
Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll (renamed file extension from exe to dll)
Original sample name: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.exe
Analysis ID: 1542010
MD5: 76dae69bfde8cb40d0259f8b3736820c
SHA1: a7f83b240002220cae161c351946c59e7db255c9
SHA256: e8cd3d85840d7eedb28875ea60457f450d3b3c57f0834012f77a9a7fe713e6ad
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6372 cmdline: loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5744 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 2084 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 5016 cmdline: C:\Windows\system32\WerFault.exe -u -p 2084 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 3844 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutCallBehaviorMethod MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 1104 cmdline: C:\Windows\system32\WerFault.exe -u -p 3844 -s 288 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 5416 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutCreateElement MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 3400 cmdline: C:\Windows\system32\WerFault.exe -u -p 5416 -s 296 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7248 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutDataReady MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7292 cmdline: C:\Windows\system32\WerFault.exe -u -p 7248 -s 288 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7360 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutCallBehaviorMethod MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7372 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutCreateElement MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7380 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutDataReady MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7408 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_step MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7464 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_prepare_v2 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7476 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_open16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7488 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_column_text MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7504 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_close MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7512 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayout_UseElement MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7524 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayout_UnuseElement MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7540 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutWindowDetachEventHandler MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7548 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutWindowAttachEventHandler MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7564 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutVisitElements MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7572 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateWindow MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7580 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateElementEx MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7588 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateElement MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetupDebugOutput MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetStyleAttribute MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7644 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetOption MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7656 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementState MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7780 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementInnerText16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7792 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementHtml MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7804 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetCallback MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE1150C824 FindFirstFileExW
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE11502390
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE11503010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE11501C80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE1150C824
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE11503BD0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE115116B8
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2084 -s 344
Source: classification engine | Classification label: mal48.winDLL@83/17@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2084
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3844
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7248
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5416
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2e3fbea0-52ef-49a4-b49e-776d0f7f4fcf
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutCallBehaviorMethod
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutCallBehaviorMethod
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2084 -s 344
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3844 -s 288
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutCreateElement
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5416 -s 296
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutDataReady
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7248 -s 288
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutCallBehaviorMethod
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutCreateElement
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutDataReady
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_step
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_prepare_v2
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_open16
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_column_text
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_close
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayout_UseElement
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayout_UnuseElement
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutWindowDetachEventHandler
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutWindowAttachEventHandler
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutVisitElements
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateWindow
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateElementEx
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateElement
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetupDebugOutput
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetStyleAttribute
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetOption
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementState
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementInnerText16
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementHtml
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetCallback
Source: C:\Windows\System32\loaddll64.exe | Process created: unknown unknown (21 identical entries)
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE11502230 LoadLibraryA,GetProcAddress,FreeLibrary,GetCurrentThread,CreateThread,CloseHandle
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: section name: _RDATA
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: section name: .detourc
Source: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | Static PE information: section name: .detourd
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 6616 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE1150C824 FindFirstFileExW,0_2_00007FFE1150C824
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE11509DDC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FFE11509DDC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE11502230 LoadLibraryA,GetProcAddress,FreeLibrary,GetCurrentThread,CreateThread,CloseHandle,0_2_00007FFE11502230
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE1150E374 GetProcessHeap,0_2_00007FFE1150E374
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE11509DDC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FFE11509DDC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE11511D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FFE11511D20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE115054C4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FFE115054C4
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",#1
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE11511500 cpuid 0_2_00007FFE11511500
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFE11505094 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FFE11505094
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
ATT&CK matrix, one line per tactic column (numbers in parentheses are the counts shown next to matched techniques):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (21); Process Injection (11); DLL Side-Loading (1); Software Packing
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: System Time Discovery (1); Security Software Discovery (41); Virtualization/Sandbox Evasion (21); File and Directory Discovery (1); System Information Discovery (12)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1542010
Sample: SecuriteInfo.com.Win32.Troj...
Start date: 25/10/2024
Architecture: WINDOWS
Score: 48
Signatures: Multi AV Scanner detection for submitted file
Process tree: loaddll64.exe started cmd.exe, two rundll32.exe instances and 25 other processes; cmd.exe started rundll32.exe; each rundll32.exe instance and the other processes started WerFault.exe.

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll | 13% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542010
Start date and time: 2024-10-25 12:45:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll (renamed file extension from exe to dll)
Original Sample Name: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.exe
Detection: MAL
Classification: mal48.winDLL@83/17@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 8
  • Number of non-executed functions: 29
  • Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.168.117.173
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll
Time | Type | Description
06:46:24 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
06:48:07 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
No context
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7693054116424295
Encrypted:false
SSDEEP:384:lVUGi0ndVUD9hufrjDzuiFNY4lO8bVU1:ljieo9hufrjDzuiFNY4lO8b
MD5:140A9DB4E48E5BEEA518AA91C40C6656
SHA1:D3D7CB15BCF1C567A8C7F46CC935C8D6A6A2E39C
SHA-256:309C5E83199F007B21734A7B6ADB9E225DFFDA3E444780C4CCD256751C7AF2F1
SHA-512:A4588068FB794E972981DD3278B7BA8EEB7722CAA98CD66474B1E57D9F31E661768BFE78BA4E3BBD63E7D226C3D2157134747EF38F775245DE802BE8CDD27E1E
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.2.2.7.4.9.2.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.2.9.3.1.1.8.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.f.d.7.9.7.d.-.f.f.4.3.-.4.b.7.8.-.8.0.3.1.-.3.9.1.b.d.5.5.5.f.2.c.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.e.e.3.f.b.a.-.f.0.7.6.-.4.4.c.8.-.b.4.c.9.-.d.1.f.5.1.9.9.e.3.7.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...K.r.y.p.t.i.k...D.Q.O.J.J.U...3.2.4.8.7.......O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.2.4.-.0.0.0.1.-.0.0.1.4.-.c.e.a.e.-.8.8.1.5.c.b.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7735501770811893
Encrypted:false
SSDEEP:384:rPVUGiPYdVUnOf0ZjDzuiFNY4lO8bVU1:rPjiC0Of0ZjDzuiFNY4lO8b
MD5:116804AD203A60395FEC8A4213FFDB4B
SHA1:FDE392D634F661F40E0027673C37DF7B55EC2D58
SHA-256:36DF32A421726D3FF34AF45A8B252EE88CE20E20424A89B7A66A9C170863D6E3
SHA-512:9BA681E1CE453DF86E9E5A8BE4C7A1380BDE25CE847C73E29E0A9742A8A192AABAA5112A65727B457158C4D56B00FE0B13A6C5A82AC5811C809C81DC682C01FB
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.8.1.2.0.8.2.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.8.7.4.5.8.0.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.d.c.4.7.5.9.-.0.d.e.7.-.4.0.f.8.-.8.c.2.8.-.a.a.5.c.c.0.3.3.3.8.5.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.d.0.b.d.7.6.-.3.9.9.6.-.4.1.3.d.-.9.7.f.9.-.b.1.8.f.8.5.7.6.4.3.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...K.r.y.p.t.i.k...D.Q.O.J.J.U...3.2.4.8.7.......O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.0.-.0.0.0.1.-.0.0.1.4.-.1.1.5.6.-.1.f.1.9.c.b.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7734265734766228
Encrypted:false
SSDEEP:192:MBVUGivy6ZdVUs0O3v0ZjHjzuiFNZ24lO8bVU1:IVUGiqcdVUnOf0ZjDzuiFNY4lO8bVU1
MD5:3D9082C79A776338948FF79AC27FB359
SHA1:3D0A1379193C52678EE252BECEFF9367BEFC36B0
SHA-256:B4E6A7DECAB27FA791EC7C1614EE6ECB286A8BA61FD786F3933F2C823D614932
SHA-512:0BDD2FA274C6B723FB66CC339E8FD51631AABE82E95B356AF35EBE713E719A5D912D02045DF1CB86C15AFBE945C4ED82E5C648CBDAAC4244D2554BC9AE0FD085
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.5.0.9.1.1.3.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.5.6.8.4.8.8.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.8.2.5.4.8.6.-.2.b.b.f.-.4.5.f.b.-.9.b.0.a.-.6.d.8.c.1.a.4.f.b.f.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.c.c.f.a.b.3.-.3.3.e.2.-.4.d.2.6.-.9.d.7.9.-.6.a.e.6.d.b.f.b.a.c.2.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...K.r.y.p.t.i.k...D.Q.O.J.J.U...3.2.4.8.7.......O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.4.-.f.d.5.7.-.5.3.1.7.c.b.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7731186098153546
Encrypted:false
SSDEEP:384:lVUGiOU2dVUnOf0ZjDzuiFNY4lO8bVU1:ljio0Of0ZjDzuiFNY4lO8b
MD5:AC5F448DFD250DBB4096B0EB3DB1D737
SHA1:FD17B22C2BA4F03F918F62093033A75BDB5928FF
SHA-256:0DBB692F508E35657F37D1554EB0485F526ED1294BA1A264FFEF4F1D4EF7F33F
SHA-512:B59EDDE9AFAB42DAABD67E11074082E61F33D4055F3AF93535A2370583DB72BC4A91CE8F8021881369FC5B3F517D5FAC16520916C829171AB89C4D5FCD59FAC8
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.2.2.8.1.6.8.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.2.6.7.6.3.4.2.2.3.1.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.a.6.6.e.8.e.-.9.4.2.f.-.4.a.3.1.-.b.b.a.4.-.c.0.4.9.6.1.d.9.3.1.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.7.0.0.0.7.f.-.d.a.4.a.-.4.9.b.d.-.b.9.4.f.-.0.1.7.d.2.9.a.e.c.6.0.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...K.r.y.p.t.i.k...D.Q.O.J.J.U...3.2.4.8.7.......O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.0.4.-.0.0.0.1.-.0.0.1.4.-.5.7.7.3.-.8.7.1.5.c.b.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Fri Oct 25 10:46:02 2024, 0x1205a4 type
Category:dropped
Size (bytes):64934
Entropy (8bit):1.4372382259023015
Encrypted:false
SSDEEP:96:5I8tyKH4Qxe9UlLhA1hIg8PMV2qtbuIoi7MqejaXop+7YMzY6xsMAtleMimyQbQV:RwQxXlMV2oAOMQYo7YMzYm8leMvhlbS
MD5:32DF03DCBC4917BAD7622D8A54CA7491
SHA1:E20B5802A79D621D3E50F40A76CF519066F58F4B
SHA-256:62C93CB9D940E5B70F23ADB71B8C7969C1B804BDE7F53CE62AF58AEF9CEAB0B6
SHA-512:55BFC6B9E9AD2F0D824FD8AD00918E8B8633DA2DA5D9009CE0208FAE374BC7A60183ADD410B87C2DBF9C258D144B9E078B5C50EFD107C45797315CB5BFECAE75
Malicious:false
Preview:MDMP..a..... ........v.g........................t...........<...L.......$....-..........`.......8...........T.......................................t...............................................................................eJ..............Lw......................T.......$....v.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Fri Oct 25 10:46:02 2024, 0x1205a4 type
Category:dropped
Size (bytes):575338
Entropy (8bit):0.8890901316040474
Encrypted:false
SSDEEP:384:XPhwuTGemTpu/EoWnu3+nW3gl+UXbiTCd+U/VpWFJcEFf:Xpwua/oWu3Yd+U9qcEF
MD5:128A62AF8F3D75C39A4307486C0C163A
SHA1:FD40F49618D8961882FF575129D1F67AFB75DABA
SHA-256:860A974476596625E29F20A2B969171B29CEA409E8950027099A3EDF41208BC1
SHA-512:16CAB336BBB1E8D3F76616121EF3C10CA8719F116DC31247BC66549DA00F5BE3B314B924D3A54AEFAA8F3206651EA3151B26E1A9B12EEB85AC27716FD679C97E
Malicious:false
Preview:MDMP..a..... ........v.g........................t...........<...L.......4....-..........`.......8...........T......................................t...............................................................................eJ..............Lw......................T............v.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8678
Entropy (8bit):3.696372154910322
Encrypted:false
SSDEEP:192:R6l7wVeJzA3k/6YBKHfgmf0VUEiNnbpDT89bxLWffbm:R6lXJU3s6Ys/gmf0VUEiNn6xKf6
MD5:A902107E281A1AAB7DFCF60A10C88C52
SHA1:EBA6A2E22CAAFF8CE12114644EA93FDE446229FF
SHA-256:BB2ACFBEF32F1FA99AFB6AE74F75BC2152C7926F3CB4C10463CA3AF00B3E8815
SHA-512:91DAB8C8A173BC2C9453D589F25B757CFEE54F47584A5445BD6E4ECDD0E852B91FF660E42A481CB66909A3598EFA8594BA3D626F6388E317702937A09561CD71
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.8.4.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4989
Entropy (8bit):4.542755236870299
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg771I9ylWpW8VYIDYm8M4JC34YgFVyq8vh4YIptSTSud:uIjf4I7JU7VEJtW8poOud
MD5:A0D1603D5D30D4848FD21FDDDD02D655
SHA1:49F5F6B40F07BCFAD630C78A7800DCEC81FA9269
SHA-256:62077E9F8101F0C891A6F64C26AA5F9B7413F2B623FC7FC592498AF6A4FCAE14
SHA-512:4A83A174449BBB1A24BD35E744082F78EC706B8FC9ED988FEC7F3EB727857A2FD7B5CC30F654DC2997C9A8A29F32E43CBE2C21368E78471985E0F2CD067F2B65
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="558828" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8720
Entropy (8bit):3.6978323100448858
Encrypted:false
SSDEEP:192:R6l7wVeJW9qK+6YZxVgmf0VUEwijpD089boPWfZYm:R6lXJEqL6YvVgmf0VUEwyoufT
MD5:513C41C02A425EDA896D1095744EA401
SHA1:D746665AFB383B2E4FC248D1B50F3BAB2D874293
SHA-256:2F04798F10D91EB3B4D6FF52BBF00277C18D7E3914C2FC4B1A9CA6EF2A56ABC9
SHA-512:7AC7B27A48DE365362DE433F50E018BBAC782BF773FB6ACD2A6E67F2B37FEC13D866FC17651BEF84651606090E55525AAAD7848FA9FED9F60BCDB590B9DC884D
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.4.4.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5035
Entropy (8bit):4.567784838278926
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg771I9ylWpW8VYIBoYm8M4JC34XFiyq8vh4qVptSTSxd:uIjf4I7JU7VHFJkWdpoOxd
MD5:86DB52F9DD2567D2D4E44CB695FAAF0D
SHA1:95DAECDAA38885E386CA4C62FFDFE3DBF93DC6CE
SHA-256:C14A6E6B0AA3A204873D147AB7D0DC5DC45C47BBE2F48D2B2FA60FF03713A220
SHA-512:1A28C64721BF360F143709B719A9D2E3C991A1E8E554CE71F74ECF6842D34FF387E185B205C4BBC5B08A854310A8C3F1B9F0D5F173B7B26FDE4CFDDE37AE41DA
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="558828" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Fri Oct 25 10:46:05 2024, 0x1205a4 type
Category:dropped
Size (bytes):578202
Entropy (8bit):0.8864098378237648
Encrypted:false
SSDEEP:768:VOUrjz7DLTbjrz7DLTbjrz7DLTbjrz7DLTbj1Syay621ZBve3JnkiktPHCEOffKU:ZSya2RqkiktPHkffK
MD5:FD36EE5B7F3BCBD173136BE213B709C6
SHA1:89D29A6F1D1AAE56692F98198B536D3DDD227604
SHA-256:D53EC5EAD278D8148F7BCBEF63CCC192076181B3F59F2CBAD58F00084E80FA41
SHA-512:BA7CA56DA96EFDC19907BF54AB1F9277273D9C39570B1CACCAEB6F7115924837BAC335F8F0C03B9A416D4094AEE83DE2F4074AE6F7873EE57C965B2678210B3E
Malicious:false
Preview:MDMP..a..... ........v.g........................t...........<...L.......4....-..........`.......8...........T.......................................t...............................................................................eJ..............Lw......................T.......(....v.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8718
Entropy (8bit):3.7003772415028733
Encrypted:false
SSDEEP:192:R6l7wVeJ7l1IF6YZBVgmf0VUEwijpDRC89b+wWftKm:R6lXJJeF6YfVgmf0VUEwg7+ZfB
MD5:AC20CF3B7366BBA0252F9F568FA93C9A
SHA1:4E6D031B0E46D2FB8B9511F782B3B25259DE0162
SHA-256:4176993E80EB8CFA52089172E997214843BD3B19390D1ABAC42921878CA3EC97
SHA-512:4224E36F8B35FAFE284D1AFC9ED10BE485422C438E61D063851D0BDE0A0DE891C385CF380A062D03D92B71751BA73F888F05530EB3397906177314596681D659
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5035
Entropy (8bit):4.570322002370681
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg771I9ylWpW8VYIvYm8M4JC34XFNyq8vh4h9ptSTSBd:uIjf4I7JU7V0JXWQpoOBd
MD5:FAB923D0C1B8F07105843C148C53759F
SHA1:039AA21C9551F084682ABF077345C827B7909917
SHA-256:345DE4287E49B28A08F0E5DDBC7628F5205EDCCBFD8DDBFBE67EEF9784607C20
SHA-512:AD5FEDA7BE9905489031919DC9F7844A74EDC479A8AA71E680B0100F0CF2A39BBEAD673FA25C2E01702CADF2B65C80375535422E3856866297EFE114F34623F9
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="558828" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Fri Oct 25 10:46:08 2024, 0x1205a4 type
Category:dropped
Size (bytes):577186
Entropy (8bit):0.886308258120648
Encrypted:false
SSDEEP:384:B2BVtVu3apXh3B9V9s34v434vSZlZnQ0WC3ksGOUm0:kBN5hx9E34vSJnLk5
MD5:FDF70F2BCC2C2A1FA7D678C199E13A47
SHA1:BF3547CE59CC10164FF3886CCDF7D02F8D8E5B91
SHA-256:E097BE4CC8D8120E93E8D5EB10F997736FCB97B2FD08E5574923FF83B4A2048E
SHA-512:02CEC27DE638D5E5CC1FB8DAE2128439D53E2CC0D3AB1941A95D05AAF26AD94F08532000FCF1A706BBB14E53EF755AA782A074A206A4CCA2C682456D66F9821D
Malicious:false
Preview:MDMP..a..... ........v.g........................t...........<...L.......D....-..........`.......8...........T.......................................t...............................................................................eJ..............Lw......................T.......P....v.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8718
Entropy (8bit):3.7001929730719922
Encrypted:false
SSDEEP:192:R6l7wVeJEAr16YZYVgmf0VUEwijpDa89brjofqGZm:R6lXJjr16Y2Vgmf0VUEwArMfqZ
MD5:D8502FB67998E2EECB40B63E8CC95382
SHA1:900E85DD3F1B31E244CA33D682200F06728B7117
SHA-256:A4A5B144EFB0AE072B30181A4D1E63C615E9546A78C618941307A6B781149499
SHA-512:59D33B813CF6D652B92DE385446F9D88D07678E4429CC7933C569A9BF48BD50A893A5E23FAD6122B32ECBDFA1E88E61F456857DCD137093498A08D03BE2D3789
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.4.8.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5035
Entropy (8bit):4.572948853530648
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg771I9ylWpW8VYICYm8M4JC34XFvjyq8vh4SptSTSFd:uIjf4I7JU7VFJ5jWFpoOFd
MD5:083616840F482C8616ABD068BA3769EB
SHA1:8763EB1DA4DDDCD09F4AC088B29F22040F60FB1A
SHA-256:AE336A2BEFC1917903BE35CAAEDD16752E04DCF4A4797A1F53C994558C04BD15
SHA-512:5D1A6FFF0CD650A3FEFDE0B383119B1D31A413E9CA0B9240B4FC14AF0DFAF20DD6B33512399213A6AA8C683712570E0FCBA1A0DE908C29EAD94C8C6F5E816D06
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="558828" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.466372140248933
Encrypted:false
SSDEEP:6144:xIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:SXD94zWlLZMM6YFHa+9
MD5:F71281DAA0B521F07B805C120E9AFC17
SHA1:21AE2D9465D6FB0182E1133B5E802C06F8774BCC
SHA-256:3D8225BDCC17283679A535EE77D25E11A523915721BBBAC256920245A69FA686
SHA-512:52B786E3536207CE31C59D889390DC6F38650E43ECD40097D24AC16E50C900FE38DD540751CA25859EE86CCF75EF14218918570E0791E30E492D49A6CCE133F9
Malicious:false
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~....&...............................................................................................................................................................................................................................................................................................................................................(.!........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):5.852515449410217
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll
File size:139'776 bytes
MD5:76dae69bfde8cb40d0259f8b3736820c
SHA1:a7f83b240002220cae161c351946c59e7db255c9
SHA256:e8cd3d85840d7eedb28875ea60457f450d3b3c57f0834012f77a9a7fe713e6ad
SHA512:0a718b8295448a4b57e1e656c1446e8ffadd09ac07a7754cbe1ae42c225be1630d552b05b8887db74cedf4b7d49f58c778cbaadd02d85a782b8175fdd26cef92
SSDEEP:3072:YPBL22Nu6dCcGmBG3AxkEaaW6QlJlMQ6+snerWM5WH:cgBuBG3ck48lJWerWMgH
TLSH:92D3283FB2B542BBD426813984530F35A332F8950730DB9F0A954ABD1EB37D19D29B62
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .^Rdq0.dq0.dq0./.3.aq0./.5..q0./.4.nq0.6.5.Fq0.6.4.jq0.6.3.mq0./.1.cq0.dq1..q0...9.cq0...0.eq0.....eq0...2.eq0.Richdq0........
Icon Hash:7ae282899bbab082
Entrypoint:0x180005018
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6715F971 [Mon Oct 21 06:49:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:44cdc801a895c4cbaf14c1dd721f21ad
Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F9954815817h
call 00007F9954815870h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F99548156A4h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007F9954815821h
dec eax
mov ecx, ebx
call 00007F995481943Ah
test eax, eax
je 00007F9954815825h
dec eax
mov ecx, ebx
call 00007F99548194A6h
dec eax
test eax, eax
je 00007F99548157F9h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007F9954815818h
call 00007F9954815F54h
int3
call 00007F9954815F6Eh
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00019F68h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F9954815886h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [0000E01Ah]
dec eax
mov eax, dword ptr [ebp+18h]
dec eax
mov dword ptr [ebp+10h], eax
call dword ptr [0000E004h]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [0000DFF0h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1d1e0 | 0x5ec | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d7cc | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0xf8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x21000 | 0x1254 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x29000 | 0xa94 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b720 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1b760 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x348 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x115a2 | 0x11600 | 5078fef54c7d2e2983707352221cdea1 | False | 0.590349595323741 | zlib compressed data | 6.4854667724654576 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0xb2ca | 0xb400 | ccca7978ba6b4b2f434c1c9408cd8026 | False | 0.4117838541666667 | data | 4.630939705872032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1f000 | 0x1d98 | 0xc00 | 0aea13ff98a072bc3efa4a3addb4f808 | False | 0.1435546875 | DOS executable (block device driver \322f\324\377\3772) | 2.042643173523336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x21000 | 0x1254 | 0x1400 | 33c17830c447237df1a4ba8f73ce1bba | False | 0.442578125 | data | 4.646158518892248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x23000 | 0xfc | 0x200 | c1afef9f385ed834f9b1d5311af224c0 | False | 0.296875 | data | 1.9925111403557825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourc | 0x24000 | 0x21c0 | 0x2200 | c5690763d958566407d69b1cc40d6e4b | False | 0.14510569852941177 | data | 2.7185189157071132 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourd | 0x27000 | 0x18 | 0x200 | 083338860205efcc4d20e102cfe79c12 | False | 0.037109375 | Matlab v4 mat-file (little endian) \377\377\377\377, numeric, rows 0, columns 0 | 0.11611507530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28000 | 0xf8 | 0x200 | af9421cf07137b18ce8c7d80578e5fc4 | False | 0.3359375 | data | 2.5220112108280497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x29000 | 0xa94 | 0xc00 | 59aa9a8f5d7e94e2dec9d29ba1a9251b | False | 0.3570963541666667 | data | 5.180079286833233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x28060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793
DLL | Import
KERNEL32.dll | LoadLibraryA, GetProcAddress, FreeLibrary, Sleep, GetCurrentThread, VirtualFree, SetEvent, WaitForSingleObject, ResetEvent, CreateThread, CloseHandle, CreateFileA, GetFileSize, ReadFile, GetLastError, CreateEventW, AddVectoredExceptionHandler, GetModuleFileNameA, GetModuleHandleW, WriteConsoleW, HeapReAlloc, HeapSize, GetStringTypeW, FlushFileBuffers, SetStdHandle, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, VirtualProtect, GetCurrentProcess, VirtualAlloc, SuspendThread, ResumeThread, VirtualProtectEx, GetThreadContext, FlushInstructionCache, SetThreadContext, VirtualQuery, VirtualQueryEx, SetLastError, LoadLibraryExA, LoadLibraryExW, RtlUnwindEx, InterlockedFlushSList, RtlPcToFileHeader, RaiseException, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, TerminateProcess, GetModuleHandleExW, GetModuleFileNameW, GetConsoleMode, WriteFile, GetConsoleOutputCP, SetFilePointerEx, HeapFree, GetStdHandle, GetFileType, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, CreateFileW
USER32.dll | PeekMessageW, DispatchMessageW, TranslateMessage
SHLWAPI.dll | PathRemoveFileSpecA, PathAppendA
Name | Ordinal | Address
HTMLayoutCallBehaviorMethod | 1 | 0x1800027c0
HTMLayoutCreateElement | 2 | 0x1800027c0
HTMLayoutDataReady | 3 | 0x1800027c0
HTMLayoutGetAttributeByName | 4 | 0x1800027c0
HTMLayoutGetChildrenCount | 5 | 0x1800027c0
HTMLayoutGetElementHwnd | 6 | 0x1800027c0
HTMLayoutGetElementIndex | 7 | 0x1800027c0
HTMLayoutGetElementInnerTextCB | 8 | 0x1800027c0
HTMLayoutGetElementLocation | 9 | 0x1800027c0
HTMLayoutGetElementState | 10 | 0x1800027c0
HTMLayoutGetNthChild | 11 | 0x1800027c0
HTMLayoutGetParentElement | 12 | 0x1800027c0
HTMLayoutGetRootElement | 13 | 0x1800027c0
HTMLayoutGetStyleAttribute | 14 | 0x1800027c0
HTMLayoutInsertElement | 15 | 0x1800027c0
HTMLayoutLoadFile | 16 | 0x1800027c0
HTMLayoutLoadHtmlEx | 17 | 0x1800027c0
HTMLayoutPostEvent | 18 | 0x1800027c0
HTMLayoutProcND | 19 | 0x1800027c0
HTMLayoutScrollToView | 20 | 0x1800027c0
HTMLayoutSelectElements | 21 | 0x1800027c0
HTMLayoutSelectElementsW | 22 | 0x1800027c0
HTMLayoutSendEvent | 23 | 0x1800027c0
HTMLayoutSetAttributeByName | 24 | 0x1800027c0
HTMLayoutSetCallback | 25 | 0x1800027c0
HTMLayoutSetElementHtml | 26 | 0x1800027c0
HTMLayoutSetElementInnerText16 | 27 | 0x1800027c0
HTMLayoutSetElementState | 28 | 0x1800027c0
HTMLayoutSetOption | 29 | 0x1800027c0
HTMLayoutSetStyleAttribute | 30 | 0x1800027c0
HTMLayoutSetupDebugOutput | 31 | 0x1800027c0
HTMLayoutUpdateElement | 32 | 0x1800027c0
HTMLayoutUpdateElementEx | 33 | 0x1800027c0
HTMLayoutUpdateWindow | 34 | 0x1800027c0
HTMLayoutVisitElements | 35 | 0x1800027c0
HTMLayoutWindowAttachEventHandler | 36 | 0x1800027c0
HTMLayoutWindowDetachEventHandler | 37 | 0x1800027c0
HTMLayout_UnuseElement | 38 | 0x1800027c0
HTMLayout_UseElement | 39 | 0x1800027c0
sqlite3_close | 40 | 0x1800027c0
sqlite3_column_text | 41 | 0x1800027c0
sqlite3_open16 | 42 | 0x1800027c0
sqlite3_prepare_v2 | 43 | 0x1800027c0
sqlite3_step | 44 | 0x1800027c0
Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found


Target ID:0
Start time:06:46:01
Start date:25/10/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll"
Imagebase:0x7ff74d940000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:1
Start time:06:46:01
Start date:25/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:2
Start time:06:46:01
Start date:25/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",#1
Imagebase:0x7ff66d510000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:06:46:01
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutCallBehaviorMethod
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:06:46:01
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",#1
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:06:46:02
Start date:25/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 2084 -s 344
Imagebase:0x7ff7d6030000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:06:46:02
Start date:25/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 3844 -s 288
Imagebase:0x7ff7d6030000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:10
Start time:06:46:04
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutCreateElement
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:12
Start time:06:46:05
Start date:25/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 5416 -s 296
Imagebase:0x7ff7d6030000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:06:46:07
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll,HTMLayoutDataReady
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:06:46:08
Start date:25/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7248 -s 288
Imagebase:0x7ff7d6030000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:06:46:10
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutCallBehaviorMethod
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:06:46:10
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutCreateElement
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:06:46:10
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutDataReady
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_step
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_prepare_v2
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_open16
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_column_text
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",sqlite3_close
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayout_UseElement
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayout_UnuseElement
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutWindowDetachEventHandler
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutWindowAttachEventHandler
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutVisitElements
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateWindow
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateElementEx
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutUpdateElement
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetupDebugOutput
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetStyleAttribute
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetOption
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementState
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementInnerText16
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetElementHtml
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:06:46:11
Start date:25/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.Kryptik.DQOJJU.32487.4625.dll",HTMLayoutSetCallback
Imagebase:0x7ff7eb6f0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

    Execution Graph

    Execution Coverage:5%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:7.4%
    Total number of Nodes:1356
    Total number of Limit Nodes:16
6493->6496 6494 7ffe115033c3 GetCurrentProcess 6511 7ffe115033e4 6494->6511 6519 7ffe11503485 6494->6519 6495 7ffe11503280 GetThreadContext 6495->6521 6500 7ffe115035ed 6496->6500 6498 7ffe11503137 6497->6498 6499 7ffe11503174 6497->6499 6503 7ffe11503140 VirtualProtect FlushInstructionCache 6498->6503 6499->6493 6505 7ffe11503184 ResumeThread 6499->6505 6500->6420 6501 7ffe115030a0 VirtualProtect 6501->6506 6502 7ffe115033f0 VirtualProtect FlushInstructionCache 6502->6511 6503->6499 6503->6503 6504 7ffe1150352c GetCurrentProcess 6508 7ffe11503584 6504->6508 6509 7ffe11503541 6504->6509 6510 7ffe115059e0 13 API calls 6505->6510 6506->6497 6506->6501 6507 7ffe115059e0 13 API calls 6506->6507 6507->6506 6508->6493 6514 7ffe11503590 ResumeThread 6508->6514 6513 7ffe11503550 VirtualProtect FlushInstructionCache 6509->6513 6515 7ffe1150319e 6510->6515 6511->6502 6512 7ffe115059e0 13 API calls 6511->6512 6511->6519 6512->6511 6513->6508 6513->6513 6516 7ffe115059e0 13 API calls 6514->6516 6515->6505 6517 7ffe115031a6 6515->6517 6518 7ffe115035aa 6516->6518 6517->6493 6518->6493 6518->6514 6519->6504 6520 7ffe11503502 VirtualFree 6519->6520 6520->6519 6521->6494 6521->6495 6523 7ffe11503310 SetThreadContext 6521->6523 6523->6521 6525 7ffe115040c0 VirtualQuery 6524->6525 6526 7ffe115040e4 6525->6526 6527 7ffe115040d9 6525->6527 6526->6525 6526->6527 6527->6428 6529 7ffe11504272 6528->6529 6538 7ffe11504140 6529->6538 6532 7ffe11504283 6532->6428 6533 7ffe1150433b SetLastError 6535 7ffe11504357 6533->6535 6534 7ffe115042a4 6536 7ffe1150432c SetLastError 6534->6536 6537 7ffe11504310 SetLastError 6534->6537 6535->6428 6536->6535 6537->6535 6539 7ffe11504157 6538->6539 6540 7ffe1150414e GetModuleHandleW 6538->6540 6541 7ffe11504174 6539->6541 6542 7ffe11504162 SetLastError 6539->6542 6540->6539 6544 7ffe11504196 6541->6544 6545 7ffe11504184 SetLastError 6541->6545 6543 7ffe1150424b 6542->6543 6543->6532 6543->6533 6543->6534 6546 7ffe115041a0 SetLastError 6544->6546 6548 
7ffe115041b2 6544->6548 6545->6543 6546->6543 6547 7ffe1150422f SetLastError 6547->6543 6548->6547 6549 7ffe11504214 SetLastError 6548->6549 6549->6543 6553 7ffe11505063 6551->6553 6552 7ffe11503639 SuspendThread 6552->6448 6552->6449 6553->6552 6555 7ffe11505082 6553->6555 6567 7ffe11508c90 6553->6567 6556 7ffe1150508d 6555->6556 6570 7ffe115057cc 6555->6570 6574 7ffe115057ec 6556->6574 6561 7ffe11505a14 6560->6561 6562 7ffe1150bb21 HeapFree 6561->6562 6563 7ffe1150365f 6561->6563 6562->6563 6564 7ffe1150bb3c GetLastError 6562->6564 6563->6410 6565 7ffe1150bb49 Concurrency::details::SchedulerProxy::DeleteThis 6564->6565 6589 7ffe1150a1e4 6565->6589 6578 7ffe11508cd0 6567->6578 6571 7ffe115057da std::bad_alloc::bad_alloc 6570->6571 6584 7ffe115060b8 6571->6584 6573 7ffe115057eb 6575 7ffe115057fa std::bad_alloc::bad_alloc 6574->6575 6576 7ffe115060b8 Concurrency::cancel_current_task 2 API calls 6575->6576 6577 7ffe11505093 6576->6577 6583 7ffe1150c118 EnterCriticalSection 6578->6583 6585 7ffe115060d7 6584->6585 6586 7ffe115060f4 RtlPcToFileHeader 6584->6586 6585->6586 6587 7ffe1150611b RaiseException 6586->6587 6588 7ffe1150610c 6586->6588 6587->6573 6588->6587 6592 7ffe1150b888 GetLastError 6589->6592 6591 7ffe1150a1ed 6591->6563 6593 7ffe1150b8c9 FlsSetValue 6592->6593 6597 7ffe1150b8ac 6592->6597 6594 7ffe1150b8db 6593->6594 6607 7ffe1150b8b9 SetLastError 6593->6607 6609 7ffe1150c24c 6594->6609 6597->6593 6597->6607 6599 7ffe1150b908 FlsSetValue 6602 7ffe1150b914 FlsSetValue 6599->6602 6603 7ffe1150b926 6599->6603 6600 7ffe1150b8f8 FlsSetValue 6601 7ffe1150b901 6600->6601 6616 7ffe1150bb1c 6601->6616 6602->6601 6622 7ffe1150b47c 6603->6622 6607->6591 6614 7ffe1150c25d _invalid_parameter_noinfo 6609->6614 6610 7ffe1150c2ae 6613 7ffe1150a1e4 __std_exception_copy 10 API calls 6610->6613 6611 7ffe1150c292 HeapAlloc 6612 7ffe1150b8ea 6611->6612 6611->6614 6612->6599 6612->6600 6613->6612 6614->6610 6614->6611 6615 7ffe11508c90 _invalid_parameter_noinfo 2 API calls 
6614->6615 6615->6614 6617 7ffe1150bb21 HeapFree 6616->6617 6618 7ffe1150bb52 6616->6618 6617->6618 6619 7ffe1150bb3c GetLastError 6617->6619 6618->6607 6620 7ffe1150bb49 Concurrency::details::SchedulerProxy::DeleteThis 6619->6620 6621 7ffe1150a1e4 __std_exception_copy 9 API calls 6620->6621 6621->6618 6627 7ffe1150b354 6622->6627 6639 7ffe1150c118 EnterCriticalSection 6627->6639 6642 7ffe11511ad9 6641->6642 6643 7ffe11502741 6642->6643 6644 7ffe11511d54 IsProcessorFeaturePresent 6642->6644 6643->6466 6645 7ffe11511d6c 6644->6645 6650 7ffe11511f48 RtlCaptureContext 6645->6650 6651 7ffe11511f62 RtlLookupFunctionEntry 6650->6651 6652 7ffe11511d7f 6651->6652 6653 7ffe11511f78 RtlVirtualUnwind 6651->6653 6654 7ffe11511d20 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6652->6654 6653->6651 6653->6652 6656 7ffe11502eb6 6655->6656 6657 7ffe11502eae 6655->6657 6660 7ffe11502ed6 6656->6660 6680 7ffe115027d0 VirtualQuery 6656->6680 6657->6473 6658 7ffe11502f10 6658->6473 6660->6658 6661 7ffe115027d0 VirtualQuery 6660->6661 6661->6658 6663 7ffe11502c4d 6662->6663 6664 7ffe11502d76 6663->6664 6669 7ffe11502df8 6663->6669 6682 7ffe11502b40 6663->6682 6668 7ffe11502d8a 6664->6668 6687 7ffe11502a50 6664->6687 6668->6669 6670 7ffe11502db2 6668->6670 6671 7ffe11502a50 2 API calls 6668->6671 6669->6482 6672 7ffe11502dc6 6670->6672 6674 7ffe11502b40 2 API calls 6670->6674 6673 7ffe11502daa 6671->6673 6672->6669 6675 7ffe11502b40 2 API calls 6672->6675 6673->6669 6673->6670 6674->6672 6676 7ffe11502dd9 6675->6676 6676->6669 6677 7ffe11502de1 6676->6677 6678 7ffe11502a50 2 API calls 6677->6678 6679 7ffe11502dec 6678->6679 6679->6669 6681 7ffe115027fa 6680->6681 6681->6660 6683 7ffe11502c18 6682->6683 6685 7ffe11502b6d 6682->6685 6683->6664 6683->6669 6684 7ffe11502b8b VirtualQuery 6684->6683 6684->6685 6685->6683 6685->6684 6686 7ffe11502bcb VirtualAlloc 6685->6686 6686->6683 6686->6685 6691 7ffe11502a68 6687->6691 6688 7ffe11502b2a 6688->6668 
6689 7ffe11502a9b VirtualQuery 6689->6688 6689->6691 6690 7ffe11502ade VirtualAlloc 6690->6688 6690->6691 6691->6688 6691->6689 6691->6690 6914 7ffe11502190 6915 7ffe115021ca 6914->6915 6916 7ffe1150219f VirtualProtect 6914->6916 7164 7ffe11505210 7171 7ffe11505ca4 7164->7171 7167 7ffe1150521d 7172 7ffe11506268 _CatchTryBlock 22 API calls 7171->7172 7173 7ffe11505219 7172->7173 7173->7167 7174 7ffe11509a70 7173->7174 7175 7ffe1150b888 __std_exception_copy 11 API calls 7174->7175 7176 7ffe11505226 7175->7176 7176->7167 7177 7ffe11505cb8 7176->7177 7180 7ffe115061fc 7177->7180 7181 7ffe11505cc3 7180->7181 7182 7ffe11506210 7180->7182 7181->7167 7183 7ffe1150621a 7182->7183 7184 7ffe11507248 __vcrt_freeptd 6 API calls 7182->7184 7188 7ffe11507290 7183->7188 7184->7183 7187 7ffe11509b08 __vcrt_freeptd 13 API calls 7187->7181 7189 7ffe11507068 __vcrt_InitializeCriticalSectionEx 5 API calls 7188->7189 7190 7ffe115072be 7189->7190 7191 7ffe1150622a 7190->7191 7192 7ffe115072d0 TlsSetValue 7190->7192 7191->7181 7191->7187 7192->7191 7193 7ffe11502010 7194 7ffe11502020 PeekMessageW 7193->7194 7195 7ffe1150203f 7194->7195 7196 7ffe1150205e Sleep 7194->7196 7197 7ffe1150206b 7195->7197 7198 7ffe11502046 TranslateMessage DispatchMessageW 7195->7198 7196->7194 7198->7194 7199 7ffe1150862c 7204 7ffe1150855f __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 7199->7204 7200 7ffe11508653 7201 7ffe1150624c _CatchTryBlock 63 API calls 7200->7201 7202 7ffe11508658 7201->7202 7206 7ffe1150624c _CatchTryBlock 63 API calls 7202->7206 7207 7ffe11508663 7202->7207 7203 7ffe1150868e 7205 7ffe11509b7c __FrameHandler3::FrameUnwindToEmptyState 52 API calls 7203->7205 7204->7200 7204->7203 7211 7ffe115068d8 63 API calls Is_bad_exception_allowed 7204->7211 7213 7ffe11506900 7204->7213 7205->7207 7206->7207 7208 7ffe11508670 __FrameHandler3::GetHandlerSearchState 7207->7208 7209 7ffe11509b7c __FrameHandler3::FrameUnwindToEmptyState 52 API calls 7207->7209 7210 7ffe11508699 7209->7210 
7211->7204 7214 7ffe1150624c _CatchTryBlock 63 API calls 7213->7214 7215 7ffe1150690e 7214->7215 7215->7204 6917 7ffe115103ad 6918 7ffe115103e5 6917->6918 6919 7ffe115103f9 6917->6919 6920 7ffe1150a1e4 __std_exception_copy 11 API calls 6918->6920 6919->6918 6921 7ffe115103fe 6919->6921 6922 7ffe115103ea 6920->6922 6925 7ffe115103f5 6921->6925 6926 7ffe1150ccf8 6921->6926 6923 7ffe1150a0a8 _invalid_parameter_noinfo 52 API calls 6922->6923 6923->6925 6927 7ffe1150cd17 6926->6927 6928 7ffe1150cd1c 6926->6928 6927->6925 6928->6927 6929 7ffe1150b710 __FrameHandler3::FrameUnwindToEmptyState 52 API calls 6928->6929 6930 7ffe1150cd37 6929->6930 6934 7ffe1150e7f0 6930->6934 6935 7ffe1150e805 6934->6935 6936 7ffe1150cd5a 6934->6936 6935->6936 6942 7ffe1150f53c 6935->6942 6938 7ffe1150e85c 6936->6938 6939 7ffe1150e884 6938->6939 6940 7ffe1150e871 6938->6940 6939->6927 6940->6939 6955 7ffe1150d834 6940->6955 6943 7ffe1150b710 __FrameHandler3::FrameUnwindToEmptyState 52 API calls 6942->6943 6944 7ffe1150f54b 6943->6944 6945 7ffe1150f596 6944->6945 6954 7ffe1150c118 EnterCriticalSection 6944->6954 6945->6936 6956 7ffe1150b710 __FrameHandler3::FrameUnwindToEmptyState 52 API calls 6955->6956 6957 7ffe1150d83d 6956->6957 8096 7ffe1150770e 8097 7ffe11509b7c __FrameHandler3::FrameUnwindToEmptyState 52 API calls 8096->8097 8098 7ffe11507713 8097->8098 8099 7ffe1151232e 8100 7ffe11506884 __CxxCallCatchBlock 63 API calls 8099->8100 8105 7ffe11512341 8100->8105 8101 7ffe11512372 __CxxCallCatchBlock 8102 7ffe1150624c _CatchTryBlock 63 API calls 8101->8102 8103 7ffe11512386 8102->8103 8104 7ffe1150624c _CatchTryBlock 63 API calls 8103->8104 8106 7ffe11512396 8104->8106 8105->8101 8107 7ffe11505d6c __CxxCallCatchBlock 63 API calls 8105->8107 8107->8101 7216 7ffe11510830 7219 7ffe1150d7d4 7216->7219 7220 7ffe1150d7e1 7219->7220 7224 7ffe1150d826 7219->7224 7225 7ffe1150b7e4 7220->7225 7226 7ffe1150b810 FlsSetValue 7225->7226 7227 7ffe1150b7f5 FlsGetValue 7225->7227 7228 7ffe1150b802 
7226->7228 7230 7ffe1150b81d 7226->7230 7227->7228 7229 7ffe1150b80a 7227->7229 7231 7ffe1150b808 7228->7231 7233 7ffe11509b7c __FrameHandler3::FrameUnwindToEmptyState 52 API calls 7228->7233 7229->7226 7232 7ffe1150c24c _invalid_parameter_noinfo 11 API calls 7230->7232 7245 7ffe1150d4ac 7231->7245 7234 7ffe1150b82c 7232->7234 7235 7ffe1150b885 7233->7235 7236 7ffe1150b84a FlsSetValue 7234->7236 7237 7ffe1150b83a FlsSetValue 7234->7237 7238 7ffe1150b856 FlsSetValue 7236->7238 7239 7ffe1150b868 7236->7239 7240 7ffe1150b843 7237->7240 7238->7240 7241 7ffe1150b47c _invalid_parameter_noinfo 11 API calls 7239->7241 7242 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7240->7242 7243 7ffe1150b870 7241->7243 7242->7228 7243->7231 7244 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7243->7244 7244->7231 7268 7ffe1150d71c 7245->7268 7247 7ffe1150d4e1 7283 7ffe1150d1ac 7247->7283 7250 7ffe1150d4fe 7250->7224 7252 7ffe1150d50f 7253 7ffe1150d517 7252->7253 7255 7ffe1150d526 7252->7255 7254 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7253->7254 7254->7250 7255->7255 7297 7ffe1150d850 7255->7297 7258 7ffe1150d622 7259 7ffe1150a1e4 __std_exception_copy 11 API calls 7258->7259 7260 7ffe1150d627 7259->7260 7262 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7260->7262 7261 7ffe1150d67d 7264 7ffe1150d6e4 7261->7264 7308 7ffe1150cfdc 7261->7308 7262->7250 7263 7ffe1150d63c 7263->7261 7266 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7263->7266 7265 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7264->7265 7265->7250 7266->7261 7269 7ffe1150d73f 7268->7269 7270 7ffe1150d749 7269->7270 7323 7ffe1150c118 EnterCriticalSection 7269->7323 7273 7ffe1150d7bb 7270->7273 7275 7ffe11509b7c __FrameHandler3::FrameUnwindToEmptyState 52 API calls 7270->7275 7273->7247 7277 7ffe1150d7d3 7275->7277 7279 7ffe1150b7e4 57 API calls 
7277->7279 7282 7ffe1150d826 7277->7282 7280 7ffe1150d810 7279->7280 7281 7ffe1150d4ac 72 API calls 7280->7281 7281->7282 7282->7247 7284 7ffe1150ccf8 52 API calls 7283->7284 7285 7ffe1150d1c0 7284->7285 7286 7ffe1150d1de 7285->7286 7287 7ffe1150d1cc GetOEMCP 7285->7287 7288 7ffe1150d1f3 7286->7288 7289 7ffe1150d1e3 GetACP 7286->7289 7287->7288 7288->7250 7290 7ffe1150c188 7288->7290 7289->7288 7291 7ffe1150c1d3 7290->7291 7296 7ffe1150c197 _invalid_parameter_noinfo 7290->7296 7292 7ffe1150a1e4 __std_exception_copy 11 API calls 7291->7292 7294 7ffe1150c1d1 7292->7294 7293 7ffe1150c1ba HeapAlloc 7293->7294 7293->7296 7294->7252 7295 7ffe11508c90 _invalid_parameter_noinfo 2 API calls 7295->7296 7296->7291 7296->7293 7296->7295 7298 7ffe1150d1ac 54 API calls 7297->7298 7299 7ffe1150d87d 7298->7299 7300 7ffe1150d9d3 7299->7300 7302 7ffe1150d8ba IsValidCodePage 7299->7302 7307 7ffe1150d8d4 __FrameHandler3::FrameUnwindToEmptyState 7299->7307 7301 7ffe11511ad0 _log10_special 8 API calls 7300->7301 7303 7ffe1150d619 7301->7303 7302->7300 7304 7ffe1150d8cb 7302->7304 7303->7258 7303->7263 7305 7ffe1150d8fa GetCPInfo 7304->7305 7304->7307 7305->7300 7305->7307 7324 7ffe1150d2c4 7307->7324 7410 7ffe1150c118 EnterCriticalSection 7308->7410 7325 7ffe1150d301 GetCPInfo 7324->7325 7334 7ffe1150d3f7 7324->7334 7331 7ffe1150d314 7325->7331 7325->7334 7326 7ffe11511ad0 _log10_special 8 API calls 7327 7ffe1150d496 7326->7327 7327->7300 7335 7ffe1150f8c8 7331->7335 7334->7326 7336 7ffe1150ccf8 52 API calls 7335->7336 7337 7ffe1150f90a 7336->7337 7355 7ffe1150dbc0 7337->7355 7357 7ffe1150dbc9 MultiByteToWideChar 7355->7357 8108 7ffe1150e330 8109 7ffe1150e369 8108->8109 8110 7ffe1150e33a 8108->8110 8110->8109 8111 7ffe1150e34f FreeLibrary 8110->8111 8111->8110 6958 7ffe11505788 6963 7ffe11506090 6958->6963 6961 7ffe115057bc 6962 7ffe115059e0 13 API calls 6962->6961 6964 7ffe115057aa 6963->6964 6965 7ffe1150609f 6963->6965 6964->6961 6964->6962 6967 7ffe11509b08 6965->6967 6968 
7ffe1150bb1c 6967->6968 6969 7ffe1150bb21 HeapFree 6968->6969 6970 7ffe1150bb52 6968->6970 6969->6970 6971 7ffe1150bb3c GetLastError 6969->6971 6970->6964 6972 7ffe1150bb49 Concurrency::details::SchedulerProxy::DeleteThis 6971->6972 6973 7ffe1150a1e4 __std_exception_copy 11 API calls 6972->6973 6973->6970 7914 7ffe11505688 7915 7ffe11506000 __std_exception_copy 54 API calls 7914->7915 7916 7ffe115056b1 7915->7916 6974 7ffe11511fbc 6984 7ffe11505a1c 6974->6984 6976 7ffe11511fe4 6978 7ffe1150624c _CatchTryBlock 63 API calls 6979 7ffe11511ff4 6978->6979 6980 7ffe1150624c _CatchTryBlock 63 API calls 6979->6980 6981 7ffe11511ffd 6980->6981 6982 7ffe11509adc __GSHandlerCheck_EH 52 API calls 6981->6982 6983 7ffe11512006 6982->6983 6986 7ffe11505a4c _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 6984->6986 6985 7ffe11505b3d 6985->6976 6985->6978 6986->6985 6987 7ffe11505b08 RtlUnwindEx 6986->6987 6987->6986 6988 7ffe115123bc 6989 7ffe1150624c _CatchTryBlock 63 API calls 6988->6989 6990 7ffe115123ca 6989->6990 6991 7ffe115123d5 6990->6991 6992 7ffe1150624c _CatchTryBlock 63 API calls 6990->6992 6992->6991 7411 7ffe11509a00 7412 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7411->7412 7413 7ffe11509a10 7412->7413 7414 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7413->7414 7415 7ffe11509a24 7414->7415 7416 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7415->7416 7417 7ffe11509a38 7416->7417 7418 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7417->7418 7419 7ffe11509a4c 7418->7419 7420 7ffe1150a204 7421 7ffe1150a22e 7420->7421 7422 7ffe1150c24c _invalid_parameter_noinfo 11 API calls 7421->7422 7423 7ffe1150a24d 7422->7423 7424 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7423->7424 7425 7ffe1150a25b 7424->7425 7426 7ffe1150c24c _invalid_parameter_noinfo 11 API calls 7425->7426 7429 7ffe1150a285 
7425->7429 7428 7ffe1150a277 7426->7428 7430 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7428->7430 7431 7ffe1150a28e 7429->7431 7432 7ffe1150e150 7429->7432 7430->7429 7433 7ffe1150ded8 5 API calls 7432->7433 7434 7ffe1150e186 7433->7434 7435 7ffe1150e1a5 InitializeCriticalSectionAndSpinCount 7434->7435 7436 7ffe1150e18b 7434->7436 7435->7436 7436->7429 8112 7ffe11512309 8115 7ffe11508488 8112->8115 8116 7ffe115084f3 8115->8116 8117 7ffe115084aa 8115->8117 8117->8116 8118 7ffe1150624c _CatchTryBlock 63 API calls 8117->8118 8118->8116 7437 7ffe1150ba10 7438 7ffe1150ba20 7437->7438 7439 7ffe1150ba2b __vcrt_uninitialize_ptd 7438->7439 7440 7ffe1150b888 __std_exception_copy 11 API calls 7438->7440 7440->7439 7917 7ffe1150e890 7918 7ffe1150e8bc 7917->7918 7919 7ffe1150e8a9 7917->7919 7919->7918 7920 7ffe1150d834 52 API calls 7919->7920 7920->7918 7921 7ffe1150c090 7922 7ffe1150c09c 7921->7922 7924 7ffe1150c0c3 7922->7924 7925 7ffe1150ec48 7922->7925 7926 7ffe1150ec88 7925->7926 7927 7ffe1150ec4d 7925->7927 7926->7922 7928 7ffe1150ec6e DeleteCriticalSection 7927->7928 7929 7ffe1150ec80 7927->7929 7928->7928 7928->7929 7930 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7929->7930 7930->7926 6993 7ffe11512194 __scrt_dllmain_exception_filter 6994 7ffe11508396 6995 7ffe1150624c _CatchTryBlock 63 API calls 6994->6995 6996 7ffe115083a3 __CxxCallCatchBlock 6995->6996 6997 7ffe115083e7 RaiseException 6996->6997 6998 7ffe1150840e 6997->6998 7007 7ffe11506884 6998->7007 7000 7ffe1150843f __CxxCallCatchBlock 7001 7ffe1150624c _CatchTryBlock 63 API calls 7000->7001 7002 7ffe11508452 7001->7002 7003 7ffe1150624c _CatchTryBlock 63 API calls 7002->7003 7005 7ffe1150845b 7003->7005 7008 7ffe1150624c _CatchTryBlock 63 API calls 7007->7008 7009 7ffe11506896 7008->7009 7010 7ffe115068d1 7009->7010 7012 7ffe1150624c _CatchTryBlock 63 API calls 7009->7012 7011 7ffe11509b7c __FrameHandler3::FrameUnwindToEmptyState 52 API calls 
7010->7011 7013 7ffe115068d6 7011->7013 7014 7ffe115068a1 7012->7014 7014->7010 7015 7ffe115068bd 7014->7015 7016 7ffe1150624c _CatchTryBlock 63 API calls 7015->7016 7017 7ffe115068c2 7016->7017 7017->7000 7018 7ffe11505d6c 7017->7018 7019 7ffe1150624c _CatchTryBlock 63 API calls 7018->7019 7020 7ffe11505d7a 7019->7020 7020->7000 7021 7ffe1150db98 GetCommandLineA GetCommandLineW 8119 7ffe11509518 8120 7ffe11509531 8119->8120 8121 7ffe1150952d 8119->8121 8122 7ffe1150d7d4 72 API calls 8120->8122 8123 7ffe11509536 8122->8123 8134 7ffe1150dd30 GetEnvironmentStringsW 8123->8134 8126 7ffe1150954f 8154 7ffe1150958c 8126->8154 8127 7ffe11509543 8128 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8127->8128 8128->8121 8131 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8132 7ffe11509576 8131->8132 8133 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8132->8133 8133->8121 8135 7ffe1150dd60 8134->8135 8136 7ffe1150953b 8134->8136 8137 7ffe1150dc50 WideCharToMultiByte 8135->8137 8136->8126 8136->8127 8138 7ffe1150ddb1 8137->8138 8139 7ffe1150ddb8 FreeEnvironmentStringsW 8138->8139 8140 7ffe1150c188 12 API calls 8138->8140 8139->8136 8141 7ffe1150ddcb 8140->8141 8142 7ffe1150ddd3 8141->8142 8143 7ffe1150dddc 8141->8143 8144 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8142->8144 8145 7ffe1150dc50 WideCharToMultiByte 8143->8145 8147 7ffe1150ddda 8144->8147 8146 7ffe1150ddff 8145->8146 8148 7ffe1150de03 8146->8148 8149 7ffe1150de0d 8146->8149 8147->8139 8150 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8148->8150 8151 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8149->8151 8152 7ffe1150de0b FreeEnvironmentStringsW 8150->8152 8151->8152 8152->8136 8155 7ffe115095b1 8154->8155 8156 7ffe1150c24c _invalid_parameter_noinfo 11 API calls 8155->8156 8165 7ffe115095e7 8156->8165 8157 7ffe1150bb1c 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8158 7ffe11509557 8157->8158 8158->8131 8159 7ffe11509662 8160 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8159->8160 8160->8158 8161 7ffe1150c24c _invalid_parameter_noinfo 11 API calls 8161->8165 8162 7ffe11509651 8164 7ffe1150969c 11 API calls 8162->8164 8163 7ffe11509b1c __std_exception_copy 52 API calls 8163->8165 8166 7ffe11509659 8164->8166 8165->8159 8165->8161 8165->8162 8165->8163 8167 7ffe11509687 8165->8167 8169 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8165->8169 8170 7ffe115095ef 8165->8170 8168 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8166->8168 8171 7ffe1150a0c8 _invalid_parameter_noinfo 17 API calls 8167->8171 8168->8170 8169->8165 8170->8157 8172 7ffe1150969a 8171->8172 8173 7ffe11504122 8175 7ffe115040e4 8173->8175 8174 7ffe115040c0 VirtualQuery 8174->8175 8176 7ffe115040d9 8174->8176 8175->8174 8175->8176 7931 7ffe1150829c 7932 7ffe1150624c _CatchTryBlock 63 API calls 7931->7932 7933 7ffe115082d1 7932->7933 7934 7ffe1150624c _CatchTryBlock 63 API calls 7933->7934 7935 7ffe115082df __except_validate_context_record 7934->7935 7936 7ffe1150624c _CatchTryBlock 63 API calls 7935->7936 7937 7ffe11508323 7936->7937 7938 7ffe1150624c _CatchTryBlock 63 API calls 7937->7938 7939 7ffe1150832c 7938->7939 7940 7ffe1150624c _CatchTryBlock 63 API calls 7939->7940 7941 7ffe11508335 7940->7941 7954 7ffe11506848 7941->7954 7944 7ffe1150624c _CatchTryBlock 63 API calls 7945 7ffe11508365 __CxxCallCatchBlock 7944->7945 7946 7ffe11506884 __CxxCallCatchBlock 63 API calls 7945->7946 7951 7ffe11508416 7946->7951 7947 7ffe1150843f __CxxCallCatchBlock 7948 7ffe1150624c _CatchTryBlock 63 API calls 7947->7948 7949 7ffe11508452 7948->7949 7950 7ffe1150624c _CatchTryBlock 63 API calls 7949->7950 7952 7ffe1150845b 7950->7952 7951->7947 7953 7ffe11505d6c __CxxCallCatchBlock 63 API calls 7951->7953 7953->7947 7955 
7ffe1150624c _CatchTryBlock 63 API calls 7954->7955 7956 7ffe11506859 7955->7956 7957 7ffe11506864 7956->7957 7958 7ffe1150624c _CatchTryBlock 63 API calls 7956->7958 7959 7ffe1150624c _CatchTryBlock 63 API calls 7957->7959 7958->7957 7960 7ffe11506875 7959->7960 7960->7944 7960->7945 7441 7ffe115061dc 7442 7ffe115061f6 7441->7442 7443 7ffe115061e5 7441->7443 7443->7442 7444 7ffe11509b08 __vcrt_freeptd 13 API calls 7443->7444 7444->7442 7022 7ffe1150ff60 7023 7ffe1150ff7f 7022->7023 7024 7ffe1150fff8 7023->7024 7027 7ffe1150ff8f 7023->7027 7030 7ffe11511e28 7024->7030 7028 7ffe11511ad0 _log10_special 8 API calls 7027->7028 7029 7ffe1150ffee 7028->7029 7033 7ffe11511e3c IsProcessorFeaturePresent 7030->7033 7034 7ffe11511e53 7033->7034 7039 7ffe11511ed8 RtlCaptureContext RtlLookupFunctionEntry 7034->7039 7040 7ffe11511f08 RtlVirtualUnwind 7039->7040 7041 7ffe11511e67 7039->7041 7040->7041 7042 7ffe11511d20 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7041->7042 7445 7ffe1150c5e0 7446 7ffe1150c605 7445->7446 7451 7ffe1150c61c 7445->7451 7447 7ffe1150a1e4 __std_exception_copy 11 API calls 7446->7447 7448 7ffe1150c60a 7447->7448 7450 7ffe1150a0a8 _invalid_parameter_noinfo 52 API calls 7448->7450 7449 7ffe1150c6d4 7499 7ffe11509330 7449->7499 7473 7ffe1150c615 7450->7473 7451->7449 7459 7ffe1150c6ac 7451->7459 7461 7ffe1150c669 7451->7461 7477 7ffe1150c824 7451->7477 7454 7ffe1150c734 7456 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7454->7456 7458 7ffe1150c73b 7456->7458 7457 7ffe1150c7c5 7460 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7457->7460 7462 7ffe1150c68c 7458->7462 7464 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7458->7464 7459->7462 7465 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7459->7465 7463 7ffe1150c7d0 7460->7463 7461->7462 7468 7ffe1150bb1c 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7461->7468 7467 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7462->7467 7466 7ffe1150c7e9 7463->7466 7471 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7463->7471 7464->7458 7465->7459 7472 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7466->7472 7467->7473 7468->7461 7469 7ffe1150c766 7469->7457 7474 7ffe1150c80b 7469->7474 7505 7ffe1150fe70 7469->7505 7471->7463 7472->7473 7475 7ffe1150a0c8 _invalid_parameter_noinfo 17 API calls 7474->7475 7476 7ffe1150c820 7475->7476 7478 7ffe1150c852 7477->7478 7478->7478 7479 7ffe1150c24c _invalid_parameter_noinfo 11 API calls 7478->7479 7480 7ffe1150c89d 7479->7480 7481 7ffe1150fe70 52 API calls 7480->7481 7482 7ffe1150c8d3 7481->7482 7483 7ffe1150a0c8 _invalid_parameter_noinfo 17 API calls 7482->7483 7484 7ffe1150c9a7 7483->7484 7485 7ffe1150ccf8 52 API calls 7484->7485 7486 7ffe1150ca8a 7485->7486 7514 7ffe1150e0ec 7486->7514 7491 7ffe1150cb51 7492 7ffe1150ccf8 52 API calls 7491->7492 7493 7ffe1150cb81 7492->7493 7494 7ffe1150e0ec 5 API calls 7493->7494 7495 7ffe1150cbaa 7494->7495 7539 7ffe1150c454 7495->7539 7498 7ffe1150c824 62 API calls 7500 7ffe11509380 7499->7500 7501 7ffe11509348 7499->7501 7500->7454 7500->7469 7501->7500 7502 7ffe1150c24c _invalid_parameter_noinfo 11 API calls 7501->7502 7503 7ffe11509376 7502->7503 7504 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7503->7504 7504->7500 7506 7ffe1150fe8d 7505->7506 7507 7ffe1150fea8 7506->7507 7510 7ffe1150fe92 7506->7510 7512 7ffe1150fedc 7506->7512 7507->7469 7508 7ffe1150a1e4 __std_exception_copy 11 API calls 7509 7ffe1150fe9c 7508->7509 7511 7ffe1150a0a8 _invalid_parameter_noinfo 52 API calls 7509->7511 7510->7507 7510->7508 7511->7507 7512->7507 7513 7ffe1150a1e4 __std_exception_copy 11 API calls 7512->7513 7513->7509 7515 7ffe1150ded8 5 API calls 7514->7515 7516 7ffe1150cab5 
7515->7516 7517 7ffe1150c2d8 7516->7517 7518 7ffe1150c326 7517->7518 7519 7ffe1150c302 7517->7519 7520 7ffe1150c380 7518->7520 7521 7ffe1150c32b 7518->7521 7523 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7519->7523 7526 7ffe1150c311 FindFirstFileExW 7519->7526 7522 7ffe1150dbc0 MultiByteToWideChar 7520->7522 7524 7ffe1150c340 7521->7524 7521->7526 7527 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7521->7527 7534 7ffe1150c39c 7522->7534 7523->7526 7528 7ffe1150c188 12 API calls 7524->7528 7525 7ffe1150c3a3 GetLastError 7561 7ffe1150a158 7525->7561 7526->7491 7527->7524 7528->7526 7530 7ffe1150c3de 7530->7526 7531 7ffe1150dbc0 MultiByteToWideChar 7530->7531 7535 7ffe1150c422 7531->7535 7533 7ffe1150c3d1 7538 7ffe1150c188 12 API calls 7533->7538 7534->7525 7534->7530 7534->7533 7537 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7534->7537 7535->7525 7535->7526 7536 7ffe1150a1e4 __std_exception_copy 11 API calls 7536->7526 7537->7533 7538->7530 7540 7ffe1150c47e 7539->7540 7541 7ffe1150c4a2 7539->7541 7544 7ffe1150c48d 7540->7544 7546 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7540->7546 7542 7ffe1150c4a8 7541->7542 7543 7ffe1150c4fc 7541->7543 7542->7544 7548 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7542->7548 7552 7ffe1150c4bd 7542->7552 7545 7ffe1150dc50 WideCharToMultiByte 7543->7545 7544->7498 7554 7ffe1150c520 7545->7554 7546->7544 7547 7ffe1150c527 GetLastError 7550 7ffe1150a158 11 API calls 7547->7550 7548->7552 7549 7ffe1150c188 12 API calls 7549->7544 7553 7ffe1150c534 7550->7553 7551 7ffe1150c564 7551->7544 7556 7ffe1150dc50 WideCharToMultiByte 7551->7556 7552->7549 7557 7ffe1150a1e4 __std_exception_copy 11 API calls 7553->7557 7554->7547 7554->7551 7555 7ffe1150c558 7554->7555 7558 7ffe1150bb1c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 7554->7558 7559 7ffe1150c188 12 API calls 
Call graph, continued (node and edge rendering data omitted). Most of the remaining nodes are MSVC CRT internals (__std_exception_copy, _invalid_parameter_noinfo, __scrt_acquire_startup_lock, Concurrency::details::SchedulerProxy::DeleteThis, _CatchTryBlock, __GSHandlerCheck_EH, _log10_special, __vcrt_InitializeCriticalSectionEx, __vcrt_uninitialize_locks), and the Win32 calls reached from them are the usual runtime ones: GetProcessHeap, HeapSize, HeapReAlloc, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, GetModuleFileNameW, WideCharToMultiByte, GetLastError, SetLastError (7ffe1150423e), RaiseException, CloseHandle. Nodes without CRT symbol names in this part of the graph:
• 7ffe11504370: three rounds of GetCurrentProcess, VirtualQueryEx, VirtualProtectEx (at 7ffe1150439b, 7ffe1150445d, 7ffe11504502) followed by VirtualProtect; SetLastError at 7ffe115045f2 is reached from the entry check
• 7ffe11502070 and 7ffe115020f0: GetCurrentThread, then through 7ffe11503a70 GetCurrentThreadId, VirtualQuery (twice), VirtualProtect and GetLastError; 7ffe11502070 then calls 7ffe11503010, 7ffe115020f0 continues with VirtualFree, SetEvent, a second GetCurrentThread and a call into 7ffe115036a0
• 7ffe115021e0: WaitForSingleObject, VirtualProtect, ResetEvent, looping on itself

    Control-flow Graph

    Function 7ffe11502390 (26 basic blocks; edge data omitted). Blocks that call out of the function:
    • 7ffe11502390-7ffe11502470 (entry): CreateEventW, AddVectoredExceptionHandler, CreateThread, CloseHandle, call 7ffe11505e70, GetModuleFileNameA, PathRemoveFileSpecA, PathAppendA, CreateFileA
    • 7ffe11502472-7ffe1150247b: CloseHandle, then the common exit block 7ffe115027a0-7ffe115027b3
    • 7ffe11502480-7ffe1150249d: GetFileSize
    • 7ffe1150249f-7ffe115024d0: call 7ffe11504cf0, ReadFile; 7ffe115024d2: GetLastError, reached from the ReadFile block
    • 7ffe115024d8-7ffe115024e1 and 7ffe115024e6-7ffe115024f1: CloseHandle
    • 7ffe115024f7-7ffe11502561: call 7ffe11504cf0, call 7ffe11501000, call 7ffe115011a0, call 7ffe11501c80; 7ffe11502580-7ffe115025b4 calls 7ffe11501c80 in a loop
    • 7ffe11502606-7ffe1150261b and 7ffe115026b8-7ffe115026c9: call 7ffe115069f0
    • 7ffe11502627-7ffe11502693: GetModuleHandleW, GetProcAddress
    • 7ffe115026d3-7ffe115026db: call 7ffe11505e70
    • 7ffe115026e0-7ffe1150279e: call 7ffe11504610, call 7ffe11502f50, GetCurrentThread, call 7ffe11503600, call 7ffe11503bd0 and call 7ffe115036a0 (each twice), call 7ffe11503010
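    The control_flow_graph entries in this report are flattened edge lists: a node id, an address or address range, labels (API names, `call <addr>`, `* <n>` repeat counts) and `src->dst` pairs. The parser below is an added example, not part of the report or of Joe Sandbox (whose format is not documented on this page; the grammar is inferred from the dumps). It turns one dump into per-block API lists and reports the APIs reachable from the entry block. The constructed input is the dump for the function at 7ffe11502390, copied from the report.

```python
"""Parser for the flattened control_flow_graph text in a Joe Sandbox report.
Added example; the grammar is inferred from the dump, not documented:
    <node-id> <hex-start>[-<hex-end>] <label>* ... <src>-><dst> ...
where a label is a Win32 API name, "call <hex-addr>" or "* <n>" (repeat
count for the preceding call)."""
import re
from collections import deque
from dataclasses import dataclass, field

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{8,16}(?:-[0-9a-f]{8,16})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node: int
    addr: str
    apis: list = field(default_factory=list)   # Win32 imports called in this block
    calls: list = field(default_factory=list)  # [callee address, repeat count]


def parse_cfg(dump: str):
    """Return ({node_id: Block}, [(src, dst), ...]) for one dump."""
    toks = dump.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif NODE_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = Block(int(t), toks[i + 1])   # a new basic block starts here
            blocks[cur.node] = cur
            i += 1
        elif t == "call":                       # "call <addr>": intra-module callee
            cur.calls.append([toks[i + 1], 1])
            i += 1
        elif t == "*":                          # "call X * 2": X is called twice
            cur.calls[-1][1] = int(toks[i + 1])
            i += 1
        else:                                   # anything else is an imported API
            cur.apis.append(t)
        i += 1
    return blocks, edges


def reachable(edges, start=0):
    """Node ids reachable from `start` by BFS over the edge list."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, queue = {start}, deque([start])
    while queue:
        for d in succ.get(queue.popleft(), []):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def api_summary(dump: str, entry=0):
    """Distinct Win32 APIs in blocks reachable from `entry`, in dump order."""
    blocks, edges = parse_cfg(dump)
    live = reachable(edges, entry)
    out = []
    for node, blk in blocks.items():
        if node in live:
            for api in blk.apis:
                if api not in out:
                    out.append(api)
    return out


# Constructed input: the dump for the function at 7ffe11502390, copied from the report.
DUMP = (
    "control_flow_graph 0 7ffe11502390-7ffe11502470 CreateEventW AddVectoredExceptionHandler CreateThread CloseHandle "
    "call 7ffe11505e70 GetModuleFileNameA PathRemoveFileSpecA PathAppendA CreateFileA 3 7ffe11502472-7ffe1150247b "
    "CloseHandle 0->3 4 7ffe11502480-7ffe1150249d GetFileSize 0->4 5 7ffe115027a0-7ffe115027b3 3->5 "
    "6 7ffe115024d8-7ffe115024e1 CloseHandle 4->6 7 7ffe1150249f-7ffe115024d0 call 7ffe11504cf0 ReadFile 4->7 6->5 "
    "10 7ffe115024e6-7ffe115024f1 CloseHandle 7->10 11 7ffe115024d2 GetLastError 7->11 10->5 "
    "12 7ffe115024f7-7ffe11502561 call 7ffe11504cf0 call 7ffe11501000 call 7ffe115011a0 call 7ffe11501c80 10->12 11->6 "
    "21 7ffe115025b6-7ffe115025c6 12->21 22 7ffe11502563-7ffe1150257f 12->22 24 7ffe115025ed 21->24 "
    "25 7ffe115025c8-7ffe115025d4 21->25 23 7ffe11502580-7ffe115025b4 call 7ffe11501c80 22->23 23->21 "
    "28 7ffe115025f3-7ffe11502604 24->28 27 7ffe115025d6-7ffe115025de 25->27 25->28 27->28 "
    "30 7ffe115025e0-7ffe115025e9 27->30 31 7ffe1150261d-7ffe11502624 28->31 32 7ffe11502606-7ffe1150261b "
    "call 7ffe115069f0 28->32 30->27 34 7ffe115025eb 30->34 33 7ffe11502627-7ffe11502693 GetModuleHandleW "
    "GetProcAddress 31->33 32->33 33->5 36 7ffe11502699-7ffe115026b2 33->36 34->28 36->5 "
    "39 7ffe115026b8-7ffe115026c9 call 7ffe115069f0 36->39 39->5 42 7ffe115026cf-7ffe115026d1 39->42 "
    "43 7ffe115026d3-7ffe115026db call 7ffe11505e70 42->43 44 7ffe115026e0-7ffe1150279e call 7ffe11504610 "
    "call 7ffe11502f50 GetCurrentThread call 7ffe11503600 call 7ffe11503bd0 call 7ffe115036a0 call 7ffe11503bd0 "
    "call 7ffe115036a0 call 7ffe11503010 42->44 43->44 44->5"
)

if __name__ == "__main__":
    blocks, edges = parse_cfg(DUMP)
    print(f"{len(blocks)} blocks, {len(edges)} edges")
    for node in sorted(blocks):
        if blocks[node].apis:
            print(f"  {blocks[node].addr}: {' '.join(blocks[node].apis)}")
    print("APIs reachable from entry:", ", ".join(api_summary(DUMP)))
```

    Run on this dump every block is reachable from the entry, so the summary is the whole import footprint of the function: event and thread creation, a vectored exception handler, the companion file opened and read next to the module, and GetModuleHandleW/GetProcAddress for the dynamically resolved imports. The same function works unchanged on the other control_flow_graph dumps in the report, including the `call 7ffe11502ea0 * 2` repeat form.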
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: File$CloseCreateHandle$Path$AppendErrorEventExceptionHandlerLastModuleNameReadRemoveSizeSpecThreadVectored
    • String ID: .dll$3$AABBAABB$Slee$Virt$Virt$bd.dat$e$el32$k$kern$lloc$lloc$r$ualA$ualA
    • API String ID: 2000086441-2148533931
    • Opcode ID: 748b09c8db22c9233cfb8b6db612900a15be1036188c19155c0c32e5012fe5a0
    • Instruction ID: 819e37513ceabfb2f73a7a99d73ad5911274fc15f5f01597c782c3dc46123dce
    • Opcode Fuzzy Hash: 748b09c8db22c9233cfb8b6db612900a15be1036188c19155c0c32e5012fe5a0
    • Instruction Fuzzy Hash: 7FB1B572A19F8285EB61DFA2E8502AE77A9FB447A4F400179DA4D07B79DF3CD148CB00
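    The String ID line above lists the function's strings `$`-separated: `kern`, `el32`, `.dll`, `Virt`, `ualA`, `lloc` and `Slee` are 4-byte pieces of library and API names written to the stack as immediates, consistent with the GetModuleHandleW/GetProcAddress pair in the graph and the "dynamically determine API calls" signature. The code below is an added example, not from the report or the sample: it reassembles such fragments against a list of candidate export names and tolerates the short trailing piece (the `p` of `Sleep`) that a string extractor with a minimum length drops. Assumptions, labelled in the code: fragments are 4-character chunks, and the candidate list stands in for a real kernel32 export table.

```python
"""Reassemble sandbox-reported stack-string fragments into the names they build.
Added example, not code from the report or the sample.  Assumption: the
fragments are 4-byte immediates ("Virt", "ualA", "lloc"), so a name whose last
chunk is shorter than 4 bytes ("Slee" + "p") is reported with that tail missing."""
from collections import Counter

# Copied from the report's String ID line for the function at 7ffe11502390.
REPORTED = ".dll$3$AABBAABB$Slee$Virt$Virt$bd.dat$e$el32$k$kern$lloc$lloc$r$ualA$ualA"

CHUNK = 4  # assumed immediate width; use 8 for qword stack strings

# Assumed candidate list; a real run would load the export table of kernel32.dll.
CANDIDATES = [
    "kernel32.dll", "ntdll.dll", "VirtualAlloc", "VirtualProtect", "VirtualFree",
    "Sleep", "LoadLibraryA", "GetProcAddress", "CreateThread", "IsDebuggerPresent",
]


def split_fragments(string_id: str) -> Counter:
    """'$'-separated String ID -> fragment multiset (a fragment may repeat)."""
    return Counter(string_id.split("$"))


def tile_prefix(name: str, frags: Counter) -> int:
    """Length of the longest prefix of `name` that can be tiled with reported
    fragments, each used at most as often as it was reported."""
    left = {f: n for f, n in frags.items() if f and f in name}  # plausible pieces only
    best = 0

    def walk(pos):
        nonlocal best
        best = max(best, pos)
        for f in list(left):
            if left[f] and name.startswith(f, pos):
                left[f] -= 1
                walk(pos + len(f))
                left[f] += 1

    walk(0)
    return best


def resolve_names(string_id: str, candidates=CANDIDATES, chunk: int = CHUNK):
    """Candidates the fragments rebuild: complete, or complete except for a
    trailing piece shorter than `chunk` (the tail the string extractor drops)."""
    frags = split_fragments(string_id)
    hits = {}
    for name in candidates:
        covered = tile_prefix(name, frags)
        if covered >= chunk and len(name) - covered < chunk:
            hits[name] = "full" if covered == len(name) else f"missing {name[covered:]!r}"
    return hits


if __name__ == "__main__":
    for name, how in resolve_names(REPORTED).items():
        print(f"{name:16} {how}")
```

    With the report's fragments this yields kernel32.dll and VirtualAlloc as complete matches and Sleep with its final `p` missing; VirtualProtect and VirtualFree are not reported because only their `Virt` chunk is present. Fragments such as `bd.dat` and `AABBAABB` are not API names and stay unmatched; `bd.dat` lines up with the GetModuleFileNameA/PathRemoveFileSpecA/PathAppendA/CreateFileA sequence in the entry block, i.e. a companion file opened next to the DLL.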

    Control-flow Graph

    Function 7ffe11503010 (edge data omitted). Blocks that call out of the function:
    • 7ffe11503010-7ffe11503035 (entry) and 7ffe11503079-7ffe11503085: GetCurrentThreadId
    • 7ffe1150311b-7ffe11503135, 7ffe115033c3-7ffe115033de and 7ffe1150352c-7ffe1150353f: GetCurrentProcess
    • 7ffe11503280-7ffe11503299: GetThreadContext; 7ffe1150338c-7ffe115033a3: SetThreadContext
    • 7ffe115030a0-7ffe115030be: VirtualProtect
    • 7ffe11503140-7ffe11503172, 7ffe115033f0-7ffe11503424 and 7ffe11503550-7ffe11503582: VirtualProtect, FlushInstructionCache (the first and last of these loop on themselves)
    • 7ffe11503184-7ffe115031a4 and 7ffe11503590-7ffe115035b0: ResumeThread, call 7ffe115059e0
    • 7ffe11503502-7ffe1150351e: VirtualFree
    • intra-module calls: 7ffe11511ad0, 7ffe115069f0, 7ffe11505e70, 7ffe115059e0
    Similarity
    • API ID: CurrentThread$ProtectVirtual$CacheFlushInstructionProcessResume
    • String ID: dtrR
    • API String ID: 389031504-1586779240
    • Opcode ID: 4e1dd71c2b551d481fc923206b8a64093158a7e9e0a79a0bf46b119fb70263a9
    • Instruction ID: a3e735a9d1841975f1cf283d3672d62f4d4f00fc005ae33bf7c54901e219dd83
    • Opcode Fuzzy Hash: 4e1dd71c2b551d481fc923206b8a64093158a7e9e0a79a0bf46b119fb70263a9
    • Instruction Fuzzy Hash: 48F18E22A0EE8286EB918F53D4502BE77A9FB49BA4F084176DA4D07776DF3CE095C740

    Control-flow Graph

    Similarity
    • API ID: LibraryThread$AddressCloseCreateCurrentFreeHandleLoadProc
    • String ID: .dll$ct$kern.dllVirtrote$kernrote
    • API String ID: 1766266960-2031131594
    • Opcode ID: e7fd98acc4234be35493e34f86f575c47727de015c7b141c750db42f753a3734
    • Instruction ID: 6df7a93a1768fcde02d417f206e3414996de71ba947d0d845f416694f35dba94
    • Opcode Fuzzy Hash: e7fd98acc4234be35493e34f86f575c47727de015c7b141c750db42f753a3734
    • Instruction Fuzzy Hash: 14312A72E09F0289FB41DFE2E9512AC3AB9BB04764F5044B8C94C66B79EF3C92448B15

    Control-flow Graph

    Function 7ffe11504cf8 (edge data omitted): the CRT DLL entry dispatch (__scrt_dllmain_crt_thread_attach at 7ffe11504d20, __scrt_dllmain_after_initialize_c at 7ffe11504dc6-7ffe11504dcd). No Win32 API is called directly. It calls the CRT helpers 7ffe115052f4, 7ffe11505188, 7ffe11505238, 7ffe115054c4, 7ffe115052b0, 7ffe11505150, 7ffe1150564c, 7ffe11505464, 7ffe11505488, 7ffe115052e0, 7ffe115051f8, 7ffe11505610, 7ffe11505140, 7ffe1150516c, 7ffe11508c40, 7ffe115054b4, 7ffe115053cc and 7ffe11508bfc, calls back into 7ffe11504cf8 from 7ffe11504f4b-7ffe11504f53 and 7ffe11504fbd-7ffe11504fd2, and calls 7ffe11502230 from 7ffe11504f66-7ffe11504f6e and 7ffe11504f82-7ffe11504fa4 (the latter block also calls 7ffe11504e60).
    Similarity
    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
    • String ID:
    • API String ID: 190073905-0
    • Opcode ID: dd18162d97b1a6b29cd3cf662115e7bc01adcf2463740e85e59020e4d9962bdd
    • Instruction ID: 45614df8714cab16cf0ba71a8c4235aec0c5fa1aca55e7b34609cf3968f6eeb0
    • Opcode Fuzzy Hash: dd18162d97b1a6b29cd3cf662115e7bc01adcf2463740e85e59020e4d9962bdd
    • Instruction Fuzzy Hash: 5581DF21E1CE4346FB61ABA794512BD6A9DAF857A4F4480BDEA0C473B3DF3CE8458701

    Control-flow Graph

    Function 7ffe115036a0 (edge data omitted). Blocks that call out of the function:
    • 7ffe115036d3-7ffe115036df: GetCurrentThreadId
    • 7ffe115037f6-7ffe11503803: SetLastError
    • 7ffe1150396b-7ffe11503988: VirtualProtect; 7ffe1150398a-7ffe11503992: GetLastError on one of its two successor paths
    • intra-module calls: 7ffe11511ad0, 7ffe11502ea0 (twice, from 7ffe11503722-7ffe11503768), 7ffe11505058, 7ffe11502c30, 7ffe11502850, 7ffe115069f0, 7ffe11505e70, 7ffe115059e0
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: c061db6a54b3aca9ccfc29b1edd971cf39f48d1cbc30c91d7a325912b1399ad0
    • Instruction ID: a349c0c2b6071d8afd738e0ba895724e65b45f67d81704430abcc6dbd06cad61
    • Opcode Fuzzy Hash: c061db6a54b3aca9ccfc29b1edd971cf39f48d1cbc30c91d7a325912b1399ad0
    • Instruction Fuzzy Hash: BFB1B562E0DF828AE7A08B92E44477E7799FB447A4F4445B9CA9D03BB2DF3CE5548700

    Control-flow Graph

    Similarity
    • API ID: FileHandleType
    • String ID:
    • API String ID: 3000768030-0
    • Opcode ID: d4df30131ec42738e431e5d51b80152184bce404cb529a4fbe6d8a5f229f992f
    • Instruction ID: 98bad001804bf7f534f17a7b91d23184e424133c152b50a480828b3701bdd17f
    • Opcode Fuzzy Hash: d4df30131ec42738e431e5d51b80152184bce404cb529a4fbe6d8a5f229f992f
    • Instruction Fuzzy Hash: E3317E22A18F4681EB608F56959017D6A59FB46BB0F6813ADDB6E473F0CF3DE4A1D300

    Control-flow Graph

    Function 7ffe11502b40 (edge data omitted): a loop (7ffe11502b70-7ffe11502b7d, back-edge from 7ffe11502c0f-7ffe11502c12) that calls VirtualQuery at 7ffe11502b8b-7ffe11502bb4 and, on one branch, VirtualAlloc at 7ffe11502bcb-7ffe11502be8; no other calls.
    APIs
    • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,-7FF80000,00007FFE11502DD9,?,?,00000000,00007FFE11503790), ref: 00007FFE11502BAB
    • VirtualAlloc.KERNELBASE ref: 00007FFE11502BDF
    Similarity
    • API ID: Virtual$AllocQuery
    • String ID:
    • API String ID: 31662377-0
    • Opcode ID: a1bf2276042524e804c363faaddb26e5b58e67ec955276ecdb07037aca792729
    • Instruction ID: ec03519e16a206e9732ce98c2e3b0de6ba29c7e06af27550aaa6b543e4c96676
    • Opcode Fuzzy Hash: a1bf2276042524e804c363faaddb26e5b58e67ec955276ecdb07037aca792729
    • Instruction Fuzzy Hash: AA11E421F1DE8642EF618B62E114379A251BB487F4F184339FA9C467F8EF2CD1C08600

    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: __scrt_dllmain_crt_thread_attach
    • String ID:
    • API String ID: 2860701742-0
    • Opcode ID: 3df07956f1b410fff491cdda7c16f79f6f5fab2606c02a4a58a2709734f37b96
    • Instruction ID: 27d32b1bb9fa057b426661570fc5250cdb2fa343d85dd24f2653148664cbe5b4
    • Opcode Fuzzy Hash: 3df07956f1b410fff491cdda7c16f79f6f5fab2606c02a4a58a2709734f37b96
    • Instruction Fuzzy Hash: 2EE01A50E2CA4285FF252AF720622FD17581F15378F4414FDDDAE421F38D4D69491565

    Control-flow Graph
    • Basic blocks 7ffe11503bd0-7ffe1150408b; imported API call sites: LoadLibraryExA (block 7ffe11503bd0), GetProcAddress (7ffe11503c14), GetCurrentProcess and LoadLibraryExW (7ffe11503c47), GetProcAddress * 7 (7ffe11503c9c), GetLastError (7ffe11503e22), FreeLibrary (7ffe11504028); intra-module calls to 7ffe11511ad0 (block 7ffe11504064) and 7ffe11505e70 (blocks 7ffe11503e30 and 7ffe11503fcf)
    • Graph export (node id, block address range, labels, then src->dst edges): control_flow_graph 473 7ffe11503bd0-7ffe11503c0e LoadLibraryExA 474 7ffe11503c14-7ffe11503c23 GetProcAddress 473->474 475 7ffe11504062 473->475 476 7ffe11503c29-7ffe11503c2f 474->476 477 7ffe11504064-7ffe1150408b call 7ffe11511ad0 474->477 475->477 476->475 478 7ffe11503c35-7ffe11503c41 476->478 480 7ffe11503c47-7ffe11503c96 GetCurrentProcess LoadLibraryExW 478->480 481 7ffe11503e06-7ffe11503e20 478->481 483 7ffe11503c9c-7ffe11503d6e GetProcAddress * 7 480->483 484 7ffe11504019-7ffe11504026 480->484 491 7ffe11503e22-7ffe11503e2a GetLastError 481->491 492 7ffe11503e30-7ffe11503e63 call 7ffe11505e70 481->492 487 7ffe11503d74-7ffe11503d7b 483->487 488 7ffe11504012 483->488 485 7ffe11504028-7ffe1150402b FreeLibrary 484->485 486 7ffe11504031-7ffe1150405b 484->486 485->486 486->475 487->488 490 7ffe11503d81-7ffe11503d88 487->490 488->484 490->488 493 7ffe11503d8e-7ffe11503d95 490->493 491->475 491->492 492->475 499 7ffe11503e69-7ffe11503e89 492->499 493->488 495 7ffe11503d9b-7ffe11503d9e 493->495 495->488 497 7ffe11503da4-7ffe11503db1 495->497 497->488 502 7ffe11503db7-7ffe11503dcb 497->502 501 7ffe11503e90-7ffe11503e9a 499->501 503 7ffe11503e9c-7ffe11503ea3 501->503 504 7ffe11503eb0-7ffe11503ebe 501->504 502->488 508 7ffe11503dd1-7ffe11503ddb 502->508 503->504 505 7ffe11503ea5-7ffe11503eae 503->505 504->475 506 7ffe11503ec4-7ffe11503ec9 504->506 505->501 505->504 509 7ffe11503ed1-7ffe11503ed4 506->509 510 7ffe11503ddd-7ffe11503de4 508->510 511 7ffe11503df8-7ffe11503dff 508->511 512 7ffe11503ed6-7ffe11503edd 509->512 513 7ffe11503edf-7ffe11503eee 509->513 510->511 514 7ffe11503de6-7ffe11503df0 510->514 511->481 512->509 512->513 513->475 515 7ffe11503ef4-7ffe11503f0e 513->515 514->511 516 7ffe11503f10-7ffe11503f1d 515->516 517 7ffe11503f3e-7ffe11503f4c 515->517 519 7ffe11503f20-7ffe11503f23 516->519 517->475 520 7ffe11503f52-7ffe11503f5f 517->520 519->517 522 7ffe11503f25-7ffe11503f2d 519->522 521 7ffe11503f60-7ffe11503f63 520->521 523 7ffe11503f65-7ffe11503f6c 521->523 524 7ffe11503f6e-7ffe11503f7d 521->524 522->517 525 7ffe11503f2f-7ffe11503f3c 522->525 523->521 523->524 524->475 526 7ffe11503f83-7ffe11503f97 524->526 525->517 525->519 527 7ffe11503fbb-7ffe11503fc9 526->527 528 7ffe11503f99-7ffe11503f9c 526->528 527->475 530 7ffe11503fcf-7ffe11504009 call 7ffe11505e70 527->530 529 7ffe11503fa0-7ffe11503fa3 528->529 529->527 531 7ffe11503fa5-7ffe11503fab 529->531 530->475 536 7ffe1150400b-7ffe11504010 530->536 531->527 533 7ffe11503fad-7ffe11503fb9 531->533 533->527 533->529 536->477
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: AddressProc$Library$Load$CurrentErrorFreeLastProcess
    • String ID: ImagehlpApiVersionEx$SymFromName$SymGetModuleInfo64$SymGetOptions$SymInitialize$SymLoadModule64$SymSetOptions$X$dbghelp.dll
    • API String ID: 1987430839-1769957640
    • Opcode ID: af72ff92c30fe70ee819a1b1fed1df289b22ebf1dfbfbe834bb4dfab729c1675
    • Instruction ID: 9daa7786b5514614e3b03a7542fc9493795da5707347bea1bb2fc8701791ddf0
    • Opcode Fuzzy Hash: af72ff92c30fe70ee819a1b1fed1df289b22ebf1dfbfbe834bb4dfab729c1675
    • Instruction Fuzzy Hash: 66C15E22A1EF82C5FB91CB92E8542792BAAFF847A0F4441B9CA4D467B1DF3CE544C701
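Joe Sandbox exports each control-flow graph as a whitespace-separated list: the word control_flow_graph, then for every basic block its node id, start[-end] address and any labels (imported API names, "call <addr>" for intra-module calls, "* N" as a repeat count for the preceding label), with src->dst edges interleaved wherever the exporter emitted them. Once parsed, the graph answers the questions an analyst asks of the picture: where the API call sites are, how big the function is, and whether a sensitive call is only reachable through a guard block. The block below is an added example, not code from Joe Sandbox or its IDA plugin. It parses that format and runs over two inputs copied from this report: the complete VirtualQuery/VirtualAlloc graph of the function at 7ffe11502b40, and the opening blocks of the dbghelp-loading function at 7ffe11503bd0 (truncated after block 483), which exercise the "call" and "* 7" labels. The must_pass_through helper checks, for the first graph, whether the VirtualAlloc block can be reached without first passing the VirtualQuery block; its choice of the lowest-address block as the entry is the example's own assumption.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed inputs, copied token for token from the control_flow_graph exports in this
# report: the VirtualQuery/VirtualAlloc function at 7ffe11502b40 (complete) and the first
# blocks of the dbghelp-loading function at 7ffe11503bd0 (cut after block 483).
SAMPLE_CFG_VIRTUALALLOC = (
    "control_flow_graph 360 7ffe11502b40-7ffe11502b67 361 7ffe11502b6d 360->361 "
    "362 7ffe11502c18 360->362 363 7ffe11502b70-7ffe11502b7d 361->363 "
    "364 7ffe11502c1a-7ffe11502c24 362->364 365 7ffe11502b8b-7ffe11502bb4 VirtualQuery 363->365 "
    "366 7ffe11502b7f-7ffe11502b86 363->366 365->362 368 7ffe11502bb6-7ffe11502bbe 365->368 "
    "367 7ffe11502c0f-7ffe11502c12 366->367 367->362 367->363 369 7ffe11502bf3-7ffe11502c0b 368->369 "
    "370 7ffe11502bc0-7ffe11502bc9 368->370 369->367 370->369 "
    "371 7ffe11502bcb-7ffe11502be8 VirtualAlloc 370->371 371->364 "
    "372 7ffe11502bea-7ffe11502bf1 371->372 372->367"
)
SAMPLE_CFG_DBGHELP_FRAGMENT = (
    "control_flow_graph 473 7ffe11503bd0-7ffe11503c0e LoadLibraryExA "
    "474 7ffe11503c14-7ffe11503c23 GetProcAddress 473->474 475 7ffe11504062 473->475 "
    "476 7ffe11503c29-7ffe11503c2f 474->476 477 7ffe11504064-7ffe1150408b call 7ffe11511ad0 474->477 "
    "475->477 476->475 478 7ffe11503c35-7ffe11503c41 476->478 "
    "480 7ffe11503c47-7ffe11503c96 GetCurrentProcess LoadLibraryExW 478->480 "
    "481 7ffe11503e06-7ffe11503e20 478->481 483 7ffe11503c9c-7ffe11503d6e GetProcAddress * 7 480->483"
)

NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^([0-9a-f]{8,})(?:-([0-9a-f]{8,}))?$")  # 8+ hex digits, so a "* 7" count never looks like an address


@dataclass
class Block:
    node: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # [api name, call count]
    calls: list = field(default_factory=list)  # [callee address, call count] for intra-module calls


@dataclass
class CFG:
    blocks: dict  # node id -> Block
    edges: list   # (src node, dst node)


def parse_cfg(dump):
    """Parse one Joe Sandbox control_flow_graph export into blocks and edges."""
    toks = dump.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, last_label, i = {}, [], None, None, 0
    while i < len(toks):
        t = toks[i]
        if (m := EDGE.match(t)):
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t == "*" and last_label is not None and i + 1 < len(toks):
            last_label[1] = int(toks[i + 1])  # "GetProcAddress * 7": repeat count for the previous label
            i += 2
        elif NODE_ID.match(t) and i + 1 < len(toks) and (a := ADDR.match(toks[i + 1])):
            start = int(a.group(1), 16)
            cur = Block(int(t), start, int(a.group(2), 16) if a.group(2) else start)
            blocks[cur.node] = cur
            last_label = None
            i += 2
        elif cur is None:
            raise ValueError(f"label {t!r} before any block definition")
        elif t == "call" and i + 1 < len(toks):
            last_label = [int(toks[i + 1], 16), 1]
            cur.calls.append(last_label)
            i += 2
        else:
            last_label = [t, 1]
            cur.apis.append(last_label)
            i += 1
    return CFG(blocks, edges)


def function_range(cfg):
    return (min(b.start for b in cfg.blocks.values()), max(b.end for b in cfg.blocks.values()))


def api_call_sites(cfg):
    """(api, count, block start) for every imported-API label, in address order."""
    return [(name, n, b.start) for b in sorted(cfg.blocks.values(), key=lambda b: b.start)
            for name, n in b.apis]


def block_calling(cfg, api):
    """Node id of the lowest-address block that calls `api`, or None."""
    for b in sorted(cfg.blocks.values(), key=lambda b: b.start):
        if any(name == api for name, _ in b.apis):
            return b.node
    return None


def reachable(cfg, src, avoid=()):
    """Node ids reachable from `src` without entering any node in `avoid` (BFS over edges)."""
    succ = {}
    for s, d in cfg.edges:
        succ.setdefault(s, []).append(d)
    seen, todo = {src}, deque([src])
    while todo:
        for d in succ.get(todo.popleft(), ()):
            if d not in seen and d not in avoid:
                seen.add(d)
                todo.append(d)
    return seen


def must_pass_through(cfg, target, via):
    """True when every path from the entry block (assumed: lowest address) to `target` visits `via`."""
    entry = min(cfg.blocks.values(), key=lambda b: b.start).node
    if via in (entry, target):
        return True
    return target not in reachable(cfg, entry, avoid={via})


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG_VIRTUALALLOC)
    print("function %#x-%#x, %d blocks, %d edges" % (*function_range(cfg), len(cfg.blocks), len(cfg.edges)))
    for name, n, start in api_call_sites(cfg):
        print("  %s x%d in block %#x" % (name, n, start))
    alloc, query = block_calling(cfg, "VirtualAlloc"), block_calling(cfg, "VirtualQuery")
    print("VirtualAlloc reachable only through VirtualQuery block:", must_pass_through(cfg, alloc, query))
```

Run it as a script for the summary of the first graph, or paste any other export from the report into parse_cfg. The entry-block assumption (lowest address) holds for the exports on this page but not for functions with out-of-line cold blocks placed below the entry; the edge count is what the text export carries, and the executed/not-executed colouring of the rendered graph is not part of it.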
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 3140674995-0
    • Opcode ID: ceae5bf99175bf329a882c9c01ada8f9b0552e284b09529520216b81c19f759a
    • Instruction ID: 1a4ab360bc0dd3a400d836f495a7a82fb916bc8d72a1298dfb8f7b480818a493
    • Opcode Fuzzy Hash: ceae5bf99175bf329a882c9c01ada8f9b0552e284b09529520216b81c19f759a
    • Instruction Fuzzy Hash: FF316D72619E818AEB608F61E8503ED7369FB84768F444079DA4D47BA5EF3CC648C700
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
    • String ID:
    • API String ID: 1239891234-0
    • Opcode ID: 653a7dd5f739a26b48d6358187edaa874bff51e666f89fa05cf4fd4263b2b541
    • Instruction ID: e7db64b742455ec7db7b9749fd96cf63fe2ffed7653599bfbc426820374bd450
    • Opcode Fuzzy Hash: 653a7dd5f739a26b48d6358187edaa874bff51e666f89fa05cf4fd4263b2b541
    • Instruction Fuzzy Hash: 17319432618F8186DB60CF66E8402AE73A9FB84764F540179EA9D43B79EF3CC545CB00
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: ExceptionRaise_clrfp
    • String ID:
    • API String ID: 15204871-0
    • Opcode ID: e31da4721cf26eebe3d2a8be9e2adc1308b472473acb19fe4f12416613483fde
    • Instruction ID: a44321d5cfbace76f069ccb37f25ea995261da507bf7a381398dbb7d597e25df
    • Opcode Fuzzy Hash: e31da4721cf26eebe3d2a8be9e2adc1308b472473acb19fe4f12416613483fde
    • Instruction Fuzzy Hash: 22B16C77A04B898AEB16CF3AC48636C7BA5F784B58F1489A1DA6D837B4CB3DD451C700
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 09ac312f4b710438d319fbfa6c52b5c7fbaa3ff3507b47009a3330bb5223a6f1
    • Instruction ID: b052cbec6a4b0606a2264c3ebe84a535412ec4fbb833d74127f73a06cf79fa7f
    • Opcode Fuzzy Hash: 09ac312f4b710438d319fbfa6c52b5c7fbaa3ff3507b47009a3330bb5223a6f1
    • Instruction Fuzzy Hash: F351C422B08F9185FB10DBB6A8442AE7BA9FB417A4F1441B9EE5D27AB5CE3CD5418700
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 8bb68053ac3bf32336c7316952a68321939a125ed2afefbdb217c5687ebb920c
    • Instruction ID: 48b5c23912b94a786eaf2a9530bcec24c2be95a78e3e481da409455aa9f7c19e
    • Opcode Fuzzy Hash: 8bb68053ac3bf32336c7316952a68321939a125ed2afefbdb217c5687ebb920c
    • Instruction Fuzzy Hash: 78B09225E0BE02C6EB992B526C8621422AE7F88730FA900B8C01C41330DE2C20E59701
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 534549ea163d61a7c457dc93563329af7cb01e3e0525a982fb1a593890e2156f
    • Instruction ID: 864e87dfcb997ebe7a5a5758810f89d134d6f88fe4b8f36745c5bd0f219891ab
    • Opcode Fuzzy Hash: 534549ea163d61a7c457dc93563329af7cb01e3e0525a982fb1a593890e2156f
    • Instruction Fuzzy Hash: B1C15A53A0D6D04DE7128FB980901FD3FB0DB2E71DB0A428AEFD86998BD618D394D725
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ce8a0e7fef8ddd7bc8ed9c8976c1d54b922fe6bdf0dc1b8b06ed46e333767b34
    • Instruction ID: 5c7d2a006b22a7764544c1197bf818745794a77c9b2e8ec47835c8f6418e25dc
    • Opcode Fuzzy Hash: ce8a0e7fef8ddd7bc8ed9c8976c1d54b922fe6bdf0dc1b8b06ed46e333767b34
    • Instruction Fuzzy Hash: 8BF0F672B19695CBDBA4CFAEA84262977D5F7083D0F848079D68D83B24C63C80618F04

    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: Virtual$Protect$CurrentProcessQuery$ErrorLast
    • String ID:
    • API String ID: 3405148435-0
    • Opcode ID: ff34727a7d015ad3aec6eb73e7a699898f2e6799fc8288cd341ea737d9ec148e
    • Instruction ID: e232dfeb5f73631625636f94d1a2493370b56ff983f339ee5aca855ad6685a87
    • Opcode Fuzzy Hash: ff34727a7d015ad3aec6eb73e7a699898f2e6799fc8288cd341ea737d9ec148e
    • Instruction Fuzzy Hash: A9717E32B09A818AD7208F36D4146AD37A5FB49BA8F048269DE4C17BB9DF3CD595C740

    Control-flow Graph
    • Basic blocks 7ffe1150b710-7ffe1150b887; imported API call sites (GetLastError, FlsGetValue, FlsSetValue, SetLastError) are listed with their addresses under APIs below; intra-module calls to 7ffe1150c24c, 7ffe11509b7c, 7ffe1150b47c and 7ffe1150bb1c
    • Graph export (node id, block address range, labels, then src->dst edges): control_flow_graph 562 7ffe1150b710-7ffe1150b732 GetLastError 563 7ffe1150b751-7ffe1150b75c FlsSetValue 562->563 564 7ffe1150b734-7ffe1150b73f FlsGetValue 562->564 567 7ffe1150b75e-7ffe1150b761 563->567 568 7ffe1150b763-7ffe1150b768 563->568 565 7ffe1150b741-7ffe1150b749 564->565 566 7ffe1150b74b 564->566 569 7ffe1150b7bd-7ffe1150b7c8 SetLastError 565->569 566->563 567->569 570 7ffe1150b76d call 7ffe1150c24c 568->570 571 7ffe1150b7ca-7ffe1150b7dc 569->571 572 7ffe1150b7dd-7ffe1150b7f3 call 7ffe11509b7c 569->572 573 7ffe1150b772-7ffe1150b77e 570->573 584 7ffe1150b810-7ffe1150b81b FlsSetValue 572->584 585 7ffe1150b7f5-7ffe1150b800 FlsGetValue 572->585 575 7ffe1150b790-7ffe1150b79a FlsSetValue 573->575 576 7ffe1150b780-7ffe1150b787 FlsSetValue 573->576 577 7ffe1150b7ae-7ffe1150b7b8 call 7ffe1150b47c call 7ffe1150bb1c 575->577 578 7ffe1150b79c-7ffe1150b7ac FlsSetValue 575->578 580 7ffe1150b789-7ffe1150b78e call 7ffe1150bb1c 576->580 577->569 578->580 580->567 590 7ffe1150b880-7ffe1150b887 call 7ffe11509b7c 584->590 591 7ffe1150b81d-7ffe1150b822 584->591 588 7ffe1150b802-7ffe1150b806 585->588 589 7ffe1150b80a 585->589 588->590 593 7ffe1150b808 588->593 589->584 594 7ffe1150b827 call 7ffe1150c24c 591->594 596 7ffe1150b877-7ffe1150b87f 593->596 597 7ffe1150b82c-7ffe1150b838 594->597 599 7ffe1150b84a-7ffe1150b854 FlsSetValue 597->599 600 7ffe1150b83a-7ffe1150b841 FlsSetValue 597->600 601 7ffe1150b856-7ffe1150b866 FlsSetValue 599->601 602 7ffe1150b868-7ffe1150b870 call 7ffe1150b47c 599->602 603 7ffe1150b843-7ffe1150b848 call 7ffe1150bb1c 600->603 601->603 602->596 608 7ffe1150b872 call 7ffe1150bb1c 602->608 603->590 608->596
    APIs
    • GetLastError.KERNEL32(?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B71F
    • FlsGetValue.KERNEL32(?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B734
    • FlsSetValue.KERNEL32(?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B755
    • FlsSetValue.KERNEL32(?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B782
    • FlsSetValue.KERNEL32(?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B793
    • FlsSetValue.KERNEL32(?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B7A4
    • SetLastError.KERNEL32(?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B7BF
    • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B7F5
    • FlsSetValue.KERNEL32(?,?,00000001,00007FFE1150D810,?,?,?,?,00007FFE115093D3,?,?,?,?,?,00007FFE115051E4), ref: 00007FFE1150B814
      • Part of subcall function 00007FFE1150C24C: HeapAlloc.KERNEL32(?,?,00000000,00007FFE1150B8EA,?,?,00000000,00007FFE1150A1ED,?,?,?,?,00007FFE1150BB50), ref: 00007FFE1150C2A1
    • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B83C
      • Part of subcall function 00007FFE1150BB1C: HeapFree.KERNEL32 ref: 00007FFE1150BB32
      • Part of subcall function 00007FFE1150BB1C: GetLastError.KERNEL32 ref: 00007FFE1150BB3C
    • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B84D
    • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFE1150F54B,?,?,?,00007FFE1150E850,?,?,00000001,00007FFE11509C1F), ref: 00007FFE1150B85E
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: Value$ErrorLast$Heap$AllocFree
    • String ID:
    • API String ID: 570795689-0
    • Opcode ID: 8f004e0fd8d534411d4f2fec35ca597af5750725386c7776f7d15f151d711827
    • Instruction ID: 893ae9b182d38560d56bca6a720ac1b25cf40b8c6e91eefff05e546997acd79f
    • Opcode Fuzzy Hash: 8f004e0fd8d534411d4f2fec35ca597af5750725386c7776f7d15f151d711827
    • Instruction Fuzzy Hash: 51414B28E0DE0342FB69ABB759911BD224A9F547B0F1807BDE93E0A7F6DE2CB5054201

    Control-flow Graph
    • Basic blocks 7ffe115077e8-7ffe11507caf; no imported API call sites; intra-module calls to 7ffe1150869c, 7ffe11509b7c, 7ffe1150624c, 7ffe11507cb0, 7ffe11511ad0, 7ffe11506604, 7ffe11506918, 7ffe115068d8, 7ffe115064a8, 7ffe11509adc, 7ffe115068ec, 7ffe11507ec8, 7ffe11508734, 7ffe11506538, 7ffe11506744, 7ffe11507714, 7ffe11508824, 7ffe11505cf8, 7ffe1150827c and 7ffe115060b8
    • Graph export (node id, block address range, labels, then src->dst edges): control_flow_graph 609 7ffe115077e8-7ffe1150784f call 7ffe1150869c 612 7ffe11507ca7-7ffe11507caf call 7ffe11509b7c 609->612 613 7ffe11507855-7ffe11507858 609->613 613->612 614 7ffe1150785e-7ffe11507864 613->614 616 7ffe1150786a-7ffe1150786e 614->616 617 7ffe11507933-7ffe11507945 614->617 616->617 621 7ffe11507874-7ffe1150787f 616->621 619 7ffe1150794b-7ffe1150794f 617->619 620 7ffe11507bf7-7ffe11507bfb 617->620 619->620 622 7ffe11507955-7ffe11507960 619->622 624 7ffe11507bfd-7ffe11507c04 620->624 625 7ffe11507c34-7ffe11507c3e call 7ffe1150624c 620->625 621->617 623 7ffe11507885-7ffe1150788a 621->623 622->620 627 7ffe11507966-7ffe1150796d 622->627 623->617 628 7ffe11507890-7ffe1150789a call 7ffe1150624c 623->628 624->612 629 7ffe11507c0a-7ffe11507c2f call 7ffe11507cb0 624->629 625->612 635 7ffe11507c40-7ffe11507c5f call 7ffe11511ad0 625->635 631 7ffe11507b28-7ffe11507b34 627->631 632 7ffe11507973-7ffe115079aa call 7ffe11506604 627->632 628->635 643 7ffe115078a0-7ffe115078cb call 7ffe1150624c * 2 call 7ffe11506918 628->643 629->625 631->625 636 7ffe11507b3a-7ffe11507b3e 631->636 632->631 647 7ffe115079b0-7ffe115079b8 632->647 640 7ffe11507b40-7ffe11507b4c call 7ffe115068d8 636->640 641 7ffe11507b4e-7ffe11507b56 636->641 640->641 654 7ffe11507b6f-7ffe11507b77 640->654 641->625 646 7ffe11507b5c-7ffe11507b69 call 7ffe115064a8 641->646 677 7ffe115078cd-7ffe115078d1 643->677 678 7ffe115078eb-7ffe115078f5 call 7ffe1150624c 643->678 646->625 646->654 651 7ffe115079bd-7ffe115079ef 647->651 656 7ffe11507b17-7ffe11507b1e 651->656 657 7ffe115079f5-7ffe11507a00 651->657 661 7ffe11507b7d-7ffe11507b81 654->661 662 7ffe11507c8a-7ffe11507ca6 call 7ffe1150624c * 2 call 7ffe11509adc 654->662 656->651 660 7ffe11507b24 656->660 657->656 658 7ffe11507a06-7ffe11507a1c 657->658 664 7ffe11507b14 658->664 665 7ffe11507a22-7ffe11507a67 call 7ffe115068ec * 2 658->665 660->631 667 7ffe11507b94 661->667 668 7ffe11507b83-7ffe11507b92 call 7ffe115068d8 661->668 662->612 664->656 691 7ffe11507a69-7ffe11507a8f call 7ffe115068ec call 7ffe11507ec8 665->691 692 7ffe11507aa5-7ffe11507aab 665->692 673 7ffe11507b97-7ffe11507ba1 call 7ffe11508734 667->673 668->673 673->625 688 7ffe11507ba7-7ffe11507bf5 call 7ffe11506538 call 7ffe11506744 673->688 677->678 682 7ffe115078d3-7ffe115078de 677->682 678->617 694 7ffe115078f7-7ffe11507917 call 7ffe1150624c * 2 call 7ffe11508734 678->694 682->678 687 7ffe115078e0-7ffe115078e5 682->687 687->612 687->678 688->625 708 7ffe11507ab6-7ffe11507b0a call 7ffe11507714 691->708 709 7ffe11507a91-7ffe11507aa3 691->709 698 7ffe11507aad-7ffe11507ab1 692->698 699 7ffe11507b0f 692->699 713 7ffe11507919-7ffe11507923 call 7ffe11508824 694->713 714 7ffe1150792e 694->714 698->665 699->664 708->699 709->691 709->692 717 7ffe11507929-7ffe11507c83 call 7ffe11505cf8 call 7ffe1150827c call 7ffe115060b8 713->717 718 7ffe11507c84-7ffe11507c89 call 7ffe11509adc 713->718 714->617 717->718 718->662
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
    • String ID: csm$csm$csm
    • API String ID: 3606184308-393685449
    • Opcode ID: 06d3728c1fe3869259745ac4c5e6a0cb00fc75d00ae8fc1fa34a4fbaf183a18e
    • Instruction ID: 878fadacb6b06967065a0d309b32ad23372f440b7a46511cf66162bd4f59a878
    • Opcode Fuzzy Hash: 06d3728c1fe3869259745ac4c5e6a0cb00fc75d00ae8fc1fa34a4fbaf183a18e
    • Instruction Fuzzy Hash: BED17172A08F428AEB209FA6D4412AD77A8FB457A8F100179EE8D57B75DF3CE591C700
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00000000,00007FFE1150427E,?,?,?,00007FFE1150463D,?,?,?,00007FFE1150215C), ref: 00007FFE1150414E
    • SetLastError.KERNEL32(?,?,?,?,00000000,00007FFE1150427E,?,?,?,00007FFE1150463D,?,?,?,00007FFE1150215C), ref: 00007FFE11504167
    • SetLastError.KERNEL32(?,?,?,?,00000000,00007FFE1150427E,?,?,?,00007FFE1150463D,?,?,?,00007FFE1150215C), ref: 00007FFE11504189
    • SetLastError.KERNEL32(?,?,?,?,00000000,00007FFE1150427E,?,?,?,00007FFE1150463D,?,?,?,00007FFE1150215C), ref: 00007FFE115041A5
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: ErrorLast$HandleModule
    • String ID: .detour$Dtr
    • API String ID: 1090667551-1360480496
    • Opcode ID: 525fe6b1b2cddfa9d0ddd716b500ea8b7d1fd6ff01d5c97a3c603da605cd3077
    • Instruction ID: 97fd649a14323a6959dcec3d7ec54ece4c3ecc635c852ae75c9a293606e7046a
    • Opcode Fuzzy Hash: 525fe6b1b2cddfa9d0ddd716b500ea8b7d1fd6ff01d5c97a3c603da605cd3077
    • Instruction Fuzzy Hash: 5E31A031F0CD47D7EBA48BA2D41463C2AA9EB55B65F4541B9CA0A422F1EE3CE584C711
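The strings .detour and Dtr in this entry, next to GetModuleHandleW and three SetLastError calls, are the section name and section-header signature (DETOUR_SECTION_HEADER_SIGNATURE, the bytes "Dtr\0") that Microsoft Detours uses to mark a payload section in a PE image, and the dbghelp sequence in the entry at 7ffe11503bd0 (ImagehlpApiVersionEx, SymInitialize, SymSetOptions, SymLoadModule64, SymGetModuleInfo64, SymFromName) has the shape of Detours' symbol-based function lookup. That the sample statically links Detours is an inference from these strings, not something the report states. A check a practitioner would run on the sample itself is to walk its section table, list names outside the usual MSVC set (the report already flags non-standard section names) and test whether a .detour section carrying the Dtr\0 signature is present. The block below is an added example, not code from the report, from Joe Sandbox or from Detours; it uses only the standard library, builds its input image inline (a constructed PE, not the analysed DLL), and its baseline list of standard section names and the assumed position of the signature (second DWORD of the section, after cbHeaderSize) are the example's own.

```python
import struct

# Section names the MSVC/UCRT toolchain normally emits. This is the example's own baseline for
# "non-standard" (the report flags such names); extend it for images from other toolchains.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".didat"}

DETOUR_SECTION = ".detour"
DETOUR_SIGNATURE = b"Dtr\x00"  # DETOUR_SECTION_HEADER_SIGNATURE 0x00727444 as little-endian bytes
DETOUR_SIGNATURE_OFFSET = 4    # assumption: nSignature follows the cbHeaderSize DWORD

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table (optional header is skipped)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = SECTION_HEADER.unpack_from(
            image, table + i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_offset": rawptr, "characteristics": chars})
    return sections


def scan_pe(image):
    """Section names, the non-standard ones, and whether a Detours payload section is present."""
    sections = parse_sections(image)
    names = [s["name"] for s in sections]
    detour = next((s for s in sections if s["name"] == DETOUR_SECTION), None)
    sig_ok = False
    if detour is not None and detour["raw_size"] >= DETOUR_SIGNATURE_OFFSET + 4:
        off = detour["raw_offset"] + DETOUR_SIGNATURE_OFFSET
        sig_ok = image[off:off + 4] == DETOUR_SIGNATURE
    return {"sections": names,
            "nonstandard": [n for n in names if n not in STANDARD_SECTIONS],
            "detour_section": detour is not None,
            "detour_signature_ok": sig_ok}


def build_sample_pe():
    """Constructed minimal PE32+ image with .text, .rdata and a Detours-style .detour section.
    It stands in for the sample so the example runs offline; it is not the analysed DLL."""
    file_align, e_lfanew, opt_size = 0x200, 0x40, 0xF0
    sec_defs = [(b".text", 0x60000020), (b".rdata", 0x40000040), (b".detour", 0x40000040)]
    table = e_lfanew + 4 + 20 + opt_size
    image = bytearray(file_align)  # all headers fit in one file-alignment unit
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    # COFF: Machine=AMD64, NumberOfSections, TimeDateStamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x8664, len(sec_defs), 0, 0, 0, opt_size, 0x2022)
    struct.pack_into("<H", image, e_lfanew + 24, 0x20B)  # PE32+ magic; rest of the optional header stays zero
    for i, (name, chars) in enumerate(sec_defs):
        raw_off = file_align * (i + 1)
        SECTION_HEADER.pack_into(image, table + i * SECTION_HEADER.size,
                                 name, file_align, 0x1000 * (i + 1), file_align, raw_off, 0, 0, 0, 0, chars)
        image += bytes(file_align)
        if name == b".detour":
            # DETOUR_SECTION_HEADER begins cbHeaderSize, nSignature ("Dtr\0"); assumed layout, see above
            struct.pack_into("<I4s", image, raw_off, 0x40, DETOUR_SIGNATURE)
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(scan_pe(data))
```

Pass the sample's path as the first argument to scan it; with no argument the script scans the constructed image. A .detour section is only one of the possible outcomes: the strings in this entry show the code looks for such a section, which is consistent with the DLL carrying one or with it inspecting other modules, so a negative result from the scan does not contradict the report.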
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID: api-ms-$ext-ms-
    • API String ID: 3013587201-537541572
    • Opcode ID: 021fd238debe797a42248dafad0f7b6325df0aa8ae931348c9bf8a3dd3b1b969
    • Instruction ID: 94537b8ba02dfcb2ae3a80832e211805586d7186624fd33489e1fd535814e198
    • Opcode Fuzzy Hash: 021fd238debe797a42248dafad0f7b6325df0aa8ae931348c9bf8a3dd3b1b969
    • Instruction Fuzzy Hash: 5F41F221B19E1281EB16CB57A8206BE239ABF08BB0F18817DDD1D877B5EE3CE4059300
    APIs
    • LoadLibraryExW.KERNEL32(?,?,?,00007FFE11507227,?,?,?,00007FFE11506384,?,?,?,?,00007FFE11505CD9), ref: 00007FFE115070ED
    • GetLastError.KERNEL32(?,?,?,00007FFE11507227,?,?,?,00007FFE11506384,?,?,?,?,00007FFE11505CD9), ref: 00007FFE115070FB
    • LoadLibraryExW.KERNEL32(?,?,?,00007FFE11507227,?,?,?,00007FFE11506384,?,?,?,?,00007FFE11505CD9), ref: 00007FFE11507125
    • FreeLibrary.KERNEL32(?,?,?,00007FFE11507227,?,?,?,00007FFE11506384,?,?,?,?,00007FFE11505CD9), ref: 00007FFE1150716B
    • GetProcAddress.KERNEL32(?,?,?,00007FFE11507227,?,?,?,00007FFE11506384,?,?,?,?,00007FFE11505CD9), ref: 00007FFE11507177
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: Library$Load$AddressErrorFreeLastProc
    • String ID: api-ms-
    • API String ID: 2559590344-2084034818
    • Opcode ID: 9595c688d46539b0029f737ea7c98cea7b792a27edac32f2a73856f0b901c317
    • Instruction ID: bb75320945d752128a1fb0e3473ddc8641c5be3125894cdd8e1d3ad9dcff3578
    • Opcode Fuzzy Hash: 9595c688d46539b0029f737ea7c98cea7b792a27edac32f2a73856f0b901c317
    • Instruction Fuzzy Hash: 3931AD21B1AE4291EF56DB43A8106B922AEBF48BB0F590578DD5D0A3B0EF3CE4418340
    Memory Dump Source
    • Source File: 00000000.00000002.2933789667.00007FFE11501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE11500000, based on PE: true
    • Associated: 00000000.00000002.2933764440.00007FFE11500000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933820544.00007FFE11513000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933848852.00007FFE1151F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933864769.00007FFE11521000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2933889338.00007FFE11528000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ffe11500000_loaddll64.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
    • String ID: CONOUT$
    • API String ID: 3230265001-3130406586
    • Opcode ID: 9f93710af558f09a9892279fedac6daf20a1c9877a31ad6e89a14bce2994dbd4
    • Instruction ID: 6d59bbfd7c270342b0018c57ffc918a8b8a259dd501ac92d71b43781b4821048
    • Opcode Fuzzy Hash: 9f93710af558f09a9892279fedac6daf20a1c9877a31ad6e89a14bce2994dbd4
    • Instruction Fuzzy Hash: A411BB21B18F4286E7919B13E854329A7AAFB88BF4F104275EA1D877B5DF3CD8488700
    APIs
    • GetLastError.KERNEL32(?,?,00000000,00007FFE1150A1ED,?,?,?,?,00007FFE1150BB50), ref: 00007FFE1150B897
    • FlsSetValue.KERNEL32(?,?,00000000,00007FFE1150A1ED,?,?,?,?,00007FFE1150BB50), ref: 00007FFE1150B8CD
    • FlsSetValue.KERNEL32(?,?,00000000,00007FFE1150A1ED,?,?,?,?,00007FFE1150BB50), ref: 00007FFE1150B8FA
    • FlsSetValue.KERNEL32(?,?,00000000,00007FFE1150A1ED,?,?,?,?,00007FFE1150BB50), ref: 00007FFE1150B90B
    • FlsSetValue.KERNEL32(?,?,00000000,00007FFE1150A1ED,?,?,?,?,00007FFE1150BB50), ref: 00007FFE1150B91C
    • SetLastError.KERNEL32(?,?,00000000,00007FFE1150A1ED,?,?,?,?,00007FFE1150BB50), ref: 00007FFE1150B937
    Similarity
    • API ID: Value$ErrorLast
    • String ID:
    • API String ID: 2506987500-0
    • Opcode ID: 5712d5309adc982fc957e4a5394a015e28f1bd12a4f0ec68597790818cc231c7
    • Instruction ID: cbde8beb07c34fe180839e30c61944a884ddb3ed00175cf004be822bb87750f4
    • Opcode Fuzzy Hash: 5712d5309adc982fc957e4a5394a015e28f1bd12a4f0ec68597790818cc231c7
    • Instruction Fuzzy Hash: C8116028F0CE5242FB69ABB359D507D225A9F587B0F5847BDEC7E067F6DE2CA4024200
    APIs
    Strings
    Similarity
    • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
    • String ID: csm$csm
    • API String ID: 851805269-3733052814
    • Opcode ID: 9241c421326e447cd47d6f729757179164197b510e3a13c0456f9585d2c8a81a
    • Instruction ID: ba24e864396484f8c80207d86e97e1358759abb9f863e30e65eb2315be0d35d8
    • Opcode Fuzzy Hash: 9241c421326e447cd47d6f729757179164197b510e3a13c0456f9585d2c8a81a
    • Instruction Fuzzy Hash: 98618F32D08F4286EB248F92D45466C77A8FB55BA4F58417ADA8C47BB5CF3CE491C701
    APIs
    Strings
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: b02347b63891b87bf246745171a9137b88de9c8fc1f42791f7e12703f88cb520
    • Instruction ID: ac902bbd9c630a3a2bc4ea9ae0b969462be9ef13002ee2927d414ec16609c36e
    • Opcode Fuzzy Hash: b02347b63891b87bf246745171a9137b88de9c8fc1f42791f7e12703f88cb520
    • Instruction Fuzzy Hash: 5DF0CD61B1CE0281EB218B26E8583396779BF89BB0F5402BDCA6E452F4DF2CD048C300
    APIs
    Similarity
    • API ID: _set_statfp
    • String ID:
    • API String ID: 1156100317-0
    • Opcode ID: 42c32d3acaf94be8bf6c9fa5576b7a947ae4a2e90c63d94789f449aabdcb8345
    • Instruction ID: e24a18dcf7bb0b87731bf7f14b5fc4c13789c0024c31d88f123bf021bd492ef2
    • Opcode Fuzzy Hash: 42c32d3acaf94be8bf6c9fa5576b7a947ae4a2e90c63d94789f449aabdcb8345
    • Instruction Fuzzy Hash: 77115E26E1CE0301F76A113AE5D63B9358B6F58370E0806F4E96E46AFEDE6CA8408644
    APIs
    • FlsGetValue.KERNEL32(?,?,?,00007FFE11508A16,?,?,?,00007FFE11509BF7), ref: 00007FFE1150B96F
    • FlsSetValue.KERNEL32(?,?,?,00007FFE11508A16,?,?,?,00007FFE11509BF7), ref: 00007FFE1150B98E
    • FlsSetValue.KERNEL32(?,?,?,00007FFE11508A16,?,?,?,00007FFE11509BF7), ref: 00007FFE1150B9B6
    • FlsSetValue.KERNEL32(?,?,?,00007FFE11508A16,?,?,?,00007FFE11509BF7), ref: 00007FFE1150B9C7
    • FlsSetValue.KERNEL32(?,?,?,00007FFE11508A16,?,?,?,00007FFE11509BF7), ref: 00007FFE1150B9D8
    Similarity
    • API ID: Value
    • String ID:
    • API String ID: 3702945584-0
    • Opcode ID: 66810da383b16041ac4f90909df8ff7a9f87a16cd65f4df93bff3abf34f73556
    • Instruction ID: 0dc75cae5c7e20d049ee5153a342a87b3b9ccf383b8d68ad50cfcd7e5b9726c5
    • Opcode Fuzzy Hash: 66810da383b16041ac4f90909df8ff7a9f87a16cd65f4df93bff3abf34f73556
    • Instruction Fuzzy Hash: F2114F28F08E4342FB59ABA799911BD614A9F543B0F184BBDE87D067F6DF2CA4414201
    APIs
    Strings
    Similarity
    • API ID: CallEncodePointerTranslator
    • String ID: MOC$RCC
    • API String ID: 3544855599-2084237596
    • Opcode ID: 898245a4e9ac5fcb2a92b3faea40d05d33a71a1af291c163c3876f26104ed544
    • Instruction ID: dc1e848c8cbb988f0b45989a7ffbb7d81f960d1fdc6678e5f6bad239eb55cf92
    • Opcode Fuzzy Hash: 898245a4e9ac5fcb2a92b3faea40d05d33a71a1af291c163c3876f26104ed544
    • Instruction Fuzzy Hash: 76512773A09E858AEB208FA6D4802AD77A4FB44B98F144169EE8D17B78DF3CE555C700
    APIs
    Similarity
    • API ID: FileWrite$ConsoleErrorLastOutput
    • String ID:
    • API String ID: 2718003287-0
    • Opcode ID: ea2f9132f6d48a695c55c4ae9686dcec7304a04df8a6dc56de6e911d6adc0be8
    • Instruction ID: ac0e338566d76d1227bcfc029017f0ccc2df860a7dddb37e984ec6720ac15749
    • Opcode Fuzzy Hash: ea2f9132f6d48a695c55c4ae9686dcec7304a04df8a6dc56de6e911d6adc0be8
    • Instruction Fuzzy Hash: DED19032B18A8189E711CFA6D4402AC37B9FB547E8B144279CE5E97BB9DE3CD516C340
    APIs
    • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,00007FFE1150ACEF), ref: 00007FFE1150AE20
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,00007FFE1150ACEF), ref: 00007FFE1150AEAB
    Similarity
    • API ID: ConsoleErrorLastMode
    • String ID:
    • API String ID: 953036326-0
    • Opcode ID: 70b4f0dda715ac8b7c46d9c9adf802532413323acc67bfa74d9044eab8bb075d
    • Instruction ID: 379e95d64ceb3cbb4f8afd0d97863d89f2b648a9920f4571e588957309ecb593
    • Opcode Fuzzy Hash: 70b4f0dda715ac8b7c46d9c9adf802532413323acc67bfa74d9044eab8bb075d
    • Instruction Fuzzy Hash: F791D672E18E5189F751DFA694402BD3BA9AB44BA8F14427DDE0E576B5DF3CD881C300
    APIs
    • SetLastError.KERNEL32(?,?,?,00007FFE1150463D,?,?,?,00007FFE1150215C), ref: 00007FFE11504319
    • SetLastError.KERNEL32(?,?,?,00007FFE1150463D,?,?,?,00007FFE1150215C), ref: 00007FFE11504331
    • SetLastError.KERNEL32(?,?,?,00007FFE1150463D,?,?,?,00007FFE1150215C), ref: 00007FFE11504340
    Strings
    Similarity
    • API ID: ErrorLast
    • String ID: Dtr
    • API String ID: 1452528299-2106216684
    • Opcode ID: f0267f2bb7e7edf3d30ea7b100ec0b05282f545f04cca291f4c47bc44467c1a4
    • Instruction ID: 772fb60c23e7c43445da44d1e771736c26c3a00ca79ae18e58d81fc4b1e63b07
    • Opcode Fuzzy Hash: f0267f2bb7e7edf3d30ea7b100ec0b05282f545f04cca291f4c47bc44467c1a4
    • Instruction Fuzzy Hash: 45319431E0CA82D6FB644BBA950427C7FE89B18775F4451BCC629061F5CE2CD9D08701
    APIs
    Similarity
    • API ID: CurrentThread$Virtual$EventFreeProtect
    • String ID:
    • API String ID: 3114980141-0
    • Opcode ID: a6d37546754540cac960b494684c5983a0f486765d434498aaeec168e2e9e9de
    • Instruction ID: b8ab59939490ac1801b485d7541b1c053d5edfae50c847a33dac63e9c8d2c763
    • Opcode Fuzzy Hash: a6d37546754540cac960b494684c5983a0f486765d434498aaeec168e2e9e9de
    • Instruction Fuzzy Hash: B901C855E1EE0385FB80EBE3E86627D526A6F487B0F4004B8D84E032B39E2CA1498741
    APIs
    Similarity
    • API ID: Message$DispatchPeekSleepTranslate
    • String ID:
    • API String ID: 3768732053-0
    • Opcode ID: 0395413088325337527c4fea6a51752cfaa5cbb19b32a1d120b66f6e5a3b3644
    • Instruction ID: 273faf2b1fa7fd3222a0b1923eaea8f88f4817a08cd1072ffb3f1c517264516e
    • Opcode Fuzzy Hash: 0395413088325337527c4fea6a51752cfaa5cbb19b32a1d120b66f6e5a3b3644
    • Instruction Fuzzy Hash: 46F0302292CA82D3E7A19B12E464A7E6A66FF94B64FC050B5E14F415B0CF3CD508DB00
    APIs
    • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE11511FCC
      • Part of subcall function 00007FFE11505A1C: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFE11505A47
      • Part of subcall function 00007FFE11505A1C: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE11505ADC
      • Part of subcall function 00007FFE11505A1C: RtlUnwindEx.KERNEL32 ref: 00007FFE11505B2B
    Strings
    Similarity
    • API ID: C_specific_handlerCurrentImageNonwritableUnwind__except_validate_context_record
    • String ID: csm$f
    • API String ID: 3112662972-629598281
    • Opcode ID: e8dcb5c5d9ad2d1514f77f46448aa769a091e05a482fbfc692ed975bcc890757
    • Instruction ID: 59823c9e0b229ba99b5bdd9eaf13e824ff066d10238d5931af8e1b9bb9d3d59f
    • Opcode Fuzzy Hash: e8dcb5c5d9ad2d1514f77f46448aa769a091e05a482fbfc692ed975bcc890757
    • Instruction Fuzzy Hash: B231C6E2E18E8645EF624B6AD0806786397EF61BB4F7457B0CA5D072F1DF1DD882C200
    APIs
    Strings
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID: U
    • API String ID: 442123175-4171548499
    • Opcode ID: c31127e09c37f873c947b8b3ca032fd4a57633eb6955ada51fddec5702fe77de
    • Instruction ID: a2a68443feab787fd26e1fd282d02b1c3a03f4b62ed4294744b4dc2521d25eea
    • Opcode Fuzzy Hash: c31127e09c37f873c947b8b3ca032fd4a57633eb6955ada51fddec5702fe77de
    • Instruction Fuzzy Hash: 8641AE22B18E8181EB609F66E4443AA77A5FB987A4F404275EE4E877A8DF7CD441C740
    APIs
    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1150580B), ref: 00007FFE115060FC
    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1150580B), ref: 00007FFE11506142
    Strings
    Similarity
    • API ID: ExceptionFileHeaderRaise
    • String ID: csm
    • API String ID: 2573137834-1018135373
    • Opcode ID: 4985d7d09a7abd305dfa4f2fce599ff24cb257baee9f465fb6d6953927abce41
    • Instruction ID: d645b2bebf74d5017a0ec99276f89be5a0a593269229353a8d4650d70a598cf0
    • Opcode Fuzzy Hash: 4985d7d09a7abd305dfa4f2fce599ff24cb257baee9f465fb6d6953927abce41
    • Instruction Fuzzy Hash: 8E113A32608F8182EB618B16E44026977A9FB88BA4F284274DF8D07B79DF3CD551CB00