcode Fuzzy Hash: cf1e1f270195e85c79e8c3b319aa750a28a249f4b8efd5e4d64402f02bbee5ea
    • Instruction Fuzzy Hash: 6B01AD32901A21EBDB20AB66994974F77A0EB04759F10083BEC10B76D1DBBC6951CFCD

    Control-flow Graph
    control_flow_graph 424 4050d7-4050f2 call 404100 call 4020e5 429 4050f4-4050f8 424->429 430 405116-40513f call 403f01 call 405099 call 405141 424->430 429->430 432 4050fa-4050ff call 4020e5 429->432 437 405102-405104 430->437 432->437 439 405106-40510d call 401860 437->439 440 40510e-405115 call 404145 437->440 439->440
    APIs
    • __getptd.LIBCMT ref: 004050E3
      • Part of subcall function 004020E5: __getptd_noexit.LIBCMT ref: 004020E8
      • Part of subcall function 004020E5: __amsg_exit.LIBCMT ref: 004020F5
    • __getptd.LIBCMT ref: 004050FA
    • __amsg_exit.LIBCMT ref: 00405108
    • __lock.LIBCMT ref: 00405118
    Similarity
    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
    • String ID: P@
    • API String ID: 3521780317-2576892400
    • Opcode ID: 292315619262c9bd03a0c3c32dc5d33be8f5e60fe6b90dd8fdf3790a4c901334
    • Instruction ID: 45ce987a040570b940bfd1b67db92ead2b9782dad656f6b329638e645959e1d2
    • Opcode Fuzzy Hash: 292315619262c9bd03a0c3c32dc5d33be8f5e60fe6b90dd8fdf3790a4c901334
    • Instruction Fuzzy Hash: E5F06D32D00B149BD760BBA6980775A76A0AB44729F10497FE500BB2D2CBBDA941CE5D

    Control-flow Graph
    control_flow_graph 457 403b13-403b24 call 404100 460 403b26-403b2d 457->460 461 403b9b-403ba0 call 404145 457->461 462 403b72 460->462 463 403b2f-403b47 call 403f01 call 405bab 460->463 465 403b73-403b83 HeapFree 462->465 475 403b52-403b62 call 403b69 463->475 476 403b49-403b51 call 405bdb 463->476 465->461 468 403b85-403b9a call 4025c7 GetLastError call 402585 465->468 468->461 475->461 482 403b64-403b67 475->482 476->475 482->465
    APIs
    • __lock.LIBCMT ref: 00403B31
      • Part of subcall function 00403F01: __mtinitlocknum.LIBCMT ref: 00403F17
      • Part of subcall function 00403F01: __amsg_exit.LIBCMT ref: 00403F23
      • Part of subcall function 00403F01: EnterCriticalSection.KERNEL32(?,?,?,0040853B,00000004,0040D180,0000000C,0040588B,?,?,00000000,00000000,00000000,?,00402097,00000001), ref: 00403F2B
    • ___sbh_find_block.LIBCMT ref: 00403B3C
    • ___sbh_free_block.LIBCMT ref: 00403B4B
    • HeapFree.KERNEL32(00000000,?,0040CFC0,0000000C,00403EE2,00000000,0040CFE0,0000000C,00403F1C,?,?,?,0040853B,00000004,0040D180,0000000C), ref: 00403B7B
    • GetLastError.KERNEL32(?,0040853B,00000004,0040D180,0000000C,0040588B,?,?,00000000,00000000,00000000,?,00402097,00000001,00000214), ref: 00403B8C
    Similarity
    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
    • String ID:
    • API String ID: 2714421763-0
    • Opcode ID: d40e4bded3547a574fada6302cb5c8a75203ac074cc5f097bf97510ee4f74a70
    • Instruction ID: 1ed3d528fb89d26d96b841ba9b13040ff4c7b6b0184ab87104d6cdf21aa37396
    • Opcode Fuzzy Hash: d40e4bded3547a574fada6302cb5c8a75203ac074cc5f097bf97510ee4f74a70
    • Instruction Fuzzy Hash: 44012171905205AADB206F71AD4AB5F7E78AF0071DF20453FF504BA1C2DB7CAA418A9D
    Similarity
    • API ID: __calloc_crt
    • String ID: p@$@
    • API String ID: 3494438863-182354213
    • Opcode ID: 68f1f67d400d3783efbfbe76d1c8295ca7d93854fd5b98a01ce9ea8ddd010927
    • Instruction ID: e58deb14ca4d686b66a55d25d5ab87a9c9dfa1ee0c59f417d0b25fcba68291ec
    • Opcode Fuzzy Hash: 68f1f67d400d3783efbfbe76d1c8295ca7d93854fd5b98a01ce9ea8ddd010927
    • Instruction Fuzzy Hash: 9011E731B1C21157E7248A2EBC51A623395E788728B24863BF601EE3D5D678F882464E
    APIs
    • ___addlocaleref.LIBCMT ref: 004050AB
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(?), ref: 00404F83
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(?), ref: 00404F90
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(?), ref: 00404F9D
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(?), ref: 00404FAA
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(?), ref: 00404FB7
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(?), ref: 00404FD3
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(00000000), ref: 00404FE3
      • Part of subcall function 00404F71: InterlockedIncrement.KERNEL32(?), ref: 00404FF9
    • ___removelocaleref.LIBCMT ref: 004050B6
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(00407591), ref: 0040501A
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(24541B10), ref: 00405027
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(1B082444), ref: 00405034
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(2BDB3314), ref: 00405041
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(83D8F7DA), ref: 0040504E
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(83D8F7DA), ref: 0040506A
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(448BD88B), ref: 0040507A
      • Part of subcall function 00405000: InterlockedDecrement.KERNEL32(8B55FED7), ref: 00405090
    • ___freetlocinfo.LIBCMT ref: 004050CA
      • Part of subcall function 00404E28: ___free_lconv_mon.LIBCMT ref: 00404E6E
      • Part of subcall function 00404E28: ___free_lconv_num.LIBCMT ref: 00404E8F
      • Part of subcall function 00404E28: ___free_lc_time.LIBCMT ref: 00404F14
    Similarity
    • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
    • String ID: P@
    • API String ID: 467427115-2576892400
    • Opcode ID: e3482a1573c6d3a07d82dd9e17644850ac0fb9d0e0d13d3f343ce4ab07a00c63
    • Instruction ID: 383dead39ef71e1e1dcd079927ab95f572f11390da728018fa155e8cc7c7cb95
    • Opcode Fuzzy Hash: e3482a1573c6d3a07d82dd9e17644850ac0fb9d0e0d13d3f343ce4ab07a00c63
    • Instruction Fuzzy Hash: CCE0DF33501C2101CA312529641436FB288CF81314FBA003BF808BB7C1EB3C5C8099FC
    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00407481
    • __isleadbyte_l.LIBCMT ref: 004074B5
    • MultiByteToWideChar.KERNEL32(00000080,00000009,004013E8,?,00000000,00000000,?,?,?,?,004013E8), ref: 004074E6
    • MultiByteToWideChar.KERNEL32(00000080,00000009,004013E8,00000001,00000000,00000000,?,?,?,?,004013E8), ref: 00407554
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    • Opcode ID: 64842263c045c9e913d0ede6f41d6a3c6c384cefa37386dbee949877ada3f6e0
    • Instruction ID: 522790c7f44f66b35ebc33cb1467b44ce90adb6fb33efdb3ecc8feb0813c704b
    • Opcode Fuzzy Hash: 64842263c045c9e913d0ede6f41d6a3c6c384cefa37386dbee949877ada3f6e0
    • Instruction Fuzzy Hash: 67319E31E08245AFDB21DF64CC85DAA7FB5FF01311B14857AE4A1AB2E1D334E940DB5A